Merge branch 'main' into redsun82/rust-extract-libs

This commit is contained in:
Paolo Tranquilli
2025-06-11 12:13:10 +02:00
committed by GitHub
1140 changed files with 32121 additions and 10849 deletions


@@ -31,4 +31,4 @@ jobs:
- name: Fail if there are any errors with existing change notes
run: |
codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
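Review bot: The new `--groups` value reads `...,shared,swift -examples,-test,-experimental`, with a space instead of a comma before `-examples`, whereas the line it replaces had `ruby,-examples`; if that space is really in the file and not a rendering artifact, `-examples,-test,-experimental` is passed to `codeql pack release` as a separate argument and the exclusion of example, test and experimental packs silently drops out of the group filter. The line should read `codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift,-examples,-test,-experimental`. The step's `run:` block continues outside the hunk.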


@@ -239,24 +239,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
go_deps.from_file(go_mod = "//go/extractor:go.mod")
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
lfs_files(
lfs_archive(
name = "ripunzip-linux",
srcs = ["//misc/ripunzip:ripunzip-linux"],
executable = True,
src = "//misc/ripunzip:ripunzip-Linux.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
lfs_files(
lfs_archive(
name = "ripunzip-windows",
srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
executable = True,
src = "//misc/ripunzip:ripunzip-Windows.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
lfs_files(
lfs_archive(
name = "ripunzip-macos",
srcs = ["//misc/ripunzip:ripunzip-macos"],
executable = True,
src = "//misc/ripunzip:ripunzip-macOS.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
register_toolchains(


@@ -1,3 +1,11 @@
## 0.4.11
No user-facing changes.
## 0.4.10
No user-facing changes.
## 0.4.9
No user-facing changes.


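--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Fixed performance issues in the parsing of Bash scripts in workflow files,
+which led to out-of-disk errors when analysing certain workflow files with
+complex interpolations of shell commands or quoted strings.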


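--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,3 @@
+## 0.4.10
+No user-facing changes.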


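--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,3 @@
+## 0.4.11
+No user-facing changes.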


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.9
lastReleaseVersion: 0.4.11


@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
string getNormalizedExpression() { result = normalizeExpr(expression) }
}
/** A common class for `env` in workflow, job or step. */
abstract class Env extends AstNode instanceof EnvImpl {
/** An `env` in workflow, job or step. */
class Env extends AstNode instanceof EnvImpl {
/** Gets an environment variable value given its name. */
ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }


@@ -8,35 +8,64 @@ class BashShellScript extends ShellScript {
)
}
private string lineProducer(int i) {
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
/**
* Gets the line at 0-based index `lineIndex` within this shell script,
* assuming newlines as separators.
*/
private string lineProducer(int lineIndex) {
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
}
private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
exists(string line | line = this.lineProducer(k) |
exists(int i, int j |
cmdSubs =
// $() cmd substitution
line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
.regexpReplaceAll("^\\$\\(", "")
.regexpReplaceAll("\\)$", "") and
id = "cmdsubs:" + k + ":" + i + ":" + j
)
or
exists(int i, int j |
// `...` cmd substitution
cmdSubs =
line.regexpFind("\\`[^\\`]+\\`", i, j)
.regexpReplaceAll("^\\`", "")
.regexpReplaceAll("\\`$", "") and
id = "cmd:" + k + ":" + i + ":" + j
)
private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
this.commandInSubstitution(lineIndex, command, id)
or
this.commandInBackticks(lineIndex, command, id)
}
/**
* Holds if there is a command substitution `$(command)` in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this command.
*/
private predicate commandInSubstitution(int lineIndex, string command, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
command =
// Look for the command inside a $(...) command substitution
this.lineProducer(lineIndex)
.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
occurrenceOffset)
// trim starting $( - TODO do this in first regex
.regexpReplaceAll("^\\$\\(", "")
// trim ending ) - TODO do this in first regex
.regexpReplaceAll("\\)$", "") and
id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
)
}
private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
this.cmdSubstitutionReplacement(old, new, _)
/**
* Holds if `command` is a command in backticks `` `...` `` in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this command.
*/
private predicate commandInBackticks(int lineIndex, string command, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
command =
this.lineProducer(lineIndex)
.regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
// trim leading backtick - TODO do this in first regex
.regexpReplaceAll("^\\`", "")
// trim trailing backtick - TODO do this in first regex
.regexpReplaceAll("\\`$", "") and
id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
)
}
private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
// rank commands by their unique IDs
commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
// since we cannot output (command, ID) tuples from the rank operation,
// we need to work out the specific command associated with the resulting ID
this.cmdSubstitutionReplacement(command, commandId, _)
}
private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -64,31 +93,56 @@ class BashShellScript extends ShellScript {
this.cmdSubstitutionReplacement(result, _, i)
}
/**
* Holds if `quotedStr` is a string in double quotes in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this quoted string.
*/
private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
// double quoted string
quotedStr =
this.cmdSubstitutedLineProducer(lineIndex)
.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
id =
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
}
/**
* Holds if `quotedStr` is a string in single quotes in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this quoted string.
*/
private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
// single quoted string
quotedStr =
this.cmdSubstitutedLineProducer(lineIndex)
.regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
id =
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
}
private predicate quotedStringReplacement(string quotedStr, string id) {
exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
exists(int i, int j |
// double quoted string
quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
id =
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
exists(int lineIndex |
this.doubleQuotedString(lineIndex, quotedStr, id)
or
exists(int i, int j |
// single quoted string
quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
id =
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
this.singleQuotedString(lineIndex, quotedStr, id)
) and
// Only do this for strings that might otherwise disrupt subsequent parsing
quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
}
private predicate rankedQuotedStringReplacements(int i, string old, string new) {
old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
this.quotedStringReplacement(old, new)
private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
// rank quoted strings by their nearly-unique IDs
quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
// since we cannot output (string, ID) tuples from the rank operation,
// we need to work out the specific string associated with the resulting ID
this.quotedStringReplacement(quotedString, quotedStringId)
}
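Review bot: The `$(...)` pattern in `commandInSubstitution`, `"\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)"`, only matches parentheses nested up to two levels inside the substitution, so a deeper `$( ... ( ... ( ... ) ... ) ... )` is silently not treated as a command substitution; the QLDoc above the predicate should say so, e.g. ` * Only parentheses nested up to two levels inside the `$(...)` are matched; deeper nesting is ignored.` Separately, `rankedCmdSubstitutionReplacements` and `rankedQuotedStringReplacements` now rank by the id string, and string ranking is lexical, so `cmdsubs:10:0:0` sorts before `cmdsubs:2:0:0`; that is fine when only a deterministic replacement order is needed, but the `// rank commands by their unique IDs` comment would be clearer as `// rank commands by their unique IDs (lexical order, not source order)`. `doReplaceCmdSubstitutions` and `doReplaceQuotedStrings` begin at the hunk edges and their bodies are outside the view.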
private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {


@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.10-dev
version: 0.4.12-dev
library: true
warnOnImplicitThis: true
dependencies:


@@ -1,3 +1,13 @@
## 0.6.3
No user-facing changes.
## 0.6.2
### Minor Analysis Improvements
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
## 0.6.1
No user-facing changes.


@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 0.6.2
### Minor Analysis Improvements
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.


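--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,3 @@
+## 0.6.3
+No user-facing changes.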


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.1
lastReleaseVersion: 0.6.3


@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.2-dev
version: 0.6.4-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]


@@ -0,0 +1,81 @@
name: Workflow with complex interpolation
on:
workflow_dispatch:
inputs:
choice-a:
required: true
type: choice
description: choice-a
default: a1
options:
- a1
- a2
- a3
string-b:
required: false
type: string
description: string-b
string-c:
required: false
type: string
description: string-c
list-d:
required: true
type: string
default: d1 d2
description: list-d whitespace separated
list-e:
required: false
type: string
description: list-e whitespace separated
choice-f:
required: true
type: choice
description: choice-f
options:
- false
- true
env:
DRY_TEST: false
B: ${{ github.event.inputs.string-b }}
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Produce values
id: produce-values
run: |
echo "region=region" >> $GITHUB_OUTPUT
echo "zone=zone" >> $GITHUB_OUTPUT
- name: Step with complex interpolation
id: complex
env:
CHOICE_A: ${{ github.event.inputs.choice-a }}
STRING_B: ${{ github.event.inputs.string-b }}
STRING_C: ${{ github.event.inputs.string-c }}
LIST_D: ${{ github.event.inputs.list-d }}
LIST_E: ${{ github.event.inputs.list-e }}
CHOICE_F: ${{ github.event.inputs.choice-f }}
REGION: ${{ steps.produce-values.outputs.region }}
ZONE: ${{ steps.produce-values.outputs.zone }}
DRY_TEST_JSON: ${{ fromJSON(env.DRY_TEST) }}
FUNCTION_NAME: my-function
USER_EMAIL: 'example@example.com'
TYPE: type
RANGE: '0-100'
run: |
comma_separated_list_d=$(echo "${LIST_D}" | sed "s/ /\",\"/g")
comma_separated_list_e=$(echo "${LIST_E}" | sed "s/ /\",\"/g")
c1=$(echo "${STRING_C}" | cut -d "-" -f 1)
c2=$(echo "${STRING_C}" | cut -d "-" -f 2)
# Similar commands that use JSON payloads with string interpolation.
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":["'"${comma_separated_list_e}"'"],"dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
shell: bash


@@ -0,0 +1,10 @@
language: cpp
strategy: dca
destination: cpp/ql/lib/ext/generated
targets:
- name: openssl
with-sinks: false
with-sources: false
- name: sqlite
with-sinks: false
with-sources: false


@@ -11,7 +11,7 @@ int getKind(int kind) {
if kind = 14
then result = 6 // Represent MSFT #import as #include
else
if kind = 15 or kind = 6
if kind = 15 or kind = 16
then result = 3 // Represent #elifdef and #elifndef as #elif
else result = kind
}
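Review bot: The kind values compared in `getKind` (14, 6, 15, 16, 3) are bare numbers whose only documentation is the trailing comment on each `then` branch, which is exactly how the old `kind = 6` slipped through review; the corrected condition would be safer to maintain with the mapping next to it, e.g. `if kind = 15 or kind = 16 // 15 = #elifdef, 16 = #elifndef`. A short header comment on `getKind` listing every kind it touches (`14 = MSFT #import`, `6 = #include`, `3 = #elif`, as the existing comments state) would let the next reader verify the table without opening the dbscheme. The signature of `getKind` is only in the hunk header, outside the hunk body.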


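--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,9 @@
+class BuiltinType extends @builtintype {
+string toString() { none() }
+}
+from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
+where
+builtintypes(id, name, kind, size, sign, alignment) and
+if kind = 62 then new_kind = 1 else new_kind = kind
+select id, name, new_kind, size, sign, alignment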
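Review bot: `if kind = 62 then new_kind = 1 else new_kind = kind` rewrites one builtin kind with no explanation of what 62 or 1 denote; the accompanying change note only says the script exists to "Support __mfp8 type", so presumably 62 is the new `__mfp8` kind being folded into kind 1 for schemes that predate it — confirm, and record it in a comment on the `if` line, e.g. `// 62 = __mfp8 (new kind); 1 = <name of the fallback kind, from the dbscheme>`. Without that, the next person touching this script has to cross-reference the dbscheme to read a single line, and a wrong constant here corrupts every `builtintypes` row with that kind.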




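--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,3 @@
+description: Support __mfp8 type
+compatibility: backwards
+builtintypes.rel: run builtintypes.qlo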


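--- a/<path not shown on page>
+++ /dev/null
@@ -1,9 +0,0 @@
-{
-"strategy": "dca",
-"language": "cpp",
-"targets": [
-{ "name": "openssl", "with-sources": false, "with-sinks": false },
-{ "name": "sqlite", "with-sources": false, "with-sinks": false }
-],
-"destination": "cpp/ql/lib/ext/generated"
-}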


@@ -1,3 +1,33 @@
## 5.1.0
### New Features
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
## 5.0.0
### Breaking Changes
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
### New Features
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
* Added support for `wmain` as part of the ArgvSource model.
### Bug Fixes
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
## 4.3.1
### Bug Fixes


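--- a/<path not shown on page>
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.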


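--- a/<path not shown on page>
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.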


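--- a/<path not shown on page>
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added support for `wmain` as part of the ArgvSource model.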


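--- a/<path not shown on page>
+++ /dev/null
@@ -1,9 +0,0 @@
----
-category: breaking
----
-* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
-* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
-* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.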


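--- a/<path not shown on page>
+++ /dev/null
@@ -1,6 +0,0 @@
----
-category: feature
----
-* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
-* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
-* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.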


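--- a/<path not shown on page>
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.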


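--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,23 @@
+## 5.0.0
+### Breaking Changes
+* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
+* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
+* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
+### New Features
+* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
+* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
+* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
+* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
+* Added support for `wmain` as part of the ArgvSource model.
+### Bug Fixes
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.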


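--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,5 @@
+## 5.1.0
+### New Features
+* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.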


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.3.1
lastReleaseVersion: 5.1.0


@@ -4,42 +4,15 @@ private import OpenSSLOperationBase
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
private import semmle.code.cpp.dataflow.new.DataFlow
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
}
predicate isSink(DataFlow::Node sink) {
exists(ECKeyGenOperation c | c.getAlgorithmArg() = sink.asExpr())
}
}
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
class ECKeyGenOperation extends OpenSSLOperation, Crypto::KeyGenerationOperationInstance {
ECKeyGenOperation() { this.(Call).getTarget().getName() = "EC_KEY_generate_key" }
override Expr getOutputArg() {
result = this.(Call) // return value of call
}
Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }
override Expr getInputArg() {
// there is no 'input', in the sense that no data is being manipulated by the operation.
// There is an input of an algorithm, but that is not the intention of the operation input arg.
none()
}
override Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }
override Crypto::KeyArtifactType getOutputKeyType() { result = Crypto::TAsymmetricKeyType() }
override Crypto::ArtifactOutputDataFlowNode getOutputKeyArtifact() {
result = this.getOutputNode()
}
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
DataFlow::exprNode(this.getAlgorithmArg()))
result.asExpr() = this.(Call).getArgument(0)
}
override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
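Review bot: The new body of `getAnAlgorithmValueConsumer`, `result.asExpr() = this.(Call).getArgument(0)`, hard-codes the argument position a second time even though the same hunk adds `override Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }` just above it; write it as `result.asExpr() = this.getAlgorithmArg()` so the position lives in one place and an override of `getAlgorithmArg` cannot silently diverge from it. Note also that removing the `AlgGetterToAlgConsumerFlow` module means the consumer must now be the argument expression itself rather than any value that flows into it — fine if the base operation or the consumer model now accounts for that flow, which is not visible in this hunk. The class body continues past `getKeySizeConsumer` outside the hunk.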


@@ -5,6 +5,7 @@
private import experimental.quantum.Language
private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
private import OpenSSLOperationBase
module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
@@ -34,19 +35,12 @@ Crypto::KeyOperationSubtype intToCipherOperationSubtype(int i) {
}
// TODO: need to add key consumer
abstract class EVP_Cipher_Initializer extends Call {
Expr getContextArg() { result = this.(Call).getArgument(0) }
abstract class EVP_Cipher_Initializer extends EVPInitialize {
override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
abstract Expr getKeyArg();
abstract Expr getIVArg();
// abstract Crypto::CipherOperationSubtype getCipherOperationSubtype();
abstract Expr getOperationSubtypeArg();
Crypto::KeyOperationSubtype getCipherOperationSubtype() {
override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
if this.(Call).getTarget().getName().toLowerCase().matches("%encrypt%")
then result instanceof Crypto::TEncryptMode
else
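Review bot: The commented-out `// abstract Crypto::CipherOperationSubtype getCipherOperationSubtype();` is kept while the hunk renames the live predicate to `getKeyOperationSubtype`, so the dead line now names something that exists nowhere in the class; delete it rather than leave a misleading hint for the next reader. The `// TODO: need to add key consumer` above the class may also be stale now that the class declares `abstract Expr getKeyArg();` — either remove it or say what is still missing. The body of `getKeyOperationSubtype` continues past the `else` outside the hunk.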


@@ -4,36 +4,23 @@ private import EVPCipherInitializer
private import OpenSSLOperationBase
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
class EVP_Cipher_Update_Call extends EVPUpdate {
EVP_Cipher_Update_Call() {
this.(Call).getTarget().getName() in [
"EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
]
}
predicate isSink(DataFlow::Node sink) {
exists(EVP_Cipher_Operation c | c.getAlgorithmArg() = sink.asExpr())
}
override Expr getInputArg() { result = this.(Call).getArgument(3) }
override Expr getOutputArg() { result = this.(Call).getArgument(1) }
}
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
// import experimental.quantum.OpenSSL.AlgorithmValueConsumers.AlgorithmValueConsumers
// import OpenSSLOperation
// class EVPCipherOutput extends CipherOutputArtifact {
// EVPCipherOutput() { exists(EVP_Cipher_Operation op | op.getOutputArg() = this) }
// override DataFlow::Node getOutputNode() { result.asDefiningArgument() = this }
// }
//
/**
* see: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
* Base configuration for all EVP cipher operations.
* NOTE: cannot extend instance of OpenSSLOperation, as we need to override
* elements of OpenSSLOperation (i.e., we are creating an instance)
*/
abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {
Expr getContextArg() { result = this.(Call).getArgument(0) }
Expr getAlgorithmArg() { this.getInitCall().getAlgorithmArg() = result }
abstract class EVP_Cipher_Operation extends EVPOperation, Crypto::KeyOperationInstance {
override Expr getOutputArg() { result = this.(Call).getArgument(1) }
override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
@@ -43,54 +30,35 @@ abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperati
result instanceof Crypto::TDecryptMode and
this.(Call).getTarget().getName().toLowerCase().matches("%decrypt%")
or
result = this.getInitCall().getCipherOperationSubtype() and
result = this.getInitCall().getKeyOperationSubtype() and
this.(Call).getTarget().getName().toLowerCase().matches("%cipher%")
}
EVP_Cipher_Initializer getInitCall() {
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
}
override Crypto::ConsumerInputDataFlowNode getNonceConsumer() {
this.getInitCall().getIVArg() = result.asExpr()
}
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
this.getInitCall().getKeyArg() = result.asExpr()
// todo: or track to the EVP_PKEY_CTX_new
}
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
result = EVPOperation.super.getOutputArtifact()
}
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
result = EVPOperation.super.getInputConsumer()
}
}
class EVP_Cipher_Call extends EVP_Cipher_Operation {
class EVP_Cipher_Call extends EVPOperation, EVP_Cipher_Operation {
EVP_Cipher_Call() { this.(Call).getTarget().getName() = "EVP_Cipher" }
override Expr getInputArg() { result = this.(Call).getArgument(2) }
}
// NOTE: not modeled as cipher operations, these are intermediate calls
class EVP_Cipher_Update_Call extends Call {
EVP_Cipher_Update_Call() {
this.(Call).getTarget().getName() in [
"EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
]
}
Expr getInputArg() { result = this.(Call).getArgument(3) }
DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
Expr getContextArg() { result = this.(Call).getArgument(0) }
}
class EVP_Cipher_Final_Call extends EVP_Cipher_Operation {
class EVP_Cipher_Final_Call extends EVPFinal, EVP_Cipher_Operation {
EVP_Cipher_Final_Call() {
this.(Call).getTarget().getName() in [
"EVP_EncryptFinal_ex", "EVP_DecryptFinal_ex", "EVP_CipherFinal_ex", "EVP_EncryptFinal",
@@ -98,26 +66,12 @@ class EVP_Cipher_Final_Call extends EVP_Cipher_Operation {
]
}
EVP_Cipher_Update_Call getUpdateCalls() {
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
/**
* Output is both from update calls and from the final call.
*/
override Expr getOutputArg() {
result = EVPFinal.super.getOutputArg()
or
result = EVP_Cipher_Operation.super.getOutputArg()
}
override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
}
class EVP_PKEY_Operation extends EVP_Cipher_Operation {
EVP_PKEY_Operation() {
this.(Call).getTarget().getName() in ["EVP_PKEY_decrypt", "EVP_PKEY_encrypt"]
}
override Expr getInputArg() { result = this.(Call).getArgument(3) }
// TODO: how PKEY is initialized is different that symmetric cipher
// Consider making an entirely new class for this and specializing
// the get init call
}
class EVPCipherInputArgument extends Expr {
EVPCipherInputArgument() { exists(EVP_Cipher_Operation op | op.getInputArg() = this) }
}
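Review bot: `EVP_Cipher_Operation` now has two supertypes, `EVPOperation` and `Crypto::KeyOperationInstance`, and `getOutputArtifact` / `getInputConsumer` are overridden solely to re-dispatch via `EVPOperation.super.…` with no comment saying why, so a reader will wonder whether the override is accidental; a one-liner on each such as `// Both supertypes define this; select the EVPOperation implementation explicitly.` would settle it, and the same pattern recurs in `EVP_Q_Digest_Operation` and `EVP_Digest_Operation` in the hash-operation section below. Separately, `class EVP_Cipher_Call extends EVPOperation, EVP_Cipher_Operation` lists `EVPOperation` redundantly, since `EVP_Cipher_Operation` already extends it; `class EVP_Cipher_Call extends EVP_Cipher_Operation {` is sufficient. `EVP_Cipher_Final_Call` is split across the last two hunks of this section.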


@@ -1,10 +1,7 @@
import cpp
private import OpenSSLOperationBase
abstract class EVP_Hash_Initializer extends Call {
Expr getContextArg() { result = this.(Call).getArgument(0) }
abstract Expr getAlgorithmArg();
}
abstract class EVP_Hash_Initializer extends EVPInitialize { }
class EVP_DigestInit_Variant_Calls extends EVP_Hash_Initializer {
EVP_DigestInit_Variant_Calls() {
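Review bot: `abstract class EVP_Hash_Initializer extends EVPInitialize { }` is reduced to an empty marker type with no QLDoc, so nothing tells a reader why it still exists instead of `EVP_DigestInit_Variant_Calls` extending `EVPInitialize` directly. Add a doc comment stating its role — presumably something like `/** An `EVPInitialize` call that sets up a digest context; subclasses pick the concrete init function. */` — adjusting the wording to what the subclasses actually share, which is not fully visible here. `EVP_DigestInit_Variant_Calls` continues outside the hunk.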


@@ -8,118 +8,78 @@ private import OpenSSLOperationBase
private import EVPHashInitializer
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
// import EVPHashConsumers
abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
Expr getContextArg() { result = this.(Call).getArgument(0) }
class EVP_Digest_Update_Call extends EVPUpdate {
EVP_Digest_Update_Call() { this.(Call).getTarget().getName() = "EVP_DigestUpdate" }
Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
EVP_Hash_Initializer getInitCall() {
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
}
/**
* By default, the algorithm value comes from the init call.
* There are variants where this isn't true, in which case the
* subclass should override this method.
*/
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
DataFlow::exprNode(this.getAlgorithmArg()))
}
override Expr getInputArg() { result = this.(Call).getArgument(1) }
}
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
}
predicate isSink(DataFlow::Node sink) {
exists(EVP_Hash_Operation c | c.getAlgorithmArg() = sink.asExpr())
}
}
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
//https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
class EVP_Q_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
EVP_Q_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
//override Crypto::AlgorithmConsumer getAlgorithmConsumer() { }
override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
override EVP_Hash_Initializer getInitCall() {
// This variant of digest does not use an init
// and even if it were used, the init would be ignored/undefined
none()
}
override Expr getOutputArg() { result = this.(Call).getArgument(5) }
override Expr getInputArg() { result = this.(Call).getArgument(3) }
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
override Expr getOutputArg() { result = this.(Call).getArgument(5) }
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
// The operation is a direct algorithm consumer
// NOTE: the operation itself is already modeld as a value consumer, so we can
// simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest
this = result
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
result = EVPOperation.super.getOutputArtifact()
}
override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
result = EVPOperation.super.getInputConsumer()
}
}
class EVP_Digest_Operation extends EVP_Hash_Operation {
class EVP_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
EVP_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Digest" }
// There is no context argument for this function
override Expr getContextArg() { none() }
override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }
override EVP_Hash_Initializer getInitCall() {
// This variant of digest does not use an init
// and even if it were used, the init would be ignored/undefined
none()
}
override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }
override Expr getInputArg() { result = this.(Call).getArgument(0) }
override Expr getOutputArg() { result = this.(Call).getArgument(2) }
override Expr getInputArg() { result = this.(Call).getArgument(0) }
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
result = EVPOperation.super.getOutputArtifact()
}
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
result = EVPOperation.super.getInputConsumer()
}
}
// NOTE: not modeled as hash operations, these are intermediate calls
class EVP_Digest_Update_Call extends Call {
EVP_Digest_Update_Call() { this.(Call).getTarget().getName() in ["EVP_DigestUpdate"] }
Expr getInputArg() { result = this.(Call).getArgument(1) }
DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
Expr getContextArg() { result = this.(Call).getArgument(0) }
}
class EVP_Digest_Final_Call extends EVP_Hash_Operation {
class EVP_Digest_Final_Call extends EVPFinal, Crypto::HashOperationInstance {
EVP_Digest_Final_Call() {
this.(Call).getTarget().getName() in [
"EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
]
}
EVP_Digest_Update_Call getUpdateCalls() {
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
}
override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
override Expr getOutputArg() { result = this.(Call).getArgument(1) }
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
result = EVPFinal.super.getOutputArtifact()
}
override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
result = EVPFinal.super.getInputConsumer()
}
}


@@ -1,21 +1,162 @@
private import experimental.quantum.Language
private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
/**
* A class for all OpenSSL operations.
*/
abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
/**
* Expression that specifies the algorithm for the operation.
* Will be an argument of the operation in the simplest case.
*/
abstract Expr getAlgorithmArg();
/**
* Algorithm is specified in initialization call or is implicitly established by the key.
*/
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
DataFlow::exprNode(this.getAlgorithmArg()))
}
}
/**
* A Call to initialization functions from the EVP API.
* These are not operations in the sense of Crypto::OperationInstance,
* but they are used to initialize the context for the operation.
*/
abstract class EVPInitialize extends Call {
/**
* Gets the context argument that ties together initialization, updates and/or final calls.
*/
Expr getContextArg() { result = this.(Call).getArgument(0) }
/**
* Gets the type of key operation, none if not applicable.
*/
Crypto::KeyOperationSubtype getKeyOperationSubtype() { none() }
/**
* Explicitly specified algorithm or none if implicit (e.g., established by the key).
* None if not applicable.
*/
Expr getAlgorithmArg() { none() }
/**
* Gets the key for the operation, none if not applicable.
*/
Expr getKeyArg() { none() }
/**
* Gets the IV/nonce, none if not applicable.
*/
Expr getIVArg() { none() }
}
/**
* A Call to update functions from the EVP API.
* These are not operations in the sense of Crypto::OperationInstance,
* but they are used to update the context for the operation.
*/
abstract class EVPUpdate extends Call {
/**
* Gets the context argument that ties together initialization, updates and/or final calls.
*/
Expr getContextArg() { result = this.(Call).getArgument(0) }
/**
* Update calls always have some input data like plaintext or message digest.
*/
abstract Expr getInputArg();
/**
* Can be an argument of a call or a return value of a function.
* Update calls sometimes have some output data like a plaintext.
*/
Expr getOutputArg() { none() }
}
/**
* Flows from algorithm values to operations, specific to OpenSSL
*/
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
}
predicate isSink(DataFlow::Node sink) {
exists(EVPOperation c | c.getAlgorithmArg() = sink.asExpr())
}
}
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
/**
* The base class for all operations of the EVP API.
* This captures one-shot APIs (with and without an initilizer call) and final calls.
* Provides some default methods for Crypto::KeyOperationInstance class
*/
abstract class EVPOperation extends OpenSSLOperation {
/**
* Gets the context argument that ties together initialization, updates and/or final calls.
*/
Expr getContextArg() { result = this.(Call).getArgument(0) }
/**
* Some input data like plaintext or message digest.
* Either argument provided direcly in the call or all arguments that were provided in update calls.
*/
abstract Expr getInputArg();
/**
* Some output data like ciphertext or signature.
*/
abstract Expr getOutputArg();
DataFlow::Node getInputNode() {
// Assumed to be default to asExpr
result.asExpr() = this.getInputArg()
/**
* Overwrite with an explicitly specified algorithm or leave base implementation to find it in the initialization call.
*/
override Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
/**
* Finds the initialization call, may be none.
*/
EVPInitialize getInitCall() {
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
}
DataFlow::Node getOutputNode() {
if exists(Call c | c.getAnArgument() = this)
then result.asDefiningArgument() = this
else result.asExpr() = this
Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
result = DataFlow::exprNode(this.getOutputArg())
}
/**
* Input consumer is the input argument of the call.
*/
Crypto::ConsumerInputDataFlowNode getInputConsumer() {
result = DataFlow::exprNode(this.getInputArg())
}
}
/**
* The final calls of the EVP API.
*/
abstract class EVPFinal extends EVPOperation {
/**
* All update calls that were executed before this final call.
*/
EVPUpdate getUpdateCalls() {
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
}
/**
* Gets the input data provided to all update calls.
* If more input data was provided in the final call, override the method.
*/
override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
/**
* Gets the output data provided to all update calls.
* If more output data was provided in the final call, override the method.
*/
override Expr getOutputArg() { result = this.getUpdateCalls().getOutputArg() }
}
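Review bot: The sink side of `AlgGetterToAlgConsumerConfig` is narrower than the class that consumes the flow: `isSink` accepts only `EVPOperation c | c.getAlgorithmArg() = sink.asExpr()`, while `getAnAlgorithmValueConsumer()` is implemented on the abstract `OpenSSLOperation`, so any future `OpenSSLOperation` subclass that is not an `EVPOperation` would silently get no algorithm value consumer. Unless every `OpenSSLOperation` is meant to be an `EVPOperation` (in which case the split into two abstract classes is not needed), the sink should be `exists(OpenSSLOperation c | c.getAlgorithmArg() = sink.asExpr())`. The `EVPOperation` valadoc also has two typos worth fixing while here, `initilizer` and `direcly`.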


@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 4.3.2-dev
version: 5.1.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@@ -174,7 +174,27 @@ class UsingDeclarationEntry extends UsingEntry {
*/
Declaration getDeclaration() { usings(underlyingElement(this), unresolveElement(result), _, _) }
override string toString() { result = "using " + this.getDeclaration().getDescription() }
/**
* Gets the member that is referenced by this using declaration, where the member depends on a
* type template parameter.
*
* For example:
* ```
* template <typename T>
* class A {
* using T::m;
* };
* ```
* Here, `getReferencedMember()` yields the member `m` of `T`. Observe that,
* as `T` is not instantiated, `m` is represented by a `Literal` and not
* a `Declaration`.
*/
Literal getReferencedMember() { usings(underlyingElement(this), unresolveElement(result), _, _) }
override string toString() {
result = "using " + this.getDeclaration().getDescription() or
result = "using " + this.getReferencedMember()
}
}
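Review bot: `getReferencedMember()` duplicates the body of `getDeclaration()` verbatim (`usings(underlyingElement(this), unresolveElement(result), _, _)`), differing only in the declared result type, and the new `toString()` now branches on which of the two has a result; nothing in the documentation tells a reader that the two getters are mutually exclusive, which is what the `or` in `toString()` relies on. Assuming the `usings` relation holds exactly one referenced element per entry, add to the new valadoc a sentence such as `Has no result when the referenced member is not dependent on a template parameter; in that case \`getDeclaration()\` holds instead.` and the mirror sentence on `getDeclaration()`, whose own doc comment starts above this hunk. If that exclusivity is not guaranteed, `toString()` yields two strings for one entry. The enclosing class `UsingDeclarationEntry` starts outside the hunk.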
/**


@@ -839,6 +839,9 @@ private predicate floatingPointTypeMapping(
or
// _Complex _Float128
kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
or
// __mfp8
kind = 62 and base = 2 and domain = TRealDomain() and realKind = 62 and extended = false
}
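Review bot: The new entry's comment `// __mfp8` names the type but, unlike the other builtin kinds a reader may know, gives no hint what it is; if I recall the Arm ACLE correctly this is Arm's 8-bit modal floating-point type, whose format is not fixed by the type itself, so `base = 2 ... extended = false` is a modelling choice worth stating. Suggest `// __mfp8 (Arm ACLE 8-bit modal floating-point type; format is runtime-selected, modelled as a plain binary float)`, after the author confirms the intent. The enclosing predicate `floatingPointTypeMapping` starts outside the hunk.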
/**


@@ -691,6 +691,7 @@ case @builtintype.kind of
| 59 = @complex_std_float64 // _Complex _Float64
| 60 = @complex_float64x // _Complex _Float64x
| 61 = @complex_std_float128 // _Complex _Float128
| 62 = @mfp8 // __mfp8
;
builtintypes(




@@ -0,0 +1,2 @@
description: Support __mfp8 type
compatibility: full


@@ -1,3 +1,13 @@
## 1.4.2
No user-facing changes.
## 1.4.1
### Minor Analysis Improvements
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
## 1.4.0
### Query Metadata Changes


@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
## 1.4.1
### Minor Analysis Improvements
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.


@@ -0,0 +1,3 @@
## 1.4.2
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.0
lastReleaseVersion: 1.4.2


@@ -98,8 +98,8 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
e.(FunctionCall).getTarget() = f or
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
) and
access = f.getParameter(arg).getAnAccess() and
e.(FunctionCall).getArgument(arg) = released and
access = f.getParameter(pragma[only_bind_into](arg)).getAnAccess() and
e.(FunctionCall).getArgument(pragma[only_bind_into](arg)) = released and
exprReleases(_,
pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
)
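Review bot: The two added `pragma[only_bind_into](arg)` wrappers carry no comment, and since `only_bind_into` encodes a join-ordering decision rather than a semantic one, a later maintainer cannot tell whether it was a measured fix or may be dropped when the surrounding conjuncts change. Suggest a one-line comment above the first wrapped conjunct, e.g. `// only_bind_into: bind \`arg\` from the parameter/argument lookups, not through the recursive exprReleases call (avoids a bad join order)`, with the exact rationale confirmed by the author. The enclosing predicate `exprReleases` starts outside the hunk.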


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.4.1-dev
version: 1.4.3-dev
groups:
- cpp
- queries


@@ -324,7 +324,7 @@ Conversion3.cpp:
# 2| getExpr(): [CStyleCast] (int)...
# 2| Conversion = [IntegralConversion] integral conversion
# 2| Type = [IntType] int
# 2| Value = [CStyleCast] 1
# 2| Value = [CStyleCast] 5
# 2| ValueCategory = prvalue
# 2| getRightOperand().getFullyConverted(): [ParenthesisExpr] (...)
# 2| Type = [IntType] int


@@ -1,8 +1,16 @@
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |


@@ -1,2 +1,2 @@
| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:124:13:124:30 | Digest | openssl_basic.c:116:38:116:47 | HashAlgorithm | openssl_basic.c:120:37:120:43 | Message |
| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:13:144:22 | Digest | openssl_basic.c:144:67:144:73 | HashAlgorithm | openssl_basic.c:144:24:144:30 | Message |
| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:124:39:124:44 | Digest | openssl_basic.c:116:38:116:47 | HashAlgorithm | openssl_basic.c:120:37:120:43 | Message |
| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:46:144:51 | Digest | openssl_basic.c:144:67:144:73 | HashAlgorithm | openssl_basic.c:144:24:144:30 | Message |


@@ -9,3 +9,6 @@
| multi.c:5:27:5:36 | // Multi 3 | declaration of multi3 |
| templates.cpp:3:3:3:8 | // Foo | declaration of foo |
| templates.cpp:7:3:7:8 | // Bar | definition of bar |
| templates.cpp:16:3:16:20 | // using T::member | using member |
| templates.cpp:19:3:19:28 | // using T::nested::member | using member |
| templates.cpp:25:3:25:20 | // using T::member | using member |


@@ -10,3 +10,18 @@ class Cl {
}
};
template <typename T>
class Derived : public T {
// using T::member
using T::member;
// using T::nested::member
using T::nested::member;
};
template <typename T>
class Base {
// using T::member
using T::member;
};


@@ -1,2 +1,2 @@
| Bar::(unnamed namespace)::B | Bar::<unnamed>::B |
| Foo::(unnamed namespace)::A | _ZN3Foo37_GLOBAL__N__13_funcdname_cpp_?AEv |
| Foo::(unnamed namespace)::A | _ZN35_INTERNAL_13_funcdname_cpp_?Foo37_GLOBAL__N__13_funcdname_cpp_?AEv |


@@ -2,4 +2,8 @@ import cpp
from Function f, ReturnStmt r
where r.getEnclosingFunction() = f
select f.getQualifiedName(), r.getExpr().getValue().regexpReplaceAll("_[0-9a-f]+AEv$", "_?AEv")
select f.getQualifiedName(),
r.getExpr()
.getValue()
.regexpReplaceAll("_[0-9a-f]+AEv$", "_?AEv")
.regexpReplaceAll("cpp_[0-9a-f]+Foo37_", "cpp_?Foo37_")


@@ -58,6 +58,77 @@
#-----| Type = [LongType] unsigned long
#-----| getParameter(1): [Parameter] (unnamed parameter 1)
#-----| Type = [ScopedEnum] align_val_t
arm.cpp:
# 6| [TopLevelFunction] uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
# 6| <params>:
# 6| getParameter(0): [Parameter] a
# 6| Type = [CTypedefType] uint8x8_t
# 6| getParameter(1): [Parameter] b
# 6| Type = [CTypedefType] uint8x8_t
# 6| getEntryPoint(): [BlockStmt] { ... }
# 7| getStmt(0): [ReturnStmt] return ...
# 7| getExpr(): [AddExpr] ... + ...
# 7| Type = [GNUVectorType] __attribute((neon_vector_type(8))) unsigned char
# 7| ValueCategory = prvalue
# 7| getLeftOperand(): [VariableAccess] a
# 7| Type = [CTypedefType] uint8x8_t
# 7| ValueCategory = prvalue(load)
# 7| getRightOperand(): [VariableAccess] b
# 7| Type = [CTypedefType] uint8x8_t
# 7| ValueCategory = prvalue(load)
# 12| [TopLevelFunction] uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t)
# 12| <params>:
# 12| getParameter(0): [Parameter] (unnamed parameter 0)
# 12| Type = [CTypedefType] uint8x8_t
# 12| getParameter(1): [Parameter] (unnamed parameter 1)
# 12| Type = [CTypedefType] uint8x8_t
# 14| [TopLevelFunction] uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
# 14| <params>:
# 14| getParameter(0): [Parameter] a
# 14| Type = [CTypedefType] uint8x8_t
# 14| getParameter(1): [Parameter] b
# 14| Type = [CTypedefType] uint8x8_t
# 14| getEntryPoint(): [BlockStmt] { ... }
# 15| getStmt(0): [ReturnStmt] return ...
# 15| getExpr(): [FunctionCall] call to __builtin_aarch64_uaddlv8qi_uuu
# 15| Type = [CTypedefType] uint16x8_t
# 15| ValueCategory = prvalue
# 15| getArgument(0): [VariableAccess] a
# 15| Type = [CTypedefType] uint8x8_t
# 15| ValueCategory = prvalue(load)
# 15| getArgument(1): [VariableAccess] b
# 15| Type = [CTypedefType] uint8x8_t
# 15| ValueCategory = prvalue(load)
# 18| [TopLevelFunction] uint16x8_t arm_add(uint8x8_t, uint8x8_t)
# 18| <params>:
# 18| getParameter(0): [Parameter] a
# 18| Type = [CTypedefType] uint8x8_t
# 18| getParameter(1): [Parameter] b
# 18| Type = [CTypedefType] uint8x8_t
# 18| getEntryPoint(): [BlockStmt] { ... }
# 19| getStmt(0): [DeclStmt] declaration
# 19| getDeclarationEntry(0): [VariableDeclarationEntry] definition of c
# 19| Type = [CTypedefType] uint8x8_t
# 19| getVariable().getInitializer(): [Initializer] initializer for c
# 19| getExpr(): [FunctionCall] call to vadd_u8
# 19| Type = [CTypedefType] uint8x8_t
# 19| ValueCategory = prvalue
# 19| getArgument(0): [VariableAccess] a
# 19| Type = [CTypedefType] uint8x8_t
# 19| ValueCategory = prvalue(load)
# 19| getArgument(1): [VariableAccess] b
# 19| Type = [CTypedefType] uint8x8_t
# 19| ValueCategory = prvalue(load)
# 20| getStmt(1): [ReturnStmt] return ...
# 20| getExpr(): [FunctionCall] call to vaddl_u8
# 20| Type = [CTypedefType] uint16x8_t
# 20| ValueCategory = prvalue
# 20| getArgument(0): [VariableAccess] a
# 20| Type = [CTypedefType] uint8x8_t
# 20| ValueCategory = prvalue(load)
# 20| getArgument(1): [VariableAccess] c
# 20| Type = [CTypedefType] uint8x8_t
# 20| ValueCategory = prvalue(load)
bad_asts.cpp:
# 5| [CopyAssignmentOperator] Bad::S& Bad::S::operator=(Bad::S const&)
# 5| <params>:
@@ -23814,11 +23885,11 @@ ir.cpp:
# 2692| Conversion = [IntegralConversion] integral conversion
# 2692| Type = [LongType] unsigned long
# 2692| ValueCategory = prvalue
#-----| getExpr().getFullyConverted(): [CStyleCast] (int)...
#-----| Conversion = [IntegralConversion] integral conversion
#-----| Type = [IntType] int
#-----| Value = [CStyleCast] 1
#-----| ValueCategory = prvalue
# 2692| getExpr().getFullyConverted(): [CStyleCast] (int)...
# 2692| Conversion = [IntegralConversion] integral conversion
# 2692| Type = [IntType] int
# 2692| Value = [CStyleCast] 1
# 2692| ValueCategory = prvalue
# 2693| getStmt(1): [ReturnStmt] return ...
# 2693| getExpr(): [VariableAccess] y
# 2693| Type = [IntType] int


@@ -1,3 +1,86 @@
arm.cpp:
# 6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
# 6| Block 0
# 6| v6_1(void) = EnterFunction :
# 6| m6_2(unknown) = AliasedDefinition :
# 6| m6_3(unknown) = InitializeNonLocal :
# 6| m6_4(unknown) = Chi : total:m6_2, partial:m6_3
# 6| r6_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 6| m6_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r6_5
# 6| r6_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 6| m6_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r6_7
# 7| r7_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
# 7| r7_2(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 7| r7_3(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r7_2, m6_6
# 7| r7_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 7| r7_5(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r7_4, m6_8
# 7| r7_6(__attribute((neon_vector_type(8))) unsigned char) = Add : r7_3, r7_5
# 7| m7_7(__attribute((neon_vector_type(8))) unsigned char) = Store[#return] : &:r7_1, r7_6
# 6| r6_9(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
# 6| v6_10(void) = ReturnValue : &:r6_9, m7_7
# 6| v6_11(void) = AliasedUse : m6_3
# 6| v6_12(void) = ExitFunction :
# 14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
# 14| Block 0
# 14| v14_1(void) = EnterFunction :
# 14| m14_2(unknown) = AliasedDefinition :
# 14| m14_3(unknown) = InitializeNonLocal :
# 14| m14_4(unknown) = Chi : total:m14_2, partial:m14_3
# 14| r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 14| m14_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r14_5
# 14| r14_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 14| m14_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r14_7
# 15| r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 15| r15_2(glval<unknown>) = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] :
# 15| r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 15| r15_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r15_3, m14_6
# 15| r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 15| r15_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r15_5, m14_8
# 15| r15_7(__attribute((neon_vector_type(8))) unsigned short) = Call[__builtin_aarch64_uaddlv8qi_uuu] : func:r15_2, 0:r15_4, 1:r15_6
# 15| m15_8(unknown) = ^CallSideEffect : ~m14_4
# 15| m15_9(unknown) = Chi : total:m14_4, partial:m15_8
# 15| m15_10(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r15_1, r15_7
# 14| r14_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 14| v14_10(void) = ReturnValue : &:r14_9, m15_10
# 14| v14_11(void) = AliasedUse : ~m15_9
# 14| v14_12(void) = ExitFunction :
# 18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
# 18| Block 0
# 18| v18_1(void) = EnterFunction :
# 18| m18_2(unknown) = AliasedDefinition :
# 18| m18_3(unknown) = InitializeNonLocal :
# 18| m18_4(unknown) = Chi : total:m18_2, partial:m18_3
# 18| r18_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 18| m18_6(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r18_5
# 18| r18_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 18| m18_8(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r18_7
# 19| r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
# 19| r19_2(glval<unknown>) = FunctionAddress[vadd_u8] :
# 19| r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 19| r19_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r19_3, m18_6
# 19| r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 19| r19_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r19_5, m18_8
# 19| r19_7(__attribute((neon_vector_type(8))) unsigned char) = Call[vadd_u8] : func:r19_2, 0:r19_4, 1:r19_6
# 19| m19_8(unknown) = ^CallSideEffect : ~m18_4
# 19| m19_9(unknown) = Chi : total:m18_4, partial:m19_8
# 19| m19_10(__attribute((neon_vector_type(8))) unsigned char) = Store[c] : &:r19_1, r19_7
# 20| r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 20| r20_2(glval<unknown>) = FunctionAddress[vaddl_u8] :
# 20| r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 20| r20_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r20_3, m18_6
# 20| r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
# 20| r20_6(__attribute((neon_vector_type(8))) unsigned char) = Load[c] : &:r20_5, m19_10
# 20| r20_7(__attribute((neon_vector_type(8))) unsigned short) = Call[vaddl_u8] : func:r20_2, 0:r20_4, 1:r20_6
# 20| m20_8(unknown) = ^CallSideEffect : ~m19_9
# 20| m20_9(unknown) = Chi : total:m19_9, partial:m20_8
# 20| m20_10(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r20_1, r20_7
# 18| r18_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 18| v18_10(void) = ReturnValue : &:r18_9, m20_10
# 18| v18_11(void) = AliasedUse : ~m20_9
# 18| v18_12(void) = ExitFunction :
bad_asts.cpp:
# 9| int Bad::S::MemberFunction<int 6>(int)
# 9| Block 0
@@ -19457,11 +19540,11 @@ ir.cpp:
# 2691| m2691_3(unknown) = InitializeNonLocal :
# 2691| m2691_4(unknown) = Chi : total:m2691_2, partial:m2691_3
# 2692| r2692_1(glval<int>) = VariableAddress[y] :
#-----| r0_1(int) = Constant[1] :
#-----| m0_2(int) = Store[y] : &:r2692_1, r0_1
# 2692| r2692_2(int) = Constant[1] :
# 2692| m2692_3(int) = Store[y] : &:r2692_1, r2692_2
# 2693| r2693_1(glval<int>) = VariableAddress[#return] :
# 2693| r2693_2(glval<int>) = VariableAddress[y] :
# 2693| r2693_3(int) = Load[y] : &:r2693_2, m0_2
# 2693| r2693_3(int) = Load[y] : &:r2693_2, m2692_3
# 2693| m2693_4(int) = Store[#return] : &:r2693_1, r2693_3
# 2691| r2691_5(glval<int>) = VariableAddress[#return] :
# 2691| v2691_6(void) = ReturnValue : &:r2691_5, m2693_4


@@ -0,0 +1,21 @@
// semmle-extractor-options: --edg --target --edg linux_arm64
typedef __Uint8x8_t uint8x8_t;
typedef __Uint16x8_t uint16x8_t;
uint8x8_t vadd_u8(uint8x8_t a, uint8x8_t b) {
return a + b;
}
// Workaround: the frontend only exposes this when the arm_neon.h
// header is encountered.
uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t);
uint16x8_t vaddl_u8(uint8x8_t a, uint8x8_t b) {
return __builtin_aarch64_uaddlv8qi_uuu (a, b);
}
uint16x8_t arm_add(uint8x8_t a, uint8x8_t b) {
uint8x8_t c = vadd_u8(a, b);
return vaddl_u8(a, c);
}


@@ -1,3 +1,80 @@
arm.cpp:
# 6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
# 6| Block 0
# 6| v6_1(void) = EnterFunction :
# 6| mu6_2(unknown) = AliasedDefinition :
# 6| mu6_3(unknown) = InitializeNonLocal :
# 6| r6_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 6| mu6_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r6_4
# 6| r6_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 6| mu6_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r6_6
# 7| r7_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
# 7| r7_2(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 7| r7_3(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r7_2, ~m?
# 7| r7_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 7| r7_5(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r7_4, ~m?
# 7| r7_6(__attribute((neon_vector_type(8))) unsigned char) = Add : r7_3, r7_5
# 7| mu7_7(__attribute((neon_vector_type(8))) unsigned char) = Store[#return] : &:r7_1, r7_6
# 6| r6_8(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] :
# 6| v6_9(void) = ReturnValue : &:r6_8, ~m?
# 6| v6_10(void) = AliasedUse : ~m?
# 6| v6_11(void) = ExitFunction :
# 14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
# 14| Block 0
# 14| v14_1(void) = EnterFunction :
# 14| mu14_2(unknown) = AliasedDefinition :
# 14| mu14_3(unknown) = InitializeNonLocal :
# 14| r14_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 14| mu14_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r14_4
# 14| r14_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 14| mu14_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r14_6
# 15| r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 15| r15_2(glval<unknown>) = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] :
# 15| r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 15| r15_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r15_3, ~m?
# 15| r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 15| r15_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r15_5, ~m?
# 15| r15_7(__attribute((neon_vector_type(8))) unsigned short) = Call[__builtin_aarch64_uaddlv8qi_uuu] : func:r15_2, 0:r15_4, 1:r15_6
# 15| mu15_8(unknown) = ^CallSideEffect : ~m?
# 15| mu15_9(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r15_1, r15_7
# 14| r14_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 14| v14_9(void) = ReturnValue : &:r14_8, ~m?
# 14| v14_10(void) = AliasedUse : ~m?
# 14| v14_11(void) = ExitFunction :
# 18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
# 18| Block 0
# 18| v18_1(void) = EnterFunction :
# 18| mu18_2(unknown) = AliasedDefinition :
# 18| mu18_3(unknown) = InitializeNonLocal :
# 18| r18_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 18| mu18_5(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[a] : &:r18_4
# 18| r18_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 18| mu18_7(__attribute((neon_vector_type(8))) unsigned char) = InitializeParameter[b] : &:r18_6
# 19| r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
# 19| r19_2(glval<unknown>) = FunctionAddress[vadd_u8] :
# 19| r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 19| r19_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r19_3, ~m?
# 19| r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b] :
# 19| r19_6(__attribute((neon_vector_type(8))) unsigned char) = Load[b] : &:r19_5, ~m?
# 19| r19_7(__attribute((neon_vector_type(8))) unsigned char) = Call[vadd_u8] : func:r19_2, 0:r19_4, 1:r19_6
# 19| mu19_8(unknown) = ^CallSideEffect : ~m?
# 19| mu19_9(__attribute((neon_vector_type(8))) unsigned char) = Store[c] : &:r19_1, r19_7
# 20| r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 20| r20_2(glval<unknown>) = FunctionAddress[vaddl_u8] :
# 20| r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a] :
# 20| r20_4(__attribute((neon_vector_type(8))) unsigned char) = Load[a] : &:r20_3, ~m?
# 20| r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[c] :
# 20| r20_6(__attribute((neon_vector_type(8))) unsigned char) = Load[c] : &:r20_5, ~m?
# 20| r20_7(__attribute((neon_vector_type(8))) unsigned short) = Call[vaddl_u8] : func:r20_2, 0:r20_4, 1:r20_6
# 20| mu20_8(unknown) = ^CallSideEffect : ~m?
# 20| mu20_9(__attribute((neon_vector_type(8))) unsigned short) = Store[#return] : &:r20_1, r20_7
# 18| r18_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return] :
# 18| v18_9(void) = ReturnValue : &:r18_8, ~m?
# 18| v18_10(void) = AliasedUse : ~m?
# 18| v18_11(void) = ExitFunction :
bad_asts.cpp:
# 9| int Bad::S::MemberFunction<int 6>(int)
# 9| Block 0
@@ -17775,8 +17852,8 @@ ir.cpp:
# 2691| mu2691_2(unknown) = AliasedDefinition :
# 2691| mu2691_3(unknown) = InitializeNonLocal :
# 2692| r2692_1(glval<int>) = VariableAddress[y] :
#-----| r0_1(int) = Constant[1] :
#-----| mu0_2(int) = Store[y] : &:r2692_1, r0_1
# 2692| r2692_2(int) = Constant[1] :
# 2692| mu2692_3(int) = Store[y] : &:r2692_1, r2692_2
# 2693| r2693_1(glval<int>) = VariableAddress[#return] :
# 2693| r2693_2(glval<int>) = VariableAddress[y] :
# 2693| r2693_3(int) = Load[y] : &:r2693_2, ~m?


@@ -1011,10 +1011,10 @@ void test_overflow() {
range(x); // $ range===2147483647
const int y = 256;
range(y); // $ range===256
if ((x + y) <= 512) {
if ((x + y) <= 512) { // $ overflow=+
range(x); // $ range===2147483647
range(y); // $ range===256
range(x + y); // $ range===-2147483393
range(x + y); // $ range=<=2147483903 overflow=+
}
}
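Review bot: The new expectation `range=<=2147483903` inside the `(x + y) <= 512` guard is not self-explanatory: the bound is the unclamped sum of the operand maxima (2147483647 + 256), not 512, so the guard evidently does not narrow `x + y` once the addition is flagged `overflow=+`, and the same holds for the `overflow=+` annotation on the `if` line itself. A reader comparing this with the neighbouring `range(x)`/`range(y)` lines, which are narrowed as usual, may take the 512-less bound for a test bug. Suggest a comment on the `range(x + y)` line, e.g. `// the guard cannot narrow the sum: x is INT_MAX, so x + y may overflow and the bound is the raw operand sum`. The enclosing `test_overflow` function begins outside this hunk, so I have not checked whether an earlier comment already covers this.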


@@ -1,4 +1,10 @@
uniqueEnclosingCallable
| builtin.c:14:3:14:16 | ... * ... | Node should have one enclosing callable but has 0. |
| builtin.c:14:3:14:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
| builtin.c:14:10:14:10 | 4 | Node should have one enclosing callable but has 0. |
| builtin.c:15:3:15:16 | ... * ... | Node should have one enclosing callable but has 0. |
| builtin.c:15:3:15:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
| builtin.c:15:10:15:10 | 4 | Node should have one enclosing callable but has 0. |
| enum.c:2:6:2:6 | 1 | Node should have one enclosing callable but has 0. |
| enum.c:2:6:2:10 | ... + ... | Node should have one enclosing callable but has 0. |
| enum.c:2:10:2:10 | 1 | Node should have one enclosing callable but has 0. |


@@ -1,13 +1,13 @@
| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:5:25:5:25 | 1 | 1 |
| test.cpp:3:8:3:8 | C<2> | 0 | int | file://:0:0:0:0 | 2 | 2 |
| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:6:3:6:6 | one1 | 1 |
| test.cpp:3:8:3:8 | C<2> | 0 | int | test.cpp:7:3:7:13 | ... + ... | 2 |
| test.cpp:3:8:3:8 | C<x> | 0 | int | file://:0:0:0:0 | x | x |
| test.cpp:10:8:10:8 | D<T, X> | 0 | <none> | test.cpp:9:19:9:19 | T | <none> |
| test.cpp:10:8:10:8 | D<T, X> | 1 | T | file://:0:0:0:0 | X | X |
| test.cpp:10:8:10:8 | D<int, 2> | 0 | <none> | file://:0:0:0:0 | int | <none> |
| test.cpp:10:8:10:8 | D<int, 2> | 1 | int | test.cpp:12:8:12:8 | 2 | 2 |
| test.cpp:10:8:10:8 | D<long, 2L> | 0 | <none> | file://:0:0:0:0 | long | <none> |
| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | file://:0:0:0:0 | 2 | 2 |
| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | test.cpp:13:9:13:9 | 2 | 2 |
| test.cpp:16:8:16:8 | E<T, X> | 0 | <none> | test.cpp:15:19:15:19 | T | <none> |
| test.cpp:16:8:16:8 | E<T, X> | 1 | T * | file://:0:0:0:0 | X | X |
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 0 | <none> | file://:0:0:0:0 | int | <none> |
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | file://:0:0:0:0 | 0 | 0 |
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | test.cpp:18:8:18:14 | 0 | 0 |


@@ -25,6 +25,7 @@
| file://:0:0:0:0 | __float128 |
| file://:0:0:0:0 | __fp16 |
| file://:0:0:0:0 | __int128 |
| file://:0:0:0:0 | __mfp8 |
| file://:0:0:0:0 | __va_list_tag |
| file://:0:0:0:0 | __va_list_tag & |
| file://:0:0:0:0 | __va_list_tag && |


@@ -46,6 +46,7 @@
| file://:0:0:0:0 | __float128 | 16 |
| file://:0:0:0:0 | __fp16 | 2 |
| file://:0:0:0:0 | __int128 | 16 |
| file://:0:0:0:0 | __mfp8 | 1 |
| file://:0:0:0:0 | __va_list_tag | 24 |
| file://:0:0:0:0 | __va_list_tag & | 8 |
| file://:0:0:0:0 | __va_list_tag && | 8 |


@@ -27,6 +27,7 @@
| file://:0:0:0:0 | __float128 | __float128 |
| file://:0:0:0:0 | __fp16 | __fp16 |
| file://:0:0:0:0 | __int128 | __int128 |
| file://:0:0:0:0 | __mfp8 | __mfp8 |
| file://:0:0:0:0 | __va_list_tag & | __va_list_tag & |
| file://:0:0:0:0 | __va_list_tag && | __va_list_tag && |
| file://:0:0:0:0 | auto | auto |


@@ -26,6 +26,7 @@
| __float128 | Float128Type | | | | |
| __fp16 | BinaryFloatingPointType, RealNumberType | | | | |
| __int128 | Int128Type | | | | |
| __mfp8 | BinaryFloatingPointType, RealNumberType | | | | |
| __va_list_tag | DirectAccessHolder, MetricClass, Struct, StructLikeClass | | | | |
| __va_list_tag & | LValueReferenceType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | __va_list_tag | | |
| __va_list_tag && | PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, RValueReferenceType | | __va_list_tag | | |


@@ -1,3 +1,11 @@
## 1.7.42
No user-facing changes.
## 1.7.41
No user-facing changes.
## 1.7.40
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.41
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.42
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.40
lastReleaseVersion: 1.7.42


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.41-dev
version: 1.7.43-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,11 @@
## 1.7.42
No user-facing changes.
## 1.7.41
No user-facing changes.
## 1.7.40
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.41
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.42
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.40
lastReleaseVersion: 1.7.42


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.41-dev
version: 1.7.43-dev
groups:
- csharp
- solorigate


@@ -11,6 +11,7 @@ ql/csharp/ql/src/Likely Bugs/EqualityCheckOnFloats.ql
ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
ql/csharp/ql/src/Performance/StringConcatenationInLoop.ql
ql/csharp/ql/src/Performance/UseTryGetValue.ql
ql/csharp/ql/src/Useless code/DefaultToString.ql
ql/csharp/ql/src/Useless code/IntGetHashCode.ql


@@ -1,3 +1,13 @@
## 5.1.8
No user-facing changes.
## 5.1.7
### Minor Analysis Improvements
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
## 5.1.6
No user-facing changes.


@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 5.1.7
### Minor Analysis Improvements
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).


@@ -0,0 +1,3 @@
## 5.1.8
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.1.6
lastReleaseVersion: 5.1.8


@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 5.1.7-dev
version: 5.1.9-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@@ -1,3 +1,16 @@
## 1.2.2
No user-facing changes.
## 1.2.1
### Minor Analysis Improvements
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
## 1.2.0
### Query Metadata Changes


@@ -7,6 +7,7 @@
* @id cs/string-concatenation-in-loop
* @tags efficiency
* maintainability
* quality
*/
import csharp


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.


@@ -0,0 +1,8 @@
## 1.2.1
### Minor Analysis Improvements
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.


@@ -0,0 +1,3 @@
## 1.2.2
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.0
lastReleaseVersion: 1.2.2


@@ -1,4 +1,143 @@
- description: Security-and-quality queries for C#
- queries: .
- apply: security-and-quality-selectors.yml
from: codeql/suite-helpers
- include:
kind:
- problem
- path-problem
precision:
- high
- very-high
tags contain:
- security
- include:
kind:
- problem
- path-problem
precision: medium
problem.severity:
- error
- warning
tags contain:
- security
- include:
id:
- cs/asp/response-write
- cs/call-to-gc
- cs/call-to-object-tostring
- cs/call-to-obsolete-method
- cs/call-to-unmanaged-code
- cs/cast-from-abstract-to-concrete-collection
- cs/cast-of-this-to-type-parameter
- cs/catch-nullreferenceexception
- cs/catch-of-all-exceptions
- cs/chained-type-tests
- cs/class-implements-icloneable
- cs/class-missing-equals
- cs/class-name-comparison
- cs/class-name-matches-base-class
- cs/coalesce-of-identical-expressions
- cs/comparison-of-identical-expressions
- cs/complex-block
- cs/complex-condition
- cs/constant-comparison
- cs/constant-condition
- cs/coupled-types
- cs/dereferenced-value-is-always-null
- cs/dereferenced-value-may-be-null
- cs/dispose-not-called-on-throw
- cs/downcast-of-this
- cs/empty-block
- cs/empty-catch-block
- cs/empty-collection
- cs/empty-lock-statement
- cs/equality-on-floats
- cs/equals-on-arrays
- cs/equals-on-unrelated-types
- cs/equals-uses-as
- cs/equals-uses-is
- cs/expose-implementation
- cs/field-masks-base-field
- cs/gethashcode-is-not-defined
- cs/impossible-array-cast
- cs/inconsistent-compareto-and-equals
- cs/inconsistent-equals-and-gethashcode
- cs/inconsistent-lock-sequence
- cs/index-out-of-bounds
- cs/inefficient-containskey
- cs/invalid-dynamic-call
- cs/invalid-string-formatting
- cs/linq/inconsistent-enumeration
- cs/linq/missed-all
- cs/linq/missed-cast
- cs/linq/missed-oftype
- cs/linq/missed-select
- cs/linq/missed-where
- cs/linq/useless-select
- cs/local-not-disposed
- cs/local-shadows-member
- cs/lock-this
- cs/locked-wait
- cs/loss-of-precision
- cs/mishandling-japanese-era
- cs/misleading-indentation
- cs/missed-readonly-modifier
- cs/missed-ternary-operator
- cs/missed-using-statement
- cs/nested-if-statements
- cs/nested-loops-with-same-variable
- cs/non-short-circuit
- cs/null-argument-to-equals
- cs/path-combine
- cs/recursive-equals-call
- cs/recursive-operator-equals-call
- cs/reference-equality-on-valuetypes
- cs/reference-equality-with-object
- cs/rethrown-exception-variable
- cs/self-assignment
- cs/simplifiable-boolean-expression
- cs/static-field-written-by-instance
- cs/string-concatenation-in-loop
- cs/stringbuilder-creation-in-loop
- cs/stringbuilder-initialized-with-character
- cs/test-for-negative-container-size
- cs/too-many-ref-parameters
- cs/type-test-of-this
- cs/unchecked-cast-in-equals
- cs/unmanaged-code
- cs/unsafe-double-checked-lock
- cs/unsafe-sync-on-field
- cs/unsafe-year-construction
- cs/unsynchronized-getter
- cs/unsynchronized-static-access
- cs/unused-collection
- cs/unused-label
- cs/unused-property-value
- cs/useless-assignment-to-local
- cs/useless-cast-to-self
- cs/useless-gethashcode-call
- cs/useless-if-statement
- cs/useless-tostring-call
- cs/useless-type-test
- cs/useless-upcast
- cs/virtual-call-in-constructor
- cs/wrong-compareto-signature
- cs/wrong-equals-signature
- cs/xmldoc/missing-summary
- include:
kind:
- diagnostic
- include:
kind:
- metric
tags contain:
- summary
- exclude:
deprecated: //
- exclude:
query path:
- /^experimental\/.*/
- Metrics/Summaries/FrameworkCoverage.ql
- exclude:
tags contain:
- modeleditor
- modelgenerator
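Review bot: The quality half of this suite is now an explicit, hand-maintained list of query ids (the `- include:` block under `id:`), replacing the former `apply: security-and-quality-selectors.yml` from `codeql/suite-helpers`, while the security half above it stays tag-driven via `tags contain: security`; nothing in the file says so, and the asymmetry matters because a query newly tagged `quality` (this same commit adds that tag to `cs/string-concatenation-in-loop`) is enrolled only because its id was also added here. Suggest a comment at the top of the id list: `# Quality queries are enrolled explicitly by id; add new quality queries to this list (security queries are selected by tag above).` The retained exclusions for `deprecated: //`, the experimental path and `Metrics/Summaries/FrameworkCoverage.ql` still apply to both halves, which is presumably the intent. Whether the old selectors file is removed or still used by other suites is not visible in this hunk, so a stale-copy risk should be checked there.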


@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.2.1-dev
version: 1.2.3-dev
groups:
- csharp
- queries


@@ -0,0 +1,187 @@
.. _codeql-cli-2.21.4:
==========================
CodeQL 2.21.4 (2025-06-02)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.21.4 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE).
CodeQL CLI
----------
Deprecations
~~~~~~~~~~~~
* The :code:`clang_vector_types`, :code:`clang_attributes`, and :code:`flax-vector-conversions` command line options have been removed from the C/C++ extractor. These options were introduced as workarounds to frontend limitations in earlier versions of the extractor and are no longer needed when calling the extractor directly.
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.7.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Added flow model for the :code:`SQLite` and :code:`OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
C#
""
* The precision of the query :code:`cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
* The queries :code:`cs/password-in-configuration`, :code:`cs/hardcoded-credentials` and :code:`cs/hardcoded-connection-string-credentials` have been removed from all query suites.
* The precision of the query :code:`cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant :code:`e1.Equals(e2)` implies :code:`e1.GetHashCode() == e2.GetHashCode()` are taken into account.
* The precision of the query :code:`cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to :code:`System.Text.CompositeFormat.Parse` are now considered a format like method call.
Golang
""""""
* The query :code:`go/hardcoded-credentials` has been removed from all query suites.
Java/Kotlin
"""""""""""
* The query :code:`java/hardcoded-credential-api-call` has been removed from all query suites.
JavaScript/TypeScript
"""""""""""""""""""""
* The queries :code:`js/hardcoded-credentials` and :code:`js/password-in-configuration-file` have been removed from all query suites.
Python
""""""
* The query :code:`py/hardcoded-credentials` has been removed from all query suites.
Ruby
""""
* The query :code:`rb/hardcoded-credentials` has been removed from all query suites.
Swift
"""""
* The queries :code:`swift/hardcoded-key` and :code:`swift/constant-password` have been removed from all query suites.
GitHub Actions
""""""""""""""
* The query :code:`actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions :code:`deploy-pages`, :code:`delete-package-versions`, :code:`ai-inference`. This should lead to better alert messages and better fix suggestions.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* Fixed a problem where :code:`asExpr()` on :code:`DataFlow::Node` would never return :code:`ArrayAggregateLiteral`\ s.
* Fixed a problem where :code:`asExpr()` on :code:`DataFlow::Node` would never return :code:`ClassAggregateLiteral`\ s.
Ruby
""""
* Bug Fixes
* The Ruby printAst.qll library now orders AST nodes slightly differently: child nodes that do not literally appear in the source code, but whose parent nodes do, are assigned a deterministic order based on a combination of source location and logical order within the parent. This fixes the non-deterministic ordering that sometimes occurred depending on evaluation order. The effect may also be visible in downstream uses of the printAst library, such as the AST view in the VSCode extension.
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* Deleted the deprecated :code:`userInputArgument` predicate and its convenience accessor from the :code:`Security.qll`.
* Deleted the deprecated :code:`userInputReturned` predicate and its convenience accessor from the :code:`Security.qll`.
* Deleted the deprecated :code:`userInputReturn` predicate from the :code:`Security.qll`.
* Deleted the deprecated :code:`isUserInput` predicate and its convenience accessor from the :code:`Security.qll`.
* Deleted the deprecated :code:`userInputArgument` predicate from the :code:`SecurityOptions.qll`.
* Deleted the deprecated :code:`userInputReturned` predicate from the :code:`SecurityOptions.qll`.
Swift
"""""
* Deleted the deprecated :code:`parseContent` predicate from the :code:`ExternalFlow.qll`.
* Deleted the deprecated :code:`hasLocationInfo` predicate from the :code:`DataFlowPublic.qll`.
* Deleted the deprecated :code:`SummaryComponent` class from the :code:`FlowSummary.qll`.
* Deleted the deprecated :code:`SummaryComponentStack` class from the :code:`FlowSummary.qll`.
* Deleted the deprecated :code:`SummaryComponent` module from the :code:`FlowSummary.qll`.
* Deleted the deprecated :code:`SummaryComponentStack` module from the :code:`FlowSummary.qll`.
* Deleted the deprecated :code:`RequiredSummaryComponentStack` class from the :code:`FlowSummary.qll`.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
JavaScript/TypeScript
"""""""""""""""""""""
* Improved analysis for :code:`ES6 classes` mixed with :code:`function prototypes`, leading to more accurate call graph resolution.
Python
""""""
* The Python extractor now extracts files in hidden directories by default. If you would like to skip files in hidden directories, add :code:`paths-ignore: ["**/.*/**"]` to your `Code Scanning config <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan>`__. If you would like to skip all hidden files, you can use :code:`paths-ignore: ["**/.*"]`. When using the CodeQL CLI for extraction, specify the configuration (creating the configuration file if necessary) using the :code:`--codescanning-config` option.
Ruby
""""
* Captured variables are currently considered live when the capturing function exits normally. Now they are also considered live when the capturing function exits via an exception.
Swift
"""""
* Updated to allow analysis of Swift 6.1.1.
* :code:`TypeValueExpr` experimental AST leaf is now implemented in the control flow library
Deprecated APIs
~~~~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* The predicate :code:`getValue()` on :code:`SpringRequestMappingMethod` is now deprecated. Use :code:`getAValue()` instead.
* Java now uses the shared :code:`BasicBlock` library. This means that the names of several member predicates have been changed to align with the names used in other languages. The old predicates have been deprecated. The :code:`BasicBlock` class itself no longer extends :code:`ControlFlowNode` - the predicate :code:`getFirstNode` can be used to fix any QL code that somehow relied on this.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added local flow source models for :code:`ReadFile`, :code:`ReadFileEx`, :code:`MapViewOfFile`, :code:`MapViewOfFile2`, :code:`MapViewOfFile3`, :code:`MapViewOfFile3FromApp`, :code:`MapViewOfFileEx`, :code:`MapViewOfFileFromApp`, :code:`MapViewOfFileNuma2`, and :code:`NtReadFile`.
* Added the :code:`pCmdLine` arguments of :code:`WinMain` and :code:`wWinMain` as local flow sources.
* Added source models for :code:`GetCommandLineA`, :code:`GetCommandLineW`, :code:`GetEnvironmentStringsA`, :code:`GetEnvironmentStringsW`, :code:`GetEnvironmentVariableA`, and :code:`GetEnvironmentVariableW`.
* Added summary models for :code:`CommandLineToArgvA` and :code:`CommandLineToArgvW`.
* Added support for :code:`wmain` as part of the ArgvSource model.
Shared Libraries
----------------
Breaking Changes
~~~~~~~~~~~~~~~~
Static Single Assignment (SSA)
""""""""""""""""""""""""""""""
* Adjusted the Guards interface in the SSA data flow integration to distinguish :code:`hasBranchEdge` from :code:`controlsBranchEdge`. Any breakage can be fixed by implementing one with the other as a reasonable fallback solution.


@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.21.4
codeql-cli-2.21.3
codeql-cli-2.21.2
codeql-cli-2.21.1
