hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/main' into approximate-related-location

Browse Source
This commit is contained in:
Jonas Jensen
2025-07-09 10:10:20 +02:00
parent 0d7a842e2f 5722084dd5
commit 5a1246a586
552 changed files with 63571 additions and 20430 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
MODULE.bazel
View File

@@ -37,6 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
RUST_EDITION = "2024"
# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
RUST_VERSION = "1.86.0"
rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
@@ -47,6 +48,29 @@ rust.toolchain(
"x86_64-apple-darwin",
"aarch64-apple-darwin",
],
# generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
sha256s = {
"rustc-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "4438b809ce4a083af31ed17aeeedcc8fc60ccffc0625bef1926620751b6989d7",
"rustc-1.86.0-x86_64-apple-darwin.tar.xz": "42b76253626febb7912541a30d3379f463dec89581aad4cb72c6c04fb5a71dc5",
"rustc-1.86.0-aarch64-apple-darwin.tar.xz": "23b8f52102249a47ab5bc859d54c9a3cb588a3259ba3f00f557d50edeca4fde9",
"rustc-1.86.0-x86_64-pc-windows-msvc.tar.xz": "fdde839fea274529a31e51eb85c6df1782cc8479c9d1bc24e2914d66a0de41ab",
"clippy-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "02aaff2c1407d2da8dba19aa4970dd873e311902b120a66cbcdbe51eb8836edf",
"clippy-1.86.0-x86_64-apple-darwin.tar.xz": "bb85efda7bbffaf124867f5ca36d50932b1e8f533c62ee923438afb32ff8fe9a",
"clippy-1.86.0-aarch64-apple-darwin.tar.xz": "239fa3a604b124f0312f2af08537874a1227dba63385484b468cca62e7c4f2f2",
"clippy-1.86.0-x86_64-pc-windows-msvc.tar.xz": "d00498f47d49219f032e2c5eeebdfc3d32317c0dc3d3fd7125327445bc482cb4",
"cargo-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "c5c1590f7e9246ad9f4f97cfe26ffa92707b52a769726596a9ef81565ebd908b",
"cargo-1.86.0-x86_64-apple-darwin.tar.xz": "af163eb02d1a178044d1b4f2375960efd47130f795f6e33d09e345454bb26f4e",
"cargo-1.86.0-aarch64-apple-darwin.tar.xz": "3cb13873d48c3e1e4cc684d42c245226a11fba52af6b047c3346ed654e7a05c0",
"cargo-1.86.0-x86_64-pc-windows-msvc.tar.xz": "e57a9d89619b5604899bac443e68927bdd371e40f2e03e18950b6ceb3eb67966",
"llvm-tools-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "282145ab7a63c98b625856f44b905b4dc726b497246b824632a5790debe95a78",
"llvm-tools-1.86.0-x86_64-apple-darwin.tar.xz": "b55706e92f7da989207c50c13c7add483a9fedd233bc431b106eca2a8f151ec9",
"llvm-tools-1.86.0-aarch64-apple-darwin.tar.xz": "04d3618c686845853585f036e3211eb9e18f2d290f4610a7a78bdc1fcce1ebd9",
"llvm-tools-1.86.0-x86_64-pc-windows-msvc.tar.xz": "721a17cc8dc219177e4277a3592253934ef08daa1e1b12eda669a67d15fad8dd",
"rust-std-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "67be7184ea388d8ce0feaf7fdea46f1775cfc2970930264343b3089898501d37",
"rust-std-1.86.0-x86_64-apple-darwin.tar.xz": "3b1140d54870a080080e84700143f4a342fbd02a410a319b05d9c02e7dcf44cc",
"rust-std-1.86.0-aarch64-apple-darwin.tar.xz": "0fb121fb3b8fa9027d79ff598500a7e5cd086ddbc3557482ed3fdda00832c61b",
"rust-std-1.86.0-x86_64-pc-windows-msvc.tar.xz": "3d5354b7b9cb950b58bff3fce18a652aa374bb30c8f70caebd3bd0b43cb41a33",
},
versions = [RUST_VERSION],
)
use_repo(rust, "rust_toolchains")

4
actions/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.4.13
No user-facing changes.
## 0.4.12
### Minor Analysis Improvements

3
actions/ql/lib/change-notes/released/0.4.13.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.13
No user-facing changes.

2
actions/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.12
lastReleaseVersion: 0.4.13

2
actions/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.13-dev
version: 0.4.14-dev
library: true
warnOnImplicitThis: true
dependencies:

4
actions/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.6.5
No user-facing changes.
## 0.6.4
No user-facing changes.

3
actions/ql/src/change-notes/released/0.6.5.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.6.5
No user-facing changes.

2
actions/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.4
lastReleaseVersion: 0.6.5

2
actions/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.5-dev
version: 0.6.6-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]

3
cpp/bulk_generation_targets.yml
View File

@@ -2,6 +2,9 @@ language: cpp
strategy: dca
destination: cpp/ql/lib/ext/generated
targets:
- name: glibc
with-sinks: false
with-sources: false
- name: zlib
with-sinks: false
with-sources: false

2423
cpp/downgrades/5340d6d5f428557632b1a50113e406430f29ef7d/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2433
cpp/downgrades/5340d6d5f428557632b1a50113e406430f29ef7d/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/downgrades/5340d6d5f428557632b1a50113e406430f29ef7d/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Uncomment cases in dbscheme
compatibility: full

12
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,15 @@
## 5.3.0
### Deprecated APIs
* The `UnknownDefaultLocation`, `UnknownExprLocation`, and `UnknownStmtLocation` classes have been deprecated. Use `UnknownLocation` instead.
### Minor Analysis Improvements
* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.
* Added support for `__fp16 _Complex` and `__bf16 _Complex` types
* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.
## 5.2.0
### Deprecated APIs

4
cpp/ql/lib/change-notes/2025-06-20-oracle-oci-models.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.

4
cpp/ql/lib/change-notes/2025-06-24-float16 copy.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.

4
cpp/ql/lib/change-notes/2025-06-24-float16.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for `__fp16 _Complex` and `__bf16 _Complex` types

4
cpp/ql/lib/change-notes/2025-06-27-locations.md
View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* The `UnknownDefaultLocation`, `UnknownExprLocation`, and `UnknownStmtLocation` classes have been deprecated. Use `UnknownLocation` instead.

11
cpp/ql/lib/change-notes/released/5.3.0.md Normal file
View File

@@ -0,0 +1,11 @@
## 5.3.0
### Deprecated APIs
* The `UnknownDefaultLocation`, `UnknownExprLocation`, and `UnknownStmtLocation` classes have been deprecated. Use `UnknownLocation` instead.
### Minor Analysis Improvements
* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.
* Added support for `__fp16 _Complex` and `__bf16 _Complex` types
* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.2.0
lastReleaseVersion: 5.3.0

5494
cpp/ql/lib/ext/generated/glibc/glibc.model.yml Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 5.2.1-dev
version: 5.3.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

2
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll
View File

@@ -151,7 +151,7 @@ private module Cached {
)
or
// Similarly for `i++` and `++i` we pretend that the generated
// `StoreInstruction` is contains the result of the expression even though
// `StoreInstruction` contains the result of the expression even though
// this isn't totally aligned with the C/C++ standard.
exists(TranslatedCrementOperation tco |
store = tco.getInstruction(CrementStoreTag()) and

3
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
View File

@@ -4146,7 +4146,8 @@ predicate exprNeedsCopyIfNotLoaded(Expr expr) {
private predicate exprImmediatelyDiscarded(Expr expr) {
exists(ExprStmt s |
s = expr.getParent() and
not exists(StmtExpr se | s = se.getStmt().(BlockStmt).getLastStmt())
not exists(StmtExpr se | s = se.getStmt().(BlockStmt).getLastStmt()) and
not exists(expr.getConversion())
)
or
exists(CommaExpr c | c.getLeftOperand() = expr)

14
cpp/ql/lib/semmlecode.cpp.dbscheme
View File

@@ -217,10 +217,6 @@ diagnostics(
/*- C++ dbscheme -*/
/*
* C++ dbscheme
*/
extractor_version(
string codeql_version: string ref,
string frontend_version: string ref
@@ -286,7 +282,6 @@ macro_argument_expanded(
string text: string ref
);
/*
case @function.kind of
0 = @unknown_function
| 1 = @normal_function
@@ -298,7 +293,6 @@ case @function.kind of
| 7 = @user_defined_literal
| 8 = @deduction_guide
;
*/
functions(
unique int id: @function,
@@ -718,9 +712,8 @@ decltypes(
boolean parentheses_would_change_meaning: boolean ref
);
/*
case @type_operator.kind of
| 0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
| 1 = @underlying_type
| 2 = @bases
| 3 = @direct_bases
@@ -741,7 +734,6 @@ case @type_operator.kind of
| 18 = @remove_volatile
| 19 = @remove_reference
;
*/
type_operators(
unique int id: @type_operator,
@@ -750,9 +742,8 @@ type_operators(
int base_type: @type ref
)
/*
case @usertype.kind of
| 0 = @unknown_usertype
0 = @unknown_usertype
| 1 = @struct
| 2 = @class
| 3 = @union
@@ -772,7 +763,6 @@ case @usertype.kind of
| 17 = @template_union
| 18 = @alias
;
*/
usertypes(
unique int id: @usertype,

1801
cpp/ql/lib/semmlecode.cpp.dbscheme.stats
View File

File diff suppressed because it is too large Load Diff

2433
cpp/ql/lib/upgrades/801b2f03360d78c85f51fbad9b75956fa8d58b00/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2423
cpp/ql/lib/upgrades/801b2f03360d78c85f51fbad9b75956fa8d58b00/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/lib/upgrades/801b2f03360d78c85f51fbad9b75956fa8d58b00/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Uncomment cases in dbscheme
compatibility: full

9
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,12 @@
## 1.4.4
### Minor Analysis Improvements
* Added flow models for the Win32 API functions `CreateThread`, `CreateRemoteThread`, and `CreateRemoteThreadEx`.
* Added flow models for the GNU C Library.
* Fixed a number of false positives and false negatives in `cpp/global-use-before-init`. Note that this query is not part of any of the default query suites.
* The query `cpp/sql-injection` now can be extended using the `sql-injection` Models as Data (MaD) sink kind.
## 1.4.3
### Minor Analysis Improvements

4
cpp/ql/src/change-notes/2025-06-20-sql-injection-models.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The query `cpp/sql-injection` now can be extended using the `sql-injection` Models as Data (MaD) sink kind.

4
cpp/ql/src/change-notes/2025-07-01-global-vars-ubi-query-fixes.md.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed a number of false positives and false negatives in `cpp/global-use-before-init`. Note that this query is not part of any of the default query suites.

4
cpp/ql/src/change-notes/2025-07-12-create-thread.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added flow models for the Win32 API functions `CreateThread`, `CreateRemoteThread`, and `CreateRemoteThreadEx`.

8
cpp/ql/src/change-notes/released/1.4.4.md Normal file
View File

@@ -0,0 +1,8 @@
## 1.4.4
### Minor Analysis Improvements
* Added flow models for the Win32 API functions `CreateThread`, `CreateRemoteThread`, and `CreateRemoteThreadEx`.
* Added flow models for the GNU C Library.
* Fixed a number of false positives and false negatives in `cpp/global-use-before-init`. Note that this query is not part of any of the default query suites.
* The query `cpp/sql-injection` now can be extended using the `sql-injection` Models as Data (MaD) sink kind.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.3
lastReleaseVersion: 1.4.4

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.4.4-dev
version: 1.4.5-dev
groups:
- cpp
- queries

19
cpp/ql/test/library-tests/dataflow/asExpr/test.cpp
View File

@@ -37,4 +37,21 @@ void test_aggregate_literal() {
int xs[] = {1, 2, 3}; // $ asExpr=1 asExpr=2 asExpr=3 asExpr={...}
const int ys[] = {[0] = 4, [1] = 5, [0] = 6}; // $ asExpr=4 asExpr=5 asExpr=6 asExpr={...}
}
}
void test_postfix_crement(int *p, int q) {
p++; // $ asExpr="... ++" asIndirectExpr="... ++" asExpr=p asIndirectExpr=p
q++; // $ asExpr="... ++" asExpr=q
(p++); // $ asExpr="... ++" asIndirectExpr="... ++" asExpr="p(... ++)" asIndirectExpr="p(*... ++)"
(q++); // $ asExpr="... ++" asExpr="q(... ++)"
(void)(p++); // $ asExpr="p(... ++)" asIndirectExpr="p(*... ++)"
(void)(q++); // $ asExpr="q(... ++)"
(void)p++; // $ asExpr="p(... ++)" asIndirectExpr="p(*... ++)"
(void)q++; // $ asExpr="q(... ++)"
int *p1 = p++; // $ asExpr="... ++" asIndirectExpr="... ++" asExpr="p(... ++)" asIndirectExpr="p(*... ++)"
int q1 = q++; // $ asExpr="... ++" asExpr="q(... ++)"
(int*)(p++); // $ asExpr="... ++" asIndirectExpr="... ++" asExpr="p(... ++)" asIndirectExpr="p(*... ++)"
(int)(q++); // $ asExpr="... ++" asExpr="q(... ++)"
int *p2 = (int*)(p++); // $ asExpr="... ++" asIndirectExpr="... ++" asExpr="p(... ++)" asIndirectExpr="p(*... ++)"
int q2 = (int)(q++); // $ asExpr="... ++" asExpr="q(... ++)"
}

918
cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected
View File

File diff suppressed because it is too large Load Diff

11529
cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
View File

File diff suppressed because it is too large Load Diff

174
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

@@ -24262,6 +24262,180 @@ ir.cpp:
# 2725| getExpr().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
# 2725| Type = [PlainCharType] char
# 2725| ValueCategory = prvalue(load)
# 2728| [TopLevelFunction] void test_postfix_crement(int*, int)
# 2728| <params>:
# 2728| getParameter(0): [Parameter] p
# 2728| Type = [IntPointerType] int *
# 2728| getParameter(1): [Parameter] q
# 2728| Type = [IntType] int
# 2728| getEntryPoint(): [BlockStmt] { ... }
# 2729| getStmt(0): [ExprStmt] ExprStmt
# 2729| getExpr(): [PostfixIncrExpr] ... ++
# 2729| Type = [IntPointerType] int *
# 2729| ValueCategory = prvalue
# 2729| getOperand(): [VariableAccess] p
# 2729| Type = [IntPointerType] int *
# 2729| ValueCategory = lvalue
# 2730| getStmt(1): [ExprStmt] ExprStmt
# 2730| getExpr(): [PostfixIncrExpr] ... ++
# 2730| Type = [IntType] int
# 2730| ValueCategory = prvalue
# 2730| getOperand(): [VariableAccess] q
# 2730| Type = [IntType] int
# 2730| ValueCategory = lvalue
# 2731| getStmt(2): [ExprStmt] ExprStmt
# 2731| getExpr(): [PostfixIncrExpr] ... ++
# 2731| Type = [IntPointerType] int *
# 2731| ValueCategory = prvalue
# 2731| getOperand(): [VariableAccess] p
# 2731| Type = [IntPointerType] int *
# 2731| ValueCategory = lvalue
# 2731| getExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 2731| Type = [IntPointerType] int *
# 2731| ValueCategory = prvalue
# 2732| getStmt(3): [ExprStmt] ExprStmt
# 2732| getExpr(): [PostfixIncrExpr] ... ++
# 2732| Type = [IntType] int
# 2732| ValueCategory = prvalue
# 2732| getOperand(): [VariableAccess] q
# 2732| Type = [IntType] int
# 2732| ValueCategory = lvalue
# 2732| getExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 2732| Type = [IntType] int
# 2732| ValueCategory = prvalue
# 2733| getStmt(4): [ExprStmt] ExprStmt
# 2733| getExpr(): [PostfixIncrExpr] ... ++
# 2733| Type = [IntPointerType] int *
# 2733| ValueCategory = prvalue
# 2733| getOperand(): [VariableAccess] p
# 2733| Type = [IntPointerType] int *
# 2733| ValueCategory = lvalue
# 2733| getExpr().getFullyConverted(): [CStyleCast] (void)...
# 2733| Conversion = [VoidConversion] conversion to void
# 2733| Type = [VoidType] void
# 2733| ValueCategory = prvalue
# 2733| getExpr(): [ParenthesisExpr] (...)
# 2733| Type = [IntPointerType] int *
# 2733| ValueCategory = prvalue
# 2734| getStmt(5): [ExprStmt] ExprStmt
# 2734| getExpr(): [PostfixIncrExpr] ... ++
# 2734| Type = [IntType] int
# 2734| ValueCategory = prvalue
# 2734| getOperand(): [VariableAccess] q
# 2734| Type = [IntType] int
# 2734| ValueCategory = lvalue
# 2734| getExpr().getFullyConverted(): [CStyleCast] (void)...
# 2734| Conversion = [VoidConversion] conversion to void
# 2734| Type = [VoidType] void
# 2734| ValueCategory = prvalue
# 2734| getExpr(): [ParenthesisExpr] (...)
# 2734| Type = [IntType] int
# 2734| ValueCategory = prvalue
# 2735| getStmt(6): [ExprStmt] ExprStmt
# 2735| getExpr(): [PostfixIncrExpr] ... ++
# 2735| Type = [IntPointerType] int *
# 2735| ValueCategory = prvalue
# 2735| getOperand(): [VariableAccess] p
# 2735| Type = [IntPointerType] int *
# 2735| ValueCategory = lvalue
# 2735| getExpr().getFullyConverted(): [CStyleCast] (void)...
# 2735| Conversion = [VoidConversion] conversion to void
# 2735| Type = [VoidType] void
# 2735| ValueCategory = prvalue
# 2736| getStmt(7): [ExprStmt] ExprStmt
# 2736| getExpr(): [PostfixIncrExpr] ... ++
# 2736| Type = [IntType] int
# 2736| ValueCategory = prvalue
# 2736| getOperand(): [VariableAccess] q
# 2736| Type = [IntType] int
# 2736| ValueCategory = lvalue
# 2736| getExpr().getFullyConverted(): [CStyleCast] (void)...
# 2736| Conversion = [VoidConversion] conversion to void
# 2736| Type = [VoidType] void
# 2736| ValueCategory = prvalue
# 2737| getStmt(8): [DeclStmt] declaration
# 2737| getDeclarationEntry(0): [VariableDeclarationEntry] definition of p1
# 2737| Type = [IntPointerType] int *
# 2737| getVariable().getInitializer(): [Initializer] initializer for p1
# 2737| getExpr(): [PostfixIncrExpr] ... ++
# 2737| Type = [IntPointerType] int *
# 2737| ValueCategory = prvalue
# 2737| getOperand(): [VariableAccess] p
# 2737| Type = [IntPointerType] int *
# 2737| ValueCategory = lvalue
# 2738| getStmt(9): [DeclStmt] declaration
# 2738| getDeclarationEntry(0): [VariableDeclarationEntry] definition of q1
# 2738| Type = [IntType] int
# 2738| getVariable().getInitializer(): [Initializer] initializer for q1
# 2738| getExpr(): [PostfixIncrExpr] ... ++
# 2738| Type = [IntType] int
# 2738| ValueCategory = prvalue
# 2738| getOperand(): [VariableAccess] q
# 2738| Type = [IntType] int
# 2738| ValueCategory = lvalue
# 2739| getStmt(10): [ExprStmt] ExprStmt
# 2739| getExpr(): [PostfixIncrExpr] ... ++
# 2739| Type = [IntPointerType] int *
# 2739| ValueCategory = prvalue
# 2739| getOperand(): [VariableAccess] p
# 2739| Type = [IntPointerType] int *
# 2739| ValueCategory = lvalue
# 2739| getExpr().getFullyConverted(): [CStyleCast] (int *)...
# 2739| Conversion = [PointerConversion] pointer conversion
# 2739| Type = [IntPointerType] int *
# 2739| ValueCategory = prvalue
# 2739| getExpr(): [ParenthesisExpr] (...)
# 2739| Type = [IntPointerType] int *
# 2739| ValueCategory = prvalue
# 2740| getStmt(11): [ExprStmt] ExprStmt
# 2740| getExpr(): [PostfixIncrExpr] ... ++
# 2740| Type = [IntType] int
# 2740| ValueCategory = prvalue
# 2740| getOperand(): [VariableAccess] q
# 2740| Type = [IntType] int
# 2740| ValueCategory = lvalue
# 2740| getExpr().getFullyConverted(): [CStyleCast] (int)...
# 2740| Conversion = [IntegralConversion] integral conversion
# 2740| Type = [IntType] int
# 2740| ValueCategory = prvalue
# 2740| getExpr(): [ParenthesisExpr] (...)
# 2740| Type = [IntType] int
# 2740| ValueCategory = prvalue
# 2741| getStmt(12): [DeclStmt] declaration
# 2741| getDeclarationEntry(0): [VariableDeclarationEntry] definition of p2
# 2741| Type = [IntPointerType] int *
# 2741| getVariable().getInitializer(): [Initializer] initializer for p2
# 2741| getExpr(): [PostfixIncrExpr] ... ++
# 2741| Type = [IntPointerType] int *
# 2741| ValueCategory = prvalue
# 2741| getOperand(): [VariableAccess] p
# 2741| Type = [IntPointerType] int *
# 2741| ValueCategory = lvalue
# 2741| getExpr().getFullyConverted(): [CStyleCast] (int *)...
# 2741| Conversion = [PointerConversion] pointer conversion
# 2741| Type = [IntPointerType] int *
# 2741| ValueCategory = prvalue
# 2741| getExpr(): [ParenthesisExpr] (...)
# 2741| Type = [IntPointerType] int *
# 2741| ValueCategory = prvalue
# 2742| getStmt(13): [DeclStmt] declaration
# 2742| getDeclarationEntry(0): [VariableDeclarationEntry] definition of q2
# 2742| Type = [IntType] int
# 2742| getVariable().getInitializer(): [Initializer] initializer for q2
# 2742| getExpr(): [PostfixIncrExpr] ... ++
# 2742| Type = [IntType] int
# 2742| ValueCategory = prvalue
# 2742| getOperand(): [VariableAccess] q
# 2742| Type = [IntType] int
# 2742| ValueCategory = lvalue
# 2742| getExpr().getFullyConverted(): [CStyleCast] (int)...
# 2742| Conversion = [IntegralConversion] integral conversion
# 2742| Type = [IntType] int
# 2742| ValueCategory = prvalue
# 2742| getExpr(): [ParenthesisExpr] (...)
# 2742| Type = [IntType] int
# 2742| ValueCategory = prvalue
# 2743| getStmt(14): [ReturnStmt] return ...
ir23.cpp:
# 1| [TopLevelFunction] bool consteval_1()
# 1| <params>:

117
cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
View File

@@ -20156,6 +20156,123 @@ ir.cpp:
# 2724| v2724_12(void) = AliasedUse : ~m2725_8
# 2724| v2724_13(void) = ExitFunction :
# 2728| void test_postfix_crement(int*, int)
# 2728| Block 0
# 2728| v2728_1(void) = EnterFunction :
# 2728| m2728_2(unknown) = AliasedDefinition :
# 2728| m2728_3(unknown) = InitializeNonLocal :
# 2728| m2728_4(unknown) = Chi : total:m2728_2, partial:m2728_3
# 2728| r2728_5(glval<int *>) = VariableAddress[p] :
# 2728| m2728_6(int *) = InitializeParameter[p] : &:r2728_5
# 2728| r2728_7(int *) = Load[p] : &:r2728_5, m2728_6
# 2728| m2728_8(unknown) = InitializeIndirection[p] : &:r2728_7
# 2728| m2728_9(unknown) = Chi : total:m2728_4, partial:m2728_8
# 2728| r2728_10(glval<int>) = VariableAddress[q] :
# 2728| m2728_11(int) = InitializeParameter[q] : &:r2728_10
# 2729| r2729_1(glval<int *>) = VariableAddress[p] :
# 2729| r2729_2(int *) = Load[p] : &:r2729_1, m2728_6
# 2729| r2729_3(int) = Constant[1] :
# 2729| r2729_4(int *) = PointerAdd[4] : r2729_2, r2729_3
# 2729| m2729_5(int *) = Store[p] : &:r2729_1, r2729_4
# 2730| r2730_1(glval<int>) = VariableAddress[q] :
# 2730| r2730_2(int) = Load[q] : &:r2730_1, m2728_11
# 2730| r2730_3(int) = Constant[1] :
# 2730| r2730_4(int) = Add : r2730_2, r2730_3
# 2730| m2730_5(int) = Store[q] : &:r2730_1, r2730_4
# 2731| r2731_1(glval<int *>) = VariableAddress[p] :
# 2731| r2731_2(int *) = Load[p] : &:r2731_1, m2729_5
# 2731| r2731_3(int) = Constant[1] :
# 2731| r2731_4(int *) = PointerAdd[4] : r2731_2, r2731_3
# 2731| m2731_5(int *) = Store[p] : &:r2731_1, r2731_4
# 2731| r2731_6(int *) = CopyValue : r2731_2
# 2732| r2732_1(glval<int>) = VariableAddress[q] :
# 2732| r2732_2(int) = Load[q] : &:r2732_1, m2730_5
# 2732| r2732_3(int) = Constant[1] :
# 2732| r2732_4(int) = Add : r2732_2, r2732_3
# 2732| m2732_5(int) = Store[q] : &:r2732_1, r2732_4
# 2732| r2732_6(int) = CopyValue : r2732_2
# 2733| r2733_1(glval<int *>) = VariableAddress[p] :
# 2733| r2733_2(int *) = Load[p] : &:r2733_1, m2731_5
# 2733| r2733_3(int) = Constant[1] :
# 2733| r2733_4(int *) = PointerAdd[4] : r2733_2, r2733_3
# 2733| m2733_5(int *) = Store[p] : &:r2733_1, r2733_4
# 2733| r2733_6(int *) = CopyValue : r2733_2
# 2733| v2733_7(void) = Convert : r2733_6
# 2734| r2734_1(glval<int>) = VariableAddress[q] :
# 2734| r2734_2(int) = Load[q] : &:r2734_1, m2732_5
# 2734| r2734_3(int) = Constant[1] :
# 2734| r2734_4(int) = Add : r2734_2, r2734_3
# 2734| m2734_5(int) = Store[q] : &:r2734_1, r2734_4
# 2734| r2734_6(int) = CopyValue : r2734_2
# 2734| v2734_7(void) = Convert : r2734_6
# 2735| r2735_1(glval<int *>) = VariableAddress[p] :
# 2735| r2735_2(int *) = Load[p] : &:r2735_1, m2733_5
# 2735| r2735_3(int) = Constant[1] :
# 2735| r2735_4(int *) = PointerAdd[4] : r2735_2, r2735_3
# 2735| m2735_5(int *) = Store[p] : &:r2735_1, r2735_4
# 2735| r2735_6(int *) = CopyValue : r2735_2
# 2735| v2735_7(void) = Convert : r2735_6
# 2736| r2736_1(glval<int>) = VariableAddress[q] :
# 2736| r2736_2(int) = Load[q] : &:r2736_1, m2734_5
# 2736| r2736_3(int) = Constant[1] :
# 2736| r2736_4(int) = Add : r2736_2, r2736_3
# 2736| m2736_5(int) = Store[q] : &:r2736_1, r2736_4
# 2736| r2736_6(int) = CopyValue : r2736_2
# 2736| v2736_7(void) = Convert : r2736_6
# 2737| r2737_1(glval<int *>) = VariableAddress[p1] :
# 2737| r2737_2(glval<int *>) = VariableAddress[p] :
# 2737| r2737_3(int *) = Load[p] : &:r2737_2, m2735_5
# 2737| r2737_4(int) = Constant[1] :
# 2737| r2737_5(int *) = PointerAdd[4] : r2737_3, r2737_4
# 2737| m2737_6(int *) = Store[p] : &:r2737_2, r2737_5
# 2737| r2737_7(int *) = CopyValue : r2737_3
# 2737| m2737_8(int *) = Store[p1] : &:r2737_1, r2737_7
# 2738| r2738_1(glval<int>) = VariableAddress[q1] :
# 2738| r2738_2(glval<int>) = VariableAddress[q] :
# 2738| r2738_3(int) = Load[q] : &:r2738_2, m2736_5
# 2738| r2738_4(int) = Constant[1] :
# 2738| r2738_5(int) = Add : r2738_3, r2738_4
# 2738| m2738_6(int) = Store[q] : &:r2738_2, r2738_5
# 2738| r2738_7(int) = CopyValue : r2738_3
# 2738| m2738_8(int) = Store[q1] : &:r2738_1, r2738_7
# 2739| r2739_1(glval<int *>) = VariableAddress[p] :
# 2739| r2739_2(int *) = Load[p] : &:r2739_1, m2737_6
# 2739| r2739_3(int) = Constant[1] :
# 2739| r2739_4(int *) = PointerAdd[4] : r2739_2, r2739_3
# 2739| m2739_5(int *) = Store[p] : &:r2739_1, r2739_4
# 2739| r2739_6(int *) = CopyValue : r2739_2
# 2739| r2739_7(int *) = Convert : r2739_6
# 2740| r2740_1(glval<int>) = VariableAddress[q] :
# 2740| r2740_2(int) = Load[q] : &:r2740_1, m2738_6
# 2740| r2740_3(int) = Constant[1] :
# 2740| r2740_4(int) = Add : r2740_2, r2740_3
# 2740| m2740_5(int) = Store[q] : &:r2740_1, r2740_4
# 2740| r2740_6(int) = CopyValue : r2740_2
# 2740| r2740_7(int) = Convert : r2740_6
# 2741| r2741_1(glval<int *>) = VariableAddress[p2] :
# 2741| r2741_2(glval<int *>) = VariableAddress[p] :
# 2741| r2741_3(int *) = Load[p] : &:r2741_2, m2739_5
# 2741| r2741_4(int) = Constant[1] :
# 2741| r2741_5(int *) = PointerAdd[4] : r2741_3, r2741_4
# 2741| m2741_6(int *) = Store[p] : &:r2741_2, r2741_5
# 2741| r2741_7(int *) = CopyValue : r2741_3
# 2741| r2741_8(int *) = Convert : r2741_7
# 2741| m2741_9(int *) = Store[p2] : &:r2741_1, r2741_8
# 2742| r2742_1(glval<int>) = VariableAddress[q2] :
# 2742| r2742_2(glval<int>) = VariableAddress[q] :
# 2742| r2742_3(int) = Load[q] : &:r2742_2, m2740_5
# 2742| r2742_4(int) = Constant[1] :
# 2742| r2742_5(int) = Add : r2742_3, r2742_4
# 2742| m2742_6(int) = Store[q] : &:r2742_2, r2742_5
# 2742| r2742_7(int) = CopyValue : r2742_3
# 2742| r2742_8(int) = Convert : r2742_7
# 2742| m2742_9(int) = Store[q2] : &:r2742_1, r2742_8
# 2743| v2743_1(void) = NoOp :
# 2728| v2728_12(void) = ReturnIndirection[p] : &:r2728_7, m2728_8
# 2728| v2728_13(void) = ReturnVoid :
# 2728| v2728_14(void) = AliasedUse : ~m2728_9
# 2728| v2728_15(void) = ExitFunction :
ir23.cpp:
# 1| bool consteval_1()
# 1| Block 0

17
cpp/ql/test/library-tests/ir/ir/ir.cpp
View File

@@ -2725,4 +2725,21 @@ char UseBracketOperator(const WithBracketOperator x, int i) {
return x[i];
}
void test_postfix_crement(int *p, int q) {
p++;
q++;
(p++);
(q++);
(void)(p++);
(void)(q++);
(void)p++;
(void)q++;
int *p1 = p++;
int q1 = q++;
(int*)(p++);
(int)(q++);
int *p2 = (int*)(p++);
int q2 = (int)(q++);
}
// semmle-extractor-options: -std=c++20 --clang

115
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

@@ -18317,6 +18317,121 @@ ir.cpp:
# 2724| v2724_10(void) = AliasedUse : ~m?
# 2724| v2724_11(void) = ExitFunction :
# 2728| void test_postfix_crement(int*, int)
# 2728| Block 0
# 2728| v2728_1(void) = EnterFunction :
# 2728| mu2728_2(unknown) = AliasedDefinition :
# 2728| mu2728_3(unknown) = InitializeNonLocal :
# 2728| r2728_4(glval<int *>) = VariableAddress[p] :
# 2728| mu2728_5(int *) = InitializeParameter[p] : &:r2728_4
# 2728| r2728_6(int *) = Load[p] : &:r2728_4, ~m?
# 2728| mu2728_7(unknown) = InitializeIndirection[p] : &:r2728_6
# 2728| r2728_8(glval<int>) = VariableAddress[q] :
# 2728| mu2728_9(int) = InitializeParameter[q] : &:r2728_8
# 2729| r2729_1(glval<int *>) = VariableAddress[p] :
# 2729| r2729_2(int *) = Load[p] : &:r2729_1, ~m?
# 2729| r2729_3(int) = Constant[1] :
# 2729| r2729_4(int *) = PointerAdd[4] : r2729_2, r2729_3
# 2729| mu2729_5(int *) = Store[p] : &:r2729_1, r2729_4
# 2730| r2730_1(glval<int>) = VariableAddress[q] :
# 2730| r2730_2(int) = Load[q] : &:r2730_1, ~m?
# 2730| r2730_3(int) = Constant[1] :
# 2730| r2730_4(int) = Add : r2730_2, r2730_3
# 2730| mu2730_5(int) = Store[q] : &:r2730_1, r2730_4
# 2731| r2731_1(glval<int *>) = VariableAddress[p] :
# 2731| r2731_2(int *) = Load[p] : &:r2731_1, ~m?
# 2731| r2731_3(int) = Constant[1] :
# 2731| r2731_4(int *) = PointerAdd[4] : r2731_2, r2731_3
# 2731| mu2731_5(int *) = Store[p] : &:r2731_1, r2731_4
# 2731| r2731_6(int *) = CopyValue : r2731_2
# 2732| r2732_1(glval<int>) = VariableAddress[q] :
# 2732| r2732_2(int) = Load[q] : &:r2732_1, ~m?
# 2732| r2732_3(int) = Constant[1] :
# 2732| r2732_4(int) = Add : r2732_2, r2732_3
# 2732| mu2732_5(int) = Store[q] : &:r2732_1, r2732_4
# 2732| r2732_6(int) = CopyValue : r2732_2
# 2733| r2733_1(glval<int *>) = VariableAddress[p] :
# 2733| r2733_2(int *) = Load[p] : &:r2733_1, ~m?
# 2733| r2733_3(int) = Constant[1] :
# 2733| r2733_4(int *) = PointerAdd[4] : r2733_2, r2733_3
# 2733| mu2733_5(int *) = Store[p] : &:r2733_1, r2733_4
# 2733| r2733_6(int *) = CopyValue : r2733_2
# 2733| v2733_7(void) = Convert : r2733_6
# 2734| r2734_1(glval<int>) = VariableAddress[q] :
# 2734| r2734_2(int) = Load[q] : &:r2734_1, ~m?
# 2734| r2734_3(int) = Constant[1] :
# 2734| r2734_4(int) = Add : r2734_2, r2734_3
# 2734| mu2734_5(int) = Store[q] : &:r2734_1, r2734_4
# 2734| r2734_6(int) = CopyValue : r2734_2
# 2734| v2734_7(void) = Convert : r2734_6
# 2735| r2735_1(glval<int *>) = VariableAddress[p] :
# 2735| r2735_2(int *) = Load[p] : &:r2735_1, ~m?
# 2735| r2735_3(int) = Constant[1] :
# 2735| r2735_4(int *) = PointerAdd[4] : r2735_2, r2735_3
# 2735| mu2735_5(int *) = Store[p] : &:r2735_1, r2735_4
# 2735| r2735_6(int *) = CopyValue : r2735_2
# 2735| v2735_7(void) = Convert : r2735_6
# 2736| r2736_1(glval<int>) = VariableAddress[q] :
# 2736| r2736_2(int) = Load[q] : &:r2736_1, ~m?
# 2736| r2736_3(int) = Constant[1] :
# 2736| r2736_4(int) = Add : r2736_2, r2736_3
# 2736| mu2736_5(int) = Store[q] : &:r2736_1, r2736_4
# 2736| r2736_6(int) = CopyValue : r2736_2
# 2736| v2736_7(void) = Convert : r2736_6
# 2737| r2737_1(glval<int *>) = VariableAddress[p1] :
# 2737| r2737_2(glval<int *>) = VariableAddress[p] :
# 2737| r2737_3(int *) = Load[p] : &:r2737_2, ~m?
# 2737| r2737_4(int) = Constant[1] :
# 2737| r2737_5(int *) = PointerAdd[4] : r2737_3, r2737_4
# 2737| mu2737_6(int *) = Store[p] : &:r2737_2, r2737_5
# 2737| r2737_7(int *) = CopyValue : r2737_3
# 2737| mu2737_8(int *) = Store[p1] : &:r2737_1, r2737_7
# 2738| r2738_1(glval<int>) = VariableAddress[q1] :
# 2738| r2738_2(glval<int>) = VariableAddress[q] :
# 2738| r2738_3(int) = Load[q] : &:r2738_2, ~m?
# 2738| r2738_4(int) = Constant[1] :
# 2738| r2738_5(int) = Add : r2738_3, r2738_4
# 2738| mu2738_6(int) = Store[q] : &:r2738_2, r2738_5
# 2738| r2738_7(int) = CopyValue : r2738_3
# 2738| mu2738_8(int) = Store[q1] : &:r2738_1, r2738_7
# 2739| r2739_1(glval<int *>) = VariableAddress[p] :
# 2739| r2739_2(int *) = Load[p] : &:r2739_1, ~m?
# 2739| r2739_3(int) = Constant[1] :
# 2739| r2739_4(int *) = PointerAdd[4] : r2739_2, r2739_3
# 2739| mu2739_5(int *) = Store[p] : &:r2739_1, r2739_4
# 2739| r2739_6(int *) = CopyValue : r2739_2
# 2739| r2739_7(int *) = Convert : r2739_6
# 2740| r2740_1(glval<int>) = VariableAddress[q] :
# 2740| r2740_2(int) = Load[q] : &:r2740_1, ~m?
# 2740| r2740_3(int) = Constant[1] :
# 2740| r2740_4(int) = Add : r2740_2, r2740_3
# 2740| mu2740_5(int) = Store[q] : &:r2740_1, r2740_4
# 2740| r2740_6(int) = CopyValue : r2740_2
# 2740| r2740_7(int) = Convert : r2740_6
# 2741| r2741_1(glval<int *>) = VariableAddress[p2] :
# 2741| r2741_2(glval<int *>) = VariableAddress[p] :
# 2741| r2741_3(int *) = Load[p] : &:r2741_2, ~m?
# 2741| r2741_4(int) = Constant[1] :
# 2741| r2741_5(int *) = PointerAdd[4] : r2741_3, r2741_4
# 2741| mu2741_6(int *) = Store[p] : &:r2741_2, r2741_5
# 2741| r2741_7(int *) = CopyValue : r2741_3
# 2741| r2741_8(int *) = Convert : r2741_7
# 2741| mu2741_9(int *) = Store[p2] : &:r2741_1, r2741_8
# 2742| r2742_1(glval<int>) = VariableAddress[q2] :
# 2742| r2742_2(glval<int>) = VariableAddress[q] :
# 2742| r2742_3(int) = Load[q] : &:r2742_2, ~m?
# 2742| r2742_4(int) = Constant[1] :
# 2742| r2742_5(int) = Add : r2742_3, r2742_4
# 2742| mu2742_6(int) = Store[q] : &:r2742_2, r2742_5
# 2742| r2742_7(int) = CopyValue : r2742_3
# 2742| r2742_8(int) = Convert : r2742_7
# 2742| mu2742_9(int) = Store[q2] : &:r2742_1, r2742_8
# 2743| v2743_1(void) = NoOp :
# 2728| v2728_10(void) = ReturnIndirection[p] : &:r2728_6, ~m?
# 2728| v2728_11(void) = ReturnVoid :
# 2728| v2728_12(void) = AliasedUse : ~m?
# 2728| v2728_13(void) = ExitFunction :
ir23.cpp:
# 1| bool consteval_1()
# 1| Block 0

4
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.7.44
No user-facing changes.
## 1.7.43
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.44.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.44
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.43
lastReleaseVersion: 1.7.44

2
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.44-dev
version: 1.7.45-dev
groups:
- csharp
- solorigate

4
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.7.44
No user-facing changes.
## 1.7.43
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.44.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.44
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.43
lastReleaseVersion: 1.7.44

2
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.44-dev
version: 1.7.45-dev
groups:
- csharp
- solorigate

4
csharp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 5.1.10
No user-facing changes.
## 5.1.9
No user-facing changes.

3
csharp/ql/lib/change-notes/released/5.1.10.md Normal file
View File

@@ -0,0 +1,3 @@
## 5.1.10
No user-facing changes.

2
csharp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.1.9
lastReleaseVersion: 5.1.10

2
csharp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 5.1.10-dev
version: 5.1.11-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

6
csharp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 1.3.1
### Minor Analysis Improvements
* Added explicit SQL injection Models as Data models for `Microsoft.Data.SqlClient.SqlCommand` and `Microsoft.Data.SqlClient.SqlDataAdapter`. This reduces false negatives for the query `cs/sql-injection`.
## 1.3.0
### Query Metadata Changes

7
csharp/ql/src/change-notes/2025-06-25-sqlcommand-models.md → csharp/ql/src/change-notes/released/1.3.1.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.3.1
### Minor Analysis Improvements
* Added explicit SQL injection Models as Data models for `Microsoft.Data.SqlClient.SqlCommand` and `Microsoft.Data.SqlClient.SqlDataAdapter`. This reduces false negatives for the query `cs/sql-injection`.

2
csharp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.3.0
lastReleaseVersion: 1.3.1

2
csharp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.3.1-dev
version: 1.3.2-dev
groups:
- csharp
- queries

202
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.1.rst Normal file
View File

@@ -0,0 +1,202 @@
.. _codeql-cli-2.22.1:
==========================
CodeQL 2.22.1 (2025-06-26)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.22.1 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 129 queries (covering 33 more CWE).
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* Rust language support is now in public preview.
Miscellaneous
~~~~~~~~~~~~~
* The version of :code:`jgit` used by the CodeQL CLI has been updated to :code:`6.10.1.202505221210-r`.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Added flow model for the following libraries: :code:`madler/zlib`, :code:`google/brotli`, :code:`libidn/libidn2`, :code:`libssh2/libssh2/`, :code:`nghttp2/nghttp2`, :code:`libuv/libuv/`, and :code:`curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
C#
""
* The queries :code:`cs/dereferenced-value-is-always-null` and :code:`cs/dereferenced-value-may-be-null` have been improved to reduce false positives. The queries no longer assume that expressions are dereferenced when passed as the receiver (:code:`this` parameter) to extension methods where that parameter is a nullable type.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/loop-iteration-skipped-due-to-shifting` query now has the :code:`reliability` tag.
* Fixed false positives in the :code:`js/loop-iteration-skipped-due-to-shifting` query when the return value of :code:`splice` is used to decide whether to adjust the loop counter.
* Fixed false positives in the :code:`js/template-syntax-in-string-literal` query where template syntax in string concatenation and "manual string interpolation" patterns were incorrectly flagged.
* The :code:`js/useless-expression` query now correctly flags only the innermost expressions with no effect, avoiding duplicate alerts on compound expressions.
Python
""""""
* The :code:`py/iter-returns-non-self` query has been modernized, and no longer alerts for certain cases where an equivalent iterator is returned.
New Queries
~~~~~~~~~~~
Rust
""""
* Initial public preview release.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Query metadata tags have been systematically updated for many C# queries. Primary categorization as either :code:`reliability` or :code:`maintainability`, and relevant sub-category tags such as :code:`readability`, :code:`useless-code`, :code:`complexity`, :code:`performance`, :code:`correctness`, :code:`error-handling`, and :code:`concurrency`. Aligns with the established `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__.
* Adjusts the :code:`@security-severity` from 9.3 to 7.3 for :code:`cs/uncontrolled-format-string` to align :code:`CWE-134` severity for memory safe languages to better reflect their impact.
Golang
""""""
* The tag :code:`quality` has been added to multiple Go quality queries for consistency. They have all been given a tag for one of the two top-level categories :code:`reliability` or :code:`maintainability`, and a tag for a sub-category. See `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__ for more information about these categories.
* The tag :code:`external/cwe/cwe-129` has been added to :code:`go/constant-length-comparison`.
* The tag :code:`external/cwe/cwe-193` has been added to :code:`go/index-out-of-bounds`.
* The tag :code:`external/cwe/cwe-197` has been added to :code:`go/shift-out-of-range`.
* The tag :code:`external/cwe/cwe-248` has been added to :code:`go/redundant-recover`.
* The tag :code:`external/cwe/cwe-252` has been added to :code:`go/missing-error-check` and :code:`go/unhandled-writable-file-close`.
* The tag :code:`external/cwe/cwe-480` has been added to :code:`go/mistyped-exponentiation`.
* The tag :code:`external/cwe/cwe-570` has been added to :code:`go/impossible-interface-nil-check` and :code:`go/comparison-of-identical-expressions`.
* The tag :code:`external/cwe/cwe-571` has been added to :code:`go/negative-length-check` and :code:`go/comparison-of-identical-expressions`.
* The tag :code:`external/cwe/cwe-783` has been added to :code:`go/whitespace-contradicts-precedence`.
* The tag :code:`external/cwe/cwe-835` has been added to :code:`go/inconsistent-loop-direction`.
* The tag :code:`error-handling` has been added to :code:`go/missing-error-check`, :code:`go/unhandled-writable-file-close`, and :code:`go/unexpected-nil-value`.
* The tag :code:`useless-code` has been added to :code:`go/useless-assignment-to-field`, :code:`go/useless-assignment-to-local`, :code:`go/useless-expression`, and :code:`go/unreachable-statement`.
* The tag :code:`logic` has been removed from :code:`go/index-out-of-bounds` and :code:`go/unexpected-nil-value`.
* The tags :code:`call` and :code:`defer` have been removed from :code:`go/unhandled-writable-file-close`.
* The tags :code:`correctness` and :code:`quality` have been reordered in :code:`go/missing-error-check` and :code:`go/unhandled-writable-file-close`.
* The tag :code:`maintainability` has been changed to :code:`reliability` for :code:`go/unhandled-writable-file-close`.
* The tag order has been standardized to have :code:`quality` first, followed by the top-level category (:code:`reliability` or :code:`maintainability`), then sub-category tags, and finally CWE tags.
* The description text has been updated in :code:`go/whitespace-contradicts-precedence` to change "may even indicate" to "may indicate".
Java/Kotlin
"""""""""""
* The tag :code:`quality` has been added to multiple Java quality queries for consistency. They have all been given a tag for one of the two top-level categories :code:`reliability` or :code:`maintainability`, and a tag for a sub-category. See `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__ for more information about these categories.
* The tag :code:`external/cwe/cwe-571` has been added to :code:`java/equals-on-unrelated-types`.
* The tag :code:`readability` has been added to :code:`java/missing-override-annotation`, :code:`java/deprecated-call`, :code:`java/inconsistent-javadoc-throws`, :code:`java/unknown-javadoc-parameter`, :code:`java/jdk-internal-api-access`, :code:`java/underscore-identifier`, :code:`java/misleading-indentation`, :code:`java/inefficient-empty-string-test`, :code:`java/non-static-nested-class`, :code:`inefficient-string-constructor`, and :code:`java/constants-only-interface`.
* The tag :code:`useless-code` has been added to :code:`java/useless-type-test`, and :code:`java/useless-tostring-call`.
* The tag :code:`complexity` has been added to :code:`java/chained-type-tests`, and :code:`java/abstract-to-concrete-cast`.
* The tag :code:`error-handling` has been added to :code:`java/ignored-error-status-of-call`, and :code:`java/uncaught-number-format-exception`.
* The tag :code:`correctness` has been added to :code:`java/evaluation-to-constant`, :code:`java/whitespace-contradicts-precedence`, :code:`java/empty-container`, :code:`java/string-buffer-char-init`, :code:`java/call-to-object-tostring`, :code:`java/print-array` and :code:`java/internal-representation-exposure`.
* The tag :code:`performance` has been added to :code:`java/input-resource-leak`, :code:`java/database-resource-leak`, :code:`java/output-resource-leak`, :code:`java/inefficient-key-set-iterator`, :code:`java/inefficient-output-stream`, and :code:`java/inefficient-boxed-constructor`.
* The tag :code:`correctness` has been removed from :code:`java/call-to-thread-run`, :code:`java/unsafe-double-checked-locking`, :code:`java/unsafe-double-checked-locking-init-order`, :code:`java/non-sync-override`, :code:`java/sync-on-boxed-types`, :code:`java/unsynchronized-getter`, :code:`java/input-resource-leak`, :code:`java/output-resource-leak`, :code:`java/database-resource-leak`, and :code:`java/ignored-error-status-of-call`.
* The tags :code:`maintainability` has been removed from :code:`java/string-buffer-char-init`, :code:`java/inefficient-key-set-iterator`, :code:`java/inefficient-boxed-constructor`, and :code:`java/internal-representation-exposure`.
* The tags :code:`reliability` has been removed from :code:`java/subtle-inherited-call`, :code:`java/print-array`, and :code:`java/call-to-object-tostring`.
* The tags :code:`maintainability` and :code:`useless-code` have been removed from :code:`java/evaluation-to-constant`.
* The tags :code:`maintainability` and :code:`readability` have been removed from :code:`java/whitespace-contradicts-precedence`.
* The tags :code:`maintainability` and :code:`useless-code` have been removed from :code:`java/empty-container`.
* Adjusts the :code:`@precision` from high to medium for :code:`java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded.
* Adjusts the :code:`@security-severity` from 9.3 to 7.3 for :code:`java/tainted-format-string` to align :code:`CWE-134` severity for memory safe languages to better reflect their impact.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`quality` tag has been added to multiple JavaScript quality queries, with tags for :code:`reliability` or :code:`maintainability` categories and their sub-categories. See `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__ for more information about these categories.
* Added :code:`reliability` tag to the :code:`js/suspicious-method-name-declaration` query.
* Added :code:`reliability` and :code:`language-features` tags to the :code:`js/template-syntax-in-string-literal` query.
Python
""""""
* The tag :code:`quality` has been added to multiple Python quality queries for consistency. They have all been given a tag for one of the two top-level categories :code:`reliability` or :code:`maintainability`, and a tag for a sub-category. See `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__ for more information about these categories.
Ruby
""""
* Update query metadata tags for :code:`rb/database-query-in-loop` and :code:`rb/useless-assignment-to-local` to align with the established
\ `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__.
Swift
"""""
* Adjusts the :code:`@security-severity` from 9.3 to 7.3 for :code:`swift/uncontrolled-format-string` to align :code:`CWE-134` severity for memory safe languages to better reflect their impact.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* :code:`resolveTypedefs` now properly resolves typedefs for :code:`ArrayType`\ s.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* Java :code:`assert` statements are now assumed to be executed for the purpose of analysing control flow. This improves precision for a number of queries.
JavaScript/TypeScript
"""""""""""""""""""""
* Calls to :code:`sinon.match()` are no longer incorrectly identified as regular expression operations.
* Improved data flow tracking through middleware to handle default value and similar patterns.
* Added :code:`req._parsedUrl` as a remote input source.
* Improved taint tracking through calls to :code:`serialize-javascript`.
* Removed :code:`encodeURI` and :code:`escape` functions from the sanitizer list for request forgery.
* The JavaScript extractor now skips generated JavaScript files if the original TypeScript files are already present. It also skips any files in the output directory specified in the :code:`compilerOptions` part of the :code:`tsconfig.json` file.
* Added support for Axios instances in the :code:`axios` module.
GitHub Actions
""""""""""""""
* Fixed performance issues in the parsing of Bash scripts in workflow files,
which led to out-of-disk errors when analysing certain workflow files with complex interpolations of shell commands or quoted strings.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`ThrowingFunction` class (:code:`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the :code:`AlwaysSehThrowingFunction` class instead.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added a predicate :code:`getAnAttribute` to :code:`Namespace` to retrieve a namespace attribute.
* The Microsoft-specific :code:`__leave` statement is now supported.
* A new class :code:`LeaveStmt` extending :code:`JumpStmt` was added to represent :code:`__leave` statements.
* Added a predicate :code:`hasParameterList` to :code:`LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
Rust
""""
* Initial public preview release.

1
docs/codeql/codeql-overview/codeql-changelog/index.rst
View File

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.22.1
codeql-cli-2.22.0
codeql-cli-2.21.4
codeql-cli-2.21.3

4
go/ql/consistency-queries/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.0.27
No user-facing changes.
## 1.0.26
No user-facing changes.

3
go/ql/consistency-queries/change-notes/released/1.0.27.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.0.27
No user-facing changes.

2
go/ql/consistency-queries/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.26
lastReleaseVersion: 1.0.27

2
go/ql/consistency-queries/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.27-dev
version: 1.0.28-dev
groups:
- go
- queries

11
go/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,14 @@
## 4.3.0
### Deprecated APIs
* The class `BuiltinType` is now deprecated. Use the new replacement `BuiltinTypeEntity` instead.
* The class `DeclaredType` is now deprecated. Use the new replacement `DeclaredTypeEntity` instead.
### Minor Analysis Improvements
* Previously, `DefinedType.getBaseType` gave the underlying type. It now gives the right hand side of the type declaration, as the documentation indicated that it should.
## 4.2.8
No user-facing changes.

4
go/ql/lib/change-notes/2025-06-03-fix-definedtype-getbasetype.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Previously, `DefinedType.getBaseType` gave the underlying type. It now gives the right hand side of the type declaration, as the documentation indicated that it should.

5
go/ql/lib/change-notes/2025-06-05-deprecate-DeclaredType-BuiltinType.md
View File

@@ -1,5 +0,0 @@
---
category: deprecated
---
* The class `BuiltinType` is now deprecated. Use the new replacement `BuiltinTypeEntity` instead.
* The class `DeclaredType` is now deprecated. Use the new replacement `DeclaredTypeEntity` instead.

10
go/ql/lib/change-notes/released/4.3.0.md Normal file
View File

@@ -0,0 +1,10 @@
## 4.3.0
### Deprecated APIs
* The class `BuiltinType` is now deprecated. Use the new replacement `BuiltinTypeEntity` instead.
* The class `DeclaredType` is now deprecated. Use the new replacement `DeclaredTypeEntity` instead.
### Minor Analysis Improvements
* Previously, `DefinedType.getBaseType` gave the underlying type. It now gives the right hand side of the type declaration, as the documentation indicated that it should.

2
go/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.2.8
lastReleaseVersion: 4.3.0

2
go/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 4.2.9-dev
version: 4.3.1-dev
groups: go
dbscheme: go.dbscheme
extractor: go

4
go/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.4.1
No user-facing changes.
## 1.4.0
### Query Metadata Changes

3
go/ql/src/change-notes/released/1.4.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.4.1
No user-facing changes.

2
go/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.0
lastReleaseVersion: 1.4.1

2
go/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.4.1-dev
version: 1.4.2-dev
groups:
- go
- queries

1236
java/downgrades/1b8f5f4c747e4249f4731796ccaa0661c7434d8a/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

1232
java/downgrades/1b8f5f4c747e4249f4731796ccaa0661c7434d8a/semmlecode.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

3
java/downgrades/1b8f5f4c747e4249f4731796ccaa0661c7434d8a/upgrade.properties Normal file
View File

@@ -0,0 +1,3 @@
description: Add overlayChangedFiles relation
compatibility: full
overlayChangedFiles.rel: delete

2
java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected
View File

@@ -77,6 +77,8 @@ ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingMethodNam
ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldConfusing.ql
ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
ql/java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.ql
ql/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql
ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql
ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql
ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql

2
java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected
View File

@@ -75,6 +75,8 @@ ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingMethodNam
ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldConfusing.ql
ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
ql/java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.ql
ql/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql
ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql
ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql
ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql

4
java/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 7.3.3
No user-facing changes.
## 7.3.2
### Minor Analysis Improvements

3
java/ql/lib/change-notes/released/7.3.3.md Normal file
View File

@@ -0,0 +1,3 @@
## 7.3.3
No user-facing changes.

2
java/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 7.3.2
lastReleaseVersion: 7.3.3

4
java/ql/lib/config/semmlecode.dbscheme
View File

@@ -211,6 +211,10 @@ databaseMetadata(
string value : string ref
);
overlayChangedFiles(
string path: string ref
);
/*
* SMAP
*/

11
java/ql/lib/config/semmlecode.dbscheme.stats
View File

@@ -4004,6 +4004,17 @@
</dep>
</dependencies>
</relation>
<relation>
<name>overlayChangedFiles</name>
<cardinality>50</cardinality>
<columnsizes>
<e>
<k>path</k>
<v>50</v>
</e>
</columnsizes>
<dependencies/>
</relation>
<relation>
<name>smap_header</name>
<cardinality>1</cardinality>

2
java/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 7.3.3-dev
version: 7.3.4-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

1
java/ql/lib/semmle/code/java/Type.qll
View File

@@ -422,6 +422,7 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
* This does not include itself, unless this type is part of a cycle
* in the type hierarchy.
*/
overlay[caller?]
RefType getAStrictAncestor() { result = this.getASupertype().getAnAncestor() }
/**

3
java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
View File

@@ -203,6 +203,7 @@ module TempDirSystemGetPropertyDirectlyToMkdir =
/**
* A `MethodCall` against a method that creates a temporary file or directory in a shared temporary directory.
*/
overlay[local?]
abstract class MethodCallInsecureFileCreation extends MethodCall {
/**
* Gets the type of entity created (e.g. `file`, `directory`, ...).
@@ -218,6 +219,7 @@ abstract class MethodCallInsecureFileCreation extends MethodCall {
/**
* An insecure call to `java.io.File.createTempFile`.
*/
overlay[local?]
class MethodCallInsecureFileCreateTempFile extends MethodCallInsecureFileCreation {
MethodCallInsecureFileCreateTempFile() {
this.getMethod() instanceof MethodFileCreateTempFile and
@@ -246,6 +248,7 @@ class MethodGuavaFilesCreateTempFile extends Method {
/**
* A call to the `com.google.common.io.Files.createTempDir` method.
*/
overlay[local?]
class MethodCallInsecureGuavaFilesCreateTempFile extends MethodCallInsecureFileCreation {
MethodCallInsecureGuavaFilesCreateTempFile() {
this.getMethod() instanceof MethodGuavaFilesCreateTempFile

1232
java/ql/lib/upgrades/38d02c063878000356a3e5db49d5a6a8f38efe24/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

1236
java/ql/lib/upgrades/38d02c063878000356a3e5db49d5a6a8f38efe24/semmlecode.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
java/ql/lib/upgrades/38d02c063878000356a3e5db49d5a6a8f38efe24/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Add overlayChangedFiles relation
compatibility: full

6
java/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 1.6.1
### Minor Analysis Improvements
* Java analysis of guards has been switched to use the new and improved shared guards library. This improves precision of a number of queries, in particular `java/dereferenced-value-may-be-null`, which now has fewer false positives, and `java/useless-null-check` and `java/constant-comparison`, which gain additional true positives.
## 1.6.0
### Query Metadata Changes

2
java/ql/src/Likely Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.md
View File

@@ -1,6 +1,6 @@
## Overview
According to the Java documentation on `ScheduledThreadPoolExecutor`, it is not a good idea to set `corePoolSize` to zero, since doing so indicates the executor to keep 0 threads in its pool and the executor will serve no purpose.
According to the Java documentation on `ScheduledThreadPoolExecutor`, it is not a good idea to set `corePoolSize` to zero, since doing so instructs the executor to keep 0 threads in its pool and the executor will serve no purpose.
## Recommendation

9
java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
View File

@@ -16,6 +16,7 @@
import java
import semmle.code.java.dataflow.FlowSources
overlay[local?]
abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
int vulnerableArgumentIndex;
@@ -27,6 +28,7 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
abstract string splittingType();
}
overlay[local?]
abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
{
override string splittingType() { result = "Request splitting or response splitting" }
@@ -35,6 +37,7 @@ abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation ext
/**
* Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.
*/
overlay[local?]
abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
{
override string splittingType() { result = "Request splitting" }
@@ -43,11 +46,13 @@ abstract private class RequestSplittingInsecureNettyObjectCreation extends Insec
/**
* Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning.
*/
overlay[local?]
abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
{
override string splittingType() { result = "Response splitting" }
}
overlay[local?]
private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation
{
InsecureDefaultHttpHeadersClassInstantiation() {
@@ -58,6 +63,7 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp
}
}
overlay[local?]
private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation
{
InsecureDefaultHttpResponseClassInstantiation() {
@@ -66,6 +72,7 @@ private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSpli
}
}
overlay[local?]
private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation
{
InsecureDefaultHttpRequestClassInstantiation() {
@@ -74,6 +81,7 @@ private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplitt
}
}
overlay[local?]
private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation
{
InsecureDefaultFullHttpResponseClassInstantiation() {
@@ -83,6 +91,7 @@ private class InsecureDefaultFullHttpResponseClassInstantiation extends Response
}
}
overlay[local?]
private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation
{
InsecureDefaultFullHttpRequestClassInstantiation() {

54
java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.md Normal file
View File

@@ -0,0 +1,54 @@
## Overview
Record types were introduced in Java 16 as a mechanism to provide simpler data handling as an alternative to regular classes. However, record classes behave slightly differently during serialization. Namely any `writeObject`, `readObject`, `readObjectNoData`, `writeExternal`, and `readExternal` methods and `serialPersistentFields` fields declared in these classes cannot be used to affect the serialization process of any `Record` data type.
## Recommendation
Some level of serialization customization is offered by the Java 16 Record feature. The `writeReplace` and `readResolve` methods in a record that implements `java.io.Serializable` can be used to replace the object to be serialized. Otherwise, no further customization of serialization of records is possible, and it is better to consider using a regular class implementing `java.io.Serializable` or `java.io.Externalizable` when customization is needed.
## Example
```java
record T1() implements Serializable {
@Serial
private static final ObjectStreamField[] serialPersistentFields = new ObjectStreamField[0]; // NON_COMPLIANT
@Serial
private void writeObject(ObjectOutputStream out) throws IOException {} // NON_COMPLIANT
@Serial
private void readObject(ObjectOutputStream out) throws IOException {}// NON_COMPLIANT
@Serial
private void readObjectNoData(ObjectOutputStream out) throws IOException { // NON_COMPLIANT
}
}
record T2() implements Externalizable {
@Override
public void writeExternal(ObjectOutput out) throws IOException { // NON_COMPLIANT
}
@Override
public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException { // NON_COMPLIANT
}
}
record T3() implements Serializable {
public Object writeReplace(ObjectOutput out) throws ObjectStreamException { // COMPLIANT
return new Object();
}
public Object readResolve(ObjectInput in) throws ObjectStreamException { // COMPLIANT
return new Object();
}
}
```
## References
- Oracle Serialization Documentation: [Serialization of Records](https://docs.oracle.com/en/java/javase/16/docs/specs/serialization/serial-arch.html#serialization-of-records)
- Java Record: [Feature Specification](https://openjdk.org/jeps/395)

24
java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.ql Normal file
View File

@@ -0,0 +1,24 @@
/**
* @id java/ignored-serialization-member-of-record-class
* @name Ignored serialization member of record class
* @description Using certain members of a record class during serialization will result in
* those members being ignored.
* @previous-id java/useless-members-of-the-records-class
* @kind problem
* @precision very-high
* @problem.severity warning
* @tags quality
* reliability
* correctness
*/
import java
from Record record, Member m
where
record.getAMember() = m and
m.hasName([
"writeObject", "readObject", "readObjectNoData", "writeExternal", "readExternal",
"serialPersistentFields"
])
select m, "Ignored serialization member found in record class $@.", record, record.getName()

111
java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md Normal file
View File

@@ -0,0 +1,111 @@
## Overview
This query detects non-explicit control and whitespace characters in Java literals.
Such characters are often introduced accidentally and can be invisible or hard to recognize, leading to bugs when the actual contents of the string contain control characters.
## Recommendation
To avoid issues, use the encoded versions of control characters (e.g. ASCII `\n`, `\t`, or Unicode `U+000D`, `U+0009`).
This makes the literals (e.g. string literals) more readable, and also helps to make the surrounding code less error-prone and more maintainable.
## Example
The following examples illustrate good and bad code:
Bad:
```java
char tabulationChar = ' '; // Non compliant
String tabulationCharInsideString = "A B"; // Non compliant
String fooZeroWidthSpacebar = "foobar"; // Non compliant
```
Good:
```java
char escapedTabulationChar = '\t';
String escapedTabulationCharInsideString = "A\tB"; // Compliant
String fooUnicodeSpacebar = "foo\u0020bar"; // Compliant
String foo2Spacebar = "foo bar"; // Compliant
String foo3Spacebar = "foo bar"; // Compliant
```
## Implementation notes
This query detects Java literals that contain reserved control characters and/or non-printable whitespace characters, such as:
- Decimal and hexidecimal representations of ASCII control characters (code points 0-8, 11, 14-31, and 127).
- Invisible characters (e.g. zero-width space, zero-width joiner).
- Unicode C0 control codes, plus the delete character (U+007F), such as:
| Escaped Unicode | ASCII Decimal | Description |
| --------------- | ------------- | ------------------------- |
| `\u0000` | 0 | null character |
| `\u0001` | 1 | start of heading |
| `\u0002` | 2 | start of text |
| `\u0003` | 3 | end of text |
| `\u0004` | 4 | end of transmission |
| `\u0005` | 5 | enquiry |
| `\u0006` | 6 | acknowledge |
| `\u0007` | 7 | bell |
| `\u0008` | 8 | backspace |
| `\u000B` | 11 | vertical tab |
| `\u000E` | 14 | shift out |
| `\u000F` | 15 | shift in |
| `\u0010` | 16 | data link escape |
| `\u0011` | 17 | device control 1 |
| `\u0012` | 18 | device control 2 |
| `\u0013` | 19 | device control 3 |
| `\u0014` | 20 | device control 4 |
| `\u0015` | 21 | negative acknowledge |
| `\u0016` | 22 | synchronous idle |
| `\u0017` | 23 | end of transmission block |
| `\u0018` | 24 | cancel |
| `\u0019` | 25 | end of medium |
| `\u001A` | 26 | substitute |
| `\u001B` | 27 | escape |
| `\u001C` | 28 | file separator |
| `\u001D` | 29 | group separator |
| `\u001E` | 30 | record separator |
| `\u001F` | 31 | unit separator |
| `\u007F` | 127 | delete |
- Zero-width Unicode characters (e.g. zero-width space, zero-width joiner), such as:
| Escaped Unicode | Description |
| --------------- | ------------------------- |
| `\u200B` | zero-width space |
| `\u200C` | zero-width non-joiner |
| `\u200D` | zero-width joiner |
| `\u2028` | line separator |
| `\u2029` | paragraph separator |
| `\u2060` | word joiner |
| `\uFEFF` | zero-width no-break space |
The following list outlines the _**explicit exclusions from query scope**_:
- any number of simple space characters (`U+0020`, ASCII 32).
- an escape character sequence (e.g. `\t`), or the Unicode equivalent (e.g. `\u0009`), for printable whitespace characters:
| Character Sequence | Escaped Unicode | ASCII Decimal | Description |
| ------------------ | --------------- | ------------- | --------------- |
| `\t` | \u0009 | 9 | horizontal tab |
| `\n` | \u000A | 10 | line feed |
| `\f` | \u000C | 12 | form feed |
| `\r` | \u000D | 13 | carriage return |
| | \u0020 | 32 | space |
- character literals (i.e. single quotes) containing control characters.
- literals defined within "likely" test methods, such as:
- JUnit test methods
- methods annotated with `@Test`
- methods of a class annotated with `@Test`
- methods with names containing "test"
## References
- Unicode: [Unicode Control Characters](https://www.unicode.org/charts/PDF/U0000.pdf).
- Wikipedia: [Unicode C0 control codes](https://en.wikipedia.org/wiki/C0_and_C1_control_codes).
- Wikipedia: [Unicode characters with property "WSpace=yes" or "White_Space=yes"](https://en.wikipedia.org/wiki/Unicode_character_property#Whitespace).
- Java API Specification: [Java String Literals](https://docs.oracle.com/javase/tutorial/java/data/characters.html).
- Java API Specification: [Java Class Charset](https://docs.oracle.com/javase/8/docs/api///?java/nio/charset/Charset.html).

51
java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql Normal file
View File

@@ -0,0 +1,51 @@
/**
* @id java/non-explicit-control-and-whitespace-chars-in-literals
* @name Non-explicit control and whitespace characters
* @description Non-explicit control and whitespace characters in literals make code more difficult
* to read and may lead to incorrect program behavior.
* @kind problem
* @precision very-high
* @problem.severity warning
* @tags quality
* correctness
* maintainability
* readability
*/
import java
/**
* A `Literal` that has a Unicode control character within its
* literal value (as returned by `getLiteral()` member predicate).
*/
class ReservedUnicodeInLiteral extends Literal {
private int indexStart;
ReservedUnicodeInLiteral() {
not this instanceof CharacterLiteral and
exists(int codePoint |
this.getLiteral().codePointAt(indexStart) = codePoint and
(
// Unicode C0 control characters
codePoint < 32 and not codePoint in [9, 10, 12, 13]
or
codePoint = 127 // delete control character
or
codePoint = 8203 // zero-width space
)
)
}
/** Gets the starting index of the Unicode control sequence. */
int getIndexStart() { result = indexStart }
}
from ReservedUnicodeInLiteral literal, int charIndex, int codePoint
where
literal.getIndexStart() = charIndex and
literal.getLiteral().codePointAt(charIndex) = codePoint and
not literal.getEnclosingCallable() instanceof LikelyTestMethod and
not literal.getFile().isKotlinSourceFile()
select literal,
"Literal value contains control or non-printable whitespace character(s) starting with Unicode code point "
+ codePoint + " at index " + charIndex + "."

7
java/ql/src/change-notes/2025-06-17-improved-guards.md → java/ql/src/change-notes/released/1.6.1.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.6.1
### Minor Analysis Improvements
* Java analysis of guards has been switched to use the new and improved shared guards library. This improves precision of a number of queries, in particular `java/dereferenced-value-may-be-null`, which now has fewer false positives, and `java/useless-null-check` and `java/constant-comparison`, which gain additional true positives.

2
java/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.6.0
lastReleaseVersion: 1.6.1

Some files were not shown because too many files have changed in this diff Show More