hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into redsun82/rules_rust-update

Browse Source
This commit is contained in:
Paolo Tranquilli
2025-02-11 09:10:15 +01:00
parent c0eaff6fa1 e1c810a50c
commit f7ca717375
78 changed files with 633 additions and 789 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).

9
actions/ql/lib/codeql/actions/config/Config.qll
View File

@@ -126,6 +126,15 @@ predicate vulnerableActionsDataModel(
*/
predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
/**
* MaD models for trusted actions owners
* Fields:
* - owner: owner name
*/
predicate trustedActionsOwnerDataModel(string owner) {
Extensions::trustedActionsOwnerDataModel(owner)
}
/**
* MaD models for untrusted git commands
* Fields:

5
actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
View File

@@ -63,6 +63,11 @@ extensible predicate vulnerableActionsDataModel(
*/
extensible predicate immutableActionsDataModel(string action);
/**
* Holds for trusted Actions owners.
*/
extensible predicate trustedActionsOwnerDataModel(string owner);
/**
* Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
*/

8
actions/ql/lib/ext/config/trusted_actions_owner.yml Normal file
View File

@@ -0,0 +1,8 @@
extensions:
- addsTo:
pack: codeql/actions-all
extensible: trustedActionsOwnerDataModel
data:
- ["actions"]
- ["github"]
- ["advanced-security"]

4
actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
View File

@@ -2,9 +2,9 @@
* @name PATH Enviroment Variable built from user-controlled sources
* @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
* @kind path-problem
* @problem.severity warning
* @problem.severity error
* @security-severity 5.0
* @precision high
* @precision medium
* @id actions/envpath-injection/medium
* @tags actions
* security

4
actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
View File

@@ -2,9 +2,9 @@
* @name Enviroment Variable built from user-controlled sources
* @description Building an environment variable from user-controlled sources may alter the execution of following system commands
* @kind path-problem
* @problem.severity warning
* @problem.severity error
* @security-severity 5.0
* @precision high
* @precision medium
* @id actions/envvar-injection/medium
* @tags actions
* security

3
actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
View File

@@ -3,11 +3,12 @@
* @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
* @kind problem
* @security-severity 5.0
* @problem.severity recommendation
* @problem.severity warning
* @precision high
* @id actions/missing-workflow-permissions
* @tags actions
* maintainability
* security
* external/cwe/cwe-275
*/

3
actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
View File

@@ -2,7 +2,8 @@
* @name Excessive Secrets Exposure
* @description All organization and repository secrets are passed to the workflow runner.
* @kind problem
* @problem.severity recommendation
* @precision high
* @problem.severity warning
* @id actions/excessive-secrets-exposure
* @tags actions
* security

4
actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
View File

@@ -2,8 +2,8 @@
* @name Artifact poisoning
* @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
* @kind path-problem
* @problem.severity warning
* @precision high
* @problem.severity error
* @precision medium
* @security-severity 5.0
* @id actions/artifact-poisoning/medium
* @tags actions

2
actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
View File

@@ -24,4 +24,4 @@ Pinning an action to a full length commit SHA is currently the only way to use a
## References
- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)

21
actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
View File

@@ -3,8 +3,8 @@
* @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
* @kind problem
* @security-severity 5.0
* @problem.severity recommendation
* @precision high
* @problem.severity warning
* @precision medium
* @id actions/unpinned-tag
* @tags security
* actions
@@ -17,14 +17,15 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
bindingset[version]
private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
bindingset[repo]
private predicate isTrustedOrg(string repo) {
repo.matches(["actions", "github", "advanced-security"] + "/%")
bindingset[nwo]
private predicate isTrustedOwner(string nwo) {
// Gets the segment before the first '/' in the name with owner(nwo) string
trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
}
from UsesStep uses, string repo, string version, Workflow workflow, string name
from UsesStep uses, string nwo, string version, Workflow workflow, string name
where
uses.getCallee() = repo and
uses.getCallee() = nwo and
uses.getEnclosingWorkflow() = workflow and
(
workflow.getName() = name
@@ -32,9 +33,9 @@ where
not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
) and
uses.getVersion() = version and
not isTrustedOrg(repo) and
not isTrustedOwner(nwo) and
not isPinnedCommit(version) and
not isImmutableAction(uses, repo)
not isImmutableAction(uses, nwo)
select uses.getCalleeNode(),
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
"', not a pinned commit hash", uses, uses.toString()

20
actions/ql/src/change-notes/2025-02-06-curate-suites.md Normal file
View File

@@ -0,0 +1,20 @@
---
category: breaking
---
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
Any existing alerts for these queries will be closed automatically.
* `actions/if-expression-always-true/critical`
* `actions/if-expression-always-true/high`
* `actions/unnecessary-use-of-advanced-config`
* The following query has been moved from the `code-scanning` suite to the `security-extended`
suite. Any existing alerts for this query will be closed automatically unless the analysis is
configured to use the `security-extended` suite.
* `actions/unpinned-tag`
* The following queries have been added to the `security-extended` suite.
* `actions/unversioned-immutable-action`
* `actions/envpath-injection/medium`
* `actions/envvar-injection/medium`
* `actions/code-injection/medium`
* `actions/artifact-poisoning/medium`
* `actions/untrusted-checkout/medium`

13
actions/ql/src/codeql-suites/actions-code-scanning.qls
View File

@@ -1,11 +1,4 @@
- description: Standard Code Scanning queries for GitHub Actions
- queries: '.'
- include:
problem.severity:
- error
- recommendation
- exclude:
tags contain:
- experimental
- debug
- internal
- queries: .
- apply: code-scanning-selectors.yml
from: codeql/suite-helpers

4
actions/ql/src/codeql-suites/actions-security-extended.qls
View File

@@ -1,2 +1,4 @@
- description: Security-extended queries for GitHub Actions
- import: codeql-suites/actions-code-scanning.qls
- queries: .
- apply: security-extended-selectors.yml
from: codeql/suite-helpers

0
actions/ql/src/Security/CWE-074/OutputClobberingHigh.ql → actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
View File

0
actions/ql/src/Security/CWE-078/CommandInjectionCritical.ql → actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
View File

0
actions/ql/src/Security/CWE-078/CommandInjectionMedium.ql → actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
View File

0
actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.md → actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.md
View File

0
actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql → actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
View File

0
actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.md → actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.md
View File

0
actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql → actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
View File

0
actions/ql/src/Security/CWE-200/SecretExfiltration.ql → actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
View File

0
actions/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql → actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
View File

0
actions/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql → actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
View File

0
actions/ql/src/Security/CWE-918/RequestForgery.ql → actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
View File

2
actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
View File

@@ -1 +1 @@
Security/CWE-074/OutputClobberingHigh.ql
experimental/Security/CWE-074/OutputClobberingHigh.ql

2
actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
View File

@@ -1 +1 @@
Security/CWE-078/CommandInjectionCritical.ql
experimental/Security/CWE-078/CommandInjectionCritical.ql

2
actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
View File

@@ -1 +1 @@
Security/CWE-078/CommandInjectionMedium.ql
experimental/Security/CWE-078/CommandInjectionMedium.ql

2
actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
View File

@@ -1 +1 @@
Security/CWE-088/ArgumentInjectionCritical.ql
experimental/Security/CWE-088/ArgumentInjectionCritical.ql

2
actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
View File

@@ -1 +1 @@
Security/CWE-088/ArgumentInjectionMedium.ql
experimental/Security/CWE-088/ArgumentInjectionMedium.ql

2
actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
View File

@@ -1,2 +1,2 @@
Security/CWE-200/SecretExfiltration.ql
experimental/Security/CWE-200/SecretExfiltration.ql

2
actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
View File

@@ -1,2 +1,2 @@
Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql

2
actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
View File

@@ -1,2 +1,2 @@
Security/CWE-829/ArtifactPoisoningPathTraversal.ql
experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

2
actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
View File

@@ -1 +1 @@
Security/CWE-918/RequestForgery.ql
experimental/Security/CWE-918/RequestForgery.ql

4
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
View File

@@ -769,8 +769,4 @@ module InputSigCommon {
BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
class ExitBasicBlock extends BasicBlock {
ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
}
}

2
csharp/ql/lib/semmle/code/csharp/controlflow/internal/PreSsa.qll
View File

@@ -90,7 +90,7 @@ module PreSsa {
BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
class ExitBasicBlock extends BasicBlock {
private class ExitBasicBlock extends BasicBlock {
ExitBasicBlock() { scopeLast(_, this.getLastElement(), _) }
}

4
csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll
View File

@@ -345,7 +345,7 @@ module Ssa {
* - The read of `this.Field` on line 11 is a last read of the phi node
* between lines 9 and 10.
*/
final AssignableRead getALastRead() { result = this.getALastReadAtNode(_) }
deprecated final AssignableRead getALastRead() { result = this.getALastReadAtNode(_) }
/**
* Gets a last read of the source variable underlying this SSA definition at
@@ -375,7 +375,7 @@ module Ssa {
* - The read of `this.Field` on line 11 is a last read of the phi node
* between lines 9 and 10.
*/
final AssignableRead getALastReadAtNode(ControlFlow::Node cfn) {
deprecated final AssignableRead getALastReadAtNode(ControlFlow::Node cfn) {
SsaImpl::lastReadSameVar(this, cfn) and
result.getAControlFlowNode() = cfn
}

2
csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll
View File

@@ -55,8 +55,6 @@ module BaseSsa {
BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
class ExitBasicBlock extends BasicBlock, ControlFlow::BasicBlocks::ExitBlock { }
class SourceVariable = PreSsa::SimpleLocalScopeVariable;
predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {

24
csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll
View File

@@ -17,8 +17,6 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
class ExitBasicBlock extends BasicBlock, ControlFlow::BasicBlocks::ExitBlock { }
class SourceVariable = Ssa::SourceVariable;
/**
@@ -784,7 +782,9 @@ private predicate adjacentDefReachesUncertainRead(
/** Same as `lastRefRedef`, but skips uncertain reads. */
pragma[nomagic]
private predicate lastRefSkipUncertainReads(Definition def, SsaInput::BasicBlock bb, int i) {
deprecated private predicate lastRefSkipUncertainReads(
Definition def, SsaInput::BasicBlock bb, int i
) {
Impl::lastRef(def, bb, i) and
not SsaInput::variableRead(bb, i, def.getSourceVariable(), false)
or
@@ -794,6 +794,15 @@ private predicate lastRefSkipUncertainReads(Definition def, SsaInput::BasicBlock
)
}
pragma[nomagic]
deprecated predicate lastReadSameVar(Definition def, ControlFlow::Node cfn) {
exists(ControlFlow::BasicBlock bb, int i |
lastRefSkipUncertainReads(def, bb, i) and
variableReadActual(bb, i, _) and
cfn = bb.getNode(i)
)
}
cached
private module Cached {
cached
@@ -957,15 +966,6 @@ private module Cached {
)
}
cached
predicate lastReadSameVar(Definition def, ControlFlow::Node cfn) {
exists(ControlFlow::BasicBlock bb, int i |
lastRefSkipUncertainReads(def, bb, i) and
variableReadActual(bb, i, _) and
cfn = bb.getNode(i)
)
}
cached
Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
Impl::uncertainWriteDefinitionInput(def, result)

28
csharp/ql/src/Telemetry/DatabaseQuality.qll
View File

@@ -4,33 +4,7 @@
*/
import csharp
signature module StatsSig {
int getNumberOfOk();
int getNumberOfNotOk();
string getOkText();
string getNotOkText();
}
module ReportStats<StatsSig Stats> {
predicate numberOfOk(string key, int value) {
value = Stats::getNumberOfOk() and
key = "Number of " + Stats::getOkText()
}
predicate numberOfNotOk(string key, int value) {
value = Stats::getNumberOfNotOk() and
key = "Number of " + Stats::getNotOkText()
}
predicate percentageOfOk(string key, float value) {
value = Stats::getNumberOfOk() * 100.0 / (Stats::getNumberOfOk() + Stats::getNumberOfNotOk()) and
key = "Percentage of " + Stats::getOkText()
}
}
import codeql.util.ReportStats
module CallTargetStats implements StatsSig {
int getNumberOfOk() { result = count(Call c | exists(c.getTarget())) }

259
csharp/ql/test/library-tests/dataflow/ssa/SsaDefLastRead.expected
View File

@@ -1,259 +0,0 @@
| Capture.cs:10:16:10:16 | a | Capture.cs:10:16:27:9 | SSA def(a) | Capture.cs:46:12:46:12 | access to local variable a |
| Capture.cs:17:17:17:17 | y | Capture.cs:17:17:17:21 | SSA def(y) | Capture.cs:26:17:26:17 | access to local variable y |
| Capture.cs:17:17:17:17 | y | Capture.cs:19:24:23:13 | SSA capture def(y) | Capture.cs:22:21:22:21 | access to local variable y |
| Capture.cs:19:20:19:20 | b | Capture.cs:19:20:23:13 | SSA def(b) | Capture.cs:25:13:25:13 | access to local variable b |
| Capture.cs:30:16:30:16 | c | Capture.cs:30:16:30:35 | SSA def(c) | Capture.cs:32:9:32:9 | access to local variable c |
| Capture.cs:52:16:52:16 | b | Capture.cs:52:16:52:43 | SSA def(b) | Capture.cs:53:9:53:9 | access to local variable b |
| Capture.cs:57:57:57:63 | strings | Capture.cs:57:57:57:63 | SSA param(strings) | Capture.cs:61:9:61:15 | access to parameter strings |
| Capture.cs:60:27:60:27 | e | Capture.cs:60:27:60:38 | SSA def(e) | Capture.cs:61:24:61:24 | access to local variable e |
| Capture.cs:65:45:65:51 | strings | Capture.cs:65:45:65:51 | SSA param(strings) | Capture.cs:70:9:70:15 | access to parameter strings |
| Capture.cs:67:13:67:13 | c | Capture.cs:68:32:68:49 | SSA capture def(c) | Capture.cs:68:48:68:48 | access to local variable c |
| Capture.cs:67:13:67:13 | c | Capture.cs:69:9:69:62 | SSA capture def(c) | Capture.cs:69:48:69:48 | access to local variable c |
| Capture.cs:68:32:68:32 | s | Capture.cs:68:32:68:32 | SSA param(s) | Capture.cs:68:37:68:37 | access to parameter s |
| Capture.cs:69:25:69:25 | s | Capture.cs:69:25:69:25 | SSA param(s) | Capture.cs:69:59:69:59 | access to parameter s |
| Capture.cs:73:67:73:73 | strings | Capture.cs:73:67:73:73 | SSA param(strings) | Capture.cs:77:9:77:15 | access to parameter strings |
| Capture.cs:76:63:76:63 | e | Capture.cs:76:63:76:81 | SSA def(e) | Capture.cs:77:24:77:24 | access to local variable e |
| Capture.cs:81:28:81:28 | i | Capture.cs:81:28:81:28 | SSA param(i) | Capture.cs:81:34:81:34 | access to parameter i |
| Capture.cs:83:65:83:71 | strings | Capture.cs:83:65:83:71 | SSA param(strings) | Capture.cs:87:9:87:15 | access to parameter strings |
| Capture.cs:85:13:85:13 | b | Capture.cs:86:68:86:73 | SSA capture def(b) | Capture.cs:86:73:86:73 | access to local variable b |
| Capture.cs:86:64:86:64 | e | Capture.cs:86:64:86:73 | SSA def(e) | Capture.cs:87:23:87:23 | access to local variable e |
| Capture.cs:92:18:92:18 | d | Capture.cs:92:18:92:18 | SSA param(d) | Capture.cs:92:24:92:24 | access to parameter d |
| Capture.cs:94:13:94:13 | y | Capture.cs:96:12:100:9 | SSA capture def(y) | Capture.cs:98:21:98:21 | access to local variable y |
| Capture.cs:98:17:98:17 | x | Capture.cs:98:17:98:21 | SSA def(x) | Capture.cs:99:20:99:20 | access to local variable x |
| Capture.cs:114:13:114:13 | a | Capture.cs:115:9:119:9 | SSA capture def(a) | Capture.cs:117:21:117:21 | access to local variable a |
| Capture.cs:117:17:117:17 | x | Capture.cs:117:17:117:21 | SSA def(x) | Capture.cs:118:17:118:17 | access to local variable x |
| Capture.cs:162:13:162:13 | g | Capture.cs:163:9:166:9 | SSA capture def(g) | Capture.cs:165:17:165:17 | access to local variable g |
| Capture.cs:182:17:182:17 | i | Capture.cs:183:13:186:13 | SSA capture def(i) | Capture.cs:185:21:185:21 | access to local variable i |
| Capture.cs:197:17:197:17 | i | Capture.cs:198:33:198:44 | SSA capture def(i) | Capture.cs:198:43:198:43 | access to local variable i |
| Capture.cs:197:17:197:17 | i | Capture.cs:203:34:203:45 | SSA capture def(i) | Capture.cs:203:44:203:44 | access to local variable i |
| Capture.cs:198:28:198:29 | eh | Capture.cs:198:28:198:44 | SSA def(eh) | Capture.cs:199:27:199:28 | access to local variable eh |
| Capture.cs:203:28:203:30 | eh2 | Capture.cs:203:28:203:45 | SSA def(eh2) | Capture.cs:204:27:204:29 | access to local variable eh2 |
| Capture.cs:209:17:209:17 | i | Capture.cs:212:39:212:71 | SSA capture def(i) | Capture.cs:212:70:212:70 | access to local variable i |
| Capture.cs:210:24:210:24 | p | Capture.cs:210:24:210:59 | SSA def(p) | Capture.cs:213:17:213:17 | access to local variable p |
| Capture.cs:212:30:212:35 | exited | Capture.cs:212:30:212:71 | SSA def(exited) | Capture.cs:213:29:213:34 | access to local variable exited |
| Consistency.cs:7:25:7:25 | b | Consistency.cs:7:25:7:25 | SSA param(b) | Consistency.cs:11:17:11:17 | access to parameter b |
| Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:16:17:16:17 | access to local variable i |
| Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | [finally: exception(Exception)] SSA def(i) | Consistency.cs:16:17:16:17 | access to local variable i |
| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:27:13:27:13 | access to local variable c |
| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | Consistency.cs:27:13:27:19 | access to field Field |
| Consistency.cs:30:30:30:30 | c | Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:33:9:33:9 | access to parameter c |
| Consistency.cs:44:11:44:11 | s | Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:46:13:46:13 | access to local variable s |
| Consistency.cs:49:30:49:30 | a | Consistency.cs:49:30:49:30 | SSA param(a) | Consistency.cs:49:47:49:47 | access to parameter a |
| Consistency.cs:49:37:49:37 | i | Consistency.cs:49:37:49:37 | SSA param(i) | Consistency.cs:49:49:49:49 | access to parameter i |
| Consistency.cs:51:20:51:20 | a | Consistency.cs:51:20:51:20 | SSA param(a) | Consistency.cs:56:36:56:36 | access to parameter a |
| DefUse.cs:3:26:3:26 | w | DefUse.cs:3:26:3:26 | SSA param(w) | DefUse.cs:9:13:9:13 | access to parameter w |
| DefUse.cs:3:26:3:26 | w | DefUse.cs:19:13:19:18 | SSA def(w) | DefUse.cs:20:17:20:17 | access to parameter w |
| DefUse.cs:3:26:3:26 | w | DefUse.cs:23:9:23:15 | SSA phi(w) | DefUse.cs:24:13:24:13 | access to parameter w |
| DefUse.cs:3:26:3:26 | w | DefUse.cs:29:13:29:18 | SSA def(w) | DefUse.cs:53:17:53:17 | access to parameter w |
| DefUse.cs:5:13:5:13 | x | DefUse.cs:5:13:5:17 | SSA def(x) | DefUse.cs:26:13:26:13 | access to local variable x |
| DefUse.cs:5:13:5:13 | x | DefUse.cs:5:13:5:17 | SSA def(x) | DefUse.cs:56:16:56:16 | access to local variable x |
| DefUse.cs:6:14:6:14 | y | DefUse.cs:6:14:6:19 | SSA def(y) | DefUse.cs:8:13:8:13 | access to local variable y |
| DefUse.cs:6:14:6:14 | y | DefUse.cs:13:13:13:18 | SSA def(y) | DefUse.cs:14:17:14:17 | access to local variable y |
| DefUse.cs:6:14:6:14 | y | DefUse.cs:23:9:23:15 | SSA phi(y) | DefUse.cs:23:13:23:13 | access to local variable y |
| DefUse.cs:6:14:6:14 | y | DefUse.cs:28:13:28:18 | SSA def(y) | DefUse.cs:34:13:34:13 | access to local variable y |
| DefUse.cs:6:14:6:14 | y | DefUse.cs:42:9:42:15 | SSA phi(y) | DefUse.cs:42:13:42:13 | access to local variable y |
| DefUse.cs:44:13:44:13 | z | DefUse.cs:44:13:44:17 | SSA def(z) | DefUse.cs:45:13:45:13 | access to local variable z |
| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:23:47:23 | SSA def(z) | DefUse.cs:50:23:50:23 | access to local variable z |
| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:23:50:23 | SSA def(z) | DefUse.cs:51:13:51:13 | access to local variable z |
| DefUse.cs:53:9:53:13 | this.Field | DefUse.cs:53:9:53:17 | SSA def(this.Field) | DefUse.cs:54:13:54:17 | access to field Field |
| DefUse.cs:56:9:56:12 | this.Prop | DefUse.cs:56:9:56:16 | SSA def(this.Prop) | DefUse.cs:57:13:57:16 | access to property Prop |
| DefUse.cs:63:9:63:14 | this.Field2 | DefUse.cs:63:9:63:18 | SSA def(this.Field2) | DefUse.cs:64:13:64:18 | access to field Field2 |
| DefUse.cs:63:9:63:14 | this.Field2 | DefUse.cs:63:9:63:18 | SSA def(this.Field2) | DefUse.cs:80:37:80:42 | access to field Field2 |
| DefUse.cs:66:9:66:14 | this.Field3 | DefUse.cs:66:9:66:18 | SSA def(this.Field3) | DefUse.cs:69:13:69:18 | access to field Field3 |
| DefUse.cs:67:19:67:20 | tc | DefUse.cs:67:19:67:27 | SSA def(tc) | DefUse.cs:68:9:68:10 | access to local variable tc |
| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:30:80:31 | SSA def(x1) | DefUse.cs:81:13:81:14 | access to local variable x1 |
| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:30:80:31 | SSA phi(x1) | DefUse.cs:80:30:80:31 | access to local variable x1 |
| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:83:13:83:18 | SSA def(x2) | DefUse.cs:85:15:85:16 | access to local variable x2 |
| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:85:15:85:16 | SSA def(x2) | DefUse.cs:87:13:87:14 | access to local variable x2 |
| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:89:13:89:18 | SSA def(x3) | DefUse.cs:92:15:92:16 | access to local variable x3 |
| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:92:15:92:16 | SSA def(x3) | DefUse.cs:94:13:94:14 | access to local variable x3 |
| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:93:15:93:16 | SSA def(x4) | DefUse.cs:95:13:95:14 | access to local variable x4 |
| DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:16:98:17 | SSA phi(x5) | DefUse.cs:101:18:101:19 | access to local variable x5 |
| DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:16:98:17 | SSA phi(x5) | DefUse.cs:104:9:104:10 | access to local variable x5 |
| DefUse.cs:97:13:97:14 | x5 | DefUse.cs:104:9:104:15 | SSA def(x5) | DefUse.cs:105:13:105:14 | access to local variable x5 |
| DefUse.cs:118:45:118:45 | i | DefUse.cs:118:45:118:45 | SSA param(i) | DefUse.cs:118:65:118:65 | access to parameter i |
| DefUse.cs:128:19:128:19 | i | DefUse.cs:128:19:128:19 | SSA param(i) | DefUse.cs:129:19:129:19 | access to parameter i |
| DefUse.cs:134:22:134:22 | d | DefUse.cs:134:22:134:22 | SSA param(d) | DefUse.cs:135:14:135:14 | access to parameter d |
| DefUse.cs:142:68:142:69 | ie | DefUse.cs:142:68:142:69 | SSA param(ie) | DefUse.cs:144:27:144:28 | access to parameter ie |
| DefUse.cs:144:22:144:22 | x | DefUse.cs:144:22:144:22 | SSA def(x) | DefUse.cs:147:17:147:17 | access to local variable x |
| DefUse.cs:155:9:155:14 | this.Field4 | DefUse.cs:155:9:155:18 | SSA def(this.Field4) | DefUse.cs:157:13:157:18 | access to field Field4 |
| DefUse.cs:162:13:162:18 | this.Field4 | DefUse.cs:160:10:160:16 | SSA entry def(this.Field4) | DefUse.cs:163:13:163:18 | access to field Field4 |
| DefUse.cs:171:23:171:23 | a | DefUse.cs:171:23:180:9 | SSA def(a) | DefUse.cs:181:9:181:9 | access to local variable a |
| DefUse.cs:171:23:171:23 | a | DefUse.cs:186:9:190:9 | SSA def(a) | DefUse.cs:191:9:191:9 | access to local variable a |
| DefUse.cs:184:9:184:14 | this.Field5 | DefUse.cs:184:9:184:18 | SSA def(this.Field5) | DefUse.cs:185:13:185:18 | access to field Field5 |
| DefUse.cs:184:9:184:14 | this.Field5 | DefUse.cs:191:9:191:11 | SSA call def(this.Field5) | DefUse.cs:192:13:192:18 | access to field Field5 |
| DefUse.cs:188:13:188:18 | this.Field5 | DefUse.cs:188:13:188:22 | SSA def(this.Field5) | DefUse.cs:189:17:189:22 | access to field Field5 |
| Example.cs:6:23:6:23 | i | Example.cs:6:23:6:23 | SSA param(i) | Example.cs:11:26:11:26 | access to parameter i |
| Example.cs:6:23:6:23 | i | Example.cs:6:23:6:23 | SSA param(i) | Example.cs:12:18:12:18 | access to parameter i |
| Example.cs:8:9:8:18 | this.Field | Example.cs:8:9:8:22 | SSA def(this.Field) | Example.cs:9:13:9:22 | access to field Field |
| Example.cs:8:9:8:18 | this.Field | Example.cs:14:9:14:24 | SSA phi(this.Field) | Example.cs:15:13:15:22 | access to field Field |
| Example.cs:18:16:18:16 | p | Example.cs:18:16:18:16 | SSA param(p) | Example.cs:22:17:22:17 | access to parameter p |
| Example.cs:18:16:18:16 | p | Example.cs:25:9:25:15 | SSA phi(p) | Example.cs:25:13:25:13 | access to parameter p |
| Example.cs:18:24:18:24 | b | Example.cs:18:24:18:24 | SSA param(b) | Example.cs:20:13:20:13 | access to parameter b |
| Fields.cs:18:15:18:15 | x | Fields.cs:20:9:20:14 | SSA def(x) | Fields.cs:21:13:21:13 | access to local variable x |
| Fields.cs:18:19:18:20 | this.xs | Fields.cs:16:17:16:17 | SSA entry def(this.xs) | Fields.cs:18:19:18:20 | access to field xs |
| Fields.cs:18:19:18:20 | this.xs | Fields.cs:19:9:19:13 | SSA call def(this.xs) | Fields.cs:20:13:20:14 | access to field xs |
| Fields.cs:18:19:18:20 | this.xs | Fields.cs:23:9:23:20 | SSA phi(this.xs) | Fields.cs:23:13:23:19 | access to field xs |
| Fields.cs:18:19:18:20 | this.xs | Fields.cs:24:9:24:23 | SSA def(this.xs) | Fields.cs:25:13:25:14 | access to field xs |
| Fields.cs:30:13:30:13 | f | Fields.cs:30:13:30:28 | SSA def(f) | Fields.cs:46:13:46:13 | access to local variable f |
| Fields.cs:30:13:30:13 | f | Fields.cs:50:9:50:17 | SSA phi(f) | Fields.cs:52:13:52:13 | access to local variable f |
| Fields.cs:31:19:31:22 | f.xs | Fields.cs:30:13:30:28 | SSA qualifier def(f.xs) | Fields.cs:31:19:31:22 | access to field xs |
| Fields.cs:31:19:31:22 | f.xs | Fields.cs:34:9:34:16 | SSA call def(f.xs) | Fields.cs:35:13:35:16 | access to field xs |
| Fields.cs:31:19:31:22 | f.xs | Fields.cs:38:9:38:13 | SSA call def(f.xs) | Fields.cs:43:13:43:16 | access to field xs |
| Fields.cs:31:19:31:22 | f.xs | Fields.cs:45:9:45:25 | SSA def(f.xs) | Fields.cs:46:13:46:16 | access to field xs |
| Fields.cs:31:19:31:22 | f.xs | Fields.cs:50:9:50:17 | SSA phi(f.xs) | Fields.cs:52:13:52:16 | access to field xs |
| Fields.cs:32:15:32:15 | z | Fields.cs:47:9:47:14 | SSA def(z) | Fields.cs:48:13:48:13 | access to local variable z |
| Fields.cs:32:19:32:20 | this.xs | Fields.cs:28:17:28:17 | SSA entry def(this.xs) | Fields.cs:32:19:32:20 | access to field xs |
| Fields.cs:32:19:32:20 | this.xs | Fields.cs:34:9:34:16 | SSA call def(this.xs) | Fields.cs:36:13:36:14 | access to field xs |
| Fields.cs:32:19:32:20 | this.xs | Fields.cs:38:9:38:13 | SSA call def(this.xs) | Fields.cs:40:13:40:14 | access to field xs |
| Fields.cs:32:19:32:20 | this.xs | Fields.cs:42:9:42:23 | SSA def(this.xs) | Fields.cs:53:13:53:14 | access to field xs |
| Fields.cs:33:19:33:22 | Fields.stat | Fields.cs:30:17:30:28 | SSA call def(Fields.stat) | Fields.cs:33:19:33:22 | access to field stat |
| Fields.cs:33:19:33:22 | Fields.stat | Fields.cs:34:9:34:16 | SSA call def(Fields.stat) | Fields.cs:37:13:37:16 | access to field stat |
| Fields.cs:33:19:33:22 | Fields.stat | Fields.cs:38:9:38:13 | SSA call def(Fields.stat) | Fields.cs:41:13:41:16 | access to field stat |
| Fields.cs:33:19:33:22 | Fields.stat | Fields.cs:51:9:51:20 | SSA call def(Fields.stat) | Fields.cs:54:13:54:16 | access to field stat |
| Fields.cs:65:24:65:32 | this.LoopField | Fields.cs:61:17:61:17 | SSA entry def(this.LoopField) | Fields.cs:65:24:65:32 | access to field LoopField |
| Fields.cs:71:17:71:35 | this.SingleAccessedField | Fields.cs:61:17:61:17 | SSA entry def(this.SingleAccessedField) | Fields.cs:71:17:71:35 | access to field SingleAccessedField |
| Fields.cs:76:20:76:38 | this.SingleAccessedField | Fields.cs:74:17:74:17 | SSA entry def(this.SingleAccessedField) | Fields.cs:76:20:76:38 | access to field SingleAccessedField |
| Fields.cs:77:13:77:13 | f | Fields.cs:77:13:77:45 | SSA def(f) | Fields.cs:90:19:90:19 | access to local variable f |
| Fields.cs:77:13:77:13 | f | Fields.cs:78:27:78:54 | SSA capture def(f) | Fields.cs:78:35:78:35 | access to local variable f |
| Fields.cs:78:23:78:23 | a | Fields.cs:78:23:78:54 | SSA def(a) | Fields.cs:81:9:81:9 | access to local variable a |
| Fields.cs:78:23:78:23 | a | Fields.cs:86:24:86:46 | SSA capture def(a) | Fields.cs:86:31:86:31 | access to local variable a |
| Fields.cs:79:23:79:23 | b | Fields.cs:79:23:79:35 | SSA def(b) | Fields.cs:84:9:84:9 | access to local variable b |
| Fields.cs:79:23:79:23 | b | Fields.cs:89:24:89:46 | SSA capture def(b) | Fields.cs:89:31:89:31 | access to local variable b |
| Fields.cs:80:9:80:12 | f.xs | Fields.cs:81:9:81:11 | SSA call def(f.xs) | Fields.cs:82:19:82:22 | access to field xs |
| Fields.cs:80:9:80:12 | f.xs | Fields.cs:83:9:83:25 | SSA def(f.xs) | Fields.cs:85:19:85:22 | access to field xs |
| Fields.cs:80:9:80:12 | f.xs | Fields.cs:86:9:86:47 | SSA call def(f.xs) | Fields.cs:87:19:87:22 | access to field xs |
| Fields.cs:80:9:80:12 | f.xs | Fields.cs:88:9:88:25 | SSA def(f.xs) | Fields.cs:90:19:90:22 | access to field xs |
| Fields.cs:82:9:82:15 | this.xs | Fields.cs:85:9:85:22 | SSA def(this.xs) | Fields.cs:86:9:86:15 | access to field xs |
| Fields.cs:82:9:82:15 | this.xs | Fields.cs:87:9:87:22 | SSA def(this.xs) | Fields.cs:89:9:89:15 | access to field xs |
| Fields.cs:95:19:95:19 | f | Fields.cs:95:19:95:19 | SSA param(f) | Fields.cs:102:22:102:22 | access to parameter f |
| Fields.cs:97:9:97:15 | f.Field | Fields.cs:97:9:97:30 | SSA def(f.Field) | Fields.cs:102:22:102:28 | access to field Field |
| Fields.cs:98:20:98:32 | f.Field.Field | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field) | Fields.cs:101:16:101:28 | access to field Field |
| Fields.cs:99:16:99:34 | f.Field.Field.Field | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field) | Fields.cs:101:16:101:34 | access to field Field |
| Fields.cs:100:16:100:40 | f.Field.Field.Field.Field | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field.Field) | Fields.cs:101:16:101:40 | access to field Field |
| Fields.cs:102:9:102:18 | this.Field | Fields.cs:102:9:102:28 | SSA def(this.Field) | Fields.cs:104:16:104:25 | access to field Field |
| Fields.cs:107:33:107:33 | f | Fields.cs:107:33:107:33 | SSA param(f) | Fields.cs:107:38:107:38 | access to parameter f |
| Fields.cs:115:20:115:29 | this.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field) | Fields.cs:117:17:117:26 | access to field Field |
| Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | Fields.cs:117:17:117:32 | access to field Field |
| Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:117:17:117:35 | access to field xs |
| MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:28:5:28 | access to parameter x |
| MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationB.cs:3:28:3:28 | access to parameter x |
| OutRef.cs:9:13:9:13 | j | OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:10:32:10:32 | access to local variable j |
| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:22:29:22:29 | access to local variable j |
| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:24:29:24:29 | access to local variable j |
| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:29:24:29 | SSA def(j) | OutRef.cs:25:13:25:13 | access to local variable j |
| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:25:10:25 | SSA def(i) | OutRef.cs:11:13:11:13 | access to local variable i |
| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:21:13:21 | SSA def(i) | OutRef.cs:14:13:14:13 | access to local variable i |
| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | OutRef.cs:13:28:13:32 | access to field Field |
| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:28:13:32 | SSA def(this.Field) | OutRef.cs:16:32:16:36 | access to field Field |
| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:21:16:25 | SSA def(this.Field) | OutRef.cs:17:13:17:17 | access to field Field |
| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:21:19:25 | SSA def(this.Field) | OutRef.cs:20:13:20:17 | access to field Field |
| OutRef.cs:18:13:18:13 | t | OutRef.cs:18:13:18:28 | SSA def(t) | OutRef.cs:21:13:21:13 | access to local variable t |
| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | OutRef.cs:19:32:19:38 | access to field Field |
| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:32:19:38 | SSA def(t.Field) | OutRef.cs:21:13:21:19 | access to field Field |
| OutRef.cs:28:37:28:37 | j | OutRef.cs:28:37:28:37 | SSA param(j) | OutRef.cs:30:13:30:13 | access to parameter j |
| OutRef.cs:34:38:34:38 | j | OutRef.cs:34:38:34:38 | SSA param(j) | OutRef.cs:36:13:36:13 | access to parameter j |
| OutRef.cs:39:24:39:24 | b | OutRef.cs:39:24:39:24 | SSA param(b) | OutRef.cs:41:13:41:13 | access to parameter b |
| Patterns.cs:7:16:7:16 | o | Patterns.cs:7:16:7:23 | SSA def(o) | Patterns.cs:20:17:20:17 | access to local variable o |
| Patterns.cs:8:22:8:23 | i1 | Patterns.cs:8:18:8:23 | SSA def(i1) | Patterns.cs:10:38:10:39 | access to local variable i1 |
| Patterns.cs:12:30:12:31 | s1 | Patterns.cs:12:23:12:31 | SSA def(s1) | Patterns.cs:14:41:14:42 | access to local variable s1 |
| Patterns.cs:24:22:24:23 | i2 | Patterns.cs:24:18:24:23 | SSA def(i2) | Patterns.cs:24:30:24:31 | access to local variable i2 |
| Patterns.cs:24:22:24:23 | i2 | Patterns.cs:24:18:24:23 | SSA def(i2) | Patterns.cs:25:47:25:48 | access to local variable i2 |
| Patterns.cs:27:22:27:23 | i3 | Patterns.cs:27:18:27:23 | SSA def(i3) | Patterns.cs:28:42:28:43 | access to local variable i3 |
| Patterns.cs:30:25:30:26 | s2 | Patterns.cs:30:18:30:26 | SSA def(s2) | Patterns.cs:31:45:31:46 | access to local variable s2 |
| Properties.cs:18:15:18:15 | x | Properties.cs:20:9:20:14 | SSA def(x) | Properties.cs:21:13:21:13 | access to local variable x |
| Properties.cs:18:19:18:20 | this.xs | Properties.cs:16:17:16:17 | SSA entry def(this.xs) | Properties.cs:18:19:18:20 | access to property xs |
| Properties.cs:18:19:18:20 | this.xs | Properties.cs:19:9:19:13 | SSA call def(this.xs) | Properties.cs:20:13:20:14 | access to property xs |
| Properties.cs:18:19:18:20 | this.xs | Properties.cs:23:9:23:20 | SSA phi(this.xs) | Properties.cs:23:13:23:19 | access to property xs |
| Properties.cs:18:19:18:20 | this.xs | Properties.cs:24:9:24:23 | SSA def(this.xs) | Properties.cs:25:13:25:14 | access to property xs |
| Properties.cs:30:13:30:13 | f | Properties.cs:30:13:30:32 | SSA def(f) | Properties.cs:46:13:46:13 | access to local variable f |
| Properties.cs:30:13:30:13 | f | Properties.cs:50:9:50:17 | SSA phi(f) | Properties.cs:52:13:52:13 | access to local variable f |
| Properties.cs:31:19:31:22 | f.xs | Properties.cs:30:13:30:32 | SSA qualifier def(f.xs) | Properties.cs:31:19:31:22 | access to property xs |
| Properties.cs:31:19:31:22 | f.xs | Properties.cs:34:9:34:16 | SSA call def(f.xs) | Properties.cs:35:13:35:16 | access to property xs |
| Properties.cs:31:19:31:22 | f.xs | Properties.cs:38:9:38:13 | SSA call def(f.xs) | Properties.cs:43:13:43:16 | access to property xs |
| Properties.cs:31:19:31:22 | f.xs | Properties.cs:45:9:45:25 | SSA def(f.xs) | Properties.cs:46:13:46:16 | access to property xs |
| Properties.cs:31:19:31:22 | f.xs | Properties.cs:50:9:50:17 | SSA phi(f.xs) | Properties.cs:52:13:52:16 | access to property xs |
| Properties.cs:32:15:32:15 | z | Properties.cs:47:9:47:14 | SSA def(z) | Properties.cs:48:13:48:13 | access to local variable z |
| Properties.cs:32:19:32:20 | this.xs | Properties.cs:28:17:28:17 | SSA entry def(this.xs) | Properties.cs:32:19:32:20 | access to property xs |
| Properties.cs:32:19:32:20 | this.xs | Properties.cs:34:9:34:16 | SSA call def(this.xs) | Properties.cs:36:13:36:14 | access to property xs |
| Properties.cs:32:19:32:20 | this.xs | Properties.cs:38:9:38:13 | SSA call def(this.xs) | Properties.cs:40:13:40:14 | access to property xs |
| Properties.cs:32:19:32:20 | this.xs | Properties.cs:42:9:42:23 | SSA def(this.xs) | Properties.cs:53:13:53:14 | access to property xs |
| Properties.cs:33:19:33:22 | Properties.stat | Properties.cs:30:17:30:32 | SSA call def(Properties.stat) | Properties.cs:33:19:33:22 | access to property stat |
| Properties.cs:33:19:33:22 | Properties.stat | Properties.cs:34:9:34:16 | SSA call def(Properties.stat) | Properties.cs:37:13:37:16 | access to property stat |
| Properties.cs:33:19:33:22 | Properties.stat | Properties.cs:38:9:38:13 | SSA call def(Properties.stat) | Properties.cs:41:13:41:16 | access to property stat |
| Properties.cs:33:19:33:22 | Properties.stat | Properties.cs:51:9:51:24 | SSA call def(Properties.stat) | Properties.cs:54:13:54:16 | access to property stat |
| Properties.cs:61:23:61:23 | i | Properties.cs:63:16:63:16 | SSA phi(i) | Properties.cs:63:16:63:16 | access to parameter i |
| Properties.cs:65:24:65:31 | this.LoopProp | Properties.cs:61:17:61:17 | SSA entry def(this.LoopProp) | Properties.cs:65:24:65:31 | access to property LoopProp |
| Properties.cs:67:21:67:38 | this.SingleAccessedProp | Properties.cs:61:17:61:17 | SSA entry def(this.SingleAccessedProp) | Properties.cs:67:21:67:38 | access to property SingleAccessedProp |
| Properties.cs:72:20:72:37 | this.SingleAccessedProp | Properties.cs:70:17:70:17 | SSA entry def(this.SingleAccessedProp) | Properties.cs:72:20:72:37 | access to property SingleAccessedProp |
| Properties.cs:73:13:73:13 | f | Properties.cs:73:13:73:32 | SSA def(f) | Properties.cs:86:19:86:19 | access to local variable f |
| Properties.cs:73:13:73:13 | f | Properties.cs:74:27:74:54 | SSA capture def(f) | Properties.cs:74:35:74:35 | access to local variable f |
| Properties.cs:74:23:74:23 | a | Properties.cs:74:23:74:54 | SSA def(a) | Properties.cs:77:9:77:9 | access to local variable a |
| Properties.cs:74:23:74:23 | a | Properties.cs:82:24:82:46 | SSA capture def(a) | Properties.cs:82:31:82:31 | access to local variable a |
| Properties.cs:75:23:75:23 | b | Properties.cs:75:23:75:35 | SSA def(b) | Properties.cs:80:9:80:9 | access to local variable b |
| Properties.cs:75:23:75:23 | b | Properties.cs:85:24:85:46 | SSA capture def(b) | Properties.cs:85:31:85:31 | access to local variable b |
| Properties.cs:76:9:76:12 | f.xs | Properties.cs:77:9:77:11 | SSA call def(f.xs) | Properties.cs:78:19:78:22 | access to property xs |
| Properties.cs:76:9:76:12 | f.xs | Properties.cs:79:9:79:25 | SSA def(f.xs) | Properties.cs:81:19:81:22 | access to property xs |
| Properties.cs:76:9:76:12 | f.xs | Properties.cs:82:9:82:47 | SSA call def(f.xs) | Properties.cs:83:19:83:22 | access to property xs |
| Properties.cs:76:9:76:12 | f.xs | Properties.cs:84:9:84:25 | SSA def(f.xs) | Properties.cs:86:19:86:22 | access to property xs |
| Properties.cs:78:9:78:15 | this.xs | Properties.cs:81:9:81:22 | SSA def(this.xs) | Properties.cs:82:9:82:15 | access to property xs |
| Properties.cs:78:9:78:15 | this.xs | Properties.cs:83:9:83:22 | SSA def(this.xs) | Properties.cs:85:9:85:15 | access to property xs |
| Properties.cs:106:37:106:37 | p | Properties.cs:106:37:106:37 | SSA param(p) | Properties.cs:106:42:106:42 | access to parameter p |
| Properties.cs:114:20:114:29 | this.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props) | Properties.cs:116:17:116:26 | access to field Props |
| Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | Properties.cs:116:17:116:32 | access to field Props |
| Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:116:17:116:35 | access to property xs |
| Splitting.cs:3:18:3:18 | b | Splitting.cs:3:18:3:18 | SSA param(b) | Splitting.cs:15:13:15:13 | access to parameter b |
| Splitting.cs:5:13:5:13 | x | Splitting.cs:7:13:7:19 | [b (line 3): true] SSA def(x) | Splitting.cs:17:13:17:13 | access to local variable x |
| Splitting.cs:5:13:5:13 | x | Splitting.cs:10:13:10:19 | [b (line 3): false] SSA def(x) | Splitting.cs:14:9:14:9 | access to local variable x |
| Splitting.cs:22:18:22:18 | b | Splitting.cs:22:18:22:18 | SSA param(b) | Splitting.cs:35:13:35:13 | access to parameter b |
| Splitting.cs:24:13:24:13 | x | Splitting.cs:29:13:29:19 | [b (line 22): false] SSA def(x) | Splitting.cs:30:13:30:13 | access to local variable x |
| Splitting.cs:24:13:24:13 | x | Splitting.cs:32:9:32:15 | [b (line 22): false] SSA def(x) | Splitting.cs:34:9:34:9 | access to local variable x |
| Splitting.cs:24:13:24:13 | x | Splitting.cs:32:9:32:15 | [b (line 22): true] SSA def(x) | Splitting.cs:37:13:37:13 | access to local variable x |
| Splitting.cs:42:18:42:18 | b | Splitting.cs:42:18:42:18 | SSA param(b) | Splitting.cs:52:13:52:13 | access to parameter b |
| Splitting.cs:44:13:44:13 | x | Splitting.cs:49:13:49:19 | [b (line 42): false] SSA def(x) | Splitting.cs:50:13:50:13 | access to local variable x |
| Splitting.cs:44:13:44:13 | x | Splitting.cs:54:9:54:21 | SSA phi(x) | Splitting.cs:55:9:55:9 | access to local variable x |
| Test.cs:5:15:5:20 | param1 | Test.cs:5:15:5:20 | SSA param(param1) | Test.cs:11:13:11:18 | access to parameter param1 |
| Test.cs:5:15:5:20 | param1 | Test.cs:25:16:25:16 | SSA phi(param1) | Test.cs:27:17:27:22 | access to parameter param1 |
| Test.cs:5:15:5:20 | param1 | Test.cs:39:9:42:9 | SSA phi(param1) | Test.cs:41:13:41:18 | access to parameter param1 |
| Test.cs:5:67:5:72 | param2 | Test.cs:5:67:5:72 | SSA param(param2) | Test.cs:39:27:39:32 | access to parameter param2 |
| Test.cs:7:9:7:13 | this.field | Test.cs:24:9:24:15 | SSA phi(this.field) | Test.cs:33:13:33:17 | access to field field |
| Test.cs:8:13:8:13 | x | Test.cs:8:13:8:17 | SSA def(x) | Test.cs:13:13:13:13 | access to local variable x |
| Test.cs:8:13:8:13 | x | Test.cs:13:13:13:15 | SSA def(x) | Test.cs:14:19:14:19 | access to local variable x |
| Test.cs:8:13:8:13 | x | Test.cs:24:9:24:15 | SSA phi(x) | Test.cs:25:16:25:16 | access to local variable x |
| Test.cs:8:13:8:13 | x | Test.cs:34:25:34:25 | SSA phi(x) | Test.cs:36:13:36:13 | access to local variable x |
| Test.cs:8:13:8:13 | x | Test.cs:34:25:34:25 | SSA phi(x) | Test.cs:43:16:43:16 | access to local variable x |
| Test.cs:9:13:9:13 | y | Test.cs:19:13:19:17 | SSA def(y) | Test.cs:20:13:20:13 | access to local variable y |
| Test.cs:9:13:9:13 | y | Test.cs:25:16:25:16 | SSA phi(y) | Test.cs:31:13:31:13 | access to local variable y |
| Test.cs:9:13:9:13 | y | Test.cs:25:16:25:16 | SSA phi(y) | Test.cs:43:20:43:20 | access to local variable y |
| Test.cs:10:13:10:13 | z | Test.cs:24:9:24:15 | SSA phi(z) | Test.cs:24:13:24:13 | access to local variable z |
| Test.cs:34:18:34:18 | i | Test.cs:34:25:34:25 | SSA phi(i) | Test.cs:34:25:34:25 | access to local variable i |
| Test.cs:34:18:34:18 | i | Test.cs:34:25:34:25 | SSA phi(i) | Test.cs:34:33:34:33 | access to local variable i |
| Test.cs:39:22:39:22 | w | Test.cs:39:22:39:22 | SSA def(w) | Test.cs:41:23:41:23 | access to local variable w |
| Test.cs:46:16:46:18 | in | Test.cs:46:16:46:18 | SSA param(in) | Test.cs:48:13:48:15 | access to parameter in |
| Test.cs:56:13:56:17 | this.field | Test.cs:46:10:46:10 | SSA entry def(this.field) | Test.cs:56:13:56:17 | access to field field |
| Test.cs:56:13:56:17 | this.field | Test.cs:57:9:57:17 | SSA def(this.field) | Test.cs:58:13:58:17 | access to field field |
| Test.cs:62:16:62:16 | x | Test.cs:62:16:62:16 | SSA param(x) | Test.cs:66:28:66:28 | access to parameter x |
| Test.cs:68:45:68:45 | e | Test.cs:68:45:68:45 | [exception: DivideByZeroException] SSA def(e) | Test.cs:70:17:70:17 | access to local variable e |
| Test.cs:76:24:76:25 | b1 | Test.cs:76:24:76:25 | SSA param(b1) | Test.cs:80:13:80:14 | access to parameter b1 |
| Test.cs:76:33:76:34 | b2 | Test.cs:76:33:76:34 | SSA param(b2) | Test.cs:84:18:84:19 | access to parameter b2 |
| Test.cs:76:42:76:43 | b3 | Test.cs:76:42:76:43 | SSA param(b3) | Test.cs:90:13:90:14 | access to parameter b3 |
| Test.cs:76:51:76:52 | b4 | Test.cs:76:51:76:52 | SSA param(b4) | Test.cs:94:18:94:19 | access to parameter b4 |
| Test.cs:76:60:76:61 | b5 | Test.cs:76:60:76:61 | SSA param(b5) | Test.cs:102:13:102:14 | access to parameter b5 |
| Test.cs:76:69:76:70 | b6 | Test.cs:76:69:76:70 | SSA param(b6) | Test.cs:113:13:113:14 | access to parameter b6 |
| Test.cs:78:13:78:13 | x | Test.cs:78:13:78:17 | SSA def(x) | Test.cs:99:13:99:13 | access to local variable x |
| Test.cs:78:13:78:13 | x | Test.cs:78:13:78:17 | SSA def(x) | Test.cs:104:17:104:17 | access to local variable x |
| Test.cs:78:13:78:13 | x | Test.cs:108:13:108:17 | SSA def(x) | Test.cs:109:17:109:17 | access to local variable x |
| Test.cs:78:13:78:13 | x | Test.cs:113:9:116:9 | SSA phi(x) | Test.cs:115:17:115:17 | access to local variable x |
| Tuples.cs:10:14:10:14 | x | Tuples.cs:10:9:10:54 | SSA def(x) | Tuples.cs:11:13:11:13 | access to local variable x |
| Tuples.cs:10:14:10:14 | x | Tuples.cs:14:9:14:32 | SSA def(x) | Tuples.cs:15:13:15:13 | access to local variable x |
| Tuples.cs:10:14:10:14 | x | Tuples.cs:23:9:23:37 | SSA def(x) | Tuples.cs:24:13:24:13 | access to local variable x |
| Tuples.cs:10:23:10:23 | b | Tuples.cs:10:9:10:54 | SSA def(b) | Tuples.cs:12:13:12:13 | access to local variable b |
| Tuples.cs:10:23:10:23 | b | Tuples.cs:14:9:14:32 | SSA def(b) | Tuples.cs:16:13:16:13 | access to local variable b |
| Tuples.cs:10:33:10:33 | s | Tuples.cs:10:9:10:54 | SSA def(s) | Tuples.cs:13:13:13:13 | access to local variable s |
| Tuples.cs:10:33:10:33 | s | Tuples.cs:14:9:14:32 | SSA def(s) | Tuples.cs:17:13:17:13 | access to local variable s |
| Tuples.cs:18:40:18:44 | tuple | Tuples.cs:18:40:18:57 | SSA def(tuple) | Tuples.cs:19:13:19:17 | access to local variable tuple |
| Tuples.cs:20:10:20:17 | this.Property | Tuples.cs:20:9:20:34 | SSA def(this.Property) | Tuples.cs:21:13:21:20 | access to property Property |
| Tuples.cs:20:20:20:24 | this.Field | Tuples.cs:20:9:20:34 | SSA def(this.Field) | Tuples.cs:22:13:22:17 | access to field Field |
| Tuples.cs:20:20:20:24 | this.Field | Tuples.cs:26:9:26:33 | SSA def(this.Field) | Tuples.cs:27:13:27:17 | access to field Field |
| Tuples.cs:25:13:25:13 | t | Tuples.cs:25:13:25:28 | SSA def(t) | Tuples.cs:28:13:28:13 | access to local variable t |
| Tuples.cs:26:17:26:23 | t.Field | Tuples.cs:26:9:26:33 | SSA def(t.Field) | Tuples.cs:28:13:28:19 | access to field Field |

5
csharp/ql/test/library-tests/dataflow/ssa/SsaDefLastRead.ql
View File

@@ -1,5 +0,0 @@
import csharp
from Ssa::Definition def, AssignableRead read
where read = def.getALastRead()
select def.getSourceVariable(), def, read

1
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.2.rst
View File

@@ -74,6 +74,7 @@ Golang
* Added member predicates :code:`StructTag.hasOwnFieldWithTag` and :code:`Field.getTag`, which enable CodeQL queries to examine struct field tags.
* Added member predicate :code:`InterfaceType.hasPrivateMethodWithQualifiedName`, which enables CodeQL queries to distinguish interfaces with matching non-exported method names that are declared in different packages, and are therefore incompatible.
* Local source models with the :code:`stdin` source kind have been added for the variable :code:`os.Stdin` and the functions :code:`fmt.Scan`, :code:`fmt.Scanf` and :code:`fmt.Scanln`. You can optionally include threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries <https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data%3E>`__ and `Customizing your advanced setup for code scanning <https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.
Python
""""""

8
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.1.rst
View File

@@ -56,8 +56,8 @@ Python
* The Server Side Template Injection query (:code:`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the main query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input.
Actions
"""""""
GitHub Actions
""""""""""""""
* Initial public preview release
@@ -149,8 +149,8 @@ Python
* Added support for parameter annotations in API graphs. This means that in a function definition such as :code:`def foo(x: Bar): ...`, you can now use the :code:`getInstanceFromAnnotation()` method to step from :code:`Bar` to :code:`x`. In addition to this, the :code:`getAnInstance` method now also includes instances arising from parameter annotations.
Actions
"""""""
GitHub Actions
""""""""""""""
* Initial public preview release

223
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst Normal file
View File

@@ -0,0 +1,223 @@
.. _codeql-cli-2.20.4:
==========================
CodeQL 2.20.4 (2025-02-06)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.20.4 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug where CodeQL for Java would fail with an SSL exception while trying to download :code:`maven`.
New Features
~~~~~~~~~~~~
* Using the :code:`actions` language (for analysis of GitHub Actions workflows) no longer requires the :code:`CODEQL_ENABLE_EXPERIMENTAL_FEATURES` environment variable to be set. Support for analysis of GitHub Actions workflows remains in public preview.
Miscellaneous
~~~~~~~~~~~~~
* The build of the `logback-core <https://logback.qos.ch/>`__ library that is used for logging in the CodeQL CLI has been updated to version 1.3.15.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed a bug that would occur when TypeScript code was found in an HTML-like file, such as a :code:`.vue` file,
but where it could not be associated with any :code:`tsconfig.json` file. Previously the embedded code was not extracted in this case, but should now be extracted properly.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Improved support for NestJS applications that make use of dependency injection with custom providers.
Calls to methods on an injected service should now be resolved properly.
* TypeScript extraction is now better at analyzing projects where the main :code:`tsconfig.json` file does not include any source files, but references other :code:`tsconfig.json`\ -like files that do include source files.
* The :code:`js/incorrect-suffix-check` query now recognises some good patterns of the form :code:`origin.indexOf("." + allowedOrigin)` that were previously falsely flagged.
* Added a new threat model kind called :code:`view-component-input`, which can enabled with `advanced setup <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.
When enabled, all React props, Vue props, and input fields in an Angular component are seen as taint sources, even if none of the corresponding instantiation sites appear to pass in a tainted value.
Some users may prefer this as a "defense in depth" option but note that it may result in false positives.
Regardless of whether the threat model is enabled, CodeQL will propagate taint from the instantiation sites of such components into the components themselves.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Wrong type of arguments to formatting function" query (:code:`cpp/wrong-type-format-argument`) now produces fewer FPs if the formatting function has multiple definitions.
* The "Call to memory access function may overflow buffer" query (:code:`cpp/overflow-buffer`) now produces fewer FPs involving non-static member variables.
C#
""
* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in `CodeQL-Community-Packs <https://github.com/GitHubSecurityLab/CodeQL-Community-Packs>`__.
Java/Kotlin
"""""""""""
* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in `CodeQL-Community-Packs <https://github.com/GitHubSecurityLab/CodeQL-Community-Packs>`__.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
GitHub Actions
""""""""""""""
* Fixed data for vulnerable versions of :code:`actions/download-artifact` and :code:`rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
* Improved :code:`untrustedGhCommandDataModel` regex for :code:`gh pr view` and Bash taint analysis in GitHub Actions.
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* Deleted the deprecated :code:`getAllocatorCall` predicate from :code:`DeleteOrDeleteArrayExpr`, use :code:`getDeallocatorCall` instead.
C#
""
* Deleted the deprecated :code:`getInstanceType` predicate from the :code:`UnboundGenericType` class.
* Deleted the deprecated :code:`getElement` predicate from the :code:`Node` class in :code:`ControlFlowGraph.qll`, use :code:`getAstNode` instead.
Golang
""""""
* Deleted the deprecated :code:`describeBitSize` predicate from :code:`IncorrectIntegerConversionLib.qll`
Java/Kotlin
"""""""""""
* Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead.
* Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead.
* Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead.
* Deleted a lot of deprecated classes ending in ``*Access``, use the corresponding ``*Call`` classes instead.
* Deleted a lot of deprecated predicates ending in ``*Access``, use the corresponding ``*Call`` predicates instead.
* Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead.
* Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead.
Python
""""""
* Deleted the old deprecated TypeTracking library.
* Deleted the deprecated :code:`classRef` predicate from the :code:`FieldStorage` module, use :code:`subclassRef` instead.
* Deleted a lot of deprecated modules and predicates from :code:`Stdlib.qll`, use API-graphs directly instead.
Ruby
""""
* Deleted the deprecated :code:`getCallNode` predicate from :code:`API::Node`, use :code:`asCall()` instead.
* Deleted the deprecated :code:`getASubclass`, :code:`getAnImmediateSubclass`, :code:`getASuccessor`, :code:`getAPredecessor`, :code:`getASuccessor`, :code:`getDepth`, and :code:`getPath` predicates from :code:`API::Node`.
* Deleted the deprecated :code:`Root`, :code:`Use`, and :code:`Def` classes from :code:`ApiGraphs.qll`.
* Deleted the deprecated :code:`Label` module from :code:`ApiGraphs.qll`.
* Deleted the deprecated :code:`getAUse`, :code:`getAnImmediateUse`, :code:`getARhs`, and :code:`getAValueReachingRhs` predicates from :code:`API::Node`, use :code:`getAValueReachableFromSource`, :code:`asSource`, :code:`asSink`, and :code:`getAValueReachingSink` instead.
* Deleted the deprecated :code:`getAVariable` predicate from the :code:`ExprNode` class, use :code:`getVariable` instead.
* Deleted the deprecated :code:`getAPotentialFieldAccessMethod` predicate from the :code:`ActiveRecordModelClass` class.
* Deleted the deprecated :code:`ActiveRecordModelClassMethodCall` class from :code:`ActiveRecord.qll`, use :code:`ActiveRecordModelClass.getClassNode().trackModule().getMethod()` instead.
* Deleted the deprecated :code:`PotentiallyUnsafeSqlExecutingMethodCall` class from :code:`ActiveRecord.qll`, use the :code:`SqlExecution` concept instead.
* Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead.
* Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead.
* Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`.
* Deleted a lot of deprecated dataflow modules from ``*Query.qll`` files.
* Deleted the old deprecated TypeTracking library.
Swift
"""""
* Deleted the deprecated :code:`ArrayContent` class from the dataflow library, use :code:`CollectionContent` instead.
* Deleted the deprecated :code:`getOptionsInput`, :code:`getRegexInput`, and :code:`getStringInput` predicates from the regexp library, use :code:`getAnOptionsInput`, :code:`getRegexInputNode`, and :code:`getStringInputNode` instead.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added new XSS sink where :code:`innerHTML` or :code:`outerHTML` is assigned to with the Angular Renderer2 API, plus modeled this API as a general attribute setter
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* C# 13: Added MaD models for some overload implementations using :code:`ReadOnlySpan` parameters (like :code:`String.Format(System.String, System.ReadOnlySpan<System.Object>))`).
* C# 13: Added support for the overload resolution priority attribute (:code:`OverloadResolutionPriority`). Usages of the attribute and the corresponding priority can be found using the QL class :code:`SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute`.
* C# 13: Added support for partial properties and indexers.
Golang
""""""
* Models-as-data models using "Parameter", "Parameter[n]" or "Parameter[n1..n2]" as the output now work correctly.
* By implementing :code:`ImplicitFieldReadNode` it is now possible to declare a dataflow node that reads any content (fields, array members, map keys and values). For example, this is appropriate for modelling a serialization method that flattens a potentially deep data structure into a string or byte array.
* The :code:`Template.Execute[Template]` methods of the :code:`text/template` package now correctly convey taint from any nested fields to their result. This may produce more results from any taint-tracking query when the :code:`text/template` package is in use.
* Added the `rs cors <https://github.com/rs/cors>`__ library to the CorsMisconfiguration.ql query
Java/Kotlin
"""""""""""
* We now allow classes which don't have any JAX-RS annotations to inherit JAX-RS annotations from superclasses or interfaces. This is not allowed in the JAX-RS specification, but some implementations, like Apache CXF, allow it. This may lead to more alerts being found.
Python
""""""
* Additional data flow models for the builtin functions :code:`map`, :code:`filter`, :code:`zip`, and :code:`enumerate` have been added.
New Features
~~~~~~~~~~~~
C/C++
"""""
* A new predicate :code:`getOffsetInClass` was added to the :code:`Field` class, which computes the byte offset of a field relative to a given :code:`Class`.
* New classes :code:`PreprocessorElifdef` and :code:`PreprocessorElifndef` were introduced, which represents the C23/C++23 :code:`#elifdef` and :code:`#elifndef` preprocessor directives.
* A new class :code:`TypeLibraryImport` was introduced, which represents the :code:`#import` preprocessor directive as used by the Microsoft Visual C++ for importing type libraries.
Shared Libraries
----------------
Breaking Changes
~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* Deleted the deprecated :code:`Make` and :code:`MakeWithState` modules, use :code:`Global` and :code:`GlobalWithState` instead.
* Deleted the deprecated :code:`hasFlow`, :code:`hasFlowPath`, :code:`hasFlowTo`, and :code:`hasFlowToExpr` predicates, use :code:`flow`, :code:`flowPath`, :code:`flowTo`, and :code:`flowToExpr` respectively instead.
Control Flow Analysis
"""""""""""""""""""""
* Added a basic block construction as part of the library. This is currently considered an internal unstable API. The input signature to the control flow graph now requires two additional predicates: :code:`idOfAstNode` and
:code:`idOfCfgScope`.
Type Trackers
"""""""""""""
* Deleted the deprecated :code:`ConsistencyChecks` module.

1
docs/codeql/codeql-overview/codeql-changelog/index.rst
View File

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.20.4
codeql-cli-2.20.3
codeql-cli-2.20.2
codeql-cli-2.20.1

28
java/ql/src/Telemetry/DatabaseQuality.qll
View File

@@ -4,33 +4,7 @@
*/
import java
signature module StatsSig {
int getNumberOfOk();
int getNumberOfNotOk();
string getOkText();
string getNotOkText();
}
module ReportStats<StatsSig Stats> {
predicate numberOfOk(string key, int value) {
value = Stats::getNumberOfOk() and
key = "Number of " + Stats::getOkText()
}
predicate numberOfNotOk(string key, int value) {
value = Stats::getNumberOfNotOk() and
key = "Number of " + Stats::getNotOkText()
}
predicate percentageOfOk(string key, float value) {
value = Stats::getNumberOfOk() * 100.0 / (Stats::getNumberOfOk() + Stats::getNumberOfNotOk()) and
key = "Percentage of " + Stats::getOkText()
}
}
import codeql.util.ReportStats
module CallTargetStats implements StatsSig {
int getNumberOfOk() { result = count(Call c | exists(c.getCallee())) }

2
javascript/ql/lib/semmle/javascript/dataflow/internal/VariableCapture.qll
View File

@@ -240,8 +240,6 @@ module VariableCaptureConfig implements InputSig<js::DbLocation> {
BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result = bb.getImmediateDominator() }
predicate entryBlock(BasicBlock bb) { bb instanceof js::EntryBasicBlock }
predicate exitBlock(BasicBlock bb) { bb.getLastNode() instanceof js::ControlFlowExitNode }
}
module VariableCaptureOutput = Flow<js::DbLocation, VariableCaptureConfig>;

4
javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/Ssa.qll
View File

@@ -14,10 +14,6 @@ module SsaConfig implements InputSig<js::DbLocation> {
class BasicBlock = js::BasicBlock;
class ExitBasicBlock extends BasicBlock {
ExitBasicBlock() { this.isExitBlock() }
}
class SourceVariable extends LocalVariableOrThis {
SourceVariable() { not this.isCaptured() }
}

11
misc/scripts/generate-code-scanning-query-list.py
View File

@@ -31,7 +31,7 @@ assert hasattr(arguments, "ignore_missing_query_packs")
# Define which languages and query packs to consider
languages = [ "actions", "cpp", "csharp", "go", "java", "javascript", "python", "ruby", "swift" ]
packs = [ "code-scanning", "security-and-quality", "security-extended", "security-experimental" ]
packs = [ "code-scanning", "security-and-quality", "security-extended", "security-experimental", "ccr"]
class CodeQL:
def __init__(self):
@@ -169,7 +169,7 @@ with CodeQL() as codeql:
for pack in packs:
# Get absolute paths to queries in this pack by using 'codeql resolve queries'
try:
queries_subp = codeql.command(["resolve","queries","--search-path", codeql_search_path, "%s-%s.qls" % (lang, pack)])
queries_subp = codeql.command(["resolve","queries","--search-path", codeql_search_path, "%s-%s.qls" % (lang, pack)]).strip()
except Exception as e:
# Resolving queries might go wrong if the github/codeql repository is not
# on the search path.
@@ -183,8 +183,13 @@ with CodeQL() as codeql:
else:
sys.exit("You can use '--ignore-missing-query-packs' to ignore this error")
# Exception for the CCR suites, which might be empty, but must be resolvable.
if pack == 'ccr' and queries_subp == '':
print(f'Warning: skipping empty suite ccr', file=sys.stderr)
continue
# Investigate metadata for every query by using 'codeql resolve metadata'
for queryfile in queries_subp.strip().split("\n"):
for queryfile in queries_subp.split("\n"):
query_metadata_json = codeql.command(["resolve","metadata",queryfile]).strip()
# Turn an absolute path to a query file into an nwo-prefixed path (e.g. github/codeql/java/ql/src/....)

2
ruby/ql/lib/codeql/ruby/dataflow/SSA.qll
View File

@@ -102,7 +102,7 @@ module Ssa {
* end
* ```
*/
final VariableReadAccessCfgNode getALastRead() { SsaImpl::lastRead(this, result) }
deprecated final VariableReadAccessCfgNode getALastRead() { SsaImpl::lastRead(this, result) }
/**
* Holds if `read1` and `read2` are adjacent reads of this SSA definition.

34
ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImpl.qll
View File

@@ -18,8 +18,6 @@ module SsaInput implements SsaImplCommon::InputSig<Location> {
BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
class ExitBasicBlock extends BasicBlock, BasicBlocks::ExitBasicBlock { }
class SourceVariable = LocalVariable;
/**
@@ -292,7 +290,9 @@ private predicate adjacentDefReachesUncertainReadExt(
/** Same as `lastRefRedef`, but skips uncertain reads. */
pragma[nomagic]
private predicate lastRefSkipUncertainReadsExt(DefinitionExt def, SsaInput::BasicBlock bb, int i) {
deprecated private predicate lastRefSkipUncertainReadsExt(
DefinitionExt def, SsaInput::BasicBlock bb, int i
) {
Impl::lastRef(def, bb, i) and
not SsaInput::variableRead(bb, i, def.getSourceVariable(), false)
or
@@ -302,6 +302,20 @@ private predicate lastRefSkipUncertainReadsExt(DefinitionExt def, SsaInput::Basi
)
}
/**
* Holds if the read of `def` at `read` may be a last read. That is, `read`
* can either reach another definition of the underlying source variable or
* the end of the CFG scope, without passing through another non-pseudo read.
*/
pragma[nomagic]
deprecated predicate lastRead(Definition def, VariableReadAccessCfgNode read) {
exists(Cfg::BasicBlock bb, int i |
lastRefSkipUncertainReadsExt(def, bb, i) and
variableReadActual(bb, i, _) and
read = bb.getNode(i)
)
}
cached
private module Cached {
/**
@@ -401,20 +415,6 @@ private module Cached {
)
}
/**
* Holds if the read of `def` at `read` may be a last read. That is, `read`
* can either reach another definition of the underlying source variable or
* the end of the CFG scope, without passing through another non-pseudo read.
*/
cached
predicate lastRead(Definition def, VariableReadAccessCfgNode read) {
exists(Cfg::BasicBlock bb, int i |
lastRefSkipUncertainReadsExt(def, bb, i) and
variableReadActual(bb, i, _) and
read = bb.getNode(i)
)
}
cached
Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
Impl::uncertainWriteDefinitionInput(def, result)

152
ruby/ql/test/library-tests/variables/ssa.expected
View File

@@ -515,158 +515,6 @@ firstRead
| ssa.rb:91:3:91:3 | x | ssa.rb:91:3:91:3 | x | ssa.rb:95:10:95:10 | x |
| ssa.rb:91:3:91:3 | x | ssa.rb:91:3:91:3 | x | ssa.rb:99:10:99:10 | x |
| ssa.rb:91:3:91:3 | x | ssa.rb:91:3:91:3 | x | ssa.rb:101:10:101:10 | x |
lastRead
| class_variables.rb:1:1:29:4 | self (class_variables.rb) | class_variables.rb:1:1:29:4 | self | class_variables.rb:3:1:3:5 | self |
| class_variables.rb:5:1:7:3 | self (print) | class_variables.rb:5:1:7:3 | self | class_variables.rb:6:2:6:6 | self |
| class_variables.rb:9:1:16:3 | self (X) | class_variables.rb:9:1:16:3 | self | class_variables.rb:13:7:13:10 | self |
| class_variables.rb:10:3:12:5 | self (b) | class_variables.rb:10:3:12:5 | self | class_variables.rb:11:5:11:9 | self |
| class_variables.rb:13:3:15:5 | self (s) | class_variables.rb:13:3:15:5 | self | class_variables.rb:14:4:14:8 | self |
| class_variables.rb:26:1:29:3 | self (N) | class_variables.rb:26:1:29:3 | self | class_variables.rb:28:3:28:7 | self |
| instance_variables.rb:1:1:44:4 | self (instance_variables.rb) | instance_variables.rb:1:1:44:4 | self | instance_variables.rb:27:1:29:1 | self |
| instance_variables.rb:3:1:5:3 | self (foo) | instance_variables.rb:3:1:5:3 | self | instance_variables.rb:4:3:4:6 | self |
| instance_variables.rb:7:1:9:3 | self (print_foo) | instance_variables.rb:7:1:9:3 | self | instance_variables.rb:8:8:8:11 | self |
| instance_variables.rb:13:1:18:3 | self (X) | instance_variables.rb:13:1:18:3 | self | instance_variables.rb:14:3:14:4 | self |
| instance_variables.rb:15:3:17:5 | self (m) | instance_variables.rb:15:3:17:5 | self | instance_variables.rb:16:5:16:6 | self |
| instance_variables.rb:20:1:25:3 | self (M) | instance_variables.rb:20:1:25:3 | self | instance_variables.rb:21:2:21:3 | self |
| instance_variables.rb:22:2:24:4 | self (n) | instance_variables.rb:22:2:24:4 | self | instance_variables.rb:23:4:23:5 | self |
| instance_variables.rb:27:6:29:1 | <captured entry> self | instance_variables.rb:1:1:44:4 | self | instance_variables.rb:28:3:28:4 | self |
| instance_variables.rb:32:10:32:21 | <captured entry> self | instance_variables.rb:31:1:33:3 | self | instance_variables.rb:32:12:32:13 | self |
| instance_variables.rb:35:1:44:4 | self (C) | instance_variables.rb:35:1:44:4 | self | instance_variables.rb:36:3:36:4 | self |
| instance_variables.rb:37:3:43:5 | self (x) | instance_variables.rb:37:3:43:5 | self | instance_variables.rb:42:6:42:7 | self |
| instance_variables.rb:38:4:40:6 | self (y) | instance_variables.rb:38:4:40:6 | self | instance_variables.rb:39:6:39:7 | self |
| nested_scopes.rb:1:1:3:3 | self (a) | nested_scopes.rb:1:1:3:3 | self | nested_scopes.rb:2:3:2:17 | self |
| nested_scopes.rb:4:1:39:3 | self (C) | nested_scopes.rb:4:1:39:3 | self | nested_scopes.rb:38:3:38:8 | self |
| nested_scopes.rb:5:3:5:3 | a | nested_scopes.rb:5:3:5:3 | a | nested_scopes.rb:38:8:38:8 | a |
| nested_scopes.rb:6:3:37:5 | self (M) | nested_scopes.rb:6:3:37:5 | self | nested_scopes.rb:36:5:36:10 | self |
| nested_scopes.rb:7:5:7:5 | a | nested_scopes.rb:7:5:7:5 | a | nested_scopes.rb:36:10:36:10 | a |
| nested_scopes.rb:8:5:35:7 | self (N) | nested_scopes.rb:8:5:35:7 | self | nested_scopes.rb:34:7:34:12 | self |
| nested_scopes.rb:9:7:9:7 | a | nested_scopes.rb:9:7:9:7 | a | nested_scopes.rb:34:12:34:12 | a |
| nested_scopes.rb:10:7:26:9 | self (D) | nested_scopes.rb:10:7:26:9 | self | nested_scopes.rb:25:9:25:14 | self |
| nested_scopes.rb:11:9:11:9 | a | nested_scopes.rb:11:9:11:9 | a | nested_scopes.rb:25:14:25:14 | a |
| nested_scopes.rb:12:9:21:11 | self (show_a) | nested_scopes.rb:12:9:21:11 | self | nested_scopes.rb:14:11:14:16 | self |
| nested_scopes.rb:13:11:13:11 | a | nested_scopes.rb:13:11:13:11 | a | nested_scopes.rb:15:11:15:11 | a |
| nested_scopes.rb:15:23:15:23 | a | nested_scopes.rb:15:23:15:23 | a | nested_scopes.rb:16:13:16:13 | a |
| nested_scopes.rb:17:15:17:15 | a | nested_scopes.rb:16:29:16:29 | a | nested_scopes.rb:18:15:18:15 | a |
| nested_scopes.rb:18:23:18:36 | <captured entry> a | nested_scopes.rb:16:29:16:29 | a | nested_scopes.rb:18:34:18:34 | a |
| nested_scopes.rb:18:23:18:36 | <captured entry> self | nested_scopes.rb:12:9:21:11 | self | nested_scopes.rb:18:29:18:34 | self |
| nested_scopes.rb:22:9:24:11 | self (show_a2) | nested_scopes.rb:22:9:24:11 | self | nested_scopes.rb:23:11:23:16 | self |
| nested_scopes.rb:22:21:22:21 | a | nested_scopes.rb:22:21:22:21 | a | nested_scopes.rb:23:16:23:16 | a |
| nested_scopes.rb:27:7:29:9 | self (show) | nested_scopes.rb:27:7:29:9 | self | nested_scopes.rb:28:16:28:16 | self |
| nested_scopes.rb:30:16:30:19 | self (class << ...) | nested_scopes.rb:30:7:33:9 | self | nested_scopes.rb:32:11:32:16 | self |
| nested_scopes.rb:31:11:31:11 | a | nested_scopes.rb:31:11:31:11 | a | nested_scopes.rb:32:16:32:16 | a |
| nested_scopes.rb:40:1:40:1 | d | nested_scopes.rb:40:1:40:1 | d | nested_scopes.rb:41:1:41:1 | d |
| parameters.rb:1:9:5:3 | <captured entry> self | parameters.rb:1:1:62:1 | self | parameters.rb:4:4:4:9 | self |
| parameters.rb:1:14:1:14 | x | parameters.rb:1:14:1:14 | x | parameters.rb:3:9:3:9 | x |
| parameters.rb:2:4:2:4 | y | parameters.rb:1:18:1:18 | y | parameters.rb:4:9:4:9 | y |
| parameters.rb:7:1:13:3 | self (order_pizza) | parameters.rb:7:1:13:3 | self | parameters.rb:9:5:9:33 | self |
| parameters.rb:7:1:13:3 | self (order_pizza) | parameters.rb:7:1:13:3 | self | parameters.rb:11:5:11:49 | self |
| parameters.rb:7:17:7:22 | client | parameters.rb:7:17:7:22 | client | parameters.rb:9:25:9:30 | client |
| parameters.rb:7:17:7:22 | client | parameters.rb:7:17:7:22 | client | parameters.rb:11:41:11:46 | client |
| parameters.rb:7:26:7:31 | pizzas | parameters.rb:7:26:7:31 | pizzas | parameters.rb:8:6:8:11 | pizzas |
| parameters.rb:7:26:7:31 | pizzas | parameters.rb:7:26:7:31 | pizzas | parameters.rb:11:14:11:19 | pizzas |
| parameters.rb:15:17:15:19 | map | parameters.rb:15:17:15:19 | map | parameters.rb:16:3:16:5 | map |
| parameters.rb:16:12:18:5 | <captured entry> self | parameters.rb:15:1:19:3 | self | parameters.rb:17:5:17:28 | self |
| parameters.rb:16:16:16:18 | key | parameters.rb:16:16:16:18 | key | parameters.rb:17:13:17:15 | key |
| parameters.rb:16:21:16:25 | value | parameters.rb:16:21:16:25 | value | parameters.rb:17:22:17:26 | value |
| parameters.rb:21:17:21:21 | block | parameters.rb:21:17:21:21 | block | parameters.rb:22:3:22:7 | block |
| parameters.rb:25:1:28:3 | self (opt_param) | parameters.rb:25:1:28:3 | self | parameters.rb:27:3:27:11 | self |
| parameters.rb:25:15:25:18 | name | parameters.rb:25:15:25:18 | name | parameters.rb:26:8:26:11 | name |
| parameters.rb:25:33:25:36 | size | parameters.rb:25:33:25:36 | size | parameters.rb:27:8:27:11 | size |
| parameters.rb:30:1:32:3 | self (key_param) | parameters.rb:30:1:32:3 | self | parameters.rb:31:3:31:35 | self |
| parameters.rb:30:15:30:19 | first | parameters.rb:30:15:30:19 | first | parameters.rb:31:11:31:15 | first |
| parameters.rb:30:24:30:29 | middle | parameters.rb:30:24:30:29 | middle | parameters.rb:31:20:31:25 | middle |
| parameters.rb:30:36:30:39 | last | parameters.rb:30:36:30:39 | last | parameters.rb:31:30:31:33 | last |
| parameters.rb:35:1:38:3 | self (multi) | parameters.rb:35:1:38:3 | self | parameters.rb:37:3:37:18 | self |
| parameters.rb:35:11:35:11 | a | parameters.rb:35:11:35:11 | a | parameters.rb:37:11:37:11 | a |
| parameters.rb:37:3:37:18 | phi | parameters.rb:35:16:35:16 | b | parameters.rb:37:16:37:16 | b |
| parameters.rb:40:1:43:3 | self (multi2) | parameters.rb:40:1:43:3 | self | parameters.rb:42:3:42:18 | self |
| parameters.rb:40:12:40:12 | d | parameters.rb:40:12:40:12 | d | parameters.rb:42:11:42:11 | d |
| parameters.rb:42:3:42:18 | phi | parameters.rb:40:15:40:15 | e | parameters.rb:42:16:42:16 | e |
| parameters.rb:45:1:47:3 | self (dup_underscore) | parameters.rb:45:1:47:3 | self | parameters.rb:46:3:46:8 | self |
| parameters.rb:45:20:45:20 | _ | parameters.rb:45:20:45:20 | _ | parameters.rb:46:8:46:8 | _ |
| parameters.rb:49:1:51:3 | self (tuples) | parameters.rb:49:1:51:3 | self | parameters.rb:50:3:50:18 | self |
| parameters.rb:49:13:49:13 | a | parameters.rb:49:13:49:13 | a | parameters.rb:50:11:50:11 | a |
| parameters.rb:49:15:49:15 | b | parameters.rb:49:15:49:15 | b | parameters.rb:50:16:50:16 | b |
| parameters.rb:54:9:57:3 | <captured entry> self | parameters.rb:1:1:62:1 | self | parameters.rb:56:4:56:9 | self |
| parameters.rb:54:14:54:14 | y | parameters.rb:54:14:54:14 | y | parameters.rb:56:9:56:9 | y |
| parameters.rb:55:4:55:9 | phi | parameters.rb:53:1:53:1 | x | parameters.rb:55:9:55:9 | x |
| parameters.rb:59:1:61:3 | self (tuples_nested) | parameters.rb:59:1:61:3 | self | parameters.rb:60:3:60:23 | self |
| parameters.rb:59:20:59:20 | a | parameters.rb:59:20:59:20 | a | parameters.rb:60:11:60:11 | a |
| parameters.rb:59:23:59:23 | b | parameters.rb:59:23:59:23 | b | parameters.rb:60:16:60:16 | b |
| parameters.rb:59:25:59:25 | c | parameters.rb:59:25:59:25 | c | parameters.rb:60:21:60:21 | c |
| scopes.rb:1:1:49:4 | self (scopes.rb) | scopes.rb:1:1:49:4 | self | scopes.rb:8:1:8:6 | self |
| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:5:4:5:9 | self |
| scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a | scopes.rb:5:9:5:9 | a |
| scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:8:6:8:6 | a |
| scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:11:4:11:4 | a |
| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:17:4:17:9 | self |
| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:12:9:12:9 | a |
| scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:14:9:14:9 | a |
| scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b | scopes.rb:15:9:15:9 | b |
| scopes.rb:13:10:13:15 | __synth__2__1 | scopes.rb:13:10:13:15 | __synth__2__1 | scopes.rb:13:14:13:14 | __synth__2__1 |
| scopes.rb:13:11:13:11 | c | scopes.rb:13:11:13:11 | c | scopes.rb:16:9:16:9 | c |
| scopes.rb:13:14:13:14 | d | scopes.rb:13:14:13:14 | d | scopes.rb:17:9:17:9 | d |
| scopes.rb:13:19:13:32 | __synth__3 | scopes.rb:13:4:13:32 | __synth__3 | scopes.rb:13:10:13:15 | __synth__3 |
| scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:37:5:37:5 | x |
| scopes.rb:41:1:49:3 | self (M) | scopes.rb:41:1:49:3 | self | scopes.rb:45:5:45:7 | self |
| scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var | scopes.rb:44:5:44:7 | var |
| scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:47:5:47:8 | var2 |
| ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:15:3:15:8 | self |
| ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b | ssa.rb:5:6:5:6 | b |
| ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:3 | i | ssa.rb:4:8:4:8 | i |
| ssa.rb:5:3:13:5 | phi | ssa.rb:2:3:2:3 | i | ssa.rb:15:8:15:8 | i |
| ssa.rb:6:5:6:5 | i | ssa.rb:2:3:2:3 | i | ssa.rb:8:10:8:10 | i |
| ssa.rb:10:5:10:5 | i | ssa.rb:2:3:2:3 | i | ssa.rb:12:10:12:10 | i |
| ssa.rb:18:1:23:3 | self (m1) | ssa.rb:18:1:23:3 | self | ssa.rb:20:5:20:10 | self |
| ssa.rb:19:9:19:9 | phi | ssa.rb:18:8:18:8 | x | ssa.rb:19:9:19:9 | x |
| ssa.rb:19:9:19:9 | phi | ssa.rb:18:8:18:8 | x | ssa.rb:21:5:21:5 | x |
| ssa.rb:25:1:30:3 | <uninitialized> elem | ssa.rb:26:7:26:10 | elem | ssa.rb:26:7:26:10 | elem |
| ssa.rb:25:1:30:3 | self (m2) | ssa.rb:25:1:30:3 | self | ssa.rb:29:3:29:11 | self |
| ssa.rb:25:8:25:15 | elements | ssa.rb:25:8:25:15 | elements | ssa.rb:26:15:26:22 | elements |
| ssa.rb:26:3:28:5 | <captured entry> self | ssa.rb:25:1:30:3 | self | ssa.rb:27:5:27:13 | self |
| ssa.rb:26:3:28:5 | <captured exit> elem | ssa.rb:26:7:26:10 | elem | ssa.rb:29:8:29:11 | elem |
| ssa.rb:26:3:28:5 | __synth__0__1 | ssa.rb:26:3:28:5 | __synth__0__1 | ssa.rb:26:3:28:5 | __synth__0__1 |
| ssa.rb:26:7:26:10 | elem | ssa.rb:26:7:26:10 | elem | ssa.rb:27:10:27:13 | elem |
| ssa.rb:33:16:35:5 | <captured entry> self | ssa.rb:32:1:36:3 | self | ssa.rb:34:5:34:10 | self |
| ssa.rb:33:20:33:20 | x | ssa.rb:33:20:33:20 | x | ssa.rb:34:10:34:10 | x |
| ssa.rb:38:1:42:3 | self (m4) | ssa.rb:38:1:42:3 | self | ssa.rb:41:3:41:13 | self |
| ssa.rb:40:3:40:4 | m3 | ssa.rb:40:3:40:4 | m3 | ssa.rb:41:8:41:9 | m3 |
| ssa.rb:44:1:47:3 | self (m5) | ssa.rb:44:1:47:3 | self | ssa.rb:46:3:46:8 | self |
| ssa.rb:44:8:44:8 | b | ssa.rb:44:8:44:8 | b | ssa.rb:45:12:45:12 | b |
| ssa.rb:45:3:45:12 | phi | ssa.rb:45:3:45:3 | x | ssa.rb:46:8:46:8 | x |
| ssa.rb:49:1:51:3 | self (m6) | ssa.rb:49:1:51:3 | self | ssa.rb:50:3:50:8 | self |
| ssa.rb:50:3:50:8 | phi | ssa.rb:49:14:49:14 | y | ssa.rb:50:8:50:8 | y |
| ssa.rb:53:1:56:3 | self (m7) | ssa.rb:53:1:56:3 | self | ssa.rb:55:3:55:8 | self |
| ssa.rb:53:8:53:10 | foo | ssa.rb:53:8:53:10 | foo | ssa.rb:54:7:54:9 | foo |
| ssa.rb:54:3:54:3 | x | ssa.rb:54:3:54:3 | x | ssa.rb:55:8:55:8 | x |
| ssa.rb:58:1:62:3 | self (m8) | ssa.rb:58:1:62:3 | self | ssa.rb:61:3:61:8 | self |
| ssa.rb:59:3:59:3 | x | ssa.rb:59:3:59:3 | x | ssa.rb:60:3:60:3 | x |
| ssa.rb:60:3:60:3 | x | ssa.rb:59:3:59:3 | x | ssa.rb:61:8:61:8 | x |
| ssa.rb:64:1:72:3 | self (m9) | ssa.rb:64:1:72:3 | self | ssa.rb:71:3:71:15 | self |
| ssa.rb:64:8:64:8 | a | ssa.rb:64:8:64:8 | a | ssa.rb:66:3:66:3 | a |
| ssa.rb:66:3:70:5 | <captured exit> captured | ssa.rb:65:3:65:10 | captured | ssa.rb:71:8:71:15 | captured |
| ssa.rb:66:11:70:5 | <captured entry> captured | ssa.rb:65:3:65:10 | captured | ssa.rb:69:5:69:12 | captured |
| ssa.rb:66:11:70:5 | <captured entry> self | ssa.rb:64:1:72:3 | self | ssa.rb:68:5:68:17 | self |
| ssa.rb:66:15:66:15 | a | ssa.rb:66:15:66:15 | a | ssa.rb:67:10:67:10 | a |
| ssa.rb:74:1:79:3 | self (m10) | ssa.rb:74:1:79:3 | self | ssa.rb:76:3:78:5 | self |
| ssa.rb:76:7:78:5 | <captured entry> captured | ssa.rb:75:3:75:10 | captured | ssa.rb:77:15:77:22 | captured |
| ssa.rb:76:7:78:5 | <captured entry> self | ssa.rb:74:1:79:3 | self | ssa.rb:77:6:77:23 | self |
| ssa.rb:81:1:88:3 | self (m11) | ssa.rb:81:1:88:3 | self | ssa.rb:83:3:87:5 | self |
| ssa.rb:83:7:87:5 | <captured entry> self | ssa.rb:81:1:88:3 | self | ssa.rb:84:6:86:8 | self |
| ssa.rb:84:10:86:8 | <captured entry> captured | ssa.rb:82:3:82:10 | captured | ssa.rb:85:15:85:22 | captured |
| ssa.rb:84:10:86:8 | <captured entry> self | ssa.rb:81:1:88:3 | self | ssa.rb:85:10:85:22 | self |
| ssa.rb:90:1:103:3 | self (m12) | ssa.rb:90:1:103:3 | self | ssa.rb:93:5:93:10 | self |
| ssa.rb:90:1:103:3 | self (m12) | ssa.rb:90:1:103:3 | self | ssa.rb:95:5:95:10 | self |
| ssa.rb:90:1:103:3 | self (m12) | ssa.rb:90:1:103:3 | self | ssa.rb:99:5:99:10 | self |
| ssa.rb:90:1:103:3 | self (m12) | ssa.rb:90:1:103:3 | self | ssa.rb:101:5:101:10 | self |
| ssa.rb:90:9:90:10 | b1 | ssa.rb:90:9:90:10 | b1 | ssa.rb:92:7:92:8 | b1 |
| ssa.rb:90:13:90:14 | b2 | ssa.rb:90:13:90:14 | b2 | ssa.rb:94:10:94:11 | b2 |
| ssa.rb:90:17:90:18 | b3 | ssa.rb:90:17:90:18 | b3 | ssa.rb:98:7:98:8 | b3 |
| ssa.rb:90:21:90:22 | b4 | ssa.rb:90:21:90:22 | b4 | ssa.rb:100:10:100:11 | b4 |
| ssa.rb:91:3:91:3 | x | ssa.rb:91:3:91:3 | x | ssa.rb:93:10:93:10 | x |
| ssa.rb:91:3:91:3 | x | ssa.rb:91:3:91:3 | x | ssa.rb:95:10:95:10 | x |
| ssa.rb:91:3:91:3 | x | ssa.rb:91:3:91:3 | x | ssa.rb:99:10:99:10 | x |
| ssa.rb:91:3:91:3 | x | ssa.rb:91:3:91:3 | x | ssa.rb:101:10:101:10 | x |
adjacentReads
| class_variables.rb:26:1:29:3 | self (N) | class_variables.rb:26:1:29:3 | self | class_variables.rb:27:3:27:11 | self | class_variables.rb:28:3:28:7 | self |
| instance_variables.rb:1:1:44:4 | self (instance_variables.rb) | instance_variables.rb:1:1:44:4 | self | instance_variables.rb:1:1:1:4 | self | instance_variables.rb:11:1:11:9 | self |

4
ruby/ql/test/library-tests/variables/ssa.ql
View File

@@ -14,10 +14,6 @@ query predicate firstRead(Ssa::Definition def, Variable v, CfgNode read) {
def.getSourceVariable() = v and read = def.getAFirstRead()
}
query predicate lastRead(Ssa::Definition def, Variable v, CfgNode read) {
def.getSourceVariable() = v and read = def.getALastRead()
}
query predicate adjacentReads(Ssa::Definition def, Variable v, CfgNode read1, CfgNode read2) {
def.getSourceVariable() = v and
def.hasAdjacentReads(read1, read2)

2
rust/ql/integration-tests/hello-project/summary.expected
View File

@@ -14,7 +14,7 @@
| Macro calls - resolved | 2 |
| Macro calls - total | 2 |
| Macro calls - unresolved | 0 |
| Taint edges - number of edges | 3 |
| Taint edges - number of edges | 4 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |

2
rust/ql/integration-tests/hello-workspace/summary.cargo.expected
View File

@@ -14,7 +14,7 @@
| Macro calls - resolved | 2 |
| Macro calls - total | 2 |
| Macro calls - unresolved | 0 |
| Taint edges - number of edges | 3 |
| Taint edges - number of edges | 4 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |

2
rust/ql/integration-tests/hello-workspace/summary.rust-project.expected
View File

@@ -14,7 +14,7 @@
| Macro calls - resolved | 2 |
| Macro calls - total | 2 |
| Macro calls - unresolved | 0 |
| Taint edges - number of edges | 3 |
| Taint edges - number of edges | 4 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |

26
rust/ql/lib/codeql/rust/Concepts.qll
View File

@@ -100,6 +100,32 @@ class ModeledEnvironmentSource extends EnvironmentSource::Range {
ModeledEnvironmentSource() { sourceNode(this, "environment-source") }
}
/**
* A data flow source corresponding to the program's database reads.
*/
final class DatabaseSource = DatabaseSource::Range;
/**
* Provides a class for modeling new sources for the program's database reads.
*/
module DatabaseSource {
/**
* A data flow source corresponding to the program's database reads.
*/
abstract class Range extends ThreatModelSource::Range {
override string getThreatModel() { result = "database" }
override string getSourceType() { result = "DatabaseSource" }
}
}
/**
* An externally modeled source for data from the program's database.
*/
class ModeledDatabaseSource extends DatabaseSource::Range {
ModeledDatabaseSource() { sourceNode(this, "database") }
}
/**
* A data flow source for remote (network) data.
*/

29
rust/ql/lib/codeql/rust/dataflow/Ssa.qll
View File

@@ -82,35 +82,6 @@ module Ssa {
*/
final CfgNode getAFirstRead() { SsaImpl::firstRead(this, result) }
/**
* Gets a last control flow node that reads the value of this SSA definition.
* That is, a read that can reach the end of the enclosing CFG scope, or another
* SSA definition for the source variable, without passing through any other read.
*
* Example:
*
* ```rust
* fn phi(b : bool) { // defines b_0
* let mut x = 1; // defines x_0
* println!("{}", x);
* println!("{}", x + 1); // last read of x_0
*
* if b { // last read of b_0
* x = 2; // defines x_1
* println!("{}", x);
* println!("{}", x + 1); // last read of x_1
* } else {
* x = 3; // defines x_2
* println!("{}", x);
* println!("{}", x + 1); // last read of x_2
* }
* // defines x_3 = phi(x_1, x_2)
* println!("{}", x); // last read of x_3
* }
* ```
*/
final CfgNode getALastRead() { SsaImpl::lastRead(this, result) }
/**
* Holds if `read1` and `read2` are adjacent reads of this SSA definition.
* That is, `read2` can be reached from `read1` without passing through

35
rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll
View File

@@ -47,8 +47,6 @@ module SsaInput implements SsaImplCommon::InputSig<Location> {
BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
class ExitBasicBlock = BasicBlocks::ExitBasicBlock;
/**
* A variable amenable to SSA construction.
*
@@ -218,25 +216,6 @@ private predicate adjacentDefSkipUncertainReads(
SsaInput::variableRead(bb2, i2, _, true)
}
private predicate adjacentDefReachesUncertainReadExt(
DefinitionExt def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
) {
adjacentDefReachesReadExt(def, bb1, i1, bb2, i2) and
SsaInput::variableRead(bb2, i2, _, false)
}
/** Same as `lastRefRedef`, but skips uncertain reads. */
pragma[nomagic]
private predicate lastRefSkipUncertainReadsExt(DefinitionExt def, BasicBlock bb, int i) {
Impl::lastRef(def, bb, i) and
not SsaInput::variableRead(bb, i, def.getSourceVariable(), false)
or
exists(BasicBlock bb0, int i0 |
Impl::lastRef(def, bb0, i0) and
adjacentDefReachesUncertainReadExt(def, bb, i, bb0, i0)
)
}
private VariableAccess getACapturedVariableAccess(BasicBlock bb, Variable v) {
result = bb.getANode().getAstNode() and
result.isCapture() and
@@ -381,20 +360,6 @@ private module Cached {
)
}
/**
* Holds if the read of `def` at `read` may be a last read. That is, `read`
* can either reach another definition of the underlying source variable or
* the end of the CFG scope, without passing through another non-pseudo read.
*/
cached
predicate lastRead(Definition def, CfgNode read) {
exists(BasicBlock bb, int i |
lastRefSkipUncertainReadsExt(def, bb, i) and
variableReadActual(bb, i, _) and
read = bb.getNode(i)
)
}
cached
Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
Impl::uncertainWriteDefinitionInput(def, result)

8
rust/ql/lib/codeql/rust/frameworks/stdlib/env.model.yml
View File

@@ -3,12 +3,12 @@ extensions:
pack: codeql/rust-all
extensible: sourceModel
data:
- ["lang:std", "crate::env::args", "ReturnValue", "command-line-source", "manual"]
- ["lang:std", "crate::env::args_os", "ReturnValue", "command-line-source", "manual"]
- ["lang:std", "crate::env::args", "ReturnValue.Element", "command-line-source", "manual"]
- ["lang:std", "crate::env::args_os", "ReturnValue.Element", "command-line-source", "manual"]
- ["lang:std", "crate::env::current_dir", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "command-line-source", "manual"]
- ["lang:std", "crate::env::current_exe", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "command-line-source", "manual"]
- ["lang:std", "crate::env::home_dir", "ReturnValue.Variant[crate::option::Option::Some(0)]", "command-line-source", "manual"]
- ["lang:std", "crate::env::var", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "environment-source", "manual"]
- ["lang:std", "crate::env::var_os", "ReturnValue.Variant[crate::option::Option::Some(0)]", "environment-source", "manual"]
- ["lang:std", "crate::env::vars", "ReturnValue", "environment-source", "manual"]
- ["lang:std", "crate::env::vars_os", "ReturnValue", "environment-source", "manual"]
- ["lang:std", "crate::env::vars", "ReturnValue.Element", "environment-source", "manual"]
- ["lang:std", "crate::env::vars_os", "ReturnValue.Element", "environment-source", "manual"]

3
rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
View File

@@ -7,6 +7,9 @@ extensions:
- ["lang:alloc", "crate::fmt::format", "Argument[0]", "ReturnValue", "taint", "manual"]
# Hint
- ["lang:core", "crate::hint::must_use", "Argument[0]", "ReturnValue", "value", "manual"]
# Iterator
- ["lang:core", "crate::iter::traits::iterator::Iterator::nth", "Argument[self].Element", "ReturnValue.Variant[crate::option::Option::Some(0)]", "value", "manual"]
- ["lang:core", "crate::iter::traits::iterator::Iterator::collect", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
# Option
- ["lang:core", "<crate::option::Option>::unwrap", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
- ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]

24
rust/ql/lib/codeql/rust/frameworks/tokio-postgres.model.yml Normal file
View File

@@ -0,0 +1,24 @@
extensions:
- addsTo:
pack: codeql/rust-all
extensible: sinkModel
data:
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::execute", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::batch_execute", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::execute_raw", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::prepare", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::prepare_typed", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query_opt", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query_raw", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query_typed", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query_typed_raw", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::simple_query", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::simple_query_raw", "Argument[0]", "sql-injection", "manual"]
- addsTo:
pack: codeql/rust-all
extensible: sourceModel
data:
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::row::Row>::get", "ReturnValue", "database", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::row::Row>::try_get", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]

46
rust/ql/src/queries/telemetry/DatabaseQuality.qll Normal file
View File

@@ -0,0 +1,46 @@
/**
* Provides database quality statistics that are reported by
* `rust/telemetry/extractor-information`
* and perhaps warned about by `rust/diagnostics/database-quality`.
*/
import rust
import codeql.util.ReportStats
module CallTargetStats implements StatsSig {
int getNumberOfOk() { result = count(CallExprBase c | exists(c.getStaticTarget())) }
private predicate isLambdaCall(CallExpr call) {
exists(Expr receiver | receiver = call.getFunction() |
// All calls to complex expressions and local variable accesses are lambda calls
receiver instanceof PathExpr implies receiver = any(Variable v).getAnAccess()
)
}
additional predicate isNotOkCall(CallExprBase c) {
not exists(c.getStaticTarget()) and
not isLambdaCall(c)
}
int getNumberOfNotOk() { result = count(CallExprBase c | isNotOkCall(c)) }
string getOkText() { result = "calls with call target" }
string getNotOkText() { result = "calls with missing call target" }
}
module MacroCallTargetStats implements StatsSig {
int getNumberOfOk() { result = count(MacroCall c | c.hasExpanded()) }
additional predicate isNotOkCall(MacroCall c) { not c.hasExpanded() }
int getNumberOfNotOk() { result = count(MacroCall c | isNotOkCall(c)) }
string getOkText() { result = "macro calls with call target" }
string getNotOkText() { result = "macro calls with missing call target" }
}
module CallTargetStatsReport = ReportStats<CallTargetStats>;
module MacroCallTargetStatsReport = ReportStats<MacroCallTargetStats>;

41
rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql Normal file
View File

@@ -0,0 +1,41 @@
/**
* @name Low Rust analysis quality
* @description Low Rust analysis quality
* @kind diagnostic
* @id rust/diagnostic/database-quality
*/
import rust
import DatabaseQuality
import codeql.util.Unit
class DbQualityDiagnostic extends Unit {
DbQualityDiagnostic() {
exists(float percentageGood |
CallTargetStatsReport::percentageOfOk(_, percentageGood)
or
MacroCallTargetStatsReport::percentageOfOk(_, percentageGood)
|
percentageGood < 95
)
}
string toString() {
result =
"Scanning Rust code completed successfully, but the scan encountered issues. " +
"This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- "
+
"see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. "
+ "Addressing these warnings is advisable to avoid false-positive or missing results."
}
}
query predicate diagnosticAttributes(DbQualityDiagnostic e, string key, string value) {
exists(e) and // Quieten warning about unconstrained 'e'
key = ["visibilityCliSummaryTable", "visibilityTelemetry", "visibilityStatusPage"] and
value = "true"
}
from DbQualityDiagnostic d
select d, d.toString(), 1
/* 1 = Warning severity */

65
rust/ql/src/queries/telemetry/ExtractorInformation.ql Normal file
View File

@@ -0,0 +1,65 @@
/**
* @name Rust extraction information
* @description Information about the extraction for a Rust database
* @kind metric
* @tags summary telemetry
* @id rust/telemetry/extraction-information
*/
import rust
import DatabaseQuality
import codeql.rust.Diagnostics
predicate fileCount(string key, int value) {
key = "Number of files" and
value = strictcount(File f)
}
predicate fileCountByExtension(string key, int value) {
exists(string extension |
key = "Number of files with extension " + extension and
value = strictcount(File f | f.getExtension() = extension)
)
}
predicate numberOfLinesOfCode(string key, int value) {
key = "Number of lines of code" and
value = strictsum(File f | any() | f.getNumberOfLinesOfCode())
}
predicate numberOfLinesOfCodeByExtension(string key, int value) {
exists(string extension |
key = "Number of lines of code with extension " + extension and
value = strictsum(File f | f.getExtension() = extension | f.getNumberOfLinesOfCode())
)
}
predicate extractorDiagnostics(string key, int value) {
exists(int severity |
key = "Number of diagnostics with severity " + severity.toString() and
value = strictcount(Diagnostic d | d.getSeverity() = severity)
)
}
from string key, float value
where
(
fileCount(key, value) or
fileCountByExtension(key, value) or
numberOfLinesOfCode(key, value) or
numberOfLinesOfCodeByExtension(key, value) or
extractorDiagnostics(key, value) or
CallTargetStatsReport::numberOfOk(key, value) or
CallTargetStatsReport::numberOfNotOk(key, value) or
CallTargetStatsReport::percentageOfOk(key, value) or
MacroCallTargetStatsReport::numberOfOk(key, value) or
MacroCallTargetStatsReport::numberOfNotOk(key, value) or
MacroCallTargetStatsReport::percentageOfOk(key, value)
) and
/* Infinity */
value != 1.0 / 0.0 and
/* -Infinity */
value != -1.0 / 0.0 and
/* NaN */
value != 0.0 / 0.0
select key, value

8
rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
View File

@@ -4,6 +4,8 @@ localStep
| file://:0:0:0:0 | [summary param] 0 in lang:core::_::crate::hint::must_use | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::crate::hint::must_use | MaD:21 |
| file://:0:0:0:0 | [summary] read: Argument[0].ReturnValue in lang:core::_::<crate::option::Option>::unwrap_or_else | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap_or_else | MaD:7 |
| file://:0:0:0:0 | [summary] read: Argument[0].ReturnValue in lang:core::_::<crate::result::Result>::unwrap_or_else | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::unwrap_or_else | MaD:18 |
| file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect | file://:0:0:0:0 | [summary] to write: ReturnValue.Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect | MaD:22 |
| file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::nth | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::option::Option::Some(0)] in lang:core::_::crate::iter::traits::iterator::Iterator::nth | MaD:23 |
| file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::expect | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::expect | MaD:2 |
| file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap | MaD:3 |
| file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap_or | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap_or | MaD:5 |
@@ -536,7 +538,11 @@ models
| 19 | Summary: lang:core; <crate::result::Result>::unwrap_or_else; Argument[self].Variant[crate::result::Result::Ok(0)]; ReturnValue; value |
| 20 | Summary: lang:core; <crate::result::Result>::unwrap_unchecked; Argument[self].Variant[crate::result::Result::Ok(0)]; ReturnValue; value |
| 21 | Summary: lang:core; crate::hint::must_use; Argument[0]; ReturnValue; value |
| 22 | Summary: lang:core; crate::iter::traits::iterator::Iterator::collect; Argument[self].Element; ReturnValue.Element; value |
| 23 | Summary: lang:core; crate::iter::traits::iterator::Iterator::nth; Argument[self].Element; ReturnValue.Variant[crate::option::Option::Some(0)]; value |
storeStep
| file://:0:0:0:0 | [summary] to write: ReturnValue.Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect | element | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::crate::iter::traits::iterator::Iterator::collect |
| file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::option::Option::Some(0)] in lang:core::_::crate::iter::traits::iterator::Iterator::nth | Some | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::crate::iter::traits::iterator::Iterator::nth |
| file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::bytes | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::bytes |
| file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text |
| file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text_with_charset | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text_with_charset |
@@ -639,6 +645,8 @@ readStep
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_or_default | Ok | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::unwrap_or_default |
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_or_else | Ok | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::unwrap_or_else |
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_unchecked | Ok | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::unwrap_unchecked |
| file://:0:0:0:0 | [summary param] self in lang:core::_::crate::iter::traits::iterator::Iterator::collect | element | file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect |
| file://:0:0:0:0 | [summary param] self in lang:core::_::crate::iter::traits::iterator::Iterator::nth | element | file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::nth |
| main.rs:33:9:33:15 | Some(...) | Some | main.rs:33:14:33:14 | _ |
| main.rs:87:11:87:11 | i | &ref | main.rs:87:10:87:11 | * ... |
| main.rs:95:10:95:10 | a | tuple.0 | main.rs:95:10:95:12 | a.0 |

8
rust/ql/test/library-tests/dataflow/sources/test.rs
View File

@@ -32,10 +32,10 @@ fn test_env_args() {
let arg2 = std::env::args().nth(2).unwrap(); // $ Alert[rust/summary/taint-sources]
let arg3 = std::env::args_os().nth(3).unwrap(); // $ Alert[rust/summary/taint-sources]
sink(my_path); // $ MISSING: hasTaintFlow
sink(arg1); // $ MISSING: hasTaintFlow
sink(arg2); // $ MISSING: hasTaintFlow
sink(arg3); // $ MISSING: hasTaintFlow
sink(my_path); // $ hasTaintFlow
sink(arg1); // $ hasTaintFlow
sink(arg2); // $ hasTaintFlow
sink(arg3); // $ hasTaintFlow
for arg in std::env::args() { // $ Alert[rust/summary/taint-sources]
sink(arg); // $ hasTaintFlow

2
rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
View File

@@ -2,6 +2,8 @@ additionalTaintStep
| file://:0:0:0:0 | [summary param] 0 in lang:alloc::_::crate::fmt::format | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::crate::fmt::format | MaD:3 |
| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_bytes | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_bytes | MaD:1 |
| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_str | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_str | MaD:2 |
| file://:0:0:0:0 | [summary param] self in lang:core::_::crate::iter::traits::iterator::Iterator::collect | file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect | |
| file://:0:0:0:0 | [summary param] self in lang:core::_::crate::iter::traits::iterator::Iterator::nth | file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::nth | |
| file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::bytes | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::bytes | MaD:4 |
| file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | MaD:5 |
| file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text_with_charset | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text_with_charset | MaD:6 |

11
rust/ql/test/library-tests/frameworks/postgres/Postgres.ql
View File

@@ -1,9 +1,10 @@
import rust
import codeql.rust.Concepts
import codeql.rust.security.SqlInjectionExtensions
import utils.test.InlineExpectationsTest
module PostgresTest implements TestSig {
string getARelevantTag() { result = "sql-sink" }
string getARelevantTag() { result = ["sql-sink", "database-read"] }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(SqlInjection::Sink sink |
@@ -13,6 +14,14 @@ module PostgresTest implements TestSig {
tag = "sql-sink" and
value = ""
)
or
exists(ModeledDatabaseSource source |
location = source.getLocation() and
location.getFile().getBaseName() != "" and
element = source.toString() and
tag = "database-read" and
value = ""
)
}
}

6
rust/ql/test/library-tests/frameworks/postgres/main.rs
View File

@@ -33,9 +33,9 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// conn.query_typed_raw(query.as_str(), &[])?;
for row in &conn.query("SELECT id, name, age FROM person", &[])? { // $ sql-sink
let id: i32 = row.get("id");
let name: &str = row.get("name");
let age: i32 = row.get("age");
let id: i32 = row.get("id"); // $ database-read
let name: &str = row.try_get("name")?; // $ database-read
let age: i32 = row.try_get("age").unwrap(); // $ database-read
println!("found person: {} {} {}", id, name, age);
}

121
rust/ql/test/library-tests/variables/Ssa.expected
View File

@@ -423,127 +423,6 @@ firstRead
| main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro |
| main.rs:596:9:596:20 | var_in_macro | main.rs:596:9:596:20 | var_in_macro | main.rs:601:15:601:26 | var_in_macro |
| main.rs:600:15:600:42 | var_in_macro | main.rs:600:15:600:42 | var_in_macro | main.rs:600:30:600:41 | var_in_macro |
lastRead
| main.rs:3:14:3:14 | s | main.rs:3:14:3:14 | s | main.rs:4:20:4:20 | s |
| main.rs:7:14:7:14 | i | main.rs:7:14:7:14 | i | main.rs:8:20:8:20 | i |
| main.rs:11:18:11:18 | i | main.rs:11:18:11:18 | i | main.rs:12:16:12:16 | i |
| main.rs:16:9:16:10 | x1 | main.rs:16:9:16:10 | x1 | main.rs:17:15:17:16 | x1 |
| main.rs:21:9:21:14 | x2 | main.rs:21:13:21:14 | x2 | main.rs:22:15:22:16 | x2 |
| main.rs:23:5:23:6 | x2 | main.rs:21:13:21:14 | x2 | main.rs:24:15:24:16 | x2 |
| main.rs:28:9:28:13 | x | main.rs:28:13:28:13 | x | main.rs:29:20:29:20 | x |
| main.rs:30:5:30:5 | x | main.rs:28:13:28:13 | x | main.rs:31:20:31:20 | x |
| main.rs:35:9:35:10 | x3 | main.rs:35:9:35:10 | x3 | main.rs:38:9:38:10 | x3 |
| main.rs:37:9:37:10 | x3 | main.rs:37:9:37:10 | x3 | main.rs:39:15:39:16 | x3 |
| main.rs:43:9:43:10 | x4 | main.rs:43:9:43:10 | x4 | main.rs:49:15:49:16 | x4 |
| main.rs:46:13:46:14 | x4 | main.rs:46:13:46:14 | x4 | main.rs:47:19:47:20 | x4 |
| main.rs:60:13:60:14 | a1 | main.rs:60:13:60:14 | a1 | main.rs:68:15:68:16 | a1 |
| main.rs:61:13:61:14 | b1 | main.rs:61:13:61:14 | b1 | main.rs:69:15:69:16 | b1 |
| main.rs:64:13:64:13 | x | main.rs:64:13:64:13 | x | main.rs:70:15:70:15 | x |
| main.rs:65:13:65:13 | y | main.rs:65:13:65:13 | y | main.rs:71:15:71:15 | y |
| main.rs:75:9:75:10 | p1 | main.rs:75:9:75:10 | p1 | main.rs:79:9:79:10 | p1 |
| main.rs:77:12:77:13 | a2 | main.rs:77:12:77:13 | a2 | main.rs:80:15:80:16 | a2 |
| main.rs:78:12:78:13 | b2 | main.rs:78:12:78:13 | b2 | main.rs:81:15:81:16 | b2 |
| main.rs:85:9:85:10 | s1 | main.rs:85:9:85:10 | s1 | main.rs:88:11:88:12 | s1 |
| main.rs:87:17:87:22 | s2 | main.rs:87:21:87:22 | s2 | main.rs:89:19:89:20 | s2 |
| main.rs:94:14:94:15 | x5 | main.rs:94:14:94:15 | x5 | main.rs:98:15:98:16 | x5 |
| main.rs:102:9:102:10 | s1 | main.rs:102:9:102:10 | s1 | main.rs:105:11:105:12 | s1 |
| main.rs:104:20:104:25 | s2 | main.rs:104:24:104:25 | s2 | main.rs:106:19:106:20 | s2 |
| main.rs:111:9:111:10 | x6 | main.rs:111:9:111:10 | x6 | main.rs:114:11:114:12 | x6 |
| main.rs:112:9:112:10 | y1 | main.rs:112:9:112:10 | y1 | main.rs:124:15:124:16 | y1 |
| main.rs:116:14:116:15 | y1 | main.rs:116:14:116:15 | y1 | main.rs:119:23:119:24 | y1 |
| main.rs:128:9:128:15 | numbers | main.rs:128:9:128:15 | numbers | main.rs:142:11:142:17 | numbers |
| main.rs:132:13:132:17 | first | main.rs:132:13:132:17 | first | main.rs:136:23:136:27 | first |
| main.rs:133:13:133:17 | third | main.rs:133:13:133:17 | third | main.rs:137:23:137:27 | third |
| main.rs:134:13:134:17 | fifth | main.rs:134:13:134:17 | fifth | main.rs:138:23:138:27 | fifth |
| main.rs:144:13:144:17 | first | main.rs:144:13:144:17 | first | main.rs:148:23:148:27 | first |
| main.rs:146:13:146:16 | last | main.rs:146:13:146:16 | last | main.rs:149:23:149:26 | last |
| main.rs:155:9:155:10 | p2 | main.rs:155:9:155:10 | p2 | main.rs:157:11:157:12 | p2 |
| main.rs:159:16:159:17 | x7 | main.rs:159:16:159:17 | x7 | main.rs:160:24:160:25 | x7 |
| main.rs:169:9:169:11 | msg | main.rs:169:9:169:11 | msg | main.rs:171:11:171:13 | msg |
| main.rs:173:17:173:35 | [match(true)] id_variable | main.rs:173:17:173:27 | id_variable | main.rs:174:24:174:34 | id_variable |
| main.rs:178:26:178:27 | id | main.rs:178:26:178:27 | id | main.rs:179:23:179:24 | id |
| main.rs:189:9:189:14 | either | main.rs:189:9:189:14 | either | main.rs:190:11:190:16 | either |
| main.rs:191:9:191:44 | [match(true)] phi | main.rs:191:9:191:44 | a3 | main.rs:192:26:192:27 | a3 |
| main.rs:203:9:203:10 | tv | main.rs:203:9:203:10 | tv | main.rs:212:11:212:12 | tv |
| main.rs:205:9:205:81 | [match(true)] phi | main.rs:205:9:205:81 | a4 | main.rs:206:26:206:27 | a4 |
| main.rs:209:9:209:83 | [match(true)] phi | main.rs:209:9:209:83 | a5 | main.rs:210:26:210:27 | a5 |
| main.rs:213:9:213:83 | [match(true)] phi | main.rs:213:9:213:83 | a6 | main.rs:214:26:214:27 | a6 |
| main.rs:219:9:219:14 | either | main.rs:219:9:219:14 | either | main.rs:220:11:220:16 | either |
| main.rs:221:9:221:44 | [match(true)] phi | main.rs:221:9:221:44 | a7 | main.rs:222:16:222:17 | a7 |
| main.rs:221:9:221:44 | [match(true)] phi | main.rs:221:9:221:44 | a7 | main.rs:223:26:223:27 | a7 |
| main.rs:229:9:229:14 | either | main.rs:229:9:229:14 | either | main.rs:231:11:231:16 | either |
| main.rs:232:9:233:52 | [match(true)] e | main.rs:232:13:232:13 | e | main.rs:237:15:237:15 | e |
| main.rs:233:14:233:51 | [match(true)] phi | main.rs:233:14:233:51 | a11 | main.rs:235:23:235:25 | a11 |
| main.rs:236:33:236:35 | a12 | main.rs:236:33:236:35 | a12 | main.rs:238:28:238:30 | a12 |
| main.rs:253:9:253:10 | fv | main.rs:253:9:253:10 | fv | main.rs:254:11:254:12 | fv |
| main.rs:255:9:255:109 | [match(true)] phi | main.rs:255:9:255:109 | a13 | main.rs:256:26:256:28 | a13 |
| main.rs:261:5:261:6 | a8 | main.rs:261:5:261:6 | a8 | main.rs:266:15:266:16 | a8 |
| main.rs:263:9:263:10 | b3 | main.rs:263:9:263:10 | b3 | main.rs:267:15:267:16 | b3 |
| main.rs:264:9:264:10 | c1 | main.rs:264:9:264:10 | c1 | main.rs:268:15:268:16 | c1 |
| main.rs:272:6:272:41 | [match(true)] phi | main.rs:272:6:272:41 | a9 | main.rs:274:15:274:16 | a9 |
| main.rs:279:9:279:15 | a10 | main.rs:279:13:279:15 | a10 | main.rs:283:15:283:17 | a10 |
| main.rs:280:9:280:14 | b4 | main.rs:280:13:280:14 | b4 | main.rs:284:15:284:16 | b4 |
| main.rs:281:9:281:14 | c2 | main.rs:281:13:281:14 | c2 | main.rs:285:15:285:16 | c2 |
| main.rs:288:9:288:10 | c2 | main.rs:281:13:281:14 | c2 | main.rs:298:15:298:16 | c2 |
| main.rs:289:9:289:10 | b4 | main.rs:280:13:280:14 | b4 | main.rs:311:15:311:16 | b4 |
| main.rs:290:9:290:11 | a10 | main.rs:279:13:279:15 | a10 | main.rs:310:15:310:17 | a10 |
| main.rs:302:13:302:15 | a10 | main.rs:302:13:302:15 | a10 | main.rs:305:23:305:25 | a10 |
| main.rs:303:13:303:14 | b4 | main.rs:303:13:303:14 | b4 | main.rs:306:23:306:24 | b4 |
| main.rs:315:9:315:23 | example_closure | main.rs:315:9:315:23 | example_closure | main.rs:319:9:319:23 | example_closure |
| main.rs:316:10:316:10 | x | main.rs:316:10:316:10 | x | main.rs:317:9:317:9 | x |
| main.rs:318:9:318:10 | n1 | main.rs:318:9:318:10 | n1 | main.rs:320:15:320:16 | n1 |
| main.rs:323:9:323:26 | immutable_variable | main.rs:323:9:323:26 | immutable_variable | main.rs:327:9:327:26 | immutable_variable |
| main.rs:324:10:324:10 | x | main.rs:324:10:324:10 | x | main.rs:325:9:325:9 | x |
| main.rs:326:9:326:10 | n2 | main.rs:326:9:326:10 | n2 | main.rs:328:15:328:16 | n2 |
| main.rs:333:9:333:9 | f | main.rs:333:9:333:9 | f | main.rs:342:15:342:15 | f |
| main.rs:334:10:334:10 | x | main.rs:334:10:334:10 | x | main.rs:335:9:335:9 | x |
| main.rs:338:10:338:10 | x | main.rs:338:10:338:10 | x | main.rs:339:9:339:9 | x |
| main.rs:346:14:346:14 | x | main.rs:346:14:346:14 | x | main.rs:347:17:347:17 | x |
| main.rs:354:13:354:13 | f | main.rs:354:13:354:13 | f | main.rs:357:19:357:19 | f |
| main.rs:355:14:355:14 | x | main.rs:355:14:355:14 | x | main.rs:356:13:356:13 | x |
| main.rs:362:9:362:9 | v | main.rs:362:9:362:9 | v | main.rs:365:12:365:12 | v |
| main.rs:364:9:364:12 | text | main.rs:364:9:364:12 | text | main.rs:366:19:366:22 | text |
| main.rs:380:9:380:13 | ref_i | main.rs:380:9:380:13 | ref_i | main.rs:382:6:382:10 | ref_i |
| main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | main.rs:390:12:390:12 | x |
| main.rs:393:22:393:22 | x | main.rs:393:22:393:22 | x | main.rs:398:9:398:9 | x |
| main.rs:393:39:393:39 | y | main.rs:393:39:393:39 | y | main.rs:397:6:397:6 | y |
| main.rs:403:9:403:9 | y | main.rs:403:9:403:9 | y | main.rs:405:6:405:6 | y |
| main.rs:410:9:410:9 | w | main.rs:410:9:410:9 | w | main.rs:416:7:416:7 | w |
| main.rs:423:9:423:9 | y | main.rs:423:9:423:9 | y | main.rs:425:6:425:6 | y |
| main.rs:430:9:430:9 | x | main.rs:430:9:430:9 | x | main.rs:436:15:436:15 | x |
| main.rs:432:9:432:11 | cap | main.rs:432:9:432:11 | cap | main.rs:435:5:435:7 | cap |
| main.rs:432:15:434:5 | <captured entry> x | main.rs:430:9:430:9 | x | main.rs:433:19:433:19 | x |
| main.rs:440:9:440:13 | x | main.rs:440:13:440:13 | x | main.rs:446:15:446:15 | x |
| main.rs:442:9:442:16 | closure1 | main.rs:442:9:442:16 | closure1 | main.rs:445:5:445:12 | closure1 |
| main.rs:442:20:444:5 | <captured entry> x | main.rs:440:13:440:13 | x | main.rs:443:19:443:19 | x |
| main.rs:450:9:450:20 | closure2 | main.rs:450:13:450:20 | closure2 | main.rs:453:5:453:12 | closure2 |
| main.rs:453:5:453:14 | <captured exit> y | main.rs:448:13:448:13 | y | main.rs:454:15:454:15 | y |
| main.rs:458:9:458:20 | closure3 | main.rs:458:13:458:20 | closure3 | main.rs:461:5:461:12 | closure3 |
| main.rs:467:9:467:13 | block | main.rs:467:9:467:13 | block | main.rs:471:5:471:9 | block |
| main.rs:471:5:471:15 | <captured exit> i | main.rs:466:13:466:13 | i | main.rs:472:15:472:15 | i |
| main.rs:475:8:475:8 | b | main.rs:475:8:475:8 | b | main.rs:479:8:479:8 | b |
| main.rs:476:9:476:13 | x | main.rs:476:13:476:13 | x | main.rs:478:15:478:15 | x |
| main.rs:479:5:487:5 | phi | main.rs:476:13:476:13 | x | main.rs:488:15:488:15 | x |
| main.rs:480:9:480:9 | x | main.rs:476:13:476:13 | x | main.rs:482:19:482:19 | x |
| main.rs:484:9:484:9 | x | main.rs:476:13:476:13 | x | main.rs:486:19:486:19 | x |
| main.rs:491:13:491:14 | b1 | main.rs:491:13:491:14 | b1 | main.rs:493:8:493:9 | b1 |
| main.rs:491:24:491:25 | b2 | main.rs:491:24:491:25 | b2 | main.rs:499:8:499:9 | b2 |
| main.rs:492:9:492:9 | x | main.rs:492:9:492:9 | x | main.rs:500:19:500:19 | x |
| main.rs:492:9:492:9 | x | main.rs:492:9:492:9 | x | main.rs:502:19:502:19 | x |
| main.rs:512:15:512:23 | SelfParam | main.rs:512:20:512:23 | self | main.rs:513:16:513:19 | self |
| main.rs:516:11:516:14 | SelfParam | main.rs:516:11:516:14 | self | main.rs:517:9:517:12 | self |
| main.rs:521:13:521:17 | f | main.rs:521:17:521:17 | f | main.rs:526:9:526:9 | f |
| main.rs:521:21:524:9 | <captured entry> self | main.rs:520:23:520:26 | self | main.rs:523:13:523:16 | self |
| main.rs:521:22:521:22 | n | main.rs:521:22:521:22 | n | main.rs:523:25:523:25 | n |
| main.rs:540:9:540:13 | a | main.rs:540:13:540:13 | a | main.rs:543:15:543:15 | a |
| main.rs:544:5:544:5 | a | main.rs:540:13:540:13 | a | main.rs:545:15:545:15 | a |
| main.rs:549:9:549:9 | x | main.rs:549:9:549:9 | x | main.rs:551:15:551:15 | x |
| main.rs:553:9:553:9 | z | main.rs:553:9:553:9 | z | main.rs:554:20:554:20 | z |
| main.rs:562:10:562:18 | SelfParam | main.rs:562:15:562:18 | self | main.rs:563:6:563:9 | self |
| main.rs:593:9:593:22 | var_from_macro | main.rs:593:9:593:22 | var_from_macro | main.rs:595:15:595:28 | var_from_macro |
| main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro |
| main.rs:596:9:596:20 | var_in_macro | main.rs:596:9:596:20 | var_in_macro | main.rs:601:15:601:26 | var_in_macro |
| main.rs:600:15:600:42 | var_in_macro | main.rs:600:15:600:42 | var_in_macro | main.rs:600:30:600:41 | var_in_macro |
adjacentReads
| main.rs:35:9:35:10 | x3 | main.rs:35:9:35:10 | x3 | main.rs:36:15:36:16 | x3 | main.rs:38:9:38:10 | x3 |
| main.rs:43:9:43:10 | x4 | main.rs:43:9:43:10 | x4 | main.rs:44:15:44:16 | x4 | main.rs:49:15:49:16 | x4 |

4
rust/ql/test/library-tests/variables/Ssa.ql
View File

@@ -17,10 +17,6 @@ query predicate firstRead(Ssa::Definition def, Variable v, CfgNode read) {
def.getSourceVariable() = v and read = def.getAFirstRead()
}
query predicate lastRead(Ssa::Definition def, Variable v, CfgNode read) {
def.getSourceVariable() = v and read = def.getALastRead()
}
query predicate adjacentReads(Ssa::Definition def, Variable v, CfgNode read1, CfgNode read2) {
def.getSourceVariable() = v and
def.hasAdjacentReads(read1, read2)

2
rust/ql/test/query-tests/diagnostics/SummaryStats.expected
View File

@@ -14,7 +14,7 @@
| Macro calls - resolved | 8 |
| Macro calls - total | 9 |
| Macro calls - unresolved | 1 |
| Taint edges - number of edges | 3 |
| Taint edges - number of edges | 4 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |

7
shared/dataflow/codeql/dataflow/VariableCapture.qll
View File

@@ -67,9 +67,6 @@ signature module InputSig<LocationSig Location> {
/** Holds if `bb` is a control-flow entry point. */
default predicate entryBlock(BasicBlock bb) { not exists(getImmediateBasicBlockDominator(bb)) }
/** Holds if `bb` is a control-flow exit point. */
default predicate exitBlock(BasicBlock bb) { not exists(getABasicBlockSuccessor(bb)) }
/** A variable that is captured in a closure. */
class CapturedVariable {
/** Gets a textual representation of this variable. */
@@ -699,10 +696,6 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
result = Input::getABasicBlockSuccessor(bb)
}
class ExitBasicBlock extends BasicBlock {
ExitBasicBlock() { exitBlock(this) }
}
class SourceVariable = CaptureContainer;
predicate variableWrite(BasicBlock bb, int i, SourceVariable cc, boolean certain) {

17
shared/ssa/codeql/ssa/Ssa.qll
View File

@@ -60,12 +60,6 @@ signature module InputSig<LocationSig Location> {
/** Gets an immediate successor of basic block `bb`, if any. */
BasicBlock getABasicBlockSuccessor(BasicBlock bb);
/**
* An exit basic block, that is, a basic block whose last node is
* an exit node.
*/
class ExitBasicBlock extends BasicBlock;
/** A variable that can be SSA converted. */
class SourceVariable {
/** Gets a textual representation of this variable. */
@@ -855,6 +849,9 @@ module Make<LocationSig Location, InputSig<Location> Input> {
lastRefRedef(inp, _, _, def)
}
/** Holds if `bb` is a control-flow exit point. */
private predicate exitBlock(BasicBlock bb) { not exists(getABasicBlockSuccessor(bb)) }
/**
* NB: If this predicate is exposed, it should be cached.
*
@@ -866,14 +863,14 @@ module Make<LocationSig Location, InputSig<Location> Input> {
* another read.
*/
pragma[nomagic]
predicate lastRefExt(DefinitionExt def, BasicBlock bb, int i) {
deprecated predicate lastRefExt(DefinitionExt def, BasicBlock bb, int i) {
// Can reach another definition
lastRefRedefExt(def, _, bb, i, _)
or
lastSsaRefExt(def, _, bb, i) and
(
// Can reach exit directly
bb instanceof ExitBasicBlock
exitBlock(bb)
or
// Can reach a block using one or more steps, where `def` is no longer live
varBlockReachesExitExt(def, bb)
@@ -886,14 +883,14 @@ module Make<LocationSig Location, InputSig<Location> Input> {
* Same as `lastRefExt`, but ignores phi-reads.
*/
pragma[nomagic]
predicate lastRef(Definition def, BasicBlock bb, int i) {
deprecated predicate lastRef(Definition def, BasicBlock bb, int i) {
// Can reach another definition
lastRefRedef(def, bb, i, _)
or
lastSsaRef(def, _, bb, i) and
(
// Can reach exit directly
bb instanceof ExitBasicBlock
exitBlock(bb)
or
// Can reach a block using one or more steps, where `def` is no longer live
varBlockReachesExit(def, bb)

31
shared/util/codeql/util/ReportStats.qll Normal file
View File

@@ -0,0 +1,31 @@
/**
* Provides the `ReportStats` module for reporting database quality statistics.
*/
module;
signature module StatsSig {
int getNumberOfOk();
int getNumberOfNotOk();
string getOkText();
string getNotOkText();
}
module ReportStats<StatsSig Stats> {
predicate numberOfOk(string key, int value) {
value = Stats::getNumberOfOk() and
key = "Number of " + Stats::getOkText()
}
predicate numberOfNotOk(string key, int value) {
value = Stats::getNumberOfNotOk() and
key = "Number of " + Stats::getNotOkText()
}
predicate percentageOfOk(string key, float value) {
value = Stats::getNumberOfOk() * 100.0 / (Stats::getNumberOfOk() + Stats::getNumberOfNotOk()) and
key = "Percentage of " + Stats::getOkText()
}
}

2
swift/ql/lib/codeql/swift/dataflow/Ssa.qll
View File

@@ -21,8 +21,6 @@ module Ssa {
BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
class ExitBasicBlock = BasicBlocks::ExitBasicBlock;
private newtype TSourceVariable =
TNormalSourceVariable(VarDecl v) or
TKeyPathSourceVariable(EntryNode entry) { entry.getScope() instanceof KeyPathExpr }