hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-09 04:30:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into redsun82/rust-windows

Browse Source
This commit is contained in:
Paolo Tranquilli
2024-09-17 16:16:48 +02:00
committed by GitHub
parent afb9ffa50e c7e3682597
commit 26d2e355bb
49 changed files with 7001 additions and 1826 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll
View File

@@ -29,7 +29,7 @@ module BaseSsa {
) {
exists(ControlFlow::ControlFlow::BasicBlocks::EntryBlock entry |
c = entry.getCallable() and
// In case `c` has multiple bodies, we want each body to gets its own implicit
// In case `c` has multiple bodies, we want each body to get its own implicit
// entry definition. In case `c` doesn't have multiple bodies, the line below
// is simply the same as `bb = entry`, because `entry.getFirstNode().getASuccessor()`
// will be in the entry block.

236
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
View File

@@ -267,8 +267,9 @@ module VariableCapture {
private predicate closureFlowStep(ControlFlow::Nodes::ExprNode e1, ControlFlow::Nodes::ExprNode e2) {
e1 = LocalFlow::getALastEvalNode(e2)
or
exists(Ssa::Definition def |
LocalFlow::ssaDefAssigns(def.getAnUltimateDefinition(), e1) and
exists(Ssa::Definition def, AssignableDefinition adef |
LocalFlow::defAssigns(adef, _, e1) and
def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and
exists(def.getAReadAtNode(e2))
)
}
@@ -492,6 +493,30 @@ module VariableCapture {
}
}
/** Provides logic related to SSA. */
module SsaFlow {
private module Impl = SsaImpl::DataFlowIntegration;
Impl::Node asNode(Node n) {
n = TSsaNode(result)
or
result.(Impl::ExprNode).getExpr() = n.(ExprNode).getControlFlowNode()
or
result.(Impl::ExprPostUpdateNode).getExpr() =
n.(PostUpdateNode).getPreUpdateNode().(ExprNode).getControlFlowNode()
or
result.(Impl::ParameterNode).getParameter() = n.(ExplicitParameterNode).getSsaDefinition()
}
predicate localFlowStep(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo, boolean isUseStep) {
Impl::localFlowStep(def, asNode(nodeFrom), asNode(nodeTo), isUseStep)
}
predicate localMustFlowStep(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo) {
Impl::localMustFlowStep(def, asNode(nodeFrom), asNode(nodeTo))
}
}
/** Provides predicates related to local data flow. */
module LocalFlow {
class LocalExprStepConfiguration extends ControlFlowReachabilityConfiguration {
@@ -617,105 +642,6 @@ module LocalFlow {
any(LocalExprStepConfiguration x).hasDefPath(_, value, def, cfnDef)
}
predicate ssaDefAssigns(Ssa::ExplicitDefinition ssaDef, ControlFlow::Nodes::ExprNode value) {
exists(AssignableDefinition def, ControlFlow::Node cfnDef |
any(LocalExprStepConfiguration conf).hasDefPath(_, value, def, cfnDef) and
ssaDef.getADefinition() = def and
ssaDef.getControlFlowNode() = cfnDef
)
}
/**
* An uncertain SSA definition. Either an uncertain explicit definition or an
* uncertain qualifier definition.
*
* Restricts `Ssa::UncertainDefinition` by excluding implicit call definitions,
* as we---conservatively---consider such definitions to be certain.
*/
class UncertainExplicitSsaDefinition extends Ssa::UncertainDefinition {
UncertainExplicitSsaDefinition() {
this instanceof Ssa::ExplicitDefinition
or
this =
any(Ssa::ImplicitQualifierDefinition qdef |
qdef.getQualifierDefinition() instanceof UncertainExplicitSsaDefinition
)
}
}
/** An SSA definition into which another SSA definition may flow. */
private class SsaInputDefinitionExtNode extends SsaDefinitionExtNode {
SsaInputDefinitionExtNode() {
def instanceof Ssa::PhiNode
or
def instanceof SsaImpl::PhiReadNode
or
def instanceof LocalFlow::UncertainExplicitSsaDefinition
}
}
/**
* Holds if `nodeFrom` is a last node referencing SSA definition `def`, which
* can reach `next`.
*/
private predicate localFlowSsaInputFromDef(
Node nodeFrom, SsaImpl::DefinitionExt def, SsaInputDefinitionExtNode next
) {
exists(ControlFlow::BasicBlock bb, int i |
SsaImpl::lastRefBeforeRedefExt(def, bb, i, next.getDefinitionExt()) and
def.definesAt(_, bb, i, _) and
def = getSsaDefinitionExt(nodeFrom) and
nodeFrom != next
)
}
/**
* Holds if `read` is a last node reading SSA definition `def`, which
* can reach `next`.
*/
predicate localFlowSsaInputFromRead(
Node read, SsaImpl::DefinitionExt def, SsaInputDefinitionExtNode next
) {
exists(ControlFlow::BasicBlock bb, int i |
SsaImpl::lastRefBeforeRedefExt(def, bb, i, next.getDefinitionExt()) and
read.asExprAtNode(bb.getNode(i)) instanceof AssignableRead
)
}
private SsaImpl::DefinitionExt getSsaDefinitionExt(Node n) {
result = n.(SsaDefinitionExtNode).getDefinitionExt()
or
result = n.(ExplicitParameterNode).getSsaDefinition()
}
/**
* Holds if there is a local use-use flow step from `nodeFrom` to `nodeTo`
* involving SSA definition `def`.
*/
predicate localSsaFlowStepUseUse(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo) {
exists(ControlFlow::Node cfnFrom, ControlFlow::Node cfnTo |
SsaImpl::adjacentReadPairSameVarExt(def, cfnFrom, cfnTo) and
nodeTo = TExprNode(cfnTo) and
nodeFrom = TExprNode(cfnFrom)
)
}
/**
* Holds if there is a local flow step from `nodeFrom` to `nodeTo` involving
* SSA definition `def`.
*/
predicate localSsaFlowStep(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo) {
// Flow from SSA definition/parameter to first read
def = getSsaDefinitionExt(nodeFrom) and
SsaImpl::firstReadSameVarExt(def, nodeTo.(ExprNode).getControlFlowNode())
or
// Flow from read to next read
localSsaFlowStepUseUse(def, nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
or
// Flow into phi (read)/uncertain SSA definition node from def
localFlowSsaInputFromDef(nodeFrom, def, nodeTo)
}
/**
* Holds if the source variable of SSA definition `def` is an instance field.
*/
@@ -800,10 +726,7 @@ module LocalFlow {
node2.asExpr() instanceof AssignExpr
)
or
exists(SsaImpl::Definition def |
def = getSsaDefinitionExt(node1) and
exists(SsaImpl::getAReadAtNode(def, node2.(ExprNode).getControlFlowNode()))
)
SsaFlow::localMustFlowStep(_, node1, node2)
or
node2 = node1.(LocalFunctionCreationNode).getAnAccess(true)
or
@@ -827,23 +750,15 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
(
LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
or
exists(SsaImpl::DefinitionExt def |
exists(SsaImpl::DefinitionExt def, boolean isUseStep |
SsaFlow::localFlowStep(def, nodeFrom, nodeTo, isUseStep) and
not LocalFlow::usesInstanceField(def) and
not def instanceof VariableCapture::CapturedSsaDefinitionExt
|
LocalFlow::localSsaFlowStep(def, nodeFrom, nodeTo)
isUseStep = false
or
LocalFlow::localSsaFlowStepUseUse(def, nodeFrom, nodeTo) and
not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _) and
nodeFrom != nodeTo
or
// Flow into phi (read)/uncertain SSA definition node from read
exists(Node read | LocalFlow::localFlowSsaInputFromRead(read, def, nodeTo) |
nodeFrom = read and
not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
or
nodeFrom.(PostUpdateNode).getPreUpdateNode() = read
)
isUseStep = true and
not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
)
or
nodeTo.(ObjectCreationNode).getPreUpdateNode() = nodeFrom.(ObjectInitializerNode)
@@ -1099,11 +1014,7 @@ private module Cached {
cached
newtype TNode =
TExprNode(ControlFlow::Nodes::ElementNode cfn) { cfn.getAstNode() instanceof Expr } or
TSsaDefinitionExtNode(SsaImpl::DefinitionExt def) {
// Handled by `TExplicitParameterNode` below
not def instanceof Ssa::ImplicitParameterDefinition and
def.getBasicBlock() = any(DataFlowCallable c).getAControlFlowNode().getBasicBlock()
} or
TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
TAssignableDefinitionNode(AssignableDefinition def, ControlFlow::Node cfn) {
cfn = def.getExpr().getAControlFlowNode()
} or
@@ -1166,17 +1077,7 @@ private module Cached {
predicate localFlowStepImpl(Node nodeFrom, Node nodeTo) {
LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
or
LocalFlow::localSsaFlowStepUseUse(_, nodeFrom, nodeTo) and
nodeFrom != nodeTo
or
LocalFlow::localSsaFlowStep(_, nodeFrom, nodeTo)
or
// Flow into phi (read)/uncertain SSA definition node from read
exists(Node read | LocalFlow::localFlowSsaInputFromRead(read, _, nodeTo) |
nodeFrom = read
or
nodeFrom.(PostUpdateNode).getPreUpdateNode() = read
)
SsaFlow::localFlowStep(_, nodeFrom, nodeTo, _)
or
// Simple flow through library code is included in the exposed local
// step relation, even though flow is technically inter-procedural
@@ -1245,7 +1146,7 @@ import Cached
/** Holds if `n` should be hidden from path explanations. */
predicate nodeIsHidden(Node n) {
n instanceof SsaDefinitionExtNode
n instanceof SsaNode
or
exists(Parameter p | p = n.(ParameterNode).getParameter() | not p.fromSource())
or
@@ -1279,13 +1180,16 @@ predicate nodeIsHidden(Node n) {
n instanceof CaptureNode
}
/** An SSA definition, viewed as a node in a data flow graph. */
class SsaDefinitionExtNode extends NodeImpl, TSsaDefinitionExtNode {
/** An SSA node. */
abstract class SsaNode extends NodeImpl, TSsaNode {
SsaImpl::DataFlowIntegration::SsaNode node;
SsaImpl::DefinitionExt def;
SsaDefinitionExtNode() { this = TSsaDefinitionExtNode(def) }
SsaNode() {
this = TSsaNode(node) and
def = node.getDefinitionExt()
}
/** Gets the underlying SSA definition. */
SsaImpl::DefinitionExt getDefinitionExt() { result = def }
override DataFlowCallable getEnclosingCallableImpl() {
@@ -1298,9 +1202,57 @@ class SsaDefinitionExtNode extends NodeImpl, TSsaDefinitionExtNode {
result = def.(Ssa::Definition).getControlFlowNode()
}
override Location getLocationImpl() { result = def.getLocation() }
override Location getLocationImpl() { result = node.getLocation() }
override string toStringImpl() { result = def.toString() }
override string toStringImpl() { result = node.toString() }
}
/** An (extended) SSA definition, viewed as a node in a data flow graph. */
class SsaDefinitionExtNode extends SsaNode {
override SsaImpl::DataFlowIntegration::SsaDefinitionExtNode node;
}
/**
* A node that represents an input to an SSA phi (read) definition.
*
* This allows for barrier guards to filter input to phi nodes. For example, in
*
* ```csharp
* var x = taint;
* if (x != "safe")
* {
* x = "safe";
* }
* sink(x);
* ```
*
* the `false` edge out of `x != "safe"` guards the input from `x = taint` into the
* `phi` node after the condition.
*
* It is also relevant to filter input into phi read nodes:
*
* ```csharp
* var x = taint;
* if (b)
* {
* if (x != "safe1")
* {
* return;
* }
* } else {
* if (x != "safe2")
* {
* return;
* }
* }
*
* sink(x);
* ```
*
* both inputs into the phi read node after the outer condition are guarded.
*/
class SsaInputNode extends SsaNode {
override SsaImpl::DataFlowIntegration::SsaInputNode node;
}
/** A definition, viewed as a node in a data flow graph. */
@@ -2946,7 +2898,7 @@ private predicate delegateCreationStep(Node nodeFrom, Node nodeTo) {
/** Extra data-flow steps needed for lambda flow analysis. */
predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) {
exists(SsaImpl::DefinitionExt def |
LocalFlow::localSsaFlowStep(def, nodeFrom, nodeTo) and
SsaFlow::localFlowStep(def, nodeFrom, nodeTo, _) and
preservesValue = true
|
LocalFlow::usesInstanceField(def)

8
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
View File

@@ -171,8 +171,14 @@ signature predicate guardChecksSig(Guard g, Expr e, AbstractValue v);
* in data flow and taint tracking.
*/
module BarrierGuard<guardChecksSig/3 guardChecks> {
private import SsaImpl as SsaImpl
/** Gets a node that is safely guarded by the given guard check. */
ExprNode getABarrierNode() {
pragma[nomagic]
Node getABarrierNode() {
SsaFlow::asNode(result) =
SsaImpl::DataFlowIntegration::BarrierGuard<guardChecks/3>::getABarrierNode()
or
exists(Guard g, Expr e, AbstractValue v |
guardChecks(g, e, v) and
g.controlsNode(result.getControlFlowNode(), e, v)

185
csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll
View File

@@ -6,6 +6,7 @@ import csharp
private import codeql.ssa.Ssa as SsaImplCommon
private import AssignableDefinitions
private import semmle.code.csharp.controlflow.internal.PreSsa
private import semmle.code.csharp.controlflow.Guards as Guards
private module SsaInput implements SsaImplCommon::InputSig<Location> {
class BasicBlock = ControlFlow::BasicBlock;
@@ -49,7 +50,7 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
}
}
private import SsaImplCommon::Make<Location, SsaInput> as Impl
import SsaImplCommon::Make<Location, SsaInput> as Impl
class Definition = Impl::Definition;
@@ -761,24 +762,6 @@ private predicate adjacentDefReachesRead(
)
}
private predicate adjacentDefReachesReadExt(
DefinitionExt def, SsaInput::SourceVariable v, SsaInput::BasicBlock bb1, int i1,
SsaInput::BasicBlock bb2, int i2
) {
Impl::adjacentDefReadExt(def, v, bb1, i1, bb2, i2) and
(
def.definesAt(v, bb1, i1, _)
or
SsaInput::variableRead(bb1, i1, v, true)
)
or
exists(SsaInput::BasicBlock bb3, int i3 |
adjacentDefReachesReadExt(def, v, bb1, i1, bb3, i3) and
SsaInput::variableRead(bb3, i3, v, false) and
Impl::adjacentDefReadExt(def, v, bb3, i3, bb2, i2)
)
}
/** Same as `adjacentDefRead`, but skips uncertain reads. */
pragma[nomagic]
private predicate adjacentDefSkipUncertainReads(
@@ -790,17 +773,6 @@ private predicate adjacentDefSkipUncertainReads(
)
}
/** Same as `adjacentDefReadExt`, but skips uncertain reads. */
pragma[nomagic]
private predicate adjacentDefSkipUncertainReadsExt(
DefinitionExt def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
) {
exists(SsaInput::SourceVariable v |
adjacentDefReachesReadExt(def, v, bb1, i1, bb2, i2) and
SsaInput::variableRead(bb2, i2, v, true)
)
}
private predicate adjacentDefReachesUncertainRead(
Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
) {
@@ -810,16 +782,6 @@ private predicate adjacentDefReachesUncertainRead(
)
}
pragma[nomagic]
private predicate adjacentDefReachesUncertainReadExt(
DefinitionExt def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
) {
exists(SsaInput::SourceVariable v |
adjacentDefReachesReadExt(def, v, bb1, i1, bb2, i2) and
SsaInput::variableRead(bb2, i2, v, false)
)
}
/** Same as `lastRefRedef`, but skips uncertain reads. */
pragma[nomagic]
private predicate lastRefSkipUncertainReads(Definition def, SsaInput::BasicBlock bb, int i) {
@@ -874,7 +836,7 @@ private module Cached {
predicate implicitEntryDefinition(ControlFlow::ControlFlow::BasicBlock bb, Ssa::SourceVariable v) {
exists(ControlFlow::ControlFlow::BasicBlocks::EntryBlock entry, Callable c |
c = entry.getCallable() and
// In case `c` has multiple bodies, we want each body to gets its own implicit
// In case `c` has multiple bodies, we want each body to get its own implicit
// entry definition. In case `c` doesn't have multiple bodies, the line below
// is simply the same as `bb = entry`, because `entry.getFirstNode().getASuccessor()`
// will be in the entry block.
@@ -969,19 +931,6 @@ private module Cached {
)
}
/**
* Holds if the value defined at SSA definition `def` can reach a read at `cfn`,
* without passing through any other read.
*/
cached
predicate firstReadSameVarExt(DefinitionExt def, ControlFlow::Node cfn) {
exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
def.definesAt(_, bb1, i1, _) and
adjacentDefSkipUncertainReadsExt(def, bb1, i1, bb2, i2) and
cfn = bb2.getNode(i2)
)
}
/**
* Holds if the read at `cfn2` is a read of the same SSA definition `def`
* as the read at `cfn1`, and `cfn2` can be reached from `cfn1` without
@@ -997,23 +946,6 @@ private module Cached {
)
}
/**
* Holds if the read at `cfn2` is a read of the same SSA definition `def`
* as the read at `cfn1`, and `cfn2` can be reached from `cfn1` without
* passing through another read.
*/
cached
predicate adjacentReadPairSameVarExt(
DefinitionExt def, ControlFlow::Node cfn1, ControlFlow::Node cfn2
) {
exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
cfn1 = bb1.getNode(i1) and
variableReadActual(bb1, i1, _) and
adjacentDefSkipUncertainReadsExt(def, bb1, i1, bb2, i2) and
cfn2 = bb2.getNode(i2)
)
}
cached
predicate lastRefBeforeRedef(Definition def, ControlFlow::BasicBlock bb, int i, Definition next) {
Impl::lastRefRedef(def, bb, i, next) and
@@ -1025,21 +957,6 @@ private module Cached {
)
}
cached
predicate lastRefBeforeRedefExt(
DefinitionExt def, ControlFlow::BasicBlock bb, int i, DefinitionExt next
) {
exists(SsaInput::SourceVariable v |
Impl::lastRefRedefExt(def, v, bb, i, next) and
not SsaInput::variableRead(bb, i, v, false)
)
or
exists(SsaInput::BasicBlock bb0, int i0 |
Impl::lastRefRedefExt(def, _, bb0, i0, next) and
adjacentDefReachesUncertainReadExt(def, bb, i, bb0, i0)
)
}
cached
predicate lastReadSameVar(Definition def, ControlFlow::Node cfn) {
exists(ControlFlow::BasicBlock bb, int i |
@@ -1065,6 +982,41 @@ private module Cached {
outRefExitRead(bb, i, v)
)
}
cached
module DataFlowIntegration {
import DataFlowIntegrationImpl
cached
predicate localFlowStep(DefinitionExt def, Node nodeFrom, Node nodeTo, boolean isUseStep) {
DataFlowIntegrationImpl::localFlowStep(def, nodeFrom, nodeTo, isUseStep)
}
cached
predicate localMustFlowStep(DefinitionExt def, Node nodeFrom, Node nodeTo) {
DataFlowIntegrationImpl::localMustFlowStep(def, nodeFrom, nodeTo)
}
signature predicate guardChecksSig(Guards::Guard g, Expr e, Guards::AbstractValue v);
cached // nothing is actually cached
module BarrierGuard<guardChecksSig/3 guardChecks> {
private predicate guardChecksAdjTypes(
DataFlowIntegrationInput::Guard g, DataFlowIntegrationInput::Expr e, boolean branch
) {
exists(Guards::AbstractValues::BooleanValue v |
guardChecks(g, e.getAstNode(), v) and
branch = v.getValue()
)
}
private Node getABarrierNodeImpl() {
result = DataFlowIntegrationImpl::BarrierGuard<guardChecksAdjTypes/3>::getABarrierNode()
}
predicate getABarrierNode = getABarrierNodeImpl/0;
}
}
}
import Cached
@@ -1122,3 +1074,64 @@ class PhiReadNode extends DefinitionExt, Impl::PhiReadNode {
result = this.getSourceVariable().getEnclosingCallable()
}
}
private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig {
private import csharp as Cs
private import semmle.code.csharp.controlflow.BasicBlocks
class Expr extends ControlFlow::Node {
predicate hasCfgNode(ControlFlow::BasicBlock bb, int i) { this = bb.getNode(i) }
}
Expr getARead(Definition def) { exists(getAReadAtNode(def, result)) }
predicate ssaDefAssigns(WriteDefinition def, Expr value) {
// exclude flow directly from RHS to SSA definition, as we instead want to
// go from RHS to matching assingnable definition, and from there to SSA definition
none()
}
class Parameter = Ssa::ImplicitParameterDefinition;
predicate ssaDefInitializesParam(WriteDefinition def, Parameter p) { def = p }
/**
* Allows for flow into uncertain defintions that are not call definitions,
* as we, conservatively, consider such definitions to be certain.
*/
predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) {
def instanceof Ssa::ExplicitDefinition
or
def =
any(Ssa::ImplicitQualifierDefinition qdef |
allowFlowIntoUncertainDef(qdef.getQualifierDefinition())
)
}
class Guard extends Guards::Guard {
predicate hasCfgNode(ControlFlow::BasicBlock bb, int i) {
this.getAControlFlowNode() = bb.getNode(i)
}
}
/** Holds if the guard `guard` controls block `bb` upon evaluating to `branch`. */
predicate guardControlsBlock(Guard guard, ControlFlow::BasicBlock bb, boolean branch) {
exists(ConditionBlock conditionBlock, ControlFlow::SuccessorTypes::ConditionalSuccessor s |
guard.getAControlFlowNode() = conditionBlock.getLastNode() and
s.getValue() = branch and
conditionBlock.controls(bb, s)
)
}
/** Gets an immediate conditional successor of basic block `bb`, if any. */
ControlFlow::BasicBlock getAConditionalBasicBlockSuccessor(
ControlFlow::BasicBlock bb, boolean branch
) {
exists(ControlFlow::SuccessorTypes::ConditionalSuccessor s |
result = bb.getASuccessorByType(s) and
s.getValue() = branch
)
}
}
private module DataFlowIntegrationImpl = Impl::DataFlowIntegration<DataFlowIntegrationInput>;

74
csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
View File

@@ -12,18 +12,21 @@
| CSharp7.cs:15:9:15:11 | SSA entry def(this.field) | CSharp7.cs:15:18:15:22 | access to field field |
| CSharp7.cs:15:9:15:11 | this | CSharp7.cs:15:18:15:22 | this access |
| CSharp7.cs:19:9:19:11 | this | CSharp7.cs:19:16:19:20 | this access |
| CSharp7.cs:20:9:20:11 | SSA param(value) | CSharp7.cs:20:24:20:28 | access to parameter value |
| CSharp7.cs:20:9:20:11 | this | CSharp7.cs:20:16:20:20 | this access |
| CSharp7.cs:20:9:20:11 | value | CSharp7.cs:20:24:20:28 | access to parameter value |
| CSharp7.cs:20:9:20:11 | value | CSharp7.cs:20:9:20:11 | SSA param(value) |
| CSharp7.cs:20:24:20:28 | access to parameter value | CSharp7.cs:20:16:20:20 | access to field field |
| CSharp7.cs:23:5:23:27 | this | CSharp7.cs:14:9:14:13 | this access |
| CSharp7.cs:24:6:24:28 | this | CSharp7.cs:24:35:24:39 | this access |
| CSharp7.cs:29:19:29:19 | i | CSharp7.cs:31:16:31:16 | access to parameter i |
| CSharp7.cs:29:19:29:19 | SSA param(i) | CSharp7.cs:31:16:31:16 | access to parameter i |
| CSharp7.cs:29:19:29:19 | i | CSharp7.cs:29:19:29:19 | SSA param(i) |
| CSharp7.cs:31:16:31:16 | access to parameter i | CSharp7.cs:31:16:31:20 | ... > ... |
| CSharp7.cs:31:16:31:16 | access to parameter i | CSharp7.cs:31:24:31:24 | access to parameter i |
| CSharp7.cs:31:24:31:24 | access to parameter i | CSharp7.cs:31:16:31:59 | ... ? ... : ... |
| CSharp7.cs:39:9:39:9 | access to parameter x | CSharp7.cs:39:9:39:21 | SSA def(x) |
| CSharp7.cs:39:13:39:21 | "tainted" | CSharp7.cs:39:9:39:9 | access to parameter x |
| CSharp7.cs:42:19:42:19 | x | CSharp7.cs:44:13:44:13 | access to parameter x |
| CSharp7.cs:42:19:42:19 | SSA param(x) | CSharp7.cs:44:13:44:13 | access to parameter x |
| CSharp7.cs:42:19:42:19 | x | CSharp7.cs:42:19:42:19 | SSA param(x) |
| CSharp7.cs:44:9:44:9 | access to parameter y | CSharp7.cs:44:9:44:13 | SSA def(y) |
| CSharp7.cs:44:13:44:13 | access to parameter x | CSharp7.cs:44:9:44:9 | access to parameter y |
| CSharp7.cs:47:10:47:10 | this | CSharp7.cs:49:9:49:24 | this access |
@@ -86,7 +89,8 @@
| CSharp7.cs:77:22:77:28 | (..., ...) | CSharp7.cs:77:9:77:18 | (..., ...) |
| CSharp7.cs:77:23:77:24 | "" | CSharp7.cs:77:9:77:28 | ... = ... |
| CSharp7.cs:77:27:77:27 | access to local variable x | CSharp7.cs:77:9:77:28 | ... = ... |
| CSharp7.cs:80:21:80:21 | x | CSharp7.cs:82:20:82:20 | access to parameter x |
| CSharp7.cs:80:21:80:21 | SSA param(x) | CSharp7.cs:82:20:82:20 | access to parameter x |
| CSharp7.cs:80:21:80:21 | x | CSharp7.cs:80:21:80:21 | SSA param(x) |
| CSharp7.cs:85:10:85:18 | this | CSharp7.cs:90:18:90:28 | this access |
| CSharp7.cs:87:13:87:14 | access to local variable t1 | CSharp7.cs:87:13:87:34 | SSA def(t1) |
| CSharp7.cs:87:13:87:34 | SSA def(t1) | CSharp7.cs:88:28:88:29 | access to local variable t1 |
@@ -133,40 +137,51 @@
| CSharp7.cs:121:28:121:36 | "DefUse3" | CSharp7.cs:121:22:121:24 | access to local variable m12 |
| CSharp7.cs:121:28:121:36 | "DefUse3" | CSharp7.cs:121:22:121:36 | ... = ... |
| CSharp7.cs:127:9:127:12 | this | CSharp7.cs:133:24:133:25 | this access |
| CSharp7.cs:129:20:129:20 | x | CSharp7.cs:129:32:129:32 | access to parameter x |
| CSharp7.cs:129:20:129:20 | SSA param(x) | CSharp7.cs:129:32:129:32 | access to parameter x |
| CSharp7.cs:129:20:129:20 | x | CSharp7.cs:129:20:129:20 | SSA param(x) |
| CSharp7.cs:129:32:129:32 | access to parameter x | CSharp7.cs:129:32:129:36 | ... + ... |
| CSharp7.cs:129:36:129:36 | 1 | CSharp7.cs:129:32:129:36 | ... + ... |
| CSharp7.cs:131:22:131:22 | t | CSharp7.cs:131:39:131:39 | access to parameter t |
| CSharp7.cs:131:22:131:22 | SSA param(t) | CSharp7.cs:131:39:131:39 | access to parameter t |
| CSharp7.cs:131:22:131:22 | t | CSharp7.cs:131:22:131:22 | SSA param(t) |
| CSharp7.cs:133:24:133:25 | delegate creation of type Func<Int32> | CSharp7.cs:133:19:133:20 | access to local variable f4 |
| CSharp7.cs:133:24:133:25 | this access | CSharp7.cs:154:16:154:17 | this access |
| CSharp7.cs:137:29:137:29 | x | CSharp7.cs:137:34:137:34 | access to parameter x |
| CSharp7.cs:137:29:137:29 | SSA param(x) | CSharp7.cs:137:34:137:34 | access to parameter x |
| CSharp7.cs:137:29:137:29 | x | CSharp7.cs:137:29:137:29 | SSA param(x) |
| CSharp7.cs:137:29:137:38 | (...) => ... | CSharp7.cs:137:24:137:25 | access to local variable f5 |
| CSharp7.cs:137:34:137:34 | access to parameter x | CSharp7.cs:137:34:137:38 | ... + ... |
| CSharp7.cs:137:38:137:38 | 1 | CSharp7.cs:137:34:137:38 | ... + ... |
| CSharp7.cs:139:20:139:20 | x | CSharp7.cs:139:26:139:26 | access to parameter x |
| CSharp7.cs:139:20:139:20 | SSA param(x) | CSharp7.cs:139:26:139:26 | access to parameter x |
| CSharp7.cs:139:20:139:20 | x | CSharp7.cs:139:20:139:20 | SSA param(x) |
| CSharp7.cs:139:26:139:26 | access to parameter x | CSharp7.cs:139:26:139:30 | ... > ... |
| CSharp7.cs:139:26:139:26 | access to parameter x | CSharp7.cs:139:41:139:41 | access to parameter x |
| CSharp7.cs:139:34:139:34 | 1 | CSharp7.cs:139:34:139:46 | ... + ... |
| CSharp7.cs:139:34:139:46 | ... + ... | CSharp7.cs:139:26:139:50 | ... ? ... : ... |
| CSharp7.cs:139:38:139:46 | call to local function f7 | CSharp7.cs:139:34:139:46 | ... + ... |
| CSharp7.cs:139:50:139:50 | 0 | CSharp7.cs:139:26:139:50 | ... ? ... : ... |
| CSharp7.cs:141:20:141:20 | x | CSharp7.cs:141:29:141:29 | access to parameter x |
| CSharp7.cs:145:24:145:24 | x | CSharp7.cs:145:33:145:33 | access to parameter x |
| CSharp7.cs:141:20:141:20 | SSA param(x) | CSharp7.cs:141:29:141:29 | access to parameter x |
| CSharp7.cs:141:20:141:20 | x | CSharp7.cs:141:20:141:20 | SSA param(x) |
| CSharp7.cs:145:24:145:24 | SSA param(x) | CSharp7.cs:145:33:145:33 | access to parameter x |
| CSharp7.cs:145:24:145:24 | x | CSharp7.cs:145:24:145:24 | SSA param(x) |
| CSharp7.cs:149:20:152:9 | (...) => ... | CSharp7.cs:149:16:149:16 | access to local variable a |
| CSharp7.cs:157:10:157:17 | this | CSharp7.cs:169:9:169:9 | this access |
| CSharp7.cs:160:18:160:18 | t | CSharp7.cs:160:24:160:24 | access to parameter t |
| CSharp7.cs:162:26:162:26 | u | CSharp7.cs:166:22:166:22 | access to parameter u |
| CSharp7.cs:160:18:160:18 | SSA param(t) | CSharp7.cs:160:24:160:24 | access to parameter t |
| CSharp7.cs:160:18:160:18 | t | CSharp7.cs:160:18:160:18 | SSA param(t) |
| CSharp7.cs:162:26:162:26 | SSA param(u) | CSharp7.cs:166:22:166:22 | access to parameter u |
| CSharp7.cs:162:26:162:26 | u | CSharp7.cs:162:26:162:26 | SSA param(u) |
| CSharp7.cs:165:13:165:16 | this access | CSharp7.cs:166:20:166:20 | this access |
| CSharp7.cs:169:9:169:9 | this access | CSharp7.cs:170:9:170:9 | this access |
| CSharp7.cs:173:10:173:19 | this | CSharp7.cs:180:21:180:21 | this access |
| CSharp7.cs:175:16:175:18 | access to local variable src | CSharp7.cs:175:16:175:30 | SSA def(src) |
| CSharp7.cs:175:16:175:30 | SSA def(src) | CSharp7.cs:180:23:180:25 | access to local variable src |
| CSharp7.cs:175:22:175:30 | "tainted" | CSharp7.cs:175:16:175:18 | access to local variable src |
| CSharp7.cs:176:25:176:25 | s | CSharp7.cs:176:33:176:33 | access to parameter s |
| CSharp7.cs:176:25:176:25 | SSA param(s) | CSharp7.cs:176:33:176:33 | access to parameter s |
| CSharp7.cs:176:25:176:25 | s | CSharp7.cs:176:25:176:25 | SSA param(s) |
| CSharp7.cs:176:31:176:34 | call to local function g | CSharp7.cs:176:31:176:39 | ... + ... |
| CSharp7.cs:176:38:176:39 | "" | CSharp7.cs:176:31:176:39 | ... + ... |
| CSharp7.cs:177:25:177:25 | s | CSharp7.cs:177:31:177:31 | access to parameter s |
| CSharp7.cs:178:25:178:25 | s | CSharp7.cs:178:37:178:37 | access to parameter s |
| CSharp7.cs:177:25:177:25 | SSA param(s) | CSharp7.cs:177:31:177:31 | access to parameter s |
| CSharp7.cs:177:25:177:25 | s | CSharp7.cs:177:25:177:25 | SSA param(s) |
| CSharp7.cs:178:25:178:25 | SSA param(s) | CSharp7.cs:178:37:178:37 | access to parameter s |
| CSharp7.cs:178:25:178:25 | s | CSharp7.cs:178:25:178:25 | SSA param(s) |
| CSharp7.cs:180:21:180:21 | this access | CSharp7.cs:181:21:181:21 | this access |
| CSharp7.cs:180:21:180:26 | call to local function f | CSharp7.cs:180:13:180:17 | access to local variable sink1 |
| CSharp7.cs:180:23:180:25 | [post] access to local variable src | CSharp7.cs:181:23:181:25 | access to local variable src |
@@ -205,8 +220,10 @@
| CSharp7.cs:198:26:198:35 | this access | CSharp7.cs:199:9:199:18 | this access |
| CSharp7.cs:198:33:198:34 | access to local variable r1 | CSharp7.cs:199:16:199:17 | access to local variable r1 |
| CSharp7.cs:199:22:199:22 | 3 | CSharp7.cs:199:9:199:22 | ... = ... |
| CSharp7.cs:202:24:202:24 | p | CSharp7.cs:205:20:205:20 | access to parameter p |
| CSharp7.cs:204:28:204:28 | q | CSharp7.cs:204:44:204:44 | access to parameter q |
| CSharp7.cs:202:24:202:24 | SSA param(p) | CSharp7.cs:205:20:205:20 | access to parameter p |
| CSharp7.cs:202:24:202:24 | p | CSharp7.cs:202:24:202:24 | SSA param(p) |
| CSharp7.cs:204:28:204:28 | SSA param(q) | CSharp7.cs:204:44:204:44 | access to parameter q |
| CSharp7.cs:204:28:204:28 | q | CSharp7.cs:204:28:204:28 | SSA param(q) |
| CSharp7.cs:215:9:215:9 | access to parameter x | CSharp7.cs:215:9:215:17 | SSA def(x) |
| CSharp7.cs:215:13:215:17 | false | CSharp7.cs:215:9:215:9 | access to parameter x |
| CSharp7.cs:219:10:219:13 | this | CSharp7.cs:221:13:221:20 | this access |
@@ -224,8 +241,8 @@
| CSharp7.cs:232:16:232:23 | SSA def(o) | CSharp7.cs:233:13:233:13 | access to local variable o |
| CSharp7.cs:232:20:232:23 | null | CSharp7.cs:232:16:232:16 | access to local variable o |
| CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:233:18:233:23 | Int32 i1 |
| CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:235:13:235:42 | [input] SSA phi read(o) |
| CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:237:18:237:18 | access to local variable o |
| CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:233:13:233:23 | [false] ... is ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
| CSharp7.cs:233:13:233:23 | [true] ... is ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
| CSharp7.cs:233:13:233:23 | [true] ... is ... | CSharp7.cs:233:13:233:33 | [true] ... && ... |
@@ -235,19 +252,25 @@
| CSharp7.cs:233:28:233:29 | access to local variable i1 | CSharp7.cs:235:38:235:39 | access to local variable i1 |
| CSharp7.cs:233:28:233:33 | ... > ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
| CSharp7.cs:233:28:233:33 | ... > ... | CSharp7.cs:233:13:233:33 | [true] ... && ... |
| CSharp7.cs:235:13:235:42 | [input] SSA phi read(o) | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:235:33:235:36 | "int " | CSharp7.cs:235:31:235:41 | $"..." |
| CSharp7.cs:235:38:235:39 | access to local variable i1 | CSharp7.cs:235:31:235:41 | $"..." |
| CSharp7.cs:237:18:237:18 | access to local variable o | CSharp7.cs:237:23:237:31 | String s1 |
| CSharp7.cs:237:18:237:18 | access to local variable o | CSharp7.cs:239:13:239:45 | [input] SSA phi read(o) |
| CSharp7.cs:237:18:237:18 | access to local variable o | CSharp7.cs:241:18:241:18 | access to local variable o |
| CSharp7.cs:237:18:237:18 | access to local variable o | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:237:23:237:31 | SSA def(s1) | CSharp7.cs:239:41:239:42 | access to local variable s1 |
| CSharp7.cs:237:23:237:31 | String s1 | CSharp7.cs:237:23:237:31 | SSA def(s1) |
| CSharp7.cs:239:13:239:45 | [input] SSA phi read(o) | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:239:33:239:39 | "string " | CSharp7.cs:239:31:239:44 | $"..." |
| CSharp7.cs:239:41:239:42 | access to local variable s1 | CSharp7.cs:239:31:239:44 | $"..." |
| CSharp7.cs:241:18:241:18 | access to local variable o | CSharp7.cs:242:9:243:9 | [input] SSA phi read(o) |
| CSharp7.cs:241:18:241:18 | access to local variable o | CSharp7.cs:244:18:244:18 | access to local variable o |
| CSharp7.cs:241:18:241:18 | access to local variable o | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:242:9:243:9 | [input] SSA phi read(o) | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:244:18:244:18 | access to local variable o | CSharp7.cs:244:18:244:28 | [input] SSA phi read(o) |
| CSharp7.cs:244:18:244:18 | access to local variable o | CSharp7.cs:244:23:244:28 | Object v1 |
| CSharp7.cs:244:18:244:18 | access to local variable o | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:244:18:244:18 | access to local variable o | CSharp7.cs:245:9:246:9 | [input] SSA phi read(o) |
| CSharp7.cs:244:18:244:28 | [input] SSA phi read(o) | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:245:9:246:9 | [input] SSA phi read(o) | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
| CSharp7.cs:248:9:274:9 | SSA phi read(o) | CSharp7.cs:248:17:248:17 | access to local variable o |
| CSharp7.cs:248:17:248:17 | access to local variable o | CSharp7.cs:254:27:254:27 | access to local variable o |
| CSharp7.cs:248:17:248:17 | access to local variable o | CSharp7.cs:257:18:257:23 | Int32 i2 |
@@ -281,14 +304,16 @@
| CSharp7.cs:283:13:283:16 | access to local variable list | CSharp7.cs:283:13:283:62 | SSA def(list) |
| CSharp7.cs:283:13:283:62 | SSA def(list) | CSharp7.cs:285:39:285:42 | access to local variable list |
| CSharp7.cs:283:20:283:62 | call to method Select<KeyValuePair<Int32,String>,(Int32,String)> | CSharp7.cs:283:13:283:16 | access to local variable list |
| CSharp7.cs:283:32:283:35 | item | CSharp7.cs:283:41:283:44 | access to parameter item |
| CSharp7.cs:283:32:283:35 | SSA param(item) | CSharp7.cs:283:41:283:44 | access to parameter item |
| CSharp7.cs:283:32:283:35 | item | CSharp7.cs:283:32:283:35 | SSA param(item) |
| CSharp7.cs:283:41:283:44 | access to parameter item | CSharp7.cs:283:41:283:48 | access to property Key |
| CSharp7.cs:283:41:283:44 | access to parameter item | CSharp7.cs:283:51:283:54 | access to parameter item |
| CSharp7.cs:283:51:283:54 | access to parameter item | CSharp7.cs:283:51:283:60 | access to property Value |
| CSharp7.cs:285:39:285:42 | access to local variable list | CSharp7.cs:287:36:287:39 | access to local variable list |
| CSharp7.cs:287:36:287:39 | access to local variable list | CSharp7.cs:289:32:289:35 | access to local variable list |
| CSharp7.cs:297:18:297:18 | access to local variable x | CSharp7.cs:297:18:297:22 | SSA def(x) |
| CSharp7.cs:297:18:297:22 | SSA def(x) | CSharp7.cs:297:25:297:25 | SSA phi(x) |
| CSharp7.cs:297:18:297:22 | SSA def(x) | CSharp7.cs:297:18:297:22 | [input] SSA phi(x) |
| CSharp7.cs:297:18:297:22 | [input] SSA phi(x) | CSharp7.cs:297:25:297:25 | SSA phi(x) |
| CSharp7.cs:297:22:297:22 | 0 | CSharp7.cs:297:18:297:18 | access to local variable x |
| CSharp7.cs:297:25:297:25 | SSA phi(x) | CSharp7.cs:297:25:297:25 | access to local variable x |
| CSharp7.cs:297:25:297:25 | access to local variable x | CSharp7.cs:297:25:297:30 | ... < ... |
@@ -301,5 +326,6 @@
| CSharp7.cs:297:35:297:44 | [true] ... is ... | CSharp7.cs:297:25:297:44 | [true] ... && ... |
| CSharp7.cs:297:40:297:44 | Int32 y | CSharp7.cs:297:40:297:44 | SSA def(y) |
| CSharp7.cs:297:40:297:44 | SSA def(y) | CSharp7.cs:299:31:299:31 | access to local variable y |
| CSharp7.cs:297:47:297:49 | SSA def(x) | CSharp7.cs:297:25:297:25 | SSA phi(x) |
| CSharp7.cs:297:47:297:49 | SSA def(x) | CSharp7.cs:297:47:297:49 | [input] SSA phi(x) |
| CSharp7.cs:297:47:297:49 | [input] SSA phi(x) | CSharp7.cs:297:25:297:25 | SSA phi(x) |
| CSharp7.cs:297:49:297:49 | access to local variable x | CSharp7.cs:297:47:297:49 | SSA def(x) |

83
csharp/ql/test/library-tests/dataflow/barrier-guards/BarrierFlow.cs Normal file
View File

@@ -0,0 +1,83 @@
class BarrierFlow
{
static object Source(object source) => throw null;
public static void Sink(object o) { }
void M1()
{
var x = Source(1);
Sink(x); // $ hasValueFlow=1
}
void M2()
{
var x = Source(2);
if (x != "safe")
{
Sink(x); // $ hasValueFlow=2
}
}
void M3()
{
var x = Source(3);
if (x == "safe")
{
Sink(x);
}
}
void M4()
{
var x = Source(4);
if (x != "safe")
{
x = "safe";
}
Sink(x);
}
void M5()
{
var x = Source(5);
if (x == "safe")
{
}
else
{
x = "safe";
}
Sink(x);
}
void M6(bool b)
{
var x = Source(6);
if (b)
{
if (x != "safe1")
{
return;
}
}
else
{
if (x != "safe2")
{
return;
}
}
Sink(x);
}
}

18
csharp/ql/test/library-tests/dataflow/barrier-guards/barrier-flow.expected Normal file
View File

@@ -0,0 +1,18 @@
models
edges
| BarrierFlow.cs:10:13:10:13 | access to local variable x : Object | BarrierFlow.cs:12:14:12:14 | access to local variable x | provenance | |
| BarrierFlow.cs:10:17:10:25 | call to method Source : Object | BarrierFlow.cs:10:13:10:13 | access to local variable x : Object | provenance | |
| BarrierFlow.cs:17:13:17:13 | access to local variable x : Object | BarrierFlow.cs:21:18:21:18 | access to local variable x | provenance | |
| BarrierFlow.cs:17:17:17:25 | call to method Source : Object | BarrierFlow.cs:17:13:17:13 | access to local variable x : Object | provenance | |
nodes
| BarrierFlow.cs:10:13:10:13 | access to local variable x : Object | semmle.label | access to local variable x : Object |
| BarrierFlow.cs:10:17:10:25 | call to method Source : Object | semmle.label | call to method Source : Object |
| BarrierFlow.cs:12:14:12:14 | access to local variable x | semmle.label | access to local variable x |
| BarrierFlow.cs:17:13:17:13 | access to local variable x : Object | semmle.label | access to local variable x : Object |
| BarrierFlow.cs:17:17:17:25 | call to method Source : Object | semmle.label | call to method Source : Object |
| BarrierFlow.cs:21:18:21:18 | access to local variable x | semmle.label | access to local variable x |
subpaths
testFailures
#select
| BarrierFlow.cs:12:14:12:14 | access to local variable x | BarrierFlow.cs:10:17:10:25 | call to method Source : Object | BarrierFlow.cs:12:14:12:14 | access to local variable x | $@ | BarrierFlow.cs:10:17:10:25 | call to method Source : Object | call to method Source : Object |
| BarrierFlow.cs:21:18:21:18 | access to local variable x | BarrierFlow.cs:17:17:17:25 | call to method Source : Object | BarrierFlow.cs:21:18:21:18 | access to local variable x | $@ | BarrierFlow.cs:17:17:17:25 | call to method Source : Object | call to method Source : Object |

35
csharp/ql/test/library-tests/dataflow/barrier-guards/barrier-flow.ql Normal file
View File

@@ -0,0 +1,35 @@
/**
* @kind path-problem
*/
import csharp
import semmle.code.csharp.controlflow.Guards
private predicate stringConstCompare(Guard guard, Expr testedNode, AbstractValue value) {
guard
.isEquality(any(StringLiteral lit), testedNode,
value.(AbstractValues::BooleanValue).getValue())
}
class StringConstCompareBarrier extends DataFlow::Node {
StringConstCompareBarrier() {
this = DataFlow::BarrierGuard<stringConstCompare/3>::getABarrierNode()
}
}
import TestUtilities.InlineFlowTest
import PathGraph
module FlowConfig implements DataFlow::ConfigSig {
predicate isSource = DefaultFlowConfig::isSource/1;
predicate isSink = DefaultFlowConfig::isSink/1;
predicate isBarrier(DataFlow::Node n) { n instanceof StringConstCompareBarrier }
}
import ValueFlowTest<FlowConfig>
from PathNode source, PathNode sink
where flowPath(source, sink)
select sink, source, sink, "$@", source, source.toString()

1006
csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
View File

File diff suppressed because it is too large Load Diff

1006
csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
View File

File diff suppressed because it is too large Load Diff

3
csharp/ql/test/library-tests/dataflow/tuples/DataFlowStep.expected
View File

@@ -92,7 +92,8 @@
| Tuples.cs:51:14:51:14 | [post] access to local variable y | Tuples.cs:52:14:52:14 | access to local variable y |
| Tuples.cs:51:14:51:14 | access to local variable y | Tuples.cs:52:14:52:14 | access to local variable y |
| Tuples.cs:52:14:52:20 | access to field Item2 | Tuples.cs:52:14:52:20 | (...) ... |
| Tuples.cs:55:27:55:27 | s | Tuples.cs:75:18:75:18 | access to parameter s |
| Tuples.cs:55:27:55:27 | SSA param(s) | Tuples.cs:75:18:75:18 | access to parameter s |
| Tuples.cs:55:27:55:27 | s | Tuples.cs:55:27:55:27 | SSA param(s) |
| Tuples.cs:57:13:57:14 | access to local variable o1 | Tuples.cs:57:13:57:34 | SSA def(o1) |
| Tuples.cs:57:13:57:34 | SSA def(o1) | Tuples.cs:59:18:59:19 | access to local variable o1 |
| Tuples.cs:57:18:57:34 | call to method Source<String> | Tuples.cs:57:13:57:14 | access to local variable o1 |

33
docs/codeql/_templates/layout.html
View File

@@ -1,7 +1,7 @@
{#
Override alabaster/layout.html template to customize the template
used to generate the CodeQL documentation.
The classes used in this template are provided by the GitHub Primer https://primer.style/css/.
The CSS for the primer can be found at https://unpkg.com/@primer/css/dist/primer.css
@@ -59,37 +59,34 @@
CodeQL resources
<div class="dropdown-caret"></div>
</summary>
<ul class="dropdown-menu dropdown-menu-se dropdown-menu-dark">
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-overview">CodeQL overview</a></li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL tools
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-for-visual-studio-code">CodeQL for VS Code</a>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-cli">CodeQL CLI</a>
</li>
<li><a class="dropdown-item" href="codeql-overview">CodeQL overview</a></li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL guides
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/writing-codeql-queries">Writing CodeQL queries</a></li>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-language-guides">CodeQL language guides</a>
<li><a class="dropdown-item" href="writing-codeql-queries">Writing CodeQL queries</a></li>
<li><a class="dropdown-item" href="codeql-language-guides">CodeQL language guides</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Reference docs
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/ql-language-reference/">QL language
<li><a class="dropdown-item" href="ql-language-reference/">QL language
reference</a>
<li><a class="dropdown-item" href="https://codeql.github.com/codeql-standard-libraries">CodeQL
<li><a class="dropdown-item" href="../codeql-standard-libraries">CodeQL
standard-libraries</a>
<li><a class="dropdown-item" href="https://codeql.github.com/codeql-query-help">CodeQL
<li><a class="dropdown-item" href="../codeql-query-help">CodeQL
query help</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Source files
</div>
<li><a class="dropdown-item" href="https://github.com/github/codeql">CodeQL repository</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Academic
</div>
<li><a class="dropdown-item" href="../publications">QL publications</a>
</ul>
</details>
@@ -165,12 +162,12 @@
</li>
</ul>
<ul class="list-style-none d-flex text-gray">
<li class="mr-3">&copy;
<li class="mr-3">&copy;
<script type="text/javascript">document.write(new Date().getFullYear());</script> GitHub, Inc.</li>
<li class="mr-3"><a
href="https://docs.github.com/github/site-policy/github-terms-of-service"
href="https://docs.github.com/site-policy/github-terms/github-terms-of-service"
class="link-gray">Terms </a></li>
<li><a href="https://docs.github.com/github/site-policy/github-privacy-statement"
<li><a href="https://docs.github.com/site-policy/privacy-policies/github-privacy-statement"
class="link-gray">Privacy </a></li>
</ul>
</div>

4
docs/codeql/codeql-language-guides/codeql-for-cpp.rst
View File

@@ -28,6 +28,10 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
- :doc:`CodeQL library for C and C++ <codeql-library-for-cpp>`: When analyzing C or C++ code, you can use the large collection of classes in the CodeQL library for C and C++.
- `CodeQL CTF: U-Boot Challenge <https://securitylab.github.com/ctf/uboot/>`__: Follow the steps that members of GitHub Security Lab went through to find 13 CWE vulnerabilities in U-Boot.
- `CodeQL CTF: SEGV Hunt <https://securitylab.github.com/ctf/segv/>`__: Follow the steps that members of GitHub Security Lab went through to find unsafe uses of ``alloca`` in the GNU C Library (glibc).
- :doc:`Functions in C and C++ <functions-in-cpp>`: You can use CodeQL to explore functions in C and C++ code.
- :doc:`Expressions, types, and statements in C and C++ <expressions-types-and-statements-in-cpp>`: You can use CodeQL to explore expressions, types, and statements in C and C++ code to find, for example, incorrect assignments.

4
docs/codeql/codeql-language-guides/codeql-for-go.rst
View File

@@ -17,7 +17,9 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
- :doc:`CodeQL library for Go <codeql-library-for-go>`: When you're analyzing a Go program, you can make use of the large collection of classes in the CodeQL library for Go.
- `CodeQL CTF: Go and don't return <https://securitylab.github.com/ctf/go-and-dont-return/>`__: Follow the steps that members of GitHub Security Lab went through to find a high severity vulnerability in MinIO, an Amazon S3-compatible object store.
- :doc:`Abstract syntax tree classes for working with Go programs <abstract-syntax-tree-classes-for-working-with-go-programs>`: CodeQL has a large selection of classes for representing the abstract syntax tree of Go programs.
- :doc:`Modeling data flow in Go libraries <modeling-data-flow-in-go-libraries>`: When analyzing a Go program, CodeQL does not examine the source code for external packages.
- :doc:`Modeling data flow in Go libraries <modeling-data-flow-in-go-libraries>`: When analyzing a Go program, CodeQL does not examine the source code for external packages.
To track the flow of untrusted data through a library, you can create a model of the library.

4
docs/codeql/codeql-language-guides/codeql-for-java.rst
View File

@@ -28,7 +28,9 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
- :doc:`CodeQL library for Java and Kotlin <codeql-library-for-java>`: When analyzing Java/Kotlin code, you can use the large collection of classes in the CodeQL library for Java/Kotlin.
- :doc:`Analyzing data flow in Java and Kotlin <analyzing-data-flow-in-java>`: You can use CodeQL to track the flow of data through a Java/Kotlin program to its use.
- :doc:`Analyzing data flow in Java and Kotlin <analyzing-data-flow-in-java>`: You can use CodeQL to track the flow of data through a Java/Kotlin program to its use.
- `CodeQL CTF: CodeQL and Chill <https://securitylab.github.com/ctf/codeql-and-chill/>`__: Follow the steps that members of GitHub Security Lab went through to track the flow of tainted data from user-controlled bean properties to custom error messages, and identify the known injection vulnerabilities.
- :doc:`Java and Kotlin types <types-in-java>`: You can use CodeQL to find out information about data types used in Java/Kotlin code. This allows you to write queries to identify specific type-related issues.

2
docs/codeql/codeql-language-guides/codeql-for-javascript.rst
View File

@@ -25,6 +25,8 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
- :doc:`CodeQL library for TypeScript <codeql-library-for-typescript>`: When you're analyzing a TypeScript program, you can make use of the large collection of classes in the CodeQL library for TypeScript.
- `CodeQL CTF: XSS-unsafe jQuery plugins <https://securitylab.github.com/ctf/jquery/>`__: Follow the steps that members of GitHub Security Lab went through to find cross-site scripting vulnerabilities in Bootstrap's jQuery plugins.
- :doc:`Analyzing data flow in JavaScript and TypeScript <analyzing-data-flow-in-javascript-and-typescript>`: This topic describes how data flow analysis is implemented in the CodeQL libraries for JavaScript/TypeScript and includes examples to help you write your own data flow queries.
- :doc:`Using flow labels for precise data flow analysis <using-flow-labels-for-precise-data-flow-analysis>`: You can associate flow labels with each value tracked by the flow analysis to determine whether the flow contains potential vulnerabilities.

51
docs/codeql/codeql-overview/about-codeql.rst
View File

@@ -2,18 +2,33 @@
.. _about-codeql:
.. meta::
:description: Introduction to CodeQL, a language and toolchain for code analysis.
:keywords: CodeQL, code analysis, CodeQL analysis, security vulnerabilities, variant analysis, resources, tutorials, interactive training, GitHub Security Lab, security researchers, CodeQL databases
About CodeQL
============
CodeQL is the analysis engine used by developers to automate security checks, and by
security researchers to perform variant analysis.
CodeQL is a language and toolchain for code analysis. It is designed to allow security researchers to scale their knowledge of a single vulnerability to identify variants of that vulnerability across a wide range of codebases. It is also designed to allow developers to automate security checks and integrate them into their development workflows.
In CodeQL, code is treated like data. Security vulnerabilities, bugs,
and other errors are modeled as queries that can be executed against databases
extracted from code. You can run the standard CodeQL queries, written by GitHub
researchers and community contributors, or write your own to use in custom
analyses. Queries that find potential bugs highlight the result directly in the
source file.
Resources for learning CodeQL
-----------------------------
- **CodeQL docs site:** contains information on the CodeQL language and libraries, with tutorials and guides to help you learn how to write your own queries.
- :doc:`CodeQL queries <../writing-codeql-queries/codeql-queries>`: A general, language-neutral overview of the key components of a query.
- :doc:`QL tutorials <../writing-codeql-queries/ql-tutorials>`: Solve puzzles to learn the basics of QL before you analyze code with CodeQL. The tutorials teach you how to write queries and introduce you to key logic concepts along the way.
- :doc:`CodeQL language guides <../codeql-language-guides/index>`: Guides to the CodeQL libraries for each language, including the classes and predicates that are available for use in queries, with worked examples.
- **GitHub Security Lab:** is GitHub's own security research team. They've created a range of resources to help you learn how to use CodeQL to find security vulnerabilities in real-world codebases.
- `Secure code game <https://github.com/skills/secure-code-game>`__: A series of interactive sessions that guide you from finding insecure code patterns manually, through to using CodeQL to find insecure code patterns automatically.
- `Security Lab CTF <https://securitylab.github.com/ctf/>`__: A series of Capture the Flag (CTF) challenges that are designed to help you learn how to use CodeQL to find security vulnerabilities in real-world codebases.
- `Security Lab blog <https://github.blog/tag/github-security-lab/>`__: A series of blog posts that describe how CodeQL is used by security researchers to find security vulnerabilities in real-world codebases.
About variant analysis
----------------------
@@ -30,6 +45,8 @@ queries. Then, develop or iterate over the query to automatically find logical
variants of the same bug that could be missed using traditional manual
techniques.
When you have a query that finds variants of a vulnerability, you can use multi-repository variant analysis to run that query across a large number of codebases, and identify all of the places where that vulnerability exists. For more information, see `Running CodeQL queries at scale with multi-repository variant analysis <https://docs.github.com/en/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis>`__ in the GitHub docs.
CodeQL analysis
---------------
@@ -39,11 +56,13 @@ CodeQL analysis consists of three steps:
#. Running CodeQL queries against the database
#. Interpreting the query results
For information on the CodeQL toolchain and on running CodeQL to analyze a codebase, see the `CodeQL CLI <https://docs.github.com/en/code-security/codeql-cli>`__, `CodeQL for Visual Studio Code <https://docs.github.com/en/code-security/codeql-for-vs-code>`__, and `About code scanning with CodeQL <https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql>`__ in the GitHub docs.
Database creation
~~~~~~~~~~~~~~~~~
To create a database, CodeQL first extracts a single relational representation
of each source file in the codebase.
of each source file in the codebase.
For compiled languages, extraction works by monitoring the normal build process.
Each time a compiler is invoked to process a source file, a copy of that file is
@@ -52,7 +71,7 @@ syntactic data about the abstract syntax tree and semantic data about name
binding and type information.
For interpreted languages, the extractor runs directly on the source code,
resolving dependencies to give an accurate representation of the codebase.
resolving dependencies to give an accurate representation of the codebase.
There is one :ref:`extractor <extractor>` for each language supported by CodeQL
to ensure that the extraction process is as accurate as possible. For
@@ -72,7 +91,7 @@ against it. CodeQL queries are written in a specially-designed object-oriented
query language called QL. You can run the queries checked out from the CodeQL
repo (or custom queries that you've written yourself) using the `CodeQL
for VS Code extension <https://docs.github.com/en/code-security/codeql-for-vs-code/>`__ or the `CodeQL CLI
<https://docs.github.com/en/code-security/codeql-cli>`__. For more information about queries, see ":ref:`About CodeQL queries <about-codeql-queries>`."
<https://docs.github.com/en/code-security/codeql-cli>`__. For more information about queries, see ":ref:`About CodeQL queries <about-codeql-queries>`."
.. _interpret-query-results:
@@ -95,7 +114,7 @@ code.
Following interpretation, results are output for code review and triaging. In
CodeQL for Visual Studio Code, interpreted query results are automatically
displayed in the source code. Results generated by the CodeQL CLI can be output
into a number of different formats for use with different tools.
into a number of different formats for use with different tools.
About CodeQL databases
@@ -104,7 +123,7 @@ About CodeQL databases
CodeQL databases contain queryable data extracted from a codebase, for a single
language at a particular point in time. The database contains a full,
hierarchical representation of the code, including a representation of the
abstract syntax tree, the data flow graph, and the control flow graph.
abstract syntax tree, the data flow graph, and the control flow graph.
Each language has its own unique database schema that defines the relations used
to create a database. The schema provides an interface between the initial
@@ -114,13 +133,13 @@ every language construct.
For each language, the CodeQL libraries define classes to provide a layer of
abstraction over the database tables. This provides an object-oriented view of
the data which makes it easier to write queries.
the data which makes it easier to write queries.
For example, in a CodeQL database for a Java program, two key tables are:
- The ``expressions`` table containing a row for every single expression in the
source code that was analyzed during the build process.
- The ``statements`` table containing a row for every single statement in the
source code that was analyzed during the build process.
- The ``statements`` table containing a row for every single statement in the
source code that was analyzed during the build process.
The CodeQL library defines classes to provide a layer of abstraction over each

19
docs/codeql/codeql-overview/codeql-tools.rst
View File

@@ -5,17 +5,16 @@
CodeQL tools
============
GitHub provides the CodeQL command-line interface and CodeQL for Visual Studio
Code for performing CodeQL analysis on open source codebases.
GitHub provides the CodeQL command-line interface and CodeQL for Visual Studio Code for performing CodeQL analysis on open source codebases. For information on the use cases for each tool, see ":ref:`Running CodeQL queries <running-codeql-queries>`."
CodeQL command-line interface
-----------------------------
The CodeQL command-line interface (CLI) is primarily used to create databases for
security research. You can also query CodeQL databases directly from the command line
The CodeQL command-line interface (CLI) is primarily used to create databases for
security research. You can also query CodeQL databases directly from the command line
or using the Visual Studio Code extension.
The CodeQL CLI can be downloaded from `GitHub releases <https://github.com/github/codeql-cli-binaries/releases>`__.
For more information, see "`CodeQL CLI <https://docs.github.com/en/code-security/codeql-cli>`__" and the `CLI changelog <https://github.com/github/codeql-cli-binaries/blob/main/CHANGELOG.md>`__.
The CodeQL CLI can be downloaded from "`GitHub releases <https://github.com/github/codeql-cli-binaries/releases>`__."
For more information, see "`CodeQL CLI <https://docs.github.com/en/code-security/codeql-cli>`__" and the ":ref:`Change log <codeql-changes>`."
CodeQL packs
-----------------------------
@@ -38,15 +37,15 @@ maintained by GitHub are:
- ``codeql/python-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/lib>`__)
- ``codeql/ruby-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src>`__)
- ``codeql/ruby-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/lib>`__)
- ``codeql/swift-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/src>`__)
- ``codeql/swift-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/lib>`__)
For more information, see "`About CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs>`__."
CodeQL bundle
-----------------------------
The CodeQL bundle consists of the CodeQL CLI together with the standard CodeQL query and library packs
maintained by GitHub. The bundle can be downloaded from `GitHub releases <https://github.com/github/codeql-action/releases>`__.
Use this when running `code scanning with CodeQL <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql>`__ on GitHub Actions or in another CI system.
The CodeQL bundle consists of the CodeQL CLI together with the standard CodeQL query and library packs maintained by GitHub. The bundle is used by the CodeQL action in GitHub to generate code scanning results. If you use an external CI system, you can download the bundle from `GitHub releases <https://github.com/github/codeql-action/releases>`__, generate code scanning results, and upload them to GitHub.
CodeQL for Visual Studio Code
-----------------------------
@@ -54,4 +53,4 @@ CodeQL for Visual Studio Code
You can analyze CodeQL databases in Visual Studio Code using the CodeQL
extension, which provides an enhanced environment for writing and running custom
queries and viewing the results. For more information, see "`CodeQL
for Visual Studio Code <https://docs.github.com/en/code-security/codeql-for-vs-code/>`__."
for Visual Studio Code <https://docs.github.com/en/code-security/codeql-for-vs-code/>`__."

182
docs/codeql/index.html
View File

@@ -35,13 +35,6 @@
<ul class="dropdown-menu dropdown-menu-se dropdown-menu-dark">
<li><a class="dropdown-item" href="codeql-overview">CodeQL overview</a></li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL tools
</div>
<li><a class="dropdown-item" href="codeql-for-visual-studio-code">CodeQL for VS Code</a>
<li><a class="dropdown-item" href="https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli">CodeQL CLI</a>
</li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL guides
</div>
@@ -62,6 +55,11 @@
Source files
</div>
<li><a class="dropdown-item" href="https://github.com/github/codeql">CodeQL repository</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Academic
</div>
<li><a class="dropdown-item" href="../publications">QL publications</a>
</ul>
</details>
</div>
@@ -70,32 +68,30 @@
<div class="blankslate">
<img src="https://ghicons.github.com/assets/images/blue/svg/Code%20QL.svg" class="mb-3" />
<h1>CodeQL documentation</h1>
<p class="f2">Discover vulnerabilities across a codebase with CodeQL, our industry-leading semantic code
analysis
engine. CodeQL lets you query code as though it were data. Write a query to find all variants of a
<p class="f2">CodeQL enables you to query code as though it were data. Write a query to find all variants of a
vulnerability, eradicating it forever. Then share your query to help others do the same.</p>
</div>
<div class="d-flex flex-column flex-md-row flex-justify-center">
<div class="Box col-lg-5 col-sm-12 border-0">
<div class="Box-header border-0 bg-white">
<h3 class="Box-title text-mono f3 text-center">
BACKGROUND INFORMATION
</h3>
<h2 class="Box-title text-mono f2 text-center">
CODEQL RELEASE INFORMATION
</h2>
</div>
<div class="Box-body border-bottom-0">
<div class="Subhead border-0">
<a href="codeql-overview/about-codeql">
<div class="Subhead-heading f4 text-center">About CodeQL</div>
</a>
<div class="Subhead-description">Learn more about how CodeQL works...</div>
</div>
<div class="Subhead border-0">
<a href="codeql-overview/supported-languages-and-frameworks/">
<div class="Subhead-heading f4 text-center">Supported languages and frameworks</div>
</a>
<div class="Subhead-description">View the languages, libraries, and frameworks supported in the
latest version of CodeQL...</div>
latest release of CodeQL...</div>
</div>
<div class="Subhead border-0">
<a href="codeql-overview/about-codeql">
<div class="Subhead-heading f4 text-center">Change logs</div>
</a>
<div class="Subhead-description">Read about the improvements to the queries, libraries, and tooling in each release...</div>
</div>
<div class="Subhead border-0">
<a href="codeql-overview/system-requirements/">
@@ -105,90 +101,83 @@
latest version of CodeQL...</div>
</div>
<div class="Subhead border-0">
<a href="../publications">
<div class="Subhead-heading f4 text-center">Academic publications</div>
<a href="codeql-overview/supported-languages-and-frameworks/">
<div class="Subhead-heading f4 text-center">CodeQL cverage of CWEs</div>
</a>
<div class="Subhead-description">Read academic articles published by the team behind CodeQL...
</div>
<div class="Subhead-description">Detailed information on the coverage of Common Weakness Enumerations (CWEs) in the latest release...</div>
</div>
</div>
</div>
<div class="Box col-lg-5 col-sm-12 border-0">
<div class="Box-header border-0 bg-white">
<h3 class="Box-title text-mono f3 text-center">
CODEQL TOOLS
</h3>
<h2 class="Box-title text-mono f2 text-center">
LEARN TO WRITE CODEQL
</h2>
</div>
<div class="Box-body border-bottom-0">
<div class="Subhead border-0">
<a href="https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli">
<div class="Subhead-heading f4 text-center">CodeQL CLI</div>
</a>
<div class="Subhead-description border-bottom-0">The CodeQL command-line interface (CLI) is used
to create
databases for security research....</div>
</div>
<div class="Subhead border-0">
<a href="codeql-for-visual-studio-code">
<div class="Subhead-heading f4 text-center">CodeQL for Visual Studio Code</div>
</a>
<div class="Subhead-description">CodeQL for Visual Studio Code adds rich language
support for CodeQL...</div>
</div>
<div class="Subhead border-0">
<a
href="https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning">
<div class="Subhead-heading f4 text-center">Code scanning with CodeQL</div>
</a>
<div class="Subhead-description">Use code scanning with CodeQL to analyze the code in a GitHub
repository to find
security
vulnerabilities...</div>
</div>
<div class="Subhead border-0">
<a href="codeql-overview/about-codeql">
<div class="Subhead-heading f4 text-center">About CodeQL</div>
</a>
<div class="Subhead-description">Learn what CodeQL is and how it works...</div>
</div>
<div class="Subhead border-0">
<a href="writing-codeql-queries">
<div class="Subhead-heading f4 text-center">Writing CodeQL queries</div>
</a>
<div class="Subhead-description">Get to know more about queries and learn some key
query-writing skills by solving puzzles...</div>
</div>
<div class="Subhead border-0">
<a href="codeql-language-guides">
<div class="Subhead-heading f4 text-center">CodeQL language guides</div>
</a>
<div class="Subhead-description">Experiment and learn how to write effective and efficient
queries for CodeQL databases generated from the languages supported in CodeQL
analysis...</div>
</div>
<div class="Subhead border-0">
<a href="writing-codeql-queries/running-codeql-queries">
<div class="Subhead-heading f4 text-center">Running CodeQL queries</div>
</a>
<div class="Subhead-description">Learn about the options available for running CodeQL queries on one or multiple codebases...</div>
</div>
</div>
</div>
</div>
<div class="d-flex flex-column flex-md-row flex-justify-center">
<div class="Box col-lg-5 col-sm-12 border-0">
<div class="Box-header border-0 bg-white">
<h3 class="Box-title text-mono f3 text-center">
CODEQL GUIDES
</h3>
<h2 class="Box-title text-mono f2 text-center">
CODEQL RESOURCES
</h2>
</div>
<div class="Box-body border-bottom-0">
<div class="Subhead border-0">
<a href="writing-codeql-queries">
<div class="Subhead-heading f4 text-center">Writing CodeQL queries</div>
</a>
<div class="Subhead-description">Get to know more about queries and learn some key
query-writing skills by solving puzzles.....</div>
</div>
<div class="Subhead border-0">
<a href="codeql-language-guides">
<div class="Subhead-heading f4 text-center">CodeQL language guides</div>
</a>
<div class="Subhead-description">Experiment and learn how to write effective and efficient
queries for CodeQL databases generated from the languages supported in CodeQL
analysis...</div>
<div class="Subhead border-0">
<a href="https://github.com/github/codeql-cli-binaries/releases">
<div class="Subhead-heading f4 text-center">CodeQL CLI releases</div>
</a>
<div class="Subhead-description">Download the latest version of the CodeQL CLI...</div>
</div>
<div class="Subhead border-0">
<a href="https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-codeql">
<div class="Subhead-heading f4 text-center">CodeQL extension for Visual Studio Code</div>
</a>
<div class="Subhead-description">Download the extension from the Visual Studio Code Marketplace...</div>
</div>
<div class="Subhead border-0">
<a href="https://github.com/github/codeql">
<div class="Subhead-heading f4 text-center">CodeQL repository</div>
</a>
<div class="Subhead-description">Contribute to the source code of the libraries and queries for CodeQL...
</div>
</div>
</div>
<div class="Box col-lg-5 col-sm-12 border-0">
<div class="Box-header border-0 bg-white">
<h3 class="Box-title text-mono f3 text-center">
<h2 class="Box-title text-mono f2 text-center">
CODEQL REFERENCE DOCS
</h3>
</h2>
</div>
<div class="Box-body border-bottom-0">
<div class="Subhead border-0">
@@ -213,10 +202,8 @@
<div class="Subhead-description">View the query help for the queries included in the code
scanning query suites...</div>
</div>
</div>
</div>
</div>
</article>
<div class="footer mt-6 bg-gray-light border-y border-gray-dark no-print">
@@ -234,7 +221,7 @@
</a>
</div>
<div class="col-6 col-sm-3 col-lg-2 mb-6 mb-md-2 pr-3 pr-lg-0 pl-lg-4">
<h4 class="mb-3 text-mono text-gray-light text-normal">Product</h4>
<h3 class="mb-3 text-mono text-gray-light text-normal">Product</h3>
<ul class="list-style-none text-gray f5">
<li class="lh-condensed mb-3"><a href="https://github.com/features"
data-ga-click="Footer, go to features, text:features" class="link-gray">Features</a>
@@ -242,6 +229,9 @@
<li class="lh-condensed mb-3"><a href="https://github.com/security"
data-ga-click="Footer, go to security, text:security" class="link-gray">Security</a>
</li>
<li class="lh-condensed mb-3"><a href="https://github.com/features/copilot"
data-ga-click="Footer, go to copilot, text:copilot"
class="link-gray">Copilot</a></li>
<li class="lh-condensed mb-3"><a href="https://github.com/enterprise"
data-ga-click="Footer, go to enterprise, text:enterprise"
class="link-gray">Enterprise</a></li>
@@ -256,16 +246,16 @@
</ul>
</div>
<div class="col-6 col-sm-3 col-lg-2 mb-6 mb-md-2 pr-3 pr-md-0 pl-md-4">
<h4 class="mb-3 text-mono text-gray-light text-normal">Platform</h4>
<h3 class="mb-3 text-mono text-gray-light text-normal">Platform</h3>
<ul class="list-style-none f5">
<li class="lh-condensed mb-3"><a href="https://developer.github.com/"
<li class="lh-condensed mb-3"><a href="https://docs.github.com/get-started/exploring-integrations/about-building-integrations"
data-ga-click="Footer, go to api, text:api" class="link-gray">Developer API</a></li>
<li class="lh-condensed mb-3"><a href="http://partner.github.com/"
data-ga-click="Footer, go to partner, text:partner" class="link-gray">Partners</a></li>
<li class="lh-condensed mb-3"><a href="https://atom.io"
data-ga-click="Footer, go to atom, text:atom" class="link-gray">Atom</a></li>
<li class="lh-condensed mb-3"><a href="http://electron.atom.io/"
data-ga-click="Footer, go to electron, text:electron" class="link-gray">Electron</a>
<li class="lh-condensed mb-3"><a href="https://github.com/edu"
data-ga-click="Footer, go to education, text:education" class="link-gray">Education</a></li>
<li class="lh-condensed mb-3"><a href="https://cli.github.com/"
data-ga-click="Footer, go to cli, text:cli" class="link-gray">GitHub CLI</a>
</li>
<li class="lh-condensed mb-3"><a href="https://desktop.github.com/"
data-ga-click="Footer, go to desktop, text:desktop" class="link-gray">GitHub Desktop</a>
@@ -273,9 +263,9 @@
</ul>
</div>
<div class="col-6 col-sm-3 col-lg-2 mb-6 mb-md-2 pr-3 pr-md-0 pl-md-4">
<h4 class="mb-3 text-mono text-gray-light text-normal">Support</h4>
<h3 class="mb-3 text-mono text-gray-light text-normal">Support</h3>
<ul class="list-style-none f5">
<li class="lh-condensed mb-3"><a href="/" class="link-gray">Help</a></li>
<li class="lh-condensed mb-3"><a href="https://docs.github.com" class="link-gray">GitHub Docs</a></li>
<li class="lh-condensed mb-3"><a href="https://github.community" class="link-gray">Community
Forum</a></li>
<li class="lh-condensed mb-3"><a href="https://services.github.com/"
@@ -287,12 +277,12 @@
</ul>
</div>
<div class="col-6 col-sm-3 col-lg-2 mb-6 mb-md-2 pr-3 pr-md-0 pl-md-4">
<h4 class="mb-3 text-mono text-gray-light text-normal">Company</h4>
<h3 class="mb-3 text-mono text-gray-light text-normal">Company</h3>
<ul class="list-style-none f5">
<li class="lh-condensed mb-3"><a href="https://github.com/about" class="link-gray">About</a>
</li>
<li class="lh-condensed mb-3"><a href="https://github.blog/" class="link-gray">Blog</a></li>
<li class="lh-condensed mb-3"><a href="https://github.com/about/careers"
<li class="lh-condensed mb-3"><a href="https://github.careers/"
class="link-gray">Careers</a></li>
<li class="lh-condensed mb-3"><a href="https://github.com/about/press"
class="link-gray">Press</a></li>
@@ -359,9 +349,9 @@
<li class="mr-3">&copy;
<script type="text/javascript">document.write(new Date().getFullYear());</script> GitHub, Inc.</li>
<li class="mr-3"><a
href="https://docs.github.com/github/site-policy/github-terms-of-service"
href="https://docs.github.com/site-policy/github-terms/github-terms-of-service"
class="link-gray">Terms </a></li>
<li><a href="https://docs.github.com/github/site-policy/github-privacy-statement"
<li><a href="https://docs.github.com/site-policy/privacy-policies/github-privacy-statement"
class="link-gray">Privacy </a></li>
</ul>
</div>

3
docs/codeql/writing-codeql-queries/index.rst
View File

@@ -9,8 +9,11 @@ Get to know more about queries and learn some key query-writing skills by solvin
- :ref:`QL tutorials <ql-tutorials>`: Solve puzzles to learn the basics of QL before you analyze code with CodeQL. The tutorials teach you how to write queries and introduce you to key logic concepts along the way.
- :ref:`Running CodeQL queries <running-codeql-queries>`: Guide to running queries as you try out the tutorials and start to develop your own queries.
.. toctree::
:hidden:
codeql-queries
ql-tutorials
running-codeql-queries

38
docs/codeql/writing-codeql-queries/running-codeql-queries.rst Normal file
View File

@@ -0,0 +1,38 @@
:tocdepth: 1
.. _running-codeql-queries:
.. meta::
:description: Overview of how to run CodeQL queries locally, in GitHub, or in your CI system.
:keywords: CodeQL, code analysis, CodeQL analysis, code scanning, GitHub code scanning, writing a new query, testing a new query, code scanning alerts
Running CodeQL queries
======================
There are several options available for running one or more CodeQL queries on a codebase. The best option depends on what your aims are.
Work through a CodeQL tutorial
------------------------------
If you're working through a CodeQL tutorial, the CodeQL extension for Visual Studio Code allows you to run the queries in the tutorial. Unless you want to run the query on a specific code base, it's easiest to run queries on one of the many CodeQL databases that are available on GitHub. To get started, see "`Installing CodeQL for Visual Studio Code <https://docs.github.com/en/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/installing-codeql-for-vs-code>`__".
Develop a new CodeQL query
--------------------------
If you're developing a new query, the CodeQL extension for Visual Studio Code allows you to run a query and compare the results with previous runs as you refine the query. The extension also provides autocomplete suggestions, syntax highlighting, and other features that make it easier to write and debug queries. To get started, see "`Installing CodeQL for Visual Studio Code <https://docs.github.com/en/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/installing-codeql-for-vs-code>`__".
When you're ready to test the query on a wide range of codebases, you can choose from the pre-defined sets of CodeQL databases or define a custom group of codebases to run the query against. For more information, see "`Running CodeQL queries at scale with multi-repository variant analysis <https://docs.github.com/en/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis>`__".
Run your query against a specific codebase
-------------------------------------------
If the codebase that you want to run your query against doesn't have a CodeQL database, you can create one using the CodeQL CLI. For more information, see "`Setting up the CodeQL CLI <https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli>`__" and "`Preparing your code for CodeQL analysis <https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis>`__".
Once you have created a CodeQL database, you can make the database available to the CodeQL extension in Visual Studio Code, or run the query using the CodeQL CLI. For more information, see "`Analyzing your code with CodeQL queries <https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries>`__".
Run the standard CodeQL queries
-------------------------------
The easiest way to run the standard CodeQL queries on a repository hosted on the GitHub platform is to enable code scanning with CodeQL (this requires GitHub Actions to be enabled). When you enable default setup, you can choose from a default set of security queries or an extended set of security queries. Any results are shown as code scanning alerts on the **Security** tab of the repository. For more information, see "`Configuring default setup for code scanning <https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning>`__".
If you want to run the standard CodeQL queries on a repository where GitHub Actions are disabled, you can use the CodeQL CLI in your existing CI system. For more information, see "`Using code scanning with your existing CI system <https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system>`__".

1233
java/downgrades/376ce7dad79375c0772b8edb938da82ca5271ba1/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

1265
java/downgrades/376ce7dad79375c0772b8edb938da82ca5271ba1/semmlecode.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

11
java/downgrades/376ce7dad79375c0772b8edb938da82ca5271ba1/typeVars.ql Normal file
View File

@@ -0,0 +1,11 @@
class TypeVariable extends @typevariable {
string toString() { none() }
}
class ClassOrInterfaceOrCallable extends @classorinterfaceorcallable {
string toString() { none() }
}
from TypeVariable id, string nodeName, int pos, ClassOrInterfaceOrCallable parentid
where typeVars(id, nodeName, pos, parentid)
select id, nodeName, pos, 0, parentid

3
java/downgrades/376ce7dad79375c0772b8edb938da82ca5271ba1/upgrade.properties Normal file
View File

@@ -0,0 +1,3 @@
description: Remove deprecated entries
compatibility: partial
typeVars.rel: run typeVars.qlo

2
java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
View File

@@ -325,7 +325,7 @@ open class KotlinFileExtractor(
// parameter S of
// `class Generic<T> { public <S> Generic(T t, S s) { ... } }` will have `tp.index` 1,
// not 0).
tw.writeTypeVars(id, tp.name.asString(), apparentIndex, 0, parentId)
tw.writeTypeVars(id, tp.name.asString(), apparentIndex, parentId)
val locId = tw.getLocation(tp)
tw.writeHasLocation(id, locId)

2
java/ql/automodel/src/AutomodelAlertSinkUtil.qll
View File

@@ -99,7 +99,7 @@ class PotentialSinkModelExpr extends Expr {
) and
(if argIdx = -1 then input = "Argument[this]" else input = "Argument[" + argIdx + "]") and
package = callable.getDeclaringType().getPackage().getName() and
type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
type = callable.getDeclaringType().getErasure().(RefType).getNestedName() and
subtypes = considerSubtypes(callable) and
name = callable.getName() and
signature = ExternalFlow::paramsString(callable)

2
java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll
View File

@@ -378,7 +378,7 @@ class ApplicationModeMetadataExtractor extends string {
package = callable.getDeclaringType().getPackage().getName() and
// we're using the erased types because the MaD convention is to not specify type parameters.
// Whether something is or isn't a sink doesn't usually depend on the type parameters.
type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
type = callable.getDeclaringType().getErasure().(RefType).getNestedName() and
subtypes = AutomodelJavaUtil::considerSubtypes(callable).toString() and
name = callable.getName() and
signature = ExternalFlow::paramsString(callable) and

2
java/ql/automodel/src/AutomodelFrameworkModeCharacteristics.qll
View File

@@ -319,7 +319,7 @@ class FrameworkModeMetadataExtractor extends string {
package = callable.getDeclaringType().getPackage().getName() and
// we're using the erased types because the MaD convention is to not specify type parameters.
// Whether something is or isn't a sink doesn't usually depend on the type parameters.
type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
type = callable.getDeclaringType().getErasure().(RefType).getNestedName() and
subtypes = AutomodelJavaUtil::considerSubtypes(callable).toString() and
name = callable.getName() and
signature = ExternalFlow::paramsString(callable) and

4
java/ql/lib/change-notes/2024-09-16-nestedName.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: deprecated
---
* The `RefType.nestedName()` predicate has been deprecated, and `RefType.getNestedName()` added to replace it.

62
java/ql/lib/config/semmlecode.dbscheme
View File

@@ -138,21 +138,6 @@ compilation_time(
float seconds : float ref
);
/**
* An error or warning generated by the extractor.
* The diagnostic message `diagnostic` was generated during compiler
* invocation `compilation`, and is the `file_number_diagnostic_number`th
* message generated while extracting the `file_number`th file of that
* invocation.
*/
#keyset[compilation, file_number, file_number_diagnostic_number]
diagnostic_for(
unique int diagnostic : @diagnostic ref,
int compilation : @compilation ref,
int file_number : int ref,
int file_number_diagnostic_number : int ref
);
/**
* The `cpu_seconds` and `elapsed_seconds` are the CPU time and elapsed
* time (respectively) that the original compilation (not the extraction)
@@ -191,6 +176,21 @@ diagnostics(
int location: @location_default ref
);
/**
* An error or warning generated by the extractor.
* The diagnostic message `diagnostic` was generated during compiler
* invocation `compilation`, and is the `file_number_diagnostic_number`th
* message generated while extracting the `file_number`th file of that
* invocation.
*/
#keyset[compilation, file_number, file_number_diagnostic_number]
diagnostic_for(
unique int diagnostic : @diagnostic ref,
int compilation : @compilation ref,
int file_number : int ref,
int file_number_diagnostic_number : int ref
);
/*
* External artifacts
*/
@@ -202,41 +202,10 @@ externalData(
string value : string ref
);
snapshotDate(
unique date snapshotDate : date ref
);
sourceLocationPrefix(
string prefix : string ref
);
/*
* Duplicate code
*/
duplicateCode(
unique int id : @duplication,
string relativePath : string ref,
int equivClass : int ref
);
similarCode(
unique int id : @similarity,
string relativePath : string ref,
int equivClass : int ref
);
@duplication_or_similarity = @duplication | @similarity
tokens(
int id : @duplication_or_similarity ref,
int offset : int ref,
int beginLine : int ref,
int beginColumn : int ref,
int endLine : int ref,
int endColumn : int ref
);
/*
* SMAP
*/
@@ -516,7 +485,6 @@ typeVars(
unique int id: @typevariable,
string nodeName: string ref,
int pos: int ref,
int kind: int ref, // deprecated
int parentid: @classorinterfaceorcallable ref
);

667
java/ql/lib/config/semmlecode.dbscheme.stats
View File

@@ -16,14 +16,6 @@
<k>@externalDataElement</k>
<v>1</v>
</e>
<e>
<k>@duplication</k>
<v>1</v>
</e>
<e>
<k>@similarity</k>
<v>1</v>
</e>
<e>
<k>@file</k>
<v>1291911</v>
@@ -3965,17 +3957,6 @@
</dep>
</dependencies>
</relation>
<relation>
<name>snapshotDate</name>
<cardinality>1</cardinality>
<columnsizes>
<e>
<k>snapshotDate</k>
<v>1</v>
</e>
</columnsizes>
<dependencies/>
</relation>
<relation>
<name>sourceLocationPrefix</name>
<cardinality>569</cardinality>
@@ -3987,522 +3968,6 @@
</columnsizes>
<dependencies/>
</relation>
<relation>
<name>duplicateCode</name>
<cardinality>1</cardinality>
<columnsizes>
<e>
<k>id</k>
<v>1</v>
</e>
<e>
<k>relativePath</k>
<v>1</v>
</e>
<e>
<k>equivClass</k>
<v>1</v>
</e>
</columnsizes>
<dependencies>
<dep>
<src>id</src>
<trg>relativePath</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>1</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>equivClass</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>1</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>relativePath</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>relativePath</src>
<trg>equivClass</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>equivClass</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>equivClass</src>
<trg>relativePath</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
</dependencies>
</relation>
<relation>
<name>similarCode</name>
<cardinality>1</cardinality>
<columnsizes>
<e>
<k>id</k>
<v>1</v>
</e>
<e>
<k>relativePath</k>
<v>1</v>
</e>
<e>
<k>equivClass</k>
<v>1</v>
</e>
</columnsizes>
<dependencies>
<dep>
<src>id</src>
<trg>relativePath</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>1</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>equivClass</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>1</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>relativePath</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>relativePath</src>
<trg>equivClass</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>equivClass</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>equivClass</src>
<trg>relativePath</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
</dependencies>
</relation>
<relation>
<name>tokens</name>
<cardinality>1</cardinality>
<columnsizes>
<e>
<k>id</k>
<v>1</v>
</e>
<e>
<k>offset</k>
<v>1</v>
</e>
<e>
<k>beginLine</k>
<v>1</v>
</e>
<e>
<k>beginColumn</k>
<v>1</v>
</e>
<e>
<k>endLine</k>
<v>1</v>
</e>
<e>
<k>endColumn</k>
<v>1</v>
</e>
</columnsizes>
<dependencies>
<dep>
<src>id</src>
<trg>offset</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>beginLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>beginColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>endLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>endColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>offset</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>offset</src>
<trg>beginLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>offset</src>
<trg>beginColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>offset</src>
<trg>endLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>offset</src>
<trg>endColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginLine</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginLine</src>
<trg>offset</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginLine</src>
<trg>beginColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginLine</src>
<trg>endLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginLine</src>
<trg>endColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginColumn</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginColumn</src>
<trg>offset</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginColumn</src>
<trg>beginLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginColumn</src>
<trg>endLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>beginColumn</src>
<trg>endColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endLine</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endLine</src>
<trg>offset</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endLine</src>
<trg>beginLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endLine</src>
<trg>beginColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endLine</src>
<trg>endColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endColumn</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endColumn</src>
<trg>offset</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endColumn</src>
<trg>beginLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endColumn</src>
<trg>beginColumn</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
<dep>
<src>endColumn</src>
<trg>endLine</trg>
<val>
<hist>
<budget>12</budget>
<bs/>
</hist>
</val>
</dep>
</dependencies>
</relation>
<relation>
<name>smap_header</name>
<cardinality>1</cardinality>
@@ -13510,10 +12975,6 @@
<k>pos</k>
<v>1048</v>
</e>
<e>
<k>kind</k>
<v>262</v>
</e>
<e>
<k>parentid</k>
<v>612137</v>
@@ -13552,22 +13013,6 @@
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>kind</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>864332</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>parentid</trg>
@@ -13671,22 +13116,6 @@
</hist>
</val>
</dep>
<dep>
<src>nodeName</src>
<trg>kind</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>11797</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>nodeName</src>
<trg>parentid</trg>
@@ -13805,22 +13234,6 @@
</hist>
</val>
</dep>
<dep>
<src>pos</src>
<trg>kind</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>1048</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>pos</src>
<trg>parentid</trg>
@@ -13852,70 +13265,6 @@
</hist>
</val>
</dep>
<dep>
<src>kind</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>3297</a>
<b>3298</b>
<v>262</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>kind</src>
<trg>nodeName</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>45</a>
<b>46</b>
<v>262</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>kind</src>
<trg>pos</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>4</a>
<b>5</b>
<v>262</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>kind</src>
<trg>parentid</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>2335</a>
<b>2336</b>
<v>262</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>parentid</src>
<trg>id</trg>
@@ -13994,22 +13343,6 @@
</hist>
</val>
</dep>
<dep>
<src>parentid</src>
<trg>kind</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>612137</v>
</b>
</bs>
</hist>
</val>
</dep>
</dependencies>
</relation>
<relation>

2
java/ql/lib/semmle/code/Location.qll
View File

@@ -34,7 +34,7 @@ predicate hasName(Element e, string name) {
or
localvars(e, name, _, _)
or
typeVars(e, name, _, _, _)
typeVars(e, name, _, _)
or
wildcards(e, name, _)
or

2
java/ql/lib/semmle/code/java/Annotation.qll
View File

@@ -255,7 +255,7 @@ class Annotatable extends Element {
*/
predicate hasAnnotation(string package, string name) {
exists(AnnotationType at | at = this.getAnAnnotation().getType() |
at.nestedName() = name and at.getPackage().getName() = package
at.getNestedName() = name and at.getPackage().getName() = package
)
}

2
java/ql/lib/semmle/code/java/Element.qll
View File

@@ -117,5 +117,5 @@ private predicate hasChildElement(Element parent, Element e) {
or
fields(e, _, _, parent, _)
or
typeVars(e, _, _, _, parent)
typeVars(e, _, _, parent)
}

24
java/ql/lib/semmle/code/java/Generics.qll
View File

@@ -39,7 +39,7 @@ import Type
* For example, `X` in `class X<T> { }`.
*/
class GenericType extends ClassOrInterface {
GenericType() { typeVars(_, _, _, _, this) }
GenericType() { typeVars(_, _, _, this) }
/**
* Gets a parameterization of this generic type, where each use of
@@ -64,7 +64,7 @@ class GenericType extends ClassOrInterface {
/**
* Gets the `i`-th type parameter of this generic type.
*/
TypeVariable getTypeParameter(int i) { typeVars(result, _, i, _, this) }
TypeVariable getTypeParameter(int i) { typeVars(result, _, i, this) }
/**
* Gets a type parameter of this generic type.
@@ -139,10 +139,10 @@ abstract class BoundedType extends RefType, @boundedtype {
*/
class TypeVariable extends BoundedType, Modifiable, @typevariable {
/** Gets the generic type that is parameterized by this type parameter, if any. */
GenericType getGenericType() { typeVars(this, _, _, _, result) }
GenericType getGenericType() { typeVars(this, _, _, result) }
/** Gets the generic callable that is parameterized by this type parameter, if any. */
GenericCallable getGenericCallable() { typeVars(this, _, _, _, result) }
GenericCallable getGenericCallable() { typeVars(this, _, _, result) }
/**
* Gets an upper bound of this type parameter, or `Object`
@@ -196,7 +196,7 @@ class TypeVariable extends BoundedType, Modifiable, @typevariable {
}
/** Gets the index of `this` type variable. */
int getIndex() { typeVars(this, _, result, _, _) }
int getIndex() { typeVars(this, _, result, _) }
override string getAPrimaryQlClass() { result = "TypeVariable" }
}
@@ -327,7 +327,7 @@ class TypeBound extends @typebound {
class ParameterizedType extends ClassOrInterface {
ParameterizedType() {
typeArgs(_, _, this) or
typeVars(_, _, _, _, this)
typeVars(_, _, _, this)
}
/**
@@ -351,13 +351,13 @@ class ParameterizedType extends ClassOrInterface {
*/
RefType getATypeArgument() {
typeArgs(result, _, this) or
typeVars(result, _, _, _, this)
typeVars(result, _, _, this)
}
/** Gets the type argument of this parameterized type at the specified position. */
RefType getTypeArgument(int pos) {
typeArgs(result, pos, this) or
typeVars(result, _, pos, _, this)
typeVars(result, _, pos, this)
}
/** Gets the number of type arguments of this parameterized type. */
@@ -365,13 +365,13 @@ class ParameterizedType extends ClassOrInterface {
result =
count(int pos |
typeArgs(_, pos, this) or
typeVars(_, _, pos, _, this)
typeVars(_, _, pos, this)
)
}
/** Holds if this type originates from source code. */
override predicate fromSource() {
typeVars(_, _, _, _, this) and ClassOrInterface.super.fromSource()
typeVars(_, _, _, this) and ClassOrInterface.super.fromSource()
}
override string getAPrimaryQlClass() { result = "ParameterizedType" }
@@ -444,14 +444,14 @@ class GenericCallable extends Callable {
exists(Callable srcDecl |
methods(this, _, _, _, _, srcDecl) or constrs(this, _, _, _, _, srcDecl)
|
typeVars(_, _, _, _, srcDecl)
typeVars(_, _, _, srcDecl)
)
}
/**
* Gets the `i`-th type parameter of this generic callable.
*/
TypeVariable getTypeParameter(int i) { typeVars(result, _, i, _, this.getSourceDeclaration()) }
TypeVariable getTypeParameter(int i) { typeVars(result, _, i, this.getSourceDeclaration()) }
/**
* Gets a type parameter of this generic callable.

15
java/ql/lib/semmle/code/java/Type.qll
View File

@@ -592,7 +592,7 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
* to the name of the enclosing type, which might be a nested type as well.
*/
predicate hasQualifiedName(string package, string type) {
this.getPackage().hasName(package) and type = this.nestedName()
this.getPackage().hasName(package) and type = this.getNestedName()
}
/**
@@ -601,7 +601,7 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
override string getTypeDescriptor() {
result =
"L" + this.getPackage().getName().replaceAll(".", "/") + "/" +
this.getSourceDeclaration().nestedName() + ";"
this.getSourceDeclaration().getNestedName() + ";"
}
/**
@@ -615,8 +615,8 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
string getQualifiedName() {
exists(string pkgName | pkgName = this.getPackage().getName() |
if pkgName = ""
then result = this.nestedName()
else result = pkgName + "." + this.nestedName()
then result = this.getNestedName()
else result = pkgName + "." + this.getNestedName()
)
}
@@ -627,12 +627,15 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
* Otherwise the name of the nested type is prefixed with a `$` and appended to
* the name of the enclosing type, which might be a nested type as well.
*/
string nestedName() {
string getNestedName() {
not this instanceof NestedType and result = this.getName()
or
this.(NestedType).getEnclosingType().nestedName() + "$" + this.getName() = result
this.(NestedType).getEnclosingType().getNestedName() + "$" + this.getName() = result
}
/** DEPRECATED: Alias for `getNestedName`. */
deprecated string nestedName() { result = this.getNestedName() }
/**
* Gets the source declaration of this type.
*

4
java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -422,10 +422,10 @@ private predicate elementSpec(
private string getNestedName(Type t) {
not t instanceof RefType and result = t.toString()
or
not t.(Array).getElementType() instanceof NestedType and result = t.(RefType).nestedName()
not t.(Array).getElementType() instanceof NestedType and result = t.(RefType).getNestedName()
or
result =
t.(Array).getElementType().(NestedType).getEnclosingType().nestedName() + "$" + t.getName()
t.(Array).getElementType().(NestedType).getEnclosingType().getNestedName() + "$" + t.getName()
}
private string getQualifiedName(Type t) {

1265
java/ql/lib/upgrades/dee651b58d1e5455ca2d07eca37775a21d772fcc/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

1233
java/ql/lib/upgrades/dee651b58d1e5455ca2d07eca37775a21d772fcc/semmlecode.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

11
java/ql/lib/upgrades/dee651b58d1e5455ca2d07eca37775a21d772fcc/typeVars.ql Normal file
View File

@@ -0,0 +1,11 @@
class TypeVariable extends @typevariable {
string toString() { none() }
}
class ClassOrInterfaceOrCallable extends @classorinterfaceorcallable {
string toString() { none() }
}
from TypeVariable id, string nodeName, int pos, ClassOrInterfaceOrCallable parentid
where typeVars(id, nodeName, pos, _, parentid)
select id, nodeName, pos, parentid

7
java/ql/lib/upgrades/dee651b58d1e5455ca2d07eca37775a21d772fcc/upgrade.properties Normal file
View File

@@ -0,0 +1,7 @@
description: Remove deprecated entries
compatibility: full
duplicateCode.rel: delete
similarCode.rel: delete
tokens.rel: delete
snapshotDate.rel: delete
typeVars.rel: run typeVars.qlo

2
java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
View File

@@ -19,4 +19,4 @@ from InsecureTrustManagerFlow::PathNode source, InsecureTrustManagerFlow::PathNo
where InsecureTrustManagerFlow::flowPath(source, sink)
select sink, source, sink, "This uses $@, which is defined in $@ and trusts any certificate.",
source, "TrustManager",
source.getNode().asExpr().(ClassInstanceExpr).getConstructedType() as type, type.nestedName()
source.getNode().asExpr().(ClassInstanceExpr).getConstructedType() as type, type.getNestedName()

2
java/ql/src/Telemetry/ExternalApi.qll
View File

@@ -30,7 +30,7 @@ class ExternalApi extends Callable {
string getApiName() {
result =
this.getDeclaringType().getPackage() + "." +
this.getDeclaringType().getSourceDeclaration().nestedName() + "#" + this.getName() +
this.getDeclaringType().getSourceDeclaration().getNestedName() + "#" + this.getName() +
paramsString(this)
}

2
java/ql/src/utils/flowtestcasegenerator/FlowTestCaseUtils.qll
View File

@@ -101,7 +101,7 @@ string getShortNameIfPossible(Type t) {
getRootSourceDeclaration(t) = any(TestCase tc).getADesiredImport() and
exists(RefType replaced, string nestedName |
replaced = replaceTypeVariable(t).getSourceDeclaration() and
nestedName = replaced.nestedName().replaceAll("$", ".")
nestedName = replaced.getNestedName().replaceAll("$", ".")
|
if isImportable(getRootSourceDeclaration(t))
then result = nestedName

2
java/ql/src/utils/modeleditor/ModelEditor.qll
View File

@@ -27,7 +27,7 @@ class Endpoint extends Callable {
/**
* Gets the type name of this endpoint.
*/
string getTypeName() { result = this.getDeclaringType().nestedName() }
string getTypeName() { result = this.getDeclaringType().getNestedName() }
/**
* Gets the parameter types of this endpoint.

2
java/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll
View File

@@ -154,7 +154,7 @@ private string isExtensible(Callable c) {
private predicate qualifiedName(Callable c, string package, string type) {
exists(RefType t | t = c.getDeclaringType() |
package = t.getCompilationUnit().getPackage().getName() and
type = t.getErasure().(J::RefType).nestedName()
type = t.getErasure().(J::RefType).getNestedName()
)
}

2
java/ql/test/library-tests/neutrals/neutralsinks/NeutralSinksTest.ql
View File

@@ -26,7 +26,7 @@ module NeutralSinkTest implements TestSig {
exists(Call call, Callable callable |
call.getCallee() = callable and
neutralModel(callable.getDeclaringType().getCompilationUnit().getPackage().getName(),
callable.getDeclaringType().getSourceDeclaration().nestedName(), callable.getName(),
callable.getDeclaringType().getSourceDeclaration().getNestedName(), callable.getName(),
[paramsString(callable), ""], "sink", _) and
call.getLocation() = location and
element = call.toString() and

1
ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
View File

@@ -526,6 +526,7 @@ private module Cached {
|
isUseStep = false
or
isUseStep = true and
not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
)
or