Fix minor issues with change notes

Author: jketema

cpp/ql/lib/CHANGELOG.md

@@ -6,7 +6,7 @@
 
 ### Deprecated APIs
 
-* The predicates single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
+* The single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
 * The recently introduced new data flow and taint tracking APIs have had a
   number of module and predicate renamings. The old APIs remain in place for
   now.

cpp/ql/lib/change-notes/released/0.7.0.md

@@ -6,7 +6,7 @@
 
 ### Deprecated APIs
 
-* The predicates single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
+* The single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
 * The recently introduced new data flow and taint tracking APIs have had a
   number of module and predicate renamings. The old APIs remain in place for
   now.

java/ql/lib/CHANGELOG.md

@@ -18,13 +18,17 @@
 * Added a summary model for the `java.lang.UnsupportedOperationException(String)` constructor.
 * The filenames embedded in `Compilation.toString()` now use `/` as the path separator on all platforms.
 * Added models for the following packages:
-  * java.lang
-  * java.net
-  * java.nio.file
-* Added models for the following packages:
-  * java.io
-  * java.lang.module
-  * org.apache.commons.io
+  * `java.lang`
+  * `java.net`
+  * `java.nio.file`
+  * `java.io`
+  * `java.lang.module`
+  * `org.apache.commons.httpclient.util`
+  * `org.apache.commons.io`
+  * `org.apache.http.client`
+  * `org.eclipse.jetty.client`
+  * `com.google.common.io`
+  * `kotlin.io`
 * Added the `TaintedPathQuery.qll` library to provide the `TaintedPathFlow` and `TaintedPathLocalFlow` taint-tracking modules to reason about tainted path vulnerabilities.
 * Added the `ZipSlipQuery.qll` library to provide the `ZipSlipFlow` taint-tracking module to reason about zip-slip vulnerabilities.
 * Added the `InsecureBeanValidationQuery.qll` library to provide the `BeanValidationFlow` taint-tracking module to reason about bean validation vulnerabilities.
@@ -35,32 +39,21 @@
 * Improved the handling of addition in the range analysis. This can cause in minor changes to the results produced by `java/index-out-of-bounds` and `java/constant-comparison`.
 * A new models as data sink kind `command-injection` has been added.
 * The queries `java/command-line-injection` and `java/concatenated-command-line` now can be extended using the `command-injection` models as data sink kind.
-* Added models for the following packages:
-
-  * com.google.common.io
-  * java.lang
-  * java.nio.file
-  * kotlin.io
-  * org.apache.commons.httpclient.util
-  * org.apache.http.client
-  * org.eclipse.jetty.client
-* Added more sink and summary dataflow models for the following packages:
-  * `hudson.model`
-  * `hudson.scm`
-  * `hudson.util`
-* Added more sink and summary dataflow models for the following packages:
-  * `hudson.cli`
-  * `hudson.lifecycle`
-  * `hudson`
-  * `hudson.util.io`
-* Added the extensible abstract class `JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the `java/jndi-injection` query.
 * Added more sink and summary dataflow models for the following packages:
   * `java.net`
   * `java.nio.file`
   * `javax.imageio.stream`
   * `javax.naming`
   * `javax.servlet`
   * `org.geogebra.web.full.main`
+  * `hudson`
+  * `hudson.cli`
+  * `hudson.lifecycle`
+  * `hudson.model`
+  * `hudson.scm`
+  * `hudson.util`
+  * `hudson.util.io`
+* Added the extensible abstract class `JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the `java/jndi-injection` query.
 * Added a summary model for the `nativeSQL` method of the `java.sql.Connection` interface.
 * Added sink and summary dataflow models for the Jenkins and Netty frameworks.
 * The Models as Data syntax for selecting the qualifier has been changed from `-1` to `this` (e.g. `Argument[-1]` is now written as `Argument[this]`).

java/ql/lib/change-notes/released/0.6.0.md

@@ -18,13 +18,17 @@
 * Added a summary model for the `java.lang.UnsupportedOperationException(String)` constructor.
 * The filenames embedded in `Compilation.toString()` now use `/` as the path separator on all platforms.
 * Added models for the following packages:
-  * java.lang
-  * java.net
-  * java.nio.file
-* Added models for the following packages:
-  * java.io
-  * java.lang.module
-  * org.apache.commons.io
+  * `java.lang`
+  * `java.net`
+  * `java.nio.file`
+  * `java.io`
+  * `java.lang.module`
+  * `org.apache.commons.httpclient.util`
+  * `org.apache.commons.io`
+  * `org.apache.http.client`
+  * `org.eclipse.jetty.client`
+  * `com.google.common.io`
+  * `kotlin.io`
 * Added the `TaintedPathQuery.qll` library to provide the `TaintedPathFlow` and `TaintedPathLocalFlow` taint-tracking modules to reason about tainted path vulnerabilities.
 * Added the `ZipSlipQuery.qll` library to provide the `ZipSlipFlow` taint-tracking module to reason about zip-slip vulnerabilities.
 * Added the `InsecureBeanValidationQuery.qll` library to provide the `BeanValidationFlow` taint-tracking module to reason about bean validation vulnerabilities.
@@ -35,32 +39,21 @@
 * Improved the handling of addition in the range analysis. This can cause in minor changes to the results produced by `java/index-out-of-bounds` and `java/constant-comparison`.
 * A new models as data sink kind `command-injection` has been added.
 * The queries `java/command-line-injection` and `java/concatenated-command-line` now can be extended using the `command-injection` models as data sink kind.
-* Added models for the following packages:
-
-  * com.google.common.io
-  * java.lang
-  * java.nio.file
-  * kotlin.io
-  * org.apache.commons.httpclient.util
-  * org.apache.http.client
-  * org.eclipse.jetty.client
-* Added more sink and summary dataflow models for the following packages:
-  * `hudson.model`
-  * `hudson.scm`
-  * `hudson.util`
-* Added more sink and summary dataflow models for the following packages:
-  * `hudson.cli`
-  * `hudson.lifecycle`
-  * `hudson`
-  * `hudson.util.io`
-* Added the extensible abstract class `JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the `java/jndi-injection` query.
 * Added more sink and summary dataflow models for the following packages:
   * `java.net`
   * `java.nio.file`
   * `javax.imageio.stream`
   * `javax.naming`
   * `javax.servlet`
   * `org.geogebra.web.full.main`
+  * `hudson`
+  * `hudson.cli`
+  * `hudson.lifecycle`
+  * `hudson.model`
+  * `hudson.scm`
+  * `hudson.util`
+  * `hudson.util.io`
+* Added the extensible abstract class `JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the `java/jndi-injection` query.
 * Added a summary model for the `nativeSQL` method of the `java.sql.Connection` interface.
 * Added sink and summary dataflow models for the Jenkins and Netty frameworks.
 * The Models as Data syntax for selecting the qualifier has been changed from `-1` to `this` (e.g. `Argument[-1]` is now written as `Argument[this]`).

python/ql/lib/CHANGELOG.md

@@ -13,7 +13,7 @@
 
 ### Bug Fixes
 
-* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
 
 ## 0.8.3
 

python/ql/lib/change-notes/released/0.9.0.md

@@ -13,4 +13,4 @@
 
 ### Bug Fixes
 
-* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.

ruby/ql/lib/CHANGELOG.md

@@ -11,7 +11,7 @@
 * Control flow graph: the evaluation order of scope expressions and receivers in multiple assignments has been adjusted to match the changes made in Ruby 
 3.1 and 3.2.
 * The clear-text storage (`rb/clear-text-storage-sensitive-data`) and logging (`rb/clear-text-logging-sensitive-data`) queries now use built-in flow through hashes, for improved precision. This may result in both new true positives and less false positives.
-* Accesses of `params` in Sinatra applications are now recognised as HTTP input accesses.
+* Accesses of `params` in Sinatra applications are now recognized as HTTP input accesses.
 * Data flow is tracked from Sinatra route handlers to ERB files.
 * Data flow is tracked between basic Sinatra filters (those without URL patterns) and their corresponding route handlers.
 

ruby/ql/lib/change-notes/released/0.6.0.md

@@ -11,7 +11,7 @@
 * Control flow graph: the evaluation order of scope expressions and receivers in multiple assignments has been adjusted to match the changes made in Ruby 
 3.1 and 3.2.
 * The clear-text storage (`rb/clear-text-storage-sensitive-data`) and logging (`rb/clear-text-logging-sensitive-data`) queries now use built-in flow through hashes, for improved precision. This may result in both new true positives and less false positives.
-* Accesses of `params` in Sinatra applications are now recognised as HTTP input accesses.
+* Accesses of `params` in Sinatra applications are now recognized as HTTP input accesses.
 * Data flow is tracked from Sinatra route handlers to ERB files.
 * Data flow is tracked between basic Sinatra filters (those without URL patterns) and their corresponding route handlers.