hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add query suite inclusion tests for actions, csharp, go, javascript, ruby, rust

Browse Source
This commit is contained in:
Tamas Vajk
2025-04-24 09:06:18 +02:00
parent 522dd51416
commit a4a24470c8
36 changed files with 1610 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
javascript/ql/integration-tests/query-suite/javascript-code-quality.qls.expected Normal file
View File

@@ -0,0 +1,5 @@
ql/javascript/ql/src/Declarations/IneffectiveParameterType.ql
ql/javascript/ql/src/Expressions/ExprHasNoEffect.ql
ql/javascript/ql/src/Expressions/MissingAwait.ql
ql/javascript/ql/src/LanguageFeatures/SpuriousArguments.ql
ql/javascript/ql/src/RegExp/RegExpAlwaysMatches.ql

90
javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected Normal file
View File

@@ -0,0 +1,90 @@
ql/javascript/ql/src/AngularJS/DisablingSce.ql
ql/javascript/ql/src/AngularJS/DoubleCompilation.ql
ql/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
ql/javascript/ql/src/Diagnostics/ExtractedFiles.ql
ql/javascript/ql/src/Diagnostics/ExtractionErrors.ql
ql/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
ql/javascript/ql/src/Electron/DisablingWebSecurity.ql
ql/javascript/ql/src/Performance/PolynomialReDoS.ql
ql/javascript/ql/src/Performance/ReDoS.ql
ql/javascript/ql/src/RegExp/IdentityReplacement.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
ql/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
ql/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
ql/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
ql/javascript/ql/src/Security/CWE-022/TaintedPath.ql
ql/javascript/ql/src/Security/CWE-022/ZipSlip.ql
ql/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
ql/javascript/ql/src/Security/CWE-078/CommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
ql/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
ql/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
ql/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
ql/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
ql/javascript/ql/src/Security/CWE-079/StoredXss.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
ql/javascript/ql/src/Security/CWE-079/Xss.ql
ql/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
ql/javascript/ql/src/Security/CWE-089/SqlInjection.ql
ql/javascript/ql/src/Security/CWE-094/CodeInjection.ql
ql/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
ql/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
ql/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql
ql/javascript/ql/src/Security/CWE-116/BadTagFilter.ql
ql/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
ql/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
ql/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
ql/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
ql/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
ql/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
ql/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
ql/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
ql/javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.ql
ql/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
ql/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
ql/javascript/ql/src/Security/CWE-326/InsufficientKeySize.ql
ql/javascript/ql/src/Security/CWE-327/BadRandomness.ql
ql/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
ql/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
ql/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
ql/javascript/ql/src/Security/CWE-347/MissingJWTKeyVerification.ql
ql/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
ql/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
ql/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
ql/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-611/Xxe.ql
ql/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql
ql/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
ql/javascript/ql/src/Security/CWE-643/XpathInjection.ql
ql/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
ql/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
ql/javascript/ql/src/Security/CWE-730/ServerCrash.ql
ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
ql/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
ql/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql
ql/javascript/ql/src/Summary/LinesOfCode.ql
ql/javascript/ql/src/Summary/LinesOfUserCode.ql

205
javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected Normal file
View File

@@ -0,0 +1,205 @@
ql/javascript/ql/src/AngularJS/DependencyMismatch.ql
ql/javascript/ql/src/AngularJS/DisablingSce.ql
ql/javascript/ql/src/AngularJS/DoubleCompilation.ql
ql/javascript/ql/src/AngularJS/DuplicateDependency.ql
ql/javascript/ql/src/AngularJS/IncompatibleService.ql
ql/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
ql/javascript/ql/src/AngularJS/MissingExplicitInjection.ql
ql/javascript/ql/src/AngularJS/RepeatedInjection.ql
ql/javascript/ql/src/AngularJS/UseNgSrc.ql
ql/javascript/ql/src/DOM/DuplicateAttributes.ql
ql/javascript/ql/src/DOM/MalformedIdAttribute.ql
ql/javascript/ql/src/DOM/PseudoEval.ql
ql/javascript/ql/src/Declarations/ArgumentsRedefined.ql
ql/javascript/ql/src/Declarations/AssignmentToConst.ql
ql/javascript/ql/src/Declarations/ClobberingVarInit.ql
ql/javascript/ql/src/Declarations/ConflictingFunctions.ql
ql/javascript/ql/src/Declarations/DeadStoreOfLocal.ql
ql/javascript/ql/src/Declarations/DeadStoreOfProperty.ql
ql/javascript/ql/src/Declarations/DeclBeforeUse.ql
ql/javascript/ql/src/Declarations/DefaultArgumentReferencesNestedFunction.ql
ql/javascript/ql/src/Declarations/DuplicateVarDecl.ql
ql/javascript/ql/src/Declarations/IneffectiveParameterType.ql
ql/javascript/ql/src/Declarations/MissingThisQualifier.ql
ql/javascript/ql/src/Declarations/MissingVarDecl.ql
ql/javascript/ql/src/Declarations/MixedStaticInstanceThisAccess.ql
ql/javascript/ql/src/Declarations/SuspiciousMethodNameDeclaration.ql
ql/javascript/ql/src/Declarations/TemporalDeadZone.ql
ql/javascript/ql/src/Declarations/UniqueParameterNames.ql
ql/javascript/ql/src/Declarations/UniquePropertyNames.ql
ql/javascript/ql/src/Declarations/UnreachableMethodOverloads.ql
ql/javascript/ql/src/Declarations/UnusedVariable.ql
ql/javascript/ql/src/Diagnostics/ExtractedFiles.ql
ql/javascript/ql/src/Diagnostics/ExtractionErrors.ql
ql/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
ql/javascript/ql/src/Electron/DisablingWebSecurity.ql
ql/javascript/ql/src/Expressions/ComparisonWithNaN.ql
ql/javascript/ql/src/Expressions/DuplicateCondition.ql
ql/javascript/ql/src/Expressions/DuplicateProperty.ql
ql/javascript/ql/src/Expressions/DuplicateSwitchCase.ql
ql/javascript/ql/src/Expressions/ExprHasNoEffect.ql
ql/javascript/ql/src/Expressions/HeterogeneousComparison.ql
ql/javascript/ql/src/Expressions/ImplicitOperandConversion.ql
ql/javascript/ql/src/Expressions/MissingAwait.ql
ql/javascript/ql/src/Expressions/MissingDotLengthInComparison.ql
ql/javascript/ql/src/Expressions/MissingSpaceInAppend.ql
ql/javascript/ql/src/Expressions/MisspelledVariableName.ql
ql/javascript/ql/src/Expressions/RedundantExpression.ql
ql/javascript/ql/src/Expressions/SelfAssignment.ql
ql/javascript/ql/src/Expressions/ShiftOutOfRange.ql
ql/javascript/ql/src/Expressions/StringInsteadOfRegex.ql
ql/javascript/ql/src/Expressions/SuspiciousInvocation.ql
ql/javascript/ql/src/Expressions/SuspiciousPropAccess.ql
ql/javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql
ql/javascript/ql/src/Expressions/UnclearOperatorPrecedence.ql
ql/javascript/ql/src/Expressions/UnknownDirective.ql
ql/javascript/ql/src/Expressions/UnneededDefensiveProgramming.ql
ql/javascript/ql/src/Expressions/WhitespaceContradictsPrecedence.ql
ql/javascript/ql/src/LanguageFeatures/BadTypeof.ql
ql/javascript/ql/src/LanguageFeatures/ConditionalComments.ql
ql/javascript/ql/src/LanguageFeatures/DeleteVar.ql
ql/javascript/ql/src/LanguageFeatures/ExpressionClosures.ql
ql/javascript/ql/src/LanguageFeatures/ForInComprehensionBlocks.ql
ql/javascript/ql/src/LanguageFeatures/IllegalInvocation.ql
ql/javascript/ql/src/LanguageFeatures/InconsistentNew.ql
ql/javascript/ql/src/LanguageFeatures/InvalidPrototype.ql
ql/javascript/ql/src/LanguageFeatures/LengthComparisonOffByOne.ql
ql/javascript/ql/src/LanguageFeatures/NonLinearPattern.ql
ql/javascript/ql/src/LanguageFeatures/PropertyWriteOnPrimitive.ql
ql/javascript/ql/src/LanguageFeatures/SemicolonInsertion.ql
ql/javascript/ql/src/LanguageFeatures/SetterReturn.ql
ql/javascript/ql/src/LanguageFeatures/SpuriousArguments.ql
ql/javascript/ql/src/LanguageFeatures/StrictModeCallStackIntrospection.ql
ql/javascript/ql/src/LanguageFeatures/SyntaxError.ql
ql/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql
ql/javascript/ql/src/LanguageFeatures/ThisBeforeSuper.ql
ql/javascript/ql/src/LanguageFeatures/UnusedIndexVariable.ql
ql/javascript/ql/src/LanguageFeatures/WithStatement.ql
ql/javascript/ql/src/LanguageFeatures/YieldInNonGenerator.ql
ql/javascript/ql/src/NodeJS/InvalidExport.ql
ql/javascript/ql/src/NodeJS/MissingExports.ql
ql/javascript/ql/src/Performance/PolynomialReDoS.ql
ql/javascript/ql/src/Performance/ReDoS.ql
ql/javascript/ql/src/React/DirectStateMutation.ql
ql/javascript/ql/src/React/InconsistentStateUpdate.ql
ql/javascript/ql/src/React/UnsupportedStateUpdateInLifecycleMethod.ql
ql/javascript/ql/src/React/UnusedOrUndefinedStateProperty.ql
ql/javascript/ql/src/RegExp/BackrefBeforeGroup.ql
ql/javascript/ql/src/RegExp/BackrefIntoNegativeLookahead.ql
ql/javascript/ql/src/RegExp/DuplicateCharacterInCharacterClass.ql
ql/javascript/ql/src/RegExp/EmptyCharacterClass.ql
ql/javascript/ql/src/RegExp/IdentityReplacement.ql
ql/javascript/ql/src/RegExp/RegExpAlwaysMatches.ql
ql/javascript/ql/src/RegExp/UnboundBackref.ql
ql/javascript/ql/src/RegExp/UnmatchableCaret.ql
ql/javascript/ql/src/RegExp/UnmatchableDollar.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
ql/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
ql/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql
ql/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
ql/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
ql/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
ql/javascript/ql/src/Security/CWE-022/TaintedPath.ql
ql/javascript/ql/src/Security/CWE-022/ZipSlip.ql
ql/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
ql/javascript/ql/src/Security/CWE-078/CommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
ql/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
ql/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
ql/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
ql/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
ql/javascript/ql/src/Security/CWE-079/StoredXss.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
ql/javascript/ql/src/Security/CWE-079/Xss.ql
ql/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
ql/javascript/ql/src/Security/CWE-089/SqlInjection.ql
ql/javascript/ql/src/Security/CWE-094/CodeInjection.ql
ql/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
ql/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeCodeConstruction.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
ql/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql
ql/javascript/ql/src/Security/CWE-116/BadTagFilter.ql
ql/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
ql/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
ql/javascript/ql/src/Security/CWE-117/LogInjection.ql
ql/javascript/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
ql/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
ql/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
ql/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
ql/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
ql/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
ql/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
ql/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
ql/javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.ql
ql/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
ql/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
ql/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
ql/javascript/ql/src/Security/CWE-326/InsufficientKeySize.ql
ql/javascript/ql/src/Security/CWE-327/BadRandomness.ql
ql/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
ql/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
ql/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
ql/javascript/ql/src/Security/CWE-347/MissingJWTKeyVerification.ql
ql/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
ql/javascript/ql/src/Security/CWE-367/FileSystemRace.ql
ql/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
ql/javascript/ql/src/Security/CWE-384/SessionFixation.ql
ql/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
ql/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
ql/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
ql/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
ql/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-611/Xxe.ql
ql/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql
ql/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
ql/javascript/ql/src/Security/CWE-643/XpathInjection.ql
ql/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
ql/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
ql/javascript/ql/src/Security/CWE-730/ServerCrash.ql
ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
ql/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
ql/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
ql/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
ql/javascript/ql/src/Security/CWE-862/EmptyPasswordInConfigurationFile.ql
ql/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
ql/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.ql
ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql
ql/javascript/ql/src/Statements/DanglingElse.ql
ql/javascript/ql/src/Statements/IgnoreArrayResult.ql
ql/javascript/ql/src/Statements/InconsistentLoopOrientation.ql
ql/javascript/ql/src/Statements/LabelInCase.ql
ql/javascript/ql/src/Statements/LoopIterationSkippedDueToShifting.ql
ql/javascript/ql/src/Statements/MisleadingIndentationAfterControlStmt.ql
ql/javascript/ql/src/Statements/ReturnAssignsLocal.ql
ql/javascript/ql/src/Statements/SuspiciousUnusedLoopIterationVariable.ql
ql/javascript/ql/src/Statements/UnreachableStatement.ql
ql/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
ql/javascript/ql/src/Statements/UselessComparisonTest.ql
ql/javascript/ql/src/Statements/UselessConditional.ql
ql/javascript/ql/src/Summary/LinesOfCode.ql
ql/javascript/ql/src/Summary/LinesOfUserCode.ql
ql/javascript/ql/src/Vue/ArrowMethodOnVueInstance.ql

107
javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected Normal file
View File

@@ -0,0 +1,107 @@
ql/javascript/ql/src/AngularJS/DisablingSce.ql
ql/javascript/ql/src/AngularJS/DoubleCompilation.ql
ql/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
ql/javascript/ql/src/Diagnostics/ExtractedFiles.ql
ql/javascript/ql/src/Diagnostics/ExtractionErrors.ql
ql/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
ql/javascript/ql/src/Electron/DisablingWebSecurity.ql
ql/javascript/ql/src/Performance/PolynomialReDoS.ql
ql/javascript/ql/src/Performance/ReDoS.ql
ql/javascript/ql/src/RegExp/IdentityReplacement.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
ql/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
ql/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql
ql/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
ql/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
ql/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
ql/javascript/ql/src/Security/CWE-022/TaintedPath.ql
ql/javascript/ql/src/Security/CWE-022/ZipSlip.ql
ql/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
ql/javascript/ql/src/Security/CWE-078/CommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
ql/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
ql/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
ql/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
ql/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
ql/javascript/ql/src/Security/CWE-079/StoredXss.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
ql/javascript/ql/src/Security/CWE-079/Xss.ql
ql/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
ql/javascript/ql/src/Security/CWE-089/SqlInjection.ql
ql/javascript/ql/src/Security/CWE-094/CodeInjection.ql
ql/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
ql/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeCodeConstruction.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
ql/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql
ql/javascript/ql/src/Security/CWE-116/BadTagFilter.ql
ql/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
ql/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
ql/javascript/ql/src/Security/CWE-117/LogInjection.ql
ql/javascript/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
ql/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
ql/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
ql/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
ql/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
ql/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
ql/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
ql/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
ql/javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.ql
ql/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
ql/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
ql/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
ql/javascript/ql/src/Security/CWE-326/InsufficientKeySize.ql
ql/javascript/ql/src/Security/CWE-327/BadRandomness.ql
ql/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
ql/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
ql/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
ql/javascript/ql/src/Security/CWE-347/MissingJWTKeyVerification.ql
ql/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
ql/javascript/ql/src/Security/CWE-367/FileSystemRace.ql
ql/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
ql/javascript/ql/src/Security/CWE-384/SessionFixation.ql
ql/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
ql/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
ql/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
ql/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
ql/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-611/Xxe.ql
ql/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql
ql/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
ql/javascript/ql/src/Security/CWE-643/XpathInjection.ql
ql/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
ql/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
ql/javascript/ql/src/Security/CWE-730/ServerCrash.ql
ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
ql/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
ql/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
ql/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
ql/javascript/ql/src/Security/CWE-862/EmptyPasswordInConfigurationFile.ql
ql/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
ql/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.ql
ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql
ql/javascript/ql/src/Summary/LinesOfCode.ql
ql/javascript/ql/src/Summary/LinesOfUserCode.ql

148
javascript/ql/integration-tests/query-suite/not_included_in_qls.expected Normal file
View File

@@ -0,0 +1,148 @@
ql/javascript/ql/src/AlertSuppression.ql
ql/javascript/ql/src/AngularJS/DeadAngularJSEventListener.ql
ql/javascript/ql/src/AngularJS/UnusedAngularDependency.ql
ql/javascript/ql/src/Comments/CommentedOutCode.ql
ql/javascript/ql/src/Comments/FCommentedOutCode.ql
ql/javascript/ql/src/Comments/TodoComments.ql
ql/javascript/ql/src/DOM/Alert.ql
ql/javascript/ql/src/DOM/AmbiguousIdAttribute.ql
ql/javascript/ql/src/DOM/ConflictingAttributes.ql
ql/javascript/ql/src/DOM/TargetBlank.ql
ql/javascript/ql/src/Declarations/DeadStoreOfGlobal.ql
ql/javascript/ql/src/Declarations/RedeclaredVariable.ql
ql/javascript/ql/src/Declarations/TooManyParameters.ql
ql/javascript/ql/src/Declarations/UnstableCyclicImport.ql
ql/javascript/ql/src/Declarations/UnusedParameter.ql
ql/javascript/ql/src/Declarations/UnusedProperty.ql
ql/javascript/ql/src/Electron/EnablingNodeIntegration.ql
ql/javascript/ql/src/Expressions/BitwiseSignCheck.ql
ql/javascript/ql/src/Expressions/CompareIdenticalValues.ql
ql/javascript/ql/src/Expressions/MisspelledIdentifier.ql
ql/javascript/ql/src/JSDoc/BadParamTag.ql
ql/javascript/ql/src/JSDoc/JSDocForNonExistentParameter.ql
ql/javascript/ql/src/JSDoc/UndocumentedParameter.ql
ql/javascript/ql/src/LanguageFeatures/ArgumentsCallerCallee.ql
ql/javascript/ql/src/LanguageFeatures/DebuggerStatement.ql
ql/javascript/ql/src/LanguageFeatures/EmptyArrayInit.ql
ql/javascript/ql/src/LanguageFeatures/Eval.ql
ql/javascript/ql/src/LanguageFeatures/JumpFromFinally.ql
ql/javascript/ql/src/LanguageFeatures/SetterIgnoresParameter.ql
ql/javascript/ql/src/LanguageFeatures/WrongExtensionJSON.ql
ql/javascript/ql/src/Metrics/Dependencies/ExternalDependencies.ql
ql/javascript/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
ql/javascript/ql/src/Metrics/FCommentRatio.ql
ql/javascript/ql/src/Metrics/FCyclomaticComplexity.ql
ql/javascript/ql/src/Metrics/FFunctions.ql
ql/javascript/ql/src/Metrics/FLines.ql
ql/javascript/ql/src/Metrics/FLinesOfCode.ql
ql/javascript/ql/src/Metrics/FLinesOfComment.ql
ql/javascript/ql/src/Metrics/FLinesOfDuplicatedCode.ql
ql/javascript/ql/src/Metrics/FLinesOfSimilarCode.ql
ql/javascript/ql/src/Metrics/FNumberOfStatements.ql
ql/javascript/ql/src/Metrics/FNumberOfTests.ql
ql/javascript/ql/src/Metrics/FUseOfES6.ql
ql/javascript/ql/src/Metrics/FunCyclomaticComplexity.ql
ql/javascript/ql/src/Metrics/FunLinesOfCode.ql
ql/javascript/ql/src/NodeJS/CyclicImport.ql
ql/javascript/ql/src/NodeJS/DubiousImport.ql
ql/javascript/ql/src/NodeJS/UnresolvableImport.ql
ql/javascript/ql/src/NodeJS/UnusedDependency.ql
ql/javascript/ql/src/Performance/NonLocalForIn.ql
ql/javascript/ql/src/Performance/ReassignParameterAndUseArguments.ql
ql/javascript/ql/src/RegExp/BackspaceEscape.ql
ql/javascript/ql/src/RegExp/MalformedRegExp.ql
ql/javascript/ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
ql/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
ql/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
ql/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
ql/javascript/ql/src/Security/trest/test.ql
ql/javascript/ql/src/Statements/EphemeralLoop.ql
ql/javascript/ql/src/Statements/ImplicitReturn.ql
ql/javascript/ql/src/Statements/InconsistentReturn.ql
ql/javascript/ql/src/Statements/NestedLoopsSameVariable.ql
ql/javascript/ql/src/Statements/ReturnOutsideFunction.ql
ql/javascript/ql/src/Summary/TaintSinks.ql
ql/javascript/ql/src/Summary/TaintSources.ql
ql/javascript/ql/src/definitions.ql
ql/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
ql/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql
ql/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
ql/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
ql/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
ql/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
ql/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
ql/javascript/ql/src/experimental/Security/CWE-444/InsecureHttpParser.ql
ql/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
ql/javascript/ql/src/experimental/Security/CWE-918/SSRF.ql
ql/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql
ql/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-079/Xss.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-094/CodeInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-117/LogInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-134/TaintedFormatString.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-400/RemotePropertyInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-502/UnsafeDeserialization.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-611/Xxe.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-643/XpathInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-730/RegExpInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-770/ResourceExhaustion.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-776/XmlBomb.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-807/ConditionalBypass.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
ql/javascript/ql/src/external/DuplicateFunction.ql
ql/javascript/ql/src/external/DuplicateToplevel.ql
ql/javascript/ql/src/external/SimilarFunction.ql
ql/javascript/ql/src/external/SimilarToplevel.ql
ql/javascript/ql/src/filters/ClassifyFiles.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphEdges.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphNodes.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphPointsToEdges.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphRhsNodes.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphUseNodes.ql
ql/javascript/ql/src/meta/Consistency.ql
ql/javascript/ql/src/meta/SSA/DeadDef.ql
ql/javascript/ql/src/meta/SSA/Dominance.ql
ql/javascript/ql/src/meta/SSA/MultipleDefs.ql
ql/javascript/ql/src/meta/SSA/MultipleRefinementInputs.ql
ql/javascript/ql/src/meta/SSA/NoDefs.ql
ql/javascript/ql/src/meta/SSA/NoPhiInputs.ql
ql/javascript/ql/src/meta/SSA/NoRefinementInputs.ql
ql/javascript/ql/src/meta/SSA/SinglePhiInput.ql
ql/javascript/ql/src/meta/alerts/CallGraph.ql
ql/javascript/ql/src/meta/alerts/ImportGraph.ql
ql/javascript/ql/src/meta/alerts/LibraryInputs.ql
ql/javascript/ql/src/meta/alerts/TaintSinks.ql
ql/javascript/ql/src/meta/alerts/TaintSources.ql
ql/javascript/ql/src/meta/alerts/TaintedNodes.ql
ql/javascript/ql/src/meta/alerts/ThreatModelSources.ql
ql/javascript/ql/src/meta/analysis-quality/CalledFunctionCandidates.ql
ql/javascript/ql/src/meta/analysis-quality/CalledFunctionRatio.ql
ql/javascript/ql/src/meta/analysis-quality/CalledFunctions.ql
ql/javascript/ql/src/meta/analysis-quality/DomValueRefs.ql
ql/javascript/ql/src/meta/analysis-quality/NumModules.ql
ql/javascript/ql/src/meta/analysis-quality/ResolvableCallCandidates.ql
ql/javascript/ql/src/meta/analysis-quality/ResolvableCallRatio.ql
ql/javascript/ql/src/meta/analysis-quality/ResolvableCalls.ql
ql/javascript/ql/src/meta/analysis-quality/ResolvableImports.ql
ql/javascript/ql/src/meta/analysis-quality/RouteHandlers.ql
ql/javascript/ql/src/meta/analysis-quality/SanitizersReachableFromSource.ql
ql/javascript/ql/src/meta/analysis-quality/SinksReachableFromSanitizer.ql
ql/javascript/ql/src/meta/analysis-quality/TaintSinks.ql
ql/javascript/ql/src/meta/analysis-quality/TaintSources.ql
ql/javascript/ql/src/meta/analysis-quality/TaintSteps.ql
ql/javascript/ql/src/meta/analysis-quality/TaintedNodes.ql
ql/javascript/ql/src/meta/analysis-quality/UncalledFunctions.ql
ql/javascript/ql/src/meta/analysis-quality/UnmodelledSteps.ql
ql/javascript/ql/src/meta/analysis-quality/UnpromotedRouteHandlerCandidate.ql
ql/javascript/ql/src/meta/analysis-quality/UnpromotedRouteSetupCandidate.ql
ql/javascript/ql/src/meta/analysis-quality/UnresolvableCalls.ql
ql/javascript/ql/src/meta/analysis-quality/UnresolvableImports.ql
ql/javascript/ql/src/meta/extraction-metrics/FileData.ql
ql/javascript/ql/src/meta/extraction-metrics/MissingMetrics.ql
ql/javascript/ql/src/meta/extraction-metrics/PhaseTimings.ql
ql/javascript/ql/src/meta/types/TypedExprs.ql
ql/javascript/ql/src/meta/types/TypesWithQualifiedName.ql

14
javascript/ql/integration-tests/query-suite/test.py Normal file
View File

@@ -0,0 +1,14 @@
import runs_on
import pytest
from query_suites import *
well_known_query_suites = ['javascript-code-quality.qls', 'javascript-security-and-quality.qls', 'javascript-security-extended.qls', 'javascript-code-scanning.qls']
@runs_on.posix
@pytest.mark.parametrize("query_suite", well_known_query_suites)
def test(codeql, javascript, check_query_suite, query_suite):
check_query_suite(query_suite)
@runs_on.posix
def test_not_included_queries(codeql, javascript, check_queries_not_included):
check_queries_not_included('javascript', well_known_query_suites)