diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md
index 5dec13e72b5..c458d28ec7d 100644
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 0.11.0
+
+### Breaking Changes
+
+* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
+
+### New Features
+
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.
+
+### Minor Analysis Improvements
+
+* More field accesses are identified as `ImplicitThisFieldAccess`.
+* Added support for new floating-point types in C23 and C++23.
+
 ## 0.10.1
 
 ### Minor Analysis Improvements
diff --git a/cpp/ql/lib/change-notes/2023-09-04-more-floating-point-types.md b/cpp/ql/lib/change-notes/2023-09-04-more-floating-point-types.md
deleted file mode 100644
index 9c30d6eddd8..00000000000
--- a/cpp/ql/lib/change-notes/2023-09-04-more-floating-point-types.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for new floating-point types in C23 and C++23.
diff --git a/cpp/ql/lib/change-notes/2023-10-12-additional-call-targets.md b/cpp/ql/lib/change-notes/2023-10-12-additional-call-targets.md
deleted file mode 100644
index f87fba1f172..00000000000
--- a/cpp/ql/lib/change-notes/2023-10-12-additional-call-targets.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a new class `AdditionalCallTarget` for specifying additional call targets.
diff --git a/cpp/ql/lib/change-notes/2023-10-20-implicit-this.md b/cpp/ql/lib/change-notes/2023-10-20-implicit-this.md
deleted file mode 100644
index 7d915e15849..00000000000
--- a/cpp/ql/lib/change-notes/2023-10-20-implicit-this.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* More field accesses are identified as `ImplicitThisFieldAccess`.
diff --git a/cpp/ql/lib/change-notes/2023-10-24-remove-getlocation-from-folder.md b/cpp/ql/lib/change-notes/2023-10-24-remove-getlocation-from-folder.md
deleted file mode 100644
index f2b168949a6..00000000000
--- a/cpp/ql/lib/change-notes/2023-10-24-remove-getlocation-from-folder.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: breaking
----
-* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
diff --git a/cpp/ql/lib/change-notes/released/0.11.0.md b/cpp/ql/lib/change-notes/released/0.11.0.md
new file mode 100644
index 00000000000..1e8ddaff040
--- /dev/null
+++ b/cpp/ql/lib/change-notes/released/0.11.0.md
@@ -0,0 +1,14 @@
+## 0.11.0
+
+### Breaking Changes
+
+* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
+
+### New Features
+
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.
+
+### Minor Analysis Improvements
+
+* More field accesses are identified as `ImplicitThisFieldAccess`.
+* Added support for new floating-point types in C23 and C++23.
diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml
index af7510b3cd6..fce68697d68 100644
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.10.1
+lastReleaseVersion: 0.11.0
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
index 06ce6589b7b..28a3d13cd58 100644
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.10.2-dev
+version: 0.11.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index 992e995094e..20bdf7afe45 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -44,11 +44,12 @@ private newtype TIRDataFlowNode =
 TIndirectArgumentOutNode(ArgumentOperand operand, int indirectionIndex) {
 Ssa::isModifiableByCall(operand, indirectionIndex)
 } or
- TRawIndirectOperand(Operand op, int indirectionIndex) {
- Ssa::hasRawIndirectOperand(op, indirectionIndex)
+ TRawIndirectOperand0(Node0Impl node, int indirectionIndex) {
+ Ssa::hasRawIndirectOperand(node.asOperand(), indirectionIndex)
 } or
- TRawIndirectInstruction(Instruction instr, int indirectionIndex) {
- Ssa::hasRawIndirectInstruction(instr, indirectionIndex)
+ TRawIndirectInstruction0(Node0Impl node, int indirectionIndex) {
+ not exists(node.asOperand()) and
+ Ssa::hasRawIndirectInstruction(node.asInstruction(), indirectionIndex)
 } or
 TFinalParameterNode(Parameter p, int indirectionIndex) {
 exists(Ssa::FinalParameterUse use |
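Review bot: The new conjunct `not exists(node.asOperand()) and` in `TRawIndirectInstruction0` is the only thing that keeps that branch disjoint from `TRawIndirectOperand0` for a `Node0Impl` that answers both `asOperand()` and `asInstruction()`, and nothing in the hunk records that intent. A one-line comment above it, `// Operand-backed nodes are already represented by TRawIndirectOperand0; keep the two branches disjoint.`, would stop a later edit from dropping it. Whether a `Node0Impl` can actually carry both views is not visible here, but if it can, this guard is what prevents the same indirect value from getting two distinct `Node` representatives. The `TIRDataFlowNode` newtype starts before this hunk.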
@@ -918,48 +919,146 @@ Type getTypeImpl(Type t, int indirectionIndex) {
 result instanceof UnknownType
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * A node that represents the indirect value of an operand in the IR
- * after `index` number of loads.
- */
-class RawIndirectOperand extends Node, TRawIndirectOperand {
- Operand operand;
- int indirectionIndex;
+private module RawIndirectNodes {
+ /**
+ * INTERNAL: Do not use.
+ *
+ * A node that represents the indirect value of an operand in the IR
+ * after `index` number of loads.
+ */
+ private class RawIndirectOperand0 extends Node, TRawIndirectOperand0 {
+ Node0Impl node;
+ int indirectionIndex;
 
- RawIndirectOperand() { this = TRawIndirectOperand(operand, indirectionIndex) }
+ RawIndirectOperand0() { this = TRawIndirectOperand0(node, indirectionIndex) }
 
- /** Gets the underlying instruction. */
- Operand getOperand() { result = operand }
+ /** Gets the underlying instruction. */
+ Operand getOperand() { result = node.asOperand() }
 
- /** Gets the underlying indirection index. */
- int getIndirectionIndex() { result = indirectionIndex }
+ /** Gets the underlying indirection index. 
 */
+ int getIndirectionIndex() { result = indirectionIndex }
 
- override Declaration getFunction() { result = this.getOperand().getDef().getEnclosingFunction() }
+ override Declaration getFunction() {
+ result = this.getOperand().getDef().getEnclosingFunction()
+ }
 
- override Declaration getEnclosingCallable() { result = this.getFunction() }
+ override Declaration getEnclosingCallable() { result = this.getFunction() }
 
- override DataFlowType getType() {
- exists(int sub, DataFlowType type, boolean isGLValue |
- type = getOperandType(operand, isGLValue) and
- if isGLValue = true then sub = 1 else sub = 0
- |
- result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
- )
+ override DataFlowType getType() {
+ exists(int sub, DataFlowType type, boolean isGLValue |
+ type = getOperandType(this.getOperand(), isGLValue) and
+ if isGLValue = true then sub = 1 else sub = 0
+ |
+ result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
+ )
+ }
+
+ final override Location getLocationImpl() {
+ if exists(this.getOperand().getLocation())
+ then result = this.getOperand().getLocation()
+ else result instanceof UnknownDefaultLocation
+ }
+
+ override string toStringImpl() {
+ result = operandNode(this.getOperand()).toStringImpl() + " indirection"
+ }
 }
 
- final override Location getLocationImpl() {
- if exists(this.getOperand().getLocation())
- then result = this.getOperand().getLocation()
- else result instanceof UnknownDefaultLocation
+ /**
+ * INTERNAL: Do not use.
+ *
+ * A node that represents the indirect value of an instruction in the IR
+ * after `index` number of loads.
+ */
+ private class RawIndirectInstruction0 extends Node, TRawIndirectInstruction0 {
+ Node0Impl node;
+ int indirectionIndex;
+
+ RawIndirectInstruction0() { this = TRawIndirectInstruction0(node, indirectionIndex) }
+
+ /** Gets the underlying instruction. */
+ Instruction getInstruction() { result = node.asInstruction() }
+
+ /** Gets the underlying indirection index. 
 */
+ int getIndirectionIndex() { result = indirectionIndex }
+
+ override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+
+ override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+ override DataFlowType getType() {
+ exists(int sub, DataFlowType type, boolean isGLValue |
+ type = getInstructionType(this.getInstruction(), isGLValue) and
+ if isGLValue = true then sub = 1 else sub = 0
+ |
+ result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
+ )
+ }
+
+ final override Location getLocationImpl() {
+ if exists(this.getInstruction().getLocation())
+ then result = this.getInstruction().getLocation()
+ else result instanceof UnknownDefaultLocation
+ }
+
+ override string toStringImpl() {
+ result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
+ }
 }
 
- override string toStringImpl() {
- result = operandNode(this.getOperand()).toStringImpl() + " indirection"
+ /**
+ * INTERNAL: Do not use.
+ *
+ * A node that represents the indirect value of an operand in the IR
+ * after a number of loads.
+ */
+ class RawIndirectOperand extends Node {
+ int indirectionIndex;
+ Operand operand;
+
+ RawIndirectOperand() {
+ exists(Node0Impl node | operand = node.asOperand() |
+ this = TRawIndirectOperand0(node, indirectionIndex)
+ or
+ this = TRawIndirectInstruction0(node, indirectionIndex)
+ )
+ }
+
+ /** Gets the operand associated with this node. */
+ Operand getOperand() { result = operand }
+
+ /** Gets the underlying indirection index. */
+ int getIndirectionIndex() { result = indirectionIndex }
+ }
+
+ /**
+ * INTERNAL: Do not use.
+ *
+ * A node that represents the indirect value of an instruction in the IR
+ * after a number of loads.
 */
+ class RawIndirectInstruction extends Node {
+ int indirectionIndex;
+ Instruction instr;
+
+ RawIndirectInstruction() {
+ exists(Node0Impl node | instr = node.asInstruction() |
+ this = TRawIndirectOperand0(node, indirectionIndex)
+ or
+ this = TRawIndirectInstruction0(node, indirectionIndex)
+ )
+ }
+
+ /** Gets the instruction associated with this node. */
+ Instruction getInstruction() { result = instr }
+
+ /** Gets the underlying indirection index. */
+ int getIndirectionIndex() { result = indirectionIndex }
 }
 }
+
+import RawIndirectNodes
+
 /**
 * INTERNAL: do not use.
 *
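Review bot: The doc comment on `getOperand()` in the new `RawIndirectOperand0` still reads `/** Gets the underlying instruction. */` although the member returns an `Operand`; it should be `/** Gets the underlying operand. */`, and both private classes' docs say "after `index` number of loads" while the field is named `indirectionIndex`. Separately, the disjunct `this = TRawIndirectInstruction0(node, indirectionIndex)` in the `RawIndirectOperand` charpred sits under `operand = node.asOperand()`, yet the `TRawIndirectInstruction0` branch of the newtype (hunk at -44) requires `not exists(node.asOperand())`, so that disjunct can never hold; either drop it or comment that it is kept only for symmetry with `RawIndirectInstruction`. If a `Node0Impl` can carry both views, one `TRawIndirectOperand0` value is now both a `RawIndirectOperand` and a `RawIndirectInstruction`, which appears to be what motivates the `nodeFrom != nodeTo` guards added further down; the `RawIndirectNodes` module comment should say so explicitly.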
@@ -1021,48 +1120,6 @@ class UninitializedNode extends Node {
 LocalVariable getLocalVariable() { result = v }
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * A node that represents the indirect value of an instruction in the IR
- * after `index` number of loads.
- */
-class RawIndirectInstruction extends Node, TRawIndirectInstruction {
- Instruction instr;
- int indirectionIndex;
-
- RawIndirectInstruction() { this = TRawIndirectInstruction(instr, indirectionIndex) }
-
- /** Gets the underlying instruction. */
- Instruction getInstruction() { result = instr }
-
- /** Gets the underlying indirection index. */
- int getIndirectionIndex() { result = indirectionIndex }
-
- override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
-
- override Declaration getEnclosingCallable() { result = this.getFunction() }
-
- override DataFlowType getType() {
- exists(int sub, DataFlowType type, boolean isGLValue |
- type = getInstructionType(instr, isGLValue) and
- if isGLValue = true then sub = 1 else sub = 0
- |
- result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
- )
- }
-
- final override Location getLocationImpl() {
- if exists(this.getInstruction().getLocation())
- then result = this.getInstruction().getLocation()
- else result instanceof UnknownDefaultLocation
- }
-
- override string toStringImpl() {
- result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
- }
-}
-
 private module GetConvertedResultExpression {
 private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
 private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
@@ -1600,26 +1657,29 @@ private module Cached {
 predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFrom, nodeTo) }
 
 private predicate indirectionOperandFlow(RawIndirectOperand nodeFrom, Node nodeTo) {
- // Reduce the indirection count by 1 if we're passing through a `LoadInstruction`.
- exists(int ind, LoadInstruction load |
- hasOperandAndIndex(nodeFrom, load.getSourceAddressOperand(), ind) and
- nodeHasInstruction(nodeTo, load, ind - 1)
- )
- or
- // If an operand flows to an instruction, then the indirection of
- // the operand also flows to the indirection of the instruction.
- exists(Operand operand, Instruction instr, int indirectionIndex |
- simpleInstructionLocalFlowStep(operand, instr) and
- hasOperandAndIndex(nodeFrom, operand, pragma[only_bind_into](indirectionIndex)) and
- hasInstructionAndIndex(nodeTo, instr, pragma[only_bind_into](indirectionIndex))
- )
- or
- // If there's indirect flow to an operand, then there's also indirect
- // flow to the operand after applying some pointer arithmetic.
- exists(PointerArithmeticInstruction pointerArith, int indirectionIndex |
- hasOperandAndIndex(nodeFrom, pointerArith.getAnOperand(),
- pragma[only_bind_into](indirectionIndex)) and
- hasInstructionAndIndex(nodeTo, pointerArith, pragma[only_bind_into](indirectionIndex))
+ nodeFrom != nodeTo and
+ (
+ // Reduce the indirection count by 1 if we're passing through a `LoadInstruction`.
+ exists(int ind, LoadInstruction load |
+ hasOperandAndIndex(nodeFrom, load.getSourceAddressOperand(), ind) and
+ nodeHasInstruction(nodeTo, load, ind - 1)
+ )
+ or
+ // If an operand flows to an instruction, then the indirection of
+ // the operand also flows to the indirection of the instruction.
+ exists(Operand operand, Instruction instr, int indirectionIndex |
+ simpleInstructionLocalFlowStep(operand, instr) and
+ hasOperandAndIndex(nodeFrom, operand, pragma[only_bind_into](indirectionIndex)) and
+ hasInstructionAndIndex(nodeTo, instr, pragma[only_bind_into](indirectionIndex))
+ )
+ or
+ // If there's indirect flow to an operand, then there's also indirect
+ // flow to the operand after applying some pointer arithmetic.
+ exists(PointerArithmeticInstruction pointerArith, int indirectionIndex |
+ hasOperandAndIndex(nodeFrom, pointerArith.getAnOperand(),
+ pragma[only_bind_into](indirectionIndex)) and
+ hasInstructionAndIndex(nodeTo, pointerArith, pragma[only_bind_into](indirectionIndex))
+ )
 )
 }
 
@@ -1645,6 +1705,7 @@ private module Cached {
 private predicate indirectionInstructionFlow(
 RawIndirectInstruction nodeFrom, IndirectOperand nodeTo
 ) {
+ nodeFrom != nodeTo and
 // If there's flow from an instruction to an operand, then there's also flow from the
 // indirect instruction to the indirect operand.
 exists(Operand operand, Instruction instr, int indirectionIndex |
diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
index b5fba0867ac..487feb533c4 100644
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.8.2
+
+No user-facing changes.
+
 ## 0.8.1
 
 ### New Queries
diff --git a/cpp/ql/src/change-notes/released/0.8.2.md b/cpp/ql/src/change-notes/released/0.8.2.md
new file mode 100644
index 00000000000..11c1f6119a5
--- /dev/null
+++ b/cpp/ql/src/change-notes/released/0.8.2.md
@@ -0,0 +1,3 @@
+## 0.8.2
+
+No user-facing changes.
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml
index 2f693f95ba6..404110129dc 100644
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.1
+lastReleaseVersion: 0.8.2
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
index ae91e0bd858..7f07ad77a21 100644
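Review bot: The new `nodeFrom != nodeTo and` guard at the top of `indirectionOperandFlow` has no comment saying which self-step it rules out, and the identical guard added to `indirectionInstructionFlow` in the hunk at -1645 is just as bare. Presumably a raw indirect node that is both an operand view and an instruction view of the same underlying value could otherwise step to itself, which would match the self-edges this commit removes from the `.expected` files; a comment such as `// A raw indirect node can be both an operand and an instruction view of one value; never step from a node to itself.` would record that. Placing the guard once outside the disjunction is fine, but only the first occurrence needs the explanation, with the second pointing at it. `indirectionOperandFlow` closes inside this hunk, while `indirectionInstructionFlow` continues past its hunk.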
--- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 0.8.2-dev +version: 0.8.3-dev groups: - cpp - queries diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected index 15a601b27f0..c46629218fd 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected @@ -29,7 +29,6 @@ edges | test.cpp:69:10:69:10 | arr indirection [post update] [p] | test.cpp:70:5:70:7 | arr indirection [p] | | test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... | | test.cpp:70:5:70:7 | arr indirection [p] | test.cpp:67:10:67:19 | mk_array_p indirection [p] | -| test.cpp:70:5:70:7 | arr indirection [p] | test.cpp:70:5:70:7 | arr indirection [p] | | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:79:9:79:11 | arr indirection [p] | | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:83:9:83:11 | arr indirection [p] | | test.cpp:79:9:79:11 | arr indirection [p] | test.cpp:79:14:79:14 | p | diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected index f6284e9713a..0f5ccbe3f7e 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected 
@@ -83,7 +83,6 @@ edges | A.cpp:152:10:152:10 | d indirection [b] | A.cpp:152:10:152:13 | b | | A.cpp:153:10:153:10 | d indirection [b indirection, c] | A.cpp:153:13:153:13 | b indirection [c] | | A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:10:153:16 | c | -| A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:13:153:13 | b indirection [c] | | A.cpp:154:10:154:10 | b indirection [c] | A.cpp:154:10:154:13 | c | | A.cpp:159:12:159:18 | new | A.cpp:160:29:160:29 | b | | A.cpp:160:18:160:60 | call to MyList [head] | A.cpp:161:38:161:39 | l1 indirection [head] | @@ -97,10 +96,8 @@ edges | A.cpp:162:38:162:39 | l2 indirection [next indirection, head] | A.cpp:162:18:162:40 | call to MyList [next indirection, next indirection, head] | | A.cpp:162:38:162:39 | l2 indirection [next indirection, head] | A.cpp:181:32:181:35 | next indirection [next indirection, head] | | A.cpp:165:10:165:11 | l3 indirection [next indirection, next indirection, head] | A.cpp:165:14:165:17 | next indirection [next indirection, head] | -| A.cpp:165:14:165:17 | next indirection [next indirection, head] | A.cpp:165:14:165:17 | next indirection [next indirection, head] | | A.cpp:165:14:165:17 | next indirection [next indirection, head] | A.cpp:165:20:165:23 | next indirection [head] | | A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:10:165:29 | head | -| A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:20:165:23 | next indirection [head] | | A.cpp:167:44:167:44 | l indirection [next indirection, head] | A.cpp:167:47:167:50 | next indirection [head] | | A.cpp:167:44:167:44 | l indirection [next indirection, next indirection, head] | A.cpp:167:47:167:50 | next indirection [next indirection, head] | | A.cpp:167:47:167:50 | next indirection [head] | A.cpp:169:12:169:12 | l indirection [head] | 
@@ -121,7 +118,6 @@ edges | B.cpp:8:25:8:26 | b1 indirection [elem1] | B.cpp:44:16:44:17 | b1 indirection [elem1] | | B.cpp:9:10:9:11 | b2 indirection [box1 indirection, elem1] | B.cpp:9:14:9:17 | box1 indirection [elem1] | | B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:10:9:24 | elem1 | -| B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:14:9:17 | box1 indirection [elem1] | | B.cpp:15:15:15:27 | new | B.cpp:16:37:16:37 | e | | B.cpp:16:16:16:38 | call to Box1 [elem2] | B.cpp:17:25:17:26 | b1 indirection [elem2] | | B.cpp:16:37:16:37 | e | B.cpp:16:16:16:38 | call to Box1 [elem2] | @@ -131,7 +127,6 @@ edges | B.cpp:17:25:17:26 | b1 indirection [elem2] | B.cpp:44:16:44:17 | b1 indirection [elem2] | | B.cpp:19:10:19:11 | b2 indirection [box1 indirection, elem2] | B.cpp:19:14:19:17 | box1 indirection [elem2] | | B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:10:19:24 | elem2 | -| B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:14:19:17 | box1 indirection [elem2] | | B.cpp:33:16:33:17 | e1 | B.cpp:35:7:35:22 | ... = ... | | B.cpp:33:26:33:27 | e2 | B.cpp:36:7:36:22 | ... = ... | | B.cpp:35:7:35:22 | ... = ... | B.cpp:35:13:35:17 | this indirection [post update] [elem1] | 
@@ -196,17 +191,12 @@ edges | D.cpp:58:20:58:23 | box indirection [post update] [elem] | D.cpp:58:15:58:17 | boxfield indirection [post update] [box indirection, elem] | | D.cpp:59:5:59:7 | this indirection [boxfield indirection, box indirection, elem] | D.cpp:63:8:63:10 | this indirection [boxfield indirection, box indirection, elem] | | D.cpp:63:8:63:10 | this indirection [boxfield indirection, box indirection, elem] | D.cpp:64:10:64:17 | this indirection [boxfield indirection, box indirection, elem] | -| D.cpp:64:10:64:17 | boxfield indirection [box indirection, elem] | D.cpp:64:10:64:17 | boxfield indirection [box indirection, elem] | | D.cpp:64:10:64:17 | boxfield indirection [box indirection, elem] | D.cpp:64:20:64:22 | box indirection [elem] | | D.cpp:64:10:64:17 | this indirection [boxfield indirection, box indirection, elem] | D.cpp:64:10:64:17 | boxfield indirection [box indirection, elem] | | D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:10:64:28 | elem | -| D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:20:64:22 | box indirection [elem] | | E.cpp:19:27:19:27 | p indirection [data, buffer indirection] | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] | | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] | E.cpp:21:13:21:16 | data indirection [buffer indirection] | | E.cpp:21:13:21:16 | data indirection [buffer indirection] | E.cpp:21:18:21:23 | buffer indirection | -| E.cpp:21:13:21:16 | data indirection [buffer indirection] | E.cpp:21:18:21:23 | buffer indirection | -| E.cpp:21:18:21:23 | buffer indirection | E.cpp:21:18:21:23 | buffer indirection | -| E.cpp:21:18:21:23 | buffer indirection | E.cpp:21:18:21:23 | buffer indirection | | E.cpp:28:21:28:23 | argument_source output argument | E.cpp:31:10:31:12 | raw indirection | | E.cpp:29:21:29:29 | argument_source output argument | E.cpp:29:24:29:29 | b indirection [post update] [buffer indirection] | | E.cpp:29:24:29:29 | b indirection [post update] [buffer 
indirection] | E.cpp:32:10:32:10 | b indirection [buffer indirection] | @@ -214,9 +204,6 @@ edges | E.cpp:30:23:30:26 | p indirection [post update] [data, buffer indirection] | E.cpp:33:18:33:19 | & ... indirection [data, buffer indirection] | | E.cpp:30:28:30:33 | data indirection [post update] [buffer indirection] | E.cpp:30:23:30:26 | p indirection [post update] [data, buffer indirection] | | E.cpp:32:10:32:10 | b indirection [buffer indirection] | E.cpp:32:13:32:18 | buffer indirection | -| E.cpp:32:10:32:10 | b indirection [buffer indirection] | E.cpp:32:13:32:18 | buffer indirection | -| E.cpp:32:13:32:18 | buffer indirection | E.cpp:32:13:32:18 | buffer indirection | -| E.cpp:32:13:32:18 | buffer indirection | E.cpp:32:13:32:18 | buffer indirection | | E.cpp:33:18:33:19 | & ... indirection [data, buffer indirection] | E.cpp:19:27:19:27 | p indirection [data, buffer indirection] | | aliasing.cpp:9:3:9:22 | ... = ... | aliasing.cpp:9:6:9:7 | s indirection [post update] [m1] | | aliasing.cpp:9:6:9:7 | s indirection [post update] [m1] | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | 
@@ -311,11 +298,9 @@ edges | arrays.cpp:43:8:43:8 | o indirection [indirect indirection, arr, data] | arrays.cpp:43:10:43:17 | indirect indirection [arr, data] | | arrays.cpp:43:8:43:25 | access to array indirection [data] | arrays.cpp:43:27:43:30 | data | | arrays.cpp:43:10:43:17 | indirect indirection [arr, data] | arrays.cpp:43:8:43:25 | access to array indirection [data] | -| arrays.cpp:43:10:43:17 | indirect indirection [arr, data] | arrays.cpp:43:10:43:17 | indirect indirection [arr, data] | | arrays.cpp:44:8:44:8 | o indirection [indirect indirection, arr, data] | arrays.cpp:44:10:44:17 | indirect indirection [arr, data] | | arrays.cpp:44:8:44:25 | access to array indirection [data] | arrays.cpp:44:27:44:30 | data | | arrays.cpp:44:10:44:17 | indirect indirection [arr, data] | arrays.cpp:44:8:44:25 | access to array indirection [data] | -| arrays.cpp:44:10:44:17 | indirect indirection [arr, data] | arrays.cpp:44:10:44:17 | indirect indirection [arr, data] | | arrays.cpp:48:3:48:40 | ... = ... | arrays.cpp:48:22:48:25 | access to array indirection [post update] [data] | | arrays.cpp:48:5:48:12 | o indirection [post update] [indirect indirection, ptr indirection, data] | arrays.cpp:49:8:49:8 | o indirection [indirect indirection, ptr indirection, data] | | arrays.cpp:48:5:48:12 | o indirection [post update] [indirect indirection, ptr indirection, data] | arrays.cpp:50:8:50:8 | o indirection [indirect indirection, ptr indirection, data] | 
@@ -325,13 +310,11 @@ edges | arrays.cpp:49:8:49:8 | o indirection [indirect indirection, ptr indirection, data] | arrays.cpp:49:10:49:17 | indirect indirection [ptr indirection, data] | | arrays.cpp:49:8:49:25 | access to array indirection [data] | arrays.cpp:49:27:49:30 | data | | arrays.cpp:49:10:49:17 | indirect indirection [ptr indirection, data] | arrays.cpp:49:8:49:25 | access to array indirection [data] | -| arrays.cpp:49:10:49:17 | indirect indirection [ptr indirection, data] | arrays.cpp:49:10:49:17 | indirect indirection [ptr indirection, data] | | arrays.cpp:49:10:49:17 | indirect indirection [ptr indirection, data] | arrays.cpp:49:20:49:22 | ptr indirection [data] | | arrays.cpp:49:20:49:22 | ptr indirection [data] | arrays.cpp:49:8:49:25 | access to array indirection [data] | | arrays.cpp:50:8:50:8 | o indirection [indirect indirection, ptr indirection, data] | arrays.cpp:50:10:50:17 | indirect indirection [ptr indirection, data] | | arrays.cpp:50:8:50:25 | access to array indirection [data] | arrays.cpp:50:27:50:30 | data | | arrays.cpp:50:10:50:17 | indirect indirection [ptr indirection, data] | arrays.cpp:50:8:50:25 | access to array indirection [data] | -| arrays.cpp:50:10:50:17 | indirect indirection [ptr indirection, data] | arrays.cpp:50:10:50:17 | indirect indirection [ptr indirection, data] | | arrays.cpp:50:10:50:17 | indirect indirection [ptr indirection, data] | arrays.cpp:50:20:50:22 | ptr indirection [data] | | arrays.cpp:50:20:50:22 | ptr indirection [data] | arrays.cpp:50:8:50:25 | access to array indirection [data] | | by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:5:12:16 | ... = ... | 
@@ -411,13 +394,11 @@ edges | by_reference.cpp:110:8:110:12 | outer indirection [inner_nested, a] | by_reference.cpp:110:14:110:25 | inner_nested indirection [a] | | by_reference.cpp:110:14:110:25 | inner_nested indirection [a] | by_reference.cpp:110:27:110:27 | a | | by_reference.cpp:111:8:111:12 | outer indirection [inner_ptr indirection, a] | by_reference.cpp:111:14:111:22 | inner_ptr indirection [a] | -| by_reference.cpp:111:14:111:22 | inner_ptr indirection [a] | by_reference.cpp:111:14:111:22 | inner_ptr indirection [a] | | by_reference.cpp:111:14:111:22 | inner_ptr indirection [a] | by_reference.cpp:111:25:111:25 | a | | by_reference.cpp:112:8:112:12 | outer indirection [a] | by_reference.cpp:112:14:112:14 | a | | by_reference.cpp:114:8:114:13 | pouter indirection [inner_nested, a] | by_reference.cpp:114:16:114:27 | inner_nested indirection [a] | | by_reference.cpp:114:16:114:27 | inner_nested indirection [a] | by_reference.cpp:114:29:114:29 | a | | by_reference.cpp:115:8:115:13 | pouter indirection [inner_ptr indirection, a] | by_reference.cpp:115:16:115:24 | inner_ptr indirection [a] | -| by_reference.cpp:115:16:115:24 | inner_ptr indirection [a] | by_reference.cpp:115:16:115:24 | inner_ptr indirection [a] | | by_reference.cpp:115:16:115:24 | inner_ptr indirection [a] | by_reference.cpp:115:27:115:27 | a | | by_reference.cpp:116:8:116:13 | pouter indirection [a] | by_reference.cpp:116:16:116:16 | a | | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | by_reference.cpp:122:27:122:38 | outer indirection [post update] [inner_nested, a] | 
@@ -435,13 +416,11 @@ edges | by_reference.cpp:130:8:130:12 | outer indirection [inner_nested, a] | by_reference.cpp:130:14:130:25 | inner_nested indirection [a] | | by_reference.cpp:130:14:130:25 | inner_nested indirection [a] | by_reference.cpp:130:27:130:27 | a | | by_reference.cpp:131:8:131:12 | outer indirection [inner_ptr indirection, a] | by_reference.cpp:131:14:131:22 | inner_ptr indirection [a] | -| by_reference.cpp:131:14:131:22 | inner_ptr indirection [a] | by_reference.cpp:131:14:131:22 | inner_ptr indirection [a] | | by_reference.cpp:131:14:131:22 | inner_ptr indirection [a] | by_reference.cpp:131:25:131:25 | a | | by_reference.cpp:132:8:132:12 | outer indirection [a] | by_reference.cpp:132:14:132:14 | a | | by_reference.cpp:134:8:134:13 | pouter indirection [inner_nested, a] | by_reference.cpp:134:16:134:27 | inner_nested indirection [a] | | by_reference.cpp:134:16:134:27 | inner_nested indirection [a] | by_reference.cpp:134:29:134:29 | a | | by_reference.cpp:135:8:135:13 | pouter indirection [inner_ptr indirection, a] | by_reference.cpp:135:16:135:24 | inner_ptr indirection [a] | -| by_reference.cpp:135:16:135:24 | inner_ptr indirection [a] | by_reference.cpp:135:16:135:24 | inner_ptr indirection [a] | | by_reference.cpp:135:16:135:24 | inner_ptr indirection [a] | by_reference.cpp:135:27:135:27 | a | | by_reference.cpp:136:8:136:13 | pouter indirection [a] | by_reference.cpp:136:16:136:16 | a | | clearning.cpp:32:3:32:25 | ... = ... | clearning.cpp:32:6:32:6 | s indirection [post update] [x indirection] | 
@@ -460,9 +439,6 @@ edges | clearning.cpp:54:5:54:5 | s indirection [post update] [x indirection] | clearning.cpp:55:8:55:8 | s indirection [x indirection] | | clearning.cpp:54:5:54:5 | x indirection | clearning.cpp:54:3:54:7 | ... ++ indirection | | clearning.cpp:55:8:55:8 | s indirection [x indirection] | clearning.cpp:55:10:55:10 | x indirection | -| clearning.cpp:55:8:55:8 | s indirection [x indirection] | clearning.cpp:55:10:55:10 | x indirection | -| clearning.cpp:55:10:55:10 | x indirection | clearning.cpp:55:10:55:10 | x indirection | -| clearning.cpp:55:10:55:10 | x indirection | clearning.cpp:55:10:55:10 | x indirection | | clearning.cpp:60:3:60:22 | ... = ... | clearning.cpp:60:7:60:7 | s indirection [post update] [x indirection] | | clearning.cpp:60:7:60:7 | s indirection [post update] [x indirection] | clearning.cpp:61:3:61:3 | s indirection [x indirection] | | clearning.cpp:60:11:60:20 | call to user_input | clearning.cpp:60:3:60:22 | ... = ... | @@ -474,9 +450,6 @@ edges | clearning.cpp:61:5:61:5 | s indirection [post update] [x indirection] | clearning.cpp:62:8:62:8 | s indirection [x indirection] | | clearning.cpp:61:5:61:5 | x indirection | clearning.cpp:61:3:61:7 | ... ++ indirection | | clearning.cpp:62:8:62:8 | s indirection [x indirection] | clearning.cpp:62:10:62:10 | x indirection | -| clearning.cpp:62:8:62:8 | s indirection [x indirection] | clearning.cpp:62:10:62:10 | x indirection | -| clearning.cpp:62:10:62:10 | x indirection | clearning.cpp:62:10:62:10 | x indirection | -| clearning.cpp:62:10:62:10 | x indirection | clearning.cpp:62:10:62:10 | x indirection | | clearning.cpp:74:20:74:22 | argument_source output argument | clearning.cpp:74:20:74:22 | s indirection [post update] [val indirection] | | clearning.cpp:74:20:74:22 | s indirection [post update] [val indirection] | clearning.cpp:76:8:76:8 | s indirection [val indirection] | | clearning.cpp:76:8:76:8 | s indirection [val indirection] | clearning.cpp:76:7:76:12 | * ... | 
@@ -620,14 +593,12 @@ edges | conflated.cpp:54:13:54:13 | next indirection [post update] [y] | conflated.cpp:54:7:54:10 | ll indirection [post update] [next indirection, y] | | conflated.cpp:54:17:54:26 | call to user_input | conflated.cpp:54:3:54:28 | ... = ... | | conflated.cpp:55:8:55:9 | ll indirection [next indirection, y] | conflated.cpp:55:12:55:15 | next indirection [y] | -| conflated.cpp:55:12:55:15 | next indirection [y] | conflated.cpp:55:12:55:15 | next indirection [y] | | conflated.cpp:55:12:55:15 | next indirection [y] | conflated.cpp:55:18:55:18 | y | | conflated.cpp:60:3:60:28 | ... = ... | conflated.cpp:60:13:60:13 | next indirection [post update] [y] | | conflated.cpp:60:7:60:10 | ll indirection [post update] [next indirection, y] | conflated.cpp:61:8:61:9 | ll indirection [next indirection, y] | | conflated.cpp:60:13:60:13 | next indirection [post update] [y] | conflated.cpp:60:7:60:10 | ll indirection [post update] [next indirection, y] | | conflated.cpp:60:17:60:26 | call to user_input | conflated.cpp:60:3:60:28 | ... = ... | | conflated.cpp:61:8:61:9 | ll indirection [next indirection, y] | conflated.cpp:61:12:61:15 | next indirection [y] | -| conflated.cpp:61:12:61:15 | next indirection [y] | conflated.cpp:61:12:61:15 | next indirection [y] | | conflated.cpp:61:12:61:15 | next indirection [y] | conflated.cpp:61:18:61:18 | y | | constructors.cpp:18:9:18:9 | this indirection [a_] | constructors.cpp:18:22:18:23 | this indirection [a_] | | constructors.cpp:18:22:18:23 | a_ | constructors.cpp:18:9:18:9 | a indirection | 
@@ -672,42 +643,36 @@ edges | qualifiers.cpp:22:23:22:23 | call to getInner indirection [post update] [a] | qualifiers.cpp:22:5:22:9 | getInner output argument [inner indirection, a] | | qualifiers.cpp:22:27:22:36 | call to user_input | qualifiers.cpp:22:5:22:38 | ... = ... | | qualifiers.cpp:23:10:23:14 | outer indirection [inner indirection, a] | qualifiers.cpp:23:16:23:20 | inner indirection [a] | -| qualifiers.cpp:23:16:23:20 | inner indirection [a] | qualifiers.cpp:23:16:23:20 | inner indirection [a] | | qualifiers.cpp:23:16:23:20 | inner indirection [a] | qualifiers.cpp:23:23:23:23 | a | | qualifiers.cpp:27:5:27:9 | getInner output argument [inner indirection, a] | qualifiers.cpp:28:10:28:14 | outer indirection [inner indirection, a] | | qualifiers.cpp:27:11:27:18 | setA output argument [a] | qualifiers.cpp:27:5:27:9 | getInner output argument [inner indirection, a] | | qualifiers.cpp:27:28:27:37 | call to user_input | qualifiers.cpp:9:21:9:25 | value | | qualifiers.cpp:27:28:27:37 | call to user_input | qualifiers.cpp:27:11:27:18 | setA output argument [a] | | qualifiers.cpp:28:10:28:14 | outer indirection [inner indirection, a] | qualifiers.cpp:28:16:28:20 | inner indirection [a] | -| qualifiers.cpp:28:16:28:20 | inner indirection [a] | qualifiers.cpp:28:16:28:20 | inner indirection [a] | | qualifiers.cpp:28:16:28:20 | inner indirection [a] | qualifiers.cpp:28:23:28:23 | a | | qualifiers.cpp:32:17:32:21 | getInner output argument [inner indirection, a] | qualifiers.cpp:33:10:33:14 | outer indirection [inner indirection, a] | | qualifiers.cpp:32:23:32:30 | pointerSetA output argument [a] | qualifiers.cpp:32:17:32:21 | getInner output argument [inner indirection, a] | | qualifiers.cpp:32:35:32:44 | call to user_input | qualifiers.cpp:12:40:12:44 | value | | qualifiers.cpp:32:35:32:44 | call to user_input | qualifiers.cpp:32:23:32:30 | pointerSetA output argument [a] | | qualifiers.cpp:33:10:33:14 | outer indirection [inner indirection, a] | 
qualifiers.cpp:33:16:33:20 | inner indirection [a] | -| qualifiers.cpp:33:16:33:20 | inner indirection [a] | qualifiers.cpp:33:16:33:20 | inner indirection [a] | | qualifiers.cpp:33:16:33:20 | inner indirection [a] | qualifiers.cpp:33:23:33:23 | a | | qualifiers.cpp:37:19:37:35 | referenceSetA output argument [a] | qualifiers.cpp:37:20:37:24 | getInner output argument [inner indirection, a] | | qualifiers.cpp:37:20:37:24 | getInner output argument [inner indirection, a] | qualifiers.cpp:38:10:38:14 | outer indirection [inner indirection, a] | | qualifiers.cpp:37:38:37:47 | call to user_input | qualifiers.cpp:13:42:13:46 | value | | qualifiers.cpp:37:38:37:47 | call to user_input | qualifiers.cpp:37:19:37:35 | referenceSetA output argument [a] | | qualifiers.cpp:38:10:38:14 | outer indirection [inner indirection, a] | qualifiers.cpp:38:16:38:20 | inner indirection [a] | -| qualifiers.cpp:38:16:38:20 | inner indirection [a] | qualifiers.cpp:38:16:38:20 | inner indirection [a] | | qualifiers.cpp:38:16:38:20 | inner indirection [a] | qualifiers.cpp:38:23:38:23 | a | | qualifiers.cpp:42:5:42:40 | ... = ... | qualifiers.cpp:42:25:42:25 | * ... indirection [post update] [a] | | qualifiers.cpp:42:7:42:11 | getInner output argument [inner indirection, a] | qualifiers.cpp:43:10:43:14 | outer indirection [inner indirection, a] | | qualifiers.cpp:42:25:42:25 | * ... indirection [post update] [a] | qualifiers.cpp:42:7:42:11 | getInner output argument [inner indirection, a] | | qualifiers.cpp:42:29:42:38 | call to user_input | qualifiers.cpp:42:5:42:40 | ... = ... | | qualifiers.cpp:43:10:43:14 | outer indirection [inner indirection, a] | qualifiers.cpp:43:16:43:20 | inner indirection [a] | -| qualifiers.cpp:43:16:43:20 | inner indirection [a] | qualifiers.cpp:43:16:43:20 | inner indirection [a] | | qualifiers.cpp:43:16:43:20 | inner indirection [a] | qualifiers.cpp:43:23:43:23 | a | | qualifiers.cpp:47:5:47:42 | ... = ... 
| qualifiers.cpp:47:27:47:27 | call to getInner indirection [post update] [a] | | qualifiers.cpp:47:6:47:11 | getInner output argument [inner indirection, a] | qualifiers.cpp:48:10:48:14 | outer indirection [inner indirection, a] | | qualifiers.cpp:47:27:47:27 | call to getInner indirection [post update] [a] | qualifiers.cpp:47:6:47:11 | getInner output argument [inner indirection, a] | | qualifiers.cpp:47:31:47:40 | call to user_input | qualifiers.cpp:47:5:47:42 | ... = ... | | qualifiers.cpp:48:10:48:14 | outer indirection [inner indirection, a] | qualifiers.cpp:48:16:48:20 | inner indirection [a] | -| qualifiers.cpp:48:16:48:20 | inner indirection [a] | qualifiers.cpp:48:16:48:20 | inner indirection [a] | | qualifiers.cpp:48:16:48:20 | inner indirection [a] | qualifiers.cpp:48:23:48:23 | a | | realistic.cpp:53:9:53:66 | ... = ... | realistic.cpp:53:35:53:43 | userInput indirection [post update] [bufferLen] | | realistic.cpp:53:13:53:15 | foo indirection [post update] [bar, baz indirection, userInput, bufferLen] | realistic.cpp:61:21:61:23 | foo indirection [bar, baz indirection, userInput, bufferLen] | 
@@ -717,7 +682,6 @@ edges | realistic.cpp:53:47:53:66 | call to user_input | realistic.cpp:53:9:53:66 | ... = ... | | realistic.cpp:61:21:61:23 | foo indirection [bar, baz indirection, userInput, bufferLen] | realistic.cpp:61:21:61:30 | access to array indirection [baz indirection, userInput, bufferLen] | | realistic.cpp:61:21:61:30 | access to array indirection [baz indirection, userInput, bufferLen] | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | -| realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | | realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | realistic.cpp:61:14:61:55 | bufferLen | | simple.cpp:18:9:18:9 | this indirection [a_] | simple.cpp:18:22:18:23 | this indirection [a_] | @@ -796,7 +760,6 @@ edges | struct_init.c:31:8:31:12 | outer indirection [nestedAB, a] | struct_init.c:31:14:31:21 | nestedAB indirection [a] | | struct_init.c:31:14:31:21 | nestedAB indirection [a] | struct_init.c:31:23:31:23 | a | | struct_init.c:33:8:33:12 | outer indirection [pointerAB indirection, a] | struct_init.c:33:14:33:22 | pointerAB indirection [a] | -| struct_init.c:33:14:33:22 | pointerAB indirection [a] | struct_init.c:33:14:33:22 | pointerAB indirection [a] | | struct_init.c:33:14:33:22 | pointerAB indirection [a] | struct_init.c:33:25:33:25 | a | | struct_init.c:36:10:36:24 | & ... indirection [a] | struct_init.c:14:24:14:25 | ab indirection [a] | | struct_init.c:36:11:36:15 | outer indirection [nestedAB, a] | struct_init.c:36:10:36:24 | & ... indirection [a] | 
@@ -808,7 +771,6 @@ edges | struct_init.c:43:5:43:7 | & ... indirection [a] | struct_init.c:41:23:44:3 | definition of outer indirection [post update] [pointerAB indirection, a] | | struct_init.c:46:10:46:14 | outer indirection [pointerAB indirection, a] | struct_init.c:46:16:46:24 | pointerAB indirection [a] | | struct_init.c:46:16:46:24 | pointerAB indirection [a] | struct_init.c:14:24:14:25 | ab indirection [a] | -| struct_init.c:46:16:46:24 | pointerAB indirection [a] | struct_init.c:46:16:46:24 | pointerAB indirection [a] | nodes | A.cpp:23:10:23:10 | c | semmle.label | c | | A.cpp:25:7:25:17 | ... = ... | semmle.label | ... = ... | @@ -1019,7 +981,6 @@ nodes | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] | semmle.label | p indirection [data, buffer indirection] | | E.cpp:21:13:21:16 | data indirection [buffer indirection] | semmle.label | data indirection [buffer indirection] | | E.cpp:21:18:21:23 | buffer indirection | semmle.label | buffer indirection | -| E.cpp:21:18:21:23 | buffer indirection | semmle.label | buffer indirection | | E.cpp:28:21:28:23 | argument_source output argument | semmle.label | argument_source output argument | | E.cpp:29:21:29:29 | argument_source output argument | semmle.label | argument_source output argument | | E.cpp:29:24:29:29 | b indirection [post update] [buffer indirection] | semmle.label | b indirection [post update] [buffer indirection] | 
@@ -1029,7 +990,6 @@ nodes | E.cpp:31:10:31:12 | raw indirection | semmle.label | raw indirection | | E.cpp:32:10:32:10 | b indirection [buffer indirection] | semmle.label | b indirection [buffer indirection] | | E.cpp:32:13:32:18 | buffer indirection | semmle.label | buffer indirection | -| E.cpp:32:13:32:18 | buffer indirection | semmle.label | buffer indirection | | E.cpp:33:18:33:19 | & ... indirection [data, buffer indirection] | semmle.label | & ... indirection [data, buffer indirection] | | aliasing.cpp:9:3:9:22 | ... = ... | semmle.label | ... = ... | | aliasing.cpp:9:6:9:7 | s indirection [post update] [m1] | semmle.label | s indirection [post update] [m1] | @@ -1277,7 +1237,6 @@ nodes | clearning.cpp:54:5:54:5 | x indirection | semmle.label | x indirection | | clearning.cpp:55:8:55:8 | s indirection [x indirection] | semmle.label | s indirection [x indirection] | | clearning.cpp:55:10:55:10 | x indirection | semmle.label | x indirection | -| clearning.cpp:55:10:55:10 | x indirection | semmle.label | x indirection | | clearning.cpp:60:3:60:22 | ... = ... | semmle.label | ... = ... | | clearning.cpp:60:7:60:7 | s indirection [post update] [x indirection] | semmle.label | s indirection [post update] [x indirection] | | clearning.cpp:60:11:60:20 | call to user_input | semmle.label | call to user_input | 
@@ -1288,7 +1247,6 @@ nodes | clearning.cpp:61:5:61:5 | x indirection | semmle.label | x indirection | | clearning.cpp:62:8:62:8 | s indirection [x indirection] | semmle.label | s indirection [x indirection] | | clearning.cpp:62:10:62:10 | x indirection | semmle.label | x indirection | -| clearning.cpp:62:10:62:10 | x indirection | semmle.label | x indirection | | clearning.cpp:74:20:74:22 | argument_source output argument | semmle.label | argument_source output argument | | clearning.cpp:74:20:74:22 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] | | clearning.cpp:76:7:76:12 | * ... | semmle.label | * ... | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected index 64e99a6c629..094234a77be 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected 
@@ -2,11 +2,9 @@ edges | test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | userName indirection | | test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | command1 indirection | | test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument | -| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:45:22:52 | userName indirection | | test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:50:35:50:43 | envCflags indirection | | test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | command indirection | | test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument | -| test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:35:50:43 | envCflags indirection | | test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | filename indirection | | test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | command indirection | | test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected index c2d7723194d..c9fd98569cc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected 
@@ -4,7 +4,6 @@ edges | test.cpp:18:10:18:15 | str indirection [post update] [string] | test.cpp:19:5:19:7 | str indirection [string] | | test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... | | test.cpp:19:5:19:7 | str indirection [string] | test.cpp:16:11:16:21 | mk_string_t indirection [string] | -| test.cpp:19:5:19:7 | str indirection [string] | test.cpp:19:5:19:7 | str indirection [string] | | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:42:13:42:15 | str indirection [string] | | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:72:17:72:19 | str indirection [string] | | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:80:17:80:19 | str indirection [string] | @@ -16,7 +15,6 @@ edges | test.cpp:90:10:90:15 | str indirection [post update] [string] | test.cpp:91:5:91:7 | str indirection [string] | | test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... | | test.cpp:91:5:91:7 | str indirection [string] | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | -| test.cpp:91:5:91:7 | str indirection [string] | test.cpp:91:5:91:7 | str indirection [string] | | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:99:13:99:15 | str indirection [string] | | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:129:17:129:19 | str indirection [string] | | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:137:17:137:19 | str indirection [string] | 
@@ -26,7 +24,6 @@ edges | test.cpp:147:5:147:34 | ... = ... | test.cpp:147:10:147:15 | str indirection [post update] [string] | | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:148:5:148:7 | str indirection [string] | | test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... | -| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:148:5:148:7 | str indirection [string] | | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:152:13:152:15 | str indirection [string] | | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:154:13:154:15 | str indirection [string] | | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:156:13:156:15 | str indirection [string] | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected index f24a5f8d04a..20f1faa1bf9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected 
@@ -22,31 +22,19 @@ edges | tests5.cpp:88:2:88:2 | p indirection | tests5.cpp:89:2:89:2 | p indirection | | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | p indirection | | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | p indirection | -| tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:37:2:37:2 | (AbstractDOMParser *)... indirection | | tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:37:2:37:2 | p indirection | -| tests.cpp:37:2:37:2 | (AbstractDOMParser *)... indirection | tests.cpp:37:2:37:2 | p indirection | | tests.cpp:37:2:37:2 | p indirection | tests.cpp:37:2:37:2 | p indirection | -| tests.cpp:37:2:37:2 | p indirection | tests.cpp:38:2:38:2 | (AbstractDOMParser *)... indirection | | tests.cpp:37:2:37:2 | p indirection | tests.cpp:38:2:38:2 | p indirection | -| tests.cpp:38:2:38:2 | (AbstractDOMParser *)... indirection | tests.cpp:38:2:38:2 | p indirection | | tests.cpp:38:2:38:2 | p indirection | tests.cpp:38:2:38:2 | p indirection | | tests.cpp:38:2:38:2 | p indirection | tests.cpp:39:2:39:2 | p indirection | -| tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:53:2:53:2 | (AbstractDOMParser *)... indirection | | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:53:2:53:2 | p indirection | -| tests.cpp:53:2:53:2 | (AbstractDOMParser *)... indirection | tests.cpp:53:2:53:2 | p indirection | | tests.cpp:53:2:53:2 | p indirection | tests.cpp:53:2:53:2 | p indirection | -| tests.cpp:53:2:53:2 | p indirection | tests.cpp:55:2:55:2 | (AbstractDOMParser *)... indirection | | tests.cpp:53:2:53:2 | p indirection | tests.cpp:55:2:55:2 | p indirection | -| tests.cpp:55:2:55:2 | (AbstractDOMParser *)... 
indirection | tests.cpp:55:2:55:2 | p indirection | | tests.cpp:55:2:55:2 | p indirection | tests.cpp:55:2:55:2 | p indirection | | tests.cpp:55:2:55:2 | p indirection | tests.cpp:56:2:56:2 | p indirection | -| tests.cpp:55:2:55:2 | p indirection | tests.cpp:57:2:57:2 | (AbstractDOMParser *)... indirection | | tests.cpp:55:2:55:2 | p indirection | tests.cpp:57:2:57:2 | p indirection | -| tests.cpp:57:2:57:2 | (AbstractDOMParser *)... indirection | tests.cpp:57:2:57:2 | p indirection | | tests.cpp:57:2:57:2 | p indirection | tests.cpp:57:2:57:2 | p indirection | -| tests.cpp:57:2:57:2 | p indirection | tests.cpp:59:2:59:2 | (AbstractDOMParser *)... indirection | | tests.cpp:57:2:57:2 | p indirection | tests.cpp:59:2:59:2 | p indirection | -| tests.cpp:59:2:59:2 | (AbstractDOMParser *)... indirection | tests.cpp:59:2:59:2 | p indirection | | tests.cpp:59:2:59:2 | p indirection | tests.cpp:59:2:59:2 | p indirection | | tests.cpp:59:2:59:2 | p indirection | tests.cpp:60:2:60:2 | p indirection | | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | p indirection | 
@@ -104,25 +92,19 @@ nodes | tests.cpp:28:23:28:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser | | tests.cpp:31:2:31:2 | p indirection | semmle.label | p indirection | | tests.cpp:35:23:35:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser | -| tests.cpp:37:2:37:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection | | tests.cpp:37:2:37:2 | p indirection | semmle.label | p indirection | | tests.cpp:37:2:37:2 | p indirection | semmle.label | p indirection | -| tests.cpp:38:2:38:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection | | tests.cpp:38:2:38:2 | p indirection | semmle.label | p indirection | | tests.cpp:38:2:38:2 | p indirection | semmle.label | p indirection | | tests.cpp:39:2:39:2 | p indirection | semmle.label | p indirection | | tests.cpp:51:23:51:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser | -| tests.cpp:53:2:53:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection | | tests.cpp:53:2:53:2 | p indirection | semmle.label | p indirection | | tests.cpp:53:2:53:2 | p indirection | semmle.label | p indirection | -| tests.cpp:55:2:55:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection | | tests.cpp:55:2:55:2 | p indirection | semmle.label | p indirection | | tests.cpp:55:2:55:2 | p indirection | semmle.label | p indirection | | tests.cpp:56:2:56:2 | p indirection | semmle.label | p indirection | -| tests.cpp:57:2:57:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection | | tests.cpp:57:2:57:2 | p indirection | semmle.label | p indirection | | tests.cpp:57:2:57:2 | p indirection | semmle.label | p indirection | -| tests.cpp:59:2:59:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... 
indirection | | tests.cpp:59:2:59:2 | p indirection | semmle.label | p indirection | | tests.cpp:59:2:59:2 | p indirection | semmle.label | p indirection | | tests.cpp:60:2:60:2 | p indirection | semmle.label | p indirection |
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
index 25bbd1c83f7..2021411be0f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
@@ -99,6 +99,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 var existsNetCoreRefNugetPackage = false;
 var existsNetFrameworkRefNugetPackage = false;
+ var existsNetstandardLibRefNugetPackage = false;
+ var existsNetstandardLibNugetPackage = false;
 // Find DLLs in the .Net / Asp.Net Framework
 // This block needs to come after the nuget restore, because the nuget restore might fetch the .NET Core/Framework reference assemblies.
@@ -106,8 +108,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 {
 existsNetCoreRefNugetPackage = IsNugetPackageAvailable("microsoft.netcore.app.ref");
 existsNetFrameworkRefNugetPackage = IsNugetPackageAvailable("microsoft.netframework.referenceassemblies");
+ existsNetstandardLibRefNugetPackage = IsNugetPackageAvailable("netstandard.library.ref");
+ existsNetstandardLibNugetPackage = IsNugetPackageAvailable("netstandard.library");
- if (existsNetCoreRefNugetPackage || existsNetFrameworkRefNugetPackage)
+ if (existsNetCoreRefNugetPackage
+ || existsNetFrameworkRefNugetPackage
+ || existsNetstandardLibRefNugetPackage
+ || existsNetstandardLibNugetPackage)
 {
 progressMonitor.LogInfo("Found .NET Core/Framework DLLs in NuGet packages. Not adding installation directory.");
 }
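Review bot: The log message inside the `if` at the end of the second hunk still reads `Found .NET Core/Framework DLLs in NuGet packages`, but the widened condition now also fires when only a `netstandard.library` or `netstandard.library.ref` package is in the cache, so the diagnostic no longer tells the reader which package triggered the skip. Logging the matched package name, or widening the text to `"Found .NET Core/Framework/Standard reference DLLs in NuGet packages. Not adding installation directory."`, would keep the message accurate. The enclosing method starts and ends outside the hunk.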
@@ -125,7 +132,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 UseReference(filename);
 }
- RemoveUnnecessaryNugetPackages(existsNetCoreRefNugetPackage, existsNetFrameworkRefNugetPackage);
+ RemoveUnnecessaryNugetPackages(existsNetCoreRefNugetPackage, existsNetFrameworkRefNugetPackage, existsNetstandardLibRefNugetPackage, existsNetstandardLibNugetPackage);
 ResolveConflicts();
 // Output the findings
@@ -160,7 +167,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 DateTime.Now - startTime);
 }
- private void RemoveUnnecessaryNugetPackages(bool existsNetCoreRefNugetPackage, bool existsNetFrameworkRefNugetPackage)
+ private void RemoveUnnecessaryNugetPackages(bool existsNetCoreRefNugetPackage, bool existsNetFrameworkRefNugetPackage,
+ bool existsNetstandardLibRefNugetPackage, bool existsNetstandardLibNugetPackage)
 {
 RemoveNugetAnalyzerReferences();
 RemoveRuntimeNugetPackageReferences();
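Review bot: `RemoveUnnecessaryNugetPackages` now takes four positional `bool` parameters of the same type (second hunk) and the call in the first hunk passes them by position, so a transposed pair would compile silently and only change which reference package survives. Named arguments at the call site, e.g. `RemoveUnnecessaryNugetPackages(existsNetCoreRefNugetPackage: existsNetCoreRefNugetPackage, existsNetFrameworkRefNugetPackage: existsNetFrameworkRefNugetPackage, ...)`, or passing one `(bool isPresent, string prefix)[]` table built by the caller, would make the order self-checking. Both enclosing members start and end outside these hunks.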
@@ -172,10 +180,38 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 RemoveNugetPackageReference("microsoft.aspnetcore.app.ref");
 }
- if (existsNetCoreRefNugetPackage && existsNetFrameworkRefNugetPackage)
+ // Multiple dotnet framework packages could be present. We keep only one.
+ // The order of the packages is important, we're keeping the first one that is present in the nuget cache.
+ var packagesInPrioOrder = new (bool isPresent, string prefix)[]
 {
- // Multiple packages are available, we keep only one:
- RemoveNugetPackageReference("microsoft.netframework.referenceassemblies.");
+ // net7.0, ... net5.0, netcoreapp3.1, netcoreapp3.0
+ (existsNetCoreRefNugetPackage, "microsoft.netcore.app.ref"),
+ // net48, ..., net20
+ (existsNetFrameworkRefNugetPackage, "microsoft.netframework.referenceassemblies."),
+ // netstandard2.1
+ (existsNetstandardLibRefNugetPackage, "netstandard.library.ref"),
+ // netstandard2.0
+ (existsNetstandardLibNugetPackage, "netstandard.library")
+ };
+
+ for (var i = 0; i < packagesInPrioOrder.Length; i++)
+ {
+ var (isPresent, _) = packagesInPrioOrder[i];
+ if (!isPresent)
+ {
+ continue;
+ }
+
+ // Package is present, remove all the lower priority packages:
+ for (var j = i + 1; j < packagesInPrioOrder.Length; j++)
+ {
+ var (otherIsPresent, otherPrefix) = packagesInPrioOrder[j];
+ if (otherIsPresent)
+ {
+ RemoveNugetPackageReference(otherPrefix);
+ }
+ }
+ break;
 }
 // TODO: There could be multiple `microsoft.netframework.referenceassemblies` packages,
diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
index 6d013d8ce69..8e37908e0fc 100644
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.2
+
+No user-facing changes.
+
 ## 1.7.1
 No user-facing changes.
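Review bot: In the `packagesInPrioOrder` table the entry `"netstandard.library"` is a textual prefix of `"netstandard.library.ref"`, so when both packages are in the cache the loop keeps `netstandard.library.ref` and then calls `RemoveNugetPackageReference("netstandard.library")` for the lower-priority one; if that helper matches by prefix, as the trailing dot on `"microsoft.netframework.referenceassemblies."` suggests, it would also remove the package that was just chosen to be kept. `RemoveNugetPackageReference` is not visible in this diff, so please confirm its matching rule and, if it is prefix-based, terminate the entry with whatever separator the cache layout uses or match the package directory name exactly. A comment on the tuple's `prefix` element stating exactly what it is matched against would make the ordering contract explicit for the next entry added. The enclosing method starts outside the hunk.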
diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.2.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.2.md new file mode 100644 index 00000000000..b950385c16d --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.2.md @@ -0,0 +1,3 @@ +## 1.7.2 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index 7bdec0d85c7..39bbba86c19 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.1 +lastReleaseVersion: 1.7.2 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index ab51dd17629..2adbcb7101e 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.2-dev +version: 1.7.3-dev groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index 6d013d8ce69..8e37908e0fc 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.2 + +No user-facing changes. + ## 1.7.1 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.2.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.2.md new file mode 100644 index 00000000000..b950385c16d --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.2.md @@ -0,0 +1,3 @@ +## 1.7.2 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index 7bdec0d85c7..39bbba86c19 100644 
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.1 +lastReleaseVersion: 1.7.2 diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index a7e94bb3774..2b213c24246 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.2-dev +version: 1.7.3-dev groups: - csharp - solorigate diff --git a/csharp/ql/integration-tests/posix-only/standalone_dependencies/Assemblies.expected b/csharp/ql/integration-tests/posix-only/standalone_dependencies/Assemblies.expected index eebdb8558eb..6c99dc08de7 100644 --- a/csharp/ql/integration-tests/posix-only/standalone_dependencies/Assemblies.expected +++ b/csharp/ql/integration-tests/posix-only/standalone_dependencies/Assemblies.expected @@ -168,6 +168,5 @@ | /microsoft.netcore.app.ref/7.0.2/ref/net7.0/WindowsBase.dll | | /microsoft.netcore.app.ref/7.0.2/ref/net7.0/mscorlib.dll | | /microsoft.netcore.app.ref/7.0.2/ref/net7.0/netstandard.dll | -| /netstandard.library/2.0.3/build/netstandard2.0/ref/System.ComponentModel.Composition.dll | | /newtonsoft.json/12.0.1/lib/portable-net45+win8+wp8+wpa81/Newtonsoft.Json.dll | | /nunit/3.13.3/lib/netstandard2.0/nunit.framework.dll | diff --git a/csharp/ql/integration-tests/windows-only/standalone_dependencies/Assemblies.expected b/csharp/ql/integration-tests/windows-only/standalone_dependencies/Assemblies.expected index 1eae4e66233..ef691089afb 100644 --- a/csharp/ql/integration-tests/windows-only/standalone_dependencies/Assemblies.expected +++ b/csharp/ql/integration-tests/windows-only/standalone_dependencies/Assemblies.expected 
@@ -212,6 +212,5 @@ | /microsoft.windowsdesktop.app.ref/7.0.2/ref/net7.0/UIAutomationTypes.dll | | /microsoft.windowsdesktop.app.ref/7.0.2/ref/net7.0/WindowsBase.dll | | /microsoft.windowsdesktop.app.ref/7.0.2/ref/net7.0/WindowsFormsIntegration.dll | -| /netstandard.library/2.0.3/build/netstandard2.0/ref/System.ComponentModel.Composition.dll | | /newtonsoft.json/12.0.1/lib/portable-net45+win8+wp8+wpa81/Newtonsoft.Json.dll | | /nunit/3.13.3/lib/netstandard2.0/nunit.framework.dll | diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index 8c7b2cd062c..71fbec9d4fe 100644 --- a/csharp/ql/lib/CHANGELOG.md +++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.8.2 + +No user-facing changes. + ## 0.8.1 ### Minor Analysis Improvements diff --git a/csharp/ql/lib/change-notes/released/0.8.2.md b/csharp/ql/lib/change-notes/released/0.8.2.md new file mode 100644 index 00000000000..11c1f6119a5 --- /dev/null +++ b/csharp/ql/lib/change-notes/released/0.8.2.md @@ -0,0 +1,3 @@ +## 0.8.2 + +No user-facing changes. diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index 2f693f95ba6..404110129dc 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.8.1 +lastReleaseVersion: 0.8.2 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index 2ac975f1003..574de8bf003 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 0.8.2-dev +version: 0.8.3-dev groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/lib/semmle/code/csharp/AnnotatedType.qll b/csharp/ql/lib/semmle/code/csharp/AnnotatedType.qll index 83bffc9b2a8..b45b743c40c 100644 --- a/csharp/ql/lib/semmle/code/csharp/AnnotatedType.qll +++ b/csharp/ql/lib/semmle/code/csharp/AnnotatedType.qll 
@@ -251,15 +251,21 @@ private int getElementTypeFlags(@has_type_annotation element) {
 result = strictsum(int b | type_annotation(element, b) | b)
 }
+private predicate specificTypeParameterNullability(
+ TypeParameterConstraints constraints, Type type, @nullability n
+) {
+ specific_type_parameter_nullability(constraints, type, n)
+ or
+ specific_type_parameter_nullability(constraints, getTypeRef(type), n)
+}
+
 private Annotations::Nullability getTypeParameterNullability(
 TypeParameterConstraints constraints, Type type
 ) {
- if specific_type_parameter_nullability(constraints, getTypeRef(type), _)
- then
- specific_type_parameter_nullability(constraints, getTypeRef(type),
- Annotations::getNullability(result))
+ if specificTypeParameterNullability(constraints, type, _)
+ then specificTypeParameterNullability(constraints, type, Annotations::getNullability(result))
 else (
- specific_type_parameter_constraints(constraints, getTypeRef(type)) and
+ type = constraints.getATypeConstraint() and
 result instanceof Annotations::NoNullability
 )
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/Attribute.qll b/csharp/ql/lib/semmle/code/csharp/Attribute.qll
index 13769295428..f60ffcd6a40 100644
--- a/csharp/ql/lib/semmle/code/csharp/Attribute.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Attribute.qll
@@ -62,7 +62,12 @@ private string getAttributeName(Attribute a) {
 */
 class Attribute extends TopLevelExprParent, @attribute {
 /** Gets the type of this attribute. */
- Class getType() { attributes(this, _, getTypeRef(result), _) }
+ Class getType() {
+ attributes(this, _, result, _)
+ or
+ not attributes(this, _, any(Type t), _) and
+ attributes(this, _, getTypeRef(result), _)
+ }
 /** Gets the element that this attribute is attached to. */
 Attributable getTarget() { attributes(this, _, _, result) }
diff --git a/csharp/ql/lib/semmle/code/csharp/Callable.qll b/csharp/ql/lib/semmle/code/csharp/Callable.qll
index 00091f66ddc..6c9fd828132 100644
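Review bot: The new `specificTypeParameterNullability` predicate has no QLDoc comment, and unlike the other `getTypeRef` fallbacks introduced in this commit (e.g. `Attribute.getType`) it unions the direct-`Type` branch and the `getTypeRef` branch without the `not ... any(Type t)` guard; `TypeParameterConstraints.getATypeConstraint` in Generics.qll, which the rewritten `else` branch now calls, does the same. If that is deliberate because the two branches cannot produce conflicting rows for these tables, a doc comment such as `/** Holds if the specific type constraint `type` of `constraints`, stored directly or as a type reference, has nullability `n`. */` plus a sentence saying why no guard is needed would stop a later reader from "fixing" it to match the guarded variants.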
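Review bot: The two-branch fallback in `Attribute.getType` — the direct `Type` column first, then `getTypeRef(result)` only when no `Type` row exists — is repeated with no explanatory comment in Callable.qll (`Method.getReturnType`, `Operator.getReturnType`), Event.qll, Generics.qll (`getTypeArgument`, `getUnboundGeneric`), Member.qll, Property.qll (`Property.getType`, `Indexer.getType`) and Stmt.qll. A one-line comment at this first occurrence, e.g. `// Prefer a type stored directly in the table; resolve a type reference only when none is stored`, would record the intent, and Member.qll's guard using `any(Interface i)` rather than `any(Type t)` is presumably deliberate but deserves a word too. If QL allows it, a shared helper parameterised on the table would remove the copies. The `Attribute` class body continues outside the hunk.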
--- a/csharp/ql/lib/semmle/code/csharp/Callable.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Callable.qll
@@ -236,7 +236,12 @@ class Method extends Callable, Virtualizable, Attributable, @method {
 override ValueOrRefType getDeclaringType() { methods(this, _, result, _, _) }
- override Type getReturnType() { methods(this, _, _, getTypeRef(result), _) }
+ override Type getReturnType() {
+ methods(this, _, _, result, _)
+ or
+ not methods(this, _, _, any(Type t), _) and
+ methods(this, _, _, getTypeRef(result), _)
+ }
 override Method getUnboundDeclaration() { methods(this, _, _, _, result) }
@@ -453,7 +458,12 @@ class Operator extends Callable, Member, Attributable, Overridable, @operator {
 override ValueOrRefType getDeclaringType() { operators(this, _, _, result, _, _) }
- override Type getReturnType() { operators(this, _, _, _, getTypeRef(result), _) }
+ override Type getReturnType() {
+ operators(this, _, _, _, result, _)
+ or
+ not operators(this, _, _, _, any(Type t), _) and
+ operators(this, _, _, _, getTypeRef(result), _)
+ }
 override Operator getUnboundDeclaration() { operators(this, _, _, _, _, result) }
diff --git a/csharp/ql/lib/semmle/code/csharp/Event.qll b/csharp/ql/lib/semmle/code/csharp/Event.qll
index 810cffa927a..a7079952478 100644
--- a/csharp/ql/lib/semmle/code/csharp/Event.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Event.qll
@@ -23,7 +23,12 @@ class Event extends DeclarationWithAccessors, @event {
 override ValueOrRefType getDeclaringType() { events(this, _, result, _, _) }
- override DelegateType getType() { events(this, _, _, getTypeRef(result), _) }
+ override DelegateType getType() {
+ events(this, _, _, result, _)
+ or
+ not events(this, _, _, any(Type t), _) and
+ events(this, _, _, getTypeRef(result), _)
+ }
 /** Gets an `add` or `remove` accessor of this event, if any. */
 EventAccessor getAnEventAccessor() { result.getDeclaration() = this }
diff --git a/csharp/ql/lib/semmle/code/csharp/Generics.qll b/csharp/ql/lib/semmle/code/csharp/Generics.qll
index 51c1dbc19fd..ce9c94daaab 100644
--- a/csharp/ql/lib/semmle/code/csharp/Generics.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Generics.qll
@@ -261,7 +261,11 @@ class TypeParameter extends DotNet::TypeParameter, Type, @type_parameter {
 */
 class TypeParameterConstraints extends Element, @type_parameter_constraints {
 /** Gets a specific type constraint, if any. */
- Type getATypeConstraint() { specific_type_parameter_constraints(this, getTypeRef(result)) }
+ Type getATypeConstraint() {
+ specific_type_parameter_constraints(this, result)
+ or
+ specific_type_parameter_constraints(this, getTypeRef(result))
+ }
 /** Gets an annotated specific type constraint, if any. */
 AnnotatedType getAnAnnotatedTypeConstraint() { result.appliesToTypeConstraint(this) }
@@ -413,9 +417,19 @@ class ConstructedType extends ValueOrRefType, ConstructedGeneric {
 override Location getALocation() { result = this.getUnboundDeclaration().getALocation() }
- override Type getTypeArgument(int n) { type_arguments(getTypeRef(result), n, this) }
+ override Type getTypeArgument(int n) {
+ type_arguments(result, n, this)
+ or
+ not type_arguments(any(Type t), n, this) and
+ type_arguments(getTypeRef(result), n, this)
+ }
- override UnboundGenericType getUnboundGeneric() { constructed_generic(this, getTypeRef(result)) }
+ override UnboundGenericType getUnboundGeneric() {
+ constructed_generic(this, result)
+ or
+ not constructed_generic(this, any(Type t)) and
+ constructed_generic(this, getTypeRef(result))
+ }
 final override Type getChild(int n) { result = this.getTypeArgument(n) }
@@ -587,7 +601,12 @@ class UnboundGenericMethod extends Method, UnboundGeneric { class ConstructedMethod extends Method, ConstructedGeneric { override Location getALocation() { result = this.getUnboundDeclaration().getALocation() } - override Type getTypeArgument(int n) { type_arguments(getTypeRef(result), n, this) } + override Type getTypeArgument(int n) { + type_arguments(result, n, this) + or + not type_arguments(any(Type t), n, this) and + type_arguments(getTypeRef(result), n, this) + } override UnboundGenericMethod getUnboundGeneric() { constructed_generic(this, result) } diff --git a/csharp/ql/lib/semmle/code/csharp/Member.qll b/csharp/ql/lib/semmle/code/csharp/Member.qll index eb62a2f0b5c..a884f314c15 100644 --- a/csharp/ql/lib/semmle/code/csharp/Member.qll +++ b/csharp/ql/lib/semmle/code/csharp/Member.qll @@ -215,7 +215,12 @@ class Overridable extends Declaration, TOverridable { * to members that can be declared on an interface, i.e. methods, properties, * indexers and events. */ - Interface getExplicitlyImplementedInterface() { explicitly_implements(this, getTypeRef(result)) } + Interface getExplicitlyImplementedInterface() { + explicitly_implements(this, result) + or + not explicitly_implements(this, any(Interface i)) and + explicitly_implements(this, getTypeRef(result)) + } /** * Holds if this member implements an interface member explicitly. diff --git a/csharp/ql/lib/semmle/code/csharp/Property.qll b/csharp/ql/lib/semmle/code/csharp/Property.qll index 15c707321c8..bb127b48f2a 100644 --- a/csharp/ql/lib/semmle/code/csharp/Property.qll +++ b/csharp/ql/lib/semmle/code/csharp/Property.qll 
@@ -120,7 +120,12 @@ class Property extends DotNet::Property, DeclarationWithGetSetAccessors, @proper override ValueOrRefType getDeclaringType() { properties(this, _, result, _, _) } - override Type getType() { properties(this, _, _, getTypeRef(result), _) } + override Type getType() { + properties(this, _, _, result, _) + or + not properties(this, _, _, any(Type t), _) and + properties(this, _, _, getTypeRef(result), _) + } /** * Holds if this property is automatically implemented. For example, `P1` @@ -260,7 +265,12 @@ class Indexer extends DeclarationWithGetSetAccessors, Parameterizable, @indexer override ValueOrRefType getDeclaringType() { indexers(this, _, result, _, _) } - override Type getType() { indexers(this, _, _, getTypeRef(result), _) } + override Type getType() { + indexers(this, _, _, result, _) + or + not indexers(this, _, _, any(Type t), _) and + indexers(this, _, _, getTypeRef(result), _) + } override IndexerAccess getAnAccess() { result.getTarget() = this } diff --git a/csharp/ql/lib/semmle/code/csharp/Stmt.qll b/csharp/ql/lib/semmle/code/csharp/Stmt.qll index 451f993db1f..334afa4b944 100644 --- a/csharp/ql/lib/semmle/code/csharp/Stmt.qll +++ b/csharp/ql/lib/semmle/code/csharp/Stmt.qll @@ -984,7 +984,12 @@ class CatchClause extends Stmt, @catch { * } * ``` */ - ExceptionClass getCaughtExceptionType() { catch_type(this, getTypeRef(result), _) } + ExceptionClass getCaughtExceptionType() { + catch_type(this, result, _) + or + not catch_type(this, any(Type t), _) and + catch_type(this, getTypeRef(result), _) + } /** * Gets the `catch` filter clause, if any. For example, the filter expression diff --git a/csharp/ql/lib/semmle/code/csharp/Type.qll b/csharp/ql/lib/semmle/code/csharp/Type.qll index 797196d2cc4..f262688d277 100644 --- a/csharp/ql/lib/semmle/code/csharp/Type.qll +++ b/csharp/ql/lib/semmle/code/csharp/Type.qll 
@@ -110,9 +110,16 @@ class ValueOrRefType extends DotNet::ValueOrRefType, Type, Attributable, @value_ parent_namespace_declaration(this, result) } + private Class getExplicitBaseClass() { + extend(this, result) + or + not extend(this, any(Class c)) and + extend(this, getTypeRef(result)) + } + /** Gets the immediate base class of this class, if any. */ final Class getBaseClass() { - extend(this, getTypeRef(result)) + result = this.getExplicitBaseClass() or not extend(this, _) and not isObjectClass(this) and @@ -122,7 +129,11 @@ class ValueOrRefType extends DotNet::ValueOrRefType, Type, Attributable, @value_ } /** Gets an immediate base interface of this type, if any. */ - Interface getABaseInterface() { implement(this, getTypeRef(result)) } + Interface getABaseInterface() { + implement(this, result) + or + implement(this, getTypeRef(result)) + } /** Gets an immediate base type of this type, if any. */ override ValueOrRefType getABaseType() { @@ -672,7 +683,12 @@ class Enum extends ValueType, @enum_type { * } * ``` */ - IntegralType getUnderlyingType() { enum_underlying_type(this, getTypeRef(result)) } + IntegralType getUnderlyingType() { + enum_underlying_type(this, result) + or + not enum_underlying_type(this, any(Type t)) and + enum_underlying_type(this, getTypeRef(result)) + } /** * Gets an `enum` constant declared in this `enum`, for example `Even` @@ -855,7 +871,12 @@ class Interface extends RefType, @interface_type { */ class DelegateType extends RefType, Parameterizable, @delegate_type { /** Gets the return type of this delegate. */ - Type getReturnType() { delegate_return_type(this, getTypeRef(result)) } + Type getReturnType() { + delegate_return_type(this, result) + or + not delegate_return_type(this, any(Type t)) and + delegate_return_type(this, getTypeRef(result)) + } /** Gets the annotated return type of this delegate. */ AnnotatedType getAnnotatedReturnType() { result.appliesTo(this) } 
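Review bot: The new private `getExplicitBaseClass()` has no QLDoc while every neighbouring predicate in `ValueOrRefType` carries one; suggest `/** Gets the base class recorded in `extend` for this type, resolving a typeref only when no class is recorded directly. */`. Its guard is also written `not extend(this, any(Class c))`, whereas the other rewrites in this commit test `any(Type t)` and Member.qll tests `any(Interface i)`; if both a non-`Class` type and a typeref are recorded for the same `this`, the narrower `any(Class c)` form lets the typeref disjunct contribute while the `any(Type t)` form suppresses it, so the variants are not interchangeable and the chosen one should be stated in the comment. `class ValueOrRefType` starts and ends outside the hunk.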
@@ -939,7 +960,12 @@ class UnmanagedCallingConvention extends CallingConvention { */ class FunctionPointerType extends Type, Parameterizable, @function_pointer_type { /** Gets the return type of this function pointer. */ - Type getReturnType() { function_pointer_return_type(this, getTypeRef(result)) } + Type getReturnType() { + function_pointer_return_type(this, result) + or + not function_pointer_return_type(this, any(Type t)) and + function_pointer_return_type(this, getTypeRef(result)) + } /** Gets the calling convention. */ CallingConvention getCallingConvention() { @@ -950,6 +976,9 @@ class FunctionPointerType extends Type, Parameterizable, @function_pointer_type /** Gets the unmanaged calling convention at index `i`. */ Type getUnmanagedCallingConvention(int i) { + has_unmanaged_calling_conventions(this, i, result) + or + not has_unmanaged_calling_conventions(this, i, any(Type t)) and has_unmanaged_calling_conventions(this, i, getTypeRef(result)) } @@ -979,7 +1008,12 @@ class NullableType extends ValueType, ConstructedType, @nullable_type { * Gets the underlying value type of this nullable type. * For example `int` in `int?`. */ - Type getUnderlyingType() { nullable_underlying_type(this, getTypeRef(result)) } + Type getUnderlyingType() { + nullable_underlying_type(this, result) + or + not nullable_underlying_type(this, any(Type t)) and + nullable_underlying_type(this, getTypeRef(result)) + } override UnboundGenericStruct getUnboundGeneric() { result.hasQualifiedName("System", "Nullable<>") 
@@ -1021,7 +1055,12 @@ class ArrayType extends DotNet::ArrayType, RefType, @array_type { predicate isMultiDimensional() { this.getRank() > 1 } /** Gets the element type of this array, for example `int` in `int[]`. */ - override Type getElementType() { array_element_type(this, _, _, getTypeRef(result)) } + override Type getElementType() { + array_element_type(this, _, _, result) + or + not array_element_type(this, _, _, any(Type t)) and + array_element_type(this, _, _, getTypeRef(result)) + } /** Holds if this array type has the same shape (dimension and rank) as `that` array type. */ predicate hasSameShapeAs(ArrayType that) { @@ -1076,7 +1115,12 @@ class ArrayType extends DotNet::ArrayType, RefType, @array_type { * A pointer type, for example `char*`. */ class PointerType extends DotNet::PointerType, Type, @pointer_type { - override Type getReferentType() { pointer_referent_type(this, getTypeRef(result)) } + override Type getReferentType() { + pointer_referent_type(this, result) + or + not pointer_referent_type(this, any(Type t)) and + pointer_referent_type(this, getTypeRef(result)) + } override string toStringWithTypes() { result = DotNet::PointerType.super.toStringWithTypes() } @@ -1134,7 +1178,12 @@ class UnknownType extends Type, @unknown_type { */ class TupleType extends ValueType, @tuple_type { /** Gets the underlying type of this tuple, which is of type `System.ValueTuple`. */ - Struct getUnderlyingType() { tuple_underlying_type(this, getTypeRef(result)) } + Struct getUnderlyingType() { + tuple_underlying_type(this, result) + or + not tuple_underlying_type(this, any(Type t)) and + tuple_underlying_type(this, getTypeRef(result)) + } /** * Gets the `n`th element of this tuple, indexed from 0. 
@@ -1196,7 +1245,11 @@ class TypeMention extends @type_mention { Type type; @type_mention_parent parent; - TypeMention() { type_mention(this, getTypeRef(type), parent) } + TypeMention() { + type_mention(this, type, parent) + or + type_mention(this, getTypeRef(type), parent) + } /** Gets the type being mentioned. */ Type getType() { result = type } diff --git a/csharp/ql/lib/semmle/code/csharp/TypeRef.qll b/csharp/ql/lib/semmle/code/csharp/TypeRef.qll index f13168dd20d..c2cf8eb545c 100644 --- a/csharp/ql/lib/semmle/code/csharp/TypeRef.qll +++ b/csharp/ql/lib/semmle/code/csharp/TypeRef.qll @@ -8,10 +8,13 @@ import csharp /** A typeref is a reference to a type in some assembly. */ private class TypeRef extends @typeref { + /** Gets the name of type being referenced. */ string getName() { typerefs(this, result) } + /** Gets a textual representation of this type reference. */ string toString() { result = this.getName() } + /** Gets the type being referenced. */ Type getReferencedType() { typeref_type(this, result) or @@ -27,8 +30,4 @@ private class TypeRef extends @typeref { * This is used for extensionals that can be supplied * as either type references or types. */ -@type_or_ref getTypeRef(Type type) { - result = type - or - result.(TypeRef).getReferencedType() = type -} +TypeRef getTypeRef(Type type) { result.getReferencedType() = type } diff --git a/csharp/ql/lib/semmle/code/csharp/Unification.qll b/csharp/ql/lib/semmle/code/csharp/Unification.qll index 1e01aebfb42..30a94efbe6f 100644 --- a/csharp/ql/lib/semmle/code/csharp/Unification.qll +++ b/csharp/ql/lib/semmle/code/csharp/Unification.qll 
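Review bot: The QLDoc above `getTypeRef` in TypeRef.qll (its opening lines are outside the hunk) still says it `is used for extensionals that can be supplied as either type references or types`, but the new body only yields a `TypeRef` whose `getReferencedType()` is `type`; the `result = type` alternative now lives in each caller. Suggest rewording to `Gets a type reference that resolves to `type`. A column of type `@type_or_ref` must test the type directly as a separate disjunct; callers use `pred(this, result) or not pred(this, any(Type t)) and pred(this, getTypeRef(result))`.` The return type also changed from `@type_or_ref` to `TypeRef`, so any caller outside this library that relied on the direct-type case still compiles (a `TypeRef` fits a `@type_or_ref` column) but silently loses results; a change-note entry would make that visible.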
@@ -15,7 +15,7 @@ module Gvn { * but only if the enclosing type is not a `GenericType`. */ string getNameNested(Type t) { - exists(string name | name = t.getName() | + exists(string name | name = t.getUndecoratedName() | if not t instanceof NestedType or t.(NestedType).getDeclaringType() instanceof GenericType then result = name else result = getNameNested(t.(NestedType).getDeclaringType()) + "+" + name @@ -267,7 +267,7 @@ module Gvn { or this.isDeclaringTypeAt(i) and j = 1 and result = "." else ( - j = 0 and result = name.prefix(name.length() - children - 1) + "<" + j = 0 and result = name + "<" or j in [1 .. 2 * children - 1] and if j % 2 = 0 diff --git a/csharp/ql/lib/semmle/code/csharp/Using.qll b/csharp/ql/lib/semmle/code/csharp/Using.qll index ed51ce34213..384cd1cc01f 100644 --- a/csharp/ql/lib/semmle/code/csharp/Using.qll +++ b/csharp/ql/lib/semmle/code/csharp/Using.qll @@ -64,7 +64,12 @@ class UsingStaticDirective extends UsingDirective, @using_static_directive { * Gets the target of this type `using` directive, for example * `System.Console` in `using static System.Console`. */ - ValueOrRefType getTarget() { using_static_directives(this, getTypeRef(result)) } + ValueOrRefType getTarget() { + using_static_directives(this, result) + or + not using_static_directives(this, any(Type t)) and + using_static_directives(this, getTypeRef(result)) + } override string toString() { result = "using static ...;" } diff --git a/csharp/ql/lib/semmle/code/csharp/Variable.qll b/csharp/ql/lib/semmle/code/csharp/Variable.qll index 13254c90867..2057ef7da50 100644 --- a/csharp/ql/lib/semmle/code/csharp/Variable.qll +++ b/csharp/ql/lib/semmle/code/csharp/Variable.qll 
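Review bot: The two Unification.qll hunks are coupled: `getNameNested` now builds from `getUndecoratedName()`, and the `j = 0 and result = name + "<"` line in the second hunk drops the `name.prefix(name.length() - children - 1)` arithmetic that presumably stripped the `<,...>` arity suffix, so the new line is only correct while `name` at that site is derived from an undecorated name. Nothing at the second site records that dependency; suggest `// `name` is undecorated (no `<,...>` suffix), so nothing needs stripping before appending "<"` on that line. The predicate enclosing the second hunk starts and ends outside it, so the diff does not show where `name` is bound.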
@@ -195,7 +195,12 @@ class Parameter extends DotNet::Parameter, LocalScopeVariable, Attributable, Top override string getName() { params(this, result, _, _, _, _, _) } - override Type getType() { params(this, _, getTypeRef(result), _, _, _, _) } + override Type getType() { + params(this, _, result, _, _, _, _) + or + not params(this, _, any(Type t), _, _, _, _) and + params(this, _, getTypeRef(result), _, _, _, _) + } override Location getALocation() { param_location(this, result) } @@ -341,7 +346,12 @@ class LocalVariable extends LocalScopeVariable, @local_variable { override string getName() { localvars(this, _, result, _, _, _) } - override Type getType() { localvars(this, _, _, _, getTypeRef(result), _) } + override Type getType() { + localvars(this, _, _, _, result, _) + or + not localvars(this, _, _, _, any(Type t), _) and + localvars(this, _, _, _, getTypeRef(result), _) + } override Location getALocation() { localvar_location(this, result) } @@ -423,7 +433,12 @@ class Field extends Variable, AssignableMember, Attributable, TopLevelExprParent override string getName() { fields(this, _, result, _, _, _) } - override Type getType() { fields(this, _, _, _, getTypeRef(result), _) } + override Type getType() { + fields(this, _, _, _, result, _) + or + not fields(this, _, _, _, any(Type t), _) and + fields(this, _, _, _, getTypeRef(result), _) + } override Location getALocation() { field_location(this, result) } diff --git a/csharp/ql/lib/semmle/code/csharp/exprs/Creation.qll b/csharp/ql/lib/semmle/code/csharp/exprs/Creation.qll index 2f090d3fd06..0e16e0da9c3 100644 --- a/csharp/ql/lib/semmle/code/csharp/exprs/Creation.qll +++ b/csharp/ql/lib/semmle/code/csharp/exprs/Creation.qll 
@@ -438,7 +438,12 @@ class LambdaExpr extends AnonymousFunctionExpr, @lambda_expr { predicate hasExplicitReturnType() { lambda_expr_return_type(this, _) } /** Gets the explicit return type of this lambda expression, if any. */ - Type getExplicitReturnType() { lambda_expr_return_type(this, getTypeRef(result)) } + Type getExplicitReturnType() { + lambda_expr_return_type(this, result) + or + not lambda_expr_return_type(this, any(Type t)) and + lambda_expr_return_type(this, getTypeRef(result)) + } override string toString() { result = "(...) => ..." } diff --git a/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll b/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll index 4251a7ae8b6..2dae913e89b 100644 --- a/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll +++ b/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll @@ -42,7 +42,12 @@ class Expr extends DotNet::Expr, ControlFlowElement, @expr { override Location getALocation() { expr_location(this, result) } /** Gets the type of this expression. */ - override Type getType() { expressions(this, _, getTypeRef(result)) } + override Type getType() { + expressions(this, _, result) + or + not expressions(this, _, any(Type t)) and + expressions(this, _, getTypeRef(result)) + } /** Gets the annotated type of this expression. */ final AnnotatedType getAnnotatedType() { result.appliesTo(this) } diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index e1d837bb40b..7246cba39cb 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.8.2 + +No user-facing changes. + ## 0.8.1 ### Minor Analysis Improvements diff --git a/csharp/ql/src/change-notes/released/0.8.2.md b/csharp/ql/src/change-notes/released/0.8.2.md new file mode 100644 index 00000000000..11c1f6119a5 --- /dev/null +++ b/csharp/ql/src/change-notes/released/0.8.2.md @@ -0,0 +1,3 @@ +## 0.8.2 + +No user-facing changes. 
diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index 2f693f95ba6..404110129dc 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.8.1 +lastReleaseVersion: 0.8.2 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index 54fe066d096..667ca875601 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 0.8.2-dev +version: 0.8.3-dev groups: - csharp - queries diff --git a/go/ql/consistency-queries/CHANGELOG.md b/go/ql/consistency-queries/CHANGELOG.md new file mode 100644 index 00000000000..59b60bad0f3 --- /dev/null +++ b/go/ql/consistency-queries/CHANGELOG.md @@ -0,0 +1,3 @@ +## 0.0.1 + +No user-facing changes. diff --git a/go/ql/consistency-queries/change-notes/released/0.0.1.md b/go/ql/consistency-queries/change-notes/released/0.0.1.md new file mode 100644 index 00000000000..59b60bad0f3 --- /dev/null +++ b/go/ql/consistency-queries/change-notes/released/0.0.1.md @@ -0,0 +1,3 @@ +## 0.0.1 + +No user-facing changes. diff --git a/go/ql/consistency-queries/codeql-pack.release.yml b/go/ql/consistency-queries/codeql-pack.release.yml new file mode 100644 index 00000000000..c6933410b71 --- /dev/null +++ b/go/ql/consistency-queries/codeql-pack.release.yml @@ -0,0 +1,2 @@ +--- +lastReleaseVersion: 0.0.1 diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index 01232241fc1..2b0a52a185e 100644 --- a/go/ql/consistency-queries/qlpack.yml +++ b/go/ql/consistency-queries/qlpack.yml @@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 0.0.0 +version: 0.0.2-dev groups: - go - queries diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index 20567a56d40..62d802b584a 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md 
@@ -1,3 +1,13 @@ +## 0.7.2 + +### Minor Analysis Improvements + +* Added [Request.Cookie](https://pkg.go.dev/net/http#Request.Cookie) to reflected XSS sanitizers. + +### Bug Fixes + +* Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing `Callable`. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results. + ## 0.7.1 ### Minor Analysis Improvements diff --git a/go/ql/lib/change-notes/2023-10-25-reflectedxss-cookie-sanitizer.md b/go/ql/lib/change-notes/2023-10-25-reflectedxss-cookie-sanitizer.md deleted file mode 100644 index efb8faee097..00000000000 --- a/go/ql/lib/change-notes/2023-10-25-reflectedxss-cookie-sanitizer.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added [Request.Cookie](https://pkg.go.dev/net/http#Request.Cookie) to reflected XSS sanitizers. \ No newline at end of file diff --git a/go/ql/lib/change-notes/2023-10-20-enclosing-callable-for-external-files.md b/go/ql/lib/change-notes/released/0.7.2.md similarity index 69% rename from go/ql/lib/change-notes/2023-10-20-enclosing-callable-for-external-files.md rename to go/ql/lib/change-notes/released/0.7.2.md index 59a646c2c8c..1124a5c1ecd 100644 --- a/go/ql/lib/change-notes/2023-10-20-enclosing-callable-for-external-files.md +++ b/go/ql/lib/change-notes/released/0.7.2.md 
@@ -1,4 +1,9 @@ ---- -category: fix ---- +## 0.7.2 + +### Minor Analysis Improvements + +* Added [Request.Cookie](https://pkg.go.dev/net/http#Request.Cookie) to reflected XSS sanitizers. + +### Bug Fixes + * Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing `Callable`. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results. diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index e007a9aec3e..fee171e9685 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.1 +lastReleaseVersion: 0.7.2 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index ddc9956180c..8069dc5d797 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 0.7.2-dev +version: 0.7.3-dev groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index 7ceadcda745..9770cc59b48 100644 --- a/go/ql/src/CHANGELOG.md +++ b/go/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.7.2 + +### Minor Analysis Improvements + +* The query `go/incorrect-integer-conversion` now correctly recognizes more guards of the form `if val <= x` to protect a conversion `uintX(val)`. + ## 0.7.1 ### Minor Analysis Improvements diff --git a/go/ql/src/change-notes/2023-10-27-incorrect-integer-conversion-guards.md b/go/ql/src/change-notes/released/0.7.2.md similarity index 77% rename from go/ql/src/change-notes/2023-10-27-incorrect-integer-conversion-guards.md rename to go/ql/src/change-notes/released/0.7.2.md index 2c5f163879f..e80b0ffa52a 100644 --- a/go/ql/src/change-notes/2023-10-27-incorrect-integer-conversion-guards.md +++ b/go/ql/src/change-notes/released/0.7.2.md 
@@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 0.7.2 + +### Minor Analysis Improvements + * The query `go/incorrect-integer-conversion` now correctly recognizes more guards of the form `if val <= x` to protect a conversion `uintX(val)`. diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml index e007a9aec3e..fee171e9685 100644 --- a/go/ql/src/codeql-pack.release.yml +++ b/go/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.1 +lastReleaseVersion: 0.7.2 diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index 99573ffaa5d..44d31df731b 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 0.7.2-dev +version: 0.7.3-dev groups: - go - queries diff --git a/java/kotlin-extractor/src/main/kotlin/utils/ClassNames.kt b/java/kotlin-extractor/src/main/kotlin/utils/ClassNames.kt index bc9ee17debf..5a14abebf0a 100644 --- a/java/kotlin-extractor/src/main/kotlin/utils/ClassNames.kt +++ b/java/kotlin-extractor/src/main/kotlin/utils/ClassNames.kt @@ -3,6 +3,7 @@ package com.github.codeql import com.github.codeql.utils.getJvmName import com.github.codeql.utils.versions.* import com.intellij.openapi.vfs.StandardFileSystems +import org.jetbrains.kotlin.fir.java.JavaBinarySourceElement import org.jetbrains.kotlin.load.java.sources.JavaSourceElement import org.jetbrains.kotlin.load.java.structure.impl.classFiles.BinaryJavaClass import org.jetbrains.kotlin.load.kotlin.VirtualFileKotlinClass @@ -80,6 +81,9 @@ fun getIrClassVirtualFile(irClass: IrClass): VirtualFile? { is BinaryJavaClass -> return element.virtualFile } } + is JavaBinarySourceElement -> { + return cSource.javaClass.virtualFile + } is KotlinJvmBinarySourceElement -> { val binaryClass = cSource.binaryClass when(binaryClass) { 
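Review bot: The new `is JavaBinarySourceElement` branch in ClassNames.kt is placed after the `is JavaSourceElement` branch; if the compiler's `JavaBinarySourceElement` also implements `JavaSourceElement` (the diff does not show its supertypes), the earlier branch matches first and the new one is unreachable, so the relationship between the two types is worth confirming and recording. A one-line comment on the branch, such as `// Type from org.jetbrains.kotlin.fir.java; on compilers without it the stub in utils/versions keeps this compiling and is never instantiated`, would also explain why a branch exists for a type the v_1_5_0 stub says is never produced. `getIrClassVirtualFile` starts and ends outside the hunk.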
diff --git a/java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_5_0/JavaBinarySourceElement.kt b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_5_0/JavaBinarySourceElement.kt new file mode 100644 index 00000000000..2a5f9cf2a97 --- /dev/null +++ b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_5_0/JavaBinarySourceElement.kt @@ -0,0 +1,11 @@ +package org.jetbrains.kotlin.fir.java + +import org.jetbrains.kotlin.descriptors.SourceElement +import org.jetbrains.kotlin.load.java.structure.impl.classFiles.BinaryJavaClass + +/* +We need this class to exist, but the compiler will never give us an +instance of it. +*/ +abstract class JavaBinarySourceElement private constructor(val javaClass: BinaryJavaClass): SourceElement { +} diff --git a/java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_9_255-SNAPSHOT/JavaBinarySourceElement.kt b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_9_255-SNAPSHOT/JavaBinarySourceElement.kt new file mode 100644 index 00000000000..80167cbcc8f --- /dev/null +++ b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_9_255-SNAPSHOT/JavaBinarySourceElement.kt @@ -0,0 +1,3 @@ +/* +The compiler provides this class, so we don't have to do anything. +*/ diff --git a/java/ql/automodel/src/change-notes/released/0.0.7.md b/java/ql/automodel/src/change-notes/released/0.0.7.md index a4e26791ae4..098fada6105 100644 --- a/java/ql/automodel/src/change-notes/released/0.0.7.md +++ b/java/ql/automodel/src/change-notes/released/0.0.7.md @@ -1,3 +1,3 @@ ## 0.0.7 -Support for extracting source candidates. +Support for extracting source candidates. \ No newline at end of file diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index aad04cf36de..0bfe85bbcf6 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md 
@@ -1,3 +1,16 @@ +## 0.8.2 + +### Minor Analysis Improvements + +* Java classes `MethodAccess`, `LValue` and `RValue` were renamed to `MethodCall`, `VarWrite` and `VarRead` respectively, along with related predicates and class names. The old names remain usable for the time being but are deprecated and should be replaced. +* New class `NewClassExpr` was added to represent specifically an explicit `new ClassName(...)` invocation, in contrast to `ClassInstanceExpr` which also includes expressions that implicitly instantiate classes, such as defining a lambda or taking a method reference. +* Added up to date models related to Spring Framework 6's `org.springframework.http.ResponseEntity`. +* Added models for the following packages: + + * com.alibaba.fastjson2 + * javax.management + * org.apache.http.client.utils + ## 0.8.1 ### New Features diff --git a/java/ql/lib/change-notes/2023-10-17-new-models.md b/java/ql/lib/change-notes/2023-10-17-new-models.md deleted file mode 100644 index 2b1c5ae4247..00000000000 --- a/java/ql/lib/change-notes/2023-10-17-new-models.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -category: minorAnalysis ---- -* Added models for the following packages: - - * com.alibaba.fastjson2 - * javax.management - * org.apache.http.client.utils diff --git a/java/ql/lib/change-notes/2023-10-23-spring-6-models.md b/java/ql/lib/change-notes/2023-10-23-spring-6-models.md deleted file mode 100644 index 8c4f9f938f2..00000000000 --- a/java/ql/lib/change-notes/2023-10-23-spring-6-models.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added up to date models related to Spring Framework 6's `org.springframework.http.ResponseEntity`. diff --git a/java/ql/lib/change-notes/2023-10-24-java-renames.md b/java/ql/lib/change-notes/released/0.8.2.md similarity index 66% rename from java/ql/lib/change-notes/2023-10-24-java-renames.md rename to java/ql/lib/change-notes/released/0.8.2.md index e6aebad211c..15436016ac2 100644 
--- a/java/ql/lib/change-notes/2023-10-24-java-renames.md +++ b/java/ql/lib/change-notes/released/0.8.2.md @@ -1,5 +1,12 @@ ---- -category: minorAnalysis ---- +## 0.8.2 + +### Minor Analysis Improvements + * Java classes `MethodAccess`, `LValue` and `RValue` were renamed to `MethodCall`, `VarWrite` and `VarRead` respectively, along with related predicates and class names. The old names remain usable for the time being but are deprecated and should be replaced. * New class `NewClassExpr` was added to represent specifically an explicit `new ClassName(...)` invocation, in contrast to `ClassInstanceExpr` which also includes expressions that implicitly instantiate classes, such as defining a lambda or taking a method reference. +* Added up to date models related to Spring Framework 6's `org.springframework.http.ResponseEntity`. +* Added models for the following packages: + + * com.alibaba.fastjson2 + * javax.management + * org.apache.http.client.utils diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index 2f693f95ba6..404110129dc 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.8.1 +lastReleaseVersion: 0.8.2 diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 2261427469e..d081d963060 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 0.8.2-dev +version: 0.8.3-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index c0a6261d914..264532fc787 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md 
@@ -1,3 +1,10 @@
+## 0.8.2
+
+### Minor Analysis Improvements
+
+* java/summary/lines-of-code now gives the total number of lines of Java and Kotlin code, and is the only query tagged `lines-of-code`. java/summary/lines-of-code-java and java/summary/lines-of-code-kotlin give the per-language counts.
+* The query `java/spring-disabled-csrf-protection` has been improved to detect more ways of disabling CSRF in Spring.
+
 ## 0.8.1
 
 ### Minor Analysis Improvements
diff --git a/java/ql/src/change-notes/2023-10-16-spring-disabled-csrf-protection-improved.md b/java/ql/src/change-notes/2023-10-16-spring-disabled-csrf-protection-improved.md
deleted file mode 100644
index 94462f0f8c3..00000000000
--- a/java/ql/src/change-notes/2023-10-16-spring-disabled-csrf-protection-improved.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The query `java/spring-disabled-csrf-protection` has been improved to detect more ways of disabling CSRF in Spring.
diff --git a/java/ql/src/change-notes/2023-10-20-lines-of-code.md b/java/ql/src/change-notes/released/0.8.2.md
similarity index 59%
rename from java/ql/src/change-notes/2023-10-20-lines-of-code.md
rename to java/ql/src/change-notes/released/0.8.2.md
index b6b49aba7f9..eca4e923e25 100644
--- a/java/ql/src/change-notes/2023-10-20-lines-of-code.md
+++ b/java/ql/src/change-notes/released/0.8.2.md
@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 0.8.2
+
+### Minor Analysis Improvements
+
 * java/summary/lines-of-code now gives the total number of lines of Java and Kotlin code, and is the only query tagged `lines-of-code`. java/summary/lines-of-code-java and java/summary/lines-of-code-kotlin give the per-language counts.
+* The query `java/spring-disabled-csrf-protection` has been improved to detect more ways of disabling CSRF in Spring.
diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml
index 2f693f95ba6..404110129dc 100644
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.1
+lastReleaseVersion: 0.8.2
diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml
index 1491aeaf8a5..9a8ff49eefd 100644
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.8.2-dev
+version: 0.8.3-dev
 groups:
 - java
 - queries
diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md
index 53155773c3d..b72e86cd41d 100644
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.8.2
+
+No user-facing changes.
+
 ## 0.8.1
 
 ### Minor Analysis Improvements
diff --git a/javascript/ql/lib/change-notes/released/0.8.2.md b/javascript/ql/lib/change-notes/released/0.8.2.md
new file mode 100644
index 00000000000..11c1f6119a5
--- /dev/null
+++ b/javascript/ql/lib/change-notes/released/0.8.2.md
@@ -0,0 +1,3 @@
+## 0.8.2
+
+No user-facing changes.
diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml
index 2f693f95ba6..404110129dc 100644
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.1
+lastReleaseVersion: 0.8.2
diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml
index ebd48dfeffa..5842cd19576 100644
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.8.2-dev
+version: 0.8.3-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md
index 1effcdfa16d..922190dac29 100644
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.8.2
+
+### Minor Analysis Improvements
+
+* Added modeling for importing `express-rate-limit` using a named import.
+
 ## 0.8.1
 
 ### Minor Analysis Improvements
diff --git a/javascript/ql/src/change-notes/2023-10-26-express-rate-limit.md b/javascript/ql/src/change-notes/released/0.8.2.md
similarity index 63%
rename from javascript/ql/src/change-notes/2023-10-26-express-rate-limit.md
rename to javascript/ql/src/change-notes/released/0.8.2.md
index 28804e97908..a3d132b9000 100644
--- a/javascript/ql/src/change-notes/2023-10-26-express-rate-limit.md
+++ b/javascript/ql/src/change-notes/released/0.8.2.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 0.8.2
+
+### Minor Analysis Improvements
+
 * Added modeling for importing `express-rate-limit` using a named import.
diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml
index 2f693f95ba6..404110129dc 100644
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.1
+lastReleaseVersion: 0.8.2
diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml
index 3cba824d8f7..8ac34dd2fed 100644
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 0.8.2-dev
+version: 0.8.3-dev
 groups:
 - javascript
 - queries
diff --git a/misc/suite-helpers/CHANGELOG.md b/misc/suite-helpers/CHANGELOG.md
index a3fe08e3d49..f81fff6a15d 100644
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.7.2
+
+No user-facing changes.
+
 ## 0.7.1
 
 No user-facing changes.
diff --git a/misc/suite-helpers/change-notes/released/0.7.2.md b/misc/suite-helpers/change-notes/released/0.7.2.md
new file mode 100644
index 00000000000..8693d609ec7
--- /dev/null
+++ b/misc/suite-helpers/change-notes/released/0.7.2.md
@@ -0,0 +1,3 @@
+## 0.7.2
+
+No user-facing changes.
diff --git a/misc/suite-helpers/codeql-pack.release.yml b/misc/suite-helpers/codeql-pack.release.yml
index e007a9aec3e..fee171e9685 100644
--- a/misc/suite-helpers/codeql-pack.release.yml
+++ b/misc/suite-helpers/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.1
+lastReleaseVersion: 0.7.2
diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml
index e8285dc5fcc..a9421fb41ba 100644
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 0.7.2-dev
+version: 0.7.3-dev
 groups: shared
 warnOnImplicitThis: true
diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md
index e3d2d5574a0..c3739b0bfc1 100644
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.11.2
+
+### Minor Analysis Improvements
+
+* Added support for functions decorated with `contextlib.contextmanager`.
+* Namespace packages in the form of regular packages with missing `__init__.py`-files are now allowed. This enables the analysis to resolve modules and functions inside such packages.
+
 ## 0.11.1
 
 ### Minor Analysis Improvements
diff --git a/python/ql/lib/change-notes/2023-10-17-contextmanager.md b/python/ql/lib/change-notes/2023-10-17-contextmanager.md
deleted file mode 100644
index dabd03a7257..00000000000
--- a/python/ql/lib/change-notes/2023-10-17-contextmanager.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for functions decorated with `contextlib.contextmanager`.
diff --git a/python/ql/lib/change-notes/2023-09-29-allow-namespace-packages.md b/python/ql/lib/change-notes/released/0.11.2.md
similarity index 60%
rename from python/ql/lib/change-notes/2023-09-29-allow-namespace-packages.md
rename to python/ql/lib/change-notes/released/0.11.2.md
index 6c064920b51..b9742da3fe0 100644
--- a/python/ql/lib/change-notes/2023-09-29-allow-namespace-packages.md
+++ b/python/ql/lib/change-notes/released/0.11.2.md
@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 0.11.2
+
+### Minor Analysis Improvements
+
+* Added support for functions decorated with `contextlib.contextmanager`.
 * Namespace packages in the form of regular packages with missing `__init__.py`-files are now allowed. This enables the analysis to resolve modules and functions inside such packages.
diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml
index 924f56c785a..965b515cf93 100644
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.11.1
+lastReleaseVersion: 0.11.2
diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml
index 5f7b50cc851..d6c26871000 100644
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 0.11.2-dev
+version: 0.11.3-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md
index 2d64d52f78b..0360df4c4c5 100644
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.9.2
+
+No user-facing changes.
+
 ## 0.9.1
 
 No user-facing changes.
diff --git a/python/ql/src/change-notes/released/0.9.2.md b/python/ql/src/change-notes/released/0.9.2.md
new file mode 100644
index 00000000000..50442967c67
--- /dev/null
+++ b/python/ql/src/change-notes/released/0.9.2.md
@@ -0,0 +1,3 @@
+## 0.9.2
+
+No user-facing changes.
diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml
index 6789dcd18b7..e1eda519435 100644
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.1
+lastReleaseVersion: 0.9.2
diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml
index 69ece304b76..3545c0cde79 100644
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 0.9.2-dev
+version: 0.9.3-dev
 groups:
 - python
 - queries
diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md
index b531f75ca94..69474dff6bf 100644
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.8.2
+
+No user-facing changes.
+
 ## 0.8.1
 
 ### Minor Analysis Improvements
diff --git a/ruby/ql/lib/change-notes/released/0.8.2.md b/ruby/ql/lib/change-notes/released/0.8.2.md
new file mode 100644
index 00000000000..11c1f6119a5
--- /dev/null
+++ b/ruby/ql/lib/change-notes/released/0.8.2.md
@@ -0,0 +1,3 @@
+## 0.8.2
+
+No user-facing changes.
diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml
index 2f693f95ba6..404110129dc 100644
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.1
+lastReleaseVersion: 0.8.2
diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml
index f1cdda21fe7..58c41f1c48c 100644
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 0.8.2-dev
+version: 0.8.3-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md
index 947a4b45d51..fa5327383b0 100644
--- a/ruby/ql/src/CHANGELOG.md
+++ b/ruby/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.8.2
+
+No user-facing changes.
+
 ## 0.8.1
 
 ### New Queries
diff --git a/ruby/ql/src/change-notes/released/0.8.2.md b/ruby/ql/src/change-notes/released/0.8.2.md
new file mode 100644
index 00000000000..11c1f6119a5
--- /dev/null
+++ b/ruby/ql/src/change-notes/released/0.8.2.md
@@ -0,0 +1,3 @@
+## 0.8.2
+
+No user-facing changes.
diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml
index 2f693f95ba6..404110129dc 100644
--- a/ruby/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.1
+lastReleaseVersion: 0.8.2
diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml
index 5c39f44f0a7..61a7f4b8433 100644
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 0.8.2-dev
+version: 0.8.3-dev
 groups:
 - ruby
 - queries
diff --git a/shared/controlflow/CHANGELOG.md b/shared/controlflow/CHANGELOG.md
index ea568563760..4b349473918 100644
--- a/shared/controlflow/CHANGELOG.md
+++ b/shared/controlflow/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.1.2
+
+No user-facing changes.
+
 ## 0.1.1
 
 No user-facing changes.
diff --git a/shared/controlflow/change-notes/released/0.1.2.md b/shared/controlflow/change-notes/released/0.1.2.md
new file mode 100644
index 00000000000..9b0e2e7d717
--- /dev/null
+++ b/shared/controlflow/change-notes/released/0.1.2.md
@@ -0,0 +1,3 @@
+## 0.1.2
+
+No user-facing changes.
diff --git a/shared/controlflow/codeql-pack.release.yml b/shared/controlflow/codeql-pack.release.yml
index 92d1505475f..6abd14b1ef8 100644
--- a/shared/controlflow/codeql-pack.release.yml
+++ b/shared/controlflow/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.1
+lastReleaseVersion: 0.1.2
diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml
index 11b94aac7fb..cfd0a23d6fd 100644
--- a/shared/controlflow/qlpack.yml
+++ b/shared/controlflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/controlflow
-version: 0.1.2-dev
+version: 0.1.3-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/dataflow/CHANGELOG.md b/shared/dataflow/CHANGELOG.md
index 0a46c80290f..b09685bca27 100644
--- a/shared/dataflow/CHANGELOG.md
+++ b/shared/dataflow/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.1.2
+
+### Bug Fixes
+
+* The API for debugging flow using partial flow has changed slightly. Instead of using `module Partial = FlowExploration` and choosing between `Partial::partialFlow` and `Partial::partialFlowRev`, you now choose between `module Partial = FlowExplorationFwd` and `module Partial = FlowExplorationRev`, and then always use `Partial::partialFlow`.
+
 ## 0.1.1
 
 No user-facing changes.
diff --git a/shared/dataflow/change-notes/2023-10-27-partialflow-api.md b/shared/dataflow/change-notes/released/0.1.2.md
similarity index 93%
rename from shared/dataflow/change-notes/2023-10-27-partialflow-api.md
rename to shared/dataflow/change-notes/released/0.1.2.md
index 267e2980252..b53a47e34b2 100644
--- a/shared/dataflow/change-notes/2023-10-27-partialflow-api.md
+++ b/shared/dataflow/change-notes/released/0.1.2.md
@@ -1,4 +1,5 @@
----
-category: fix
----
+## 0.1.2
+
+### Bug Fixes
+
 * The API for debugging flow using partial flow has changed slightly. Instead of using `module Partial = FlowExploration` and choosing between `Partial::partialFlow` and `Partial::partialFlowRev`, you now choose between `module Partial = FlowExplorationFwd` and `module Partial = FlowExplorationRev`, and then always use `Partial::partialFlow`.
diff --git a/shared/dataflow/codeql-pack.release.yml b/shared/dataflow/codeql-pack.release.yml
index 92d1505475f..6abd14b1ef8 100644
--- a/shared/dataflow/codeql-pack.release.yml
+++ b/shared/dataflow/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.1
+lastReleaseVersion: 0.1.2
diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml
index b5f082df407..c86f4e2827a 100644
--- a/shared/dataflow/qlpack.yml
+++ b/shared/dataflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/dataflow
-version: 0.1.2-dev
+version: 0.1.3-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/mad/CHANGELOG.md b/shared/mad/CHANGELOG.md
index 8b83d14599d..21731cd39e3 100644
--- a/shared/mad/CHANGELOG.md
+++ b/shared/mad/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.2
+
+No user-facing changes.
+
 ## 0.2.1
 
 No user-facing changes.
diff --git a/shared/mad/change-notes/released/0.2.2.md b/shared/mad/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..98e69fd0772
--- /dev/null
+++ b/shared/mad/change-notes/released/0.2.2.md
@@ -0,0 +1,3 @@
+## 0.2.2
+
+No user-facing changes.
diff --git a/shared/mad/codeql-pack.release.yml b/shared/mad/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/shared/mad/codeql-pack.release.yml
+++ b/shared/mad/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml
index 84e0167aa07..bb409ee82f8 100644
--- a/shared/mad/qlpack.yml
+++ b/shared/mad/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/mad
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: shared
 library: true
 dependencies: null
diff --git a/shared/rangeanalysis/change-notes/2023-10-05-initial.md b/shared/rangeanalysis/CHANGELOG.md
similarity index 62%
rename from shared/rangeanalysis/change-notes/2023-10-05-initial.md
rename to shared/rangeanalysis/CHANGELOG.md
index 910b6962a93..c2ca7d0664f 100644
--- a/shared/rangeanalysis/change-notes/2023-10-05-initial.md
+++ b/shared/rangeanalysis/CHANGELOG.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 0.0.1
+
+### Minor Analysis Improvements
+
 * Initial release. Moves the range analysis library into its own qlpack.
diff --git a/shared/rangeanalysis/change-notes/released/0.0.1.md b/shared/rangeanalysis/change-notes/released/0.0.1.md
new file mode 100644
index 00000000000..c2ca7d0664f
--- /dev/null
+++ b/shared/rangeanalysis/change-notes/released/0.0.1.md
@@ -0,0 +1,5 @@
+## 0.0.1
+
+### Minor Analysis Improvements
+
+* Initial release. Moves the range analysis library into its own qlpack.
diff --git a/shared/rangeanalysis/codeql-pack.release.yml b/shared/rangeanalysis/codeql-pack.release.yml
new file mode 100644
index 00000000000..c6933410b71
--- /dev/null
+++ b/shared/rangeanalysis/codeql-pack.release.yml
@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.1
diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml
index fbe05924c5a..d3ea91c2053 100644
--- a/shared/rangeanalysis/qlpack.yml
+++ b/shared/rangeanalysis/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rangeanalysis
-version: 0.0.1-dev
+version: 0.0.2-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/regex/CHANGELOG.md b/shared/regex/CHANGELOG.md
index e9e382e822f..de288a996f4 100644
--- a/shared/regex/CHANGELOG.md
+++ b/shared/regex/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.2
+
+No user-facing changes.
+
 ## 0.2.1
 
 No user-facing changes.
diff --git a/shared/regex/change-notes/released/0.2.2.md b/shared/regex/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..98e69fd0772
--- /dev/null
+++ b/shared/regex/change-notes/released/0.2.2.md
@@ -0,0 +1,3 @@
+## 0.2.2
+
+No user-facing changes.
diff --git a/shared/regex/codeql-pack.release.yml b/shared/regex/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/shared/regex/codeql-pack.release.yml
+++ b/shared/regex/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml
index 7f71bac0795..45593edb1fc 100644
--- a/shared/regex/qlpack.yml
+++ b/shared/regex/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/regex
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/ssa/CHANGELOG.md b/shared/ssa/CHANGELOG.md
index 14f5315d943..d5da42bc097 100644
--- a/shared/ssa/CHANGELOG.md
+++ b/shared/ssa/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.2
+
+No user-facing changes.
+
 ## 0.2.1
 
 No user-facing changes.
diff --git a/shared/ssa/change-notes/released/0.2.2.md b/shared/ssa/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..98e69fd0772
--- /dev/null
+++ b/shared/ssa/change-notes/released/0.2.2.md
@@ -0,0 +1,3 @@
+## 0.2.2
+
+No user-facing changes.
diff --git a/shared/ssa/codeql-pack.release.yml b/shared/ssa/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/shared/ssa/codeql-pack.release.yml
+++ b/shared/ssa/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml
index 2b7f36f8a0b..dfaee0ad8b4 100644
--- a/shared/ssa/qlpack.yml
+++ b/shared/ssa/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ssa
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/shared/threat-models/CHANGELOG.md b/shared/threat-models/CHANGELOG.md
new file mode 100644
index 00000000000..59b60bad0f3
--- /dev/null
+++ b/shared/threat-models/CHANGELOG.md
@@ -0,0 +1,3 @@
+## 0.0.1
+
+No user-facing changes.
diff --git a/shared/threat-models/change-notes/released/0.0.1.md b/shared/threat-models/change-notes/released/0.0.1.md
new file mode 100644
index 00000000000..59b60bad0f3
--- /dev/null
+++ b/shared/threat-models/change-notes/released/0.0.1.md
@@ -0,0 +1,3 @@
+## 0.0.1
+
+No user-facing changes.
diff --git a/shared/threat-models/codeql-pack.release.yml b/shared/threat-models/codeql-pack.release.yml
new file mode 100644
index 00000000000..c6933410b71
--- /dev/null
+++ b/shared/threat-models/codeql-pack.release.yml
@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.1
diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml
index 71be8835aa7..8bf6774202c 100644
--- a/shared/threat-models/qlpack.yml
+++ b/shared/threat-models/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/threat-models
-version: 0.0.0-dev
+version: 0.0.2-dev
 library: true
 groups: shared
 dataExtensions:
diff --git a/shared/tutorial/CHANGELOG.md b/shared/tutorial/CHANGELOG.md
index 00fd8e38eb7..8f74494a95a 100644
--- a/shared/tutorial/CHANGELOG.md
+++ b/shared/tutorial/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.2
+
+No user-facing changes.
+
 ## 0.2.1
 
 No user-facing changes.
diff --git a/shared/tutorial/change-notes/released/0.2.2.md b/shared/tutorial/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..98e69fd0772
--- /dev/null
+++ b/shared/tutorial/change-notes/released/0.2.2.md
@@ -0,0 +1,3 @@
+## 0.2.2
+
+No user-facing changes.
diff --git a/shared/tutorial/codeql-pack.release.yml b/shared/tutorial/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/shared/tutorial/codeql-pack.release.yml
+++ b/shared/tutorial/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml
index e946d9ff8d2..b35e04be888 100644
--- a/shared/tutorial/qlpack.yml
+++ b/shared/tutorial/qlpack.yml
@@ -1,7 +1,7 @@
 name: codeql/tutorial
 description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries.
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/shared/typetracking/CHANGELOG.md b/shared/typetracking/CHANGELOG.md
index d38fa8cd134..573bebe6351 100644
--- a/shared/typetracking/CHANGELOG.md
+++ b/shared/typetracking/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.2
+
+No user-facing changes.
+
 ## 0.2.1
 
 No user-facing changes.
diff --git a/shared/typetracking/change-notes/released/0.2.2.md b/shared/typetracking/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..98e69fd0772
--- /dev/null
+++ b/shared/typetracking/change-notes/released/0.2.2.md
@@ -0,0 +1,3 @@
+## 0.2.2
+
+No user-facing changes.
diff --git a/shared/typetracking/codeql-pack.release.yml b/shared/typetracking/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/shared/typetracking/codeql-pack.release.yml
+++ b/shared/typetracking/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml
index 57ceec740c1..0755439b4bc 100644
--- a/shared/typetracking/qlpack.yml
+++ b/shared/typetracking/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typetracking
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/typos/CHANGELOG.md b/shared/typos/CHANGELOG.md
index 86271e826fc..69aa575c51f 100644
--- a/shared/typos/CHANGELOG.md
+++ b/shared/typos/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.2
+
+No user-facing changes.
+
 ## 0.2.1
 
 No user-facing changes.
diff --git a/shared/typos/change-notes/released/0.2.2.md b/shared/typos/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..98e69fd0772
--- /dev/null
+++ b/shared/typos/change-notes/released/0.2.2.md
@@ -0,0 +1,3 @@
+## 0.2.2
+
+No user-facing changes.
diff --git a/shared/typos/codeql-pack.release.yml b/shared/typos/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/shared/typos/codeql-pack.release.yml
+++ b/shared/typos/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml
index adf718c55f3..4e7ade7b781 100644
--- a/shared/typos/qlpack.yml
+++ b/shared/typos/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typos
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/shared/util/CHANGELOG.md b/shared/util/CHANGELOG.md
index 389870529d1..47848666e35 100644
--- a/shared/util/CHANGELOG.md
+++ b/shared/util/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.2.2
+
+### New Features
+
+* Added `FilePath` API for normalizing filepaths.
+
 ## 0.2.1
 
 No user-facing changes.
diff --git a/shared/util/change-notes/2023-10-13-filepath-normalization.md b/shared/util/change-notes/2023-10-13-filepath-normalization.md
deleted file mode 100644
index 3ffdadc85b3..00000000000
--- a/shared/util/change-notes/2023-10-13-filepath-normalization.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added `FilePath` API for normalizing filepaths.
\ No newline at end of file
diff --git a/shared/util/change-notes/released/0.2.2.md b/shared/util/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..1a9e2b9e6a1
--- /dev/null
+++ b/shared/util/change-notes/released/0.2.2.md
@@ -0,0 +1,5 @@
+## 0.2.2
+
+### New Features
+
+* Added `FilePath` API for normalizing filepaths.
diff --git a/shared/util/codeql-pack.release.yml b/shared/util/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/shared/util/codeql-pack.release.yml
+++ b/shared/util/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml
index 0e4352a879b..9a0d20f61b6 100644
--- a/shared/util/qlpack.yml
+++ b/shared/util/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/util
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: shared
 library: true
 dependencies: null
diff --git a/shared/yaml/CHANGELOG.md b/shared/yaml/CHANGELOG.md
index f7309a0c5e8..fe6a5127bce 100644
--- a/shared/yaml/CHANGELOG.md
+++ b/shared/yaml/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.2
+
+No user-facing changes.
+
 ## 0.2.1
 
 No user-facing changes.
diff --git a/shared/yaml/change-notes/released/0.2.2.md b/shared/yaml/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..98e69fd0772
--- /dev/null
+++ b/shared/yaml/change-notes/released/0.2.2.md
@@ -0,0 +1,3 @@
+## 0.2.2
+
+No user-facing changes.
diff --git a/shared/yaml/codeql-pack.release.yml b/shared/yaml/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/shared/yaml/codeql-pack.release.yml
+++ b/shared/yaml/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml
index 4ecff12de0e..72bb02d1ebb 100644
--- a/shared/yaml/qlpack.yml
+++ b/shared/yaml/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/yaml
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md
index c6e233b82b6..a73f4d6a778 100644
--- a/swift/ql/lib/CHANGELOG.md
+++ b/swift/ql/lib/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 0.3.2
+
+### Minor Analysis Improvements
+
+* Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
+* Added children of `UnspecifiedElement`, which will be present only in certain downgraded databases.
+* Collection content is now automatically read at taint flow sinks. This removes the need to define an `allowImplicitRead` predicate on data flow configurations where the sink might be an array, set or similar type with tainted contents. Where that step had not been defined, taint may find additional results now.
+* Added taint models for `StringProtocol.appendingFormat` and `String.decodeCString`.
+* Added taint flow models for members of `Substring`.
+* Added taint flow models for `RawRepresentable`.
+* The contents of autoclosure function parameters are now included in the control flow graph and data flow libraries.
+* Added models of `StringProtocol` and `NSString` methods that evaluate regular expressions.
+* Flow through 'open existential expressions', implicit expressions created by the compiler when a method is called on a protocol. This may apply, for example, when the method is a modelled taint source.
+
 ## 0.3.1
 
 ### Minor Analysis Improvements
diff --git a/swift/ql/lib/change-notes/2023-08-31-open-existential-expr.md b/swift/ql/lib/change-notes/2023-08-31-open-existential-expr.md
deleted file mode 100644
index 5d2a67ea711..00000000000
--- a/swift/ql/lib/change-notes/2023-08-31-open-existential-expr.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* Flow through 'open existential expressions', implicit expressions created by the compiler when a method is called on a protocol. This may apply, for example, when the method is a modelled taint source.
diff --git a/swift/ql/lib/change-notes/2023-10-05-regex-models.md b/swift/ql/lib/change-notes/2023-10-05-regex-models.md
deleted file mode 100644
index 5e20981492c..00000000000
--- a/swift/ql/lib/change-notes/2023-10-05-regex-models.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* Added models of `StringProtocol` and `NSString` methods that evaluate regular expressions.
diff --git a/swift/ql/lib/change-notes/2023-10-06-autoclosure-cfg.md b/swift/ql/lib/change-notes/2023-10-06-autoclosure-cfg.md
deleted file mode 100644
index a8d118b5984..00000000000
--- a/swift/ql/lib/change-notes/2023-10-06-autoclosure-cfg.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* The contents of autoclosure function parameters are now included in the control flow graph and data flow libraries.
diff --git a/swift/ql/lib/change-notes/2023-10-13-rawrepresentable.md b/swift/ql/lib/change-notes/2023-10-13-rawrepresentable.md
deleted file mode 100644
index 114afd58ab8..00000000000
--- a/swift/ql/lib/change-notes/2023-10-13-rawrepresentable.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* Added taint flow models for `RawRepresentable`.
diff --git a/swift/ql/lib/change-notes/2023-10-16-collection-content.md b/swift/ql/lib/change-notes/2023-10-16-collection-content.md
deleted file mode 100644
index c2e50f53dcf..00000000000
--- a/swift/ql/lib/change-notes/2023-10-16-collection-content.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* Collection content is now automatically read at taint flow sinks. This removes the need to define an `allowImplicitRead` predicate on data flow configurations where the sink might be an array, set or similar type with tainted contents. Where that step had not been defined, taint may find additional results now.
diff --git a/swift/ql/lib/change-notes/2023-10-16-string.md b/swift/ql/lib/change-notes/2023-10-16-string.md
deleted file mode 100644
index 9cb138f8c5e..00000000000
--- a/swift/ql/lib/change-notes/2023-10-16-string.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* Added taint models for `StringProtocol.appendingFormat` and `String.decodeCString`.
diff --git a/swift/ql/lib/change-notes/2023-10-16-substring.md b/swift/ql/lib/change-notes/2023-10-16-substring.md
deleted file mode 100644
index be494a12184..00000000000
--- a/swift/ql/lib/change-notes/2023-10-16-substring.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* Added taint flow models for members of `Substring`.
diff --git a/swift/ql/lib/change-notes/2023-10-18-unspecified-element-children.md b/swift/ql/lib/change-notes/2023-10-18-unspecified-element-children.md
deleted file mode 100644
index 917dba31551..00000000000
--- a/swift/ql/lib/change-notes/2023-10-18-unspecified-element-children.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* Added children of `UnspecifiedElement`, which will be present only in certain downgraded databases.
diff --git a/swift/ql/lib/change-notes/2023-10-27-variable-capture.md b/swift/ql/lib/change-notes/2023-10-27-variable-capture.md
deleted file mode 100644
index 94c7201c30b..00000000000
--- a/swift/ql/lib/change-notes/2023-10-27-variable-capture.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
\ No newline at end of file
diff --git a/swift/ql/lib/change-notes/released/0.3.2.md b/swift/ql/lib/change-notes/released/0.3.2.md
new file mode 100644
index 00000000000..82c7fa90403
--- /dev/null
+++ b/swift/ql/lib/change-notes/released/0.3.2.md
@@ -0,0 +1,13 @@
+## 0.3.2
+
+### Minor Analysis Improvements
+
+* Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
+* Added children of `UnspecifiedElement`, which will be present only in certain downgraded databases.
+* Collection content is now automatically read at taint flow sinks. This removes the need to define an `allowImplicitRead` predicate on data flow configurations where the sink might be an array, set or similar type with tainted contents. Where that step had not been defined, taint may find additional results now.
+* Added taint models for `StringProtocol.appendingFormat` and `String.decodeCString`.
+* Added taint flow models for members of `Substring`.
+* Added taint flow models for `RawRepresentable`.
+* The contents of autoclosure function parameters are now included in the control flow graph and data flow libraries.
+* Added models of `StringProtocol` and `NSString` methods that evaluate regular expressions.
+* Flow through 'open existential expressions', implicit expressions created by the compiler when a method is called on a protocol. This may apply, for example, when the method is a modelled taint source.
diff --git a/swift/ql/lib/codeql-pack.release.yml b/swift/ql/lib/codeql-pack.release.yml
index bb106b1cb63..18c64250f42 100644
--- a/swift/ql/lib/codeql-pack.release.yml
+++ b/swift/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.1
+lastReleaseVersion: 0.3.2
diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml
index 1f1bf6861b2..bef323df50c 100644
--- a/swift/ql/lib/qlpack.yml
+++ b/swift/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/swift-all
-version: 0.3.2-dev
+version: 0.3.3-dev
 groups: swift
 extractor: swift
 dbscheme: swift.dbscheme
diff --git a/swift/ql/src/CHANGELOG.md b/swift/ql/src/CHANGELOG.md
index 03ca56f798e..19e0e84c665 100644
--- a/swift/ql/src/CHANGELOG.md
+++ b/swift/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.3.2
+
+No user-facing changes.
+
 ## 0.3.1
 ### Minor Analysis Improvements
diff --git a/swift/ql/src/change-notes/released/0.3.2.md b/swift/ql/src/change-notes/released/0.3.2.md
new file mode 100644
index 00000000000..b4dc17f03ec
--- /dev/null
+++ b/swift/ql/src/change-notes/released/0.3.2.md
@@ -0,0 +1,3 @@
+## 0.3.2
+
+No user-facing changes.
diff --git a/swift/ql/src/codeql-pack.release.yml b/swift/ql/src/codeql-pack.release.yml
index bb106b1cb63..18c64250f42 100644
--- a/swift/ql/src/codeql-pack.release.yml
+++ b/swift/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.1
+lastReleaseVersion: 0.3.2
diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml
index 8803b4d6084..556d751397f 100644
--- a/swift/ql/src/qlpack.yml
+++ b/swift/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/swift-queries
-version: 0.3.2-dev
+version: 0.3.3-dev
 groups:
 - swift
 - queries
diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected
index da56e96c094..65c4c5eb2c1 100644
--- a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected
+++ b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected
@@ -1,9 +1,4 @@
 edges
-| UnsafeJsEval.swift:165:10:165:37 | try ... | UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() |
-| UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:165:10:165:37 | try ... |
-| UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() | UnsafeJsEval.swift:205:7:205:7 | remoteString |
-| UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() | UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... |
-| UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() | UnsafeJsEval.swift:211:24:211:37 | .utf8 |
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:265:13:265:13 | string |
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:268:13:268:13 | string |
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:276:13:276:13 | string |
@@ -11,20 +6,23 @@ edges
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:285:13:285:13 | string |
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:299:13:299:13 | string |
 | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:204:7:204:66 | try! ... |
-| UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:265:13:265:13 | string |
-| UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:268:13:268:13 | string |
-| UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:276:13:276:13 | string |
-| UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:279:13:279:13 | string |
-| UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:285:13:285:13 | string |
-| UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:299:13:299:13 | string |
-| UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:265:13:265:13 | string |
-| UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:268:13:268:13 | string |
-| UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:276:13:276:13 | string |
-| UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:279:13:279:13 | string |
-| UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:285:13:285:13 | string |
-| UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:299:13:299:13 | string |
-| UnsafeJsEval.swift:211:19:211:41 | call to Data.init(_:) | UnsafeJsEval.swift:214:24:214:24 | remoteData |
-| UnsafeJsEval.swift:211:24:211:37 | .utf8 | UnsafeJsEval.swift:211:19:211:41 | call to Data.init(_:) |
+| UnsafeJsEval.swift:205:7:205:35 | try! ... | UnsafeJsEval.swift:265:13:265:13 | string |
+| UnsafeJsEval.swift:205:7:205:35 | try! ... | UnsafeJsEval.swift:268:13:268:13 | string |
+| UnsafeJsEval.swift:205:7:205:35 | try! ...
| UnsafeJsEval.swift:276:13:276:13 | string |
+| UnsafeJsEval.swift:205:7:205:35 | try! ... | UnsafeJsEval.swift:279:13:279:13 | string |
+| UnsafeJsEval.swift:205:7:205:35 | try! ... | UnsafeJsEval.swift:285:13:285:13 | string |
+| UnsafeJsEval.swift:205:7:205:35 | try! ... | UnsafeJsEval.swift:299:13:299:13 | string |
+| UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:205:7:205:35 | try! ... |
+| UnsafeJsEval.swift:208:7:208:58 | ... .+(_:_:) ... | UnsafeJsEval.swift:265:13:265:13 | string |
+| UnsafeJsEval.swift:208:7:208:58 | ... .+(_:_:) ... | UnsafeJsEval.swift:268:13:268:13 | string |
+| UnsafeJsEval.swift:208:7:208:58 | ... .+(_:_:) ... | UnsafeJsEval.swift:276:13:276:13 | string |
+| UnsafeJsEval.swift:208:7:208:58 | ... .+(_:_:) ... | UnsafeJsEval.swift:279:13:279:13 | string |
+| UnsafeJsEval.swift:208:7:208:58 | ... .+(_:_:) ... | UnsafeJsEval.swift:285:13:285:13 | string |
+| UnsafeJsEval.swift:208:7:208:58 | ... .+(_:_:) ... | UnsafeJsEval.swift:299:13:299:13 | string |
+| UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:208:7:208:58 | ... .+(_:_:) ... |
+| UnsafeJsEval.swift:211:19:211:60 | call to Data.init(_:) | UnsafeJsEval.swift:214:24:214:24 | remoteData |
+| UnsafeJsEval.swift:211:24:211:56 | .utf8 | UnsafeJsEval.swift:211:19:211:60 | call to Data.init(_:) |
+| UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:211:24:211:56 | .utf8 |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:265:13:265:13 | string |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:268:13:268:13 | string |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:276:13:276:13 | string |
@@ -56,15 +54,15 @@ edges
 | UnsafeJsEval.swift:301:61:301:73 | .baseAddress | UnsafeJsEval.swift:301:31:301:84 | call to JSStringCreateWithUTF8CString(_:) |
 | UnsafeJsEval.swift:318:24:318:87 | call to String.init(contentsOf:) | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... |
 nodes
-| UnsafeJsEval.swift:165:10:165:37 | try ... | semmle.label | try ... |
-| UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) |
-| UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() | semmle.label | call to getRemoteData() |
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | semmle.label | try! ... |
 | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) |
-| UnsafeJsEval.swift:205:7:205:7 | remoteString | semmle.label | remoteString |
-| UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| UnsafeJsEval.swift:211:19:211:41 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
-| UnsafeJsEval.swift:211:24:211:37 | .utf8 | semmle.label | .utf8 |
+| UnsafeJsEval.swift:205:7:205:35 | try! ... | semmle.label | try! ... |
+| UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) |
+| UnsafeJsEval.swift:208:7:208:58 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ...
|
+| UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) |
+| UnsafeJsEval.swift:211:19:211:60 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
+| UnsafeJsEval.swift:211:24:211:56 | .utf8 | semmle.label | .utf8 |
+| UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | semmle.label | call to String.init(decoding:as:) |
 | UnsafeJsEval.swift:214:24:214:24 | remoteData | semmle.label | remoteData |
 | UnsafeJsEval.swift:265:13:265:13 | string | semmle.label | string |
@@ -99,16 +97,28 @@ nodes
 | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 subpaths
 #select
-| UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. |
-| UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source.
|
+| UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source.
|
 | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
-| UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
-| UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source.
|
+| UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
-| UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source.
|
+| UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:318:24:318:87 | call to String.init(contentsOf:) | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | Evaluation of uncontrolled JavaScript from a remote source. |
diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift
index 437559f2acf..83d691d5f03 100644
--- a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift
+++ b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift
@@ -159,72 +159,72 @@ extension String {
 // --- tests ---
-func getRemoteData() -> String {
- let url = URL(string: "http://example.com/")
- do {
- return try String(contentsOf: url!)
- } catch {
- return ""
- }
-}
+
+
+
+
+
+
+
+
 func testAsync(_ sink: @escaping (String) async throws -> ()) {
 Task {
 let localString = "console.log('localString')"
 let localStringFragment = "'localStringFragment'"
- let remoteString = getRemoteData()
+ let url = URL(string: "http://example.com/")
 try! await sink(localString) // GOOD: the HTML data is local
 try! await sink(try String(contentsOf: URL(string: "http://example.com/")!)) // BAD [NOT DETECTED - TODO]: HTML contains remote input, may access local secrets
- try! await sink(remoteString) // BAD [NOT DETECTED - TODO]
+ try! await sink(try! String(contentsOf: url!)) // BAD [NOT DETECTED - TODO]
 try! await sink("console.log(" + localStringFragment + ")") // GOOD: the HTML data is local
- try! await sink("console.log(" + remoteString + ")") // BAD [NOT DETECTED - TODO]
+ try! await sink("console.log(" + (try! String(contentsOf: url!)) + ")") // BAD [NOT DETECTED - TODO]
 let localData = Data(localString.utf8)
- let remoteData = Data(remoteString.utf8)
+ let remoteData = Data((try! String(contentsOf: url!)).utf8)
 try! await sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local
 try! await sink(String(decoding: remoteData, as: UTF8.self)) // BAD [NOT DETECTED - TODO]: the data is remote
 try! await sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion
- try! await sink("console.log(" + String(Int(remoteString) ?? 0) + ")") // GOOD: Primitive conversion
+ try! await sink("console.log(" + String(Int(try! String(contentsOf: url!)) ?? 0) + ")") // GOOD: Primitive conversion
 try! await sink("console.log(" + (localStringFragment.count != 0 ? "1" : "0") + ")") // GOOD: Primitive conversion
- try! await sink("console.log(" + (remoteString.count != 0 ?
"1" : "0") + ")") // GOOD: Primitive conversion + try! await sink("console.log(" + ((try! String(contentsOf: url!)).count != 0 ? "1" : "0") + ")") // GOOD: Primitive conversion } } func testSync(_ sink: @escaping (String) -> ()) { let localString = "console.log('localString')" let localStringFragment = "'localStringFragment'" - let remoteString = getRemoteData() + let url = URL(string: "http://example.com/") sink(localString) // GOOD: the HTML data is local sink(try! String(contentsOf: URL(string: "http://example.com/")!)) // BAD: HTML contains remote input, may access local secrets - sink(remoteString) // BAD + sink(try! String(contentsOf: url!)) // BAD sink("console.log(" + localStringFragment + ")") // GOOD: the HTML data is local - sink("console.log(" + remoteString + ")") // BAD + sink("console.log(" + (try! String(contentsOf: url!)) + ")") // BAD let localData = Data(localString.utf8) - let remoteData = Data(remoteString.utf8) + let remoteData = Data((try! String(contentsOf: url!)).utf8) sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local sink(String(decoding: remoteData, as: UTF8.self)) // BAD: the data is remote sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion - sink("console.log(" + String(Int(remoteString) ?? 0) + ")") // GOOD: Primitive conversion + sink("console.log(" + String(Int(try! String(contentsOf: url!)) ?? 0) + ")") // GOOD: Primitive conversion sink("console.log(" + (localStringFragment.count != 0 ? "1" : "0") + ")") // GOOD: Primitive conversion - sink("console.log(" + (remoteString.count != 0 ? "1" : "0") + ")") // GOOD: Primitive conversion + sink("console.log(" + ((try! String(contentsOf: url!)).count != 0 ? 
"1" : "0") + ")") // GOOD: Primitive conversion } func testUIWebView() { let webview = UIWebView() testAsync { string in - _ = await webview.stringByEvaluatingJavaScript(from: string) + _ = await webview.stringByEvaluatingJavaScript(from: string) // BAD [NOT DETECTED] } } @@ -232,7 +232,7 @@ func testWebView() { let webview = WebView() testAsync { string in - _ = await webview.stringByEvaluatingJavaScript(from: string) + _ = await webview.stringByEvaluatingJavaScript(from: string) // BAD [NOT DETECTED] } } @@ -240,22 +240,22 @@ func testWKWebView() { let webview = WKWebView() testAsync { string in - _ = try await webview.evaluateJavaScript(string) + _ = try await webview.evaluateJavaScript(string) // BAD [NOT DETECTED] } testAsync { string in - await webview.evaluateJavaScript(string) { _, _ in } + await webview.evaluateJavaScript(string) { _, _ in } // BAD [NOT DETECTED] } testAsync { string in - await webview.evaluateJavaScript(string, in: nil, in: WKContentWorld.defaultClient) { _ in } + await webview.evaluateJavaScript(string, in: nil, in: WKContentWorld.defaultClient) { _ in } // BAD [NOT DETECTED] } testAsync { string in - _ = try await webview.evaluateJavaScript(string, contentWorld: .defaultClient) + _ = try await webview.evaluateJavaScript(string, contentWorld: .defaultClient) // BAD [NOT DETECTED] } testAsync { string in - await webview.callAsyncJavaScript(string, in: nil, in: .defaultClient) { _ in () } + await webview.callAsyncJavaScript(string, in: nil, in: .defaultClient) { _ in () } // BAD [NOT DETECTED] } testAsync { string in - _ = try await webview.callAsyncJavaScript(string, contentWorld: WKContentWorld.defaultClient) + _ = try await webview.callAsyncJavaScript(string, contentWorld: WKContentWorld.defaultClient) // BAD [NOT DETECTED] } } 
@@ -263,10 +263,10 @@ func testWKUserContentController() {
 let ctrl = WKUserContentController()
 testSync { string in
- ctrl.addUserScript(WKUserScript(source: string, injectionTime: .atDocumentStart, forMainFrameOnly: false))
+ ctrl.addUserScript(WKUserScript(source: string, injectionTime: .atDocumentStart, forMainFrameOnly: false)) // BAD (multiple sources)
 }
 testSync { string in
- ctrl.addUserScript(WKUserScript(source: string, injectionTime: .atDocumentEnd, forMainFrameOnly: true, in: .defaultClient))
+ ctrl.addUserScript(WKUserScript(source: string, injectionTime: .atDocumentEnd, forMainFrameOnly: true, in: .defaultClient)) // BAD (multiple sources)
 }
 }
@@ -274,10 +274,10 @@ func testJSContext() {
 let ctx = JSContext()
 testSync { string in
- _ = ctx.evaluateScript(string)
+ _ = ctx.evaluateScript(string) // BAD (multiple sources)
 }
 testSync { string in
- _ = ctx.evaluateScript(string, withSourceURL: URL(string: "https://example.com"))
+ _ = ctx.evaluateScript(string, withSourceURL: URL(string: "https://example.com")) // BAD (multiple sources)
 }
 }
@@ -288,7 +288,7 @@ func testJSEvaluateScript() {
 defer { JSStringRelease(jsstr) }
 _ = JSEvaluateScript(
 /*ctx:*/ OpaquePointer(bitPattern: 0),
- /*script:*/ jsstr,
+ /*script:*/ jsstr, // BAD (multiple sources)
 /*thisObject:*/ OpaquePointer(bitPattern: 0),
 /*sourceURL:*/ OpaquePointer(bitPattern: 0),
 /*startingLineNumber:*/ 0,
@@ -302,7 +302,7 @@ func testJSEvaluateScript() {
 defer { JSStringRelease(jsstr) }
 _ = JSEvaluateScript(
 /*ctx:*/ OpaquePointer(bitPattern: 0),
- /*script:*/ jsstr,
+ /*script:*/ jsstr, // BAD (multiple sources)
 /*thisObject:*/ OpaquePointer(bitPattern: 0),
 /*sourceURL:*/ OpaquePointer(bitPattern: 0),
 /*startingLineNumber:*/ 0,