Merge pull request #17472 from github/dbartol/rc-3.15-mergeback

Mergeback from `rc/3.15`
This commit is contained in:
Chris Smowton
2024-09-16 09:10:45 +01:00
committed by GitHub
229 changed files with 1311 additions and 452 deletions

View File

@@ -155,7 +155,7 @@ use_repo(
)
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
go_sdk.download(version = "1.22.2")
go_sdk.download(version = "1.23.1")
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
go_deps.from_file(go_mod = "//go/extractor:go.mod")
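Review bot: the Go SDK moves from 1.22.2 to 1.23.1 via `go_sdk.download`, so the `go` directive in `//go/extractor/go.mod` (the file `go_deps.from_file` loads two lines below) needs to be at or below 1.23.1, otherwise the module graph demands a toolchain newer than the one Bazel fetches; please also confirm the bumped version is one rules_go knows so the download is integrity-checked rather than fetched unverified.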

View File

@@ -1,3 +1,7 @@
## 1.4.2
No user-facing changes.
## 1.4.1
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.4.2
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.1
lastReleaseVersion: 1.4.2

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 1.4.2-dev
version: 1.4.3-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

View File

@@ -1,3 +1,7 @@
## 1.2.2
No user-facing changes.
## 1.2.1
### Minor Analysis Improvements

View File

@@ -0,0 +1,3 @@
## 1.2.2
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.1
lastReleaseVersion: 1.2.2

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.2.2-dev
version: 1.2.3-dev
groups:
- cpp
- queries

View File

@@ -1,3 +1,7 @@
## 1.7.24
No user-facing changes.
## 1.7.23
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.7.24
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.23
lastReleaseVersion: 1.7.24

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.24-dev
version: 1.7.25-dev
groups:
- csharp
- solorigate

View File

@@ -1,3 +1,7 @@
## 1.7.24
No user-facing changes.
## 1.7.23
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.7.24
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.23
lastReleaseVersion: 1.7.24

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.24-dev
version: 1.7.25-dev
groups:
- csharp
- solorigate

View File

@@ -1,3 +1,9 @@
## 1.2.0
### New Features
* C# support for `build-mode: none` is now out of beta, and generally available.
## 1.1.0
### Major Analysis Improvements

View File

@@ -0,0 +1,5 @@
## 1.2.0
### New Features
* C# support for `build-mode: none` is now out of beta, and generally available.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.1.0
lastReleaseVersion: 1.2.0

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 1.1.1-dev
version: 1.2.1-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp
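Review bot: `version` goes from 1.1.1-dev to 1.2.1-dev here, which is consistent with `lastReleaseVersion: 1.2.0` and the new `## 1.2.0` changelog entry in the sibling hunks (a minor bump for `build-mode: none` leaving beta); consumers that pin `codeql/csharp-all` to a patch range will not pick this release up automatically, so worth a mention in the release notes if that is expected.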

View File

@@ -1,3 +1,7 @@
## 1.0.7
No user-facing changes.
## 1.0.6
### Minor Analysis Improvements

View File

@@ -0,0 +1,3 @@
## 1.0.7
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.6
lastReleaseVersion: 1.0.7

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.0.7-dev
version: 1.0.8-dev
groups:
- csharp
- queries

View File

@@ -75,8 +75,8 @@ C#
* The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called :code:`provenance` has been introduced, where the allowed values are :code:`manual` and :code:`generated`. The value used to indicate whether a model as been written by hand (:code:`manual`) or create by the CSV model generator (:code:`generated`).
* All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
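Review bot: the unchanged context line describing the `provenance` column has two typos that this retitling pass could fix while it is touching the file: "whether a model as been written by hand" should read "has been written", and "or create by the CSV model generator" should read "or created by".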
@@ -134,8 +134,8 @@ JavaScript/TypeScript
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a flow step for :code:`String.valueOf` calls on tainted :code:`android.text.Editable` objects.
@@ -162,8 +162,8 @@ Golang
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
Java
""""
Java/Kotlin
"""""""""""
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.

View File

@@ -40,8 +40,8 @@ C#
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/csharp-all` package.
Java
""""
Java/Kotlin
"""""""""""
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/java-all` package.
@@ -63,8 +63,8 @@ Ruby
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* A new query "Improper verification of intent by broadcast receiver" (:code:`java/improper-intent-verification`) has been added.
This query finds instances of Android :code:`BroadcastReceiver`\ s that don't verify the action string of received intents when registered to receive system intents.
@@ -80,8 +80,8 @@ C/C++
* :code:`AnalysedExpr::isNullCheck` and :code:`AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
Java
""""
Java/Kotlin
"""""""""""
* Added data-flow models for :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
* Added :code:`Modifier.isInline()`.
@@ -126,7 +126,7 @@ Python
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added an :code:`ErrorType` class. An instance of this class will be used if an extractor is unable to extract a type, or if an up/downgrade script is unable to provide a type.

View File

@@ -84,8 +84,8 @@ C/C++
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The JUnit5 version of :code:`AssertNotNull` is now recognized, which removes related false positives in the nullness queries.
* Added data flow models for :code:`java.util.Scanner`.
@@ -99,7 +99,7 @@ Ruby
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The QL predicate :code:`Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.

View File

@@ -37,8 +37,8 @@ Query Packs
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/sensitive-log` has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.
@@ -55,16 +55,16 @@ Golang
* The query :code:`go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/path-injection` now recognises vulnerable APIs defined using the :code:`SinkModelCsv` class with the :code:`create-file` type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* A new query "Android :code:`WebView` that accepts all certificates" (:code:`java/improper-webview-certificate-validation`) has been added. This query finds implementations of :code:`WebViewClient`\ s that accept all certificates in the case of an SSL error.
@@ -82,8 +82,8 @@ C/C++
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Improved analysis of the Android class :code:`AsyncTask` so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
* Added a data-flow model for the :code:`setProperty` method of :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.

View File

@@ -40,8 +40,8 @@ C#
* Added better support for the SQLite framework in the SQL injection query.
* File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/static-initialization-vector` no longer requires a :code:`Cipher` object to be initialized with :code:`ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.
* Improved sanitizers for :code:`java/sensitive-log`, which removes some false positives and improves performance a bit.
@@ -49,8 +49,8 @@ Java
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new query, :code:`java/android/implicitly-exported-component`, to detect if components are implicitly exported in the Android manifest.
* A new query "Use of RSA algorithm without OAEP" (:code:`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.
@@ -84,8 +84,8 @@ Ruby
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The queries :code:`java/redos` and :code:`java/polynomial-redos` now have a tag for CWE-1333.
@@ -121,8 +121,8 @@ Golang
* Fixed data-flow to captured variable references.
* We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow.
Java
""""
Java/Kotlin
"""""""""""
* Added new flow steps for the classes :code:`java.nio.file.Path` and :code:`java.nio.file.Paths`.
* The class :code:`AndroidFragment` now also models the Android Jetpack version of the :code:`Fragment` class (:code:`androidx.fragment.app.Fragment`).
@@ -161,8 +161,8 @@ C#
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Java
""""
Java/Kotlin
"""""""""""
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
@@ -204,8 +204,8 @@ C/C++
* Added support for getting the link targets of global and namespace variables.
* Added a :code:`BlockAssignExpr` class, which models a :code:`memcpy`\ -like operation used in compiler generated copy/move constructors and assignment operations.
Java
""""
Java/Kotlin
"""""""""""
* Added a new predicate, :code:`requiresPermissions`, in the :code:`AndroidComponentXmlElement` and :code:`AndroidApplicationXmlElement` classes to detect if the element has explicitly set a value for its :code:`android:permission` attribute.
* Added a new predicate, :code:`hasAnIntentFilterElement`, in the :code:`AndroidComponentXmlElement` class to detect if a component contains an intent filter element.

View File

@@ -60,8 +60,8 @@ Golang
* The alert message of many queries have been changed to make the message consistent with other languages.
Java
""""
Java/Kotlin
"""""""""""
* The Java extractor now populates the :code:`Method` relating to a :code:`MethodAccess` consistently for calls using an explicit and implicit :code:`this` qualifier. Previously if the method :code:`foo` was inherited from a specialised generic type :code:`ParentType<String>`, then an explicit call :code:`this.foo()` would yield a :code:`MethodAccess` whose :code:`getMethod()` accessor returned the bound method :code:`ParentType<String>.foo`, whereas an implicitly-qualified :code:`foo()` :code:`MethodAccess`\ 's :code:`getMethod()` would return the unbound method :code:`ParentType.foo`. Now both scenarios produce a bound method. This means that all data-flow queries may return more results where a relevant path transits a call to such an implicitly-qualified call to a member method with a bound generic type, while queries that inspect the result of :code:`MethodAccess.getMethod()` may need to tolerate bound generic methods in more circumstances. The queries :code:`java/iterator-remove-failure`, :code:`java/non-static-nested-class`, :code:`java/internal-representation-exposure`, :code:`java/subtle-inherited-call` and :code:`java/deprecated-call` have been amended to properly handle calls to bound generic methods, and in some instances may now produce more results in the explicit-\ :code:`this` case as well.
* Added taint model for arguments of :code:`java.net.URI` constructors to the queries :code:`java/path-injection` and :code:`java/path-injection-local`.
@@ -94,8 +94,8 @@ C/C++
* Added a new medium-precision query, :code:`cpp/missing-check-scanf`, which detects :code:`scanf` output variables that are used without a proper return-value check to see that they were actually written. A variation of this query was originally contributed as an `experimental query by @ihsinme <https://github.com/github/codeql/pull/8246>`__.
Java
""""
Java/Kotlin
"""""""""""
* The query "Server-side template injection" (:code:`java/server-side-template-injection`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/5935>`__.
* Added a new query, :code:`java/android/backup-enabled`, to detect if Android applications allow backups.
@@ -113,8 +113,8 @@ Golang
* Added the :code:`security-severity` tag and CWE tag to the :code:`go/insecure-hostkeycallback` query.
Java
""""
Java/Kotlin
"""""""""""
* Removed the :code:`@security-severity` tag from several queries not in the :code:`Security/` folder that also had missing :code:`security` tags.
@@ -139,8 +139,8 @@ C#
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Java
""""
Java/Kotlin
"""""""""""
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
@@ -157,8 +157,8 @@ Ruby
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The :code:`Member.getQualifiedName()` predicate result now includes the qualified name of the declaring type.
@@ -229,8 +229,8 @@ Ruby
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The virtual dispatch relation used in data flow now favors summary models over source code for dispatch to interface methods from :code:`java.util` unless there is evidence that a specific source implementation is reachable. This should provide increased precision for any projects that include, for example, custom :code:`List` or :code:`Map` implementations.
@@ -242,8 +242,8 @@ JavaScript/TypeScript
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added new sinks to the query :code:`java/android/implicit-pendingintents` to take into account the classes :code:`androidx.core.app.NotificationManagerCompat` and :code:`androidx.core.app.AlarmManagerCompat`.
* Added new flow steps for :code:`androidx.core.app.NotificationCompat` and its inner classes.
@@ -300,8 +300,8 @@ Golang
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Java
""""
Java/Kotlin
"""""""""""
* The predicate :code:`Annotation.getAValue()` has been deprecated because it might lead to obtaining the value of the wrong annotation element by accident. :code:`getValue(string)` (or one of the value type specific predicates) should be used to explicitly specify the name of the annotation element.
* The predicate :code:`Annotation.getAValue(string)` has been renamed to :code:`getAnArrayValue(string)`.
@@ -335,8 +335,8 @@ C/C++
* Added subclasses of :code:`BuiltInOperations` for :code:`__is_same`, :code:`__is_function`, :code:`__is_layout_compatible`, :code:`__is_pointer_interconvertible_base_of`, :code:`__is_array`, :code:`__array_rank`, :code:`__array_extent`, :code:`__is_arithmetic`, :code:`__is_complete_type`, :code:`__is_compound`, :code:`__is_const`, :code:`__is_floating_point`, :code:`__is_fundamental`, :code:`__is_integral`, :code:`__is_lvalue_reference`, :code:`__is_member_function_pointer`, :code:`__is_member_object_pointer`, :code:`__is_member_pointer`, :code:`__is_object`, :code:`__is_pointer`, :code:`__is_reference`, :code:`__is_rvalue_reference`, :code:`__is_scalar`, :code:`__is_signed`, :code:`__is_unsigned`, :code:`__is_void`, and :code:`__is_volatile`.
Java
""""
Java/Kotlin
"""""""""""
* Added a new predicate, :code:`allowsBackup`, in the :code:`AndroidApplicationXmlElement` class. This predicate detects if the application element does not disable the :code:`android:allowBackup` attribute.
* The predicates of the CodeQL class :code:`Annotation` have been improved:

View File

@@ -63,8 +63,8 @@ C#
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
Java
""""
Java/Kotlin
"""""""""""
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
* :code:`PathSanitizer.qll` has been promoted from experimental to the main query pack. This sanitizer was originally `submitted as part of an experimental query by @luchua-bc <https://github.com/github/codeql/pull/7286>`__.
@@ -81,8 +81,8 @@ Ruby
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new query, :code:`java/android/webview-debugging-enabled`, to detect instances of WebView debugging being enabled in production builds.
@@ -103,8 +103,8 @@ Golang
* Added support for :code:`BeegoInput.RequestBody` as a source of untrusted data.
Java
""""
Java/Kotlin
"""""""""""
* Added external flow sources for the intents received in exported Android services.

View File

@@ -114,8 +114,8 @@ C/C++
* Added a new medium-precision query, :code:`cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues.
Java
""""
Java/Kotlin
"""""""""""
* Added a new query, :code:`java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions.
* A new query "Uncontrolled data used in content resolution" (:code:`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's :code:`ContentResolver` without previous validation or sanitization.
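Review bot: the query id on the last context line, :code:`java/androd/unsafe-content-uri-resolution`, looks misspelled; every other Android query on this page (including :code:`java/android/incomplete-provider-permissions` on the line above) uses the `java/android/` prefix, and a wrong id in release notes sends readers searching for a query that does not exist.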
@@ -132,8 +132,8 @@ Language Libraries
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added support for common patterns involving :code:`Stream.collect` and common collectors like :code:`Collectors.toList()`.
* The class :code:`TypeVariable` now also extends :code:`Modifiable`.
@@ -161,15 +161,15 @@ Ruby
Deprecated APIs
~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Deprecated :code:`ContextStartActivityMethod`. Use :code:`StartActivityMethod` instead.
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new predicate, :code:`hasIncompletePermissions`, in the :code:`AndroidProviderXmlElement` class. This predicate detects if a provider element does not provide both read and write permissions.

View File

@@ -68,8 +68,8 @@ Ruby
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/insufficient-key-size` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/4926>`__.
* Added a new query, :code:`java/android/sensitive-keyboard-cache`, to detect instances of sensitive information possibly being saved to the Android keyboard cache.
@@ -98,8 +98,8 @@ C#
* The :code:`[Summary|Sink|Source]ModelCsv` classes have been deprecated and Models as Data models are defined as data extensions instead.
Java
""""
Java/Kotlin
"""""""""""
* The ReDoS libraries in :code:`semmle.code.java.security.regexp` has been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
* Added data flow summaries for tainted Android intents sent to activities via :code:`Activity.startActivities`.
@@ -125,8 +125,8 @@ Ruby
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting :code:`CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to :code:`true` in the environment.
* The new :code:`string Compilation.getInfo(string)` predicate provides access to some information about compilations.

View File

@@ -38,7 +38,7 @@ Query Packs
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Kotlin extraction will now fail if the Kotlin version in use is at least 1.7.30. This is to ensure using an as-yet-unsupported version is noticable, rather than silently failing to extract Kotlin code and therefore producing false-negative results.
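Review bot: "noticable" in the unchanged context line should be "noticeable"; since this hunk already edits the heading directly above it, fixing the typo in the same change would be cheap.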

View File

@@ -89,8 +89,8 @@ Golang
* The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
Java
""""
Java/Kotlin
"""""""""""
* The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
* The extensible predicates for Models as Data have been renamed (the :code:`ext` prefix has been removed). As an example, :code:`extSummaryModel` has been renamed to :code:`summaryModel`.
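Review bot: "supression comments" is misspelled in both the Golang and the Java/Kotlin context lines of this hunk (should be "suppression"); the two entries are otherwise identical, so a single search-and-replace across the file would fix both.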
@@ -125,8 +125,8 @@ C#
* Added a new query, :code:`csharp/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
Java
""""
Java/Kotlin
"""""""""""
* Added a new query, :code:`java/summary/generated-vs-manual-coverage`, to expose metrics for the number of API endpoints covered by generated versus manual MaD models.
* Added a new query, :code:`java/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
@@ -152,8 +152,8 @@ Golang
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Java
""""
Java/Kotlin
"""""""""""
* We now correctly handle empty block comments, like :code:`/**/`. Previously these could be mistaken for Javadoc comments and led to attribution of Javadoc tags to the wrong declaration.
@@ -230,8 +230,8 @@ Golang
* Queries that care about SQL, such as :code:`go/sql-injection`, now recognise SQL-consuming functions belonging to the :code:`gorqlite` and :code:`GoFrame` packages.
* :code:`rsync` has been added to the list of commands which may evaluate its parameters as a shell command.
Java
""""
Java/Kotlin
"""""""""""
* Added more dataflow models for frequently-used JDK APIs.
* The extraction of Kotlin extension methods has been improved when default parameter values are present. The dispatch and extension receiver parameters are extracted in the correct order. The :code:`ExtensionMethod::getExtensionReceiverParameterIndex` predicate has been introduced to facilitate getting the correct extension parameter index.

View File

@@ -41,8 +41,8 @@ Golang
* Replacing "\r" or "\n" using the functions :code:`strings.ReplaceAll`, :code:`strings.Replace`, :code:`strings.Replacer.Replace` and :code:`strings.Replacer.WriteString` has been added as a sanitizer for the queries "Log entries created from user input".
* The functions :code:`strings.Replacer.Replace` and :code:`strings.Replacer.WriteString` have been added as sanitizers for the query "Potentially unsafe quoting".
Java
""""
Java/Kotlin
"""""""""""
* The name, description and alert message for the query :code:`java/concatenated-sql-query` have been altered to emphasize that the query flags the use of string concatenation to construct SQL queries, not the lack of appropriate escaping. The query's files have been renamed from :code:`SqlUnescaped.ql` and :code:`SqlUnescapedLib.qll` to :code:`SqlConcatenated.ql` and :code:`SqlConcatenatedLib.qll` respectively; in the unlikely event your custom configuration or queries refer to either of these files by name, those references will need to be adjusted. The query id remains :code:`java/concatenated-sql-query`, so alerts should not be re-raised as a result of this change.
@@ -54,8 +54,8 @@ Ruby
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new query :code:`java/android/websettings-allow-content-access` to detect Android WebViews which do not disable access to :code:`content://` urls.
@@ -88,8 +88,8 @@ C#
* C# 11: Added support for the unsigned right shift :code:`>>>` and unsigned right shift assignment :code:`>>>=` operators.
* Query id's have been aligned such that they are prefixed with :code:`cs` instead of :code:`csharp`.
Java
""""
Java/Kotlin
"""""""""""
* Added sink models for the constructors of :code:`org.springframework.jdbc.object.MappingSqlQuery` and :code:`org.springframework.jdbc.object.MappingSqlQueryWithParameters`.
* Added more dataflow models for frequently-used JDK APIs.

View File

@@ -39,8 +39,8 @@ Query Packs
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new query, :code:`java/android/sensitive-result-receiver`, to find instances of sensitive data being leaked to an untrusted :code:`ResultReceiver`.
@@ -70,8 +70,8 @@ C#
* C# 11: Added extractor support for :code:`ref` fields in :code:`ref struct` declarations.
Java
""""
Java/Kotlin
"""""""""""
* Added sink models for the :code:`createQuery`, :code:`createNativeQuery`, and :code:`createSQLQuery` methods of the :code:`org.hibernate.query.QueryProducer` interface.

View File

@@ -35,8 +35,8 @@ Query Packs
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The :code:`java/index-out-of-bounds` query has improved its handling of arrays of constant length, and may report additional results in those cases.
@@ -53,8 +53,8 @@ Golang
* Added a new query, :code:`go/unhandled-writable-file-close`, to detect instances where writable file handles are closed without appropriate checks for errors.
Java
""""
Java/Kotlin
"""""""""""
* Added a new query, :code:`java/xxe-local`, which is a version of the XXE query that uses local sources (for example, reads from a local file).
@@ -96,8 +96,8 @@ Golang
* Support for the Twirp framework has been added.
Java
""""
Java/Kotlin
"""""""""""
* Removed the first argument of :code:`java.nio.file.Files#createTempDirectory(String,FileAttribute[])` as a "create-file" sink.
* Added the first argument of :code:`java.nio.file.Files#copy` as a "read-file" sink for the :code:`java/path-injection` query.
@@ -126,7 +126,7 @@ Golang
* Go 1.20 is now supported. The extractor now functions as expected when Go 1.20 is installed; the definition of :code:`implementsComparable` has been updated according to Go 1.20's new, more-liberal rules; and taint flow models have been added for relevant, new standard-library functions.
Java
""""
Java/Kotlin
"""""""""""
* Kotlin versions up to 1.8.20 are now supported.

View File

@@ -99,8 +99,8 @@ C#
* C# 11: Added extractor support for :code:`required` fields and properties.
* C# 11: Added library support for :code:`checked` operators.
Java
""""
Java/Kotlin
"""""""""""
* Added new sinks for :code:`java/hardcoded-credential-api-call` to identify the use of hardcoded secrets in the creation and verification of JWT tokens using :code:`com.auth0.jwt`. These sinks are from `an experimental query submitted by @luchua <https://github.com/github/codeql/pull/9036>`__.
* The Java extractor now supports builds against JDK 20.

View File

@@ -59,8 +59,8 @@ C/C++
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new query, :code:`java/android/arbitrary-apk-installation`, to detect installation of APKs from untrusted sources.
@@ -110,8 +110,8 @@ Golang
* The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
Java
""""
Java/Kotlin
"""""""""""
* Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom :code:`List.contains` implementations when the best inferrable type at the call site is simply :code:`List`.
* Added more sink and summary dataflow models for the following packages:
@@ -160,8 +160,8 @@ C#
* Deleted the deprecated :code:`OverridableMethod` and :code:`OverridableAccessor` classes.
* The :code:`unsafe` predicate for :code:`Modifiable` has been extended to cover delegate return types and identify pointer-like types at any nest level. This is relevant for :code:`unsafe` declarations extracted from assemblies.
Java
""""
Java/Kotlin
"""""""""""
* Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
* Deleted the deprecated :code:`getRepresentedString` predicate from the :code:`StringLiteral` class.
@@ -222,8 +222,8 @@ Golang
* Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
Java
""""
Java/Kotlin
"""""""""""
* Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.

View File

@@ -126,8 +126,8 @@ C/C++
* The query :code:`cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/insecure-ldap-auth` has been promoted from experimental to the main query pack. This query detects transmission of cleartext credentials in LDAP authentication. Insecure LDAP authentication causes sensitive information to be vulnerable to remote attackers. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/4854>`__
@@ -157,8 +157,8 @@ Golang
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
Java
""""
Java/Kotlin
"""""""""""
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
@@ -196,8 +196,8 @@ C/C++
* The :code:`BufferAccess` library (:code:`semmle.code.cpp.security.BufferAccess`) no longer matches buffer accesses inside unevaluated contexts (such as inside :code:`sizeof` or :code:`decltype` expressions). As a result, queries using this library may see fewer false positives.
Java
""""
Java/Kotlin
"""""""""""
* Fixed a bug in the regular expression used to identify sensitive information in :code:`SensitiveActions::getCommonSensitiveInfoRegex`. This may affect the results of the queries :code:`java/android/sensitive-communication`, :code:`java/android/sensitive-keyboard-cache`, and :code:`java/sensitive-log`.
* Added a summary model for the :code:`java.lang.UnsupportedOperationException(String)` constructor.
@@ -291,8 +291,8 @@ Golang
* The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
Java
""""
Java/Kotlin
"""""""""""
* The :code:`execTainted` predicate in :code:`CommandLineQuery.qll` has been deprecated and replaced with the predicate :code:`execIsTainted`.
* The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
@@ -316,7 +316,7 @@ C/C++
* Added overridable predicates :code:`getSizeExpr` and :code:`getSizeMult` to the :code:`BufferAccess` class (:code:`semmle.code.cpp.security.BufferAccess.qll`). This makes it possible to model a larger class of buffer reads and writes using the library.
Java
""""
Java/Kotlin
"""""""""""
* Predicates :code:`Compilation.getExpandedArgument` and :code:`Compilation.getAnExpandedArgument` has been added.


@@ -81,8 +81,8 @@ Golang
* Taking a slice is now considered a sanitizer for :code:`SafeUrlFlow`.
Java
""""
Java/Kotlin
"""""""""""
* Changed some models of Spring's :code:`FileCopyUtils.copy` to be path injection sinks instead of summaries.
* Added models for the following packages:
@@ -101,8 +101,8 @@ Python
Deprecated APIs
~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The :code:`sensitiveResultReceiver` predicate in :code:`SensitiveResultReceiverQuery.qll` has been deprecated and replaced with :code:`isSensitiveResultReceiver` in order to use the new dataflow API.


@@ -61,8 +61,8 @@ JavaScript/TypeScript
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/groovy-injection` now recognizes :code:`groovy.text.TemplateEngine.createTemplate` as a sink.
* The queries :code:`java/xxe` and :code:`java/xxe-local` now recognize the second argument of calls to :code:`XPath.evaluate` as a sink.
@@ -107,8 +107,8 @@ Golang
* Fixed data flow through variadic function parameters. The arguments corresponding to a variadic parameter are no longer returned by :code:`CallNode.getArgument(int i)` and :code:`CallNode.getAnArgument()`, and hence aren't :code:`ArgumentNode`\ s. They now have one result, which is an :code:`ImplicitVarargsSlice` node. For example, a call :code:`f(a, b, c)` to a function :code:`f(T...)` is treated like :code:`f([]T{a, b, c})`. The old behaviour is preserved by :code:`CallNode.getSyntacticArgument(int i)` and :code:`CallNode.getASyntacticArgument()`. :code:`CallExpr.getArgument(int i)` and :code:`CallExpr.getAnArgument()` are unchanged, and will still have three results in the example given.
Java
""""
Java/Kotlin
"""""""""""
* Added SQL injection sinks for Spring JDBC's :code:`NamedParameterJdbcOperations`.


@@ -46,8 +46,8 @@ Python
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The :code:`java/summary/lines-of-code` query now only counts lines of Java code. The new :code:`java/summary/lines-of-code-kotlin` counts lines of Kotlin code.
@@ -135,8 +135,8 @@ C#
* :code:`xss` to :code:`js-injection`
* :code:`remote` to :code:`file-content-store`
Java
""""
Java/Kotlin
"""""""""""
* Added flow through the block arguments of :code:`kotlin.io.use` and :code:`kotlin.with`.
@@ -239,7 +239,7 @@ Swift
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Kotlin versions up to 1.9.0 are now supported.


@@ -91,8 +91,8 @@ Golang
* The query "Arbitrary file write during zip extraction ("zip slip")" (:code:`go/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
Java
""""
Java/Kotlin
"""""""""""
* The query "Arbitrary file write during archive extraction ("Zip Slip")" (:code:`java/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
@@ -124,8 +124,8 @@ C/C++
* The :code:`cpp/comparison-with-wider-type` query now correctly handles relational operations on signed operators. As a result the query may find more results.
Java
""""
Java/Kotlin
"""""""""""
* New models have been added for :code:`org.apache.commons.lang`.
* The query :code:`java/unsafe-deserialization` has been updated to take into account :code:`SerialKiller`, a library used to prevent deserialization of arbitrary classes.
@@ -162,8 +162,8 @@ C#
* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
Java
""""
Java/Kotlin
"""""""""""
* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
@@ -185,8 +185,8 @@ Golang
* When a result of path query flows through a function modeled using :code:`DataFlow::FunctionModel` or :code:`TaintTracking::FunctionModel`, the path now includes nodes corresponding to the input and output to the function. This brings it in line with functions modeled using Models-as-Data.
Java
""""
Java/Kotlin
"""""""""""
* Added automatically-generated dataflow models for :code:`javax.portlet`.
* Added a missing summary model for the method :code:`java.net.URL.toString`.
@@ -240,8 +240,8 @@ Golang
* The :code:`LogInjection::Configuration` taint flow configuration class has been deprecated. Use the :code:`LogInjection::Flow` module instead.
Java
""""
Java/Kotlin
"""""""""""
* The :code:`ExecCallable` class in :code:`ExternalProcess.qll` has been deprecated.


@@ -32,8 +32,8 @@ C/C++
* The :code:`cpp/uninitialized-local` query now excludes uninitialized uses that are explicitly cast to void and are expression statements. As a result, the query will report less false positives.
Java
""""
Java/Kotlin
"""""""""""
* The query "Unsafe resource fetching in Android WebView" (:code:`java/android/unsafe-android-webview-fetch`) now recognizes WebViews where :code:`setJavascriptEnabled`, :code:`setAllowFileAccess`, :code:`setAllowUniversalAccessFromFileURLs`, and/or :code:`setAllowFileAccessFromFileURLs` are set inside the function block of the Kotlin :code:`apply` function.
@@ -104,8 +104,8 @@ Golang
* Support for `gqlgen <https://github.com/99designs/gqlgen>`__ has been added.
* Support for the `go-pg framework <https://github.com/go-pg/pg>`__ has been improved.
Java
""""
Java/Kotlin
"""""""""""
* Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
@@ -178,8 +178,8 @@ Golang
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
Java
""""
Java/Kotlin
"""""""""""
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.


@@ -45,8 +45,8 @@ Query Packs
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The sanitizer in :code:`java/potentially-weak-cryptographic-algorithm` has been improved, so the query may yield additional results.
@@ -102,8 +102,8 @@ Golang
* Logrus' :code:`WithContext` methods are no longer treated as if they output the values stored in that context to a log message.
Java
""""
Java/Kotlin
"""""""""""
* Fixed a typo in the :code:`StdlibRandomSource` class in :code:`RandomDataSource.qll`, which caused the class to improperly model calls to the :code:`nextBytes` method. Queries relying on :code:`StdlibRandomSource` may see an increase in results.
* Improved the precision of virtual dispatch of :code:`java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of :code:`InputStream` if there is a high-confidence alternative (like a models-as-data summary).
@@ -126,8 +126,8 @@ Swift
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* A :code:`Diagnostic.getCompilationInfo()` predicate has been added.


@@ -55,8 +55,8 @@ Python
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
@@ -73,8 +73,8 @@ C#
* The query library for :code:`cs/hardcoded-credentials` now excludes benign properties such as :code:`UserNameClaimType` and :code:`AllowedUserNameCharacters` from :code:`Microsoft.AspNetCore.Identity` options classes.
Java
""""
Java/Kotlin
"""""""""""
* Modified the :code:`getSecureAlgorithmName` predicate in :code:`Encryption.qll` to also include :code:`SHA-256` and :code:`SHA-512`. Previously only the versions of the names without dashes were considered secure.
* Add support for :code:`WithElement` and :code:`WithoutElement` for MaD access paths.


@@ -66,8 +66,8 @@ C/C++
* Some queries that had repeated results corresponding to different levels of indirection for :code:`argv` now only have a single result.
* The :code:`cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
Java
""""
Java/Kotlin
"""""""""""
* The queries "Resolving XML external entity in user-controlled data" (:code:`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (:code:`java/xxe-local`) now recognize sinks in the MDHT library.
@@ -91,8 +91,8 @@ C/C++
* Added a new query, :code:`cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
Java
""""
Java/Kotlin
"""""""""""
* Added the :code:`java/trust-boundary-violation` query to detect trust boundary violations between HTTP requests and the HTTP session. Also added the :code:`trust-boundary-violation` sink kind for sinks which may cross a trust boundary, such as calls to the :code:`HttpSession#setAttribute` method.
@@ -136,8 +136,8 @@ Golang
* Added `http.Error <https://pkg.go.dev/net/http#Error>`__ to XSS sanitzers.
Java
""""
Java/Kotlin
"""""""""""
* Fixed the MaD signature specifications to use proper nested type names.
* Added new sanitizer to Java command injection model
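Review bot: two nits in the unchanged context lines of this hunk, outside the scope of the heading rename but worth a follow-up: `XSS sanitzers` on the Golang line is a typo for `sanitizers`, and `Added new sanitizer to Java command injection model` lacks the terminating period and the :code: markup that neighbouring entries use.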
@@ -172,8 +172,8 @@ C/C++
* Added :code:`DeleteOrDeleteArrayExpr` as a super type of :code:`DeleteExpr` and :code:`DeleteArrayExpr`
Java
""""
Java/Kotlin
"""""""""""
* Kotlin versions up to 1.9.10 are now supported.


@@ -121,8 +121,8 @@ Language Libraries
Bug Fixes
~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The regular expressions library no longer incorrectly matches mode flag characters against the input.
@@ -169,8 +169,8 @@ Golang
* Added Numeric and Boolean types to SQL injection sanitzers.
Java
""""
Java/Kotlin
"""""""""""
* Fixed a control-flow bug where case rule statements would incorrectly include a fall-through edge.
* Added support for default cases as proper guards in switch expressions to match switch statements.
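Review bot: `SQL injection sanitzers` in the Golang context line of this hunk is a typo for `sanitizers`; it is not introduced by this change, but it is easy to fix in the same pass.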
@@ -207,8 +207,8 @@ Swift
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Kotlin versions up to 1.9.20 are now supported.


@@ -63,8 +63,8 @@ Golang
* The query "Incorrect conversion between integer types" (:code:`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like :code:`uint32`) and converting it to the signed integer type of the same size (like :code:`int32`), which may lead to more results. It also treats :code:`int` and :code:`uint` more carefully, which may lead to more results or fewer incorrect results.
Java
""""
Java/Kotlin
"""""""""""
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
@@ -121,8 +121,8 @@ Golang
* Support has been added for file system access sinks in the following libraries: \ `net/http <https://pkg.go.dev/net/http>`__, `Afero <https://github.com/spf13/afero>`__, `beego <https://pkg.go.dev/github.com/astaxie/beego>`__, `Echo <https://pkg.go.dev/github.com/labstack/echo>`__, `Fiber <https://github.com/kataras/iris>`__, `Gin <https://pkg.go.dev/github.com/gin-gonic/gin>`__, `Iris <https://github.com/kataras/iris>`__.
* Added :code:`GoKit.qll` to :code:`go.qll` enabling the GoKit framework by default
Java
""""
Java/Kotlin
"""""""""""
* The :code:`isBarrier`, :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the :code:`ArithmeticTaintedLocalQuery`, :code:`ExternallyControlledFormatStringLocalQuery`, :code:`ImproperValidationOfArrayIndexQuery`, :code:`NumericCastTaintedQuery`, :code:`ResponseSplittingLocalQuery`, :code:`SqlTaintedLocalQuery`, and :code:`XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
* Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
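Review bot: in the Golang context lines of this hunk the `Fiber` link target is `https://github.com/kataras/iris`, the same URL as the `Iris` entry that follows it, so the link points at the wrong project; the `GoKit.qll` line on the next context line is also missing its terminating period. Neither is introduced here, but both merit a follow-up fix.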
@@ -209,7 +209,7 @@ Swift
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added predicate :code:`MemberRefExpr::getReceiverExpr`\
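Review bot: the trailing backslash after :code:`MemberRefExpr::getReceiverExpr` in this hunk's last context line has nothing to escape, so it looks like stray markup left over from generating the notes; harmless for rendering, but worth cleaning up separately.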


@@ -61,8 +61,8 @@ Golang
* The query :code:`go/incorrect-integer-conversion` now correctly recognizes more guards of the form :code:`if val <= x` to protect a conversion :code:`uintX(val)`.
Java
""""
Java/Kotlin
"""""""""""
* java/summary/lines-of-code now gives the total number of lines of Java and Kotlin code, and is the only query tagged :code:`lines-of-code`. java/summary/lines-of-code-java and java/summary/lines-of-code-kotlin give the per-language counts.
* The query :code:`java/spring-disabled-csrf-protection` has been improved to detect more ways of disabling CSRF in Spring.
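Review bot: in the Java/Kotlin context line of this hunk the query ids `java/summary/lines-of-code`, `java/summary/lines-of-code-java` and `java/summary/lines-of-code-kotlin` are plain text while every other query id on the page uses :code: markup; not part of this change, but it could be normalised in the same sweep.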
@@ -105,8 +105,8 @@ Golang
* Added `Request.Cookie <https://pkg.go.dev/net/http#Request.Cookie>`__ to reflected XSS sanitizers.
Java
""""
Java/Kotlin
"""""""""""
* Java classes :code:`MethodAccess`, :code:`LValue` and :code:`RValue` were renamed to :code:`MethodCall`, :code:`VarWrite` and :code:`VarRead` respectively, along with related predicates and class names. The old names remain usable for the time being but are deprecated and should be replaced.


@@ -60,8 +60,8 @@ C#
* CIL extraction is now disabled by default. It is still possible to turn on CIL extraction by setting the :code:`cil` extractor option to :code:`true` or by setting the environment variable :code:`$CODEQL_EXTRACTOR_CSHARP_OPTION_CIL` to :code:`true`. This is the first step towards sun-setting the CIL extractor entirely.
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/unsafe-deserialization` has been improved to detect insecure calls to :code:`ObjectMessage.getObject` in JMS.
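Review bot: the C# context line of this hunk writes the environment variable as :code:`$CODEQL_EXTRACTOR_CSHARP_OPTION_CIL`, with a shell `$` prefix, whereas other entries on the page (for example :code:`CODEQL_EXTRACTOR_CSHARP_OPTION_LOGGING_VERBOSITY`) give the bare variable name, which is the correct form for documentation of a variable to be set. Unrelated to the rename, but easy to tidy.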
@@ -193,8 +193,8 @@ Golang
* Added the `gin-contrib/cors <https://github.com/gin-contrib/cors>`__ library to the experimental query "CORS misconfiguration" (:code:`go/cors-misconfiguration`).
Java
""""
Java/Kotlin
"""""""""""
* The types :code:`java.util.SequencedCollection`, :code:`SequencedSet` and :code:`SequencedMap`, as well as the related :code:`Collections.unmodifiableSequenced*` methods are now modelled. This means alerts may be raised relating to data flow through these types and methods.
@@ -217,7 +217,7 @@ Swift
Deprecated APIs
~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* In :code:`SensitiveApi.qll`, :code:`javaApiCallablePasswordParam`, :code:`javaApiCallableUsernameParam`, :code:`javaApiCallableCryptoKeyParam`, and :code:`otherApiCallableCredentialParam` predicates have been deprecated. They have been replaced with a new class :code:`CredentialsSinkNode` and its child classes :code:`PasswordSink`, :code:`UsernameSink`, and :code:`CryptoKeySink`. The predicates have been changed to using the new classes, so there may be minor changes in results relying on these predicates.
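Review bot: `The predicates have been changed to using the new classes` in the Java/Kotlin context line of this hunk should read `to use the new classes`; the wording predates this change.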


@@ -81,8 +81,8 @@ Golang
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The diagnostic query :code:`java/diagnostics/successfully-extracted-files`, and therefore the Code Scanning UI measure of scanned Java files, now considers any Java file seen during extraction, even one with some errors, to be extracted / scanned.
* Switch cases using binding patterns and :code:`case null[, default]` are now supported. Classes :code:`PatternCase` and :code:`NullDefaultCase` are introduced to represent new kinds of case statement.


@@ -53,8 +53,8 @@ Query Packs
Bug Fixes
~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The three queries :code:`java/insufficient-key-size`, :code:`java/server-side-template-injection`, and :code:`java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
@@ -77,8 +77,8 @@ Golang
* There was a bug in the query :code:`go/incorrect-integer-conversion` which meant that upper bound checks using a strict inequality (:code:`<`) and comparing against :code:`math.MaxInt` or :code:`math.MaxUint` were not considered correctly, which led to false positives. This has now been fixed.
Java
""""
Java/Kotlin
"""""""""""
* Modified the :code:`java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
* The query :code:`java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
@@ -98,8 +98,8 @@ C/C++
* Added a new query, :code:`cpp/use-of-unique-pointer-after-lifetime-ends`, to detect uses of the contents unique pointers that will be destroyed immediately.
* The :code:`cpp/incorrectly-checked-scanf` query has been added. This finds results where the return value of scanf is not checked correctly. Some of these were previously found by :code:`cpp/missing-check-scanf` and will no longer be reported there.
Java
""""
Java/Kotlin
"""""""""""
* Added the :code:`java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the :code:`crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.
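Review bot: the C/C++ context line of this hunk reads `uses of the contents unique pointers`, which is missing `of` (`uses of the contents of unique pointers`), and `scanf` on the following line lacks the :code: markup used elsewhere on the page; both predate this change.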
@@ -153,8 +153,8 @@ Golang
* The XPath library, which is used for the XPath injection query (:code:`go/xml/xpath-injection`), now includes support for :code:`Parser` sinks from the `libxml2 <https://github.com/lestrrat-go/libxml2>`__ package.
* :code:`CallNode::getACallee` and related predicates now recognise more callees accessed via a function variable, in particular when the callee is stored into a global variable or is captured by an anonymous function. This may lead to new alerts where data-flow into such a callee is relevant.
Java
""""
Java/Kotlin
"""""""""""
* Added the :code:`Map#replace` and :code:`Map#replaceAll` methods to the :code:`MapMutator` class in :code:`semmle.code.java.Maps`.
@@ -219,8 +219,8 @@ C/C++
* The :code:`isUserInput`, :code:`userInputArgument`, and :code:`userInputReturned` predicates from :code:`SecurityOptions` have been deprecated. Use :code:`FlowSource` instead.
Java
""""
Java/Kotlin
"""""""""""
* Imports of the old dataflow libraries (e.g. :code:`semmle.code.java.dataflow.DataFlow2`) have been deprecated in the libraries under the :code:`semmle.code.java.security` namespace.


@@ -52,8 +52,8 @@ Golang
* The query :code:`go/insecure-randomness` now recognizes the selection of candidates from a predefined set using a weak RNG when the result is used in a sensitive operation. Also, false positives have been reduced by adding more sink exclusions for functions in the :code:`crypto` package not related to cryptographic operations.
* Added more sources and sinks to the query :code:`go/clear-text-logging`.
Java
""""
Java/Kotlin
"""""""""""
* A manual neutral summary model for a callable now blocks all generated summary models for that callable from having any effect.
@@ -75,8 +75,8 @@ Swift
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added the :code:`java/exec-tainted-environment` query, to detect the injection of environment variables names or values from remote input.
@@ -91,8 +91,8 @@ Language Libraries
Bug Fixes
~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Fixed regular expressions containing flags not being parsed correctly in some cases.
@@ -129,8 +129,8 @@ Golang
* Support for flow sources in `AWS Lambda function handlers <https://docs.aws.amazon.com/lambda/latest/dg/golang-handler.html>`__ has been added.
* Support for the `fasthttp framework <https://github.com/valyala/fasthttp/>`__ has been added.
Java
""""
Java/Kotlin
"""""""""""
* Deleted many deprecated predicates and classes with uppercase :code:`EJB`, :code:`JMX`, :code:`NFE`, :code:`DNS` etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated :code:`semmle/code/java/security/OverlyLargeRangeQuery.qll`, :code:`semmle/code/java/security/regexp/ExponentialBackTracking.qll`, :code:`semmle/code/java/security/regexp/NfaUtils.qll`, and :code:`semmle/code/java/security/regexp/NfaUtils.qll` files.
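Review bot: the Java/Kotlin context line of this hunk lists :code:`semmle/code/java/security/regexp/NfaUtils.qll` twice in the same sentence; the duplicate entry is worth checking in a follow-up, since it may hide a different file that was meant to be named.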
@@ -198,8 +198,8 @@ Golang
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new library :code:`semmle.code.java.security.Sanitizers` which contains a new sanitizer class :code:`SimpleTypeSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
* Converted definitions of :code:`isBarrier` and sanitizer classes to use :code:`SimpleTypeSanitizer` instead of checking if :code:`node.getType()` is :code:`PrimitiveType` or :code:`BoxedType`.


@@ -50,8 +50,8 @@ Ruby
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new query :code:`java/android/sensitive-text` to detect instances of sensitive data being exposed through text fields without being properly masked.
* Added a new query :code:`java/android/sensitive-notification` to detect instances of sensitive data being exposed through Android notifications.
@@ -82,8 +82,8 @@ C#
* C# 12: Added extractor, QL library and data flow support for collection expressions like :code:`[1, y, 4, .. x]`.
* The C# extractor now accepts an extractor option :code:`logging.verbosity` that specifies the verbosity of the logs. The option is added via :code:`codeql database create --language=csharp -Ologging.verbosity=debug ...` or by setting the corresponding environment variable :code:`CODEQL_EXTRACTOR_CSHARP_OPTION_LOGGING_VERBOSITY`.
Java
""""
Java/Kotlin
"""""""""""
* Added models for the following packages:


@@ -62,8 +62,8 @@ Golang
* The query "Use of a hardcoded key for signing JWT" (:code:`go/hardcoded-key`) has been promoted from experimental to the main query pack. Its results will now appear by default as part of :code:`go/hardcoded-credentials`. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/9378>`__.
Java
""""
Java/Kotlin
"""""""""""
* The sinks of the queries :code:`java/path-injection` and :code:`java/path-injection-local` have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.
@@ -81,8 +81,8 @@ C#
* Added sanitizers for relative URLs, :code:`List.Contains()`, and checking the :code:`.Host` property on an URI to the :code:`cs/web/unvalidated-url-redirection` query.
Java
""""
Java/Kotlin
"""""""""""
* The sanitizer for the path injection queries has been improved to handle more cases where :code:`equals` is used to check an exact path match.
* The query :code:`java/unvalidated-url-redirection` now sanitizes results following the same logic as the query :code:`java/ssrf`. URLs where the destination cannot be controlled externally are no longer reported.
@@ -95,8 +95,8 @@ Golang
* The query "Missing JWT signature check" (:code:`go/missing-jwt-signature-check`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @am0o0 <https://github.com/github/codeql/pull/14075>`__.
Java
""""
Java/Kotlin
"""""""""""
* Added a new query :code:`java/android/insecure-local-authentication` for finding uses of biometric authentication APIs that do not make use of a :code:`KeyStore`\ -backed key and thus may be bypassed.
@@ -108,8 +108,8 @@ Swift
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The :code:`security-severity` score of the query :code:`java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation.
@@ -125,8 +125,8 @@ C#
* C# 12: The QL and data flow library now support primary constructors.
* Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in buildless mode to surface information related to dependency fetching.
Java
""""
Java/Kotlin
"""""""""""
* An extension point for sanitizers of the query :code:`java/unvalidated-url-redirection` has been added.
@@ -170,8 +170,8 @@ Swift
Deprecated APIs
~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The :code:`PathCreation` class in :code:`PathCreation.qll` has been deprecated.


@@ -59,8 +59,8 @@ C#
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed. The changed queries are :code:`cs/code-injection`, :code:`cs/command-line-injection`, :code:`cs/user-controlled-bypass`, :code:`cs/count-untrusted-data-external-api`, :code:`cs/untrusted-data-to-external-api`, :code:`cs/ldap-injection`, :code:`cs/log-forging`, :code:`cs/xml/missing-validation`, :code:`cs/redos`, :code:`cs/regex-injection`, :code:`cs/resource-injection`, :code:`cs/sql-injection`, :code:`cs/path-injection`, :code:`cs/unsafe-deserialization-untrusted-input`, :code:`cs/web/unvalidated-url-redirection`, :code:`cs/xml/insecure-dtd-handling`, :code:`cs/xml/xpath-injection`, :code:`cs/web/xss`, and :code:`cs/uncontrolled-format-string`.
Java
""""
Java/Kotlin
"""""""""""
* To reduce the number of false positives in the query "Insertion of sensitive information into log files" (:code:`java/sensitive-log`), variables with names that contain "null" (case-insensitively) are no longer considered sources of sensitive information.
@@ -73,8 +73,8 @@ Ruby
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added a new query :code:`java/android/insecure-local-key-gen` for finding instances of keys generated for biometric authentication in an insecure way.
@@ -94,8 +94,8 @@ Golang
* Fixed dataflow out of a :code:`map` using a :code:`range` statement.
Java
""""
Java/Kotlin
"""""""""""
* Fixed the Java autobuilder overriding the version of Maven used by a project when the Maven wrapper :code:`mvnw` is in use and the :code:`maven-wrapper.jar` file is not present in the repository.
* Some flow steps related to :code:`android.text.Editable.toString` that were accidentally disabled have been re-enabled.
@@ -136,8 +136,8 @@ C#
* C#: The table :code:`expr_compiler_generated` has been deleted and its content has been added to :code:`compiler_generated`.
* Data flow via get only properties like :code:`public object Obj { get; }` is now captured by the data flow library.
Java
""""
Java/Kotlin
"""""""""""
* Java expressions with erroneous types (e.g. the result of a call whose callee couldn't be resolved during extraction) are now given a CodeQL :code:`ErrorType` more often.


@@ -52,8 +52,8 @@ C#
* The :code:`Stored` variants of some queries (:code:`cs/stored-command-line-injection`, :code:`cs/web/stored-xss`, :code:`cs/stored-ldap-injection`, :code:`cs/xml/stored-xpath-injection`, :code:`cs/second-order-sql-injection`) have been removed. If you were using these queries, their results can be restored by enabling the :code:`file` and :code:`database` threat models in your threat model configuration.
Java
""""
Java/Kotlin
"""""""""""
* The :code:`java/missing-case-in-switch` query now gives only a single alert for each switch statement, giving some examples of the missing cases as well as a count of how many are missing.
@@ -79,8 +79,8 @@ Golang
* The query :code:`go/hardcoded-credentials` no longer discards string literals based on "weak password" heuristics.
* The query :code:`go/sql-injection` now recognizes more sinks in the package :code:`github.com/Masterminds/squirrel`.
Java
""""
Java/Kotlin
"""""""""""
* Variables named :code:`tokenImage` are no longer sources for the :code:`java/sensitive-log` query. This is because this variable name is used in parsing code generated by JavaCC, so it causes a large number of false positive alerts.
* Added sanitizers for relative URLs, :code:`List.contains()`, and checking the host of a URI to the :code:`java/ssrf` and :code:`java/unvalidated-url-redirection` queries.
@@ -103,8 +103,8 @@ Golang
* The query "Slice memory allocation with excessive size value" (:code:`go/uncontrolled-allocation-size`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @Malayke <https://github.com/github/codeql/pull/15130>`__.
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/unsafe-url-forward-dispatch-load` has been promoted from experimental to the main query pack as :code:`java/unvalidated-url-forward`. Its results will now appear by default. This query was originally submitted as an experimental query `by @haby0 <https://github.com/github/codeql/pull/6240>`__ and `by @luchua-bc <https://github.com/github/codeql/pull/7286>`__.
@@ -133,8 +133,8 @@ C#
* The CIL extractor has been deleted and the corresponding extractor option :code:`cil` has been removed. It is no longer possible to do CIL extraction.
* The QL library C# classes no longer extend their corresponding :code:`DotNet` classes. Furthermore, CIL related data flow functionality has been deleted and all :code:`DotNet` and :code:`CIL` related classes have been deprecated. This effectively means that it no longer has any effect to enable CIL extraction.
Java
""""
Java/Kotlin
"""""""""""
* The Java extractor no longer supports the :code:`ODASA_SNAPSHOT` legacy environment variable.
@@ -178,8 +178,8 @@ Golang
* The :code:`CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO` option, which speeds up retrieval of dependency information, is now on by default. This was originally an external contribution by @xhd2015.
* Added dataflow sources for the package :code:`gopkg.in/macaron.v1`.
Java
""""
Java/Kotlin
"""""""""""
* Increased the precision of some dataflow models of the class :code:`java.net.URL` by distinguishing the parts of a URL.
* The Java extractor and QL libraries now support Java 22, including support for anonymous variables, lambda parameters and patterns.

View File

@@ -42,8 +42,8 @@ Query Packs
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The :code:`java/unknown-javadoc-parameter` now accepts :code:`@param` tags that apply to the parameters of a record.
@@ -79,8 +79,8 @@ Golang
* Data flow through variables declared in statements of the form :code:`x := y.(type)` at the beginning of type switches has been fixed, which may result in more alerts.
* Added strings.ReplaceAll, http.ParseMultipartForm sanitizers and remove path sanitizer.
Java
""""
Java/Kotlin
"""""""""""
* About 6,700 summary models and 6,800 neutral summary models for the JDK that were generated using data flow have been added. This may lead to new alerts being reported.

View File

@@ -87,8 +87,8 @@ Golang
* Deleted the deprecated :code:`CsvRemoteSource` alias. Use :code:`MaDRemoteSource` instead.
Java
""""
Java/Kotlin
"""""""""""
* Deleted the deprecated :code:`AssignLShiftExpr`, :code:`AssignRShiftExpr`, :code:`AssignURShiftExpr`, :code:`LShiftExpr`, :code:`RShiftExpr`, and :code:`URShiftExpr` aliases.

View File

@@ -49,8 +49,8 @@ Language Libraries
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The Java extractor no longer supports the :code:`ODASA_JAVA_LAYOUT`, :code:`ODASA_TOOLS` and :code:`ODASA_HOME` legacy environment variables.
* The Java extractor no longer supports the :code:`ODASA_BUILD_ERROR_DIR` legacy environment variable.

View File

@@ -30,8 +30,8 @@ Query Packs
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Removed :code:`local` query variants. The results pertaining to local sources can be found using the non-local counterpart query. As an example, the results previously found by :code:`java/unvalidated-url-redirection-local` can be found by :code:`java/unvalidated-url-redirection`, if the :code:`local` threat model is enabled. The removed queries are :code:`java/path-injection-local`, :code:`java/command-line-injection-local`, :code:`java/xss-local`, :code:`java/sql-injection-local`, :code:`java/http-response-splitting-local`, :code:`java/improper-validation-of-array-construction-local`, :code:`java/improper-validation-of-array-index-local`, :code:`java/tainted-format-string-local`, :code:`java/tainted-arithmetic-local`, :code:`java/unvalidated-url-redirection-local`, :code:`java/xxe-local` and :code:`java/tainted-numeric-cast-local`.
@@ -49,8 +49,8 @@ Golang
* The query :code:`go/incorrect-integer-conversion` has now been restricted to only use flow through value-preserving steps. This reduces false positives, especially around type switches.
Java
""""
Java/Kotlin
"""""""""""
* The alert message for the query "Trust boundary violation" (:code:`java/trust-boundary-violation`) has been updated to include a link to the remote source.
* The sanitizer of the query :code:`java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.
@@ -74,8 +74,8 @@ JavaScript/TypeScript
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
@@ -89,8 +89,8 @@ Golang
* A bug has been fixed which meant flow was not followed through some ranged for loops. This may lead to more alerts being found.
* Added value flow models for the built-in functions :code:`append`, :code:`copy`, :code:`max` and :code:`min` using Models-as-Data. Removed the old-style models for :code:`max` and :code:`min`.
Java
""""
Java/Kotlin
"""""""""""
* JDK version detection based on Gradle projects has been improved. Java extraction using build-modes :code:`autobuild` or :code:`none` is more likely to pick an appropriate JDK version, particularly when the Android Gradle Plugin or Spring Boot Plugin are in use.

View File

@@ -77,8 +77,8 @@ C#
* .NET 8 Runtime models have been updated based on the newest version of the model generator. Furthermore, the database sources have been changed slightly to reduce result multiplicity.
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/spring-disabled-csrf-protection` detects disabling CSRF via :code:`ServerHttpSecurity$CsrfSpec::disable`.
* Added more :code:`java.io.File`\ -related sinks to the path injection query.
@@ -94,8 +94,8 @@ Language Libraries
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The precision of virtual dispatch has been improved. This increases precision in general for all data flow queries.
@@ -107,8 +107,8 @@ C/C++
* A partial model for the :code:`Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in :code:`Boost.Asio`, such as :code:`read_until` and :code:`write`.
Java
""""
Java/Kotlin
"""""""""""
* Support for Eclipse Compiler for Java (ecj) has been fixed to work with (a) runs that don't pass :code:`-noExit` and (b) runs that use post-Java-9 command-line arguments.

View File

@@ -22,11 +22,9 @@ CodeQL CLI
Breaking Changes
~~~~~~~~~~~~~~~~
* A number of breaking changes have been made to the C and C++ CodeQL environment:
* A number of breaking changes have been made to the C and C++ CodeQL test environment as used by :code:`codeql test run`\ :
* The environment no longer defines any GNU-specific builtin macros.
If these macros are still needed, please define them via
:code:`semmle-extractor-options`.
* The test environment no longer defines any GNU-specific builtin macros. If these macros are still needed by a test, please define them via :code:`semmle-extractor-options`.
* The :code:`--force-recompute` option is no longer directly supported by
:code:`semmle-extractor-options`. Instead, :code:`--edg --force-recompute` should be specified.
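Review bot: the `--force-recompute` sub-bullet at the end of this hunk is left inconsistent with its sibling. The first sub-bullet was reflowed onto a single line and rescoped to the `codeql test run` environment, but the second still spans two lines and still describes the option generically, so the reader cannot tell whether it is also limited to the test environment. Suggest reflowing it to one line and leading with "The test environment no longer directly supports ..." so both sub-bullets carry the same scope, and stating plainly that `--edg --force-recompute` is the value to put in `semmle-extractor-options`.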
@@ -71,16 +69,16 @@ Query Packs
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/weak-cryptographic-algorithm` no longer alerts about :code:`RSA/ECB` algorithm strings.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The query :code:`java/tainted-permissions-check` now uses threat models. This means that :code:`local` sources are no longer included by default for this query, but can be added by enabling the :code:`local` threat model.
* Added more :code:`org.apache.commons.io.FileUtils`\ -related sinks to the path injection query.
@@ -107,8 +105,8 @@ Golang
* Fixed dataflow via global variables other than via a direct write: for example, via a side-effect on a global, such as :code:`io.copy(SomeGlobal, ...)` or via assignment to a field or array or slice cell of a global. This means that any data-flow query may return more results where global variables are involved.
Java
""""
Java/Kotlin
"""""""""""
* Support for :code:`codeql test run` for Kotlin sources has been fixed.
@@ -135,8 +133,8 @@ Golang
* DataFlow queries which previously used :code:`RemoteFlowSource` to define their sources have been modified to instead use :code:`ThreatModelFlowSource`. This means these queries will now respect threat model configurations. The default threat model configuration is equivalent to :code:`RemoteFlowSource`, so there should be no change in results for users using the default.
* Added the :code:`ThreatModelFlowSource` class to :code:`FlowSources.qll`. The :code:`ThreatModelFlowSource` class can be used to include sources which match the current *threat model* configuration. This is the first step in supporting threat modeling for Go.
Java
""""
Java/Kotlin
"""""""""""
* Added models for the following packages:

View File

@@ -72,8 +72,8 @@ C/C++
* The :code:`cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") query now produces fewer false positives.
Java
""""
Java/Kotlin
"""""""""""
* The heuristic to enable certain Android queries has been improved. Now it ignores Android Manifests which don't define an activity, content provider or service. We also only consider files which are under a folder containing such an Android Manifest for these queries. This should remove some false positive alerts.
@@ -113,8 +113,8 @@ Language Libraries
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The Java extractor no longer supports the :code:`SEMMLE_DIST` legacy environment variable.
@@ -126,8 +126,8 @@ Golang
* There was a bug which meant that the built-in function :code:`clear` was considered as a sanitizer in some cases when it shouldn't have been. This has now been fixed, which may lead to more alerts.
Java
""""
Java/Kotlin
"""""""""""
* Added a path-injection sink for :code:`hudson.FilePath.exists()`.
* Added summary models for :code:`org.apache.commons.io.IOUtils.toByteArray`.
@@ -146,8 +146,8 @@ Swift
Deprecated APIs
~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The predicate :code:`isAndroid` from the module :code:`semmle.code.java.security.AndroidCertificatePinningQuery` has been deprecated. Use :code:`semmle.code.java.frameworks.android.Android::inAndroidApplication(File)` instead.
@@ -161,8 +161,8 @@ C/C++
* Added subclasses of :code:`BuiltInOperations` for :code:`__builtin_has_attribute`, :code:`__builtin_is_corresponding_member`, :code:`__builtin_is_pointer_interconvertible_with_class`, :code:`__is_assignable_no_precondition_check`, :code:`__is_bounded_array`, :code:`__is_convertible`, :code:`__is_corresponding_member`, :code:`__is_nothrow_convertible`, :code:`__is_pointer_interconvertible_with_class`, :code:`__is_referenceable`, :code:`__is_same_as`, :code:`__is_trivially_copy_assignable`, :code:`__is_unbounded_array`, :code:`__is_valid_winrt_type`, :code:`_is_win_class`, :code:`__is_win_interface`, :code:`__reference_binds_to_temporary`, :code:`__reference_constructs_from_temporary`, and :code:`__reference_converts_from_temporary`.
* The class :code:`NewArrayExpr` adds a predicate :code:`getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.
Java and Kotlin
"""""""""""""""
Java/Kotlin
"""""""""""
* Kotlin support is now out of beta, and generally available
* Kotlin versions up to 2.0.2*x* are now supported.
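Review bot: this hunk normalizes a third heading spelling (`Java and Kotlin`) that none of the other rename hunks touched, so a search for both `^Java$` and `^Java and Kotlin$` headings across the release-notes tree would confirm no stragglers remain. Separately, the unchanged bullet `* Kotlin support is now out of beta, and generally available` is the only one in the section without a terminating period; since the section is being edited anyway, worth adding it so it matches the sibling bullet.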

View File

@@ -0,0 +1,147 @@
.. _codeql-cli-2.18.2:
==========================
CodeQL 2.18.2 (2024-08-13)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.18.2 runs a total of 423 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
Deprecations
~~~~~~~~~~~~
* Swift analysis on Ubuntu is no longer supported. Please migrate to macOS if this affects you.
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.3.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Fixed false positives in the :code:`cpp/memory-may-not-be-freed` ("Memory may not be freed") query involving class methods that returned an allocated field of that class being misidentified as allocators.
* The :code:`cpp/incorrectly-checked-scanf` ("Incorrect return-value check for a 'scanf'-like function") query now produces fewer false positive results.
* The :code:`cpp/incorrect-allocation-error-handling` ("Incorrect allocation-error handling") query no longer produces occasional false positive results inside template instantiations.
* The :code:`cpp/suspicious-allocation-size` ("Not enough memory allocated for array of pointer type") query no longer produces false positives on "variable size" :code:`struct`\ s.
Java/Kotlin
"""""""""""
* Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the :code:`java/sensitive-log` query. They normally relate to things like :code:`java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts.
* The query "Unused classes and interfaces" (:code:`java/unused-reference-type`) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with :code:`@test`.
* Alerts about exposing :code:`exception.getMessage()` in servlet responses are now split out of :code:`java/stack-trace-exposure` into its own query :code:`java/error-message-exposure`.
* Added the extensible abstract class :code:`SensitiveLoggerSource`. Now this class can be extended to add more sources to the :code:`java/sensitive-log` query or for customizations overrides.
Python
""""""
* Added models of :code:`streamlit` PyPI package.
Swift
"""""
* The :code:`swift/constant-salt` ("Use of constant salts") query now considers string concatenation and interpolation as a barrier. As a result, there will be fewer false positive results from this query involving constructed strings.
* The :code:`swift/constant-salt` ("Use of constant salts") query message now contains a link to the source node.
New Queries
~~~~~~~~~~~
Python
""""""
* The :code:`py/cookie-injection` query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being constructed from user input.
Ruby
""""
* Added a new query, :code:`rb/weak-sensitive-data-hashing`, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The precision of :code:`cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") has been increased to :code:`high`. As a result, it will be run by default as part of the Code Scanning suite.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* The Java and Kotlin extractors no longer support the :code:`SOURCE_ARCHIVE` and :code:`TRAP_FOLDER` legacy environment variable.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries <https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data%3E>`__ and `Customizing your advanced setup for code scanning <https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The controlling expression of a :code:`constexpr if` is now always recognized as an unevaluated expression.
* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
* A :code:`UsingEnumDeclarationEntry` class has been added for C++ :code:`using enum` declarations. As part of this, synthesized :code:`UsingDeclarationEntry`\ s are no longer emitted for individual enumerators of the referenced enumeration.
Java/Kotlin
"""""""""""
* Added flow through some methods of the class :code:`java.net.URL` by ensuring that the fields of a URL are tainted.
* Added path-injection sinks for :code:`org.apache.tools.ant.taskdefs.Property.setFile` and :code:`org.apache.tools.ant.taskdefs.Property.setResource`.
* Adds models for request handlers using the :code:`org.lastaflute.web` web framework.
Python
""""""
* Added support for :code:`DictionaryElement[<key>]` and :code:`DictionaryElementAny` when Customizing Library Models for :code:`sourceModel` (see https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/)
Swift
"""""
* The model for :code:`FileManager` no longer considers methods that return paths on the file system as taint sources. This is because these sources have been found to produce results of low value.
* An error in the model for :code:`URL.withUnsafeFileSystemRepresentation(_:)` has been corrected. This may result in new data flow paths being found during analysis.
New Features
~~~~~~~~~~~~
C/C++
"""""
* A :code:`getTemplateClass` predicate was added to the :code:`DeductionGuide` class to get the class template for which the deduction guide is a guide.
* An :code:`isExplicit` predicate was added to the :code:`Function` class that determines whether the function was declared as explicit.
* A :code:`getExplicitExpr` predicate was added to the :code:`Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
* A :code:`isDestroyingDeleteDeallocation` predicate was added to the :code:`NewOrNewArrayExpr` and :code:`DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete.
Java/Kotlin
"""""""""""
* Java support for :code:`build-mode: none` is now out of beta, and generally available.
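Review bot: the link in the Major Analysis Improvements bullet for Java/Kotlin ends with `%3E`, an encoded `>` appended to the fragment (`...#including-model-packs-to-add-potential-sources-of-tainted-data%3E`); that looks like a stray `>` picked up from the RST link syntax and will keep the anchor from resolving, so drop it. A few smaller points in the same new file: the Breaking Changes bullet names two variables (`SOURCE_ARCHIVE` and `TRAP_FOLDER`) but says "legacy environment variable", which should be plural; the `java/unused-reference-type` bullet refers to JUnit 4 tests annotated with `@test`, but the JUnit 4 annotation is `@Test` with a capital T; "Variables names containing the string" should read "Variable names"; "or for customizations overrides" reads awkwardly (perhaps "or to override the defaults"); the lastaflute bullet uses present tense "Adds models" while every neighbouring bullet uses "Added"; and the Python `DictionaryElement` bullet has a bare URL and no terminating period where the rest of the file uses RST link syntax.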

View File

@@ -0,0 +1,108 @@
.. _codeql-cli-2.18.3:
==========================
CodeQL 2.18.3 (2024-08-28)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.18.3 runs a total of 425 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/uncontrolled-allocation-size` ("Uncontrolled allocation size") query now considers arithmetic operations that might reduce the size of user input as a barrier. The query therefore produces fewer false positive results.
C#
""
* Attributes in the :code:`System.Runtime.CompilerServices` namespace are ignored when checking if a declaration requires documentation comments.
* C# build-mode :code:`none` analyses now report a warning on the CodeQL status page when there are significant analysis problems -- defined as 5% of expressions lacking a type, or 5% of call targets being unknown. Other messages reported on the status page are downgraded from warnings to notes and so are less prominent, but are still available for review.
JavaScript/TypeScript
"""""""""""""""""""""
* Message events in the browser are now properly classified as client-side taint sources. Previously they were incorrectly classified as server-side taint sources, which resulted in some alerts being reported by the wrong query, such as server-side URL redirection instead of client-side URL redirection.
Swift
"""""
* False positive results from the :code:`swift/cleartext-transmission` ("Cleartext transmission of sensitive information") query involving :code:`tel:`, :code:`mailto:` and similar URLs have been fixed.
New Queries
~~~~~~~~~~~
Python
""""""
* The :code:`py/cookie-injection` query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being set without the :code:`Secure`, :code:`HttpOnly`, or :code:`SameSite` attributes set to secure values.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Golang
""""""
* Fixed an issue where :code:`io/ioutil.WriteFile`\ 's non-path arguments incorrectly generated :code:`go/path-injection` alerts when untrusted data was written to a file, or controlled the file's mode.
Java/Kotlin
"""""""""""
* Fixed an issue where analysis in :code:`build-mode: none` may very occasionally throw a :code:`CoderMalfunctionError` while resolving dependencies provided by a build system (Maven or Gradle), which could cause some dependency resolution and consequently alerts to vary unpredictably from one run to another.
* Fixed an issue where Java analysis in :code:`build-mode: none` would fail to resolve dependencies using the :code:`executable-war` Maven artifact type.
* Fixed an issue where analysis in :code:`build-mode: none` may fail to resolve dependencies of Gradle projects where the dependency uses a non-empty artifact classifier -- for example, :code:`someproject-1.2.3-tests.jar`, which has the classifier :code:`tests`.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Added some new :code:`local` source models. Most prominently :code:`System.IO.Path.GetTempPath` and :code:`System.Environment.GetFolderPath`. This might produce more alerts, if the :code:`local` threat model is enabled.
* The extractor has been changed to not skip source files that have already been seen. This has an impact on source files that are compiled multiple times in the build process. Source files with conditional compilation preprocessor directives (such as :code:`#if`) are now extracted for each set of preprocessor symbols that are used during the build process.
Java/Kotlin
"""""""""""
* Threat-model for :code:`System.in` changed from :code:`commandargs` to newly created :code:`stdin` (both subgroups of :code:`local`).
Shared Libraries
----------------
Deprecated APIs
~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* The source/sink grouping feature of the data flow library has been removed. It was introduced primarily for debugging, but has not proven useful.
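Review bot: the New Queries entry for `py/cookie-injection` repeats the promotion already recorded in the 2.18.2 notes added earlier in this same patch, but with a different description: there it "finds instances of cookies being constructed from user input", here it finds cookies "set without the :code:`Secure`, :code:`HttpOnly`, or :code:`SameSite` attributes set to secure values". Those are two different classes of finding, so one of the two entries is carrying the wrong query id or the wrong description; please confirm against the Python query pack's own changelog before shipping. Relatedly, the Security Coverage paragraph says "2 security queries have been added with this release" while New Queries lists only one, which is worth checking at the same time. Minor: the Java/Kotlin bullet "Threat-model for :code:`System.in` changed from :code:`commandargs` to newly created :code:`stdin`" is terse compared with the rest of the file; suggest "The threat model kind for :code:`System.in` has changed from :code:`commandargs` to the newly created :code:`stdin` kind (both are subgroups of :code:`local`)."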

View File

@@ -90,8 +90,8 @@ Language Libraries
Bug Fixes
~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* :code:`CharacterLiteral`\ 's :code:`getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
* The :code:`RangeAnalysis` module and the :code:`java/constant-comparison` queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals.

View File

@@ -60,8 +60,8 @@ JavaScript/TypeScript
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The :code:`java/constant-comparison` query no longer raises false alerts regarding comparisons with Unicode surrogate character literals.
@@ -103,8 +103,8 @@ Language Libraries
Bug Fixes
~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* :code:`CharacterLiteral`\ 's :code:`getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
* The :code:`RangeAnalysis` module now properly handles comparisons with Unicode surrogate character literals.
@@ -112,8 +112,8 @@ Java
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Data flow now propagates taint from remote source :code:`Parameter` types to read steps of their fields (e.g. :code:`tainted.publicField` or :code:`tainted.getField()`). This also applies to their subtypes and the types of their fields, recursively.

View File

@@ -79,8 +79,8 @@ C/C++
* The "Uncontrolled data in arithmetic expression" (cpp/uncontrolled-arithmetic) query has been enhanced to reduce false positive results and its @precision increased to high.
* A new :code:`cpp/very-likely-overrunning-write` query has been added to the default query suite for C/C++. The query reports some results that were formerly flagged by :code:`cpp/overrunning-write`.
Java
""""
Java/Kotlin
"""""""""""
* A new query "Use of implicit PendingIntents" (:code:`java/android/pending-intents`) has been added.
This query finds implicit and mutable :code:`PendingIntents` sent to an unspecified third party component, which may provide an attacker with access to internal components of the application or cause other unintended effects.
@@ -108,8 +108,8 @@ Ruby
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The "Random used only once" (:code:`java/random-used-once`) query no longer has a :code:`security-severity` score. This has been causing some tools to categorise it as a security query, when it is more useful as a code-quality query.
@@ -159,8 +159,8 @@ C#
* The :code:`codeql/csharp-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the :code:`codeql/csharp-all` CodeQL pack.
Java
""""
Java/Kotlin
"""""""""""
* The :code:`codeql/java-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the :code:`codeql/java-all` CodeQL pack.

View File

@@ -104,8 +104,8 @@ C/C++
* Added a new query, :code:`cpp/open-call-with-mode-argument`, to detect when :code:`open` or :code:`openat` is called with the :code:`O_CREAT` or :code:`O_TMPFILE` flag but when the :code:`mode` argument is omitted.
Java
""""
Java/Kotlin
"""""""""""
* A new query "Cleartext storage of sensitive information using a local database on Android" (:code:`java/android/cleartext-storage-database`) has been added. This query finds instances of sensitive data being stored in local databases without encryption, which may expose it to attackers or malicious applications.

View File

@@ -36,8 +36,8 @@ Query Packs
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Add more classes to Netty request/response splitting. Change identification to :code:`java/netty-http-request-or-response-splitting`.
Identify request splitting differently from response splitting in query results.
@@ -58,8 +58,8 @@ JavaScript/TypeScript
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* A new query titled "Local information disclosure in a temporary directory" (:code:`java/local-temp-file-or-directory-information-disclosure`) has been added.
This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory.
@@ -137,8 +137,8 @@ C/C++
* Added a :code:`isStructuredBinding` predicate to the :code:`Variable` class which holds when the variable is declared as part of a structured binding declaration.
Java
""""
Java/Kotlin
"""""""""""
* Added predicates :code:`ClassOrInterface.getAPermittedSubtype` and :code:`isSealed` exposing information about sealed classes.

View File

@@ -124,8 +124,8 @@ C/C++
* Many queries now support structured bindings, as structured bindings are now handled in the IR translation.
Java
""""
Java/Kotlin
"""""""""""
* Add support for :code:`CharacterLiteral` in :code:`CompileTimeConstantExpr.getStringValue()`
@@ -152,8 +152,8 @@ Ruby
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added :code:`hasDescendant(RefType anc, Type sub)`
* Added :code:`RefType.getADescendant()`

View File

@@ -38,8 +38,8 @@ C/C++
* The :code:`cpp/overflow-destination`, :code:`cpp/unclear-array-index-validation`, and :code:`cpp/uncontrolled-allocation-size` queries have been modernized and converted to :code:`path-problem` queries and provide more true positive results.
* The :code:`cpp/system-data-exposure` query has been increased from :code:`medium` to :code:`high` precision, following a number of improvements to the query logic.
Java
""""
Java/Kotlin
"""""""""""
* Updated "Local information disclosure in a temporary directory" (:code:`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
@@ -52,8 +52,8 @@ JavaScript/TypeScript
New Queries
~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The query "Insertion of sensitive information into log files" (:code:`java/sensitive-logging`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/3090>`__.
@@ -79,8 +79,8 @@ C#
* The flow state variants of :code:`isBarrier` and :code:`isAdditionalFlowStep` are no longer exposed in the taint tracking library. The :code:`isSanitizer` and :code:`isAdditionalTaintStep` predicates should be used instead.
Java
""""
Java/Kotlin
"""""""""""
* The flow state variants of :code:`isBarrier` and :code:`isAdditionalFlowStep` are no longer exposed in the taint tracking library. The :code:`isSanitizer` and :code:`isAdditionalTaintStep` predicates should be used instead.
@@ -109,8 +109,8 @@ C#
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Java
""""
Java/Kotlin
"""""""""""
* Added new guards :code:`IsWindowsGuard`, :code:`IsSpecificWindowsVariant`, :code:`IsUnixGuard`, and :code:`IsSpecificUnixVariant` to detect OS specific guards.
* Added a new predicate :code:`getSystemProperty` that gets all expressions that retrieve system properties from a variety of sources (eg. alternative JDK API's, Google Guava, Apache Commons, Apache IO, etc.).
@@ -150,8 +150,8 @@ C#
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Java
""""
Java/Kotlin
"""""""""""
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
@@ -193,8 +193,8 @@ C#
* The data flow and taint tracking libraries have been extended with versions of :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isBarrierGuard`, respectively :code:`isSanitizerIn`, :code:`isSanitizerOut`, and :code:`isSanitizerGuard`, that support flow states.
Java
""""
Java/Kotlin
"""""""""""
* The data flow and taint tracking libraries have been extended with versions of :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isBarrierGuard`, respectively :code:`isSanitizerIn`, :code:`isSanitizerOut`, and :code:`isSanitizerGuard`, that support flow states.

View File

@@ -53,8 +53,8 @@ C/C++
* The :code:`cpp/command-line-injection` query now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations.
* A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (:code:`cpp/potential-system-data-exposure`) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (:code:`cpp/system-data-exposure`) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
Java
""""
Java/Kotlin
"""""""""""
* Fixed "Local information disclosure in a temporary directory" (:code:`java/local-temp-file-or-directory-information-disclosure`) to resolve false-negatives when OS isn't properly used as logical guard.
* The :code:`SwitchCase.getRuleExpression()` predicate now gets expressions for case rules with an expression on the right-hand side of the arrow belonging to both :code:`SwitchStmt` and :code:`SwitchExpr`, and the corresponding :code:`getRuleStatement()` no longer returns an :code:`ExprStmt` in either case. Previously :code:`SwitchStmt` and :code:`SwitchExpr` behaved differently in
@@ -87,8 +87,8 @@ Ruby
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added the :code:`security-severity` tag to several queries.
@@ -120,8 +120,8 @@ C#
* The recently added flow-state versions of :code:`isBarrierIn`, :code:`isBarrierOut`, :code:`isSanitizerIn`, and :code:`isSanitizerOut` in the data flow and taint tracking libraries have been removed.
Java
""""
Java/Kotlin
"""""""""""
* The recently added flow-state versions of :code:`isBarrierIn`, :code:`isBarrierOut`, :code:`isSanitizerIn`, and :code:`isSanitizerOut` in the data flow and taint tracking libraries have been removed.
* The :code:`getUrl` predicate of :code:`DeclaredRepository` in :code:`MavenPom.qll` has been renamed to :code:`getRepositoryUrl`.
@@ -153,8 +153,8 @@ C/C++
* The :code:`semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
Java
""""
Java/Kotlin
"""""""""""
* Added guard precondition support for assertion methods for popular testing libraries (e.g. Junit 4, Junit 5, TestNG).
@@ -192,7 +192,7 @@ C/C++
* A new library :code:`semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
Java
""""
Java/Kotlin
"""""""""""
* There are now QL classes ErrorExpr and ErrorStmt. These may be generated by upgrade or downgrade scripts when databases cannot be fully converted.

View File

@@ -27,8 +27,8 @@ Query Packs
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Query :code:`java/insecure-cookie` no longer produces a false positive if :code:`cookie.setSecure(...)` is called passing a constant that always equals :code:`true`.
@@ -59,8 +59,8 @@ Language Libraries
Bug Fixes
~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* The QL class :code:`JumpStmt` has been made the superclass of :code:`BreakStmt`, :code:`ContinueStmt` and :code:`YieldStmt`. This allows directly using its inherited predicates without having to explicitly cast to :code:`JumpStmt` first.
@@ -77,8 +77,8 @@ C#
* The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
Java
""""
Java/Kotlin
"""""""""""
* The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
@@ -101,8 +101,8 @@ C/C++
* More Windows pool allocation functions are now detected as :code:`AllocationFunction`\ s.
* The :code:`semmle.code.cpp.commons.Buffer` library has been enhanced to handle array members of classes that do not specify a size.
Java
""""
Java/Kotlin
"""""""""""
* Improved the data flow support for the Android class :code:`SharedPreferences$Editor`. Specifically, the fluent logic of some of its methods is now taken into account when calculating data flow.

View File

@@ -52,8 +52,8 @@ C/C++
* The "XML external entity expansion" (:code:`cpp/external-entity-expansion`) query has been extended to support a broader selection of XML libraries and interfaces.
Java
""""
Java/Kotlin
"""""""""""
* Query :code:`java/insecure-cookie` now tolerates setting a cookie's secure flag to :code:`request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
* The query :code:`java/non-https-urls` has been simplified and no longer requires its sinks to be :code:`MethodAccess`\ es.
@@ -79,8 +79,8 @@ Python
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Query :code:`java/predictable-seed` now has a tag for CWE-337.
@@ -106,8 +106,8 @@ Python
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* Added models for the libraries OkHttp and Retrofit.
* Add taint models for the following :code:`File` methods:
@@ -150,8 +150,8 @@ JavaScript/TypeScript
New Features
~~~~~~~~~~~~
Java
""""
Java/Kotlin
"""""""""""
* A number of new classes and methods related to the upcoming Kotlin support have been added. These are not yet stable, as Kotlin support is still under development.

View File

@@ -72,8 +72,8 @@ Golang
* Fixed sanitization by calls to :code:`strings.Replace` and :code:`strings.ReplaceAll` in queries :code:`go/log-injection` and :code:`go/unsafe-quoting`.
Java
""""
Java/Kotlin
"""""""""""
* Query :code:`java/sensitive-log` has received several improvements.
@@ -91,8 +91,8 @@ Golang
* A new query *Log entries created from user input* (:code:`go/log-injection`) has been added. The query reports user-provided data reaching calls to logging methods.
* Added a new query, :code:`go/unexpected-nil-value`, to find calls to :code:`Wrap` from :code:`pkg/errors` where the error argument is always nil.
Java
""""
Java/Kotlin
"""""""""""
* Two new queries "Inefficient regular expression" (:code:`java/redos`) and "Polynomial regular expression used on uncontrolled data" (:code:`java/polynomial-redos`) have been added.
These queries help find instances of Regular Expression Denial of Service vulnerabilities.
@@ -146,8 +146,8 @@ Golang
* Fixed a bug where dataflow steps were ignored if both ends were inside the initialiser routine of a file-level variable.
* The method predicate :code:`getACalleeIncludingExternals` on :code:`DataFlow::CallNode` and the function :code:`viableCallable` in :code:`DataFlowDispatch` now also work for calls to functions via a variable, where the function can be determined using local flow.
Java
""""
Java/Kotlin
"""""""""""
* Fixed a sanitizer of the query :code:`java/android/intent-redirection`. Now, for an intent to be considered safe against intent redirection, both its package name and class name must be checked.
@@ -175,8 +175,8 @@ Golang
* The :code:`codeql/go-upgrades` CodeQL pack has been removed. All database upgrade scripts have been merged into the :code:`codeql/go-all` CodeQL pack.
Java
""""
Java/Kotlin
"""""""""""
* The QL class :code:`FloatingPointLiteral` has been renamed to :code:`FloatLiteral`.

View File

@@ -11,6 +11,8 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.18.3
codeql-cli-2.18.2
codeql-cli-2.18.1
codeql-cli-2.18.0
codeql-cli-2.17.6
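Review bot: the toctree now references `codeql-cli-2.18.3` and `codeql-cli-2.18.2`, but neither page appears in the visible part of this diff (the page states that some files were not shown); confirm both `.rst` documents are part of this mergeback, otherwise Sphinx will warn that the toctree references a nonexisting document and the entries will be dropped from the rendered index.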

View File

@@ -16,7 +16,7 @@
.NET Core up to 3.1
.NET 5, .NET 6, .NET 7, .NET 8","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
Go (aka Golang), "Go up to 1.22", "Go 1.11 or more recent", ``.go``
Go (aka Golang), "Go up to 1.23", "Go 1.11 or more recent", ``.go``
Java,"Java 7 to 22 [5]_","javac (OpenJDK and Oracle JDK),
Eclipse compiler for Java (ECJ) [6]_",``.java``

View File

@@ -4,7 +4,7 @@ inputs:
go-test-version:
description: Which Go version to use for running the tests
required: false
default: ~1.22.0
default: "~1.23.1"
run-code-checks:
description: Whether to run formatting, code and qhelp generation checks
required: false
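Review bot: the new default `"~1.23.1"` sets the minimum patch level at 1.23.1, whereas the previous `~1.22.0` allowed any 1.22 patch, so CI will never run against Go 1.23.0; that is consistent with the `toolchain go1.23.1` line added to the extractor's go.mod in this diff, but it is worth recording that intent in the input's `description` so the next bump keeps the two values in step. Quoting the value is a good change: a bare `~1.23.1` is a YAML string anyway, but explicit quotes remove any doubt.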

View File

@@ -12,7 +12,7 @@ import (
)
var minGoVersion = util.NewSemVer("1.11")
var maxGoVersion = util.NewSemVer("1.22")
var maxGoVersion = util.NewSemVer("1.23")
type versionInfo struct {
goModVersion util.SemVer // The version of Go found in the go directive in the `go.mod` file.
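Review bot: `maxGoVersion` is bumped to 1.23 while `minGoVersion` stays at 1.11, which matches the supported-versions table change in this diff ("Go up to 1.23", "Go 1.11 or more recent"); these three values should keep being bumped together. No test exercising the new upper bound is visible here, so confirm the version-selection tests cover a `go.mod` whose `go` directive (the `goModVersion` field below) declares `go 1.23`.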

View File

@@ -1507,9 +1507,24 @@ func extractSpec(tw *trap.Writer, spec ast.Spec, parent trap.Label, idx int) {
extractNodeLocation(tw, spec, lbl)
}
// Determines whether the given type is an alias.
func isAlias(tp types.Type) bool {
_, ok := tp.(*types.Alias)
return ok
}
// If the given type is a type alias, this function resolves it to its underlying type.
func resolveTypeAlias(tp types.Type) types.Type {
if isAlias(tp) {
return types.Unalias(tp) // tp.Underlying()
}
return tp
}
// extractType extracts type information for `tp` and returns its associated label;
// types are only extracted once, so the second time `extractType` is invoked it simply returns the label
func extractType(tw *trap.Writer, tp types.Type) trap.Label {
tp = resolveTypeAlias(tp)
lbl, exists := getTypeLabel(tw, tp)
if !exists {
var kind int
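Review bot: the trailing `// tp.Underlying()` comment on the `return types.Unalias(tp)` line is misleading and should be removed: `types.Unalias` follows the alias chain only as far as the first non-alias type (a named type stays named), whereas `Underlying()` would strip named types down to their structural type, which is a different result. The `isAlias` guard in `resolveTypeAlias` is also redundant, since `types.Unalias` already returns its argument unchanged when it is not a `*types.Alias`; the function can be just `return types.Unalias(tp)` and `isAlias` dropped unless it is used elsewhere. Both `types.Alias` and `types.Unalias` need Go 1.22 or later, which the `go 1.23` directive in this diff guarantees. Finally, resolving aliases before labeling means an alias and its target share one label and the alias name is never recorded in the database; that preserves the behaviour from before `go/types` materialised alias nodes, but a comment saying so would help the next reader.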
@@ -1666,6 +1681,7 @@ func extractType(tw *trap.Writer, tp types.Type) trap.Label {
// is constructed from their globally unique ID. This prevents cyclic type keys
// since type recursion in Go always goes through named types.
func getTypeLabel(tw *trap.Writer, tp types.Type) (trap.Label, bool) {
tp = resolveTypeAlias(tp)
lbl, exists := tw.Labeler.TypeLabels[tp]
if !exists {
switch tp := tp.(type) {
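Review bot: `extractType` already resolves the alias immediately before calling `getTypeLabel`, so this second `resolveTypeAlias` is redundant on that path; it is still needed for any other caller of `getTypeLabel`, so keep it, but extend the comment above the function to state that `tw.Labeler.TypeLabels` is keyed by unaliased types, since the lookup on the next line only stays consistent with what the extractor stores as long as every caller goes through this resolution.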

View File

@@ -1,6 +1,8 @@
module github.com/github/codeql-go/extractor
go 1.22.0
go 1.23
toolchain go1.23.1
// when updating this, run
// bazel run @rules_go//go -- mod tidy
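Review bot: raising the directive to `go 1.23` also flips the default of the `gotypesalias` GODEBUG setting to 1 for this module, so `go/types` starts producing `*types.Alias` nodes; that is what makes the `types.Unalias` handling in the extractor hunk of this diff necessary, and it is worth stating here or in the commit message, because anyone lowering the directive later would silently change how aliases are labelled. The comment above says to run `bazel run @rules_go//go -- mod tidy` after updating; confirm that was done for this bump, since its output is not visible in this excerpt.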

View File

@@ -1,3 +1,7 @@
## 1.0.7
No user-facing changes.
## 1.0.6
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.0.7
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.6
lastReleaseVersion: 1.0.7

View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.7-dev
version: 1.0.8-dev
groups:
- go
- queries

View File

@@ -1,3 +1,9 @@
## 1.2.0
### Major Analysis Improvements
* Go 1.23 is now supported.
## 1.1.5
### Minor Analysis Improvements

View File

@@ -0,0 +1,5 @@
## 1.2.0
### Major Analysis Improvements
* Go 1.23 is now supported.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.1.5
lastReleaseVersion: 1.2.0

View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 1.1.6-dev
version: 1.2.1-dev
groups: go
dbscheme: go.dbscheme
extractor: go

View File

@@ -1,3 +1,7 @@
## 1.0.7
No user-facing changes.
## 1.0.6
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.0.7
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.6
lastReleaseVersion: 1.0.7

View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.0.7-dev
version: 1.0.8-dev
groups:
- go
- queries

View File

@@ -1,4 +1,4 @@
| -:0:0:0:0 | package ; expected main |
| -:0:0:0:0 | package ; expected package main |
| broken2/test1.go:4:2:4:2 | undefined: fmt |
| broken2/test1.go:5:2:5:2 | undefined: fmt |
| broken2/test1.go:5:14:5:14 | undefined: a |
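Review bot: the expected diagnostic changes from `package ; expected main` to `package ; expected package main`, and the only related change in this diff is the Go 1.23 toolchain bump, so this expectation file now depends on the wording produced by the newer parser and will fail when the tests run on an older Go; that is acceptable given the `"~1.23.1"` default in the test action, but note the dependency in the commit so it is not mistaken for an extractor regression.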

Some files were not shown because too many files have changed in this diff.