Merge branch 'main' into robertbrignull/nightly-codeql

Author: robertbrignull

.github/dependabot.yml

@@ -7,16 +7,10 @@ updates:
       day: "thursday" # Thursday is arbitrary
     labels:
       - "Update dependencies"
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "thursday" # Thursday is arbitrary
     labels:
       - "Update dependencies"
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]

.markdownlint.json

@@ -1,4 +1,7 @@
 {
+  "ul-style": {
+    "style": "dash"
+  },
   "MD013": false,
   "MD041": false
 }

CODE_OF_CONDUCT.md

@@ -14,21 +14,21 @@ appearance, race, religion, or sexual identity and orientation.
 Examples of behavior that contributes to creating a positive environment
 include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
+- The use of sexualized language or imagery and unwelcome sexual attention or
   advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic
   address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
+- Other conduct which could reasonably be considered inappropriate in a
   professional setting
 
 ## Our Responsibilities
@@ -55,7 +55,7 @@ a project may be further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at opensource@github.com. All
+reported by contacting the project team at <opensource@github.com>. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

CONTRIBUTING.md

@@ -22,12 +22,12 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 
 Here are a few things you can do that will increase the likelihood of your pull request being accepted:
 
-* Follow the [style guide][style].
-* Write tests:
-  * [Tests that don't require the VS Code API are located here](extensions/ql-vscode/test).
-  * [Integration tests that do require the VS Code API are located here](extensions/ql-vscode/src/vscode-tests).
-* Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
-* Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
+- Follow the [style guide][style].
+- Write tests:
+  - [Tests that don't require the VS Code API are located here](extensions/ql-vscode/test).
+  - [Integration tests that do require the VS Code API are located here](extensions/ql-vscode/src/vscode-tests).
+- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
+- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
 
 ## Setting up a local build
 
@@ -99,6 +99,6 @@ More information about Storybook can be found inside the **Overview** page once
 
 ## Resources
 
-* [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
-* [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
-* [GitHub Help](https://help.github.com)
+- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
+- [GitHub Help](https://help.github.com)

README.md

@@ -11,11 +11,11 @@ To see what has changed in the last few versions of the extension, see the [Chan
 
 ## Features
 
-* Enables you to use CodeQL to query databases and discover problems in codebases.
-* Shows the flow of data through the results of path queries, which is essential for triaging security results.
-* Provides an easy way to run queries from the large, open source repository of [CodeQL security queries](https://github.com/github/codeql).
-* Adds IntelliSense to support you writing and editing your own CodeQL query and library files.
-* Supports you running CodeQL queries against thousands of repositories on GitHub using multi-repository variant analysis.
+- Enables you to use CodeQL to query databases and discover problems in codebases.
+- Shows the flow of data through the results of path queries, which is essential for triaging security results.
+- Provides an easy way to run queries from the large, open source repository of [CodeQL security queries](https://github.com/github/codeql).
+- Adds IntelliSense to support you writing and editing your own CodeQL query and library files.
+- Supports you running CodeQL queries against thousands of repositories on GitHub using multi-repository variant analysis.
 
 ## Project goals and scope
 
@@ -25,8 +25,8 @@ This project will track new feature development in CodeQL and, whenever appropri
 
 This extension depends on the following two extensions for required functionality. They will be installed automatically when you install VS Code CodeQL.
 
-* [Test Adapter Converter](https://marketplace.visualstudio.com/items?itemName=ms-vscode.test-adapter-converter)
-* [Test Explorer UI](https://marketplace.visualstudio.com/items?itemName=hbenl.vscode-test-explorer)
+- [Test Adapter Converter](https://marketplace.visualstudio.com/items?itemName=ms-vscode.test-adapter-converter)
+- [Test Explorer UI](https://marketplace.visualstudio.com/items?itemName=hbenl.vscode-test-explorer)
 
 ## Contributing
 

docs/releasing.md

@@ -1,33 +1,33 @@
 # Releasing (write access required)
 
 1. Determine the new version number. We default to increasing the patch version number, but make our own judgement about whether a change is big enough to warrant a minor version bump. Common reasons for a minor bump could include:
-    * Making substantial new features available to all users. This can include lifting a feature flag.
-    * Breakage in compatibility with recent versions of the CLI.
-    * Minimum required version of VS Code is increased.
-    * New telemetry events are added.
-    * Deprecation or removal of commands.
-    * Accumulation of many changes, none of which are individually big enough to warrant a minor bump, but which together are. This does not include changes which are purely internal to the extension, such as refactoring, or which are only available behind a feature flag.
+    - Making substantial new features available to all users. This can include lifting a feature flag.
+    - Breakage in compatibility with recent versions of the CLI.
+    - Minimum required version of VS Code is increased.
+    - New telemetry events are added.
+    - Deprecation or removal of commands.
+    - Accumulation of many changes, none of which are individually big enough to warrant a minor bump, but which together are. This does not include changes which are purely internal to the extension, such as refactoring, or which are only available behind a feature flag.
 1. Create a release branch named after the new version (e.g. `v1.3.6`):
-    * For a regular scheduled release this branch will be based on latest `main`.
-        * Make sure your local copy of `main` is up to date so you are including all changes.
-    * To do a minimal bug-fix release, base the release branch on the tag from the most recent release and then add only the changes you want to release.
-        * Choose this option if you want to release a specific set of changes (e.g. a bug fix) and don't want to incur extra risk by including other changes that have been merged to the `main` branch.
+    - For a regular scheduled release this branch will be based on latest `main`.
+        - Make sure your local copy of `main` is up to date so you are including all changes.
+    - To do a minimal bug-fix release, base the release branch on the tag from the most recent release and then add only the changes you want to release.
+        - Choose this option if you want to release a specific set of changes (e.g. a bug fix) and don't want to incur extra risk by including other changes that have been merged to the `main` branch.
 
         ```bash
         git checkout -b <new_release_branch> <previous_release_tag>
         ```
 
 1. Run the ["Run CLI tests" workflow](https://github.com/github/vscode-codeql/actions/workflows/cli-test.yml) and make sure the tests are green.
-    * You can skip this step if you are releasing from `main` and there were no merges since the most recent daily scheduled run of this workflow.
+    - You can skip this step if you are releasing from `main` and there were no merges since the most recent daily scheduled run of this workflow.
 1. Double-check the `CHANGELOG.md` contains all desired change comments and has the version to be released with date at the top.
-    * Go through PRs that have been merged since the previous release and make sure they are properly accounted for.
-    * Make sure all changelog entries have links back to their PR(s) if appropriate.
+    - Go through PRs that have been merged since the previous release and make sure they are properly accounted for.
+    - Make sure all changelog entries have links back to their PR(s) if appropriate.
 1. Double-check that the extension `package.json` and `package-lock.json` have the version you intend to release. If you are doing a patch release (as opposed to minor or major version) this should already be correct.
 1. Commit any changes made during steps 4 and 5 with a commit message the same as the branch name (e.g. `v1.3.6`).
 1. Open a PR for this release.
-    * The PR diff should contain:
-        * Any missing bits from steps 4 and 5. Most of the time, this will just be updating `CHANGELOG.md` with today's date.
-        * If releasing from a branch other than `main`, this PR will also contain the extension changes being released.
+    - The PR diff should contain:
+        - Any missing bits from steps 4 and 5. Most of the time, this will just be updating `CHANGELOG.md` with today's date.
+        - If releasing from a branch other than `main`, this PR will also contain the extension changes being released.
 1. Build the extension using `npm run build` and install it on your VS Code using "Install from VSIX".
 1. Go through [our test plan](./test-plan.md) to ensure that the extension is working as expected.
 1. Create a new tag on the release branch with your new version (named after the release), e.g.
@@ -37,22 +37,22 @@
     ```
 
 1. Merge the release PR into `main`.
-    * If there are conflicts in the changelog, make sure to place any new changelog entries at the top, above the section for the current release, as these new entries are not part of the current release and should be placed in the "unreleased" section.
-    * The release PR must be merged before pushing the tag to ensure that we always release a commit that is present on the `main` branch. It's not required that the commit is the head of the `main` branch, but there should be no chance of a future release accidentally not including changes from this release.
+    - If there are conflicts in the changelog, make sure to place any new changelog entries at the top, above the section for the current release, as these new entries are not part of the current release and should be placed in the "unreleased" section.
+    - The release PR must be merged before pushing the tag to ensure that we always release a commit that is present on the `main` branch. It's not required that the commit is the head of the `main` branch, but there should be no chance of a future release accidentally not including changes from this release.
 1. Push the new tag up:
 
     ```bash
     git push origin refs/tags/v1.3.6
     ```
 
 1. Find the [Release](https://github.com/github/vscode-codeql/actions?query=workflow%3ARelease) workflow run that was just triggered by pushing the tag, and monitor the status of the release build.
-    * DO NOT approve the "publish" stages of the workflow yet.
+    - DO NOT approve the "publish" stages of the workflow yet.
 1. Download the VSIX from the draft GitHub release at the top of [the releases page](https://github.com/github/vscode-codeql/releases) that is created when the release build finishes.
 1. Unzip the `.vsix` and inspect its `package.json` to make sure the version is what you expect,
    or look at the source if there's any doubt the right code is being shipped.
 1. Install the `.vsix` file into your vscode IDE and ensure the extension can load properly. Run a single command (like run query, or add database).
 1. Approve the deployments of the [Release](https://github.com/github/vscode-codeql/actions?query=workflow%3ARelease) workflow run. This will automatically publish to Open VSX and VS Code Marketplace.
-    * If there is an authentication failure when publishing, be sure to check that the authentication keys haven't expired. See below.
+    - If there is an authentication failure when publishing, be sure to check that the authentication keys haven't expired. See below.
 1. Go to the draft GitHub release in [the releases page](https://github.com/github/vscode-codeql/releases), click 'Edit', add some summary description, and publish it.
 1. Confirm the new release is marked as the latest release.
 1. If documentation changes need to be published, notify documentation team that release has been made.

docs/testing.md

@@ -2,14 +2,14 @@
 
 We have several types of tests:
 
-* Unit tests: these live in the `tests/unit-tests/` directory
-* View tests: these live in `src/view/variant-analysis/__tests__/`
-* VSCode integration tests:
-  * `test/vscode-tests/activated-extension` tests: These are intended to cover functionality that require the full extension to be activated but don't require the CLI. This suite is not run against multiple versions of the CLI in CI.
-  * `test/vscode-tests/no-workspace` tests: These are intended to cover functionality around not having a workspace. The extension is not activated in these tests.
-  * `test/vscode-tests/minimal-workspace` tests: These are intended to cover functionality that need a workspace but don't require the full extension to be activated.
-* CLI integration tests: these live in `test/vscode-tests/cli-integration`
-  * These tests are intended to cover functionality that is related to the integration between the CodeQL CLI and the extension. These tests are run against each supported versions of the CLI in CI.
+- Unit tests: these live in the `tests/unit-tests/` directory
+- View tests: these live in `src/view/variant-analysis/__tests__/`
+- VSCode integration tests:
+  - `test/vscode-tests/activated-extension` tests: These are intended to cover functionality that require the full extension to be activated but don't require the CLI. This suite is not run against multiple versions of the CLI in CI.
+  - `test/vscode-tests/no-workspace` tests: These are intended to cover functionality around not having a workspace. The extension is not activated in these tests.
+  - `test/vscode-tests/minimal-workspace` tests: These are intended to cover functionality that need a workspace but don't require the full extension to be activated.
+- CLI integration tests: these live in `test/vscode-tests/cli-integration`
+  - These tests are intended to cover functionality that is related to the integration between the CodeQL CLI and the extension. These tests are run against each supported versions of the CLI in CI.
 
 The CLI integration tests require an instance of the CodeQL CLI to run so they will require some extra setup steps. When adding new tests to our test suite, please be mindful of whether they need to be in the cli-integration folder. If the tests don't depend on the CLI, they are better suited to being a VSCode integration test.
 
@@ -26,9 +26,9 @@ Pre-requisites:
 
 Then, from the `extensions/ql-vscode` directory, use the appropriate command to run the tests:
 
-* Unit tests: `npm run test:unit`
-* View Tests: `npm run test:view`
-* VSCode integration tests: `npm run test:vscode-integration`
+- Unit tests: `npm run test:unit`
+- View Tests: `npm run test:view`
+- VSCode integration tests: `npm run test:vscode-integration`
 
 #### Running CLI integration tests from the terminal
 
@@ -48,9 +48,9 @@ Alternatively, you can run the tests inside of VSCode. There are several VSCode
 
 You will need to run tests using a task from inside of VS Code, under the "Run and Debug" view:
 
-* Unit tests: run the _Launch Unit Tests_ task
-* View Tests: run the _Launch Unit Tests - React_ task
-* VSCode integration tests: run the _Launch Unit Tests - No Workspace_ and _Launch Unit Tests - Minimal Workspace_ tasks
+- Unit tests: run the _Launch Unit Tests_ task
+- View Tests: run the _Launch Unit Tests - React_ task
+- VSCode integration tests: run the _Launch Unit Tests - No Workspace_ and _Launch Unit Tests - Minimal Workspace_ tasks
 
 #### Running CLI integration tests from VSCode
 

extensions/ql-vscode/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 ## [UNRELEASED]
 
+- Add a prompt for downloading a GitHub database when opening a GitHub repository. [#3138](https://github.com/github/vscode-codeql/pull/3138)
+- Avoid showing a popup when hovering over source elements in database source files. [#3125](https://github.com/github/vscode-codeql/pull/3125)
+- Add comparison of alerts when comparing query results. This allows viewing path explanations for differences in alerts. [#3113](https://github.com/github/vscode-codeql/pull/3113)
+
+## 1.11.0 - 13 December 2023
+
+- Add a new method modeling panel to classify methods as sources/sinks/summaries while in the context of the source code. [#3128](https://github.com/github/vscode-codeql/pull/3128)
+- Adds the ability to add multiple classifications per method in the CodeQL Model Editor. [#3128](https://github.com/github/vscode-codeql/pull/3128)
+- Switch add and delete button positions in the CodeQL Model Editor. [#3123](https://github.com/github/vscode-codeql/pull/3123)
 - Add a prompt to the "Quick query" command to encourage users in single-folder workspaces to use "Create query" instead. [#3082](https://github.com/github/vscode-codeql/pull/3082)
 - Remove support for CodeQL CLI versions older than 2.11.6. [#3087](https://github.com/github/vscode-codeql/pull/3087)
 - Preserve focus on results viewer when showing a location in a file. [#3088](https://github.com/github/vscode-codeql/pull/3088)
@@ -14,7 +23,7 @@
 - Add new CodeQL views for managing databases and queries:
   1. A queries panel that shows all queries in your workspace. It allows you to view, create, and run queries in one place.
   2. A language selector, which allows you to quickly filter databases and queries by language.
-  
+
   For more information, see the [documentation](https://codeql.github.com/docs/codeql-for-visual-studio-code/analyzing-your-projects/#filtering-databases-and-queries-by-language).
 - When adding a CodeQL database, we no longer add the database source folder to the workspace by default (since this caused bugs in single-folder workspaces). [#3047](https://github.com/github/vscode-codeql/pull/3047)
   - You can manually add individual database source folders to the workspace with the "Add Database Source to Workspace" right-click command in the databases view.