Until this release, when a manifest file included a version range for a package (e.g. version < 3), the SBOM GitHub generated for that repository did not include a package URL (purl) for that package. We have improved SBOM generation so that when a manifest file references a package by a range, we now include the purl but omit the version field, which is an optional element in the specification. This results in more complete data than we previously generated in the SBOM, helping users more clearly identify the packages used in their repository.
Repository updates June 12th 2024
We’re excited to introduce enhancements to custom properties as well as updates to the push rule public beta.
Custom properties updates!
New property types
Multi select allows a repository to have more than one value for a defined property. Now a repository can have a property that defines a compliance requirement with values for FedRAMP and SOC2, for example.
True/False allows you to set whether a given property is true or false for a given repository.
Target rulesets by repository visibility and more
In addition to targeting repositories with the custom properties you’ve created, we’ve now extended property targeting to include the ability to target by:
– Visibility: public, private, or internal
– Fork: true, false
– Language: select primary repository language.
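To make the targeting semantics concrete, here is an added example (written for this page, not GitHub's ruleset engine) that evaluates include/exclude conditions over a handful of constructed repositories. Visibility, fork and language are treated like any other property, and a multi-select property such as compliance matches when any of its values is in the condition's list. The repository records and the condition dictionary shape are assumptions for the example, not GitHub's API schema.

```python
"""Evaluate ruleset targeting conditions against repository metadata.
Added example; the data shapes below are constructed for illustration."""

# Constructed repository metadata: built-in attributes plus custom properties.
REPOS = {
    "payments-api": {"visibility": "private", "fork": False, "language": "Go",
                     "properties": {"compliance": ["FedRAMP", "SOC2"], "production": True}},
    "docs-site": {"visibility": "public", "fork": False, "language": "JavaScript",
                  "properties": {"compliance": [], "production": False}},
    "payments-api-fork": {"visibility": "internal", "fork": True, "language": "Go",
                          "properties": {"compliance": ["SOC2"], "production": False}},
}

BUILT_IN = ("visibility", "fork", "language")


def property_values(repo, name):
    """Return a repository's values for a property name as a set of strings.
    Built-in attributes and custom properties are looked up alike; a
    multi-select property contributes every one of its values."""
    value = repo[name] if name in BUILT_IN else repo["properties"].get(name)
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return {str(v) for v in value}
    # Booleans are compared as the strings "true"/"false", as in the targeting UI.
    return {str(value).lower() if isinstance(value, bool) else str(value)}


def condition_matches(repo, condition):
    """A condition is {"name": ..., "values": [...]}; it matches when at least
    one of the listed values is among the repository's values."""
    return bool(property_values(repo, condition["name"]) & set(condition["values"]))


def ruleset_applies(repo, conditions):
    """Every include condition must match and no exclude condition may."""
    include = conditions.get("include", [])
    exclude = conditions.get("exclude", [])
    return (all(condition_matches(repo, c) for c in include)
            and not any(condition_matches(repo, c) for c in exclude))


def targeted_repos(conditions, repos=REPOS):
    """Names of repositories the ruleset would be enforced on, sorted."""
    return sorted(name for name, repo in repos.items() if ruleset_applies(repo, conditions))


# Constructed ruleset: non-fork Go repositories carrying a FedRAMP or SOC2 obligation.
COMPLIANCE_RULESET = {
    "include": [{"name": "compliance", "values": ["FedRAMP", "SOC2"]},
                {"name": "language", "values": ["Go"]}],
    "exclude": [{"name": "fork", "values": ["true"]}],
}

# Constructed ruleset: everything that is visible beyond its own collaborators.
NON_PRIVATE_RULESET = {"include": [{"name": "visibility", "values": ["public", "internal"]}]}

if __name__ == "__main__":
    print(targeted_repos(COMPLIANCE_RULESET))
    print(targeted_repos(NON_PRIVATE_RULESET))
```

Excluding forks from a compliance ruleset is the kind of case where the fork target earns its keep: a fork usually inherits the compliance property values but not the review workflow the ruleset assumes.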
Learn more in the custom properties documentation
What do you think? Start a discussion within GitHub Community.
Push rule delegated bypass public beta!
We are expanding on the push rule public beta with a new delegated bypass flow.
Previously, to push restricted content you had to be on the bypass list. Now with delegated bypass, contributors can propose bypassing a push rule, and members of the bypass list can review those bypass requests to allow or deny the content.
Learn more about push rule delegated bypass in the repository rules documentation and join the push rule discussion in the GitHub Community.
CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.4 has been released and has now been rolled out to code scanning users on GitHub.com.
This changelog combines significant updates from the releases of CodeQL 2.17.2, 2.17.3, and 2.17.4:
- Copilot-powered autofixes are now available for queries that are part of the Extended query suite for languages supported by autofix (JS/TS, Go, Java, C#, Ruby, Python).
- All the local query variants have been removed from Java. Their behaviour can be replicated by using local threat models.
- Better caching for C++ analyses on pull requests improves scan times by a median 12%.
- Added support for the C/C++ ZeroMQ (ZMQ) library, the Python Pyramid framework, and the gradio package.
- A new query cpp/iterator-to-expired-container detects the creation of iterators owned by temporary objects that are about to be destroyed.
- The py/header-injection query has been promoted to the main query pack and renamed to py/http-response-splitting.
For a full list of changes, please refer to the complete changelog for versions 2.17.2, 2.17.3, and 2.17.4. All new functionality will also be included in GHES 3.14. Users of GHES 3.13 or older can upgrade their CodeQL version.
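For readers who have not met the defect class behind the renamed py/http-response-splitting query, here is an added Python example (written for this page, not CodeQL's code) of a redirect builder that copies a caller-supplied value into the response header block unchanged, beside a hardened version that rejects CR, LF and NUL before the value reaches a header. The raw HTTP framing and the helper names are constructed for the example.

```python
"""HTTP response splitting via an unvalidated header value, and the hardened
form that refuses control characters. Added example; not CodeQL's code."""


def build_redirect_unsafe(location):
    """Vulnerable: the value is interpolated verbatim, so a CR/LF pair inside
    it ends the Location header and starts a new header line (the pattern the
    py/http-response-splitting query reports)."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"


def safe_header_value(value):
    """Reject any header value containing CR, LF or NUL. A field value must
    be a single line (RFC 9110 forbids bare CR and LF inside field values),
    so failing closed is preferable to stripping characters."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("control characters are not allowed in header values")
    return value


def build_redirect(location):
    """Hardened: every header value passes through safe_header_value first."""
    return f"HTTP/1.1 302 Found\r\nLocation: {safe_header_value(location)}\r\n\r\n"


def header_lines(raw):
    """Split a raw response into its status line and header lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


def count_headers(raw):
    """Number of header fields in the response, excluding the status line."""
    return len(header_lines(raw)) - 1


if __name__ == "__main__":
    # Constructed input carrying an embedded CR/LF; only the unsafe builder
    # turns it into a second header field.
    tainted = "/home\r\nX-Injected: yes"
    print(header_lines(build_redirect_unsafe(tainted)))
    try:
        build_redirect(tainted)
    except ValueError as exc:
        print("rejected:", exc)
```

Most Python web frameworks and the standard library's http.client already refuse CR/LF in header values, so the query mostly matters where code assembles raw responses itself or bypasses the framework's header API.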