hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into copilot/add-secure-cookie-test-cases

Browse Source
This commit is contained in:
Geoffrey White
2025-11-05 17:53:02 +00:00
committed by GitHub
parent e78018769b 5eac0f7953
commit 1e7acc5e1a
327 changed files with 1599 additions and 1051 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
actions/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.4.20
No user-facing changes.
## 0.4.19
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.20.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.20
No user-facing changes.

2
actions/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.19
lastReleaseVersion: 0.4.20

2
actions/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.20-dev
version: 0.4.21-dev
library: true
warnOnImplicitThis: true
dependencies:

4
actions/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.6.12
No user-facing changes.
## 0.6.11
No user-facing changes.

3
actions/ql/src/change-notes/released/0.6.12.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.6.12
No user-facing changes.

2
actions/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.11
lastReleaseVersion: 0.6.12

2
actions/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.12-dev
version: 0.6.13-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]

6
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 6.0.1
### Bug Fixes
* Improve performance of the range analysis in cases where it would otherwise take an exorbitant amount of time.
## 6.0.0
### Breaking Changes

4
cpp/ql/lib/change-notes/2025-10-16-range-analysis-performance.md
View File

@@ -1,4 +0,0 @@
---
category: fix
---
* Improve performance of the range analysis in cases where it would otherwise take an exorbitant amount of time.

5
cpp/ql/lib/change-notes/released/6.0.1.md Normal file
View File

@@ -0,0 +1,5 @@
## 6.0.1
### Bug Fixes
* Improve performance of the range analysis in cases where it would otherwise take an exorbitant amount of time.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 6.0.0
lastReleaseVersion: 6.0.1

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 6.0.1-dev
version: 6.0.2-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

4
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.5.3
No user-facing changes.
## 1.5.2
No user-facing changes.

3
cpp/ql/src/change-notes/released/1.5.3.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.5.3
No user-facing changes.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.5.2
lastReleaseVersion: 1.5.3

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.5.3-dev
version: 1.5.4-dev
groups:
- cpp
- queries

2
csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs
View File

@@ -182,7 +182,7 @@ namespace Semmle.Extraction.CSharp
var compilerCall = compilationData.CompilerCall;
var diagnosticName = compilerCall.GetDiagnosticName();
logger.LogInfo($" Processing compilation {diagnosticName} at {compilerCall.ProjectDirectory}");
var compilerArgs = compilerCall.GetArguments();
var compilerArgs = reader.ReadArguments(compilerCall);
var compilationIdentifierPath = string.Empty;
try

8
csharp/paket.dependencies
View File

@@ -4,16 +4,16 @@ source https://api.nuget.org/v3/index.json
# behave like nuget in choosing transitive dependency versions
strategy: max
nuget Basic.CompilerLog.Util 0.9.8
nuget Basic.CompilerLog.Util 0.9.21
nuget Mono.Posix.NETStandard
nuget Newtonsoft.Json
nuget xunit
nuget xunit.runner.visualstudio
nuget xunit.runner.utility
nuget Microsoft.NET.Test.Sdk
nuget Microsoft.CodeAnalysis.CSharp 4.12.0
nuget Microsoft.CodeAnalysis 4.12.0
nuget Microsoft.Build 17.12.6
nuget Microsoft.CodeAnalysis.CSharp 4.14.0
nuget Microsoft.CodeAnalysis 4.14.0
nuget Microsoft.Build 17.14.28
nuget Microsoft.Win32.Primitives
nuget System.Net.Primitives
nuget System.Security.Principal

273
csharp/paket.lock generated
View File

@@ -3,143 +3,148 @@ STRATEGY: MAX
RESTRICTION: == net9.0
NUGET
remote: https://api.nuget.org/v3/index.json
Basic.CompilerLog.Util (0.9.8)
MessagePack (>= 2.5.187)
Microsoft.CodeAnalysis (>= 4.12)
Microsoft.CodeAnalysis.CSharp (>= 4.12)
Microsoft.CodeAnalysis.VisualBasic (>= 4.12)
Microsoft.Extensions.ObjectPool (>= 9.0.2)
MSBuild.StructuredLogger (>= 2.2.243)
System.Buffers (>= 4.6)
Basic.CompilerLog.Util (0.9.21)
MessagePack (>= 3.1.4)
Microsoft.Bcl.Memory (>= 9.0.10)
Microsoft.CodeAnalysis (>= 4.8)
Microsoft.CodeAnalysis.CSharp (>= 4.8)
Microsoft.CodeAnalysis.VisualBasic (>= 4.8)
Microsoft.Extensions.ObjectPool (>= 9.0.10)
MSBuild.StructuredLogger (>= 2.3.71)
NaturalSort.Extension (>= 4.4)
Humanizer.Core (2.14.1)
MessagePack (3.0.300)
MessagePack.Annotations (>= 3.0.300)
MessagePackAnalyzer (>= 3.0.300)
MessagePack (3.1.4)
MessagePack.Annotations (>= 3.1.4)
MessagePackAnalyzer (>= 3.1.4)
Microsoft.NET.StringTools (>= 17.11.4)
MessagePack.Annotations (3.0.300)
MessagePackAnalyzer (3.0.300)
Microsoft.Bcl.AsyncInterfaces (9.0)
Microsoft.Build (17.12.6)
Microsoft.Build.Framework (>= 17.12.6)
Microsoft.NET.StringTools (>= 17.12.6)
System.Collections.Immutable (>= 8.0)
System.Configuration.ConfigurationManager (>= 8.0)
System.Reflection.Metadata (>= 8.0)
System.Reflection.MetadataLoadContext (>= 8.0)
Microsoft.Build.Framework (17.12.6)
Microsoft.Build.Utilities.Core (17.12.6)
Microsoft.Build.Framework (>= 17.12.6)
Microsoft.NET.StringTools (>= 17.12.6)
System.Collections.Immutable (>= 8.0)
System.Configuration.ConfigurationManager (>= 8.0)
Microsoft.CodeAnalysis (4.12)
MessagePack.Annotations (3.1.4)
MessagePackAnalyzer (3.1.4)
Microsoft.Bcl.AsyncInterfaces (9.0.10)
Microsoft.Bcl.Memory (9.0.10)
Microsoft.Build (17.14.28)
Microsoft.Build.Framework (>= 17.14.28)
Microsoft.NET.StringTools (>= 17.14.28)
System.Configuration.ConfigurationManager (>= 9.0)
System.Diagnostics.EventLog (>= 9.0)
System.Reflection.MetadataLoadContext (>= 9.0)
System.Security.Cryptography.ProtectedData (>= 9.0)
Microsoft.Build.Framework (17.14.28)
Microsoft.Build.Utilities.Core (17.14.28)
Microsoft.Build.Framework (>= 17.14.28)
Microsoft.NET.StringTools (>= 17.14.28)
System.Collections.Immutable (>= 9.0)
System.Configuration.ConfigurationManager (>= 9.0)
System.Diagnostics.EventLog (>= 9.0)
System.Security.Cryptography.ProtectedData (>= 9.0)
Microsoft.CodeAnalysis (4.14)
Humanizer.Core (>= 2.14.1)
Microsoft.Bcl.AsyncInterfaces (>= 8.0)
Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
Microsoft.CodeAnalysis.CSharp.Workspaces (4.12)
Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.12)
Microsoft.Bcl.AsyncInterfaces (>= 9.0)
Microsoft.CodeAnalysis.Analyzers (>= 3.11)
Microsoft.CodeAnalysis.CSharp.Workspaces (4.14)
Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.14)
System.Buffers (>= 4.5.1)
System.Collections.Immutable (>= 8.0)
System.Composition (>= 8.0)
System.IO.Pipelines (>= 8.0)
System.Collections.Immutable (>= 9.0)
System.Composition (>= 9.0)
System.IO.Pipelines (>= 9.0)
System.Memory (>= 4.5.5)
System.Numerics.Vectors (>= 4.5)
System.Reflection.Metadata (>= 8.0)
System.Reflection.Metadata (>= 9.0)
System.Runtime.CompilerServices.Unsafe (>= 6.0)
System.Text.Encoding.CodePages (>= 7.0)
System.Threading.Channels (>= 7.0)
System.Threading.Tasks.Extensions (>= 4.5.4)
Microsoft.CodeAnalysis.Analyzers (3.11)
Microsoft.CodeAnalysis.Common (4.12)
Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
System.Collections.Immutable (>= 8.0)
System.Reflection.Metadata (>= 8.0)
Microsoft.CodeAnalysis.CSharp (4.12)
Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
Microsoft.CodeAnalysis.Common (4.12)
System.Collections.Immutable (>= 8.0)
System.Reflection.Metadata (>= 8.0)
Microsoft.CodeAnalysis.CSharp.Workspaces (4.12)
Microsoft.CodeAnalysis.Common (4.14)
Microsoft.CodeAnalysis.Analyzers (>= 3.11)
System.Collections.Immutable (>= 9.0)
System.Reflection.Metadata (>= 9.0)
Microsoft.CodeAnalysis.CSharp (4.14)
Microsoft.CodeAnalysis.Analyzers (>= 3.11)
Microsoft.CodeAnalysis.Common (4.14)
System.Collections.Immutable (>= 9.0)
System.Reflection.Metadata (>= 9.0)
Microsoft.CodeAnalysis.CSharp.Workspaces (4.14)
Humanizer.Core (>= 2.14.1)
Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
Microsoft.CodeAnalysis.Common (4.12)
Microsoft.CodeAnalysis.CSharp (4.12)
Microsoft.CodeAnalysis.Workspaces.Common (4.12)
System.Collections.Immutable (>= 8.0)
System.Composition (>= 8.0)
System.IO.Pipelines (>= 8.0)
System.Reflection.Metadata (>= 8.0)
Microsoft.CodeAnalysis.Analyzers (>= 3.11)
Microsoft.CodeAnalysis.Common (4.14)
Microsoft.CodeAnalysis.CSharp (4.14)
Microsoft.CodeAnalysis.Workspaces.Common (4.14)
System.Collections.Immutable (>= 9.0)
System.Composition (>= 9.0)
System.IO.Pipelines (>= 9.0)
System.Reflection.Metadata (>= 9.0)
System.Threading.Channels (>= 7.0)
Microsoft.CodeAnalysis.VisualBasic (4.12)
Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
Microsoft.CodeAnalysis.Common (4.12)
System.Collections.Immutable (>= 8.0)
System.Reflection.Metadata (>= 8.0)
Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.12)
Microsoft.CodeAnalysis.VisualBasic (4.14)
Microsoft.CodeAnalysis.Analyzers (>= 3.11)
Microsoft.CodeAnalysis.Common (4.14)
System.Collections.Immutable (>= 9.0)
System.Reflection.Metadata (>= 9.0)
Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.14)
Humanizer.Core (>= 2.14.1)
Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
Microsoft.CodeAnalysis.Common (4.12)
Microsoft.CodeAnalysis.VisualBasic (4.12)
Microsoft.CodeAnalysis.Workspaces.Common (4.12)
System.Collections.Immutable (>= 8.0)
System.Composition (>= 8.0)
System.IO.Pipelines (>= 8.0)
System.Reflection.Metadata (>= 8.0)
Microsoft.CodeAnalysis.Analyzers (>= 3.11)
Microsoft.CodeAnalysis.Common (4.14)
Microsoft.CodeAnalysis.VisualBasic (4.14)
Microsoft.CodeAnalysis.Workspaces.Common (4.14)
System.Collections.Immutable (>= 9.0)
System.Composition (>= 9.0)
System.IO.Pipelines (>= 9.0)
System.Reflection.Metadata (>= 9.0)
System.Threading.Channels (>= 7.0)
Microsoft.CodeAnalysis.Workspaces.Common (4.12)
Microsoft.CodeAnalysis.Workspaces.Common (4.14)
Humanizer.Core (>= 2.14.1)
Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
Microsoft.CodeAnalysis.Common (4.12)
System.Collections.Immutable (>= 8.0)
System.Composition (>= 8.0)
System.IO.Pipelines (>= 8.0)
System.Reflection.Metadata (>= 8.0)
Microsoft.CodeAnalysis.Analyzers (>= 3.11)
Microsoft.CodeAnalysis.Common (4.14)
System.Collections.Immutable (>= 9.0)
System.Composition (>= 9.0)
System.IO.Pipelines (>= 9.0)
System.Reflection.Metadata (>= 9.0)
System.Threading.Channels (>= 7.0)
Microsoft.CodeCoverage (17.12)
Microsoft.Extensions.ObjectPool (9.0.3)
Microsoft.NET.StringTools (17.12.6)
Microsoft.NET.Test.Sdk (17.12)
Microsoft.CodeCoverage (>= 17.12)
Microsoft.TestPlatform.TestHost (>= 17.12)
Microsoft.CodeCoverage (18.0)
Microsoft.Extensions.ObjectPool (9.0.10)
Microsoft.NET.StringTools (17.14.28)
Microsoft.NET.Test.Sdk (18.0)
Microsoft.CodeCoverage (>= 18.0)
Microsoft.TestPlatform.TestHost (>= 18.0)
Microsoft.NETCore.Platforms (7.0.4)
Microsoft.NETCore.Targets (5.0)
Microsoft.TestPlatform.ObjectModel (17.12)
System.Reflection.Metadata (>= 1.6)
Microsoft.TestPlatform.TestHost (17.12)
Microsoft.TestPlatform.ObjectModel (>= 17.12)
Newtonsoft.Json (>= 13.0.1)
Microsoft.TestPlatform.ObjectModel (18.0)
System.Reflection.Metadata (>= 8.0)
Microsoft.TestPlatform.TestHost (18.0)
Microsoft.TestPlatform.ObjectModel (>= 18.0)
Newtonsoft.Json (>= 13.0.3)
Microsoft.Win32.Primitives (4.3)
Microsoft.NETCore.Platforms (>= 1.1)
Microsoft.NETCore.Targets (>= 1.1)
System.Runtime (>= 4.3)
Mono.Posix.NETStandard (1.0)
MSBuild.StructuredLogger (2.2.386)
MSBuild.StructuredLogger (2.3.71)
Microsoft.Build.Framework (>= 17.5)
Microsoft.Build.Utilities.Core (>= 17.5)
System.Collections.Immutable (>= 8.0)
Newtonsoft.Json (13.0.3)
System.Buffers (4.6)
System.Collections.Immutable (9.0)
System.Composition (9.0)
System.Composition.AttributedModel (>= 9.0)
System.Composition.Convention (>= 9.0)
System.Composition.Hosting (>= 9.0)
System.Composition.Runtime (>= 9.0)
System.Composition.TypedParts (>= 9.0)
System.Composition.AttributedModel (9.0)
System.Composition.Convention (9.0)
System.Composition.AttributedModel (>= 9.0)
System.Composition.Hosting (9.0)
System.Composition.Runtime (>= 9.0)
System.Composition.Runtime (9.0)
System.Composition.TypedParts (9.0)
System.Composition.AttributedModel (>= 9.0)
System.Composition.Hosting (>= 9.0)
System.Composition.Runtime (>= 9.0)
System.Configuration.ConfigurationManager (9.0)
System.Diagnostics.EventLog (>= 9.0)
System.Security.Cryptography.ProtectedData (>= 9.0)
System.Diagnostics.EventLog (9.0)
NaturalSort.Extension (4.4)
Newtonsoft.Json (13.0.4)
System.Buffers (4.6.1)
System.Collections.Immutable (9.0.10)
System.Composition (9.0.10)
System.Composition.AttributedModel (>= 9.0.10)
System.Composition.Convention (>= 9.0.10)
System.Composition.Hosting (>= 9.0.10)
System.Composition.Runtime (>= 9.0.10)
System.Composition.TypedParts (>= 9.0.10)
System.Composition.AttributedModel (9.0.10)
System.Composition.Convention (9.0.10)
System.Composition.AttributedModel (>= 9.0.10)
System.Composition.Hosting (9.0.10)
System.Composition.Runtime (>= 9.0.10)
System.Composition.Runtime (9.0.10)
System.Composition.TypedParts (9.0.10)
System.Composition.AttributedModel (>= 9.0.10)
System.Composition.Hosting (>= 9.0.10)
System.Composition.Runtime (>= 9.0.10)
System.Configuration.ConfigurationManager (9.0.10)
System.Diagnostics.EventLog (>= 9.0.10)
System.Security.Cryptography.ProtectedData (>= 9.0.10)
System.Diagnostics.EventLog (9.0.10)
System.IO (4.3)
Microsoft.NETCore.Platforms (>= 1.1)
Microsoft.NETCore.Targets (>= 1.1)
@@ -157,55 +162,55 @@ NUGET
System.Threading.Tasks (>= 4.3)
System.IO.FileSystem.Primitives (4.3)
System.Runtime (>= 4.3)
System.IO.Pipelines (9.0)
System.Memory (4.6)
System.IO.Pipelines (9.0.10)
System.Memory (4.6.3)
System.Net.Primitives (4.3.1)
Microsoft.NETCore.Platforms (>= 1.1.1)
Microsoft.NETCore.Targets (>= 1.1.3)
System.Runtime (>= 4.3.1)
System.Runtime.Handles (>= 4.3)
System.Numerics.Vectors (4.6)
System.Reflection.Metadata (9.0)
System.Reflection.MetadataLoadContext (9.0)
System.Numerics.Vectors (4.6.1)
System.Reflection.Metadata (9.0.10)
System.Reflection.MetadataLoadContext (9.0.10)
System.Runtime (4.3.1)
Microsoft.NETCore.Platforms (>= 1.1.1)
Microsoft.NETCore.Targets (>= 1.1.3)
System.Runtime.CompilerServices.Unsafe (6.1)
System.Runtime.CompilerServices.Unsafe (6.1.2)
System.Runtime.Handles (4.3)
Microsoft.NETCore.Platforms (>= 1.1)
Microsoft.NETCore.Targets (>= 1.1)
System.Runtime (>= 4.3)
System.Security.Cryptography.ProtectedData (9.0)
System.Security.Cryptography.ProtectedData (9.0.10)
System.Security.Principal (4.3)
System.Runtime (>= 4.3)
System.Text.Encoding (4.3)
Microsoft.NETCore.Platforms (>= 1.1)
Microsoft.NETCore.Targets (>= 1.1)
System.Runtime (>= 4.3)
System.Text.Encoding.CodePages (9.0)
System.Threading.Channels (9.0)
System.Text.Encoding.CodePages (9.0.10)
System.Threading.Channels (9.0.10)
System.Threading.Tasks (4.3)
Microsoft.NETCore.Platforms (>= 1.1)
Microsoft.NETCore.Targets (>= 1.1)
System.Runtime (>= 4.3)
System.Threading.Tasks.Extensions (4.6)
System.Threading.Tasks.Extensions (4.6.3)
System.Threading.ThreadPool (4.3)
System.Runtime (>= 4.3)
System.Runtime.Handles (>= 4.3)
xunit (2.9.2)
xunit.analyzers (>= 1.16)
xunit.assert (>= 2.9.2)
xunit.core (2.9.2)
xunit (2.9.3)
xunit.analyzers (>= 1.18)
xunit.assert (>= 2.9.3)
xunit.core (2.9.3)
xunit.abstractions (2.0.3)
xunit.analyzers (1.17)
xunit.assert (2.9.2)
xunit.core (2.9.2)
xunit.extensibility.core (2.9.2)
xunit.extensibility.execution (2.9.2)
xunit.extensibility.core (2.9.2)
xunit.analyzers (1.24)
xunit.assert (2.9.3)
xunit.core (2.9.3)
xunit.extensibility.core (2.9.3)
xunit.extensibility.execution (2.9.3)
xunit.extensibility.core (2.9.3)
xunit.abstractions (>= 2.0.3)
xunit.extensibility.execution (2.9.2)
xunit.extensibility.core (2.9.2)
xunit.runner.utility (2.9.2)
xunit.extensibility.execution (2.9.3)
xunit.extensibility.core (2.9.3)
xunit.runner.utility (2.9.3)
xunit.abstractions (>= 2.0.3)
xunit.runner.visualstudio (2.8.2)
xunit.runner.visualstudio (3.1.5)

104
csharp/paket.main.bzl generated
View File

File diff suppressed because one or more lines are too long

4
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.7.51
No user-facing changes.
## 1.7.50
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.51.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.51
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.50
lastReleaseVersion: 1.7.51

2
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.51-dev
version: 1.7.52-dev
groups:
- csharp
- solorigate

4
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.7.51
No user-facing changes.
## 1.7.50
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.51.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.51
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.50
lastReleaseVersion: 1.7.51

2
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.51-dev
version: 1.7.52-dev
groups:
- csharp
- solorigate

2
csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected
View File

@@ -3,6 +3,7 @@
| [...]/csharp/tools/[...]/MessagePack.Annotations.dll |
| [...]/csharp/tools/[...]/MessagePack.dll |
| [...]/csharp/tools/[...]/Microsoft.Bcl.AsyncInterfaces.dll |
| [...]/csharp/tools/[...]/Microsoft.Bcl.Memory.dll |
| [...]/csharp/tools/[...]/Microsoft.Build.Framework.dll |
| [...]/csharp/tools/[...]/Microsoft.Build.Utilities.Core.dll |
| [...]/csharp/tools/[...]/Microsoft.Build.dll |
@@ -20,6 +21,7 @@
| [...]/csharp/tools/[...]/Microsoft.Win32.Primitives.dll |
| [...]/csharp/tools/[...]/Microsoft.Win32.Registry.dll |
| [...]/csharp/tools/[...]/Mono.Posix.NETStandard.dll |
| [...]/csharp/tools/[...]/NaturalSort.Extension.dll |
| [...]/csharp/tools/[...]/Newtonsoft.Json.dll |
| [...]/csharp/tools/[...]/StructuredLogger.dll |
| [...]/csharp/tools/[...]/System.AppContext.dll |

35
csharp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,18 @@
## 5.3.0
### Deprecated APIs
* The class `AbstractValue` in the `Guards` library has been deprecated and replaced with the class `GuardValue`.
### Major Analysis Improvements
* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions. For example, improved precision has been observed for `cs/inefficient-containskey` and `cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: `cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, `cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, `cs/dereferenced-value-may-be-null` has been changed from a `path-problem` query to a `problem` query, so paths are no longer reported for this query.
### Minor Analysis Improvements
* Added tracer support for macOS and Linux when the .NET CLI (`dotnet`) directly invokes the C# compiler (`csc`). This enhancement provides basic tracing and extraction capabilities for .NET 10 RC2 on these platforms.
* The extraction of location information for source code entities has been updated to use star IDs (`*` IDs). This change should be transparent to end-users but may improve extraction performance in some cases by reducing TRAP file size and eliminating overhead from location de-duplication.
## 5.2.6
### Minor Analysis Improvements
@@ -128,7 +143,7 @@ No user-facing changes.
* Added `remote` flow source models for properties of Blazor components annotated with any of the following attributes from `Microsoft.AspNetCore.Components`:
- `[SupplyParameterFromForm]`
- `[SupplyParameterFromQuery]`
* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.
* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.
* Added flow summaries for the `Microsoft.AspNetCore.Mvc.Controller::View` method.
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
* The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.
@@ -148,7 +163,7 @@ No user-facing changes.
- `System.Web.HttpUtility::ParseQueryString`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery`
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
## 3.1.1
@@ -186,8 +201,8 @@ No user-facing changes.
### Breaking Changes
* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
### Minor Analysis Improvements
@@ -436,7 +451,7 @@ No user-facing changes.
### New Features
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
### Minor Analysis Improvements
@@ -571,7 +586,7 @@ No user-facing changes.
* Attributes on methods in CIL are now extracted (Bugfix).
* Support for `static virtual` and `static abstract` interface members.
* Support for *operators* in interface definitions.
* Support for *operators* in interface definitions.
* C# 11: Added support for the unsigned right shift `>>>` and unsigned right shift assignment `>>>=` operators.
* Query id's have been aligned such that they are prefixed with `cs` instead of `csharp`.
@@ -611,13 +626,13 @@ No user-facing changes.
### Minor Analysis Improvements
* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
* ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
* ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
## 0.4.0
### Deprecated APIs
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### Bug Fixes
@@ -630,7 +645,7 @@ No user-facing changes.
### Deprecated APIs
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### Minor Analysis Improvements
@@ -677,7 +692,7 @@ No user-facing changes.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features

4
csharp/ql/lib/change-notes/2025-10-04-deprecate-controlsblock.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: deprecated
---
* `ControlFlowElement.controlsBlock` has been deprecated in favor of the Guards library.

4
csharp/ql/lib/change-notes/2025-10-10-starid-locations.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The extraction of location information for source code entities has been updated to use star IDs (`*` IDs). This change should be transparent to end-users but may improve extraction performance in some cases by reducing TRAP file size and eliminating overhead from location de-duplication.

4
csharp/ql/lib/change-notes/2025-10-21-dotnet-rc2-tracing.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added tracer support for macOS and Linux when the .NET CLI (`dotnet`) directly invokes the C# compiler (`csc`). This enhancement provides basic tracing and extraction capabilities for .NET 10 RC2 on these platforms.

4
csharp/ql/lib/change-notes/2025-10-31-deprecate-abstractvalue.md
View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* The class `AbstractValue` in the `Guards` library has been deprecated and replaced with the class `GuardValue`.

4
csharp/ql/lib/change-notes/2025-11-03-roslyn-and-binlog.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Updated *roslyn* and *binlog* dependencies in the extractor, which may improve database and analysis quality.

16
csharp/ql/lib/change-notes/2025-10-03-nullness.md → csharp/ql/lib/change-notes/released/5.3.0.md
View File

@@ -1,4 +1,14 @@
---
category: majorAnalysis
---
## 5.3.0
### Deprecated APIs
* The class `AbstractValue` in the `Guards` library has been deprecated and replaced with the class `GuardValue`.
### Major Analysis Improvements
* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions, for example, improved precision has been observed for `cs/inefficient-containskey` and `cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: `cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, `cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, `cs/dereferenced-value-may-be-null` has been changed from a `path-problem` query to a `problem` query, so paths are no longer reported for this query.
### Minor Analysis Improvements
* Added tracer support for macOS and Linux when the .NET CLI (`dotnet`) directly invokes the C# compiler (`csc`). This enhancement provides basic tracing and extraction capabilities for .NET 10 RC2 on these platforms.
* The extraction of location information for source code entities has been updated to use star IDs (`*` IDs). This change should be transparent to end-users but may improve extraction performance in some cases by reducing TRAP file size and eliminating overhead from location de-duplication.

2
csharp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.2.6
lastReleaseVersion: 5.3.0

2
csharp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 5.2.7-dev
version: 5.3.1-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

2
csharp/ql/lib/semmle/code/csharp/Caching.qll
View File

@@ -33,8 +33,6 @@ module Stages {
cached
private predicate forceCachingInSameStageRev() {
any(ControlFlowElement cfe).controlsBlock(_, _, _)
or
exists(GuardedExpr ge)
or
forceCachingInSameStageRev()

136
csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowElement.qll
View File

@@ -87,148 +87,20 @@ class ControlFlowElement extends ExprOrStmtParent, @control_flow_element {
result.getAControlFlowNode()
}
pragma[noinline]
private predicate immediatelyControlsBlockSplit0(
ConditionBlock cb, BasicBlock succ, ConditionalSuccessor s
) {
// Only calculate dominance by explicit recursion for split nodes;
// all other nodes can use regular CFG dominance
this instanceof Impl::SplitAstNode and
cb.getLastNode() = this.getAControlFlowNode() and
succ = cb.getASuccessor(s)
}
pragma[noinline]
private predicate immediatelyControlsBlockSplit1(
ConditionBlock cb, BasicBlock succ, ConditionalSuccessor s, BasicBlock pred, SuccessorType t
) {
this.immediatelyControlsBlockSplit0(cb, succ, s) and
pred = succ.getAPredecessorByType(t) and
pred != cb
}
pragma[noinline]
private predicate immediatelyControlsBlockSplit2(
ConditionBlock cb, BasicBlock succ, ConditionalSuccessor s, BasicBlock pred, SuccessorType t
) {
this.immediatelyControlsBlockSplit1(cb, succ, s, pred, t) and
(
succ.dominates(pred)
or
// `pred` might be another split of this element
pred.getLastNode().getAstNode() = this and
t = s
)
}
/**
* Holds if basic block `succ` is immediately controlled by this control flow
* element with conditional value `s`. That is, `succ` can only be reached from
* the callable entry point by going via the `s` edge out of *some* basic block
* `pred` ending with this element, and `pred` is an immediate predecessor
* of `succ`.
* DEPRECATED: Use `Guard` class instead.
*
* Moreover, this control flow element corresponds to multiple control flow nodes,
* which is why
*
* ```ql
* exists(ConditionBlock cb |
* cb.getLastNode() = this.getAControlFlowNode() |
* cb.immediatelyControls(succ, s)
* )
* ```
*
* does not work.
*
* `cb` records all of the possible condition blocks for this control flow element
* that a path from the callable entry point to `succ` may go through.
*/
pragma[nomagic]
private predicate immediatelyControlsBlockSplit(
BasicBlock succ, ConditionalSuccessor s, ConditionBlock cb
) {
this.immediatelyControlsBlockSplit0(cb, succ, s) and
forall(BasicBlock pred, SuccessorType t |
this.immediatelyControlsBlockSplit1(cb, succ, s, pred, t)
|
this.immediatelyControlsBlockSplit2(cb, succ, s, pred, t)
)
}
pragma[noinline]
private predicate controlsJoinBlockPredecessor(
JoinBlock controlled, ConditionalSuccessor s, int i, ConditionBlock cb
) {
this.controlsBlockSplit(controlled.getJoinBlockPredecessor(i), s, cb)
}
private predicate controlsJoinBlockSplit(JoinBlock controlled, ConditionalSuccessor s, int i) {
i = -1 and
this.controlsJoinBlockPredecessor(controlled, s, _, _)
or
this.controlsJoinBlockSplit(controlled, s, i - 1) and
(
this.controlsJoinBlockPredecessor(controlled, s, i, _)
or
controlled.dominates(controlled.getJoinBlockPredecessor(i))
)
}
cached
private predicate controlsBlockSplit(
BasicBlock controlled, ConditionalSuccessor s, ConditionBlock cb
) {
Stages::GuardsStage::forceCachingInSameStage() and
this.immediatelyControlsBlockSplit(controlled, s, cb)
or
// Equivalent with
//
// ```ql
// exists(JoinBlockPredecessor pred | pred = controlled.getAPredecessor() |
// this.controlsBlockSplit(pred, s)
// ) and
// forall(JoinBlockPredecessor pred | pred = controlled.getAPredecessor() |
// this.controlsBlockSplit(pred, s)
// or
// controlled.dominates(pred)
// )
// ```
//
// but uses no universal recursion for better performance.
exists(int last |
last = max(int i | exists(controlled.(JoinBlock).getJoinBlockPredecessor(i)))
|
this.controlsJoinBlockSplit(controlled, s, last)
) and
this.controlsJoinBlockPredecessor(controlled, s, _, cb)
or
not controlled instanceof JoinBlock and
this.controlsBlockSplit(controlled.getAPredecessor(), s, cb)
}
/**
* Holds if basic block `controlled` is controlled by this control flow element
* with conditional value `s`. That is, `controlled` can only be reached from
* the callable entry point by going via the `s` edge out of *some* basic block
* ending with this element.
*
* This predicate is different from
*
* ```ql
* exists(ConditionBlock cb |
* cb.getLastNode() = this.getAControlFlowNode() |
* cb.controls(controlled, s)
* )
* ```
*
* as control flow splitting is taken into account.
*
* `cb` records all of the possible condition blocks for this control flow element
* that a path from the callable entry point to `controlled` may go through.
*/
predicate controlsBlock(BasicBlock controlled, ConditionalSuccessor s, ConditionBlock cb) {
this.controlsBlockSplit(controlled, s, cb)
or
deprecated predicate controlsBlock(
BasicBlock controlled, ConditionalSuccessor s, ConditionBlock cb
) {
cb.getLastNode() = this.getAControlFlowNode() and
cb.edgeDominates(controlled, s)
}

11
csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
View File

@@ -49,8 +49,15 @@ private module GuardsInput implements
override predicate isNull() { any() }
}
private class BooleanConstant extends ConstantExpr instanceof BoolLiteral {
override boolean asBooleanValue() { result = super.getBoolValue() }
private predicate boolConst(Expr e, boolean b) {
e.getType() instanceof BoolType and
e.getValue() = b.toString()
}
private class BooleanConstant extends ConstantExpr {
BooleanConstant() { boolConst(this, _) }
override boolean asBooleanValue() { boolConst(this, result) }
}
private predicate intConst(Expr e, int i) {

36
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
View File

@@ -2583,10 +2583,10 @@ class NodeRegion instanceof ControlFlow::BasicBlock {
* Holds if the nodes in `nr` are unreachable when the call context is `call`.
*/
predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) {
exists(ExplicitParameterNode paramNode, Guard guard, ControlFlow::BooleanSuccessor bs |
viableConstantBooleanParamArg(paramNode, bs.getValue().booleanNot(), call) and
exists(ExplicitParameterNode paramNode, Guard guard, GuardValue val |
viableConstantParamArg(paramNode, val.getDualValue(), call) and
paramNode.getSsaDefinition().getARead() = guard and
guard.controlsBlock(nr, bs, _)
guard.valueControls(nr, val)
)
}
@@ -2904,33 +2904,19 @@ class CastNode extends Node {
class DataFlowExpr = Expr;
/** Holds if `e` is an expression that always has the same Boolean value `val`. */
private predicate constantBooleanExpr(Expr e, boolean val) {
e.getType() instanceof BoolType and
e.getValue() = val.toString()
or
exists(Ssa::ExplicitDefinition def, Expr src |
e = def.getARead() and
src = def.getADefinition().getSource() and
constantBooleanExpr(src, val)
)
}
/** An argument that always has the same value. */
private class ConstantArgumentNode extends ExprNode {
ConstantArgumentNode() { Guards::InternalUtil::exprHasValue(this.(ArgumentNode).asExpr(), _) }
/** An argument that always has the same Boolean value. */
private class ConstantBooleanArgumentNode extends ExprNode {
ConstantBooleanArgumentNode() { constantBooleanExpr(this.(ArgumentNode).asExpr(), _) }
/** Gets the Boolean value of this expression. */
boolean getBooleanValue() { constantBooleanExpr(this.getExpr(), result) }
/** Gets the value of this expression. */
GuardValue getValue() { Guards::InternalUtil::exprHasValue(this.getExpr(), result) }
}
pragma[noinline]
private predicate viableConstantBooleanParamArg(
ParameterNode paramNode, boolean b, DataFlowCall call
) {
exists(ConstantBooleanArgumentNode arg |
private predicate viableConstantParamArg(ParameterNode paramNode, GuardValue val, DataFlowCall call) {
exists(ConstantArgumentNode arg |
viableParamArg(call, paramNode, arg) and
b = arg.getBooleanValue()
val = arg.getValue()
)
}

9
csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
View File

@@ -72,17 +72,10 @@ class ReverseDnsSource extends Source {
}
}
pragma[noinline]
private predicate conditionControlsCall0(
SensitiveExecutionMethodCall call, Expr e, ControlFlow::BooleanSuccessor s
) {
forex(BasicBlock bb | bb = call.getAControlFlowNode().getBasicBlock() | e.controlsBlock(bb, s, _))
}
private predicate conditionControlsCall(
SensitiveExecutionMethodCall call, SensitiveExecutionMethod def, Expr e, boolean cond
) {
exists(ControlFlow::BooleanSuccessor s | cond = s.getValue() | conditionControlsCall0(call, e, s)) and
e.(Guard).directlyControls(call.getBasicBlock(), cond) and
def = call.getTarget().getUnboundDeclaration()
}

10
csharp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 1.4.3
### Minor Analysis Improvements
* The `cs/web/missing-x-frame-options` query now correctly handles configuration nested in root `<location>` elements.
## 1.4.2
No user-facing changes.
@@ -164,7 +170,7 @@ No user-facing changes.
### Minor Analysis Improvements
* C#: The method `string.ReplaceLineEndings(string)` is now considered a sanitizer for the `cs/log-forging` query.
* C#: The method `string.ReplaceLineEndings(string)` is now considered a sanitizer for the `cs/log-forging` query.
## 1.0.10
@@ -278,7 +284,7 @@ No user-facing changes.
### Minor Analysis Improvements
* Fixed a Log forging false positive when using `String.Replace` to sanitize the input.
* Fixed a Log forging false positive when using `String.Replace` to sanitize the input.
* Fixed a URL redirection from remote source false positive when guarding a redirect with `HttpRequestBase.IsUrlLocalToHost()`
## 0.8.5

7
csharp/ql/src/change-notes/2025-10-17-location-in-web-config.md → csharp/ql/src/change-notes/released/1.4.3.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.4.3
### Minor Analysis Improvements
* the `cs/web/missing-x-frame-options` query now correctly handles configuration nested in root `<location>` elements.

2
csharp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.2
lastReleaseVersion: 1.4.3

2
csharp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.4.3-dev
version: 1.4.4-dev
groups:
- csharp
- queries

2
docs/codeql/reusables/supported-versions-compilers.rst
View File

@@ -26,7 +26,7 @@
Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
Ruby [10]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
Rust [11]_,"Rust editions 2021 and 2024","Rust compiler","``.rs``, ``Cargo.toml``"
Swift [12]_ [13]_,"Swift 5.4-6.1","Swift compiler","``.swift``"
Swift [12]_ [13]_,"Swift 5.4-6.2","Swift compiler","``.swift``"
TypeScript [14]_,"2.6-5.9",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
.. container:: footnote-group

4
go/ql/consistency-queries/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.0.34
No user-facing changes.
## 1.0.33
No user-facing changes.

3
go/ql/consistency-queries/change-notes/released/1.0.34.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.0.34
No user-facing changes.

2
go/ql/consistency-queries/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.33
lastReleaseVersion: 1.0.34

2
go/ql/consistency-queries/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.34-dev
version: 1.0.35-dev
groups:
- go
- queries

4
go/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 5.0.1
No user-facing changes.
## 5.0.0
### Breaking Changes

3
go/ql/lib/change-notes/released/5.0.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 5.0.1
No user-facing changes.

2
go/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.0.0
lastReleaseVersion: 5.0.1

2
go/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 5.0.1-dev
version: 5.0.2-dev
groups: go
dbscheme: go.dbscheme
extractor: go

4
go/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.4.8
No user-facing changes.
## 1.4.7
No user-facing changes.

3
go/ql/src/change-notes/released/1.4.8.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.4.8
No user-facing changes.

2
go/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.7
lastReleaseVersion: 1.4.8

2
go/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.4.8-dev
version: 1.4.9-dev
groups:
- go
- queries

4
java/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 7.7.3
No user-facing changes.
## 7.7.2
### Minor Analysis Improvements

3
java/ql/lib/change-notes/released/7.7.3.md Normal file
View File

@@ -0,0 +1,3 @@
## 7.7.3
No user-facing changes.

2
java/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 7.7.2
lastReleaseVersion: 7.7.3

2
java/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 7.7.3-dev
version: 7.7.4-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

13
java/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,16 @@
## 1.9.0
### New Queries
* The `java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack.
* Added a new query, `java/escaping`, to detect values escaping from classes marked as `@ThreadSafe`.
* Added a new query, `java/not-threadsafe`, to detect data races in classes marked as `@ThreadSafe`.
* Added a new query, `java/safe-publication`, to detect unsafe publication in classes marked as `@ThreadSafe`.
### Minor Analysis Improvements
* Calls to `String.matches` are now treated as sanitizers for the `java/ssrf` query.
## 1.8.2
No user-facing changes.

4
java/ql/src/change-notes/2025-06-22-query-escaping.md
View File

@@ -1,4 +0,0 @@
---
category: newQuery
---
* Added a new query, `java/escaping`, to detect values escaping from classes marked as `@ThreadSafe`.

4
java/ql/src/change-notes/2025-06-22-query-not-thread-safe.md
View File

@@ -1,4 +0,0 @@
---
category: newQuery
---
* Added a new query, `java/not-threadsafe`, to detect data races in classes marked as `@ThreadSafe`.

4
java/ql/src/change-notes/2025-06-22-query-safe-publication.md
View File

@@ -1,4 +0,0 @@
---
category: newQuery
---
* Added a new query, `java/safe-publication`, to detect unsafe publication in classes marked as `@ThreadSafe`.

4
java/ql/src/change-notes/2025-10-02-http-only-cookie-promote.md
View File

@@ -1,4 +0,0 @@
---
category: newQuery
---
* The `java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack.

4
java/ql/src/change-notes/2025-10-24-request-forgery-matches-sanitizer.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Calls to `String.matches` are now treated as sanitizers for the `java/ssrf` query.

12
java/ql/src/change-notes/released/1.9.0.md Normal file
View File

@@ -0,0 +1,12 @@
## 1.9.0
### New Queries
* The `java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack.
* Added a new query, `java/escaping`, to detect values escaping from classes marked as `@ThreadSafe`.
* Added a new query, `java/not-threadsafe`, to detect data races in classes marked as `@ThreadSafe`.
* Added a new query, `java/safe-publication`, to detect unsafe publication in classes marked as `@ThreadSafe`.
### Minor Analysis Improvements
* Calls to `String.matches` are now treated as sanitizers for the `java/ssrf` query.

2
java/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.8.2
lastReleaseVersion: 1.9.0

2
java/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 1.8.3-dev
version: 1.9.1-dev
groups:
- java
- queries

47
java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.expected
View File

@@ -1,3 +1,8 @@
#select
| Test.java:40:47:40:52 | ivSpec | Test.java:19:38:19:40 | val : byte[] | Test.java:40:47:40:52 | ivSpec | Nonce source is reused, see alternate sink $@ | Test.java:49:47:49:52 | Nonce | Nonce |
| Test.java:49:47:49:52 | ivSpec | Test.java:19:38:19:40 | val : byte[] | Test.java:49:47:49:52 | ivSpec | Nonce source is reused, see alternate sink $@ | Test.java:40:47:40:52 | Nonce | Nonce |
| Test.java:76:48:76:54 | ivSpec1 | Test.java:19:38:19:40 | val : byte[] | Test.java:76:48:76:54 | ivSpec1 | Nonce source is reused, see alternate sink $@ | Test.java:82:49:82:55 | Nonce | Nonce |
| Test.java:82:49:82:55 | ivSpec2 | Test.java:19:38:19:40 | val : byte[] | Test.java:82:49:82:55 | ivSpec2 | Nonce source is reused, see alternate sink $@ | Test.java:76:48:76:54 | Nonce | Nonce |
edges
| Test.java:19:38:19:40 | val : byte[] | Test.java:20:16:20:18 | val : byte[] | provenance | |
| Test.java:20:16:20:18 | val : byte[] | Test.java:25:15:25:33 | getRandomWrapper1(...) : byte[] | provenance | |
@@ -11,38 +16,41 @@ edges
| Test.java:33:16:33:18 | val : byte[] | Test.java:63:21:63:40 | getRandomWrapper2b(...) : byte[] | provenance | |
| Test.java:33:16:33:18 | val : byte[] | Test.java:72:21:72:40 | getRandomWrapper2b(...) : byte[] | provenance | |
| Test.java:36:32:36:40 | iv : byte[] | Test.java:37:54:37:55 | iv : byte[] | provenance | |
| Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:40:47:40:52 | ivSpec | provenance | Sink:MaD:45890 |
| Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:40:47:40:52 | ivSpec | provenance | Sink:MaD:1 |
| Test.java:37:54:37:55 | iv : byte[] | Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
| Test.java:37:54:37:55 | iv : byte[] | Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
| Test.java:37:54:37:55 | iv : byte[] | Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
| Test.java:45:21:45:40 | getRandomWrapper2A(...) : byte[] | Test.java:46:54:46:55 | iv : byte[] | provenance | |
| Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:49:47:49:52 | ivSpec | provenance | Sink:MaD:45890 |
| Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:49:47:49:52 | ivSpec | provenance | Sink:MaD:1 |
| Test.java:46:54:46:55 | iv : byte[] | Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
| Test.java:46:54:46:55 | iv : byte[] | Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
| Test.java:46:54:46:55 | iv : byte[] | Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
| Test.java:54:21:54:40 | getRandomWrapper2b(...) : byte[] | Test.java:55:54:55:55 | iv : byte[] | provenance | |
| Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:58:47:58:52 | ivSpec | provenance | Sink:MaD:45890 |
| Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:58:47:58:52 | ivSpec | provenance | Sink:MaD:1 |
| Test.java:55:54:55:55 | iv : byte[] | Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
| Test.java:55:54:55:55 | iv : byte[] | Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
| Test.java:55:54:55:55 | iv : byte[] | Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
| Test.java:63:21:63:40 | getRandomWrapper2b(...) : byte[] | Test.java:64:54:64:55 | iv : byte[] | provenance | |
| Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:67:47:67:52 | ivSpec | provenance | Sink:MaD:45890 |
| Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:67:47:67:52 | ivSpec | provenance | Sink:MaD:1 |
| Test.java:64:54:64:55 | iv : byte[] | Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
| Test.java:64:54:64:55 | iv : byte[] | Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
| Test.java:64:54:64:55 | iv : byte[] | Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
| Test.java:72:21:72:40 | getRandomWrapper2b(...) : byte[] | Test.java:73:55:73:56 | iv : byte[] | provenance | |
| Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | Test.java:76:48:76:54 | ivSpec1 | provenance | Sink:MaD:45890 |
| Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | Test.java:76:48:76:54 | ivSpec1 | provenance | Sink:MaD:1 |
| Test.java:73:55:73:56 | iv : byte[] | Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
| Test.java:73:55:73:56 | iv : byte[] | Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
| Test.java:73:55:73:56 | iv : byte[] | Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
| Test.java:73:55:73:56 | iv : byte[] | Test.java:79:55:79:56 | iv : byte[] | provenance | |
| Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | Test.java:82:49:82:55 | ivSpec2 | provenance | Sink:MaD:45890 |
| Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | Test.java:82:49:82:55 | ivSpec2 | provenance | Sink:MaD:1 |
| Test.java:79:55:79:56 | iv : byte[] | Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
| Test.java:79:55:79:56 | iv : byte[] | Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
| Test.java:79:55:79:56 | iv : byte[] | Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
| Test.java:88:38:88:39 | iv : byte[] | Test.java:89:54:89:55 | iv : byte[] | provenance | |
| Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:93:51:93:56 | ivSpec | provenance | Sink:MaD:45890 |
| Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:96:51:96:56 | ivSpec | provenance | Sink:MaD:45890 |
| Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:93:51:93:56 | ivSpec | provenance | Sink:MaD:1 |
| Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:96:51:96:56 | ivSpec | provenance | Sink:MaD:1 |
| Test.java:89:54:89:55 | iv : byte[] | Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
| Test.java:89:54:89:55 | iv : byte[] | Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
| Test.java:89:54:89:55 | iv : byte[] | Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
| Test.java:103:38:103:39 | iv : byte[] | Test.java:104:54:104:55 | iv : byte[] | provenance | |
| Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:107:47:107:52 | ivSpec | provenance | Sink:MaD:45890 |
| Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:107:47:107:52 | ivSpec | provenance | Sink:MaD:1 |
| Test.java:104:54:104:55 | iv : byte[] | Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
| Test.java:104:54:104:55 | iv : byte[] | Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
| Test.java:104:54:104:55 | iv : byte[] | Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
models
| 1 | Sink: javax.crypto; Cipher; true; init; (int,Key,AlgorithmParameterSpec); ; Argument[2]; encryption-iv; manual |
| 2 | Summary: javax.crypto.spec; IvParameterSpec; true; IvParameterSpec; ; ; Argument[0]; Argument[this]; taint; manual |
nodes
| Test.java:19:38:19:40 | val : byte[] | semmle.label | val : byte[] |
| Test.java:20:16:20:18 | val : byte[] | semmle.label | val : byte[] |
@@ -84,8 +92,3 @@ nodes
| Test.java:104:54:104:55 | iv : byte[] | semmle.label | iv : byte[] |
| Test.java:107:47:107:52 | ivSpec | semmle.label | ivSpec |
subpaths
#select
| Test.java:40:47:40:52 | ivSpec | Test.java:19:38:19:40 | val : byte[] | Test.java:40:47:40:52 | ivSpec | Nonce source is reused, see alternate sink $@ | Test.java:49:47:49:52 | Nonce | Nonce |
| Test.java:49:47:49:52 | ivSpec | Test.java:19:38:19:40 | val : byte[] | Test.java:49:47:49:52 | ivSpec | Nonce source is reused, see alternate sink $@ | Test.java:40:47:40:52 | Nonce | Nonce |
| Test.java:76:48:76:54 | ivSpec1 | Test.java:19:38:19:40 | val : byte[] | Test.java:76:48:76:54 | ivSpec1 | Nonce source is reused, see alternate sink $@ | Test.java:82:49:82:55 | Nonce | Nonce |
| Test.java:82:49:82:55 | ivSpec2 | Test.java:19:38:19:40 | val : byte[] | Test.java:82:49:82:55 | ivSpec2 | Nonce source is reused, see alternate sink $@ | Test.java:76:48:76:54 | Nonce | Nonce |

3
java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.qlref
View File

@@ -1 +1,2 @@
experimental/quantum/Examples/ReusedNonce.ql
query: experimental/quantum/Examples/ReusedNonce.ql
postprocess: utils/test/PrettyPrintModels.ql

9
javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
View File

@@ -489,13 +489,18 @@ public class AutoBuild {
diagnosticsToClose.forEach(DiagnosticWriter::close);
}
if (!hasSeenCode()) {
// Fail extraction if no relevant files were found.
boolean seenRelevantFiles = EnvironmentVariables.isActionsExtractor()
? seenFiles // assume all files are relevant for Actions extractor
: hasSeenCode();
if (!seenRelevantFiles) {
if (seenFiles) {
warn("Only found JavaScript or TypeScript files that were empty or contained syntax errors.");
} else {
warn("No JavaScript or TypeScript code found.");
}
// ensuring that the finalize steps detects that no code was seen.
// Ensuring that the finalize steps detects that no code was seen.
// This is necessary to ensure we don't produce an overlay-base database without externs.
Path srcFolder = Paths.get(EnvironmentVariables.getWipDatabase(), "src");
try {
FileUtil8.recursiveDelete(srcFolder);

7
javascript/extractor/src/com/semmle/js/extractor/EnvironmentVariables.java
View File

@@ -18,6 +18,9 @@ public class EnvironmentVariables {
public static final String CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE_ENV_VAR =
"CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE";
public static final String CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE_ENV_VAR =
"CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE";
public static final String CODEQL_DIST_ENV_VAR = "CODEQL_DIST";
/**
@@ -94,4 +97,8 @@ public class EnvironmentVariables {
public static String getWipDatabase() {
return Env.systemEnv().getNonEmpty(CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE_ENV_VAR);
}
public static boolean isActionsExtractor() {
return Env.systemEnv().getNonEmpty(CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE_ENV_VAR) != null;
}
}

4
javascript/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 2.6.14
No user-facing changes.
## 2.6.13
No user-facing changes.

3
javascript/ql/lib/change-notes/released/2.6.14.md Normal file
View File

@@ -0,0 +1,3 @@
## 2.6.14
No user-facing changes.

2
javascript/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.6.13
lastReleaseVersion: 2.6.14

2
javascript/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 2.6.14-dev
version: 2.6.15-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

4
javascript/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 2.1.3
No user-facing changes.
## 2.1.2
No user-facing changes.

3
javascript/ql/src/change-notes/released/2.1.3.md Normal file
View File

@@ -0,0 +1,3 @@
## 2.1.3
No user-facing changes.

2
javascript/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.1.2
lastReleaseVersion: 2.1.3

2
javascript/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 2.1.3-dev
version: 2.1.4-dev
groups:
- javascript
- queries

4
misc/suite-helpers/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.0.34
No user-facing changes.
## 1.0.33
No user-facing changes.

3
misc/suite-helpers/change-notes/released/1.0.34.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.0.34
No user-facing changes.

2
misc/suite-helpers/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.33
lastReleaseVersion: 1.0.34

2
misc/suite-helpers/qlpack.yml
View File

@@ -1,4 +1,4 @@
name: codeql/suite-helpers
version: 1.0.34-dev
version: 1.0.35-dev
groups: shared
warnOnImplicitThis: true

3
python/ql/examples/snippets/builtin_object.ql
View File

@@ -8,7 +8,8 @@
*/
import python
private import LegacyPointsTo
from Expr e, string name
from ExprWithPointsTo e, string name
where e.pointsTo(Value::named(name)) and not name.charAt(_) = "."
select e

3
python/ql/examples/snippets/catch_exception.ql
View File

@@ -8,9 +8,10 @@
*/
import python
private import LegacyPointsTo
from ExceptStmt ex, ClassValue cls
where
cls.getName() = "MyExceptionClass" and
ex.getType().pointsTo(cls)
ex.getType().(ExprWithPointsTo).pointsTo(cls)
select ex

5
python/ql/examples/snippets/conditional_expression.ql
View File

@@ -9,10 +9,11 @@
*/
import python
private import LegacyPointsTo
from IfExp e, ClassObject cls1, ClassObject cls2
where
e.getBody().refersTo(_, cls1, _) and
e.getOrelse().refersTo(_, cls2, _) and
e.getBody().(ExprWithPointsTo).refersTo(_, cls1, _) and
e.getOrelse().(ExprWithPointsTo).refersTo(_, cls2, _) and
cls1 != cls2
select e

3
python/ql/examples/snippets/new_instance.ql
View File

@@ -8,9 +8,10 @@
*/
import python
private import LegacyPointsTo
from Call new, ClassValue cls
where
cls.getName() = "MyClass" and
new.getFunc().pointsTo(cls)
new.getFunc().(ExprWithPointsTo).pointsTo(cls)
select new

3
python/ql/examples/snippets/print.ql
View File

@@ -6,6 +6,7 @@
*/
import python
private import LegacyPointsTo
from AstNode print
where
@@ -13,5 +14,5 @@ where
print instanceof Print
or
/* Python 3 or with `from __future__ import print_function` */
print.(Call).getFunc().pointsTo(Value::named("print"))
print.(Call).getFunc().(ExprWithPointsTo).pointsTo(Value::named("print"))
select print

3
python/ql/examples/snippets/raise_exception.ql
View File

@@ -8,9 +8,10 @@
*/
import python
private import LegacyPointsTo
from Raise raise, ClassValue ex
where
ex.getName() = "AnException" and
raise.getException().pointsTo(ex.getASuperType())
raise.getException().(ExprWithPointsTo).pointsTo(ex.getASuperType())
select raise, "Don't raise instances of 'AnException'"

3
python/ql/examples/snippets/store_none.ql
View File

@@ -10,9 +10,10 @@
*/
import python
private import LegacyPointsTo
from SubscriptNode store
where
store.isStore() and
store.getIndex().pointsTo(Value::named("None"))
store.getIndex().(ControlFlowNodeWithPointsTo).pointsTo(Value::named("None"))
select store

6
python/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 4.1.0
### New Features
* Initial support for incremental Python databases via `codeql database create --overlay-base`/`--overlay-changes`.
## 4.0.17
### Bug Fixes

210
python/ql/lib/LegacyPointsTo.qll Normal file
View File

@@ -0,0 +1,210 @@
/**
* DEPRECATED: Using the methods in this module may lead to a degradation of performance. Use at
* your own peril.
*
* This module contains legacy points-to predicates and methods for various classes in the
* points-to analysis.
*
* Existing code that depends on, say, points-to predicates on `ControlFlowNode` should be modified
* to use `ControlFlowNodeWithPointsTo` instead. In particular, if inside a method call chain such
* as
*
* `someCallNode.getFunction().pointsTo(...)`
*
* an explicit cast should be added as follows
*
* `someCallNode.getFunction().(ControlFlowNodeWithPointsTo).pointsTo(...)`
*
* Similarly, if a bound variable has type `ControlFlowNode`, and a points-to method is called on
* it, the type should be changed to `ControlFlowNodeWithPointsTo`.
*/
private import python
private import semmle.python.pointsto.PointsTo
private import semmle.python.objects.Modules
/**
* An extension of `ControlFlowNode` that provides points-to predicates.
*/
class ControlFlowNodeWithPointsTo extends ControlFlowNode {
/** Gets the value that this ControlFlowNode points-to. */
predicate pointsTo(Value value) { this.pointsTo(_, value, _) }
/** Gets the value that this ControlFlowNode points-to. */
Value pointsTo() { this.pointsTo(_, result, _) }
/** Gets a value that this ControlFlowNode may points-to. */
Value inferredValue() { this.pointsTo(_, result, _) }
/** Gets the value and origin that this ControlFlowNode points-to. */
predicate pointsTo(Value value, ControlFlowNode origin) { this.pointsTo(_, value, origin) }
/** Gets the value and origin that this ControlFlowNode points-to, given the context. */
predicate pointsTo(Context context, Value value, ControlFlowNode origin) {
PointsTo::pointsTo(this, context, value, origin)
}
/**
* Gets what this flow node might "refer-to". Performs a combination of localized (intra-procedural) points-to
* analysis and global module-level analysis. This points-to analysis favours precision over recall. It is highly
* precise, but may not provide information for a significant number of flow-nodes.
* If the class is unimportant then use `refersTo(value)` or `refersTo(value, origin)` instead.
*/
pragma[nomagic]
predicate refersTo(Object obj, ClassObject cls, ControlFlowNode origin) {
this.refersTo(_, obj, cls, origin)
}
/** Gets what this expression might "refer-to" in the given `context`. */
pragma[nomagic]
predicate refersTo(Context context, Object obj, ClassObject cls, ControlFlowNode origin) {
not obj = unknownValue() and
not cls = theUnknownType() and
PointsTo::points_to(this, context, obj, cls, origin)
}
/**
* Whether this flow node might "refer-to" to `value` which is from `origin`
* Unlike `this.refersTo(value, _, origin)` this predicate includes results
* where the class cannot be inferred.
*/
pragma[nomagic]
predicate refersTo(Object obj, ControlFlowNode origin) {
not obj = unknownValue() and
PointsTo::points_to(this, _, obj, _, origin)
}
/** Equivalent to `this.refersTo(value, _)` */
predicate refersTo(Object obj) { this.refersTo(obj, _) }
/**
* Check whether this control-flow node has complete points-to information.
* This would mean that the analysis managed to infer an over approximation
* of possible values at runtime.
*/
predicate hasCompletePointsToSet() {
// If the tracking failed, then `this` will be its own "origin". In that
// case, we want to exclude nodes for which there is also a different
// origin, as that would indicate that some paths failed and some did not.
this.refersTo(_, _, this) and
not exists(ControlFlowNode other | other != this and this.refersTo(_, _, other))
or
// If `this` is a use of a variable, then we must have complete points-to
// for that variable.
exists(SsaVariable v | v.getAUse() = this | varHasCompletePointsToSet(v))
}
}
/**
* Check whether a SSA variable has complete points-to information.
* This would mean that the analysis managed to infer an overapproximation
* of possible values at runtime.
*/
private predicate varHasCompletePointsToSet(SsaVariable var) {
// Global variables may be modified non-locally or concurrently.
not var.getVariable() instanceof GlobalVariable and
(
// If we have complete points-to information on the definition of
// this variable, then the variable has complete information.
var.getDefinition()
.(DefinitionNode)
.getValue()
.(ControlFlowNodeWithPointsTo)
.hasCompletePointsToSet()
or
// If this variable is a phi output, then we have complete
// points-to information about it if all phi inputs had complete
// information.
forex(SsaVariable phiInput | phiInput = var.getAPhiInput() |
varHasCompletePointsToSet(phiInput)
)
)
}
/**
* An extension of `Expr` that provides points-to predicates.
*/
class ExprWithPointsTo extends Expr {
/**
* NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
* Gets what this expression might "refer-to". Performs a combination of localized (intra-procedural) points-to
* analysis and global module-level analysis. This points-to analysis favours precision over recall. It is highly
* precise, but may not provide information for a significant number of flow-nodes.
* If the class is unimportant then use `refersTo(value)` or `refersTo(value, origin)` instead.
* NOTE: For complex dataflow, involving multiple stages of points-to analysis, it may be more precise to use
* `ControlFlowNode.refersTo(...)` instead.
*/
predicate refersTo(Object obj, ClassObject cls, AstNode origin) {
this.refersTo(_, obj, cls, origin)
}
/**
* NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
* Gets what this expression might "refer-to" in the given `context`.
*/
predicate refersTo(Context context, Object obj, ClassObject cls, AstNode origin) {
this.getAFlowNode()
.(ControlFlowNodeWithPointsTo)
.refersTo(context, obj, cls, origin.getAFlowNode())
}
/**
* NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
* Holds if this expression might "refer-to" to `value` which is from `origin`
* Unlike `this.refersTo(value, _, origin)`, this predicate includes results
* where the class cannot be inferred.
*/
pragma[nomagic]
predicate refersTo(Object obj, AstNode origin) {
this.getAFlowNode().(ControlFlowNodeWithPointsTo).refersTo(obj, origin.getAFlowNode())
}
/**
* NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
* Equivalent to `this.refersTo(value, _)`
*/
predicate refersTo(Object obj) { this.refersTo(obj, _) }
/**
* Holds if this expression might "point-to" to `value` which is from `origin`
* in the given `context`.
*/
predicate pointsTo(Context context, Value value, AstNode origin) {
this.getAFlowNode()
.(ControlFlowNodeWithPointsTo)
.pointsTo(context, value, origin.getAFlowNode())
}
/**
* Holds if this expression might "point-to" to `value` which is from `origin`.
*/
predicate pointsTo(Value value, AstNode origin) {
this.getAFlowNode().(ControlFlowNodeWithPointsTo).pointsTo(value, origin.getAFlowNode())
}
/**
* Holds if this expression might "point-to" to `value`.
*/
predicate pointsTo(Value value) { this.pointsTo(value, _) }
/** Gets a value that this expression might "point-to". */
Value pointsTo() { this.pointsTo(result) }
override string getAQlClass() { none() }
}
/**
* An extension of `Module` that provides points-to related methods.
*/
class ModuleWithPointsTo extends Module {
/** Gets a name exported by this module, that is the names that will be added to a namespace by 'from this-module import *' */
string getAnExport() {
py_exports(this, result)
or
exists(ModuleObjectInternal mod | mod.getSource() = this.getEntryNode() |
mod.(ModuleValue).exports(result)
)
}
override string getAQlClass() { none() }
}

21
python/ql/lib/analysis/DefinitionTracking.qll
View File

@@ -3,6 +3,7 @@
*/
import python
private import LegacyPointsTo
import semmle.python.pointsto.PointsTo
import IDEContextual
@@ -36,22 +37,22 @@ private predicate jump_to_defn(ControlFlowNode use, Definition defn) {
)
or
exists(PythonModuleObject mod |
use.(ImportExprNode).refersTo(mod) and
use.(ImportExprNode).(ControlFlowNodeWithPointsTo).refersTo(mod) and
defn.getAstNode() = mod.getModule()
)
or
exists(PythonModuleObject mod, string name |
use.(ImportMemberNode).getModule(name).refersTo(mod) and
use.(ImportMemberNode).getModule(name).(ControlFlowNodeWithPointsTo).refersTo(mod) and
scope_jump_to_defn_attribute(mod.getModule(), name, defn)
)
or
exists(PackageObject package |
use.(ImportExprNode).refersTo(package) and
use.(ImportExprNode).(ControlFlowNodeWithPointsTo).refersTo(package) and
defn.getAstNode() = package.getInitModule().getModule()
)
or
exists(PackageObject package, string name |
use.(ImportMemberNode).getModule(name).refersTo(package) and
use.(ImportMemberNode).getModule(name).(ControlFlowNodeWithPointsTo).refersTo(package) and
scope_jump_to_defn_attribute(package.getInitModule().getModule(), name, defn)
)
or
@@ -230,7 +231,7 @@ private predicate module_and_name_for_import_star_helper(
ModuleObject mod, string name, ImportStarNode im_star, ImportStarRefinement def
) {
im_star = def.getDefiningNode() and
im_star.getModule().refersTo(mod) and
im_star.getModule().(ControlFlowNodeWithPointsTo).refersTo(mod) and
name = def.getSourceVariable().getName()
}
@@ -239,7 +240,7 @@ pragma[noinline]
private predicate variable_not_redefined_by_import_star(EssaVariable var, ImportStarRefinement def) {
var = def.getInput() and
exists(ModuleObject mod |
def.getDefiningNode().(ImportStarNode).getModule().refersTo(mod) and
def.getDefiningNode().(ImportStarNode).getModule().(ControlFlowNodeWithPointsTo).refersTo(mod) and
not mod.exports(var.getSourceVariable().getName())
)
}
@@ -352,7 +353,9 @@ private predicate scope_jump_to_defn_attribute(ImportTimeScope s, string name, D
)
}
private predicate jump_to_defn_attribute(ControlFlowNode use, string name, Definition defn) {
private predicate jump_to_defn_attribute(
ControlFlowNodeWithPointsTo use, string name, Definition defn
) {
/* Local attribute */
exists(EssaVariable var |
use = var.getASourceUse() and
@@ -367,7 +370,7 @@ private predicate jump_to_defn_attribute(ControlFlowNode use, string name, Defin
/* Super attributes */
exists(AttrNode f, SuperBoundMethod sbm, Object function |
use = f.getObject(name) and
f.refersTo(sbm) and
f.(ControlFlowNodeWithPointsTo).refersTo(sbm) and
function = sbm.getFunction(_) and
function.getOrigin() = defn.getAstNode()
)
@@ -408,7 +411,7 @@ private predicate attribute_assignment_jump_to_defn_attribute(
private predicate sets_attribute(ArgumentRefinement def, string name) {
exists(CallNode call |
call = def.getDefiningNode() and
call.getFunction().refersTo(Object::builtin("setattr")) and
call.getFunction().(ControlFlowNodeWithPointsTo).refersTo(Object::builtin("setattr")) and
def.getInput().getAUse() = call.getArg(0) and
call.getArg(1).getNode().(StringLiteral).getText() = name
)

Some files were not shown because too many files have changed in this diff Show More