hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-20 22:44:52 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into redsun82/bzlmod

Browse Source
This commit is contained in:
Paolo Tranquilli
2024-02-21 06:22:10 +01:00
parent 2cc762b85a f2e04c0cb2
commit c5ed96b4f8
165 changed files with 721 additions and 665 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.12.6
### New Features
* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.
## 0.12.5
### New Features

7
cpp/ql/lib/change-notes/2023-02-16-range-based-for-initializers.md → cpp/ql/lib/change-notes/released/0.12.6.md
View File

@@ -1,4 +1,5 @@
---
category: feature
---
## 0.12.6
### New Features
* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.12.5
lastReleaseVersion: 0.12.6

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.12.6-dev
version: 0.12.7-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

7
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,10 @@
## 0.9.5
### Minor Analysis Improvements
* The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
* Added dataflow models for the `gettext` function variants.
## 0.9.4
### Minor Analysis Improvements

4
cpp/ql/src/change-notes/2024-02-05-gettext-dataflows.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added dataflow models for the `gettext` function variants.

8
cpp/ql/src/change-notes/2024-02-16-non-constant-format.md → cpp/ql/src/change-notes/released/0.9.5.md
View File

@@ -1,4 +1,6 @@
---
category: minorAnalysis
---
## 0.9.5
### Minor Analysis Improvements
* The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
* Added dataflow models for the `gettext` function variants.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.4
lastReleaseVersion: 0.9.5

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.9.5-dev
version: 0.9.6-dev
groups:
- cpp
- queries

53
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
View File

@@ -5,6 +5,7 @@ using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Semmle.Util;
using Semmle.Util.Logging;
@@ -14,7 +15,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
/// <summary>
/// Main implementation of the build analysis.
/// </summary>
public sealed class DependencyManager : IDisposable
public sealed partial class DependencyManager : IDisposable
{
private readonly AssemblyCache assemblyCache;
private readonly ILogger logger;
@@ -783,13 +784,53 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
CompilationInfos.Add(("Successfully restored project files", successCount.ToString()));
}
[GeneratedRegex(@"^(.+)\.(\d+\.\d+\.\d+(-(.+))?)$", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Singleline)]
private static partial Regex LegacyNugetPackage();
private static IEnumerable<string> GetRestoredPackageDirectoryNames(DirectoryInfo root)
{
return Directory.GetDirectories(root.FullName)
.Select(d => Path.GetFileName(d).ToLowerInvariant());
}
private IEnumerable<string> GetRestoredLegacyPackageNames()
{
var oldPackageDirectories = GetRestoredPackageDirectoryNames(legacyPackageDirectory.DirInfo);
foreach (var oldPackageDirectory in oldPackageDirectories)
{
// nuget install restores packages to 'packagename.version' folders (dotnet restore to 'packagename/version' folders)
// typical folder names look like:
// newtonsoft.json.13.0.3
// there are more complex ones too, such as:
// runtime.tizen.4.0.0-armel.Microsoft.NETCore.DotNetHostResolver.2.0.0-preview2-25407-01
var match = LegacyNugetPackage().Match(oldPackageDirectory);
if (!match.Success)
{
logger.LogWarning($"Package directory '{oldPackageDirectory}' doesn't match the expected pattern.");
continue;
}
yield return match.Groups[1].Value.ToLowerInvariant();
}
}
private void DownloadMissingPackages(List<FileInfo> allFiles, ISet<string> dllPaths)
{
var alreadyDownloadedPackages = Directory.GetDirectories(packageDirectory.DirInfo.FullName)
.Select(d => Path.GetFileName(d).ToLowerInvariant());
var notYetDownloadedPackages = fileContent.AllPackages
.Except(alreadyDownloadedPackages)
.ToList();
var alreadyDownloadedPackages = GetRestoredPackageDirectoryNames(packageDirectory.DirInfo);
var alreadyDownloadedLegacyPackages = GetRestoredLegacyPackageNames();
var notYetDownloadedPackages = new HashSet<string>(fileContent.AllPackages);
foreach (var alreadyDownloadedPackage in alreadyDownloadedPackages)
{
notYetDownloadedPackages.Remove(alreadyDownloadedPackage);
}
foreach (var alreadyDownloadedLegacyPackage in alreadyDownloadedLegacyPackages)
{
notYetDownloadedPackages.Remove(alreadyDownloadedLegacyPackage);
}
if (notYetDownloadedPackages.Count == 0)
{
return;

29
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/FileContent.cs
View File

@@ -157,23 +157,35 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
return false;
}
private void AddPackageReference(ReadOnlySpan<char> line, string groupName, Func<Regex> regex)
{
foreach (var valueMatch in regex().EnumerateMatches(line))
{
// We can't get the group from the ValueMatch, so doing it manually:
var packageName = GetGroup(line, valueMatch, groupName).ToLowerInvariant();
if (!string.IsNullOrEmpty(packageName))
{
allPackages.Add(packageName);
}
}
}
private void DoInitialize()
{
foreach (var file in files)
{
try
{
var isPackagesConfig = file.EndsWith("packages.config", StringComparison.OrdinalIgnoreCase);
foreach (ReadOnlySpan<char> line in unsafeFileReader.ReadLines(file))
{
// Find all the packages.
foreach (var valueMatch in PackageReference().EnumerateMatches(line))
AddPackageReference(line, "Include", PackageReference);
if (isPackagesConfig)
{
// We can't get the group from the ValueMatch, so doing it manually:
var packageName = GetGroup(line, valueMatch, "Include").ToLowerInvariant();
if (!string.IsNullOrEmpty(packageName))
{
allPackages.Add(packageName);
}
AddPackageReference(line, "id", LegacyPackageReference);
}
// Determine if ASP.NET is used.
@@ -223,6 +235,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
[GeneratedRegex("(?<!<!--.*)<PackageReference.*\\sInclude=\"(.*?)\".*/?>", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Singleline)]
private static partial Regex PackageReference();
[GeneratedRegex("(?<!<!--.*)<package.*\\sid=\"(.*?)\".*/?>", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Singleline)]
private static partial Regex LegacyPackageReference();
[GeneratedRegex("(?<!<!--.*)<FrameworkReference.*\\sInclude=\"(.*?)\".*/?>", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Singleline)]
private static partial Regex FrameworkReference();

182
csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
View File

@@ -1,3 +1,5 @@
using System;
using System.Collections.Generic;
using System.Diagnostics.CodeAnalysis;
using System.IO;
using System.Linq;
@@ -10,8 +12,16 @@ namespace Semmle.Extraction.CSharp.Entities
{
internal class Constructor : Method
{
private readonly List<SyntaxNode> declaringReferenceSyntax;
private Constructor(Context cx, IMethodSymbol init)
: base(cx, init) { }
: base(cx, init)
{
declaringReferenceSyntax =
Symbol.DeclaringSyntaxReferences
.Select(r => r.GetSyntax())
.ToList();
}
public override void Populate(TextWriter trapFile)
{
@@ -22,6 +32,12 @@ namespace Semmle.Extraction.CSharp.Entities
trapFile.constructors(this, Symbol.ContainingType.Name, ContainingType, (Constructor)OriginalDefinition);
trapFile.constructor_location(this, Location);
if (IsPrimary)
{
// Create a synthetic empty body for primary constructors.
Statements.SyntheticEmptyBlock.Create(Context, this, 0, Location);
}
if (Symbol.IsImplicitlyDeclared)
{
var lineCounts = new LineCounts() { Total = 2, Code = 1, Comment = 0 };
@@ -33,68 +49,79 @@ namespace Semmle.Extraction.CSharp.Entities
protected override void ExtractInitializers(TextWriter trapFile)
{
// Do not extract initializers for constructed types.
if (!IsSourceDeclaration)
return;
var syntax = Syntax;
var initializer = syntax?.Initializer;
if (initializer is null)
// Only extract initializers for constructors with a body and primary constructors.
if (Block is null && ExpressionBody is null && !IsPrimary ||
!IsSourceDeclaration)
{
if (Symbol.MethodKind is MethodKind.Constructor)
return;
}
if (OrdinaryConstructorSyntax?.Initializer is ConstructorInitializerSyntax initializer)
{
ITypeSymbol initializerType;
var initializerInfo = Context.GetSymbolInfo(initializer);
switch (initializer.Kind())
{
var baseType = Symbol.ContainingType.BaseType;
if (baseType is null)
{
if (Symbol.ContainingType.SpecialType != SpecialType.System_Object)
{
Context.ModelError(Symbol, "Unable to resolve base type in implicit constructor initializer");
}
case SyntaxKind.BaseConstructorInitializer:
initializerType = Symbol.ContainingType.BaseType!;
break;
case SyntaxKind.ThisConstructorInitializer:
initializerType = Symbol.ContainingType;
break;
default:
Context.ModelError(initializer, "Unknown initializer");
return;
}
var baseConstructor = baseType.InstanceConstructors.FirstOrDefault(c => c.Arity is 0);
if (baseConstructor is null)
{
Context.ModelError(Symbol, "Unable to resolve implicit constructor initializer call");
return;
}
var baseConstructorTarget = Create(Context, baseConstructor);
var info = new ExpressionInfo(Context,
AnnotatedTypeSymbol.CreateNotAnnotated(baseType),
Location,
Kinds.ExprKind.CONSTRUCTOR_INIT,
this,
-1,
isCompilerGenerated: true,
null);
trapFile.expr_call(new Expression(info), baseConstructorTarget);
}
return;
ExtractSourceInitializer(trapFile, initializerType, (IMethodSymbol?)initializerInfo.Symbol, initializer.ArgumentList, initializer.ThisOrBaseKeyword.GetLocation());
}
ITypeSymbol initializerType;
var symbolInfo = Context.GetSymbolInfo(initializer);
switch (initializer.Kind())
else if (PrimaryBase is PrimaryConstructorBaseTypeSyntax primaryInitializer)
{
case SyntaxKind.BaseConstructorInitializer:
initializerType = Symbol.ContainingType.BaseType!;
break;
case SyntaxKind.ThisConstructorInitializer:
initializerType = Symbol.ContainingType;
break;
default:
Context.ModelError(initializer, "Unknown initializer");
return;
}
var primaryInfo = Context.GetSymbolInfo(primaryInitializer);
var primarySymbol = primaryInfo.Symbol;
ExtractSourceInitializer(trapFile, primarySymbol?.ContainingType, (IMethodSymbol?)primarySymbol, primaryInitializer.ArgumentList, primaryInitializer.GetLocation());
}
else if (Symbol.MethodKind is MethodKind.Constructor)
{
var baseType = Symbol.ContainingType.BaseType;
if (baseType is null)
{
if (Symbol.ContainingType.SpecialType != SpecialType.System_Object)
{
Context.ModelError(Symbol, "Unable to resolve base type in implicit constructor initializer");
}
return;
}
var baseConstructor = baseType.InstanceConstructors.FirstOrDefault(c => c.Arity is 0);
if (baseConstructor is null)
{
Context.ModelError(Symbol, "Unable to resolve implicit constructor initializer call");
return;
}
var baseConstructorTarget = Create(Context, baseConstructor);
var info = new ExpressionInfo(Context,
AnnotatedTypeSymbol.CreateNotAnnotated(baseType),
Location,
Kinds.ExprKind.CONSTRUCTOR_INIT,
this,
-1,
isCompilerGenerated: true,
null);
trapFile.expr_call(new Expression(info), baseConstructorTarget);
}
}
private void ExtractSourceInitializer(TextWriter trapFile, ITypeSymbol? type, IMethodSymbol? symbol, ArgumentListSyntax arguments, Location location)
{
var initInfo = new ExpressionInfo(Context,
AnnotatedTypeSymbol.CreateNotAnnotated(initializerType),
Context.CreateLocation(initializer.ThisOrBaseKeyword.GetLocation()),
AnnotatedTypeSymbol.CreateNotAnnotated(type),
Context.CreateLocation(location),
Kinds.ExprKind.CONSTRUCTOR_INIT,
this,
-1,
@@ -103,7 +130,7 @@ namespace Semmle.Extraction.CSharp.Entities
var init = new Expression(initInfo);
var target = Constructor.Create(Context, (IMethodSymbol?)symbolInfo.Symbol);
var target = Constructor.Create(Context, symbol);
if (target is null)
{
Context.ModelError(Symbol, "Unable to resolve call");
@@ -112,19 +139,27 @@ namespace Semmle.Extraction.CSharp.Entities
trapFile.expr_call(init, target);
init.PopulateArguments(trapFile, initializer.ArgumentList, 0);
init.PopulateArguments(trapFile, arguments, 0);
}
private ConstructorDeclarationSyntax? Syntax
{
get
{
return Symbol.DeclaringSyntaxReferences
.Select(r => r.GetSyntax())
.OfType<ConstructorDeclarationSyntax>()
.FirstOrDefault();
}
}
private ConstructorDeclarationSyntax? OrdinaryConstructorSyntax =>
declaringReferenceSyntax
.OfType<ConstructorDeclarationSyntax>()
.FirstOrDefault();
private TypeDeclarationSyntax? PrimaryConstructorSyntax =>
declaringReferenceSyntax
.OfType<TypeDeclarationSyntax>()
.FirstOrDefault(t => t is ClassDeclarationSyntax or StructDeclarationSyntax or RecordDeclarationSyntax);
private PrimaryConstructorBaseTypeSyntax? PrimaryBase =>
PrimaryConstructorSyntax?
.BaseList?
.Types
.OfType<PrimaryConstructorBaseTypeSyntax>()
.FirstOrDefault();
private bool IsPrimary => PrimaryConstructorSyntax is not null;
[return: NotNullIfNotNull(nameof(constructor))]
public static new Constructor? Create(Context cx, IMethodSymbol? constructor)
@@ -160,19 +195,20 @@ namespace Semmle.Extraction.CSharp.Entities
trapFile.Write(";constructor");
}
private ConstructorDeclarationSyntax? GetSyntax() =>
Symbol.DeclaringSyntaxReferences.Select(r => r.GetSyntax()).OfType<ConstructorDeclarationSyntax>().FirstOrDefault();
public override Microsoft.CodeAnalysis.Location? FullLocation => ReportingLocation;
public override Microsoft.CodeAnalysis.Location? ReportingLocation
{
get
{
var syn = GetSyntax();
if (syn is not null)
if (OrdinaryConstructorSyntax is not null)
{
return syn.Identifier.GetLocation();
return OrdinaryConstructorSyntax.Identifier.GetLocation();
}
if (PrimaryConstructorSyntax is not null)
{
return PrimaryConstructorSyntax.Identifier.GetLocation();
}
if (Symbol.IsImplicitlyDeclared)

3
csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
View File

@@ -54,12 +54,13 @@ namespace Semmle.Extraction.CSharp.Entities
var block = Block;
var expr = ExpressionBody;
Context.PopulateLater(() => ExtractInitializers(trapFile));
if (block is not null || expr is not null)
{
Context.PopulateLater(
() =>
{
ExtractInitializers(trapFile);
if (block is not null)
Statements.Block.Create(Context, block, this, 0);
else

24
csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/SyntheticEmptyBlock.cs Normal file
View File

@@ -0,0 +1,24 @@
using System.IO;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Semmle.Extraction.Entities;
using Semmle.Extraction.Kinds;
namespace Semmle.Extraction.CSharp.Entities.Statements
{
internal class SyntheticEmptyBlock : Statement<BlockSyntax>
{
private SyntheticEmptyBlock(Context cx, BlockSyntax block, IStatementParentEntity parent, int child, Location location)
: base(cx, block, StmtKind.BLOCK, parent, child, location) { }
public static SyntheticEmptyBlock Create(Context cx, IStatementParentEntity parent, int child, Location location)
{
var block = SyntaxFactory.Block();
var ret = new SyntheticEmptyBlock(cx, block, parent, child, location);
ret.TryPopulate();
return ret;
}
protected override void PopulateStatement(TextWriter trapFile) { }
}
}

2
csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
View File

@@ -57,7 +57,7 @@ namespace Semmle.Extraction.CSharp.Entities
{
return Kinds.TypeKind.TUPLE;
}
return Symbol.IsInlineArray()
return Symbol.IsInlineArray()
? Kinds.TypeKind.INLINE_ARRAY
: Kinds.TypeKind.STRUCT;
}

4
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.7.9
No user-facing changes.
## 1.7.8
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.9
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.8
lastReleaseVersion: 1.7.9

2
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.9-dev
version: 1.7.10-dev
groups:
- csharp
- solorigate

4
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.7.9
No user-facing changes.
## 1.7.8
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.9
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.8
lastReleaseVersion: 1.7.9

2
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.9-dev
version: 1.7.10-dev
groups:
- csharp
- solorigate

8
csharp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 0.8.9
### Minor Analysis Improvements
* C# 12: The QL and data flow library now support primary constructors.
* Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in
buildless mode to surface information related to dependency fetching.
## 0.8.8
### Minor Analysis Improvements

4
csharp/ql/lib/change-notes/2024-02-12-primary-constructors.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* C# 12: The QL and data flow library now support primary constructors.

9
csharp/ql/lib/change-notes/2024-02-05-compilation-info.md → csharp/ql/lib/change-notes/released/0.8.9.md
View File

@@ -1,6 +1,7 @@
---
category: minorAnalysis
---
## 0.8.9
### Minor Analysis Improvements
* C# 12: The QL and data flow library now support primary constructors.
* Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in
buildless mode to surface information related to dependency fetching.

2
csharp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.8
lastReleaseVersion: 0.8.9

2
csharp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.8.9-dev
version: 0.8.10-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

4
csharp/ql/lib/semmle/code/csharp/Callable.qll
View File

@@ -416,7 +416,9 @@ class InstanceConstructor extends Constructor {
*/
class PrimaryConstructor extends Constructor {
PrimaryConstructor() {
not this.hasBody() and
// In the extractor we use the constructor location as the location for the
// synthesized empty body of the constructor.
this.getLocation() = this.getBody().getLocation() and
this.getDeclaringType().fromSource() and
this.fromSource()
}

8
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
View File

@@ -953,12 +953,8 @@ private module Cached {
callCfn = any(Call c | isParamsArg(c, _, _)).getAControlFlowNode()
} or
TFlowInsensitiveFieldNode(FieldOrProperty f) { f.isFieldLike() } or
TInstanceParameterAccessNode(ControlFlow::Node cfn, boolean isPostUpdate) {
exists(ParameterAccess pa | cfn = getAPrimaryConstructorParameterCfn(pa) |
isPostUpdate = false
or
pa instanceof ParameterWrite and isPostUpdate = true
)
TInstanceParameterAccessNode(ControlFlow::Node cfn, Boolean isPostUpdate) {
cfn = getAPrimaryConstructorParameterCfn(_)
} or
TPrimaryConstructorThisAccessNode(Parameter p, Boolean isPostUpdate) {
p.getCallable() instanceof PrimaryConstructor

6
csharp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.8.9
### Minor Analysis Improvements
* Added sanitizers for relative URLs, `List.Contains()`, and checking the `.Host` property on an URI to the `cs/web/unvalidated-url-redirection` query.
## 0.8.8
### Minor Analysis Improvements

9
csharp/ql/src/change-notes/2024-02-14-url-sanitizers.md → csharp/ql/src/change-notes/released/0.8.9.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
* Added sanitizers for relative URLs, `List.Contains()`, and checking the `.Host` property on an URI to the `cs/web/unvalidated-url-redirection` query.
## 0.8.9
### Minor Analysis Improvements
* Added sanitizers for relative URLs, `List.Contains()`, and checking the `.Host` property on an URI to the `cs/web/unvalidated-url-redirection` query.

2
csharp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.8
lastReleaseVersion: 0.8.9

2
csharp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.8.9-dev
version: 0.8.10-dev
groups:
- csharp
- queries

5
csharp/ql/test/library-tests/constructors/PrintAst.expected
View File

@@ -25,6 +25,7 @@ constructors.cs:
# 23| -1: [TypeMention] object
# 23| 1: [Parameter] s
# 23| -1: [TypeMention] string
# 23| 4: [BlockStmt] {...}
# 25| 5: [InstanceConstructor] C1
#-----| 2: (Parameters)
# 25| 0: [Parameter] o
@@ -44,3 +45,7 @@ constructors.cs:
# 28| -1: [TypeMention] string
# 28| 2: [Parameter] i
# 28| -1: [TypeMention] int
# 28| 3: [ConstructorInitializer] call to constructor C1
# 28| 0: [ParameterAccess] access to parameter o
# 28| 1: [ParameterAccess] access to parameter s
# 28| 4: [BlockStmt] {...}

17
csharp/ql/test/library-tests/csharp9/PrintAst.expected
View File

@@ -884,6 +884,7 @@ Record.cs:
# 27| -1: [TypeMention] string
# 27| 1: [Parameter] LastName
# 27| -1: [TypeMention] string
# 27| 4: [BlockStmt] {...}
# 27| 16: [Property] FirstName
# 27| 3: [Getter] get_FirstName
# 27| 4: [Setter] set_FirstName
@@ -913,6 +914,10 @@ Record.cs:
# 29| -1: [TypeMention] string
# 29| 2: [Parameter] Subject
# 29| -1: [TypeMention] string
# 30| 3: [ConstructorInitializer] call to constructor Person1
# 30| 0: [ParameterAccess] access to parameter FirstName
# 30| 1: [ParameterAccess] access to parameter LastName
# 29| 4: [BlockStmt] {...}
# 29| 17: [Property] Subject
# 29| 3: [Getter] get_Subject
# 29| 4: [Setter] set_Subject
@@ -937,6 +942,10 @@ Record.cs:
# 32| -1: [TypeMention] string
# 32| 2: [Parameter] Level
# 32| -1: [TypeMention] int
# 33| 3: [ConstructorInitializer] call to constructor Person1
# 33| 0: [ParameterAccess] access to parameter FirstName
# 33| 1: [ParameterAccess] access to parameter LastName
# 32| 4: [BlockStmt] {...}
# 32| 17: [Property] Level
# 32| 3: [Getter] get_Level
# 32| 4: [Setter] set_Level
@@ -957,6 +966,7 @@ Record.cs:
#-----| 2: (Parameters)
# 35| 0: [Parameter] Name
# 35| -1: [TypeMention] string
# 35| 4: [BlockStmt] {...}
# 35| 16: [Property] Name
# 35| 3: [Getter] get_Name
# 35| 4: [Setter] set_Name
@@ -981,6 +991,9 @@ Record.cs:
#-----| 2: (Parameters)
# 41| 0: [Parameter] Name
# 41| -1: [TypeMention] string
# 41| 3: [ConstructorInitializer] call to constructor Pet
# 41| 0: [ParameterAccess] access to parameter Name
# 41| 4: [BlockStmt] {...}
# 41| 15: [Property] EqualityContract
# 41| 3: [Getter] get_EqualityContract
# 43| 16: [Method] WagTail
@@ -1022,6 +1035,7 @@ Record.cs:
#-----| 2: (Parameters)
# 54| 0: [Parameter] A
# 54| -1: [TypeMention] string
# 54| 4: [BlockStmt] {...}
# 54| 16: [Property] A
# 54| 3: [Getter] get_A
# 54| 4: [Setter] set_A
@@ -1044,6 +1058,9 @@ Record.cs:
# 56| -1: [TypeMention] string
# 56| 1: [Parameter] B
# 56| -1: [TypeMention] string
# 56| 3: [ConstructorInitializer] call to constructor R1
# 56| 0: [ParameterAccess] access to parameter A
# 56| 4: [BlockStmt] {...}
# 56| 17: [Property] B
# 56| 3: [Getter] get_B
# 56| 4: [Setter] set_B

21
csharp/ql/test/library-tests/dataflow/constructors/ConstructorFlow.expected
View File

@@ -14,7 +14,9 @@ edges
| Constructors.cs:33:18:33:19 | this access : C_with_ctor [field s1] : Object | Constructors.cs:33:18:33:19 | access to field s1 | provenance | |
| Constructors.cs:41:26:41:26 | o : Object | Constructors.cs:41:38:41:38 | access to parameter o : Object | provenance | |
| Constructors.cs:41:38:41:38 | access to parameter o : Object | Constructors.cs:41:32:41:34 | [post] this access : C1 [field Obj] : Object | provenance | |
| Constructors.cs:44:28:44:35 | o21param : Object | Constructors.cs:46:23:46:27 | this access : C2 [parameter o21param] : Object | provenance | |
| Constructors.cs:44:28:44:35 | o21param : Object | Constructors.cs:46:31:46:38 | access to parameter o21param : Object | provenance | |
| Constructors.cs:46:23:46:27 | this access : C2 [parameter o21param] : Object | Constructors.cs:46:31:46:38 | access to parameter o21param : Object | provenance | |
| Constructors.cs:46:31:46:38 | access to parameter o21param : Object | Constructors.cs:46:23:46:27 | [post] this access : C2 [field Obj21] : Object | provenance | |
| Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | provenance | |
| Constructors.cs:50:32:50:36 | this : C2 [field Obj21] : Object | Constructors.cs:50:32:50:36 | this access : C2 [field Obj21] : Object | provenance | |
@@ -55,6 +57,13 @@ edges
| Constructors.cs:100:25:100:29 | access to local variable taint : Object | Constructors.cs:100:9:100:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object | provenance | |
| Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | provenance | |
| Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:101:14:101:21 | access to property Obj22 | provenance | |
| Constructors.cs:106:32:106:39 | this : C3 [parameter o31param] : Object | Constructors.cs:106:32:106:39 | access to parameter o31param : Object | provenance | |
| Constructors.cs:111:19:111:35 | call to method Source<Object> : Object | Constructors.cs:112:25:112:27 | access to local variable o31 : Object | provenance | |
| Constructors.cs:112:18:112:28 | object creation of type C3 : C3 [parameter o31param] : Object | Constructors.cs:113:14:113:15 | access to local variable c3 : C3 [parameter o31param] : Object | provenance | |
| Constructors.cs:112:25:112:27 | access to local variable o31 : Object | Constructors.cs:104:28:104:35 | o31param : Object | provenance | |
| Constructors.cs:112:25:112:27 | access to local variable o31 : Object | Constructors.cs:112:18:112:28 | object creation of type C3 : C3 [parameter o31param] : Object | provenance | |
| Constructors.cs:113:14:113:15 | access to local variable c3 : C3 [parameter o31param] : Object | Constructors.cs:106:32:106:39 | this : C3 [parameter o31param] : Object | provenance | |
| Constructors.cs:113:14:113:15 | access to local variable c3 : C3 [parameter o31param] : Object | Constructors.cs:113:14:113:21 | access to property Obj31 | provenance | |
nodes
| Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | semmle.label | [post] this access : C_no_ctor [field s1] : Object |
| Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
@@ -76,6 +85,7 @@ nodes
| Constructors.cs:44:28:44:35 | o21param : Object | semmle.label | o21param : Object |
| Constructors.cs:44:45:44:52 | o22param : Object | semmle.label | o22param : Object |
| Constructors.cs:46:23:46:27 | [post] this access : C2 [field Obj21] : Object | semmle.label | [post] this access : C2 [field Obj21] : Object |
| Constructors.cs:46:23:46:27 | this access : C2 [parameter o21param] : Object | semmle.label | this access : C2 [parameter o21param] : Object |
| Constructors.cs:46:31:46:38 | access to parameter o21param : Object | semmle.label | access to parameter o21param : Object |
| Constructors.cs:48:32:48:39 | access to parameter o22param : Object | semmle.label | access to parameter o22param : Object |
| Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | semmle.label | this : C2 [parameter o22param] : Object |
@@ -116,6 +126,14 @@ nodes
| Constructors.cs:100:25:100:29 | access to local variable taint : Object | semmle.label | access to local variable taint : Object |
| Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | semmle.label | access to local variable c2 : C2 [parameter o22param] : Object |
| Constructors.cs:101:14:101:21 | access to property Obj22 | semmle.label | access to property Obj22 |
| Constructors.cs:104:28:104:35 | o31param : Object | semmle.label | o31param : Object |
| Constructors.cs:106:32:106:39 | access to parameter o31param : Object | semmle.label | access to parameter o31param : Object |
| Constructors.cs:106:32:106:39 | this : C3 [parameter o31param] : Object | semmle.label | this : C3 [parameter o31param] : Object |
| Constructors.cs:111:19:111:35 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
| Constructors.cs:112:18:112:28 | object creation of type C3 : C3 [parameter o31param] : Object | semmle.label | object creation of type C3 : C3 [parameter o31param] : Object |
| Constructors.cs:112:25:112:27 | access to local variable o31 : Object | semmle.label | access to local variable o31 : Object |
| Constructors.cs:113:14:113:15 | access to local variable c3 : C3 [parameter o31param] : Object | semmle.label | access to local variable c3 : C3 [parameter o31param] : Object |
| Constructors.cs:113:14:113:21 | access to property Obj31 | semmle.label | access to property Obj31 |
subpaths
| Constructors.cs:64:37:64:37 | access to parameter o : Object | Constructors.cs:57:54:57:55 | o2 : Object | Constructors.cs:59:13:59:19 | SSA def(o1) : Object | Constructors.cs:64:27:64:34 | SSA def(o22param) : Object |
| Constructors.cs:71:25:71:25 | access to local variable o : Object | Constructors.cs:41:26:41:26 | o : Object | Constructors.cs:41:32:41:34 | [post] this access : C1 [field Obj] : Object | Constructors.cs:71:18:71:26 | object creation of type C1 : C1 [field Obj] : Object |
@@ -127,6 +145,8 @@ subpaths
| Constructors.cs:93:14:93:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | Constructors.cs:93:14:93:21 | access to property Obj22 |
| Constructors.cs:100:25:100:29 | access to local variable taint : Object | Constructors.cs:62:41:62:41 | o : Object | Constructors.cs:64:27:64:34 | SSA def(o22param) : Object | Constructors.cs:100:9:100:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object |
| Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | Constructors.cs:101:14:101:21 | access to property Obj22 |
| Constructors.cs:112:25:112:27 | access to local variable o31 : Object | Constructors.cs:104:28:104:35 | o31param : Object | Constructors.cs:104:28:104:35 | o31param : Object | Constructors.cs:112:18:112:28 | object creation of type C3 : C3 [parameter o31param] : Object |
| Constructors.cs:113:14:113:15 | access to local variable c3 : C3 [parameter o31param] : Object | Constructors.cs:106:32:106:39 | this : C3 [parameter o31param] : Object | Constructors.cs:106:32:106:39 | access to parameter o31param : Object | Constructors.cs:113:14:113:21 | access to property Obj31 |
#select
| Constructors.cs:15:18:15:19 | access to field s1 | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | Constructors.cs:15:18:15:19 | access to field s1 | $@ | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | call to method Source<Object> : Object |
| Constructors.cs:33:18:33:19 | access to field s1 | Constructors.cs:21:29:21:45 | call to method Source<Object> : Object | Constructors.cs:33:18:33:19 | access to field s1 | $@ | Constructors.cs:21:29:21:45 | call to method Source<Object> : Object | call to method Source<Object> : Object |
@@ -136,3 +156,4 @@ subpaths
| Constructors.cs:82:14:82:21 | access to property Obj23 | Constructors.cs:77:19:77:35 | call to method Source<Object> : Object | Constructors.cs:82:14:82:21 | access to property Obj23 | $@ | Constructors.cs:77:19:77:35 | call to method Source<Object> : Object | call to method Source<Object> : Object |
| Constructors.cs:93:14:93:21 | access to property Obj22 | Constructors.cs:91:21:91:37 | call to method Source<Object> : Object | Constructors.cs:93:14:93:21 | access to property Obj22 | $@ | Constructors.cs:91:21:91:37 | call to method Source<Object> : Object | call to method Source<Object> : Object |
| Constructors.cs:101:14:101:21 | access to property Obj22 | Constructors.cs:99:21:99:37 | call to method Source<Object> : Object | Constructors.cs:101:14:101:21 | access to property Obj22 | $@ | Constructors.cs:99:21:99:37 | call to method Source<Object> : Object | call to method Source<Object> : Object |
| Constructors.cs:113:14:113:21 | access to property Obj31 | Constructors.cs:111:19:111:35 | call to method Source<Object> : Object | Constructors.cs:113:14:113:21 | access to property Obj31 | $@ | Constructors.cs:111:19:111:35 | call to method Source<Object> : Object | call to method Source<Object> : Object |

12
csharp/ql/test/library-tests/dataflow/constructors/Constructors.cs
View File

@@ -101,6 +101,18 @@ public class Constructors
Sink(c2.Obj22); // $ hasValueFlow=5
}
public class C3(object o31param)
{
public object Obj31 => o31param;
}
public void M5()
{
var o31 = Source<object>(6);
var c3 = new C3(o31);
Sink(c3.Obj31); // $ hasValueFlow=6
}
public static void Sink(object o) { }
public static T Source<T>(object source) => throw null;

3
csharp/ql/test/library-tests/dataflow/tuples/DataFlowStep.expected
View File

@@ -135,6 +135,9 @@
| Tuples.cs:87:27:87:27 | SSA def(q) | Tuples.cs:91:18:91:18 | access to local variable q |
| Tuples.cs:87:30:87:30 | SSA def(r) | Tuples.cs:90:18:90:18 | access to local variable r |
| Tuples.cs:91:18:91:18 | access to local variable q | Tuples.cs:91:18:91:18 | (...) ... |
| Tuples.cs:95:12:95:13 | this | Tuples.cs:95:22:95:22 | this |
| Tuples.cs:95:22:95:22 | [post] this | Tuples.cs:95:29:95:29 | this |
| Tuples.cs:95:22:95:22 | this | Tuples.cs:95:29:95:29 | this |
| Tuples.cs:99:13:99:33 | SSA def(o) | Tuples.cs:100:24:100:24 | access to local variable o |
| Tuples.cs:99:17:99:33 | call to method Source<String> | Tuples.cs:99:13:99:33 | SSA def(o) |
| Tuples.cs:99:32:99:32 | 9 | Tuples.cs:99:32:99:32 | (...) ... |

1
csharp/ql/test/library-tests/dataflow/tuples/PrintAst.expected
View File

@@ -369,6 +369,7 @@ Tuples.cs:
# 95| -1: [TypeMention] string
# 95| 1: [Parameter] j
# 95| -1: [TypeMention] int
# 95| 4: [BlockStmt] {...}
# 95| 16: [Property] i
# 95| 3: [Getter] get_i
# 95| 4: [Setter] set_i

2
csharp/ql/test/library-tests/expressions/ConstructorInitializers.expected
View File

@@ -6,3 +6,5 @@
| expressions.cs:271:16:271:24 | IntVector | expressions.cs:271:16:271:24 | call to constructor Object | file://:0:0:0:0 | Object |
| expressions.cs:311:16:311:20 | Digit | expressions.cs:311:16:311:20 | call to constructor ValueType | file://:0:0:0:0 | ValueType |
| expressions.cs:481:20:481:22 | Num | expressions.cs:481:20:481:22 | call to constructor Object | file://:0:0:0:0 | Object |
| expressions.cs:518:11:518:17 | ClassC1 | expressions.cs:518:11:518:17 | call to constructor Object | file://:0:0:0:0 | Object |
| expressions.cs:520:11:520:17 | ClassC2 | expressions.cs:520:33:520:44 | call to constructor ClassC1 | expressions.cs:518:11:518:17 | ClassC1 |

16
csharp/ql/test/library-tests/expressions/PrintAst.expected
View File

@@ -2406,3 +2406,19 @@ expressions.cs:
# 512| 0: [IntLiteral] 10
# 515| 5: [Field] myInlineArrayElements
# 515| -1: [TypeMention] int
# 518| 22: [Class] ClassC1
# 518| 4: [InstanceConstructor,PrimaryConstructor] ClassC1
#-----| 2: (Parameters)
# 518| 0: [Parameter] oc1
# 518| -1: [TypeMention] object
# 518| 4: [BlockStmt] {...}
# 520| 23: [Class] ClassC2
#-----| 3: (Base types)
# 520| 0: [TypeMention] ClassC1
# 520| 4: [InstanceConstructor,PrimaryConstructor] ClassC2
#-----| 2: (Parameters)
# 520| 0: [Parameter] oc2
# 520| -1: [TypeMention] object
# 520| 3: [ConstructorInitializer] call to constructor ClassC1
# 520| 0: [ParameterAccess] access to parameter oc2
# 520| 4: [BlockStmt] {...}

4
csharp/ql/test/library-tests/expressions/expressions.cs
View File

@@ -514,4 +514,8 @@ namespace Expressions
{
private int myInlineArrayElements;
}
class ClassC1(object oc1) { }
class ClassC2(object oc2) : ClassC1(oc2) { }
}

406
docs/codeql/codeql-language-guides/customizing-library-models-for-ruby.rst
View File

@@ -1,406 +0,0 @@
.. _customizing-library-models-for-ruby:
:orphan:
:nosearch:
Customizing Library Models for Ruby
===================================
.. include:: ../reusables/beta-note-customizing-library-models.rst
Ruby analysis can be customized by adding library models in data extension files.
A data extension for Ruby is a YAML file of the form:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: <name of extensible predicate>
data:
- <tuple1>
- <tuple2>
- ...
The CodeQL library for Ruby exposes the following extensible predicates:
- **sourceModel**\(type, path, kind)
- **sinkModel**\(type, path, kind)
- **typeModel**\(type1, type2, path)
- **summaryModel**\(type, path, input, output, kind)
See the `CLI documentation for how to load and use data extensions in a CodeQL evaluation run <https://docs.google.com/document/d/14IYCHX8wWuU-HTvJ2gPSdXQKHKYbWCHQKOgn8oLaa80/edit#heading=h.m0v53lpi6w2n>`__ (internal access required).
We'll explain how to use these using a few examples, and provide some reference material at the end of this article.
Example: Taint sink in the 'tty-command' gem
--------------------------------------------
In this example, we'll show how to add the following argument, passed to **tty-command**, as a command-line injection sink:
.. code-block:: ruby
tty = TTY::Command.new
tty.run(cmd) # <-- add 'cmd' as a taint sink
For this example, you can use the following data extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: sinkModel
data:
- ["TTY::Command", "Method[run].Argument[0]", "command-injection"]
- Since we're adding a new sink, we add a tuple to the **sinkModel** extensible predicate.
- The first column, **"TTY::Command"**, identifies a set of values from which to begin the search for the sink.
The string **"TTY::Command""** means we start at the places where the codebase constructs instances of the class **TTY::Command**.
- The second column is an access path that is evaluated from left to right, starting at the values that were identified by the first column.
- **Method[run]** selects calls to the **run** method of the **TTY::Command** class.
- **Argument[0]** selects the first argument to calls to that member.
- **command-injection** indicates that this is considered a sink for the command injection query.
Example: Taint sources from 'sinatra' block parameters
------------------------------------------------------
In this example, we'll show how the 'x' parameter below could be marked as a remote flow source:
.. code-block:: ruby
class MyApp < Sinatra::Base
get '/' do |x| # <-- add 'x' as a taint source
# ...
end
end
For this example you could use the following data extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: sourceModel
data:
- [
"Sinatra::Base!",
"Method[get].Argument[block].Parameter[0]",
"remote",
]
- Since we're adding a new taint source, we add a tuple to the **sourceModel** extensible predicate.
- The first column, **"Sinatra::Base!"**, begins the search at references to the **Sinatra::Base** class.
The **!** suffix indicates that we want to search for references to the class itself, rather than instances of the class.
- **Method[get]** selects calls to the **get** method of the **Sinatra::Base** class.
- **Argument[block]** selects the block argument to the **get** method call.
- **Parameter[0]** selects the first parameter of the block argument (the parameter named **x**).
- Finally, the kind **remote** indicates that this is considered a source of remote flow.
Example: Using types to add MySQL injection sinks
-------------------------------------------------
In this example, we'll show how to add the following SQL injection sink:
.. code-block:: ruby
def submit(q)
client = Mysql2::Client.new
client.query(q) # <-- add 'q' as a SQL injection sink
end
We can recognize this using the following extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: sinkModel
data:
- ["Mysql2::Client", "Method[query].Argument[0]", "sql-injection"]
- The first column, **"Mysql2::Client"**, begins the search at any instance of the **Mysql2::Client** class.
- **Method[query]** selects any call to the **query** method on that instance.
- **Argument[0]** selects the first argument to the method call.
- **sql-injection** indicates that this is considered a sink for the SQL injection query.
Continued example: Using type models
------------------------------------
Consider this variation on the previous example, the mysql2 EventMachine API is used.
The client is obtained via a call to **Mysql2::EM::Client.new**.
.. code-block:: ruby
def submit(client, q)
client = Mysql2::EM::Client.new
client.query(q)
end
So far we have only one model for **Mysql2::Client**, but in the real world we
may have many models for the various methods available. Because **Mysql2::EM::Client** is a subclass of **Mysql2::Client**, it inherits all of the same methods.
Instead of updating all our models to include both classes, we can add a type
model to indicate that **Mysql2::EM::Client** is a subclass of **Mysql2::Client**:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: typeModel
data:
- ["Mysql2::Client", "Mysql2::EM::Client", ""]
Example: Adding flow through 'URI.decode_uri_component'
-------------------------------------------------------
In this example, we'll show how to add flow through calls to 'URI.decode_uri_component':
.. code-block:: ruby
y = URI.decode_uri_component(x); # add taint flow from 'x' to 'y'
We can model this using the following data extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: summaryModel
data:
- [
"URI!",
"Method[decode_uri_component]",
"Argument[0]",
"ReturnValue",
"taint",
]
- Since we're adding flow through a method call, we add a tuple to the **summaryModel** extensible predicate.
- The first column, **"URI!"**, begins the search for relevant calls at references to the **URI** class.
- The **!** suffix indicates that we are looking for the class itself, rather than instances of the class.
- The second column, **Method[decode_uri_component]**, is a path leading to the method calls we wish to model.
In this case, we select references to the **decode_uri_component** method from the **URI** class.
- The third column, **Argument[0]**, indicates the input of the flow. In this case, the first argument to the method call.
- The fourth column, **ReturnValue**, indicates the output of the flow. In this case, the return value of the method call.
- The last column, **taint**, indicates the kind of flow to add. The value **taint** means the output is not necessarily equal
to the input, but was derived from the input in a taint-preserving way.
Example: Adding flow through 'File#each'
----------------------------------------
In this example, we'll show how to add flow through calls to **File#each** from the standard library, which iterates over the lines of a file:
.. code-block:: ruby
f = File.new("example.txt")
f.each { |line| ... } # add taint flow from `f` to `line`
We can model this using the following data extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: summaryModel
data:
- [
"File",
"Method[each]",
"Argument[self]",
"Argument[block].Parameter[0]",
"taint",
]
- Since we're adding flow through a method call, we add a tuple to the **summaryModel** extensible predicate.
- The first column, **"File"**, begins the search for relevant calls at places where the **File** class is used.
- The second column, **Method[each]**, selects references to the **each** method on the **File** class.
- The third column specifies the input of the flow. **Argument[self]** selects the **self** argument of **each**, which is the **File** instance being iterated over.
- The fourth column specifies the output of the flow:
- **Argument[block]** selects the block argument of **each** (the block which is executed for each line in the file).
- **Parameter[0]** selects the first parameter of the block (the parameter named **line**).
- The last column, **taint**, indicates the kind of flow to add.
Reference material
------------------
The following sections provide reference material for extensible predicates, access paths, types, and kinds.
Extensible predicates
---------------------
sourceModel(type, path, kind)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adds a new taint source. Most taint-tracking queries will use the new source.
- **type**: Name of a type from which to evaluate **path**.
- **path**: Access path leading to the source.
- **kind**: Kind of source to add. Currently only **remote** is used.
Example:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: sourceModel
data:
- ["User", "Method[name]", "remote"]
sinkModel(type, path, kind)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adds a new taint sink. Sinks are query-specific and will typically affect one or two queries.
- **type**: Name of a type from which to evaluate **path**.
- **path**: Access path leading to the sink.
- **kind**: Kind of sink to add. See the section on sink kinds for a list of supported kinds.
Example:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: sinkModel
data:
- ["ExecuteShell", "Method[run].Argument[0]", "command-injection"]
summaryModel(type, path, input, output, kind)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adds flow through a method call.
- **type**: Name of a type from which to evaluate **path**.
- **path**: Access path leading to a method call.
- **input**: Path relative to the method call that leads to input of the flow.
- **output**: Path relative to the method call leading to the output of the flow.
- **kind**: Kind of summary to add. Can be **taint** for taint-propagating flow, or **value** for value-preserving flow.
Example:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: summaryModel
data:
- [
"URI",
"Method[decode_uri_component]",
"Argument[0]",
"ReturnValue",
"taint",
]
typeModel(type1, type2, path)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adds a new definition of a type.
- **type1**: Name of the type to define.
- **type2**: Name of the type from which to evaluate **path**.
- **path**: Access path leading from **type2** to **type1**.
Example:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: typeModel
data:
- [
"Mysql2::Client",
"MyDbWrapper",
"Method[getConnection].ReturnValue",
]
Types
-----
A type is a string that identifies a set of values.
In each of the extensible predicates mentioned in previous section, the first column is always the name of a type.
A type can be defined by adding **typeModel** tuples for that type.
Access paths
------------
The **path**, **input**, and **output** columns consist of a **.**-separated list of components, which is evaluated from left to right,
with each step selecting a new set of values derived from the previous set of values.
The following components are supported:
- **Argument[**\ `number`\ **]** selects the argument at the given index.
- **Argument[**\ `string`:\ **]** selects the keyword argument with the given name.
- **Argument[self]** selects the receiver of a method call.
- **Argument[block]** selects the block argument.
- **Argument[any]** selects any argument, except self or block arguments.
- **Argument[any-named]** selects any keyword argument.
- **Argument[hash-splat]** selects a special argument representing all keyword arguments passed in the method call.
- **Parameter[**\ `number`\ **]** selects the argument at the given index.
- **Parameter[**\ `string`:\ **]** selects the keyword argument with the given name.
- **Parameter[self]** selects the **self** parameter of a method.
- **Parameter[block]** selects the block parameter.
- **Parameter[any]** selects any parameter, except self or block parameters.
- **Parameter[any-named]** selects any keyword parameter.
- **Parameter[hash-splat]** selects the hash splat parameter, often written as **\*\*kwargs**.
- **ReturnValue** selects the return value of a call.
- **Method[**\ `name`\ **]** selects a call to the method with the given name.
- **Element[any]** selects any element of an array or hash.
- **Element[**\ `number`\ **]** selects an array element at the given index.
- **Element[**\ `string`\ **]** selects a hash element at the given key.
- **Field[@**\ `string`\ **]** selects an instance variable with the given name.
- **Fuzzy** selects all values that are derived from the current value through a combination of the other operations described in this list.
For example, this can be used to find all values that appear to originate from a particular class. This can be useful for finding method calls
from a known class, but where the receiver type is not known or is difficult to model.
Additional notes about the syntax of operands:
- Multiple operands may be given to a single component, as a shorthand for the union of the operands. For example, **Method[foo,bar]** matches the union of **Method[foo]** and **Method[bar]**.
- Numeric operands to **Argument**, **Parameter**, and **Element** may be given as a lower bound. For example, **Argument[1..]** matches all arguments except 0.
Kinds
-----
Source kinds
~~~~~~~~~~~~
- **remote**: A generic source of remote flow. Most taint-tracking queries will use such a source. Currently this is the only supported source kind.
Sink kinds
~~~~~~~~~~
Unlike sources, sinks tend to be highly query-specific, rarely affecting more than one or two queries.
Not every query supports customizable sinks. If the following sinks are not suitable for your use case, you should add a new query.
- **code-injection**: A sink that can be used to inject code, such as in calls to **eval**.
- **command-injection**: A sink that can be used to inject shell commands, such as in calls to **Process.spawn**.
- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **File.open**.
- **sql-injection**: A sink that can be used for SQL injection, such as in an ActiveRecord **where** call.
- **url-redirection**: A sink that can be used to redirect the user to a malicious URL.
- **log-injection**: A sink that can be used for log injection, such as in a **Rails.logger** call.
Summary kinds
~~~~~~~~~~~~~
- **taint**: A summary that propagates taint. This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
- **value**: A summary that preserves the value of the input or creates a copy of the input such that all of its object properties are preserved.

4
go/ql/consistency-queries/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.0.8
No user-facing changes.
## 0.0.7
No user-facing changes.

3
go/ql/consistency-queries/change-notes/released/0.0.8.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.0.8
No user-facing changes.

2
go/ql/consistency-queries/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.7
lastReleaseVersion: 0.0.8

2
go/ql/consistency-queries/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 0.0.8-dev
version: 0.0.9-dev
groups:
- go
- queries

4
go/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.7.9
No user-facing changes.
## 0.7.8
No user-facing changes.

3
go/ql/lib/change-notes/released/0.7.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.7.9
No user-facing changes.

2
go/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.8
lastReleaseVersion: 0.7.9

2
go/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 0.7.9-dev
version: 0.7.10-dev
groups: go
dbscheme: go.dbscheme
extractor: go

10
go/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,13 @@
## 0.7.9
### New Queries
* The query "Missing JWT signature check" (`go/missing-jwt-signature-check`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @am0o0](https://github.com/github/codeql/pull/14075).
### Major Analysis Improvements
* The query "Use of a hardcoded key for signing JWT" (`go/hardcoded-key`) has been promoted from experimental to the main query pack. Its results will now appear by default as part of `go/hardcoded-credentials`. This query was originally [submitted as an experimental query by @porcupineyhairs](https://github.com/github/codeql/pull/9378).
## 0.7.8
No user-facing changes.

4
go/ql/src/change-notes/2024-02-06-hardcoded-keys-promotion.md
View File

@@ -1,4 +0,0 @@
---
category: majorAnalysis
---
* The query "Use of a hardcoded key for signing JWT" (`go/hardcoded-key`) has been promoted from experimental to the main query pack. Its results will now appear by default as part of `go/hardcoded-credentials`. This query was originally [submitted as an experimental query by @porcupineyhairs](https://github.com/github/codeql/pull/9378).

4
go/ql/src/change-notes/2024-02-06-missing-jwt-signature-check-promotion.md
View File

@@ -1,4 +0,0 @@
---
category: newQuery
---
* The query "Missing JWT signature check" (`go/missing-jwt-signature-check`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @am0o0](https://github.com/github/codeql/pull/14075).

9
go/ql/src/change-notes/released/0.7.9.md Normal file
View File

@@ -0,0 +1,9 @@
## 0.7.9
### New Queries
* The query "Missing JWT signature check" (`go/missing-jwt-signature-check`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @am0o0](https://github.com/github/codeql/pull/14075).
### Major Analysis Improvements
* The query "Use of a hardcoded key for signing JWT" (`go/hardcoded-key`) has been promoted from experimental to the main query pack. Its results will now appear by default as part of `go/hardcoded-credentials`. This query was originally [submitted as an experimental query by @porcupineyhairs](https://github.com/github/codeql/pull/9378).

2
go/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.8
lastReleaseVersion: 0.7.9

2
go/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 0.7.9-dev
version: 0.7.10-dev
groups:
- go
- queries

4
java/ql/automodel/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.0.16
No user-facing changes.
## 0.0.15
No user-facing changes.

3
java/ql/automodel/src/change-notes/released/0.0.16.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.0.16
No user-facing changes.

2
java/ql/automodel/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.15
lastReleaseVersion: 0.0.16

2
java/ql/automodel/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-automodel-queries
version: 0.0.16-dev
version: 0.0.17-dev
groups:
- java
- automodel

24
java/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,27 @@
## 0.8.9
### Deprecated APIs
* The `PathCreation` class in `PathCreation.qll` has been deprecated.
### Minor Analysis Improvements
* An extension point for sanitizers of the query `java/unvalidated-url-redirection` has been added.
* Added models for the following packages:
* java.io
* java.lang
* java.net
* java.net.http
* java.nio.file
* java.util.zip
* javax.servlet
* org.apache.commons.io
* org.apache.hadoop.fs
* org.apache.hadoop.fs.s3a
* org.eclipse.jetty.client
* org.gradle.api.file
## 0.8.8
### Minor Analysis Improvements

4
java/ql/lib/change-notes/2024-01-26-deprecated-path-creation.md
View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* The `PathCreation` class in `PathCreation.qll` has been deprecated.

4
java/ql/lib/change-notes/2024-02-09-url-redirect-sanitizer.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* An extension point for sanitizers of the query `java/unvalidated-url-redirection` has been added.

12
java/ql/lib/change-notes/2024-01-31-new-models.md → java/ql/lib/change-notes/released/0.8.9.md
View File

@@ -1,6 +1,12 @@
---
category: minorAnalysis
---
## 0.8.9
### Deprecated APIs
* The `PathCreation` class in `PathCreation.qll` has been deprecated.
### Minor Analysis Improvements
* An extension point for sanitizers of the query `java/unvalidated-url-redirection` has been added.
* Added models for the following packages:
* java.io

2
java/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.8
lastReleaseVersion: 0.8.9

2
java/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.8.9-dev
version: 0.8.10-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

13
java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
View File

@@ -8,12 +8,15 @@ import semmle.code.java.frameworks.android.Compose
private import semmle.code.java.security.Sanitizers
/** A variable that may hold sensitive information, judging by its name. */
class CredentialExpr extends Expr {
class VariableWithSensitiveName extends Variable {
VariableWithSensitiveName() { this.getName().regexpMatch(getCommonSensitiveInfoRegex()) }
}
/** A reference to a variable that may hold sensitive information, judging by its name. */
class CredentialExpr extends VarAccess {
CredentialExpr() {
exists(Variable v | this = v.getAnAccess() |
v.getName().regexpMatch(getCommonSensitiveInfoRegex()) and
not this instanceof CompileTimeConstantExpr
)
this.getVariable() instanceof VariableWithSensitiveName and
not this instanceof CompileTimeConstantExpr
}
}

19
java/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,22 @@
## 0.8.9
### New Queries
* Added a new query `java/android/insecure-local-authentication` for finding uses of biometric authentication APIs that do not make use of a `KeyStore`-backed key and thus may be bypassed.
### Query Metadata Changes
* The `security-severity` score of the query `java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation.
### Major Analysis Improvements
* The sinks of the queries `java/path-injection` and `java/path-injection-local` have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.
### Minor Analysis Improvements
* The sanitizer for the path injection queries has been improved to handle more cases where `equals` is used to check an exact path match.
* The query `java/unvalidated-url-redirection` now sanitizes results following the same logic as the query `java/ssrf`. URLs the destination of which cannot be externally controlled will not be reported anymore.
## 0.8.8
### New Queries

4
java/ql/src/change-notes/2024-01-26-path-injection-precision-improved.md
View File

@@ -1,4 +0,0 @@
---
category: majorAnalysis
---
* The sinks of the queries `java/path-injection` and `java/path-injection-local` have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.

5
java/ql/src/change-notes/2024-02-02-android-insecure-local-auth.md
View File

@@ -1,5 +0,0 @@
---
category: newQuery
---
* Added a new query `java/android/insecure-local-authentication` for finding uses of biometric authentication APIs that do not make use of a `KeyStore`-backed key and thus may be bypassed.

4
java/ql/src/change-notes/2024-02-09-url-redirect-sanitizer.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The query `java/unvalidated-url-redirection` now sanitizes results following the same logic as the query `java/ssrf`. URLs the destination of which cannot be externally controlled will not be reported anymore.

4
java/ql/src/change-notes/2024-02-12-relative-exec-severity.md
View File

@@ -1,4 +0,0 @@
---
category: queryMetadata
---
* The `security-severity` score of the query `java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation.

4
java/ql/src/change-notes/2024-02-15-path-sanitizer-equals.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The sanitizer for the path injection queries has been improved to handle more cases where `equals` is used to check an exact path match.

18
java/ql/src/change-notes/released/0.8.9.md Normal file
View File

@@ -0,0 +1,18 @@
## 0.8.9
### New Queries
* Added a new query `java/android/insecure-local-authentication` for finding uses of biometric authentication APIs that do not make use of a `KeyStore`-backed key and thus may be bypassed.
### Query Metadata Changes
* The `security-severity` score of the query `java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation.
### Major Analysis Improvements
* The sinks of the queries `java/path-injection` and `java/path-injection-local` have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.
### Minor Analysis Improvements
* The sanitizer for the path injection queries has been improved to handle more cases where `equals` is used to check an exact path match.
* The query `java/unvalidated-url-redirection` now sanitizes results following the same logic as the query `java/ssrf`. URLs the destination of which cannot be externally controlled will not be reported anymore.

2
java/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.8
lastReleaseVersion: 0.8.9

2
java/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 0.8.9-dev
version: 0.8.10-dev
groups:
- java
- queries

6
javascript/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.8.9
### Minor Analysis Improvements
* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.
## 0.8.8
No user-facing changes.

7
python/ql/lib/change-notes/2024-01-30-certification_not_certificate.md → javascript/ql/lib/change-notes/released/0.8.9.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 0.8.9
### Minor Analysis Improvements
* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.

2
javascript/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.8
lastReleaseVersion: 0.8.9

2
javascript/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.8.9-dev
version: 0.8.10-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

6
javascript/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.8.9
### Bug Fixes
* The left operand of the `&&` operator no longer propagates data flow by default.
## 0.8.8
No user-facing changes.

7
javascript/ql/src/change-notes/2024-02-13-block-logical-and-flow.md → javascript/ql/src/change-notes/released/0.8.9.md
View File

@@ -1,4 +1,5 @@
---
category: fix
---
## 0.8.9
### Bug Fixes
* The left operand of the `&&` operator no longer propagates data flow by default.

2
javascript/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.8
lastReleaseVersion: 0.8.9

2
javascript/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.8.9-dev
version: 0.8.10-dev
groups:
- javascript
- queries

4
misc/suite-helpers/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.7.9
No user-facing changes.
## 0.7.8
No user-facing changes.

3
misc/suite-helpers/change-notes/released/0.7.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.7.9
No user-facing changes.

2
misc/suite-helpers/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.8
lastReleaseVersion: 0.7.9

2
misc/suite-helpers/qlpack.yml
View File

@@ -1,4 +1,4 @@
name: codeql/suite-helpers
version: 0.7.9-dev
version: 0.7.10-dev
groups: shared
warnOnImplicitThis: true

7
python/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,10 @@
## 0.11.9
### Minor Analysis Improvements
* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.
* Added modeling of the `psycopg` PyPI package as a SQL database library.
## 0.11.8
### Minor Analysis Improvements

4
python/ql/lib/change-notes/2024-01-29-psycopg-modeling.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added modeling of the `psycopg` PyPI package as a SQL database library.

8
javascript/ql/lib/change-notes/2024-01-30-certification_not_certificate.md → python/ql/lib/change-notes/released/0.11.9.md
View File

@@ -1,4 +1,6 @@
---
category: minorAnalysis
---
## 0.11.9
### Minor Analysis Improvements
* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.
* Added modeling of the `psycopg` PyPI package as a SQL database library.

2
python/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.11.8
lastReleaseVersion: 0.11.9

2
python/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/python-all
version: 0.11.9-dev
version: 0.11.10-dev
groups: python
dbscheme: semmlecode.python.dbscheme
extractor: python

16
python/ql/lib/semmle/python/Scope.qll
View File

@@ -1,4 +1,16 @@
import python
private import semmle.python.dataflow.new.internal.ImportResolution
/**
* Gets a name exported by module `m`, that is the names that will be added to a namespace by 'from this-module import *'.
*
* This aims to be the same as m.getAnExport(), but without using the points-to machinery.
*/
private string getAModuleExport(Module m) {
py_exports(m, result)
or
ImportResolution::module_export(m, result, _)
}
/**
* A Scope. A scope is the lexical extent over which all identifiers with the same name refer to the same variable.
@@ -74,9 +86,9 @@ class Scope extends Scope_ {
or
exists(Module m | m = this.getEnclosingScope() and m.isPublic() |
/* If the module has an __all__, is this in it */
not exists(m.getAnExport())
not exists(getAModuleExport(m))
or
m.getAnExport() = this.getName()
getAModuleExport(m) = this.getName()
)
or
exists(Class c | c = this.getEnclosingScope() |

4
python/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.9.9
No user-facing changes.
## 0.9.8
No user-facing changes.

3
python/ql/src/change-notes/released/0.9.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.9.9
No user-facing changes.

2
python/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.8
lastReleaseVersion: 0.9.9

2
python/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/python-queries
version: 0.9.9-dev
version: 0.9.10-dev
groups:
- python
- queries

Some files were not shown because too many files have changed in this diff Show More