Merge pull request github#16130 from github/sitedocs/2.17.0

Add changelog for 2.17.0

Author: turbo

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.0.rst

@@ -53,8 +53,7 @@ New Features
     |link-code-paths-and-code-paths-ignore-configuration-1|_.
 
 *   In the VS Code extension, recursive calls will be marked with inlay hints. These can be disabled with the global inlay hints setting
-    (:code:`editor.inlayHints.enabled`). If you just want to disable them for
-    codeql the settings can be scoped to just codeql files (language id is :code:`ql`).
+    (:code:`editor.inlayHints.enabled`). If you just want to disable them for codeql the settings can be scoped to just codeql files (language id is :code:`ql`).
     See `Language Specific Editor Settings <https://code.visualstudio.com/docs/getstarted/settings#_language-specific-editor-settings>`__ in the VS Code documentation for more information.
 
 *   The CLI now gives a more helpful error message when asked to run queries on a database that has not been finalized.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.6.rst

@@ -38,12 +38,11 @@ New Features
 Known Issues
 ~~~~~~~~~~~~
 
-*   We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with :code:`codeql  github upload-results`. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1.
+*   We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with :code:`codeql github upload-results`. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1.
 
     This issue occurs when uploading certain kinds of diagnostic information and causes the subcommand to fail with "A fatal error occurred: Invalid SARIF.", reporting an :code:`InvalidDefinitionException`.
 
-    Customers who wish to use CodeQL 2.12.6 or 2.13.0 can
-    work around the problem by passing :code:`--no-sarif-include-diagnostics` to any invocations of :code:`codeql database analyze` or :code:`codeql database interpret-results`.
+    Customers who wish to use CodeQL 2.12.6 or 2.13.0 can work around the problem by passing :code:`--no-sarif-include-diagnostics` to any invocations of :code:`codeql database analyze` or :code:`codeql database interpret-results`.
 
 Query Packs
 -----------

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.0.rst

@@ -73,7 +73,7 @@ New Features
 Known Issues
 ~~~~~~~~~~~~
 
-*   We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with :code:`codeql  github upload-results`. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1. For more information, see the
+*   We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with :code:`codeql github upload-results`. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1. For more information, see the
     "Known issues" section for CodeQL 2.12.6.
 
 Query Packs

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.3.rst

@@ -26,8 +26,7 @@ Bug Fixes
 
 *   Fixed a bug that could have caused the compiler to incorrectly infer that a class matched a type signature. The bug only affected classes with overriding member predicates that had stronger binding sets than their root definitions.
 
-*   Fixed a bug where a query could not be run from VS Code when there were packs nested within sibling directories
-    of the query.
+*   Fixed a bug where a query could not be run from VS Code when there were packs nested within sibling directories of the query.
 
 New Features
 ~~~~~~~~~~~~

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.16.6.rst

@@ -0,0 +1,25 @@
+.. _codeql-cli-2.16.6:
+
+==========================
+CodeQL 2.16.6 (2024-03-26)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.16.6 runs a total of 409 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 132 queries (covering 34 more CWE).
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixes a bug where extractor logs would be output at a lower than expected verbosity level when using the :code:`codeql database create` command.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.17.0.rst

@@ -0,0 +1,220 @@
+.. _codeql-cli-2.17.0:
+
+==========================
+CodeQL 2.17.0 (2024-04-04)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.17.0 runs a total of 410 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 130 queries (covering 34 more CWE).
+
+CodeQL CLI
+----------
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The :code:`--[no-]analysis-summary-v2` and :code:`--[no-]new-analysis-summary` options that were used to enable (or disable) improved summary information printed at the end of a :code:`codeql database analyze` invocation are no longer supported.
+    Improved summary information is now enabled for all invocations.
+*   Support for overwriting default CodeQL SARIF run properties using the
+    :code:`--sarif-run-property` command line option has been removed. This removes the ability to overwrite the :code:`semmle.formatSpecifier`, :code:`metricResults`, and
+    :code:`codeqlConfigSummary` properties in the SARIF run file.
+
+Improvements
+~~~~~~~~~~~~
+
+*   TRAP import (a part of :code:`codeql database create` and :code:`codeql database finalize`)
+    now performs better in low-memory situations. (Put another way, it now needs less RAM to achieve the same performance as before.)
+    
+*   The worst-case performance of transitive closure computation (using the :code:`+` or :code:`*` postfix operators or the :code:`fastTC` higher-order primitive in QL) has been greatly improved.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.2.
+
+Query Packs
+-----------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The :code:`Stored` variants of some queries (:code:`cs/stored-command-line-injection`, :code:`cs/web/stored-xss`, :code:`cs/stored-ldap-injection`, :code:`cs/xml/stored-xpath-injection`, :code:`cs/second-order-sql-injection`) have been removed. If you were using these queries, their results can be restored by enabling the :code:`file` and :code:`database` threat models in your threat model configuration.
+
+Java
+""""
+
+*   The :code:`java/missing-case-in-switch` query now gives only a single alert for each switch statement, giving some examples of the missing cases as well as a count of how many are missing.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The "Missing return-value check for a 'scanf'-like function" query (:code:`cpp/missing-check-scanf`) has been converted to a :code:`path-problem` query.
+*   The "Potentially uninitialized local variable" query (:code:`cpp/uninitialized-local`) has been converted to a :code:`path-problem` query.
+*   Added models for :code:`GLib` allocation and deallocation functions.
+
+C#
+""
+
+*   The alert message of :code:`cs/wrong-compareto-signature` has been changed to remove unnecessary element references.
+*   Data flow queries that track flow from *local* flow sources now use the current *threat model* configuration instead. This may lead to changes in the produced alerts if the threat model configuration only uses *remote* flow sources. The changed queries are :code:`cs/code-injection`, :code:`cs/resource-injection`, :code:`cs/sql-injection`, and :code:`cs/uncontrolled-format-string`.
+
+Golang
+""""""
+
+*   The query :code:`go/hardcoded-credentials` no longer discards string literals based on "weak password" heuristics.
+*   The query :code:`go/sql-injection` now recognizes more sinks in the package :code:`github.com/Masterminds/squirrel`.
+
+Java
+""""
+
+*   Variables named :code:`tokenImage` are no longer sources for  the :code:`java/sensitive-log` query. This is because this variable name is used in parsing code generated by JavaCC, so it causes a large number of false positive alerts.
+*   Added sanitizers for relative URLs, :code:`List.contains()`, and checking the host of a URI to the :code:`java/ssrf` and :code:`java/unvalidated-url-redirection` queries.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The call graph has been improved, leading to more alerts for data flow based queries.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a new query, :code:`cpp/type-confusion`, to detect casts to invalid types.
+
+Golang
+""""""
+
+*   The query "Slice memory allocation with excessive size value" (:code:`go/uncontrolled-allocation-size`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @Malayke <https://github.com/github/codeql/pull/15130>`__.
+
+Java
+""""
+
+*   The query :code:`java/unsafe-url-forward-dispatch-load` has been promoted from experimental to the main query pack as :code:`java/unvalidated-url-forward`. Its results will now appear by default. This query was originally submitted as an experimental query `by @haby0 <https://github.com/github/codeql/pull/6240>`__ and `by @luchua-bc <https://github.com/github/codeql/pull/7286>`__.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`@precision medium` metadata was added to the :code:`cpp/boost/tls-settings-misconfiguration` and :code:`cpp/boost/use-of-deprecated-hardcoded-security-protocol` queries, and these queries are now included in the security-extended suite. The :code:`@name` metadata of these queries were also updated.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`@precision` of the :code:`js/unsafe-external-link` has been reduced to :code:`low` to reflect the fact that modern browsers do not expose the opening window for such links. This mitigates the potential security risk of having a link with :code:`target="_blank"`.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The CIL extractor has been deleted and the corresponding extractor option :code:`cil` has been removed. It is no longer possible to do CIL extraction.
+*   The QL library C# classes no longer extend their corresponding :code:`DotNet` classes. Furthermore, CIL related data flow functionality has been deleted and all :code:`DotNet` and :code:`CIL` related classes have been deprecated. This effectively means that it no longer has any effect to enable CIL extraction.
+
+Java
+""""
+
+*   The Java extractor no longer supports the :code:`ODASA_SNAPSHOT` legacy environment variable.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 5.4.
+
+Swift
+"""""
+
+*   Upgraded to Swift 5.10
+*   New AST node is extracted: :code:`ThenStmt`
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added destructors for temporary objects with extended lifetimes to the intermediate representation.
+
+C#
+""
+
+*   Added new source models for the :code:`Dapper` package. These models can be enabled by enabling the :code:`database` threat model.
+*   Additional models have been added for :code:`System.IO`. These are primarily source models with the :code:`file` threat model, and summaries related to reading from a file or stream.
+*   Support for C# 12 / .NET8.
+*   Added the :code:`windows-registry` source kind and threat model to represent values which come from the registry on Windows.
+*   The models for :code:`System.Net.Http.HttpRequestMessage` have been modified to better model the flow of tainted URIs.
+*   The .NET standard libraries APIs for accessing command line arguments and environment variables have been modeled using the :code:`commandargs` and :code:`environment` threat models.
+*   The :code:`cs/assembly-path-injection` query has been modified so that it's sources rely on :code:`ThreatModelFlowSource`. In order to restore results from command line arguments, you should enable the :code:`commandargs` threat model.
+*   The models for :code:`System.IO.TextReader` have been modified to better model the flow of tainted text from a :code:`TextReader`.
+
+Golang
+""""""
+
+*   The :code:`CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO` option, which speeds up retrieval of dependency information, is now on by default. This was originally an external contribution by @xhd2015.
+*   Added dataflow sources for the package :code:`gopkg.in/macaron.v1`.
+
+Java
+""""
+
+*   Increased the precision of some dataflow models of the class :code:`java.net.URL` by distinguishing the parts of a URL.
+*   The Java extractor and QL libraries now support Java 22, including support for anonymous variables, lambda parameters and patterns.
+*   Pattern cases with multiple patterns and that fall through to or from other pattern cases are now supported. The :code:`PatternCase` class gains the new :code:`getPatternAtIndex` and :code:`getAPattern` predicates, and deprecates :code:`getPattern`.
+*   Added a :code:`path-injection` sink for the :code:`open` methods of the :code:`android.os.ParcelFileDescriptor` class.
+
+Ruby
+""""
+
+*   Data flow is now tracked through :code:`ActiveRecord` scopes.
+*   Modeled instances of :code:`ActionDispatch::Http::UploadedFile` that can be obtained from element reads of :code:`ActionController::Parameters`, with calls to :code:`original_filename`, :code:`content_type`, and :code:`read` now propagating taint from their receiver.
+*   The second argument, :code:`subquery_name`, of the :code:`ActiveRecord::QueryMethods::from` method, is now recognized as an sql injection sink.
+*   Calls to :code:`Typhoeus::Request.new` are now considered as instances of the :code:`Http::Client::Request` concept, with the response body being treated as a remote flow source.
+*   New command injection sinks have been added, including :code:`Process.spawn`, :code:`Process.exec`, :code:`Terrapin::CommandLine` and the :code:`open4` gem.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a :code:`TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
+*   Added a predicate :code:`GuardCondition.comparesEq/4` to query whether an expression is compared to a constant.
+*   Added a predicate :code:`GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
+*   Added a predicate :code:`GuardCondition.comparesLt/4` to query whether an expression is compared to a constant.
+*   Added a predicate :code:`GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
+*   Added a predicate :code:`GuardCondition.valueControls` to query whether a basic block is guarded by a particular :code:`case` of a :code:`switch` statement.
+
+Shared Libraries
+----------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   Path explanations now include flow that goes through callbacks passed into library functions. For example, if :code:`map` is a library function, then in :code:`result = map(xs, x => x + 1)` we will now include the step from :code:`x` to :code:`x + 1` in the path explanation, instead of going directly from :code:`xs` to :code:`result`. Note that this change does not affect actual query results, but only how path explanations are computed.

docs/codeql/codeql-overview/codeql-changelog/index.rst

@@ -11,6 +11,8 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.17.0
+   codeql-cli-2.16.6
    codeql-cli-2.16.5
    codeql-cli-2.16.4
    codeql-cli-2.16.3