From c22b8bd41dd90bce1a3c38253da287dfb814c59f Mon Sep 17 00:00:00 2001 From: Arthur Baars Date: Thu, 3 Apr 2025 15:43:41 +0200 Subject: [PATCH 01/30] Update CHANGELOG.md --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 37710f2..305cd8a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,14 @@ you know what to do). --> +## Release 2.21.0 (2025-04-03) + +### Miscellaneous + +- On macOS the `CODEQL_TRACER_RELOCATION_EXCLUDE` environment variable can now be used to exclude certain paths from the + tracer relocation and tracing process. This environment variable accepts newline-separated regex patterns of binaries + to be excluded. + ## Release 2.20.7 (2025-03-18) - There are no user-facing changes in this release. From 518072067ef64dca25185591bf3cddd25acb3aa0 Mon Sep 17 00:00:00 2001 From: Ian Lynagh Date: Tue, 22 Apr 2025 12:33:47 +0100 Subject: [PATCH 02/30] Changelog: Update release notes for version 2.21.1 Add details about bug fixes in CodeQL analysis for GitHub Actions. Clarify behavior with `paths-ignore` and `paths` configurations to improve performance on large codebases. --- CHANGELOG.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 305cd8a..c5e2252 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,26 @@ you know what to do). --> +## Release 2.21.1 (2025-04-22) + +### Bugs fixed + +- Fixed a bug in CodeQL analysis for GitHub Actions in the presence + of a code scanning configuration file containing `paths-ignore` + exclusion patterns but not `paths` inclusion patterns. + Previously, such a configuration incorrectly led to all YAML, HTML, + JSON, and JS source files being extracted, + except for those filtered by `paths-ignore`. + This in turn led to performance issues on large codebases. + Now, only workflow and Action metadata YAML files relevant to the + GitHub Actions analysis will be extracted, + except for those filtered by `paths-ignore`. + This matches the default behavior when no configuration file + is provided. + The handling of `paths` inclusion patterns is unchanged: + if provided, only those paths will be considered, + except for those filtered by `paths-ignore`. + ## Release 2.21.0 (2025-04-03) ### Miscellaneous From d1e534e60eafaca3770361ddcfc6b53a06068d91 Mon Sep 17 00:00:00 2001 From: Nick Rolfe Date: Thu, 1 May 2025 13:34:25 +0100 Subject: [PATCH 03/30] Update changelog for 2.21.2 --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c5e2252..2a9962a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,13 @@ you know what to do). --> +## Release 2.21.2 (2025-05-01) + +### Bugs fixed + +- `codeql generate log-summary` now correctly includes `dependencies` + maps in predicate events for `COMPUTED_EXTENSIONAL` predicates. + ## Release 2.21.1 (2025-04-22) ### Bugs fixed From 9a367b9f8833da440fdde706789c18cb11f21624 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Thu, 15 May 2025 12:41:58 +0100 Subject: [PATCH 04/30] Update changelog for 2.21.3 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a9962a..9f8780a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,12 @@ you know what to do). --> +## Release 2.21.3 (2025-05-15) + +### Miscellaneous + +- Windows binaries for the CodeQL CLI are now built with `/guard:cf`, enabling [Control Flow Guard](https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard). + ## Release 2.21.2 (2025-05-01) ### Bugs fixed From f1c6d0410fc75afe3b3c146bee902cbd83e19fb8 Mon Sep 17 00:00:00 2001 From: Arthur Baars Date: Mon, 2 Jun 2025 13:43:16 +0200 Subject: [PATCH 05/30] Update CHANGELOG.md --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f8780a..df6571f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,20 @@ you know what to do). --> +## Release 2.21.4 (2025-06-02) + +### Deprecations + +- The `clang_vector_types`, `clang_attributes`, and `flax-vector-conversions` command + line options have been removed from the C/C++ extractor. These options were introduced + as workarounds to frontend limitations in earlier versions of the extractor and are + no longer needed when calling the extractor directly. + +### Miscellaneous + +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.7. + ## Release 2.21.3 (2025-05-15) ### Miscellaneous From 81e6755f40ec81a3583d4e2ba929819b0b0fc375 Mon Sep 17 00:00:00 2001 From: Chuan-kai Lin Date: Wed, 11 Jun 2025 08:40:32 -0700 Subject: [PATCH 06/30] Update CHANGELOG.md for 2.22.0 --- CHANGELOG.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index df6571f..48b2c6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,28 @@ you know what to do). --> +## Release 2.22.0 (2025-06-11) + +### Breaking changes + +- A number of breaking changes have been made to the C and C++ CodeQL test + environment as used by `codeql test run`: + - Options starting with a `/` are no longer supported by + `semmle-extractor-options`. Any option starting with a `/` should be + replaced by the equivalent option starting with a `-`, e.g., `/D` should be + replaced by `-D`. + - Preprocessor command line options of the form `-D#` are no + longer supported by `semmle-extractor-options`. `-D=` should be + used instead. + - The `/Fp` and `-o` options are no longer supported by + `semmle-extractor-options`. The options should be omitted. + - The `-emit-pch`, `-include-pch`, `/Yc`, and `/Yu` options, and the + `--preinclude` option taking a pre-compiled header as its argument, are no + longer supported by `semmle-extractor-options`. Any test that makes use of + this should be replaced by a test that invokes the CodeQL CLI with the + `create database` option and that runs the relevant queries on the created + database. + ## Release 2.21.4 (2025-06-02) ### Deprecations From 37a1db679b0bbb4e51158553a88d9bfa000efdf2 Mon Sep 17 00:00:00 2001 From: Arthur Baars Date: Thu, 26 Jun 2025 13:08:22 +0200 Subject: [PATCH 07/30] Update CHANGELOG.md for 2.22.1 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 48b2c6e..925d692 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,16 @@ you know what to do). --> +## Release 2.22.1 (2025-06-26) + +### New features + +- Rust language support is now in public preview. + +### Miscellaneous + +- The version of `jgit` used by the CodeQL CLI has been updated to `6.10.1.202505221210-r`. + ## Release 2.22.0 (2025-06-11) ### Breaking changes From a744fb1decf08c0ba3b90f4944b8019c94bee4f5 Mon Sep 17 00:00:00 2001 From: Chuan-kai Lin Date: Tue, 29 Jul 2025 10:00:27 -0700 Subject: [PATCH 08/30] Update CHANGELOG.md for 2.22.2 --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 925d692..013ee91 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,17 @@ you know what to do). --> +## Release 2.22.2 (2025-07-29) + +### Bug fix + +- Fixes a bug in query suites where the `version` property of an `import` instruction was ignored. Previously, the following query suite would _not_ resolve to `v1.0.19` of `codeql/csharp-queries`. Instead it would resolve to the latest version. This is now fixed and the resolve pack version would be `v1.0.19`. + ``` + - from: codeql/csharp-queries + import: codeql-suites/csharp-security-and-quality.qls + version: 1.0.19 + ``` + ## Release 2.22.1 (2025-06-26) ### New features From d2abcd0678d06f9bb0375bc74e0bb4bda392014b Mon Sep 17 00:00:00 2001 From: Chuan-kai Lin Date: Wed, 6 Aug 2025 13:28:32 -0700 Subject: [PATCH 09/30] Update CHANGELOG.md for 2.22.3 --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 013ee91..6ee09a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,14 @@ you know what to do). --> +## Release 2.22.3 (2025-08-06) + +### New features + +- The `codeql database cleanup` command now takes the `--cache-cleanup=overlay` + option, which trims the cache to just the data that will be useful when + evaluating against an overlay. + ## Release 2.22.2 (2025-07-29) ### Bug fix From 99380d934e6d13b263ce8d4bc8b62f51369c158b Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Thu, 21 Aug 2025 11:48:12 +0100 Subject: [PATCH 10/30] Update changelog for 2.22.4 release --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ee09a5..bc43e08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,10 @@ you know what to do). --> +## Release 2.22.4 (2025-08-21) + +- There are no user-facing changes in this release. + ## Release 2.22.3 (2025-08-06) ### New features From 108cd2005eae9cc5899871aa00aac279b3a8d3be Mon Sep 17 00:00:00 2001 From: Arthur Baars Date: Thu, 4 Sep 2025 17:01:49 +0200 Subject: [PATCH 11/30] Update CHANGELOG.md --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bc43e08..441b99c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,13 @@ you know what to do). --> +## Release 2.23.0 (2025-09-04) + +### Miscellaneous + +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.8. + ## Release 2.22.4 (2025-08-21) - There are no user-facing changes in this release. From 56734edf29be6e0363e1a583ecb622c0b0b2476e Mon Sep 17 00:00:00 2001 From: Ian Lynagh Date: Tue, 23 Sep 2025 14:37:48 +0100 Subject: [PATCH 12/30] Update CHANGELOG.md for 2.23.1 --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 441b99c..f559444 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,20 @@ you know what to do). --> +## Release 2.23.1 (2025-09-23) + +### New features + +- CodeQL now adds the sources and sinks of path alerts to the `relatedLocations` + property of SARIF results if they are not included as the primary location or + within the alert message. This means that path alerts will show on PRs if a + source or sink is added or modified, even for queries that don't follow the + common convention of selecting the sink as the primary location and mentioning + the source in the alert message. + +- CodeQL now populates file coverage information for GitHub Actions on + [the tool status page for code scanning](https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#viewing-the-tool-status-page-for-a-repository). + ## Release 2.23.0 (2025-09-04) ### Miscellaneous From 194e5fbf3a17ee992ee5aa145e5ef43c719caa99 Mon Sep 17 00:00:00 2001 From: Nick Rolfe Date: Thu, 2 Oct 2025 11:27:58 +0100 Subject: [PATCH 13/30] Changelog for 2.32.2 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f559444..ed6b7d4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,16 @@ you know what to do). --> +## Release 2.23.2 (2025-10-02) + +### New features + +- CodeQL Go analysis now supports the "Git Source" type for [private package registries](https://docs.github.com/en/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). This is in addition to the existing support for the "GOPROXY server" type. + +### Fixes + +- The `codeql generate query-help` command now prepends the query's name (taken from the `.ql` file) as a level-one heading when processing markdown query help, for consistency with help generated from a `.qhelp` file. + ## Release 2.23.1 (2025-09-23) ### New features From 05e07ac5e52e3f77e1f77105f02437f982ada263 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 17 Oct 2025 14:20:03 +0100 Subject: [PATCH 14/30] Update CHANGELOG.md for 2.23.3 --- CHANGELOG.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ed6b7d4..704643a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,13 +17,40 @@ you know what to do). --> +## Release 2.23.3 (2025-10-17) + +### Breaking changes + +- The `--permissive` command line option has been removed from the C/C++ extractor, + and passing the option will make the extractor fail. The option was introduced to + make the extractor accept the following invalid code, which is accepted by gcc with + the `-fpermissive` flag: + + ```cpp + void f(char*); + void g() { + const char* str = "string"; + f(str); + } + ``` + + The `--permissive` option was removed, as under some circumstances it would break the extractor's ability to parse valid C++ code. When calling the extractor directly, + `--permissive` should no longer be passed. The above code will fail to parse, and we + recommend the code being made `const`-correct. + +### Bugs fixed + +- Fixed a bug that made many `codeql` subcommands fail with the + message `not in while, until, select, or repeat loop` on Linux or + macOS systems where `/bin/sh` is `zsh`. + ## Release 2.23.2 (2025-10-02) ### New features - CodeQL Go analysis now supports the "Git Source" type for [private package registries](https://docs.github.com/en/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). This is in addition to the existing support for the "GOPROXY server" type. -### Fixes +### Bugs Fixed - The `codeql generate query-help` command now prepends the query's name (taken from the `.ql` file) as a level-one heading when processing markdown query help, for consistency with help generated from a `.qhelp` file. From bbcf258d7eb900825504fb234aa27111119a895a Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 6 Nov 2025 17:02:41 +0000 Subject: [PATCH 15/30] Add permissions to workflow Also update workflow a bit --- .github/workflows/label-issue.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/label-issue.yml b/.github/workflows/label-issue.yml index 9c2567c..7494234 100644 --- a/.github/workflows/label-issue.yml +++ b/.github/workflows/label-issue.yml @@ -6,11 +6,14 @@ on: jobs: label: name: Label issue - runs-on: ubuntu-latest - if: github.event.action == 'opened' + runs-on: ubuntu-slim + permissions: + issues: write steps: - name: Label issue + run: gh issue edit "$NUMBER" --add-label "$LABELS" env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - echo '{"labels": ["CLI"]}' | gh api repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels --input - + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ github.event.issue.number }} + LABELS: CLI From f66af530a4da7876739cd1d7d18f8ad989ea8757 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 13 Nov 2025 20:55:46 +0000 Subject: [PATCH 16/30] Update CHANGELOG.md for 2.23.5 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 704643a..69b2c36 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,16 @@ you know what to do). --> +## Release 2.23.5 (2025-11-13) + +### Breaking changes + +- In order to make a `@kind path-problem` query diff-informed, the `getASelectedSourceLocation` and `getASelectedSinkLocation` predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink _in addition to_ any other locations that are selected by the query. See the [QLdoc](https://github.com/github/codeql/blob/d122534398c5eb9182a23a9ad65caa5937d627b5/shared/dataflow/codeql/dataflow/DataFlow.qll#L474) for more details. + +## Release 2.23.4 + +This release was skipped. + ## Release 2.23.3 (2025-10-17) ### Breaking changes From 7fa26143c5fe317c7c0e6e9e16be8c8c14652dbd Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Mon, 24 Nov 2025 09:38:34 +0100 Subject: [PATCH 17/30] Update CHANGELOG for release 2.23.6 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69b2c36..9fb7cb4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,12 @@ you know what to do). --> +## Release 2.23.6 (2025-11-24) + +### Breaking changes + +- The LGTM results format for uploading to LGTM has been removed. + ## Release 2.23.5 (2025-11-13) ### Breaking changes From 2dd2c45a547668c46ec8a7b7c41af88cb024974e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Fri, 5 Dec 2025 15:26:00 +0100 Subject: [PATCH 18/30] Document deprecation of '--save-cache' flag Added deprecation notice for the '--save-cache' flag. --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9fb7cb4..28f1d63 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,12 @@ you know what to do). --> +## Release 2.23.7 (2025-12-05) + +### Deprecations + +- The `--save-cache` flag to `codeql database run-queries` and other commands that execute queries has been deprecated. This flag previously instructed the evaluator to aggressively write intermediate results to the disk cache, but now has no effect. + ## Release 2.23.6 (2025-11-24) ### Breaking changes @@ -3995,3 +4001,4 @@ become available. ## Release 2.0.0 (2019-11-14) - First public release. + From 998e37ce3edfb2ea5ddf4c4f1b91ea5bd5733a73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Thu, 11 Dec 2025 17:34:07 +0100 Subject: [PATCH 19/30] Document release 2.23.8 in CHANGELOG.md Added release notes for version 2.23.8. --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 28f1d63..62520e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,9 @@ checklist for a CLI release, you can edit here. But then you know what to do). --> +## Release 2.23.8 (2025-12-10) + +This release contains no CLI changes. ## Release 2.23.7 (2025-12-05) From fe40a78563ac3c0a2b6c621984bafdced2dba969 Mon Sep 17 00:00:00 2001 From: Ian Lynagh Date: Fri, 9 Jan 2026 17:29:47 +0000 Subject: [PATCH 20/30] Update CHANGELOG.md for 2.23.9 --- CHANGELOG.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62520e9..a6ea842 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,13 @@ checklist for a CLI release, you can edit here. But then you know what to do). --> + +## Release 2.23.9 (2026-01-09) + +### Deprecations + +- Support for Kotlin version 1.6 and 1.7 has been deprecated and will be removed from CodeQL version 2.24.1. Starting with version 2.24.1, users will need to use Kotlin version >= 1.8 to extract Kotlin databases. + ## Release 2.23.8 (2025-12-10) This release contains no CLI changes. @@ -4004,4 +4011,3 @@ become available. ## Release 2.0.0 (2019-11-14) - First public release. - From 6866fd9f6579dd1f86af647a08790a77a2f6d1b3 Mon Sep 17 00:00:00 2001 From: Nick Rolfe Date: Mon, 26 Jan 2026 12:42:45 +0000 Subject: [PATCH 21/30] Add changelog for 2.24.0 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a6ea842..dad374a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,16 @@ you know what to do). --> +## Release 2.24.0 (2026-01-26) + +### Miscellaneous + +- The OWASP Java HTML Sanitizer library used by the CodeQL CLI for internal + documentation generation commands has been updated to version + [20260102.1](https://github.com/OWASP/java-html-sanitizer/releases/tag/release-20260102.1). +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.9. + ## Release 2.23.9 (2026-01-09) ### Deprecations From c9e1ebc8d88ba207ca596a120fbae1cecd3c47f5 Mon Sep 17 00:00:00 2001 From: Nathan Randall Date: Mon, 2 Feb 2026 09:16:36 -0700 Subject: [PATCH 22/30] Fix typos in LICENSE.md This commit fixes the spelling of one word and corrects one subject-verb agreement mismatch in LICENSE.md file. --- LICENSE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index 3ef032d..e872708 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -33,7 +33,7 @@ below: * Use the Software to demonstrate the Software. * Test CodeQL queries that are released under an OSI-approved - Licence to confirm that new versions of those queries continue to + License to confirm that new versions of those queries continue to find the right vulnerabilities. Here's what you may also do with the Software, but only with an Open @@ -169,7 +169,7 @@ provision of these Terms will not constitute a waiver of such right or provision. _Entire Agreement._ These Terms, together with any open source -software licenses referenced above, constitutes the entire agreement +software licenses referenced above, constitute the entire agreement between you and GitHub regarding your use of the Software, superseding any prior agreements between you and GitHub (including, but not limited to, any prior versions of these Terms) regarding such use. From 3f1fd5f017d87e1f956b5a8d877ffd8cb4a5176d Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 5 Feb 2026 15:56:12 +0000 Subject: [PATCH 23/30] Add changenotes for 2.24.1 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dad374a..a636b80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,12 @@ you know what to do). --> +## Release 2.24.1 (2026-02-05) + +### Miscellaneous + +- The vulnerable xwork-core 2.3.37 test dependency (CVE-2025-68493) has been removed. The CodeQL Java library has been updated to support both legacy Struts 2.x-6.x package names and Struts 7.x package names for analyzing user code. + ## Release 2.24.0 (2026-01-26) ### Miscellaneous From f4e1dee21aedb8d382f6ac4a3dfb514a8e4d0e3b Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 20 Feb 2026 11:20:13 +0000 Subject: [PATCH 24/30] Update CHANGELOG.md for 2.24.2 --- CHANGELOG.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a636b80..916665c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,12 @@ you know what to do). --> +## Release 2.24.2 (2026-02-20) + +### Bug Fixes + +- Fixed SARIF output to generate RFC 1738 compatible file URIs. File URIs now always use the `file:///` format instead of `file:/` for better interoperability with SARIF consumers. + ## Release 2.24.1 (2026-02-05) ### Miscellaneous @@ -82,7 +88,7 @@ This release was skipped. } ``` - The `--permissive` option was removed, as under some circumstances it would break the extractor's ability to parse valid C++ code. When calling the extractor directly, + The `--permissive` option was removed, as under some circumstances it would break the extractor's ability to parse valid C++ code. When calling the extractor directly, `--permissive` should no longer be passed. The above code will fail to parse, and we recommend the code being made `const`-correct. @@ -231,7 +237,7 @@ This release was skipped. - On macOS the `CODEQL_TRACER_RELOCATION_EXCLUDE` environment variable can now be used to exclude certain paths from the tracer relocation and tracing process. This environment variable accepts newline-separated regex patterns of binaries - to be excluded. + to be excluded. ## Release 2.20.7 (2025-03-18) From 9231df8f23df70b6150bd79223c42d5e20c94934 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Thu, 5 Mar 2026 17:08:45 +0100 Subject: [PATCH 25/30] Update CHANGELOG.md for 2.24.3 From f467d25f90410a13ab54482a71c991714ac8a3a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Thu, 5 Mar 2026 17:10:54 +0100 Subject: [PATCH 26/30] Update CHANGELOG for release 2.24.3 Added details about bug fixes in release 2.24.3, including race condition fix and spurious warnings. --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 916665c..e429b8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,13 @@ you know what to do). --> +## Release 2.24.3 (2026-03-05) + +### Bug Fixes + +- Fixed a race condition that could cause flaky failures in overlay CodeQL tests. Test extraction now skips `*.testproj` directories by name, preventing interference from concurrently cleaned-up test databases. +- Fixed spurious "OOPS" warnings that could appear in help output for commands using mutually exclusive option groups, such as `codeql query run`. + ## Release 2.24.2 (2026-02-20) ### Bug Fixes From 249f3d5b0553b743286d11218ae16297c13a9cc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Thu, 19 Mar 2026 13:15:33 +0100 Subject: [PATCH 27/30] Update CHANGELOG for release 2.25.0 Added release notes for version 2.25.0, including breaking changes and bug fixes. --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e429b8c..489bd40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,20 @@ checklist for a CLI release, you can edit here. But then you know what to do). --> +## Release 2.25.0 (2026-03-19) + +### Breaking Changes + +- `codeql database interpret-results` and `codeql database analyze` no longer attempt to reconstruct file baseline information from databases created with CLI versions before 2.11.2. + +### Bug Fixes + +- Upgraded Jackson library from 2.16.1 to 2.18.6 to address a high-severity denial of service vulnerability (GHSA-72hv-8253-57qq) in jackson-core's async JSON parser. +- Upgraded snakeyaml (which is a dependency of jackson-dataformat-yaml) from 2.2 to 2.3. + +## Release 2.24.4 (2026-03-16) + +This release was skipped. ## Release 2.24.3 (2026-03-05) From 1ebe9749ba4d4fc7a4d4f4cb900c8c2fd6a52893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Fri, 27 Mar 2026 09:44:04 +0000 Subject: [PATCH 28/30] Update changelog for release 2.25.1 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 489bd40..4f60231 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,16 @@ checklist for a CLI release, you can edit here. But then you know what to do). --> +## Release 2.25.1 (2026-03-27) + +### Bug Fixes + +- Fixed a bug where extraction could fail on YAML files containing emoji.Collapse commentComment on lines R24 to R25henrymercer commented on Mar 26, 2026 henrymerceron Mar 26, 2026More actions + +### Miscellaneous + +- Upgraded snakeyaml (which is a dependency of jackson-dataformat-yaml) from 2.3 to 2.6. + ## Release 2.25.0 (2026-03-19) ### Breaking Changes From 0564862bef092139fbd761ee56dc3f2380555ef5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Fri, 27 Mar 2026 10:49:07 +0100 Subject: [PATCH 29/30] Fix YAML extraction bug and upgrade snakeyaml --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f60231..90fb0e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,7 +20,7 @@ ### Bug Fixes -- Fixed a bug where extraction could fail on YAML files containing emoji.Collapse commentComment on lines R24 to R25henrymercer commented on Mar 26, 2026 henrymerceron Mar 26, 2026More actions +- Fixed a bug where extraction could fail on YAML files containing emoji. ### Miscellaneous From 2c725ac18f6b371750d317f5f98d247c75d4c85b Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 15 Apr 2026 11:44:22 +0100 Subject: [PATCH 30/30] Add changenotes for 2.25.2 --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90fb0e7..0e93e38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,14 @@ checklist for a CLI release, you can edit here. But then you know what to do). --> + +## Release 2.25.2 (2026-04-15) + +### Miscellaneous + +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.10. + ## Release 2.25.1 (2026-03-27) ### Bug Fixes