hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13918 from github/post-release-prep/codeql-cli-2.14.2

Browse Source 
Post-release preparation for codeql-cli-2.14.2
This commit is contained in:
Henry Mercer
2023-08-11 16:28:16 +01:00
committed by GitHub
parent e39fb093e9 1213eba630
commit 75e6fd9c8e
141 changed files with 423 additions and 418 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,18 @@
## 0.9.0
### Breaking Changes
* The `shouldPrintFunction` predicate from `PrintAstConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
* The `shouldPrintFunction` predicate from `PrintIRConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
### Major Analysis Improvements
* The `PrintAST` library now also prints global and namespace variables and their initializers.
### Minor Analysis Improvements
* The `_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.
## 0.8.1
### Deprecated APIs

4
cpp/ql/lib/change-notes/2023-07-20-print-global-variables.md
View File

@@ -1,4 +0,0 @@
---
category: majorAnalysis
---
* The `PrintAST` library now also prints global and namespace variables and their initializers.

4
cpp/ql/lib/change-notes/2023-08-07-removal-of-float128x.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.

15
cpp/ql/lib/change-notes/2023-07-19-rename-should-print-function.md → cpp/ql/lib/change-notes/released/0.9.0.md
View File

@@ -1,5 +1,14 @@
---
category: breaking
---
## 0.9.0
### Breaking Changes
* The `shouldPrintFunction` predicate from `PrintAstConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
* The `shouldPrintFunction` predicate from `PrintIRConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
### Major Analysis Improvements
* The `PrintAST` library now also prints global and namespace variables and their initializers.
### Minor Analysis Improvements
* The `_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.9.0

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.8.2-dev
version: 0.9.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

5
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
View File

@@ -307,8 +307,3 @@ class SemConditionalExpr extends SemKnownExpr {
branch = false and result = falseResult
}
}
/** Holds if `upper = true` and `e <= bound` or `upper = false` and `e >= bound`. */
predicate semHasConstantBoundConstantSpecific(SemExpr e, float bound, boolean upper) {
Specific::hasConstantBoundConstantSpecific(e, bound, upper)
}

46
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll
View File

@@ -434,50 +434,6 @@ module SemanticExprConfig {
/** Gets the expression associated with `instr`. */
SemExpr getSemanticExpr(IR::Instruction instr) { result = Equiv::getEquivalenceClass(instr) }
private predicate typeBounds(SemType t, float lb, float ub) {
exists(SemIntegerType integralType, float limit |
integralType = t and limit = 2.pow(8 * integralType.getByteSize())
|
if integralType instanceof SemBooleanType
then lb = 0 and ub = 1
else
if integralType.isSigned()
then (
lb = -(limit / 2) and ub = (limit / 2) - 1
) else (
lb = 0 and ub = limit - 1
)
)
or
// This covers all floating point types. The range is (-Inf, +Inf).
t instanceof SemFloatingPointType and lb = -(1.0 / 0.0) and ub = 1.0 / 0.0
}
/**
* Holds if `upper = true` and `e <= bound` or `upper = false` and `e >= bound` based
* only on type information.
*/
predicate hasConstantBoundConstantSpecific(Expr e, float bound, boolean upper) {
exists(
SemType converted, SemType unconverted, float unconvertedLb, float convertedLb,
float unconvertedUb, float convertedUb
|
unconverted = getSemanticType(e.getUnconverted().getResultIRType()) and
converted = getSemanticType(e.getConverted().getResultIRType()) and
typeBounds(unconverted, unconvertedLb, unconvertedUb) and
typeBounds(converted, convertedLb, convertedUb) and
(
upper = true and
unconvertedUb < convertedUb and
bound = unconvertedUb
or
upper = false and
unconvertedLb > convertedLb and
bound = unconvertedLb
)
)
}
}
predicate getSemanticExpr = SemanticExprConfig::getSemanticExpr/1;
@@ -501,5 +457,3 @@ IRBound::Bound getCppBound(SemBound bound) { bound = result }
SemGuard getSemanticGuard(IRGuards::IRGuardCondition guard) { result = guard }
IRGuards::IRGuardCondition getCppGuard(SemGuard guard) { guard = result }
predicate hasConstantBoundConstantSpecific = SemanticExprConfig::hasConstantBoundConstantSpecific/3;

19
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
View File

@@ -3,24 +3,10 @@
*/
private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
private import codeql.util.Unit
private import Reason as Reason
private import RangeAnalysisStage
private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
module CppLangImplConstant implements LangSig<FloatDelta> {
private module Param implements Reason::ParamSig {
class TypeReasonImpl = Unit;
}
class SemReason = Reason::Make<Param>::SemReason;
class SemNoReason = Reason::Make<Param>::SemNoReason;
class SemCondReason = Reason::Make<Param>::SemCondReason;
class SemTypeReason = Reason::Make<Param>::SemTypeReason;
/**
* Holds if the specified expression should be excluded from the result of `ssaRead()`.
*
@@ -74,10 +60,7 @@ module CppLangImplConstant implements LangSig<FloatDelta> {
/**
* Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
*/
predicate hasConstantBound(SemExpr e, float bound, boolean upper, SemReason reason) {
semHasConstantBoundConstantSpecific(e, bound, upper) and
reason instanceof SemTypeReason
}
predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
/**
* Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).

19
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
View File

@@ -61,23 +61,18 @@ private newtype TSemReason =
guard = any(ConstantStage::SemCondReason reason).getCond()
or
guard = any(RelativeStage::SemCondReason reason).getCond()
} or
TSemTypeReason()
}
private ConstantStage::SemReason constantReason(SemReason reason) {
ConstantStage::SemReason constantReason(SemReason reason) {
result instanceof ConstantStage::SemNoReason and reason instanceof SemNoReason
or
result.(ConstantStage::SemCondReason).getCond() = reason.(SemCondReason).getCond()
or
result instanceof ConstantStage::SemTypeReason and reason instanceof SemTypeReason
}
private RelativeStage::SemReason relativeReason(SemReason reason) {
RelativeStage::SemReason relativeReason(SemReason reason) {
result instanceof RelativeStage::SemNoReason and reason instanceof SemNoReason
or
result.(RelativeStage::SemCondReason).getCond() = reason.(SemCondReason).getCond()
or
result instanceof RelativeStage::SemTypeReason and reason instanceof SemTypeReason
}
import Public
@@ -116,12 +111,4 @@ module Public {
override string toString() { result = this.getCond().toString() }
}
/**
* A reason for an inferred bound that indicates that the bound is inferred
* based on type-information.
*/
class SemTypeReason extends SemReason, TSemTypeReason {
override string toString() { result = "TypeReason" }
}
}

18
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
View File

@@ -7,25 +7,9 @@ private import RangeAnalysisStage
private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.IntDelta
private import RangeAnalysisImpl
private import codeql.util.Unit
private import Reason as Reason
private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
module CppLangImplRelative implements LangSig<FloatDelta> {
private module Param implements Reason::ParamSig {
class TypeReasonImpl extends Unit {
TypeReasonImpl() { none() }
}
}
class SemReason = Reason::Make<Param>::SemReason;
class SemNoReason = Reason::Make<Param>::SemNoReason;
class SemCondReason = Reason::Make<Param>::SemCondReason;
class SemTypeReason = Reason::Make<Param>::SemTypeReason;
/**
* Holds if the specified expression should be excluded from the result of `ssaRead()`.
*
@@ -110,7 +94,7 @@ module CppLangImplRelative implements LangSig<FloatDelta> {
/**
* Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
*/
predicate hasConstantBound(SemExpr e, float bound, boolean upper, SemReason reason) { none() }
predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
/**
* Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).

126
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll
View File

@@ -113,37 +113,6 @@ signature module DeltaSig {
}
signature module LangSig<DeltaSig D> {
/** A reason for an inferred bound. */
class SemReason {
/**
* Returns `this` if `reason` is not a `SemTypeReason`. Otherwise,
* this predicate returns `SemTypeReason`.
*
* This predicate ensures that we propagate `SemTypeReason` all the way
* to the top-level of a call to `semBounded` if the inferred bound is
* based on type-information.
*/
bindingset[this, reason]
SemReason combineWith(SemReason reason);
}
/**
* A reason for an inferred bound that indicates that the bound is inferred
* without going through a bounding condition.
*/
class SemNoReason extends SemReason;
/** A reason for an inferred bound pointing to a condition. */
class SemCondReason extends SemReason {
SemGuard getCond();
}
/**
* A reason for an inferred bound that indicates that the bound is inferred
* based on type-information.
*/
class SemTypeReason extends SemReason;
/**
* Holds if the specified expression should be excluded from the result of `ssaRead()`.
*
@@ -155,7 +124,7 @@ signature module LangSig<DeltaSig D> {
/**
* Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
*/
predicate hasConstantBound(SemExpr e, D::Delta bound, boolean upper, SemReason reason);
predicate hasConstantBound(SemExpr e, D::Delta bound, boolean upper);
/**
* Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
@@ -280,14 +249,6 @@ module RangeStage<
DeltaSig D, BoundSig<D> Bounds, OverflowSig<D> OverflowParam, LangSig<D> LangParam,
UtilSig<D> UtilParam>
{
class SemReason = LangParam::SemReason;
class SemCondReason = LangParam::SemCondReason;
class SemNoReason = LangParam::SemNoReason;
class SemTypeReason = LangParam::SemTypeReason;
private import Bounds
private import LangParam
private import UtilParam
@@ -548,6 +509,36 @@ module RangeStage<
)
}
private newtype TSemReason =
TSemNoReason() or
TSemCondReason(SemGuard guard) { possibleReason(guard) }
/**
* A reason for an inferred bound. This can either be `CondReason` if the bound
* is due to a specific condition, or `NoReason` if the bound is inferred
* without going through a bounding condition.
*/
abstract class SemReason extends TSemReason {
/** Gets a textual representation of this reason. */
abstract string toString();
}
/**
* A reason for an inferred bound that indicates that the bound is inferred
* without going through a bounding condition.
*/
class SemNoReason extends SemReason, TSemNoReason {
override string toString() { result = "NoReason" }
}
/** A reason for an inferred bound pointing to a condition. */
class SemCondReason extends SemReason, TSemCondReason {
/** Gets the condition that is the reason for the bound. */
SemGuard getCond() { this = TSemCondReason(result) }
override string toString() { result = this.getCond().toString() }
}
/**
* Holds if `e + delta` is a valid bound for `v` at `pos`.
* - `upper = true` : `v <= e + delta`
@@ -560,13 +551,13 @@ module RangeStage<
semSsaUpdateStep(v, e, delta) and
pos.hasReadOfVar(v) and
(upper = true or upper = false) and
reason instanceof SemNoReason
reason = TSemNoReason()
or
exists(SemGuard guard, boolean testIsTrue |
pos.hasReadOfVar(v) and
guard = boundFlowCond(v, e, delta, upper, testIsTrue) and
semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
reason.(SemCondReason).getCond() = guard
reason = TSemCondReason(guard)
)
}
@@ -579,7 +570,7 @@ module RangeStage<
pos.hasReadOfVar(v) and
guard = semEqFlowCond(v, e, delta, false, testIsTrue) and
semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
reason.(SemCondReason).getCond() = guard
reason = TSemCondReason(guard)
)
}
@@ -709,7 +700,7 @@ module RangeStage<
// upper = true: v <= mid + d1 <= b + d1 + d2 = b + delta
// upper = false: v >= mid + d1 >= b + d1 + d2 = b + delta
delta = D::fromFloat(D::toFloat(d1) + D::toFloat(d2)) and
(if r1 instanceof SemNoReason then reason = r2 else reason = r1.combineWith(r2))
(if r1 instanceof SemNoReason then reason = r2 else reason = r1)
)
or
exists(D::Delta d, SemReason r1, SemReason r2 |
@@ -723,9 +714,9 @@ module RangeStage<
upper = false and delta = D::fromFloat(D::toFloat(d) + 1)
) and
(
reason = r1.combineWith(r2)
reason = r1
or
reason = r2.combineWith(r1) and not r2 instanceof SemNoReason
reason = r2 and not r2 instanceof SemNoReason
)
)
}
@@ -795,7 +786,7 @@ module RangeStage<
(upper = true or upper = false) and
fromBackEdge0 = false and
origdelta = D::fromFloat(0) and
reason instanceof SemNoReason
reason = TSemNoReason()
|
if semBackEdge(phi, inp, edge)
then
@@ -920,15 +911,14 @@ module RangeStage<
* Holds if `e` has an upper (for `upper = true`) or lower
* (for `upper = false`) bound of `b`.
*/
private predicate baseBound(SemExpr e, D::Delta b, boolean upper, SemReason reason) {
hasConstantBound(e, b, upper, reason)
private predicate baseBound(SemExpr e, D::Delta b, boolean upper) {
hasConstantBound(e, b, upper)
or
upper = false and
b = D::fromInt(0) and
semPositive(e.(SemBitAndExpr).getAnOperand()) and
// REVIEW: We let the language opt out here to preserve original results.
not ignoreZeroLowerBound(e) and
reason instanceof SemNoReason
not ignoreZeroLowerBound(e)
}
/**
@@ -1054,12 +1044,13 @@ module RangeStage<
(upper = true or upper = false) and
fromBackEdge = false and
origdelta = delta and
reason instanceof SemNoReason
reason = TSemNoReason()
or
baseBound(e, delta, upper, reason) and
baseBound(e, delta, upper) and
b instanceof SemZeroBound and
fromBackEdge = false and
origdelta = delta
origdelta = delta and
reason = TSemNoReason()
or
exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
boundedSsa(v, bb, b, delta, upper, fromBackEdge, origdelta, reason) and
@@ -1113,9 +1104,9 @@ module RangeStage<
boundedConditionalExpr(cond, b, upper, true, d1, fbe1, od1, r1) and
boundedConditionalExpr(cond, b, upper, false, d2, fbe2, od2, r2) and
(
delta = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1.combineWith(r2)
delta = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
or
delta = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2.combineWith(r1)
delta = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
)
|
upper = true and delta = D::fromFloat(D::toFloat(d1).maximum(D::toFloat(d2)))
@@ -1141,15 +1132,9 @@ module RangeStage<
delta = D::fromFloat(D::toFloat(dLeft) + D::toFloat(dRight)) and
fromBackEdge = fbeLeft.booleanOr(fbeRight)
|
b = bLeft and
origdelta = odLeft and
reason = rLeft.combineWith(rRight) and
bRight instanceof SemZeroBound
b = bLeft and origdelta = odLeft and reason = rLeft and bRight instanceof SemZeroBound
or
b = bRight and
origdelta = odRight and
reason = rRight.combineWith(rLeft) and
bLeft instanceof SemZeroBound
b = bRight and origdelta = odRight and reason = rRight and bLeft instanceof SemZeroBound
)
or
exists(
@@ -1165,9 +1150,9 @@ module RangeStage<
(
if D::toFloat(d1).abs() > D::toFloat(d2).abs()
then (
d_max = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1.combineWith(r2)
d_max = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
) else (
d_max = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2.combineWith(r1)
d_max = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
)
)
|
@@ -1183,14 +1168,11 @@ module RangeStage<
boundedMulOperand(e, upper, true, dLeft, fbeLeft, odLeft, rLeft) and
boundedMulOperand(e, upper, false, dRight, fbeRight, odRight, rRight) and
delta = D::fromFloat(D::toFloat(dLeft) * D::toFloat(dRight)) and
fromBackEdge = fbeLeft.booleanOr(fbeRight) and
b instanceof SemZeroBound
fromBackEdge = fbeLeft.booleanOr(fbeRight)
|
origdelta = odLeft and
reason = rLeft.combineWith(rRight)
b instanceof SemZeroBound and origdelta = odLeft and reason = rLeft
or
origdelta = odRight and
reason = rRight.combineWith(rLeft)
b instanceof SemZeroBound and origdelta = odRight and reason = rRight
)
)
}

83
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Reason.qll
View File

@@ -1,83 +0,0 @@
/**
* Provides a `Make` parameterized module for constructing a `Reason` type that is used
* when implementing the `LangSig` module.
*/
private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
/** The necessary parameters that must be implemented to instantiate `Make`. */
signature module ParamSig {
class TypeReasonImpl;
}
/**
* The module that constructs a `Reason` type when provided with an implementation
* of `ParamSig`.
*/
module Make<ParamSig Param> {
private import Param
private newtype TSemReason =
TSemNoReason() or
TSemCondReason(SemGuard guard) or
TSemTypeReason(TypeReasonImpl trc)
/**
* A reason for an inferred bound. This can either be `CondReason` if the bound
* is due to a specific condition, or `NoReason` if the bound is inferred
* without going through a bounding condition.
*/
abstract class SemReason extends TSemReason {
/** Gets a textual representation of this reason. */
abstract string toString();
bindingset[this, reason]
abstract SemReason combineWith(SemReason reason);
}
/**
* A reason for an inferred bound that indicates that the bound is inferred
* without going through a bounding condition.
*/
class SemNoReason extends SemReason, TSemNoReason {
override string toString() { result = "NoReason" }
override SemReason combineWith(SemReason reason) { result = reason }
}
/** A reason for an inferred bound pointing to a condition. */
class SemCondReason extends SemReason, TSemCondReason {
/** Gets the condition that is the reason for the bound. */
SemGuard getCond() { this = TSemCondReason(result) }
override string toString() { result = this.getCond().toString() }
bindingset[this, reason]
override SemReason combineWith(SemReason reason) {
// Since we end up reporting a `SemReason` for the inferred bound we often pick somewhat
// arbitrarily between two `SemReason`s during the analysis. This isn't an issue for most reasons
// since they're mainly used for constructing alert messages. However, the `SemTypeReason` is
// supposed to be used in query logic to filter out bounds inferred by type-based analysis if
// the query author chooses to do so. So we need to ensure that if _any_ of the bounds that
// contribute to the final bound depends on type information then the `SemReason` we report must
// be a `SemTypeReason`. So when we need to combine this `SemCondReason` with a `SemTypeReason`
// the result should always be a `SemTypeReason`.
if reason instanceof SemTypeReason then result instanceof SemTypeReason else result = this
}
}
/**
* A reason for an inferred bound that indicates that the bound is inferred
* based on type-information.
*/
class SemTypeReason extends SemReason, TSemTypeReason {
TypeReasonImpl impl;
SemTypeReason() { this = TSemTypeReason(impl) }
override string toString() { result = "TypeReason" }
bindingset[this, reason]
override SemReason combineWith(SemReason reason) { result = this and exists(reason) }
}
}

3
cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll
View File

@@ -20,8 +20,7 @@ private Instruction getABoundIn(SemBound b, IRFunction func) {
pragma[inline]
private predicate boundedImpl(Instruction i, Instruction b, int delta) {
exists(SemBound bound, IRFunction func |
semBounded(getSemanticExpr(i), bound, delta, true,
any(SemReason reason | not reason instanceof SemTypeReason)) and
semBounded(getSemanticExpr(i), bound, delta, true, _) and
b = getABoundIn(bound, func) and
i.getEnclosingIRFunction() = func
)

4
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.7.2
No user-facing changes.
## 0.7.1
### Minor Analysis Improvements

3
cpp/ql/src/change-notes/released/0.7.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.7.2
No user-facing changes.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

6
cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
View File

@@ -28,8 +28,7 @@ Instruction getABoundIn(SemBound b, IRFunction func) {
pragma[inline]
predicate boundedImpl(Instruction i, Instruction b, int delta) {
exists(SemBound bound, IRFunction func |
semBounded(getSemanticExpr(i), bound, delta, true,
any(SemReason reason | not reason instanceof SemTypeReason)) and
semBounded(getSemanticExpr(i), bound, delta, true, _) and
b = getABoundIn(bound, func) and
pragma[only_bind_out](i.getEnclosingIRFunction()) = func
)
@@ -94,8 +93,7 @@ predicate arrayTypeHasSizes(ArrayType arr, int baseTypeSize, int size) {
bindingset[pai]
pragma[inline_late]
predicate constantUpperBounded(PointerArithmeticInstruction pai, int delta) {
semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), delta, true,
any(SemReason reason | not reason instanceof SemTypeReason))
semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), delta, true, _)
}
bindingset[pai, size]

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.7.2-dev
version: 0.7.3-dev
groups:
- cpp
- queries

18
cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
View File

@@ -195,18 +195,18 @@ int test13(char c, int i) {
int z = i+1; // $ overflow=+
range(z); // $ range="==InitializeParameter: i+1"
range(c + i + uc + x + y + z); // $ overflow=+- overflow=+ overflow=- MISSING: range=>=1
range((double)(c + i + uc + x + y + z)); // $ overflow=+ overflow=+- overflow=- range=<=4294967295 MISSING: range=>=1
range((double)(c + i + uc + x + y + z)); // $ overflow=+ overflow=+- overflow=- MISSING: range=>=1
return (double)(c + i + uc + x + y + z); // $ overflow=+- overflow=+ overflow=-
}
// Regression test for ODASA-6013.
int test14(int x) {
int x0 = (int)(char)x;
range(x0); // $ range=<=127 range=>=-128
range(x0);
int x1 = (int)(unsigned char)x;
range(x1); // $ range=<=255 range=>=0
range(x1);
int x2 = (int)(unsigned short)x;
range(x2); // $ range=<=65535 range=>=0
range(x2);
int x3 = (int)(unsigned int)x;
range(x3);
char c0 = x;
@@ -759,9 +759,9 @@ unsigned long mult_overflow() {
unsigned long mult_lower_bound(unsigned int ui, unsigned long ul) {
if (ui >= 10) {
range(ui); // $ range=>=10
range((unsigned long)ui); // $ range=>=10 range=<=4294967295
unsigned long result = (unsigned long)ui * ui; // no overflow
range(result); // $ range=>=100 range=<=18446744065119617024
range((unsigned long)ui); // $ range=>=10
unsigned long result = (unsigned long)ui * ui; // $ overflow=+
range(result); // $ MISSING: range=>=100
return result; // BUG: upper bound should be >= 18446744065119617025
}
if (ul >= 10) {
@@ -888,7 +888,7 @@ void notequal_variations(short n, float f) {
}
if (n >= 5) {
if (2 * n - 10 == 0) { // no overflow
if (2 * n - 10 == 0) { // $ overflow=+
range(n); // $ range=>=5 MISSING: range===5
return;
}
@@ -936,7 +936,7 @@ void two_bounds_from_one_test(short ss, unsigned short us) {
range(ss); // -32768 .. 32767
}
if (ss + 1 < sizeof(int)) { // $ overflow=-
if (ss + 1 < sizeof(int)) { // $ overflow=+
range(ss); // -1 .. 2
}
}

4
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.6.2
No user-facing changes.
## 1.6.1
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.6.2
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.6.1
lastReleaseVersion: 1.6.2

2
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.6.2-dev
version: 1.6.3-dev
groups:
- csharp
- solorigate

4
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.6.2
No user-facing changes.
## 1.6.1
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.6.2
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.6.1
lastReleaseVersion: 1.6.2

2
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.6.2-dev
version: 1.6.3-dev
groups:
- csharp
- solorigate

4
csharp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.7.2
No user-facing changes.
## 0.7.1
### New Features

3
csharp/ql/lib/change-notes/released/0.7.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.7.2
No user-facing changes.

2
csharp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

2
csharp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.7.2-dev
version: 0.7.3-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

4
csharp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.7.2
No user-facing changes.
## 0.7.1
No user-facing changes.

3
csharp/ql/src/change-notes/released/0.7.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.7.2
No user-facing changes.

2
csharp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

2
csharp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.7.2-dev
version: 0.7.3-dev
groups:
- csharp
- queries

6
go/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.6.2
### Minor Analysis Improvements
* Logrus' `WithContext` methods are no longer treated as if they output the values stored in that context to a log message.
## 0.6.1
### New Features

7
go/ql/lib/change-notes/2023-07-28-logrus-with-context.md → go/ql/lib/change-notes/released/0.6.2.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 0.6.2
### Minor Analysis Improvements
* Logrus' `WithContext` methods are no longer treated as if they output the values stored in that context to a log message.

2
go/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.1
lastReleaseVersion: 0.6.2

2
go/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 0.6.2-dev
version: 0.6.3-dev
groups: go
dbscheme: go.dbscheme
extractor: go

4
go/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.6.2
No user-facing changes.
## 0.6.1
No user-facing changes.

3
go/ql/src/change-notes/released/0.6.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.6.2
No user-facing changes.

2
go/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.1
lastReleaseVersion: 0.6.2

2
go/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 0.6.2-dev
version: 0.6.3-dev
groups:
- go
- queries

14
java/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,17 @@
## 0.7.2
### New Features
* A `Diagnostic.getCompilationInfo()` predicate has been added.
### Minor Analysis Improvements
* Fixed a typo in the `StdlibRandomSource` class in `RandomDataSource.qll`, which caused the class to improperly model calls to the `nextBytes` method. Queries relying on `StdlibRandomSource` may see an increase in results.
* Improved the precision of virtual dispatch of `java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of `InputStream` if there is a high-confidence alternative (like a models-as-data summary).
* Added more dataflow steps for `java.io.InputStream`s that wrap other `java.io.InputStream`s.
* Added models for the Struts 2 framework.
* Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.
## 0.7.1
### New Features

5
java/ql/lib/change-notes/2023-07-12-add-models-for-struts2-framework.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Added models for the Struts 2 framework.

5
java/ql/lib/change-notes/2023-07-12-improve-sources-for-the-struts2-framework.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.

4
java/ql/lib/change-notes/2023-07-14-getCompilationInfo.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* A `Diagnostic.getCompilationInfo()` predicate has been added.

5
java/ql/lib/change-notes/2023-07-19-inputstream-dispatch.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Improved the precision of virtual dispatch of `java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of `InputStream` if there is a high-confidence alternative (like a models-as-data summary).

4
java/ql/lib/change-notes/2023-07-19-inputstream-wrapper-steps.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added more dataflow steps for `java.io.InputStream`s that wrap other `java.io.InputStream`s.

4
java/ql/lib/change-notes/2023-08-07-randomdatasource-typo-fix.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed a typo in the `StdlibRandomSource` class in `RandomDataSource.qll`, which caused the class to improperly model calls to the `nextBytes` method. Queries relying on `StdlibRandomSource` may see an increase in results.

13
java/ql/lib/change-notes/released/0.7.2.md Normal file
View File

@@ -0,0 +1,13 @@
## 0.7.2
### New Features
* A `Diagnostic.getCompilationInfo()` predicate has been added.
### Minor Analysis Improvements
* Fixed a typo in the `StdlibRandomSource` class in `RandomDataSource.qll`, which caused the class to improperly model calls to the `nextBytes` method. Queries relying on `StdlibRandomSource` may see an increase in results.
* Improved the precision of virtual dispatch of `java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of `InputStream` if there is a high-confidence alternative (like a models-as-data summary).
* Added more dataflow steps for `java.io.InputStream`s that wrap other `java.io.InputStream`s.
* Added models for the Struts 2 framework.
* Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.

2
java/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

2
java/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.7.2-dev
version: 0.7.3-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

6
java/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.7.2
### Minor Analysis Improvements
* The sanitizer in `java/potentially-weak-cryptographic-algorithm` has been improved, so the query may yield additional results.
## 0.7.1
### Minor Analysis Improvements

7
java/ql/src/change-notes/2023-08-01-maybebrokencrypto-barrier.md → java/ql/src/change-notes/released/0.7.2.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 0.7.2
### Minor Analysis Improvements
* The sanitizer in `java/potentially-weak-cryptographic-algorithm` has been improved, so the query may yield additional results.

2
java/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

2
java/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 0.7.2-dev
version: 0.7.3-dev
groups:
- java
- queries

6
javascript/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.7.2
### Minor Analysis Improvements
* Added `log-injection` as a customizable sink kind for log injection.
## 0.7.1
No user-facing changes.

9
javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md → javascript/ql/lib/change-notes/released/0.7.2.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
* Added `log-injection` as a customizable sink kind for log injection.
## 0.7.2
### Minor Analysis Improvements
* Added `log-injection` as a customizable sink kind for log injection.

2
javascript/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

2
javascript/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.7.2-dev
version: 0.7.3-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

4
javascript/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.7.2
No user-facing changes.
## 0.7.1
### Minor Analysis Improvements

3
javascript/ql/src/change-notes/released/0.7.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.7.2
No user-facing changes.

2
javascript/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

2
javascript/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.7.2-dev
version: 0.7.3-dev
groups:
- javascript
- queries

4
misc/suite-helpers/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.6.2
No user-facing changes.
## 0.6.1
No user-facing changes.

3
misc/suite-helpers/change-notes/released/0.6.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.6.2
No user-facing changes.

2
misc/suite-helpers/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.1
lastReleaseVersion: 0.6.2

2
misc/suite-helpers/qlpack.yml
View File

@@ -1,4 +1,4 @@
name: codeql/suite-helpers
version: 0.6.2-dev
version: 0.6.3-dev
groups: shared
warnOnImplicitThis: true

4
python/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.10.2
No user-facing changes.
## 0.10.1
### New Features

3
python/ql/lib/change-notes/released/0.10.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.10.2
No user-facing changes.

2
python/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.10.1
lastReleaseVersion: 0.10.2

2
python/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/python-all
version: 0.10.2-dev
version: 0.10.3-dev
groups: python
dbscheme: semmlecode.python.dbscheme
extractor: python

4
python/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.8.2
No user-facing changes.
## 0.8.1
### Minor Analysis Improvements

3
python/ql/src/change-notes/released/0.8.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.8.2
No user-facing changes.

2
python/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.2

2
python/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/python-queries
version: 0.8.2-dev
version: 0.8.3-dev
groups:
- python
- queries

4
ruby/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.7.2
No user-facing changes.
## 0.7.1
### New Features

3
ruby/ql/lib/change-notes/released/0.7.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.7.2
No user-facing changes.

2
ruby/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

2
ruby/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/ruby-all
version: 0.7.2-dev
version: 0.7.3-dev
groups: ruby
extractor: ruby
dbscheme: ruby.dbscheme

6
ruby/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.7.2
### New Queries
* Added a new experimental query, `rb/ldap-injection`, to detect cases where user input is incorporated into LDAP queries without proper validation or sanitization, potentially leading to LDAP injection vulnerabilities.
## 0.7.1
### New Queries

9
ruby/ql/src/change-notes/2023-05-28-ldap-injection-query.md → ruby/ql/src/change-notes/released/0.7.2.md
View File

@@ -1,4 +1,5 @@
---
category: newQuery
---
* Added a new experimental query, `rb/ldap-injection`, to detect cases where user input is incorporated into LDAP queries without proper validation or sanitization, potentially leading to LDAP injection vulnerabilities.
## 0.7.2
### New Queries
* Added a new experimental query, `rb/ldap-injection`, to detect cases where user input is incorporated into LDAP queries without proper validation or sanitization, potentially leading to LDAP injection vulnerabilities.

2
ruby/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.2

2
ruby/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/ruby-queries
version: 0.7.2-dev
version: 0.7.3-dev
groups:
- ruby
- queries

7
shared/controlflow/change-notes/2023-06-27-initial-version.md → shared/controlflow/CHANGELOG.md
View File

@@ -1,4 +1,5 @@
---
category: majorAnalysis
---
## 0.0.1
### Major Analysis Improvements
* Initial release. Adds a shared library for control flow analyses.

5
shared/controlflow/change-notes/released/0.0.1.md Normal file
View File

@@ -0,0 +1,5 @@
## 0.0.1
### Major Analysis Improvements
* Initial release. Adds a shared library for control flow analyses.

2
shared/controlflow/codeql-pack.release.yml Normal file
View File

@@ -0,0 +1,2 @@
---
lastReleaseVersion: 0.0.1

2
shared/controlflow/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/controlflow
version: 0.0.1-dev
version: 0.0.2-dev
groups: shared
library: true
dependencies:

13
shared/dataflow/change-notes/2023-08-02-dataflow-isSink.md → shared/dataflow/CHANGELOG.md
View File

@@ -1,4 +1,9 @@
---
category: feature
---
* The `StateConfigSig` signature now supports a unary `isSink` predicate that does not specify the `FlowState` for which the given node is a sink. Instead, any `FlowState` is considered a valid `FlowState` for such a sink.
## 0.0.1
### New Features
* The `StateConfigSig` signature now supports a unary `isSink` predicate that does not specify the `FlowState` for which the given node is a sink. Instead, any `FlowState` is considered a valid `FlowState` for such a sink.
### Minor Analysis Improvements
* Initial release. Moves the shared inter-procedural data-flow library into its own qlpack.

4
shared/dataflow/change-notes/2023-08-02-dataflow-initial.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Initial release. Moves the shared inter-procedural data-flow library into its own qlpack.

9
shared/dataflow/change-notes/released/0.0.1.md Normal file
View File

@@ -0,0 +1,9 @@
## 0.0.1
### New Features
* The `StateConfigSig` signature now supports a unary `isSink` predicate that does not specify the `FlowState` for which the given node is a sink. Instead, any `FlowState` is considered a valid `FlowState` for such a sink.
### Minor Analysis Improvements
* Initial release. Moves the shared inter-procedural data-flow library into its own qlpack.

2
shared/dataflow/codeql-pack.release.yml Normal file
View File

@@ -0,0 +1,2 @@
---
lastReleaseVersion: 0.0.1

2
shared/dataflow/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/dataflow
version: 0.0.1-dev
version: 0.0.2-dev
groups: shared
library: true
dependencies:

4
shared/mad/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.1.2
No user-facing changes.
## 0.1.1
No user-facing changes.

3
shared/mad/change-notes/released/0.1.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.1.2
No user-facing changes.

2
shared/mad/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.1.1
lastReleaseVersion: 0.1.2

2
shared/mad/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/mad
version: 0.1.2-dev
version: 0.1.3-dev
groups: shared
library: true
dependencies:

4
shared/regex/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.1.2
No user-facing changes.
## 0.1.1
No user-facing changes.

Some files were not shown because too many files have changed in this diff Show More