Manual merge v2.17.2

java/ql/automodel/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.22
+
+No user-facing changes.
+
 ## 0.0.21
 
 No user-facing changes.

java/ql/automodel/src/change-notes/released/0.0.22.md

@@ -0,0 +1,3 @@
+## 0.0.22
+
+No user-facing changes.

java/ql/automodel/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.21
+lastReleaseVersion: 0.0.22

java/ql/automodel/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-automodel-queries
-version: 0.0.21
+version: 0.0.22
 groups:
     - java
     - automodel

java/ql/integration-tests/all-platforms/java/buildless-maven-tolerate-unavailable-dependency/buildless-fetches.expected

@@ -0,0 +1,5 @@
+https://repo.maven.apache.org/maven2/com/blazegraph/junit-ext/2.1.4/junit-ext-2.1.4.jar
+https://repo.maven.apache.org/maven2/com/greghaskins/spectrum/1.2.0/spectrum-1.2.0-tests.jar
+https://repo.maven.apache.org/maven2/com/pyx4me/cldcunit/2.0.4/cldcunit-2.0.4.jar
+https://repo.maven.apache.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
+https://repo1.maven.org/maven2/junit/junit/9.9.9/junit-9.9.9.jar

java/ql/integration-tests/all-platforms/java/buildless-maven-tolerate-unavailable-dependency/diagnostics.expected

@@ -0,0 +1,126 @@
+{
+  "markdownMessage": "At least one dependency JAR suggested by the build system could not be downloaded. This means the analysis will try to satisfy the dependency with its default choice for the required external package name, which may be the wrong version or the wrong package entirely. This may lead to partial analysis of code using this dependency. See the extraction log for full details. If the cause appears to be a temporary outage, consider retrying the analysis.",
+  "severity": "warning",
+  "source": {
+    "extractorName": "java",
+    "id": "java/extractor/buildless/suggested-classpath-fetches-failed",
+    "name": "Some build-system suggested dependencies could not be fetched"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Buildless extraction tried and failed to fetch a jar (`https://repo1.maven.org/maven2, junit:junit:jar:9.9.9`). If a temporary network outage is likely, consider retrying the scan.",
+  "severity": "warning",
+  "source": {
+    "extractorName": "java",
+    "id": "java/extractor/buildless/jar-fetch-failed",
+    "name": "Fetching a dependency jar failed"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis used build tool Maven to pick a JDK version and/or to recommend external dependencies.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/using-build-tool-advice",
+    "name": "Java analysis used build tool Maven to pick a JDK version and/or to recommend external dependencies"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis used the system default JDK.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/jdk-system-default",
+    "name": "Java analysis used the system default JDK"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis with build-mode 'none' completed.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/complete",
+    "name": "Java analysis with build-mode 'none' completed"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java was extracted with build-mode set to 'none'. This means that all Java source in the working directory will be scanned, with build tools such as Maven and Gradle only contributing information about external dependencies.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/mode-active",
+    "name": "Java was extracted with build-mode set to 'none'"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Reading the dependency graph from build files provided 1 classpath entries",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/depgraph-provided-by-maven",
+    "name": "Java analysis extracted precise dependency graph information from tool Maven"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.2:graph` yielded an artifact transfer exception. This means some dependency information will be unavailable, and so some dependencies will be guessed based on Java package names. Consider investigating why this plugin encountered errors retrieving dependencies.",
+  "severity": "warning",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/depgraph-maven-plugin-transfer-exception",
+    "name": "Java analysis encountered a transfer exception dependency graph from Maven"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Some classpath entries had to be inferred from external package names used in source code -- for example, guessing that if `javax.xml.bind` is referred to, then JAXB should be added to the classpath. This means that the dependency information extracted from build scripts was insufficient. The dependencies guessed this way might be the wrong versions, leading to failure to extract some uses of those external libraries. The cause may be missing dependencies that should be generated at build time -- in this case, consider using a build mode other than 'none'. See the full analysis log for details of the inferred classpath entries.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/extractor/buildless/supplied-classpath-insufficient",
+    "name": "Some classpath entries were inferred from used external package names"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}

java/ql/integration-tests/all-platforms/java/buildless-maven-tolerate-unavailable-dependency/pom.xml

@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>dlfs</groupId>
+  <artifactId>asdkfj</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <name>asdkfj</name>
+  <description>A simple asdkfj.</description>
+  <!-- FIXME change it to the project's website -->
+  <url>http://www.example.com</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>1.7</maven.compiler.source>
+    <maven.compiler.target>1.7</maven.compiler.target>
+  </properties>
+
+  <repositories>
+    <repository>
+      <id>my-repo1</id>
+      <name>your custom repo</name>
+      <url>https://saldkfjadksfj.info/releases</url>
+    </repository>
+  </repositories>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>9.9.9</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+      <plugins>
+        <plugin>
+          <artifactId>maven-clean-plugin</artifactId>
+          <version>3.1.0</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-site-plugin</artifactId>
+          <version>3.7.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-project-info-reports-plugin</artifactId>
+          <version>3.0.0</version>
+        </plugin>
+        <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>3.8.0</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.22.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-install-plugin</artifactId>
+          <version>2.5.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-deploy-plugin</artifactId>
+          <version>2.8.2</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+  </build>
+</project>

java/ql/integration-tests/all-platforms/java/buildless-maven-tolerate-unavailable-dependency/src/main/java/dlfs/App.java

@@ -0,0 +1,13 @@
+package dlfs;
+
+/**
+ * Hello world!
+ *
+ */
+public class App 
+{
+    public static void main( String[] args )
+    {
+        System.out.println( "Hello World!" );
+    }
+}

java/ql/integration-tests/all-platforms/java/buildless-maven-tolerate-unavailable-dependency/src/site/site.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project name="asdkfj" xmlns="http://maven.apache.org/DECORATION/1.8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/DECORATION/1.8.0 http://maven.apache.org/xsd/decoration-1.8.0.xsd">
+  <bannerLeft>
+    <name>asdkfj</name>
+    <src>https://maven.apache.org/images/apache-maven-project.png</src>
+    <href>https://www.apache.org/</href>
+  </bannerLeft>
+
+  <bannerRight>
+    <src>https://maven.apache.org/images/maven-logo-black-on-white.png</src>
+    <href>https://maven.apache.org/</href>
+  </bannerRight>
+
+  <skin>
+    <groupId>org.apache.maven.skins</groupId>
+    <artifactId>maven-fluido-skin</artifactId>
+    <version>1.7</version>
+  </skin>
+
+  <body>
+    <menu ref="parent" />
+    <menu ref="reports" />
+  </body>
+</project>

java/ql/integration-tests/all-platforms/java/buildless-maven-tolerate-unavailable-dependency/src/test/java/dlfs/AppTest.java

@@ -0,0 +1,38 @@
+package dlfs;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+/**
+ * Unit test for simple App.
+ */
+public class AppTest 
+    extends TestCase
+{
+    /**
+     * Create the test case
+     *
+     * @param testName name of the test case
+     */
+    public AppTest( String testName )
+    {
+        super( testName );
+    }
+
+    /**
+     * @return the suite of tests being tested
+     */
+    public static Test suite()
+    {
+        return new TestSuite( AppTest.class );
+    }
+
+    /**
+     * Rigourous Test :-)
+     */
+    public void testApp()
+    {
+        assertTrue( true );
+    }
+}

java/ql/integration-tests/all-platforms/java/buildless-maven-tolerate-unavailable-dependency/test.py

@@ -0,0 +1,8 @@
+from create_database_utils import *
+from diagnostics_test_utils import *
+from buildless_test_utils import *
+
+run_codeql_database_create([], lang="java", extra_args=["--build-mode=none"])
+
+check_diagnostics()
+check_buildless_fetches()

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.10.0
+
+### Breaking Changes
+
+* Deleted the deprecated `AssignLShiftExpr`, `AssignRShiftExpr`, `AssignURShiftExpr`, `LShiftExpr`, `RShiftExpr`, and `URShiftExpr` aliases.
+
 ## 0.9.1
 
 ### Minor Analysis Improvements

java/ql/lib/change-notes/released/0.10.0.md

@@ -0,0 +1,5 @@
+## 0.10.0
+
+### Breaking Changes
+
+* Deleted the deprecated `AssignLShiftExpr`, `AssignRShiftExpr`, `AssignURShiftExpr`, `LShiftExpr`, `RShiftExpr`, and `URShiftExpr` aliases.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.1
+lastReleaseVersion: 0.10.0

java/ql/lib/config/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@rules_pkg//:mappings.bzl", "pkg_files")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
 
 package(default_visibility = ["//java:__pkg__"])
 

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.9.1
+version: 0.10.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/lib/semmle/code/java/Expr.qll

@@ -511,9 +511,6 @@ class AssignLeftShiftExpr extends AssignOp, @assignlshiftexpr {
   override string getAPrimaryQlClass() { result = "AssignLeftShiftExpr" }
 }
 
-/** DEPRECATED: Alias for AssignLeftShiftExpr. */
-deprecated class AssignLShiftExpr = AssignLeftShiftExpr;
-
 /** A compound assignment expression using the `>>=` operator. */
 class AssignRightShiftExpr extends AssignOp, @assignrshiftexpr {
   override string getOp() { result = ">>=" }
@@ -521,9 +518,6 @@ class AssignRightShiftExpr extends AssignOp, @assignrshiftexpr {
   override string getAPrimaryQlClass() { result = "AssignRightShiftExpr" }
 }
 
-/** DEPRECATED: Alias for AssignRightShiftExpr. */
-deprecated class AssignRShiftExpr = AssignRightShiftExpr;
-
 /** A compound assignment expression using the `>>>=` operator. */
 class AssignUnsignedRightShiftExpr extends AssignOp, @assignurshiftexpr {
   override string getOp() { result = ">>>=" }
@@ -531,9 +525,6 @@ class AssignUnsignedRightShiftExpr extends AssignOp, @assignurshiftexpr {
   override string getAPrimaryQlClass() { result = "AssignUnsignedRightShiftExpr" }
 }
 
-/** DEPRECATED: Alias for AssignUnsignedRightShiftExpr. */
-deprecated class AssignURShiftExpr = AssignUnsignedRightShiftExpr;
-
 /** A common super-class to represent constant literals. */
 class Literal extends Expr, @literal {
   /**
@@ -793,9 +784,6 @@ class LeftShiftExpr extends BinaryExpr, @lshiftexpr {
   override string getAPrimaryQlClass() { result = "LeftShiftExpr" }
 }
 
-/** DEPRECATED: Alias for LeftShiftExpr. */
-deprecated class LShiftExpr = LeftShiftExpr;
-
 /** A binary expression using the `>>` operator. */
 class RightShiftExpr extends BinaryExpr, @rshiftexpr {
   override string getOp() { result = " >> " }
@@ -803,9 +791,6 @@ class RightShiftExpr extends BinaryExpr, @rshiftexpr {
   override string getAPrimaryQlClass() { result = "RightShiftExpr" }
 }
 
-/** DEPRECATED: Alias for RightShiftExpr. */
-deprecated class RShiftExpr = RightShiftExpr;
-
 /** A binary expression using the `>>>` operator. */
 class UnsignedRightShiftExpr extends BinaryExpr, @urshiftexpr {
   override string getOp() { result = " >>> " }
@@ -813,9 +798,6 @@ class UnsignedRightShiftExpr extends BinaryExpr, @urshiftexpr {
   override string getAPrimaryQlClass() { result = "UnsignedRightShiftExpr" }
 }
 
-/** DEPRECATED: Alias for UnsignedRightShiftExpr. */
-deprecated class URShiftExpr = UnsignedRightShiftExpr;
-
 /** A binary expression using the `&` operator. */
 class AndBitwiseExpr extends BinaryExpr, @andbitexpr {
   override string getOp() { result = " & " }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplSpecific.qll

@@ -20,6 +20,8 @@ module JavaDataFlow implements InputSig<Location> {
 
   Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
 
+  predicate getSecondLevelScope = Private::getSecondLevelScope/1;
+
   predicate mayBenefitFromCallContext = Private::mayBenefitFromCallContext/1;
 
   predicate viableImplInCallContext = Private::viableImplInCallContext/2;

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -591,6 +591,81 @@ predicate knownSourceModel(Node source, string model) { sourceNode(source, _, mo
 
 predicate knownSinkModel(Node sink, string model) { sinkNode(sink, _, model) }
 
+private predicate isTopLevel(Stmt s) {
+  any(Callable c).getBody() = s
+  or
+  exists(BlockStmt b | s = b.getAStmt() and isTopLevel(b))
+}
+
+private Stmt getAChainedBranch(IfStmt s) {
+  result = s.getThen()
+  or
+  exists(Stmt elseBranch | s.getElse() = elseBranch |
+    result = getAChainedBranch(elseBranch)
+    or
+    result = elseBranch and not elseBranch instanceof IfStmt
+  )
+}
+
+private newtype TDataFlowSecondLevelScope =
+  TTopLevelIfBranch(Stmt s) {
+    exists(IfStmt ifstmt | s = getAChainedBranch(ifstmt) and isTopLevel(ifstmt))
+  } or
+  TTopLevelSwitchCase(SwitchCase s) {
+    exists(SwitchStmt switchstmt | s = switchstmt.getACase() and isTopLevel(switchstmt))
+  }
+
+private SwitchCase getPrecedingCase(Stmt s) {
+  result = s
+  or
+  exists(SwitchStmt switch, int i |
+    s = switch.getStmt(i) and
+    not s instanceof SwitchCase and
+    result = getPrecedingCase(switch.getStmt(i - 1))
+  )
+}
+
+/**
+ * A second-level control-flow scope in a `switch` or a chained `if` statement.
+ *
+ * This is a `switch` case or a branch of a chained `if` statement, given that
+ * the `switch` or `if` statement is top level, that is, it is not nested inside
+ * other CFG constructs.
+ */
+class DataFlowSecondLevelScope extends TDataFlowSecondLevelScope {
+  /** Gets a textual representation of this element. */
+  string toString() {
+    exists(Stmt s | this = TTopLevelIfBranch(s) | result = s.toString())
+    or
+    exists(SwitchCase s | this = TTopLevelSwitchCase(s) | result = s.toString())
+  }
+
+  /**
+   * Gets a statement directly contained in this scope. For an `if` branch, this
+   * is the branch itself, and for a `switch case`, this is one the statements
+   * of that case branch.
+   */
+  private Stmt getAStmt() {
+    exists(Stmt s | this = TTopLevelIfBranch(s) | result = s)
+    or
+    exists(SwitchCase s | this = TTopLevelSwitchCase(s) |
+      result = s.getRuleStatement() or
+      s = getPrecedingCase(result)
+    )
+  }
+
+  /** Gets a data-flow node nested within this scope. */
+  Node getANode() { getRelatedExpr(result).getAnEnclosingStmt() = this.getAStmt() }
+}
+
+private Expr getRelatedExpr(Node n) {
+  n.asExpr() = result or
+  n.(PostUpdateNode).getPreUpdateNode().asExpr() = result
+}
+
+/** Gets the second-level scope containing the node `n`, if any. */
+DataFlowSecondLevelScope getSecondLevelScope(Node n) { result.getANode() = n }
+
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a
  * side-effect, resulting in a summary from `p` to itself.

java/ql/lib/semmle/code/java/os/OSCheck.qll

@@ -37,11 +37,17 @@ abstract class IsUnixGuard extends Guard { }
  */
 abstract class IsSpecificUnixVariant extends Guard { }
 
+private DataFlow::Node osNameFlow() {
+  result.asExpr() = getSystemProperty("os.name")
+  or
+  TaintTracking::localTaintStep(osNameFlow(), result)
+}
+
 /**
  * Holds when `ma` compares the current OS against the string constant `osString`.
  */
 private predicate isOsFromSystemProp(MethodCall ma, string osString) {
-  TaintTracking::localExprTaint(getSystemProperty("os.name"), ma.getQualifier()) and // Call from System.getProperty (or equivalent) to some partial match method
+  osNameFlow().asExpr() = ma.getQualifier() and // Call from System.getProperty (or equivalent) to some partial match method
   exists(StringPartialMatchMethod m, CompileTimeConstantExpr matchedStringConstant |
     m = ma.getMethod() and
     matchedStringConstant.getStringValue().toLowerCase() = osString

java/ql/lib/semmle/code/java/regex/RegexTreeView.qll

@@ -1162,14 +1162,6 @@ module Impl implements RegexTreeViewSig {
     root.getLiteral().isIgnoreCase()
   }
 
-  /**
-   * Gets the flags for `root`, or the empty string if `root` has no flags.
-   */
-  additional deprecated string getFlags(RegExpTerm root) {
-    root.isRootTerm() and
-    result = root.getLiteral().getFlags()
-  }
-
   /**
    * Holds if `root` has the `s` flag for multi-line matching.
    */

java/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.8.15
+
+No user-facing changes.
+
 ## 0.8.14
 
 ### Minor Analysis Improvements

java/ql/src/change-notes/released/0.8.15.md

@@ -0,0 +1,3 @@
+## 0.8.15
+
+No user-facing changes.

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.14
+lastReleaseVersion: 0.8.15

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.8.14
+version: 0.8.15
 groups:
   - java
   - queries

java/ql/test/library-tests/frameworks/guava/handwritten/flow.ql

@@ -18,8 +18,6 @@ module ValueFlowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node n) {
     exists(MethodCall ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
   }
-
-  int fieldFlowBranchLimit() { result = 100 }
 }
 
 module ValueFlow = DataFlow::Global<ValueFlowConfig>;