Merge branch 'main' of https://github.com/github/codeql into oscarsj/mergeback-rc-3-20-into-main

2025-12-17 01:03:14 +01:00 · 2025-12-12 13:22:08 +01:00
parent 72b63bbdc3 c5987b4481
commit d972af9ef8
1129 changed files with 32377 additions and 8332 deletions
--- a/swift/ql/lib/change-notes/2025-12-11-swift-6.2.2.md
+++ b/swift/ql/lib/change-notes/2025-12-11-swift-6.2.2.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Upgraded to allow analysis of Swift 6.2.2.
--- a/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll
@@ -159,6 +159,19 @@ module SourceSinkInterpretationInput implements
    )
  }

+  predicate barrierElement(
+    Element n, string output, string kind, Public::Provenance provenance, string model
+  ) {
+    none()
+  }
+
+  predicate barrierGuardElement(
+    Element n, string input, Public::AcceptingValue acceptingvalue, string kind,
+    Public::Provenance provenance, string model
+  ) {
+    none()
+  }
+
  private newtype TInterpretNode =
    TElement_(Element n) or
    TNode_(Node n) or
--- a/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
@@ -87,7 +87,7 @@ private class UrlTransmittedSink extends CleartextTransmissionSink {
    // exclude `tel:` and similar URLs. These URLs necessarily contain
    // sensitive data which you expect to transmit only by making the
    // phone call (or similar operation).
-    not ExcludeUrlFlow::flow(_, this)
+    not ExcludeUrlFlow::flowTo(this)
  }
 }

--- a/swift/third_party/resources/resource-dir-linux.zip
+++ b/swift/third_party/resources/resource-dir-linux.zip
--- a/swift/third_party/resources/resource-dir-macos.zip
+++ b/swift/third_party/resources/resource-dir-macos.zip
--- a/swift/third_party/resources/swift-prebuilt-linux.tar.zst
+++ b/swift/third_party/resources/swift-prebuilt-linux.tar.zst
--- a/swift/third_party/resources/swift-prebuilt-macos.tar.zst
+++ b/swift/third_party/resources/swift-prebuilt-macos.tar.zst
--- a/swift/tools/tracing-config.lua
+++ b/swift/tools/tracing-config.lua
@@ -53,6 +53,13 @@ function RegisterExtractorPack(id)
        strip_unsupported_arg(args, '-stack-check', 0)
        strip_unsupported_arg(args, '-experimental-skip-non-inlinable-function-bodies-without-types', 0)
        strip_unsupported_clang_arg(args, '-ivfsstatcache', 1)
+        strip_unsupported_clang_arg(args, '-fno-odr-hash-protocols', 0)
+        strip_unsupported_clang_arg(args, '-clang-vendor-feature=+disableNonDependentMemberExprInCurrentInstantiation', 0)
+        strip_unsupported_clang_arg(args, '-clang-vendor-feature=+enableAggressiveVLAFolding', 0)
+        strip_unsupported_clang_arg(args, '-clang-vendor-feature=+revert09abecef7bbf', 0)
+        strip_unsupported_clang_arg(args, '-clang-vendor-feature=+thisNoAlignAttr', 0)
+        strip_unsupported_clang_arg(args, '-clang-vendor-feature=+thisNoNullAttr', 0)
+        strip_unsupported_clang_arg(args, '-clang-vendor-feature=+disableAtImportPrivateFrameworkInImplementationError', 0)
        -- The four args below are removed to workaround version mismatches due to recent versions
        -- of Xcode defaulting to explicit modules:
        strip_unsupported_arg(args, '-disable-implicit-swift-modules', 0)
@@ -120,6 +127,9 @@ function RegisterExtractorPack(id)
        if compilerArguments.argv[1] == '-emit-supported-features' then
            return nil
        end
+        if compilerArguments.argv[1] == '-scan-dependencies' then
+            return nil
+        end

        strip_unsupported_args(compilerArguments.argv)
        replace_resource_dir(compilerPath, compilerArguments.argv)