From f0ca76102cc6ea8ba10715caafe37f89eab93cc3 Mon Sep 17 00:00:00 2001 From: Moshe Kaplan Date: Fri, 24 Mar 2023 15:26:46 -0400 Subject: [PATCH 01/37] Correct menu title name of "Open Workspace" Correct menu title name of "Open Workspace" to "Open Workspace from File", as that is the current menu title on VS Code (at least as of 1.76.2) --- .../setting-up-codeql-in-visual-studio-code.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst b/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst index 6ed374381d8..98990c7f706 100644 --- a/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst +++ b/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst @@ -72,7 +72,7 @@ To use the starter workspace: * Make sure you include the submodules, either by using ``git clone --recursive``, or using by ``git submodule update --init --remote`` after cloning. * Use ``git submodule update --remote`` regularly to keep the submodules up to date. -#. In VS Code, use the **File** > **Open Workspace** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository. +#. In VS Code, use the **File** > **Open Workspace from File** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository. .. _existing-workspace: From 150debdd8dc5d0ff368ae6d25578b63c8c617179 Mon Sep 17 00:00:00 2001 From: 2h0ng <60600792+superboy-zjc@users.noreply.github.com> Date: Sun, 9 Feb 2025 15:29:37 -0500 Subject: [PATCH 02/37] Fix the broken reference --- docs/codeql/ql-language-reference/aliases.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/ql-language-reference/aliases.rst b/docs/codeql/ql-language-reference/aliases.rst index efbbef65cda..ebecbdf0a2b 100644 
--- a/docs/codeql/ql-language-reference/aliases.rst +++ b/docs/codeql/ql-language-reference/aliases.rst @@ -137,6 +137,6 @@ During :ref:`name resolution `, ambiguity between aliases from for the same module/type/predicate is allowed, but ambiguity between between aliases from distinct **strong** alias definitions is invalid QL. Likewise, for the purpose of applicative instantiation of :ref:`parameterised modules ` -and `:ref:`parameterised module signatures `, aliases from **weak** alias +and :ref:`parameterised module signatures `, aliases from **weak** alias definitions for instantiation arguments do not result in separate instantiations, but aliases from **strong** alias definitions for instantiation arguments do. From bca2c2da548d6918ce6d9fde1dac2a41a4331f87 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sat, 19 Jul 2025 19:29:00 -0400 Subject: [PATCH 03/37] Java: Add 'previous-id' and adjust tags for 'java/garbage-collection' and 'java/do-not-use-finalizers' --- .../query-suite/java-code-quality-extended.qls.expected | 1 + .../Undesirable Calls/CallsToRunFinalizersOnExit.ql | 7 +++++-- .../Undesirable Calls/GarbageCollection.ql | 6 ++++-- java/ql/src/change-notes/2025-07-19-adjust-tags.md | 5 +++++ 4 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 java/ql/src/change-notes/2025-07-19-adjust-tags.md diff --git a/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected index 7a1a986b2aa..4a736437995 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected 
@@ -80,6 +80,7 @@ ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldC
 ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
 ql/java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.ql
 ql/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql
 ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql
 ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql
 ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql
index c2ffe45b520..568be1805e6 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql
@@ -7,8 +7,11 @@
 * @problem.severity error
 * @precision medium
 * @id java/run-finalizers-on-exit
- * @tags reliability
- * maintainability
+ * @previous-id java/do-not-use-finalizers
+ * @tags quality
+ * reliability
+ * correctness
+ * performance
 */
 import java
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql
index 1067bdcb6dc..620177cc58c 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql
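Review bot: Both this hunk and the GarbageCollection.ql hunk that follows add the same `@previous-id java/do-not-use-finalizers`, so two queries now claim to be the successor of one retired id; if alert migration assumes a single successor per previous id, which query inherits the old alerts is ambiguous and is worth confirming before merge. The change note added in 2025-07-19-adjust-tags.md records only the tag changes and says nothing about the `@previous-id` additions, so readers of the release notes will not learn that results from `java/do-not-use-finalizers` are carried over; a third bullet stating that both queries now declare `java/do-not-use-finalizers` as their previous id would close that gap. The metadata comment block starts outside the hunk.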
@@ -6,8 +6,10 @@
 * @problem.severity recommendation
 * @precision low
 * @id java/garbage-collection
- * @tags reliability
- * maintainability
+ * @previous-id java/do-not-use-finalizers
+ * @tags quality
+ * reliability
+ * correctness
 */
 import java
diff --git a/java/ql/src/change-notes/2025-07-19-adjust-tags.md b/java/ql/src/change-notes/2025-07-19-adjust-tags.md
new file mode 100644
index 00000000000..0067adebdaf
--- /dev/null
+++ b/java/ql/src/change-notes/2025-07-19-adjust-tags.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The tag `maintainability` has been removed from `java/run-finalizers-on-exit` and the tags `quality`, `correctness`, and `performance` have been added.
+* The tag `maintainability` has been removed from `java/garbage-collection` and the tags `quality` and `correctness` have been added.
From b104535b32885a60f627e5352fdee78e9ebe072a Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Fri, 15 Aug 2025 13:46:30 +0200
Subject: [PATCH 04/37] Type inference: Rename some variables
---
 .../typeinference/internal/TypeInference.qll | 43 +++++++++++--------
 1 file changed, 24 insertions(+), 19 deletions(-)
diff --git a/shared/typeinference/codeql/typeinference/internal/TypeInference.qll b/shared/typeinference/codeql/typeinference/internal/TypeInference.qll
index c42a424f3e3..32615dc46cd 100644
--- a/shared/typeinference/codeql/typeinference/internal/TypeInference.qll
+++ b/shared/typeinference/codeql/typeinference/internal/TypeInference.qll
@@ -731,20 +731,24 @@ module Make1 Input1> { IsInstantiationOfInputSig { pragma[nomagic] - private predicate typeCondition(Type type, TypeAbstraction abs, TypeMentionTypeTree lhs) { - conditionSatisfiesConstraint(abs, lhs, _) and type = resolveTypeMentionRoot(lhs) + private predicate typeCondition( + Type type, TypeAbstraction abs, TypeMentionTypeTree condition + ) { + conditionSatisfiesConstraint(abs, condition, _) and + type = resolveTypeMentionRoot(condition) } pragma[nomagic] - private predicate typeConstraint(Type type, TypeMentionTypeTree rhs) { - conditionSatisfiesConstraint(_, _, rhs) and type = resolveTypeMentionRoot(rhs) + private predicate typeConstraint(Type type, TypeMentionTypeTree constraint) { + conditionSatisfiesConstraint(_, _, constraint) and + type = resolveTypeMentionRoot(constraint) } predicate potentialInstantiationOf( - TypeMentionTypeTree condition, TypeAbstraction abs, TypeMention constraint + TypeMentionTypeTree constraint, TypeAbstraction abs, TypeMention condition ) { exists(Type type | - typeConstraint(type, condition) and typeCondition(type, abs, constraint) + typeConstraint(type, constraint) and typeCondition(type, abs, condition) ) } } 
@@ -761,20 +765,20 @@ module Make1 Input1> { constraint.resolveTypeAt(path) = t or // recursive case - exists(TypeAbstraction midAbs, TypeMention midSup, TypeMention midSub | - conditionSatisfiesConstraint(abs, condition, midSup) and - // NOTE: `midAbs` describe the free type variables in `midSub`, hence + exists(TypeAbstraction midAbs, TypeMention midConstraint, TypeMention midCondition | + conditionSatisfiesConstraint(abs, condition, midConstraint) and + // NOTE: `midAbs` describe the free type variables in `midCondition`, hence // we use that for instantiation check. - IsInstantiationOf::isInstantiationOf(midSup, - midAbs, midSub) + IsInstantiationOf::isInstantiationOf(midConstraint, + midAbs, midCondition) | - conditionSatisfiesConstraintTypeAt(midAbs, midSub, constraint, path, t) and + conditionSatisfiesConstraintTypeAt(midAbs, midCondition, constraint, path, t) and not t = midAbs.getATypeParameter() or exists(TypePath prefix, TypePath suffix, TypeParameter tp | tp = midAbs.getATypeParameter() and - conditionSatisfiesConstraintTypeAt(midAbs, midSub, constraint, prefix, tp) and - instantiatesWith(midSup, midSub, tp, suffix, t) and + conditionSatisfiesConstraintTypeAt(midAbs, midCondition, constraint, prefix, tp) and + instantiatesWith(midConstraint, midCondition, tp, suffix, t) and path = prefix.append(suffix) ) ) 
@@ -949,23 +953,24 @@ module Make1 Input1> { */ pragma[nomagic] private predicate hasConstraintMention( - HasTypeTree tt, TypeAbstraction abs, TypeMention sub, Type constraint, + HasTypeTree tt, TypeAbstraction abs, TypeMention condition, Type constraint, TypeMention constraintMention ) { exists(Type type | hasTypeConstraint(tt, type, constraint) | not exists(countConstraintImplementations(type, constraint)) and - conditionSatisfiesConstraintTypeAt(abs, sub, constraintMention, _, _) and - resolveTypeMentionRoot(sub) = abs.getATypeParameter() and + conditionSatisfiesConstraintTypeAt(abs, condition, constraintMention, _, _) and + resolveTypeMentionRoot(condition) = abs.getATypeParameter() and constraint = resolveTypeMentionRoot(constraintMention) or countConstraintImplementations(type, constraint) > 0 and - rootTypesSatisfaction(type, constraint, abs, sub, constraintMention) and + rootTypesSatisfaction(type, constraint, abs, condition, constraintMention) and // When there are multiple ways the type could implement the // constraint we need to find the right implementation, which is the // one where the type instantiates the precondition. if multipleConstraintImplementations(type, constraint) then - IsInstantiationOf::isInstantiationOf(tt, abs, sub) + IsInstantiationOf::isInstantiationOf(tt, abs, + condition) else any() ) } From d8215a35c0268367775c371fe00b1ca0e0cca271 Mon Sep 17 00:00:00 2001 
From: Michael Nebel
Date: Fri, 18 Jul 2025 13:01:05 +0200
Subject: [PATCH 05/37] C#: Add example of failing taint flow for collections in sinks.
---
 .../collections/CollectionTaintTracking.cs | 13 +++++++++++++
 .../collections/CollectionTaintTracking.expected | 7 +++++++
 .../collections/CollectionTaintTracking.ql | 12 ++++++++++++
 .../library-tests/tainttracking/collections/options | 2 ++
 4 files changed, 34 insertions(+)
 create mode 100644 csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.cs
 create mode 100644 csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected
 create mode 100644 csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.ql
 create mode 100644 csharp/ql/test/library-tests/tainttracking/collections/options
diff --git a/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.cs b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.cs
new file mode 100644
index 00000000000..d4177a57661
--- /dev/null
+++ b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.cs
@@ -0,0 +1,13 @@
+public class CollectionTaintTracking
+{
+ public void ImplicitCollectionReadAtSink()
+ {
+ var tainted = Source(1);
+ var arr = new object[] { tainted };
+ Sink(arr); // $ hasTaintFlow=1
+ }
+
+ static T Source(object source) => throw null;
+
+ public static void Sink(T t) { }
+}
diff --git a/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected
new file mode 100644
index 00000000000..57e00d1fd09
--- /dev/null
+++ b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected
@@ -0,0 +1,7 @@
+models
+edges
+nodes
+subpaths
+testFailures
+| CollectionTaintTracking.cs:10:20:10:38 | // ... | Missing result: hasTaintFlow=1 |
+#select
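Review bot: The new test exercises only an `object[]` argument passed straight to `Sink(arr)`, so the collection-type check introduced in PATCH 06 is pinned for arrays alone and neither another collection kind nor the negative case is covered. Adding one method that passes a `List<object>` built from `tainted`, and one that passes a non-collection object wrapping a tainted value and expects no `hasTaintFlow` annotation, would make the intended scope of the implicit read visible in the test rather than only in the library predicate. Whether those cases currently flow cannot be told from this hunk, which is exactly why they are worth pinning.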
diff --git a/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.ql b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.ql
new file mode 100644
index 00000000000..0af8971a13b
--- /dev/null
+++ b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.ql
@@ -0,0 +1,12 @@
+/**
+ * @kind path-problem
+ */
+
+import csharp
+import utils.test.InlineFlowTest
+import TaintFlowTest
+import PathGraph
+
+from PathNode source, PathNode sink
+where flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
diff --git a/csharp/ql/test/library-tests/tainttracking/collections/options b/csharp/ql/test/library-tests/tainttracking/collections/options
new file mode 100644
index 00000000000..75c39b4541b
--- /dev/null
+++ b/csharp/ql/test/library-tests/tainttracking/collections/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
From 81751ea5916fde3388fbb5b93a1465ec44a93efa Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Fri, 18 Jul 2025 13:40:56 +0200
Subject: [PATCH 06/37] C#: Allow implicit reads from collections in argument nodes (sinks and additional flow steps) for default taint tracking configurations.
---
 .../code/csharp/dataflow/internal/TaintTrackingPrivate.qll | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
index b7681994e2c..908877c359b 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -7,6 +7,7 @@ private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
 private import semmle.code.csharp.dataflow.internal.ControlFlowReachability
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.commons.ComparisonTest
+private import semmle.code.csharp.commons.Collections as Collections
 // import `TaintedMember` definitions from other files to avoid potential reevaluation
 private import semmle.code.csharp.frameworks.JsonNET
 private import semmle.code.csharp.frameworks.WCF
@@ -29,7 +30,11 @@ predicate defaultTaintSanitizer(DataFlow::Node node) {
 * of `c` at sinks and inputs to additional taint steps.
 */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
+ node instanceof ArgumentNode and
+ Collections::isCollectionType(node.getType()) and
+ c.isElement()
+}
 private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityConfiguration {
 LocalTaintExprStepConfiguration() { this = "LocalTaintExprStepConfiguration" }
From abd0b2e2f9f54590bc4aabeed7a8ed15bc130d4c Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Fri, 18 Jul 2025 13:48:12 +0200
Subject: [PATCH 07/37] C#: Update test expected output.
---
 .../collections/CollectionTaintTracking.expected | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected
index 57e00d1fd09..6d93e7f5ef9 100644
--- a/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected
+++ b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected
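Review bot: The body of `defaultImplicitTaintRead` now encodes three specific conditions, but nothing in the hunk records why they were chosen, and the doc comment above it (which starts outside the hunk) still reads as a generic description. A comment inside the predicate along the lines of `// Treat a collection passed as an argument as an implicit read of its elements, so a tainted element reaches a sink that takes the whole collection; restricted to ArgumentNode to avoid adding reads at every node.` would preserve the reasoning for the next maintainer. Whether `Collections::isCollectionType` also holds for `string`, which implements `IEnumerable<char>`, cannot be seen here; if it does, every string argument becomes an implicit element read, which is worth confirming against the intended scope. Since PATCH 09 has to adjust a barrier in HashWithoutSalt.ql because of this change, a short `// NOTE:` that implicit reads at sinks can change barrier behaviour in existing queries would also be useful.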
@@ -1,7 +1,18 @@ models edges +| CollectionTaintTracking.cs:5:13:5:19 | access to local variable tainted : Object | CollectionTaintTracking.cs:6:34:6:40 | access to local variable tainted : Object | provenance | | +| CollectionTaintTracking.cs:5:23:5:39 | call to method Source : Object | CollectionTaintTracking.cs:5:13:5:19 | access to local variable tainted : Object | provenance | | +| CollectionTaintTracking.cs:6:13:6:15 | access to local variable arr : null [element] : Object | CollectionTaintTracking.cs:7:14:7:16 | access to local variable arr | provenance | | +| CollectionTaintTracking.cs:6:32:6:42 | { ..., ... } : null [element] : Object | CollectionTaintTracking.cs:6:13:6:15 | access to local variable arr : null [element] : Object | provenance | | +| CollectionTaintTracking.cs:6:34:6:40 | access to local variable tainted : Object | CollectionTaintTracking.cs:6:32:6:42 | { ..., ... } : null [element] : Object | provenance | | nodes +| CollectionTaintTracking.cs:5:13:5:19 | access to local variable tainted : Object | semmle.label | access to local variable tainted : Object | +| CollectionTaintTracking.cs:5:23:5:39 | call to method Source : Object | semmle.label | call to method Source : Object | +| CollectionTaintTracking.cs:6:13:6:15 | access to local variable arr : null [element] : Object | semmle.label | access to local variable arr : null [element] : Object | +| CollectionTaintTracking.cs:6:32:6:42 | { ..., ... } : null [element] : Object | semmle.label | { ..., ... } : null [element] : Object | +| CollectionTaintTracking.cs:6:34:6:40 | access to local variable tainted : Object | semmle.label | access to local variable tainted : Object | +| CollectionTaintTracking.cs:7:14:7:16 | access to local variable arr | semmle.label | access to local variable arr | subpaths testFailures -| CollectionTaintTracking.cs:10:20:10:38 | // ... 
| Missing result: hasTaintFlow=1 | #select +| CollectionTaintTracking.cs:7:14:7:16 | access to local variable arr | CollectionTaintTracking.cs:5:23:5:39 | call to method Source : Object | CollectionTaintTracking.cs:7:14:7:16 | access to local variable arr | $@ | CollectionTaintTracking.cs:5:23:5:39 | call to method Source : Object | call to method Source : Object | From 1d25a20c9cd81ac73d53723342ff6bb84b9de712 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Fri, 18 Jul 2025 15:30:07 +0200 Subject: [PATCH 08/37] C#: Update the external flow test and expected test output. --- .../library-tests/dataflow/external-models/ExternalFlow.cs | 2 +- .../dataflow/external-models/ExternalFlow.expected | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs index 705efd35e38..d7552376c0f 100644 --- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs +++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs @@ -116,7 +116,7 @@ namespace My.Qltest { var a = new object[] { new object() }; var b = Reverse(a); - Sink(b); // No flow + Sink(b); // Flow Sink(b[0]); // Flow } diff --git a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected index 7254208be18..3099a3fec7e 100644 --- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected +++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected 
@@ -104,6 +104,7 @@ edges | ExternalFlow.cs:117:17:117:17 | access to local variable a : null [element] : Object | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | provenance | | | ExternalFlow.cs:117:34:117:49 | { ..., ... } : null [element] : Object | ExternalFlow.cs:117:17:117:17 | access to local variable a : null [element] : Object | provenance | | | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:117:34:117:49 | { ..., ... } : null [element] : Object | provenance | | +| ExternalFlow.cs:118:17:118:17 | access to local variable b : null [element] : Object | ExternalFlow.cs:119:18:119:18 | access to local variable b | provenance | | | ExternalFlow.cs:118:17:118:17 | access to local variable b : null [element] : Object | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | provenance | | | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | ExternalFlow.cs:118:17:118:17 | access to local variable b : null [element] : Object | provenance | | | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | provenance | MaD:7 | 
@@ -240,6 +241,7 @@ nodes | ExternalFlow.cs:118:17:118:17 | access to local variable b : null [element] : Object | semmle.label | access to local variable b : null [element] : Object | | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | semmle.label | call to method Reverse : null [element] : Object | | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | semmle.label | access to local variable a : null [element] : Object | +| ExternalFlow.cs:119:18:119:18 | access to local variable b | semmle.label | access to local variable b | | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | semmle.label | access to local variable b : null [element] : Object | | ExternalFlow.cs:120:18:120:21 | access to array element | semmle.label | access to array element | | ExternalFlow.cs:205:17:205:18 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object | 
@@ -315,6 +317,7 @@ invalidModelRow | ExternalFlow.cs:102:22:102:22 | access to parameter d | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object | +| ExternalFlow.cs:119:18:119:18 | access to local variable b | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:119:18:119:18 | access to local variable b | $@ | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:120:18:120:21 | access to array element | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:120:18:120:21 | access to array element | $@ | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:206:18:206:48 | call to method MixedFlowArgs | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:18:206:48 | call to method MixedFlowArgs | $@ | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:212:18:212:62 | call to method 
GeneratedFlowWithGeneratedNeutral | ExternalFlow.cs:211:22:211:33 | object creation of type Object : Object | ExternalFlow.cs:212:18:212:62 | call to method GeneratedFlowWithGeneratedNeutral | $@ | ExternalFlow.cs:211:22:211:33 | object creation of type Object : Object | object creation of type Object : Object | From 7431ee8df9d39c2e1203b3d002e44d9f92fd8dc2 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Fri, 18 Jul 2025 15:31:33 +0200 Subject: [PATCH 09/37] C#: Update the barrier in HashWithoutSalt to avoid an FP. It worked by accident before as we didn't allow implicit element reads at sinks. --- .../CWE-759/HashWithoutSalt.ql | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql index f18798c8b08..f175723c099 100644 --- a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql +++ b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql @@ -10,6 +10,7 @@ */ import csharp +import semmle.code.csharp.frameworks.system.Collections import HashWithoutSalt::PathGraph /** The C# class `Windows.Security.Cryptography.Core.HashAlgorithmProvider`. */ 
@@ -93,12 +94,17 @@ predicate hasAnotherHashCall(MethodCall mc) { /** Holds if a password hash without salt is further processed in another method call. */ predicate hasFurtherProcessing(MethodCall mc) { - mc.getTarget().fromLibrary() and - ( - mc.getTarget().hasFullyQualifiedName("System", "Array", "Copy") or // Array.Copy(passwordHash, 0, password.Length), 0, key, 0, keyLen); - mc.getTarget().hasFullyQualifiedName("System", "String", "Concat") or // string.Concat(passwordHash, saltkey) - mc.getTarget().hasFullyQualifiedName("System", "Buffer", "BlockCopy") or // Buffer.BlockCopy(passwordHash, 0, allBytes, 0, 20) - mc.getTarget().hasFullyQualifiedName("System", "String", "Format") // String.Format("{0}:{1}:{2}", username, salt, password) + exists(Method m | m = mc.getTarget() and m.fromLibrary() | + m.hasFullyQualifiedName("System", "Array", "Copy") // Array.Copy(passwordHash, 0, password.Length), 0, key, 0, keyLen); + or + m.hasFullyQualifiedName("System", "String", "Concat") // string.Concat(passwordHash, saltkey) + or + m.hasFullyQualifiedName("System", "Buffer", "BlockCopy") // Buffer.BlockCopy(passwordHash, 0, allBytes, 0, 20) + or + m.hasFullyQualifiedName("System", "String", "Format") // String.Format("{0}:{1}:{2}", username, salt, password) + or + m.getName() = "CopyTo" and + m.getDeclaringType().getABaseType*() instanceof SystemCollectionsICollectionInterface // passBytes.CopyTo(rawSalted, 0); ) } From 4b0c725367414cd61cf28b0f3304bcc37e4f4ef9 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 18 Aug 2025 11:56:53 +0200 Subject: [PATCH 10/37] C#: Add change note. --- .../ql/lib/change-notes/2025-08-18-implicit-reads-at-sinks.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2025-08-18-implicit-reads-at-sinks.md diff --git a/csharp/ql/lib/change-notes/2025-08-18-implicit-reads-at-sinks.md b/csharp/ql/lib/change-notes/2025-08-18-implicit-reads-at-sinks.md new file mode 100644 index 00000000000..d66e982e6ae 
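Review bot: The new `CopyTo` disjunct in `hasFurtherProcessing` accepts any library `CopyTo` on any type whose base chain reaches `ICollection` (so `Array.CopyTo` and `List<T>.CopyTo` both qualify) without constraining which argument carries the hash or what happens to the destination buffer; since this predicate acts as a barrier (per the commit message), a password hash copied into a scratch array that is then hashed again with no salt is now suppressed rather than reported, which widens the false-negative side of a heuristic that already treats `Array.Copy` and `Buffer.BlockCopy` as salt mixing. The QLDoc only says the hash is "further processed" and does not state that these calls are taken as evidence that a salt is being combined with it; I would extend the comment to say that any match suppresses the alert and that false negatives are possible when the copy target is itself hashed unsalted, and that `m.fromLibrary()` deliberately excludes user-defined `CopyTo` methods. `Span<T>.CopyTo` and `Memory<T>.CopyTo` do not appear to be matched because those types do not implement `ICollection`, so the barrier is not uniform across the copy APIs it intends to cover — confirm whether that gap is intended.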
--- /dev/null +++ b/csharp/ql/lib/change-notes/2025-08-18-implicit-reads-at-sinks.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The default taint tracking configuration now allows implicit reads from collections at sinks and in additional flow steps. This increases flow coverage for many taint tracking queries and helps reduce false negatives. From 90d29994c87e3ebda8ee9e60948bfc8bd45e119e Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Mon, 18 Aug 2025 14:06:09 +0000 Subject: [PATCH 11/37] Release preparation for version 2.22.4 --- actions/ql/lib/CHANGELOG.md | 4 ++++ actions/ql/lib/change-notes/released/0.4.15.md | 3 +++ actions/ql/lib/codeql-pack.release.yml | 2 +- actions/ql/lib/qlpack.yml | 2 +- actions/ql/src/CHANGELOG.md | 4 ++++ actions/ql/src/change-notes/released/0.6.7.md | 3 +++ actions/ql/src/codeql-pack.release.yml | 2 +- actions/ql/src/qlpack.yml | 2 +- cpp/ql/lib/CHANGELOG.md | 8 ++++++++ cpp/ql/lib/change-notes/2025-08-02-gvn.md | 4 ---- .../change-notes/2025-08-11-global-variable-flow.md | 4 ---- cpp/ql/lib/change-notes/2025-08-13-guards.md | 4 ---- cpp/ql/lib/change-notes/released/5.4.1.md | 7 +++++++ cpp/ql/lib/codeql-pack.release.yml | 2 +- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/CHANGELOG.md | 7 +++++++ cpp/ql/src/change-notes/2025-08-08-overflow-buffer.md | 4 ---- ...-08-15-short-global-name-template-instantiations.md | 4 ---- cpp/ql/src/change-notes/released/1.4.6.md | 6 ++++++ cpp/ql/src/codeql-pack.release.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md | 4 ++++ .../Solorigate/lib/change-notes/released/1.7.46.md | 3 +++ .../campaigns/Solorigate/lib/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/src/CHANGELOG.md | 4 ++++ .../Solorigate/src/change-notes/released/1.7.46.md | 3 +++ .../campaigns/Solorigate/src/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/CHANGELOG.md | 4 ++++ csharp/ql/lib/change-notes/released/5.2.2.md | 3 +++ csharp/ql/lib/codeql-pack.release.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/CHANGELOG.md | 4 ++++ csharp/ql/src/change-notes/released/1.3.3.md | 3 +++ csharp/ql/src/codeql-pack.release.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/consistency-queries/CHANGELOG.md | 4 ++++ .../change-notes/released/1.0.29.md | 3 +++ 
go/ql/consistency-queries/codeql-pack.release.yml | 2 +- go/ql/consistency-queries/qlpack.yml | 2 +- go/ql/lib/CHANGELOG.md | 4 ++++ go/ql/lib/change-notes/released/4.3.2.md | 3 +++ go/ql/lib/codeql-pack.release.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/CHANGELOG.md | 4 ++++ go/ql/src/change-notes/released/1.4.3.md | 3 +++ go/ql/src/codeql-pack.release.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/CHANGELOG.md | 10 ++++++++++ java/ql/lib/change-notes/2025-07-28-guardwrappers.md | 4 ---- .../change-notes/2025-08-15-lib-models-remotesource.md | 4 ---- java/ql/lib/change-notes/released/7.6.0.md | 9 +++++++++ java/ql/lib/codeql-pack.release.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/CHANGELOG.md | 4 ++++ java/ql/src/change-notes/released/1.6.3.md | 3 +++ java/ql/src/codeql-pack.release.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/CHANGELOG.md | 6 ++++++ .../2.6.9.md} | 7 ++++--- javascript/ql/lib/codeql-pack.release.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/CHANGELOG.md | 6 ++++++ .../2.0.2.md} | 7 ++++--- javascript/ql/src/codeql-pack.release.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/CHANGELOG.md | 4 ++++ misc/suite-helpers/change-notes/released/1.0.29.md | 3 +++ misc/suite-helpers/codeql-pack.release.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/CHANGELOG.md | 4 ++++ python/ql/lib/change-notes/released/4.0.13.md | 3 +++ python/ql/lib/codeql-pack.release.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/CHANGELOG.md | 4 ++++ python/ql/src/change-notes/released/1.6.3.md | 3 +++ python/ql/src/codeql-pack.release.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/CHANGELOG.md | 9 +++++++++ .../5.0.2.md} | 7 ++++--- ruby/ql/lib/codeql-pack.release.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/CHANGELOG.md | 4 ++++ ruby/ql/src/change-notes/released/1.4.3.md | 3 +++ ruby/ql/src/codeql-pack.release.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- 
rust/ql/lib/CHANGELOG.md | 7 +++++++ rust/ql/lib/change-notes/2025-08-11-database-models.md | 4 ---- .../lib/change-notes/2025-08-14-if-while-let-chains.md | 4 ---- rust/ql/lib/change-notes/released/0.1.14.md | 6 ++++++ rust/ql/lib/codeql-pack.release.yml | 2 +- rust/ql/lib/qlpack.yml | 2 +- rust/ql/src/CHANGELOG.md | 6 ++++++ .../0.1.14.md} | 7 ++++--- rust/ql/src/codeql-pack.release.yml | 2 +- rust/ql/src/qlpack.yml | 2 +- shared/concepts/CHANGELOG.md | 4 ++++ shared/concepts/change-notes/released/0.0.3.md | 3 +++ shared/concepts/codeql-pack.release.yml | 2 +- shared/concepts/qlpack.yml | 2 +- shared/controlflow/CHANGELOG.md | 4 ++++ shared/controlflow/change-notes/released/2.0.13.md | 3 +++ shared/controlflow/codeql-pack.release.yml | 2 +- shared/controlflow/qlpack.yml | 2 +- shared/dataflow/CHANGELOG.md | 4 ++++ shared/dataflow/change-notes/released/2.0.13.md | 3 +++ shared/dataflow/codeql-pack.release.yml | 2 +- shared/dataflow/qlpack.yml | 2 +- shared/mad/CHANGELOG.md | 4 ++++ shared/mad/change-notes/released/1.0.29.md | 3 +++ shared/mad/codeql-pack.release.yml | 2 +- shared/mad/qlpack.yml | 2 +- shared/quantum/CHANGELOG.md | 4 ++++ shared/quantum/change-notes/released/0.0.7.md | 3 +++ shared/quantum/codeql-pack.release.yml | 2 +- shared/quantum/qlpack.yml | 2 +- shared/rangeanalysis/CHANGELOG.md | 4 ++++ shared/rangeanalysis/change-notes/released/1.0.29.md | 3 +++ shared/rangeanalysis/codeql-pack.release.yml | 2 +- shared/rangeanalysis/qlpack.yml | 2 +- shared/regex/CHANGELOG.md | 4 ++++ shared/regex/change-notes/released/1.0.29.md | 3 +++ shared/regex/codeql-pack.release.yml | 2 +- shared/regex/qlpack.yml | 2 +- shared/ssa/CHANGELOG.md | 4 ++++ shared/ssa/change-notes/released/2.0.5.md | 3 +++ shared/ssa/codeql-pack.release.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/threat-models/CHANGELOG.md | 4 ++++ shared/threat-models/change-notes/released/1.0.29.md | 3 +++ shared/threat-models/codeql-pack.release.yml | 2 +- shared/threat-models/qlpack.yml | 2 +- 
shared/tutorial/CHANGELOG.md | 4 ++++ shared/tutorial/change-notes/released/1.0.29.md | 3 +++ shared/tutorial/codeql-pack.release.yml | 2 +- shared/tutorial/qlpack.yml | 2 +- shared/typeflow/CHANGELOG.md | 4 ++++ shared/typeflow/change-notes/released/1.0.29.md | 3 +++ shared/typeflow/codeql-pack.release.yml | 2 +- shared/typeflow/qlpack.yml | 2 +- shared/typeinference/CHANGELOG.md | 4 ++++ shared/typeinference/change-notes/released/0.0.10.md | 3 +++ shared/typeinference/codeql-pack.release.yml | 2 +- shared/typeinference/qlpack.yml | 2 +- shared/typetracking/CHANGELOG.md | 4 ++++ shared/typetracking/change-notes/released/2.0.13.md | 3 +++ shared/typetracking/codeql-pack.release.yml | 2 +- shared/typetracking/qlpack.yml | 2 +- shared/typos/CHANGELOG.md | 4 ++++ shared/typos/change-notes/released/1.0.29.md | 3 +++ shared/typos/codeql-pack.release.yml | 2 +- shared/typos/qlpack.yml | 2 +- shared/util/CHANGELOG.md | 4 ++++ shared/util/change-notes/released/2.0.16.md | 3 +++ shared/util/codeql-pack.release.yml | 2 +- shared/util/qlpack.yml | 2 +- shared/xml/CHANGELOG.md | 4 ++++ shared/xml/change-notes/released/1.0.29.md | 3 +++ shared/xml/codeql-pack.release.yml | 2 +- shared/xml/qlpack.yml | 2 +- shared/yaml/CHANGELOG.md | 4 ++++ shared/yaml/change-notes/released/1.0.29.md | 3 +++ shared/yaml/codeql-pack.release.yml | 2 +- shared/yaml/qlpack.yml | 2 +- swift/ql/lib/CHANGELOG.md | 4 ++++ swift/ql/lib/change-notes/released/5.0.5.md | 3 +++ swift/ql/lib/codeql-pack.release.yml | 2 +- swift/ql/lib/qlpack.yml | 2 +- swift/ql/src/CHANGELOG.md | 4 ++++ swift/ql/src/change-notes/released/1.2.3.md | 3 +++ swift/ql/src/codeql-pack.release.yml | 2 +- swift/ql/src/qlpack.yml | 2 +- 173 files changed, 416 insertions(+), 130 deletions(-) create mode 100644 actions/ql/lib/change-notes/released/0.4.15.md create mode 100644 actions/ql/src/change-notes/released/0.6.7.md delete mode 100644 cpp/ql/lib/change-notes/2025-08-02-gvn.md delete mode 100644 
cpp/ql/lib/change-notes/2025-08-11-global-variable-flow.md delete mode 100644 cpp/ql/lib/change-notes/2025-08-13-guards.md create mode 100644 cpp/ql/lib/change-notes/released/5.4.1.md delete mode 100644 cpp/ql/src/change-notes/2025-08-08-overflow-buffer.md delete mode 100644 cpp/ql/src/change-notes/2025-08-15-short-global-name-template-instantiations.md create mode 100644 cpp/ql/src/change-notes/released/1.4.6.md create mode 100644 csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.46.md create mode 100644 csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.46.md create mode 100644 csharp/ql/lib/change-notes/released/5.2.2.md create mode 100644 csharp/ql/src/change-notes/released/1.3.3.md create mode 100644 go/ql/consistency-queries/change-notes/released/1.0.29.md create mode 100644 go/ql/lib/change-notes/released/4.3.2.md create mode 100644 go/ql/src/change-notes/released/1.4.3.md delete mode 100644 java/ql/lib/change-notes/2025-07-28-guardwrappers.md delete mode 100644 java/ql/lib/change-notes/2025-08-15-lib-models-remotesource.md create mode 100644 java/ql/lib/change-notes/released/7.6.0.md create mode 100644 java/ql/src/change-notes/released/1.6.3.md rename javascript/ql/lib/change-notes/{2025-08-01-cli-code-injection.md => released/2.6.9.md} (86%) rename javascript/ql/src/change-notes/{2025-07-31-regexp-injection-threat-model.md => released/2.0.2.md} (83%) create mode 100644 misc/suite-helpers/change-notes/released/1.0.29.md create mode 100644 python/ql/lib/change-notes/released/4.0.13.md create mode 100644 python/ql/src/change-notes/released/1.6.3.md rename ruby/ql/lib/change-notes/{2025-07-21-nethttprequest-improvements.md => released/5.0.2.md} (91%) create mode 100644 ruby/ql/src/change-notes/released/1.4.3.md delete mode 100644 rust/ql/lib/change-notes/2025-08-11-database-models.md delete mode 100644 rust/ql/lib/change-notes/2025-08-14-if-while-let-chains.md create mode 100644 rust/ql/lib/change-notes/released/0.1.14.md rename 
rust/ql/src/change-notes/{2025-08-04-cleartext-storage-database.md => released/0.1.14.md} (83%) create mode 100644 shared/concepts/change-notes/released/0.0.3.md create mode 100644 shared/controlflow/change-notes/released/2.0.13.md create mode 100644 shared/dataflow/change-notes/released/2.0.13.md create mode 100644 shared/mad/change-notes/released/1.0.29.md create mode 100644 shared/quantum/change-notes/released/0.0.7.md create mode 100644 shared/rangeanalysis/change-notes/released/1.0.29.md create mode 100644 shared/regex/change-notes/released/1.0.29.md create mode 100644 shared/ssa/change-notes/released/2.0.5.md create mode 100644 shared/threat-models/change-notes/released/1.0.29.md create mode 100644 shared/tutorial/change-notes/released/1.0.29.md create mode 100644 shared/typeflow/change-notes/released/1.0.29.md create mode 100644 shared/typeinference/change-notes/released/0.0.10.md create mode 100644 shared/typetracking/change-notes/released/2.0.13.md create mode 100644 shared/typos/change-notes/released/1.0.29.md create mode 100644 shared/util/change-notes/released/2.0.16.md create mode 100644 shared/xml/change-notes/released/1.0.29.md create mode 100644 shared/yaml/change-notes/released/1.0.29.md create mode 100644 swift/ql/lib/change-notes/released/5.0.5.md create mode 100644 swift/ql/src/change-notes/released/1.2.3.md diff --git a/actions/ql/lib/CHANGELOG.md b/actions/ql/lib/CHANGELOG.md index dffad0539b0..bd6b24ef487 100644 --- a/actions/ql/lib/CHANGELOG.md +++ b/actions/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.4.15 + +No user-facing changes. + ## 0.4.14 No user-facing changes. diff --git a/actions/ql/lib/change-notes/released/0.4.15.md b/actions/ql/lib/change-notes/released/0.4.15.md new file mode 100644 index 00000000000..364e11a8706 --- /dev/null +++ b/actions/ql/lib/change-notes/released/0.4.15.md @@ -0,0 +1,3 @@ +## 0.4.15 + +No user-facing changes. 
diff --git a/actions/ql/lib/codeql-pack.release.yml b/actions/ql/lib/codeql-pack.release.yml index 3841668fe04..613c98e4872 100644 --- a/actions/ql/lib/codeql-pack.release.yml +++ b/actions/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.14 +lastReleaseVersion: 0.4.15 diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml index dd2723b0315..6ab370e2e97 100644 --- a/actions/ql/lib/qlpack.yml +++ b/actions/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-all -version: 0.4.15-dev +version: 0.4.15 library: true warnOnImplicitThis: true dependencies: diff --git a/actions/ql/src/CHANGELOG.md b/actions/ql/src/CHANGELOG.md index 09fb20778fc..769ce155451 100644 --- a/actions/ql/src/CHANGELOG.md +++ b/actions/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.6.7 + +No user-facing changes. + ## 0.6.6 No user-facing changes. diff --git a/actions/ql/src/change-notes/released/0.6.7.md b/actions/ql/src/change-notes/released/0.6.7.md new file mode 100644 index 00000000000..c185761a60f --- /dev/null +++ b/actions/ql/src/change-notes/released/0.6.7.md @@ -0,0 +1,3 @@ +## 0.6.7 + +No user-facing changes. diff --git a/actions/ql/src/codeql-pack.release.yml b/actions/ql/src/codeql-pack.release.yml index f4cae0a77ad..a6d2952e5fb 100644 --- a/actions/ql/src/codeql-pack.release.yml +++ b/actions/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.6.6 +lastReleaseVersion: 0.6.7 diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml index 911d1e19168..416cd0e5c45 100644 --- a/actions/ql/src/qlpack.yml +++ b/actions/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-queries -version: 0.6.7-dev +version: 0.6.7 library: false warnOnImplicitThis: true groups: [actions, queries] diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index def048bdd3c..7abedf38ee1 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md 
@@ -1,3 +1,11 @@ +## 5.4.1 + +### Minor Analysis Improvements + +* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards. +* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables. +* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number. + ## 5.4.0 ### New Features diff --git a/cpp/ql/lib/change-notes/2025-08-02-gvn.md b/cpp/ql/lib/change-notes/2025-08-02-gvn.md deleted file mode 100644 index 70c9f7dbb15..00000000000 --- a/cpp/ql/lib/change-notes/2025-08-02-gvn.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number. \ No newline at end of file diff --git a/cpp/ql/lib/change-notes/2025-08-11-global-variable-flow.md b/cpp/ql/lib/change-notes/2025-08-11-global-variable-flow.md deleted file mode 100644 index c140570df31..00000000000 --- a/cpp/ql/lib/change-notes/2025-08-11-global-variable-flow.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables. \ No newline at end of file diff --git a/cpp/ql/lib/change-notes/2025-08-13-guards.md b/cpp/ql/lib/change-notes/2025-08-13-guards.md deleted file mode 100644 index 4181a6cbeb2..00000000000 
--- a/cpp/ql/lib/change-notes/2025-08-13-guards.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards. \ No newline at end of file diff --git a/cpp/ql/lib/change-notes/released/5.4.1.md b/cpp/ql/lib/change-notes/released/5.4.1.md new file mode 100644 index 00000000000..ae345bbf8d8 --- /dev/null +++ b/cpp/ql/lib/change-notes/released/5.4.1.md @@ -0,0 +1,7 @@ +## 5.4.1 + +### Minor Analysis Improvements + +* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards. +* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables. +* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number. diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml index afb2156eaa2..7adcb16ea28 100644 --- a/cpp/ql/lib/codeql-pack.release.yml +++ b/cpp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 5.4.0 +lastReleaseVersion: 5.4.1 diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 7c1fb8aad1c..9698c86d3f2 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 5.4.1-dev +version: 5.4.1 groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md index 589dfb68e1e..e3c013b76c7 100644 --- a/cpp/ql/src/CHANGELOG.md +++ b/cpp/ql/src/CHANGELOG.md 
@@ -1,3 +1,10 @@ +## 1.4.6 + +### Minor Analysis Improvements + +* The `cpp/short-global-name` query will no longer give alerts for instantiations of template variables, only for the template itself. +* Fixed a false positive in `cpp/overflow-buffer` when the type of the destination buffer is a reference to a class/struct type. + ## 1.4.5 ### Minor Analysis Improvements diff --git a/cpp/ql/src/change-notes/2025-08-08-overflow-buffer.md b/cpp/ql/src/change-notes/2025-08-08-overflow-buffer.md deleted file mode 100644 index 02c73804c9f..00000000000 --- a/cpp/ql/src/change-notes/2025-08-08-overflow-buffer.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Fixed a false positive in `cpp/overflow-buffer` when the type of the destination buffer is a reference to a class/struct type. \ No newline at end of file diff --git a/cpp/ql/src/change-notes/2025-08-15-short-global-name-template-instantiations.md b/cpp/ql/src/change-notes/2025-08-15-short-global-name-template-instantiations.md deleted file mode 100644 index 8a8f54c7337..00000000000 --- a/cpp/ql/src/change-notes/2025-08-15-short-global-name-template-instantiations.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The `cpp/short-global-name` query will no longer give alerts for instantiations of template variables, only for the template itself. diff --git a/cpp/ql/src/change-notes/released/1.4.6.md b/cpp/ql/src/change-notes/released/1.4.6.md new file mode 100644 index 00000000000..6f6c9bbc385 --- /dev/null +++ b/cpp/ql/src/change-notes/released/1.4.6.md @@ -0,0 +1,6 @@ +## 1.4.6 + +### Minor Analysis Improvements + +* The `cpp/short-global-name` query will no longer give alerts for instantiations of template variables, only for the template itself. +* Fixed a false positive in `cpp/overflow-buffer` when the type of the destination buffer is a reference to a class/struct type. 
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml index a74b6b08d86..3b00bbce928 100644 --- a/cpp/ql/src/codeql-pack.release.yml +++ b/cpp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.4.5 +lastReleaseVersion: 1.4.6 diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index ad3dc6c91f9..bd7ff423c7c 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 1.4.6-dev +version: 1.4.6 groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md index 1b3c69fd4d0..c276cd6133e 100644 --- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.46 + +No user-facing changes. + ## 1.7.45 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.46.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.46.md new file mode 100644 index 00000000000..b6482a9a030 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.46.md @@ -0,0 +1,3 @@ +## 1.7.46 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index 5a84df10183..a39de8bc91c 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.45 +lastReleaseVersion: 1.7.46 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index c6e17a64adc..d9430bc679c 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.46-dev +version: 1.7.46 groups: - csharp - solorigate 
diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index 1b3c69fd4d0..c276cd6133e 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.46 + +No user-facing changes. + ## 1.7.45 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.46.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.46.md new file mode 100644 index 00000000000..b6482a9a030 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.46.md @@ -0,0 +1,3 @@ +## 1.7.46 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index 5a84df10183..a39de8bc91c 100644 --- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.45 +lastReleaseVersion: 1.7.46 diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index 529cd400b6c..747eaaec33b 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.46-dev +version: 1.7.46 groups: - csharp - solorigate diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index 1bce7a7f803..9e3686d8267 100644 --- a/csharp/ql/lib/CHANGELOG.md +++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 5.2.2 + +No user-facing changes. + ## 5.2.1 No user-facing changes. diff --git a/csharp/ql/lib/change-notes/released/5.2.2.md b/csharp/ql/lib/change-notes/released/5.2.2.md new file mode 100644 index 00000000000..22402d6e8fa --- /dev/null +++ b/csharp/ql/lib/change-notes/released/5.2.2.md @@ -0,0 +1,3 @@ +## 5.2.2 + +No user-facing changes. 
diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index 1684d0e72a2..e3b1b0c079d 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 5.2.1 +lastReleaseVersion: 5.2.2 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index b99e5b5be64..2a606aa966c 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 5.2.2-dev +version: 5.2.2 groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index 7209d4cfb81..2539f93099f 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.3.3 + +No user-facing changes. + ## 1.3.2 No user-facing changes. diff --git a/csharp/ql/src/change-notes/released/1.3.3.md b/csharp/ql/src/change-notes/released/1.3.3.md new file mode 100644 index 00000000000..27a88ea0061 --- /dev/null +++ b/csharp/ql/src/change-notes/released/1.3.3.md @@ -0,0 +1,3 @@ +## 1.3.3 + +No user-facing changes. diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index 86a9cb32d86..eb1f7dabc84 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.3.2 +lastReleaseVersion: 1.3.3 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index ec0fab1f111..959446de1d7 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 1.3.3-dev +version: 1.3.3 groups: - csharp - queries diff --git a/go/ql/consistency-queries/CHANGELOG.md b/go/ql/consistency-queries/CHANGELOG.md index 6e50e04a514..596a873b2c5 100644 --- a/go/ql/consistency-queries/CHANGELOG.md +++ b/go/ql/consistency-queries/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/go/ql/consistency-queries/change-notes/released/1.0.29.md b/go/ql/consistency-queries/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/go/ql/consistency-queries/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/go/ql/consistency-queries/codeql-pack.release.yml b/go/ql/consistency-queries/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/go/ql/consistency-queries/codeql-pack.release.yml +++ b/go/ql/consistency-queries/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index 706e295580e..ccfc15b0197 100644 --- a/go/ql/consistency-queries/qlpack.yml +++ b/go/ql/consistency-queries/qlpack.yml @@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.29-dev +version: 1.0.29 groups: - go - queries diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index b047f838925..0ddd2c37449 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 4.3.2 + +No user-facing changes. + ## 4.3.1 No user-facing changes. diff --git a/go/ql/lib/change-notes/released/4.3.2.md b/go/ql/lib/change-notes/released/4.3.2.md new file mode 100644 index 00000000000..1af97c82697 --- /dev/null +++ b/go/ql/lib/change-notes/released/4.3.2.md @@ -0,0 +1,3 @@ +## 4.3.2 + +No user-facing changes. diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index 70ac3707fcd..5b8421b639f 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 4.3.1 +lastReleaseVersion: 4.3.2 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 391245fa689..7799e61ca85 100644 --- a/go/ql/lib/qlpack.yml 
+++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 4.3.2-dev +version: 4.3.2 groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index eb21b53b4f7..f86e390b56d 100644 --- a/go/ql/src/CHANGELOG.md +++ b/go/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.4.3 + +No user-facing changes. + ## 1.4.2 No user-facing changes. diff --git a/go/ql/src/change-notes/released/1.4.3.md b/go/ql/src/change-notes/released/1.4.3.md new file mode 100644 index 00000000000..abf2a0d4dcc --- /dev/null +++ b/go/ql/src/change-notes/released/1.4.3.md @@ -0,0 +1,3 @@ +## 1.4.3 + +No user-facing changes. diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml index a76cacdf799..08f88b689fb 100644 --- a/go/ql/src/codeql-pack.release.yml +++ b/go/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.4.2 +lastReleaseVersion: 1.4.3 diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index d3c411a74f7..d468ea88eca 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.4.3-dev +version: 1.4.3 groups: - go - queries diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index e15d695efea..f3b7648c5ed 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -1,3 +1,13 @@ +## 7.6.0 + +### Major Analysis Improvements + +* Added library models for the relevant method calls under `jakarta.servlet.ServletRequest` and `jakarta.servlet.http.HttpServletRequest` as remote flow sources. + +### Minor Analysis Improvements + +* Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for `java/dereferenced-value-may-be-null`. + ## 7.5.0 ### New Features diff --git a/java/ql/lib/change-notes/2025-07-28-guardwrappers.md b/java/ql/lib/change-notes/2025-07-28-guardwrappers.md deleted file mode 100644 index cf976fe7789..00000000000 
--- a/java/ql/lib/change-notes/2025-07-28-guardwrappers.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for `java/dereferenced-value-may-be-null`. diff --git a/java/ql/lib/change-notes/2025-08-15-lib-models-remotesource.md b/java/ql/lib/change-notes/2025-08-15-lib-models-remotesource.md deleted file mode 100644 index 3cb81f84019..00000000000 --- a/java/ql/lib/change-notes/2025-08-15-lib-models-remotesource.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: majorAnalysis ---- -* Added library models for the relevant method calls under `jakarta.servlet.ServletRequest` and `jakarta.servlet.http.HttpServletRequest` as remote flow sources. diff --git a/java/ql/lib/change-notes/released/7.6.0.md b/java/ql/lib/change-notes/released/7.6.0.md new file mode 100644 index 00000000000..6c7a1c3338c --- /dev/null +++ b/java/ql/lib/change-notes/released/7.6.0.md @@ -0,0 +1,9 @@ +## 7.6.0 + +### Major Analysis Improvements + +* Added library models for the relevant method calls under `jakarta.servlet.ServletRequest` and `jakarta.servlet.http.HttpServletRequest` as remote flow sources. + +### Minor Analysis Improvements + +* Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for `java/dereferenced-value-may-be-null`. diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index 7ed5cb290ca..dd20d7a9632 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 7.5.0 +lastReleaseVersion: 7.6.0 diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 0e69cc38681..6d89a227eb6 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/java-all -version: 7.5.1-dev +version: 7.6.0 groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index 9d630f16f4b..81ce9022d91 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.6.3 + +No user-facing changes. + ## 1.6.2 No user-facing changes. diff --git a/java/ql/src/change-notes/released/1.6.3.md b/java/ql/src/change-notes/released/1.6.3.md new file mode 100644 index 00000000000..a000ecf7025 --- /dev/null +++ b/java/ql/src/change-notes/released/1.6.3.md @@ -0,0 +1,3 @@ +## 1.6.3 + +No user-facing changes. diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml index 5f5beb68311..00b51441d88 100644 --- a/java/ql/src/codeql-pack.release.yml +++ b/java/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.6.2 +lastReleaseVersion: 1.6.3 diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index aa899419ad9..e7a63231064 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.6.3-dev +version: 1.6.3 groups: - java - queries diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md index 93edd0d9f49..3604e77c13b 100644 --- a/javascript/ql/lib/CHANGELOG.md +++ b/javascript/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 2.6.9 + +### Minor Analysis Improvements + +* Improved modeling of command-line argument parsing libraries [arg](https://www.npmjs.com/package/arg), [args](https://www.npmjs.com/package/args), [command-line-args](https://www.npmjs.com/package/command-line-args) and [commander](https://www.npmjs.com/package/commander) + ## 2.6.8 ### Minor Analysis Improvements 
diff --git a/javascript/ql/lib/change-notes/2025-08-01-cli-code-injection.md b/javascript/ql/lib/change-notes/released/2.6.9.md similarity index 86% rename from javascript/ql/lib/change-notes/2025-08-01-cli-code-injection.md rename to javascript/ql/lib/change-notes/released/2.6.9.md index 20fa14da66f..6c80cc1db0d 100644 --- a/javascript/ql/lib/change-notes/2025-08-01-cli-code-injection.md +++ b/javascript/ql/lib/change-notes/released/2.6.9.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 2.6.9 + +### Minor Analysis Improvements + * Improved modeling of command-line argument parsing libraries [arg](https://www.npmjs.com/package/arg), [args](https://www.npmjs.com/package/args), [command-line-args](https://www.npmjs.com/package/command-line-args) and [commander](https://www.npmjs.com/package/commander) diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml index e3569f2b799..8bec0b26cea 100644 --- a/javascript/ql/lib/codeql-pack.release.yml +++ b/javascript/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.6.8 +lastReleaseVersion: 2.6.9 diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 39b1edfe98c..9c9850454f2 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 2.6.9-dev +version: 2.6.9 groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md index 19314b8b774..ce2c8bacbb3 100644 --- a/javascript/ql/src/CHANGELOG.md +++ b/javascript/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 2.0.2 + +### Minor Analysis Improvements + +* The `js/regex-injection` query no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the "environment" category. + ## 2.0.1 No user-facing changes. 
diff --git a/javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md b/javascript/ql/src/change-notes/released/2.0.2.md similarity index 83% rename from javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md rename to javascript/ql/src/change-notes/released/2.0.2.md index f87e1007765..f2fc5c62f78 100644 --- a/javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md +++ b/javascript/ql/src/change-notes/released/2.0.2.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 2.0.2 + +### Minor Analysis Improvements + * The `js/regex-injection` query no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the "environment" category. diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml index fe974a4dbf3..81c7f1dbc13 100644 --- a/javascript/ql/src/codeql-pack.release.yml +++ b/javascript/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.1 +lastReleaseVersion: 2.0.2 diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index c06711ab2ca..1f71ec359c4 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 2.0.2-dev +version: 2.0.2 groups: - javascript - queries diff --git a/misc/suite-helpers/CHANGELOG.md b/misc/suite-helpers/CHANGELOG.md index 3ba59599115..541e9e2a945 100644 --- a/misc/suite-helpers/CHANGELOG.md +++ b/misc/suite-helpers/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/misc/suite-helpers/change-notes/released/1.0.29.md b/misc/suite-helpers/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/misc/suite-helpers/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. 
diff --git a/misc/suite-helpers/codeql-pack.release.yml b/misc/suite-helpers/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/misc/suite-helpers/codeql-pack.release.yml +++ b/misc/suite-helpers/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index de025c1e873..0a4fd9b08e5 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.29-dev +version: 1.0.29 groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index 901012f035f..b71f642da27 100644 --- a/python/ql/lib/CHANGELOG.md +++ b/python/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 4.0.13 + +No user-facing changes. + ## 4.0.12 ### Minor Analysis Improvements diff --git a/python/ql/lib/change-notes/released/4.0.13.md b/python/ql/lib/change-notes/released/4.0.13.md new file mode 100644 index 00000000000..7e3690f40f1 --- /dev/null +++ b/python/ql/lib/change-notes/released/4.0.13.md @@ -0,0 +1,3 @@ +## 4.0.13 + +No user-facing changes. diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml index f2bb0c626a2..a03f76ad596 100644 --- a/python/ql/lib/codeql-pack.release.yml +++ b/python/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 4.0.12 +lastReleaseVersion: 4.0.13 diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index 2434ee3f0db..2b2e9428d87 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 4.0.13-dev +version: 4.0.13 groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index 4e5033cfb45..42d3b42a5e8 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## 1.6.3 + +No user-facing changes. + ## 1.6.2 No user-facing changes. diff --git a/python/ql/src/change-notes/released/1.6.3.md b/python/ql/src/change-notes/released/1.6.3.md new file mode 100644 index 00000000000..a000ecf7025 --- /dev/null +++ b/python/ql/src/change-notes/released/1.6.3.md @@ -0,0 +1,3 @@ +## 1.6.3 + +No user-facing changes. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index 5f5beb68311..00b51441d88 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.6.2 +lastReleaseVersion: 1.6.3 diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index 0605e37a7cc..121332a724b 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.6.3-dev +version: 1.6.3 groups: - python - queries diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index 185be6d23bc..24c2c0b6a4a 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -1,3 +1,12 @@ +## 5.0.2 + +### Bug Fixes + +* Made the following changes to `NetHttpRequest` + * Adds `connectionNode`, like other Ruby HTTP clients + * Makes `requestNode` and `connectionNode` public so subclasses can use them + * Adds detection of `Net::HTTP.start`, a common way to make HTTP requests in Ruby + ## 5.0.1 ### Minor Analysis Improvements diff --git a/ruby/ql/lib/change-notes/2025-07-21-nethttprequest-improvements.md b/ruby/ql/lib/change-notes/released/5.0.2.md similarity index 91% rename from ruby/ql/lib/change-notes/2025-07-21-nethttprequest-improvements.md rename to ruby/ql/lib/change-notes/released/5.0.2.md index 7de3ed050e2..c50a06af309 100644 --- a/ruby/ql/lib/change-notes/2025-07-21-nethttprequest-improvements.md +++ b/ruby/ql/lib/change-notes/released/5.0.2.md 
@@ -1,6 +1,7 @@ ---- -category: fix ---- +## 5.0.2 + +### Bug Fixes + * Made the following changes to `NetHttpRequest` * Adds `connectionNode`, like other Ruby HTTP clients * Makes `requestNode` and `connectionNode` public so subclasses can use them diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index ae7df5e18b7..3940dee0f32 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 5.0.1 +lastReleaseVersion: 5.0.2 diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 2ee74c2d603..a6890d52478 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 5.0.2-dev +version: 5.0.2 groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index 330b92b7d7e..469f8421413 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.4.3 + +No user-facing changes. + ## 1.4.2 No user-facing changes. diff --git a/ruby/ql/src/change-notes/released/1.4.3.md b/ruby/ql/src/change-notes/released/1.4.3.md new file mode 100644 index 00000000000..abf2a0d4dcc --- /dev/null +++ b/ruby/ql/src/change-notes/released/1.4.3.md @@ -0,0 +1,3 @@ +## 1.4.3 + +No user-facing changes. diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index a76cacdf799..08f88b689fb 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.4.2 +lastReleaseVersion: 1.4.3 diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index ac62f1cc0d9..e053d77fd57 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.4.3-dev +version: 1.4.3 groups: - ruby - queries diff --git a/rust/ql/lib/CHANGELOG.md b/rust/ql/lib/CHANGELOG.md index b2e266ccd06..20275537b0c 100644 
--- a/rust/ql/lib/CHANGELOG.md +++ b/rust/ql/lib/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.1.14 + +### Minor Analysis Improvements + +* [`let` chains in `if` and `while`](https://doc.rust-lang.org/edition-guide/rust-2024/let-chains.html) are now supported, as well as [`if let` guards in `match` expressions](https://rust-lang.github.io/rfcs/2294-if-let-guard.html). +* Added more detail to models of `postgres`, `rusqlite`, `sqlx` and `tokio-postgres`. This may improve query results, particularly for `rust/sql-injection` and `rust/cleartext-storage-database`. + ## 0.1.13 ### Minor Analysis Improvements diff --git a/rust/ql/lib/change-notes/2025-08-11-database-models.md b/rust/ql/lib/change-notes/2025-08-11-database-models.md deleted file mode 100644 index e8aa6dda7a6..00000000000 --- a/rust/ql/lib/change-notes/2025-08-11-database-models.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added more detail to models of `postgres`, `rusqlite`, `sqlx` and `tokio-postgres`. This may improve query results, particularly for `rust/sql-injection` and `rust/cleartext-storage-database`. diff --git a/rust/ql/lib/change-notes/2025-08-14-if-while-let-chains.md b/rust/ql/lib/change-notes/2025-08-14-if-while-let-chains.md deleted file mode 100644 index f4d364d5035..00000000000 --- a/rust/ql/lib/change-notes/2025-08-14-if-while-let-chains.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* [`let` chains in `if` and `while`](https://doc.rust-lang.org/edition-guide/rust-2024/let-chains.html) are now supported, as well as [`if let` guards in `match` expressions](https://rust-lang.github.io/rfcs/2294-if-let-guard.html). \ No newline at end of file diff --git a/rust/ql/lib/change-notes/released/0.1.14.md b/rust/ql/lib/change-notes/released/0.1.14.md new file mode 100644 index 00000000000..b1dc08f6737 --- /dev/null +++ b/rust/ql/lib/change-notes/released/0.1.14.md 
@@ -0,0 +1,6 @@ +## 0.1.14 + +### Minor Analysis Improvements + +* [`let` chains in `if` and `while`](https://doc.rust-lang.org/edition-guide/rust-2024/let-chains.html) are now supported, as well as [`if let` guards in `match` expressions](https://rust-lang.github.io/rfcs/2294-if-let-guard.html). +* Added more detail to models of `postgres`, `rusqlite`, `sqlx` and `tokio-postgres`. This may improve query results, particularly for `rust/sql-injection` and `rust/cleartext-storage-database`. diff --git a/rust/ql/lib/codeql-pack.release.yml b/rust/ql/lib/codeql-pack.release.yml index f43379f8196..76f7b27fb4e 100644 --- a/rust/ql/lib/codeql-pack.release.yml +++ b/rust/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.13 +lastReleaseVersion: 0.1.14 diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml index 6a2323410e6..83faa48ad14 100644 --- a/rust/ql/lib/qlpack.yml +++ b/rust/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-all -version: 0.1.14-dev +version: 0.1.14 groups: rust extractor: rust dbscheme: rust.dbscheme diff --git a/rust/ql/src/CHANGELOG.md b/rust/ql/src/CHANGELOG.md index ba5accc2aff..94231f13170 100644 --- a/rust/ql/src/CHANGELOG.md +++ b/rust/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.1.14 + +### New Queries + +* Added a new query, `rust/cleartext-storage-database`, for detecting cases where sensitive information is stored non-encrypted in a database. + ## 0.1.13 ### New Queries diff --git a/rust/ql/src/change-notes/2025-08-04-cleartext-storage-database.md b/rust/ql/src/change-notes/released/0.1.14.md similarity index 83% rename from rust/ql/src/change-notes/2025-08-04-cleartext-storage-database.md rename to rust/ql/src/change-notes/released/0.1.14.md index 9aac1d20f45..428909605d1 100644 --- a/rust/ql/src/change-notes/2025-08-04-cleartext-storage-database.md +++ b/rust/ql/src/change-notes/released/0.1.14.md 
@@ -1,4 +1,5 @@ ---- -category: newQuery ---- +## 0.1.14 + +### New Queries + * Added a new query, `rust/cleartext-storage-database`, for detecting cases where sensitive information is stored non-encrypted in a database. diff --git a/rust/ql/src/codeql-pack.release.yml b/rust/ql/src/codeql-pack.release.yml index f43379f8196..76f7b27fb4e 100644 --- a/rust/ql/src/codeql-pack.release.yml +++ b/rust/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.13 +lastReleaseVersion: 0.1.14 diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml index 2ca2fb08a0f..1e39349d4fc 100644 --- a/rust/ql/src/qlpack.yml +++ b/rust/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-queries -version: 0.1.14-dev +version: 0.1.14 groups: - rust - queries diff --git a/shared/concepts/CHANGELOG.md b/shared/concepts/CHANGELOG.md index bafab76efba..6e48d91ef56 100644 --- a/shared/concepts/CHANGELOG.md +++ b/shared/concepts/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.3 + +No user-facing changes. + ## 0.0.2 No user-facing changes. diff --git a/shared/concepts/change-notes/released/0.0.3.md b/shared/concepts/change-notes/released/0.0.3.md new file mode 100644 index 00000000000..af7864fc7d5 --- /dev/null +++ b/shared/concepts/change-notes/released/0.0.3.md @@ -0,0 +1,3 @@ +## 0.0.3 + +No user-facing changes. diff --git a/shared/concepts/codeql-pack.release.yml b/shared/concepts/codeql-pack.release.yml index 55dc06fbd76..a24b693d1e7 100644 --- a/shared/concepts/codeql-pack.release.yml +++ b/shared/concepts/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.2 +lastReleaseVersion: 0.0.3 diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml index a3945e32785..1a4b23c6fcd 100644 --- a/shared/concepts/qlpack.yml +++ b/shared/concepts/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/concepts -version: 0.0.3-dev +version: 0.0.3 groups: shared library: true dependencies: 
diff --git a/shared/controlflow/CHANGELOG.md b/shared/controlflow/CHANGELOG.md index 17db1caf695..ecf7d7005e9 100644 --- a/shared/controlflow/CHANGELOG.md +++ b/shared/controlflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.13 + +No user-facing changes. + ## 2.0.12 No user-facing changes. diff --git a/shared/controlflow/change-notes/released/2.0.13.md b/shared/controlflow/change-notes/released/2.0.13.md new file mode 100644 index 00000000000..39a24682b50 --- /dev/null +++ b/shared/controlflow/change-notes/released/2.0.13.md @@ -0,0 +1,3 @@ +## 2.0.13 + +No user-facing changes. diff --git a/shared/controlflow/codeql-pack.release.yml b/shared/controlflow/codeql-pack.release.yml index b856d9a13f2..30d169d6eb8 100644 --- a/shared/controlflow/codeql-pack.release.yml +++ b/shared/controlflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.12 +lastReleaseVersion: 2.0.13 diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index 9daf1b8e60e..5dcd3a6170e 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 2.0.13-dev +version: 2.0.13 groups: shared library: true dependencies: diff --git a/shared/dataflow/CHANGELOG.md b/shared/dataflow/CHANGELOG.md index 2e77e1a942d..db415d30d47 100644 --- a/shared/dataflow/CHANGELOG.md +++ b/shared/dataflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.13 + +No user-facing changes. + ## 2.0.12 No user-facing changes. diff --git a/shared/dataflow/change-notes/released/2.0.13.md b/shared/dataflow/change-notes/released/2.0.13.md new file mode 100644 index 00000000000..39a24682b50 --- /dev/null +++ b/shared/dataflow/change-notes/released/2.0.13.md @@ -0,0 +1,3 @@ +## 2.0.13 + +No user-facing changes. diff --git a/shared/dataflow/codeql-pack.release.yml b/shared/dataflow/codeql-pack.release.yml index b856d9a13f2..30d169d6eb8 100644 --- a/shared/dataflow/codeql-pack.release.yml +++ b/shared/dataflow/codeql-pack.release.yml 
@@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.12 +lastReleaseVersion: 2.0.13 diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index 759c844c110..a3b22666422 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 2.0.13-dev +version: 2.0.13 groups: shared library: true dependencies: diff --git a/shared/mad/CHANGELOG.md b/shared/mad/CHANGELOG.md index db8e38ba03e..6bd67795a3a 100644 --- a/shared/mad/CHANGELOG.md +++ b/shared/mad/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/mad/change-notes/released/1.0.29.md b/shared/mad/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/mad/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/shared/mad/codeql-pack.release.yml b/shared/mad/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/mad/codeql-pack.release.yml +++ b/shared/mad/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index 9b5895697f0..b8dbf57a299 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.29-dev +version: 1.0.29 groups: shared library: true dependencies: diff --git a/shared/quantum/CHANGELOG.md b/shared/quantum/CHANGELOG.md index ad2e63eb470..8f58f5145db 100644 --- a/shared/quantum/CHANGELOG.md +++ b/shared/quantum/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.7 + +No user-facing changes. + ## 0.0.6 No user-facing changes. diff --git a/shared/quantum/change-notes/released/0.0.7.md b/shared/quantum/change-notes/released/0.0.7.md new file mode 100644 index 00000000000..84da6f18c42 --- /dev/null +++ b/shared/quantum/change-notes/released/0.0.7.md @@ -0,0 +1,3 @@ +## 0.0.7 + +No user-facing changes. 
diff --git a/shared/quantum/codeql-pack.release.yml b/shared/quantum/codeql-pack.release.yml index cf398ce02aa..a2a5484910b 100644 --- a/shared/quantum/codeql-pack.release.yml +++ b/shared/quantum/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.6 +lastReleaseVersion: 0.0.7 diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml index 9046eb79e24..ea2acfb14f6 100644 --- a/shared/quantum/qlpack.yml +++ b/shared/quantum/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/quantum -version: 0.0.7-dev +version: 0.0.7 groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/CHANGELOG.md b/shared/rangeanalysis/CHANGELOG.md index 41d2e7d037c..c6dd1d9b79d 100644 --- a/shared/rangeanalysis/CHANGELOG.md +++ b/shared/rangeanalysis/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/rangeanalysis/change-notes/released/1.0.29.md b/shared/rangeanalysis/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/rangeanalysis/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/shared/rangeanalysis/codeql-pack.release.yml b/shared/rangeanalysis/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/rangeanalysis/codeql-pack.release.yml +++ b/shared/rangeanalysis/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index 3af1d03945d..833e16de4d2 100644 --- a/shared/rangeanalysis/qlpack.yml +++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.29-dev +version: 1.0.29 groups: shared library: true dependencies: diff --git a/shared/regex/CHANGELOG.md b/shared/regex/CHANGELOG.md index b985a679eaa..ccbf4d95cf6 100644 --- a/shared/regex/CHANGELOG.md +++ b/shared/regex/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/regex/change-notes/released/1.0.29.md b/shared/regex/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/regex/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/shared/regex/codeql-pack.release.yml b/shared/regex/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/regex/codeql-pack.release.yml +++ b/shared/regex/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index f29d547adc4..a3195cfb3d0 100644 --- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.29-dev +version: 1.0.29 groups: shared library: true dependencies: diff --git a/shared/ssa/CHANGELOG.md b/shared/ssa/CHANGELOG.md index b628a618c2b..9c9caa32918 100644 --- a/shared/ssa/CHANGELOG.md +++ b/shared/ssa/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.5 + +No user-facing changes. + ## 2.0.4 No user-facing changes. diff --git a/shared/ssa/change-notes/released/2.0.5.md b/shared/ssa/change-notes/released/2.0.5.md new file mode 100644 index 00000000000..8bce5b7ca75 --- /dev/null +++ b/shared/ssa/change-notes/released/2.0.5.md @@ -0,0 +1,3 @@ +## 2.0.5 + +No user-facing changes. diff --git a/shared/ssa/codeql-pack.release.yml b/shared/ssa/codeql-pack.release.yml index 0f306f8bd3b..6c269316f27 100644 --- a/shared/ssa/codeql-pack.release.yml +++ b/shared/ssa/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.4 +lastReleaseVersion: 2.0.5 diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index 6912467b508..8eef08c4cb4 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 2.0.5-dev +version: 2.0.5 groups: shared library: true dependencies: 
diff --git a/shared/threat-models/CHANGELOG.md b/shared/threat-models/CHANGELOG.md index 6e50e04a514..596a873b2c5 100644 --- a/shared/threat-models/CHANGELOG.md +++ b/shared/threat-models/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/threat-models/change-notes/released/1.0.29.md b/shared/threat-models/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/threat-models/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/shared/threat-models/codeql-pack.release.yml b/shared/threat-models/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/threat-models/codeql-pack.release.yml +++ b/shared/threat-models/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index 5e8c43c8bbf..4e74fe0abde 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.29-dev +version: 1.0.29 library: true groups: shared dataExtensions: diff --git a/shared/tutorial/CHANGELOG.md b/shared/tutorial/CHANGELOG.md index d1848f17c53..73e10501041 100644 --- a/shared/tutorial/CHANGELOG.md +++ b/shared/tutorial/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/tutorial/change-notes/released/1.0.29.md b/shared/tutorial/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/tutorial/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/shared/tutorial/codeql-pack.release.yml b/shared/tutorial/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/tutorial/codeql-pack.release.yml 
+++ b/shared/tutorial/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index 998c513f7c6..263d7bdf3a8 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.29-dev +version: 1.0.29 groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/CHANGELOG.md b/shared/typeflow/CHANGELOG.md index d63b01de987..5b8d81ca4b3 100644 --- a/shared/typeflow/CHANGELOG.md +++ b/shared/typeflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/typeflow/change-notes/released/1.0.29.md b/shared/typeflow/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/typeflow/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/shared/typeflow/codeql-pack.release.yml b/shared/typeflow/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/typeflow/codeql-pack.release.yml +++ b/shared/typeflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index f1969d52e2b..98c82501a97 100644 --- a/shared/typeflow/qlpack.yml +++ b/shared/typeflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.29-dev +version: 1.0.29 groups: shared library: true dependencies: diff --git a/shared/typeinference/CHANGELOG.md b/shared/typeinference/CHANGELOG.md index a59e560c415..1857b399fe8 100644 --- a/shared/typeinference/CHANGELOG.md +++ b/shared/typeinference/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.10 + +No user-facing changes. + ## 0.0.9 No user-facing changes. 
diff --git a/shared/typeinference/change-notes/released/0.0.10.md b/shared/typeinference/change-notes/released/0.0.10.md new file mode 100644 index 00000000000..22391080fd4 --- /dev/null +++ b/shared/typeinference/change-notes/released/0.0.10.md @@ -0,0 +1,3 @@ +## 0.0.10 + +No user-facing changes. diff --git a/shared/typeinference/codeql-pack.release.yml b/shared/typeinference/codeql-pack.release.yml index ecdd64fbab8..b740014e5ae 100644 --- a/shared/typeinference/codeql-pack.release.yml +++ b/shared/typeinference/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.9 +lastReleaseVersion: 0.0.10 diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml index 311bc370c09..f4aba2b768e 100644 --- a/shared/typeinference/qlpack.yml +++ b/shared/typeinference/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeinference -version: 0.0.10-dev +version: 0.0.10 groups: shared library: true dependencies: diff --git a/shared/typetracking/CHANGELOG.md b/shared/typetracking/CHANGELOG.md index d13d7ed092a..7e63a18be0b 100644 --- a/shared/typetracking/CHANGELOG.md +++ b/shared/typetracking/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.13 + +No user-facing changes. + ## 2.0.12 No user-facing changes. diff --git a/shared/typetracking/change-notes/released/2.0.13.md b/shared/typetracking/change-notes/released/2.0.13.md new file mode 100644 index 00000000000..39a24682b50 --- /dev/null +++ b/shared/typetracking/change-notes/released/2.0.13.md @@ -0,0 +1,3 @@ +## 2.0.13 + +No user-facing changes. diff --git a/shared/typetracking/codeql-pack.release.yml b/shared/typetracking/codeql-pack.release.yml index b856d9a13f2..30d169d6eb8 100644 --- a/shared/typetracking/codeql-pack.release.yml +++ b/shared/typetracking/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.12 +lastReleaseVersion: 2.0.13 diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index 143381c6828..b25743112e1 100644 --- a/shared/typetracking/qlpack.yml 
+++ b/shared/typetracking/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typetracking -version: 2.0.13-dev +version: 2.0.13 groups: shared library: true dependencies: diff --git a/shared/typos/CHANGELOG.md b/shared/typos/CHANGELOG.md index 40cca012100..4c15b434d52 100644 --- a/shared/typos/CHANGELOG.md +++ b/shared/typos/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/typos/change-notes/released/1.0.29.md b/shared/typos/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/typos/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/shared/typos/codeql-pack.release.yml b/shared/typos/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/typos/codeql-pack.release.yml +++ b/shared/typos/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index cfbe48595f7..ed8c5320fdb 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.29-dev +version: 1.0.29 groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/CHANGELOG.md b/shared/util/CHANGELOG.md index 99afc785e5d..f7354c0cfbe 100644 --- a/shared/util/CHANGELOG.md +++ b/shared/util/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.16 + +No user-facing changes. + ## 2.0.15 No user-facing changes. diff --git a/shared/util/change-notes/released/2.0.16.md b/shared/util/change-notes/released/2.0.16.md new file mode 100644 index 00000000000..221400d393f --- /dev/null +++ b/shared/util/change-notes/released/2.0.16.md @@ -0,0 +1,3 @@ +## 2.0.16 + +No user-facing changes. diff --git a/shared/util/codeql-pack.release.yml b/shared/util/codeql-pack.release.yml index 0377ae283a3..c10461a785c 100644 --- a/shared/util/codeql-pack.release.yml 
+++ b/shared/util/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.15 +lastReleaseVersion: 2.0.16 diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 18f2e50e636..be3bcefeac0 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.16-dev +version: 2.0.16 groups: shared library: true dependencies: null diff --git a/shared/xml/CHANGELOG.md b/shared/xml/CHANGELOG.md index 8688583b1d4..70c94326970 100644 --- a/shared/xml/CHANGELOG.md +++ b/shared/xml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/xml/change-notes/released/1.0.29.md b/shared/xml/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/xml/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. diff --git a/shared/xml/codeql-pack.release.yml b/shared/xml/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/xml/codeql-pack.release.yml +++ b/shared/xml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index 81781de2996..23aa3f361b2 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.29-dev +version: 1.0.29 groups: shared library: true dependencies: diff --git a/shared/yaml/CHANGELOG.md b/shared/yaml/CHANGELOG.md index 4651f486f24..e0f14b7a34c 100644 --- a/shared/yaml/CHANGELOG.md +++ b/shared/yaml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.29 + +No user-facing changes. + ## 1.0.28 No user-facing changes. diff --git a/shared/yaml/change-notes/released/1.0.29.md b/shared/yaml/change-notes/released/1.0.29.md new file mode 100644 index 00000000000..e6b79b88ef3 --- /dev/null +++ b/shared/yaml/change-notes/released/1.0.29.md @@ -0,0 +1,3 @@ +## 1.0.29 + +No user-facing changes. 
diff --git a/shared/yaml/codeql-pack.release.yml b/shared/yaml/codeql-pack.release.yml index 328402fb34f..8751a216238 100644 --- a/shared/yaml/codeql-pack.release.yml +++ b/shared/yaml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.28 +lastReleaseVersion: 1.0.29 diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index f7fd571722e..366255af6f2 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.29-dev +version: 1.0.29 groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md index 46341f158e7..13c6f27bffb 100644 --- a/swift/ql/lib/CHANGELOG.md +++ b/swift/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 5.0.5 + +No user-facing changes. + ## 5.0.4 ### Minor Analysis Improvements diff --git a/swift/ql/lib/change-notes/released/5.0.5.md b/swift/ql/lib/change-notes/released/5.0.5.md new file mode 100644 index 00000000000..be08f873636 --- /dev/null +++ b/swift/ql/lib/change-notes/released/5.0.5.md @@ -0,0 +1,3 @@ +## 5.0.5 + +No user-facing changes. diff --git a/swift/ql/lib/codeql-pack.release.yml b/swift/ql/lib/codeql-pack.release.yml index 8cb0167caf0..02e5f00fa9e 100644 --- a/swift/ql/lib/codeql-pack.release.yml +++ b/swift/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 5.0.4 +lastReleaseVersion: 5.0.5 diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 057ff6a9133..1adc383bd26 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 5.0.5-dev +version: 5.0.5 groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/CHANGELOG.md b/swift/ql/src/CHANGELOG.md index 8c57120f256..8faa03573fc 100644 --- a/swift/ql/src/CHANGELOG.md +++ b/swift/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.2.3 + +No user-facing changes. + ## 1.2.2 No user-facing changes. 
diff --git a/swift/ql/src/change-notes/released/1.2.3.md b/swift/ql/src/change-notes/released/1.2.3.md new file mode 100644 index 00000000000..b86fd3af318 --- /dev/null +++ b/swift/ql/src/change-notes/released/1.2.3.md @@ -0,0 +1,3 @@ +## 1.2.3 + +No user-facing changes. diff --git a/swift/ql/src/codeql-pack.release.yml b/swift/ql/src/codeql-pack.release.yml index 0a70a9a01a7..09a7400b594 100644 --- a/swift/ql/src/codeql-pack.release.yml +++ b/swift/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.2.2 +lastReleaseVersion: 1.2.3 diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index 193dfa77a9a..a6761f78190 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.2.3-dev +version: 1.2.3 groups: - swift - queries From 42e3d31c4941ec25904e9cc41bb639676c505fce Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Mon, 18 Aug 2025 14:42:42 +0000 Subject: [PATCH 12/37] Post-release preparation for codeql-cli-2.22.4 --- actions/ql/lib/qlpack.yml | 2 +- actions/ql/src/qlpack.yml | 2 +- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/consistency-queries/qlpack.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- rust/ql/lib/qlpack.yml | 2 +- rust/ql/src/qlpack.yml | 2 +- shared/concepts/qlpack.yml | 2 +- shared/controlflow/qlpack.yml | 2 +- shared/dataflow/qlpack.yml | 2 +- shared/mad/qlpack.yml | 2 +- shared/quantum/qlpack.yml | 2 +- shared/rangeanalysis/qlpack.yml | 2 +- shared/regex/qlpack.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/threat-models/qlpack.yml | 2 +- shared/tutorial/qlpack.yml | 2 +- shared/typeflow/qlpack.yml | 2 +- shared/typeinference/qlpack.yml | 2 +- shared/typetracking/qlpack.yml | 2 +- shared/typos/qlpack.yml | 2 +- shared/util/qlpack.yml | 2 +- shared/xml/qlpack.yml | 2 +- shared/yaml/qlpack.yml | 2 +- swift/ql/lib/qlpack.yml | 2 +- swift/ql/src/qlpack.yml | 2 +- 41 files changed, 41 insertions(+), 41 deletions(-) diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml index 6ab370e2e97..c10bedbaef6 100644 --- a/actions/ql/lib/qlpack.yml +++ b/actions/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-all -version: 0.4.15 +version: 0.4.16-dev library: true warnOnImplicitThis: true dependencies: diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml index 416cd0e5c45..11e5bb790b7 100644 
--- a/actions/ql/src/qlpack.yml +++ b/actions/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-queries -version: 0.6.7 +version: 0.6.8-dev library: false warnOnImplicitThis: true groups: [actions, queries] diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 9698c86d3f2..68f412126f4 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 5.4.1 +version: 5.4.2-dev groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index bd7ff423c7c..3e64a19c68b 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 1.4.6 +version: 1.4.7-dev groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index d9430bc679c..ea7b1f0c021 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.46 +version: 1.7.47-dev groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index 747eaaec33b..377ad66a5ba 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.46 +version: 1.7.47-dev groups: - csharp - solorigate diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index 2a606aa966c..f5ad09a43fa 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 5.2.2 +version: 5.2.3-dev groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index 959446de1d7..0567f720300 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 1.3.3 +version: 1.3.4-dev groups: - csharp - queries diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index ccfc15b0197..2cac181bfb5 100644 --- a/go/ql/consistency-queries/qlpack.yml +++ b/go/ql/consistency-queries/qlpack.yml @@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.29 +version: 1.0.30-dev groups: - go - queries diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 7799e61ca85..2658d54432f 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 4.3.2 +version: 4.3.3-dev groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index d468ea88eca..8c8c36a4fc7 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.4.3 +version: 1.4.4-dev groups: - go - queries diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 6d89a227eb6..93be6469202 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 7.6.0 +version: 7.6.1-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index e7a63231064..ec081681c2b 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.6.3 +version: 1.6.4-dev groups: - java - queries diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 9c9850454f2..3864c3031b3 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 2.6.9 +version: 2.6.10-dev groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index 1f71ec359c4..14a9ceb6a30 100644 --- a/javascript/ql/src/qlpack.yml 
+++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 2.0.2 +version: 2.0.3-dev groups: - javascript - queries diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index 0a4fd9b08e5..05d8f61eb99 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.29 +version: 1.0.30-dev groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index 2b2e9428d87..ad4bbced61a 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 4.0.13 +version: 4.0.14-dev groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index 121332a724b..0f047b047b9 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.6.3 +version: 1.6.4-dev groups: - python - queries diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index a6890d52478..f0cbf51f467 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 5.0.2 +version: 5.0.3-dev groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index e053d77fd57..1e435c15de2 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.4.3 +version: 1.4.4-dev groups: - ruby - queries diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml index 83faa48ad14..68121096b5e 100644 --- a/rust/ql/lib/qlpack.yml +++ b/rust/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-all -version: 0.1.14 +version: 0.1.15-dev groups: rust extractor: rust dbscheme: rust.dbscheme diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml index 1e39349d4fc..8057cbc0e68 100644 --- a/rust/ql/src/qlpack.yml 
+++ b/rust/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-queries -version: 0.1.14 +version: 0.1.15-dev groups: - rust - queries diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml index 1a4b23c6fcd..849cda97bf0 100644 --- a/shared/concepts/qlpack.yml +++ b/shared/concepts/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/concepts -version: 0.0.3 +version: 0.0.4-dev groups: shared library: true dependencies: diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index 5dcd3a6170e..2dbb7951de1 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 2.0.13 +version: 2.0.14-dev groups: shared library: true dependencies: diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index a3b22666422..20069450f22 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 2.0.13 +version: 2.0.14-dev groups: shared library: true dependencies: diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index b8dbf57a299..0b47255d1a6 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.29 +version: 1.0.30-dev groups: shared library: true dependencies: diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml index ea2acfb14f6..36d76723360 100644 --- a/shared/quantum/qlpack.yml +++ b/shared/quantum/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/quantum -version: 0.0.7 +version: 0.0.8-dev groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index 833e16de4d2..a8b86549ce9 100644 --- a/shared/rangeanalysis/qlpack.yml +++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.29 +version: 1.0.30-dev groups: shared library: true dependencies: diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index a3195cfb3d0..496ef35adc1 100644 
--- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.29 +version: 1.0.30-dev groups: shared library: true dependencies: diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index 8eef08c4cb4..30858c2f029 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 2.0.5 +version: 2.0.6-dev groups: shared library: true dependencies: diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index 4e74fe0abde..76cca7a3d08 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.29 +version: 1.0.30-dev library: true groups: shared dataExtensions: diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index 263d7bdf3a8..5427f065760 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.29 +version: 1.0.30-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index 98c82501a97..90dd04cd114 100644 --- a/shared/typeflow/qlpack.yml +++ b/shared/typeflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.29 +version: 1.0.30-dev groups: shared library: true dependencies: diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml index f4aba2b768e..509cb216f7a 100644 --- a/shared/typeinference/qlpack.yml +++ b/shared/typeinference/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeinference -version: 0.0.10 +version: 0.0.11-dev groups: shared library: true dependencies: diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index b25743112e1..746a61e679f 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/typetracking -version: 2.0.13 +version: 2.0.14-dev groups: shared library: true dependencies: diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index ed8c5320fdb..036b545df82 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.29 +version: 1.0.30-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index be3bcefeac0..f3c51c17a49 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.16 +version: 2.0.17-dev groups: shared library: true dependencies: null diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index 23aa3f361b2..c0c541fa282 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.29 +version: 1.0.30-dev groups: shared library: true dependencies: diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index 366255af6f2..3b757e1f062 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.29 +version: 1.0.30-dev groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 1adc383bd26..74dffd61857 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 5.0.5 +version: 5.0.6-dev groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index a6761f78190..9ee2255a7d6 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.2.3 +version: 1.2.4-dev groups: - swift - queries From 0cd8c9009ff8f0d85960e5ec6fd38d7a79dab8b7 Mon Sep 17 00:00:00 2001 
From: Tom Hvitved Date: Tue, 19 Aug 2025 10:20:59 +0200 Subject: [PATCH 13/37] Rust: Add more jump-to-def tests --- .../definitions/Definitions.expected | 61 +++++++++++-------- .../ql/test/library-tests/definitions/main.rs | 9 +++ 2 files changed, 45 insertions(+), 25 deletions(-) diff --git a/rust/ql/test/library-tests/definitions/Definitions.expected b/rust/ql/test/library-tests/definitions/Definitions.expected index f3cde895068..476e97e1e6c 100644 --- a/rust/ql/test/library-tests/definitions/Definitions.expected +++ b/rust/ql/test/library-tests/definitions/Definitions.expected 
@@ -2,28 +2,39 @@ | main.rs:9:14:9:14 | S | main.rs:7:9:7:21 | struct S | path | | main.rs:10:36:10:39 | Self | main.rs:7:9:7:21 | struct S | path | | main.rs:11:17:11:17 | S | main.rs:7:9:7:21 | struct S | path | -| main.rs:21:22:21:26 | value | main.rs:21:50:21:54 | value | format argument | -| main.rs:21:29:21:33 | width | main.rs:18:9:18:13 | width | local variable | -| main.rs:21:36:21:44 | precision | main.rs:19:9:19:17 | precision | local variable | -| main.rs:22:22:22:22 | 0 | main.rs:22:34:22:38 | value | format argument | -| main.rs:22:25:22:25 | 1 | main.rs:22:41:22:45 | width | format argument | -| main.rs:22:28:22:28 | 2 | main.rs:22:48:22:56 | precision | format argument | -| main.rs:22:34:22:38 | value | main.rs:20:9:20:13 | value | local variable | -| main.rs:22:41:22:45 | width | main.rs:18:9:18:13 | width | local variable | -| main.rs:22:48:22:56 | precision | main.rs:19:9:19:17 | precision | local variable | -| main.rs:23:21:23:22 | {} | main.rs:23:29:23:33 | value | format argument | -| main.rs:23:24:23:25 | {} | main.rs:23:36:23:40 | width | format argument | -| main.rs:23:29:23:33 | value | main.rs:20:9:20:13 | value | local variable | -| main.rs:23:36:23:40 | width | main.rs:18:9:18:13 | width | local variable | -| main.rs:25:22:25:27 | people | main.rs:24:9:24:14 | people | local variable | -| main.rs:26:16:26:16 | 1 | main.rs:26:34:26:34 | 2 | format argument | -| main.rs:26:19:26:20 | {} | main.rs:26:31:26:31 | 1 | format argument | -| main.rs:26:23:26:23 | 0 | main.rs:26:31:26:31 | 1 | format argument | -| main.rs:26:26:26:27 | {} | main.rs:26:34:26:34 | 2 | format argument | -| main.rs:27:31:27:35 | {:<5} | main.rs:27:40:27:42 | "x" | format argument | -| main.rs:28:13:28:13 | S | main.rs:1:1:1:9 | struct S | path | -| main.rs:29:13:29:14 | M1 | main.rs:5:1:15:1 | mod M1 | path | -| main.rs:29:17:29:18 | M2 | main.rs:6:5:14:5 | mod M2 | path | -| main.rs:29:21:29:21 | S | main.rs:7:9:7:21 | struct S | path | -| main.rs:30:5:30:5 | s | 
main.rs:29:9:29:9 | s | local variable | -| main.rs:30:7:30:12 | method | main.rs:10:13:12:13 | fn method | method | +| main.rs:16:22:16:22 | T | main.rs:16:19:16:19 | T | path | +| main.rs:18:13:18:17 | S2::<...> | main.rs:16:5:16:24 | struct S2 | path | +| main.rs:18:16:18:16 | T | main.rs:18:10:18:10 | T | path | +| main.rs:19:23:19:23 | T | main.rs:18:10:18:10 | T | path | +| main.rs:19:29:19:32 | Self | main.rs:16:5:16:24 | struct S2 | path | +| main.rs:20:16:20:16 | x | main.rs:19:20:19:20 | x | local variable | +| main.rs:29:22:29:26 | value | main.rs:29:50:29:54 | value | format argument | +| main.rs:29:29:29:33 | width | main.rs:26:9:26:13 | width | local variable | +| main.rs:29:36:29:44 | precision | main.rs:27:9:27:17 | precision | local variable | +| main.rs:30:22:30:22 | 0 | main.rs:30:34:30:38 | value | format argument | +| main.rs:30:25:30:25 | 1 | main.rs:30:41:30:45 | width | format argument | +| main.rs:30:28:30:28 | 2 | main.rs:30:48:30:56 | precision | format argument | +| main.rs:30:34:30:38 | value | main.rs:28:9:28:13 | value | local variable | +| main.rs:30:41:30:45 | width | main.rs:26:9:26:13 | width | local variable | +| main.rs:30:48:30:56 | precision | main.rs:27:9:27:17 | precision | local variable | +| main.rs:31:21:31:22 | {} | main.rs:31:29:31:33 | value | format argument | +| main.rs:31:24:31:25 | {} | main.rs:31:36:31:40 | width | format argument | +| main.rs:31:29:31:33 | value | main.rs:28:9:28:13 | value | local variable | +| main.rs:31:36:31:40 | width | main.rs:26:9:26:13 | width | local variable | +| main.rs:33:22:33:27 | people | main.rs:32:9:32:14 | people | local variable | +| main.rs:34:16:34:16 | 1 | main.rs:34:34:34:34 | 2 | format argument | +| main.rs:34:19:34:20 | {} | main.rs:34:31:34:31 | 1 | format argument | +| main.rs:34:23:34:23 | 0 | main.rs:34:31:34:31 | 1 | format argument | +| main.rs:34:26:34:27 | {} | main.rs:34:34:34:34 | 2 | format argument | +| main.rs:35:31:35:35 | {:<5} | main.rs:35:40:35:42 | "x" 
| format argument | +| main.rs:36:13:36:13 | S | main.rs:1:1:1:9 | struct S | path | +| main.rs:37:13:37:14 | M1 | main.rs:5:1:23:1 | mod M1 | path | +| main.rs:37:17:37:18 | M2 | main.rs:6:5:14:5 | mod M2 | path | +| main.rs:37:21:37:21 | S | main.rs:7:9:7:21 | struct S | path | +| main.rs:38:5:38:5 | s | main.rs:37:9:37:9 | s | local variable | +| main.rs:38:7:38:12 | method | main.rs:10:13:12:13 | fn method | method | +| main.rs:39:5:39:6 | M1 | main.rs:5:1:23:1 | mod M1 | path | +| main.rs:39:9:39:15 | S2::<...> | main.rs:16:5:16:24 | struct S2 | path | +| main.rs:39:14:39:14 | S | main.rs:1:1:1:9 | struct S | path | +| main.rs:39:18:39:20 | new | main.rs:19:9:21:9 | fn new | path | +| main.rs:39:22:39:22 | S | main.rs:1:1:1:9 | struct S | path | diff --git a/rust/ql/test/library-tests/definitions/main.rs b/rust/ql/test/library-tests/definitions/main.rs index 35acea6858e..89742adf8f9 100644 --- a/rust/ql/test/library-tests/definitions/main.rs +++ b/rust/ql/test/library-tests/definitions/main.rs @@ -12,6 +12,14 @@ mod M1 { } } } + + pub struct S2(T); + + impl S2 { + pub fn new(x: T) -> Self { + S2(x) + } + } } fn main() { @@ -28,4 +36,5 @@ fn main() { let x = S; let s = M1::M2::S; s.method(); + M1::S2::::new(S); } From 714423d6b9112ab9bc84875a5c59e6bd976a0528 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Tue, 19 Aug 2025 10:22:32 +0200 Subject: [PATCH 14/37] Rust: Adjust jump-to-def for paths with generic arguments --- rust/ql/lib/codeql/rust/internal/Definitions.qll | 4 ++-- rust/ql/test/library-tests/definitions/Definitions.expected | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rust/ql/lib/codeql/rust/internal/Definitions.qll b/rust/ql/lib/codeql/rust/internal/Definitions.qll index c03ece9d56d..b1b3e475c46 100644 --- a/rust/ql/lib/codeql/rust/internal/Definitions.qll +++ b/rust/ql/lib/codeql/rust/internal/Definitions.qll 
@@ -135,10 +135,10 @@ private class PositionalFormatArgumentUse extends Use instanceof PositionalForma override string getUseType() { result = "format argument" } } -private class PathUse extends Use instanceof PathSegment { +private class PathUse extends Use instanceof NameRef { private Path path; - PathUse() { this = path.getSegment() } + PathUse() { this = path.getSegment().getIdentifier() } private CallExpr getCall() { result.getFunction().(PathExpr).getPath() = path } diff --git a/rust/ql/test/library-tests/definitions/Definitions.expected b/rust/ql/test/library-tests/definitions/Definitions.expected index 476e97e1e6c..b6f8201240a 100644 --- a/rust/ql/test/library-tests/definitions/Definitions.expected +++ b/rust/ql/test/library-tests/definitions/Definitions.expected @@ -3,7 +3,7 @@ | main.rs:10:36:10:39 | Self | main.rs:7:9:7:21 | struct S | path | | main.rs:11:17:11:17 | S | main.rs:7:9:7:21 | struct S | path | | main.rs:16:22:16:22 | T | main.rs:16:19:16:19 | T | path | -| main.rs:18:13:18:17 | S2::<...> | main.rs:16:5:16:24 | struct S2 | path | +| main.rs:18:13:18:14 | S2 | main.rs:16:5:16:24 | struct S2 | path | | main.rs:18:16:18:16 | T | main.rs:18:10:18:10 | T | path | | main.rs:19:23:19:23 | T | main.rs:18:10:18:10 | T | path | | main.rs:19:29:19:32 | Self | main.rs:16:5:16:24 | struct S2 | path | @@ -34,7 +34,7 @@ | main.rs:38:5:38:5 | s | main.rs:37:9:37:9 | s | local variable | | main.rs:38:7:38:12 | method | main.rs:10:13:12:13 | fn method | method | | main.rs:39:5:39:6 | M1 | main.rs:5:1:23:1 | mod M1 | path | -| main.rs:39:9:39:15 | S2::<...> | main.rs:16:5:16:24 | struct S2 | path | +| main.rs:39:9:39:10 | S2 | main.rs:16:5:16:24 | struct S2 | path | | main.rs:39:14:39:14 | S | main.rs:1:1:1:9 | struct S | path | | main.rs:39:18:39:20 | new | main.rs:19:9:21:9 | fn new | path | | main.rs:39:22:39:22 | S | main.rs:1:1:1:9 | struct S | path | From c1b91db37ab39eebe91fbb3da9e6af86f26fba48 Mon Sep 17 00:00:00 2001 
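Review bot: `PathUse` now keys on `path.getSegment().getIdentifier()` instead of the whole segment, so any segment that has no identifier is no longer a `PathUse` at all, and the class carries no comment saying why the use location moved from the segment to its name. A one-line comment above the characteristic predicate would make the intent clear, e.g. `// Use only the segment's name so generic arguments are not part of the use range`. Whether some segment kinds lose their jump-to-def target as a result is not visible from this hunk; the `Definitions.expected` changes only show the generic-argument case. The class body continues outside the hunk.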
From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 12:32:09 +0200 Subject: [PATCH 15/37] C++: Add more virtual dispatch tests. --- .../library-tests/dataflow/dispatch/test.cpp | 127 ++++++++++++++++++ .../dataflow/dispatch/test.expected | 0 .../library-tests/dataflow/dispatch/test.ql | 22 +++ 3 files changed, 149 insertions(+) create mode 100644 cpp/ql/test/library-tests/dataflow/dispatch/test.cpp create mode 100644 cpp/ql/test/library-tests/dataflow/dispatch/test.expected create mode 100644 cpp/ql/test/library-tests/dataflow/dispatch/test.ql diff --git a/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp b/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp new file mode 100644 index 00000000000..b89ba51f1c6 --- /dev/null +++ b/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp 
@@ -0,0 +1,127 @@ +struct Base { + void f(); + virtual void virtual_f(); +}; + +struct Derived : Base { + void f(); + void virtual_f(); +}; + +void test_simple() { + Base b; + b.f(); // $ target=2 + b.virtual_f(); // $ target=3 + + Derived d; + d.f(); // $ target=7 + d.virtual_f(); // $ target=8 + + Base* b_ptr = &d; + b_ptr->f(); // $ target=2 + b_ptr->virtual_f(); // $ target=8 SPURIOUS: target=3 + + Base& b_ref = d; + b_ref.f(); // $ target=2 + b_ref.virtual_f(); // $ target=8 SPURIOUS: target=3 + + Base* b_null = nullptr; + b_null->f(); // $ target=2 + b_null->virtual_f(); // $ target=3 + + Base* base_is_derived = new Derived(); + base_is_derived->f(); // $ target=2 + base_is_derived->virtual_f(); // $ target=8 SPURIOUS: target=3 + + Base* base_is_base = new Base(); + base_is_base->f(); // $ target=2 + base_is_base->virtual_f(); // $ target=3 + + Derived* derived_is_derived = new Derived(); + derived_is_derived->f(); // $ target=7 + derived_is_derived->virtual_f(); // $ target=8 + + Base& b_ref2 = b; + b_ref2 = d; + b_ref2.f(); // $ target=2 + b_ref2.virtual_f(); // $ target=3 +} + +struct S { + Base* b1; + Base* b2; +}; + +void test_fields() { + S s; + + s.b1 = new Base(); + s.b2 = new Derived(); + + s.b1->virtual_f(); // $ target=3 + s.b2->virtual_f(); // $ SPURIOUS: target=3 MISSING: target=8 + + s.b1 = new Derived(); + s.b2 = new Base(); + s.b1->virtual_f(); // $ MISSING: target=8 SPURIOUS: target=3 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA + s.b2->virtual_f(); // $ target=3 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA +} + +Base* getDerived() { + return new Derived(); +} + +void test_getDerived() { + Base* b = getDerived(); + b->virtual_f(); // $ target=8 SPURIOUS: target=3 + + Derived d = *(Derived*)getDerived(); + d.virtual_f(); // $ target=8 +} + +void write_to_arg(Base* b) { + *b = Derived(); +} + +void write_to_arg_2(Base** b) { + Derived* d = new Derived(); + *b = 
d; +} + +void test_write_to_arg() { + { + Base b; + write_to_arg(&b); + b.virtual_f(); // $ SPURIOUS: target=3 MISSING: target=8 // missing flow through the copy-constructor in write_to_arg + } + + { + Base* b; + write_to_arg_2(&b); + b->virtual_f(); // $ target=8 SPURIOUS: target=3 + } +} + +Base* global_derived; + +void set_global_to_derived() { + global_derived = new Derived(); +} + +void read_global() { + global_derived->virtual_f(); // $ target=8 SPURIOUS: target=3 +} + +Base* global_base_or_derived; + +void set_global_base_or_derived_1() { + global_base_or_derived = new Base(); +} + +void set_global_base_or_derived_2() { + global_base_or_derived = new Derived(); +} + +void read_global_base_or_derived() { + global_base_or_derived->virtual_f(); // $ target=3 target=8 +} \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/dispatch/test.expected b/cpp/ql/test/library-tests/dataflow/dispatch/test.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/cpp/ql/test/library-tests/dataflow/dispatch/test.ql b/cpp/ql/test/library-tests/dataflow/dispatch/test.ql new file mode 100644 index 00000000000..de16d6da1ef --- /dev/null +++ b/cpp/ql/test/library-tests/dataflow/dispatch/test.ql @@ -0,0 +1,22 @@ +import cpp +import utils.test.InlineExpectationsTest +import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch +import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate + +module ResolveDispatchTest implements TestSig { + string getARelevantTag() { result = "target" } + + predicate hasActualResult(Location location, string element, string tag, string value) { + exists(DataFlowCall call, SourceCallable callable, MemberFunction mf | + mf = callable.asSourceCallable() and + not mf.isCompilerGenerated() and + callable = viableCallable(call) and + location = call.getLocation() and + element = call.toString() and + tag = "target" and + value = callable.getLocation().getStartLine().toString() + ) + } +} + +import MakeTest 
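Review bot: The new test.cpp ends without a trailing newline (the `\ No newline at end of file` marker), which formatters and whitespace linters in the tree are likely to flag; add the newline. The `b_ref2 = d;` case in `test_simple` reads like a missing `target=8` unless the reader notices the slicing, so a comment such as `// slicing: copies d's Base subobject into b, so the dynamic type stays Base` would keep the expectation from being "fixed" later. The `b_null->f()` and `b_null->virtual_f()` lines dereference a null pointer; that is presumably intentional since the file is only extracted, never run, but a short comment saying so would save the next reader the question.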
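Review bot: `hasActualResult` hard-codes `tag = "target"` even though `getARelevantTag()` a few lines above already defines that string; using `tag = getARelevantTag()` keeps the two from drifting apart if the tag is ever renamed. The `MemberFunction mf` binding exists only to apply `not mf.isCompilerGenerated()`, which is not obvious at first read; a comment like `// skip compiler-generated members so only user-written functions count as targets` would explain the join.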
From 42fcfca8499d698eeb28bb694d9197adb2e331fa Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 12:39:26 +0200 Subject: [PATCH 16/37] C++: Remove the old virtual dispatch case from 'defaultViableCallable' and slightly reorganize the code in preparation for the next commit. --- .../ir/dataflow/internal/DataFlowDispatch.qll | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
index b5e899bf0aa..e762a82d04f 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -11,7 +11,15 @@ private import DataFlowImplCommon as DataFlowImplCommon
 * from `AdditionalCallTarget` into account.
 */
 cached
-DataFlowCallable defaultViableCallable(DataFlowCall call) {
+DataFlowPrivate::DataFlowCallable defaultViableCallable(DataFlowPrivate::DataFlowCall call) {
+ result = defaultViableCallableWithoutLambda(call)
+ or
+ result = DataFlowImplCommon::viableCallableLambda(call, _)
+}
+
+private DataFlowPrivate::DataFlowCallable defaultViableCallableWithoutLambda(
+ DataFlowPrivate::DataFlowCall call
+) {
 DataFlowImplCommon::forceCachingInSameStage() and
 result = call.getStaticCallTarget()
 or
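Review bot: The doc comment that still heads `defaultViableCallable` (it starts above the hunk) describes the old single predicate, while the new private helper `defaultViableCallableWithoutLambda` has no doc comment at all; add one such as `/** Gets a function that might be called by call, not taking lambda call targets into account. */`. The `DataFlowImplCommon::forceCachingInSameStage()` conjunct now lives in the uncached helper rather than in the `cached` predicate; if its purpose is to pin the caching stage, confirm it still has that effect when reached only through the private predicate. The helper's body continues past the end of the hunk.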
@@ -26,17 +34,13 @@ DataFlowCallable defaultViableCallable(DataFlowCall call) { functionSignatureWithBody(qualifiedName, nparams, result.getUnderlyingCallable()) and strictcount(Function other | functionSignatureWithBody(qualifiedName, nparams, other)) = 1 ) - or - // Virtual dispatch - result.asSourceCallable() = call.(VirtualDispatch::DataSensitiveCall).resolve() } /** * Gets a function that might be called by `call`. */ -cached -DataFlowCallable viableCallable(DataFlowCall call) { - result = defaultViableCallable(call) +private DataFlowPrivate::DataFlowCallable nonVirtualDispatch(DataFlowPrivate::DataFlowCall call) { + result = defaultViableCallableWithoutLambda(call) or // Additional call targets result.getUnderlyingCallable() = From fdb9f7ba2afd971122e17770a6e60bc4632d2905 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 12:42:15 +0200 Subject: [PATCH 17/37] C++: Move these predicates to make the diff smaller. --- .../ir/dataflow/internal/DataFlowDispatch.qll | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll index e762a82d04f..477875fffde 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll 
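Review bot: The doc comment `/** Gets a function that might be called by \`call\`. */` now heads `nonVirtualDispatch`, which by construction omits virtual-dispatch targets (the `VirtualDispatch::DataSensitiveCall` disjunct is removed just above) and lambda targets, so the comment overstates what it returns; change it to `/** Gets a non-virtual target of \`call\`: its static target, a cross-link-target match, or an \`AdditionalCallTarget\`. Virtual dispatch is resolved separately. */`. This commit also deletes the public `viableCallable` without a replacement, which only reappears in a later commit of the series, so the intermediate commit does not compile on its own; consider squashing the two. The body of `nonVirtualDispatch` continues outside the hunk.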
@@ -4,6 +4,39 @@ private import DataFlowPrivate private import DataFlowUtil private import DataFlowImplCommon as DataFlowImplCommon +/** + * Holds if `f` has name `qualifiedName` and `nparams` parameter count. This is + * an approximation of its signature for the purpose of matching functions that + * might be the same across link targets. + */ +private predicate functionSignature(Function f, string qualifiedName, int nparams) { + qualifiedName = f.getQualifiedName() and + nparams = f.getNumberOfParameters() and + not f.isStatic() +} + +/** + * Holds if `f` is a function with a body that has name `qualifiedName` and + * `nparams` parameter count. See `functionSignature`. + */ +private predicate functionSignatureWithBody(string qualifiedName, int nparams, Function f) { + functionSignature(f, qualifiedName, nparams) and + exists(f.getBlock()) +} + +/** + * Holds if the target of `call` is a function _with no definition_ that has + * name `qualifiedName` and `nparams` parameter count. See `functionSignature`. + */ +pragma[noinline] +private predicate callSignatureWithoutBody(string qualifiedName, int nparams, CallInstruction call) { + exists(Function target | + target = call.getStaticCallTarget() and + not exists(target.getBlock()) and + functionSignature(target, qualifiedName, nparams) + ) +} + /** * Gets a function that might be called by `call`. * 
@@ -219,39 +252,6 @@ private module VirtualDispatch { } } -/** - * Holds if `f` is a function with a body that has name `qualifiedName` and - * `nparams` parameter count. See `functionSignature`. - */ -private predicate functionSignatureWithBody(string qualifiedName, int nparams, Function f) { - functionSignature(f, qualifiedName, nparams) and - exists(f.getBlock()) -} - -/** - * Holds if the target of `call` is a function _with no definition_ that has - * name `qualifiedName` and `nparams` parameter count. See `functionSignature`. - */ -pragma[noinline] -private predicate callSignatureWithoutBody(string qualifiedName, int nparams, CallInstruction call) { - exists(Function target | - target = call.getStaticCallTarget() and - not exists(target.getBlock()) and - functionSignature(target, qualifiedName, nparams) - ) -} - -/** - * Holds if `f` has name `qualifiedName` and `nparams` parameter count. This is - * an approximation of its signature for the purpose of matching functions that - * might be the same across link targets. - */ -private predicate functionSignature(Function f, string qualifiedName, int nparams) { - qualifiedName = f.getQualifiedName() and - nparams = f.getNumberOfParameters() and - not f.isStatic() -} - /** * Holds if the set of viable implementations that can be called by `call` * might be improved by knowing the call context. From caf7464f3be67df6b001b715ac82b2c0da1d47d7 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 12:45:37 +0200 Subject: [PATCH 18/37] C++: Prefix with 'DataflowPrivate'. --- .../ir/dataflow/internal/DataFlowDispatch.qll | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll index 477875fffde..a4d29cdbcb9 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll 
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll @@ -1,6 +1,6 @@ private import cpp private import semmle.code.cpp.ir.IR -private import DataFlowPrivate +private import DataFlowPrivate as DataFlowPrivate private import DataFlowUtil private import DataFlowImplCommon as DataFlowImplCommon @@ -256,14 +256,16 @@ private module VirtualDispatch { * Holds if the set of viable implementations that can be called by `call` * might be improved by knowing the call context. */ -predicate mayBenefitFromCallContext(DataFlowCall call) { mayBenefitFromCallContext(call, _, _) } +predicate mayBenefitFromCallContext(DataFlowPrivate::DataFlowCall call) { + mayBenefitFromCallContext(call, _, _) +} /** * Holds if `call` is a call through a function pointer, and the pointer * value is given as the `arg`'th argument to `f`. */ private predicate mayBenefitFromCallContext( - VirtualDispatch::DataSensitiveCall call, DataFlowCallable f, int arg + DataFlowPrivate::DataFlowCall call, DataFlowPrivate::DataFlowCallable f, int arg ) { f = pragma[only_bind_out](call).getEnclosingCallable() and exists(InitializeParameterInstruction init | @@ -278,9 +280,11 @@ private predicate mayBenefitFromCallContext( * Gets a viable dispatch target of `call` in the context `ctx`. This is * restricted to those `call`s for which a context might make a difference. */ -DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) { +DataFlowPrivate::DataFlowCallable viableImplInCallContext( + DataFlowPrivate::DataFlowCall call, DataFlowPrivate::DataFlowCall ctx +) { result = viableCallable(call) and - exists(int i, DataFlowCallable f | + exists(int i, DataFlowPrivate::DataFlowCallable f | mayBenefitFromCallContext(pragma[only_bind_into](call), f, i) and f = ctx.getStaticCallTarget() and result.asSourceCallable() = 
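Review bot: Changing the parameter of the private `mayBenefitFromCallContext` from `VirtualDispatch::DataSensitiveCall` to `DataFlowPrivate::DataFlowCall` widens its domain, which is a semantic change rather than the namespace-prefixing the commit message describes; its body, cut off at the end of the hunk, still contains the `call.flowsFrom(instructionNode(init), _)` conjunct that a later commit removes, and `flowsFrom` is only declared on `DataSensitiveCall`, so this commit likely does not compile by itself. Either keep the narrower type here or fold this change into the commit that rewrites the body. The doc comment `Holds if \`call\` is a call through a function pointer, and the pointer value is given as the \`arg\`'th argument to \`f\`` should also state that `f` is the callable enclosing `call`, which the first conjunct `f = pragma[only_bind_out](call).getEnclosingCallable()` establishes.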
@@ -290,4 +294,8 @@ DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) { /** Holds if arguments at position `apos` match parameters at position `ppos`. */ pragma[inline] -predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } +predicate parameterMatch( + DataFlowPrivate::ParameterPosition ppos, DataFlowPrivate::ArgumentPosition apos +) { + ppos = apos +} From d4188d59a8d0beabb9664e67054e11d2dca03951 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 12:48:07 +0200 Subject: [PATCH 19/37] C++: Instantiate the type tracking module inside a reusable module like it's done in Java. --- .../ir/dataflow/internal/DataFlowDispatch.qll | 321 ++++++++++-------- 1 file changed, 175 insertions(+), 146 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll index a4d29cdbcb9..c9e1ac8cfee 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll @@ -1,8 +1,11 @@ private import cpp private import semmle.code.cpp.ir.IR +private import semmle.code.cpp.ir.dataflow.DataFlow private import DataFlowPrivate as DataFlowPrivate private import DataFlowUtil private import DataFlowImplCommon as DataFlowImplCommon +private import codeql.typetracking.TypeTracking +private import SsaImpl as SsaImpl /** * Holds if `f` has name `qualifiedName` and `nparams` parameter count. This is 
@@ -81,174 +84,200 @@ private DataFlowPrivate::DataFlowCallable nonVirtualDispatch(DataFlowPrivate::Da .viableTarget(call.asCallInstruction().getUnconvertedResultExpression()) } +private class RelevantNode extends Node { + RelevantNode() { this.getType().stripType() instanceof Class } +} + +private signature DataFlowPrivate::DataFlowCallable methodDispatchSig( + DataFlowPrivate::DataFlowCall c +); + +private predicate ignoreConstructor(Expr e) { + e instanceof ConstructorDirectInit or + e instanceof ConstructorVirtualInit or + e instanceof ConstructorDelegationInit or + exists(ConstructorFieldInit init | init.getExpr() = e) +} + /** - * Provides virtual dispatch support compatible with the original - * implementation of `semmle.code.cpp.security.TaintTracking`. + * Holds if `n` is either: + * - the post-update node of a qualifier after a call to a constructor which + * constructs an object containing at least one virtual function. + * - a node which represents a derived-to-base instruction that converts from `c`. */ -private module VirtualDispatch { - /** A call that may dispatch differently depending on the qualifier value. */ - abstract class DataSensitiveCall extends DataFlowCall { - /** - * Gets the node whose value determines the target of this call. This node - * could be the qualifier of a virtual dispatch or the function-pointer - * expression in a call to a function pointer. What they have in common is - * that we need to find out which data flows there, and then it's up to the - * `resolve` predicate to stitch that information together and resolve the - * call. 
- */ - abstract Node getDispatchValue(); +private predicate lambdaSourceImpl(RelevantNode n, Class c) { + // Object construction + exists(CallInstruction call, ThisArgumentOperand qualifier, Call e | + qualifier = call.getThisArgumentOperand() and + n.(PostUpdateNode).getPreUpdateNode().asOperand() = qualifier and + call.getStaticCallTarget() instanceof Constructor and + qualifier.getType().stripType() = c and + c.getABaseClass*().getAMemberFunction().isVirtual() and + e = call.getUnconvertedResultExpression() and + not ignoreConstructor(e) + | + exists(c.getABaseClass()) + or + exists(c.getADerivedClass()) + ) + or + // Conversion to a base class + exists(ConvertToBaseInstruction convert | + // Only keep the most specific cast + not convert.getUnary() instanceof ConvertToBaseInstruction and + n.asInstruction() = convert and + convert.getDerivedClass() = c and + c.getABaseClass*().getAMemberFunction().isVirtual() + ) +} - /** Gets a candidate target for this call. */ - abstract Function resolve(); +private module TrackVirtualDispatch { + /** + * Gets a possible runtime target of `c` using both static call-target + * information, and call-target resolution from `lambdaDispatch0`. + */ + private DataFlowPrivate::DataFlowCallable dispatch(DataFlowPrivate::DataFlowCall c) { + result = nonVirtualDispatch(c) or + result = lambdaDispatch0(c) + } - /** - * Whether `src` can flow to this call. - * - * Searches backwards from `getDispatchValue()` to `src`. The `allowFromArg` - * parameter is true when the search is allowed to continue backwards into - * a parameter; non-recursive callers should pass `_` for `allowFromArg`. 
- */ - predicate flowsFrom(Node src, boolean allowFromArg) { - src = this.getDispatchValue() and allowFromArg = true - or - exists(Node other, boolean allowOtherFromArg | this.flowsFrom(other, allowOtherFromArg) | - // Call argument - exists(DataFlowCall call, Position i | - other.(ParameterNode).isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and - src.(ArgumentNode).argumentOf(call, pragma[only_bind_into](pragma[only_bind_out](i))) - ) and - allowOtherFromArg = true and - allowFromArg = true + private module TtInput implements TypeTrackingInput { + final class Node = RelevantNode; + + class LocalSourceNode extends Node { + LocalSourceNode() { + this instanceof ParameterNode or - // Call return - exists(DataFlowCall call, ReturnKind returnKind | - other = getAnOutNode(call, returnKind) and - returnNodeWithKindAndEnclosingCallable(src, returnKind, call.getStaticCallTarget()) - ) and - allowFromArg = false + this instanceof DataFlowPrivate::OutNode or - // Local flow - localFlowStep(src, other) and - allowFromArg = allowOtherFromArg + DataFlowPrivate::readStep(_, _, this) or - // Flow from global variable to load. - exists(LoadInstruction load, GlobalOrNamespaceVariable var | - var = src.asVariable() and - other.asInstruction() = load and - addressOfGlobal(load.getSourceAddress(), var) and - // The `allowFromArg` concept doesn't play a role when `src` is a - // global variable, so we just set it to a single arbitrary value for - // performance. - allowFromArg = true - ) - or - // Flow from store to global variable. - exists(StoreInstruction store, GlobalOrNamespaceVariable var | - var = other.asVariable() and - store = src.asInstruction() and - storeIntoGlobal(store, var) and - // Setting `allowFromArg` to `true` like in the base case means we - // treat a store to a global variable like the dispatch itself: flow - // may come from anywhere. 
- allowFromArg = true + DataFlowPrivate::storeStep(_, _, this) + or + DataFlowPrivate::jumpStep(_, this) + or + lambdaSourceImpl(this, _) + } + } + + final private class ContentSetFinal = ContentSet; + + class Content extends ContentSetFinal { + Content() { + exists(DataFlow::Content c | + this.isSingleton(c) and + c.getIndirectionIndex() = 1 ) + } + } + + class ContentFilter extends Content { + Content getAMatchingContent() { result = this } + } + + predicate compatibleContents(Content storeContents, Content loadContents) { + storeContents = loadContents + } + + predicate simpleLocalSmallStep(Node nodeFrom, Node nodeTo) { + nodeFrom.getFunction() instanceof Function and + simpleLocalFlowStep(nodeFrom, nodeTo, _) + } + + predicate levelStepNoCall(Node n1, LocalSourceNode n2) { none() } + + predicate levelStepCall(Node n1, LocalSourceNode n2) { none() } + + predicate storeStep(Node n1, Node n2, Content f) { DataFlowPrivate::storeStep(n1, f, n2) } + + predicate callStep(Node n1, LocalSourceNode n2) { + exists(DataFlowPrivate::DataFlowCall call, DataFlowPrivate::Position pos | + n1.(DataFlowPrivate::ArgumentNode).argumentOf(call, pos) and + n2.(ParameterNode).isParameterOf(dispatch(call), pos) ) } + + predicate returnStep(Node n1, LocalSourceNode n2) { + exists(DataFlowPrivate::DataFlowCallable callable, DataFlowPrivate::DataFlowCall call | + n1.(DataFlowPrivate::ReturnNode).getEnclosingCallable() = callable and + callable = dispatch(call) and + n2 = DataFlowPrivate::getAnOutNode(call, n1.(DataFlowPrivate::ReturnNode).getKind()) + ) + } + + predicate loadStep(Node n1, LocalSourceNode n2, Content f) { + DataFlowPrivate::readStep(n1, f, n2) + } + + predicate loadStoreStep(Node nodeFrom, Node nodeTo, Content f1, Content f2) { none() } + + predicate withContentStep(Node nodeFrom, LocalSourceNode nodeTo, ContentFilter f) { none() } + + predicate withoutContentStep(Node nodeFrom, LocalSourceNode nodeTo, ContentFilter f) { none() } + + predicate jumpStep(Node n1, 
LocalSourceNode n2) { DataFlowPrivate::jumpStep(n1, n2) } + + predicate hasFeatureBacktrackStoreTarget() { none() } } - pragma[noinline] - private predicate storeIntoGlobal(StoreInstruction store, GlobalOrNamespaceVariable var) { - addressOfGlobal(store.getDestinationAddress(), var) + private predicate lambdaSource(RelevantNode n) { lambdaSourceImpl(n, _) } + + /** + * Holds if `n` is the qualifier of `call` which targets the virtual member + * function `mf`. + */ + private predicate lambdaSinkImpl(RelevantNode n, CallInstruction call, MemberFunction mf) { + n.asOperand() = call.getThisArgumentOperand() and + call.getStaticCallTarget() = mf and + mf.isVirtual() } - /** Holds if `addressInstr` is an instruction that produces the address of `var`. */ - private predicate addressOfGlobal(Instruction addressInstr, GlobalOrNamespaceVariable var) { - // Access directly to the global variable - addressInstr.(VariableAddressInstruction).getAstVariable() = var - or - // Access to a field on a global union - exists(FieldAddressInstruction fa | - fa = addressInstr and - fa.getObjectAddress().(VariableAddressInstruction).getAstVariable() = var and - fa.getField().getDeclaringType() instanceof Union + private predicate lambdaSink(RelevantNode n) { lambdaSinkImpl(n, _, _) } + + private import TypeTracking::TypeTrack::Graph + + private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2) + + /** + * Gets the most specific implementation of `mf` that may be called when the + * qualifier has runtime type `c`. + */ + private MemberFunction mostSpecific(MemberFunction mf, Class c) { + lambdaSinkImpl(_, _, mf) and + mf.getAnOverridingFunction*() = result and + ( + result.getDeclaringType() = c + or + not c.getAMemberFunction().getAnOverriddenFunction*() = mf and + result = mostSpecific(mf, c.getABaseClass()) ) } /** - * A ReturnNode with its ReturnKind and its enclosing callable. - * - * Used to fix a join ordering issue in flowsFrom. 
+ * Gets a possible pair of end-points `(p1, p2)` where: + * - `p1` is a derived-to-base conversion that converts from some + * class `derived`, and + * - `p2` is the qualifier of a call to a virtual function that may + * target `callable`, and + * - `callable` is the most specific implementation that may be called when + * the qualifier has type `derived`. */ - pragma[noinline] - private predicate returnNodeWithKindAndEnclosingCallable( - ReturnNode node, ReturnKind kind, DataFlowCallable callable + private predicate pairCand( + PathNode p1, PathNode p2, DataFlowPrivate::DataFlowCallable callable, + DataFlowPrivate::DataFlowCall call ) { - node.getKind() = kind and - node.getFunction() = callable.getUnderlyingCallable() + exists(Class derived, MemberFunction mf | + lambdaSourceImpl(p1.getNode(), derived) and + lambdaSinkImpl(p2.getNode(), call.asCallInstruction(), mf) and + p1.isSource() and + p2.isSink() and + callable.asSourceCallable() = mostSpecific(mf, derived) + ) } - /** Call through a function pointer. */ - private class DataSensitiveExprCall extends DataSensitiveCall { - DataSensitiveExprCall() { not exists(this.getStaticCallTarget()) } - - override Node getDispatchValue() { result.asOperand() = this.getCallTargetOperand() } - - override Function resolve() { - exists(FunctionInstruction fi | - this.flowsFrom(instructionNode(fi), _) and - result = fi.getFunctionSymbol() - ) and - ( - this.getNumberOfArguments() <= result.getEffectiveNumberOfParameters() and - this.getNumberOfArguments() >= result.getEffectiveNumberOfParameters() - or - result.isVarargs() - ) - } - } - - /** Call to a virtual function. 
*/ - private class DataSensitiveOverriddenFunctionCall extends DataSensitiveCall { - DataSensitiveOverriddenFunctionCall() { - exists( - this.getStaticCallTarget() - .getUnderlyingCallable() - .(VirtualFunction) - .getAnOverridingFunction() - ) - } - - override Node getDispatchValue() { result.asInstruction() = this.getArgument(-1) } - - override MemberFunction resolve() { - exists(Class overridingClass | - this.overrideMayAffectCall(overridingClass, result) and - this.hasFlowFromCastFrom(overridingClass) - ) - } - - /** - * Holds if `this` is a virtual function call whose static target is - * overridden by `overridingFunction` in `overridingClass`. - */ - pragma[noinline] - private predicate overrideMayAffectCall(Class overridingClass, MemberFunction overridingFunction) { - overridingFunction.getAnOverriddenFunction+() = - this.getStaticCallTarget().getUnderlyingCallable().(VirtualFunction) and - overridingFunction.getDeclaringType() = overridingClass - } - - /** - * Holds if the qualifier of `this` has flow from an upcast from - * `derivedClass`. - */ - pragma[noinline] - private predicate hasFlowFromCastFrom(Class derivedClass) { - exists(ConvertToBaseInstruction toBase | - this.flowsFrom(instructionNode(toBase), _) and - derivedClass = toBase.getDerivedClass() - ) - } + /** Gets a possible run-time target of `call`. */ + DataFlowPrivate::DataFlowCallable lambdaDispatch(DataFlowPrivate::DataFlowCall call) { + exists(PathNode p1, PathNode p2 | p1 = p2 or edgePlus(p1, p2) | pairCand(p1, p2, result, call)) } } From 383799ce67ec9af67d6e1fd155f3440bf2afe55c Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 12:48:31 +0200 Subject: [PATCH 20/37] C++: Perform 6 rounds of virtual dispatch resolution like Java. --- .../ir/dataflow/internal/DataFlowDispatch.qll | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) 
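Review bot: The derived-to-base case of `lambdaSourceImpl` uses `convert.getDerivedClass()` as the object's runtime type, so when the converted pointer is itself base-typed (say a `Middle*` parameter that actually points to a `Bottom`) `mostSpecific(mf, derived)` yields `Middle`'s override and misses more-derived ones; that under-approximation may be an acceptable design choice but it is not documented. Add a comment above that disjunct, e.g. `// The static source type of the innermost cast is taken as the runtime type; objects already referenced through a base-typed pointer are therefore under-approximated.` The `Content` class restricts tracking to singleton contents with `c.getIndirectionIndex() = 1` without saying why; a one-line rationale there would help too. As rendered, `private module TrackVirtualDispatch {` and `private import TypeTracking::TypeTrack::Graph` carry no instantiation arguments while `methodDispatchSig`, `lambdaSource` and `lambdaSink` are otherwise unreferenced, which suggests angle-bracketed parameters were lost in rendering rather than omitted in the file.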
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll index c9e1ac8cfee..c644715aedb 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll @@ -281,6 +281,47 @@ private module TrackVirtualDispatch { } } +private DataFlowPrivate::DataFlowCallable noDisp(DataFlowPrivate::DataFlowCall call) { none() } + +pragma[nomagic] +private DataFlowPrivate::DataFlowCallable d1(DataFlowPrivate::DataFlowCall call) { + result = TrackVirtualDispatch::lambdaDispatch(call) +} + +pragma[nomagic] +private DataFlowPrivate::DataFlowCallable d2(DataFlowPrivate::DataFlowCall call) { + result = TrackVirtualDispatch::lambdaDispatch(call) +} + +pragma[nomagic] +private DataFlowPrivate::DataFlowCallable d3(DataFlowPrivate::DataFlowCall call) { + result = TrackVirtualDispatch::lambdaDispatch(call) +} + +pragma[nomagic] +private DataFlowPrivate::DataFlowCallable d4(DataFlowPrivate::DataFlowCall call) { + result = TrackVirtualDispatch::lambdaDispatch(call) +} + +pragma[nomagic] +private DataFlowPrivate::DataFlowCallable d5(DataFlowPrivate::DataFlowCall call) { + result = TrackVirtualDispatch::lambdaDispatch(call) +} + +pragma[nomagic] +private DataFlowPrivate::DataFlowCallable d6(DataFlowPrivate::DataFlowCall call) { + result = TrackVirtualDispatch::lambdaDispatch(call) +} + +/** Gets a function that might be called by `call`. */ +cached +DataFlowPrivate::DataFlowCallable viableCallable(DataFlowPrivate::DataFlowCall call) { + not exists(d6(call)) and + result = nonVirtualDispatch(call) + or + result = d6(call) +} + /** * Holds if the set of viable implementations that can be called by `call` * might be improved by knowing the call context. From cca5bd9adac088c647874efd7975430a1558495a Mon Sep 17 00:00:00 2001 
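Review bot: In `viableCallable`, a non-empty `d6(call)` replaces every `nonVirtualDispatch(call)` result, including targets contributed through `AdditionalCallTarget`, and the static target is used only when the type-tracking rounds find nothing; that precedence is not explained anywhere in the hunk. Add a comment above the predicate such as `// Prefer targets resolved by type tracking; fall back to static/additional targets only when none are found.`, and a sentence on why six rounds were chosen (the commit message says it mirrors the Java implementation). As rendered, `noDisp` and `d1`..`d5` are never referenced and all six `dN` bodies are the identical `result = TrackVirtualDispatch::lambdaDispatch(call)`; presumably each instantiates `TrackVirtualDispatch` with the previous round's predicate and the angle-bracket arguments were lost in rendering, but that is worth confirming since otherwise the rounds are a no-op.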
From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 12:50:23 +0200 Subject: [PATCH 21/37] C++: Update 'mayBenefitFromCallContext' to not use the old virtual dispatch local flow predicate. --- .../cpp/ir/dataflow/internal/DataFlowDispatch.qll | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll index c644715aedb..899dae69589 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll @@ -330,6 +330,12 @@ predicate mayBenefitFromCallContext(DataFlowPrivate::DataFlowCall call) { mayBenefitFromCallContext(call, _, _) } +private predicate localLambdaFlowStep(Node nodeFrom, Node nodeTo) { + localFlowStep(nodeFrom, nodeTo) + or + DataFlowPrivate::additionalLambdaFlowStep(nodeFrom, nodeTo, _) +} + /** * Holds if `call` is a call through a function pointer, and the pointer * value is given as the `arg`'th argument to `f`. @@ -339,9 +345,13 @@ private predicate mayBenefitFromCallContext( ) { f = pragma[only_bind_out](call).getEnclosingCallable() and exists(InitializeParameterInstruction init | - not exists(call.getStaticCallTarget()) and + not exists(call.getStaticCallTarget()) + or + exists(call.getStaticCallSourceTarget().(VirtualFunction).getAnOverridingFunction()) + | init.getEnclosingFunction() = f.getUnderlyingCallable() and - call.flowsFrom(instructionNode(init), _) and + localLambdaFlowStep+(instructionNode(init), + operandNode(call.asCallInstruction().getCallTargetOperand())) and init.getParameter().getIndex() = arg ) } From 302d35bedc5a7124bc8f5afbe994389ba99d3c87 Mon Sep 17 00:00:00 2001 
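Review bot: The new virtual-function disjunct in `mayBenefitFromCallContext` (`exists(call.getStaticCallSourceTarget().(VirtualFunction).getAnOverridingFunction())`) is paired with a flow check into `call.asCallInstruction().getCallTargetOperand()`, but for a call with a static target that operand is the callee's address rather than the qualifier, so a parameter value is unlikely ever to reach it and the new disjunct looks unreachable in practice; the value that decides a virtual call is the `this` argument, which `lambdaSinkImpl` reads via `getThisArgumentOperand()`. Selecting the operand per case, as below, would make the virtual branch effective; if the IR does route the qualifier through the call-target operand for virtual calls, a comment saying so is needed instead. The doc comment `Holds if \`call\` is a call through a function pointer` should also mention the virtual-call case, and `localLambdaFlowStep+` is an unbounded closure over local steps that deserves a note on its expected cost.
```ql
  exists(InitializeParameterInstruction init, Operand dispatchOperand |
    not exists(call.getStaticCallTarget()) and
    dispatchOperand = call.asCallInstruction().getCallTargetOperand()
    or
    exists(call.getStaticCallSourceTarget().(VirtualFunction).getAnOverridingFunction()) and
    dispatchOperand = call.asCallInstruction().getThisArgumentOperand()
  |
    init.getEnclosingFunction() = f.getUnderlyingCallable() and
    localLambdaFlowStep+(instructionNode(init), operandNode(dispatchOperand)) and
    init.getParameter().getIndex() = arg
  )
```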
From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 12:57:56 +0200 Subject: [PATCH 22/37] C++: Accept test changes. --- .../dataflow/dataflow-tests/dispatch.cpp | 20 +++++++++---------- .../dataflow-tests/test-source-sink.expected | 12 ++--------- .../library-tests/dataflow/dispatch/test.cpp | 20 +++++++++---------- 3 files changed, 22 insertions(+), 30 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp index 105212ccca6..50c698033a4 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp @@ -8,7 +8,7 @@ struct Top { virtual void isSink(int x) { } virtual int notSource1() { return source(); } virtual int notSource2() { return source(); } - virtual void notSink(int x) { sink(x); } // $ SPURIOUS: ast,ir=37:19 ast,ir=45:18 + virtual void notSink(int x) { sink(x); } // $ SPURIOUS: ast=37:19 ast=45:18 }; // This class has the correct behavior for just the functions ending in 2. @@ -32,16 +32,16 @@ void VirtualDispatch(Bottom *bottomPtr, Bottom &bottomRef) { // $ ast-def=bottom sink(topPtr->isSource2()); // $ ir MISSING: ast topPtr->isSink(source()); // causing a MISSING for ast - sink(topPtr->notSource1()); // $ SPURIOUS: ast,ir - sink(topPtr->notSource2()); // $ SPURIOUS: ast,ir + sink(topPtr->notSource1()); // $ SPURIOUS: ast + sink(topPtr->notSource2()); // $ SPURIOUS: ast topPtr->notSink(source()); // causing SPURIOUS for ast,ir sink(topRef.isSource1()); // $ ir MISSING: ast sink(topRef.isSource2()); // $ ir MISSING: ast topRef.isSink(source()); // causing a MISSING for ast - sink(topRef.notSource1()); // $ SPURIOUS: ast,ir - sink(topRef.notSource2()); // $ SPURIOUS: ast,ir + sink(topRef.notSource1()); // $ SPURIOUS: ast + sink(topRef.notSource2()); // $ SPURIOUS: ast topRef.notSink(source()); // causing SPURIOUS for ast,ir } 
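Review bot: The trailing comments `// causing SPURIOUS for ast,ir` on `topPtr->notSink(source());` and `topRef.notSink(source());` are now stale: the `notSink` expectation on line 11 changes from `SPURIOUS: ast,ir=37:19 ast,ir=45:18` to `SPURIOUS: ast=37:19 ast=45:18`, so IR no longer reports those spurious results. Update both to `// causing SPURIOUS for ast` so the prose matches the expectations.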
@@ -52,10 +52,10 @@ Top *readGlobalBottom() { } void DispatchThroughGlobal() { - sink(globalBottom->isSource1()); // $ ir MISSING: ast + sink(globalBottom->isSource1()); // $ MISSING: ast,ir sink(globalMiddle->isSource1()); // no flow - sink(readGlobalBottom()->isSource1()); // $ ir MISSING: ast + sink(readGlobalBottom()->isSource1()); // $ MISSING: ast,ir globalBottom = new Bottom(); globalMiddle = new Middle(); @@ -93,7 +93,7 @@ void callIdentityFunctions(Top *top, Bottom *bottom) { // $ ast-def=bottom ast-d using SinkFunctionType = void (*)(int); void callSink(int x) { - sink(x); // $ ir=107:17 ir=140:8 ir=144:8 MISSING: ast=107:17 ast=140:8 ast=144:8 + sink(x); // $ ir MISSING: ast,ir=107:17 ast,ir=140:8 ast,ir=144:8 } SinkFunctionType returnCallSink() { @@ -126,8 +126,8 @@ namespace virtual_inheritance { // get flow from a `Middle` value to the call qualifier. Top *topPtr = bottomPtr, &topRef = bottomRef; - sink(topPtr->isSource()); // $ MISSING: ast,ir - sink(topRef.isSource()); // $ MISSING: ast,ir + sink(topPtr->isSource()); // $ ir MISSING: ast + sink(topRef.isSource()); // $ ir MISSING: ast } } diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected index 6e0b03be9c6..7ca7e6a9bf0 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected 
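Review bot: The `DispatchThroughGlobal` hunk accepts a regression — `sink(globalBottom->isSource1())` and `sink(readGlobalBottom()->isSource1())` go from `ir` to `MISSING: ast,ir` — that the next commit in this series reverts after fixing `FinalGlobalValue.getType`; reordering or squashing would avoid committing a known-wrong expected state. The `callSink` hunk likewise records the function-pointer flows from lines 140:8 and 144:8 (presumably via `returnCallSink`, whose signature is visible in the context) as newly missing, and nothing later in the visible series restores them, so that loss deserves a comment on the `sink(x);` line naming which mechanism is expected to resolve them, or a tracking follow-up. The `virtual_inheritance` cases now found by IR are a genuine gain.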
@@ -169,26 +169,18 @@ irFlow | clang.cpp:50:35:50:40 | call to source | clang.cpp:53:17:53:26 | *stackArray | | clang.cpp:51:19:51:24 | call to source | clang.cpp:53:17:53:26 | *stackArray | | clang.cpp:57:21:57:28 | call to source | clang.cpp:59:8:59:8 | d | -| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:35:16:35:25 | call to notSource1 | -| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:43:15:43:24 | call to notSource1 | -| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:36:16:36:25 | call to notSource2 | -| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:44:15:44:24 | call to notSource2 | | dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:32:16:32:24 | call to isSource2 | | dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:40:15:40:23 | call to isSource2 | | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:31:16:31:24 | call to isSource1 | | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:39:15:39:23 | call to isSource1 | -| dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:55:22:55:30 | call to isSource1 | -| dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:58:28:58:36 | call to isSource1 | | dispatch.cpp:33:18:33:23 | call to source | dispatch.cpp:23:38:23:38 | x | -| dispatch.cpp:37:19:37:24 | call to source | dispatch.cpp:11:38:11:38 | x | | dispatch.cpp:41:17:41:22 | call to source | dispatch.cpp:23:38:23:38 | x | -| dispatch.cpp:45:18:45:23 | call to source | dispatch.cpp:11:38:11:38 | x | | dispatch.cpp:69:15:69:20 | call to source | dispatch.cpp:23:38:23:38 | x | | dispatch.cpp:73:14:73:19 | call to source | dispatch.cpp:23:38:23:38 | x | | dispatch.cpp:81:13:81:18 | call to source | dispatch.cpp:23:38:23:38 | x | | dispatch.cpp:107:17:107:22 | call to source | dispatch.cpp:96:8:96:8 | x | -| dispatch.cpp:140:8:140:13 | call to source | dispatch.cpp:96:8:96:8 | x | -| dispatch.cpp:144:8:144:13 | call to source | dispatch.cpp:96:8:96:8 | x | +| dispatch.cpp:117:38:117:43 | 
call to source | dispatch.cpp:129:18:129:25 | call to isSource | +| dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:130:17:130:24 | call to isSource | | flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:31:9:31:9 | x | | flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:61:8:61:11 | access to array | | flowOut.cpp:84:18:84:23 | call to source | flowOut.cpp:85:8:85:9 | * ... | diff --git a/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp b/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp index b89ba51f1c6..0d112acc9a1 100644 --- a/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp @@ -19,11 +19,11 @@ void test_simple() { Base* b_ptr = &d; b_ptr->f(); // $ target=2 - b_ptr->virtual_f(); // $ target=8 SPURIOUS: target=3 + b_ptr->virtual_f(); // $ target=8 Base& b_ref = d; b_ref.f(); // $ target=2 - b_ref.virtual_f(); // $ target=8 SPURIOUS: target=3 + b_ref.virtual_f(); // $ target=8 Base* b_null = nullptr; b_null->f(); // $ target=2 @@ -31,7 +31,7 @@ void test_simple() { Base* base_is_derived = new Derived(); base_is_derived->f(); // $ target=2 - base_is_derived->virtual_f(); // $ target=8 SPURIOUS: target=3 + base_is_derived->virtual_f(); // $ target=8 Base* base_is_base = new Base(); base_is_base->f(); // $ target=2 
@@ -59,12 +59,12 @@ void test_fields() { s.b2 = new Derived(); s.b1->virtual_f(); // $ target=3 - s.b2->virtual_f(); // $ SPURIOUS: target=3 MISSING: target=8 + s.b2->virtual_f(); // $ target=8 s.b1 = new Derived(); s.b2 = new Base(); - s.b1->virtual_f(); // $ MISSING: target=8 SPURIOUS: target=3 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA - s.b2->virtual_f(); // $ target=3 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA + s.b1->virtual_f(); // $ target=8 SPURIOUS: target=3 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA + s.b2->virtual_f(); // $ target=3 SPURIOUS: target=8 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA } Base* getDerived() { @@ -73,7 +73,7 @@ Base* getDerived() { void test_getDerived() { Base* b = getDerived(); - b->virtual_f(); // $ target=8 SPURIOUS: target=3 + b->virtual_f(); // $ target=8 Derived d = *(Derived*)getDerived(); d.virtual_f(); // $ target=8 @@ -98,7 +98,7 @@ void test_write_to_arg() { { Base* b; write_to_arg_2(&b); - b->virtual_f(); // $ target=8 SPURIOUS: target=3 + b->virtual_f(); // $ target=8 } } @@ -109,7 +109,7 @@ void set_global_to_derived() { } void read_global() { - global_derived->virtual_f(); // $ target=8 SPURIOUS: target=3 + global_derived->virtual_f(); // $ SPURIOUS: target=3 MISSING: target=8 } Base* global_base_or_derived; @@ -123,5 +123,5 @@ void set_global_base_or_derived_2() { } void read_global_base_or_derived() { - global_base_or_derived->virtual_f(); // $ target=3 target=8 + global_base_or_derived->virtual_f(); // $ target=3 MISSING: target=8 } \ No newline at end of file From 16508b18004dec91c1577b9e2d165bf0b2745745 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen
Date: Tue, 19 Aug 2025 13:03:53 +0200
Subject: [PATCH 23/37] C++: Fix off-by-one error in getType on 'FinalGlobalValue' nodes and accept test changes.
---
 .../lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll | 2 +-
 .../test/library-tests/dataflow/dataflow-tests/dispatch.cpp | 4 ++--
 .../dataflow/dataflow-tests/test-source-sink.expected | 2 ++
 cpp/ql/test/library-tests/dataflow/dispatch/test.cpp | 4 ++--
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index a0a99711552..ef4051171af 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -795,7 +795,7 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {
   override DataFlowType getType() {
     exists(int indirectionIndex |
       indirectionIndex = globalUse.getIndirectionIndex() and
-      result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex - 1)
+      result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex)
     )
   }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
index 50c698033a4..6361d172ed4 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
@@ -52,10 +52,10 @@ Top *readGlobalBottom() {
 }
 void DispatchThroughGlobal() {
-  sink(globalBottom->isSource1()); // $ MISSING: ast,ir
+  sink(globalBottom->isSource1()); // $ ir MISSING: ast
   sink(globalMiddle->isSource1()); // no flow
-  sink(readGlobalBottom()->isSource1()); // $ MISSING: ast,ir
+  sink(readGlobalBottom()->isSource1()); // $ ir MISSING: ast
   globalBottom = new Bottom();
   globalMiddle = new Middle();
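Review bot: The corrected call in `getType` now passes `indirectionIndex` straight through, but nothing at the call site records why `globalUse.getIndirectionIndex()` is already in the convention `getTypeImpl` expects, so the next reader faces the same `- 1` question this commit answers. A why-comment above the `result = …` line would pin the invariant, e.g. `// globalUse's indirection index is already the index getTypeImpl expects; no adjustment`. If a sibling node representing a global's initial value derives its type the same way, it is worth checking that it agrees with this convention; I cannot see it from this hunk.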
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected index 7ca7e6a9bf0..cb339d8d365 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected @@ -173,6 +173,8 @@ irFlow | dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:40:15:40:23 | call to isSource2 | | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:31:16:31:24 | call to isSource1 | | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:39:15:39:23 | call to isSource1 | +| dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:55:22:55:30 | call to isSource1 | +| dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:58:28:58:36 | call to isSource1 | | dispatch.cpp:33:18:33:23 | call to source | dispatch.cpp:23:38:23:38 | x | | dispatch.cpp:41:17:41:22 | call to source | dispatch.cpp:23:38:23:38 | x | | dispatch.cpp:69:15:69:20 | call to source | dispatch.cpp:23:38:23:38 | x | diff --git a/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp b/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp index 0d112acc9a1..f243b76ad14 100644 --- a/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp @@ -109,7 +109,7 @@ void set_global_to_derived() { } void read_global() { - global_derived->virtual_f(); // $ SPURIOUS: target=3 MISSING: target=8 + global_derived->virtual_f(); // $ target=8 } Base* global_base_or_derived; @@ -123,5 +123,5 @@ void set_global_base_or_derived_2() { } void read_global_base_or_derived() { - global_base_or_derived->virtual_f(); // $ target=3 MISSING: target=8 + global_base_or_derived->virtual_f(); // $ target=3 target=8 } \ No newline at end of file From 0631bd74666d4f0fb2759dc30cb57954dc42b19a Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen
Date: Tue, 19 Aug 2025 13:07:55 +0200
Subject: [PATCH 24/37] C++: Add object/flow conflation for unions when resolving function pointers.
---
 .../code/cpp/ir/dataflow/internal/DataFlowPrivate.qll | 9 ++++++++-
 .../library-tests/dataflow/dataflow-tests/dispatch.cpp | 2 +-
 .../dataflow/dataflow-tests/test-source-sink.expected | 2 ++
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
index a03042a77ff..3aa8994a449 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -1492,7 +1492,14 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 }
 /** Extra data-flow steps needed for lambda flow analysis. */
-predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
+predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) {
+  preservesValue = false and
+  exists(ContentSet cs | cs.isSingleton(any(UnionContent uc)) |
+    storeStep(nodeFrom, cs, nodeTo)
+    or
+    readStep(nodeFrom, cs, nodeTo)
+  )
+}
 predicate knownSourceModel(Node source, string model) { External::sourceNode(source, _, model) }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
index 6361d172ed4..63528d712c0 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
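Review bot: The unchanged doc comment `/** Extra data-flow steps needed for lambda flow analysis. */` no longer says what `additionalLambdaFlowStep` does now that it has a body: it deliberately treats every store into or read from a `UnionContent` as a flow step with `preservesValue = false`, so a function pointer written through one union member is still found when it is read through another. That conflation widens the set of candidate targets for calls through such pointers (an over-approximation, giving more results rather than fewer), which is worth stating so nobody later "tightens" it back to `none()`. A replacement comment along the lines of `/** Extra steps for function-pointer (lambda) flow: union members are conflated, so a pointer stored via one member is seen by a read through any member. */` would cover both points. Since the rest of the series renames `lambda` to `virtual`, a short note that this predicate's name is presumably fixed by the shared dataflow interface would also save a reader the question.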
@@ -93,7 +93,7 @@ void callIdentityFunctions(Top *top, Bottom *bottom) { // $ ast-def=bottom ast-d using SinkFunctionType = void (*)(int); void callSink(int x) { - sink(x); // $ ir MISSING: ast,ir=107:17 ast,ir=140:8 ast,ir=144:8 + sink(x); // $ ir=107:17 ir=140:8 ir=144:8 MISSING: ast=107:17 ast=140:8 ast=144:8 } SinkFunctionType returnCallSink() { diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected index cb339d8d365..8c009241734 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected @@ -183,6 +183,8 @@ irFlow | dispatch.cpp:107:17:107:22 | call to source | dispatch.cpp:96:8:96:8 | x | | dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:129:18:129:25 | call to isSource | | dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:130:17:130:24 | call to isSource | +| dispatch.cpp:140:8:140:13 | call to source | dispatch.cpp:96:8:96:8 | x | +| dispatch.cpp:144:8:144:13 | call to source | dispatch.cpp:96:8:96:8 | x | | flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:31:9:31:9 | x | | flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:61:8:61:11 | access to array | | flowOut.cpp:84:18:84:23 | call to source | flowOut.cpp:85:8:85:9 | * ... | From 02bf923f7e1c332683e3af55301308c3a7a24b7f Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 19 Aug 2025 13:50:03 +0200 Subject: [PATCH 25/37] C++: Add change note. --- cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md diff --git a/cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md b/cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md new file mode 100644 index 00000000000..4342bb7f62d --- /dev/null 
+++ b/cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects. \ No newline at end of file From 65e5ded80d34edfce87dbaaf04a7657c68428d37 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 19 Aug 2025 16:02:45 +0200 Subject: [PATCH 26/37] Rust: update README to remove experimental warning --- rust/README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/rust/README.md b/rust/README.md index 8be853bd5f2..4f462f1b70f 100644 --- a/rust/README.md +++ b/rust/README.md @@ -1,8 +1,5 @@ # Rust on CodeQL -> [!WARNING] -> Rust support for CodeQL is experimental. No support is offered. QL and database interfaces will change and break without notice or deprecation periods. - ## Development ### Dependencies From 49ef6939d41ebdb5e6875ca33354c9f7442f6638 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Tue, 19 Aug 2025 14:49:31 -0400 Subject: [PATCH 27/37] Add extra Customizations files --- cpp/ql/lib/Customizations.qll | 12 ++++++++++++ cpp/ql/lib/cpp.qll | 1 + rust/ql/lib/Customizations.qll | 12 ++++++++++++ rust/ql/lib/rust.qll | 1 + swift/ql/lib/Customizations.qll | 12 ++++++++++++ swift/ql/lib/swift.qll | 1 + 6 files changed, 39 insertions(+) create mode 100644 cpp/ql/lib/Customizations.qll create mode 100644 rust/ql/lib/Customizations.qll create mode 100644 swift/ql/lib/Customizations.qll diff --git a/cpp/ql/lib/Customizations.qll b/cpp/ql/lib/Customizations.qll new file mode 100644 index 00000000000..76a4355b69c --- /dev/null +++ b/cpp/ql/lib/Customizations.qll 
@@ -0,0 +1,12 @@
+/**
+ * Contains customizations to the standard library.
+ *
+ * This module is imported by `cpp.qll`, so any customizations defined here automatically
+ * apply to all queries.
+ *
+ * Typical examples of customizations include adding new subclasses of abstract classes such as
+ * the `RemoteFlowSource` class
+ * to model frameworks that are not covered by the standard library.
+ */
+
+import cpp
diff --git a/cpp/ql/lib/cpp.qll b/cpp/ql/lib/cpp.qll
index ccd32c368e4..c8afac1c7ae 100644
--- a/cpp/ql/lib/cpp.qll
+++ b/cpp/ql/lib/cpp.qll
@@ -13,6 +13,7 @@
  * https://github.com/cplusplus/draft/raw/master/papers/n4140.pdf
  */
+import Customizations
 import semmle.code.cpp.File
 import semmle.code.cpp.Linkage
 import semmle.code.cpp.Location
diff --git a/rust/ql/lib/Customizations.qll b/rust/ql/lib/Customizations.qll
new file mode 100644
index 00000000000..4f67cb91049
--- /dev/null
+++ b/rust/ql/lib/Customizations.qll
@@ -0,0 +1,12 @@
+/**
+ * Contains customizations to the standard library.
+ *
+ * This module is imported by `rust.qll`, so any customizations defined here automatically
+ * apply to all queries.
+ *
+ * Typical examples of customizations include adding new subclasses of abstract classes such as
+ * the `RemoteFlowSource` class
+ * to model frameworks that are not covered by the standard library.
+ */
+
+import rust
diff --git a/rust/ql/lib/rust.qll b/rust/ql/lib/rust.qll
index e7d02adea32..b46e96868f6 100644
--- a/rust/ql/lib/rust.qll
+++ b/rust/ql/lib/rust.qll
@@ -1,5 +1,6 @@
 /** Top-level import for the Rust language pack */
+import Customizations
 import codeql.rust.elements
 import codeql.Locations
 import codeql.files.FileSystem
diff --git a/swift/ql/lib/Customizations.qll b/swift/ql/lib/Customizations.qll
new file mode 100644
index 00000000000..71684ba1f75
--- /dev/null
+++ b/swift/ql/lib/Customizations.qll
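Review bot: The doc comment in the new `rust/ql/lib/Customizations.qll` (and the Swift copy in the next hunk) is the C++ text with only the importing module renamed, and it names `RemoteFlowSource` as the canonical customization example; confirm that a class of that name is the remote-source extension point in the Rust and Swift libraries, and otherwise name each language's actual class so the comment points users at something they can subclass. The mutual `import Customizations` / `import rust` pair is the same shape the other language packs use, so nothing to raise there. Note that anything dropped into these files now runs for every query in the pack, which is exactly what the comment promises, so the file deserves to stay empty apart from the import in the standard distribution.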
@@ -0,0 +1,12 @@
+/**
+ * Contains customizations to the standard library.
+ *
+ * This module is imported by `swift.qll`, so any customizations defined here automatically
+ * apply to all queries.
+ *
+ * Typical examples of customizations include adding new subclasses of abstract classes such as
+ * the `RemoteFlowSource` class
+ * to model frameworks that are not covered by the standard library.
+ */
+
+import swift
diff --git a/swift/ql/lib/swift.qll b/swift/ql/lib/swift.qll
index 901d9e895e0..54f2abf9092 100644
--- a/swift/ql/lib/swift.qll
+++ b/swift/ql/lib/swift.qll
@@ -1,5 +1,6 @@
 /** Top-level import for the Swift language pack */
+import Customizations
 import codeql.swift.elements
 import codeql.swift.elements.expr.ArithmeticOperation
 import codeql.swift.elements.expr.Assignment
From d630e32ce9f714674a99a3cbb881157f4ac37216 Mon Sep 17 00:00:00 2001
From: Kristen Newbury
Date: Tue, 19 Aug 2025 15:27:29 -0400
Subject: [PATCH 28/37] Format Customizations.qll
---
 cpp/ql/lib/Customizations.qll | 2 +-
 rust/ql/lib/Customizations.qll | 2 +-
 swift/ql/lib/Customizations.qll | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cpp/ql/lib/Customizations.qll b/cpp/ql/lib/Customizations.qll
index 76a4355b69c..88e83346ef1 100644
--- a/cpp/ql/lib/Customizations.qll
+++ b/cpp/ql/lib/Customizations.qll
@@ -8,5 +8,5 @@
  * the `RemoteFlowSource` class
  * to model frameworks that are not covered by the standard library.
  */
-
+
 import cpp
diff --git a/rust/ql/lib/Customizations.qll b/rust/ql/lib/Customizations.qll
index 4f67cb91049..822792df6c7 100644
--- a/rust/ql/lib/Customizations.qll
+++ b/rust/ql/lib/Customizations.qll
@@ -8,5 +8,5 @@
  * the `RemoteFlowSource` class
  * to model frameworks that are not covered by the standard library.
  */
-
+
 import rust
diff --git a/swift/ql/lib/Customizations.qll b/swift/ql/lib/Customizations.qll
index 71684ba1f75..001628f2110 100644
--- a/swift/ql/lib/Customizations.qll
+++ b/swift/ql/lib/Customizations.qll
@@ -8,5 +8,5 @@ * the `RemoteFlowSource` class * to model frameworks that are not covered by the standard library. */ - + import swift From e74116b34737a0f2ec33dac64614d3eaf2dc5437 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 20 Aug 2025 00:23:14 +0000 Subject: [PATCH 29/37] Add changed framework coverage reports --- java/documentation/library-coverage/coverage.csv | 2 +- java/documentation/library-coverage/coverage.rst | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/java/documentation/library-coverage/coverage.csv b/java/documentation/library-coverage/coverage.csv index 7ec0b4c5f0f..1d1f9a1545e 100644 --- a/java/documentation/library-coverage/coverage.csv +++ b/java/documentation/library-coverage/coverage.csv @@ -76,7 +76,7 @@ jakarta.activation,2,,2,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,,,,,,,2, jakarta.faces.context,4,7,,,,,,,,,,,,,,2,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,7,, jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23 jakarta.persistence,2,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,1, -jakarta.servlet,2,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,1,, +jakarta.servlet,2,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,19,, jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,, jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,, jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55 diff --git a/java/documentation/library-coverage/coverage.rst b/java/documentation/library-coverage/coverage.rst index aa6a3f2c171..d70f9c2f463 100644 --- a/java/documentation/library-coverage/coverage.rst +++ b/java/documentation/library-coverage/coverage.rst 
@@ -19,9 +19,9 @@ Java framework & library support JBoss Logging,``org.jboss.logging``,,,324,,,,,, `JSON-java `_,``org.json``,,236,,,,,,, Java Standard Library,``java.*``,10,4621,260,99,,9,,,26 - Java extensions,"``javax.*``, ``jakarta.*``",69,4159,90,10,4,2,1,1,4 + Java extensions,"``javax.*``, ``jakarta.*``",87,4159,90,10,4,2,1,1,4 Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2 `Spring `_,``org.springframework.*``,38,486,143,26,,28,14,,35 Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.mongodb``, ``com.opensymphony.xwork2``, ``com.rabbitmq.client``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, 
``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.struts.beanvalidation.validation.interceptor``, ``org.apache.struts2``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, 
``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",133,10525,927,140,6,22,18,,208 - Totals,,312,26328,2656,404,16,128,33,1,409 + Totals,,330,26328,2656,404,16,128,33,1,409 From c9f0e3a37744c1868781d915590d62970d9d9e03 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema <93738568+jketema@users.noreply.github.com> Date: Wed, 20 Aug 2025 08:07:10 +0200 Subject: [PATCH 30/37] Apply suggestions from code review --- cpp/ql/lib/Customizations.qll | 3 +-- rust/ql/lib/Customizations.qll | 3 +-- swift/ql/lib/Customizations.qll | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/cpp/ql/lib/Customizations.qll b/cpp/ql/lib/Customizations.qll index 88e83346ef1..c9d899e07e0 100644 --- a/cpp/ql/lib/Customizations.qll +++ b/cpp/ql/lib/Customizations.qll 
@@ -5,8 +5,7 @@ * apply to all queries. * * Typical examples of customizations include adding new subclasses of abstract classes such as - * the `RemoteFlowSource` class - * to model frameworks that are not covered by the standard library. + * the `RemoteFlowSource` class to model frameworks that are not covered by the standard library. */ import cpp diff --git a/rust/ql/lib/Customizations.qll b/rust/ql/lib/Customizations.qll index 822792df6c7..8fc6bbea911 100644 --- a/rust/ql/lib/Customizations.qll +++ b/rust/ql/lib/Customizations.qll @@ -5,8 +5,7 @@ * apply to all queries. * * Typical examples of customizations include adding new subclasses of abstract classes such as - * the `RemoteFlowSource` class - * to model frameworks that are not covered by the standard library. + * the `RemoteFlowSource` class to model frameworks that are not covered by the standard library. */ import rust diff --git a/swift/ql/lib/Customizations.qll b/swift/ql/lib/Customizations.qll index 001628f2110..bf9e66de70b 100644 --- a/swift/ql/lib/Customizations.qll +++ b/swift/ql/lib/Customizations.qll @@ -5,8 +5,7 @@ * apply to all queries. * * Typical examples of customizations include adding new subclasses of abstract classes such as - * the `RemoteFlowSource` class - * to model frameworks that are not covered by the standard library. + * the `RemoteFlowSource` class to model frameworks that are not covered by the standard library. */ import swift From b42c366250be3a2d929e8a78dfc003a8bbf4a942 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 20 Aug 2025 08:50:23 +0200 Subject: [PATCH 31/37] C#: Address review comments. --- .../code/csharp/dataflow/internal/TaintTrackingPrivate.qll | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll index 908877c359b..dbfda21c09c 100644 
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -31,8 +31,7 @@ predicate defaultTaintSanitizer(DataFlow::Node node) {
  */
 bindingset[node]
 predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
-  node instanceof ArgumentNode and
-  Collections::isCollectionType(node.getType()) and
+  exists(node) and
   c.isElement()
 }
From 70d3e69ce5f1c7d3b819b8c60a39923ddd0d7366 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 20 Aug 2025 10:38:22 +0200
Subject: [PATCH 32/37] C++: Rename 'lambda' to 'virtual'.
---
 .../ir/dataflow/internal/DataFlowDispatch.qll | 40 ++++++++++---------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
index 899dae69589..0d63558c956 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -105,7 +105,7 @@ private predicate ignoreConstructor(Expr e) {
  * constructs an object containing at least one virtual function.
  * - a node which represents a derived-to-base instruction that converts from `c`.
  */
-private predicate lambdaSourceImpl(RelevantNode n, Class c) {
+private predicate qualifierSourceImpl(RelevantNode n, Class c) {
   // Object construction
   exists(CallInstruction call, ThisArgumentOperand qualifier, Call e |
     qualifier = call.getThisArgumentOperand() and
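Review bot: `defaultImplicitTaintRead` now holds for every `node` rather than only collection-typed `ArgumentNode`s, so wherever the shared taint-tracking library consults it, a tainted value of any type is treated as implicitly readable through element content; that is a deliberate widening, but the predicate's doc comment (it starts above this hunk, only its closing `*/` is visible) still needs to state the new scope so the `exists(node)` idiom is not mistaken for a placeholder. Something like `Holds if an implicit read of element content \`c\` is allowed from any node \`node\`; \`exists(node)\` only satisfies the bindingset.` would do. The diffstat lists this file alone, so no test expectation moved with the change; since dropping the `isCollectionType` guard can only add flow, it is worth confirming the C# taint test suites were re-run and that the extra element reads did not introduce noticeable false positives or evaluation cost.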
@@ -131,14 +131,14 @@ private predicate lambdaSourceImpl(RelevantNode n, Class c) { ) } -private module TrackVirtualDispatch { +private module TrackVirtualDispatch { /** * Gets a possible runtime target of `c` using both static call-target - * information, and call-target resolution from `lambdaDispatch0`. + * information, and call-target resolution from `virtualDispatch0`. */ private DataFlowPrivate::DataFlowCallable dispatch(DataFlowPrivate::DataFlowCall c) { result = nonVirtualDispatch(c) or - result = lambdaDispatch0(c) + result = virtualDispatch0(c) } private module TtInput implements TypeTrackingInput { @@ -156,7 +156,7 @@ private module TrackVirtualDispatch { or DataFlowPrivate::jumpStep(_, this) or - lambdaSourceImpl(this, _) + qualifierSourceImpl(this, _) } } @@ -220,21 +220,23 @@ private module TrackVirtualDispatch { predicate hasFeatureBacktrackStoreTarget() { none() } } - private predicate lambdaSource(RelevantNode n) { lambdaSourceImpl(n, _) } + private predicate qualifierSource(RelevantNode n) { qualifierSourceImpl(n, _) } /** * Holds if `n` is the qualifier of `call` which targets the virtual member * function `mf`. */ - private predicate lambdaSinkImpl(RelevantNode n, CallInstruction call, MemberFunction mf) { + private predicate qualifierOfVirtualCallImpl( + RelevantNode n, CallInstruction call, MemberFunction mf + ) { n.asOperand() = call.getThisArgumentOperand() and call.getStaticCallTarget() = mf and mf.isVirtual() } - private predicate lambdaSink(RelevantNode n) { lambdaSinkImpl(n, _, _) } + private predicate qualifierOfVirtualCall(RelevantNode n) { qualifierOfVirtualCallImpl(n, _, _) } - private import TypeTracking::TypeTrack::Graph + private import TypeTracking::TypeTrack::Graph private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2) 
@@ -243,7 +245,7 @@ private module TrackVirtualDispatch { * qualifier has runtime type `c`. */ private MemberFunction mostSpecific(MemberFunction mf, Class c) { - lambdaSinkImpl(_, _, mf) and + qualifierOfVirtualCallImpl(_, _, mf) and mf.getAnOverridingFunction*() = result and ( result.getDeclaringType() = c @@ -267,8 +269,8 @@ private module TrackVirtualDispatch { DataFlowPrivate::DataFlowCall call ) { exists(Class derived, MemberFunction mf | - lambdaSourceImpl(p1.getNode(), derived) and - lambdaSinkImpl(p2.getNode(), call.asCallInstruction(), mf) and + qualifierSourceImpl(p1.getNode(), derived) and + qualifierOfVirtualCallImpl(p2.getNode(), call.asCallInstruction(), mf) and p1.isSource() and p2.isSink() and callable.asSourceCallable() = mostSpecific(mf, derived) @@ -276,7 +278,7 @@ private module TrackVirtualDispatch { } /** Gets a possible run-time target of `call`. */ - DataFlowPrivate::DataFlowCallable lambdaDispatch(DataFlowPrivate::DataFlowCall call) { + DataFlowPrivate::DataFlowCallable virtualDispatch(DataFlowPrivate::DataFlowCall call) { exists(PathNode p1, PathNode p2 | p1 = p2 or edgePlus(p1, p2) | pairCand(p1, p2, result, call)) } } 
@@ -285,32 +287,32 @@ private DataFlowPrivate::DataFlowCallable noDisp(DataFlowPrivate::DataFlowCall c pragma[nomagic] private DataFlowPrivate::DataFlowCallable d1(DataFlowPrivate::DataFlowCall call) { - result = TrackVirtualDispatch::lambdaDispatch(call) + result = TrackVirtualDispatch::virtualDispatch(call) } pragma[nomagic] private DataFlowPrivate::DataFlowCallable d2(DataFlowPrivate::DataFlowCall call) { - result = TrackVirtualDispatch::lambdaDispatch(call) + result = TrackVirtualDispatch::virtualDispatch(call) } pragma[nomagic] private DataFlowPrivate::DataFlowCallable d3(DataFlowPrivate::DataFlowCall call) { - result = TrackVirtualDispatch::lambdaDispatch(call) + result = TrackVirtualDispatch::virtualDispatch(call) } pragma[nomagic] private DataFlowPrivate::DataFlowCallable d4(DataFlowPrivate::DataFlowCall call) { - result = TrackVirtualDispatch::lambdaDispatch(call) + result = TrackVirtualDispatch::virtualDispatch(call) } pragma[nomagic] private DataFlowPrivate::DataFlowCallable d5(DataFlowPrivate::DataFlowCall call) { - result = TrackVirtualDispatch::lambdaDispatch(call) + result = TrackVirtualDispatch::virtualDispatch(call) } pragma[nomagic] private DataFlowPrivate::DataFlowCallable d6(DataFlowPrivate::DataFlowCall call) { - result = TrackVirtualDispatch::lambdaDispatch(call) + result = TrackVirtualDispatch::virtualDispatch(call) } /** Gets a function that might be called by `call`. */ From c475bedf73c19a0a50f1ebe6d18053f49b6eb482 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Wed, 20 Aug 2025 12:58:54 +0200 Subject: [PATCH 33/37] CS: removed dead links from LDAPInjection qhelp --- csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp | 2 -- 1 file changed, 2 deletions(-) diff --git a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp index 04f01720ce6..34e9bee18ba 100644 --- a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp 
+++ b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp @@ -35,7 +35,5 @@ the query cannot be changed by a malicious user.

  • OWASP: LDAP Injection Prevention Cheat Sheet.
  • OWASP: Preventing LDAP Injection in Java.
  • -
  • AntiXSS doc: LdapFilterEncode.
  • -
  • AntiXSS doc: LdapDistinguishedNameEncode.
  • From 71a8e10f3d33f58f9bd53c4c6a7544ce3bb11298 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Wed, 20 Aug 2025 12:59:59 +0200 Subject: [PATCH 34/37] CS: added extra guidance in recommendation section for LDAPInjection --- csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp index 34e9bee18ba..4af37eadfd7 100644 --- a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp +++ b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.qhelp @@ -12,7 +12,7 @@ is likely to be able to run malicious LDAP queries.

    If user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible, use an existing library, such as the AntiXSS -library.

    +library. One may also make their own encoder filter `LdapEncode` following RFC 4515 standards.
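Review bot: The added sentence tells the reader they may write their own `LdapEncode` filter following RFC 4515, which in a security recommendation promotes the riskier option (a hand-written escaper is exactly where encoding gaps come from) and also narrows the advice to search filters; RFC 4515 defines escaping for filter assertion values, while values placed into a distinguished name need the separate escaping rules of RFC 4514, so a reader applying this sentence to a DN would under-encode. Suggest rewording the new line to `library. If no such library is available, implement an encoder that escapes filter values as specified in RFC 4515 and DN components as specified in RFC 4514, and cover every special character with tests.` The reference list added in the second hunk of this file could then cite RFC 4514 alongside RFC 4515. The enclosing paragraph starts before the hunk.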

    @@ -35,5 +35,6 @@ the query cannot be changed by a malicious user.

  • OWASP: LDAP Injection Prevention Cheat Sheet.
  • OWASP: Preventing LDAP Injection in Java.
  • +
  • RFC 4515: String Search Filter Definition.
  • From 854a5b58713c7a5737748379e6c34a0a3df0e909 Mon Sep 17 00:00:00 2001
From: Kristen Newbury
Date: Wed, 20 Aug 2025 13:18:17 -0400
Subject: [PATCH 35/37] Add changenotes customizations addition
---
 cpp/ql/src/change-notes/2025-08-20-add-customizations.md | 4 ++++
 rust/ql/src/change-notes/2025-08-20-add-customizations.md | 4 ++++
 swift/ql/src/change-notes/2025-08-20-add-customizations.md | 4 ++++
 3 files changed, 12 insertions(+)
 create mode 100644 cpp/ql/src/change-notes/2025-08-20-add-customizations.md
 create mode 100644 rust/ql/src/change-notes/2025-08-20-add-customizations.md
 create mode 100644 swift/ql/src/change-notes/2025-08-20-add-customizations.md
diff --git a/cpp/ql/src/change-notes/2025-08-20-add-customizations.md b/cpp/ql/src/change-notes/2025-08-20-add-customizations.md
new file mode 100644
index 00000000000..3a01298283c
--- /dev/null
+++ b/cpp/ql/src/change-notes/2025-08-20-add-customizations.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.
\ No newline at end of file
diff --git a/rust/ql/src/change-notes/2025-08-20-add-customizations.md b/rust/ql/src/change-notes/2025-08-20-add-customizations.md
new file mode 100644
index 00000000000..3a01298283c
--- /dev/null
+++ b/rust/ql/src/change-notes/2025-08-20-add-customizations.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.
\ No newline at end of file
diff --git a/swift/ql/src/change-notes/2025-08-20-add-customizations.md b/swift/ql/src/change-notes/2025-08-20-add-customizations.md
new file mode 100644
index 00000000000..3a01298283c
--- /dev/null
+++ b/swift/ql/src/change-notes/2025-08-20-add-customizations.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.
\ No newline at end of file
From e99b423e288270c62c61de64a5fe92b1fbc99f48 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 21 Aug 2025 03:46:43 +0000
Subject: [PATCH 36/37] Bump the extractor-dependencies group in /go/extractor with 2 updates
Bumps the extractor-dependencies group in /go/extractor with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/tools](https://github.com/golang/tools).
Updates `golang.org/x/mod` from 0.26.0 to 0.27.0
- [Commits](https://github.com/golang/mod/compare/v0.26.0...v0.27.0)
Updates `golang.org/x/tools` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.35.0...v0.36.0)
---
updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: extractor-dependencies - dependency-name: golang.org/x/tools dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: extractor-dependencies ...
Signed-off-by: dependabot[bot]
---
 go/extractor/go.mod | 4 ++--
 go/extractor/go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go/extractor/go.mod b/go/extractor/go.mod
index 8ec7ec72fc2..a23183400d0 100644
--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -9,8 +9,8 @@ toolchain go1.25.0
 // when adding or removing dependencies, run
 // bazel mod tidy
 require (
- golang.org/x/mod v0.26.0
- golang.org/x/tools v0.35.0
+ golang.org/x/mod v0.27.0
+ golang.org/x/tools v0.36.0
 )
 require golang.org/x/sync v0.16.0 // indirect
diff --git a/go/extractor/go.sum b/go/extractor/go.sum
index 58f0d0b933b..e1a8435ba51 100644
--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -1,8 +1,8 @@
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
From ebfbc711046dbdcfa3d275ef71044d2c4185bd0a Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Thu, 21 Aug 2025 08:07:17 +0200
Subject: [PATCH 37/37] C#: Address more review comments.
---
 .../code/csharp/dataflow/internal/TaintTrackingPrivate.qll | 1 -
 1 file changed, 1 deletion(-)
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
index dbfda21c09c..3146720efe8 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -7,7 +7,6 @@ private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
 private import semmle.code.csharp.dataflow.internal.ControlFlowReachability
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.commons.ComparisonTest
-private import semmle.code.csharp.commons.Collections as Collections
 // import `TaintedMember` definitions from other files to avoid potential reevaluation
 private import semmle.code.csharp.frameworks.JsonNET
 private import semmle.code.csharp.frameworks.WCF