Adjust @security-severity metadata for XSS and log injection queries

[owen-mc]

Increase the @security-severity of XSS queries from 6.1 (medium) to 7.8 (high) and reduce the @security-severity of log injection queries from 7.8 (high) to 6.1 (medium).

This was done for javascript two years ago. Note that one javascript XSS query (js/xss-through-dom) was excluded because it only identifies part of a vulnerability.

[Copilot]

Pull request overview

This PR adjusts CodeQL query metadata severities to align XSS queries with “high” severity and log injection queries with “medium” severity, and adds per-language change notes documenting the metadata updates.

Changes:

• Increase @security-severity from 6.1 → 7.8 for multiple XSS-related queries (Swift, Rust, Ruby, Python, Java, Go, C++).
• Decrease @security-severity from 7.8 → 6.1 for log injection queries (Ruby, Python, Java, Go).
• Add change-note entries under category: queryMetadata for each affected language.

Reviewed changes

Copilot reviewed 28 out of 28 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql	Raises XSS-related query severity to 7.8.
swift/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md	Documents Swift metadata change.
rust/ql/src/queries/security/CWE-079/XSS.ql	Raises XSS query severity to 7.8.
rust/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md	Documents Rust metadata change.
ruby/ql/src/queries/security/cwe-117/LogInjection.ql	Lowers log injection severity to 6.1.
ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql	Raises XSS-related query severity to 7.8.
ruby/ql/src/queries/security/cwe-079/StoredXSS.ql	Raises XSS query severity to 7.8.
ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql	Raises XSS query severity to 7.8.
ruby/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md	Documents Ruby metadata changes.
python/ql/src/Security/CWE-117/LogInjection.ql	Lowers log injection severity to 6.1.
python/ql/src/Security/CWE-079/ReflectedXss.ql	Raises XSS query severity to 7.8.
python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql	Raises XSS-related query severity to 7.8.
python/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md	Documents Python metadata changes.
java/ql/src/Security/CWE/CWE-117/LogInjection.ql	Lowers log injection severity to 6.1.
java/ql/src/Security/CWE/CWE-079/XSS.ql	Raises XSS query severity to 7.8.
java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql	Raises Android WebView XSS-related query severity to 7.8.
java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql	Raises Android WebView XSS-related query severity to 7.8.
java/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md	Documents Java metadata changes.
go/ql/src/Security/CWE-117/LogInjection.ql	Lowers log injection severity to 6.1.
go/ql/src/Security/CWE-079/StoredXss.ql	Raises stored XSS query severity to 7.8.
go/ql/src/Security/CWE-079/ReflectedXss.ql	Raises reflected XSS query severity to 7.8.
go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql	Raises template escaping bypass XSS query severity to 7.8.
go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md	Documents Go metadata changes.
cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql	Raises CGI XSS query severity to 7.8.
cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md	Documents C++ metadata change.
csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md	Adds C# change note entry (but no corresponding query metadata change in this PR).

---

You can also share your feedback on Copilot code review. Take the survey.

[tausbn]

Python 👍