From b5ad3256c1f2b63bda42768ada13507f8c2e1651 Mon Sep 17 00:00:00 2001
From: Florin Coada
Date: Wed, 29 May 2024 14:06:19 +0300
Subject: [PATCH] Update release notes for code scanning features (#50760)
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
---
 content/admin/all-releases.md | 2 +-
 .../enterprise-server/3-13/0-rc1.yml | 30 +++++++++++--------
 data/variables/product.yml | 2 +-
 3 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/content/admin/all-releases.md b/content/admin/all-releases.md
index 3a8f4ce520..25cfd17698 100644
--- a/content/admin/all-releases.md
+++ b/content/admin/all-releases.md
@@ -52,7 +52,7 @@ If you run analysis in an external CI system, we recommend using the same versio
 
 | {% data variables.product.product_name %} version | Recommended {% data variables.product.prodname_codeql_cli %} version |
 | ------------------------------------------------- | ---------------------- |
-| 3.13 | 2.16.6 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.6/)) |
+| 3.13 | 2.16.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.5/)) |
 | 3.12 | 2.15.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.15.5/)) |
 | 3.11 | 2.14.6 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.14.6/)) |
 | 3.10 | 2.13.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.13.5/)) |
diff --git a/data/release-notes/enterprise-server/3-13/0-rc1.yml b/data/release-notes/enterprise-server/3-13/0-rc1.yml
index a756889403..021cad1330 100644
--- a/data/release-notes/enterprise-server/3-13/0-rc1.yml
+++ b/data/release-notes/enterprise-server/3-13/0-rc1.yml
@@ -85,31 +85,37 @@ sections: - heading: Secret scanning notes: - # https://github.com/github/releases/issues/3566 + # https://github.com/github/releases/issues/3566 - | - In the secret scanning list view, users can apply a filter to display alerts that are the result of having bypassed push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." + In the secret scanning list view, users can apply a filter to display alerts that are the result of having bypassed push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." # https://github.com/github/releases/issues/3180 - | To increase coverage of secret scanning across an instance, users can enable secret scanning in repositories owned by their personal account. Enterprise owners can disable this feature, or automatically enable it for all new user-owned repositories, in the enterprise settings. See "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." - heading: Code scanning notes: + # https://github.com/github/releases/issues/3526 + - | + Users can enable code scanning on repositories even if they don't contain any code written in the [languages currently supported by CodeQL](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/). Default setup will automatically trigger the first scan when a supported language is detected on the default branch. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." + # https://github.com/github/releases/issues/3545 + - | + Users can use CodeQL threat model settings for Java to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in their code. This feature is in public beta and subject to change. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." # https://github.com/github/releases/issues/3771 # https://github.com/github/releases/issues/3807 # https://github.com/github/releases/issues/3818 # https://github.com/github/releases/issues/3864 # https://github.com/github/releases/issues/3894 - | - The {% data variables.product.prodname_codeql %} action for code scanning analysis uses version 2.16.6 of the {% data variables.product.prodname_codeql_cli %} of the CodeQL CLI by default. See the [changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.6/) for this version. - # https://github.com/github/releases/issues/3526 - - | - Users can enable code scanning on repositories even if they don’t contain any code written in the [languages currently supported by CodeQL](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/). Default setup will automatically trigger the first scan when a supported language is detected on the default branch. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." - # https://github.com/github/releases/issues/3545 - - | - Users can use CodeQL threat model settings for Java to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in their code. This feature is in public beta and subject to change. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." - # https://github.com/github/releases/issues/3648 - - | - To enable users to adopt the latest version of .NET / C# for their code base and continue using CodeQL to identify vulnerabilities, CodeQL code scanning supports C# 12 and .NET 8. 
For more information, see "[CodeQL 2.16.4](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.4/#c-2)" in the CodeQL documentation. + The {% data variables.product.prodname_codeql %} action for code scanning analysis uses version 2.16.5 of the {% data variables.product.prodname_codeql_cli %} by default, an upgrade from 2.15.5 compared to the previous {% data variables.product.prodname_ghe_server %} feature release. For a detailed list of changes included in each version, see the [{% data variables.product.prodname_codeql %} change logs](https://codeql.github.com/docs/codeql-overview/codeql-changelog/). + Significant changes include: + - Support for Swift 5.9.2, C# 12 / .NET 8, and Go 1.22. + - Installation of Python dependencies is disabled for all Python scans by default. See the [GitHub Blog post](https://github.blog/changelog/2023-07-12-code-scanning-with-codeql-no-longer-installs-python-dependencies-automatically-for-new-users/). + - A new `python_executable_name` option for the Python extractor. This allows you to select a non-default Python executable installed on the system running the scan (such as `py.exe` on Windows machines). See the [changelog in the CodeQL documentation](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.3/#new-features). + - A fix for [CVE-2024-25129](https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph), a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs. + - The code scanning UI now includes partially extracted files. See the [GitHub Blog post](https://github.blog/changelog/2024-01-23-codeql-2-16-python-dependency-installation-disabled-new-queries-and-bug-fixes/#:~:text=The%20measure%20of,the%20near%20future.). 
+ - 2 new C/C++ queries: `cpp/use-of-unique-pointer-after-lifetime-ends` and `cpp/incorrectly-checked-scanf` + - 6 new Java queries: `java/insecure-randomness` , `java/exec-tainted-environment` , `java/android/sensitive-text`, `java/android/sensitive-notification`, `java/android/insecure-local-authentication`, and `java/android/insecure-local-key-gen` + - 2 new Swift queries: `swift/weak-password-hashing` and `swift/unsafe-unpacking` - heading: Code security notes: diff --git a/data/variables/product.yml b/data/variables/product.yml index 8f01dcba9d..c0a3b53263 100644 --- a/data/variables/product.yml +++ b/data/variables/product.yml @@ -89,7 +89,7 @@ prodname_codeql_cli: 'CodeQL CLI' # CodeQL usually bumps its minor version for each minor version of GHES. # Update this whenever a new enterprise version of CodeQL is being prepared. codeql_cli_ghes_recommended_version: >- - {% ifversion ghes < 3.10 %}2.12.7{% elsif ghes < 3.11 %}2.13.5{% elsif ghes < 3.12 %}2.14.6{% elsif ghes < 3.13 %}2.15.5{% elsif ghes < 3.14 %}2.16.6{% endif %} + {% ifversion ghes < 3.10 %}2.12.7{% elsif ghes < 3.11 %}2.13.5{% elsif ghes < 3.12 %}2.14.6{% elsif ghes < 3.13 %}2.15.5{% elsif ghes < 3.14 %}2.16.5{% endif %} # Projects v2 prodname_projects_v2: '{% ifversion ghes = 3.9 %}Projects (beta){% else %}Projects{% endif %}'