Upgrade CI toolchain to CodeQL 2.4.0

Also reformat code (the autoformatter has changed slightly)
2026-05-03 20:58:03 +02:00 · 2020-12-07 12:35:07 +00:00
parent a794e05c74
commit 563f74bd45
10 changed files with 51 additions and 32 deletions
--- a/.github/workflows/codeqltest.yml
+++ b/.github/workflows/codeqltest.yml
@@ -20,7 +20,7 @@ jobs:
        echo "Done"
        cd $HOME
        echo "Downloading CodeQL CLI..."
-        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.3.1/codeql.zip -L -o codeql.zip
+        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.4.0/codeql.zip -L -o codeql.zip
        echo "Done"
        echo "Unpacking CodeQL CLI..."
        unzip -q codeql.zip
@@ -65,7 +65,7 @@ jobs:
        echo "Done"
        cd $HOME
        echo "Downloading CodeQL CLI..."
-        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.3.1/codeql.zip -L -o codeql.zip
+        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.4.0/codeql.zip -L -o codeql.zip
        echo "Done"
        echo "Unpacking CodeQL CLI..."
        unzip -q codeql.zip
@@ -98,7 +98,7 @@ jobs:
        echo "Done"
        cd "$HOME"
        echo "Downloading CodeQL CLI..."
-        Invoke-WebRequest -Uri https://github.com/github/codeql-cli-binaries/releases/download/v2.3.1/codeql.zip -OutFile codeql.zip
+        Invoke-WebRequest -Uri https://github.com/github/codeql-cli-binaries/releases/download/v2.4.0/codeql.zip -OutFile codeql.zip
        echo "Done"
        echo "Unpacking CodeQL CLI..."
        Expand-Archive codeql.zip -DestinationPath $HOME
--- a/ql/src/Security/CWE-327/InsecureTLS.ql
+++ b/ql/src/Security/CWE-327/InsecureTLS.ql
@@ -167,9 +167,11 @@ class TlsInsecureCipherSuitesFlowConfig extends TaintTracking::Configuration {
    exists(DataFlow::ValueEntity val |
      val.hasQualifiedName("crypto/tls", suiteName) and
      suiteName =
-        ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"]
+        [
+          "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
+          "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+          "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+        ]
    |
      source = val.getARead()
    )
--- a/ql/src/semmle/go/Architectures.qll
+++ b/ql/src/semmle/go/Architectures.qll
@@ -14,12 +14,15 @@ class Architecture extends string {
  int bitSize;

  Architecture() {
-    this in ["386", "amd64p32", "arm", "armbe", "mips", "mipsle", "mips64p32", "mips64p32le", "ppc",
-          "s390", "sparc"] and
+    this in [
+        "386", "amd64p32", "arm", "armbe", "mips", "mipsle", "mips64p32", "mips64p32le", "ppc",
+        "s390", "sparc"
+      ] and
    bitSize = 32
    or
-    this in ["amd64", "arm64", "arm64be", "ppc64", "ppc64le", "mips64", "mips64le", "s390x",
-          "sparc64"] and
+    this in [
+        "amd64", "arm64", "arm64be", "ppc64", "ppc64le", "mips64", "mips64le", "s390x", "sparc64"
+      ] and
    bitSize = 64
  }

--- a/ql/src/semmle/go/frameworks/Echo.qll
+++ b/ql/src/semmle/go/frameworks/Echo.qll
@@ -17,8 +17,10 @@ private module Echo {
    EchoContextSource() {
      exists(DataFlow::MethodCallNode call, string methodName |
        methodName =
-          ["Param", "ParamValues", "QueryParam", "QueryParams", "QueryString", "FormValue",
-              "FormParams", "FormFile", "MultipartForm", "Cookie", "Cookies"] and
+          [
+            "Param", "ParamValues", "QueryParam", "QueryParams", "QueryString", "FormValue",
+            "FormParams", "FormFile", "MultipartForm", "Cookie", "Cookies"
+          ] and
        call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and
        this = call.getResult(0)
      )
--- a/ql/src/semmle/go/frameworks/HTTP.qll
+++ b/ql/src/semmle/go/frameworks/HTTP.qll
@@ -15,8 +15,10 @@ private module GoRestfulHttp {
    GoRestfulSourceMethod() {
      this
          .hasQualifiedName(package("github.com/emicklei/go-restful", ""), "Request",
-            ["QueryParameters", "QueryParameter", "BodyParameter", "HeaderParameter",
-                "PathParameter", "PathParameters"])
+            [
+              "QueryParameters", "QueryParameter", "BodyParameter", "HeaderParameter",
+              "PathParameter", "PathParameters"
+            ])
    }
  }

--- a/ql/src/semmle/go/frameworks/Revel.qll
+++ b/ql/src/semmle/go/frameworks/Revel.qll
@@ -53,8 +53,9 @@ module Revel {
      exists(string fieldName |
        this.getField().hasQualifiedName(packagePath(), "Request", fieldName)
      |
-        fieldName in ["Header", "ContentType", "AcceptLanguages", "Locale", "URL", "Form",
-              "MultipartForm"]
+        fieldName in [
+            "Header", "ContentType", "AcceptLanguages", "Locale", "URL", "Form", "MultipartForm"
+          ]
      )
    }
  }
@@ -65,9 +66,10 @@ module Revel {
      this
          .getTarget()
          .hasQualifiedName(packagePath(), "Request",
-            ["FormValue", "PostFormValue", "GetQuery", "GetForm", "GetMultipartForm", "GetBody",
-                "Cookie", "GetHttpHeader", "GetRequestURI", "MultipartReader", "Referer",
-                "UserAgent"])
+            [
+              "FormValue", "PostFormValue", "GetQuery", "GetForm", "GetMultipartForm", "GetBody",
+              "Cookie", "GetHttpHeader", "GetRequestURI", "MultipartReader", "Referer", "UserAgent"
+            ])
    }
  }

--- a/ql/src/semmle/go/frameworks/SQL.qll
+++ b/ql/src/semmle/go/frameworks/SQL.qll
@@ -195,8 +195,10 @@ module SQL {
        meth.hasQualifiedName(package, "DB", name) and
        this = meth.getACall().getArgument(0) and
        package = Gorm::packagePath() and
-        name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having",
-              "Joins", "Exec", "Distinct", "Pluck"]
+        name in [
+            "Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins",
+            "Exec", "Distinct", "Pluck"
+          ]
      )
    }
  }
--- a/ql/src/semmle/go/frameworks/Testing.qll
+++ b/ql/src/semmle/go/frameworks/Testing.qll
@@ -75,11 +75,13 @@ module TestFile {
        is.getPath() = pkg and
        is.getFile() = this
      |
-        pkg in ["gen/thrifttest", "github.com/golang/mock/gomock", "github.com/onsi/ginkgo",
-              "github.com/onsi/gomega", "github.com/stretchr/testify/assert",
-              "github.com/stretchr/testify/http", "github.com/stretchr/testify/mock",
-              "github.com/stretchr/testify/require", "github.com/stretchr/testify/suite",
-              "gotest.tools/assert", "k8s.io/client-go/testing", "net/http/httptest", "testing"]
+        pkg in [
+            "gen/thrifttest", "github.com/golang/mock/gomock", "github.com/onsi/ginkgo",
+            "github.com/onsi/gomega", "github.com/stretchr/testify/assert",
+            "github.com/stretchr/testify/http", "github.com/stretchr/testify/mock",
+            "github.com/stretchr/testify/require", "github.com/stretchr/testify/suite",
+            "gotest.tools/assert", "k8s.io/client-go/testing", "net/http/httptest", "testing"
+          ]
      )
    }
  }
--- a/ql/src/semmle/go/frameworks/XNetHtml.qll
+++ b/ql/src/semmle/go/frameworks/XNetHtml.qll
@@ -27,8 +27,10 @@ module XNetHtml {

    override predicate hasTaintFlow(DataFlow::FunctionInput input, DataFlow::FunctionOutput output) {
      getName() =
-        ["UnescapeString", "Parse", "ParseFragment", "ParseFragmentWithOptions", "ParseWithOptions",
-            "NewTokenizer", "NewTokenizerFragment"] and
+        [
+          "UnescapeString", "Parse", "ParseFragment", "ParseFragmentWithOptions",
+          "ParseWithOptions", "NewTokenizer", "NewTokenizerFragment"
+        ] and
      input.isParameter(0) and
      output.isResult(0)
      or
--- a/ql/src/semmle/go/security/ExternalAPIs.qll
+++ b/ql/src/semmle/go/security/ExternalAPIs.qll
@@ -17,8 +17,9 @@ private import Logrus
 abstract class SafeExternalAPIFunction extends Function { }

 private predicate isDefaultSafePackage(Package package) {
-  package.getPath() in ["time", "unicode/utf8",
-        package("http://gopkg.in/go-playground/validator", "")]
+  package.getPath() in [
+      "time", "unicode/utf8", package("http://gopkg.in/go-playground/validator", "")
+    ]
 }

 /** The default set of "safe" external APIs. */
@@ -126,8 +127,9 @@ Package getAPackageWithModels() {
  result = getAPackageWithFunctionModels()
  or
  // An incomplete list of packages which have been modelled but do not have any function models
-  result.getPath() in [Logrus::packagePath(), GolangOrgXNetWebsocket::packagePath(),
-        GorillaWebsocket::packagePath()]
+  result.getPath() in [
+      Logrus::packagePath(), GolangOrgXNetWebsocket::packagePath(), GorillaWebsocket::packagePath()
+    ]
 }

 /** Holds if `n` is a sink for XSS, SQL injection or request forgery. */