Update release notes for code scanning features (#50760)
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
coadaflorin and isaacmbrown authored May 29, 2024
1 parent e62595f commit b5ad325
Showing 3 changed files with 20 additions and 14 deletions.
2 changes: 1 addition & 1 deletion content/admin/all-releases.md
Expand Up @@ -52,7 +52,7 @@ If you run analysis in an external CI system, we recommend using the same versio

| {% data variables.product.product_name %} version | Recommended {% data variables.product.prodname_codeql_cli %} version |
| ------------------------------------------------- | ---------------------- |
| 3.13 | 2.16.6 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.6/)) |
| 3.13 | 2.16.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.5/)) |
| 3.12 | 2.15.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.15.5/)) |
| 3.11 | 2.14.6 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.14.6/)) |
| 3.10 | 2.13.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.13.5/)) |
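Review bot: The 3.13 row lowers the recommended CodeQL CLI from 2.16.6 to 2.16.5, so this table has to stay in step with `codeql_cli_ghes_recommended_version` in data/variables/product.yml and with the 3.13 release note, both of which this commit also sets to 2.16.5; if the three drift apart, administrators running analysis in an external CI system would be told to pin a different CLI than the bundled action uses. Because the 3.13 release note lists a fix for CVE-2024-25129 among the changes included in this CLI series, confirm that the advisory's patched release is at or below 2.16.5 before recommending the lower version, and check that the 2.16.5 changelog URL resolves.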
30 changes: 18 additions & 12 deletions data/release-notes/enterprise-server/3-13/0-rc1.yml
Expand Up @@ -85,31 +85,37 @@ sections:
- heading: Secret scanning
notes:
# https://github.com/github/releases/issues/3566
# https://github.com/github/releases/issues/3566
- |
In the secret scanning list view, users can apply a filter to display alerts that are the result of having bypassed push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
In the secret scanning list view, users can apply a filter to display alerts that are the result of having bypassed push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
# https://github.com/github/releases/issues/3180
- |
To increase coverage of secret scanning across an instance, users can enable secret scanning in repositories owned by their personal account. Enterprise owners can disable this feature, or automatically enable it for all new user-owned repositories, in the enterprise settings. See "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)."
- heading: Code scanning
notes:
# https://github.com/github/releases/issues/3526
- |
Users can enable code scanning on repositories even if they don't contain any code written in the [languages currently supported by CodeQL](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/). Default setup will automatically trigger the first scan when a supported language is detected on the default branch. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)."
# https://github.com/github/releases/issues/3545
- |
Users can use CodeQL threat model settings for Java to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in their code. This feature is in public beta and subject to change. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."
# https://github.com/github/releases/issues/3771
# https://github.com/github/releases/issues/3807
# https://github.com/github/releases/issues/3818
# https://github.com/github/releases/issues/3864
# https://github.com/github/releases/issues/3894
- |
The {% data variables.product.prodname_codeql %} action for code scanning analysis uses version 2.16.6 of the {% data variables.product.prodname_codeql_cli %} of the CodeQL CLI by default. See the [changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.6/) for this version.
# https://github.com/github/releases/issues/3526
- |
Users can enable code scanning on repositories even if they don’t contain any code written in the [languages currently supported by CodeQL](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/). Default setup will automatically trigger the first scan when a supported language is detected on the default branch. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)."
# https://github.com/github/releases/issues/3545
- |
Users can use CodeQL threat model settings for Java to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in their code. This feature is in public beta and subject to change. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."
# https://github.com/github/releases/issues/3648
- |
To enable users to adopt the latest version of .NET / C# for their code base and continue using CodeQL to identify vulnerabilities, CodeQL code scanning supports C# 12 and .NET 8. For more information, see "[CodeQL 2.16.4](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.4/#c-2)" in the CodeQL documentation.
The {% data variables.product.prodname_codeql %} action for code scanning analysis uses version 2.16.5 of the {% data variables.product.prodname_codeql_cli %} by default, an upgrade from 2.15.5 compared to the previous {% data variables.product.prodname_ghe_server %} feature release. For a detailed list of changes included in each version, see the [{% data variables.product.prodname_codeql %} change logs](https://codeql.github.com/docs/codeql-overview/codeql-changelog/).
Significant changes include:
- Support for Swift 5.9.2, C# 12 / .NET 8, and Go 1.22.
- Installation of Python dependencies is disabled for all Python scans by default. See the [GitHub Blog post](https://github.blog/changelog/2023-07-12-code-scanning-with-codeql-no-longer-installs-python-dependencies-automatically-for-new-users/).
- A new `python_executable_name` option for the Python extractor. This allows you to select a non-default Python executable installed on the system running the scan (such as `py.exe` on Windows machines). See the [changelog in the CodeQL documentation](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.3/#new-features).
- A fix for [CVE-2024-25129](https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph), a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
- The code scanning UI now includes partially extracted files. See the [GitHub Blog post](https://github.blog/changelog/2024-01-23-codeql-2-16-python-dependency-installation-disabled-new-queries-and-bug-fixes/#:~:text=The%20measure%20of,the%20near%20future.).
- 2 new C/C++ queries: `cpp/use-of-unique-pointer-after-lifetime-ends` and `cpp/incorrectly-checked-scanf`
- 6 new Java queries: `java/insecure-randomness` , `java/exec-tainted-environment` , `java/android/sensitive-text`, `java/android/sensitive-notification`, `java/android/insecure-local-authentication`, and `java/android/insecure-local-key-gen`
- 2 new Swift queries: `swift/weak-password-hashing` and `swift/unsafe-unpacking`
- heading: Code security
notes:
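Review bot: The new consolidated 2.16.5 note's bullet "Support for Swift 5.9.2, C# 12 / .NET 8, and Go 1.22." repeats the claim already made by the issue 3648 note two entries earlier ("CodeQL code scanning supports C# 12 and .NET 8"), so keep one of the two or fold the 3648 note into the list. The rewrite does fix the old sentence, which said "of the CodeQL CLI" twice. Smaller points: the issue 3526 note now uses a curly apostrophe in "don’t" where the neighbouring notes use a straight one; the Java query list has stray spaces before its commas (`java/insecure-randomness` , `java/exec-tainted-environment` ,); the issue 3566 comment and its push-protection note appear twice under Secret scanning, which should be verified as an indentation-only change rather than a duplicated entry; and because "Significant changes include:" and its bullets sit inside the `- |` block scalar, the indentation should be checked so the list renders as part of the same note instead of as new YAML items.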
2 changes: 1 addition & 1 deletion data/variables/product.yml
Expand Up @@ -89,7 +89,7 @@ prodname_codeql_cli: 'CodeQL CLI'
# CodeQL usually bumps its minor version for each minor version of GHES.
# Update this whenever a new enterprise version of CodeQL is being prepared.
codeql_cli_ghes_recommended_version: >-
{% ifversion ghes < 3.10 %}2.12.7{% elsif ghes < 3.11 %}2.13.5{% elsif ghes < 3.12 %}2.14.6{% elsif ghes < 3.13 %}2.15.5{% elsif ghes < 3.14 %}2.16.6{% endif %}
{% ifversion ghes < 3.10 %}2.12.7{% elsif ghes < 3.11 %}2.13.5{% elsif ghes < 3.12 %}2.14.6{% elsif ghes < 3.13 %}2.15.5{% elsif ghes < 3.14 %}2.16.5{% endif %}
# Projects v2
prodname_projects_v2: '{% ifversion ghes = 3.9 %}Projects (beta){% else %}Projects{% endif %}'
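Review bot: The `{% ifversion %}` chain ends with `{% elsif ghes < 3.14 %}2.16.5{% endif %}` and has no final `else` branch, so any GHES version at or above 3.14 renders an empty recommended version; that predates this change, but since the line is being touched it is the right moment to add a trailing branch. Also confirm the 2.16.5 value matches the 3.13 row in content/admin/all-releases.md and the 3.13 release note updated in the same commit.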