Merge branch 'main' into nth

Geoffrey White
2025-02-24 10:57:45 +00:00
415 changed files with 9345 additions and 4107 deletions


@@ -12,6 +12,9 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
build --repo_env=CC=clang --repo_env=CXX=clang++
# print test output, like sembuild does.
# Set to `errors` if this is too verbose.
test --test_output all
# we use transitions that break builds of `...`, so for `test` to work with that we need the following
test --build_tests_only


@@ -1,6 +1,6 @@
MIT License
Copyright (c) 2006-2020 GitHub, Inc.
Copyright (c) 2006-2025 GitHub, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal


@@ -58,15 +58,12 @@ register_toolchains("@rust_toolchains//:all")
py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
use_repo(
py_deps,
"vendor__anyhow-1.0.44",
"vendor__cc-1.0.70",
"vendor__clap-2.33.3",
"vendor__regex-1.5.5",
"vendor__smallvec-1.6.1",
"vendor__string-interner-0.12.2",
"vendor__thiserror-1.0.29",
"vendor__tree-sitter-0.20.4",
"vendor__tree-sitter-graph-0.7.0",
"vendor_py__anyhow-1.0.95",
"vendor_py__cc-1.2.14",
"vendor_py__clap-4.5.30",
"vendor_py__regex-1.11.1",
"vendor_py__tree-sitter-0.20.4",
"vendor_py__tree-sitter-graph-0.7.0",
)
# deps for ruby+rust


@@ -4,6 +4,7 @@ codeql_pkg_files(
name = "extractor",
srcs = [
"codeql-extractor.yml",
"//:LICENSE",
] + glob(["tools/**"]),
strip_prefix = strip_prefix.from_pkg(),
visibility = ["//actions:__pkg__"],


@@ -1,3 +1,9 @@
## 0.4.3
### New Features
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
## 0.4.2
### Bug Fixes


@@ -1,4 +1,5 @@
---
category: feature
---
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
## 0.4.3
### New Features
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.2
lastReleaseVersion: 0.4.3


@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.3-dev
version: 0.4.4-dev
library: true
warnOnImplicitThis: true
dependencies:


@@ -1,3 +1,29 @@
## 0.5.0
### Breaking Changes
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
Any existing alerts for these queries will be closed automatically.
* `actions/if-expression-always-true/critical`
* `actions/if-expression-always-true/high`
* `actions/unnecessary-use-of-advanced-config`
* The following query has been moved from the `code-scanning` suite to the `security-extended`
suite. Any existing alerts for this query will be closed automatically unless the analysis is
configured to use the `security-extended` suite.
* `actions/unpinned-tag`
* The following queries have been added to the `security-extended` suite.
* `actions/unversioned-immutable-action`
* `actions/envpath-injection/medium`
* `actions/envvar-injection/medium`
* `actions/code-injection/medium`
* `actions/artifact-poisoning/medium`
* `actions/untrusted-checkout/medium`
### Minor Analysis Improvements
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
## 0.4.2
No user-facing changes.


@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.


@@ -1,6 +1,7 @@
---
category: breaking
---
## 0.5.0
### Breaking Changes
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
Any existing alerts for these queries will be closed automatically.
* `actions/if-expression-always-true/critical`
@@ -18,3 +19,7 @@ category: breaking
* `actions/code-injection/medium`
* `actions/artifact-poisoning/medium`
* `actions/untrusted-checkout/medium`
### Minor Analysis Improvements
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.2
lastReleaseVersion: 0.5.0


@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.4.3-dev
version: 0.5.1-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]


@@ -1,3 +1,7 @@
## 4.0.1
No user-facing changes.
## 4.0.0
### Breaking Changes


@@ -0,0 +1,3 @@
## 4.0.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.0.0
lastReleaseVersion: 4.0.1


@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 4.0.1-dev
version: 4.0.2-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@@ -1,3 +1,7 @@
## 1.3.4
No user-facing changes.
## 1.3.3
### Minor Analysis Improvements


@@ -49,11 +49,17 @@ predicate interestingConcatenation(DataFlow::Node incoming, DataFlow::Node outgo
call.getTarget() = op and
op.hasQualifiedName("std", "operator+") and
op.getType().(UserType).hasQualifiedName("std", "basic_string") and
incoming.asIndirectArgument() = call.getArgument(1) and // left operand
incoming.asIndirectArgument() = call.getArgument(1) and // right operand
call = outgoing.asInstruction().getUnconvertedResultExpression()
)
}
/**
* A state will represent the most recent concatenation that occurred in the data flow.
* - `TConcatState` if the concetenation has not yet occurred.
* - `TExecState(incoming, outgoing)`, representing the concatenation of data from `incoming`
* into result `outgoing`.
*/
newtype TState =
TConcatState() or
TExecState(DataFlow::Node incoming, DataFlow::Node outgoing) {
@@ -74,7 +80,9 @@ class ExecState extends TExecState {
DataFlow::Node getOutgoingNode() { result = outgoing }
/** Holds if this is a possible `ExecState` for `sink`. */
/**
* Holds if this is a possible `ExecState` at `sink`, that is, if `outgoing` flows to `sink`.
*/
predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::flow(outgoing, sink) }
string toString() { result = "ExecState" }
@@ -110,6 +118,12 @@ module ExecStateConfig implements DataFlow::ConfigSig {
module ExecState = TaintTracking::Global<ExecStateConfig>;
/**
* A full `TaintTracking` configuration from source to concatenation to sink, using a flow
* state to remember the concatenation. It's important that we track flow to the sink even though
* as soon as we reach the concatenation we know it will get there (due to the check of
* `isFeasibleForSink`), because this way we get a complete flow path.
*/
module ExecTaintConfig implements DataFlow::StateConfigSig {
class FlowState = TState;
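Review bot: In the first hunk, the corrected `// right operand` comment shows that the `std::operator+` case of `interestingConcatenation` matches only `call.getArgument(1)`, but nothing explains why a tainted left operand is not matched. If that is deliberate, a short why-comment would keep later readers from treating it as a missed command-injection case, for example `// right operand only: a tainted left operand is not treated as an interesting concatenation here (TODO confirm intent)`. The predicate begins above the hunk, so another disjunct may already cover the left operand. In the same hunk, the new QLDoc on `TState` spells "concatenation" as "concetenation" in its first bullet.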


@@ -0,0 +1,3 @@
## 1.3.4
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.3.3
lastReleaseVersion: 1.3.4


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.3.4-dev
version: 1.3.5-dev
groups:
- cpp
- queries


@@ -7,68 +7,88 @@ edges
| test.cpp:47:21:47:26 | *call to getenv | test.cpp:50:35:50:43 | *envCflags | provenance | |
| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | *command | provenance | |
| test.cpp:50:35:50:43 | *envCflags | test.cpp:50:11:50:17 | sprintf output argument | provenance | Config |
| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | *filename | provenance | |
| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | *command | provenance | |
| test.cpp:64:20:64:27 | *filename | test.cpp:64:11:64:17 | strncat output argument | provenance | Config |
| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | *filename | provenance | |
| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | *command | provenance | |
| test.cpp:84:20:84:27 | *filename | test.cpp:84:11:84:17 | strncat output argument | provenance | Config |
| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | *filename | provenance | |
| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | *path | provenance | |
| test.cpp:93:17:93:24 | *filename | test.cpp:93:11:93:14 | strncat output argument | provenance | Config |
| test.cpp:106:20:106:38 | *call to getenv | test.cpp:107:33:107:36 | *path | provenance | TaintFunction |
| test.cpp:107:31:107:31 | call to operator+ | test.cpp:107:31:107:31 | call to operator+ | provenance | |
| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | *call to c_str | provenance | TaintFunction |
| test.cpp:107:33:107:36 | *path | test.cpp:107:31:107:31 | call to operator+ | provenance | Config |
| test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:19:114:22 | *path | provenance | TaintFunction |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | TaintFunction |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | TaintFunction |
| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ | provenance | |
| test.cpp:114:19:114:22 | *path | test.cpp:114:10:114:23 | call to operator+ | provenance | Config |
| test.cpp:114:19:114:22 | *path | test.cpp:114:17:114:17 | call to operator+ | provenance | Config |
| test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:19:120:22 | *path | provenance | TaintFunction |
| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | *call to data | provenance | TaintFunction |
| test.cpp:120:19:120:22 | *path | test.cpp:120:17:120:17 | call to operator+ | provenance | Config |
| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | *str | provenance | |
| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | *command | provenance | |
| test.cpp:142:31:142:33 | *str | test.cpp:142:11:142:17 | sprintf output argument | provenance | Config |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | *filename | provenance | |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | *filename | provenance | |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance | |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance | |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | Config |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | TaintFunction |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | Config |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | TaintFunction |
| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:180:22:180:29 | *filename | test.cpp:180:13:180:19 | strncat output argument | provenance | Config |
| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | *filename | provenance | |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance | |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance | |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | Config |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | TaintFunction |
| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command | provenance | |
| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command | provenance | |
| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command [Return] | provenance | |
| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command [Return] | provenance | |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | Config |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | TaintFunction |
| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename | provenance | |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance | |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance | |
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | provenance | |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | Config |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | TaintFunction |
| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | TaintFunction |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | TaintFunction |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | Config |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | Config |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:19:220:26 | *filename | provenance | |
| test.cpp:63:9:63:16 | fread output argument | test.cpp:65:20:65:27 | *filename | provenance | |
| test.cpp:65:11:65:17 | strncat output argument | test.cpp:66:10:66:16 | *command | provenance | |
| test.cpp:65:20:65:27 | *filename | test.cpp:65:11:65:17 | strncat output argument | provenance | Config |
| test.cpp:83:9:83:16 | fread output argument | test.cpp:85:20:85:27 | *filename | provenance | |
| test.cpp:85:11:85:17 | strncat output argument | test.cpp:86:32:86:38 | *command | provenance | |
| test.cpp:85:20:85:27 | *filename | test.cpp:85:11:85:17 | strncat output argument | provenance | Config |
| test.cpp:92:9:92:16 | fread output argument | test.cpp:94:17:94:24 | *filename | provenance | |
| test.cpp:94:11:94:14 | strncat output argument | test.cpp:95:45:95:48 | *path | provenance | |
| test.cpp:94:17:94:24 | *filename | test.cpp:94:11:94:14 | strncat output argument | provenance | Config |
| test.cpp:107:20:107:38 | *call to getenv | test.cpp:108:33:108:36 | *path | provenance | TaintFunction |
| test.cpp:108:31:108:31 | call to operator+ | test.cpp:108:31:108:31 | call to operator+ | provenance | |
| test.cpp:108:31:108:31 | call to operator+ | test.cpp:109:18:109:22 | *call to c_str | provenance | TaintFunction |
| test.cpp:108:33:108:36 | *path | test.cpp:108:31:108:31 | call to operator+ | provenance | Config |
| test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:19:115:22 | *path | provenance | TaintFunction |
| test.cpp:115:10:115:23 | call to operator+ | test.cpp:115:25:115:29 | *call to c_str | provenance | TaintFunction |
| test.cpp:115:10:115:23 | call to operator+ | test.cpp:115:25:115:29 | *call to c_str | provenance | TaintFunction |
| test.cpp:115:17:115:17 | call to operator+ | test.cpp:115:10:115:23 | call to operator+ | provenance | |
| test.cpp:115:19:115:22 | *path | test.cpp:115:10:115:23 | call to operator+ | provenance | Config |
| test.cpp:115:19:115:22 | *path | test.cpp:115:17:115:17 | call to operator+ | provenance | Config |
| test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:19:121:22 | *path | provenance | TaintFunction |
| test.cpp:121:17:121:17 | call to operator+ | test.cpp:121:10:121:30 | *call to data | provenance | TaintFunction |
| test.cpp:121:19:121:22 | *path | test.cpp:121:17:121:17 | call to operator+ | provenance | Config |
| test.cpp:141:9:141:11 | fread output argument | test.cpp:143:31:143:33 | *str | provenance | |
| test.cpp:143:11:143:17 | sprintf output argument | test.cpp:144:10:144:16 | *command | provenance | |
| test.cpp:143:31:143:33 | *str | test.cpp:143:11:143:17 | sprintf output argument | provenance | Config |
| test.cpp:175:9:175:16 | fread output argument | test.cpp:178:20:178:27 | *filename | provenance | |
| test.cpp:175:9:175:16 | fread output argument | test.cpp:181:22:181:29 | *filename | provenance | |
| test.cpp:178:13:178:17 | strncat output argument | test.cpp:179:22:179:26 | *flags | provenance | |
| test.cpp:178:13:178:17 | strncat output argument | test.cpp:179:22:179:26 | *flags | provenance | |
| test.cpp:178:20:178:27 | *filename | test.cpp:178:13:178:17 | strncat output argument | provenance | Config |
| test.cpp:178:20:178:27 | *filename | test.cpp:178:13:178:17 | strncat output argument | provenance | TaintFunction |
| test.cpp:179:13:179:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance | |
| test.cpp:179:13:179:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance | |
| test.cpp:179:22:179:26 | *flags | test.cpp:179:13:179:19 | strncat output argument | provenance | Config |
| test.cpp:179:22:179:26 | *flags | test.cpp:179:13:179:19 | strncat output argument | provenance | TaintFunction |
| test.cpp:181:13:181:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance | |
| test.cpp:181:22:181:29 | *filename | test.cpp:181:13:181:19 | strncat output argument | provenance | Config |
| test.cpp:187:47:187:54 | *filename | test.cpp:188:18:188:25 | *filename | provenance | |
| test.cpp:188:11:188:15 | strncat output argument | test.cpp:189:20:189:24 | *flags | provenance | |
| test.cpp:188:11:188:15 | strncat output argument | test.cpp:189:20:189:24 | *flags | provenance | |
| test.cpp:188:18:188:25 | *filename | test.cpp:188:11:188:15 | strncat output argument | provenance | Config |
| test.cpp:188:18:188:25 | *filename | test.cpp:188:11:188:15 | strncat output argument | provenance | TaintFunction |
| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command | provenance | |
| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command | provenance | |
| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command [Return] | provenance | |
| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command [Return] | provenance | |
| test.cpp:189:20:189:24 | *flags | test.cpp:189:11:189:17 | strncat output argument | provenance | Config |
| test.cpp:189:20:189:24 | *flags | test.cpp:189:11:189:17 | strncat output argument | provenance | TaintFunction |
| test.cpp:195:9:195:16 | fread output argument | test.cpp:197:26:197:33 | *filename | provenance | |
| test.cpp:197:10:197:16 | concat output argument | test.cpp:199:32:199:38 | *command | provenance | |
| test.cpp:197:10:197:16 | concat output argument | test.cpp:199:32:199:38 | *command | provenance | |
| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | provenance | |
| test.cpp:197:26:197:33 | *filename | test.cpp:197:10:197:16 | concat output argument | provenance | Config |
| test.cpp:197:26:197:33 | *filename | test.cpp:197:10:197:16 | concat output argument | provenance | TaintFunction |
| test.cpp:219:9:219:16 | fread output argument | test.cpp:221:19:221:26 | *filename | provenance | |
| test.cpp:221:10:221:16 | strncat output argument | test.cpp:221:10:221:16 | strncat output argument | provenance | TaintFunction |
| test.cpp:221:10:221:16 | strncat output argument | test.cpp:221:10:221:16 | strncat output argument | provenance | TaintFunction |
| test.cpp:221:10:221:16 | strncat output argument | test.cpp:223:32:223:38 | *command | provenance | |
| test.cpp:221:10:221:16 | strncat output argument | test.cpp:223:32:223:38 | *command | provenance | |
| test.cpp:221:19:221:26 | *filename | test.cpp:221:10:221:16 | strncat output argument | provenance | Config |
| test.cpp:221:19:221:26 | *filename | test.cpp:221:10:221:16 | strncat output argument | provenance | Config |
| test.cpp:221:19:221:26 | *filename | test.cpp:221:19:221:26 | *filename | provenance | |
| test.cpp:231:11:231:16 | strncat output argument | test.cpp:232:11:232:16 | strncat output argument | provenance | TaintFunction |
| test.cpp:231:19:231:33 | *call to getenv | test.cpp:231:11:231:16 | strncat output argument | provenance | Config |
| test.cpp:232:11:232:16 | strncat output argument | test.cpp:233:11:233:16 | strncat output argument | provenance | TaintFunction |
| test.cpp:232:11:232:16 | strncat output argument | test.cpp:233:11:233:16 | strncat output argument | provenance | TaintFunction |
| test.cpp:232:19:232:33 | *call to getenv | test.cpp:232:11:232:16 | strncat output argument | provenance | Config |
| test.cpp:233:11:233:16 | strncat output argument | test.cpp:234:10:234:15 | *buffer | provenance | |
| test.cpp:233:11:233:16 | strncat output argument | test.cpp:234:10:234:15 | *buffer | provenance | |
| test.cpp:242:11:242:17 | sprintf output argument | test.cpp:247:5:247:11 | *buffer1 | provenance | |
| test.cpp:242:11:242:17 | sprintf output argument | test.cpp:247:5:247:11 | *buffer1 | provenance | |
| test.cpp:243:5:243:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | TaintFunction |
| test.cpp:244:5:244:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | Config |
| test.cpp:244:5:244:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | TaintFunction |
| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance | |
| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance | |
| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance | |
| test.cpp:247:5:247:11 | *buffer1 | test.cpp:245:11:245:17 | sprintf output argument | provenance | Config |
| test.cpp:247:5:247:11 | *buffer1 | test.cpp:245:11:245:17 | sprintf output argument | provenance | TaintFunction |
| test.cpp:248:5:248:10 | *call to getenv | test.cpp:245:11:245:17 | sprintf output argument | provenance | Config |
| test.cpp:259:13:259:18 | strncat output argument | test.cpp:261:10:261:15 | *buffer | provenance | |
| test.cpp:259:21:259:35 | *call to getenv | test.cpp:259:13:259:18 | strncat output argument | provenance | Config |
nodes
| test.cpp:15:27:15:30 | **argv | semmle.label | **argv |
| test.cpp:16:20:16:26 | *access to array | semmle.label | *access to array |
@@ -80,98 +100,130 @@ nodes
| test.cpp:50:11:50:17 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:50:35:50:43 | *envCflags | semmle.label | *envCflags |
| test.cpp:51:10:51:16 | *command | semmle.label | *command |
| test.cpp:62:9:62:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:64:11:64:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:64:20:64:27 | *filename | semmle.label | *filename |
| test.cpp:65:10:65:16 | *command | semmle.label | *command |
| test.cpp:82:9:82:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:84:11:84:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:84:20:84:27 | *filename | semmle.label | *filename |
| test.cpp:85:32:85:38 | *command | semmle.label | *command |
| test.cpp:91:9:91:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:93:11:93:14 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:93:17:93:24 | *filename | semmle.label | *filename |
| test.cpp:94:45:94:48 | *path | semmle.label | *path |
| test.cpp:106:20:106:38 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:107:33:107:36 | *path | semmle.label | *path |
| test.cpp:108:18:108:22 | *call to c_str | semmle.label | *call to c_str |
| test.cpp:113:20:113:38 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:114:17:114:17 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:114:19:114:22 | *path | semmle.label | *path |
| test.cpp:114:25:114:29 | *call to c_str | semmle.label | *call to c_str |
| test.cpp:114:25:114:29 | *call to c_str | semmle.label | *call to c_str |
| test.cpp:119:20:119:38 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:120:10:120:30 | *call to data | semmle.label | *call to data |
| test.cpp:120:17:120:17 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:120:19:120:22 | *path | semmle.label | *path |
| test.cpp:140:9:140:11 | fread output argument | semmle.label | fread output argument |
| test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:142:31:142:33 | *str | semmle.label | *str |
| test.cpp:143:10:143:16 | *command | semmle.label | *command |
| test.cpp:174:9:174:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:177:20:177:27 | *filename | semmle.label | *filename |
| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:178:22:178:26 | *flags | semmle.label | *flags |
| test.cpp:178:22:178:26 | *flags | semmle.label | *flags |
| test.cpp:180:13:180:19 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:180:22:180:29 | *filename | semmle.label | *filename |
| test.cpp:183:32:183:38 | *command | semmle.label | *command |
| test.cpp:183:32:183:38 | *command | semmle.label | *command |
| test.cpp:183:32:183:38 | *command | semmle.label | *command |
| test.cpp:186:19:186:25 | *command | semmle.label | *command |
| test.cpp:186:19:186:25 | *command | semmle.label | *command |
| test.cpp:186:19:186:25 | *command [Return] | semmle.label | *command [Return] |
| test.cpp:186:19:186:25 | *command [Return] | semmle.label | *command [Return] |
| test.cpp:186:47:186:54 | *filename | semmle.label | *filename |
| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:187:18:187:25 | *filename | semmle.label | *filename |
| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:188:20:188:24 | *flags | semmle.label | *flags |
| test.cpp:188:20:188:24 | *flags | semmle.label | *flags |
| test.cpp:194:9:194:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:196:10:196:16 | concat output argument | semmle.label | concat output argument |
| test.cpp:196:10:196:16 | concat output argument | semmle.label | concat output argument |
| test.cpp:196:26:196:33 | *filename | semmle.label | *filename |
| test.cpp:198:32:198:38 | *command | semmle.label | *command |
| test.cpp:198:32:198:38 | *command | semmle.label | *command |
| test.cpp:218:9:218:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:220:19:220:26 | *filename | semmle.label | *filename |
| test.cpp:220:19:220:26 | *filename | semmle.label | *filename |
| test.cpp:222:32:222:38 | *command | semmle.label | *command |
| test.cpp:222:32:222:38 | *command | semmle.label | *command |
| test.cpp:63:9:63:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:65:11:65:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:65:20:65:27 | *filename | semmle.label | *filename |
| test.cpp:66:10:66:16 | *command | semmle.label | *command |
| test.cpp:83:9:83:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:85:11:85:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:85:20:85:27 | *filename | semmle.label | *filename |
| test.cpp:86:32:86:38 | *command | semmle.label | *command |
| test.cpp:92:9:92:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:94:11:94:14 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:94:17:94:24 | *filename | semmle.label | *filename |
| test.cpp:95:45:95:48 | *path | semmle.label | *path |
| test.cpp:107:20:107:38 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:108:31:108:31 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:108:31:108:31 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:108:33:108:36 | *path | semmle.label | *path |
| test.cpp:109:18:109:22 | *call to c_str | semmle.label | *call to c_str |
| test.cpp:114:20:114:38 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:115:10:115:23 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:115:10:115:23 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:115:17:115:17 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:115:19:115:22 | *path | semmle.label | *path |
| test.cpp:115:25:115:29 | *call to c_str | semmle.label | *call to c_str |
| test.cpp:115:25:115:29 | *call to c_str | semmle.label | *call to c_str |
| test.cpp:120:20:120:38 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:121:10:121:30 | *call to data | semmle.label | *call to data |
| test.cpp:121:17:121:17 | call to operator+ | semmle.label | call to operator+ |
| test.cpp:121:19:121:22 | *path | semmle.label | *path |
| test.cpp:141:9:141:11 | fread output argument | semmle.label | fread output argument |
| test.cpp:143:11:143:17 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:143:31:143:33 | *str | semmle.label | *str |
| test.cpp:144:10:144:16 | *command | semmle.label | *command |
| test.cpp:175:9:175:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:178:13:178:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:178:13:178:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:178:20:178:27 | *filename | semmle.label | *filename |
| test.cpp:179:13:179:19 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:179:13:179:19 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:179:22:179:26 | *flags | semmle.label | *flags |
| test.cpp:179:22:179:26 | *flags | semmle.label | *flags |
| test.cpp:181:13:181:19 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:181:22:181:29 | *filename | semmle.label | *filename |
| test.cpp:184:32:184:38 | *command | semmle.label | *command |
| test.cpp:184:32:184:38 | *command | semmle.label | *command |
| test.cpp:184:32:184:38 | *command | semmle.label | *command |
| test.cpp:187:19:187:25 | *command | semmle.label | *command |
| test.cpp:187:19:187:25 | *command | semmle.label | *command |
| test.cpp:187:19:187:25 | *command [Return] | semmle.label | *command [Return] |
| test.cpp:187:19:187:25 | *command [Return] | semmle.label | *command [Return] |
| test.cpp:187:47:187:54 | *filename | semmle.label | *filename |
| test.cpp:188:11:188:15 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:188:11:188:15 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:188:18:188:25 | *filename | semmle.label | *filename |
| test.cpp:189:11:189:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:189:11:189:17 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:189:20:189:24 | *flags | semmle.label | *flags |
| test.cpp:189:20:189:24 | *flags | semmle.label | *flags |
| test.cpp:195:9:195:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:197:10:197:16 | concat output argument | semmle.label | concat output argument |
| test.cpp:197:10:197:16 | concat output argument | semmle.label | concat output argument |
| test.cpp:197:26:197:33 | *filename | semmle.label | *filename |
| test.cpp:199:32:199:38 | *command | semmle.label | *command |
| test.cpp:199:32:199:38 | *command | semmle.label | *command |
| test.cpp:219:9:219:16 | fread output argument | semmle.label | fread output argument |
| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:221:19:221:26 | *filename | semmle.label | *filename |
| test.cpp:221:19:221:26 | *filename | semmle.label | *filename |
| test.cpp:223:32:223:38 | *command | semmle.label | *command |
| test.cpp:223:32:223:38 | *command | semmle.label | *command |
| test.cpp:231:11:231:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:231:19:231:33 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:232:11:232:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:232:11:232:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:232:19:232:33 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:233:11:233:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:233:11:233:16 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:234:10:234:15 | *buffer | semmle.label | *buffer |
| test.cpp:234:10:234:15 | *buffer | semmle.label | *buffer |
| test.cpp:242:11:242:17 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:242:11:242:17 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:243:5:243:10 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:244:5:244:10 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:247:5:247:11 | *buffer1 | semmle.label | *buffer1 |
| test.cpp:247:5:247:11 | *buffer1 | semmle.label | *buffer1 |
| test.cpp:248:5:248:10 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
| test.cpp:259:13:259:18 | strncat output argument | semmle.label | strncat output argument |
| test.cpp:259:21:259:35 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:261:10:261:15 | *buffer | semmle.label | *buffer |
subpaths
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command [Return] | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command [Return] | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument |
| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument |
| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument |
| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument |
#select
| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (string read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
| test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:38 | *call to getenv | test.cpp:108:18:108:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:38 | *call to getenv | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:25:114:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | *call to getenv | user input (an environment variable) | test.cpp:114:10:114:23 | call to operator+ | call to operator+ |
| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:25:114:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | *call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | call to operator+ | call to operator+ |
| test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:10:120:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:38 | *call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | call to operator+ | call to operator+ |
| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (string read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument |
| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument |
| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument |
| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ |
| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ |
| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ |
| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ |
| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument |
| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument |
| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument |
| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument |
| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument |
| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument |
| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument |
| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument |
| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument |
| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument |
| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument |
| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument |


@@ -14,7 +14,7 @@ extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
int main(int argc, char** argv) {
char *userName = argv[2];
{
// BAD: a string from the user is injected directly into
// a command.
@@ -23,10 +23,10 @@ int main(int argc, char** argv) {
system(command1);
}
{
{
// GOOD: the user string is encoded by a library routine.
char userNameQuoted[1000] = {0};
encodeShellString(userNameQuoted, 1000, userName);
encodeShellString(userNameQuoted, 1000, userName);
char command2[1000] = {0};
sprintf(command2, "userinfo -v %s", userNameQuoted);
system(command2);
@@ -36,16 +36,16 @@ int main(int argc, char** argv) {
void test2(char* arg2) {
// GOOD?: the user string is the *first* part of the command, like $CC in many environments
char *envCC = getenv("CC");
char command[1000];
sprintf("%s %s", envCC, arg2);
sprintf(command, "%s %s", envCC, arg2);
system(command);
}
void test3(char* arg1) {
// GOOD?: the user string is a `$CFLAGS` environment variable
char *envCflags = getenv("CFLAGS");
char command[1000];
sprintf(command, "%s %s", arg1, envCflags);
system(command);
@@ -54,6 +54,7 @@ void test3(char* arg1) {
typedef unsigned long size_t;
typedef void FILE;
size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
char *strncpy(char *s1, const char *s2, size_t n);
char *strncat(char *s1, const char *s2, size_t n);
void test4(FILE *f) {
@@ -160,7 +161,7 @@ void test15(FILE *f) {
fread(temp, 1, 10, f);
int x = atoi(temp);
char temp2[10];
sprintf(temp2, "%d", x);
sprintf(command, "tail -n %s foo.log", temp2);
@@ -222,4 +223,42 @@ void test19(FILE *f) {
execl("/bin/sh", "sh", "-c", command);
}
void test20() {
// BAD: the user strings `var_b`, `var_c` are injected directly into a command
char buffer[1024 * 4];
strncpy(buffer, getenv("var_a"), 1024);
strncat(buffer, getenv("var_b"), 1024);
strncat(buffer, getenv("var_c"), 1024);
strncat(buffer, " ", 1024);
system(buffer);
}
void test21() {
// BAD: the user strings `var_b`, `var_c` are injected directly into a command
char buffer1[1024];
char buffer2[1024];
sprintf(buffer1, "%s %s",
getenv("var_a"),
getenv("var_b"));
sprintf(buffer2, "%s %s %s",
" ",
buffer1,
getenv("var_c"));
system(buffer2);
}
void test22() {
// BAD: the user strings `var_a` are injected directly into a command
char buffer[1024 * 11];
int i;
strncpy(buffer, "command ", 1024);
for (i = 0; i < 10; i++) {
strncat(buffer, getenv("var_a"), 1024);
}
system(buffer);
}
// open question: do we want to report certain sources even when they're the start of the string?
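Review bot: The comment on `test21` names only `var_b` and `var_c` as injected, but `var_a` is not at the start of the final command either, because `buffer1` is the second `%s` in `sprintf(buffer2, "%s %s %s", " ", buffer1, ...)`. The expected results shown on this page agree: they list an alert on `buffer2` whose source is `test.cpp:243:5`, which by the hunk's numbering appears to be the `getenv("var_a")` argument. The comment should therefore list `var_a`, `var_b` and `var_c`, and the `test22` comment should read "the user string `var_a` is injected" (singular). Separately, `strncpy(buffer, getenv("var_a"), 1024)` in `test20` leaves `buffer` without a terminator when the value is 1024 bytes or longer, so the following `strncat` calls would scan past it. If the fixture is meant to exercise only the injection flow, a one-line comment saying the unchecked copy is deliberate would stop readers copying the pattern.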


@@ -1,3 +1,7 @@
## 1.7.34
No user-facing changes.
## 1.7.33
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.34
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.33
lastReleaseVersion: 1.7.34


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.34-dev
version: 1.7.35-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,7 @@
## 1.7.34
No user-facing changes.
## 1.7.33
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.34
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.33
lastReleaseVersion: 1.7.34


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.34-dev
version: 1.7.35-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,18 @@
## 5.1.0
### Deprecated APIs
* The predicates `immediatelyControls` and `controls` on the `ConditionBlock`
class have been deprecated in favor of the newly added `dominatingEdge`
predicate.
### Minor Analysis Improvements
* Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
* C# 13: Add generated models for .NET 9.
* The models for `System.Net.Http.HttpRequestMessage` and `System.UriBuilder` have been modified to better model the flow of tainted URIs.
* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.
## 5.0.0
### Breaking Changes
@@ -53,7 +68,6 @@
### Minor Analysis Improvements
* .NET 9 is now required to build the C# extractor.
* The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.
## 3.1.0


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The models for `System.Net.Http.HttpRequestMessage` and `System.UriBuilder` have been modified to better model the flow of tainted URIs.


@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* C# 13: Add generated models for .NET 9.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.


@@ -2,5 +2,4 @@
### Minor Analysis Improvements
* .NET 9 is now required to build the C# extractor.
* The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.


@@ -0,0 +1,14 @@
## 5.1.0
### Deprecated APIs
* The predicates `immediatelyControls` and `controls` on the `ConditionBlock`
class have been deprecated in favor of the newly added `dominatingEdge`
predicate.
### Minor Analysis Improvements
* Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
* C# 13: Add generated models for .NET 9.
* The models for `System.Net.Http.HttpRequestMessage` and `System.UriBuilder` have been modified to better model the flow of tainted URIs.
* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.0.0
lastReleaseVersion: 5.1.0


@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 5.0.1-dev
version: 5.1.1-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@@ -734,7 +734,7 @@ private predicate variableReadPseudo(ControlFlow::BasicBlock bb, int i, Ssa::Sou
}
pragma[noinline]
private predicate adjacentDefRead(
deprecated private predicate adjacentDefRead(
Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2,
SsaInput::SourceVariable v
) {
@@ -742,7 +742,7 @@ private predicate adjacentDefRead(
v = def.getSourceVariable()
}
private predicate adjacentDefReachesRead(
deprecated private predicate adjacentDefReachesRead(
Definition def, SsaInput::SourceVariable v, SsaInput::BasicBlock bb1, int i1,
SsaInput::BasicBlock bb2, int i2
) {
@@ -760,18 +760,7 @@ private predicate adjacentDefReachesRead(
)
}
/** Same as `adjacentDefRead`, but skips uncertain reads. */
pragma[nomagic]
private predicate adjacentDefSkipUncertainReads(
Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
) {
exists(SsaInput::SourceVariable v |
adjacentDefReachesRead(def, v, bb1, i1, bb2, i2) and
SsaInput::variableRead(bb2, i2, v, true)
)
}
private predicate adjacentDefReachesUncertainRead(
deprecated private predicate adjacentDefReachesUncertainRead(
Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
) {
exists(SsaInput::SourceVariable v |
@@ -933,10 +922,8 @@ private module Cached {
*/
cached
predicate firstReadSameVar(Definition def, ControlFlow::Node cfn) {
exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
def.definesAt(_, bb1, i1) and
adjacentDefSkipUncertainReads(def, bb1, i1, bb2, i2) and
cfn = bb2.getNode(i2)
exists(ControlFlow::BasicBlock bb, int i |
Impl::firstUse(def, bb, i, true) and cfn = bb.getNode(i)
)
}
@@ -947,25 +934,17 @@ private module Cached {
*/
cached
predicate adjacentReadPairSameVar(Definition def, ControlFlow::Node cfn1, ControlFlow::Node cfn2) {
exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
exists(
ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2,
Ssa::SourceVariable v
|
Impl::ssaDefReachesRead(v, def, bb1, i1) and
Impl::adjacentUseUse(bb1, i1, bb2, i2, v, true) and
cfn1 = bb1.getNode(i1) and
variableReadActual(bb1, i1, _) and
adjacentDefSkipUncertainReads(def, bb1, i1, bb2, i2) and
cfn2 = bb2.getNode(i2)
)
}
cached
predicate lastRefBeforeRedef(Definition def, ControlFlow::BasicBlock bb, int i, Definition next) {
Impl::lastRefRedef(def, bb, i, next) and
not SsaInput::variableRead(bb, i, def.getSourceVariable(), false)
or
exists(SsaInput::BasicBlock bb0, int i0 |
Impl::lastRefRedef(def, bb0, i0, next) and
adjacentDefReachesUncertainRead(def, bb, i, bb0, i0)
)
}
cached
Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
Impl::uncertainWriteDefinitionInput(def, result)
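Review bot: The rewritten bodies of `firstReadSameVar` and `adjacentReadPairSameVar` pass a bare `true` to `Impl::firstUse` and `Impl::adjacentUseUse`, and nothing at the call sites says what it selects. The helper whose doc comment stated that uncertain reads are skipped (`adjacentDefSkipUncertainReads`) appears to be removed by this change, so that intent is no longer written down. Presumably the flag means certain reads only, as the last argument of the old `SsaInput::variableRead(bb2, i2, v, true)` did; if so, a short comment such as `// true: certain reads only` on each call would keep it visible. The three predicates now marked `deprecated private` also carry no QLDoc naming what supersedes them or which deprecated API still needs them. Both cached predicates sit inside `module Cached`, which begins outside these hunks.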


@@ -1,3 +1,7 @@
## 1.0.17
No user-facing changes.
## 1.0.16
### Minor Analysis Improvements


@@ -0,0 +1,3 @@
## 1.0.17
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.16
lastReleaseVersion: 1.0.17


@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.0.17-dev
version: 1.0.18-dev
groups:
- csharp
- queries


@@ -1190,11 +1190,11 @@
| cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | exit (...) => ... | 6 |
| cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | exit delegate(...) { ... } | 8 |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:18 | ... == ... | 6 |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... | 1 |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | 1 |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... | 1 |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... | 1 |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:23:187:28 | ... == ... | 3 |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:39 | ... == ... | 3 |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:49 | [false] ... && ... | 1 |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:49 | ... && ... | 1 |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | exit LogicalOr | 5 |
| cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:195:17:195:32 | ... > ... | 8 |
| cflow.cs:193:10:193:17 | exit Booleans | cflow.cs:193:10:193:17 | exit Booleans | 1 |


@@ -2303,27 +2303,27 @@ conditionBlock
| cflow.cs:167:16:167:16 | access to local variable x | cflow.cs:174:9:176:9 | {...} | false |
| cflow.cs:173:32:173:32 | access to local variable i | cflow.cs:146:10:146:12 | exit For (normal) | false |
| cflow.cs:173:32:173:32 | access to local variable i | cflow.cs:174:9:176:9 | {...} | true |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | ... \|\| ... | false |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | ... \|\| ... | false |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:23:187:23 | 2 | false |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:34 | 1 | false |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | [false] ... && ... | false |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | ... && ... | false |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... | false |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... | false |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | ... \|\| ... | false |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | ... \|\| ... | false |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:34 | 1 | false |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | [false] ... && ... | false |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | ... && ... | false |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | [false] ... && ... | false |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | ... \|\| ... | false |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | ... && ... | false |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:195:39:195:43 | this access | true |
| cflow.cs:195:17:195:56 | ... && ... | cflow.cs:197:13:197:47 | [false] !... | false |
| cflow.cs:195:17:195:56 | ... && ... | cflow.cs:197:13:197:47 | [true] !... | true |
@@ -2964,11 +2964,11 @@ conditionFlow
| cflow.cs:173:32:173:41 | ... < ... | cflow.cs:146:10:146:12 | exit For (normal) | false |
| cflow.cs:173:32:173:41 | ... < ... | cflow.cs:174:9:176:9 | {...} | true |
| cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:23:187:23 | 2 | false |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | [false] ... && ... | false |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | ... \|\| ... | false |
| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | ... && ... | false |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
| cflow.cs:195:17:195:32 | ... > ... | cflow.cs:195:17:195:56 | ... && ... | false |
| cflow.cs:195:17:195:32 | ... > ... | cflow.cs:195:39:195:43 | this access | true |
| cflow.cs:197:13:197:47 | [false] !... | cflow.cs:200:9:205:9 | if (...) ... | false |


@@ -4151,15 +4151,15 @@ dominance
| cflow.cs:187:9:190:52 | if (...) ... | cflow.cs:187:13:187:13 | 1 |
| cflow.cs:187:13:187:13 | 1 | cflow.cs:187:18:187:18 | 2 |
| cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:18:187:18 | 2 | cflow.cs:187:13:187:18 | ... == ... |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:28:187:28 | 3 |
| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:187:28:187:28 | 3 | cflow.cs:187:23:187:28 | ... == ... |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:39:187:39 | 3 |
| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:187:39:187:39 | 3 | cflow.cs:187:34:187:39 | ... == ... |
| cflow.cs:190:13:190:51 | call to method WriteLine | cflow.cs:185:10:185:18 | exit LogicalOr (normal) |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:190:31:190:50 | "This should happen" |
@@ -8307,18 +8307,18 @@ postDominance
| cflow.cs:187:9:190:52 | if (...) ... | cflow.cs:186:5:191:5 | {...} |
| cflow.cs:187:13:187:13 | 1 | cflow.cs:187:9:190:52 | if (...) ... |
| cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:18:187:18 | 2 |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:23:187:28 | ... == ... |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:23:187:28 | ... == ... |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:187:18:187:18 | 2 | cflow.cs:187:13:187:13 | 1 |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:18 | ... == ... |
| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:28:187:28 | 3 |
| cflow.cs:187:28:187:28 | 3 | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:39:187:39 | 3 |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:39 | ... == ... |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:39 | ... == ... |
| cflow.cs:187:39:187:39 | 3 | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:190:13:190:51 | call to method WriteLine | cflow.cs:190:31:190:50 | "This should happen" |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:190:31:190:50 | "This should happen" | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:193:10:193:17 | exit Booleans (abnormal) | cflow.cs:203:17:203:38 | throw ...; |
| cflow.cs:193:10:193:17 | exit Booleans (normal) | cflow.cs:200:13:200:62 | [false] ... \|\| ... |
@@ -12909,32 +12909,32 @@ blockDominance
| cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | enter (...) => ... |
| cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | enter delegate(...) { ... } |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:193:10:193:17 | enter Booleans |
| cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:193:10:193:17 | exit Booleans |
@@ -16126,32 +16126,32 @@ postBlockDominance
| cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | enter (...) => ... |
| cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | enter delegate(...) { ... } |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | enter LogicalOr |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:28 | ... \|\| ... |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:50 | ... \|\| ... |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:23:187:23 | 2 |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:34:187:34 | 1 |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:34:187:49 | [false] ... && ... |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:34:187:49 | ... && ... |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:190:13:190:52 | ...; |
| cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:193:10:193:17 | enter Booleans |
| cflow.cs:193:10:193:17 | exit Booleans | cflow.cs:193:10:193:17 | exit Booleans |


@@ -4539,15 +4539,15 @@ nodeEnclosing
| cflow.cs:187:9:190:52 | if (...) ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:13 | 1 | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:18 | ... == ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:18:187:18 | 2 | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:28:187:28 | 3 | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:39:187:39 | 3 | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:190:13:190:51 | call to method WriteLine | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | LogicalOr |
@@ -6016,11 +6016,11 @@ blockEnclosing
| cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | (...) => ... |
| cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | delegate(...) { ... } |
| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | LogicalOr |
| cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:193:10:193:17 | Booleans |
| cflow.cs:193:10:193:17 | exit Booleans | cflow.cs:193:10:193:17 | Booleans |


@@ -4658,15 +4658,15 @@
| cflow.cs:187:9:190:52 | if (...) ... | cflow.cs:187:13:187:13 | 1 | |
| cflow.cs:187:13:187:13 | 1 | cflow.cs:187:18:187:18 | 2 | |
| cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:23:187:23 | 2 | false |
| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
| cflow.cs:187:18:187:18 | 2 | cflow.cs:187:13:187:18 | ... == ... | |
| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:28:187:28 | 3 | |
| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | ... \|\| ... | false |
| cflow.cs:187:28:187:28 | 3 | cflow.cs:187:23:187:28 | ... == ... | |
| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:39:187:39 | 3 | |
| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | [false] ... && ... | false |
| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | ... && ... | false |
| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
| cflow.cs:187:39:187:39 | 3 | cflow.cs:187:34:187:39 | ... == ... | |
| cflow.cs:190:13:190:51 | call to method WriteLine | cflow.cs:185:10:185:18 | exit LogicalOr (normal) | |
| cflow.cs:190:13:190:52 | ...; | cflow.cs:190:31:190:50 | "This should happen" | |


@@ -0,0 +1,165 @@
.. _codeql-cli-2.20.5:
==========================
CodeQL 2.20.5 (2025-02-20)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.20.5 runs a total of 450 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 34 more CWE). 4 security queries have been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* Removed support for :code:`QlBuiltins::BigInt`\ s in the :code:`avg()` aggregate.
* A number of breaking changes have been made to the C and C++ CodeQL test environment as used by :code:`codeql test run`\ :
* The :code:`-Xclang-only=<arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, when either :code:`--clang` or :code:`--clang_version` is specified the option should be replaced by :code:`<arg>` only, otherwise the option should be omitted.
* The :code:`--sys_include <arg>` and :code:`--preinclude <arg>` options are no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg <option_name> --edg <arg>` should be specified.
* The :code:`-idirafter <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --sys_include --edg <arg>` should be specified.
* The :code:`-imacros <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --preinclude_macros --edg <arg>` should be specified.
* The :code:`/FI <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --preinclude --edg <arg>` should be specified.
* The :code:`-Wreserved-user-defined-literal`, :code:`-Wno-reserved-user-defined-literal`, :code:`-fwritable-strings`, :code:`/Zc:rvalueCast`, :code:`/Zc:rvalueCast-`, and :code:`/Zc:wchar_t-` options are no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --reserved_user_defined_literal`, :code:`--edg --no-reserved_user_defined_literal`, :code:`--edg --no_const_string_literals`, :code:`--edg --no_preserve_lvalues_with_same_type_casts`, :code:`--edg --preserve_lvalues_with_same_type_casts`, and :code:`--edg --no_wchar_t_keyword` should be specified, respectively.
* The :code:`/Fo <arg>` option is no longer supported by :code:`semmle-extractor-options`. The option should be omitted.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed a recently-introduced bug that prevented taint tracking through :code:`URLSearchParams` objects.
The original behaviour has been restored and taint should once again be tracked through such objects.
* Fixed a rare issue that would occur when a function declaration inside a block statement was referenced before it was declared.
Such code is reliant on legacy web semantics, which is non-standard but nevertheless implemented by most engines.
CodeQL now takes legacy web semantics into account and resolves references to these functions correctly.
* Fixed a bug that would cause parse errors in :code:`.jsx` files in rare cases where the file contained syntax that was misinterpreted as Flow syntax.
Breaking Changes
~~~~~~~~~~~~~~~~
GitHub Actions
""""""""""""""
* The following queries have been removed from the :code:`code-scanning` and :code:`security-extended` suites.
Any existing alerts for these queries will be closed automatically.
* :code:`actions/if-expression-always-true/critical`
* :code:`actions/if-expression-always-true/high`
* :code:`actions/unnecessary-use-of-advanced-config`
* The following query has been moved from the :code:`code-scanning` suite to the :code:`security-extended` suite. Any existing alerts for this query will be closed automatically unless the analysis is configured to use the :code:`security-extended` suite.
* :code:`actions/unpinned-tag`
* The following queries have been added to the :code:`security-extended` suite.
* :code:`actions/unversioned-immutable-action`
* :code:`actions/envpath-injection/medium`
* :code:`actions/envvar-injection/medium`
* :code:`actions/code-injection/medium`
* :code:`actions/artifact-poisoning/medium`
* :code:`actions/untrusted-checkout/medium`
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* Added `github.com/gorilla/mux.Vars <https://pkg.go.dev/github.com/gorilla/mux#Vars>`__ to path sanitizers (disabled if `github.com/gorilla/mix.Router.SkipClean <https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean>`__ has been called).
GitHub Actions
""""""""""""""
* Fixed false positives in the query :code:`actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
New Queries
~~~~~~~~~~~
Java/Kotlin
"""""""""""
* Added a new query, :code:`java/csrf-unprotected-request-type`, to detect Cross-Site Request Forgery (CSRF) vulnerabilities due to using HTTP request types that are not default-protected from CSRF.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Python
""""""
* Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes.
* Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
* C# 13: Add generated models for .NET 9.
* The models for :code:`System.Net.Http.HttpRequestMessage` and :code:`System.UriBuilder` have been modified to better model the flow of tainted URIs.
* Blazor :code:`[Parameter]` fields bound to a variable from the route specified in the :code:`@page` directive are now modeled as remote flow sources.
Golang
""""""
* Taint models have been added for the :code:`weak` package, which was added in Go 1.24.
* Taint models have been added for the interfaces :code:`TextAppender` and :code:`BinaryAppender` in the :code:`encoding` package, which were added in Go 1.24.
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for regular expressions using the :code:`v` flag.
Deprecated APIs
~~~~~~~~~~~~~~~
C#
""
* The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
Golang
""""""
* The class :code:`NamedType` has been deprecated. Use the new class :code:`DefinedType` instead. This better matches the terminology used in the Go language specification, which was changed in Go 1.9.
* The member predicate :code:`getNamedType` on :code:`GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate :code:`getDefinedType` instead.
* The member predicate :code:`getNamedType` on :code:`Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate :code:`getDefinedType` instead.
Ruby
""""
* The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
Swift
"""""
* The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
New Features
~~~~~~~~~~~~
GitHub Actions
""""""""""""""
* The "Unpinned tag for a non-immutable Action in workflow" query (:code:`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (:code:`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see `Creating a CodeQL Model Pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack>`__.


@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.20.5
codeql-cli-2.20.4
codeql-cli-2.20.3
codeql-cli-2.20.2


@@ -9,6 +9,7 @@ and the CodeQL library pack ``codeql/cpp-all`` (`changelog <https://github.com/g
:header-rows: 1
:class: fullWidthTable
:widths: auto
:align: left
Name, Category
`Berkeley socket API library <https://en.wikipedia.org/wiki/Berkeley_sockets#Socket_API_functions>`__, Network communicator
@@ -26,6 +27,7 @@ and the CodeQL library pack ``codeql/csharp-all`` (`changelog <https://github.co
:header-rows: 1
:class: fullWidthTable
:widths: auto
:align: left
Name, Category
ASP.NET, Web application framework
@@ -49,6 +51,7 @@ and the CodeQL library pack ``codeql/go-all`` (`changelog <https://github.com/gi
:header-rows: 1
:class: fullWidthTable
:widths: auto
:align: left
Name, Category
`AWS Lambda <https://docs.aws.amazon.com/lambda/latest/dg/lambda-golang.html>`_, Serverless framework
@@ -105,6 +108,7 @@ and the CodeQL library pack ``codeql/java-all`` (`changelog <https://github.com/
:header-rows: 1
:class: fullWidthTable
:widths: auto
:align: left
Name, Category
Apache Commons Collections, Data structure utility library
@@ -139,6 +143,7 @@ and the CodeQL library pack ``codeql/javascript-all`` (`changelog <https://githu
:header-rows: 1
:class: fullWidthTable
:widths: auto
:align: left
Name, Category
angular (modern version), HTML framework
@@ -189,6 +194,7 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
:header-rows: 1
:class: fullWidthTable
:widths: auto
:align: left
Name, Category
AWS Lambda, Serverless framework
@@ -267,6 +273,7 @@ and the CodeQL library pack ``codeql/ruby-all`` (`changelog <https://github.com/
:header-rows: 1
:class: fullWidthTable
:widths: auto
:align: left
Name, Category
excon, HTTP client
@@ -293,6 +300,7 @@ and the CodeQL library pack ``codeql/swift-all`` (`changelog <https://github.com
:header-rows: 1
:class: fullWidthTable
:widths: auto
:align: left
Name, Category
`AEXML <https://github.com/tadija/AEXML>`__, XML processing library


@@ -35,10 +35,10 @@ genrule(
pkg_files(
name = "resources",
srcs = [
"LICENSE",
"codeql-extractor.yml",
"ql/lib/go.dbscheme.stats",
":dbscheme",
"//:LICENSE",
],
)


@@ -1,21 +0,0 @@
MIT License
Copyright (c) 2019-2020 GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@@ -8,32 +8,43 @@ Go framework & library support
Framework / library,Package,Flow sources,Taint & value steps,Sinks (total)
`Afero <https://github.com/spf13/afero>`_,``github.com/spf13/afero*``,,,34
`Bun <https://bun.uptrace.dev/>`_,``github.com/uptrace/bun*``,,,63
`CleverGo <https://github.com/clevergo/clevergo>`_,"``clevergo.tech/clevergo*``, ``github.com/clevergo/clevergo*``",,,2
`Couchbase official client(gocb) <https://github.com/couchbase/gocb>`_,"``github.com/couchbase/gocb*``, ``gopkg.in/couchbase/gocb*``",,36,16
`Couchbase unofficial client <http://www.github.com/couchbase/go-couchbase>`_,``github.com/couchbaselabs/gocb*``,,18,8
`Echo <https://echo.labstack.com/>`_,``github.com/labstack/echo*``,12,2,3
`Fiber <https://github.com/gofiber/fiber>`_,``github.com/gofiber/fiber*``,,,5
`Fosite <https://github.com/ory/fosite>`_,``github.com/ory/fosite*``,,,2
`GORM <https://gorm.io>`_,"``github.com/go-gorm/gorm*``, ``github.com/jinzhu/gorm*``, ``gorm.io/gorm*``",45,3,39
`Gin <https://github.com/gin-gonic/gin>`_,``github.com/gin-gonic/gin*``,46,2,3
`Glog <https://github.com/golang/glog>`_,"``github.com/golang/glog*``, ``gopkg.in/glog*``, ``k8s.io/klog*``",,,270
`Go JOSE <https://github.com/go-jose/go-jose>`_,"``github.com/go-jose/go-jose*``, ``github.com/square/go-jose*``, ``gopkg.in/square/go-jose*``, ``gopkg.in/go-jose/go-jose*``",,16,12
`Go kit <https://gokit.io/>`_,``github.com/go-kit/kit*``,,,1
`Go-spew <https://github.com/davecgh/go-spew>`_,``github.com/davecgh/go-spew/spew*``,,,9
`GoDotEnv <https://github.com/joho/godotenv>`_,``github.com/joho/godotenv*``,4,,
`GoFrame <https://goframe.org/en/>`_,``github.com/gogf/gf*``,,,51
`Gokogiri <https://github.com/moovweb/gokogiri>`_,"``github.com/jbowtie/gokogiri*``, ``github.com/moovweb/gokogiri*``",,,10
`Iris <https://www.iris-go.com/>`_,``github.com/kataras/iris*``,,,14
`Kubernetes <https://kubernetes.io/>`_,"``k8s.io/api*``, ``k8s.io/apimachinery*``",,57,
`Logrus <https://github.com/sirupsen/logrus>`_,"``github.com/Sirupsen/logrus*``, ``github.com/sirupsen/logrus*``",,,290
`Macaron <https://gopkg.in/macaron.v1>`_,``gopkg.in/macaron*``,12,1,1
`MongoDB Go Driver <https://www.mongodb.com/docs/drivers/go/current/>`_,``go.mongodb.org/mongo-driver*``,,,14
`Revel <http://revel.github.io/>`_,"``github.com/revel/revel*``, ``github.com/robfig/revel*``",46,20,4
`SendGrid <https://github.com/sendgrid/sendgrid-go>`_,``github.com/sendgrid/sendgrid-go*``,,1,
`Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",52,607,104
`Squirrel <https://github.com/Masterminds/squirrel>`_,"``github.com/Masterminds/squirrel*``, ``github.com/lann/squirrel*``, ``gopkg.in/Masterminds/squirrel``",,,96
`Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,609,104
`XORM <https://xorm.io>`_,"``github.com/go-xorm/xorm*``, ``xorm.io/xorm*``",,,68
`XPath <https://github.com/antchfx/xpath>`_,``github.com/antchfx/xpath*``,,,4
`appleboy/gin-jwt <https://github.com/appleboy/gin-jwt>`_,``github.com/appleboy/gin-jwt*``,,,1
`beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",102,63,213
`chi <https://go-chi.io/>`_,``github.com/go-chi/chi*``,3,,
`cristalhq/jwt <https://github.com/cristalhq/jwt>`_,``github.com/cristalhq/jwt*``,,,1
`env <https://github.com/caarlos0/env>`_,``github.com/caarlos0/env*``,5,2,
`envconfig <https://github.com/kelseyhightower/envconfig>`_,``github.com/kelseyhightower/envconfig*``,6,,
`envy <https://github.com/gobuffalo/envy>`_,``github.com/gobuffalo/envy*``,7,,
`fasthttp <https://github.com/valyala/fasthttp>`_,``github.com/valyala/fasthttp*``,50,5,35
`gf-jwt <https://github.com/gogf/gf-jwt>`_,``github.com/gogf/gf-jwt*``,,,1
`go-envparse <https://github.com/hashicorp/go-envparse>`_,``github.com/hashicorp/go-envparse*``,1,,
`go-pg <https://pg.uptrace.dev/>`_,``github.com/go-pg/pg*``,,6,
`go-restful <https://github.com/emicklei/go-restful>`_,``github.com/emicklei/go-restful*``,7,,
`go-sh <https://github.com/codeskyblue/go-sh>`_,``github.com/codeskyblue/go-sh*``,,,4
@@ -42,6 +53,7 @@ Go framework & library support
`goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,2
`gorilla/mux <https://github.com/gorilla/mux>`_,``github.com/gorilla/mux*``,1,,
`gorilla/websocket <https://github.com/gorilla/websocket>`_,``github.com/gorilla/websocket*``,3,,
`gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``",,,48
`goxpath <https://github.com/ChrisTrenkamp/goxpath/wiki>`_,``github.com/ChrisTrenkamp/goxpath*``,,,3
`htmlquery <https://github.com/antchfx/htmlquery>`_,``github.com/antchfx/htmlquery*``,,,4
`json-iterator <https://github.com/json-iterator/go>`_,``github.com/json-iterator/go*``,,4,
@@ -54,12 +66,12 @@ Go framework & library support
`lestrrat-go/libxml2 <https://github.com/lestrrat-go/libxml2>`_,``github.com/lestrrat-go/libxml2*``,,,3
`nhooyr.io/websocket <https://nhooyr.io/websocket>`_,``nhooyr.io/websocket*``,2,,
`protobuf <https://pkg.go.dev/google.golang.org/protobuf>`_,"``github.com/golang/protobuf*``, ``google.golang.org/protobuf*``",,16,
`sqlx <http://jmoiron.github.io/sqlx/>`_,``github.com/jmoiron/sqlx*``,49,11,12
`ws <https://github.com/gobwas/ws>`_,``github.com/gobwas/ws*``,2,,
`xmlpath <https://gopkg.in/xmlpath.v2>`_,"``gopkg.in/xmlpath*``, ``github.com/go-xmlpath/xmlpath*``, ``github.com/crankycoder/xmlpath*``, ``launchpad.net/xmlpath*``, ``github.com/masterzen/xmlpath*``, ``github.com/going/toolkit/xmlpath*``, ``gopkg.in/go-xmlpath/xmlpath*``",,,14
`xmlquery <https://github.com/antchfx/xmlquery>`_,``github.com/antchfx/xmlquery*``,,,8
`xpathparser <https://github.com/santhosh-tekuri/xpathparser>`_,``github.com/santhosh-tekuri/xpathparser*``,,,2
`yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
`zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
Others,"``github.com/Masterminds/squirrel``, ``github.com/caarlos0/env``, ``github.com/go-gorm/gorm``, ``github.com/go-xorm/xorm``, ``github.com/gobuffalo/envy``, ``github.com/gogf/gf/database/gdb``, ``github.com/hashicorp/go-envparse``, ``github.com/jinzhu/gorm``, ``github.com/jmoiron/sqlx``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``, ``github.com/lann/squirrel``, ``github.com/raindog308/gorqlite``, ``github.com/rqlite/gorqlite``, ``github.com/uptrace/bun``, ``go.mongodb.org/mongo-driver/mongo``, ``gopkg.in/Masterminds/squirrel``, ``gorm.io/gorm``, ``weak``, ``xorm.io/xorm``",117,18,391
Totals,,459,947,1532


@@ -3,24 +3,12 @@ package configurebaseline
import (
"encoding/json"
"io/fs"
"os"
"path"
"path/filepath"
"github.com/github/codeql-go/extractor/util"
)
func fileExists(path string) bool {
stat, err := os.Stat(path)
return err == nil && stat.Mode().IsRegular()
}
// Decides if `dirPath` is a vendor directory by testing whether it is called `vendor`
// and contains a `modules.txt` file.
func isGolangVendorDirectory(dirPath string) bool {
return filepath.Base(dirPath) == "vendor" && fileExists(filepath.Join(dirPath, "modules.txt"))
}
type BaselineConfig struct {
PathsIgnore []string `json:"paths-ignore"`
}
@@ -38,7 +26,7 @@ func GetConfigBaselineAsJSON(rootDir string) ([]byte, error) {
// it will not be extracted either.
return nil
}
if isGolangVendorDirectory(dirPath) {
if util.IsGolangVendorDirectory(dirPath) {
// Note that CodeQL expects a forward-slash-separated path, even on Windows.
vendorDirs = append(vendorDirs, path.Join(filepath.ToSlash(dirPath), "**"))
return filepath.SkipDir


@@ -184,12 +184,12 @@ func RemoveTemporaryExtractorFiles() {
// Find all go.work files in the working directory and its subdirectories
func findGoWorkFiles() []string {
return util.FindAllFilesWithName(".", "go.work", "vendor")
return util.FindAllFilesWithName(".", "go.work", util.SkipVendorChecks...)
}
// Find all go.mod files in the specified directory and its subdirectories
func findGoModFiles(root string) []string {
return util.FindAllFilesWithName(root, "go.mod", "vendor")
return util.FindAllFilesWithName(root, "go.mod", util.SkipVendorChecks...)
}
// A regular expression for the Go toolchain version syntax.
@@ -315,6 +315,11 @@ func discoverWorkspaces(emitDiagnostics bool) []GoWorkspace {
goModFiles := findGoModFiles(".")
// Return a separate workspace for each `go.mod` file that we found.
if len(goModFiles) > 0 {
log.Printf("Found %d go.mod files in: %s.\n", len(goModFiles), strings.Join(goModFiles, ", "))
} else {
log.Println("Found no go.mod files in the workspace.")
}
results := make([]GoWorkspace, len(goModFiles))
for i, goModFile := range goModFiles {
@@ -547,8 +552,8 @@ func startsWithAnyOf(str string, prefixes []string) bool {
// Finds Go workspaces in the current working directory.
func GetWorkspaceInfo(emitDiagnostics bool) []GoWorkspace {
bazelPaths := slices.Concat(
util.FindAllFilesWithName(".", "BUILD", "vendor"),
util.FindAllFilesWithName(".", "BUILD.bazel", "vendor"),
util.FindAllFilesWithName(".", "BUILD", util.SkipVendorChecks...),
util.FindAllFilesWithName(".", "BUILD.bazel", util.SkipVendorChecks...),
)
if len(bazelPaths) > 0 {
// currently not supported
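Review bot: Switching these call sites from the literal `"vendor"` to `util.SkipVendorChecks...` changes which directories are searched, and nothing at `findGoWorkFiles`, `findGoModFiles` or the `BUILD`/`BUILD.bazel` lookup in `GetWorkspaceInfo` records that. The old string comparison matched only a walk path equal to `vendor`, whereas the predicate defined in the util hunk on this page skips any directory named `vendor` that holds a `modules.txt` or sits next to a `glide.yaml`, so a `vendor` directory with neither marker is now walked. If that is intended, a comment on `findGoModFiles` such as `// Only vendor directories recognised by util.IsGolangVendorDirectory are skipped; an unmarked vendor directory is searched.` would make it explicit, since each `go.mod` found becomes its own workspace and any `BUILD` file found leads into the unsupported Bazel branch. The bodies of `discoverWorkspaces` and `GetWorkspaceInfo` continue outside the hunks.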


@@ -152,7 +152,16 @@ func FindGoFiles(root string) bool {
return found
}
func FindAllFilesWithName(root string, name string, dirsToSkip ...string) []string {
// The type of check function used by `FindAllFilesWithName` to decide whether to skip the directory named by `path`.
type FindAllFilesWithNameSkipCheck func(path string) bool
// Commonly we only want to skip `vendor` directories in `FindAllFilesWithName`. This array is a suitable
// argument for `dirsToSkip` which skips `vendor` directories.
var SkipVendorChecks = []FindAllFilesWithNameSkipCheck{IsGolangVendorDirectory}
// Returns an array of all files matching `name` within the path at `root`.
// The `dirsToSkip` array contains check functions used to decide which directories to skip.
func FindAllFilesWithName(root string, name string, dirsToSkip ...FindAllFilesWithNameSkipCheck) []string {
paths := make([]string, 0, 1)
filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
if err != nil {
@@ -160,7 +169,7 @@ func FindAllFilesWithName(root string, name string, dirsToSkip ...string) []stri
}
if d.IsDir() {
for _, dirToSkip := range dirsToSkip {
if path == dirToSkip {
if dirToSkip(path) {
return filepath.SkipDir
}
}
@@ -287,3 +296,16 @@ func getImportPathFromRepoURL(repourl string) string {
path = regexp.MustCompile(`^/+|\.git$`).ReplaceAllString(path, "")
return host + "/" + path
}
// Decides if `path` refers to a file that exists.
func fileExists(path string) bool {
stat, err := os.Stat(path)
return err == nil && stat.Mode().IsRegular()
}
// Decides if `dirPath` is a vendor directory by testing whether it is called `vendor`
// and contains a `modules.txt` file.
func IsGolangVendorDirectory(dirPath string) bool {
return filepath.Base(dirPath) == "vendor" &&
(fileExists(filepath.Join(dirPath, "modules.txt")) || fileExists(filepath.Join(dirPath, "../glide.yaml")))
}
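Review bot: The doc comment on `IsGolangVendorDirectory` still describes only the `modules.txt` test, but the function also returns true when the parent directory holds a `glide.yaml`. This predicate decides which directories `FindAllFilesWithName` skips and which ones the baseline code earlier on this page collects as vendor directories, so the comment should name both markers, e.g. `// ... is called vendor and either contains a modules.txt file or has a glide.yaml file in its parent directory.` The parent lookup would read more directly as `fileExists(filepath.Join(filepath.Dir(dirPath), "glide.yaml"))`. The comment on `fileExists` could also say that only regular files count, since that is what `stat.Mode().IsRegular()` enforces.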


@@ -1,3 +1,7 @@
## 1.0.17
No user-facing changes.
## 1.0.16
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.0.17
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.16
lastReleaseVersion: 1.0.17


@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.17-dev
version: 1.0.18-dev
groups:
- go
- queries


@@ -1,5 +1,3 @@
go 1.14
require golang.org/x/net v0.23.0
module module


@@ -1,45 +0,0 @@
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=


@@ -2,12 +2,8 @@ package subdir
import (
"fmt"
"golang.org/x/net/ipv4"
)
func test() {
header := ipv4.Header{}
fmt.Print(header.String())
fmt.Print("Hello world")
}


@@ -0,0 +1,5 @@
package test
func Add(a, b int) int {
return a + b
}


@@ -0,0 +1,3 @@
go 1.22.0
use .


@@ -0,0 +1,2 @@
# example.com/test v0.1.0
example.com/test


@@ -0,0 +1,3 @@
golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=


@@ -1,3 +1,16 @@
## 4.1.0
### Deprecated APIs
* The class `NamedType` has been deprecated. Use the new class `DefinedType` instead. This better matches the terminology used in the Go language specification, which was changed in Go 1.9.
* The member predicate `getNamedType` on `GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead.
* The member predicate `getNamedType` on `Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead.
### Minor Analysis Improvements
* Taint models have been added for the `weak` package, which was added in Go 1.24.
* Taint models have been added for the interfaces `TextAppender` and `BinaryAppender` in the `encoding` package, which were added in Go 1.24.
## 4.0.0
### Breaking Changes


@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Taint models have been added for the `weak` package, which was added in Go 1.24.
* Taint models have been added for the interfaces `TextAppender` and `BinaryAppender` in the `encoding` package, which were added in Go 1.24.


@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* Added `database` source models for database methods from the `go.mongodb.org/mongo-driver/mongo` package.


@@ -1,6 +1,12 @@
---
category: deprecated
---
## 4.1.0
### Deprecated APIs
* The class `NamedType` has been deprecated. Use the new class `DefinedType` instead. This better matches the terminology used in the Go language specification, which was changed in Go 1.9.
* The member predicate `getNamedType` on `GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead.
* The member predicate `getNamedType` on `Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead.
### Minor Analysis Improvements
* Taint models have been added for the `weak` package, which was added in Go 1.24.
* Taint models have been added for the interfaces `TextAppender` and `BinaryAppender` in the `encoding` package, which were added in Go 1.24.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.0.0
lastReleaseVersion: 4.1.0


@@ -1,4 +1,19 @@
extensions:
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
- ["go.mongodb.org/mongo-driver/mongo", "Client", True, "Watch", "", "", "ReturnValue[0]", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Aggregate", "", "", "ReturnValue[0]", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Distinct", "", "", "ReturnValue[0]", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Find", "", "", "ReturnValue[0]", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOne", "", "", "ReturnValue", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndDelete", "", "", "ReturnValue", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndReplace", "", "", "ReturnValue", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndUpdate", "", "", "ReturnValue", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Watch", "", "", "ReturnValue[0]", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Database", True, "Aggregate", "", "", "ReturnValue[0]", "database", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Database", True, "Watch", "", "", "ReturnValue[0]", "database", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sinkModel
@@ -17,3 +32,12 @@ extensions:
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "UpdateMany", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "UpdateOne", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Watch", "", "", "Argument[1]", "nosql-injection", "manual"]
- addsTo:
pack: codeql/go-all
extensible: summaryModel
data:
- ["go.mongodb.org/mongo-driver/mongo", "ChangeStream", True, "Decode", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Cursor", True, "All", "", "", "Argument[receiver]", "Argument[1]", "taint", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Cursor", True, "Decode", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "SingleResult", True, "Decode", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "SingleResult", True, "Raw", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
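Review bot: The new `sourceModel` rows for `Database` cover only `Aggregate` and `Watch`, so results read through `Database.RunCommand` and `Database.RunCommandCursor` are not treated as `database` sources even though they return the same `*SingleResult` and `*Cursor` types that the new summaries propagate taint out of. If those calls are meant to be in scope, two rows in the same shape would close the gap: `- ["go.mongodb.org/mongo-driver/mongo", "Database", True, "RunCommand", "", "", "ReturnValue", "database", "manual"]` and `- ["go.mongodb.org/mongo-driver/mongo", "Database", True, "RunCommandCursor", "", "", "ReturnValue[0]", "database", "manual"]`. Stored data reaching a sink is only reported when every read path is modelled, so a short comment above the `data:` list naming which read methods are intentionally left out would help whoever extends it next.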


@@ -1,5 +1,5 @@
name: codeql/go-all
version: 4.0.1-dev
version: 4.1.1-dev
groups: go
dbscheme: go.dbscheme
extractor: go


@@ -102,6 +102,13 @@ module StringOps {
override boolean getPolarity() { result = expr.getPolarity() }
}
pragma[noinline]
private DataFlow::ElementReadNode getReadOfFirstChar(DataFlow::Node str) {
pragma[only_bind_into](result).getIndex().getIntValue() = 0 and
str = result.getBase() and
str.getType().getUnderlyingType() instanceof StringType
}
/**
* Holds if `eq` is of the form `str[0] == rhs` or `str[0] != rhs`.
*/
@@ -109,12 +116,8 @@ module StringOps {
private predicate comparesFirstCharacter(
DataFlow::EqualityTestNode eq, DataFlow::Node str, DataFlow::Node rhs
) {
exists(DataFlow::ElementReadNode read |
eq.hasOperands(globalValueNumber(read).getANode(), rhs) and
str = read.getBase() and
str.getType().getUnderlyingType() instanceof StringType and
read.getIndex().getIntValue() = 0
)
eq.hasOperands(globalValueNumber(pragma[only_bind_out](getReadOfFirstChar(str))).getANode(),
rhs)
}
/**
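Review bot: The new private predicate `getReadOfFirstChar` has no QLDoc, and neither it nor the rewritten `comparesFirstCharacter` says why `pragma[noinline]`, `pragma[only_bind_into]` and `pragma[only_bind_out]` are needed. A doc comment such as `/** Gets a read of element 0 of `str`, where `str` has a string type. */` plus a one-line note that the pragmas pin the join order would keep a later cleanup from removing them as noise. The logic itself appears to be a straight extraction of the removed `exists` body. The enclosing `StringOps` module continues outside the hunk.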


@@ -1,3 +1,9 @@
## 1.1.8
### Minor Analysis Improvements
* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers (disabled if [github.com/gorilla/mix.Router.SkipClean](https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean) has been called).
## 1.1.7
No user-facing changes.


@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers (disabled if [github.com/gorilla/mix.Router.SkipClean](https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean) has been called).
## 1.1.8
### Minor Analysis Improvements
* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers (disabled if [github.com/gorilla/mix.Router.SkipClean](https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean) has been called).


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.1.7
lastReleaseVersion: 1.1.8


@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.1.8-dev
version: 1.1.9-dev
groups:
- go
- queries


@@ -5,4 +5,5 @@ go 1.22.5
require (
gorm.io/gorm v1.23.0
github.com/jmoiron/sqlx v1.4.0
go.mongodb.org/mongo-driver/mongo v1.17.2
)


@@ -0,0 +1,121 @@
package test
//go:generate depstubber -vendor go.mongodb.org/mongo-driver/mongo Client,Collection,Database
import (
"context"
"go.mongodb.org/mongo-driver/mongo"
)
func test_mongo_driver_mongo_collection(coll *mongo.Collection, ctx context.Context, pipeline any) {
cursor, err := coll.Aggregate(ctx, pipeline) // $ source
if err != nil {
return
}
var users []User
err = cursor.All(ctx, &users)
sink(users) // $ hasTaintFlow="users"
distinct, err := coll.Distinct(ctx, "name", nil) // $ source
if err != nil {
return
}
sink(distinct) // $ hasTaintFlow="distinct"
cursor2, err := coll.Find(ctx, nil) // $ source
if err != nil {
return
}
sink(cursor2) // $ hasTaintFlow="cursor2"
var user1, user2, user3, user4 User
single1 := coll.FindOne(ctx, nil) // $ source
if err != nil {
return
}
single1.Decode(&user1)
sink(user1) // $ hasTaintFlow="user1"
single2 := coll.FindOneAndDelete(ctx, nil) // $ source
if err != nil {
return
}
single2.Decode(&user2)
sink(user2) // $ hasTaintFlow="user2"
single3 := coll.FindOneAndReplace(ctx, nil, nil) // $ source
if err != nil {
return
}
single3.Decode(&user3)
sink(user3) // $ hasTaintFlow="user3"
single4 := coll.FindOneAndUpdate(ctx, nil, nil) // $ source
if err != nil {
return
}
single4.Decode(&user4)
sink(user4) // $ hasTaintFlow="user4"
changeStream, err := coll.Watch(ctx, pipeline) // $ source
if err != nil {
return
}
for changeStream.Next(ctx) {
var userCs User
changeStream.Decode(&userCs)
sink(userCs) // $ hasTaintFlow="userCs"
}
}
func test_mongo_driver_mongo_database(db *mongo.Database, ctx context.Context, pipeline any) {
agg, err := db.Aggregate(ctx, pipeline) // $ source
if err != nil {
return
}
var user User
agg.Decode(&user)
sink(user) // $ hasTaintFlow="user"
changeStream, err := db.Watch(ctx, pipeline) // $ source
if err != nil {
return
}
for changeStream.Next(ctx) {
var userCs User
changeStream.Decode(&userCs)
sink(userCs) // $ hasTaintFlow="userCs"
}
}
func test_mongo_driver_mongo_Client(client *mongo.Client, ctx context.Context) {
changestream, err := client.Watch(ctx, nil) // $ source
if err != nil {
return
}
for changestream.Next(ctx) {
var user User
changestream.Decode(&user)
sink(user) // $ hasTaintFlow="user"
}
}
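Review bot: In `test_mongo_driver_mongo_collection` the `if err != nil { return }` blocks after `coll.FindOne`, `FindOneAndDelete`, `FindOneAndReplace` and `FindOneAndUpdate` re-test the `err` left over from the earlier `coll.Find` call, because those four methods return only a `*SingleResult`. The checks are dead code that reads as if the call were being validated. Either drop them or test the result itself, e.g. `if single1.Err() != nil { return }`. The file also has no case for the `SingleResult.Raw` summary that this commit adds to the model, so a line such as `raw, _ := single1.Raw()` followed by `sink(raw) // $ hasTaintFlow="raw"` would cover it.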


@@ -0,0 +1,496 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for go.mongodb.org/mongo-driver/mongo, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: go.mongodb.org/mongo-driver/mongo (exports: Client,Collection,Database; functions: )
// Package mongo is a stub of go.mongodb.org/mongo-driver/mongo, generated by depstubber.
package mongo
import (
context "context"
time "time"
)
type BulkWriteResult struct {
InsertedCount int64
MatchedCount int64
ModifiedCount int64
DeletedCount int64
UpsertedCount int64
UpsertedIDs map[int64]interface{}
}
type ChangeStream struct {
Current interface{}
}
func (_ *ChangeStream) Close(_ context.Context) error {
return nil
}
func (_ *ChangeStream) Decode(_ interface{}) error {
return nil
}
func (_ *ChangeStream) Err() error {
return nil
}
func (_ *ChangeStream) ID() int64 {
return 0
}
func (_ *ChangeStream) Next(_ context.Context) bool {
return false
}
func (_ *ChangeStream) RemainingBatchLength() int {
return 0
}
func (_ *ChangeStream) ResumeToken() interface{} {
return nil
}
func (_ *ChangeStream) SetBatchSize(_ int32) {}
func (_ *ChangeStream) TryNext(_ context.Context) bool {
return false
}
type Client struct{}
func (_ *Client) Connect(_ context.Context) error {
return nil
}
func (_ *Client) Database(_ string, _ ...interface{}) *Database {
return nil
}
func (_ *Client) Disconnect(_ context.Context) error {
return nil
}
func (_ *Client) ListDatabaseNames(_ context.Context, _ interface{}, _ ...interface{}) ([]string, error) {
return nil, nil
}
func (_ *Client) ListDatabases(_ context.Context, _ interface{}, _ ...interface{}) (ListDatabasesResult, error) {
return ListDatabasesResult{}, nil
}
func (_ *Client) NumberSessionsInProgress() int {
return 0
}
func (_ *Client) Ping(_ context.Context, _ interface{}) error {
return nil
}
func (_ *Client) StartSession(_ ...interface{}) (Session, error) {
return nil, nil
}
func (_ *Client) Timeout() *time.Duration {
return nil
}
func (_ *Client) UseSession(_ context.Context, _ func(SessionContext) error) error {
return nil
}
func (_ *Client) UseSessionWithOptions(_ context.Context, _ interface{}, _ func(SessionContext) error) error {
return nil
}
func (_ *Client) Watch(_ context.Context, _ interface{}, _ ...interface{}) (*ChangeStream, error) {
return nil, nil
}
type Collection struct{}
func (_ *Collection) Aggregate(_ context.Context, _ interface{}, _ ...interface{}) (*Cursor, error) {
return nil, nil
}
func (_ *Collection) BulkWrite(_ context.Context, _ []WriteModel, _ ...interface{}) (*BulkWriteResult, error) {
return nil, nil
}
func (_ *Collection) Clone(_ ...interface{}) (*Collection, error) {
return nil, nil
}
func (_ *Collection) CountDocuments(_ context.Context, _ interface{}, _ ...interface{}) (int64, error) {
return 0, nil
}
func (_ *Collection) Database() *Database {
return nil
}
func (_ *Collection) DeleteMany(_ context.Context, _ interface{}, _ ...interface{}) (*DeleteResult, error) {
return nil, nil
}
func (_ *Collection) DeleteOne(_ context.Context, _ interface{}, _ ...interface{}) (*DeleteResult, error) {
return nil, nil
}
func (_ *Collection) Distinct(_ context.Context, _ string, _ interface{}, _ ...interface{}) ([]interface{}, error) {
return nil, nil
}
func (_ *Collection) Drop(_ context.Context) error {
return nil
}
func (_ *Collection) EstimatedDocumentCount(_ context.Context, _ ...interface{}) (int64, error) {
return 0, nil
}
func (_ *Collection) Find(_ context.Context, _ interface{}, _ ...interface{}) (*Cursor, error) {
return nil, nil
}
func (_ *Collection) FindOne(_ context.Context, _ interface{}, _ ...interface{}) *SingleResult {
return nil
}
func (_ *Collection) FindOneAndDelete(_ context.Context, _ interface{}, _ ...interface{}) *SingleResult {
return nil
}
func (_ *Collection) FindOneAndReplace(_ context.Context, _ interface{}, _ interface{}, _ ...interface{}) *SingleResult {
return nil
}
func (_ *Collection) FindOneAndUpdate(_ context.Context, _ interface{}, _ interface{}, _ ...interface{}) *SingleResult {
return nil
}
func (_ *Collection) Indexes() IndexView {
return IndexView{}
}
func (_ *Collection) InsertMany(_ context.Context, _ []interface{}, _ ...interface{}) (*InsertManyResult, error) {
return nil, nil
}
func (_ *Collection) InsertOne(_ context.Context, _ interface{}, _ ...interface{}) (*InsertOneResult, error) {
return nil, nil
}
func (_ *Collection) Name() string {
return ""
}
func (_ *Collection) ReplaceOne(_ context.Context, _ interface{}, _ interface{}, _ ...interface{}) (*UpdateResult, error) {
return nil, nil
}
func (_ *Collection) SearchIndexes() SearchIndexView {
return SearchIndexView{}
}
func (_ *Collection) UpdateByID(_ context.Context, _ interface{}, _ interface{}, _ ...interface{}) (*UpdateResult, error) {
return nil, nil
}
func (_ *Collection) UpdateMany(_ context.Context, _ interface{}, _ interface{}, _ ...interface{}) (*UpdateResult, error) {
return nil, nil
}
func (_ *Collection) UpdateOne(_ context.Context, _ interface{}, _ interface{}, _ ...interface{}) (*UpdateResult, error) {
return nil, nil
}
func (_ *Collection) Watch(_ context.Context, _ interface{}, _ ...interface{}) (*ChangeStream, error) {
return nil, nil
}
type CollectionSpecification struct {
Name string
Type string
ReadOnly bool
UUID interface{}
Options interface{}
IDIndex *IndexSpecification
}
func (_ *CollectionSpecification) UnmarshalBSON(_ []byte) error {
return nil
}
type Cursor struct {
Current interface{}
}
func (_ *Cursor) All(_ context.Context, _ interface{}) error {
return nil
}
func (_ *Cursor) Close(_ context.Context) error {
return nil
}
func (_ *Cursor) Decode(_ interface{}) error {
return nil
}
func (_ *Cursor) Err() error {
return nil
}
func (_ *Cursor) ID() int64 {
return 0
}
func (_ *Cursor) Next(_ context.Context) bool {
return false
}
func (_ *Cursor) RemainingBatchLength() int {
return 0
}
func (_ *Cursor) SetBatchSize(_ int32) {}
func (_ *Cursor) SetComment(_ interface{}) {}
func (_ *Cursor) SetMaxTime(_ time.Duration) {}
func (_ *Cursor) TryNext(_ context.Context) bool {
return false
}
type Database struct{}
func (_ *Database) Aggregate(_ context.Context, _ interface{}, _ ...interface{}) (*Cursor, error) {
return nil, nil
}
func (_ *Database) Client() *Client {
return nil
}
func (_ *Database) Collection(_ string, _ ...interface{}) *Collection {
return nil
}
func (_ *Database) CreateCollection(_ context.Context, _ string, _ ...interface{}) error {
return nil
}
func (_ *Database) CreateView(_ context.Context, _ string, _ string, _ interface{}, _ ...interface{}) error {
return nil
}
func (_ *Database) Drop(_ context.Context) error {
return nil
}
func (_ *Database) ListCollectionNames(_ context.Context, _ interface{}, _ ...interface{}) ([]string, error) {
return nil, nil
}
func (_ *Database) ListCollectionSpecifications(_ context.Context, _ interface{}, _ ...interface{}) ([]*CollectionSpecification, error) {
return nil, nil
}
func (_ *Database) ListCollections(_ context.Context, _ interface{}, _ ...interface{}) (*Cursor, error) {
return nil, nil
}
func (_ *Database) Name() string {
return ""
}
func (_ *Database) ReadConcern() interface{} {
return nil
}
func (_ *Database) ReadPreference() interface{} {
return nil
}
func (_ *Database) RunCommand(_ context.Context, _ interface{}, _ ...interface{}) *SingleResult {
return nil
}
func (_ *Database) RunCommandCursor(_ context.Context, _ interface{}, _ ...interface{}) (*Cursor, error) {
return nil, nil
}
func (_ *Database) Watch(_ context.Context, _ interface{}, _ ...interface{}) (*ChangeStream, error) {
return nil, nil
}
func (_ *Database) WriteConcern() interface{} {
return nil
}
type DatabaseSpecification struct {
Name string
SizeOnDisk int64
Empty bool
}
type DeleteResult struct {
DeletedCount int64
}
type IndexModel struct {
Keys interface{}
Options interface{}
}
type IndexSpecification struct {
Name string
Namespace string
KeysDocument interface{}
Version int32
ExpireAfterSeconds *int32
Sparse *bool
Unique *bool
Clustered *bool
}
func (_ *IndexSpecification) UnmarshalBSON(_ []byte) error {
return nil
}
type IndexView struct{}
func (_ IndexView) CreateMany(_ context.Context, _ []IndexModel, _ ...interface{}) ([]string, error) {
return nil, nil
}
func (_ IndexView) CreateOne(_ context.Context, _ IndexModel, _ ...interface{}) (string, error) {
return "", nil
}
func (_ IndexView) DropAll(_ context.Context, _ ...interface{}) (interface{}, error) {
return nil, nil
}
func (_ IndexView) DropOne(_ context.Context, _ string, _ ...interface{}) (interface{}, error) {
return nil, nil
}
func (_ IndexView) DropOneWithKey(_ context.Context, _ interface{}, _ ...interface{}) (interface{}, error) {
return nil, nil
}
func (_ IndexView) List(_ context.Context, _ ...interface{}) (*Cursor, error) {
return nil, nil
}
func (_ IndexView) ListSpecifications(_ context.Context, _ ...interface{}) ([]*IndexSpecification, error) {
return nil, nil
}
type InsertManyResult struct {
InsertedIDs []interface{}
}
type InsertOneResult struct {
InsertedID interface{}
}
type ListDatabasesResult struct {
Databases []DatabaseSpecification
TotalSize int64
}
type SearchIndexModel struct {
Definition interface{}
Options interface{}
}
type SearchIndexView struct{}
func (_ SearchIndexView) CreateMany(_ context.Context, _ []SearchIndexModel, _ ...interface{}) ([]string, error) {
return nil, nil
}
func (_ SearchIndexView) CreateOne(_ context.Context, _ SearchIndexModel, _ ...interface{}) (string, error) {
return "", nil
}
func (_ SearchIndexView) DropOne(_ context.Context, _ string, _ ...interface{}) error {
return nil
}
func (_ SearchIndexView) List(_ context.Context, _ interface{}, _ ...interface{}) (*Cursor, error) {
return nil, nil
}
func (_ SearchIndexView) UpdateOne(_ context.Context, _ string, _ interface{}, _ ...interface{}) error {
return nil
}
type Session interface {
AbortTransaction(_ context.Context) error
AdvanceClusterTime(_ interface{}) error
AdvanceOperationTime(_ interface{}) error
Client() *Client
ClusterTime() interface{}
CommitTransaction(_ context.Context) error
EndSession(_ context.Context)
ID() interface{}
OperationTime() interface{}
StartTransaction(_ ...interface{}) error
WithTransaction(_ context.Context, _ func(SessionContext) (interface{}, error), _ ...interface{}) (interface{}, error)
}
type SessionContext interface {
AbortTransaction(_ context.Context) error
AdvanceClusterTime(_ interface{}) error
AdvanceOperationTime(_ interface{}) error
Client() *Client
ClusterTime() interface{}
CommitTransaction(_ context.Context) error
Deadline() (time.Time, bool)
Done() <-chan struct{}
EndSession(_ context.Context)
Err() error
ID() interface{}
OperationTime() interface{}
StartTransaction(_ ...interface{}) error
Value(_ interface{}) interface{}
WithTransaction(_ context.Context, _ func(SessionContext) (interface{}, error), _ ...interface{}) (interface{}, error)
}
type SingleResult struct{}
func (_ *SingleResult) Decode(_ interface{}) error {
return nil
}
func (_ *SingleResult) DecodeBytes() (interface{}, error) {
return nil, nil
}
func (_ *SingleResult) Err() error {
return nil
}
func (_ *SingleResult) Raw() (interface{}, error) {
return nil, nil
}
type UpdateResult struct {
MatchedCount int64
ModifiedCount int64
UpsertedCount int64
UpsertedID interface{}
}
func (_ *UpdateResult) UnmarshalBSON(_ []byte) error {
return nil
}
type WriteModel interface{}


@@ -4,3 +4,6 @@ gorm.io/gorm
# github.com/jmoiron/sqlx v1.4.0
## explicit
github.com/jmoiron/sqlx
# go.mongodb.org/mongo-driver/mongo v1.17.2
## explicit
go.mongodb.org/mongo-driver/mongo


@@ -79,7 +79,7 @@ jakarta.xml.bind.attachment,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,
java.applet,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,11,
java.awt,1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,3
java.beans,,,177,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,82,95
java.io,66,1,226,,,,,,,,,22,,,,,,,,,,,,,,,44,,,,,,,,,,,,,,,,,,,,,,1,,203,23
java.io,66,1,225,,,,,,,,,22,,,,,,,,,,,,,,,44,,,,,,,,,,,,,,,,,,,,,,1,,202,23
java.lang,38,3,783,,13,,,,,,1,,,,,,,,,,,,8,,,,11,,,4,,,1,,,,,,,,,,,,,,,3,,,506,277
java.math,,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9
java.net,23,3,347,,,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,,,,,,,,,,,,,,3,248,99
1 package sink source summary sink:bean-validation sink:command-injection sink:credentials-key sink:credentials-password sink:credentials-username sink:encryption-iv sink:encryption-salt sink:environment-injection sink:file-content-store sink:fragment-injection sink:groovy-injection sink:hostname-verification sink:html-injection sink:information-leak sink:intent-redirection sink:jexl-injection sink:jndi-injection sink:js-injection sink:ldap-injection sink:log-injection sink:mvel-injection sink:notification sink:ognl-injection sink:path-injection sink:pending-intents sink:regex-use sink:regex-use[-1] sink:regex-use[0] sink:regex-use[] sink:regex-use[f-1] sink:regex-use[f1] sink:regex-use[f] sink:request-forgery sink:response-splitting sink:sql-injection sink:template-injection sink:trust-boundary-violation sink:url-forward sink:url-redirection sink:xpath-injection sink:xslt-injection source:android-external-storage-dir source:contentprovider source:database source:environment source:file source:remote summary:taint summary:value
79 java.applet 11 11
80 java.awt 1 3 1 3
81 java.beans 177 82 95
82 java.io 66 1 226 225 22 44 1 203 202 23
83 java.lang 38 3 783 13 1 8 11 4 1 3 506 277
84 java.math 9 9
85 java.net 23 3 347 1 1 21 3 248 99


@@ -18,10 +18,10 @@ Java framework & library support
`Google Guava <https://guava.dev/>`_,``com.google.common.*``,,730,43,9,,,,,
JBoss Logging,``org.jboss.logging``,,,324,,,,,,
`JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
Java Standard Library,``java.*``,10,4622,259,99,,9,,,26
Java Standard Library,``java.*``,10,4621,259,99,,9,,,26
Java extensions,"``javax.*``, ``jakarta.*``",69,4159,90,10,4,2,1,1,4
Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2
`Spring <https://spring.io/>`_,``org.springframework.*``,38,486,143,26,,28,14,,35
Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.mongodb``, ``com.opensymphony.xwork2``, ``com.rabbitmq.client``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, 
``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.struts.beanvalidation.validation.interceptor``, ``org.apache.struts2``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.influxdb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, 
``retrofit2``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",133,10525,908,140,6,22,18,,208
Totals,,312,26329,2635,404,16,128,33,1,409
Totals,,312,26328,2635,404,16,128,33,1,409


@@ -0,0 +1,114 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>maven-sample</artifactId>
<version>1.0-SNAPSHOT</version>
<name>maven-sample</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<version>1.1.1</version>
<executions>
<execution>
<id>check-maven-version</id>
<phase>package</phase>
<goals>
<goal>java</goal>
</goals>
</execution>
</executions>
<configuration>
<mainClass>com.example.App</mainClass>
</configuration>
</plugin>
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>2.19.1</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
<phase>compile</phase>
</execution>
</executions>
<configuration>
<java>
<licenseHeader>
<content>/* FAIL ME */</content>
</licenseHeader>
</java>
</configuration>
</plugin>
</plugins>
<pluginManagement>
<!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.1.0</version>
</plugin>
<!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.1</version>
</plugin>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
<!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
<plugin>
<artifactId>maven-site-plugin</artifactId>
<version>3.7.1</version>
</plugin>
<plugin>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.0.0</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
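Review bot: The spotless-maven-plugin block binds `check` to the `compile` phase with a license header of `/* FAIL ME */`, but nothing in the file says that this failure is deliberate. A short comment above the plugin, for example `<!-- Deliberately fails if spotless:check runs; presumably the build under test is expected to skip it -->`, would keep a later maintainer from "repairing" the fixture. The `check-maven-version` execution has the same problem: its purpose only becomes clear after reading com.example.App, so a one-line comment naming the `EXPECT_MAVEN` and `EXPECT_COMMAND_REGEX` variables would help.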


@@ -0,0 +1,8 @@
pom.xml
src/main/java/com/example/App.java
src/main/resources/my-app.properties
src/main/resources/page.xml
src/test/java/com/example/AppTest.java
target/classes/my-app.properties
target/classes/page.xml
target/maven-archiver/pom.properties


@@ -0,0 +1,30 @@
package com.example;
import java.util.regex.Pattern;
import java.nio.file.Path;
import java.nio.file.Paths;
/**
* Hello world!
*
*/
public class App
{
public static void main( String[] args )
{
System.out.println( "Hello World!" );
String expectedVersion = System.getenv("EXPECT_MAVEN");
Path mavenHome = Paths.get(System.getProperty("maven.home")).normalize();
String observedVersion = mavenHome.getFileName().toString();
if (expectedVersion != null && !expectedVersion.equals(observedVersion)) {
System.err.println("Wrong maven version, expected '" + expectedVersion + "' but got '" + observedVersion + "'" + mavenHome);
System.exit(1);
}
String commandMatcher = System.getenv("EXPECT_COMMAND_REGEX");
String command = System.getProperty("sun.java.command");
if (commandMatcher != null && !Pattern.matches(commandMatcher, command)) {
System.err.println("Wrong command line, '" + command + "' does not match '" + commandMatcher + "'");
System.exit(1);
}
}
}
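Review bot: `Paths.get(System.getProperty("maven.home"))` runs unconditionally, so if the `maven.home` property is absent `main` throws a NullPointerException before either expectation is checked, even when `EXPECT_MAVEN` is unset; `getFileName()` can also return null when the path is a root. Resolving the property only inside the `expectedVersion != null` branch and reporting a missing value explicitly keeps the failure readable in the test log. The existing message also appends `mavenHome` directly after the closing quote with no separator, and `Pattern.matches(commandMatcher, command)` would throw in the same way if `sun.java.command` were unset.

```java
String expectedVersion = System.getenv("EXPECT_MAVEN");
if (expectedVersion != null) {
    String home = System.getProperty("maven.home");
    if (home == null) {
        System.err.println("maven.home is not set, cannot check for maven version '" + expectedVersion + "'");
        System.exit(1);
    }
    Path mavenHome = Paths.get(home).normalize();
    // String.valueOf covers a root path, for which getFileName() returns null
    String observedVersion = String.valueOf(mavenHome.getFileName());
    if (!expectedVersion.equals(observedVersion)) {
        System.err.println("Wrong maven version, expected '" + expectedVersion + "' but got '" + observedVersion + "' (maven.home: " + mavenHome + ")");
        System.exit(1);
    }
}
// … unchanged: EXPECT_COMMAND_REGEX check …
```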


@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="GBK" ?>
<doc><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></doc>


@@ -0,0 +1,20 @@
package com.example;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
/**
* Unit test for simple App.
*/
public class AppTest
{
/**
* Rigorous Test :-)
*/
@Test
public void shouldAnswerWithTrue()
{
assertTrue( true );
}
}


@@ -0,0 +1,2 @@
| src/main/resources/page.xml:2:6:2:10 | \u4f60\u597d\u4e16\u754c |
| target/classes/page.xml:2:6:2:10 | \u4f60\u597d\u4e16\u754c |


@@ -0,0 +1,2 @@
def test(codeql, java):
codeql.database.create(_env={"LGTM_INDEX_XML_MODE": "all"})
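Review bot: The test has no docstring or comment stating what it covers, and `LGTM_INDEX_XML_MODE` set to `all` gives no hint on its own. Judging from the GBK-declared page.xml and the expected output in this commit, the intent appears to be checking that XML in a non-UTF-8 encoding is indexed with its text decoded correctly. A docstring such as `"""XML files declaring a non-UTF-8 encoding (page.xml is GBK) are extracted with correctly decoded character data."""` would record that.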


@@ -0,0 +1,5 @@
import java
from XmlElement e
where e.hasName("doc")
select e.getACharactersSet()


@@ -1,3 +1,7 @@
## 7.0.1
No user-facing changes.
## 7.0.0
### Breaking Changes


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added a path injection sanitizer for the `child` argument of a `java.io.File` constructor if that argument does not contain path traversal sequences.
