Merge branch 'main' into jcogs33/update-paramsString
4
.github/workflows/mad_modelDiff.yml
vendored
4
.github/workflows/mad_modelDiff.yml
vendored
@@ -11,7 +11,7 @@ on:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- "java/ql/src/utils/model-generator/**/*.*"
|
||||
- "java/ql/src/utils/modelgenerator/**/*.*"
|
||||
- ".github/workflows/mad_modelDiff.yml"
|
||||
|
||||
permissions:
|
||||
@@ -61,7 +61,7 @@ jobs:
|
||||
DATABASE=$2
|
||||
cd codeql-$QL_VARIANT
|
||||
SHORTNAME=`basename $DATABASE`
|
||||
python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
|
||||
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
|
||||
mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
|
||||
cd ..
|
||||
}
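Review bot: The rewritten `python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml` line still expands `$DATABASE` and `${SHORTNAME}.temp.model.yml` unquoted, so a database path containing whitespace or glob characters is word-split before it reaches the script. Since the line is being rewritten anyway, quoting it as `python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks "$DATABASE" "${SHORTNAME}.temp.model.yml"` costs nothing, and the `basename` and `mv` context lines in the same function would benefit from the same treatment. The enclosing shell function starts outside the hunk.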
|
||||
|
||||
2
.github/workflows/mad_regenerate-models.yml
vendored
2
.github/workflows/mad_regenerate-models.yml
vendored
@@ -50,7 +50,7 @@ jobs:
|
||||
SLUG: ${{ matrix.slug }}
|
||||
run: |
|
||||
SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
|
||||
java/ql/src/utils/model-generator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
|
||||
java/ql/src/utils/modelgenerator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
|
||||
- name: Stage changes
|
||||
run: |
|
||||
find java -name "*.model.yml" -print0 | xargs -0 git add
|
||||
|
||||
10
.github/workflows/ql-for-ql-build.yml
vendored
10
.github/workflows/ql-for-ql-build.yml
vendored
@@ -27,7 +27,7 @@ jobs:
|
||||
uses: ./.github/actions/find-latest-bundle
|
||||
- name: Find codeql
|
||||
id: find-codeql
|
||||
uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
|
||||
uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
|
||||
with:
|
||||
languages: javascript # does not matter
|
||||
tools: ${{ steps.find-latest-bundle.outputs.url }}
|
||||
@@ -137,20 +137,20 @@ jobs:
|
||||
env:
|
||||
CONF: ./ql-for-ql-config.yml
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
|
||||
uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
|
||||
with:
|
||||
languages: ql
|
||||
db-location: ${{ runner.temp }}/db
|
||||
config-file: ./ql-for-ql-config.yml
|
||||
tools: ${{ steps.find-latest-bundle.outputs.url }}
|
||||
- name: Move pack cache
|
||||
- name: Move pack queries
|
||||
run: |
|
||||
cp -r ${PACK}/.cache ql/ql/src/.cache
|
||||
cp -r ${PACK}/queries ql/ql/src
|
||||
env:
|
||||
PACK: ${{ runner.temp }}/pack
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
|
||||
uses: github/codeql-action/analyze@45955cb1830b640e2c1603ad72ad542a49d47b96
|
||||
with:
|
||||
category: "ql-for-ql"
|
||||
- name: Copy sarif file to CWD
|
||||
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
|
||||
- name: Find codeql
|
||||
id: find-codeql
|
||||
uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
|
||||
uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
|
||||
with:
|
||||
languages: javascript # does not matter
|
||||
- uses: actions/cache@v3
|
||||
|
||||
2
.github/workflows/ql-for-ql-tests.yml
vendored
2
.github/workflows/ql-for-ql-tests.yml
vendored
@@ -22,7 +22,7 @@ jobs:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Find codeql
|
||||
id: find-codeql
|
||||
uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
|
||||
uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
|
||||
with:
|
||||
languages: javascript # does not matter
|
||||
- uses: actions/cache@v3
|
||||
|
||||
@@ -25,6 +25,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
|
||||
|
||||
Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
|
||||
- Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
|
||||
- Experimental queries need to include `experimental` in their `@tags`
|
||||
- The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
|
||||
- Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.
|
||||
|
||||
|
||||
9
cpp/ql/src/codeql-suites/cpp-security-experimental.qls
Normal file
9
cpp/ql/src/codeql-suites/cpp-security-experimental.qls
Normal file
@@ -0,0 +1,9 @@
|
||||
- description: Extended and experimental security queries for C and C++
|
||||
- queries: .
|
||||
- apply: security-experimental-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
- apply: codeql-suites/exclude-slow-queries.yml
|
||||
# Excluding problematically slow experimental queries
|
||||
- exclude:
|
||||
query path:
|
||||
- experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
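Review bot: This suite applies `codeql-suites/exclude-slow-queries.yml` and then an explicit exclude for `experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql`, whereas the C# counterpart added in the `@@ -0,0 +1,4 @@` hunk later in this commit applies only `security-experimental-selectors.yml`. If C# simply has no slow experimental queries the asymmetry is fine, but a reader comparing the two files cannot tell that from the content; a one-line comment in the C# file such as `# No slow-query exclusions needed for C# yet` would make the intent explicit. The existing comment here, `# Excluding problematically slow experimental queries`, reads well and could be reused verbatim.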
|
||||
@@ -6,6 +6,7 @@
|
||||
* @id cpp/off-by-one-array-access
|
||||
* @tags reliability
|
||||
* security
|
||||
* experimental
|
||||
*/
|
||||
|
||||
import cpp
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @id cpp/overrun-write
|
||||
* @tags reliability
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-119
|
||||
* external/cwe/cwe-131
|
||||
*/
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-476
|
||||
* experimental
|
||||
*/
|
||||
|
||||
import cpp
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-20
|
||||
*/
|
||||
|
||||
|
||||
@@ -11,6 +11,7 @@
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-020
|
||||
*/
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @precision high
|
||||
* @id cpp/wordexp-injection
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-078
|
||||
*/
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @tags correctness
|
||||
* maintainability
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-1041
|
||||
*/
|
||||
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-1126
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @id cpp/memory-unsafe-function-scan
|
||||
* @tags reliability
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-120
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-125
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @precision low
|
||||
* @tags security
|
||||
* correctness
|
||||
* experimental
|
||||
* external/cwe/cwe-190
|
||||
* external/cwe/cwe-128
|
||||
* @id cpp/multiplication-overflow-in-alloc
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-190
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @id cpp/constant-array-overflow
|
||||
* @tags reliability
|
||||
* security
|
||||
* experimental
|
||||
*/
|
||||
|
||||
import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @id cpp/invalid-pointer-deref
|
||||
* @tags reliability
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-119
|
||||
* external/cwe/cwe-125
|
||||
* external/cwe/cwe-193
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @tags correctness
|
||||
* maintainability
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-200
|
||||
* external/cwe/cwe-264
|
||||
*/
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-243
|
||||
* external/cwe/cwe-252
|
||||
*/
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @tags correctness
|
||||
* maintainability
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-266
|
||||
* external/cwe/cwe-264
|
||||
* external/cwe/cwe-200
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @problem.severity recommendation
|
||||
* @id cpp/drop-linux-privileges-outoforder
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-273
|
||||
* @precision medium
|
||||
*/
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
* @problem.severity error
|
||||
* @id cpp/pam-auth-bypass
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-285
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @problem.severity error
|
||||
* @id cpp/private-cleartext-write
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-359
|
||||
*/
|
||||
|
||||
|
||||
@@ -11,6 +11,7 @@
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-362
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-377
|
||||
*/
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-401
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-415
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-476
|
||||
* external/cwe/cwe-415
|
||||
*/
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-561
|
||||
* external/cwe/cwe-691
|
||||
* external/cwe/cwe-478
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-670
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-675
|
||||
* external/cwe/cwe-666
|
||||
*/
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-691
|
||||
*/
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-691
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-703
|
||||
* external/cwe/cwe-248
|
||||
* external/cwe/cwe-390
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-754
|
||||
* external/cwe/cwe-908
|
||||
*/
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-758
|
||||
*/
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @precision medium
|
||||
* @tags maintainability
|
||||
* readability
|
||||
* experimental
|
||||
* external/cwe/cwe-783
|
||||
* external/cwe/cwe-480
|
||||
*/
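Review bot: This query's tag list becomes `maintainability`, `readability`, `experimental` with no `security` tag, while the sibling hunk directly below (same CWE-783/CWE-480 pair) carries `security` alongside `experimental`. The new `cpp-security-experimental.qls` suite in this commit selects via `security-experimental-selectors.yml`; I cannot see that selector file, but if it keys on both `security` and `experimental` this query will not be picked up by the suite. If that is intended, fine; otherwise adding `* security` to the `@tags` block here keeps the two CWE-783 queries consistent.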
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-783
|
||||
* external/cwe/cwe-480
|
||||
*/
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @problem.severity warning
|
||||
* @tags reliability
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-787
|
||||
*/
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @precision medium
|
||||
* @tags correctness
|
||||
* security
|
||||
* experimental
|
||||
* external/cwe/cwe-788
|
||||
*/
|
||||
|
||||
|
||||
@@ -410,11 +410,6 @@ Element interpretElement(
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `c` has a `generated` summary.
|
||||
*/
|
||||
predicate hasSummary(Callable c, boolean generated) { summaryElement(c, _, _, _, generated) }
|
||||
|
||||
cached
|
||||
private module Cached {
|
||||
/**
|
||||
|
||||
@@ -241,15 +241,19 @@ module Public {
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the summary is auto generated and not manually generated.
|
||||
* Holds if all the summaries that apply to `this` are auto generated and not manually created.
|
||||
*/
|
||||
predicate isAutoGenerated() { none() }
|
||||
final predicate isAutoGenerated() { this.hasProvenance("generated") and not this.isManual() }
|
||||
|
||||
/**
|
||||
* Holds if the summary has the given provenance where `true` is
|
||||
* `generated` and `false` is `manual`.
|
||||
* Holds if there exists a manual summary that applies to `this`.
|
||||
*/
|
||||
predicate hasProvenance(boolean generated) { none() }
|
||||
final predicate isManual() { this.hasProvenance("manual") }
|
||||
|
||||
/**
|
||||
* Holds if there exists a summary that applies to `this` that has provenance `provenance`.
|
||||
*/
|
||||
predicate hasProvenance(string provenance) { none() }
|
||||
}
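Review bot: The new `final predicate isManual() { this.hasProvenance("manual") }` treats only the literal `"manual"` as manual, whereas the `isGenerated` helper removed in the `@@ -97,69 +97,52 @@` ExternalFlow hunk mapped every provenance other than `"generated"` to manual (`provenance != "generated" and result = false`). A model row whose provenance is any third value therefore changes behaviour: in `relevantSummaryElement` in the `@@ -997,12 +1005,12 @@` hunk it matches neither the `"manual"` disjunct nor `relevantSummaryElementGenerated`, so the summary is silently dropped rather than applied, and `isAutoGenerated` here can now hold for a callable that also has such a row; dropped summaries show up downstream as missed flows rather than errors. If the model schema only admits `"manual"` and `"generated"` this is fine and worth stating in the `hasProvenance` doc comment; otherwise preserving the old fallback, e.g. `final predicate isManual() { exists(string p | this.hasProvenance(p) and p != "generated") }`, keeps unknown provenance values on the conservative side. The same two literals are repeated in the `NeutralCallable` hunk below and in the Private module hunks; a pair of named predicates or a documented list of admitted values would make the contract easier to audit.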
|
||||
|
||||
/** A callable where there is no flow via the callable. */
|
||||
@@ -257,15 +261,19 @@ module Public {
|
||||
NeutralCallable() { neutralElement(this, _) }
|
||||
|
||||
/**
|
||||
* Holds if the neutral is auto generated.
|
||||
* Holds if the neutral is auto generated.
|
||||
*/
|
||||
predicate isAutoGenerated() { neutralElement(this, true) }
|
||||
predicate isAutoGenerated() { neutralElement(this, "generated") }
|
||||
|
||||
/**
|
||||
* Holds if the neutral has the given provenance where `true` is
|
||||
* `generated` and `false` is `manual`.
|
||||
* Holds if there exists a manual neutral that applies to `this`.
|
||||
*/
|
||||
predicate hasProvenance(boolean generated) { neutralElement(this, generated) }
|
||||
final predicate isManual() { this.hasProvenance("manual") }
|
||||
|
||||
/**
|
||||
* Holds if the neutral has provenance `provenance`.
|
||||
*/
|
||||
predicate hasProvenance(string provenance) { neutralElement(this, provenance) }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -997,12 +1005,12 @@ module Private {
|
||||
private predicate relevantSummaryElementGenerated(
|
||||
AccessPath inSpec, AccessPath outSpec, string kind
|
||||
) {
|
||||
summaryElement(this, inSpec, outSpec, kind, true) and
|
||||
not summaryElement(this, _, _, _, false)
|
||||
summaryElement(this, inSpec, outSpec, kind, "generated") and
|
||||
not summaryElement(this, _, _, _, "manual")
|
||||
}
|
||||
|
||||
private predicate relevantSummaryElement(AccessPath inSpec, AccessPath outSpec, string kind) {
|
||||
summaryElement(this, inSpec, outSpec, kind, false)
|
||||
summaryElement(this, inSpec, outSpec, kind, "manual")
|
||||
or
|
||||
this.relevantSummaryElementGenerated(inSpec, outSpec, kind)
|
||||
}
|
||||
@@ -1021,10 +1029,8 @@ module Private {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isAutoGenerated() { this.relevantSummaryElementGenerated(_, _, _) }
|
||||
|
||||
override predicate hasProvenance(boolean generated) {
|
||||
summaryElement(this, _, _, _, generated)
|
||||
override predicate hasProvenance(string provenance) {
|
||||
summaryElement(this, _, _, _, provenance)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -97,69 +97,52 @@ DataFlowType getSyntheticGlobalType(SummaryComponent::SyntheticGlobal sg) {
|
||||
result = Gvn::getGlobalValueNumber(any(ObjectType t))
|
||||
}
|
||||
|
||||
bindingset[provenance]
|
||||
private boolean isGenerated(string provenance) {
|
||||
provenance = "generated" and result = true
|
||||
or
|
||||
provenance != "generated" and result = false
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if an external flow summary exists for `c` with input specification
|
||||
* `input`, output specification `output`, kind `kind`, and a flag `generated`
|
||||
* stating whether the summary is autogenerated.
|
||||
* `input`, output specification `output`, kind `kind`, and provenance `provenance`.
|
||||
*/
|
||||
predicate summaryElement(Callable c, string input, string output, string kind, boolean generated) {
|
||||
predicate summaryElement(Callable c, string input, string output, string kind, string provenance) {
|
||||
exists(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string provenance
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
||||
|
|
||||
summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and
|
||||
generated = isGenerated(provenance) and
|
||||
c = interpretElement(namespace, type, subtypes, name, signature, ext)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a neutral model exists for `c`, which means that there is no
|
||||
* flow through `c`. The flag `generated` states whether the neutral model is autogenerated.
|
||||
* Holds if a neutral model exists for `c` with provenance `provenace`,
|
||||
* which means that there is no flow through `c`.
|
||||
*/
|
||||
predicate neutralElement(Callable c, boolean generated) {
|
||||
exists(string namespace, string type, string name, string signature, string provenance |
|
||||
predicate neutralElement(Callable c, string provenance) {
|
||||
exists(string namespace, string type, string name, string signature |
|
||||
neutralModel(namespace, type, name, signature, provenance) and
|
||||
generated = isGenerated(provenance) and
|
||||
c = interpretElement(namespace, type, false, name, signature, "")
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if an external source specification exists for `e` with output specification
|
||||
* `output`, kind `kind`, and a flag `generated` stating whether the source specification is
|
||||
* autogenerated.
|
||||
* `output`, kind `kind`, and provenance `provenance`.
|
||||
*/
|
||||
predicate sourceElement(Element e, string output, string kind, boolean generated) {
|
||||
predicate sourceElement(Element e, string output, string kind, string provenance) {
|
||||
exists(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string provenance
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
||||
|
|
||||
sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance) and
|
||||
generated = isGenerated(provenance) and
|
||||
e = interpretElement(namespace, type, subtypes, name, signature, ext)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if an external sink specification exists for `e` with input specification
|
||||
* `input`, kind `kind` and a flag `generated` stating whether the sink specification is
|
||||
* autogenerated.
|
||||
* `input`, kind `kind` and provenance `provenance`.
|
||||
*/
|
||||
predicate sinkElement(Element e, string input, string kind, boolean generated) {
|
||||
predicate sinkElement(Element e, string input, string kind, string provenance) {
|
||||
exists(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string provenance
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
||||
|
|
||||
sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance) and
|
||||
generated = isGenerated(provenance) and
|
||||
e = interpretElement(namespace, type, subtypes, name, signature, ext)
|
||||
)
|
||||
}
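Review bot: The new doc comment on `neutralElement` has a typo, `Holds if a neutral model exists for `c` with provenance `provenace`,` should read `with provenance `provenance`,`. Separately, the rewritten docs for `summaryElement`, `neutralElement`, `sourceElement` and `sinkElement` now say only "provenance `provenance`" without stating what values a row may carry; since the rest of this commit compares against the literals `"manual"` and `"generated"` only, naming those in the `summaryElement` comment (e.g. `provenance is "manual" or "generated"`) would document the contract callers now depend on. The old `isGenerated` helper mapped any non-`"generated"` value to manual, so if other values can occur in the model files that difference is worth a sentence here too.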
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
- description: Extended and experimental security queries for C#
|
||||
- queries: .
|
||||
- apply: security-experimental-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision high
|
||||
* @id cs/webclient-path-injection
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-099
|
||||
* external/cwe/cwe-023
|
||||
* external/cwe/cwe-036
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @precision high
|
||||
* @id cs/request-forgery
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-918
|
||||
*/
|
||||
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
* @precision high
|
||||
* @id cs/web/cookie-httponly-not-set
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-1004
|
||||
*/
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* @kind problem
|
||||
* @tags security
|
||||
* cryptography
|
||||
* experimental
|
||||
* external/cwe/cwe-327
|
||||
* @id cs/azure-storage/unsafe-usage-of-client-side-encryption-version
|
||||
* @problem.severity error
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
* @precision high
|
||||
* @id cs/web/cookie-secure-not-set
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-319
|
||||
* external/cwe/cwe-614
|
||||
*/
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
* @problem.severity error
|
||||
* @id cs/hash-without-salt
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe-759
|
||||
*/
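Review bot: The context line just below the new `* experimental` tag reads `* external/cwe-759`, which does not follow the `external/cwe/cwe-NNN` form used by every other query touched in this commit (for example `* external/cwe/cwe-359` and `* external/cwe/cwe-362` in the neighbouring hunks), so tooling that groups results by CWE tag will not associate this query with CWE-759. Since the tag block is being edited anyway, changing it to `* external/cwe/cwe-759` is a cheap drive-by fix.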
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* Higher precision version checks for exception throws, so less false positives are expected.
|
||||
* @kind problem
|
||||
* @tags security
|
||||
* experimental
|
||||
* JsonWebTokenHandler
|
||||
* manual-verification-required
|
||||
* @id cs/json-webtoken-handler/delegated-security-validations-always-return-true
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
* @description Check if security sensitive token validations for `JsonWebTokenHandler` are being disabled.
|
||||
* @kind problem
|
||||
* @tags security
|
||||
* experimental
|
||||
* JsonWebTokenHandler
|
||||
* manual-verification-required
|
||||
* @id cs/json-webtoken-handler/security-validations-disabled
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
* @problem.severity warning
|
||||
* @id cs/dataset-serialization/defining-dataset-related-type
|
||||
* @tags security
|
||||
* experimental
|
||||
*/
|
||||
|
||||
import csharp
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @precision medium
|
||||
* @id cs/dataset-serialization/defining-potentially-unsafe-xml-serializer
|
||||
* @tags security
|
||||
* experimental
|
||||
*/
|
||||
|
||||
import csharp
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @precision medium
|
||||
* @id cs/dataset-serialization/unsafe-type-used-data-contract-serializer
|
||||
* @tags security
|
||||
* experimental
|
||||
*/
|
||||
|
||||
import csharp
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @precision medium
|
||||
* @id cs/dataset-serialization/xml-deserialization-with-dataset
|
||||
* @tags security
|
||||
* experimental
|
||||
*/
|
||||
|
||||
import csharp
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @precision low
|
||||
* @id cs/backdoor/dangerous-native-functions
|
||||
* @tags security
|
||||
* experimental
|
||||
* solorigate
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @problem.severity warning
|
||||
* @id cs/backdoor/potential-time-bomb
|
||||
* @tags security
|
||||
* experimental
|
||||
* solorigate
|
||||
*/
|
||||
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
* @description Flow from a function retrieving process name to a hash function.
|
||||
* @kind path-problem
|
||||
* @tags security
|
||||
* experimental
|
||||
* solorigate
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
|
||||
@@ -1,13 +0,0 @@
|
||||
/**
|
||||
* @name Capture discarded summary models.
|
||||
* @description Finds summary models that are discarded as handwritten counterparts exist.
|
||||
* @id cs/utils/model-generator/discarded-summary-models
|
||||
*/
|
||||
|
||||
import semmle.code.csharp.dataflow.ExternalFlow
|
||||
import utils.modelgenerator.internal.CaptureModels
|
||||
import utils.modelgenerator.internal.CaptureSummaryFlow
|
||||
|
||||
from DataFlowTargetApi api, string flow
|
||||
where flow = captureFlow(api) and hasSummary(api, false)
|
||||
select flow order by flow
|
||||
@@ -1,17 +0,0 @@
|
||||
/**
|
||||
* @name Capture neutral models.
|
||||
* @description Finds neutral models to be used by other queries.
|
||||
* @kind diagnostic
|
||||
* @id cs/utils/model-generator/neutral-models
|
||||
* @tags model-generator
|
||||
*/
|
||||
|
||||
import semmle.code.csharp.dataflow.ExternalFlow
|
||||
import utils.modelgenerator.internal.CaptureModels
|
||||
import utils.modelgenerator.internal.CaptureSummaryFlow
|
||||
|
||||
from DataFlowTargetApi api, string noflow
|
||||
where
|
||||
noflow = captureNoFlow(api) and
|
||||
not hasSummary(api, false)
|
||||
select noflow order by noflow
|
||||
@@ -1,15 +0,0 @@
|
||||
/**
|
||||
* @name Capture summary models.
|
||||
* @description Finds applicable summary models to be used by other queries.
|
||||
* @kind diagnostic
|
||||
* @id cs/utils/model-generator/summary-models
|
||||
* @tags model-generator
|
||||
*/
|
||||
|
||||
import semmle.code.csharp.dataflow.ExternalFlow
|
||||
import utils.modelgenerator.internal.CaptureModels
|
||||
import utils.modelgenerator.internal.CaptureSummaryFlow
|
||||
|
||||
from DataFlowTargetApi api, string flow
|
||||
where flow = captureFlow(api) and not hasSummary(api, false)
|
||||
select flow order by flow
|
||||
@@ -0,0 +1,15 @@
|
||||
/**
|
||||
* @name Capture discarded summary models.
|
||||
* @description Finds summary models that are discarded as handwritten counterparts exist.
|
||||
* @id cs/utils/modelgenerator/discarded-summary-models
|
||||
*/
|
||||
|
||||
import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
|
||||
import internal.CaptureModels
|
||||
import internal.CaptureSummaryFlow
|
||||
|
||||
from DataFlowTargetApi api, string flow
|
||||
where
|
||||
flow = captureFlow(api) and
|
||||
api.(FlowSummaryImpl::Public::SummarizedCallable).isManual()
|
||||
select flow order by flow
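Review bot: The header of this new `CaptureDiscardedSummaryModels.ql` has only `@name`, `@description` and `@id`, while the sibling files added in this commit, `CaptureNeutralModels.ql` and `CaptureSummaryModels.ql`, also declare `@kind diagnostic` and `@tags modelgenerator`. The deleted `model-generator` version had the same gap, so this may be deliberate, but if the query is meant to be run by the same tooling the two lines `* @kind diagnostic` and `* @tags modelgenerator` would keep the three queries uniform. The `isManual()` call via `api.(FlowSummaryImpl::Public::SummarizedCallable)` looks consistent with the negated form used in the two sibling queries.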
|
||||
17
csharp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
Normal file
17
csharp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
Normal file
@@ -0,0 +1,17 @@
|
||||
/**
|
||||
* @name Capture neutral models.
|
||||
* @description Finds neutral models to be used by other queries.
|
||||
* @kind diagnostic
|
||||
* @id cs/utils/modelgenerator/neutral-models
|
||||
* @tags modelgenerator
|
||||
*/
|
||||
|
||||
import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
|
||||
import internal.CaptureModels
|
||||
import internal.CaptureSummaryFlow
|
||||
|
||||
from DataFlowTargetApi api, string noflow
|
||||
where
|
||||
noflow = captureNoFlow(api) and
|
||||
not api.(FlowSummaryImpl::Public::SummarizedCallable).isManual()
|
||||
select noflow order by noflow
|
||||
@@ -2,11 +2,11 @@
|
||||
* @name Capture sink models.
|
||||
* @description Finds public methods that act as sinks as they flow into a known sink.
|
||||
* @kind diagnostic
|
||||
* @id cs/utils/model-generator/sink-models
|
||||
* @tags model-generator
|
||||
* @id cs/utils/modelgenerator/sink-models
|
||||
* @tags modelgenerator
|
||||
*/
|
||||
|
||||
import utils.modelgenerator.internal.CaptureModels
|
||||
import internal.CaptureModels
|
||||
|
||||
class Activate extends ActiveConfiguration {
|
||||
override predicate activateToSinkConfig() { any() }
|
||||
@@ -2,11 +2,11 @@
|
||||
* @name Capture source models.
|
||||
* @description Finds APIs that act as sources as they expose already known sources.
|
||||
* @kind diagnostic
|
||||
* @id cs/utils/model-generator/source-models
|
||||
* @tags model-generator
|
||||
* @id cs/utils/modelgenerator/source-models
|
||||
* @tags modelgenerator
|
||||
*/
|
||||
|
||||
import utils.modelgenerator.internal.CaptureModels
|
||||
import internal.CaptureModels
|
||||
|
||||
class Activate extends ActiveConfiguration {
|
||||
override predicate activateFromSourceConfig() { any() }
|
||||
15
csharp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql
Normal file
15
csharp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql
Normal file
@@ -0,0 +1,15 @@
|
||||
/**
|
||||
* @name Capture summary models.
|
||||
* @description Finds applicable summary models to be used by other queries.
|
||||
* @kind diagnostic
|
||||
* @id cs/utils/modelgenerator/summary-models
|
||||
* @tags modelgenerator
|
||||
*/
|
||||
|
||||
import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
|
||||
import internal.CaptureModels
|
||||
import internal.CaptureSummaryFlow
|
||||
|
||||
from DataFlowTargetApi api, string flow
|
||||
where flow = captureFlow(api) and not api.(FlowSummaryImpl::Public::SummarizedCallable).isManual()
|
||||
select flow order by flow
|
||||
@@ -2,11 +2,11 @@
|
||||
* @name Capture typed based summary models.
|
||||
* @description Finds applicable summary models to be used by other queries.
|
||||
* @kind diagnostic
|
||||
* @id cs/utils/model-generator/summary-models-typed-based
|
||||
* @tags model-generator
|
||||
* @id cs/utils/modelgenerator/summary-models-typed-based
|
||||
* @tags modelgenerator
|
||||
*/
|
||||
|
||||
import utils.modelgenerator.internal.CaptureTypeBasedSummaryModels
|
||||
import internal.CaptureTypeBasedSummaryModels
|
||||
|
||||
from TypeBasedFlowTargetApi api, string flow
|
||||
where flow = captureFlow(api)
|
||||
@@ -1 +0,0 @@
|
||||
utils/model-generator/CaptureNeutralModels.ql
|
||||
@@ -1 +0,0 @@
|
||||
utils/model-generator/CaptureSinkModels.ql
|
||||
@@ -1 +0,0 @@
|
||||
utils/model-generator/CaptureSourceModels.ql
|
||||
@@ -1 +0,0 @@
|
||||
utils/model-generator/CaptureSummaryModels.ql
|
||||
@@ -1 +0,0 @@
|
||||
utils/model-generator/CaptureTypeBasedSummaryModels.ql
|
||||
@@ -0,0 +1 @@
|
||||
utils/modelgenerator/CaptureNeutralModels.ql
|
||||
@@ -0,0 +1 @@
|
||||
utils/modelgenerator/CaptureSinkModels.ql
|
||||
@@ -0,0 +1 @@
|
||||
utils/modelgenerator/CaptureSourceModels.ql
|
||||
@@ -0,0 +1 @@
|
||||
utils/modelgenerator/CaptureSummaryModels.ql
|
||||
@@ -0,0 +1 @@
|
||||
utils/modelgenerator/CaptureTypeBasedSummaryModels.ql
|
||||
@@ -9,8 +9,8 @@ CodeQL packs are used to create, share, depend on, and run CodeQL queries and li
|
||||
|
||||
There are two types of CodeQL packs: query packs and library packs.
|
||||
|
||||
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and a compilation cache. This ensures consistent and efficient execution of the queries in the pack.
|
||||
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled and there is no compilation cache included when the pack is published.
|
||||
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and pre-compiled representations of each query, in addition to the query sources. This ensures consistent and efficient execution of the queries in the pack.
|
||||
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.
|
||||
|
||||
You can use the package management commands in the CodeQL CLI to create CodeQL packs, add dependencies to packs, and install or update dependencies. For more information, see ":ref:`Creating and working with CodeQL packs <creating-and-working-with-codeql-packs>`." You can also publish and download CodeQL packs using the CodeQL CLI. For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
|
||||
|
||||
@@ -31,6 +31,16 @@ The other files and directories within the pack should be logically organized. F
|
||||
- Queries for specific products, libraries, and frameworks are organized into
|
||||
their own top-level directories.
|
||||
|
||||
About published packs
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
When a pack is published for use in analyses, the ``codeql pack create`` or ``codeql pack publish`` command verifies that the content is complete and also adds some additional pieces of content to it:
|
||||
|
||||
* For query packs, a copy of each of the library packs it depends on, in the precise versions it has been developed with. Users of the query pack won't need to download these library packs separately.
|
||||
* For query packs, precompiled representations of each of the queries. These are faster to execute than it would be to compile the QL source for the query at each analysis.
|
||||
|
||||
Most of this data is located in a directory named ``.codeql`` in the published pack, but precompiled queries are in files with a ``.qlx`` suffix next to the ``.ql`` source for each query. When analyzing a database with a query from a published pack, CodeQL will load these files instead of the ``.ql`` source. If you need to modify the content of a *published* pack, be sure to remove all of the ``.qlx`` files, since they may prevent modifications in the ``.ql`` files from taking effect.
|
||||
|
||||
About ``qlpack.yml`` files
|
||||
--------------------------
|
||||
|
||||
|
||||
@@ -14,11 +14,13 @@ With CodeQL packs and the package management commands in the CodeQL CLI, you can
|
||||
|
||||
There are two types of CodeQL packs: query packs and library packs.
|
||||
|
||||
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and a compilation cache. This ensures consistent and efficient execution of the queries in the pack.
|
||||
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled and there is no compilation cache included when the pack is published.
|
||||
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and pre-compiled representations of each query, in addition to the query sources. This ensures consistent and efficient execution of the queries in the pack.
|
||||
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.
|
||||
|
||||
You can use the ``pack`` command in the CodeQL CLI to create CodeQL packs, add dependencies to packs, and install or update dependencies. You can also publish and download CodeQL packs using the ``pack`` command. For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
|
||||
|
||||
For more information about compatibility between published query packs and different CodeQL releases, see ":ref:`About CodeQL pack compatibility <about-codeql-pack-compatibility>`."
|
||||
|
||||
Creating a CodeQL pack
|
||||
----------------------
|
||||
You can create a CodeQL pack by running the following command from the checkout root of your project:
|
||||
@@ -81,3 +83,13 @@ This command downloads all dependencies to the shared cache on the local disk.
|
||||
By default ``codeql pack install`` will install dependencies from the Container registry on GitHub.com.
|
||||
You can install dependencies from a GitHub Enterprise Server Container registry by creating a ``qlconfig.yml`` file.
|
||||
For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
|
||||
|
||||
Customizing a downloaded CodeQL pack
|
||||
---------------------------------------------------
|
||||
|
||||
The recommended way to experiment with changes to a pack is to clone the repository containing its source code.
|
||||
|
||||
If no source respository is available and you need to base modifications on a pack downloaded from the Container registry, be aware that these packs are not intended to be modified or customized after downloading, and their format may change in the future without much notice. We recommend taking the following steps after downloading a pack if you need to modify the content:
|
||||
|
||||
- Change the pack *name* in ``qlpack.yml`` so you avoid confusion with results from the unmodified pack.
|
||||
- Remove all files named ``*.qlx`` anywhere in the unpacked directory structure. These files contain precompiled versions of the queries, and in some situations CodeQL will use them in preference to the QL source you have modified.
|
||||
@@ -53,6 +53,9 @@ To run a pack that someone else has created, you must first download it by runni
|
||||
|
||||
This command accepts arguments for multiple packs.
|
||||
|
||||
If you write scripts that specify a particular version number of a query pack to download, keep in mind that when you update your version of CodeQL to a newer one, you may also need to switch to a newer version of the query pack. Newer versions of CodeQL *may* provide
|
||||
degraded performance when used with query packs that have been pinned to a very old version. For more information, see ":ref:`About CodeQL pack compatibility <about-codeql-pack-compatibility>`."
|
||||
|
||||
Using a CodeQL pack to analyze a CodeQL database
|
||||
------------------------------------------------
|
||||
|
||||
@@ -74,6 +77,45 @@ The ``analyze`` command will run the default suite of any specified CodeQL packs
|
||||
|
||||
codeql <database> analyze <scope>/<pack> <scope>/<other-pack>
|
||||
|
||||
.. pull-quote::
|
||||
|
||||
Note
|
||||
|
||||
The ``codeql pack download`` command stores the pack it downloads in an internal location that is not intended for local modification. Unexpected (and hard to troubleshoot) behavior may result if the pack is modified after downloading. For more information about customizing packs, see ":ref:`Creating and working with CodeQL packs <creating-and-working-with-codeql-packs>`."
|
||||
|
||||
.. _about-codeql-pack-compatibility:
|
||||
|
||||
About CodeQL pack compatibility
|
||||
-------------------------------
|
||||
|
||||
When a query pack is published, it includes pre-compiled representations of all the queries in it. These pre-compiled queries are generally much faster to execute than it is to compile the QL source from scratch during the analysis. However, the pre-compiled queries also depend on certain internals of the QL evaluator, so if the version of CodeQL that performs the analysis is too different from the version that ran ``codeql pack publish``, it may be necessary to compile the queries from source instead during analysis. The recompilation happens automatically and will not affect the *results* of the analysis, but it can make the
|
||||
analysis significantly slower.
|
||||
|
||||
It can generally be assumed that if a pack is published with one release of CodeQL, the precompiled queries in it can be used directly by *later* releases of CodeQL, as long as there is no more than 6 months between the release dates. We will make reasonable efforts to keep new releases compatible for longer than that, but make no promises.
|
||||
|
||||
It can also be assumed that a pack published by the *latest* public release of CodeQL will be useable by the version of CodeQL that is used by code scanning and GitHub Actions, even though that is often a slightly older release.
|
||||
|
||||
As an exception to the above, packs published with versions of CodeQL *earlier than 2.12.0* are not compatible with any earlier or later versions. These old versions did not write pre-compiled queries in a format that supported compatibility between releases. Packs published by these versions can still be *used* by newer versions, but the analysis will be slower because the queries have to be recompiled first.
|
||||
|
||||
As a user of a published query pack, you can check that the CodeQL makes use of the precompiled queries in it by inspecting the terminal output from an analysis runs that uses the query pack. If it contains lines looking like the following, then the precompiled queries were used successfully:
|
||||
|
||||
::
|
||||
|
||||
[42/108] Loaded /long/path/to/query/Filename.qlx.
|
||||
|
||||
However, if they instead look like the following, then usage of the precompiled queries failed:
|
||||
|
||||
::
|
||||
|
||||
Compiling query plan for /long/path/to/query/Filename.ql.
|
||||
[42/108 comp 25s] Compiled /long/path/to/query/Filename.ql.
|
||||
|
||||
The results of the analysis will still be good in this case, but to get optimal performance you may need to upgrade to a newer version of the CodeQL CLI and/or of the query pack.
|
||||
|
||||
If you publish query packs on the Container registry on GitHub.com for others to use, we recommend that you use a recent release of CodeQL to run ``codeql pack publish``, and that you publish a fresh version of your pack with an updated CodeQL version before the version you used turns 6 months old. That way you can ensure that users of your pack who keep *their* CodeQL up to date will benefit from the pre-compiled queries in your pack.
|
||||
|
||||
If you publish query packs with the intention of using them on a GitHub Enterprise Server installation that uses its bundled CodeQL binaries, use the same CodeQL version to run ``codeql pack publish``. Newer versions might produce pre-compiled queries that the one in GitHub Enterprise Server may not recognize. Your GitHub Enterprise Server administrator may choose to upgrade to a newer version of CodeQL periodically. If so, follow their lead.
|
||||
|
||||
.. _working-with-codeql-packs-on-ghes:
|
||||
|
||||
Working with CodeQL packs on GitHub Enterprise Server
|
||||
|
||||
@@ -20,7 +20,7 @@
|
||||
Java,"Java 7 to 18 [4]_","javac (OpenJDK and Oracle JDK),
|
||||
|
||||
Eclipse compiler for Java (ECJ) [5]_",``.java``
|
||||
Kotlin [6]_,"Kotlin 1.5.0 to 1.7.21","kotlinc",``.kt``
|
||||
Kotlin [6]_,"Kotlin 1.5.0 to 1.8.0","kotlinc",``.kt``
|
||||
JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [7]_"
|
||||
Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10",Not applicable,``.py``
|
||||
Ruby [9]_,"up to 3.1",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
|
||||
|
||||
@@ -2,6 +2,8 @@
|
||||
|
||||
In addition to [our supported queries and libraries](supported-queries.md), this repository also contains queries and libraries of a more experimental nature. Experimental queries and libraries can be improved incrementally and may eventually reach a sufficient maturity to be included in our supported queries and libraries.
|
||||
|
||||
Experimental security queries are included in the `experimental` [CodeQL suite](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs). This suite is provided for testing purposes only, and should not be used in production code scanning workflows.
|
||||
|
||||
Experimental queries and libraries may not be actively maintained as the [supported](supported-queries.md) libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
|
||||
|
||||
See [CONTRIBUTING.md](../CONTRIBUTING.md) for guidelines on submitting a new experimental query.
|
||||
|
||||
@@ -124,17 +124,10 @@ predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
|
||||
/** Holds if `row` is a summary model. */
|
||||
predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
|
||||
|
||||
bindingset[input]
|
||||
private predicate getKind(string input, string kind, boolean generated) {
|
||||
input.splitAt(":", 0) = "generated" and kind = input.splitAt(":", 1) and generated = true
|
||||
or
|
||||
not input.matches("%:%") and kind = input and generated = false
|
||||
}
|
||||
|
||||
/** Holds if a source model exists for the given parameters. */
|
||||
predicate sourceModel(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string output, string kind, boolean generated
|
||||
string output, string kind, string provenance
|
||||
) {
|
||||
exists(string row |
|
||||
sourceModel(row) and
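Review bot: Replacing `getKind(k, kind, generated)` with `row.splitAt(";", 7) = kind and provenance = "manual"` (and the column-8 equivalent in the summaryModel hunk below) means every CSV row is now reported as manual and the `generated:` prefix that getKind used to strip is no longer recognised, so a row still encoded as `generated:taint` would yield the literal kind `"generated:taint"` — matching nothing for sources and sinks, and being reported by getInvalidModelKind for summaries. The same applies to the sinkModel hunk. If the intent is that generated models now live only in the extension files, the predicate docstrings should say so, e.g. `/** Holds if a source model exists for the given parameters. CSV rows always have provenance "manual"; generated models are not read from CSV. */`. I cannot see from these hunks whether any remaining CSV row still uses the old prefix, so that is worth confirming before merging.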
|
||||
@@ -146,14 +139,15 @@ predicate sourceModel(
|
||||
row.splitAt(";", 4) = signature and
|
||||
row.splitAt(";", 5) = ext and
|
||||
row.splitAt(";", 6) = output and
|
||||
exists(string k | row.splitAt(";", 7) = k and getKind(k, kind, generated))
|
||||
row.splitAt(";", 7) = kind and
|
||||
provenance = "manual"
|
||||
)
|
||||
}
|
||||
|
||||
/** Holds if a sink model exists for the given parameters. */
|
||||
predicate sinkModel(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string input, string kind, boolean generated
|
||||
string input, string kind, string provenance
|
||||
) {
|
||||
exists(string row |
|
||||
sinkModel(row) and
|
||||
@@ -165,34 +159,30 @@ predicate sinkModel(
|
||||
row.splitAt(";", 4) = signature and
|
||||
row.splitAt(";", 5) = ext and
|
||||
row.splitAt(";", 6) = input and
|
||||
exists(string k | row.splitAt(";", 7) = k and getKind(k, kind, generated))
|
||||
row.splitAt(";", 7) = kind and
|
||||
provenance = "manual"
|
||||
)
|
||||
}
|
||||
|
||||
/** Holds if a summary model exists for the given parameters. */
|
||||
predicate summaryModel(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string input, string output, string kind, boolean generated
|
||||
string input, string output, string kind, string provenance
|
||||
) {
|
||||
summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, generated, _)
|
||||
}
|
||||
|
||||
/** Holds if a summary model `row` exists for the given parameters. */
|
||||
predicate summaryModel(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string input, string output, string kind, boolean generated, string row
|
||||
) {
|
||||
summaryModel(row) and
|
||||
row.splitAt(";", 0) = namespace and
|
||||
row.splitAt(";", 1) = type and
|
||||
row.splitAt(";", 2) = subtypes.toString() and
|
||||
subtypes = [true, false] and
|
||||
row.splitAt(";", 3) = name and
|
||||
row.splitAt(";", 4) = signature and
|
||||
row.splitAt(";", 5) = ext and
|
||||
row.splitAt(";", 6) = input and
|
||||
row.splitAt(";", 7) = output and
|
||||
exists(string k | row.splitAt(";", 8) = k and getKind(k, kind, generated))
|
||||
exists(string row |
|
||||
summaryModel(row) and
|
||||
row.splitAt(";", 0) = namespace and
|
||||
row.splitAt(";", 1) = type and
|
||||
row.splitAt(";", 2) = subtypes.toString() and
|
||||
subtypes = [true, false] and
|
||||
row.splitAt(";", 3) = name and
|
||||
row.splitAt(";", 4) = signature and
|
||||
row.splitAt(";", 5) = ext and
|
||||
row.splitAt(";", 6) = input and
|
||||
row.splitAt(";", 7) = output and
|
||||
row.splitAt(";", 8) = kind
|
||||
) and
|
||||
provenance = "manual"
|
||||
}
|
||||
|
||||
/** Holds if `package` have CSV framework coverage. */
|
||||
@@ -241,25 +231,25 @@ predicate modelCoverage(string package, int pkgs, string kind, string part, int
|
||||
part = "source" and
|
||||
n =
|
||||
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
|
||||
string ext, string output, boolean generated |
|
||||
string ext, string output, string provenance |
|
||||
canonicalPackageHasASubpackage(package, subpkg) and
|
||||
sourceModel(subpkg, type, subtypes, name, signature, ext, output, kind, generated)
|
||||
sourceModel(subpkg, type, subtypes, name, signature, ext, output, kind, provenance)
|
||||
)
|
||||
or
|
||||
part = "sink" and
|
||||
n =
|
||||
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
|
||||
string ext, string input, boolean generated |
|
||||
string ext, string input, string provenance |
|
||||
canonicalPackageHasASubpackage(package, subpkg) and
|
||||
sinkModel(subpkg, type, subtypes, name, signature, ext, input, kind, generated)
|
||||
sinkModel(subpkg, type, subtypes, name, signature, ext, input, kind, provenance)
|
||||
)
|
||||
or
|
||||
part = "summary" and
|
||||
n =
|
||||
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
|
||||
string ext, string input, string output, boolean generated |
|
||||
string ext, string input, string output, string provenance |
|
||||
canonicalPackageHasASubpackage(package, subpkg) and
|
||||
summaryModel(subpkg, type, subtypes, name, signature, ext, input, output, kind, generated)
|
||||
summaryModel(subpkg, type, subtypes, name, signature, ext, input, output, kind, provenance)
|
||||
)
|
||||
)
|
||||
}
|
||||
@@ -298,9 +288,8 @@ module CsvValidation {
|
||||
}
|
||||
|
||||
private string getInvalidModelKind() {
|
||||
exists(string row, string k, string kind | summaryModel(row) |
|
||||
k = row.splitAt(";", 8) and
|
||||
getKind(k, kind, _) and
|
||||
exists(string row, string kind | summaryModel(row) |
|
||||
kind = row.splitAt(";", 8) and
|
||||
not kind = ["taint", "value"] and
|
||||
result = "Invalid kind \"" + kind + "\" in summary model."
|
||||
)
|
||||
|
||||