Merge pull request #5524 from hvitved/csharp/cleanup

C#: Remove legacy queries and `@precision` tags from metric queries
Tom Hvitved
2021-03-25 15:36:12 +01:00
committed by GitHub
56 changed files with 6 additions and 1775 deletions


@@ -376,7 +376,6 @@
],
"DuplicationProblems.inc.qhelp": [
"cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
"csharp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
"javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
"python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
],


@@ -0,0 +1,2 @@
lgtm,codescanning
* Legacy queries in the folders `external` and `filters` have all been removed.


@@ -0,0 +1,2 @@
lgtm,codescanning
* The query `VulnerablePackage.ql` has been removed.


@@ -5,7 +5,6 @@
* @kind treemap
* @treemap.warnOn highValues
* @metricType externalDependency
* @precision medium
* @id cs/external-dependencies
*/


@@ -1,16 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Duplicated code increases overall code size, making the code base
harder to maintain and harder to understand. It also becomes harder to fix bugs,
since a programmer applying a fix to one copy has to always remember to update
other copies accordingly. Finally, code duplication is generally an indication of
a poorly designed or hastily written code base, which typically suffers from other
problems as well.
</p>
</overview>
</qhelp>


@@ -5,7 +5,6 @@
* @treemap.warnOn highValues
* @metricType file
* @metricAggregate avg sum max
* @precision very-high
* @id cs/lines-of-code-in-files
* @tags maintainability
* complexity


@@ -5,7 +5,6 @@
* @treemap.warnOn lowValues
* @metricType file
* @metricAggregate avg sum max
* @precision very-high
* @id cs/lines-of-comments-in-files
* @tags maintainability
* documentation


@@ -5,7 +5,6 @@
* @treemap.warnOn highValues
* @metricType file
* @metricAggregate avg sum max
* @precision high
* @id cs/lines-of-commented-out-code-in-files
* @tags maintainability
* documentation


@@ -1,30 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
A file that contains many lines that are duplicated within the code base is problematic
for a number of reasons.
</p>
</overview>
<include src="DuplicationProblems.inc.qhelp" />
<recommendation>
<p>
Refactor files with lots of duplicated code to extract the common code into
shared classes and assemblies.
</p>
</recommendation>
<references>
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Duplicate_code">Duplicate code</a>.</li>
<li>M. Fowler, <em>Refactoring</em>. Addison-Wesley, 1999.</li>
</references>
</qhelp>


@@ -1,27 +0,0 @@
/**
* @deprecated
* @name Duplicated lines in files
* @description The number of lines in a file, including code, comment and whitespace lines,
* which are duplicated in at least one other place.
* @kind treemap
* @treemap.warnOn highValues
* @metricType file
* @metricAggregate avg sum max
* @precision high
* @id cs/duplicated-lines-in-files
* @tags testability
* modularity
*/
import external.CodeDuplication
from SourceFile f, int n
where
n =
count(int line |
exists(DuplicateBlock d | d.sourceFile() = f |
line in [d.sourceStartLine() .. d.sourceEndLine()] and
not whitelistedLineForDuplication(f, line)
)
)
select f, n order by n desc


@@ -5,7 +5,6 @@
* @treemap.warnOn highValues
* @metricType file
* @metricAggregate avg sum max
* @precision medium
* @id cs/tests-in-files
* @tags maintainability
*/


@@ -1,335 +0,0 @@
/**
* Provides a list of NuGet packages with known vulnerabilities.
*
* To add a new vulnerability follow the existing pattern.
* Create a new class that extends the abstract class `Vulnerability`,
* supplying the name and the URL, and override one (or both) of
* `matchesRange` and `matchesVersion`.
*/
import csharp
import Vulnerability
class MicrosoftAdvisory4021279 extends Vulnerability {
MicrosoftAdvisory4021279() { this = "Microsoft Security Advisory 4021279" }
override string getUrl() { result = "https://github.com/dotnet/corefx/issues/19535" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.Text.Encodings.Web" and
(
affected = "4.0.0" and fixed = "4.0.1"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or
name = "System.Net.Http" and
(
affected = "4.1.1" and fixed = "4.1.2"
or
affected = "4.3.1" and fixed = "4.3.2"
)
or
name = "System.Net.Http.WinHttpHandler" and
(
affected = "4.0.1" and fixed = "4.0.2"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or
name = "System.Net.Security" and
(
affected = "4.0.0" and fixed = "4.0.1"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or
(
name = "Microsoft.AspNetCore.Mvc"
or
name = "Microsoft.AspNetCore.Mvc.Core"
or
name = "Microsoft.AspNetCore.Mvc.Abstractions"
or
name = "Microsoft.AspNetCore.Mvc.ApiExplorer"
or
name = "Microsoft.AspNetCore.Mvc.Cors"
or
name = "Microsoft.AspNetCore.Mvc.DataAnnotations"
or
name = "Microsoft.AspNetCore.Mvc.Formatters.Json"
or
name = "Microsoft.AspNetCore.Mvc.Formatters.Xml"
or
name = "Microsoft.AspNetCore.Mvc.Localization"
or
name = "Microsoft.AspNetCore.Mvc.Razor.Host"
or
name = "Microsoft.AspNetCore.Mvc.Razor"
or
name = "Microsoft.AspNetCore.Mvc.TagHelpers"
or
name = "Microsoft.AspNetCore.Mvc.ViewFeatures"
or
name = "Microsoft.AspNetCore.Mvc.WebApiCompatShim"
) and
(
affected = "1.0.0" and fixed = "1.0.4"
or
affected = "1.1.0" and fixed = "1.1.3"
)
}
}
class CVE_2017_8700 extends Vulnerability {
CVE_2017_8700() { this = "CVE-2017-8700" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/279" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "Microsoft.AspNetCore.Mvc.Core"
or
name = "Microsoft.AspNetCore.Mvc.Cors"
) and
(
affected = "1.0.0" and fixed = "1.0.6"
or
affected = "1.1.0" and fixed = "1.1.6"
)
}
}
class CVE_2018_0765 extends Vulnerability {
CVE_2018_0765() { this = "CVE-2018-0765" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/67" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.Security.Cryptography.Xml" and
affected = "0.0.0" and
fixed = "4.4.2"
}
}
class AspNetCore_Mar18 extends Vulnerability {
AspNetCore_Mar18() { this = "ASPNETCore-Mar18" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/300" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "Microsoft.AspNetCore.Server.Kestrel.Core"
or
name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions"
or
name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv"
) and
affected = "2.0.0" and
fixed = "2.0.3"
or
name = "Microsoft.AspNetCore.All" and
affected = "2.0.0" and
fixed = "2.0.8"
}
}
class CVE_2018_8409 extends Vulnerability {
CVE_2018_8409() { this = "CVE-2018-8409" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/316" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.IO.Pipelines" and affected = "4.5.0" and fixed = "4.5.1"
or
(name = "Microsoft.AspNetCore.All" or name = "Microsoft.AspNetCore.App") and
affected = "2.1.0" and
fixed = "2.1.4"
}
}
class CVE_2018_8171 extends Vulnerability {
CVE_2018_8171() { this = "CVE-2018-8171" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/310" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "Microsoft.AspNetCore.Identity" and
(
affected = "1.0.0" and fixed = "1.0.6"
or
affected = "1.1.0" and fixed = "1.1.6"
or
affected = "2.0.0" and fixed = "2.0.4"
or
affected = "2.1.0" and fixed = "2.1.2"
)
}
}
class CVE_2018_8356 extends Vulnerability {
CVE_2018_8356() { this = "CVE-2018-8356" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/73" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "System.Private.ServiceModel"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
) and
(
affected = "4.0.0" and fixed = "4.1.3"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.3"
)
or
(
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
) and
(
affected = "4.0.0" and fixed = "4.0.4"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.3"
)
or
name = "System.ServiceModel.NetTcp" and
(
affected = "4.0.0" and fixed = "4.1.3"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.1"
)
}
}
class ASPNETCore_Jul18 extends Vulnerability {
ASPNETCore_Jul18() { this = "ASPNETCore-July18" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/311" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "Microsoft.AspNetCore.Server.Kestrel.Core" and
(
affected = "2.0.0" and fixed = "2.0.4"
or
affected = "2.1.0" and fixed = "2.1.2"
)
or
name = "Microsoft.AspNetCore.All" and
(
affected = "2.0.0" and fixed = "2.0.9"
or
affected = "2.1.0" and fixed = "2.1.2"
)
or
name = "Microsoft.AspNetCore.App" and
affected = "2.1.0" and
fixed = "2.1.2"
}
}
class CVE_2018_8292 extends Vulnerability {
CVE_2018_8292() { this = "CVE-2018-8292" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/88" }
override predicate matchesVersion(string name, Version affected, Version fixed) {
name = "System.Net.Http" and
(
affected = "2.0" or
affected = "4.0.0" or
affected = "4.1.0" or
affected = "1.1.1" or
affected = "4.1.2" or
affected = "4.3.0" or
affected = "4.3.1" or
affected = "4.3.2" or
affected = "4.3.3"
) and
fixed = "4.3.4"
}
}
class CVE_2018_0786 extends Vulnerability {
CVE_2018_0786() { this = "CVE-2018-0786" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/51" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "System.ServiceModel.Primitives"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
or
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
or
name = "System.Private.ServiceModel"
) and
(
affected = "4.4.0" and fixed = "4.4.1"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or
(
name = "System.ServiceModel.Primitives"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
or
name = "System.Private.ServiceModel"
) and
affected = "4.1.0" and
fixed = "4.1.1"
or
(
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
) and
affected = "4.0.1" and
fixed = "4.0.2"
}
}
class CVE_2019_0657 extends Vulnerability {
CVE_2019_0657() { this = "CVE-2019-0657" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "Microsoft.NETCore.App" and
(
affected = "2.1.0" and fixed = "2.1.8"
or
affected = "2.2.0" and fixed = "2.2.2"
)
}
override predicate matchesVersion(string name, Version affected, Version fixed) {
name = "System.Private.Uri" and
affected = "4.3.0" and
fixed = "4.3.1"
}
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/97" }
}


@@ -1,93 +0,0 @@
import csharp
/**
* A package reference in an XML file, for example in a
* `.csproj` file, a `.props` file, or a `packages.config` file.
*/
class Package extends XMLElement {
string name;
Version version;
Package() {
(this.getName() = "PackageManagement" or this.getName() = "PackageReference") and
name = this.getAttributeValue("Include") and
version = this.getAttributeValue("Version")
or
this.getName() = "package" and
name = this.getAttributeValue("id") and
version = this.getAttributeValue("version")
}
/** Gets the name of the package, for example `System.IO.Pipelines`. */
string getPackageName() { result = name }
/** Gets the version of the package, for example `4.5.1`. */
Version getVersion() { result = version }
override string toString() { result = name + " " + version }
}
/**
* A vulnerability, where the name of the vulnerability is this string.
* One of `matchesRange` or `matchesVersion` must be overridden in order to
* specify which packages are vulnerable.
*/
abstract class Vulnerability extends string {
bindingset[this]
Vulnerability() { any() }
/**
* Holds if a package with name `name` is vulnerable from version `affected`
* until version `fixed`.
*/
predicate matchesRange(string name, Version affected, Version fixed) { none() }
/**
* Holds if a package with name `name` is vulnerable in version `affected`, and
* is fixed by version `fixed`.
*/
predicate matchesVersion(string name, Version affected, Version fixed) { none() }
/** Gets the URL describing the vulnerability. */
abstract string getUrl();
/**
* Holds if a package with name `name` and version `version`
* has this vulnerability. The fixed version is given by `fixed`.
*/
bindingset[name, version]
predicate isVulnerable(string name, Version version, Version fixed) {
exists(Version affected, string n | name.toLowerCase() = n.toLowerCase() |
matchesRange(n, affected, fixed) and
version.compareTo(fixed) < 0 and
version.compareTo(affected) >= 0
or
matchesVersion(n, affected, fixed) and
version.compareTo(affected) = 0
)
}
}
bindingset[name, version]
private Version getUltimateFix(string name, Version version) {
result = max(Version fix | any(Vulnerability v).isVulnerable(name, version, fix))
}
/**
* A package with a vulnerability.
*/
class VulnerablePackage extends Package {
Vulnerability vuln;
VulnerablePackage() { vuln.isVulnerable(this.getPackageName(), this.getVersion(), _) }
/** Gets the vulnerability of this package. */
Vulnerability getVulnerability() { result = vuln }
/** Gets the version of this package where the vulnerability is fixed. */
Version getFixedVersion() {
// This is needed because sometimes the "fixed" version of some
// vulnerabilities are themselves vulnerable to other vulnerabilities.
result = getUltimateFix(this.getPackageName(), this.getVersion())
}
}


@@ -1,43 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Using a package with a known vulnerability is a security risk that could leave the
software vulnerable to attack.
</p>
<p>
This query reads the packages imported by the project build files and
<code>.config</code> files, and checks them against a list of packages with known
vulnerabilities.
</p>
</overview>
<recommendation>
<p>
Upgrade the package to the recommended version using, for example, the NuGet package manager,
or by editing the project files directly.
</p>
</recommendation>
<example>
<p>
The following example shows a C# project file referencing package <code>System.Net.Http</code>
version 4.3.1, which is vulnerable to <a href="https://github.com/dotnet/announcements/issues/88">CVE-2018-8292</a>.
</p>
<sample src="VulnerablePackageBAD.csproj" />
<p>
The project file can be fixed by changing the version of the package to 4.3.4.
</p>
<sample src="VulnerablePackageGOOD.csproj" />
</example>
<references>
<li>
OWASP: <a href="https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities">A9-Using Components with Known Vulnerabilities</a>.
</li>
</references>
</qhelp>


@@ -1,20 +0,0 @@
/**
* @name Using a package with a known vulnerability
* @description Using a package with a known vulnerability is a security risk.
* Upgrade the package to a version that does not contain the vulnerability.
* @kind problem
* @problem.severity error
* @precision high
* @id cs/use-of-vulnerable-package
* @tags security
* external/cwe/cwe-937
*/
import csharp
import Vulnerabilities
from Vulnerability vuln, VulnerablePackage package
where vuln = package.getVulnerability()
select package,
"Package '" + package + "' has vulnerability $@, and should be upgraded to version " +
package.getFixedVersion() + ".", vuln.getUrl(), vuln.toString()


@@ -1,15 +0,0 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<AssemblyName>Semmle.Autobuild</AssemblyName>
<RootNamespace>Semmle.Autobuild</RootNamespace>
<OutputType>Exe</OutputType>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="15.8.166" />
<PackageReference Include="System.Net.Http" Version="4.3.1" />
</ItemGroup>
</Project>


@@ -1,15 +0,0 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<AssemblyName>Semmle.Autobuild</AssemblyName>
<RootNamespace>Semmle.Autobuild</RootNamespace>
<OutputType>Exe</OutputType>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="15.8.166" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
</ItemGroup>
</Project>


@@ -1,305 +0,0 @@
import csharp
private string relativePath(File file) { result = file.getRelativePath().replaceAll("\\", "/") }
/**
* Holds if the `index`-th token of block `copy` is in file `file`, spanning
* column `sc` of line `sl` to column `ec` of line `el`.
*
* For more information, see [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
*/
pragma[nomagic]
predicate tokenLocation(File file, int sl, int sc, int ec, int el, Copy copy, int index) {
file = copy.sourceFile() and
tokens(copy, index, sl, sc, ec, el)
}
class Copy extends @duplication_or_similarity {
private int lastToken() { result = max(int i | tokens(this, i, _, _, _, _) | i) }
int tokenStartingAt(Location loc) {
tokenLocation(loc.getFile(), loc.getStartLine(), loc.getStartColumn(), _, _, this, result)
}
int tokenEndingAt(Location loc) {
tokenLocation(loc.getFile(), _, _, loc.getEndLine(), loc.getEndColumn(), this, result)
}
int sourceStartLine() { tokens(this, 0, result, _, _, _) }
int sourceStartColumn() { tokens(this, 0, _, result, _, _) }
int sourceEndLine() { tokens(this, lastToken(), _, _, result, _) }
int sourceEndColumn() { tokens(this, lastToken(), _, _, _, result) }
int sourceLines() { result = this.sourceEndLine() + 1 - this.sourceStartLine() }
int getEquivalenceClass() { duplicateCode(this, _, result) or similarCode(this, _, result) }
File sourceFile() {
exists(string name | duplicateCode(this, name, _) or similarCode(this, name, _) |
name.replaceAll("\\", "/") = relativePath(result)
)
}
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
sourceFile().getAbsolutePath() = filepath and
startline = sourceStartLine() and
startcolumn = sourceStartColumn() and
endline = sourceEndLine() and
endcolumn = sourceEndColumn()
}
string toString() { none() }
}
class DuplicateBlock extends Copy, @duplication {
override string toString() { result = "Duplicate code: " + sourceLines() + " duplicated lines." }
}
class SimilarBlock extends Copy, @similarity {
override string toString() {
result = "Similar code: " + sourceLines() + " almost duplicated lines."
}
}
private Method sourceMethod() { method_location(result, _) and numlines(result, _, _, _) }
private int numberOfSourceMethods(Class c) {
result = count(Method m | m = sourceMethod() and m.getDeclaringType() = c)
}
private predicate blockCoversStatement(int equivClass, int first, int last, Stmt stmt) {
exists(DuplicateBlock b, Location loc |
stmt.getLocation() = loc and
first = b.tokenStartingAt(loc) and
last = b.tokenEndingAt(loc) and
b.getEquivalenceClass() = equivClass
)
}
private Stmt statementInMethod(Method m) {
result.getEnclosingCallable() = m and
not result instanceof BlockStmt
}
private predicate duplicateStatement(Method m1, Method m2, Stmt s1, Stmt s2) {
exists(int equivClass, int first, int last |
s1 = statementInMethod(m1) and
s2 = statementInMethod(m2) and
blockCoversStatement(equivClass, first, last, s1) and
blockCoversStatement(equivClass, first, last, s2) and
s1 != s2 and
m1 != m2
)
}
/** Holds if `duplicate` number of statements are duplicated in the methods. */
predicate duplicateStatements(Method m1, Method m2, int duplicate, int total) {
duplicate = strictcount(Stmt s | duplicateStatement(m1, m2, s, _)) and
total = strictcount(statementInMethod(m1))
}
/**
* Find pairs of methods are identical
*/
predicate duplicateMethod(Method m, Method other) {
exists(int total | duplicateStatements(m, other, total, total))
}
private predicate similarLines(File f, int line) {
exists(SimilarBlock b | b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()])
}
private predicate similarLinesPerEquivalenceClass(int equivClass, int lines, File f) {
lines =
strictsum(SimilarBlock b, int toSum |
(b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and
toSum = b.sourceLines()
|
toSum
)
}
pragma[noopt]
private predicate similarLinesCovered(File f, int coveredLines, File otherFile) {
exists(int numLines | numLines = f.getNumberOfLines() |
exists(int coveredApprox |
coveredApprox =
strictsum(int num |
exists(int equivClass |
similarLinesPerEquivalenceClass(equivClass, num, f) and
similarLinesPerEquivalenceClass(equivClass, num, otherFile) and
f != otherFile
)
) and
exists(int n, int product | product = coveredApprox * 100 and n = product / numLines | n > 75)
) and
exists(int notCovered |
notCovered =
count(int j |
j in [1 .. numLines] and
not similarLines(f, j)
) and
coveredLines = numLines - notCovered
)
)
}
private predicate duplicateLines(File f, int line) {
exists(DuplicateBlock b |
b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()]
)
}
private predicate duplicateLinesPerEquivalenceClass(int equivClass, int lines, File f) {
lines =
strictsum(DuplicateBlock b, int toSum |
(b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and
toSum = b.sourceLines()
|
toSum
)
}
pragma[noopt]
private predicate duplicateLinesCovered(File f, int coveredLines, File otherFile) {
exists(int numLines | numLines = f.getNumberOfLines() |
exists(int coveredApprox |
coveredApprox =
strictsum(int num |
exists(int equivClass |
duplicateLinesPerEquivalenceClass(equivClass, num, f) and
duplicateLinesPerEquivalenceClass(equivClass, num, otherFile) and
f != otherFile
)
) and
exists(int n, int product | product = coveredApprox * 100 and n = product / numLines | n > 75)
) and
exists(int notCovered |
notCovered =
count(int j |
j in [1 .. numLines] and
not duplicateLines(f, j)
) and
coveredLines = numLines - notCovered
)
)
}
/** Holds if the two files are not duplicated but have more than 80% similar lines. */
predicate similarFiles(File f, File other, int percent) {
exists(int covered, int total |
similarLinesCovered(f, covered, other) and
total = f.getNumberOfLines() and
covered * 100 / total = percent and
percent > 80
) and
not duplicateFiles(f, other, _)
}
/** Holds if the two files have more than 70% duplicated lines. */
predicate duplicateFiles(File f, File other, int percent) {
exists(int covered, int total |
duplicateLinesCovered(f, covered, other) and
total = f.getNumberOfLines() and
covered * 100 / total = percent and
percent > 70
)
}
pragma[noopt]
private predicate duplicateAnonymousClass(AnonymousClass c, AnonymousClass other) {
exists(int numDup |
numDup =
strictcount(Method m1 |
exists(Method m2 |
duplicateMethod(m1, m2) and
m1 = sourceMethod() and
m1.getDeclaringType() = c and
c instanceof AnonymousClass and
m2.getDeclaringType() = other and
other instanceof AnonymousClass and
c != other
)
) and
numDup = numberOfSourceMethods(c) and
numDup = numberOfSourceMethods(other) and
forall(Type t | c.getABaseType() = t | t = other.getABaseType())
)
}
pragma[noopt]
private predicate mostlyDuplicateClassBase(Class c, Class other, int numDup, int total) {
numDup =
strictcount(Method m1 |
exists(Method m2 |
duplicateMethod(m1, m2) and
m1 = sourceMethod() and
m1.getDeclaringType() = c and
m2.getDeclaringType() = other and
other instanceof Class and
c != other
)
) and
total = numberOfSourceMethods(c) and
exists(int n, int product | product = 100 * numDup and n = product / total | n > 80) and
not c instanceof AnonymousClass and
not other instanceof AnonymousClass
}
/** Holds if the methods in the two classes are more than 80% duplicated. */
predicate mostlyDuplicateClass(Class c, Class other, string message) {
exists(int numDup, int total |
mostlyDuplicateClassBase(c, other, numDup, total) and
(
total != numDup and
exists(string s1, string s2, string s3, string name |
s1 = " out of " and
s2 = " methods in " and
s3 = " are duplicated in $@." and
name = c.getName()
|
message = numDup + s1 + total + s2 + name + s3
)
or
total = numDup and
exists(string s1, string s2, string name |
s1 = "All methods in " and s2 = " are identical in $@." and name = c.getName()
|
message = s1 + name + s2
)
)
)
}
/** Holds if the two files are similar or duplicated. */
predicate fileLevelDuplication(File f, File other) {
similarFiles(f, other, _) or duplicateFiles(f, other, _)
}
/**
* Holds if the two classes are duplicated anonymous classes or more than 80% of
* their methods are duplicated.
*/
predicate classLevelDuplication(Class c, Class other) {
duplicateAnonymousClass(c, other) or mostlyDuplicateClass(c, other, _)
}
private Element whitelistedDuplicateElement() {
result instanceof UsingNamespaceDirective or
result instanceof UsingStaticDirective
}
/**
* Holds if the `line` in the `file` contains an element, such as a `using`
* directive, that is not considered for code duplication.
*/
predicate whitelistedLineForDuplication(File file, int line) {
exists(Location loc | loc = whitelistedDuplicateElement().getLocation() |
line = loc.getStartLine() and file = loc.getFile()
)
}


@@ -1,34 +0,0 @@
import csharp
external predicate defectResults(
int id, string queryPath, string file, int startline, int startcol, int endline, int endcol,
string message
);
class DefectResult extends int {
DefectResult() { defectResults(this, _, _, _, _, _, _, _) }
string getQueryPath() { defectResults(this, result, _, _, _, _, _, _) }
File getFile() {
exists(string path |
defectResults(this, _, path, _, _, _, _, _) and result.getAbsolutePath() = path
)
}
int getStartLine() { defectResults(this, _, _, result, _, _, _, _) }
int getStartColumn() { defectResults(this, _, _, _, result, _, _, _) }
int getEndLine() { defectResults(this, _, _, _, _, result, _, _) }
int getEndColumn() { defectResults(this, _, _, _, _, _, result, _) }
string getMessage() { defectResults(this, _, _, _, _, _, _, result) }
string getURL() {
result =
"file://" + getFile().getAbsolutePath() + ":" + getStartLine() + ":" + getStartColumn() + ":" +
getEndLine() + ":" + getEndColumn()
}
}


@@ -1,22 +0,0 @@
class Toolbox
{
private int x;
private int y;
public void move(int x, int y)
{
this.x = x;
this.y = y;
}
// ...
}
class Window
{
private int x;
private int y;
public void move(int x, int y)
{
this.x = x;
this.y = y;
}
// ...
}


@@ -1,35 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Methods should not be duplicated at more than one place in the program. Duplicating code makes it harder to update
should a change need to be made. It also makes the code harder to read.</p>
</overview>
<recommendation>
<p>Determining how to address this issue requires some consideration. If the duplicate methods are in the same class
then it is normally possible to just remove one and replace all references to that method by references to the other
method. If the methods are in different classes then there might be a need to create a superclass that
contains the method, which both classes inherit. If it is not logical to create a superclass the method
could be moved into a separate utility class.</p>
</recommendation>
<example>
<p>In this example the Toolbox and the Window class both have the same move method. In this case it would be logical to
put this method as well as the x and y properties into a new superclass that Toolbox and Window extend.</p>
<sample src="DuplicateMethod.cs" />
</example>
<section title="Fixing Using a Superclass">
<p>The example could be easily fixed by moving the x and y properties as well as the move method to a parent class. Note
that the x and y properties have to be changed to protected if they are accessed from the Toolbox and Window classes.</p>
<sample src="DuplicateMethodFix.cs" />
</section>
<references>
<li>Elmar Juergens, Florian Deissenboeck, Benjamin Hummel and Stefan Wagner. <em>Do Code Clones Matter?</em>. 2009.</li>
</references>
</qhelp>


@@ -1,41 +0,0 @@
/**
* @deprecated
* @name Duplicate method
* @description There is another identical implementation of this method. Extract the code to a common superclass or delegate to improve sharing.
* @kind problem
* @problem.severity recommendation
* @precision high
* @id cs/duplicate-method
* @tags testability
* maintainability
* useless-code
* duplicate-code
* statistical
* non-attributable
*/
import csharp
import CodeDuplication
predicate relevant(Method m) {
m.getNumberOfLinesOfCode() > 5 and not m.getName().matches("get%")
or
m.getNumberOfLinesOfCode() > 10
}
pragma[noopt]
predicate query(Method m, Method other) {
duplicateMethod(m, other) and
relevant(m) and
not exists(File f1, File f2 |
m.getFile() = f1 and fileLevelDuplication(f1, f2) and other.getFile() = f2
) and
not exists(Type t1, Type t2 |
m.getDeclaringType() = t1 and classLevelDuplication(t1, t2) and other.getDeclaringType() = t2
)
}
from Method m, Method other
where query(m, other)
select m, "Method " + m.getName() + " is duplicated in $@.", other,
other.getDeclaringType().getName() + "." + other.getName()


@@ -1,18 +0,0 @@
class Container
{
protected int x;
protected int y;
public void move(int x, int y)
{
this.x = x;
this.y = y;
}
}
class Toolbox : Container
{
// ...
}
class Window : Container
{
// ...
}


@@ -1,79 +0,0 @@
import csharp
class ExternalElement extends @external_element {
/** Gets a textual representation of this element. */
string toString() { none() }
/** Gets the location of this element. */
Location getLocation() { none() }
/** Gets the file containing this element. */
File getFile() { result = getLocation().getFile() }
}
class ExternalDefect extends ExternalElement, @externalDefect {
string getQueryPath() {
exists(string path |
externalDefects(this, path, _, _, _) and
result = path.replaceAll("\\", "/")
)
}
string getMessage() { externalDefects(this, _, _, result, _) }
float getSeverity() { externalDefects(this, _, _, _, result) }
override Location getLocation() { externalDefects(this, _, result, _, _) }
override string toString() {
result = getQueryPath() + ": " + getLocation() + " - " + getMessage()
}
}
class ExternalMetric extends ExternalElement, @externalMetric {
string getQueryPath() { externalMetrics(this, result, _, _) }
float getValue() { externalMetrics(this, _, _, result) }
override Location getLocation() { externalMetrics(this, _, result, _) }
override string toString() { result = getQueryPath() + ": " + getLocation() + " - " + getValue() }
}
class ExternalData extends ExternalElement, @externalDataElement {
string getDataPath() { externalData(this, result, _, _) }
string getQueryPath() { result = getDataPath().regexpReplaceAll("\\.[^.]*$", ".ql") }
int getNumFields() { result = 1 + max(int i | externalData(this, _, i, _) | i) }
string getField(int index) { externalData(this, _, index, result) }
int getFieldAsInt(int index) { result = getField(index).toInt() }
float getFieldAsFloat(int index) { result = getField(index).toFloat() }
date getFieldAsDate(int index) { result = getField(index).toDate() }
override string toString() { result = getQueryPath() + ": " + buildTupleString(0) }
private string buildTupleString(int start) {
start = getNumFields() - 1 and result = getField(start)
or
start < getNumFields() - 1 and result = getField(start) + "," + buildTupleString(start + 1)
}
}
/**
* External data with a location, and a message, as produced by tools that used to produce QLDs.
*/
class DefectExternalData extends ExternalData {
DefectExternalData() {
this.getField(0).regexpMatch("\\w+://.*:[0-9]+:[0-9]+:[0-9]+:[0-9]+$") and
this.getNumFields() = 2
}
string getURL() { result = getField(0) }
string getMessage() { result = getField(1) }
}


@@ -1,44 +0,0 @@
import csharp
external predicate metricResults(
int id, string queryPath, string file, int startline, int startcol, int endline, int endcol,
float value
);
class MetricResult extends int {
MetricResult() { metricResults(this, _, _, _, _, _, _, _) }
string getQueryPath() { metricResults(this, result, _, _, _, _, _, _) }
File getFile() {
exists(string path |
metricResults(this, _, path, _, _, _, _, _) and result.getAbsolutePath() = path
)
}
int getStartLine() { metricResults(this, _, _, result, _, _, _, _) }
int getStartColumn() { metricResults(this, _, _, _, result, _, _, _) }
int getEndLine() { metricResults(this, _, _, _, _, result, _, _) }
int getEndColumn() { metricResults(this, _, _, _, _, _, result, _) }
predicate hasMatchingLocation() { exists(this.getMatchingLocation()) }
Location getMatchingLocation() {
result.getFile() = this.getFile() and
result.getStartLine() = this.getStartLine() and
result.getEndLine() = this.getEndLine() and
result.getStartColumn() = this.getStartColumn() and
result.getEndColumn() = this.getEndColumn()
}
float getValue() { metricResults(this, _, _, _, _, _, _, result) }
string getURL() {
result =
"file://" + getFile().getAbsolutePath() + ":" + getStartLine() + ":" + getStartColumn() + ":" +
getEndLine() + ":" + getEndColumn()
}
}


@@ -1,20 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>If two classes share a lot of each other's methods then there is a lot of unnecessary code duplication.
This makes it difficult to make changes in future and makes the code harder to read.</p>
</overview>
<recommendation>
<p>If a duplicate class has been included by mistake then remove it. Otherwise consider making a common
superclass for both classes or even making one of the classes a superclass of the other.</p>
</recommendation>
<references>
<li>Elmar Juergens, Florian Deissenboeck, Benjamin Hummel and Stefan Wagner. <em>Do Code Clones Matter?</em>. 2009.</li>
</references>
</qhelp>


@@ -1,24 +0,0 @@
/**
* @deprecated
* @name Duplicate class
* @description More than 80% of the methods in this class are duplicated in another class. Create a common supertype to improve code sharing.
* @kind problem
* @problem.severity recommendation
* @precision high
* @id cs/duplicate-class
* @tags testability
* maintainability
* useless-code
* duplicate-code
* statistical
* non-attributable
*/
import csharp
import CodeDuplication
from Class c, string message, Class link
where
mostlyDuplicateClass(c, link, message) and
not fileLevelDuplication(c.getFile(), _)
select c, message, link, link.getName()


@@ -1,31 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>If two files share a lot of each other's code then there is a lot of unnecessary code duplication.
This makes it difficult to make changes in future and makes the code harder to read.</p>
</overview>
<recommendation>
<p>While completely duplicated files are rare, they are usually a sign of a simple oversight.
Usually the required action is to remove all but one of them. A common exception to this rule may arise
from generated code that simply occurs in several places in the source tree; the check can be
adapted to exclude such results.</p>
<p>It is far more common to see duplication of many lines between two files, leaving just a few that
are actually different. Consider such situations carefully. Are the differences deliberate or
a result of an inconsistent update to one of the clones? If the latter, then treating the files as
completely duplicate and eliminating one (while preserving any corrections or new features that
may have been introduced) is the best course. If two files serve genuinely different purposes but almost
all of their lines are the same, that can be a sign that there is a missing level of abstraction. Look
for ways to share the functionality, either by creating a utility class for the common parts or by
encapsulating the common parts into a new super class of any classes involved.</p>
</recommendation>
<references>
<li>Elmar Juergens, Florian Deissenboeck, Benjamin Hummel and Stefan Wagner. <em>Do Code Clones Matter?</em>. 2009.</li>
</references>
</qhelp>


@@ -1,23 +0,0 @@
/**
* @deprecated
* @name Mostly duplicate file
* @description There is another file that shares a lot of the code with this file. Merge the two files to improve maintainability.
* @kind problem
* @problem.severity recommendation
* @precision high
* @id cs/duplicate-file
* @tags testability
* maintainability
* useless-code
* duplicate-code
* statistical
* non-attributable
*/
import csharp
import CodeDuplication
from File f, File other, int percent
where duplicateFiles(f, other, percent)
select f, percent + "% of the lines in " + f.getBaseName() + " are copies of lines in $@.", other,
other.getBaseName()


@@ -1,48 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>When most of the lines in one method are duplicated in one or more other
methods, the methods themselves are regarded as <em>mostly duplicate</em> or <em>similar</em>.</p>
<p>Code duplication in general is highly undesirable for a range of reasons. The artificially
inflated amount of code is more difficult to understand, and sequences of similar but subtly different lines
can mask the real purpose or intention behind them. Also, there is always a risk that only one
of several copies of the code is updated to address a defect or add a feature.</p>
</overview>
<recommendation>
<p>Although completely duplicated methods are rare, they are usually a sign of a simple
oversight (or deliberate copy/paste) by a developer. Usually the required solution
is to remove all but one of them.</p>
<p>It is more common to see duplication of many lines between two methods, leaving just
a few that are actually different. Decide whether the differences are
intended or the result of an inconsistent update to one of the copies.</p>
<ul>
<li>If the two methods serve different purposes but many of their lines are duplicated, this indicates
that there is a missing level of abstraction. Look for ways of encapsulating the commonality and sharing it while
retaining the differences in functionality. Perhaps the method can be moved to a single place
and given an additional parameter, allowing it to cover all use cases. Alternatively, there
may be a common pre-processing or post-processing step that can be extracted to its own (shared)
method, leaving only the specific parts in the existing methods. Modern IDEs may provide
refactoring support for this sort of issue, usually with the names "Extract method", "Change method signature",
"Pull up" or "Extract supertype".</li>
<li>If the two methods serve the same purpose and are different only as a result of inconsistent updates
then treat the methods as completely duplicate. Determine
the most up-to-date and correct version of the code and eliminate all near duplicates. Callers of the
removed methods should be updated to call the remaining method instead. </li></ul>
</recommendation>
<references>
<li>E. Juergens, F. Deissenboeck, B. Hummel, S. Wagner.
<em>Do code clones matter?</em> Proceedings of the 31st International Conference on
Software Engineering,
485-495, 2009.</li>
</references>
</qhelp>


@@ -1,30 +0,0 @@
/**
* @deprecated
* @name Mostly duplicate method
* @description There is another method that shares a lot of the code with this method. Extract the code to a common superclass or delegate to improve sharing.
* @kind problem
* @problem.severity recommendation
* @precision high
* @id cs/similar-method
* @tags testability
* maintainability
* useless-code
* statistical
* non-attributable
*/
import csharp
import CodeDuplication
from Method m, int covered, int total, Method other, int percent
where
duplicateStatements(m, other, covered, total) and
covered != total and
m.getNumberOfLinesOfCode() > 5 and
covered * 100 / total = percent and
percent > 80 and
not duplicateMethod(m, other) and
not classLevelDuplication(m.getDeclaringType(), other.getDeclaringType()) and
not fileLevelDuplication(m.getFile(), other.getFile())
select m, percent + "% of the statements in " + m.getName() + " are duplicated in $@.", other,
other.getDeclaringType().getName() + "." + other.getName()


@@ -1,24 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>This rule identifies two files that have a lot of the same lines but with different variable and method
names. This makes it difficult to make changes in future and makes the code harder to read.</p>
</overview>
<recommendation>
<p>It is important to determine why there are small differences in the files. Sometimes the files might have
been duplicates but an update was only applied to one copy. If this is the case it should be simple to merge
the files, preserving any changes.</p>
<p>If the files are intentionally different then it could be a good idea to consider extracting some of the
shared code into a superclass or a separate utility class.</p>
</recommendation>
<references>
<li>Elmar Juergens, Florian Deissenboeck, Benjamin Hummel and Stefan Wagner. <em>Do Code Clones Matter?</em>. 2009.</li>
</references>
</qhelp>


@@ -1,31 +0,0 @@
/**
* @deprecated
* @name Mostly similar file
* @description There is another file that shares a lot of the code with this file. Notice that names of variables and types may have been changed. Merge the two files to improve maintainability.
* @kind problem
* @problem.severity recommendation
* @precision high
* @id cs/similar-file
* @tags testability
* maintainability
* useless-code
* duplicate-code
* statistical
* non-attributable
*/
import csharp
import CodeDuplication
predicate irrelevant(File f) {
f.getStem() = "AssemblyInfo" or
f.getStem().matches("%.Designer")
}
from File f, File other, int percent
where
similarFiles(f, other, percent) and
not irrelevant(f) and
not irrelevant(other)
select f, percent + "% of the lines in " + f.getBaseName() + " are similar to lines in $@.", other,
other.getBaseName()


@@ -1,20 +0,0 @@
/**
* @name Filter: only keep results from source that have been changed since the base line
* @description Exclude results that have not changed since the base line.
* @id cs/changed-lines-filter
* @kind problem
*/
import csharp
import external.ExternalArtifact
import external.DefectFilter
import ChangedLines
from DefectResult res
where
changedLine(res.getFile(), res.getStartLine())
or
changedLine(res.getFile(), res.getEndLine())
or
res.getStartLine() = 0 and changedLine(res.getFile(), _)
select res, res.getMessage()


@@ -1,12 +0,0 @@
import csharp
import external.ExternalArtifact
pragma[noopt]
predicate changedLine(File f, int line) {
exists(ExternalMetric metric, Location l |
exists(string s | s = "changedLines.ql" and metric.getQueryPath() = s) and
l = metric.getLocation() and
f = l.getFile() and
line = l.getStartLine()
)
}


@@ -1,15 +0,0 @@
/**
* @name Filter: only keep results from source that have been changed since the base line
* @description Exclude results that have not changed since the base line.
* @id cs/changed-lines-metric-filter
* @kind treemap
*/
import csharp
import external.ExternalArtifact
import external.MetricFilter
import ChangedLines
from MetricResult res
where changedLine(res.getFile(), _)
select res, res.getValue()


@@ -2,6 +2,8 @@
* @name Classify files
* @description This query produces a list of all files in a snapshot
* that are classified as generated code or test code.
*
* Used by LGTM.
* @kind file-classifier
* @id cs/file-classifier
*/
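Review bot: The added `Used by LGTM.` line sits between `@description` and `@kind`, so depending on how the query metadata parser treats the blank ` *` line it may be taken as a continuation of the description and surface in user-facing query text rather than as a maintainer note. If it is meant only for maintainers, placing it above `@name` at the top of the header, or as a `// Used by LGTM.` comment after the closing `*/`, removes that ambiguity. The header comment opens outside the hunk, so I cannot see what precedes `@name`.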


@@ -1,13 +0,0 @@
/**
* @name Filter: only keep results from source
* @description Exclude results that do not come from source code files.
* @kind problem
* @id cs/source-filter
*/
import csharp
import external.DefectFilter
from DefectResult res
where res.getFile().fromSource()
select res, res.getMessage()


@@ -1,13 +0,0 @@
/**
* @name Filter: only keep metric results from source
* @description Exclude results that do not come from source code files.
* @kind treemap
* @id cs/source-metric-filter
*/
import csharp
import external.MetricFilter
from MetricResult res
where res.getFile().fromSource()
select res, res.getValue()


@@ -1,13 +0,0 @@
/**
* @name Filter: only keep results in non-generated files
* @description Exclude results that come from generated code.
* @kind problem
* @id cs/not-generated-file-filter
*/
import semmle.code.csharp.commons.GeneratedCode
import external.DefectFilter
from DefectResult res
where not isGeneratedCode(res.getFile())
select res, res.getMessage()


@@ -1,13 +0,0 @@
/**
* @name Filter: only keep metric results in non-generated files
* @description Exclude results that come from generated code.
* @kind treemap
* @id cs/not-generated-file-metric-filter
*/
import semmle.code.csharp.commons.GeneratedCode
import external.MetricFilter
from MetricResult res
where not isGeneratedCode(res.getFile())
select res, res.getValue()


@@ -1,14 +0,0 @@
/**
* @name Filter: only keep results that are outside of test files
* @description Exclude results in test files.
* @kind problem
* @id cs/test-file-filter
*/
import csharp
import semmle.code.csharp.frameworks.Test
import external.DefectFilter
from DefectResult res
where not res.getFile() instanceof TestFile
select res, res.getMessage()


@@ -1,14 +0,0 @@
/**
* @name Filter: only keep results that are outside of test files
* @description Exclude results in test files.
* @kind treemap
* @id cs/test-file-metric-filter
*/
import csharp
import semmle.code.csharp.frameworks.Test
import external.MetricFilter
from MetricResult res
where not res.getFile() instanceof TestFile
select res, res.getValue()


@@ -1,17 +0,0 @@
/**
* @name Filter: only keep results that are outside of test methods
* @description Exclude results in test methods.
* @kind problem
* @id cs/test-method-filter
*/
import csharp
import semmle.code.csharp.frameworks.Test
import external.DefectFilter
from DefectResult res
where
not res.getFile() instanceof TestFile
or
not res.getStartLine() = res.getFile().(TestFile).lineInTestMethod()
select res, res.getMessage()


@@ -1,24 +0,0 @@
/**
* @name Filter: only keep results that are outside of a test method expecting an exception
* @description Exclude results in test methods expecting exceptions.
* @kind problem
* @id cs/test-method-exception-filter
*/
import csharp
import semmle.code.csharp.frameworks.Test
import external.DefectFilter
predicate ignoredLine(File f, int line) {
exists(TestMethod m | m.expectsException() |
f = m.getFile() and
line in [m.getLocation().getStartLine() .. m.getBody().getLocation().getEndLine()]
)
}
from DefectResult res
where
not res.getFile() instanceof TestFile
or
not ignoredLine(res.getFile(), res.getStartLine())
select res, res.getMessage()


@@ -1,22 +0,0 @@
/**
* @name Filter: only keep results from source that have not changed since the base line
* @description Complement of ChangedLines.ql.
* @kind problem
* @id cs/unchanged-lines-filter
*/
import csharp
import external.ExternalArtifact
import external.DefectFilter
import ChangedLines
from DefectResult res
where
not (
changedLine(res.getFile(), res.getStartLine())
or
changedLine(res.getFile(), res.getEndLine())
or
res.getStartLine() = 0 and changedLine(res.getFile(), _)
)
select res, res.getMessage()


@@ -1,15 +0,0 @@
/**
* @name Filter: only keep results from source that have not changed since the base line
* @description Complement of ChangedLinesForMetric.ql.
* @kind treemap
* @id cs/unchanged-lines-metric-filter
*/
import csharp
import external.ExternalArtifact
import external.MetricFilter
import ChangedLines
from MetricResult res
where not changedLine(res.getFile(), _)
select res, res.getValue()


@@ -1,30 +0,0 @@
// semmle-extractor-options: /r:System.Collections.dll /r:System.Data.Common.dll /r:System.Runtime.Serialization.Primitives.dll /r:System.Private.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Net.Primitives.dll /r:System.Net.Http.dll /r:System.Private.DataContractSerialization.dll /r:System.Runtime.Serialization.dll /r:System.ComponentModel.Primitives.dll
using System.Collections.Generic;
using System.Net.Http;
using System.Xml;
using System.Runtime.Serialization.Json;
using System.Data;
class C
{
System.Net.Http.HttpClient client;
System.Xml.XmlReader reader;
IXmlJsonReaderInitializer init;
[DataSysDescription("")]
void Test()
{
client = new HttpClient();
var request = new HttpRequestMessage();
client.SendAsync(request);
Method<XmlReader>();
}
List<IXmlJsonReaderInitializer> initializerList;
void Method<T>()
{
}
}


@@ -1,5 +0,0 @@
class D
{
System.Net.Http.HttpClient client;
}


@@ -1,48 +0,0 @@
// These are not counted as duplicates:
using System;
using System;
using System;
using System;
using System;
using System;
using System;
using System;
using System;
using System;
class C1
{
void f()
{
int a;
int b;
int c;
int d;
int e;
int f;
int g;
int h;
int i;
int j;
int k;
}
}
class C2
{
void f()
{
int a;
int b;
int c;
int d;
int e;
int f;
int g;
int h;
int i;
int j;
int k;
}
}


@@ -1,30 +0,0 @@
// These are not counted as duplicates:
using System;
using System;
using System;
using System;
using System;
using System;
using System;
using System;
using System;
class C3
{
void f()
{
int a;
int b;
int c;
int d;
int e;
int f;
int g;
int h;
int i;
int j;
int k;
}
}


@@ -1,12 +0,0 @@
| csproj.config:4:5:4:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:5:5:5:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:6:5:6:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:7:5:7:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
| csproj.config:8:5:8:70 | System.Private.Uri 4.3.0 | Package 'System.Private.Uri 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| csproj.config:9:5:9:73 | Microsoft.NETCore.App 2.1.0 | Package 'Microsoft.NETCore.App 2.1.0' has vulnerability $@, and should be upgraded to version 2.1.8. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| csproj.config:10:5:10:73 | Microsoft.NETCore.App 2.2.1 | Package 'Microsoft.NETCore.App 2.2.1' has vulnerability $@, and should be upgraded to version 2.2.2. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| packages.config:9:3:9:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
| packages.config:10:3:10:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
| packages.config:11:3:11:84 | microsoft.aspnetcore.all 2.0.0 | Package 'microsoft.aspnetcore.all 2.0.0' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/300 | ASPNETCore-Mar18 |
| packages.config:11:3:11:84 | microsoft.aspnetcore.all 2.0.0 | Package 'microsoft.aspnetcore.all 2.0.0' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/311 | ASPNETCore-July18 |
| packages.config:12:3:12:84 | Microsoft.AspNetCore.All 2.0.8 | Package 'Microsoft.AspNetCore.All 2.0.8' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/311 | ASPNETCore-July18 |


@@ -1 +0,0 @@
Security Features/CWE-937/VulnerablePackage.ql


@@ -1,22 +0,0 @@
<Project>
<ItemGroup>
<!-- These are BAD -->
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.0" />
<PackageReference Include="system.text.encodings.web" Version="4.3" />
<PackageReference Include="System.Net.Http" Version="4.1.1" />
<PackageReference Include="System.Net.Http" Version="4.1.2" />
<PackageReference Include="System.Private.Uri" Version="4.3.0" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.1.0" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.2.1" />
<!-- These are GOOD -->
<PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
<PackageReference Include="System.Private.Uri" Version="4.3.1" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.1.8" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.2.2" />
</ItemGroup>
</Project>


@@ -1,13 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<!-- These are GOOD -->
<package id="System.IO.Pipelines" version="4.5.1" targetFramework="net45" />
<package id="System.IO.Pipelines" version="4.5.1.0" targetFramework="net45" />
<package id="Microsoft.AspNetCore.All" version="2.0.9" targetFramework="net45" />
<!-- These are BAD -->
<package id="System.IO.Pipelines" version="4.5.0" targetFramework="net45" />
<package id="System.IO.Pipelines" version="4.5.0.0" targetFramework="net45" />
<package id="microsoft.aspnetcore.all" version="2.0.0" targetFramework="net45" />
<package id="Microsoft.AspNetCore.All" version="2.0.8" targetFramework="net45" />
</packages>