hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15756 from egregius313/egregius313/csharp/dataflow/threat-model/remove-addlocalsource

Browse Source 
C#: Remove `AddLocalSource` classes from queries
This commit is contained in:
Edward Minnix III
2024-03-10 22:56:28 -04:00
committed by GitHub
parent 58f2777532 3fdc7e95df
commit 7fe378e831
5 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
View File

@@ -68,8 +68,6 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
*/
deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { }
private class AddLocalSource extends Source instanceof LocalFlowSource { }
/** A source supported by the current threat model. */
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }

2
csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll
View File

@@ -67,8 +67,6 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
*/
deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { }
private class AddLocalSource extends Source instanceof LocalFlowSource { }
/** A source supported by the current threat model. */
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }

2
csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
View File

@@ -78,8 +78,6 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
*/
deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { }
private class AddLocalSource extends Source instanceof LocalFlowSource { }
/** A source supported by the current threat model. */
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }

5
csharp/ql/src/change-notes/2024-03-06-remove-default-local-sources.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* Data flow queries that track flow from *local* flow sources now use the current *threat model* configuration instead. This may lead to changes in the produced alerts if the threat model configuration only uses *remote* flow sources. The changed queries are `cs/code-injection`, `cs/resource-injection`, `cs/sql-injection`, and `cs/uncontrolled-format-string`.

7
csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.ext.yml Normal file
View File

@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- ["local", true, 0]