github · igfoo · Apr 15, 2025 · Apr 14, 2025
@@ -1,3 +1,7 @@
+## 0.4.7
+
+No user-facing changes.
+
 ## 0.4.6
 
 ### Bug Fixes

@@ -0,0 +1,3 @@
+## 0.4.7
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.4.7
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.7-dev
+version: 0.4.7
 library: true
 warnOnImplicitThis: true
 dependencies:

@@ -1,3 +1,9 @@
+## 0.5.4
+
+### Bug Fixes
+
+* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
+
 ## 0.5.3
 
 ### Bug Fixes

@@ -1,4 +1,5 @@
----
-category: fix
----
-* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
+## 0.5.4
+
+### Bug Fixes
+
+* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.3
+lastReleaseVersion: 0.5.4
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.4-dev
+version: 0.5.4
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

@@ -1,3 +1,10 @@
+## 4.2.0
+
+### New Features
+
+* Calling conventions explicitly specified on function declarations (`__cdecl`, `__stdcall`, `__fastcall`, etc.)  are now represented as specifiers of those declarations.
+* A new class `CallingConventionSpecifier` extending the `Specifier` class was introduced, which represents explicitly specified calling conventions.
+
 ## 4.1.0
 
 ### New Features

@@ -1,5 +1,6 @@
----
-category: feature
----
+## 4.2.0
+
+### New Features
+
 * Calling conventions explicitly specified on function declarations (`__cdecl`, `__stdcall`, `__fastcall`, etc.)  are now represented as specifiers of those declarations.
 * A new class `CallingConventionSpecifier` extending the `Specifier` class was introduced, which represents explicitly specified calling conventions.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.1.0
+lastReleaseVersion: 4.2.0
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.1.1-dev
+version: 4.2.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

@@ -1,3 +1,7 @@
+## 1.3.8
+
+No user-facing changes.
+
 ## 1.3.7
 
 ### Minor Analysis Improvements

@@ -0,0 +1,3 @@
+## 1.3.8
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.7
+lastReleaseVersion: 1.3.8
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.8-dev
+version: 1.3.8
 groups:
   - cpp
   - queries

@@ -1,3 +1,7 @@
+## 1.7.38
+
+No user-facing changes.
+
 ## 1.7.37
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 1.7.38
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.37
+lastReleaseVersion: 1.7.38
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.38-dev
+version: 1.7.38
 groups:
   - csharp
   - solorigate

@@ -1,3 +1,7 @@
+## 1.7.38
+
+No user-facing changes.
+
 ## 1.7.37
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 1.7.38
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.37
+lastReleaseVersion: 1.7.38
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.38-dev
+version: 1.7.38
 groups:
   - csharp
   - solorigate

@@ -1,3 +1,10 @@
+## 5.1.4
+
+### Minor Analysis Improvements
+
+* The *alignment* and *format* clauses in string interpolation expressions are now extracted. That is, in `$"Hello {name,align:format}"` *name*, *align* and *format* are extracted as children of the string interpolation *insert* `{name,align:format}`.
+* Blazor support can now better recognize when a property being set is specified with a string literal, rather than referenced in a `nameof` expression.
+
 ## 5.1.3
 
 ### Minor Analysis Improvements

@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 5.1.4
+
+### Minor Analysis Improvements
+
 * The *alignment* and *format* clauses in string interpolation expressions are now extracted. That is, in `$"Hello {name,align:format}"` *name*, *align* and *format* are extracted as children of the string interpolation *insert* `{name,align:format}`.
+* Blazor support can now better recognize when a property being set is specified with a string literal, rather than referenced in a `nameof` expression.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.3
+lastReleaseVersion: 5.1.4
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.1.4-dev
+version: 5.1.4
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

@@ -1,3 +1,10 @@
+## 1.1.1
+
+### Minor Analysis Improvements
+
+* Enums and `System.DateTimeOffset` are now treated as *simple* types, which means that they are considered to have a sanitizing effect. This impacts many queries, among others the `cs/log-forging` query.
+* The MaD models for the .NET 9 Runtime have been re-generated after a fix related to `out`/`ref` parameters.
+
 ## 1.1.0
 
 ### New Queries

@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 1.1.1
+
+### Minor Analysis Improvements
+
 * Enums and `System.DateTimeOffset` are now treated as *simple* types, which means that they are considered to have a sanitizing effect. This impacts many queries, among others the `cs/log-forging` query.
+* The MaD models for the .NET 9 Runtime have been re-generated after a fix related to `out`/`ref` parameters.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.0
+lastReleaseVersion: 1.1.1
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.1.1-dev
+version: 1.1.1
 groups:
   - csharp
   - queries

@@ -1,3 +1,7 @@
+## 1.0.21
+
+No user-facing changes.
+
 ## 1.0.20
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 1.0.21
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.20
+lastReleaseVersion: 1.0.21
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.21-dev
+version: 1.0.21
 groups:
   - go
   - queries

@@ -1,3 +1,9 @@
+## 4.2.3
+
+### Minor Analysis Improvements
+
+* Local source models for APIs reading from databases have been added for `github.com/gogf/gf/database/gdb` and `github.com/uptrace/bun`.
+
 ## 4.2.2
 
 ### Minor Analysis Improvements

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 4.2.3
+
+### Minor Analysis Improvements
+
 * Local source models for APIs reading from databases have been added for `github.com/gogf/gf/database/gdb` and `github.com/uptrace/bun`.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.2.2
+lastReleaseVersion: 4.2.3
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 4.2.3-dev
+version: 4.2.3
 groups: go
 dbscheme: go.dbscheme
 extractor: go

@@ -1,3 +1,7 @@
+## 1.1.12
+
+No user-facing changes.
+
 ## 1.1.11
 
 ### Minor Analysis Improvements

@@ -0,0 +1,3 @@
+## 1.1.12
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.11
+lastReleaseVersion: 1.1.12
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.1.12-dev
+version: 1.1.12
 groups:
   - go
   - queries

@@ -1,3 +1,10 @@
+## 7.1.3
+
+### Minor Analysis Improvements
+
+* Enum-typed values are now assumed to be safe by most queries. This means that queries may return fewer results where an enum value is used in a sensitive context, e.g. pasted into a query string.
+* All existing modelling and support for `javax.persistence` now applies to `jakarta.persistence` as well.
+
 ## 7.1.2
 
 ### Minor Analysis Improvements

@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 7.1.3
+
+### Minor Analysis Improvements
+
 * Enum-typed values are now assumed to be safe by most queries. This means that queries may return fewer results where an enum value is used in a sensitive context, e.g. pasted into a query string.
+* All existing modelling and support for `javax.persistence` now applies to `jakarta.persistence` as well.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.2
+lastReleaseVersion: 7.1.3
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 7.1.3-dev
+version: 7.1.3
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

@@ -1,3 +1,7 @@
+## 1.4.1
+
+No user-facing changes.
+
 ## 1.4.0
 
 ### New Queries

@@ -0,0 +1,3 @@
+## 1.4.1
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.0
+lastReleaseVersion: 1.4.1
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.4.1-dev
+version: 1.4.1
 groups:
   - java
   - queries

@@ -1,3 +1,17 @@
+## 2.6.1
+
+### Minor Analysis Improvements
+
+* Data passed to the [NextResponse](https://nextjs.org/docs/app/api-reference/functions/next-response) constructor is now treated as a sink for `js/reflected-xss`.
+* Data received from [NextRequest](https://nextjs.org/docs/app/api-reference/functions/next-request) and [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) is now treated as a remote user input `source`.
+* Added support for the `make-dir` package.
+* Added support for the `open` package.
+* Added taint propagation for `Uint8Array`, `ArrayBuffer`, `SharedArrayBuffer` and `TextDecoder.decode()`.
+* Improved detection of `WebSocket` and `SockJS` usage.
+* Added data received from `WebSocket` clients as a remote flow source.
+* Added support for additional `mkdirp` methods as sinks in path-injection queries.
+* Added support for additional `rimraf` methods as sinks in path-injection queries.
+
 ## 2.6.0
 
 ### New Features