diff --git a/cpp/ql/lib/semmle/code/cpp/Function.qll b/cpp/ql/lib/semmle/code/cpp/Function.qll index 8ddb07a868e..10b156e3fb6 100644 --- a/cpp/ql/lib/semmle/code/cpp/Function.qll +++ b/cpp/ql/lib/semmle/code/cpp/Function.qll @@ -171,12 +171,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function { * Gets the nth parameter of this function. There is no result for the * implicit `this` parameter, and there is no `...` varargs pseudo-parameter. */ + pragma[nomagic] Parameter getParameter(int n) { params(unresolveElement(result), underlyingElement(this), n, _) } /** * Gets a parameter of this function. There is no result for the implicit * `this` parameter, and there is no `...` varargs pseudo-parameter. */ + pragma[nomagic] Parameter getAParameter() { params(unresolveElement(result), underlyingElement(this), _, _) } /** diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs index 1ba8827c9d2..6701f993ac6 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs @@ -360,5 +360,22 @@ namespace Semmle.Extraction.CSharp return versionString.InformationalVersion; } } + + private static readonly HashSet errorsToIgnore = new HashSet + { + "CS7027", // Code signing failure + "CS1589", // XML referencing not supported + "CS1569" // Error writing XML documentation + }; + + /// + /// Retrieves the diagnostics from the compilation, filtering out those that should be ignored. + /// + protected List GetFilteredDiagnostics() => + compilation is not null + ? compilation.GetDiagnostics() + .Where(e => e.Severity >= DiagnosticSeverity.Error && !errorsToIgnore.Contains(e.Id)) + .ToList() + : []; } } diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs index ff3c2889bc9..b940b02cb5c 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs @@ -13,6 +13,14 @@ namespace Semmle.Extraction.CSharp { } + private void LogDiagnostics() + { + foreach (var error in GetFilteredDiagnostics()) + { + Logger.LogDebug($" Compilation error: {error}"); + } + } + public void Initialize(string outputPath, IEnumerable<(string, string)> compilationInfos, CSharpCompilation compilationIn, CommonOptions options) { compilation = compilationIn; @@ -20,6 +28,7 @@ namespace Semmle.Extraction.CSharp this.options = options; LogExtractorInfo(); SetReferencePaths(); + LogDiagnostics(); } } } diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs index 8a9856f1d31..9f2a1256f1a 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs @@ -136,11 +136,7 @@ namespace Semmle.Extraction.CSharp private int LogDiagnostics() { - var filteredDiagnostics = compilation! - .GetDiagnostics() - .Where(e => e.Severity >= DiagnosticSeverity.Error && !errorsToIgnore.Contains(e.Id)) - .ToList(); - + var filteredDiagnostics = GetFilteredDiagnostics(); foreach (var error in filteredDiagnostics) { Logger.LogError($" Compilation error: {error}"); @@ -148,7 +144,7 @@ namespace Semmle.Extraction.CSharp if (filteredDiagnostics.Count != 0) { - foreach (var reference in compilation.References) + foreach (var reference in compilation!.References) { Logger.LogInfo($" Resolved reference {reference.Display}"); } @@ -156,12 +152,5 @@ namespace Semmle.Extraction.CSharp return filteredDiagnostics.Count; } - - private static readonly HashSet errorsToIgnore = new HashSet - { - "CS7027", // Code signing failure - "CS1589", // XML referencing not supported - "CS1569" // Error writing XML documentation - }; } } diff --git a/csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md b/csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md new file mode 100644 index 00000000000..082f4562615 --- /dev/null +++ b/csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Compilation errors are now included in the debug log when using build-mode none. diff --git a/docs/codeql/reusables/rust-further-reading.rst b/docs/codeql/reusables/rust-further-reading.rst index a82dee7f28e..c8d18cc77b0 100644 --- a/docs/codeql/reusables/rust-further-reading.rst +++ b/docs/codeql/reusables/rust-further-reading.rst @@ -1,2 +1,3 @@ - `CodeQL queries for Rust `__ +- `Example queries for Rust `__ - `CodeQL library reference for Rust `__ diff --git a/rust/ql/examples/qlpack.lock.yml b/rust/ql/examples/qlpack.lock.yml new file mode 100644 index 00000000000..06dd07fc7dc --- /dev/null +++ b/rust/ql/examples/qlpack.lock.yml @@ -0,0 +1,4 @@ +--- +dependencies: {} +compiled: false +lockVersion: 1.0.0 diff --git a/rust/ql/examples/qlpack.yml b/rust/ql/examples/qlpack.yml new file mode 100644 index 00000000000..41adabd2c70 --- /dev/null +++ b/rust/ql/examples/qlpack.yml @@ -0,0 +1,7 @@ +name: codeql/rust-examples +groups: + - rust + - examples +dependencies: + codeql/rust-all: ${workspace} +warnOnImplicitThis: true diff --git a/rust/ql/examples/snippets/empty_if.ql b/rust/ql/examples/snippets/empty_if.ql new file mode 100644 index 00000000000..f2183945979 --- /dev/null +++ b/rust/ql/examples/snippets/empty_if.ql @@ -0,0 +1,18 @@ +/** + * @name Empty 'if' expression + * @description Finds 'if' expressions where the "then" branch is empty and no + * "else" branch exists. + * @id rust/examples/empty-if + * @tags example + */ + +import rust + +// find 'if' expressions... +from IfExpr ifExpr +where + // where the 'then' branch is empty + ifExpr.getThen().getStmtList().getNumberOfStmtOrExpr() = 0 and + // and no 'else' branch exists + not ifExpr.hasElse() +select ifExpr, "This 'if' expression is redundant." diff --git a/rust/ql/examples/snippets/simple_constant_password.ql b/rust/ql/examples/snippets/simple_constant_password.ql new file mode 100644 index 00000000000..1f0e0a8e101 --- /dev/null +++ b/rust/ql/examples/snippets/simple_constant_password.ql @@ -0,0 +1,48 @@ +/** + * @name Constant password + * @description Finds places where a string literal is used in a function call + * argument that looks like a password. + * @id rust/examples/simple-constant-password + * @tags example + */ + +import rust +import codeql.rust.dataflow.DataFlow +import codeql.rust.dataflow.TaintTracking + +/** + * A data flow configuration for tracking flow from a string literal to a function + * call argument that looks like a password. For example: + * ``` + * fn set_password(password: &str) { ... } + * + * ... + * + * let pwd = "123456"; // source + * set_password(pwd); // sink (argument 0) + * ``` + */ +module ConstantPasswordConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { + // `node` is a string literal + node.asExpr().getExpr() instanceof StringLiteralExpr + } + + predicate isSink(DataFlow::Node node) { + // `node` is an argument whose corresponding parameter name matches the pattern "pass%" + exists(CallExpr call, Function target, int argIndex, Variable v | + call.getStaticTarget() = target and + v.getParameter() = target.getParam(argIndex) and + v.getText().matches("pass%") and + call.getArg(argIndex) = node.asExpr().getExpr() + ) + } +} + +// instantiate the data flow configuration as a global taint tracking module +module ConstantPasswordFlow = TaintTracking::Global; + +// report flows from sources to sinks +from DataFlow::Node sourceNode, DataFlow::Node sinkNode +where ConstantPasswordFlow::flow(sourceNode, sinkNode) +select sinkNode, "The value $@ is used as a constant password.", sourceNode, sourceNode.toString() diff --git a/rust/ql/examples/snippets/simple_sql_injection.ql b/rust/ql/examples/snippets/simple_sql_injection.ql new file mode 100644 index 00000000000..0a991118a50 --- /dev/null +++ b/rust/ql/examples/snippets/simple_sql_injection.ql @@ -0,0 +1,39 @@ +/** + * @name Database query built from user-controlled sources + * @description Finds places where a value from a remote or local user input + * is used as the first argument of a call to `sqlx_core::query::query`. + * @id rust/examples/simple-sql-injection + * @tags example + */ + +import rust +import codeql.rust.dataflow.DataFlow +import codeql.rust.dataflow.TaintTracking +import codeql.rust.Concepts + +/** + * A data flow configuration for tracking flow from a user input (threat model + * source) to the first argument of a call to `sqlx_core::query::query`. + */ +module SqlInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { + // `node` is a user input (threat model source) + node instanceof ActiveThreatModelSource + } + + predicate isSink(DataFlow::Node node) { + // `node` is the first argument of a call to `sqlx_core::query::query` + exists(CallExpr call | + call.getStaticTarget().getCanonicalPath() = "sqlx_core::query::query" and + call.getArg(0) = node.asExpr().getExpr() + ) + } +} + +// instantiate the data flow configuration as a global taint tracking module +module SqlInjectionFlow = TaintTracking::Global; + +// report flows from sources to sinks +from DataFlow::Node sourceNode, DataFlow::Node sinkNode +where SqlInjectionFlow::flow(sourceNode, sinkNode) +select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value" diff --git a/rust/ql/src/change-notes/2025-11-07-example-queries.md b/rust/ql/src/change-notes/2025-11-07-example-queries.md new file mode 100644 index 00000000000..9e11d4e0a93 --- /dev/null +++ b/rust/ql/src/change-notes/2025-11-07-example-queries.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added three example queries (`rust/examples/empty-if`, `rust/examples/simple-sql-injection` and `rust/examples/simple-constant-password`) to help developers learn to write CodeQL queries for Rust.