Merge pull request #15447 from github/henrymercer/2.16.0-mergeback

henrymercer · web-flow · commit 720d87391dfa · 2024-01-26T15:42:05.000Z
Merge `codeql-cli-2.16.0` back into `codeql-cli-2.16.1`
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.16.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.16.0.rst
@@ -50,6 +50,14 @@ Improvements
 Query Packs
 -----------
 
+Bug Fixes
+~~~~~~~~~
+
+Java
+""""
+
+*   The three queries :code:`java/insufficient-key-size`, :code:`java/server-side-template-injection`, and :code:`java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
+
 Minor Analysis Improvements
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -81,14 +89,6 @@ Swift
 
 *   Added additional sinks for the "Cleartext logging of sensitive information" (:code:`swift/cleartext-logging`) query. Some of these sinks are heuristic (imprecise) in nature.
 
-Deprecated Queries
-~~~~~~~~~~~~~~~~~~
-
-Java
-""""
-
-*   The three queries :code:`java/insufficient-key-size`, :code:`java/server-side-template-injection`, and :code:`java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
-
 New Queries
 ~~~~~~~~~~~
 
diff --git a/java/ql/src/change-notes/released/0.8.6.md b/java/ql/src/change-notes/released/0.8.6.md
@@ -1,9 +1,5 @@
 ## 0.8.6
 
-### Deprecated Queries
-
-* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
-
 ### New Queries
 
 * Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations. 
@@ -13,3 +9,7 @@
 * Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
 * The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
 * Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.
+
+### Bug Fixes
+
+* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
