mirror of
https://github.com/github/codeql.git
synced 2026-01-29 22:32:58 +01:00
@@ -2,11 +2,11 @@
## General improvements
* Alert suppression can now be done with single-line block comments (`/* ... */`) as well as line comments (`// ...`).
* You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
* Analysis of flow through fields and elements of arrays and slices has been improved, which may lead to more results from the security queries.
* Detection of test code has been improved. LGTM will not show alerts in test code by default.
* Go 1.14 library changes have been modeled.
* More sources of untrusted input as well as vulnerable sinks are modelled, which may lead to more results from the security queries.
* More sources of untrusted input as well as vulnerable sinks are modeled, which may lead to more results from the security queries.
## New queries
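Review bot: the spelling change from "modelled" to "modeled" in the untrusted-sources bullet brings it in line with the "Go 1.14 library changes have been modeled" bullet, and the reworded suppression bullet ("You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`)") reads better; consider also stating where the suppression comment must sit relative to the flagged line, since that is what a user needs in order to apply it. The test-code bullet says LGTM will not show alerts in test code by default but not how to see them; a pointer to the override would help.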
@@ -26,14 +26,14 @@ The CodeQL library for Go now contains a folder of simple "cookbook" queries tha
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|-------------------------------------------------------------------------------|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Arbitrary file write during zip extraction ("zip slip") (`go/zipslip`) | Fewer false positives | The query now recognizes more cases where it is safe to use a path extractor from an archive. |
| Bitwise exclusive-or used like exponentiation (`go/mistyped-exponentiation`) | Fewer false positives | The query now identifies when the value of an xor is assigned to a mask object, and excludes such results. |
| Command built from user-controlled sources (`go/command-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases, including sources that flow into shells, sudo, or programming-language interpreters as arguments. |
| Database query built from user-controlled sources (`go/sql-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases. |
| Identical operands (`go/redundant-operation`) | Fewer false positives | The query no longer flags cases where the operands have the same value but are syntactically distinct, since this is usually intentional. |
| Incomplete regular expression for hostnames (`go/incomplete-hostname-regexp`) | More results | The query now flags unescaped dots before the TLD in a hostname regex. |
| Open URL redirect (`go/unvalidated-url-redirection`) | Fewer false positives | The query now identifies some sources that are not attacker-controlled, and excludes results with such sources. |
| Reflected cross-site scripting (`go/reflected-xss`) | Fewer results | Untrusted input flowing into an HTTP header definition or into an `fmt.Fprintf` call with a constant prefix is no longer flagged, since it is in both cases often harmless. |
| Useless assignment to field (`go/useless-assignment-to-field`) | Fewer false positives | The query now conservatively handles fields promoted through embedded pointer types. |
| **Query** | **Expected impact** | **Change** |
|-------------------------------------------------------------------------------|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Arbitrary file write during zip extraction ("zip slip") (`go/zipslip`) | Fewer false positive results | The query now excludes more cases where it is safe to use a path extractor from an archive. |
| Bitwise exclusive-or used like exponentiation (`go/mistyped-exponentiation`) | Fewer false positive results | The query now identifies when the value of an xor is assigned to a mask object, and excludes such results. |
| Command built from user-controlled sources (`go/command-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases, including sources that flow into shells, sudo, or programming-language interpreters as arguments. |
| Database query built from user-controlled sources (`go/sql-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases. |
| Identical operands (`go/redundant-operation`) | Fewer false positive results | The query no longer flags cases where the operands have the same value but are syntactically distinct, since this is usually intentional. |
| Incomplete regular expression for hostnames (`go/incomplete-hostname-regexp`) | More results | The query now flags unescaped dots before the TLD in a hostname regex. |
| Open URL redirect (`go/unvalidated-url-redirection`) | Fewer false positive results | The query now identifies some sources that are not attacker-controlled, and excludes results with such sources. |
| Reflected cross-site scripting (`go/reflected-xss`) | Fewer results | Untrusted input flowing into an HTTP header definition or into an `fmt.Fprintf` call with a constant prefix is no longer flagged, since it is in both cases often harmless. |
| Useless assignment to field (`go/useless-assignment-to-field`) | Fewer false positive results | The query now conservatively handles fields promoted through embedded pointer types. |
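Review bot: the change from "Fewer false positives" to "Fewer false positive results" in the impact column is applied to all five affected rows and the separator line was widened to match, so the table stays aligned. The `go/reflected-xss` row correctly keeps "Fewer results" rather than "Fewer false positive results": its change text says the dropped cases (untrusted input into an HTTP header definition or into a constant-prefix `fmt.Fprintf`) are "often harmless", not always false positives, and that distinction should stay so readers know some true findings may no longer be reported. In the `go/zipslip` row, "excludes more cases where it is safe" is clearer than "recognizes more cases", since exclusion is what the query does.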
@@ -2,15 +2,18 @@
# Improvements to Go analysis
## Improvements to the autobuilder
* When Makefiles or custom build scripts are present in the codebase, the autobuilder uses them to install dependencies. The build command
to invoke can be configured via `lgtm.yml`, or by setting the environment variable `CODEQL_EXTRACTOR_GO_BUILD_COMMAND`.
* The autobuilder now attempts to automatically detect when dependencies have been vendored and use `-mod=vendor` appropriately.
## Changes to code extraction
* The extractor now supports Go 1.14.
* In resource-constrained environments, the environment variable `CODEQL_EXTRACTOR_GO_MAX_GOROUTINES` can be used to limit the
number of parallel goroutines started by the extractor, which reduces CPU and memory requirements. The default value for this
variable is 32.
* The autobuilder now runs Makefiles or custom build scripts present in the codebase to install dependencies. The build command
to invoke can be configured via `lgtm.yml`, or by setting the environment variable `CODEQL_EXTRACTOR_GO_BUILD_COMMAND`.
* The autobuilder now attempts to automatically detect when dependencies have been vendored and use `-mod=vendor` appropriately.
* The extractor now uses buffered i/o for writing database files, which reduces the amount of time taken for extraction.
* The extractor now compresses intermediate files used for constructing databases, which reduces the amount of disk space it requires.
* The extractor now supports extracting go.mod files, enabling queries on dependencies and their versions.
* The extractor now supports Go 1.14.
* The extractor now supports extracting `go.mod` files, enabling queries on dependencies and their versions.
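Review bot: the autobuilder bullets (Makefiles and custom build scripts, vendored dependencies with `-mod=vendor`) now sit under "Changes to code extraction" next to the extractor bullets while the "## Improvements to the autobuilder" heading is still shown; check that the heading and the bullets are not both kept, or the section ends up empty or duplicated. Because the autobuilder "now runs Makefiles or custom build scripts present in the codebase to install dependencies", the note should say plainly that repository-controlled scripts are executed during analysis, so the build is only as trustworthy as the checked-out code, and that `CODEQL_EXTRACTOR_GO_BUILD_COMMAND` (or `lgtm.yml`) is the way to pin a known build command instead. Minor: "buffered i/o" should read "buffered I/O", and wrapping `go.mod` in backticks matches the existing `lgtm.yml` reference.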