Merge branch 'main' into fix/path-injection-read-subkind

Author: MarkLee131

cpp/ql/src/CHANGELOG.md

@@ -7,7 +7,7 @@
 * The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
 * The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
 * The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build-mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
 
 ## 1.6.0
 

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp

@@ -14,7 +14,7 @@ function may behave unpredictably.</p>
 <p>This may indicate a misspelled function name, or that the required header containing
 the function declaration has not been included.</p>
 
-<p>Note: This query is not compatible with <code>build mode: none</code> databases, and produces
+<p>Note: This query is not compatible with <code>build-mode: none</code> databases, and produces
 no results on those databases.</p>
 
 </overview>

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql

@@ -18,7 +18,7 @@ import TooManyArguments
 import semmle.code.cpp.commons.Exclusions
 
 /*
- * This query is not compatible with build mode: none databases, and produces
+ * This query is not compatible with build-mode: none databases, and produces
  * no results on those databases.
  */
 

cpp/ql/src/change-notes/released/1.6.1.md

@@ -7,4 +7,4 @@
 * The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
 * The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
 * The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build-mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.

csharp/ql/lib/CHANGELOG.md

@@ -64,9 +64,9 @@ No user-facing changes.
 * When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
 * Updated the generated .NET “models as data” runtime models to cover .NET 10.
 * C# 14: Support for *implicit* span conversions in the QL library.
-* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build-mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
 * Added autobuilder and `build-mode: none` support for `.slnx` solution files.
-* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* In `build-mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
 * Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
 
 ### Bug Fixes

csharp/ql/lib/change-notes/released/5.4.5.md

@@ -5,9 +5,9 @@
 * When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
 * Updated the generated .NET “models as data” runtime models to cover .NET 10.
 * C# 14: Support for *implicit* span conversions in the QL library.
-* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build-mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
 * Added autobuilder and `build-mode: none` support for `.slnx` solution files.
-* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* In `build-mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
 * Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
 
 ### Bug Fixes

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.0.rst

@@ -152,9 +152,9 @@ C#
 *   When a code-scanning configuration specifies the :code:`paths:` and/or :code:`paths-ignore:` settings, these are now taken into account by the C# extractor's search for :code:`.config`, :code:`.props`, XML and project files.
 *   Updated the generated .NET “models as data” runtime models to cover .NET 10.
 *   C# 14: Support for *implicit* span conversions in the QL library.
-*   Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and :code:`build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+*   Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and :code:`build-mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
 *   Added autobuilder and :code:`build-mode: none` support for :code:`.slnx` solution files.
-*   In :code:`build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+*   In :code:`build-mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
 *   Added implicit reads of :code:`System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
 
 Golang

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.3.rst

@@ -0,0 +1,124 @@
+.. _codeql-cli-2.25.3:
+
+==========================
+CodeQL 2.25.3 (2026-05-01)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.25.3 runs a total of 496 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 131 queries (covering 32 more CWE).
+
+CodeQL CLI
+----------
+
+Improvements
+~~~~~~~~~~~~
+
+*   The :code:`codeql database finalize` command now accepts the :code:`--working-dir` flag. When specified, any extractor pre-finalize scripts will be run in that directory. If the flag is not used, the scripts will run in the source root directory (maintaining existing behavior). The flag will also be automatically passed through when running the higher-level
+    :code:`codeql database create` command.
+
+Query Packs
+-----------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Fixed alert messages in :code:`actions/artifact-poisoning/critical` and :code:`actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added :code:`AllocationFunction` models for :code:`aligned_alloc`, :code:`std::aligned_alloc`, and :code:`bsl::aligned_alloc`.
+*   The "Comparison of narrow type with wide type in loop condition" (:code:`cpp/comparison-with-wider-type`) query has been upgraded to :code:`high` precision. This query will now run in the default code scanning suite.
+*   The "Multiplication result converted to larger type" (:code:`cpp/integer-multiplication-cast-to-long`) query has been upgraded to :code:`high` precision. This query will now run in the default code scanning suite.
+*   The "Suspicious add with sizeof" (:code:`cpp/suspicious-add-sizeof`) query has been upgraded to :code:`high` precision. This query will now run in the default code scanning suite.
+*   The "Wrong type of arguments to formatting function" (:code:`cpp/wrong-type-format-argument`) query has been upgraded to :code:`high` precision. This query will now run in the default code scanning suite.
+*   The "Implicit function declaration" (:code:`cpp/implicit-function-declaration`) query has been upgraded to :code:`high` precision. However, for :code:`build-mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
+
+C#
+""
+
+*   The query :code:`cs/useless-tostring-call` has been updated to avoid false positive results in calls to :code:`StringBuilder.AppendLine` and calls of the form :code:`base.ToString()`. Moreover, the alert message has been made more precise.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The query :code:`js/missing-rate-limiting` now takes Fastify per-route rate limiting into account.
+
+Python
+""""""
+
+*   The :code:`py/bind-socket-all-network-interfaces` query now uses the global data-flow library, leading to better precision and more results. Also, wrappers of :code:`socket.socket` in the :code:`eventlet` and :code:`gevent` libraries are now also recognized as socket binding operations.
+
+GitHub Actions
+""""""""""""""
+
+*   The query :code:`actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The deprecated :code:`NonThrowingFunction` class has been removed, use :code:`NonCppThrowingFunction` instead.
+*   The deprecated :code:`ThrowingFunction` class has been removed, use :code:`AlwaysSehThrowingFunction` instead.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Swift
+"""""
+
+*   Upgraded to allow analysis of Swift 6.3.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java/Kotlin
+"""""""""""
+
+*   The queries "Resolving XML external entity in user-controlled data" (:code:`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (:code:`java/xxe-local`) now recognize sinks in the Woodstox StAX library when :code:`com.ctc.wstx.stax.WstxInputFactory` or :code:`org.codehaus.stax2.XMLInputFactory2` are used directly.
+
+Python
+""""""
+
+*   The Python extractor now supports the new :code:`lazy import ...` and :code:`lazy from ... import ...` (as defined in `PEP-810 <https://peps.python.org/pep-0810/>`__) that will be part of Python 3.15.
+
+GitHub Actions
+""""""""""""""
+
+*   Removed false positive injection sink models for the :code:`context` input of :code:`docker/build-push-action` and the :code:`allowed-endpoints` input of :code:`step-security/harden-runner`.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The predicates :code:`get[L|R]Value` in the class :code:`Assignment` have been deprecated. Use :code:`get[Left|Right]Operand` instead.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a subclass :code:`AutoconfConfigureTestFile` of :code:`ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.

docs/codeql/codeql-overview/codeql-changelog/index.rst

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.25.3
    codeql-cli-2.25.2
    codeql-cli-2.25.1
    codeql-cli-2.25.0

java/ql/lib/semmle/code/java/Expr.qll

@@ -2732,11 +2732,6 @@ class PatternExpr extends Expr {
    */
   LocalVariableDeclExpr asBindingOrUnnamedPattern() { result = this }
 
-  /**
-   * DEPRECATED: alias for `asBindingOrUnnamedPattern`.
-   */
-  deprecated LocalVariableDeclExpr asBindingPattern() { result = this.asBindingOrUnnamedPattern() }
-
   /**
    * Gets this pattern cast to a record pattern.
    */