hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into changedocs-2.23.2

Browse Source
This commit is contained in:
Jon Janego
2025-10-08 11:00:45 -05:00
committed by GitHub
parent 9c610e8bab d39c8d155c
commit 4534d67107
588 changed files with 24111 additions and 5840 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
docs/codeql/codeql-language-guides/basic-query-for-rust-code.rst Normal file
View File

@@ -0,0 +1,131 @@
.. _basic-query-for-rust-code:
Basic query for Rust code
==========================
Learn to write and run a simple CodeQL query using Visual Studio Code with the CodeQL extension.
.. include:: ../reusables/vs-code-basic-instructions/setup-to-run-queries.rst
About the query
---------------
The query we're going to run performs a basic search of the code for ``if`` expressions that are redundant, in the sense that they have an empty ``then`` branch. For example, code such as:
.. code-block:: rust
if error {
// we should handle the error
}
.. include:: ../reusables/vs-code-basic-instructions/find-database.rst
Running a quick query
---------------------
.. include:: ../reusables/vs-code-basic-instructions/run-quick-query-1.rst
#. In the quick query tab, delete the content and paste in the following query.
.. code-block:: ql
import rust
from IfExpr ifExpr
where ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0
select ifExpr, "This 'if' expression is redundant."
.. include:: ../reusables/vs-code-basic-instructions/run-quick-query-2.rst
.. image:: ../images/codeql-for-visual-studio-code/basic-rust-query-results-1.png
:align: center
If any matching code is found, click a link in the ``ifExpr`` column to open the file and highlight the matching ``if`` expression.
.. image:: ../images/codeql-for-visual-studio-code/basic-rust-query-results-2.png
:align: center
.. include:: ../reusables/vs-code-basic-instructions/note-store-quick-query.rst
About the query structure
~~~~~~~~~~~~~~~~~~~~~~~~~
After the initial ``import`` statement, this simple query comprises three parts that serve similar purposes to the FROM, WHERE, and SELECT parts of an SQL query.
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
| Query part | Purpose | Details |
+==================================================================================+===================================================================================================================+======================================================================================================+
| ``import rust`` | Imports the standard CodeQL AST libraries for Rust. | Every query begins with one or more ``import`` statements. |
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
| ``from IfExpr ifExpr`` | Defines the variables for the query. | We use: an ``IfExpr`` variable for ``if`` expressions. |
| | Declarations are of the form: | |
| | ``<type> <variable name>`` | |
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
| ``where ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0`` | Defines a condition on the variables. | ``ifExpr.getThen()``: gets the ``then`` branch of the ``if`` expression. |
| | | ``.(BlockExpr)``: requires that the ``then`` branch is a block expression (``{ }``). |
| | | ``.getStmtList()``: gets the list of things in the block. |
| | | ``.getNumberOfStmtOrExpr() = 0``: requires that there are no statements or expressions in the block. |
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
| ``select ifExpr, "This 'if' expression is redundant."`` | Defines what to report for each match. | Reports the resulting ``if`` expression with a string that explains the problem. |
| | | |
| | ``select`` statements for queries that are used to find instances of poor coding practice are always in the form: | |
| | ``select <program element>, "<alert message>"`` | |
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
Extend the query
----------------
Query writing is an inherently iterative process. You write a simple query and then, when you run it, you discover examples that you had not previously considered, or opportunities for improvement.
Remove false positive results
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Browsing the results of our basic query shows that it could be improved. Among the results you are likely to find examples of ``if`` expressions with an ``else`` branch, where an empty ``then`` branch does serve a purpose. For example:
.. code-block:: rust
if (option == "-verbose") {
// nothing to do - handled earlier
} else {
handleError("unrecognized option")
}
In this case, identifying the ``if`` expression with the empty ``then`` branch as redundant is a false positive. One solution to this is to modify the query to select ``if`` expressions where both the ``then`` and ``else`` branches are missing.
To exclude ``if`` expressions that have an ``else`` branch:
#. Add the following to the where clause:
.. code-block:: ql
and not exists(ifExpr.getElse())
The ``where`` clause is now:
.. code-block:: ql
where
ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0 and
not exists(ifExpr.getElse())
#. Re-run the query.
There are now fewer results because ``if`` expressions with an ``else`` branch are no longer included.
Further reading
---------------
.. include:: ../reusables/rust-further-reading.rst
.. include:: ../reusables/codeql-ref-tools-further-reading.rst
.. Article-specific substitutions for the reusables used in docs/codeql/reusables/vs-code-basic-instructions
.. |language-text| replace:: Rust
.. |language-code| replace:: ``rust``
.. |example-url| replace:: https://github.com/rust-lang/rustlings
.. |image-quick-query| image:: ../images/codeql-for-visual-studio-code/quick-query-tab-rust.png
.. |result-col-1| replace:: The first column corresponds to the expression ``ifExpr`` and is linked to the location in the source code of the project where ``ifExpr`` occurs.

4
docs/codeql/codeql-language-guides/codeql-for-rust.rst
View File

@@ -9,8 +9,12 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
.. toctree::
:hidden:
basic-query-for-rust-code
codeql-library-for-rust
analyzing-data-flow-in-rust
- :doc:`Basic query for Rust code <basic-query-for-rust-code>`: Learn to write and run a simple CodeQL query.
- :doc:`CodeQL library for Rust <codeql-library-for-rust>`: When analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
- :doc:`Analyzing data flow in Rust <analyzing-data-flow-in-rust>`: You can use CodeQL to track the flow of data through a Rust program to places where the data is used.

4
docs/codeql/codeql-overview/system-requirements.rst
View File

@@ -42,6 +42,10 @@ For Ruby extraction:
- On Windows, the ``msvcp140.dll`` must be installed and available on the system. This can be installed by downloading the appropriate Microsoft Visual C++ Redistributable for Visual Studio.
For Rust extraction:
- ``rustup`` and ``cargo`` must be installed.
For Java extraction:
- There must be a ``java`` or ``java.exe`` executable available on the ``PATH``, and the ``JAVA_HOME`` environment variable must point to the corresponding JDK's home directory.

BIN
docs/codeql/images/codeql-for-visual-studio-code/basic-rust-query-results-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
docs/codeql/images/codeql-for-visual-studio-code/basic-rust-query-results-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
docs/codeql/images/codeql-for-visual-studio-code/quick-query-tab-rust.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.1 KiB

37
docs/codeql/ql-language-reference/annotations.rst
View File

@@ -97,13 +97,27 @@ own body, or they must inherit from another class that overrides ``isSource``:
// doesn't need to override `isSource`, because it inherits it from ConfigA
}
.. index:: additional
.. _additional:
``additional``
==============
**Available for**: |classes|, |algebraic datatypes|, |type unions|, |non-member predicates|, |modules|, |aliases|, |signatures|
The ``additional`` annotation can be used on declarations in explicit modules.
All declarations that are not required by a module signature in modules that implement |module signatures| must be annotated with ``additional``.
Omitting ``additional`` on such declarations, or using the annotation in any other context, will result in a compiler error.
Other than that, the annotation has no effect.
.. index:: cached
.. _cached:
``cached``
==========
**Available for**: |classes|, |algebraic datatypes|, |characteristic predicates|, |member predicates|, |non-member predicates|, |modules|
**Available for**: |classes|, |algebraic datatypes|, |type unions|, |characteristic predicates|, |member predicates|, |non-member predicates|, |modules|
The ``cached`` annotation indicates that an entity should be evaluated in its entirety and
stored in the evaluation cache. All later references to this entity will use the
@@ -126,7 +140,7 @@ body must also be annotated with ``cached``, otherwise a compiler error is repor
``deprecated``
==============
**Available for**: |classes|, |algebraic datatypes|, |member predicates|, |non-member predicates|, |imports|, |fields|, |modules|, |aliases|
**Available for**: |classes|, |algebraic datatypes|, |type unions|, |member predicates|, |non-member predicates|, |imports|, |fields|, |modules|, |aliases|, |signatures|
The ``deprecated`` annotation is applied to names that are outdated and scheduled for removal
in a future release of QL.
@@ -151,6 +165,16 @@ For example, the name ``DataFlowNode`` is deprecated and has the following QLDoc
This QLDoc comment appears when you use the name ``DataFlowNode`` in a QL editor.
.. index:: extensible
.. _extensible:
``extensible``
==============
**Available for**: |non-member predicates|
The ``extensible`` annotation is used to mark predicates that are populated at evaluation time through data extensions.
.. index:: external
.. _external:
@@ -235,7 +259,7 @@ warning.
``private``
===========
**Available for**: |classes|, |algebraic datatypes|, |member predicates|, |non-member predicates|, |imports|, |fields|, |modules|, |aliases|
**Available for**: |classes|, |algebraic datatypes|, |type unions|, |member predicates|, |non-member predicates|, |imports|, |fields|, |modules|, |aliases|, |signatures|
The ``private`` annotation is used to prevent names from being exported.
@@ -461,7 +485,7 @@ For more information, see ":ref:`monotonic-aggregates`."
Binding sets
============
**Available for**: |classes|, |characteristic predicates|, |member predicates|, |non-member predicates|
**Available for**: |classes|, |characteristic predicates|, |member predicates|, |non-member predicates|, |predicate signatures|, |type signatures|
``bindingset[...]``
-------------------
@@ -490,4 +514,9 @@ The ``bindingset`` annotation takes a comma-separated list of variables.
.. |aliases| replace:: :ref:`aliases <aliases>`
.. |type-aliases| replace:: :ref:`type aliases <type-aliases>`
.. |algebraic datatypes| replace:: :ref:`algebraic datatypes <algebraic-datatypes>`
.. |type unions| replace:: :ref:`type unions <type-unions>`
.. |expressions| replace:: :ref:`expressions <expressions>`
.. |signatures| replace:: :ref:`signatures <signatures>`
.. |predicate signatures| replace:: :ref:`predicate signatures <predicate-signatures>`
.. |type signatures| replace:: :ref:`type signatures <type-signatures>`
.. |module signatures| replace:: :ref:`module signatures <module-signatures>`

2
docs/codeql/ql-language-reference/formulas.rst
View File

@@ -193,7 +193,7 @@ information on cartesian products, see ":ref:`Troubleshooting query performance
<troubleshooting-query-performance>`".
It is possible to enable warnings about implicit this receivers for `CodeQL packs
<https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs#warnonimplicitthis>`__
<https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#warnonimplicitthis>`__
through the ``warnOnImplicitThis`` property.
.. _parenthesized-formulas:

9
docs/codeql/ql-language-reference/ql-language-specification.rst
View File

@@ -36,7 +36,7 @@ Architecture
A *QL program* consists of a query module defined in a QL file and a number of library modules defined in QLL files that it imports (see "`Import directives <#import-directives>`__"). The module in the QL file includes one or more queries (see "`Queries <#queries>`__"). A module may also include *import directives* (see "`Import directives <#import-directives>`__"), non-member predicates (see "`Non-member predicates <#non-member-predicates>`__"), class definitions (see "`Classes <#classes>`__"), and module definitions (see "`Modules <#modules>`__").
QL programs are interpreted in the context of a *database* and a *library path* . The database provides a number of definitions: database types (see "`Types <#types>`__"), entities (see "`Values <#values>`__"), built-in predicates (see "`Built-ins <#built-ins>`__"), and the *database content* of built-in predicates and external predicates (see "`Evaluation <#evaluation>`__"). The library path is a sequence of file-system directories that hold QLL files.
QL programs are interpreted in the context of a *database* and a *library path* . The database provides a number of definitions: database types (see "`Types <#types>`__"), entities (see "`Values <#values>`__"), built-in predicates (see "`Built-ins <#built-ins>`__"), and the *database content* of built-in predicates, external predicates, and extensible predicates (see "`Evaluation <#evaluation>`__"). The library path is a sequence of file-system directories that hold QLL files.
A QL program can be *evaluated* (see "`Evaluation <#evaluation>`__") to produce a set of tuples of values (see "`Values <#values>`__").
@@ -935,6 +935,7 @@ When a predicate is a top-level clause in a module, it is called a non-member pr
A valid non-member predicate can be annotated with ``additional``, ``cached``, ``deprecated``, ``extensible``, ``external``, ``transient``, ``private``, and ``query``.
Note, the ``transient`` annotation can only be applied if the non-member predicate is also annotated with ``external``.
Note, the annotations ``extensible`` and ``external`` cannot both be used on the same non-member predicate.
The head of the predicate gives a name, an optional *result type*, and a sequence of variables declarations that are *arguments*:
@@ -952,7 +953,7 @@ The body of a predicate is of one of three forms:
In the first form, with just a semicolon, the predicate is said to not have a body. In the second form, the body of the predicate is the given formula (see "`Formulas <#formulas>`__"). In the third form, the body is a higher-order relation.
A valid non-member predicate must have a body, either a formula or a higher-order relation, unless it is external, in which case it must not have a body.
A valid non-member predicate must have a body, either a formula or a higher-order relation, unless it is external or extensible, in which case it must not have a body.
The typing environment for the body of the formula, if present, maps the variables in the head of the predicate to their associated types. If the predicate has a result type, then the typing environment also maps ``result`` to the result type.
@@ -1053,7 +1054,7 @@ A member predicate ``p`` with enclosing class ``C`` *shadows* a member predicate
Member predicates have one or more *root definitions*. If a member predicate overrides no other member predicate, then it is its own root definition. Otherwise, its root definitions are those of any member predicate that it overrides.
A valid member predicate must have a body unless it is abstract or external, in which case it must not have a body.
A valid member predicate must have a body unless it is abstract, in which case it must not have a body.
A valid member predicate must override another member predicate if it is annotated override.
@@ -2180,7 +2181,7 @@ If a QL program has no valid stratification, then the program itself is not vali
Layer evaluation
~~~~~~~~~~~~~~~~
The store is first initialized with the *database content* of all built-in predicates and external predicates. The database content of a predicate is a set of ordered tuples that are included in the database.
The store is first initialized with the *database content* of all built-in predicates, external predicates, and extensible predicates. The database content of a predicate is a set of ordered tuples that are included in the database.
Each layer of the stratification is *populated* in order. To populate a layer, each predicate in the layer is repeatedly populated until the store stops changing. The way that a predicate is populated is as follows:

12
docs/codeql/ql-language-reference/signatures.rst
View File

@@ -10,6 +10,10 @@ Signatures
Parameterized modules use signatures as a type system for their parameters.
There are three categories of signatures: **predicate signatures**, **type signatures**, and **module signatures**.
.. index:: predicate signature
.. _predicate-signatures:
Predicate signatures
====================
@@ -36,6 +40,10 @@ For example:
signature int operator(int lhs, int rhs);
.. index:: type signature
.. _type-signatures:
Type signatures
===============
@@ -66,6 +74,10 @@ For example:
string toString();
}
.. index:: module signature
.. _module-signatures:
Module signatures
=================

2
docs/codeql/reusables/extractors.rst
View File

@@ -20,7 +20,7 @@
- ``python``
* - Ruby
- ``ruby``
- Rust
* - Rust
- ``rust``
* - Swift
- ``swift``

10
docs/codeql/reusables/supported-frameworks.rst
View File

@@ -313,7 +313,6 @@ Rust built-in support
Provided by the current versions of the
CodeQL query pack ``codeql/rust-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src>`__)
and the CodeQL library pack ``codeql/rust-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/lib>`__).
All support is experimental.
.. csv-table::
:header-rows: 1
@@ -324,12 +323,15 @@ All support is experimental.
Name, Category
`actix-web <https://crates.io/crates/actix-web>`__, Web framework
alloc, Standard library
`async-std <https://crates.io/crates/async-std>`__, Asynchronous programming library
`biscotti <https://crates.io/crates/biscotti>`__, Cookie management
`clap <http://crates.io/crates/clap>`__, Utility library
`cookie <https://crates.io/crates/cookie>`__, Cookie management
core, Standard library
`digest <https://crates.io/crates/digest>`__, Cryptography library
`futures-executor <https://crates.io/crates/futures-executor>`__, Utility library
`futures <https://crates.io/crates/futures>`__, Asynchronous programming library
`futures-rustls <https://crates.io/crates/futures-rustls>`__, Network communicator
`hyper <https://crates.io/crates/hyper>`__, HTTP library
`hyper-util <https://crates.io/crates/hyper-util>`__, HTTP library
`libc <https://crates.io/crates/libc>`__, Utility library
`log <https://crates.io/crates/log>`__, Logging library
`md5 <https://crates.io/crates/md5>`__, Utility library
@@ -345,12 +347,14 @@ All support is experimental.
`rusqlite <https://crates.io/crates/rusqlite>`__, Database
std, Standard library
`rust-crypto <https://crates.io/crates/rust-crypto>`__, Cryptography library
`rustls <https://crates.io/crates/rustls>`__, Network communicator
`serde <https://crates.io/crates/serde>`__, Serialization
`smallvec <https://crates.io/crates/smallvec>`__, Utility library
`sqlx <https://crates.io/crates/sqlx>`__, Database
`tokio <https://crates.io/crates/tokio>`__, Asynchronous IO
`tokio-postgres <https://crates.io/crates/tokio-postgres>`__, Database
`url <https://crates.io/crates/url>`__, Utility library
`warp <https://crates.io/crates/warp>`__, Web framework
Swift built-in support
================================

7
docs/codeql/writing-codeql-queries/creating-path-queries.rst
View File

@@ -33,6 +33,7 @@ For more language-specific information on analyzing data flow, see:
- ":ref:`Analyzing data flow in JavaScript/TypeScript <analyzing-data-flow-in-javascript-and-typescript>`"
- ":ref:`Analyzing data flow in Python <analyzing-data-flow-in-python>`"
- ":ref:`Analyzing data flow in Ruby <analyzing-data-flow-in-ruby>`"
- ":ref:`Analyzing data flow in Rust <analyzing-data-flow-in-rust>`"
- ":ref:`Analyzing data flow in Swift <analyzing-data-flow-in-swift>`"
Path query examples
@@ -59,7 +60,7 @@ You should use the following template:
*/
import <language>
// For some languages (Java/C++/Python/Swift) you need to explicitly import the data flow library, such as
// For some languages (Java/C++/Python/Rust/Swift) you need to explicitly import the data flow library, such as
// import semmle.code.java.dataflow.DataFlow or import codeql.swift.dataflow.DataFlow
...
@@ -124,7 +125,7 @@ Declaring sources and sinks
You must provide information about the ``source`` and ``sink`` in your path query. These are objects that correspond to the nodes of the paths that you are exploring.
The name and the type of the ``source`` and the ``sink`` must be declared in the ``from`` statement of the query, and the types must be compatible with the nodes of the graph computed by the ``edges`` predicate.
If you are querying C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, or Ruby code (and you have used ``import MyFlow::PathGraph`` in your query), the definitions of the ``source`` and ``sink`` are accessed via the module resulting from the application of the ``Global<..>`` module in the data flow library. You should declare both of these objects in the ``from`` statement.
If you are querying C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, or Rust code (and you have used ``import MyFlow::PathGraph`` in your query), the definitions of the ``source`` and ``sink`` are accessed via the module resulting from the application of the ``Global<..>`` module in the data flow library. You should declare both of these objects in the ``from`` statement.
For example:
.. code-block:: ql
@@ -145,7 +146,7 @@ The configuration module must be defined to include definitions of sources and s
- ``isSource()`` defines where data may flow from.
- ``isSink()`` defines where data may flow to.
For more information on using the configuration class in your analysis see the sections on global data flow in ":ref:`Analyzing data flow in C/C++ <analyzing-data-flow-in-cpp>`," ":ref:`Analyzing data flow in C# <analyzing-data-flow-in-csharp>`," and ":ref:`Analyzing data flow in Python <analyzing-data-flow-in-python>`."
For more information on using the configuration class in your analysis see the sections on global data flow in ":ref:`Analyzing data flow in C/C++ <analyzing-data-flow-in-cpp>`," ":ref:`Analyzing data flow in C# <analyzing-data-flow-in-csharp>`," ":ref:`Analyzing data flow in Python <analyzing-data-flow-in-python>`," and ":ref:`Analyzing data flow in Rust <analyzing-data-flow-in-rust>`."
You can also create a configuration for different frameworks and environments by extending the ``Configuration`` class. For more information, see ":ref:`Types <defining-a-class>`" in the QL language reference.