hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into redsun82/cargo-upgrade

Browse Source
This commit is contained in:
Paolo Tranquilli
2025-07-02 16:34:54 +02:00
committed by GitHub
parent 353d630c91 d17c931939
commit 6ec7fadb1b
134 changed files with 99316 additions and 54733 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.md
View File

@@ -1,6 +1,4 @@
# Environment Path Injection
## Description
## Overview
GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job.
@@ -12,11 +10,11 @@ echo "$HOME/.local/bin" >> $GITHUB_PATH
If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job.
## Recommendations
## Recommendation
Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
## Examples
## Example
### Incorrect Usage
@@ -36,4 +34,4 @@ If an attacker can manipulate the value being set, such as through artifact down
## References
- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).

10
actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.md
View File

@@ -1,6 +1,4 @@
# Environment Path Injection
## Description
## Overview
GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job.
@@ -12,11 +10,11 @@ echo "$HOME/.local/bin" >> $GITHUB_PATH
If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job.
## Recommendations
## Recommendation
Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
## Examples
## Example
### Incorrect Usage
@@ -36,4 +34,4 @@ If an attacker can manipulate the value being set, such as through artifact down
## References
- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).

12
actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.md
View File

@@ -1,6 +1,4 @@
# Environment Variable Injection
## Description
## Overview
GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
@@ -37,7 +35,7 @@ steps:
If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`.
## Recommendations
## Recommendation
1. **Do not allow untrusted data to influence environment variables**:
@@ -64,7 +62,7 @@ If an attacker can control the values assigned to environment variables and ther
} >> "$GITHUB_ENV"
```
## Examples
## Example
### Example of Vulnerability
@@ -113,5 +111,5 @@ An attacker is be able to run arbitrary code by injecting environment variables
## References
- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)
- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).
- Synacktiv: [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation).

12
actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md
View File

@@ -1,6 +1,4 @@
# Environment Variable Injection
## Description
## Overview
GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
@@ -37,7 +35,7 @@ steps:
If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`.
## Recommendations
## Recommendation
1. **Do not allow untrusted data to influence environment variables**:
@@ -64,7 +62,7 @@ If an attacker can control the values assigned to environment variables and ther
} >> "$GITHUB_ENV"
```
## Examples
## Example
### Example of Vulnerability
@@ -113,5 +111,5 @@ An attacker would be able to run arbitrary code by injecting environment variabl
## References
- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)
- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).
- Synacktiv: [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation).

8
actions/ql/src/Security/CWE-094/CodeInjectionCritical.md
View File

@@ -1,18 +1,16 @@
# Code Injection in GitHub Actions
## Description
## Overview
Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
## Recommendations
## Recommendation
The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
## Examples
## Example
### Incorrect Usage

8
actions/ql/src/Security/CWE-094/CodeInjectionMedium.md
View File

@@ -1,18 +1,16 @@
# Code Injection in GitHub Actions
## Description
## Overview
Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
## Recommendations
## Recommendation
The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
## Examples
## Example
### Incorrect Usage

8
actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md
View File

@@ -1,13 +1,11 @@
# Use of Actions with known vulnerabilities
## Description
## Overview
The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize GitHub Actions with known vulnerabilities.
## Recommendations
## Recommendation
Either remove the component from the workflow or upgrade it to a version that is not vulnerable.
## References
- [GitHub Docs: Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)
- GitHub Docs: [Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot).

21
actions/ql/src/Security/CWE-275/MissingActionsPermissions.md
View File

@@ -1,12 +1,21 @@
# Actions Job and Workflow Permissions are not set
## Description
## Overview
If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`.
## Recommendations
## Recommendation
Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task:
Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task.
## Example
### Incorrect Usage
```yaml
name: "My workflow"
# No permissions block
```
### Correct Usage
```yaml
name: "My workflow"
@@ -27,4 +36,4 @@ jobs:
## References
- [Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/assigning-permissions-to-jobs)
- GitHub Docs: [Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/assigning-permissions-to-jobs).

10
actions/ql/src/Security/CWE-285/ImproperAccessControl.md
View File

@@ -1,14 +1,12 @@
# Improper Access Control
## Description
## Overview
Sometimes labels are used to approve GitHub Actions. An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed and approved by label.
## Recommendations
## Recommendation
When using labels, make sure that the code cannot be modified after it has been reviewed and the label has been set.
## Examples
## Example
### Incorrect Usage
@@ -57,4 +55,4 @@ jobs:
## References
- [Events that trigger workflows](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target)
- GitHub Docs: [Events that trigger workflows](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target).

12
actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md
View File

@@ -1,14 +1,12 @@
# Excessive Secrets Exposure
## Description
## Overview
When the workflow runner cannot determine what secrets are needed to run the workflow, it will pass all the available secrets to the runner including organization and repository secrets. This violates the least privileged principle and increases the impact of a potential vulnerability affecting the workflow.
## Recommendations
## Recommendation
Only pass those secrets that are needed by the workflow. Avoid using expressions such as `toJSON(secrets)` or dynamically accessed secrets such as `secrets[format('GH_PAT_%s', matrix.env)]` since the workflow will need to receive all secrets to decide at runtime which one needs to be used.
## Examples
## Example
### Incorrect Usage
@@ -48,5 +46,5 @@ env:
## References
- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow)
- [Job uses all secrets](https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/job_all_secrets.md)
- GitHub Docs: [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow).
- poutine: [Job uses all secrets](https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/job_all_secrets.md).

8
actions/ql/src/Security/CWE-312/SecretsInArtifacts.md
View File

@@ -1,6 +1,4 @@
# Storage of sensitive information in GitHub Actions artifact
## Description
## Overview
Sensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.
@@ -10,6 +8,8 @@ Only store information that is meant to be publicly available in a GitHub Action
## Example
### Incorrect Usage
The following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \`.git/config\` file and then stores the contents of the \`.git\` repository into the artifact:
```yaml
@@ -28,6 +28,8 @@ jobs:
path: .
```
### Correct Usage
The issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.
```yaml

10
actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
View File

@@ -1,14 +1,12 @@
# Unmasked Secret Exposure
## Description
## Overview
Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered.
## Recommendations
## Recommendation
Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner.
## Examples
## Example
### Incorrect Usage
@@ -34,4 +32,4 @@ Avoid defining non-plain secrets. For example, do not define a new secret contai
## References
- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow)
- GitHub Docs: [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow).

14
actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md
View File

@@ -1,6 +1,4 @@
# Cache Poisoning in GitHub Actions
## Description
## Overview
GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows.
@@ -23,7 +21,7 @@ In GitHub Actions, cache scopes are primarily determined by the branch structure
Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
## Recommendations
## Recommendation
1. Avoid using caching in workflows that handle sensitive operations like releases.
2. If caching must be used:
@@ -34,7 +32,7 @@ Due to the above design, if something is cached in the context of the default br
4. Never run untrusted code in the context of the default branch.
5. Sign the cache value cryptographically and verify the signature before usage.
## Examples
## Example
### Incorrect Usage
@@ -78,6 +76,6 @@ jobs:
## References
- [The Monsters in Your Build Cache GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
- Adnan Khan's Blog: [The Monsters in Your Build Cache GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/).
- GitHub Docs: [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows).
- Scribe Security Blog: [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/).

14
actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md
View File

@@ -1,6 +1,4 @@
# Cache Poisoning in GitHub Actions
## Description
## Overview
GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows.
@@ -23,7 +21,7 @@ In GitHub Actions, cache scopes are primarily determined by the branch structure
Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
## Recommendations
## Recommendation
1. Avoid using caching in workflows that handle sensitive operations like releases.
2. If caching must be used:
@@ -34,7 +32,7 @@ Due to the above design, if something is cached in the context of the default br
4. Never run untrusted code in the context of the default branch.
5. Sign the cache value cryptographically and verify the signature before usage.
## Examples
## Example
### Incorrect Usage
@@ -123,6 +121,6 @@ jobs:
## References
- [The Monsters in Your Build Cache GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
- Adnan Khan's Blog: [The Monsters in Your Build Cache GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/).
- GitHub Docs: [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows).
- Scribe Security Blog: [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/).

14
actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md
View File

@@ -1,6 +1,4 @@
# Cache Poisoning in GitHub Actions
## Description
## Overview
GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows.
@@ -23,7 +21,7 @@ In GitHub Actions, cache scopes are primarily determined by the branch structure
Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
## Recommendations
## Recommendation
1. Avoid using caching in workflows that handle sensitive operations like releases.
2. If caching must be used:
@@ -34,7 +32,7 @@ Due to the above design, if something is cached in the context of the default br
4. Never run untrusted code in the context of the default branch.
5. Sign the cache value cryptographically and verify the signature before usage.
## Examples
## Example
### Incorrect Usage
@@ -80,6 +78,6 @@ jobs:
## References
- [The Monsters in Your Build Cache GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
- Adnan Khan's Blog: [The Monsters in Your Build Cache GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/).
- GitHub Docs: [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows).
- Scribe Security Blog: [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/).

10
actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
View File

@@ -1,17 +1,15 @@
# Untrusted Checkout TOCTOU (Time-of-check to time-of-use)
## Description
## Overview
Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
## Recommendations
## Recommendation
Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check:
- Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
- Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
## Examples
## Example
### Incorrect Usage (Deployment Environment Approval)
@@ -99,4 +97,4 @@ jobs:
## References
- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU)
- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU).

10
actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md
View File

@@ -1,17 +1,15 @@
# Untrusted Checkout TOCTOU (Time-of-check to time-of-use)
## Description
## Overview
Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
## Recommendations
## Recommendation
Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check:
- Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
- Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
## Examples
## Example
### Incorrect Usage (Deployment Environment Approval)
@@ -99,4 +97,4 @@ jobs:
## References
- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU)
- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU).

8
actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md
View File

@@ -1,6 +1,4 @@
# If Condition Always Evaluates to True
## Description
## Overview
GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is invariably evaluated to `true`.
@@ -14,7 +12,7 @@ To avoid the vulnerability where an `if` condition always evaluates to `true`, i
2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting.
3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios.
## Examples
## Example
### Correct Usage
@@ -60,4 +58,4 @@ To avoid the vulnerability where an `if` condition always evaluates to `true`, i
## References
- [Expression Always True Github Issue](https://github.com/actions/runner/issues/1173)
- GitHub actions/runner Issues: [Expression Always True](https://github.com/actions/runner/issues/1173).

8
actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md
View File

@@ -1,6 +1,4 @@
# If Condition Always Evaluates to True
## Description
## Overview
GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is invariably evaluated to `true`.
@@ -14,7 +12,7 @@ To avoid the vulnerability where an `if` condition always evaluates to `true`, i
2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting.
3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios.
## Examples
## Example
### Correct Usage
@@ -60,4 +58,4 @@ To avoid the vulnerability where an `if` condition always evaluates to `true`, i
## References
- [Expression Always True Github Issue](https://github.com/actions/runner/issues/1173)
- GitHub actions/runner Issues: [Expression Always True](https://github.com/actions/runner/issues/1173).

10
actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md
View File

@@ -1,16 +1,14 @@
# Artifact poisoning
## Description
## Overview
The workflow downloads artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job.
## Recommendations
## Recommendation
- Always consider artifacts content as untrusted.
- Extract the contents of artifacts to a temporary folder so they cannot override existing files.
- Verify the contents of the artifacts downloaded. If an artifact is expected to contain a numeric value, verify it before using it.
## Examples
## Example
### Incorrect Usage
@@ -69,4 +67,4 @@ jobs:
## References
- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).

10
actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md
View File

@@ -1,16 +1,14 @@
# Artifact poisoning
## Description
## Overview
The workflow downloads artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job.
## Recommendations
## Recommendation
- Always consider artifacts content as untrusted.
- Extract the contents of artifacts to a temporary folder so they cannot override existing files.
- Verify the contents of the artifacts downloaded. If an artifact is expected to contain a numeric value, verify it before using it.
## Examples
## Example
### Incorrect Usage
@@ -69,4 +67,4 @@ jobs:
## References
- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).

10
actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
View File

@@ -1,14 +1,12 @@
# Unpinned tag for 3rd party Action in workflow
## Description
## Overview
Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
## Recommendations
## Recommendation
Pinning an action to a full length commit SHA is currently the only way to use a non-immutable action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
## Examples
## Example
### Incorrect Usage
@@ -24,4 +22,4 @@ Pinning an action to a full length commit SHA is currently the only way to use a
## References
- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- GitHub Docs: [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).

10
actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
View File

@@ -1,10 +1,8 @@
# Execution of Untrusted Checked-out Code
## Description
## Overview
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
## Recommendations
## Recommendation
- Avoid using `pull_request_target` unless necessary.
- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
@@ -14,7 +12,7 @@ The best practice is to handle the potentially untrusted pull request via the **
The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
## Examples
## Example
### Incorrect Usage
@@ -134,4 +132,4 @@ jobs:
## References
- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).

10
actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
View File

@@ -1,10 +1,8 @@
# Execution of Untrusted Checked-out Code
## Description
## Overview
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
## Recommendations
## Recommendation
- Avoid using `pull_request_target` unless necessary.
- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
@@ -14,7 +12,7 @@ The best practice is to handle the potentially untrusted pull request via the **
The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
## Examples
## Example
### Incorrect Usage
@@ -134,4 +132,4 @@ jobs:
## References
- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).

10
actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
View File

@@ -1,10 +1,8 @@
# Execution of Untrusted Checked-out Code
## Description
## Overview
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
## Recommendations
## Recommendation
- Avoid using `pull_request_target` unless necessary.
- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
@@ -14,7 +12,7 @@ The best practice is to handle the potentially untrusted pull request via the **
The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
## Examples
## Example
### Incorrect Usage
@@ -134,4 +132,4 @@ jobs:
## References
- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).

8
actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md
View File

@@ -1,13 +1,11 @@
# Unneccesary use of advanced configuration
## Description
## Overview
The CodeQL workflow does not use any custom settings and could be simplified by switching to the CodeQL default setup.
## Recommendations
## Recommendation
If there is no reason to have a custom configuration switch to the CodeQL default setup.
## References
- [GitHub Docs: Configuring Default Setup for a repository](https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#configuring-default-setup-for-a-repository)
- GitHub Docs: [Configuring Default Setup for a repository](https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#configuring-default-setup-for-a-repository).

16
actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.md
View File

@@ -1,18 +1,16 @@
# Argument Injection in GitHub Actions
## Description
## Overview
Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution.
Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository.
## Recommendations
## Recommendation
When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments.
It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
## Examples
## Example
### Incorrect Usage
@@ -35,7 +33,7 @@ An attacker may set the body of an Issue comment to `BAR/g;1e whoami;#` and the
## References
- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html).
- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/)
- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/)
- [GTFOBins](https://gtfobins.github.io/)
- Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).
- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/).
- Argument Injection Vectors: [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/).
- [GTFOBins](https://gtfobins.github.io/).

16
actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.md
View File

@@ -1,18 +1,16 @@
# Argument Injection in GitHub Actions
## Description
## Overview
Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution.
Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository.
## Recommendations
## Recommendation
When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments.
It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
## Examples
## Example
### Incorrect Usage
@@ -35,7 +33,7 @@ An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the
## References
- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html).
- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/)
- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/)
- [GTFOBins](https://gtfobins.github.io/)
- Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).
- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/).
- Argument Injection Vectors: [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/).
- [GTFOBins](https://gtfobins.github.io/).

10
actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.md
View File

@@ -1,14 +1,12 @@
# Unversioned Immutable Action
## Description
## Overview
This action is eligible for Immutable Actions, a new GitHub feature that is currently only available for internal users. Immutable Actions are released as packages in the GitHub package registry instead of resolved from a pinned SHA at the repository. The Immutable Action provides the same immutability as pinning the version to a SHA but with improved readability and additional security guarantees.
## Recommendations
## Recommendation
For internal users: when using [immutable actions](https://github.com/github/package-registry-team/blob/main/docs/immutable-actions/immutable-actions-howto.md) use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry.
## Examples
## Example
### Incorrect Usage
@@ -25,4 +23,4 @@ For internal users: when using [immutable actions](https://github.com/github/pac
## References
- [Consuming immutable actions]()
- [Consuming immutable actions]().

3
config/dbscheme-fragments.json
View File

@@ -1,11 +1,13 @@
{
"files": [
"cpp/ql/lib/semmlecode.cpp.dbscheme",
"javascript/ql/lib/semmlecode.javascript.dbscheme",
"python/ql/lib/semmlecode.python.dbscheme",
"ruby/ql/lib/ruby.dbscheme",
"ql/ql/src/ql.dbscheme"
],
"fragments": [
"/*- Compilations -*/",
"/*- External data -*/",
"/*- Files and folders -*/",
"/*- Diagnostic messages -*/",
@@ -21,6 +23,7 @@
"/*- DEPRECATED: Snapshot date -*/",
"/*- DEPRECATED: Duplicate code -*/",
"/*- DEPRECATED: Version control data -*/",
"/*- C++ dbscheme -*/",
"/*- JavaScript-specific part -*/",
"/*- Ruby dbscheme -*/",
"/*- Erb dbscheme -*/",

2428
cpp/downgrades/5491582ac8511726e12fae3e2399000f9201cd9a/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2451
cpp/downgrades/5491582ac8511726e12fae3e2399000f9201cd9a/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/downgrades/5491582ac8511726e12fae3e2399000f9201cd9a/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Remove unused external_package tables from the dbscheme
compatibility: full

9
cpp/downgrades/801b2f03360d78c85f51fbad9b75956fa8d58b00/functions.ql Normal file
View File

@@ -0,0 +1,9 @@
class Function extends @function {
string toString() { none() }
}
from Function f, string n, int k, int new_k
where
functions(f, n, k) and
if builtin_functions(f) then new_k = 6 else new_k = k
select f, n, new_k

2433
cpp/downgrades/801b2f03360d78c85f51fbad9b75956fa8d58b00/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2428
cpp/downgrades/801b2f03360d78c85f51fbad9b75956fa8d58b00/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

4
cpp/downgrades/801b2f03360d78c85f51fbad9b75956fa8d58b00/upgrade.properties Normal file
View File

@@ -0,0 +1,4 @@
description: Move builtin function identification to its own table
compatibility: full
functions.rel: run functions.qlo
builtin_functions.rel: delete

2451
cpp/downgrades/827dbc206ea55377e032a8a934c8903fedc50fa0/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2475
cpp/downgrades/827dbc206ea55377e032a8a934c8903fedc50fa0/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/downgrades/827dbc206ea55377e032a8a934c8903fedc50fa0/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: sync dbscheme and delete svn tables
compatibility: full

1
cpp/ql/integration-tests/header-variant-tests/clang-pch/b.c
View File

@@ -4,4 +4,3 @@
int main() {
return ONE + TWO + THREE + FOUR;
}
// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/a.pch -Iextra_dummy_path

4
cpp/ql/lib/change-notes/2025-06-24-float16 copy.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.

19
cpp/ql/lib/semmle/code/cpp/Function.qll
View File

@@ -282,9 +282,12 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
* definition, if possible.)
*/
override Location getLocation() {
if exists(this.getDefinition())
then result = this.getDefinitionLocation()
else result = this.getADeclarationLocation()
if this instanceof BuiltInFunction
then result instanceof UnknownLocation // a dummy location for the built-in function
else
if exists(this.getDefinition())
then result = this.getDefinitionLocation()
else result = this.getADeclarationLocation()
}
/** Gets a child declaration of this function. */
@@ -896,17 +899,9 @@ class FunctionTemplateSpecialization extends Function {
* A GCC built-in function. For example: `__builtin___memcpy_chk`.
*/
class BuiltInFunction extends Function {
BuiltInFunction() { functions(underlyingElement(this), _, 6) }
/** Gets a dummy location for the built-in function. */
override Location getLocation() {
suppressUnusedThis(this) and
result instanceof UnknownLocation
}
BuiltInFunction() { builtin_functions(underlyingElement(this)) }
}
private predicate suppressUnusedThis(Function f) { any() }
/**
* A C++ user-defined literal [N4140 13.5.8].
*/

2
cpp/ql/lib/semmle/code/cpp/Location.qll
View File

@@ -8,7 +8,7 @@ import semmle.code.cpp.File
/**
* A location of a C/C++ artifact.
*/
class Location extends @location {
class Location extends @location_default {
/** Gets the container corresponding to this location. */
pragma[nomagic]
Container getContainer() { this.fullLocationInfo(result, _, _, _, _) }

4
cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
View File

@@ -504,6 +504,8 @@ class VacuousDestructorCall extends Expr, @vacuous_destructor_call {
*/
class ConstructorInit extends Expr, @ctorinit {
override string getAPrimaryQlClass() { result = "ConstructorInit" }
override string toString() { result = "constructor init" }
}
/**
@@ -512,6 +514,8 @@ class ConstructorInit extends Expr, @ctorinit {
*/
class ConstructorBaseInit extends ConstructorInit, ConstructorCall {
override string getAPrimaryQlClass() { result = "ConstructorBaseInit" }
override string toString() { result = "call to " + this.getTarget().getName() }
}
/**

294
cpp/ql/lib/semmlecode.cpp.dbscheme
View File

@@ -1,3 +1,4 @@
/*- Compilations -*/
/**
* An invocation of the compiler. Note that more than one file may be
@@ -138,6 +139,7 @@ compilation_finished(
float elapsed_seconds : float ref
);
/*- External data -*/
/**
* External data, loaded from CSV files during snapshot creation. See
@@ -145,69 +147,75 @@ compilation_finished(
* for more information.
*/
externalData(
int id : @externalDataElement,
string path : string ref,
int column: int ref,
string value : string ref
int id : @externalDataElement,
string path : string ref,
int column: int ref,
string value : string ref
);
/*- Source location prefix -*/
/**
* The source location of the snapshot.
*/
sourceLocationPrefix(string prefix : string ref);
/**
* Information about packages that provide code used during compilation.
* The `id` is just a unique identifier.
* The `namespace` is typically the name of the package manager that
* provided the package (e.g. "dpkg" or "yum").
* The `package_name` is the name of the package, and `version` is its
* version (as a string).
*/
external_packages(
unique int id: @external_package,
string namespace : string ref,
string package_name : string ref,
string version : string ref
);
/*- Files and folders -*/
/**
* Holds if File `fileid` was provided by package `package`.
* The location of an element.
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `file`.
* For more information, see
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
header_to_external_package(
int fileid : @file ref,
int package : @external_package ref
locations_default(
unique int id: @location_default,
int file: @file ref,
int beginLine: int ref,
int beginColumn: int ref,
int endLine: int ref,
int endColumn: int ref
);
/*
* Version history
*/
files(
unique int id: @file,
string name: string ref
);
svnentries(
unique int id : @svnentry,
string revision : string ref,
string author : string ref,
date revisionDate : date ref,
int changeSize : int ref
)
folders(
unique int id: @folder,
string name: string ref
);
svnaffectedfiles(
int id : @svnentry ref,
int file : @file ref,
string action : string ref
)
@container = @file | @folder
svnentrymsg(
unique int id : @svnentry ref,
string message : string ref
)
containerparent(
int parent: @container ref,
unique int child: @container ref
);
svnchurn(
int commit : @svnentry ref,
int file : @file ref,
int addedLines : int ref,
int deletedLines : int ref
)
/*- Lines of code -*/
numlines(
int element_id: @sourceline ref,
int num_lines: int ref,
int num_code: int ref,
int num_comment: int ref
);
/*- Diagnostic messages -*/
diagnostics(
unique int id: @diagnostic,
int severity: int ref,
string error_tag: string ref,
string error_message: string ref,
string full_error_message: string ref,
int location: @location_default ref
);
/*- C++ dbscheme -*/
/*
* C++ dbscheme
@@ -218,61 +226,9 @@ extractor_version(
string frontend_version: string ref
)
@location = @location_default ;
/**
* The location of an element.
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `file`.
* For more information, see
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
locations_default(
/** The location of an element that is not an expression or a statement. */
unique int id: @location_default,
int container: @container ref,
int startLine: int ref,
int startColumn: int ref,
int endLine: int ref,
int endColumn: int ref
);
/** An element for which line-count information is available. */
@sourceline = @file | @function | @variable | @enumconstant | @xmllocatable;
numlines(
int element_id: @sourceline ref,
int num_lines: int ref,
int num_code: int ref,
int num_comment: int ref
);
diagnostics(
unique int id: @diagnostic,
int severity: int ref,
string error_tag: string ref,
string error_message: string ref,
string full_error_message: string ref,
int location: @location ref
);
files(
unique int id: @file,
string name: string ref
);
folders(
unique int id: @folder,
string name: string ref
);
@container = @folder | @file
containerparent(
int parent: @container ref,
unique int child: @container ref
);
fileannotations(
int id: @file ref,
int kind: int ref,
@@ -298,7 +254,7 @@ case @macroinvocation.kind of
macroinvocations(
unique int id: @macroinvocation,
int macro_id: @ppd_define ref,
int location: @location ref,
int location: @location_default ref,
int kind: int ref
);
@@ -313,7 +269,7 @@ macroparent(
// to which a macro invocation is bound
macrolocationbind(
int id: @macroinvocation ref,
int location: @location ref
int location: @location_default ref
);
#keyset[invocation, argument_index]
@@ -332,12 +288,13 @@ macro_argument_expanded(
/*
case @function.kind of
1 = @normal_function
0 = @unknown_function
| 1 = @normal_function
| 2 = @constructor
| 3 = @destructor
| 4 = @conversion_function
| 5 = @operator
| 6 = @builtin_function // GCC built-in functions, e.g. __builtin___memcpy_chk
// ... 6 = @builtin_function deprecated // GCC built-in functions, e.g. __builtin___memcpy_chk
| 7 = @user_defined_literal
| 8 = @deduction_guide
;
@@ -349,6 +306,10 @@ functions(
int kind: int ref
);
builtin_functions(
int id: @function ref
)
function_entry_point(
int id: @function ref,
unique int entry_point: @stmt ref
@@ -419,7 +380,7 @@ fun_decls(
int function: @function ref,
int type_id: @type ref,
string name: string ref,
int location: @location ref
int location: @location_default ref
);
fun_def(unique int id: @fun_decl ref);
fun_specialized(unique int id: @fun_decl ref);
@@ -471,7 +432,7 @@ var_decls(
int variable: @variable ref,
int type_id: @type ref,
string name: string ref,
int location: @location ref
int location: @location_default ref
);
var_def(unique int id: @var_decl ref);
var_specialized(int id: @var_decl ref);
@@ -488,7 +449,7 @@ var_requires(
type_decls(
unique int id: @type_decl,
int type_id: @type ref,
int location: @location ref
int location: @location_default ref
);
type_def(unique int id: @type_decl ref);
type_decl_top(
@@ -502,8 +463,8 @@ type_requires(
namespace_decls(
unique int id: @namespace_decl,
int namespace_id: @namespace ref,
int location: @location ref,
int bodylocation: @location ref
int location: @location_default ref,
int bodylocation: @location_default ref
);
case @using.kind of
@@ -515,7 +476,7 @@ case @using.kind of
usings(
unique int id: @using,
int element_id: @element ref,
int location: @location ref,
int location: @location_default ref,
int kind: int ref
);
@@ -529,7 +490,7 @@ static_asserts(
unique int id: @static_assert,
int condition : @expr ref,
string message : string ref,
int location: @location ref,
int location: @location_default ref,
int enclosing : @element ref
);
@@ -585,7 +546,7 @@ enumconstants(
int index: int ref,
int type_id: @type ref,
string name: string ref,
int location: @location ref
int location: @location_default ref
);
@variable = @localscopevariable | @globalvariable | @membervariable;
@@ -889,7 +850,7 @@ is_proxy_class_for(
type_mentions(
unique int id: @type_mention,
int type_id: @type ref,
int location: @location ref,
int location: @location_default ref,
// a_symbol_reference_kind from the frontend.
int kind: int ref
);
@@ -946,7 +907,7 @@ template_template_argument_value(
concept_templates(
unique int concept_id: @concept_template,
string name: string ref,
int location: @location ref
int location: @location_default ref
);
concept_instantiation(
unique int to: @concept_id ref,
@@ -1050,7 +1011,7 @@ attributes(
int kind: int ref,
string name: string ref,
string name_space: string ref,
int location: @location ref
int location: @location_default ref
);
case @attribute.kind of
@@ -1067,7 +1028,7 @@ attribute_args(
int kind: int ref,
int attribute: @attribute ref,
int index: int ref,
int location: @location ref
int location: @location_default ref
);
case @attribute_arg.kind of
@@ -1156,7 +1117,7 @@ derivations(
int sub: @type ref,
int index: int ref,
int super: @type ref,
int location: @location ref
int location: @location_default ref
);
derspecifiers(
@@ -1190,7 +1151,7 @@ frienddecls(
unique int id: @frienddecl,
int type_id: @type ref,
int decl_id: @declaration ref,
int location: @location ref
int location: @location_default ref
);
@declaredtype = @usertype ;
@@ -1247,7 +1208,7 @@ frienddecls(
comments(
unique int id: @comment,
string contents: string ref,
int location: @location ref
int location: @location_default ref
);
commentbinding(
@@ -1369,7 +1330,7 @@ namequalifiers(
unique int id: @namequalifier,
unique int qualifiableelement: @namequalifiableelement ref,
int qualifyingelement: @namequalifyingelement ref,
int location: @location ref
int location: @location_default ref
);
varbind(
@@ -1638,7 +1599,7 @@ initialisers(
unique int init: @initialiser,
int var: @accessible ref,
unique int expr: @expr ref,
int location: @location ref
int location: @location_default ref
);
braced_initialisers(
@@ -1657,7 +1618,7 @@ expr_ancestor(
exprs(
unique int id: @expr,
int kind: int ref,
int location: @location ref
int location: @location_default ref
);
expr_reuse(
@@ -2131,7 +2092,7 @@ lambda_capture(
int field: @membervariable ref,
boolean captured_by_reference: boolean ref,
boolean is_implicit: boolean ref,
int location: @location ref
int location: @location_default ref
);
@funbindexpr = @routineexpr
@@ -2159,7 +2120,7 @@ fold(
stmts(
unique int id: @stmt,
int kind: int ref,
int location: @location ref
int location: @location_default ref
);
case @stmt.kind of
@@ -2344,7 +2305,7 @@ jumpinfo(
preprocdirects(
unique int id: @preprocdirect,
int kind: int ref,
int location: @location ref
int location: @location_default ref
);
case @preprocdirect.kind of
0 = @ppd_if
@@ -2400,76 +2361,73 @@ link_parent(
int link_target : @link_target ref
);
/* XML Files */
/*- XML Files -*/
xmlEncoding(unique int id: @file ref, string encoding: string ref);
xmlEncoding(
unique int id: @file ref,
string encoding: string ref
);
xmlDTDs(
unique int id: @xmldtd,
string root: string ref,
string publicId: string ref,
string systemId: string ref,
int fileid: @file ref
unique int id: @xmldtd,
string root: string ref,
string publicId: string ref,
string systemId: string ref,
int fileid: @file ref
);
xmlElements(
unique int id: @xmlelement,
string name: string ref,
int parentid: @xmlparent ref,
int idx: int ref,
int fileid: @file ref
unique int id: @xmlelement,
string name: string ref,
int parentid: @xmlparent ref,
int idx: int ref,
int fileid: @file ref
);
xmlAttrs(
unique int id: @xmlattribute,
int elementid: @xmlelement ref,
string name: string ref,
string value: string ref,
int idx: int ref,
int fileid: @file ref
unique int id: @xmlattribute,
int elementid: @xmlelement ref,
string name: string ref,
string value: string ref,
int idx: int ref,
int fileid: @file ref
);
xmlNs(
int id: @xmlnamespace,
string prefixName: string ref,
string URI: string ref,
int fileid: @file ref
int id: @xmlnamespace,
string prefixName: string ref,
string URI: string ref,
int fileid: @file ref
);
xmlHasNs(
int elementId: @xmlnamespaceable ref,
int nsId: @xmlnamespace ref,
int fileid: @file ref
int elementId: @xmlnamespaceable ref,
int nsId: @xmlnamespace ref,
int fileid: @file ref
);
xmlComments(
unique int id: @xmlcomment,
string text: string ref,
int parentid: @xmlparent ref,
int fileid: @file ref
unique int id: @xmlcomment,
string text: string ref,
int parentid: @xmlparent ref,
int fileid: @file ref
);
xmlChars(
unique int id: @xmlcharacters,
string text: string ref,
int parentid: @xmlparent ref,
int idx: int ref,
int isCDATA: int ref,
int fileid: @file ref
unique int id: @xmlcharacters,
string text: string ref,
int parentid: @xmlparent ref,
int idx: int ref,
int isCDATA: int ref,
int fileid: @file ref
);
@xmlparent = @file | @xmlelement;
@xmlnamespaceable = @xmlelement | @xmlattribute;
xmllocations(
int xmlElement: @xmllocatable ref,
int location: @location_default ref
int xmlElement: @xmllocatable ref,
int location: @location_default ref
);
@xmllocatable = @xmlcharacters
| @xmlelement
| @xmlcomment
| @xmlattribute
| @xmldtd
| @file
| @xmlnamespace;
@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;

4268
cpp/ql/lib/semmlecode.cpp.dbscheme.stats
View File

File diff suppressed because it is too large Load Diff

7
cpp/ql/lib/upgrades/5491582ac8511726e12fae3e2399000f9201cd9a/builtin_functions.ql Normal file
View File

@@ -0,0 +1,7 @@
class Function extends @function {
string toString() { none() }
}
from Function f
where functions(f, _, 6)
select f

9
cpp/ql/lib/upgrades/5491582ac8511726e12fae3e2399000f9201cd9a/functions.ql Normal file
View File

@@ -0,0 +1,9 @@
class Function extends @function {
string toString() { none() }
}
from Function f, string n, int k, int new_k
where
functions(f, n, k) and
if k = 6 then new_k = 1 else new_k = k
select f, n, new_k

2428
cpp/ql/lib/upgrades/5491582ac8511726e12fae3e2399000f9201cd9a/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2433
cpp/ql/lib/upgrades/5491582ac8511726e12fae3e2399000f9201cd9a/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

4
cpp/ql/lib/upgrades/5491582ac8511726e12fae3e2399000f9201cd9a/upgrade.properties Normal file
View File

@@ -0,0 +1,4 @@
description: Move builtin function identification to its own table
compatibility: full
functions.rel: run functions.qlo
builtin_functions.rel: run builtin_functions.qlo

2451
cpp/ql/lib/upgrades/827dbc206ea55377e032a8a934c8903fedc50fa0/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2428
cpp/ql/lib/upgrades/827dbc206ea55377e032a8a934c8903fedc50fa0/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

4
cpp/ql/lib/upgrades/827dbc206ea55377e032a8a934c8903fedc50fa0/upgrade.properties Normal file
View File

@@ -0,0 +1,4 @@
description: Remove unused external_package tables from the dbscheme
compatibility: full
external_packages.rel: delete
header_to_external_package.rel: delete

2475
cpp/ql/lib/upgrades/e70d0b653187b93d9688f21c9db46bb1cd46ab78/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2451
cpp/ql/lib/upgrades/e70d0b653187b93d9688f21c9db46bb1cd46ab78/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

6
cpp/ql/lib/upgrades/e70d0b653187b93d9688f21c9db46bb1cd46ab78/upgrade.properties Normal file
View File

@@ -0,0 +1,6 @@
description: sync dbscheme and delete svn tables
compatibility: full
svnentries.rel: delete
svnaffectedfiles.rel: delete
svnentrymsg.rel: delete
svnchurn.rel: delete

29
cpp/ql/src/Critical/GlobalUseBeforeInit.ql
View File

@@ -21,13 +21,29 @@ predicate initFunc(GlobalVariable v, Function f) {
)
}
/** Holds if `v` has an initializer in function `f` that dominates `node`. */
predicate dominatingInitInFunc(GlobalVariable v, Function f, ControlFlowNode node) {
exists(VariableAccess initAccess |
v.getAnAccess() = initAccess and
initAccess.isUsedAsLValue() and
initAccess.getEnclosingFunction() = f and
dominates(initAccess, node)
)
}
predicate safeAccess(VariableAccess access) {
// it is safe if the variable access is part of a `sizeof` expression
exists(SizeofExprOperator e | e.getAChild*() = access)
}
predicate useFunc(GlobalVariable v, Function f) {
exists(VariableAccess access |
v.getAnAccess() = access and
access.isRValue() and
access.getEnclosingFunction() = f
) and
not initFunc(v, f)
access.getEnclosingFunction() = f and
not safeAccess(access) and
not dominatingInitInFunc(v, f, access)
)
}
predicate uninitialisedBefore(GlobalVariable v, Function f) {
@@ -38,12 +54,14 @@ predicate uninitialisedBefore(GlobalVariable v, Function f) {
exists(Call call, Function g |
uninitialisedBefore(v, g) and
call.getEnclosingFunction() = g and
(not functionInitialises(f, v) or locallyUninitialisedAt(v, call)) and
(not functionInitialises(g, v) or locallyUninitialisedAt(v, call)) and
resolvedCall(call, f)
)
}
predicate functionInitialises(Function f, GlobalVariable v) {
initFunc(v, f)
or
exists(Call call |
call.getEnclosingFunction() = f and
initialisedBy(v, call)
@@ -60,7 +78,8 @@ predicate locallyUninitialisedAt(GlobalVariable v, Call call) {
exists(Call mid |
locallyUninitialisedAt(v, mid) and not initialisedBy(v, mid) and callPair(mid, call)
)
)
) and
not dominatingInitInFunc(v, call.getEnclosingFunction(), call)
}
predicate initialisedBy(GlobalVariable v, Call call) {

16
cpp/ql/src/Metrics/Dependencies/ExternalDependencies.qll
View File

@@ -26,12 +26,6 @@ private newtype LibraryT =
LibraryTElement(LibraryElement lib, string name, string version) {
lib.getName() = name and
lib.getVersion() = version
} or
LibraryTExternalPackage(@external_package ep, string name, string version) {
exists(string package_name |
external_packages(ep, _, package_name, version) and
name = package_name
)
}
/**
@@ -41,10 +35,7 @@ class Library extends LibraryT {
string name;
string version;
Library() {
this = LibraryTElement(_, name, version) or
this = LibraryTExternalPackage(_, name, version)
}
Library() { this = LibraryTElement(_, name, version) }
string getName() { result = name }
@@ -63,11 +54,6 @@ class Library extends LibraryT {
this = LibraryTElement(lib, _, _) and
result = lib.getAFile()
)
or
exists(@external_package ep |
this = LibraryTExternalPackage(ep, _, _) and
header_to_external_package(unresolveElement(result), ep)
)
}
}

4
cpp/ql/src/change-notes/2025-07-01-global-vars-ubi-query-fixes.md.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed a number of false positives and false negatives in `cpp/global-use-before-init`. Note that this query is not part of any of the default query suites.

2
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -4717,7 +4717,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
| stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
| stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
| stl.h:292:53:292:63 | 0 | stl.h:292:46:292:64 | (no string representation) | TAINT |
| stl.h:292:53:292:63 | 0 | stl.h:292:46:292:64 | constructor init | TAINT |
| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |
| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |
| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |

6
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

@@ -15134,7 +15134,7 @@ ir.cpp:
# 1506| [Constructor] void Inheritance_Test_A::Inheritance_Test_A()
# 1506| <params>:
# 1506| <initializations>:
# 1506| getInitializer(0): (no string representation)
# 1506| getInitializer(0): [ConstructorInit] constructor init
# 1506| Type = [Struct] Inheritance_Test_B
# 1506| ValueCategory = prvalue
# 1506| getInitializer(1): [ConstructorFieldInit] constructor init of field x
@@ -17205,7 +17205,7 @@ ir.cpp:
# 1785| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1785| Type = [SpecifiedType] const CopyConstructorTestNonVirtualClass
# 1785| ValueCategory = lvalue
# 1785| getInitializer(1): (no string representation)
# 1785| getInitializer(1): [ConstructorInit] constructor init
# 1785| Type = [VirtualBaseClass] CopyConstructorWithBitwiseCopyClass
# 1785| ValueCategory = prvalue
# 1785| getEntryPoint(): [BlockStmt] { ... }
@@ -17254,7 +17254,7 @@ ir.cpp:
# 1792| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1792| Type = [SpecifiedType] const CopyConstructorTestVirtualClass
# 1792| ValueCategory = lvalue
# 1792| getInitializer(1): (no string representation)
# 1792| getInitializer(1): [ConstructorInit] constructor init
# 1792| Type = [VirtualBaseClass] CopyConstructorWithBitwiseCopyClass
# 1792| ValueCategory = prvalue
# 1792| getEntryPoint(): [BlockStmt] { ... }

1
cpp/ql/test/library-tests/ptr_to_member/segfault/exprs.expected
View File

@@ -4,6 +4,7 @@
| file://:0:0:0:0 | uls | file://:0:0:0:0 | unsigned long |
| segfault.cpp:25:46:25:65 | call to S | file://:0:0:0:0 | void |
| segfault.cpp:25:46:25:65 | call to S | file://:0:0:0:0 | void |
| segfault.cpp:25:46:25:65 | constructor init | segfault.cpp:22:8:22:8 | S<T> |
| segfault.cpp:25:48:25:55 | __second | segfault.cpp:15:7:15:11 | tuple |
| segfault.cpp:25:48:25:55 | __second | segfault.cpp:15:7:15:11 | tuple |
| segfault.cpp:25:48:25:55 | __second | segfault.cpp:15:7:15:11 | tuple |

3
cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.expected
View File

@@ -1 +1,2 @@
| test.cpp:27:5:27:6 | f1 | The variable $@ is used in this function but may not be initialized when it is called. | test.cpp:14:5:14:5 | b | b |
| test.cpp:28:5:28:6 | f1 | The variable $@ is used in this function but may not be initialized when it is called. | test.cpp:14:5:14:5 | b | b |
| test.cpp:39:5:39:8 | main | The variable $@ is used in this function but may not be initialized when it is called. | test.cpp:14:5:14:5 | b | b |

12
cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp
View File

@@ -12,6 +12,7 @@ int vfprintf (FILE *, const char *, va_list);
int a = 1;
int b;
int *c;
int my_printf(const char * fmt, ...)
{
@@ -31,8 +32,15 @@ int f1()
return 0;
}
void f2() {
my_printf("%d\n", b); // GOOD
}
int main()
{
int b = f1();
unsigned size = sizeof(*c); // GOOD
my_printf("%d\n", b); // BAD
b = f1();
f2();
return 0;
}
}

39
csharp/ql/src/codeql-suites/csharp-security-and-quality.qls
View File

@@ -1,24 +1,7 @@
- description: Security-and-quality queries for C#
- queries: .
- include:
kind:
- problem
- path-problem
precision:
- high
- very-high
tags contain:
- security
- include:
kind:
- problem
- path-problem
precision: medium
problem.severity:
- error
- warning
tags contain:
- security
- apply: security-and-frozen-quality-selectors.yml
from: codeql/suite-helpers
- include:
id:
- cs/asp/response-write
@@ -123,21 +106,3 @@
- cs/wrong-compareto-signature
- cs/wrong-equals-signature
- cs/xmldoc/missing-summary
- include:
kind:
- diagnostic
- include:
kind:
- metric
tags contain:
- summary
- exclude:
deprecated: //
- exclude:
query path:
- /^experimental\/.*/
- Metrics/Summaries/FrameworkCoverage.ql
- exclude:
tags contain:
- modeleditor
- modelgenerator

1
docs/codeql/query-help/rust-cwe.md
View File

@@ -5,3 +5,4 @@ An overview of CWE coverage for Rust in the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

8
docs/query-help-style-guide.md
View File

@@ -100,7 +100,7 @@ Note, if any code words are included in the `overview` and `recommendation` sect
## Including references
You should include one or more references, formatted as an unordered list (`- ...` or `* ...`) in Markdown or with `<li> ... </li>` for each item in XML, to provide further information about the problem that your query is designed to find. References can be of the following types:
You should include one or more references, formatted as an unordered list (`- ...` or `* ...`) in Markdown or with `<li> ... </li>` for each item in XML, to provide further information about the problem that your query is designed to find. Each reference should end in a full stop. References can be of the following types:
### Books
@@ -124,7 +124,7 @@ If you are citing an academic paper, we recommend adopting the reference style o
If you are citing a website, please use the following format, without breadcrumb trails:
>\<Name of website>: \<Name of page or anchor>
>\<Name of website>: \<Name of page or anchor>.
For example:
@@ -242,8 +242,8 @@ tab width settings cannot be taken into account.
## References
* Java SE Documentation: [Compound Statements](https://www.oracle.com/java/technologies/javase/codeconventions-statements.html#15395)
* Wikipedia: [Indentation style](https://en.wikipedia.org/wiki/Indentation_style)
* Java SE Documentation: [Compound Statements](https://www.oracle.com/java/technologies/javase/codeconventions-statements.html#15395).
* Wikipedia: [Indentation style](https://en.wikipedia.org/wiki/Indentation_style).
````
### XML example

26
go/ql/src/codeql-suites/go-security-and-quality.qls
View File

@@ -1,4 +1,28 @@
- description: Security-and-quality queries for Go
- queries: .
- apply: security-and-quality-selectors.yml
- apply: security-and-frozen-quality-selectors.yml
from: codeql/suite-helpers
- include:
id:
- go/comparison-of-identical-expressions
- go/constant-length-comparison
- go/duplicate-branches
- go/duplicate-condition
- go/duplicate-switch-case
- go/impossible-interface-nil-check
- go/inconsistent-loop-direction
- go/index-out-of-bounds
- go/missing-error-check
- go/mistyped-exponentiation
- go/negative-length-check
- go/redundant-assignment
- go/redundant-operation
- go/redundant-recover
- go/shift-out-of-range
- go/unexpected-nil-value
- go/unhandled-writable-file-close
- go/unreachable-statement
- go/useless-assignment-to-field
- go/useless-assignment-to-local
- go/useless-expression
- go/whitespace-contradicts-precedence

9
java/ql/src/Likely Bugs/Concurrency/CallsToRunnableRun.qhelp
View File

@@ -49,6 +49,15 @@ continue while the child thread is waiting, so that "Main thread activity" is pr
<li>
The Java Tutorials: <a href="https://docs.oracle.com/javase/tutorial/essential/concurrency/runthread.html">Defining and Starting a Thread</a>.
</li>
<li>
SEI CERT Oracle Coding Standard for Java: <a href="https://wiki.sei.cmu.edu/confluence/display/java/THI00-J.+Do+not+invoke+Thread.run()">THI00-J. Do not invoke Thread.run()</a>.
</li>
<li>
Java API Specification: <a href="https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/Thread.html">Thread</a>.
</li>
<li>
Java API Specification: <a href="https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/Runnable.html">Runnable</a>.
</li>
</references>

1
java/ql/src/Likely Bugs/Concurrency/CallsToRunnableRun.ql
View File

@@ -6,6 +6,7 @@
* @problem.severity recommendation
* @precision high
* @id java/call-to-thread-run
* @previous-id java/run-method-called-on-java-lang-thread-directly
* @tags quality
* reliability
* concurrency

4
java/ql/src/Performance/StringReplaceAllWithNonRegex.md
View File

@@ -1,7 +1,3 @@
# Use of `String#replaceAll` with a first argument which is not a regular expression
Using `String#replaceAll` is less performant than `String#replace` when the first argument is not a regular expression.
## Overview
The `String#replaceAll` method is designed to work with regular expressions as its first parameter. When you use a simple string without any regex patterns (like special characters or syntax), it's more efficient to use `String#replace` instead. This is because `replaceAll` has to compile the input as a regular expression first, which adds unnecessary overhead when you are just replacing literal text.

8
java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
View File

@@ -8,6 +8,8 @@ Avoid calling `finalize()` in application code. Allow the JVM to determine a gar
## Example
### Incorrect Usage
```java
class LocalCache {
private Collection<File> cacheFiles = ...;
@@ -19,9 +21,10 @@ void main() {
// ...
cache.finalize(); // NON_COMPLIANT
}
```
### Correct Usage
```java
import java.lang.AutoCloseable;
import java.lang.Override;
@@ -43,10 +46,9 @@ void main() {
// ...
}
}
```
# Implementation Notes
## Implementation Notes
This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on method declarations overriding `finalize()`.

40
java/ql/src/codeql-suites/java-security-and-quality.qls
View File

@@ -1,24 +1,7 @@
- description: Security-and-quality queries for Java
- queries: .
- include:
kind:
- problem
- path-problem
precision:
- high
- very-high
tags contain:
- security
- include:
kind:
- problem
- path-problem
precision: medium
problem.severity:
- error
- warning
tags contain:
- security
- apply: security-and-frozen-quality-selectors.yml
from: codeql/suite-helpers
- include:
id:
- java/abs-of-random
@@ -143,22 +126,3 @@
- java/wrong-object-serialization-signature
- java/wrong-readresolve-signature
- java/wrong-swing-event-adapter-signature
- include:
kind:
- diagnostic
- include:
kind:
- metric
tags contain:
- summary
- exclude:
deprecated: //
- exclude:
query path:
- /^experimental\/.*/
- Metrics/Summaries/FrameworkCoverage.ql
- /Diagnostics/Internal/.*/
- exclude:
tags contain:
- modeleditor
- modelgenerator

6
java/ql/test/query-tests/CallsToRunnableRun/CallsToRunnableRun.expected
View File

@@ -1 +1,5 @@
| CallsToRunnableRun.java:15:3:15:15 | run(...) | Calling 'Thread.run()' rather than 'Thread.start()' will not spawn a new thread. |
| CallsToRunnableRun.java:67:5:67:16 | run(...) | Calling 'Thread.run()' rather than 'Thread.start()' will not spawn a new thread. |
| CallsToRunnableRun.java:71:5:71:24 | run(...) | Calling 'Thread.run()' rather than 'Thread.start()' will not spawn a new thread. |
| CallsToRunnableRun.java:75:5:75:24 | run(...) | Calling 'Thread.run()' rather than 'Thread.start()' will not spawn a new thread. |
| CallsToRunnableRun.java:79:5:79:27 | run(...) | Calling 'Thread.run()' rather than 'Thread.start()' will not spawn a new thread. |
| CallsToRunnableRun.java:83:5:83:27 | run(...) | Calling 'Thread.run()' rather than 'Thread.start()' will not spawn a new thread. |

111
java/ql/test/query-tests/CallsToRunnableRun/CallsToRunnableRun.java
View File

@@ -1,18 +1,95 @@
import java.lang.Runnable;
public class CallsToRunnableRun extends Thread implements Runnable{
private Thread wrapped;
private Runnable callback;
@Override
public void run() {
wrapped.run();
callback.run();
}
public void bad() {
wrapped.run();
callback.run();
}
class Job implements Runnable {
public void run() {
/* ... */
}
}
/**
* A class that subclasses `java.lang.Thread` and inherits its `.run()` method.
*/
class AnotherThread1 extends Thread {
AnotherThread1(Runnable runnable) {
super(runnable);
}
}
/**
* A class that directly subclasses `java.lang.Thread` and overrides its
* `.run()` method.
*/
class AnotherThread2 extends Thread {
AnotherThread2(Runnable runnable) {
super(runnable);
}
/**
* An overriding definition of `Thread.run`.
*/
@Override
public void run() {
super.run(); // COMPLIANT: called within a `run` method
}
}
/**
* A class that indirectly subclasses `java.lang.Thread` by subclassing
* `AnotherThread1` and inherits its `.run()`
* method.
*/
class YetAnotherThread1 extends AnotherThread1 {
YetAnotherThread1(Runnable runnable) {
super(runnable);
}
}
/**
* A class that indirectly subclasses `java.lang.Thread` by subclassing
* `AnotherThread2` and overrides its `.run()`
* method.
*/
class YetAnotherThread2 extends AnotherThread2 {
YetAnotherThread2(Runnable runnable) {
super(runnable);
}
/**
* An overriding definition of `AnotherThread.run`.
*/
@Override
public void run() {
super.run(); // COMPLIANT: called within a `run` method
}
}
class ThreadExample {
public void f() {
Thread thread = new Thread(new Job());
thread.run(); // $ Alert - `Thread.run()` called directly.
thread.start(); // COMPLIANT: Thread started with `.start()`.
AnotherThread1 anotherThread1 = new AnotherThread1(new Job());
anotherThread1.run(); // $ Alert - Inherited `Thread.run()` called on its instance.
anotherThread1.start(); // COMPLIANT: Inherited `Thread.start()` used to start the thread.
AnotherThread2 anotherThread2 = new AnotherThread2(new Job());
anotherThread2.run(); // $ Alert - Overriden `Thread.run()` called on its instance.
anotherThread2.start(); // COMPLIANT: Overriden `Thread.start()` used to start the thread.
YetAnotherThread1 yetAnotherThread1 = new YetAnotherThread1(new Job());
yetAnotherThread1.run(); // $ Alert - Inherited `AnotherThread1.run()` called on its instance.
yetAnotherThread1.start(); // COMPLIANT: Inherited `AnotherThread.start()` used to start the thread.
YetAnotherThread2 yetAnotherThread2 = new YetAnotherThread2(new Job());
yetAnotherThread2.run(); // $ Alert - Overriden `AnotherThread2.run()` called on its instance.
yetAnotherThread2.start(); // COMPLIANT: Overriden `AnotherThread2.start()` used to start the thread.
Runnable runnable = new Runnable() {
public void run() {
/* ... */ }
};
runnable.run(); // COMPLIANT: called on `Runnable` object.
Job job = new Job();
job.run(); // COMPLIANT: called on `Runnable` object.
}
}

3
java/ql/test/query-tests/CallsToRunnableRun/CallsToRunnableRun.qlref
View File

@@ -1 +1,2 @@
Likely Bugs/Concurrency/CallsToRunnableRun.ql
query: Likely Bugs/Concurrency/CallsToRunnableRun.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

34
javascript/ql/src/codeql-suites/javascript-security-and-quality.qls
View File

@@ -1,24 +1,7 @@
- description: Security-and-quality queries for JavaScript
- queries: .
- include:
kind:
- problem
- path-problem
precision:
- high
- very-high
tags contain:
- security
- include:
kind:
- problem
- path-problem
precision: medium
problem.severity:
- error
- warning
tags contain:
- security
- apply: security-and-frozen-quality-selectors.yml
from: codeql/suite-helpers
- include:
id:
- js/node/assignment-to-exports-variable
@@ -123,16 +106,3 @@
- js/diagnostics/successfully-extracted-files
- js/summary/lines-of-code
- js/summary/lines-of-user-code
- include:
kind:
- diagnostic
- include:
kind:
- metric
tags contain:
- summary
- exclude:
deprecated: //
- exclude:
query path:
- /^experimental\/.*/

2
misc/scripts/generate-code-scanning-query-list.py
View File

@@ -30,7 +30,7 @@ arguments = parser.parse_args()
assert hasattr(arguments, "ignore_missing_query_packs")
# Define which languages and query packs to consider
languages = [ "actions", "cpp", "csharp", "go", "java", "javascript", "python", "ruby", "swift" ]
languages = [ "actions", "cpp", "csharp", "go", "java", "javascript", "python", "ruby", "rust", "swift" ]
packs = [ "code-scanning", "security-and-quality", "security-extended", "security-experimental", "code-quality"]
class CodeQL:

2
misc/scripts/shared-code-metrics.py
View File

@@ -11,7 +11,7 @@ import json
import yaml
# To add more languages, add them to this list:
languages = ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ql', 'ruby', 'swift']
languages = ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ql', 'ruby', 'rust', 'swift']
repo_location = Path(__file__).parent.parent.parent

5
misc/suite-helpers/security-and-frozen-quality-selectors.yml Normal file
View File

@@ -0,0 +1,5 @@
- description: Selectors for selecting the non-quality queries for the security-and-quality queries for a language
- apply: security-extended-selectors.yml
- exclude:
tags contain:
- 'model-generator'

137
python/extractor/tests/parser/soft_keywords_new.expected Normal file
View File

@@ -0,0 +1,137 @@
Module: [1, 0] - [21, 0]
body: [
Expr: [1, 0] - [1, 8]
value:
Subscript: [1, 0] - [1, 8]
value:
Name: [1, 0] - [1, 5]
variable: Variable('match', None)
ctx: Load
index:
Num: [1, 6] - [1, 7]
n: 1
text: '1'
ctx: Load
Assign: [2, 0] - [2, 12]
targets: [
Subscript: [2, 0] - [2, 8]
value:
Name: [2, 0] - [2, 5]
variable: Variable('match', None)
ctx: Load
index:
Num: [2, 6] - [2, 7]
n: 2
text: '2'
ctx: Store
]
value:
Num: [2, 11] - [2, 12]
n: 3
text: '3'
Assign: [4, 0] - [4, 13]
targets: [
Attribute: [4, 0] - [4, 9]
value:
Name: [4, 0] - [4, 5]
variable: Variable('match', None)
ctx: Load
attr: 'foo'
ctx: Store
]
value:
Num: [4, 12] - [4, 13]
n: 4
text: '4'
Expr: [6, 0] - [6, 7]
value:
Call: [6, 0] - [6, 7]
func:
Name: [6, 0] - [6, 5]
variable: Variable('match', None)
ctx: Load
positional_args: []
named_args: []
AnnAssign: [8, 0] - [8, 15]
value: None
annotation:
Name: [8, 11] - [8, 15]
variable: Variable('case', None)
ctx: Load
target:
Subscript: [8, 0] - [8, 8]
value:
Name: [8, 0] - [8, 5]
variable: Variable('match', None)
ctx: Load
index:
Num: [8, 6] - [8, 7]
n: 5
text: '5'
ctx: Store
Match: [12, 0] - [14, 12]
subject:
List: [12, 6] - [12, 9]
elts: [
Num: [12, 7] - [12, 8]
n: 6
text: '6'
]
ctx: Load
cases: [
Case: [13, 4] - [14, 12]
pattern:
MatchLiteralPattern: [13, 9] - [13, 10]
literal:
Num: [13, 9] - [13, 10]
n: 7
text: '7'
guard: None
body: [
Pass: [14, 8] - [14, 12]
]
]
Print: [17, 0] - [17, 19]
dest:
Num: [17, 9] - [17, 10]
n: 8
text: '8'
values: [
Str: [17, 12] - [17, 19]
s: 'hello'
prefix: '"'
implicitly_concatenated_parts: None
]
nl: True
Expr: [18, 0] - [18, 19]
value:
Tuple: [18, 0] - [18, 19]
elts: [
BinOp: [18, 0] - [18, 10]
left:
Name: [18, 0] - [18, 5]
variable: Variable('pront', None)
ctx: Load
op: RShift
right:
Num: [18, 9] - [18, 10]
n: 9
text: '9'
Str: [18, 12] - [18, 19]
s: 'world'
prefix: '"'
implicitly_concatenated_parts: None
]
ctx: Load
Expr: [20, 0] - [20, 10]
value:
Await: [20, 0] - [20, 10]
value:
List: [20, 6] - [20, 10]
elts: [
Num: [20, 7] - [20, 9]
n: 10
text: '10'
]
ctx: Load
]

20
python/extractor/tests/parser/soft_keywords_new.py Normal file
View File

@@ -0,0 +1,20 @@
match[1]
match[2] = 3
match.foo = 4
match()
match[5] : case
# match used "properly"
match [6]:
case 7:
pass
print >> 8, "hello" # Python 2-style print
pront >> 9, "world" # How this would be interpreted in Python 3
await [10] # In Python 2 this would be an indexing operation, but it's more likely to be an await.

5
python/extractor/tsg-python/tsp/grammar.js
View File

@@ -36,6 +36,7 @@ module.exports = grammar({
[$.tuple, $.tuple_pattern],
[$.list, $.list_pattern],
[$.with_item, $._collection_elements],
[$.match_statement, $.primary_expression],
],
supertypes: $ => [
@@ -349,7 +350,7 @@ module.exports = grammar({
))
)),
match_statement: $ => seq(
match_statement: $ => prec(-3, seq(
'match',
field('subject',
choice(
@@ -359,7 +360,7 @@ module.exports = grammar({
),
':',
field('cases', $.cases)
),
)),
cases: $ => repeat1($.case_block),

84
python/extractor/tsg-python/tsp/src/grammar.json
View File

@@ -1407,47 +1407,51 @@
}
},
"match_statement": {
"type": "SEQ",
"members": [
{
"type": "STRING",
"value": "match"
},
{
"type": "FIELD",
"name": "subject",
"content": {
"type": "CHOICE",
"members": [
{
"type": "SYMBOL",
"name": "expression"
},
{
"type": "ALIAS",
"content": {
"type": "PREC",
"value": -3,
"content": {
"type": "SEQ",
"members": [
{
"type": "STRING",
"value": "match"
},
{
"type": "FIELD",
"name": "subject",
"content": {
"type": "CHOICE",
"members": [
{
"type": "SYMBOL",
"name": "expression_list"
"name": "expression"
},
"named": true,
"value": "tuple"
}
]
{
"type": "ALIAS",
"content": {
"type": "SYMBOL",
"name": "expression_list"
},
"named": true,
"value": "tuple"
}
]
}
},
{
"type": "STRING",
"value": ":"
},
{
"type": "FIELD",
"name": "cases",
"content": {
"type": "SYMBOL",
"name": "cases"
}
}
},
{
"type": "STRING",
"value": ":"
},
{
"type": "FIELD",
"name": "cases",
"content": {
"type": "SYMBOL",
"name": "cases"
}
}
]
]
}
},
"cases": {
"type": "REPEAT1",
@@ -6675,6 +6679,10 @@
[
"with_item",
"_collection_elements"
],
[
"match_statement",
"primary_expression"
]
],
"precedences": [],

95760
python/extractor/tsg-python/tsp/src/parser.c
View File

File diff suppressed because it is too large Load Diff

3
python/extractor/tsg-python/tsp/src/tree_sitter/array.h
View File

@@ -14,6 +14,7 @@ extern "C" {
#include <string.h>
#ifdef _MSC_VER
#pragma warning(push)
#pragma warning(disable : 4101)
#elif defined(__GNUC__) || defined(__clang__)
#pragma GCC diagnostic push
@@ -278,7 +279,7 @@ static inline void _array__splice(Array *self, size_t element_size,
#define _compare_int(a, b) ((int)*(a) - (int)(b))
#ifdef _MSC_VER
#pragma warning(default : 4101)
#pragma warning(pop)
#elif defined(__GNUC__) || defined(__clang__)
#pragma GCC diagnostic pop
#endif

1
python/extractor/tsg-python/tsp/src/tree_sitter/parser.h
View File

@@ -123,6 +123,7 @@ struct TSLanguage {
unsigned (*serialize)(void *, char *);
void (*deserialize)(void *, const char *, unsigned);
} external_scanner;
const TSStateId *primary_state_ids;
};
/*

5
python/ql/lib/change-notes/2025-06-26-fix-match-as-identifier.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: fix
---
- The Python parser is now able to correctly parse expressions such as `match[1]` and `match()` where `match` is not used as a keyword.

126
python/ql/src/codeql-suites/python-security-and-quality.qls
View File

@@ -1,4 +1,128 @@
- description: Security-and-quality queries for Python
- queries: .
- apply: security-and-quality-selectors.yml
- apply: security-and-frozen-quality-selectors.yml
from: codeql/suite-helpers
- include:
id:
- py/asserts-tuple
- py/attribute-shadows-method
- py/call-to-non-callable
- py/call/wrong-arguments
- py/call/wrong-named-argument
- py/call/wrong-named-class-argument
- py/call/wrong-number-class-arguments
- py/catch-base-exception
- py/commented-out-code
- py/comparison-missing-self
- py/comparison-of-constants
- py/comparison-of-identical-expressions
- py/comparison-using-is
- py/conflicting-attributes
- py/constant-conditional-expression
- py/cyclic-import
- py/deprecated-slice-method
- py/duplicate-key-dict-literal
- py/empty-except
- py/encoding-error
- py/equals-hash-mismatch
- py/exit-from-finally
- py/explicit-call-to-delete
- py/explicit-return-in-init
- py/file-not-closed
- py/hash-unhashable-value
- py/illegal-raise
- py/implicit-string-concatenation-in-list
- py/import-and-import-from
- py/import-deprecated-module
- py/import-of-mutable-attribute
- py/import-own-module
- py/imprecise-assert
- py/incomplete-ordering
- py/inconsistent-equality
- py/inconsistent-mro
- py/ineffectual-statement
- py/inheritance/incorrect-overridden-signature
- py/inheritance/incorrect-overriding-signature
- py/inheritance/signature-mismatch
- py/init-calls-subclass
- py/init-method-is-generator
- py/iter-returns-non-iterator
- py/iter-returns-non-self
- py/iteration-string-and-sequence
- py/leaking-list-comprehension
- py/loop-variable-capture
- py/member-test-non-container
- py/mismatched-multiple-assignment
- py/missing-call-to-delete
- py/missing-call-to-init
- py/missing-equals
- py/mixed-returns
- py/mixed-tuple-returns
- py/modification-of-default-value
- py/modification-of-locals
- py/multiple-calls-to-delete
- py/multiple-calls-to-init
- py/multiple-definition
- py/mutable-descriptor
- py/nested-loops-with-same-variable
- py/nested-loops-with-same-variable-reused
- py/non-iterable-in-for-loop
- py/not-named-cls
- py/not-named-self
- py/old-style-octal-literal
- py/overly-complex-delete
- py/overwritten-inherited-attribute
- py/percent-format/not-mapping
- py/percent-format/unsupported-character
- py/percent-format/wrong-arguments
- py/polluting-import
- py/print-during-import
- py/procedure-return-value-used
- py/property-in-old-style-class
- py/pythagorean
- py/raise-not-implemented
- py/raises-tuple
- py/redundant-assignment
- py/redundant-comparison
- py/redundant-else
- py/redundant-global-declaration
- py/regex/backspace-escape
- py/regex/duplicate-in-character-class
- py/regex/incomplete-special-group
- py/regex/unmatchable-caret
- py/regex/unmatchable-dollar
- py/repeated-import
- py/return-or-yield-outside-function
- py/should-use-with
- py/side-effect-in-assert
- py/slots-in-old-style-class
- py/special-method-wrong-signature
- py/str-format/missing-argument
- py/str-format/missing-named-argument
- py/str-format/mixed-fields
- py/str-format/surplus-argument
- py/str-format/surplus-named-argument
- py/super-in-old-style
- py/super-not-enclosing-class
- py/syntax-error
- py/test-equals-none
- py/truncated-division
- py/undefined-export
- py/undefined-placeholder-variable
- py/unexpected-raise-in-special-method
- py/unguarded-next-in-generator
- py/uninitialized-local-variable
- py/unnecessary-delete
- py/unnecessary-lambda
- py/unnecessary-pass
- py/unreachable-except
- py/unreachable-statement
- py/unsafe-cyclic-import
- py/unused-exception-object
- py/unused-global-variable
- py/unused-import
- py/unused-local-variable
- py/unused-loop-variable
- py/use-of-apply
- py/use-of-exit-or-quit
- py/useless-except

19
ruby/ql/lib/codeql/ruby/ast/internal/Literal.qll
View File

@@ -579,12 +579,27 @@ abstract class StringlikeLiteralImpl extends Expr, TStringlikeLiteral {
)
}
pragma[nomagic]
private StringComponentImpl getComponentImplRestricted(int n) {
result = this.getComponentImpl(n) and
strictsum(int length, int i | length = this.getComponentImpl(i).getValue().length() | length) <
10000
}
// 0 components results in the empty string
// if all interpolations have a known string value, we will get a result
// if all interpolations have a known string value, we will get a result, unless the
// combined length exceeds 10,000 characters
language[monotonicAggregates]
final string getStringValue() {
not exists(this.getComponentImpl(_)) and
result = ""
or
result =
concat(StringComponentImpl c, int i | c = this.getComponentImpl(i) | c.getValue() order by i)
strictconcat(StringComponentImpl c, int i |
c = this.getComponentImplRestricted(i)
|
c.getValue() order by i
)
}
}

7
ruby/ql/src/codeql-suites/ruby-security-and-quality.qls
View File

@@ -1,4 +1,9 @@
- description: Security-and-quality queries for Ruby
- queries: .
- apply: security-and-quality-selectors.yml
- apply: security-and-frozen-quality-selectors.yml
from: codeql/suite-helpers
- include:
id:
- rb/database-query-in-loop
- rb/uninitialized-local-variable
- rb/useless-assignment-to-local

15
ruby/ql/src/queries/variables/UninitializedLocal.md
View File

@@ -1,6 +1,4 @@
# Method call on `nil`
## Description
## Overview
In Ruby, it is not necessary to explicitly initialize variables.
If a local variable has not been explicitly initialized, it will have the value `nil`. If this happens unintentionally, though, the variable will not represent an object with the expected methods, and a method call on the variable will raise a `NoMethodError`.
@@ -11,7 +9,9 @@ This can be achieved by using a safe navigation or adding a check for `nil`.
Note: You do not need to explicitly initialize the variable, if you can make the program deal with the possible `nil` value. In particular, initializing the variable to `nil` will have no effect, as this is already the value of the variable. If `nil` is the only possible default value, you need to handle the `nil` value instead of initializing the variable.
## Examples
## Example
### Incorrect Usage
In the following code, the call to `create_file` may fail and then the call `f.close` will raise a `NoMethodError` since `f` will be `nil` at that point.
@@ -24,6 +24,8 @@ ensure
end
```
### Correct Usage
We can fix this by using safe navigation:
```ruby
def dump(x)
@@ -36,6 +38,5 @@ end
## References
- https://www.rubyguides.com/: [Nil](https://www.rubyguides.com/2018/01/ruby-nil/)
- https://ruby-doc.org/: [NoMethodError](https://ruby-doc.org/core-2.6.5/NoMethodError.html)
- RubyGuides: [Everything You Need To Know About Nil](https://www.rubyguides.com/2018/01/ruby-nil/).
- Ruby-Doc.org: [NoMethodError](https://ruby-doc.org/core-2.6.5/NoMethodError.html).

3633
rust/downgrades/8e9b0c516ae822286689672d1020707020128a19/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

3638
rust/downgrades/8e9b0c516ae822286689672d1020707020128a19/rust.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
rust/downgrades/8e9b0c516ae822286689672d1020707020128a19/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Revert making `@assoc_item` and `@extern_item` subtypes of `@item`
compatibility: full

2
rust/extractor/src/generated/.generated.list generated
View File

@@ -1,2 +1,2 @@
mod.rs 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7
top.rs d80090945fca0c60a08bee4c904b376f5c164a5df6c632c11d744a3c7926be31 d80090945fca0c60a08bee4c904b376f5c164a5df6c632c11d744a3c7926be31
top.rs 409eb2e5fb18cb360a7d255fc2d7926a78bcd2d3c9f8dcdfce0419cea49d1489 409eb2e5fb18cb360a7d255fc2d7926a78bcd2d3c9f8dcdfce0419cea49d1489

1386
rust/extractor/src/generated/top.rs generated
View File

File diff suppressed because it is too large Load Diff

17
rust/extractor/src/translate/base.rs
View File

@@ -164,23 +164,6 @@ impl Emission<ast::MacroCall> for Translator<'_> {
self.extract_macro_call_expanded(node, label);
}
}
// TODO: remove the manually written Label conversions. These can be auto-generated by
// ch
// anging the base class of AssocItem from AstNode to Item
impl From<Label<generated::AssocItem>> for Label<generated::Item> {
fn from(value: Label<generated::AssocItem>) -> Self {
// SAFETY: this is safe because every concrete instance of `@assoc_item` is also an instance of `@item`
unsafe { Self::from_untyped(value.as_untyped()) }
}
}
// TODO: remove the manually written Label conversions. These can be auto-generated by
// changing the base class of ExternItem from AstNode to Item
impl From<Label<generated::ExternItem>> for Label<generated::Item> {
fn from(value: Label<generated::ExternItem>) -> Self {
// SAFETY: this is safe because every concrete instance of `@extern_item` is also an instance of `@item`
unsafe { Self::from_untyped(value.as_untyped()) }
}
}
// see https://github.com/tokio-rs/tracing/issues/2730
macro_rules! dispatch_to_tracing {

Some files were not shown because too many files have changed in this diff Show More