Skip to content

chore: bump pinned CodeQL CLI to v2.25.6 and release v0.6.0#183

Merged
felickz merged 3 commits into
mainfrom
chore/update-codeql-cli-2.25.6
Jul 11, 2026
Merged

chore: bump pinned CodeQL CLI to v2.25.6 and release v0.6.0#183
felickz merged 3 commits into
mainfrom
chore/update-codeql-cli-2.25.6

Conversation

@security-lab-bot

Copy link
Copy Markdown
Contributor

Automated CLI version bump, requested via the "Update CodeQL CLI Version"
workflow (workflow_dispatch, codeql_version: 2.25.6, release_bump: minor).

This PR:

  • Updates .codeqlversion to 2.25.6.

  • Pins every codeql/<lang>-all / codeql/<lang>-queries dependency across all
    qlpack.yml files to the exact version shipped in the official CodeQL Bundle
    for this CLI release (see .github/scripts/pin-codeql-library-versions.sh) -
    this keeps codeql pack upgrade from jumping those libraries to
    registry-latest instead of the version this CLI actually ships/tests against.

  • Runs codeql pack upgrade <dir> for every pack directory to refresh its
    codeql-pack.lock.yml against the new CLI and pinned library versions.

  • Also bumps the repo release version (minor, via the same
    patch-release-me step update-release.yml uses) to 0.6.0,
    propagating it to every pack's own version: field, configs/*.yml
    references, and cross-pack -libs pins.

Merging this PR triggers the real batch publish - publish.yml's
auto-trigger fires on any push to main that changes .release.yml, which this
PR does. No separate "CodeQL Update Release" run is needed. That run's summary
job will create the matching GitHub Release as a full release
(release_prerelease: false).

Remaining steps (see CONTRIBUTING.md's "Updating the pinned CodeQL CLI/library
version" section):

  • Check CI on this PR - fix any compilation/test errors caused by upstream
    API changes. This is usually the hardest part; consider delegating it to a
    Copilot coding agent session pointed at this PR/branch.
  • Review and merge - this alone will trigger the real batch publish.

@felickz

felickz commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

@copilot CI failed compile-and-test (java) and compile-and-test (csharp) — both due to pre-existing deprecated-predicate warnings that pr-compile.sh now treats as fatal (--warnings=error) because this PR touches every language's lib/qlpack.yml + codeql-pack.lock.yml, triggering a full strict recompile of each language.

I ran the exact same CLI version this PR pins (2.25.6) locally with codeql query compile --check-only --warnings=show across all 7 languages to get the complete picture in one pass (CI aborts at the first failing query, so it never shows everything). cpp, go, javascript, python, ruby are all 100% clean — no changes needed there. Only java and csharp have warnings, and here is the exhaustive list — please fix all of them in this PR:

Java (5 files, all deprecated ReturnStmt.getResult() except one)

  1. java/src/security/CWE-079/XSSJSP.ql lines 67, 80 — replace .getResult() with .getExpr()
  2. java/src/audit/CWE-079/XSSJSPLenient.ql lines 150, 175 — same
  3. java/src/security/CWE-094/SpringViewManipulationLib.qll lines 127, 130 — same
  4. java/src/security/CWE-295/JxBrowserWithoutCertValidation.ql line 50 — same
  5. java/src/security/CWE-470/LoadClassNoSignatureCheck.ql lines 44-46 — this one is different: uses deprecated SsaVariable type and getAUse() predicate. Replace SsaVariable with SsaDefinition and .getAUse() with .getARead() (the semmle.code.java.dataflow.SSA import is already present, no import changes needed). Verified against github/codeql's java/ql/lib/semmle/code/java/dataflow/SSA.qll: SsaVariableSsaDefinition, getAUse()getARead() is the correct 1:1 modern replacement.

C# (4 files, all deprecated Assignment.getRValue()/getLValue())

Assignment.getRValue().getRightOperand(), Assignment.getLValue().getLeftOperand() (confirmed via github/codeql's csharp/ql/lib/semmle/code/csharp/exprs/Assignment.qll — both are 1:1 renames, no semantic change):

  1. csharp/src/security/CWE-1004/CookieWithoutHttpOnly.ql lines 24 (getRValue), 56 (getLValue), 57 (getRValue)
  2. csharp/src/security/CWE-614/CookieWithoutSecure.ql lines 72 (getRValue), 98 (getLValue), 99 (getRValue)
  3. csharp/src/security/CWE-759/HashWithoutSalt.ql lines 183 (getRValue), 186 (getLValue)
  4. csharp/src/security/dataflow/flowsources/AuthCookie.qll lines 94, 104, 152 (getLValue), 97, 132 (getLValue), 98, 107, 135, 140, 154 (getRValue) — 10 total occurrences in this one shared library file

Verification

After making these changes, please verify locally with:

codeql query compile --threads=0 --check-only --warnings=error ./java/
codeql query compile --threads=0 --check-only --warnings=error ./csharp/

Both should complete with exit code 0 and zero warnings. Also run the existing test suites for both languages (codeql test run java/... csharp/... or however ci.yml invokes them) to make sure the renames didn't change any query results — these are pure API renames with no behavior change, but the .expected fixtures should still match exactly.

Please push the fixes directly to this PR's branch (chore/update-codeql-cli-2.25.6).

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

Copilot AI commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

@copilot CI failed compile-and-test (java) and compile-and-test (csharp) — both due to pre-existing deprecated-predicate warnings that pr-compile.sh now treats as fatal (--warnings=error) be...

Addressed in 9def5f2.

Local strict compile passed for both languages:

  • codeql query compile --threads=0 --check-only --warnings=error ./java/
  • codeql query compile --threads=0 --check-only --warnings=error ./csharp/

I also updated the Java test fixtures that only captured the removed warning output. The affected Java tests now pass. The unrelated existing Java suite failure remains in java/test/security/CWE-073/FilePathInjection.qlref, which is tied to the broader CLI/library bump, not these deprecation-fix edits. The full C# suite was still running with passing results so far when I had to wrap up.

Copilot AI requested a review from felickz July 11, 2026 06:03
Copilot stopped work on behalf of felickz due to an error July 11, 2026 06:03
Updates 8 .expected fixture files to match the new .actual output produced
by the CLI 2.25.6 standard library bump, verified against the CI run and
(where locally reproducible) re-run with the matching CLI:

- javascript XSSReact, InsecureIV: source node span precision refinements
  (no alert/finding changes)
- go cmdi, python CodeInjectionLocal/UnsafeDeserializationLocal/
  CommandInjectionLocal: internal MaD model ID renumbering only
- csharp HashWithoutSalt: library flow-analysis improvement adds one new
  true-positive finding (more sink coverage), plus MaD renumbering
- java FilePathInjection: sink taxonomy tag refined from path-injection
  to path-injection[read] (more precise, same sinks)

None of these represent a lost true positive or a new false positive.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR performs an automated CodeQL CLI bump to 2.25.6 and aligns all CodeQL pack dependencies/lockfiles and repository release metadata to v0.6.0, including minor QL source updates needed for upstream API changes and regenerated test expectations.

Changes:

  • Bump pinned CodeQL CLI version to 2.25.6 and bump repo/packs to 0.6.0.
  • Pin codeql/*-all / codeql/*-queries dependencies and refresh codeql-pack.lock.yml across packs to match the official bundle versions for this CLI.
  • Update affected QL sources and regenerate test .expected outputs to match new library/extractor behavior.
Show a summary per file
File Description
.codeqlversion Bumps pinned CodeQL CLI to 2.25.6.
.release.yml Bumps repository release version to 0.6.0 (drives publish automation).
ruby/lib/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/ruby-all.
ruby/lib/codeql-pack.lock.yml Refreshes Ruby lib pack lockfile for new CLI/bundle libs.
ruby/src/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/ruby-all.
ruby/src/codeql-pack.lock.yml Refreshes Ruby src pack lockfile for new CLI/bundle libs.
ruby/test/qlpack.yml Pins Ruby test dependencies to bundle versions.
ruby/test/codeql-pack.lock.yml Refreshes Ruby test pack lockfile for new CLI/bundle libs.
python/ext/qlpack.yml Bumps Python extensions pack version and target codeql/python-all.
python/lib/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/python-all.
python/lib/codeql-pack.lock.yml Refreshes Python lib pack lockfile for new CLI/bundle libs.
python/src/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/python-all.
python/src/codeql-pack.lock.yml Refreshes Python src pack lockfile for new CLI/bundle libs.
python/test/qlpack.yml Pins Python test dependencies to bundle versions.
python/test/codeql-pack.lock.yml Refreshes Python test pack lockfile for new CLI/bundle libs.
python/test/security/CWE-078/CommandInjectionLocal.expected Updates expected test output to match new MaD/provenance numbering.
python/test/security/CWE-094/CodeInjectionLocal.expected Updates expected test output to match new MaD/provenance numbering.
python/test/security/CWE-502/UnsafeDeserializationLocal.expected Updates expected test output to match new MaD/provenance numbering.
javascript/lib/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/javascript-all.
javascript/lib/codeql-pack.lock.yml Refreshes JavaScript lib pack lockfile for new CLI/bundle libs.
javascript/src/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/javascript-all.
javascript/src/codeql-pack.lock.yml Refreshes JavaScript src pack lockfile for new CLI/bundle libs.
javascript/test/qlpack.yml Pins JavaScript test dependency to bundle version.
javascript/test/codeql-pack.lock.yml Refreshes JavaScript test pack lockfile for new CLI/bundle libs.
javascript/test/security/CWE-079/XSSReact.expected Updates expected flow spans to match new extractor/library behavior.
javascript/test/security/CWE-329/InsecureIV.expected Updates expected flow spans to match new extractor/library behavior.
java/ext/qlpack.yml Bumps Java extensions pack version and target codeql/java-all.
java/ext-library-sources/qlpack.yml Bumps Java library-sources pack version and target codeql/java-all.
java/lib/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/java-all.
java/lib/codeql-pack.lock.yml Refreshes Java lib pack lockfile for new CLI/bundle libs.
java/src/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/java-all.
java/src/codeql-pack.lock.yml Refreshes Java src pack lockfile for new CLI/bundle libs.
java/src/audit/CWE-079/XSSJSPLenient.ql Updates ReturnStmt API usage (getResultgetExpr) for new libraries.
java/src/security/CWE-079/XSSJSP.ql Updates ReturnStmt API usage (getResultgetExpr) for new libraries.
java/src/security/CWE-094/SpringViewManipulationLib.qll Updates ReturnStmt API usage (getResultgetExpr) for new libraries.
java/src/security/CWE-295/JxBrowserWithoutCertValidation.ql Updates ReturnStmt API usage (getResultgetExpr) for new libraries.
java/src/security/CWE-470/LoadClassNoSignatureCheck.ql Updates SSA API usage (SsaVariable/getAUseSsaDefinition/getARead) for new libraries.
java/test/qlpack.yml Pins Java test dependency to bundle version.
java/test/codeql-pack.lock.yml Refreshes Java test pack lockfile for new CLI/bundle libs.
java/test/security/CWE-073/FilePathInjection.expected Updates expected model classification output format.
java/test/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected Updates expected output (removes deprecated-warning line).
java/test/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.expected Updates expected output (removes deprecated-warning line).
java/test/security/CWE-470/LoadClassNoSignatureCheck.expected Updates expected output (removes deprecated-warning lines).
go/ext/qlpack.yml Bumps Go extensions pack version and target codeql/go-all.
go/lib/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/go-all.
go/lib/codeql-pack.lock.yml Refreshes Go lib pack lockfile for new CLI/bundle libs.
go/src/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/go-all.
go/src/codeql-pack.lock.yml Refreshes Go src pack lockfile for new CLI/bundle libs.
go/test/qlpack.yml Pins Go test dependency to bundle version.
go/test/codeql-pack.lock.yml Refreshes Go test pack lockfile for new CLI/bundle libs.
go/test/security/CWE-078/cmdi.expected Updates expected test output to match new MaD/provenance numbering.
csharp/ext/qlpack.yml Bumps C# extensions pack version and target codeql/csharp-all.
csharp/ext-library-sources/qlpack.yml Bumps C# library-sources pack version and target codeql/csharp-all.
csharp/lib/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/csharp-all.
csharp/lib/codeql-pack.lock.yml Refreshes C# lib pack lockfile for new CLI/bundle libs.
csharp/src/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/csharp-* deps.
csharp/src/codeql-pack.lock.yml Refreshes C# src pack lockfile for new CLI/bundle libs.
csharp/src/security/CWE-1004/CookieWithoutHttpOnly.ql Updates Assignment API usage (getRValue/getLValuegetRightOperand/getLeftOperand).
csharp/src/security/CWE-614/CookieWithoutSecure.ql Updates Assignment API usage (getRValue/getLValuegetRightOperand/getLeftOperand).
csharp/src/security/CWE-759/HashWithoutSalt.ql Updates Assignment API usage (getRValue/getLValuegetRightOperand/getLeftOperand).
csharp/src/security/dataflow/flowsources/AuthCookie.qll Updates Assignment/initializer operand API usage for new libraries.
csharp/test/qlpack.yml Pins C# test dependencies to bundle versions.
csharp/test/codeql-pack.lock.yml Refreshes C# test pack lockfile for new CLI/bundle libs.
csharp/test/security/CWE-759/HashWithoutSalt.expected Updates expected results/models/flows to match new library behavior.
cpp/lib/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/cpp-all.
cpp/lib/codeql-pack.lock.yml Refreshes C++ lib pack lockfile for new CLI/bundle libs.
cpp/src/qlpack.yml Bumps pack version to 0.6.0 and pins codeql/cpp-* deps.
cpp/src/codeql-pack.lock.yml Refreshes C++ src pack lockfile for new CLI/bundle libs.
cpp/test/qlpack.yml Pins C++ test dependencies to bundle versions.
cpp/test/codeql-pack.lock.yml Refreshes C++ test pack lockfile for new CLI/bundle libs.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 70/70 changed files
  • Comments generated: 0
  • Review effort level: Low

@felickz felickz merged commit 38d1f1a into main Jul 11, 2026
22 checks passed
@felickz felickz deleted the chore/update-codeql-cli-2.25.6 branch July 11, 2026 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants