hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into redsun82/rust-mad

Browse Source
This commit is contained in:
Paolo Tranquilli
2025-06-11 16:39:10 +02:00
parent 5f474a7185 fbcd9eaf09
commit 051704e59d
1104 changed files with 33004 additions and 12030 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/validate-change-notes.yml vendored
View File

@@ -31,4 +31,4 @@ jobs:
- name: Fail if there are any errors with existing change notes
run: |
codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental

8
actions/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 0.4.11
No user-facing changes.
## 0.4.10
No user-facing changes.
## 0.4.9
No user-facing changes.

6
actions/ql/lib/change-notes/2025-06-09-bash-parsing-performance.md Normal file
View File

@@ -0,0 +1,6 @@
---
category: minorAnalysis
---
* Fixed performance issues in the parsing of Bash scripts in workflow files,
which led to out-of-disk errors when analysing certain workflow files with
complex interpolations of shell commands or quoted strings.

3
actions/ql/lib/change-notes/released/0.4.10.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.10
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.11.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.11
No user-facing changes.

2
actions/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.9
lastReleaseVersion: 0.4.11

4
actions/ql/lib/codeql/actions/Ast.qll
View File

@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
string getNormalizedExpression() { result = normalizeExpr(expression) }
}
/** A common class for `env` in workflow, job or step. */
abstract class Env extends AstNode instanceof EnvImpl {
/** An `env` in workflow, job or step. */
class Env extends AstNode instanceof EnvImpl {
/** Gets an environment variable value given its name. */
ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }

138
actions/ql/lib/codeql/actions/Bash.qll
View File

@@ -8,35 +8,64 @@ class BashShellScript extends ShellScript {
)
}
private string lineProducer(int i) {
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
/**
* Gets the line at 0-based index `lineIndex` within this shell script,
* assuming newlines as separators.
*/
private string lineProducer(int lineIndex) {
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
}
private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
exists(string line | line = this.lineProducer(k) |
exists(int i, int j |
cmdSubs =
// $() cmd substitution
line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
.regexpReplaceAll("^\\$\\(", "")
.regexpReplaceAll("\\)$", "") and
id = "cmdsubs:" + k + ":" + i + ":" + j
)
or
exists(int i, int j |
// `...` cmd substitution
cmdSubs =
line.regexpFind("\\`[^\\`]+\\`", i, j)
.regexpReplaceAll("^\\`", "")
.regexpReplaceAll("\\`$", "") and
id = "cmd:" + k + ":" + i + ":" + j
)
private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
this.commandInSubstitution(lineIndex, command, id)
or
this.commandInBackticks(lineIndex, command, id)
}
/**
* Holds if there is a command substitution `$(command)` in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this command.
*/
private predicate commandInSubstitution(int lineIndex, string command, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
command =
// Look for the command inside a $(...) command substitution
this.lineProducer(lineIndex)
.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
occurrenceOffset)
// trim starting $( - TODO do this in first regex
.regexpReplaceAll("^\\$\\(", "")
// trim ending ) - TODO do this in first regex
.regexpReplaceAll("\\)$", "") and
id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
)
}
private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
this.cmdSubstitutionReplacement(old, new, _)
/**
* Holds if `command` is a command in backticks `` `...` `` in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this command.
*/
private predicate commandInBackticks(int lineIndex, string command, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
command =
this.lineProducer(lineIndex)
.regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
// trim leading backtick - TODO do this in first regex
.regexpReplaceAll("^\\`", "")
// trim trailing backtick - TODO do this in first regex
.regexpReplaceAll("\\`$", "") and
id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
)
}
private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
// rank commands by their unique IDs
commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
// since we cannot output (command, ID) tuples from the rank operation,
// we need to work out the specific command associated with the resulting ID
this.cmdSubstitutionReplacement(command, commandId, _)
}
private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -64,31 +93,56 @@ class BashShellScript extends ShellScript {
this.cmdSubstitutionReplacement(result, _, i)
}
/**
* Holds if `quotedStr` is a string in double quotes in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this quoted string.
*/
private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
// double quoted string
quotedStr =
this.cmdSubstitutedLineProducer(lineIndex)
.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
id =
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
}
/**
* Holds if `quotedStr` is a string in single quotes in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this quoted string.
*/
private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
// single quoted string
quotedStr =
this.cmdSubstitutedLineProducer(lineIndex)
.regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
id =
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
}
private predicate quotedStringReplacement(string quotedStr, string id) {
exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
exists(int i, int j |
// double quoted string
quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
id =
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
exists(int lineIndex |
this.doubleQuotedString(lineIndex, quotedStr, id)
or
exists(int i, int j |
// single quoted string
quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
id =
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
this.singleQuotedString(lineIndex, quotedStr, id)
) and
// Only do this for strings that might otherwise disrupt subsequent parsing
quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
}
private predicate rankedQuotedStringReplacements(int i, string old, string new) {
old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
this.quotedStringReplacement(old, new)
private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
// rank quoted strings by their nearly-unique IDs
quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
// since we cannot output (string, ID) tuples from the rank operation,
// we need to work out the specific string associated with the resulting ID
this.quotedStringReplacement(quotedString, quotedStringId)
}
private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {

2
actions/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.10-dev
version: 0.4.12-dev
library: true
warnOnImplicitThis: true
dependencies:

10
actions/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,13 @@
## 0.6.3
No user-facing changes.
## 0.6.2
### Minor Analysis Improvements
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
## 0.6.1
No user-facing changes.

7
actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md → actions/ql/src/change-notes/released/0.6.2.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 0.6.2
### Minor Analysis Improvements
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.

3
actions/ql/src/change-notes/released/0.6.3.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.6.3
No user-facing changes.

2
actions/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.1
lastReleaseVersion: 0.6.3

2
actions/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.2-dev
version: 0.6.4-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]

81
actions/ql/test/query-tests/Security/CWE-094/.github/workflows/interpolation.yml vendored Normal file
View File

@@ -0,0 +1,81 @@
name: Workflow with complex interpolation
on:
workflow_dispatch:
inputs:
choice-a:
required: true
type: choice
description: choice-a
default: a1
options:
- a1
- a2
- a3
string-b:
required: false
type: string
description: string-b
string-c:
required: false
type: string
description: string-c
list-d:
required: true
type: string
default: d1 d2
description: list-d whitespace separated
list-e:
required: false
type: string
description: list-e whitespace separated
choice-f:
required: true
type: choice
description: choice-f
options:
- false
- true
env:
DRY_TEST: false
B: ${{ github.event.inputs.string-b }}
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Produce values
id: produce-values
run: |
echo "region=region" >> $GITHUB_OUTPUT
echo "zone=zone" >> $GITHUB_OUTPUT
- name: Step with complex interpolation
id: complex
env:
CHOICE_A: ${{ github.event.inputs.choice-a }}
STRING_B: ${{ github.event.inputs.string-b }}
STRING_C: ${{ github.event.inputs.string-c }}
LIST_D: ${{ github.event.inputs.list-d }}
LIST_E: ${{ github.event.inputs.list-e }}
CHOICE_F: ${{ github.event.inputs.choice-f }}
REGION: ${{ steps.produce-values.outputs.region }}
ZONE: ${{ steps.produce-values.outputs.zone }}
DRY_TEST_JSON: ${{ fromJSON(env.DRY_TEST) }}
FUNCTION_NAME: my-function
USER_EMAIL: 'example@example.com'
TYPE: type
RANGE: '0-100'
run: |
comma_separated_list_d=$(echo "${LIST_D}" | sed "s/ /\",\"/g")
comma_separated_list_e=$(echo "${LIST_E}" | sed "s/ /\",\"/g")
c1=$(echo "${STRING_C}" | cut -d "-" -f 1)
c2=$(echo "${STRING_C}" | cut -d "-" -f 2)
# Similar commands that use JSON payloads with string interpolation.
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":["'"${comma_separated_list_e}"'"],"dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
shell: bash

10
cpp/bulk_generation_targets.yml Normal file
View File

@@ -0,0 +1,10 @@
language: cpp
strategy: dca
destination: cpp/ql/lib/ext/generated
targets:
- name: openssl
with-sinks: false
with-sources: false
- name: sqlite
with-sinks: false
with-sources: false

9
cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/builtintypes.ql Normal file
View File

@@ -0,0 +1,9 @@
class BuiltinType extends @builtintype {
string toString() { none() }
}
from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
where
builtintypes(id, name, kind, size, sign, alignment) and
if kind = 62 then new_kind = 1 else new_kind = kind
select id, name, new_kind, size, sign, alignment

2492
cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2491
cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

3
cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/upgrade.properties Normal file
View File

@@ -0,0 +1,3 @@
description: Support __mfp8 type
compatibility: backwards
builtintypes.rel: run builtintypes.qlo

9
cpp/misc/bulk_generation_targets.json
View File

@@ -1,9 +0,0 @@
{
"strategy": "dca",
"language": "cpp",
"targets": [
{ "name": "openssl", "with-sources": false, "with-sinks": false },
{ "name": "sqlite", "with-sources": false, "with-sinks": false }
],
"destination": "cpp/ql/lib/ext/generated"
}

30
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,33 @@
## 5.1.0
### New Features
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
## 5.0.0
### Breaking Changes
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
### New Features
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
* Added support for `wmain` as part of the ArgvSource model.
### Bug Fixes
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
## 4.3.1
### Bug Fixes

4
cpp/ql/lib/change-notes/2025-05-15-class-aggregate-literals.md
View File

@@ -1,4 +0,0 @@
---
category: fix
---
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.

4
cpp/ql/lib/change-notes/2025-05-16-array-aggregate-literals.md
View File

@@ -1,4 +0,0 @@
---
category: fix
---
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.

4
cpp/ql/lib/change-notes/2025-05-16-wmain-support.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added support for `wmain` as part of the ArgvSource model.

9
cpp/ql/lib/change-notes/2025-05-18-2025-May-outdated-deprecations.md
View File

@@ -1,9 +0,0 @@
---
category: breaking
---
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.

6
cpp/ql/lib/change-notes/2025-05-23-windows-sources.md
View File

@@ -1,6 +0,0 @@
---
category: feature
---
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.

4
cpp/ql/lib/change-notes/2025-05-27-windows-sources-2.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.

23
cpp/ql/lib/change-notes/released/5.0.0.md Normal file
View File

@@ -0,0 +1,23 @@
## 5.0.0
### Breaking Changes
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
### New Features
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
* Added support for `wmain` as part of the ArgvSource model.
### Bug Fixes
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.

7
cpp/ql/lib/change-notes/2025-05-28-using-template.md → cpp/ql/lib/change-notes/released/5.1.0.md
View File

@@ -1,4 +1,5 @@
---
category: feature
---
## 5.1.0
### New Features
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.3.1
lastReleaseVersion: 5.1.0

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 4.3.2-dev
version: 5.1.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

3
cpp/ql/lib/semmle/code/cpp/Type.qll
View File

@@ -839,6 +839,9 @@ private predicate floatingPointTypeMapping(
or
// _Complex _Float128
kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
or
// __mfp8
kind = 62 and base = 2 and domain = TRealDomain() and realKind = 62 and extended = false
}
/**

1
cpp/ql/lib/semmlecode.cpp.dbscheme
View File

@@ -691,6 +691,7 @@ case @builtintype.kind of
| 59 = @complex_std_float64 // _Complex _Float64
| 60 = @complex_float64x // _Complex _Float64x
| 61 = @complex_std_float128 // _Complex _Float128
| 62 = @mfp8 // __mfp8
;
builtintypes(

12246
cpp/ql/lib/semmlecode.cpp.dbscheme.stats
View File

File diff suppressed because it is too large Load Diff

2491
cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2492
cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Support __mfp8 type
compatibility: full

10
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,13 @@
## 1.4.2
No user-facing changes.
## 1.4.1
### Minor Analysis Improvements
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
## 1.4.0
### Query Metadata Changes

9
cpp/ql/src/change-notes/2025-05-14-openssl-sqlite-models.md → cpp/ql/src/change-notes/released/1.4.1.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
## 1.4.1
### Minor Analysis Improvements
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.

3
cpp/ql/src/change-notes/released/1.4.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.4.2
No user-facing changes.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.0
lastReleaseVersion: 1.4.2

4
cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
View File

@@ -98,8 +98,8 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
e.(FunctionCall).getTarget() = f or
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
) and
access = f.getParameter(arg).getAnAccess() and
e.(FunctionCall).getArgument(arg) = released and
access = f.getParameter(pragma[only_bind_into](arg)).getAnAccess() and
e.(FunctionCall).getArgument(pragma[only_bind_into](arg)) = released and
exprReleases(_,
pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
)

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.4.1-dev
version: 1.4.3-dev
groups:
- cpp
- queries

2
cpp/ql/test/examples/expressions/PrintAST.expected
View File

@@ -324,7 +324,7 @@ Conversion3.cpp:
# 2| getExpr(): [CStyleCast] (int)...
# 2| Conversion = [IntegralConversion] integral conversion
# 2| Type = [IntType] int
# 2| Value = [CStyleCast] 1
# 2| Value = [CStyleCast] 5
# 2| ValueCategory = prvalue
# 2| getRightOperand().getFullyConverted(): [ParenthesisExpr] (...)
# 2| Type = [IntType] int

2
cpp/ql/test/library-tests/funcdname/funcdname.expected
View File

@@ -1,2 +1,2 @@
| Bar::(unnamed namespace)::B | Bar::<unnamed>::B |
| Foo::(unnamed namespace)::A | _ZN3Foo37_GLOBAL__N__13_funcdname_cpp_?AEv |
| Foo::(unnamed namespace)::A | _ZN35_INTERNAL_13_funcdname_cpp_?Foo37_GLOBAL__N__13_funcdname_cpp_?AEv |

6
cpp/ql/test/library-tests/funcdname/funcdname.ql
View File

@@ -2,4 +2,8 @@ import cpp
from Function f, ReturnStmt r
where r.getEnclosingFunction() = f
select f.getQualifiedName(), r.getExpr().getValue().regexpReplaceAll("_[0-9a-f]+AEv$", "_?AEv")
select f.getQualifiedName(),
r.getExpr()
.getValue()
.regexpReplaceAll("_[0-9a-f]+AEv$", "_?AEv")
.regexpReplaceAll("cpp_[0-9a-f]+Foo37_", "cpp_?Foo37_")

81
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

@@ -58,6 +58,77 @@
#-----| Type = [LongType] unsigned long
#-----| getParameter(1): [Parameter] (unnamed parameter 1)
#-----| Type = [ScopedEnum] align_val_t
arm.cpp:
# 6| [TopLevelFunction] uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
# 6| <params>:
# 6| getParameter(0): [Parameter] a
# 6| Type = [CTypedefType] uint8x8_t
# 6| getParameter(1): [Parameter] b
# 6| Type = [CTypedefType] uint8x8_t
# 6| getEntryPoint(): [BlockStmt] { ... }
# 7| getStmt(0): [ReturnStmt] return ...
# 7| getExpr(): [AddExpr] ... + ...
# 7| Type = [GNUVectorType] __attribute((neon_vector_type(8))) unsigned char
# 7| ValueCategory = prvalue
# 7| getLeftOperand(): [VariableAccess] a
# 7| Type = [CTypedefType] uint8x8_t
# 7| ValueCategory = prvalue(load)
# 7| getRightOperand(): [VariableAccess] b
# 7| Type = [CTypedefType] uint8x8_t
# 7| ValueCategory = prvalue(load)
# 12| [TopLevelFunction] uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t)
# 12| <params>:
# 12| getParameter(0): [Parameter] (unnamed parameter 0)
# 12| Type = [CTypedefType] uint8x8_t
# 12| getParameter(1): [Parameter] (unnamed parameter 1)
# 12| Type = [CTypedefType] uint8x8_t
# 14| [TopLevelFunction] uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
# 14| <params>:
# 14| getParameter(0): [Parameter] a
# 14| Type = [CTypedefType] uint8x8_t
# 14| getParameter(1): [Parameter] b
# 14| Type = [CTypedefType] uint8x8_t
# 14| getEntryPoint(): [BlockStmt] { ... }
# 15| getStmt(0): [ReturnStmt] return ...
# 15| getExpr(): [FunctionCall] call to __builtin_aarch64_uaddlv8qi_uuu
# 15| Type = [CTypedefType] uint16x8_t
# 15| ValueCategory = prvalue
# 15| getArgument(0): [VariableAccess] a
# 15| Type = [CTypedefType] uint8x8_t
# 15| ValueCategory = prvalue(load)
# 15| getArgument(1): [VariableAccess] b
# 15| Type = [CTypedefType] uint8x8_t
# 15| ValueCategory = prvalue(load)
# 18| [TopLevelFunction] uint16x8_t arm_add(uint8x8_t, uint8x8_t)
# 18| <params>:
# 18| getParameter(0): [Parameter] a
# 18| Type = [CTypedefType] uint8x8_t
# 18| getParameter(1): [Parameter] b
# 18| Type = [CTypedefType] uint8x8_t
# 18| getEntryPoint(): [BlockStmt] { ... }
# 19| getStmt(0): [DeclStmt] declaration
# 19| getDeclarationEntry(0): [VariableDeclarationEntry] definition of c
# 19| Type = [CTypedefType] uint8x8_t
# 19| getVariable().getInitializer(): [Initializer] initializer for c
# 19| getExpr(): [FunctionCall] call to vadd_u8
# 19| Type = [CTypedefType] uint8x8_t
# 19| ValueCategory = prvalue
# 19| getArgument(0): [VariableAccess] a
# 19| Type = [CTypedefType] uint8x8_t
# 19| ValueCategory = prvalue(load)
# 19| getArgument(1): [VariableAccess] b
# 19| Type = [CTypedefType] uint8x8_t
# 19| ValueCategory = prvalue(load)
# 20| getStmt(1): [ReturnStmt] return ...
# 20| getExpr(): [FunctionCall] call to vaddl_u8
# 20| Type = [CTypedefType] uint16x8_t
# 20| ValueCategory = prvalue
# 20| getArgument(0): [VariableAccess] a
# 20| Type = [CTypedefType] uint8x8_t
# 20| ValueCategory = prvalue(load)
# 20| getArgument(1): [VariableAccess] c
# 20| Type = [CTypedefType] uint8x8_t
# 20| ValueCategory = prvalue(load)
bad_asts.cpp:
# 5| [CopyAssignmentOperator] Bad::S& Bad::S::operator=(Bad::S const&)
# 5| <params>:
@@ -23814,11 +23885,11 @@ ir.cpp:
# 2692| Conversion = [IntegralConversion] integral conversion
# 2692| Type = [LongType] unsigned long
# 2692| ValueCategory = prvalue
#-----| getExpr().getFullyConverted(): [CStyleCast] (int)...
#-----| Conversion = [IntegralConversion] integral conversion
#-----| Type = [IntType] int
#-----| Value = [CStyleCast] 1
#-----| ValueCategory = prvalue
# 2692| getExpr().getFullyConverted(): [CStyleCast] (int)...
# 2692| Conversion = [IntegralConversion] integral conversion
# 2692| Type = [IntType] int
# 2692| Value = [CStyleCast] 1
# 2692| ValueCategory = prvalue
# 2693| getStmt(1): [ReturnStmt] return ...
# 2693| getExpr(): [VariableAccess] y
# 2693| Type = [IntType] int

89
cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
View File

@@ -1,3 +1,86 @@
arm.cpp:
# 6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
# 6| Block 0
# 6| v6_1(void) = EnterFunction :
# 6| m6_2(unknown) = AliasedDefinition :
# 6| m6_3(unknown) = InitializeNonLocal :
# 6| m6_4(unknown) = Chi : total:m6_2, partial:m6_3
# 6| r6_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 6| m6_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r6_5
# 6| r6_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 6| m6_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r6_7
# 7| r7_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
# 7| r7_2(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 7| r7_3(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r7_2, m6_6
# 7| r7_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 7| r7_5(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r7_4, m6_8
# 7| r7_6(__attribute((neon_vector_type(8))) unsigned char) = Add : r7_3, r7_5
# 7| m7_7(__attribute((neon_vector_type(8))) unsigned char) = Store[#return] : &:r7_1, r7_6
# 6| r6_9(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
# 6| v6_10(void) = ReturnValue : &:r6_9, m7_7
# 6| v6_11(void) = AliasedUse : m6_3
# 6| v6_12(void) = ExitFunction :
# 14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
# 14| Block 0
# 14| v14_1(void) = EnterFunction :
# 14| m14_2(unknown) = AliasedDefinition :
# 14| m14_3(unknown) = InitializeNonLocal :
# 14| m14_4(unknown) = Chi : total:m14_2, partial:m14_3
# 14| r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 14| m14_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r14_5
# 14| r14_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 14| m14_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r14_7
# 15| r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 15| r15_2(glval<unknown>) = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] :
# 15| r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 15| r15_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r15_3, m14_6
# 15| r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 15| r15_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r15_5, m14_8
# 15| r15_7(__attribute((neon_vector_type(8))) unsigned short) = Call[__builtin_aarch64_uaddlv8qi_uuu] : func:r15_2, 0:r15_4, 1:r15_6
# 15| m15_8(unknown) = ^CallSideEffect : ~m14_4
# 15| m15_9(unknown) = Chi : total:m14_4, partial:m15_8
# 15| m15_10(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r15_1, r15_7
# 14| r14_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 14| v14_10(void) = ReturnValue : &:r14_9, m15_10
# 14| v14_11(void) = AliasedUse : ~m15_9
# 14| v14_12(void) = ExitFunction :
# 18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
# 18| Block 0
# 18| v18_1(void) = EnterFunction :
# 18| m18_2(unknown) = AliasedDefinition :
# 18| m18_3(unknown) = InitializeNonLocal :
# 18| m18_4(unknown) = Chi : total:m18_2, partial:m18_3
# 18| r18_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 18| m18_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r18_5
# 18| r18_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 18| m18_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r18_7
# 19| r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
# 19| r19_2(glval<unknown>) = FunctionAddress[vadd_u8] :
# 19| r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 19| r19_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r19_3, m18_6
# 19| r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 19| r19_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r19_5, m18_8
# 19| r19_7(__attribute((neon_vector_type(8))) unsigned char) = Call[vadd_u8] : func:r19_2, 0:r19_4, 1:r19_6
# 19| m19_8(unknown) = ^CallSideEffect : ~m18_4
# 19| m19_9(unknown) = Chi : total:m18_4, partial:m19_8
# 19| m19_10(__attribute((neon_vector_type(8))) unsigned char) = Store[c] : &:r19_1, r19_7
# 20| r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 20| r20_2(glval<unknown>) = FunctionAddress[vaddl_u8] :
# 20| r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 20| r20_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r20_3, m18_6
# 20| r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
# 20| r20_6(__attribute((neon_vector_type(8))) unsigned char) = Load[c] : &:r20_5, m19_10
# 20| r20_7(__attribute((neon_vector_type(8))) unsigned short) = Call[vaddl_u8] : func:r20_2, 0:r20_4, 1:r20_6
# 20| m20_8(unknown) = ^CallSideEffect : ~m19_9
# 20| m20_9(unknown) = Chi : total:m19_9, partial:m20_8
# 20| m20_10(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r20_1, r20_7
# 18| r18_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 18| v18_10(void) = ReturnValue : &:r18_9, m20_10
# 18| v18_11(void) = AliasedUse : ~m20_9
# 18| v18_12(void) = ExitFunction :
bad_asts.cpp:
# 9| int Bad::S::MemberFunction<int 6>(int)
# 9| Block 0
@@ -19457,11 +19540,11 @@ ir.cpp:
# 2691| m2691_3(unknown) = InitializeNonLocal :
# 2691| m2691_4(unknown) = Chi : total:m2691_2, partial:m2691_3
# 2692| r2692_1(glval<int>) = VariableAddress[y] :
#-----| r0_1(int) = Constant[1] :
#-----| m0_2(int) = Store[y] : &:r2692_1, r0_1
# 2692| r2692_2(int) = Constant[1] :
# 2692| m2692_3(int) = Store[y] : &:r2692_1, r2692_2
# 2693| r2693_1(glval<int>) = VariableAddress[#return] :
# 2693| r2693_2(glval<int>) = VariableAddress[y] :
# 2693| r2693_3(int) = Load[y] : &:r2693_2, m0_2
# 2693| r2693_3(int) = Load[y] : &:r2693_2, m2692_3
# 2693| m2693_4(int) = Store[#return] : &:r2693_1, r2693_3
# 2691| r2691_5(glval<int>) = VariableAddress[#return] :
# 2691| v2691_6(void) = ReturnValue : &:r2691_5, m2693_4

21
cpp/ql/test/library-tests/ir/ir/arm.cpp Normal file
View File

@@ -0,0 +1,21 @@
// semmle-extractor-options: --edg --target --edg linux_arm64
typedef __Uint8x8_t uint8x8_t;
typedef __Uint16x8_t uint16x8_t;
uint8x8_t vadd_u8(uint8x8_t a, uint8x8_t b) {
return a + b;
}
// Workaround: the frontend only exposes this when the arm_neon.h
// header is encountered.
uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t);
uint16x8_t vaddl_u8(uint8x8_t a, uint8x8_t b) {
return __builtin_aarch64_uaddlv8qi_uuu (a, b);
}
uint16x8_t arm_add(uint8x8_t a, uint8x8_t b) {
uint8x8_t c = vadd_u8(a, b);
return vaddl_u8(a, c);
}

81
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

@@ -1,3 +1,80 @@
arm.cpp:
# 6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
# 6| Block 0
# 6| v6_1(void) = EnterFunction :
# 6| mu6_2(unknown) = AliasedDefinition :
# 6| mu6_3(unknown) = InitializeNonLocal :
# 6| r6_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 6| mu6_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r6_4
# 6| r6_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 6| mu6_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r6_6
# 7| r7_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
# 7| r7_2(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 7| r7_3(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r7_2, ~m?
# 7| r7_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 7| r7_5(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r7_4, ~m?
# 7| r7_6(__attribute((neon_vector_type(8))) unsigned char) = Add : r7_3, r7_5
# 7| mu7_7(__attribute((neon_vector_type(8))) unsigned char) = Store[#return] : &:r7_1, r7_6
# 6| r6_8(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
# 6| v6_9(void) = ReturnValue : &:r6_8, ~m?
# 6| v6_10(void) = AliasedUse : ~m?
# 6| v6_11(void) = ExitFunction :
# 14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
# 14| Block 0
# 14| v14_1(void) = EnterFunction :
# 14| mu14_2(unknown) = AliasedDefinition :
# 14| mu14_3(unknown) = InitializeNonLocal :
# 14| r14_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 14| mu14_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r14_4
# 14| r14_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 14| mu14_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r14_6
# 15| r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 15| r15_2(glval<unknown>) = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] :
# 15| r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 15| r15_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r15_3, ~m?
# 15| r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 15| r15_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r15_5, ~m?
# 15| r15_7(__attribute((neon_vector_type(8))) unsigned short) = Call[__builtin_aarch64_uaddlv8qi_uuu] : func:r15_2, 0:r15_4, 1:r15_6
# 15| mu15_8(unknown) = ^CallSideEffect : ~m?
# 15| mu15_9(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r15_1, r15_7
# 14| r14_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 14| v14_9(void) = ReturnValue : &:r14_8, ~m?
# 14| v14_10(void) = AliasedUse : ~m?
# 14| v14_11(void) = ExitFunction :
# 18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
# 18| Block 0
# 18| v18_1(void) = EnterFunction :
# 18| mu18_2(unknown) = AliasedDefinition :
# 18| mu18_3(unknown) = InitializeNonLocal :
# 18| r18_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 18| mu18_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r18_4
# 18| r18_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 18| mu18_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r18_6
# 19| r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
# 19| r19_2(glval<unknown>) = FunctionAddress[vadd_u8] :
# 19| r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 19| r19_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r19_3, ~m?
# 19| r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 19| r19_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r19_5, ~m?
# 19| r19_7(__attribute((neon_vector_type(8))) unsigned char) = Call[vadd_u8] : func:r19_2, 0:r19_4, 1:r19_6
# 19| mu19_8(unknown) = ^CallSideEffect : ~m?
# 19| mu19_9(__attribute((neon_vector_type(8))) unsigned char) = Store[c] : &:r19_1, r19_7
# 20| r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 20| r20_2(glval<unknown>) = FunctionAddress[vaddl_u8] :
# 20| r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 20| r20_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r20_3, ~m?
# 20| r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
# 20| r20_6(__attribute((neon_vector_type(8))) unsigned char) = Load[c] : &:r20_5, ~m?
# 20| r20_7(__attribute((neon_vector_type(8))) unsigned short) = Call[vaddl_u8] : func:r20_2, 0:r20_4, 1:r20_6
# 20| mu20_8(unknown) = ^CallSideEffect : ~m?
# 20| mu20_9(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r20_1, r20_7
# 18| r18_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 18| v18_9(void) = ReturnValue : &:r18_8, ~m?
# 18| v18_10(void) = AliasedUse : ~m?
# 18| v18_11(void) = ExitFunction :
bad_asts.cpp:
# 9| int Bad::S::MemberFunction<int 6>(int)
# 9| Block 0
@@ -17775,8 +17852,8 @@ ir.cpp:
# 2691| mu2691_2(unknown) = AliasedDefinition :
# 2691| mu2691_3(unknown) = InitializeNonLocal :
# 2692| r2692_1(glval<int>) = VariableAddress[y] :
#-----| r0_1(int) = Constant[1] :
#-----| mu0_2(int) = Store[y] : &:r2692_1, r0_1
# 2692| r2692_2(int) = Constant[1] :
# 2692| mu2692_3(int) = Store[y] : &:r2692_1, r2692_2
# 2693| r2693_1(glval<int>) = VariableAddress[#return] :
# 2693| r2693_2(glval<int>) = VariableAddress[y] :
# 2693| r2693_3(int) = Load[y] : &:r2693_2, ~m?

4
cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
View File

@@ -1011,10 +1011,10 @@ void test_overflow() {
range(x); // $ range===2147483647
const int y = 256;
range(y); // $ range===256
if ((x + y) <= 512) {
if ((x + y) <= 512) { // $ overflow=+
range(x); // $ range===2147483647
range(y); // $ range===256
range(x + y); // $ range===-2147483393
range(x + y); // $ range=<=2147483903 overflow=+
}
}

6
cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
View File

@@ -1,4 +1,10 @@
uniqueEnclosingCallable
| builtin.c:14:3:14:16 | ... * ... | Node should have one enclosing callable but has 0. |
| builtin.c:14:3:14:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
| builtin.c:14:10:14:10 | 4 | Node should have one enclosing callable but has 0. |
| builtin.c:15:3:15:16 | ... * ... | Node should have one enclosing callable but has 0. |
| builtin.c:15:3:15:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
| builtin.c:15:10:15:10 | 4 | Node should have one enclosing callable but has 0. |
| enum.c:2:6:2:6 | 1 | Node should have one enclosing callable but has 0. |
| enum.c:2:6:2:10 | ... + ... | Node should have one enclosing callable but has 0. |
| enum.c:2:10:2:10 | 1 | Node should have one enclosing callable but has 0. |

8
cpp/ql/test/library-tests/templates/nontype_instantiations/general/test.expected
View File

@@ -1,13 +1,13 @@
| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:5:25:5:25 | 1 | 1 |
| test.cpp:3:8:3:8 | C<2> | 0 | int | file://:0:0:0:0 | 2 | 2 |
| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:6:3:6:6 | one1 | 1 |
| test.cpp:3:8:3:8 | C<2> | 0 | int | test.cpp:7:3:7:13 | ... + ... | 2 |
| test.cpp:3:8:3:8 | C<x> | 0 | int | file://:0:0:0:0 | x | x |
| test.cpp:10:8:10:8 | D<T, X> | 0 | <none> | test.cpp:9:19:9:19 | T | <none> |
| test.cpp:10:8:10:8 | D<T, X> | 1 | T | file://:0:0:0:0 | X | X |
| test.cpp:10:8:10:8 | D<int, 2> | 0 | <none> | file://:0:0:0:0 | int | <none> |
| test.cpp:10:8:10:8 | D<int, 2> | 1 | int | test.cpp:12:8:12:8 | 2 | 2 |
| test.cpp:10:8:10:8 | D<long, 2L> | 0 | <none> | file://:0:0:0:0 | long | <none> |
| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | file://:0:0:0:0 | 2 | 2 |
| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | test.cpp:13:9:13:9 | 2 | 2 |
| test.cpp:16:8:16:8 | E<T, X> | 0 | <none> | test.cpp:15:19:15:19 | T | <none> |
| test.cpp:16:8:16:8 | E<T, X> | 1 | T * | file://:0:0:0:0 | X | X |
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 0 | <none> | file://:0:0:0:0 | int | <none> |
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | file://:0:0:0:0 | 0 | 0 |
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | test.cpp:18:8:18:14 | 0 | 0 |

1
cpp/ql/test/library-tests/templates/type_instantiations/types.expected
View File

@@ -25,6 +25,7 @@
| file://:0:0:0:0 | __float128 |
| file://:0:0:0:0 | __fp16 |
| file://:0:0:0:0 | __int128 |
| file://:0:0:0:0 | __mfp8 |
| file://:0:0:0:0 | __va_list_tag |
| file://:0:0:0:0 | __va_list_tag & |
| file://:0:0:0:0 | __va_list_tag && |

1
cpp/ql/test/library-tests/type_sizes/type_sizes.expected
View File

@@ -46,6 +46,7 @@
| file://:0:0:0:0 | __float128 | 16 |
| file://:0:0:0:0 | __fp16 | 2 |
| file://:0:0:0:0 | __int128 | 16 |
| file://:0:0:0:0 | __mfp8 | 1 |
| file://:0:0:0:0 | __va_list_tag | 24 |
| file://:0:0:0:0 | __va_list_tag & | 8 |
| file://:0:0:0:0 | __va_list_tag && | 8 |

1
cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
View File

@@ -27,6 +27,7 @@
| file://:0:0:0:0 | __float128 | __float128 |
| file://:0:0:0:0 | __fp16 | __fp16 |
| file://:0:0:0:0 | __int128 | __int128 |
| file://:0:0:0:0 | __mfp8 | __mfp8 |
| file://:0:0:0:0 | __va_list_tag & | __va_list_tag & |
| file://:0:0:0:0 | __va_list_tag && | __va_list_tag && |
| file://:0:0:0:0 | auto | auto |

1
cpp/ql/test/library-tests/variables/variables/types.expected
View File

@@ -26,6 +26,7 @@
| __float128 | Float128Type | | | | |
| __fp16 | BinaryFloatingPointType, RealNumberType | | | | |
| __int128 | Int128Type | | | | |
| __mfp8 | BinaryFloatingPointType, RealNumberType | | | | |
| __va_list_tag | DirectAccessHolder, MetricClass, Struct, StructLikeClass | | | | |
| __va_list_tag & | LValueReferenceType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | __va_list_tag | | |
| __va_list_tag && | PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, RValueReferenceType | | __va_list_tag | | |

8
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 1.7.42
No user-facing changes.
## 1.7.41
No user-facing changes.
## 1.7.40
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.41.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.41
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.42.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.42
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.40
lastReleaseVersion: 1.7.42

2
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.41-dev
version: 1.7.43-dev
groups:
- csharp
- solorigate

8
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 1.7.42
No user-facing changes.
## 1.7.41
No user-facing changes.
## 1.7.40
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.41.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.41
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.42.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.42
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.40
lastReleaseVersion: 1.7.42

2
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.41-dev
version: 1.7.43-dev
groups:
- csharp
- solorigate

1
csharp/ql/integration-tests/posix/query-suite/csharp-code-quality.qls.expected
View File

@@ -11,6 +11,7 @@ ql/csharp/ql/src/Likely Bugs/EqualityCheckOnFloats.ql
ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
ql/csharp/ql/src/Performance/StringConcatenationInLoop.ql
ql/csharp/ql/src/Performance/UseTryGetValue.ql
ql/csharp/ql/src/Useless code/DefaultToString.ql
ql/csharp/ql/src/Useless code/IntGetHashCode.ql

10
csharp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,13 @@
## 5.1.8
No user-facing changes.
## 5.1.7
### Minor Analysis Improvements
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
## 5.1.6
No user-facing changes.

7
csharp/ql/lib/change-notes/2025-05-14-dotnet-models.md → csharp/ql/lib/change-notes/released/5.1.7.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 5.1.7
### Minor Analysis Improvements
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).

3
csharp/ql/lib/change-notes/released/5.1.8.md Normal file
View File

@@ -0,0 +1,3 @@
## 5.1.8
No user-facing changes.

2
csharp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.1.6
lastReleaseVersion: 5.1.8

2
csharp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 5.1.7-dev
version: 5.1.9-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

13
csharp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,16 @@
## 1.2.2
No user-facing changes.
## 1.2.1
### Minor Analysis Improvements
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
## 1.2.0
### Query Metadata Changes

1
csharp/ql/src/Performance/StringConcatenationInLoop.ql
View File

@@ -7,6 +7,7 @@
* @id cs/string-concatenation-in-loop
* @tags efficiency
* maintainability
* quality
*/
import csharp

4
csharp/ql/src/change-notes/2025-04-10-uncontrolled-format-string.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.

4
csharp/ql/src/change-notes/2025-05-15-gethashcode-is-not-defined.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.

4
csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.

4
csharp/ql/src/change-notes/2025-05-22-missed-readonly-modifier.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.

8
csharp/ql/src/change-notes/released/1.2.1.md Normal file
View File

@@ -0,0 +1,8 @@
## 1.2.1
### Minor Analysis Improvements
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.

3
csharp/ql/src/change-notes/released/1.2.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.2.2
No user-facing changes.

2
csharp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.0
lastReleaseVersion: 1.2.2

143
csharp/ql/src/codeql-suites/csharp-security-and-quality.qls
View File

@@ -1,4 +1,143 @@
- description: Security-and-quality queries for C#
- queries: .
- apply: security-and-quality-selectors.yml
from: codeql/suite-helpers
- include:
kind:
- problem
- path-problem
precision:
- high
- very-high
tags contain:
- security
- include:
kind:
- problem
- path-problem
precision: medium
problem.severity:
- error
- warning
tags contain:
- security
- include:
id:
- cs/asp/response-write
- cs/call-to-gc
- cs/call-to-object-tostring
- cs/call-to-obsolete-method
- cs/call-to-unmanaged-code
- cs/cast-from-abstract-to-concrete-collection
- cs/cast-of-this-to-type-parameter
- cs/catch-nullreferenceexception
- cs/catch-of-all-exceptions
- cs/chained-type-tests
- cs/class-implements-icloneable
- cs/class-missing-equals
- cs/class-name-comparison
- cs/class-name-matches-base-class
- cs/coalesce-of-identical-expressions
- cs/comparison-of-identical-expressions
- cs/complex-block
- cs/complex-condition
- cs/constant-comparison
- cs/constant-condition
- cs/coupled-types
- cs/dereferenced-value-is-always-null
- cs/dereferenced-value-may-be-null
- cs/dispose-not-called-on-throw
- cs/downcast-of-this
- cs/empty-block
- cs/empty-catch-block
- cs/empty-collection
- cs/empty-lock-statement
- cs/equality-on-floats
- cs/equals-on-arrays
- cs/equals-on-unrelated-types
- cs/equals-uses-as
- cs/equals-uses-is
- cs/expose-implementation
- cs/field-masks-base-field
- cs/gethashcode-is-not-defined
- cs/impossible-array-cast
- cs/inconsistent-compareto-and-equals
- cs/inconsistent-equals-and-gethashcode
- cs/inconsistent-lock-sequence
- cs/index-out-of-bounds
- cs/inefficient-containskey
- cs/invalid-dynamic-call
- cs/invalid-string-formatting
- cs/linq/inconsistent-enumeration
- cs/linq/missed-all
- cs/linq/missed-cast
- cs/linq/missed-oftype
- cs/linq/missed-select
- cs/linq/missed-where
- cs/linq/useless-select
- cs/local-not-disposed
- cs/local-shadows-member
- cs/lock-this
- cs/locked-wait
- cs/loss-of-precision
- cs/mishandling-japanese-era
- cs/misleading-indentation
- cs/missed-readonly-modifier
- cs/missed-ternary-operator
- cs/missed-using-statement
- cs/nested-if-statements
- cs/nested-loops-with-same-variable
- cs/non-short-circuit
- cs/null-argument-to-equals
- cs/path-combine
- cs/recursive-equals-call
- cs/recursive-operator-equals-call
- cs/reference-equality-on-valuetypes
- cs/reference-equality-with-object
- cs/rethrown-exception-variable
- cs/self-assignment
- cs/simplifiable-boolean-expression
- cs/static-field-written-by-instance
- cs/string-concatenation-in-loop
- cs/stringbuilder-creation-in-loop
- cs/stringbuilder-initialized-with-character
- cs/test-for-negative-container-size
- cs/too-many-ref-parameters
- cs/type-test-of-this
- cs/unchecked-cast-in-equals
- cs/unmanaged-code
- cs/unsafe-double-checked-lock
- cs/unsafe-sync-on-field
- cs/unsafe-year-construction
- cs/unsynchronized-getter
- cs/unsynchronized-static-access
- cs/unused-collection
- cs/unused-label
- cs/unused-property-value
- cs/useless-assignment-to-local
- cs/useless-cast-to-self
- cs/useless-gethashcode-call
- cs/useless-if-statement
- cs/useless-tostring-call
- cs/useless-type-test
- cs/useless-upcast
- cs/virtual-call-in-constructor
- cs/wrong-compareto-signature
- cs/wrong-equals-signature
- cs/xmldoc/missing-summary
- include:
kind:
- diagnostic
- include:
kind:
- metric
tags contain:
- summary
- exclude:
deprecated: //
- exclude:
query path:
- /^experimental\/.*/
- Metrics/Summaries/FrameworkCoverage.ql
- exclude:
tags contain:
- modeleditor
- modelgenerator

2
csharp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.2.1-dev
version: 1.2.3-dev
groups:
- csharp
- queries

4
docs/codeql/reusables/supported-versions-compilers.rst
View File

@@ -4,9 +4,9 @@
:stub-columns: 1
Language,Variants,Compilers,Extensions
C/C++,"C89, C99, C11, C17, C23, C++98, C++03, C++11, C++14, C++17, C++20, C++23 [1]_ [2]_ [3]_","Clang (including clang-cl [4]_ and armclang) extensions (up to Clang 17.0),
C/C++,"C89, C99, C11, C17, C23, C++98, C++03, C++11, C++14, C++17, C++20, C++23 [1]_ [2]_ [3]_","Clang (including clang-cl [4]_ and armclang) extensions (up to Clang 19.1.0),
GNU extensions (up to GCC 13.2),
GNU extensions (up to GCC 15.0),
Microsoft extensions (up to VS 2022),

1
go/documentation/library-coverage/coverage.csv
View File

@@ -5,6 +5,7 @@ archive/zip,,,6,,,,,,,,,,,,,,,,,,,,,,,6,
bufio,,,17,,,,,,,,,,,,,,,,,,,,,,,17,
bytes,,,43,,,,,,,,,,,,,,,,,,,,,,,43,
clevergo.tech/clevergo,1,,,,,,,,,,,,,,,,,1,,,,,,,,,
cloud.google.com/go/bigquery,1,,,,,,,,,,,,,,1,,,,,,,,,,,,
compress/bzip2,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
compress/flate,,,4,,,,,,,,,,,,,,,,,,,,,,,4,
compress/gzip,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
1 package sink source summary sink:command-injection sink:credentials-key sink:jwt sink:log-injection sink:nosql-injection sink:path-injection sink:regex-use[0] sink:regex-use[1] sink:regex-use[c] sink:request-forgery sink:request-forgery[TCP Addr + Port] sink:sql-injection sink:url-redirection sink:url-redirection[0] sink:url-redirection[receiver] sink:xpath-injection source:commandargs source:database source:environment source:file source:remote source:stdin summary:taint summary:value
5 bufio 17 17
6 bytes 43 43
7 clevergo.tech/clevergo 1 1
8 cloud.google.com/go/bigquery 1 1
9 compress/bzip2 1 1
10 compress/flate 4 4
11 compress/gzip 3 3

6
go/documentation/library-coverage/coverage.rst
View File

@@ -37,6 +37,7 @@ Go framework & library support
`XPath <https://github.com/antchfx/xpath>`_,``github.com/antchfx/xpath*``,,,4
`appleboy/gin-jwt <https://github.com/appleboy/gin-jwt>`_,``github.com/appleboy/gin-jwt*``,,,1
`beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",102,63,213
`bigquery <https://pkg.go.dev/cloud.google.com/go/bigquery>`_,``cloud.google.com/go/bigquery*``,,,1
`chi <https://go-chi.io/>`_,``github.com/go-chi/chi*``,3,,
`cristalhq/jwt <https://github.com/cristalhq/jwt>`_,``github.com/cristalhq/jwt*``,,,1
`env <https://github.com/caarlos0/env>`_,``github.com/caarlos0/env*``,5,2,
@@ -53,7 +54,7 @@ Go framework & library support
`goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,2
`gorilla/mux <https://github.com/gorilla/mux>`_,``github.com/gorilla/mux*``,1,,
`gorilla/websocket <https://github.com/gorilla/websocket>`_,``github.com/gorilla/websocket*``,3,,
`gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``",16,4,48
`gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``, ``github.com/kanikanema/gorqlite*``",24,6,72
`goxpath <https://github.com/ChrisTrenkamp/goxpath/wiki>`_,``github.com/ChrisTrenkamp/goxpath*``,,,3
`htmlquery <https://github.com/antchfx/htmlquery>`_,``github.com/antchfx/htmlquery*``,,,4
`json-iterator <https://github.com/json-iterator/go>`_,``github.com/json-iterator/go*``,,4,
@@ -73,6 +74,5 @@ Go framework & library support
`xpathparser <https://github.com/santhosh-tekuri/xpathparser>`_,``github.com/santhosh-tekuri/xpathparser*``,,,2
`yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
`zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
Others,``github.com/kanikanema/gorqlite``,8,2,24
Totals,,688,1069,1556
Totals,,688,1069,1557

3
go/documentation/library-coverage/frameworks.csv
View File

@@ -3,6 +3,7 @@ Standard library,https://pkg.go.dev/std, archive/* bufio bytes cmp compress/* co
appleboy/gin-jwt,https://github.com/appleboy/gin-jwt,github.com/appleboy/gin-jwt*
Afero,https://github.com/spf13/afero,github.com/spf13/afero*
beego,https://beego.me/,github.com/astaxie/beego* github.com/beego/beego*
bigquery,https://pkg.go.dev/cloud.google.com/go/bigquery,cloud.google.com/go/bigquery*
Bun,https://bun.uptrace.dev/,github.com/uptrace/bun*
CleverGo,https://github.com/clevergo/clevergo,clevergo.tech/clevergo* github.com/clevergo/clevergo*
Couchbase official client(gocb),https://github.com/couchbase/gocb,github.com/couchbase/gocb* gopkg.in/couchbase/gocb*
@@ -35,7 +36,7 @@ golang.org/x/net,https://pkg.go.dev/golang.org/x/net,golang.org/x/net*
goproxy,https://github.com/elazarl/goproxy,github.com/elazarl/goproxy*
gorilla/mux,https://github.com/gorilla/mux,github.com/gorilla/mux*
gorilla/websocket,https://github.com/gorilla/websocket,github.com/gorilla/websocket*
gorqlite,https://github.com/rqlite/gorqlite,github.com/raindog308/gorqlite* github.com/rqlite/gorqlite*
gorqlite,https://github.com/rqlite/gorqlite,github.com/raindog308/gorqlite* github.com/rqlite/gorqlite* github.com/kanikanema/gorqlite*
goxpath,https://github.com/ChrisTrenkamp/goxpath/wiki,github.com/ChrisTrenkamp/goxpath*
htmlquery,https://github.com/antchfx/htmlquery,github.com/antchfx/htmlquery*
Iris,https://www.iris-go.com/,github.com/kataras/iris*
1 Framework name URL Package prefixes
3 appleboy/gin-jwt https://github.com/appleboy/gin-jwt github.com/appleboy/gin-jwt*
4 Afero https://github.com/spf13/afero github.com/spf13/afero*
5 beego https://beego.me/ github.com/astaxie/beego* github.com/beego/beego*
6 bigquery https://pkg.go.dev/cloud.google.com/go/bigquery cloud.google.com/go/bigquery*
7 Bun https://bun.uptrace.dev/ github.com/uptrace/bun*
8 CleverGo https://github.com/clevergo/clevergo clevergo.tech/clevergo* github.com/clevergo/clevergo*
9 Couchbase official client(gocb) https://github.com/couchbase/gocb github.com/couchbase/gocb* gopkg.in/couchbase/gocb*
36 goproxy https://github.com/elazarl/goproxy github.com/elazarl/goproxy*
37 gorilla/mux https://github.com/gorilla/mux github.com/gorilla/mux*
38 gorilla/websocket https://github.com/gorilla/websocket github.com/gorilla/websocket*
39 gorqlite https://github.com/rqlite/gorqlite github.com/raindog308/gorqlite* github.com/rqlite/gorqlite* github.com/raindog308/gorqlite* github.com/rqlite/gorqlite* github.com/kanikanema/gorqlite*
40 goxpath https://github.com/ChrisTrenkamp/goxpath/wiki github.com/ChrisTrenkamp/goxpath*
41 htmlquery https://github.com/antchfx/htmlquery github.com/antchfx/htmlquery*
42 Iris https://www.iris-go.com/ github.com/kataras/iris*

6
go/extractor/go.mod
View File

@@ -9,8 +9,8 @@ toolchain go1.24.0
// when adding or removing dependencies, run
// bazel mod tidy
require (
golang.org/x/mod v0.24.0
golang.org/x/tools v0.33.0
golang.org/x/mod v0.25.0
golang.org/x/tools v0.34.0
)
require golang.org/x/sync v0.14.0 // indirect
require golang.org/x/sync v0.15.0 // indirect

12
go/extractor/go.sum
View File

@@ -1,8 +1,8 @@
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=

8
go/ql/consistency-queries/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 1.0.25
No user-facing changes.
## 1.0.24
No user-facing changes.
## 1.0.23
No user-facing changes.

3
go/ql/consistency-queries/change-notes/released/1.0.24.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.0.24
No user-facing changes.

3
go/ql/consistency-queries/change-notes/released/1.0.25.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.0.25
No user-facing changes.

2
go/ql/consistency-queries/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.23
lastReleaseVersion: 1.0.25

2
go/ql/consistency-queries/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.24-dev
version: 1.0.26-dev
groups:
- go
- queries

1
go/ql/integration-tests/query-suite/go-code-scanning.qls.expected
View File

@@ -8,6 +8,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
ql/go/ql/src/Security/CWE-022/ZipSlip.ql
ql/go/ql/src/Security/CWE-078/CommandInjection.ql
ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
ql/go/ql/src/Security/CWE-089/StringBreak.ql

1
go/ql/integration-tests/query-suite/go-security-and-quality.qls.expected
View File

@@ -30,6 +30,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
ql/go/ql/src/Security/CWE-022/ZipSlip.ql
ql/go/ql/src/Security/CWE-078/CommandInjection.ql
ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
ql/go/ql/src/Security/CWE-089/StringBreak.ql

1
go/ql/integration-tests/query-suite/go-security-extended.qls.expected
View File

@@ -8,6 +8,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
ql/go/ql/src/Security/CWE-022/ZipSlip.ql
ql/go/ql/src/Security/CWE-078/CommandInjection.ql
ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
ql/go/ql/src/Security/CWE-089/StringBreak.ql

1
go/ql/integration-tests/query-suite/not_included_in_qls.expected
View File

@@ -21,7 +21,6 @@ ql/go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
ql/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
ql/go/ql/src/experimental/CWE-74/DsnInjection.ql
ql/go/ql/src/experimental/CWE-74/DsnInjectionLocal.ql
ql/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
ql/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
ql/go/ql/src/experimental/CWE-918/SSRF.ql

Some files were not shown because too many files have changed in this diff Show More