From c9e1ebc8d88ba207ca596a120fbae1cecd3c47f5 Mon Sep 17 00:00:00 2001 From: Nathan Randall Date: Mon, 2 Feb 2026 09:16:36 -0700 Subject: [PATCH 1/9] Fix typos in LICENSE.md This commit fixes the spelling of one word and corrects one subject-verb agreement mismatch in LICENSE.md file. --- LICENSE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index 3ef032db..e8727085 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -33,7 +33,7 @@ below: * Use the Software to demonstrate the Software. * Test CodeQL queries that are released under an OSI-approved - Licence to confirm that new versions of those queries continue to + License to confirm that new versions of those queries continue to find the right vulnerabilities. Here's what you may also do with the Software, but only with an Open @@ -169,7 +169,7 @@ provision of these Terms will not constitute a waiver of such right or provision. _Entire Agreement._ These Terms, together with any open source -software licenses referenced above, constitutes the entire agreement +software licenses referenced above, constitute the entire agreement between you and GitHub regarding your use of the Software, superseding any prior agreements between you and GitHub (including, but not limited to, any prior versions of these Terms) regarding such use. From 3f1fd5f017d87e1f956b5a8d877ffd8cb4a5176d Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 5 Feb 2026 15:56:12 +0000 Subject: [PATCH 2/9] Add changenotes for 2.24.1 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dad374a8..a636b80b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -17,6 +17,12 @@ you know what to do). --> +## Release 2.24.1 (2026-02-05) + +### Miscellaneous + +- The vulnerable xwork-core 2.3.37 test dependency (CVE-2025-68493) has been removed. The CodeQL Java library has been updated to support both legacy Struts 2.x-6.x package names and Struts 7.x package names for analyzing user code. + ## Release 2.24.0 (2026-01-26) ### Miscellaneous From f4e1dee21aedb8d382f6ac4a3dfb514a8e4d0e3b Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 20 Feb 2026 11:20:13 +0000 Subject: [PATCH 3/9] Update CHANGELOG.md for 2.24.2 --- CHANGELOG.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a636b80b..916665ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,12 @@ you know what to do). --> +## Release 2.24.2 (2026-02-20) + +### Bug Fixes + +- Fixed SARIF output to generate RFC 1738 compatible file URIs. File URIs now always use the `file:///` format instead of `file:/` for better interoperability with SARIF consumers. + ## Release 2.24.1 (2026-02-05) ### Miscellaneous @@ -82,7 +88,7 @@ This release was skipped. } ``` - The `--permissive` option was removed, as under some circumstances it would break the extractor's ability to parse valid C++ code. When calling the extractor directly, + The `--permissive` option was removed, as under some circumstances it would break the extractor's ability to parse valid C++ code. When calling the extractor directly, `--permissive` should no longer be passed. The above code will fail to parse, and we recommend the code being made `const`-correct. @@ -231,7 +237,7 @@ This release was skipped. - On macOS the `CODEQL_TRACER_RELOCATION_EXCLUDE` environment variable can now be used to exclude certain paths from the tracer relocation and tracing process. This environment variable accepts newline-separated regex patterns of binaries - to be excluded. + to be excluded. ## Release 2.20.7 (2025-03-18) 
From 9231df8f23df70b6150bd79223c42d5e20c94934 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Thu, 5 Mar 2026 17:08:45 +0100 Subject: [PATCH 4/9] Update CHANGELOG.md for 2.24.3 From f467d25f90410a13ab54482a71c991714ac8a3a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Thu, 5 Mar 2026 17:10:54 +0100 Subject: [PATCH 5/9] Update CHANGELOG for release 2.24.3 Added details about bug fixes in release 2.24.3, including race condition fix and spurious warnings. --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 916665ca..e429b8cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,13 @@ you know what to do). --> +## Release 2.24.3 (2026-03-05) + +### Bug Fixes + +- Fixed a race condition that could cause flaky failures in overlay CodeQL tests. Test extraction now skips `*.testproj` directories by name, preventing interference from concurrently cleaned-up test databases. +- Fixed spurious "OOPS" warnings that could appear in help output for commands using mutually exclusive option groups, such as `codeql query run`. + ## Release 2.24.2 (2026-02-20) ### Bug Fixes From 249f3d5b0553b743286d11218ae16297c13a9cc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Thu, 19 Mar 2026 13:15:33 +0100 Subject: [PATCH 6/9] Update CHANGELOG for release 2.25.0 Added release notes for version 2.25.0, including breaking changes and bug fixes. --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e429b8cd..489bd40d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -16,6 +16,20 @@ checklist for a CLI release, you can edit here. But then you know what to do). --> +## Release 2.25.0 (2026-03-19) + +### Breaking Changes + +- `codeql database interpret-results` and `codeql database analyze` no longer attempt to reconstruct file baseline information from databases created with CLI versions before 2.11.2. + +### Bug Fixes + +- Upgraded Jackson library from 2.16.1 to 2.18.6 to address a high-severity denial of service vulnerability (GHSA-72hv-8253-57qq) in jackson-core's async JSON parser. +- Upgraded snakeyaml (which is a dependency of jackson-dataformat-yaml) from 2.2 to 2.3. + +## Release 2.24.4 (2026-03-16) + +This release was skipped. ## Release 2.24.3 (2026-03-05) From 1ebe9749ba4d4fc7a4d4f4cb900c8c2fd6a52893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Fri, 27 Mar 2026 09:44:04 +0000 Subject: [PATCH 7/9] Update changelog for release 2.25.1 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 489bd40d..4f60231c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,16 @@ checklist for a CLI release, you can edit here. But then you know what to do). --> +## Release 2.25.1 (2026-03-27) + +### Bug Fixes + +- Fixed a bug where extraction could fail on YAML files containing emoji.Collapse commentComment on lines R24 to R25henrymercer commented on Mar 26, 2026 henrymerceron Mar 26, 2026More actions + +### Miscellaneous + +- Upgraded snakeyaml (which is a dependency of jackson-dataformat-yaml) from 2.3 to 2.6. + ## Release 2.25.0 (2026-03-19) ### Breaking Changes From 0564862bef092139fbd761ee56dc3f2380555ef5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Fri, 27 Mar 2026 10:49:07 +0100 Subject: [PATCH 8/9] Fix YAML extraction bug and upgrade snakeyaml --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f60231c..90fb0e7d 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,7 +20,7 @@ ### Bug Fixes -- Fixed a bug where extraction could fail on YAML files containing emoji.Collapse commentComment on lines R24 to R25henrymercer commented on Mar 26, 2026 henrymerceron Mar 26, 2026More actions +- Fixed a bug where extraction could fail on YAML files containing emoji. ### Miscellaneous From 2c725ac18f6b371750d317f5f98d247c75d4c85b Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 15 Apr 2026 11:44:22 +0100 Subject: [PATCH 9/9] Add changenotes for 2.25.2 --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90fb0e7d..0e93e384 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,14 @@ checklist for a CLI release, you can edit here. But then you know what to do). --> + +## Release 2.25.2 (2026-04-15) + +### Miscellaneous + +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.10. + ## Release 2.25.1 (2026-03-27) ### Bug Fixes
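Review bot: both hunks in PATCH 1/9 look correct as written; `Licence` to `License` matches the spelling the file already uses elsewhere (the second hunk's own context reads "open source software licenses"), and `constitute` agrees with the plural subject "These Terms". No further change needed.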
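Review bot: the single bullet under `### Miscellaneous` in the 2.24.1 hunk (PATCH 2/9) bundles two unrelated changes, removal of the vulnerable xwork-core 2.3.37 test dependency (CVE-2025-68493) and the CodeQL Java library's support for Struts 7.x package names; split them into two bullets so each can be referenced on its own. Since the first is a vulnerable-dependency removal, state the user-facing impact explicitly (it was a test dependency; say whether any shipped artifact ever included it) so readers scanning the changelog for security-relevant entries do not have to infer it.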
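Review bot: the SARIF bullet in the 2.24.2 hunk (PATCH 3/9) cites RFC 1738, which is obsolete; the current `file` URI scheme is defined by RFC 8089 on top of RFC 3986, and under RFC 8089 the `file:/path` form is also syntactically valid. Rephrase so the entry reads as an interoperability change rather than as a fix for malformed output, e.g. "SARIF file URIs now always use the `file:///` form, which some SARIF consumers require, instead of `file:/`".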
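Review bot: the hunks at `@@ -82,7 +88,7 @@` and `@@ -231,7 +237,7 @@` in PATCH 3/9 are whitespace-only (trailing whitespace stripped from the `--permissive` paragraph and from "to be excluded."), and are unrelated to the 2.24.2 notes the commit is titled for. Either drop them from this commit or mention the cleanup in the commit message so the `git blame` on those lines is not misleading.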
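Review bot: PATCH 4/9 ("Update CHANGELOG.md for 2.24.3") contains no diff at all, and PATCH 5/9 then adds the actual 2.24.3 entry; squash the two so the series does not land an empty commit. The 2.24.3 hunk itself reads well: both bullets name the symptom (flaky overlay test failures, spurious "OOPS" warnings) and the cause, which is the right shape for a changelog entry.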
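Review bot: in the 2.25.0 hunk (PATCH 6/9) the Jackson upgrade for GHSA-72hv-8253-57qq is filed under `### Bug Fixes`, while the CVE-driven xwork-core removal in 2.24.1 went under `### Miscellaneous`; pick one place for security-driven dependency bumps so they are easy to find. The entry should also say whether the CLI uses jackson-core's async JSON parser at all, since that decides whether users were exposed. The breaking-change bullet would help users more if it described what they will observe for databases created before CLI 2.11.2 and how to recover (for example by re-creating the database with a current CLI).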
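Review bot: the emoji bullet in the 2.25.1 hunk (PATCH 7/9) has pasted GitHub review-UI text appended to it ("Collapse commentComment on lines R24 to R25henrymercer commented on Mar 26, 2026 ... More actions"); PATCH 8/9 removes exactly that text, so squash 8/9 into 7/9 rather than landing a broken changelog line. Separately, the snakeyaml 2.3 to 2.6 bump is under `### Miscellaneous` here while the 2.2 to 2.3 bump in 2.25.0 sat under `### Bug Fixes`; use one category for both.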
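Review bot: the subject of PATCH 8/9, "Fix YAML extraction bug and upgrade snakeyaml", describes the 2.25.1 release contents rather than this commit, whose only hunk deletes stray review-UI text from one CHANGELOG.md line. Retitle it to match the change (for example "Remove stray text from 2.25.1 changelog entry") or, better, fold it into PATCH 7/9.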
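Review bot: the 2.25.2 hunk (PATCH 9/9) adds a blank line (`+`) directly after `-->` before `+## Release 2.25.2`, on top of the existing blank context line, so the file ends up with two blank lines there, whereas every earlier entry in this series starts its `## Release` heading right after that single blank. Drop the leading `+` blank. The OpenJDK bullet is also hard-wrapped across two lines while the neighbouring bullets are single lines; Markdown renders both the same, but keep one convention.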