mirror of
https://github.com/github/codeql.git
synced 2026-04-23 07:45:17 +02:00
Merge branch 'main' into redsun82/rust-extract-libs
This commit is contained in:
2
.github/workflows/validate-change-notes.yml
vendored
2
.github/workflows/validate-change-notes.yml
vendored
@@ -31,4 +31,4 @@ jobs:
|
||||
- name: Fail if there are any errors with existing change notes
|
||||
|
||||
run: |
|
||||
codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
|
||||
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
|
||||
|
||||
20
MODULE.bazel
20
MODULE.bazel
@@ -239,24 +239,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
|
||||
|
||||
lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
|
||||
lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
|
||||
|
||||
lfs_files(
|
||||
lfs_archive(
|
||||
name = "ripunzip-linux",
|
||||
srcs = ["//misc/ripunzip:ripunzip-linux"],
|
||||
executable = True,
|
||||
src = "//misc/ripunzip:ripunzip-Linux.zip",
|
||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
||||
)
|
||||
|
||||
lfs_files(
|
||||
lfs_archive(
|
||||
name = "ripunzip-windows",
|
||||
srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
|
||||
executable = True,
|
||||
src = "//misc/ripunzip:ripunzip-Windows.zip",
|
||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
||||
)
|
||||
|
||||
lfs_files(
|
||||
lfs_archive(
|
||||
name = "ripunzip-macos",
|
||||
srcs = ["//misc/ripunzip:ripunzip-macos"],
|
||||
executable = True,
|
||||
src = "//misc/ripunzip:ripunzip-macOS.zip",
|
||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
||||
)
|
||||
|
||||
register_toolchains(
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 0.4.11
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.10
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.9
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed performance issues in the parsing of Bash scripts in workflow files,
|
||||
which led to out-of-disk errors when analysing certain workflow files with
|
||||
complex interpolations of shell commands or quoted strings.
|
||||
3
actions/ql/lib/change-notes/released/0.4.10.md
Normal file
3
actions/ql/lib/change-notes/released/0.4.10.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.4.10
|
||||
|
||||
No user-facing changes.
|
||||
3
actions/ql/lib/change-notes/released/0.4.11.md
Normal file
3
actions/ql/lib/change-notes/released/0.4.11.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.4.11
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.9
|
||||
lastReleaseVersion: 0.4.11
|
||||
|
||||
@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
|
||||
string getNormalizedExpression() { result = normalizeExpr(expression) }
|
||||
}
|
||||
|
||||
/** A common class for `env` in workflow, job or step. */
|
||||
abstract class Env extends AstNode instanceof EnvImpl {
|
||||
/** An `env` in workflow, job or step. */
|
||||
class Env extends AstNode instanceof EnvImpl {
|
||||
/** Gets an environment variable value given its name. */
|
||||
ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
|
||||
|
||||
|
||||
@@ -8,35 +8,64 @@ class BashShellScript extends ShellScript {
|
||||
)
|
||||
}
|
||||
|
||||
private string lineProducer(int i) {
|
||||
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
|
||||
/**
|
||||
* Gets the line at 0-based index `lineIndex` within this shell script,
|
||||
* assuming newlines as separators.
|
||||
*/
|
||||
private string lineProducer(int lineIndex) {
|
||||
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
|
||||
}
|
||||
|
||||
private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
|
||||
exists(string line | line = this.lineProducer(k) |
|
||||
exists(int i, int j |
|
||||
cmdSubs =
|
||||
// $() cmd substitution
|
||||
line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
|
||||
.regexpReplaceAll("^\\$\\(", "")
|
||||
.regexpReplaceAll("\\)$", "") and
|
||||
id = "cmdsubs:" + k + ":" + i + ":" + j
|
||||
)
|
||||
or
|
||||
exists(int i, int j |
|
||||
// `...` cmd substitution
|
||||
cmdSubs =
|
||||
line.regexpFind("\\`[^\\`]+\\`", i, j)
|
||||
.regexpReplaceAll("^\\`", "")
|
||||
.regexpReplaceAll("\\`$", "") and
|
||||
id = "cmd:" + k + ":" + i + ":" + j
|
||||
)
|
||||
private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
|
||||
this.commandInSubstitution(lineIndex, command, id)
|
||||
or
|
||||
this.commandInBackticks(lineIndex, command, id)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if there is a command substitution `$(command)` in
|
||||
* the line at `lineIndex` in the shell script,
|
||||
* and `id` is a unique identifier for this command.
|
||||
*/
|
||||
private predicate commandInSubstitution(int lineIndex, string command, string id) {
|
||||
exists(int occurrenceIndex, int occurrenceOffset |
|
||||
command =
|
||||
// Look for the command inside a $(...) command substitution
|
||||
this.lineProducer(lineIndex)
|
||||
.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
|
||||
occurrenceOffset)
|
||||
// trim starting $( - TODO do this in first regex
|
||||
.regexpReplaceAll("^\\$\\(", "")
|
||||
// trim ending ) - TODO do this in first regex
|
||||
.regexpReplaceAll("\\)$", "") and
|
||||
id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
|
||||
)
|
||||
}
|
||||
|
||||
private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
|
||||
old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
|
||||
this.cmdSubstitutionReplacement(old, new, _)
|
||||
/**
|
||||
* Holds if `command` is a command in backticks `` `...` `` in
|
||||
* the line at `lineIndex` in the shell script,
|
||||
* and `id` is a unique identifier for this command.
|
||||
*/
|
||||
private predicate commandInBackticks(int lineIndex, string command, string id) {
|
||||
exists(int occurrenceIndex, int occurrenceOffset |
|
||||
command =
|
||||
this.lineProducer(lineIndex)
|
||||
.regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
|
||||
// trim leading backtick - TODO do this in first regex
|
||||
.regexpReplaceAll("^\\`", "")
|
||||
// trim trailing backtick - TODO do this in first regex
|
||||
.regexpReplaceAll("\\`$", "") and
|
||||
id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
|
||||
)
|
||||
}
|
||||
|
||||
private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
|
||||
// rank commands by their unique IDs
|
||||
commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
|
||||
// since we cannot output (command, ID) tuples from the rank operation,
|
||||
// we need to work out the specific command associated with the resulting ID
|
||||
this.cmdSubstitutionReplacement(command, commandId, _)
|
||||
}
|
||||
|
||||
private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
|
||||
@@ -64,31 +93,56 @@ class BashShellScript extends ShellScript {
|
||||
this.cmdSubstitutionReplacement(result, _, i)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `quotedStr` is a string in double quotes in
|
||||
* the line at `lineIndex` in the shell script,
|
||||
* and `id` is a unique identifier for this quoted string.
|
||||
*/
|
||||
private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
|
||||
exists(int occurrenceIndex, int occurrenceOffset |
|
||||
// double quoted string
|
||||
quotedStr =
|
||||
this.cmdSubstitutedLineProducer(lineIndex)
|
||||
.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
|
||||
id =
|
||||
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
|
||||
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `quotedStr` is a string in single quotes in
|
||||
* the line at `lineIndex` in the shell script,
|
||||
* and `id` is a unique identifier for this quoted string.
|
||||
*/
|
||||
private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
|
||||
exists(int occurrenceIndex, int occurrenceOffset |
|
||||
// single quoted string
|
||||
quotedStr =
|
||||
this.cmdSubstitutedLineProducer(lineIndex)
|
||||
.regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
|
||||
id =
|
||||
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
|
||||
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
|
||||
)
|
||||
}
|
||||
|
||||
private predicate quotedStringReplacement(string quotedStr, string id) {
|
||||
exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
|
||||
exists(int i, int j |
|
||||
// double quoted string
|
||||
quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
|
||||
id =
|
||||
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
|
||||
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
|
||||
)
|
||||
exists(int lineIndex |
|
||||
this.doubleQuotedString(lineIndex, quotedStr, id)
|
||||
or
|
||||
exists(int i, int j |
|
||||
// single quoted string
|
||||
quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
|
||||
id =
|
||||
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
|
||||
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
|
||||
)
|
||||
this.singleQuotedString(lineIndex, quotedStr, id)
|
||||
) and
|
||||
// Only do this for strings that might otherwise disrupt subsequent parsing
|
||||
quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
|
||||
}
|
||||
|
||||
private predicate rankedQuotedStringReplacements(int i, string old, string new) {
|
||||
old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
|
||||
this.quotedStringReplacement(old, new)
|
||||
private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
|
||||
// rank quoted strings by their nearly-unique IDs
|
||||
quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
|
||||
// since we cannot output (string, ID) tuples from the rank operation,
|
||||
// we need to work out the specific string associated with the resulting ID
|
||||
this.quotedStringReplacement(quotedString, quotedStringId)
|
||||
}
|
||||
|
||||
private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.10-dev
|
||||
version: 0.4.12-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,3 +1,13 @@
|
||||
## 0.6.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
|
||||
|
||||
## 0.6.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
|
||||
3
actions/ql/src/change-notes/released/0.6.3.md
Normal file
3
actions/ql/src/change-notes/released/0.6.3.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.6.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.1
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.2-dev
|
||||
version: 0.6.4-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
81
actions/ql/test/query-tests/Security/CWE-094/.github/workflows/interpolation.yml
vendored
Normal file
81
actions/ql/test/query-tests/Security/CWE-094/.github/workflows/interpolation.yml
vendored
Normal file
@@ -0,0 +1,81 @@
|
||||
name: Workflow with complex interpolation
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
choice-a:
|
||||
required: true
|
||||
type: choice
|
||||
description: choice-a
|
||||
default: a1
|
||||
options:
|
||||
- a1
|
||||
- a2
|
||||
- a3
|
||||
string-b:
|
||||
required: false
|
||||
type: string
|
||||
description: string-b
|
||||
string-c:
|
||||
required: false
|
||||
type: string
|
||||
description: string-c
|
||||
list-d:
|
||||
required: true
|
||||
type: string
|
||||
default: d1 d2
|
||||
description: list-d whitespace separated
|
||||
list-e:
|
||||
required: false
|
||||
type: string
|
||||
description: list-e whitespace separated
|
||||
choice-f:
|
||||
required: true
|
||||
type: choice
|
||||
description: choice-f
|
||||
options:
|
||||
- false
|
||||
- true
|
||||
|
||||
env:
|
||||
DRY_TEST: false
|
||||
B: ${{ github.event.inputs.string-b }}
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Produce values
|
||||
id: produce-values
|
||||
run: |
|
||||
echo "region=region" >> $GITHUB_OUTPUT
|
||||
echo "zone=zone" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Step with complex interpolation
|
||||
id: complex
|
||||
env:
|
||||
CHOICE_A: ${{ github.event.inputs.choice-a }}
|
||||
STRING_B: ${{ github.event.inputs.string-b }}
|
||||
STRING_C: ${{ github.event.inputs.string-c }}
|
||||
LIST_D: ${{ github.event.inputs.list-d }}
|
||||
LIST_E: ${{ github.event.inputs.list-e }}
|
||||
CHOICE_F: ${{ github.event.inputs.choice-f }}
|
||||
REGION: ${{ steps.produce-values.outputs.region }}
|
||||
ZONE: ${{ steps.produce-values.outputs.zone }}
|
||||
DRY_TEST_JSON: ${{ fromJSON(env.DRY_TEST) }}
|
||||
FUNCTION_NAME: my-function
|
||||
USER_EMAIL: 'example@example.com'
|
||||
TYPE: type
|
||||
RANGE: '0-100'
|
||||
|
||||
run: |
|
||||
comma_separated_list_d=$(echo "${LIST_D}" | sed "s/ /\",\"/g")
|
||||
comma_separated_list_e=$(echo "${LIST_E}" | sed "s/ /\",\"/g")
|
||||
c1=$(echo "${STRING_C}" | cut -d "-" -f 1)
|
||||
c2=$(echo "${STRING_C}" | cut -d "-" -f 2)
|
||||
# Similar commands that use JSON payloads with string interpolation.
|
||||
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
|
||||
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
|
||||
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
|
||||
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
|
||||
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":["'"${comma_separated_list_e}"'"],"dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
|
||||
shell: bash
|
||||
10
cpp/bulk_generation_targets.yml
Normal file
10
cpp/bulk_generation_targets.yml
Normal file
@@ -0,0 +1,10 @@
|
||||
language: cpp
|
||||
strategy: dca
|
||||
destination: cpp/ql/lib/ext/generated
|
||||
targets:
|
||||
- name: openssl
|
||||
with-sinks: false
|
||||
with-sources: false
|
||||
- name: sqlite
|
||||
with-sinks: false
|
||||
with-sources: false
|
||||
@@ -11,7 +11,7 @@ int getKind(int kind) {
|
||||
if kind = 14
|
||||
then result = 6 // Represent MSFT #import as #include
|
||||
else
|
||||
if kind = 15 or kind = 6
|
||||
if kind = 15 or kind = 16
|
||||
then result = 3 // Represent #elifdef and #elifndef as #elif
|
||||
else result = kind
|
||||
}
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
class BuiltinType extends @builtintype {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
|
||||
where
|
||||
builtintypes(id, name, kind, size, sign, alignment) and
|
||||
if kind = 62 then new_kind = 1 else new_kind = kind
|
||||
select id, name, new_kind, size, sign, alignment
|
||||
2492
cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/old.dbscheme
Normal file
2492
cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/old.dbscheme
Normal file
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,3 @@
|
||||
description: Support __mfp8 type
|
||||
compatibility: backwards
|
||||
builtintypes.rel: run builtintypes.qlo
|
||||
@@ -1,9 +0,0 @@
|
||||
{
|
||||
"strategy": "dca",
|
||||
"language": "cpp",
|
||||
"targets": [
|
||||
{ "name": "openssl", "with-sources": false, "with-sinks": false },
|
||||
{ "name": "sqlite", "with-sources": false, "with-sinks": false }
|
||||
],
|
||||
"destination": "cpp/ql/lib/ext/generated"
|
||||
}
|
||||
@@ -1,3 +1,33 @@
|
||||
## 5.1.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
|
||||
|
||||
## 5.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
|
||||
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
|
||||
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
|
||||
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
|
||||
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
|
||||
* Added support for `wmain` as part of the ArgvSource model.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
|
||||
|
||||
## 4.3.1
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added support for `wmain` as part of the ArgvSource model.
|
||||
@@ -1,9 +0,0 @@
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
|
||||
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
|
||||
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
|
||||
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
|
||||
23
cpp/ql/lib/change-notes/released/5.0.0.md
Normal file
23
cpp/ql/lib/change-notes/released/5.0.0.md
Normal file
@@ -0,0 +1,23 @@
|
||||
## 5.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
|
||||
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
|
||||
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
|
||||
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
|
||||
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
|
||||
* Added support for `wmain` as part of the ArgvSource model.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
|
||||
5
cpp/ql/lib/change-notes/released/5.1.0.md
Normal file
5
cpp/ql/lib/change-notes/released/5.1.0.md
Normal file
@@ -0,0 +1,5 @@
|
||||
## 5.1.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 4.3.1
|
||||
lastReleaseVersion: 5.1.0
|
||||
|
||||
@@ -4,42 +4,15 @@ private import OpenSSLOperationBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
|
||||
private import semmle.code.cpp.dataflow.new.DataFlow
|
||||
|
||||
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(ECKeyGenOperation c | c.getAlgorithmArg() = sink.asExpr())
|
||||
}
|
||||
}
|
||||
|
||||
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
|
||||
|
||||
class ECKeyGenOperation extends OpenSSLOperation, Crypto::KeyGenerationOperationInstance {
|
||||
ECKeyGenOperation() { this.(Call).getTarget().getName() = "EC_KEY_generate_key" }
|
||||
|
||||
override Expr getOutputArg() {
|
||||
result = this.(Call) // return value of call
|
||||
}
|
||||
|
||||
Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }
|
||||
|
||||
override Expr getInputArg() {
|
||||
// there is no 'input', in the sense that no data is being manipulated by the operation.
|
||||
// There is an input of an algorithm, but that is not the intention of the operation input arg.
|
||||
none()
|
||||
}
|
||||
override Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }
|
||||
|
||||
override Crypto::KeyArtifactType getOutputKeyType() { result = Crypto::TAsymmetricKeyType() }
|
||||
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputKeyArtifact() {
|
||||
result = this.getOutputNode()
|
||||
}
|
||||
|
||||
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
|
||||
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
|
||||
DataFlow::exprNode(this.getAlgorithmArg()))
|
||||
result.asExpr() = this.(Call).getArgument(0)
|
||||
}
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
private import experimental.quantum.Language
|
||||
private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
|
||||
private import OpenSSLOperationBase
|
||||
|
||||
module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
|
||||
@@ -34,19 +35,12 @@ Crypto::KeyOperationSubtype intToCipherOperationSubtype(int i) {
|
||||
}
|
||||
|
||||
// TODO: need to add key consumer
|
||||
abstract class EVP_Cipher_Initializer extends Call {
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
abstract class EVP_Cipher_Initializer extends EVPInitialize {
|
||||
override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
|
||||
|
||||
Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
|
||||
|
||||
abstract Expr getKeyArg();
|
||||
|
||||
abstract Expr getIVArg();
|
||||
|
||||
// abstract Crypto::CipherOperationSubtype getCipherOperationSubtype();
|
||||
abstract Expr getOperationSubtypeArg();
|
||||
|
||||
Crypto::KeyOperationSubtype getCipherOperationSubtype() {
|
||||
override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
|
||||
if this.(Call).getTarget().getName().toLowerCase().matches("%encrypt%")
|
||||
then result instanceof Crypto::TEncryptMode
|
||||
else
|
||||
|
||||
@@ -4,36 +4,23 @@ private import EVPCipherInitializer
|
||||
private import OpenSSLOperationBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
|
||||
|
||||
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
|
||||
class EVP_Cipher_Update_Call extends EVPUpdate {
|
||||
EVP_Cipher_Update_Call() {
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
|
||||
]
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(EVP_Cipher_Operation c | c.getAlgorithmArg() = sink.asExpr())
|
||||
}
|
||||
override Expr getInputArg() { result = this.(Call).getArgument(3) }
|
||||
|
||||
override Expr getOutputArg() { result = this.(Call).getArgument(1) }
|
||||
}
|
||||
|
||||
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
|
||||
|
||||
// import experimental.quantum.OpenSSL.AlgorithmValueConsumers.AlgorithmValueConsumers
|
||||
// import OpenSSLOperation
|
||||
// class EVPCipherOutput extends CipherOutputArtifact {
|
||||
// EVPCipherOutput() { exists(EVP_Cipher_Operation op | op.getOutputArg() = this) }
|
||||
// override DataFlow::Node getOutputNode() { result.asDefiningArgument() = this }
|
||||
// }
|
||||
//
|
||||
/**
|
||||
* see: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
|
||||
* Base configuration for all EVP cipher operations.
|
||||
* NOTE: cannot extend instance of OpenSSLOperation, as we need to override
|
||||
* elements of OpenSSLOperation (i.e., we are creating an instance)
|
||||
*/
|
||||
abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
|
||||
Expr getAlgorithmArg() { this.getInitCall().getAlgorithmArg() = result }
|
||||
|
||||
abstract class EVP_Cipher_Operation extends EVPOperation, Crypto::KeyOperationInstance {
|
||||
override Expr getOutputArg() { result = this.(Call).getArgument(1) }
|
||||
|
||||
override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
|
||||
@@ -43,54 +30,35 @@ abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperati
|
||||
result instanceof Crypto::TDecryptMode and
|
||||
this.(Call).getTarget().getName().toLowerCase().matches("%decrypt%")
|
||||
or
|
||||
result = this.getInitCall().getCipherOperationSubtype() and
|
||||
result = this.getInitCall().getKeyOperationSubtype() and
|
||||
this.(Call).getTarget().getName().toLowerCase().matches("%cipher%")
|
||||
}
|
||||
|
||||
EVP_Cipher_Initializer getInitCall() {
|
||||
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
|
||||
}
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getNonceConsumer() {
|
||||
this.getInitCall().getIVArg() = result.asExpr()
|
||||
}
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
|
||||
this.getInitCall().getKeyArg() = result.asExpr()
|
||||
// todo: or track to the EVP_PKEY_CTX_new
|
||||
}
|
||||
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
|
||||
result = EVPOperation.super.getOutputArtifact()
|
||||
}
|
||||
|
||||
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
|
||||
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
|
||||
DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
|
||||
result = EVPOperation.super.getInputConsumer()
|
||||
}
|
||||
}
|
||||
|
||||
class EVP_Cipher_Call extends EVP_Cipher_Operation {
|
||||
class EVP_Cipher_Call extends EVPOperation, EVP_Cipher_Operation {
|
||||
EVP_Cipher_Call() { this.(Call).getTarget().getName() = "EVP_Cipher" }
|
||||
|
||||
override Expr getInputArg() { result = this.(Call).getArgument(2) }
|
||||
}
|
||||
|
||||
// NOTE: not modeled as cipher operations, these are intermediate calls
|
||||
class EVP_Cipher_Update_Call extends Call {
|
||||
EVP_Cipher_Update_Call() {
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
|
||||
]
|
||||
}
|
||||
|
||||
Expr getInputArg() { result = this.(Call).getArgument(3) }
|
||||
|
||||
DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
|
||||
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
}
|
||||
|
||||
class EVP_Cipher_Final_Call extends EVP_Cipher_Operation {
|
||||
class EVP_Cipher_Final_Call extends EVPFinal, EVP_Cipher_Operation {
|
||||
EVP_Cipher_Final_Call() {
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EVP_EncryptFinal_ex", "EVP_DecryptFinal_ex", "EVP_CipherFinal_ex", "EVP_EncryptFinal",
|
||||
@@ -98,26 +66,12 @@ class EVP_Cipher_Final_Call extends EVP_Cipher_Operation {
|
||||
]
|
||||
}
|
||||
|
||||
EVP_Cipher_Update_Call getUpdateCalls() {
|
||||
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
|
||||
/**
|
||||
* Output is both from update calls and from the final call.
|
||||
*/
|
||||
override Expr getOutputArg() {
|
||||
result = EVPFinal.super.getOutputArg()
|
||||
or
|
||||
result = EVP_Cipher_Operation.super.getOutputArg()
|
||||
}
|
||||
|
||||
override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
|
||||
}
|
||||
|
||||
class EVP_PKEY_Operation extends EVP_Cipher_Operation {
|
||||
EVP_PKEY_Operation() {
|
||||
this.(Call).getTarget().getName() in ["EVP_PKEY_decrypt", "EVP_PKEY_encrypt"]
|
||||
}
|
||||
|
||||
override Expr getInputArg() { result = this.(Call).getArgument(3) }
|
||||
// TODO: how PKEY is initialized is different that symmetric cipher
|
||||
// Consider making an entirely new class for this and specializing
|
||||
// the get init call
|
||||
}
|
||||
|
||||
class EVPCipherInputArgument extends Expr {
|
||||
EVPCipherInputArgument() { exists(EVP_Cipher_Operation op | op.getInputArg() = this) }
|
||||
}
|
||||
|
||||
@@ -1,10 +1,7 @@
|
||||
import cpp
|
||||
private import OpenSSLOperationBase
|
||||
|
||||
abstract class EVP_Hash_Initializer extends Call {
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
|
||||
abstract Expr getAlgorithmArg();
|
||||
}
|
||||
abstract class EVP_Hash_Initializer extends EVPInitialize { }
|
||||
|
||||
class EVP_DigestInit_Variant_Calls extends EVP_Hash_Initializer {
|
||||
EVP_DigestInit_Variant_Calls() {
|
||||
|
||||
@@ -8,118 +8,78 @@ private import OpenSSLOperationBase
|
||||
private import EVPHashInitializer
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
|
||||
|
||||
// import EVPHashConsumers
|
||||
abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
class EVP_Digest_Update_Call extends EVPUpdate {
|
||||
EVP_Digest_Update_Call() { this.(Call).getTarget().getName() = "EVP_DigestUpdate" }
|
||||
|
||||
Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
|
||||
|
||||
EVP_Hash_Initializer getInitCall() {
|
||||
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
|
||||
}
|
||||
|
||||
/**
|
||||
* By default, the algorithm value comes from the init call.
|
||||
* There are variants where this isn't true, in which case the
|
||||
* subclass should override this method.
|
||||
*/
|
||||
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
|
||||
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
|
||||
DataFlow::exprNode(this.getAlgorithmArg()))
|
||||
}
|
||||
override Expr getInputArg() { result = this.(Call).getArgument(1) }
|
||||
}
|
||||
|
||||
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(EVP_Hash_Operation c | c.getAlgorithmArg() = sink.asExpr())
|
||||
}
|
||||
}
|
||||
|
||||
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
|
||||
|
||||
//https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
|
||||
class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
|
||||
class EVP_Q_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
|
||||
EVP_Q_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
|
||||
|
||||
//override Crypto::AlgorithmConsumer getAlgorithmConsumer() { }
|
||||
override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
|
||||
|
||||
override EVP_Hash_Initializer getInitCall() {
|
||||
// This variant of digest does not use an init
|
||||
// and even if it were used, the init would be ignored/undefined
|
||||
none()
|
||||
}
|
||||
|
||||
override Expr getOutputArg() { result = this.(Call).getArgument(5) }
|
||||
|
||||
override Expr getInputArg() { result = this.(Call).getArgument(3) }
|
||||
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
|
||||
override Expr getOutputArg() { result = this.(Call).getArgument(5) }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
|
||||
|
||||
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
|
||||
// The operation is a direct algorithm consumer
|
||||
// NOTE: the operation itself is already modeld as a value consumer, so we can
|
||||
// simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest
|
||||
this = result
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
|
||||
result = EVPOperation.super.getOutputArtifact()
|
||||
}
|
||||
|
||||
override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
|
||||
result = EVPOperation.super.getInputConsumer()
|
||||
}
|
||||
}
|
||||
|
||||
class EVP_Digest_Operation extends EVP_Hash_Operation {
|
||||
class EVP_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
|
||||
EVP_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Digest" }
|
||||
|
||||
// There is no context argument for this function
|
||||
override Expr getContextArg() { none() }
|
||||
|
||||
override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }
|
||||
|
||||
override EVP_Hash_Initializer getInitCall() {
|
||||
// This variant of digest does not use an init
|
||||
// and even if it were used, the init would be ignored/undefined
|
||||
none()
|
||||
}
|
||||
|
||||
override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }
|
||||
override Expr getInputArg() { result = this.(Call).getArgument(0) }
|
||||
|
||||
override Expr getOutputArg() { result = this.(Call).getArgument(2) }
|
||||
|
||||
override Expr getInputArg() { result = this.(Call).getArgument(0) }
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
|
||||
result = EVPOperation.super.getOutputArtifact()
|
||||
}
|
||||
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
|
||||
result = EVPOperation.super.getInputConsumer()
|
||||
}
|
||||
}
|
||||
|
||||
// NOTE: not modeled as hash operations, these are intermediate calls
|
||||
class EVP_Digest_Update_Call extends Call {
|
||||
EVP_Digest_Update_Call() { this.(Call).getTarget().getName() in ["EVP_DigestUpdate"] }
|
||||
|
||||
Expr getInputArg() { result = this.(Call).getArgument(1) }
|
||||
|
||||
DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
|
||||
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
}
|
||||
|
||||
class EVP_Digest_Final_Call extends EVP_Hash_Operation {
|
||||
class EVP_Digest_Final_Call extends EVPFinal, Crypto::HashOperationInstance {
|
||||
EVP_Digest_Final_Call() {
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
|
||||
]
|
||||
}
|
||||
|
||||
EVP_Digest_Update_Call getUpdateCalls() {
|
||||
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
|
||||
}
|
||||
|
||||
override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
|
||||
|
||||
override Expr getOutputArg() { result = this.(Call).getArgument(1) }
|
||||
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
|
||||
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
|
||||
result = EVPFinal.super.getOutputArtifact()
|
||||
}
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
|
||||
result = EVPFinal.super.getInputConsumer()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,21 +1,162 @@
|
||||
private import experimental.quantum.Language
|
||||
private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
|
||||
|
||||
/**
|
||||
* A class for all OpenSSL operations.
|
||||
*/
|
||||
abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
|
||||
/**
|
||||
* Expression that specifies the algorithm for the operation.
|
||||
* Will be an argument of the operation in the simplest case.
|
||||
*/
|
||||
abstract Expr getAlgorithmArg();
|
||||
|
||||
/**
|
||||
* Algorithm is specified in initialization call or is implicitly established by the key.
|
||||
*/
|
||||
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
|
||||
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
|
||||
DataFlow::exprNode(this.getAlgorithmArg()))
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A Call to initialization functions from the EVP API.
|
||||
* These are not operations in the sense of Crypto::OperationInstance,
|
||||
* but they are used to initialize the context for the operation.
|
||||
*/
|
||||
abstract class EVPInitialize extends Call {
|
||||
/**
|
||||
* Gets the context argument that ties together initialization, updates and/or final calls.
|
||||
*/
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
|
||||
/**
|
||||
* Gets the type of key operation, none if not applicable.
|
||||
*/
|
||||
Crypto::KeyOperationSubtype getKeyOperationSubtype() { none() }
|
||||
|
||||
/**
|
||||
* Explicitly specified algorithm or none if implicit (e.g., established by the key).
|
||||
* None if not applicable.
|
||||
*/
|
||||
Expr getAlgorithmArg() { none() }
|
||||
|
||||
/**
|
||||
* Gets the key for the operation, none if not applicable.
|
||||
*/
|
||||
Expr getKeyArg() { none() }
|
||||
|
||||
/**
|
||||
* Gets the IV/nonce, none if not applicable.
|
||||
*/
|
||||
Expr getIVArg() { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A Call to update functions from the EVP API.
|
||||
* These are not operations in the sense of Crypto::OperationInstance,
|
||||
* but they are used to update the context for the operation.
|
||||
*/
|
||||
abstract class EVPUpdate extends Call {
|
||||
/**
|
||||
* Gets the context argument that ties together initialization, updates and/or final calls.
|
||||
*/
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
|
||||
/**
|
||||
* Update calls always have some input data like plaintext or message digest.
|
||||
*/
|
||||
abstract Expr getInputArg();
|
||||
|
||||
/**
|
||||
* Can be an argument of a call or a return value of a function.
|
||||
* Update calls sometimes have some output data like a plaintext.
|
||||
*/
|
||||
Expr getOutputArg() { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
* Flows from algorithm values to operations, specific to OpenSSL
|
||||
*/
|
||||
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(EVPOperation c | c.getAlgorithmArg() = sink.asExpr())
|
||||
}
|
||||
}
|
||||
|
||||
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
|
||||
|
||||
/**
|
||||
* The base class for all operations of the EVP API.
|
||||
* This captures one-shot APIs (with and without an initilizer call) and final calls.
|
||||
* Provides some default methods for Crypto::KeyOperationInstance class
|
||||
*/
|
||||
abstract class EVPOperation extends OpenSSLOperation {
|
||||
/**
|
||||
* Gets the context argument that ties together initialization, updates and/or final calls.
|
||||
*/
|
||||
Expr getContextArg() { result = this.(Call).getArgument(0) }
|
||||
|
||||
/**
|
||||
* Some input data like plaintext or message digest.
|
||||
* Either argument provided direcly in the call or all arguments that were provided in update calls.
|
||||
*/
|
||||
abstract Expr getInputArg();
|
||||
|
||||
/**
|
||||
* Some output data like ciphertext or signature.
|
||||
*/
|
||||
abstract Expr getOutputArg();
|
||||
|
||||
DataFlow::Node getInputNode() {
|
||||
// Assumed to be default to asExpr
|
||||
result.asExpr() = this.getInputArg()
|
||||
/**
|
||||
* Overwrite with an explicitly specified algorithm or leave base implementation to find it in the initialization call.
|
||||
*/
|
||||
override Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
|
||||
|
||||
/**
|
||||
* Finds the initialization call, may be none.
|
||||
*/
|
||||
EVPInitialize getInitCall() {
|
||||
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
|
||||
}
|
||||
|
||||
DataFlow::Node getOutputNode() {
|
||||
if exists(Call c | c.getAnArgument() = this)
|
||||
then result.asDefiningArgument() = this
|
||||
else result.asExpr() = this
|
||||
Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
|
||||
result = DataFlow::exprNode(this.getOutputArg())
|
||||
}
|
||||
|
||||
/**
|
||||
* Input consumer is the input argument of the call.
|
||||
*/
|
||||
Crypto::ConsumerInputDataFlowNode getInputConsumer() {
|
||||
result = DataFlow::exprNode(this.getInputArg())
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The final calls of the EVP API.
|
||||
*/
|
||||
abstract class EVPFinal extends EVPOperation {
|
||||
/**
|
||||
* All update calls that were executed before this final call.
|
||||
*/
|
||||
EVPUpdate getUpdateCalls() {
|
||||
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the input data provided to all update calls.
|
||||
* If more input data was provided in the final call, override the method.
|
||||
*/
|
||||
override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
|
||||
|
||||
/**
|
||||
* Gets the output data provided to all update calls.
|
||||
* If more output data was provided in the final call, override the method.
|
||||
*/
|
||||
override Expr getOutputArg() { result = this.getUpdateCalls().getOutputArg() }
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 4.3.2-dev
|
||||
version: 5.1.1-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -174,7 +174,27 @@ class UsingDeclarationEntry extends UsingEntry {
|
||||
*/
|
||||
Declaration getDeclaration() { usings(underlyingElement(this), unresolveElement(result), _, _) }
|
||||
|
||||
override string toString() { result = "using " + this.getDeclaration().getDescription() }
|
||||
/**
|
||||
* Gets the member that is referenced by this using declaration, where the member depends on a
|
||||
* type template parameter.
|
||||
*
|
||||
* For example:
|
||||
* ```
|
||||
* template <typename T>
|
||||
* class A {
|
||||
* using T::m;
|
||||
* };
|
||||
* ```
|
||||
* Here, `getReferencedMember()` yields the member `m` of `T`. Observe that,
|
||||
* as `T` is not instantiated, `m` is represented by a `Literal` and not
|
||||
* a `Declaration`.
|
||||
*/
|
||||
Literal getReferencedMember() { usings(underlyingElement(this), unresolveElement(result), _, _) }
|
||||
|
||||
override string toString() {
|
||||
result = "using " + this.getDeclaration().getDescription() or
|
||||
result = "using " + this.getReferencedMember()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -839,6 +839,9 @@ private predicate floatingPointTypeMapping(
|
||||
or
|
||||
// _Complex _Float128
|
||||
kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
|
||||
or
|
||||
// __mfp8
|
||||
kind = 62 and base = 2 and domain = TRealDomain() and realKind = 62 and extended = false
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -691,6 +691,7 @@ case @builtintype.kind of
|
||||
| 59 = @complex_std_float64 // _Complex _Float64
|
||||
| 60 = @complex_float64x // _Complex _Float64x
|
||||
| 61 = @complex_std_float128 // _Complex _Float128
|
||||
| 62 = @mfp8 // __mfp8
|
||||
;
|
||||
|
||||
builtintypes(
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,2 @@
|
||||
description: Support __mfp8 type
|
||||
compatibility: full
|
||||
@@ -1,3 +1,13 @@
|
||||
## 1.4.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.4.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
|
||||
|
||||
## 1.4.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
|
||||
## 1.4.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
|
||||
3
cpp/ql/src/change-notes/released/1.4.2.md
Normal file
3
cpp/ql/src/change-notes/released/1.4.2.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 1.4.2
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.4.0
|
||||
lastReleaseVersion: 1.4.2
|
||||
|
||||
@@ -98,8 +98,8 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
|
||||
e.(FunctionCall).getTarget() = f or
|
||||
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
|
||||
) and
|
||||
access = f.getParameter(arg).getAnAccess() and
|
||||
e.(FunctionCall).getArgument(arg) = released and
|
||||
access = f.getParameter(pragma[only_bind_into](arg)).getAnAccess() and
|
||||
e.(FunctionCall).getArgument(pragma[only_bind_into](arg)) = released and
|
||||
exprReleases(_,
|
||||
pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
|
||||
)
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.4.1-dev
|
||||
version: 1.4.3-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -324,7 +324,7 @@ Conversion3.cpp:
|
||||
# 2| getExpr(): [CStyleCast] (int)...
|
||||
# 2| Conversion = [IntegralConversion] integral conversion
|
||||
# 2| Type = [IntType] int
|
||||
# 2| Value = [CStyleCast] 1
|
||||
# 2| Value = [CStyleCast] 5
|
||||
# 2| ValueCategory = prvalue
|
||||
# 2| getRightOperand().getFullyConverted(): [ParenthesisExpr] (...)
|
||||
# 2| Type = [IntType] int
|
||||
|
||||
@@ -1,8 +1,16 @@
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:124:13:124:30 | Digest | openssl_basic.c:116:38:116:47 | HashAlgorithm | openssl_basic.c:120:37:120:43 | Message |
|
||||
| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:13:144:22 | Digest | openssl_basic.c:144:67:144:73 | HashAlgorithm | openssl_basic.c:144:24:144:30 | Message |
|
||||
| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:124:39:124:44 | Digest | openssl_basic.c:116:38:116:47 | HashAlgorithm | openssl_basic.c:120:37:120:43 | Message |
|
||||
| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:46:144:51 | Digest | openssl_basic.c:144:67:144:73 | HashAlgorithm | openssl_basic.c:144:24:144:30 | Message |
|
||||
|
||||
@@ -9,3 +9,6 @@
|
||||
| multi.c:5:27:5:36 | // Multi 3 | declaration of multi3 |
|
||||
| templates.cpp:3:3:3:8 | // Foo | declaration of foo |
|
||||
| templates.cpp:7:3:7:8 | // Bar | definition of bar |
|
||||
| templates.cpp:16:3:16:20 | // using T::member | using member |
|
||||
| templates.cpp:19:3:19:28 | // using T::nested::member | using member |
|
||||
| templates.cpp:25:3:25:20 | // using T::member | using member |
|
||||
|
||||
@@ -10,3 +10,18 @@ class Cl {
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
template <typename T>
|
||||
class Derived : public T {
|
||||
// using T::member
|
||||
using T::member;
|
||||
|
||||
// using T::nested::member
|
||||
using T::nested::member;
|
||||
};
|
||||
|
||||
template <typename T>
|
||||
class Base {
|
||||
// using T::member
|
||||
using T::member;
|
||||
};
|
||||
@@ -1,2 +1,2 @@
|
||||
| Bar::(unnamed namespace)::B | Bar::<unnamed>::B |
|
||||
| Foo::(unnamed namespace)::A | _ZN3Foo37_GLOBAL__N__13_funcdname_cpp_?AEv |
|
||||
| Foo::(unnamed namespace)::A | _ZN35_INTERNAL_13_funcdname_cpp_?Foo37_GLOBAL__N__13_funcdname_cpp_?AEv |
|
||||
|
||||
@@ -2,4 +2,8 @@ import cpp
|
||||
|
||||
from Function f, ReturnStmt r
|
||||
where r.getEnclosingFunction() = f
|
||||
select f.getQualifiedName(), r.getExpr().getValue().regexpReplaceAll("_[0-9a-f]+AEv$", "_?AEv")
|
||||
select f.getQualifiedName(),
|
||||
r.getExpr()
|
||||
.getValue()
|
||||
.regexpReplaceAll("_[0-9a-f]+AEv$", "_?AEv")
|
||||
.regexpReplaceAll("cpp_[0-9a-f]+Foo37_", "cpp_?Foo37_")
|
||||
|
||||
@@ -58,6 +58,77 @@
|
||||
#-----| Type = [LongType] unsigned long
|
||||
#-----| getParameter(1): [Parameter] (unnamed parameter 1)
|
||||
#-----| Type = [ScopedEnum] align_val_t
|
||||
arm.cpp:
|
||||
# 6| [TopLevelFunction] uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
|
||||
# 6| <params>:
|
||||
# 6| getParameter(0): [Parameter] a
|
||||
# 6| Type = [CTypedefType] uint8x8_t
|
||||
# 6| getParameter(1): [Parameter] b
|
||||
# 6| Type = [CTypedefType] uint8x8_t
|
||||
# 6| getEntryPoint(): [BlockStmt] { ... }
|
||||
# 7| getStmt(0): [ReturnStmt] return ...
|
||||
# 7| getExpr(): [AddExpr] ... + ...
|
||||
# 7| Type = [GNUVectorType] __attribute((neon_vector_type(8))) unsigned char
|
||||
# 7| ValueCategory = prvalue
|
||||
# 7| getLeftOperand(): [VariableAccess] a
|
||||
# 7| Type = [CTypedefType] uint8x8_t
|
||||
# 7| ValueCategory = prvalue(load)
|
||||
# 7| getRightOperand(): [VariableAccess] b
|
||||
# 7| Type = [CTypedefType] uint8x8_t
|
||||
# 7| ValueCategory = prvalue(load)
|
||||
# 12| [TopLevelFunction] uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t)
|
||||
# 12| <params>:
|
||||
# 12| getParameter(0): [Parameter] (unnamed parameter 0)
|
||||
# 12| Type = [CTypedefType] uint8x8_t
|
||||
# 12| getParameter(1): [Parameter] (unnamed parameter 1)
|
||||
# 12| Type = [CTypedefType] uint8x8_t
|
||||
# 14| [TopLevelFunction] uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
|
||||
# 14| <params>:
|
||||
# 14| getParameter(0): [Parameter] a
|
||||
# 14| Type = [CTypedefType] uint8x8_t
|
||||
# 14| getParameter(1): [Parameter] b
|
||||
# 14| Type = [CTypedefType] uint8x8_t
|
||||
# 14| getEntryPoint(): [BlockStmt] { ... }
|
||||
# 15| getStmt(0): [ReturnStmt] return ...
|
||||
# 15| getExpr(): [FunctionCall] call to __builtin_aarch64_uaddlv8qi_uuu
|
||||
# 15| Type = [CTypedefType] uint16x8_t
|
||||
# 15| ValueCategory = prvalue
|
||||
# 15| getArgument(0): [VariableAccess] a
|
||||
# 15| Type = [CTypedefType] uint8x8_t
|
||||
# 15| ValueCategory = prvalue(load)
|
||||
# 15| getArgument(1): [VariableAccess] b
|
||||
# 15| Type = [CTypedefType] uint8x8_t
|
||||
# 15| ValueCategory = prvalue(load)
|
||||
# 18| [TopLevelFunction] uint16x8_t arm_add(uint8x8_t, uint8x8_t)
|
||||
# 18| <params>:
|
||||
# 18| getParameter(0): [Parameter] a
|
||||
# 18| Type = [CTypedefType] uint8x8_t
|
||||
# 18| getParameter(1): [Parameter] b
|
||||
# 18| Type = [CTypedefType] uint8x8_t
|
||||
# 18| getEntryPoint(): [BlockStmt] { ... }
|
||||
# 19| getStmt(0): [DeclStmt] declaration
|
||||
# 19| getDeclarationEntry(0): [VariableDeclarationEntry] definition of c
|
||||
# 19| Type = [CTypedefType] uint8x8_t
|
||||
# 19| getVariable().getInitializer(): [Initializer] initializer for c
|
||||
# 19| getExpr(): [FunctionCall] call to vadd_u8
|
||||
# 19| Type = [CTypedefType] uint8x8_t
|
||||
# 19| ValueCategory = prvalue
|
||||
# 19| getArgument(0): [VariableAccess] a
|
||||
# 19| Type = [CTypedefType] uint8x8_t
|
||||
# 19| ValueCategory = prvalue(load)
|
||||
# 19| getArgument(1): [VariableAccess] b
|
||||
# 19| Type = [CTypedefType] uint8x8_t
|
||||
# 19| ValueCategory = prvalue(load)
|
||||
# 20| getStmt(1): [ReturnStmt] return ...
|
||||
# 20| getExpr(): [FunctionCall] call to vaddl_u8
|
||||
# 20| Type = [CTypedefType] uint16x8_t
|
||||
# 20| ValueCategory = prvalue
|
||||
# 20| getArgument(0): [VariableAccess] a
|
||||
# 20| Type = [CTypedefType] uint8x8_t
|
||||
# 20| ValueCategory = prvalue(load)
|
||||
# 20| getArgument(1): [VariableAccess] c
|
||||
# 20| Type = [CTypedefType] uint8x8_t
|
||||
# 20| ValueCategory = prvalue(load)
|
||||
bad_asts.cpp:
|
||||
# 5| [CopyAssignmentOperator] Bad::S& Bad::S::operator=(Bad::S const&)
|
||||
# 5| <params>:
|
||||
@@ -23814,11 +23885,11 @@ ir.cpp:
|
||||
# 2692| Conversion = [IntegralConversion] integral conversion
|
||||
# 2692| Type = [LongType] unsigned long
|
||||
# 2692| ValueCategory = prvalue
|
||||
#-----| getExpr().getFullyConverted(): [CStyleCast] (int)...
|
||||
#-----| Conversion = [IntegralConversion] integral conversion
|
||||
#-----| Type = [IntType] int
|
||||
#-----| Value = [CStyleCast] 1
|
||||
#-----| ValueCategory = prvalue
|
||||
# 2692| getExpr().getFullyConverted(): [CStyleCast] (int)...
|
||||
# 2692| Conversion = [IntegralConversion] integral conversion
|
||||
# 2692| Type = [IntType] int
|
||||
# 2692| Value = [CStyleCast] 1
|
||||
# 2692| ValueCategory = prvalue
|
||||
# 2693| getStmt(1): [ReturnStmt] return ...
|
||||
# 2693| getExpr(): [VariableAccess] y
|
||||
# 2693| Type = [IntType] int
|
||||
|
||||
@@ -1,3 +1,86 @@
|
||||
arm.cpp:
|
||||
# 6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
|
||||
# 6| Block 0
|
||||
# 6| v6_1(void) = EnterFunction :
|
||||
# 6| m6_2(unknown) = AliasedDefinition :
|
||||
# 6| m6_3(unknown) = InitializeNonLocal :
|
||||
# 6| m6_4(unknown) = Chi : total:m6_2, partial:m6_3
|
||||
# 6| r6_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 6| m6_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r6_5
|
||||
# 6| r6_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 6| m6_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r6_7
|
||||
# 7| r7_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
|
||||
# 7| r7_2(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 7| r7_3(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r7_2, m6_6
|
||||
# 7| r7_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 7| r7_5(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r7_4, m6_8
|
||||
# 7| r7_6(__attribute((neon_vector_type(8))) unsigned char) = Add : r7_3, r7_5
|
||||
# 7| m7_7(__attribute((neon_vector_type(8))) unsigned char) = Store[#return] : &:r7_1, r7_6
|
||||
# 6| r6_9(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
|
||||
# 6| v6_10(void) = ReturnValue : &:r6_9, m7_7
|
||||
# 6| v6_11(void) = AliasedUse : m6_3
|
||||
# 6| v6_12(void) = ExitFunction :
|
||||
|
||||
# 14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
|
||||
# 14| Block 0
|
||||
# 14| v14_1(void) = EnterFunction :
|
||||
# 14| m14_2(unknown) = AliasedDefinition :
|
||||
# 14| m14_3(unknown) = InitializeNonLocal :
|
||||
# 14| m14_4(unknown) = Chi : total:m14_2, partial:m14_3
|
||||
# 14| r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 14| m14_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r14_5
|
||||
# 14| r14_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 14| m14_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r14_7
|
||||
# 15| r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
|
||||
# 15| r15_2(glval<unknown>) = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] :
|
||||
# 15| r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 15| r15_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r15_3, m14_6
|
||||
# 15| r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 15| r15_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r15_5, m14_8
|
||||
# 15| r15_7(__attribute((neon_vector_type(8))) unsigned short) = Call[__builtin_aarch64_uaddlv8qi_uuu] : func:r15_2, 0:r15_4, 1:r15_6
|
||||
# 15| m15_8(unknown) = ^CallSideEffect : ~m14_4
|
||||
# 15| m15_9(unknown) = Chi : total:m14_4, partial:m15_8
|
||||
# 15| m15_10(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r15_1, r15_7
|
||||
# 14| r14_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
|
||||
# 14| v14_10(void) = ReturnValue : &:r14_9, m15_10
|
||||
# 14| v14_11(void) = AliasedUse : ~m15_9
|
||||
# 14| v14_12(void) = ExitFunction :
|
||||
|
||||
# 18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
|
||||
# 18| Block 0
|
||||
# 18| v18_1(void) = EnterFunction :
|
||||
# 18| m18_2(unknown) = AliasedDefinition :
|
||||
# 18| m18_3(unknown) = InitializeNonLocal :
|
||||
# 18| m18_4(unknown) = Chi : total:m18_2, partial:m18_3
|
||||
# 18| r18_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 18| m18_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r18_5
|
||||
# 18| r18_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 18| m18_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r18_7
|
||||
# 19| r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
|
||||
# 19| r19_2(glval<unknown>) = FunctionAddress[vadd_u8] :
|
||||
# 19| r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 19| r19_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r19_3, m18_6
|
||||
# 19| r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 19| r19_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r19_5, m18_8
|
||||
# 19| r19_7(__attribute((neon_vector_type(8))) unsigned char) = Call[vadd_u8] : func:r19_2, 0:r19_4, 1:r19_6
|
||||
# 19| m19_8(unknown) = ^CallSideEffect : ~m18_4
|
||||
# 19| m19_9(unknown) = Chi : total:m18_4, partial:m19_8
|
||||
# 19| m19_10(__attribute((neon_vector_type(8))) unsigned char) = Store[c] : &:r19_1, r19_7
|
||||
# 20| r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
|
||||
# 20| r20_2(glval<unknown>) = FunctionAddress[vaddl_u8] :
|
||||
# 20| r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 20| r20_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r20_3, m18_6
|
||||
# 20| r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
|
||||
# 20| r20_6(__attribute((neon_vector_type(8))) unsigned char) = Load[c] : &:r20_5, m19_10
|
||||
# 20| r20_7(__attribute((neon_vector_type(8))) unsigned short) = Call[vaddl_u8] : func:r20_2, 0:r20_4, 1:r20_6
|
||||
# 20| m20_8(unknown) = ^CallSideEffect : ~m19_9
|
||||
# 20| m20_9(unknown) = Chi : total:m19_9, partial:m20_8
|
||||
# 20| m20_10(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r20_1, r20_7
|
||||
# 18| r18_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
|
||||
# 18| v18_10(void) = ReturnValue : &:r18_9, m20_10
|
||||
# 18| v18_11(void) = AliasedUse : ~m20_9
|
||||
# 18| v18_12(void) = ExitFunction :
|
||||
|
||||
bad_asts.cpp:
|
||||
# 9| int Bad::S::MemberFunction<int 6>(int)
|
||||
# 9| Block 0
|
||||
@@ -19457,11 +19540,11 @@ ir.cpp:
|
||||
# 2691| m2691_3(unknown) = InitializeNonLocal :
|
||||
# 2691| m2691_4(unknown) = Chi : total:m2691_2, partial:m2691_3
|
||||
# 2692| r2692_1(glval<int>) = VariableAddress[y] :
|
||||
#-----| r0_1(int) = Constant[1] :
|
||||
#-----| m0_2(int) = Store[y] : &:r2692_1, r0_1
|
||||
# 2692| r2692_2(int) = Constant[1] :
|
||||
# 2692| m2692_3(int) = Store[y] : &:r2692_1, r2692_2
|
||||
# 2693| r2693_1(glval<int>) = VariableAddress[#return] :
|
||||
# 2693| r2693_2(glval<int>) = VariableAddress[y] :
|
||||
# 2693| r2693_3(int) = Load[y] : &:r2693_2, m0_2
|
||||
# 2693| r2693_3(int) = Load[y] : &:r2693_2, m2692_3
|
||||
# 2693| m2693_4(int) = Store[#return] : &:r2693_1, r2693_3
|
||||
# 2691| r2691_5(glval<int>) = VariableAddress[#return] :
|
||||
# 2691| v2691_6(void) = ReturnValue : &:r2691_5, m2693_4
|
||||
|
||||
21
cpp/ql/test/library-tests/ir/ir/arm.cpp
Normal file
21
cpp/ql/test/library-tests/ir/ir/arm.cpp
Normal file
@@ -0,0 +1,21 @@
|
||||
// semmle-extractor-options: --edg --target --edg linux_arm64
|
||||
|
||||
typedef __Uint8x8_t uint8x8_t;
|
||||
typedef __Uint16x8_t uint16x8_t;
|
||||
|
||||
uint8x8_t vadd_u8(uint8x8_t a, uint8x8_t b) {
|
||||
return a + b;
|
||||
}
|
||||
|
||||
// Workaround: the frontend only exposes this when the arm_neon.h
|
||||
// header is encountered.
|
||||
uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t);
|
||||
|
||||
uint16x8_t vaddl_u8(uint8x8_t a, uint8x8_t b) {
|
||||
return __builtin_aarch64_uaddlv8qi_uuu (a, b);
|
||||
}
|
||||
|
||||
uint16x8_t arm_add(uint8x8_t a, uint8x8_t b) {
|
||||
uint8x8_t c = vadd_u8(a, b);
|
||||
return vaddl_u8(a, c);
|
||||
}
|
||||
@@ -1,3 +1,80 @@
|
||||
arm.cpp:
|
||||
# 6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
|
||||
# 6| Block 0
|
||||
# 6| v6_1(void) = EnterFunction :
|
||||
# 6| mu6_2(unknown) = AliasedDefinition :
|
||||
# 6| mu6_3(unknown) = InitializeNonLocal :
|
||||
# 6| r6_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 6| mu6_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r6_4
|
||||
# 6| r6_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 6| mu6_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r6_6
|
||||
# 7| r7_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
|
||||
# 7| r7_2(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 7| r7_3(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r7_2, ~m?
|
||||
# 7| r7_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 7| r7_5(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r7_4, ~m?
|
||||
# 7| r7_6(__attribute((neon_vector_type(8))) unsigned char) = Add : r7_3, r7_5
|
||||
# 7| mu7_7(__attribute((neon_vector_type(8))) unsigned char) = Store[#return] : &:r7_1, r7_6
|
||||
# 6| r6_8(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
|
||||
# 6| v6_9(void) = ReturnValue : &:r6_8, ~m?
|
||||
# 6| v6_10(void) = AliasedUse : ~m?
|
||||
# 6| v6_11(void) = ExitFunction :
|
||||
|
||||
# 14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
|
||||
# 14| Block 0
|
||||
# 14| v14_1(void) = EnterFunction :
|
||||
# 14| mu14_2(unknown) = AliasedDefinition :
|
||||
# 14| mu14_3(unknown) = InitializeNonLocal :
|
||||
# 14| r14_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 14| mu14_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r14_4
|
||||
# 14| r14_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 14| mu14_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r14_6
|
||||
# 15| r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
|
||||
# 15| r15_2(glval<unknown>) = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] :
|
||||
# 15| r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 15| r15_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r15_3, ~m?
|
||||
# 15| r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 15| r15_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r15_5, ~m?
|
||||
# 15| r15_7(__attribute((neon_vector_type(8))) unsigned short) = Call[__builtin_aarch64_uaddlv8qi_uuu] : func:r15_2, 0:r15_4, 1:r15_6
|
||||
# 15| mu15_8(unknown) = ^CallSideEffect : ~m?
|
||||
# 15| mu15_9(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r15_1, r15_7
|
||||
# 14| r14_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
|
||||
# 14| v14_9(void) = ReturnValue : &:r14_8, ~m?
|
||||
# 14| v14_10(void) = AliasedUse : ~m?
|
||||
# 14| v14_11(void) = ExitFunction :
|
||||
|
||||
# 18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
|
||||
# 18| Block 0
|
||||
# 18| v18_1(void) = EnterFunction :
|
||||
# 18| mu18_2(unknown) = AliasedDefinition :
|
||||
# 18| mu18_3(unknown) = InitializeNonLocal :
|
||||
# 18| r18_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 18| mu18_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r18_4
|
||||
# 18| r18_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 18| mu18_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r18_6
|
||||
# 19| r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
|
||||
# 19| r19_2(glval<unknown>) = FunctionAddress[vadd_u8] :
|
||||
# 19| r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 19| r19_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r19_3, ~m?
|
||||
# 19| r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
|
||||
# 19| r19_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r19_5, ~m?
|
||||
# 19| r19_7(__attribute((neon_vector_type(8))) unsigned char) = Call[vadd_u8] : func:r19_2, 0:r19_4, 1:r19_6
|
||||
# 19| mu19_8(unknown) = ^CallSideEffect : ~m?
|
||||
# 19| mu19_9(__attribute((neon_vector_type(8))) unsigned char) = Store[c] : &:r19_1, r19_7
|
||||
# 20| r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
|
||||
# 20| r20_2(glval<unknown>) = FunctionAddress[vaddl_u8] :
|
||||
# 20| r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
|
||||
# 20| r20_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r20_3, ~m?
|
||||
# 20| r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
|
||||
# 20| r20_6(__attribute((neon_vector_type(8))) unsigned char) = Load[c] : &:r20_5, ~m?
|
||||
# 20| r20_7(__attribute((neon_vector_type(8))) unsigned short) = Call[vaddl_u8] : func:r20_2, 0:r20_4, 1:r20_6
|
||||
# 20| mu20_8(unknown) = ^CallSideEffect : ~m?
|
||||
# 20| mu20_9(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r20_1, r20_7
|
||||
# 18| r18_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
|
||||
# 18| v18_9(void) = ReturnValue : &:r18_8, ~m?
|
||||
# 18| v18_10(void) = AliasedUse : ~m?
|
||||
# 18| v18_11(void) = ExitFunction :
|
||||
|
||||
bad_asts.cpp:
|
||||
# 9| int Bad::S::MemberFunction<int 6>(int)
|
||||
# 9| Block 0
|
||||
@@ -17775,8 +17852,8 @@ ir.cpp:
|
||||
# 2691| mu2691_2(unknown) = AliasedDefinition :
|
||||
# 2691| mu2691_3(unknown) = InitializeNonLocal :
|
||||
# 2692| r2692_1(glval<int>) = VariableAddress[y] :
|
||||
#-----| r0_1(int) = Constant[1] :
|
||||
#-----| mu0_2(int) = Store[y] : &:r2692_1, r0_1
|
||||
# 2692| r2692_2(int) = Constant[1] :
|
||||
# 2692| mu2692_3(int) = Store[y] : &:r2692_1, r2692_2
|
||||
# 2693| r2693_1(glval<int>) = VariableAddress[#return] :
|
||||
# 2693| r2693_2(glval<int>) = VariableAddress[y] :
|
||||
# 2693| r2693_3(int) = Load[y] : &:r2693_2, ~m?
|
||||
|
||||
@@ -1011,10 +1011,10 @@ void test_overflow() {
|
||||
range(x); // $ range===2147483647
|
||||
const int y = 256;
|
||||
range(y); // $ range===256
|
||||
if ((x + y) <= 512) {
|
||||
if ((x + y) <= 512) { // $ overflow=+
|
||||
range(x); // $ range===2147483647
|
||||
range(y); // $ range===256
|
||||
range(x + y); // $ range===-2147483393
|
||||
range(x + y); // $ range=<=2147483903 overflow=+
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,4 +1,10 @@
|
||||
uniqueEnclosingCallable
|
||||
| builtin.c:14:3:14:16 | ... * ... | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:14:3:14:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:14:10:14:10 | 4 | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:15:3:15:16 | ... * ... | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:15:3:15:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:15:10:15:10 | 4 | Node should have one enclosing callable but has 0. |
|
||||
| enum.c:2:6:2:6 | 1 | Node should have one enclosing callable but has 0. |
|
||||
| enum.c:2:6:2:10 | ... + ... | Node should have one enclosing callable but has 0. |
|
||||
| enum.c:2:10:2:10 | 1 | Node should have one enclosing callable but has 0. |
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:5:25:5:25 | 1 | 1 |
|
||||
| test.cpp:3:8:3:8 | C<2> | 0 | int | file://:0:0:0:0 | 2 | 2 |
|
||||
| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:6:3:6:6 | one1 | 1 |
|
||||
| test.cpp:3:8:3:8 | C<2> | 0 | int | test.cpp:7:3:7:13 | ... + ... | 2 |
|
||||
| test.cpp:3:8:3:8 | C<x> | 0 | int | file://:0:0:0:0 | x | x |
|
||||
| test.cpp:10:8:10:8 | D<T, X> | 0 | <none> | test.cpp:9:19:9:19 | T | <none> |
|
||||
| test.cpp:10:8:10:8 | D<T, X> | 1 | T | file://:0:0:0:0 | X | X |
|
||||
| test.cpp:10:8:10:8 | D<int, 2> | 0 | <none> | file://:0:0:0:0 | int | <none> |
|
||||
| test.cpp:10:8:10:8 | D<int, 2> | 1 | int | test.cpp:12:8:12:8 | 2 | 2 |
|
||||
| test.cpp:10:8:10:8 | D<long, 2L> | 0 | <none> | file://:0:0:0:0 | long | <none> |
|
||||
| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | file://:0:0:0:0 | 2 | 2 |
|
||||
| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | test.cpp:13:9:13:9 | 2 | 2 |
|
||||
| test.cpp:16:8:16:8 | E<T, X> | 0 | <none> | test.cpp:15:19:15:19 | T | <none> |
|
||||
| test.cpp:16:8:16:8 | E<T, X> | 1 | T * | file://:0:0:0:0 | X | X |
|
||||
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 0 | <none> | file://:0:0:0:0 | int | <none> |
|
||||
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | file://:0:0:0:0 | 0 | 0 |
|
||||
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | test.cpp:18:8:18:14 | 0 | 0 |
|
||||
|
||||
@@ -25,6 +25,7 @@
|
||||
| file://:0:0:0:0 | __float128 |
|
||||
| file://:0:0:0:0 | __fp16 |
|
||||
| file://:0:0:0:0 | __int128 |
|
||||
| file://:0:0:0:0 | __mfp8 |
|
||||
| file://:0:0:0:0 | __va_list_tag |
|
||||
| file://:0:0:0:0 | __va_list_tag & |
|
||||
| file://:0:0:0:0 | __va_list_tag && |
|
||||
|
||||
@@ -46,6 +46,7 @@
|
||||
| file://:0:0:0:0 | __float128 | 16 |
|
||||
| file://:0:0:0:0 | __fp16 | 2 |
|
||||
| file://:0:0:0:0 | __int128 | 16 |
|
||||
| file://:0:0:0:0 | __mfp8 | 1 |
|
||||
| file://:0:0:0:0 | __va_list_tag | 24 |
|
||||
| file://:0:0:0:0 | __va_list_tag & | 8 |
|
||||
| file://:0:0:0:0 | __va_list_tag && | 8 |
|
||||
|
||||
@@ -27,6 +27,7 @@
|
||||
| file://:0:0:0:0 | __float128 | __float128 |
|
||||
| file://:0:0:0:0 | __fp16 | __fp16 |
|
||||
| file://:0:0:0:0 | __int128 | __int128 |
|
||||
| file://:0:0:0:0 | __mfp8 | __mfp8 |
|
||||
| file://:0:0:0:0 | __va_list_tag & | __va_list_tag & |
|
||||
| file://:0:0:0:0 | __va_list_tag && | __va_list_tag && |
|
||||
| file://:0:0:0:0 | auto | auto |
|
||||
|
||||
@@ -26,6 +26,7 @@
|
||||
| __float128 | Float128Type | | | | |
|
||||
| __fp16 | BinaryFloatingPointType, RealNumberType | | | | |
|
||||
| __int128 | Int128Type | | | | |
|
||||
| __mfp8 | BinaryFloatingPointType, RealNumberType | | | | |
|
||||
| __va_list_tag | DirectAccessHolder, MetricClass, Struct, StructLikeClass | | | | |
|
||||
| __va_list_tag & | LValueReferenceType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | __va_list_tag | | |
|
||||
| __va_list_tag && | PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, RValueReferenceType | | __va_list_tag | | |
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 1.7.42
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.41
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.40
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.41
|
||||
|
||||
No user-facing changes.
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.42
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.40
|
||||
lastReleaseVersion: 1.7.42
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.41-dev
|
||||
version: 1.7.43-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 1.7.42
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.41
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.40
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.41
|
||||
|
||||
No user-facing changes.
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.42
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.40
|
||||
lastReleaseVersion: 1.7.42
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.41-dev
|
||||
version: 1.7.43-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -11,6 +11,7 @@ ql/csharp/ql/src/Likely Bugs/EqualityCheckOnFloats.ql
|
||||
ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
|
||||
ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
|
||||
ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
|
||||
ql/csharp/ql/src/Performance/StringConcatenationInLoop.ql
|
||||
ql/csharp/ql/src/Performance/UseTryGetValue.ql
|
||||
ql/csharp/ql/src/Useless code/DefaultToString.ql
|
||||
ql/csharp/ql/src/Useless code/IntGetHashCode.ql
|
||||
|
||||
@@ -1,3 +1,13 @@
|
||||
## 5.1.8
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 5.1.7
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
|
||||
|
||||
## 5.1.6
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 5.1.7
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
|
||||
3
csharp/ql/lib/change-notes/released/5.1.8.md
Normal file
3
csharp/ql/lib/change-notes/released/5.1.8.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 5.1.8
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 5.1.6
|
||||
lastReleaseVersion: 5.1.8
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 5.1.7-dev
|
||||
version: 5.1.9-dev
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -1,3 +1,16 @@
|
||||
## 1.2.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.2.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
|
||||
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
|
||||
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
|
||||
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
|
||||
|
||||
## 1.2.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @id cs/string-concatenation-in-loop
|
||||
* @tags efficiency
|
||||
* maintainability
|
||||
* quality
|
||||
*/
|
||||
|
||||
import csharp
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
|
||||
8
csharp/ql/src/change-notes/released/1.2.1.md
Normal file
8
csharp/ql/src/change-notes/released/1.2.1.md
Normal file
@@ -0,0 +1,8 @@
|
||||
## 1.2.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
|
||||
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
|
||||
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
|
||||
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
|
||||
3
csharp/ql/src/change-notes/released/1.2.2.md
Normal file
3
csharp/ql/src/change-notes/released/1.2.2.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 1.2.2
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.2.0
|
||||
lastReleaseVersion: 1.2.2
|
||||
|
||||
@@ -1,4 +1,143 @@
|
||||
- description: Security-and-quality queries for C#
|
||||
- queries: .
|
||||
- apply: security-and-quality-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
- include:
|
||||
kind:
|
||||
- problem
|
||||
- path-problem
|
||||
precision:
|
||||
- high
|
||||
- very-high
|
||||
tags contain:
|
||||
- security
|
||||
- include:
|
||||
kind:
|
||||
- problem
|
||||
- path-problem
|
||||
precision: medium
|
||||
problem.severity:
|
||||
- error
|
||||
- warning
|
||||
tags contain:
|
||||
- security
|
||||
- include:
|
||||
id:
|
||||
- cs/asp/response-write
|
||||
- cs/call-to-gc
|
||||
- cs/call-to-object-tostring
|
||||
- cs/call-to-obsolete-method
|
||||
- cs/call-to-unmanaged-code
|
||||
- cs/cast-from-abstract-to-concrete-collection
|
||||
- cs/cast-of-this-to-type-parameter
|
||||
- cs/catch-nullreferenceexception
|
||||
- cs/catch-of-all-exceptions
|
||||
- cs/chained-type-tests
|
||||
- cs/class-implements-icloneable
|
||||
- cs/class-missing-equals
|
||||
- cs/class-name-comparison
|
||||
- cs/class-name-matches-base-class
|
||||
- cs/coalesce-of-identical-expressions
|
||||
- cs/comparison-of-identical-expressions
|
||||
- cs/complex-block
|
||||
- cs/complex-condition
|
||||
- cs/constant-comparison
|
||||
- cs/constant-condition
|
||||
- cs/coupled-types
|
||||
- cs/dereferenced-value-is-always-null
|
||||
- cs/dereferenced-value-may-be-null
|
||||
- cs/dispose-not-called-on-throw
|
||||
- cs/downcast-of-this
|
||||
- cs/empty-block
|
||||
- cs/empty-catch-block
|
||||
- cs/empty-collection
|
||||
- cs/empty-lock-statement
|
||||
- cs/equality-on-floats
|
||||
- cs/equals-on-arrays
|
||||
- cs/equals-on-unrelated-types
|
||||
- cs/equals-uses-as
|
||||
- cs/equals-uses-is
|
||||
- cs/expose-implementation
|
||||
- cs/field-masks-base-field
|
||||
- cs/gethashcode-is-not-defined
|
||||
- cs/impossible-array-cast
|
||||
- cs/inconsistent-compareto-and-equals
|
||||
- cs/inconsistent-equals-and-gethashcode
|
||||
- cs/inconsistent-lock-sequence
|
||||
- cs/index-out-of-bounds
|
||||
- cs/inefficient-containskey
|
||||
- cs/invalid-dynamic-call
|
||||
- cs/invalid-string-formatting
|
||||
- cs/linq/inconsistent-enumeration
|
||||
- cs/linq/missed-all
|
||||
- cs/linq/missed-cast
|
||||
- cs/linq/missed-oftype
|
||||
- cs/linq/missed-select
|
||||
- cs/linq/missed-where
|
||||
- cs/linq/useless-select
|
||||
- cs/local-not-disposed
|
||||
- cs/local-shadows-member
|
||||
- cs/lock-this
|
||||
- cs/locked-wait
|
||||
- cs/loss-of-precision
|
||||
- cs/mishandling-japanese-era
|
||||
- cs/misleading-indentation
|
||||
- cs/missed-readonly-modifier
|
||||
- cs/missed-ternary-operator
|
||||
- cs/missed-using-statement
|
||||
- cs/nested-if-statements
|
||||
- cs/nested-loops-with-same-variable
|
||||
- cs/non-short-circuit
|
||||
- cs/null-argument-to-equals
|
||||
- cs/path-combine
|
||||
- cs/recursive-equals-call
|
||||
- cs/recursive-operator-equals-call
|
||||
- cs/reference-equality-on-valuetypes
|
||||
- cs/reference-equality-with-object
|
||||
- cs/rethrown-exception-variable
|
||||
- cs/self-assignment
|
||||
- cs/simplifiable-boolean-expression
|
||||
- cs/static-field-written-by-instance
|
||||
- cs/string-concatenation-in-loop
|
||||
- cs/stringbuilder-creation-in-loop
|
||||
- cs/stringbuilder-initialized-with-character
|
||||
- cs/test-for-negative-container-size
|
||||
- cs/too-many-ref-parameters
|
||||
- cs/type-test-of-this
|
||||
- cs/unchecked-cast-in-equals
|
||||
- cs/unmanaged-code
|
||||
- cs/unsafe-double-checked-lock
|
||||
- cs/unsafe-sync-on-field
|
||||
- cs/unsafe-year-construction
|
||||
- cs/unsynchronized-getter
|
||||
- cs/unsynchronized-static-access
|
||||
- cs/unused-collection
|
||||
- cs/unused-label
|
||||
- cs/unused-property-value
|
||||
- cs/useless-assignment-to-local
|
||||
- cs/useless-cast-to-self
|
||||
- cs/useless-gethashcode-call
|
||||
- cs/useless-if-statement
|
||||
- cs/useless-tostring-call
|
||||
- cs/useless-type-test
|
||||
- cs/useless-upcast
|
||||
- cs/virtual-call-in-constructor
|
||||
- cs/wrong-compareto-signature
|
||||
- cs/wrong-equals-signature
|
||||
- cs/xmldoc/missing-summary
|
||||
- include:
|
||||
kind:
|
||||
- diagnostic
|
||||
- include:
|
||||
kind:
|
||||
- metric
|
||||
tags contain:
|
||||
- summary
|
||||
- exclude:
|
||||
deprecated: //
|
||||
- exclude:
|
||||
query path:
|
||||
- /^experimental\/.*/
|
||||
- Metrics/Summaries/FrameworkCoverage.ql
|
||||
- exclude:
|
||||
tags contain:
|
||||
- modeleditor
|
||||
- modelgenerator
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 1.2.1-dev
|
||||
version: 1.2.3-dev
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -0,0 +1,187 @@
|
||||
.. _codeql-cli-2.21.4:
|
||||
|
||||
==========================
|
||||
CodeQL 2.21.4 (2025-06-02)
|
||||
==========================
|
||||
|
||||
.. contents:: Contents
|
||||
:depth: 2
|
||||
:local:
|
||||
:backlinks: none
|
||||
|
||||
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
|
||||
|
||||
Security Coverage
|
||||
-----------------
|
||||
|
||||
CodeQL 2.21.4 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE).
|
||||
|
||||
CodeQL CLI
|
||||
----------
|
||||
|
||||
Deprecations
|
||||
~~~~~~~~~~~~
|
||||
|
||||
* The :code:`clang_vector_types`, :code:`clang_attributes`, and :code:`flax-vector-conversions` command line options have been removed from the C/C++ extractor. These options were introduced as workarounds to frontend limitations in earlier versions of the extractor and are no longer needed when calling the extractor directly.
|
||||
|
||||
Miscellaneous
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
* The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.7.
|
||||
|
||||
Query Packs
|
||||
-----------
|
||||
|
||||
Minor Analysis Improvements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
C/C++
|
||||
"""""
|
||||
|
||||
* Added flow model for the :code:`SQLite` and :code:`OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
|
||||
|
||||
C#
|
||||
""
|
||||
|
||||
* The precision of the query :code:`cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
|
||||
* The queries :code:`cs/password-in-configuration`, :code:`cs/hardcoded-credentials` and :code:`cs/hardcoded-connection-string-credentials` have been removed from all query suites.
|
||||
* The precision of the query :code:`cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant :code:`e1.Equals(e2)` implies :code:`e1.GetHashCode() == e2.GetHashCode()` are taken into account.
|
||||
* The precision of the query :code:`cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to :code:`System.Text.CompositeFormat.Parse` are now considered a format like method call.
|
||||
|
||||
Golang
|
||||
""""""
|
||||
|
||||
* The query :code:`go/hardcoded-credentials` has been removed from all query suites.
|
||||
|
||||
Java/Kotlin
|
||||
"""""""""""
|
||||
|
||||
* The query :code:`java/hardcoded-credential-api-call` has been removed from all query suites.
|
||||
|
||||
JavaScript/TypeScript
|
||||
"""""""""""""""""""""
|
||||
|
||||
* The queries :code:`js/hardcoded-credentials` and :code:`js/password-in-configuration-file` have been removed from all query suites.
|
||||
|
||||
Python
|
||||
""""""
|
||||
|
||||
* The query :code:`py/hardcoded-credentials` has been removed from all query suites.
|
||||
|
||||
Ruby
|
||||
""""
|
||||
|
||||
* The query :code:`rb/hardcoded-credentials` has been removed from all query suites.
|
||||
|
||||
Swift
|
||||
"""""
|
||||
|
||||
* The queries :code:`swift/hardcoded-key` and :code:`swift/constant-password` have been removed from all query suites.
|
||||
|
||||
GitHub Actions
|
||||
""""""""""""""
|
||||
|
||||
* The query :code:`actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions :code:`deploy-pages`, :code:`delete-package-versions`, :code:`ai-inference`. This should lead to better alert messages and better fix suggestions.
|
||||
|
||||
Language Libraries
|
||||
------------------
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
C/C++
|
||||
"""""
|
||||
|
||||
* Fixed a problem where :code:`asExpr()` on :code:`DataFlow::Node` would never return :code:`ArrayAggregateLiteral`\ s.
|
||||
* Fixed a problem where :code:`asExpr()` on :code:`DataFlow::Node` would never return :code:`ClassAggregateLiteral`\ s.
|
||||
|
||||
Ruby
|
||||
""""
|
||||
|
||||
* Bug Fixes
|
||||
* The Ruby printAst.qll library now orders AST nodes slightly differently: child nodes that do not literally appear in the source code, but whose parent nodes do, are assigned a deterministic order based on a combination of source location and logical order within the parent. This fixes the non-deterministic ordering that sometimes occurred depending on evaluation order. The effect may also be visible in downstream uses of the printAst library, such as the AST view in the VSCode extension.
|
||||
|
||||
Breaking Changes
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
C/C++
|
||||
"""""
|
||||
|
||||
* Deleted the deprecated :code:`userInputArgument` predicate and its convenience accessor from the :code:`Security.qll`.
|
||||
* Deleted the deprecated :code:`userInputReturned` predicate and its convenience accessor from the :code:`Security.qll`.
|
||||
* Deleted the deprecated :code:`userInputReturn` predicate from the :code:`Security.qll`.
|
||||
* Deleted the deprecated :code:`isUserInput` predicate and its convenience accessor from the :code:`Security.qll`.
|
||||
* Deleted the deprecated :code:`userInputArgument` predicate from the :code:`SecurityOptions.qll`.
|
||||
* Deleted the deprecated :code:`userInputReturned` predicate from the :code:`SecurityOptions.qll`.
|
||||
|
||||
Swift
|
||||
"""""
|
||||
|
||||
* Deleted the deprecated :code:`parseContent` predicate from the :code:`ExternalFlow.qll`.
|
||||
* Deleted the deprecated :code:`hasLocationInfo` predicate from the :code:`DataFlowPublic.qll`.
|
||||
* Deleted the deprecated :code:`SummaryComponent` class from the :code:`FlowSummary.qll`.
|
||||
* Deleted the deprecated :code:`SummaryComponentStack` class from the :code:`FlowSummary.qll`.
|
||||
* Deleted the deprecated :code:`SummaryComponent` module from the :code:`FlowSummary.qll`.
|
||||
* Deleted the deprecated :code:`SummaryComponentStack` module from the :code:`FlowSummary.qll`.
|
||||
* Deleted the deprecated :code:`RequiredSummaryComponentStack` class from the :code:`FlowSummary.qll`.
|
||||
|
||||
Minor Analysis Improvements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
C#
|
||||
""
|
||||
|
||||
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
|
||||
|
||||
JavaScript/TypeScript
|
||||
"""""""""""""""""""""
|
||||
|
||||
* Improved analysis for :code:`ES6 classes` mixed with :code:`function prototypes`, leading to more accurate call graph resolution.
|
||||
|
||||
Python
|
||||
""""""
|
||||
|
||||
* The Python extractor now extracts files in hidden directories by default. If you would like to skip files in hidden directories, add :code:`paths-ignore: ["**/.*/**"]` to your `Code Scanning config <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan>`__. If you would like to skip all hidden files, you can use :code:`paths-ignore: ["**/.*"]`. When using the CodeQL CLI for extraction, specify the configuration (creating the configuration file if necessary) using the :code:`--codescanning-config` option.
|
||||
|
||||
Ruby
|
||||
""""
|
||||
|
||||
* Captured variables are currently considered live when the capturing function exits normally. Now they are also considered live when the capturing function exits via an exception.
|
||||
|
||||
Swift
|
||||
"""""
|
||||
|
||||
* Updated to allow analysis of Swift 6.1.1.
|
||||
* :code:`TypeValueExpr` experimental AST leaf is now implemented in the control flow library
|
||||
|
||||
Deprecated APIs
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
Java/Kotlin
|
||||
"""""""""""
|
||||
|
||||
* The predicate :code:`getValue()` on :code:`SpringRequestMappingMethod` is now deprecated. Use :code:`getAValue()` instead.
|
||||
* Java now uses the shared :code:`BasicBlock` library. This means that the names of several member predicates have been changed to align with the names used in other languages. The old predicates have been deprecated. The :code:`BasicBlock` class itself no longer extends :code:`ControlFlowNode` - the predicate :code:`getFirstNode` can be used to fix any QL code that somehow relied on this.
|
||||
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
C/C++
|
||||
"""""
|
||||
|
||||
* Added local flow source models for :code:`ReadFile`, :code:`ReadFileEx`, :code:`MapViewOfFile`, :code:`MapViewOfFile2`, :code:`MapViewOfFile3`, :code:`MapViewOfFile3FromApp`, :code:`MapViewOfFileEx`, :code:`MapViewOfFileFromApp`, :code:`MapViewOfFileNuma2`, and :code:`NtReadFile`.
|
||||
* Added the :code:`pCmdLine` arguments of :code:`WinMain` and :code:`wWinMain` as local flow sources.
|
||||
* Added source models for :code:`GetCommandLineA`, :code:`GetCommandLineW`, :code:`GetEnvironmentStringsA`, :code:`GetEnvironmentStringsW`, :code:`GetEnvironmentVariableA`, and :code:`GetEnvironmentVariableW`.
|
||||
* Added summary models for :code:`CommandLineToArgvA` and :code:`CommandLineToArgvW`.
|
||||
* Added support for :code:`wmain` as part of the ArgvSource model.
|
||||
|
||||
Shared Libraries
|
||||
----------------
|
||||
|
||||
Breaking Changes
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
Static Single Assignment (SSA)
|
||||
""""""""""""""""""""""""""""""
|
||||
|
||||
* Adjusted the Guards interface in the SSA data flow integration to distinguish :code:`hasBranchEdge` from :code:`controlsBranchEdge`. Any breakage can be fixed by implementing one with the other as a reasonable fallback solution.
|
||||
@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
codeql-cli-2.21.4
|
||||
codeql-cli-2.21.3
|
||||
codeql-cli-2.21.2
|
||||
codeql-cli-2.21.1
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user