Merge branch 'main' into copilot/investigate-missing-alerts

2026-06-19 11:51:08 +02:00 · 2026-06-17 22:54:22 +01:00
parent 1f9899d7db 3dd3e2c643
commit c7c1eca415
1209 changed files with 59390 additions and 7398 deletions
--- a/python/downgrades/b7745eb2df865c97e50b7803956a82988716e29a/old.dbscheme
+++ b/python/downgrades/b7745eb2df865c97e50b7803956a82988716e29a/old.dbscheme
--- a/python/downgrades/b7745eb2df865c97e50b7803956a82988716e29a/semmlecode.python.dbscheme
+++ b/python/downgrades/b7745eb2df865c97e50b7803956a82988716e29a/semmlecode.python.dbscheme
--- a/python/downgrades/b7745eb2df865c97e50b7803956a82988716e29a/upgrade.properties
+++ b/python/downgrades/b7745eb2df865c97e50b7803956a82988716e29a/upgrade.properties
@@ -0,0 +1,3 @@
+description: Extract YAML comments
+compatibility: full
+yaml_comments.rel: delete
--- a/python/extractor/semmle/dbscheme.template
+++ b/python/extractor/semmle/dbscheme.template
@@ -272,13 +272,17 @@ yaml_scalars (unique int scalar: @yaml_scalar_node ref,
              int style: int ref,
              string value: string ref);

+yaml_comments (unique int id: @yaml_comment,
+               string text: string ref,
+               string tostring: string ref);
+
 yaml_errors (unique int id: @yaml_error,
             string message: string ref);

 yaml_locations(unique int locatable: @yaml_locatable ref,
             int location: @location_default ref);

-@yaml_locatable = @yaml_node | @yaml_error;
+@yaml_locatable = @yaml_node | @yaml_error | @yaml_comment;

 /*- Python dbscheme -*/

--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -2,7 +2,7 @@

 ### Minor Analysis Improvements

-* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and less fewer positive results after these changes.
+* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and fewer false positive results after these changes.

 ## 7.1.1

--- a/python/ql/lib/change-notes/released/7.1.2.md
+++ b/python/ql/lib/change-notes/released/7.1.2.md
@@ -2,4 +2,4 @@

 ### Minor Analysis Improvements

-* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and less fewer positive results after these changes.
+* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and fewer false positive results after these changes.
--- a/python/ql/lib/semmle/python/Yaml.qll
+++ b/python/ql/lib/semmle/python/Yaml.qll
@@ -45,6 +45,12 @@ private module YamlSig implements LibYaml::InputSig {
  class ParseErrorBase extends LocatableBase, @yaml_error {
    string getMessage() { yaml_errors(this, result) }
  }
+
+  class CommentBase extends LocatableBase, @yaml_comment {
+    string getText() { yaml_comments(this, result, _) }
+
+    override string toString() { yaml_comments(this, _, result) }
+  }
 }

 import LibYaml::Make<YamlSig>
--- a/python/ql/lib/semmlecode.python.dbscheme
+++ b/python/ql/lib/semmlecode.python.dbscheme
@@ -280,13 +280,17 @@ yaml_scalars (unique int scalar: @yaml_scalar_node ref,
              int style: int ref,
              string value: string ref);

+yaml_comments (unique int id: @yaml_comment,
+               string text: string ref,
+               string tostring: string ref);
+
 yaml_errors (unique int id: @yaml_error,
             string message: string ref);

 yaml_locations(unique int locatable: @yaml_locatable ref,
             int location: @location_default ref);

-@yaml_locatable = @yaml_node | @yaml_error;
+@yaml_locatable = @yaml_node | @yaml_error | @yaml_comment;

 /*- Python dbscheme -*/

--- a/python/ql/lib/semmlecode.python.dbscheme.stats
+++ b/python/ql/lib/semmlecode.python.dbscheme.stats
@@ -641,6 +641,10 @@
 <k>@yaml_error</k>
 <v>1</v>
 </e>
+<e>
+<k>@yaml_comment</k>
+<v>1000</v>
+</e>
 </typesizes>
  <stats><relation>
 <name>externalDefects</name>
@@ -18657,5 +18661,121 @@
 </dep>
 </dependencies>
 </relation>
+<relation>
+<name>yaml_comments</name>
+<cardinality>1000</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>1000</v>
+</e>
+<e>
+<k>text</k>
+<v>1000</v>
+</e>
+<e>
+<k>tostring</k>
+<v>1000</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>text</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>tostring</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>text</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>text</src>
+<trg>tostring</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>tostring</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>tostring</src>
+<trg>text</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
 </stats>
 </dbstats>
--- a/python/ql/lib/upgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/old.dbscheme
+++ b/python/ql/lib/upgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/old.dbscheme
--- a/python/ql/lib/upgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/semmlecode.python.dbscheme
+++ b/python/ql/lib/upgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/semmlecode.python.dbscheme
--- a/python/ql/lib/upgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/upgrade.properties
+++ b/python/ql/lib/upgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/upgrade.properties
@@ -0,0 +1,2 @@
+description: Extract YAML comments
+compatibility: backwards
--- a/python/ql/src/experimental/semmle/python/frameworks/OpenAI.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/OpenAI.qll
@@ -13,7 +13,7 @@ private import semmle.python.ApiGraphs
 *
 * See https://github.com/openai/openai-agents-python.
 */
-module AgentSDK {
+module AgentSdk {
  /** Gets a reference to the `agents.Runner` class. */
  API::Node classRef() { result = API::moduleImport("agents").getMember("Runner") }

--- a/python/ql/src/experimental/semmle/python/security/dataflow/PromptInjectionCustomizations.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/PromptInjectionCustomizations.qll
@@ -54,7 +54,7 @@ module PromptInjection {
    PromptContentSink() {
      this = OpenAI::getContentNode().asSink()
      or
-      this = AgentSDK::getContentNode().asSink()
+      this = AgentSdk::getContentNode().asSink()
    }
  }