Merge pull request #16363 from github/release-prep/2.17.2

Release preparation for version 2.17.2
github · Apr 30, 2024 · 8e251ee · 8e251ee
2 parents 7d9f78b + 5228d94
commit 8e251ee
Show file tree

Hide file tree

Showing 153 changed files with 424 additions and 155 deletions.
diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,20 @@
+## 0.13.0
+
+### Breaking Changes
+
+* Deleted the deprecated `GlobalValueNumberingImpl.qll` implementation.
+
+### New Features
+
+* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See `dataflow/ExternalFlow.qll` for documentation and specification of the model format, and `models/implementations/ZMQ.qll` for a simple example of models. Importing models from `.yml` is not yet supported.
+
+### Minor Analysis Improvements
+
+* Source models have been added for the standard library function `getc` (and variations).
+* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
+* Parameters of functions without definitions now have `ParameterNode`s.
+* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
+
 ## 0.12.11
 
 No user-facing changes.

diff --git a/cpp/ql/lib/change-notes/2024-04-05-sound-ir.md b/cpp/ql/lib/change-notes/2024-04-05-sound-ir.md
diff --git a/cpp/ql/lib/change-notes/2024-04-18-param-nodes.md b/cpp/ql/lib/change-notes/2024-04-18-param-nodes.md
diff --git a/cpp/ql/lib/change-notes/2024-04-26-outdated-deprecations.md b/cpp/ql/lib/change-notes/2024-04-26-outdated-deprecations.md
diff --git a/cpp/ql/lib/change-notes/2024-10-04-getc.md b/cpp/ql/lib/change-notes/2024-10-04-getc.md
diff --git a/cpp/ql/lib/change-notes/2024-10-04-models-as-data.md b/cpp/ql/lib/change-notes/2024-10-04-models-as-data.md
diff --git a/cpp/ql/lib/change-notes/2024-10-04-zmq.md b/cpp/ql/lib/change-notes/2024-10-04-zmq.md
diff --git a/cpp/ql/lib/change-notes/released/0.13.0.md b/cpp/ql/lib/change-notes/released/0.13.0.md
@@ -0,0 +1,16 @@
+## 0.13.0
+
+### Breaking Changes
+
+* Deleted the deprecated `GlobalValueNumberingImpl.qll` implementation.
+
+### New Features
+
+* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See `dataflow/ExternalFlow.qll` for documentation and specification of the model format, and `models/implementations/ZMQ.qll` for a simple example of models. Importing models from `.yml` is not yet supported.
+
+### Minor Analysis Improvements
+
+* Source models have been added for the standard library function `getc` (and variations).
+* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
+* Parameters of functions without definitions now have `ParameterNode`s.
+* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.11
+lastReleaseVersion: 0.13.0
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.12-dev
+version: 0.13.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.9.11
+
+### Minor Analysis Improvements
+
+* The "Uncontrolled data used in path expression" query (`cpp/path-injection`) query produces fewer near-duplicate results.
+* The "Global variable may be used before initialization" query (`cpp/global-use-before-init`) no longer raises an alert on global variables that are initialized when they are declared.
+* The "Inconsistent null check of pointer" query (`cpp/inconsistent-nullness-testing`) query no longer raises an alert when the guarded check is in a macro expansion.
+
 ## 0.9.10
 
 No user-facing changes.

diff --git a/cpp/ql/src/change-notes/2024-04-25-path-injection.md b/cpp/ql/src/change-notes/2024-04-25-path-injection.md
diff --git a/.../src/change-notes/2024-04-09-reduce-FP.md → cpp/ql/src/change-notes/released/0.9.11.md b/.../src/change-notes/2024-04-09-reduce-FP.md → cpp/ql/src/change-notes/released/0.9.11.md
@@ -1,5 +1,7 @@
----
-category: minorAnalysis
----
+## 0.9.11
+
+### Minor Analysis Improvements
+
+* The "Uncontrolled data used in path expression" query (`cpp/path-injection`) query produces fewer near-duplicate results.
 * The "Global variable may be used before initialization" query (`cpp/global-use-before-init`) no longer raises an alert on global variables that are initialized when they are declared.
-* The "Inconsistent null check of pointer" query (`cpp/inconsistent-nullness-testing`) query no longer raises an alert when the guarded check is in a macro expansion.
+* The "Inconsistent null check of pointer" query (`cpp/inconsistent-nullness-testing`) query no longer raises an alert when the guarded check is in a macro expansion.
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.10
+lastReleaseVersion: 0.9.11
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.9.11-dev
+version: 0.9.11
 groups:
   - cpp
   - queries

diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.15
+
+No user-facing changes.
+
 ## 1.7.14
 
 No user-facing changes.

diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.15.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.15.md
@@ -0,0 +1,3 @@
+## 1.7.15
+
+No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.14
+lastReleaseVersion: 1.7.15
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.15-dev
+version: 1.7.15
 groups:
   - csharp
   - solorigate

diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.15
+
+No user-facing changes.
+
 ## 1.7.14
 
 No user-facing changes.

diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.15.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.15.md
@@ -0,0 +1,3 @@
+## 1.7.15
+
+No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.14
+lastReleaseVersion: 1.7.15
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.15-dev
+version: 1.7.15
 groups:
   - csharp
   - solorigate

diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,15 @@
+## 0.10.0
+
+### Breaking Changes
+
+* Deleted the deprecated `getAssemblyName` predicate from the `Operator` class. Use `getFunctionName` instead.
+* Deleted the deprecated `LShiftOperator`, `RShiftOperator`, `AssignLShiftExpr`, `AssignRShiftExpr`, `LShiftExpr`, and `RShiftExpr` aliases.
+* Deleted the deprecated `getCallableDescription` predicate from the `ExternalApiDataNode` class. Use `hasQualifiedName` instead.
+
+### Minor Analysis Improvements
+
+* Generated .NET Runtime models for properties with both getters and setters have been removed as this is now handled by the data flow library.
+
 ## 0.9.1
 
 ### Minor Analysis Improvements

diff --git a/csharp/ql/lib/change-notes/2024-04-05-dotnet-runtime-property-models.md b/csharp/ql/lib/change-notes/2024-04-05-dotnet-runtime-property-models.md
diff --git a/...notes/2024-04-26-outdated-deprecations.md → ...rp/ql/lib/change-notes/released/0.10.0.md b/...notes/2024-04-26-outdated-deprecations.md → ...rp/ql/lib/change-notes/released/0.10.0.md
@@ -1,6 +1,11 @@
----
-category: breaking
----
+## 0.10.0
+
+### Breaking Changes
+
 * Deleted the deprecated `getAssemblyName` predicate from the `Operator` class. Use `getFunctionName` instead.
 * Deleted the deprecated `LShiftOperator`, `RShiftOperator`, `AssignLShiftExpr`, `AssignRShiftExpr`, `LShiftExpr`, and `RShiftExpr` aliases.
-* Deleted the deprecated `getCallableDescription` predicate from the `ExternalApiDataNode` class. Use `hasQualifiedName` instead.
+* Deleted the deprecated `getCallableDescription` predicate from the `ExternalApiDataNode` class. Use `hasQualifiedName` instead.
+
+### Minor Analysis Improvements
+
+* Generated .NET Runtime models for properties with both getters and setters have been removed as this is now handled by the data flow library.
diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.1
+lastReleaseVersion: 0.10.0
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.9.2-dev
+version: 0.10.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.8.15
+
+No user-facing changes.
+
 ## 0.8.14
 
 No user-facing changes.

diff --git a/csharp/ql/src/change-notes/released/0.8.15.md b/csharp/ql/src/change-notes/released/0.8.15.md
@@ -0,0 +1,3 @@
+## 0.8.15
+
+No user-facing changes.
diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.14
+lastReleaseVersion: 0.8.15
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.8.15-dev
+version: 0.8.15
 groups:
   - csharp
   - queries

diff --git a/go/ql/consistency-queries/CHANGELOG.md b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.14
+
+No user-facing changes.
+
 ## 0.0.13
 
 No user-facing changes.

diff --git a/go/ql/consistency-queries/change-notes/released/0.0.14.md b/go/ql/consistency-queries/change-notes/released/0.0.14.md
@@ -0,0 +1,3 @@
+## 0.0.14
+
+No user-facing changes.
diff --git a/go/ql/consistency-queries/codeql-pack.release.yml b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.13
+lastReleaseVersion: 0.0.14
diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 0.0.14-dev
+version: 0.0.14
 groups:
   - go
   - queries

diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 0.8.0
+
+### Breaking Changes
+
+* Deleted the deprecated `CsvRemoteSource` alias. Use `MaDRemoteSource` instead.
+
+### Deprecated APIs
+
+* To make Go consistent with other language libraries, the `UntrustedFlowSource` name has been deprecated throughout. Use `RemoteFlowSource` instead, which replaces it. 
+* Where modules have classes named `UntrustedFlowAsSource`, these are also deprecated and the `Source` class in the same module or the `RemoteFlowSource` class should be used instead.
+
 ## 0.7.14
 
 ### Minor Analysis Improvements

diff --git a/go/ql/lib/change-notes/2024-04-26-outdated-deprecations.md b/go/ql/lib/change-notes/2024-04-26-outdated-deprecations.md
diff --git a/...tedflowsource-renamed-remoteflowsource.md → go/ql/lib/change-notes/released/0.8.0.md b/...tedflowsource-renamed-remoteflowsource.md → go/ql/lib/change-notes/released/0.8.0.md
@@ -1,5 +1,10 @@
----
-category: deprecated
----
+## 0.8.0
+
+### Breaking Changes
+
+* Deleted the deprecated `CsvRemoteSource` alias. Use `MaDRemoteSource` instead.
+
+### Deprecated APIs
+
 * To make Go consistent with other language libraries, the `UntrustedFlowSource` name has been deprecated throughout. Use `RemoteFlowSource` instead, which replaces it. 
 * Where modules have classes named `UntrustedFlowAsSource`, these are also deprecated and the `Source` class in the same module or the `RemoteFlowSource` class should be used instead.
diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.14
+lastReleaseVersion: 0.8.0
diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 0.7.15-dev
+version: 0.8.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go

diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.7.15
+
+### Minor Analysis Improvements
+
+* The query `go/incomplete-hostname-regexp` now recognizes more sources involving concatenation of string literals and also follows flow through string concatenation. This may lead to more alerts.
+* Added some more barriers to flow for `go/incorrect-integer-conversion` to reduce false positives, especially around type switches.
+
 ## 0.7.14
 
 No user-facing changes.

diff --git a/go/ql/src/change-notes/2024-04-17-incorrect-integer-conversion-barriers.md b/go/ql/src/change-notes/2024-04-17-incorrect-integer-conversion-barriers.md
diff --git a/.../2024-04-24-incomplete-hostname-regexp.md → go/ql/src/change-notes/released/0.7.15.md b/.../2024-04-24-incomplete-hostname-regexp.md → go/ql/src/change-notes/released/0.7.15.md
@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 0.7.15
+
+### Minor Analysis Improvements
+
 * The query `go/incomplete-hostname-regexp` now recognizes more sources involving concatenation of string literals and also follows flow through string concatenation. This may lead to more alerts.
+* Added some more barriers to flow for `go/incorrect-integer-conversion` to reduce false positives, especially around type switches.
diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.14
+lastReleaseVersion: 0.7.15
diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 0.7.15-dev
+version: 0.7.15
 groups:
   - go
   - queries

diff --git a/java/ql/automodel/src/CHANGELOG.md b/java/ql/automodel/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.22
+
+No user-facing changes.
+
 ## 0.0.21
 
 No user-facing changes.

diff --git a/java/ql/automodel/src/change-notes/released/0.0.22.md b/java/ql/automodel/src/change-notes/released/0.0.22.md
@@ -0,0 +1,3 @@
+## 0.0.22
+
+No user-facing changes.
diff --git a/java/ql/automodel/src/codeql-pack.release.yml b/java/ql/automodel/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.21
+lastReleaseVersion: 0.0.22
diff --git a/java/ql/automodel/src/qlpack.yml b/java/ql/automodel/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-automodel-queries
-version: 0.0.22-dev
+version: 0.0.22
 groups:
     - java
     - automodel

diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.10.0
+
+### Breaking Changes
+
+* Deleted the deprecated `AssignLShiftExpr`, `AssignRShiftExpr`, `AssignURShiftExpr`, `LShiftExpr`, `RShiftExpr`, and `URShiftExpr` aliases.
+
 ## 0.9.1
 
 ### Minor Analysis Improvements

diff --git a/...notes/2024-04-26-outdated-deprecations.md → java/ql/lib/change-notes/released/0.10.0.md b/...notes/2024-04-26-outdated-deprecations.md → java/ql/lib/change-notes/released/0.10.0.md
@@ -1,4 +1,5 @@
----
-category: breaking
----
+## 0.10.0
+
+### Breaking Changes
+
 * Deleted the deprecated `AssignLShiftExpr`, `AssignRShiftExpr`, `AssignURShiftExpr`, `LShiftExpr`, `RShiftExpr`, and `URShiftExpr` aliases.
diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.1
+lastReleaseVersion: 0.10.0
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.9.2-dev
+version: 0.10.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java