Merge branch 'main' into copilot/investigate-missing-alerts

python/ql/lib/CHANGELOG.md

@@ -2,7 +2,7 @@
 
 ### Minor Analysis Improvements
 
-* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and less fewer positive results after these changes.
+* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and fewer false positive results after these changes.
 
 ## 7.1.1
 

python/ql/lib/change-notes/released/7.1.2.md

@@ -2,4 +2,4 @@
 
 ### Minor Analysis Improvements
 
-* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and less fewer positive results after these changes.
+* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and fewer false positive results after these changes.

python/ql/lib/semmle/python/Yaml.qll

@@ -45,6 +45,12 @@ private module YamlSig implements LibYaml::InputSig {
   class ParseErrorBase extends LocatableBase, @yaml_error {
     string getMessage() { yaml_errors(this, result) }
   }
+
+  class CommentBase extends LocatableBase, @yaml_comment {
+    string getText() { yaml_comments(this, result, _) }
+
+    override string toString() { yaml_comments(this, _, result) }
+  }
 }
 
 import LibYaml::Make<YamlSig>

python/ql/lib/semmlecode.python.dbscheme

@@ -280,13 +280,17 @@ yaml_scalars (unique int scalar: @yaml_scalar_node ref,
               int style: int ref,
               string value: string ref);
 
+yaml_comments (unique int id: @yaml_comment,
+               string text: string ref,
+               string tostring: string ref);
+
 yaml_errors (unique int id: @yaml_error,
              string message: string ref);
 
 yaml_locations(unique int locatable: @yaml_locatable ref,
              int location: @location_default ref);
 
-@yaml_locatable = @yaml_node | @yaml_error;
+@yaml_locatable = @yaml_node | @yaml_error | @yaml_comment;
 
 /*- Python dbscheme -*/
 

python/ql/lib/semmlecode.python.dbscheme.stats

@@ -641,6 +641,10 @@
 <k>@yaml_error</k>
 <v>1</v>
 </e>
+<e>
+<k>@yaml_comment</k>
+<v>1000</v>
+</e>
 </typesizes>
   <stats><relation>
 <name>externalDefects</name>
@@ -18657,5 +18661,121 @@
 </dep>
 </dependencies>
 </relation>
+<relation>
+<name>yaml_comments</name>
+<cardinality>1000</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>1000</v>
+</e>
+<e>
+<k>text</k>
+<v>1000</v>
+</e>
+<e>
+<k>tostring</k>
+<v>1000</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>text</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>tostring</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>text</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>text</src>
+<trg>tostring</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>tostring</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>tostring</src>
+<trg>text</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1000</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
 </stats>
 </dbstats>

python/ql/lib/upgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/upgrade.properties

@@ -0,0 +1,2 @@
+description: Extract YAML comments
+compatibility: backwards

python/ql/src/experimental/semmle/python/frameworks/OpenAI.qll

@@ -13,7 +13,7 @@ private import semmle.python.ApiGraphs
  *
  * See https://github.com/openai/openai-agents-python.
  */
-module AgentSDK {
+module AgentSdk {
   /** Gets a reference to the `agents.Runner` class. */
   API::Node classRef() { result = API::moduleImport("agents").getMember("Runner") }
 

python/ql/src/experimental/semmle/python/security/dataflow/PromptInjectionCustomizations.qll

@@ -54,7 +54,7 @@ module PromptInjection {
     PromptContentSink() {
       this = OpenAI::getContentNode().asSink()
       or
-      this = AgentSDK::getContentNode().asSink()
+      this = AgentSdk::getContentNode().asSink()
     }
   }