changelog for 2.5.5

hmakholm · hmakholm · commit 769affc296ea · 2021-05-17T21:04:32.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,70 @@
 # CodeQL CLI changelog
 
+<!-- *********************************
+     **                             **
+     **   DO NOT EDIT THIS FILE!    **
+     **                             **
+     *********************************
+.
+     Pull requests should instead drop Markdown snippets in the
+     subdirectory `unreleased-changelog-entries` found next to
+     the authoritative copy of this file in semmle-code.
+     Please include a three-hash heading such as "Bugs fixed"
+     and format your snippet as a list item.
+.
+     (Okay, if you're the CLI release manager following the
+     checklist for a CLI release, you can edit here. But then
+     you know what to do).
+-->
+
+## Release 2.5.5 (2021-05-17)
+
+- The bundled extractors are updated to match the versions currently
+  used on LGTM.com. These are newer than the last release (1.27) of
+  LGTM Enterprise. If you plan to upload databases to an LGTM
+  Enterprise 1.27 instance, you need to create them with release
+  2.4.6.
+
+### Potentially breaking changes
+
+- When scanning the disk for QL packs and extractors, directories of
+  the form `.../SOMETHING/SOMETHING.testproj` (where the two
+  `SOMETHING` are identical) will now be ignored.  Names of this form
+  are used by `codeql test run` for ephemeral test databases, which
+  can sometimes contain files that confuse QL compilations.
+
+### Features added
+
+- Query writers can now optionally use `@severity` in place of
+  `@problem.severity` in the metadata for alert queries. SARIF
+  consumers should continue to consume this severity information using
+  the `rule.defaultConfiguration.level` property for SARIF v2.1.0, and
+  corresponding properties for other versions of SARIF. They should
+  not depend on the value stored in the `rule.properties` property
+  bag, since this will contain either `@problem.severity` or
+  `@severity` based on exactly what was written in the query metadata.
+
+- When exporting analysis results to SARIF v2.1.0, results and metric
+  results now contain a [reporting descriptor reference object][1]
+  that specifies the rule that produced them. For metric results, this
+  new property replaces the `metric` property.
+
+  [1]: https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10541300
+
+- `codeql database analyze` now outputs a table that summarises the
+  results of metric queries that were part of the analysis. This can
+  be suppressed by passing the `--no-print-metrics-summary` flag.
+
+### Bugs fixed
+
+- When using the `--sarif-group-rules-by-pack` flag to place the SARIF
+  rule object for each query underneath its corresponding query pack
+  in `runs[].tool.extensions`, the `rule` property of result objects
+  can now be used to look up the rule within the `rules` property of
+  the appropriate query pack in `runs[].tool.extensions`. Previously,
+  rule lookup for result objects in the SARIF output was not
+  well-defined when the `--sarif-group-rules-by-pack` flag was passed.
+
 ## Release 2.5.4 (2021-05-03)
 
 - This release is identical to release 2.5.3, except that
@@ -9,10 +74,7 @@
   `--sarif-category` was autogenerated if not present.
 - Code Scanning users should upgrade to this version and
   avoid 2.5.3.
-- If you plan to upload databases to an LGTM
-  Enterprise 1.27 instance, you need to create them with release
-  2.4.6.
-  
+
 ## Release 2.5.3 (2021-04-30)
 
 - The bundled extractors are updated to match the versions currently
