Merge branch 'main' into redsun82/update-py-deps

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### New Features
+
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
+
 ## 0.4.2
 
 ### Bug Fixes

actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md → actions/ql/lib/change-notes/released/0.4.3.md

@@ -1,4 +1,5 @@
----
-category: feature
----
-* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
+## 0.4.3
+
+### New Features
+
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,29 @@
+## 0.5.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `code-scanning` and `security-extended` suites.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/if-expression-always-true/critical`
+  * `actions/if-expression-always-true/high`
+  * `actions/unnecessary-use-of-advanced-config`
+
+* The following query has been moved from the `code-scanning` suite to the `security-extended`
+  suite. Any existing alerts for this query will be closed automatically unless the analysis is
+  configured to use the `security-extended` suite.
+  * `actions/unpinned-tag`
+* The following queries have been added to the `security-extended` suite.
+  * `actions/unversioned-immutable-action`
+  * `actions/envpath-injection/medium`
+  * `actions/envvar-injection/medium`
+  * `actions/code-injection/medium`
+  * `actions/artifact-poisoning/medium`
+  * `actions/untrusted-checkout/medium`
+
+### Minor Analysis Improvements
+
+* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
+
 ## 0.4.2
 
 No user-facing changes.

actions/ql/src/change-notes/2025-02-06-curate-suites.md → actions/ql/src/change-notes/released/0.5.0.md

@@ -1,6 +1,7 @@
----
-category: breaking
----
+## 0.5.0
+
+### Breaking Changes
+
 * The following queries have been removed from the `code-scanning` and `security-extended` suites.
   Any existing alerts for these queries will be closed automatically.
   * `actions/if-expression-always-true/critical`
@@ -18,3 +19,7 @@ category: breaking
   * `actions/code-injection/medium`
   * `actions/artifact-poisoning/medium`
   * `actions/untrusted-checkout/medium`
+
+### Minor Analysis Improvements
+
+* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.5.0

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.4.3-dev
+version: 0.5.1-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 4.0.1
+
+No user-facing changes.
+
 ## 4.0.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/released/4.0.1.md

@@ -0,0 +1,3 @@
+## 4.0.1
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.0.0
+lastReleaseVersion: 4.0.1

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.0.1-dev
+version: 4.0.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.4
+
+No user-facing changes.
+
 ## 1.3.3
 
 ### Minor Analysis Improvements

cpp/ql/src/change-notes/released/1.3.4.md

@@ -0,0 +1,3 @@
+## 1.3.4
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.3
+lastReleaseVersion: 1.3.4

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.4-dev
+version: 1.3.5-dev
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.34
+
+No user-facing changes.
+
 ## 1.7.33
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.34.md

@@ -0,0 +1,3 @@
+## 1.7.34
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.33
+lastReleaseVersion: 1.7.34

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.34-dev
+version: 1.7.35-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.34
+
+No user-facing changes.
+
 ## 1.7.33
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.34.md

@@ -0,0 +1,3 @@
+## 1.7.34
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.33
+lastReleaseVersion: 1.7.34

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.34-dev
+version: 1.7.35-dev
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,18 @@
+## 5.1.0
+
+### Deprecated APIs
+
+* The predicates `immediatelyControls` and `controls` on the `ConditionBlock`
+  class have been deprecated in favor of the newly added `dominatingEdge`
+  predicate.
+
+### Minor Analysis Improvements
+
+* Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
+* C# 13: Add generated models for .NET 9.
+* The models for `System.Net.Http.HttpRequestMessage` and `System.UriBuilder` have been modified to better model the flow of tainted URIs.
+* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.
+
 ## 5.0.0
 
 ### Breaking Changes

csharp/ql/lib/change-notes/released/5.1.0.md

@@ -0,0 +1,14 @@
+## 5.1.0
+
+### Deprecated APIs
+
+* The predicates `immediatelyControls` and `controls` on the `ConditionBlock`
+  class have been deprecated in favor of the newly added `dominatingEdge`
+  predicate.
+
+### Minor Analysis Improvements
+
+* Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
+* C# 13: Add generated models for .NET 9.
+* The models for `System.Net.Http.HttpRequestMessage` and `System.UriBuilder` have been modified to better model the flow of tainted URIs.
+* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.0.0
+lastReleaseVersion: 5.1.0

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.0.1-dev
+version: 5.1.1-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.17
+
+No user-facing changes.
+
 ## 1.0.16
 
 ### Minor Analysis Improvements

csharp/ql/src/change-notes/released/1.0.17.md

@@ -0,0 +1,3 @@
+## 1.0.17
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.16
+lastReleaseVersion: 1.0.17

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.0.17-dev
+version: 1.0.18-dev
 groups:
   - csharp
   - queries

go/documentation/library-coverage/coverage.rst

@@ -8,32 +8,43 @@ Go framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total)
    `Afero <https://github.com/spf13/afero>`_,``github.com/spf13/afero*``,,,34
+   `Bun <https://bun.uptrace.dev/>`_,``github.com/uptrace/bun*``,,,63
    `CleverGo <https://github.com/clevergo/clevergo>`_,"``clevergo.tech/clevergo*``, ``github.com/clevergo/clevergo*``",,,2
    `Couchbase official client(gocb) <https://github.com/couchbase/gocb>`_,"``github.com/couchbase/gocb*``, ``gopkg.in/couchbase/gocb*``",,36,16
    `Couchbase unofficial client <http://www.github.com/couchbase/go-couchbase>`_,``github.com/couchbaselabs/gocb*``,,18,8
    `Echo <https://echo.labstack.com/>`_,``github.com/labstack/echo*``,12,2,3
    `Fiber <https://github.com/gofiber/fiber>`_,``github.com/gofiber/fiber*``,,,5
    `Fosite <https://github.com/ory/fosite>`_,``github.com/ory/fosite*``,,,2
+   `GORM <https://gorm.io>`_,"``github.com/go-gorm/gorm*``, ``github.com/jinzhu/gorm*``, ``gorm.io/gorm*``",45,3,39
    `Gin <https://github.com/gin-gonic/gin>`_,``github.com/gin-gonic/gin*``,46,2,3
    `Glog <https://github.com/golang/glog>`_,"``github.com/golang/glog*``, ``gopkg.in/glog*``, ``k8s.io/klog*``",,,270
    `Go JOSE <https://github.com/go-jose/go-jose>`_,"``github.com/go-jose/go-jose*``, ``github.com/square/go-jose*``, ``gopkg.in/square/go-jose*``, ``gopkg.in/go-jose/go-jose*``",,16,12
    `Go kit <https://gokit.io/>`_,``github.com/go-kit/kit*``,,,1
    `Go-spew <https://github.com/davecgh/go-spew>`_,``github.com/davecgh/go-spew/spew*``,,,9
+   `GoDotEnv <https://github.com/joho/godotenv>`_,``github.com/joho/godotenv*``,4,,
+   `GoFrame <https://goframe.org/en/>`_,``github.com/gogf/gf*``,,,51
    `Gokogiri <https://github.com/moovweb/gokogiri>`_,"``github.com/jbowtie/gokogiri*``, ``github.com/moovweb/gokogiri*``",,,10
    `Iris <https://www.iris-go.com/>`_,``github.com/kataras/iris*``,,,14
    `Kubernetes <https://kubernetes.io/>`_,"``k8s.io/api*``, ``k8s.io/apimachinery*``",,57,
    `Logrus <https://github.com/sirupsen/logrus>`_,"``github.com/Sirupsen/logrus*``, ``github.com/sirupsen/logrus*``",,,290
    `Macaron <https://gopkg.in/macaron.v1>`_,``gopkg.in/macaron*``,12,1,1
+   `MongoDB Go Driver <https://www.mongodb.com/docs/drivers/go/current/>`_,``go.mongodb.org/mongo-driver*``,,,14
    `Revel <http://revel.github.io/>`_,"``github.com/revel/revel*``, ``github.com/robfig/revel*``",46,20,4
    `SendGrid <https://github.com/sendgrid/sendgrid-go>`_,``github.com/sendgrid/sendgrid-go*``,,1,
-   `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",52,607,104
+   `Squirrel <https://github.com/Masterminds/squirrel>`_,"``github.com/Masterminds/squirrel*``, ``github.com/lann/squirrel*``, ``gopkg.in/Masterminds/squirrel``",,,96
+   `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,609,104
+   `XORM <https://xorm.io>`_,"``github.com/go-xorm/xorm*``, ``xorm.io/xorm*``",,,68
    `XPath <https://github.com/antchfx/xpath>`_,``github.com/antchfx/xpath*``,,,4
    `appleboy/gin-jwt <https://github.com/appleboy/gin-jwt>`_,``github.com/appleboy/gin-jwt*``,,,1
    `beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",102,63,213
    `chi <https://go-chi.io/>`_,``github.com/go-chi/chi*``,3,,
    `cristalhq/jwt <https://github.com/cristalhq/jwt>`_,``github.com/cristalhq/jwt*``,,,1
+   `env <https://github.com/caarlos0/env>`_,``github.com/caarlos0/env*``,5,2,
+   `envconfig <https://github.com/kelseyhightower/envconfig>`_,``github.com/kelseyhightower/envconfig*``,6,,
+   `envy <https://github.com/gobuffalo/envy>`_,``github.com/gobuffalo/envy*``,7,,
    `fasthttp <https://github.com/valyala/fasthttp>`_,``github.com/valyala/fasthttp*``,50,5,35
    `gf-jwt <https://github.com/gogf/gf-jwt>`_,``github.com/gogf/gf-jwt*``,,,1
+   `go-envparse <https://github.com/hashicorp/go-envparse>`_,``github.com/hashicorp/go-envparse*``,1,,
    `go-pg <https://pg.uptrace.dev/>`_,``github.com/go-pg/pg*``,,6,
    `go-restful <https://github.com/emicklei/go-restful>`_,``github.com/emicklei/go-restful*``,7,,
    `go-sh <https://github.com/codeskyblue/go-sh>`_,``github.com/codeskyblue/go-sh*``,,,4
@@ -42,6 +53,7 @@ Go framework & library support
    `goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,2
    `gorilla/mux <https://github.com/gorilla/mux>`_,``github.com/gorilla/mux*``,1,,
    `gorilla/websocket <https://github.com/gorilla/websocket>`_,``github.com/gorilla/websocket*``,3,,
+   `gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``",,,48
    `goxpath <https://github.com/ChrisTrenkamp/goxpath/wiki>`_,``github.com/ChrisTrenkamp/goxpath*``,,,3
    `htmlquery <https://github.com/antchfx/htmlquery>`_,``github.com/antchfx/htmlquery*``,,,4
    `json-iterator <https://github.com/json-iterator/go>`_,``github.com/json-iterator/go*``,,4,
@@ -54,12 +66,12 @@ Go framework & library support
    `lestrrat-go/libxml2 <https://github.com/lestrrat-go/libxml2>`_,``github.com/lestrrat-go/libxml2*``,,,3
    `nhooyr.io/websocket <https://nhooyr.io/websocket>`_,``nhooyr.io/websocket*``,2,,
    `protobuf <https://pkg.go.dev/google.golang.org/protobuf>`_,"``github.com/golang/protobuf*``, ``google.golang.org/protobuf*``",,16,
+   `sqlx <http://jmoiron.github.io/sqlx/>`_,``github.com/jmoiron/sqlx*``,49,11,12
    `ws <https://github.com/gobwas/ws>`_,``github.com/gobwas/ws*``,2,,
    `xmlpath <https://gopkg.in/xmlpath.v2>`_,"``gopkg.in/xmlpath*``, ``github.com/go-xmlpath/xmlpath*``, ``github.com/crankycoder/xmlpath*``, ``launchpad.net/xmlpath*``, ``github.com/masterzen/xmlpath*``, ``github.com/going/toolkit/xmlpath*``, ``gopkg.in/go-xmlpath/xmlpath*``",,,14
    `xmlquery <https://github.com/antchfx/xmlquery>`_,``github.com/antchfx/xmlquery*``,,,8
    `xpathparser <https://github.com/santhosh-tekuri/xpathparser>`_,``github.com/santhosh-tekuri/xpathparser*``,,,2
    `yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
    `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
-   Others,"``github.com/Masterminds/squirrel``, ``github.com/caarlos0/env``, ``github.com/go-gorm/gorm``, ``github.com/go-xorm/xorm``, ``github.com/gobuffalo/envy``, ``github.com/gogf/gf/database/gdb``, ``github.com/hashicorp/go-envparse``, ``github.com/jinzhu/gorm``, ``github.com/jmoiron/sqlx``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``, ``github.com/lann/squirrel``, ``github.com/raindog308/gorqlite``, ``github.com/rqlite/gorqlite``, ``github.com/uptrace/bun``, ``go.mongodb.org/mongo-driver/mongo``, ``gopkg.in/Masterminds/squirrel``, ``gorm.io/gorm``, ``weak``, ``xorm.io/xorm``",117,18,391
    Totals,,459,947,1532
 

go/ql/consistency-queries/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.17
+
+No user-facing changes.
+
 ## 1.0.16
 
 No user-facing changes.

go/ql/consistency-queries/change-notes/released/1.0.17.md

@@ -0,0 +1,3 @@
+## 1.0.17
+
+No user-facing changes.

go/ql/consistency-queries/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.16
+lastReleaseVersion: 1.0.17

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.17-dev
+version: 1.0.18-dev
 groups:
   - go
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,16 @@
+## 4.1.0
+
+### Deprecated APIs
+
+* The class `NamedType` has been deprecated. Use the new class `DefinedType` instead. This better matches the terminology used in the Go language specification, which was changed in Go 1.9.
+* The member predicate `getNamedType` on `GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead.
+* The member predicate `getNamedType` on `Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead.
+
+### Minor Analysis Improvements
+
+* Taint models have been added for the `weak` package, which was added in Go 1.24.
+* Taint models have been added for the interfaces `TextAppender` and `BinaryAppender` in the `encoding` package, which were added in Go 1.24.
+
 ## 4.0.0
 
 ### Breaking Changes