chore: bump pinned CodeQL CLI to v2.25.6 and release v0.6.0#183
Conversation
|
@copilot CI failed I ran the exact same CLI version this PR pins (2.25.6) locally with Java (5 files, all deprecated
|
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Addressed in Local strict compile passed for both languages:
I also updated the Java test fixtures that only captured the removed warning output. The affected Java tests now pass. The unrelated existing Java suite failure remains in |
Updates 8 .expected fixture files to match the new .actual output produced by the CLI 2.25.6 standard library bump, verified against the CI run and (where locally reproducible) re-run with the matching CLI: - javascript XSSReact, InsecureIV: source node span precision refinements (no alert/finding changes) - go cmdi, python CodeInjectionLocal/UnsafeDeserializationLocal/ CommandInjectionLocal: internal MaD model ID renumbering only - csharp HashWithoutSalt: library flow-analysis improvement adds one new true-positive finding (more sink coverage), plus MaD renumbering - java FilePathInjection: sink taxonomy tag refined from path-injection to path-injection[read] (more precise, same sinks) None of these represent a lost true positive or a new false positive. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR performs an automated CodeQL CLI bump to 2.25.6 and aligns all CodeQL pack dependencies/lockfiles and repository release metadata to v0.6.0, including minor QL source updates needed for upstream API changes and regenerated test expectations.
Changes:
- Bump pinned CodeQL CLI version to
2.25.6and bump repo/packs to0.6.0. - Pin
codeql/*-all/codeql/*-queriesdependencies and refreshcodeql-pack.lock.ymlacross packs to match the official bundle versions for this CLI. - Update affected QL sources and regenerate test
.expectedoutputs to match new library/extractor behavior.
Show a summary per file
| File | Description |
|---|---|
.codeqlversion |
Bumps pinned CodeQL CLI to 2.25.6. |
.release.yml |
Bumps repository release version to 0.6.0 (drives publish automation). |
ruby/lib/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/ruby-all. |
ruby/lib/codeql-pack.lock.yml |
Refreshes Ruby lib pack lockfile for new CLI/bundle libs. |
ruby/src/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/ruby-all. |
ruby/src/codeql-pack.lock.yml |
Refreshes Ruby src pack lockfile for new CLI/bundle libs. |
ruby/test/qlpack.yml |
Pins Ruby test dependencies to bundle versions. |
ruby/test/codeql-pack.lock.yml |
Refreshes Ruby test pack lockfile for new CLI/bundle libs. |
python/ext/qlpack.yml |
Bumps Python extensions pack version and target codeql/python-all. |
python/lib/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/python-all. |
python/lib/codeql-pack.lock.yml |
Refreshes Python lib pack lockfile for new CLI/bundle libs. |
python/src/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/python-all. |
python/src/codeql-pack.lock.yml |
Refreshes Python src pack lockfile for new CLI/bundle libs. |
python/test/qlpack.yml |
Pins Python test dependencies to bundle versions. |
python/test/codeql-pack.lock.yml |
Refreshes Python test pack lockfile for new CLI/bundle libs. |
python/test/security/CWE-078/CommandInjectionLocal.expected |
Updates expected test output to match new MaD/provenance numbering. |
python/test/security/CWE-094/CodeInjectionLocal.expected |
Updates expected test output to match new MaD/provenance numbering. |
python/test/security/CWE-502/UnsafeDeserializationLocal.expected |
Updates expected test output to match new MaD/provenance numbering. |
javascript/lib/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/javascript-all. |
javascript/lib/codeql-pack.lock.yml |
Refreshes JavaScript lib pack lockfile for new CLI/bundle libs. |
javascript/src/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/javascript-all. |
javascript/src/codeql-pack.lock.yml |
Refreshes JavaScript src pack lockfile for new CLI/bundle libs. |
javascript/test/qlpack.yml |
Pins JavaScript test dependency to bundle version. |
javascript/test/codeql-pack.lock.yml |
Refreshes JavaScript test pack lockfile for new CLI/bundle libs. |
javascript/test/security/CWE-079/XSSReact.expected |
Updates expected flow spans to match new extractor/library behavior. |
javascript/test/security/CWE-329/InsecureIV.expected |
Updates expected flow spans to match new extractor/library behavior. |
java/ext/qlpack.yml |
Bumps Java extensions pack version and target codeql/java-all. |
java/ext-library-sources/qlpack.yml |
Bumps Java library-sources pack version and target codeql/java-all. |
java/lib/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/java-all. |
java/lib/codeql-pack.lock.yml |
Refreshes Java lib pack lockfile for new CLI/bundle libs. |
java/src/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/java-all. |
java/src/codeql-pack.lock.yml |
Refreshes Java src pack lockfile for new CLI/bundle libs. |
java/src/audit/CWE-079/XSSJSPLenient.ql |
Updates ReturnStmt API usage (getResult → getExpr) for new libraries. |
java/src/security/CWE-079/XSSJSP.ql |
Updates ReturnStmt API usage (getResult → getExpr) for new libraries. |
java/src/security/CWE-094/SpringViewManipulationLib.qll |
Updates ReturnStmt API usage (getResult → getExpr) for new libraries. |
java/src/security/CWE-295/JxBrowserWithoutCertValidation.ql |
Updates ReturnStmt API usage (getResult → getExpr) for new libraries. |
java/src/security/CWE-470/LoadClassNoSignatureCheck.ql |
Updates SSA API usage (SsaVariable/getAUse → SsaDefinition/getARead) for new libraries. |
java/test/qlpack.yml |
Pins Java test dependency to bundle version. |
java/test/codeql-pack.lock.yml |
Refreshes Java test pack lockfile for new CLI/bundle libs. |
java/test/security/CWE-073/FilePathInjection.expected |
Updates expected model classification output format. |
java/test/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected |
Updates expected output (removes deprecated-warning line). |
java/test/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.expected |
Updates expected output (removes deprecated-warning line). |
java/test/security/CWE-470/LoadClassNoSignatureCheck.expected |
Updates expected output (removes deprecated-warning lines). |
go/ext/qlpack.yml |
Bumps Go extensions pack version and target codeql/go-all. |
go/lib/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/go-all. |
go/lib/codeql-pack.lock.yml |
Refreshes Go lib pack lockfile for new CLI/bundle libs. |
go/src/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/go-all. |
go/src/codeql-pack.lock.yml |
Refreshes Go src pack lockfile for new CLI/bundle libs. |
go/test/qlpack.yml |
Pins Go test dependency to bundle version. |
go/test/codeql-pack.lock.yml |
Refreshes Go test pack lockfile for new CLI/bundle libs. |
go/test/security/CWE-078/cmdi.expected |
Updates expected test output to match new MaD/provenance numbering. |
csharp/ext/qlpack.yml |
Bumps C# extensions pack version and target codeql/csharp-all. |
csharp/ext-library-sources/qlpack.yml |
Bumps C# library-sources pack version and target codeql/csharp-all. |
csharp/lib/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/csharp-all. |
csharp/lib/codeql-pack.lock.yml |
Refreshes C# lib pack lockfile for new CLI/bundle libs. |
csharp/src/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/csharp-* deps. |
csharp/src/codeql-pack.lock.yml |
Refreshes C# src pack lockfile for new CLI/bundle libs. |
csharp/src/security/CWE-1004/CookieWithoutHttpOnly.ql |
Updates Assignment API usage (getRValue/getLValue → getRightOperand/getLeftOperand). |
csharp/src/security/CWE-614/CookieWithoutSecure.ql |
Updates Assignment API usage (getRValue/getLValue → getRightOperand/getLeftOperand). |
csharp/src/security/CWE-759/HashWithoutSalt.ql |
Updates Assignment API usage (getRValue/getLValue → getRightOperand/getLeftOperand). |
csharp/src/security/dataflow/flowsources/AuthCookie.qll |
Updates Assignment/initializer operand API usage for new libraries. |
csharp/test/qlpack.yml |
Pins C# test dependencies to bundle versions. |
csharp/test/codeql-pack.lock.yml |
Refreshes C# test pack lockfile for new CLI/bundle libs. |
csharp/test/security/CWE-759/HashWithoutSalt.expected |
Updates expected results/models/flows to match new library behavior. |
cpp/lib/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/cpp-all. |
cpp/lib/codeql-pack.lock.yml |
Refreshes C++ lib pack lockfile for new CLI/bundle libs. |
cpp/src/qlpack.yml |
Bumps pack version to 0.6.0 and pins codeql/cpp-* deps. |
cpp/src/codeql-pack.lock.yml |
Refreshes C++ src pack lockfile for new CLI/bundle libs. |
cpp/test/qlpack.yml |
Pins C++ test dependencies to bundle versions. |
cpp/test/codeql-pack.lock.yml |
Refreshes C++ test pack lockfile for new CLI/bundle libs. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 70/70 changed files
- Comments generated: 0
- Review effort level: Low
Automated CLI version bump, requested via the "Update CodeQL CLI Version"
workflow (
workflow_dispatch,codeql_version: 2.25.6,release_bump: minor).This PR:
Updates
.codeqlversionto2.25.6.Pins every
codeql/<lang>-all/codeql/<lang>-queriesdependency across allqlpack.ymlfiles to the exact version shipped in the official CodeQL Bundlefor this CLI release (see
.github/scripts/pin-codeql-library-versions.sh) -this keeps
codeql pack upgradefrom jumping those libraries toregistry-latest instead of the version this CLI actually ships/tests against.
Runs
codeql pack upgrade <dir>for every pack directory to refresh itscodeql-pack.lock.ymlagainst the new CLI and pinned library versions.Also bumps the repo release version (
minor, via the samepatch-release-mestepupdate-release.ymluses) to0.6.0,propagating it to every pack's own
version:field,configs/*.ymlreferences, and cross-pack
-libspins.Merging this PR triggers the real batch publish -
publish.yml'sauto-trigger fires on any push to
mainthat changes.release.yml, which thisPR does. No separate "CodeQL Update Release" run is needed. That run's
summaryjob will create the matching GitHub Release as a full release
(
release_prerelease: false).Remaining steps (see CONTRIBUTING.md's "Updating the pinned CodeQL CLI/library
version" section):
API changes. This is usually the hardest part; consider delegating it to a
Copilot coding agent session pointed at this PR/branch.