mirror of
https://github.com/github/codeql.git
synced 2026-07-05 03:25:31 +02:00
Compare commits
1 Commits
codeql-cli
...
aml-auto-e
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
709cbb4316 |
8
.bazelrc
8
.bazelrc
@@ -1,9 +1,3 @@
|
|||||||
common --enable_platform_specific_config
|
build --repo_env=CC=clang --repo_env=CXX=clang++ --cxxopt="-std=c++17"
|
||||||
|
|
||||||
build --repo_env=CC=clang --repo_env=CXX=clang++
|
|
||||||
|
|
||||||
build:linux --cxxopt=-std=c++20
|
|
||||||
build:macos --cxxopt=-std=c++20 --cpu=darwin_x86_64
|
|
||||||
build:windows --cxxopt=/std:c++20 --cxxopt=/Zc:preprocessor
|
|
||||||
|
|
||||||
try-import %workspace%/local.bazelrc
|
try-import %workspace%/local.bazelrc
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
6.3.1
|
5.0.0
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"extensions": [
|
"extensions": [
|
||||||
"rust-lang.rust-analyzer",
|
"rust-lang.rust",
|
||||||
"bungcip.better-toml",
|
"bungcip.better-toml",
|
||||||
"github.vscode-codeql",
|
"github.vscode-codeql",
|
||||||
"hbenl.vscode-test-explorer",
|
"hbenl.vscode-test-explorer",
|
||||||
|
|||||||
@@ -1,21 +0,0 @@
|
|||||||
# .git-blame-ignore-revs
|
|
||||||
# Auto-formatted Java
|
|
||||||
730eae952139209fe9fdf598541d608f4c0c0c84
|
|
||||||
# Auto-formatted C#
|
|
||||||
5ad7ed49dd3de03ec6dcfcb6848758a6a987e11c
|
|
||||||
# Auto-formatted C/C++
|
|
||||||
ef97e539ec1971494d4bba5cafe82e00bc8217ac
|
|
||||||
# Auto-formatted Python
|
|
||||||
21d5fa836b3a7d020ba45e8b8168b145a9772131
|
|
||||||
# Auto-formatted JavaScript
|
|
||||||
8d97fe9ed327a9546ff2eaf515cf0f5214deddd9
|
|
||||||
# Auto-formatted Ruby
|
|
||||||
a5d229903d2f12d45f2c2c38822f1d0e7504ae7f
|
|
||||||
# Auto-formatted Go
|
|
||||||
08c658e66bf867090033ea096e244a93d46c0aa7
|
|
||||||
# Auto-formatted Swift
|
|
||||||
711d7057f79fb7d72fc3b35e010bd018f9009169
|
|
||||||
# Auto-formatted shared ql packs
|
|
||||||
3640b6d3a8ce9edf8e1d3ed106fe8526cf255bc0
|
|
||||||
# Auto-formatted taint tracking files
|
|
||||||
159d8e978c51959b380838c080d891b66e763b19
|
|
||||||
24
.github/ISSUE_TEMPLATE/lgtm-com---false-positive.md
vendored
Normal file
24
.github/ISSUE_TEMPLATE/lgtm-com---false-positive.md
vendored
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
name: LGTM.com - false positive
|
||||||
|
about: Tell us about an alert that shouldn't be reported
|
||||||
|
title: LGTM.com - false positive
|
||||||
|
labels: false-positive
|
||||||
|
assignees: ''
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
**Description of the false positive**
|
||||||
|
|
||||||
|
<!-- Please explain briefly why you think it shouldn't be included. -->
|
||||||
|
|
||||||
|
**URL to the alert on the project page on LGTM.com**
|
||||||
|
|
||||||
|
<!--
|
||||||
|
1. Open the project on LGTM.com.
|
||||||
|
For example, https://lgtm.com/projects/g/pallets/click/.
|
||||||
|
2. Switch to the `Alerts` tab. For example, https://lgtm.com/projects/g/pallets/click/alerts/.
|
||||||
|
3. Scroll to the alert that you would like to report.
|
||||||
|
4. Click on the right most icon `View this alert within the complete file`.
|
||||||
|
5. A new browser tab opens. Copy and paste the page URL here.
|
||||||
|
For example, https://lgtm.com/projects/g/pallets/click/snapshot/719fb7d8322b0767cdd1e5903ba3eb3233ba8dd5/files/click/_winconsole.py#xa08d213ab3289f87:1.
|
||||||
|
-->
|
||||||
2
.github/ISSUE_TEMPLATE/ql---general.md
vendored
2
.github/ISSUE_TEMPLATE/ql---general.md
vendored
@@ -10,5 +10,5 @@ assignees: ''
|
|||||||
**Description of the issue**
|
**Description of the issue**
|
||||||
|
|
||||||
<!-- Please explain briefly what is the problem.
|
<!-- Please explain briefly what is the problem.
|
||||||
If it is about a GitHub project, please include its URL. -->
|
If it is about an LGTM project, please include its URL.-->
|
||||||
|
|
||||||
|
|||||||
36
.github/ISSUE_TEMPLATE/ql--false-positive.md
vendored
36
.github/ISSUE_TEMPLATE/ql--false-positive.md
vendored
@@ -1,36 +0,0 @@
|
|||||||
---
|
|
||||||
name: CodeQL false positive
|
|
||||||
about: Report CodeQL alerts that you think should not have been detected (not applicable, not exploitable, etc.)
|
|
||||||
title: False positive
|
|
||||||
labels: false-positive
|
|
||||||
assignees: ''
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
**Description of the false positive**
|
|
||||||
|
|
||||||
<!-- Please explain briefly why you think it shouldn't be included. -->
|
|
||||||
|
|
||||||
**Code samples or links to source code**
|
|
||||||
|
|
||||||
<!--
|
|
||||||
For open source code: file links with line numbers on GitHub, for example:
|
|
||||||
https://github.com/github/codeql/blob/dc440aaee6695deb0d9676b87e06ea984e1b4ae5/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js#L10
|
|
||||||
|
|
||||||
For closed source code: (redacted) code samples that illustrate the problem, for example:
|
|
||||||
|
|
||||||
```
|
|
||||||
function execSh(command, options) {
|
|
||||||
return cp.spawn(getShell(), ["-c", command], options) // <- command line injection
|
|
||||||
};
|
|
||||||
```
|
|
||||||
-->
|
|
||||||
|
|
||||||
**URL to the alert on GitHub code scanning (optional)**
|
|
||||||
|
|
||||||
<!--
|
|
||||||
1. Open the project on GitHub.com.
|
|
||||||
2. Switch to the `Security` tab.
|
|
||||||
3. Browse to the alert that you would like to report.
|
|
||||||
4. Copy and paste the page URL here.
|
|
||||||
-->
|
|
||||||
149
.github/actions/cache-query-compilation/action.yml
vendored
149
.github/actions/cache-query-compilation/action.yml
vendored
@@ -1,149 +0,0 @@
|
|||||||
name: Cache query compilation
|
|
||||||
description: Caches CodeQL compilation caches - should be run both on PRs and pushes to main.
|
|
||||||
|
|
||||||
inputs:
|
|
||||||
key:
|
|
||||||
description: 'The cache key to use - should be unique to the workflow'
|
|
||||||
required: true
|
|
||||||
|
|
||||||
outputs:
|
|
||||||
cache-dir:
|
|
||||||
description: "The directory where the cache was stored"
|
|
||||||
value: ${{ steps.output-compilation-dir.outputs.compdir }}
|
|
||||||
|
|
||||||
runs:
|
|
||||||
using: composite
|
|
||||||
steps:
|
|
||||||
# calculate the merge-base with main, in a way that works both on PRs and pushes to main.
|
|
||||||
- name: Calculate merge-base
|
|
||||||
shell: bash
|
|
||||||
if: ${{ github.event_name == 'pull_request' }}
|
|
||||||
env:
|
|
||||||
BASE_BRANCH: ${{ github.base_ref }}
|
|
||||||
run: |
|
|
||||||
MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
|
|
||||||
echo "merge_base=$MERGE_BASE" >> $GITHUB_ENV
|
|
||||||
- name: Restore cache (PR)
|
|
||||||
if: ${{ github.event_name == 'pull_request' }}
|
|
||||||
uses: actions/cache/restore@v3
|
|
||||||
with:
|
|
||||||
path: |
|
|
||||||
**/.cache
|
|
||||||
~/.codeql/compile-cache
|
|
||||||
key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }}
|
|
||||||
restore-keys: |
|
|
||||||
codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
|
|
||||||
codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-
|
|
||||||
codeql-compile-${{ inputs.key }}-main-
|
|
||||||
- name: Fill cache (only branch push)
|
|
||||||
if: ${{ github.event_name != 'pull_request' }}
|
|
||||||
uses: actions/cache@v3
|
|
||||||
with:
|
|
||||||
path: |
|
|
||||||
**/.cache
|
|
||||||
~/.codeql/compile-cache
|
|
||||||
key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main
|
|
||||||
restore-keys: | # restore the latest cache if the exact cache is unavailable, to speed up compilation.
|
|
||||||
codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-
|
|
||||||
codeql-compile-${{ inputs.key }}-main-
|
|
||||||
- name: Output-compilationdir
|
|
||||||
id: output-compilation-dir
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
echo "compdir=${COMBINED_CACHE_DIR}" >> $GITHUB_OUTPUT
|
|
||||||
env:
|
|
||||||
COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
|
|
||||||
- name: Fill compilation cache directory
|
|
||||||
id: fill-compilation-dir
|
|
||||||
uses: actions/github-script@v6
|
|
||||||
env:
|
|
||||||
COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
|
|
||||||
with:
|
|
||||||
script: |
|
|
||||||
// # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
|
|
||||||
// mkdir -p ${COMBINED_CACHE_DIR}
|
|
||||||
// rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
|
|
||||||
// # copy the contents of the .cache folders into the combined cache folder.
|
|
||||||
// cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
|
|
||||||
// # clean up the .cache folders
|
|
||||||
// rm -rf **/.cache/*
|
|
||||||
|
|
||||||
const fs = require("fs");
|
|
||||||
const path = require("path");
|
|
||||||
const os = require("os");
|
|
||||||
|
|
||||||
// the first argv is the cache folder to create.
|
|
||||||
const COMBINED_CACHE_DIR = process.env.COMBINED_CACHE_DIR;
|
|
||||||
|
|
||||||
function* walkCaches(dir) {
|
|
||||||
const files = fs.readdirSync(dir, { withFileTypes: true });
|
|
||||||
for (const file of files) {
|
|
||||||
if (file.isDirectory()) {
|
|
||||||
const filePath = path.join(dir, file.name);
|
|
||||||
yield* walkCaches(filePath);
|
|
||||||
if (file.name === ".cache") {
|
|
||||||
yield filePath;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
async function copyDir(src, dest) {
|
|
||||||
for await (const file of await fs.promises.readdir(src, { withFileTypes: true })) {
|
|
||||||
const srcPath = path.join(src, file.name);
|
|
||||||
const destPath = path.join(dest, file.name);
|
|
||||||
if (file.isDirectory()) {
|
|
||||||
if (!fs.existsSync(destPath)) {
|
|
||||||
fs.mkdirSync(destPath);
|
|
||||||
}
|
|
||||||
await copyDir(srcPath, destPath);
|
|
||||||
} else {
|
|
||||||
await fs.promises.copyFile(srcPath, destPath);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
async function main() {
|
|
||||||
const cacheDirs = [...walkCaches(".")];
|
|
||||||
|
|
||||||
for (const dir of cacheDirs) {
|
|
||||||
console.log(`Found .cache dir at ${dir}`);
|
|
||||||
}
|
|
||||||
|
|
||||||
const globalCacheDir = path.join(os.homedir(), ".codeql", "compile-cache");
|
|
||||||
if (fs.existsSync(globalCacheDir)) {
|
|
||||||
console.log("Found global home dir: " + globalCacheDir);
|
|
||||||
cacheDirs.push(globalCacheDir);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cacheDirs.length === 0) {
|
|
||||||
console.log("No cache dirs found");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
// mkdir -p ${COMBINED_CACHE_DIR}
|
|
||||||
fs.mkdirSync(COMBINED_CACHE_DIR, { recursive: true });
|
|
||||||
|
|
||||||
// rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
|
|
||||||
await Promise.all(
|
|
||||||
cacheDirs.map((cacheDir) =>
|
|
||||||
(async function () {
|
|
||||||
await fs.promises.rm(path.join(cacheDir, "lock"), { force: true });
|
|
||||||
await fs.promises.rm(path.join(cacheDir, "size"), { force: true });
|
|
||||||
})()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
// # copy the contents of the .cache folders into the combined cache folder.
|
|
||||||
// cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
|
|
||||||
await Promise.all(
|
|
||||||
cacheDirs.map((cacheDir) => copyDir(cacheDir, COMBINED_CACHE_DIR))
|
|
||||||
);
|
|
||||||
|
|
||||||
// # clean up the .cache folders
|
|
||||||
// rm -rf **/.cache/*
|
|
||||||
await Promise.all(
|
|
||||||
cacheDirs.map((cacheDir) => fs.promises.rm(cacheDir, { recursive: true }))
|
|
||||||
);
|
|
||||||
}
|
|
||||||
main();
|
|
||||||
16
.github/actions/fetch-codeql/action.yml
vendored
16
.github/actions/fetch-codeql/action.yml
vendored
@@ -1,24 +1,14 @@
|
|||||||
name: Fetch CodeQL
|
name: Fetch CodeQL
|
||||||
description: Fetches the latest version of CodeQL
|
description: Fetches the latest version of CodeQL
|
||||||
|
|
||||||
inputs:
|
|
||||||
channel:
|
|
||||||
description: 'The CodeQL channel to use'
|
|
||||||
required: false
|
|
||||||
default: 'nightly'
|
|
||||||
|
|
||||||
runs:
|
runs:
|
||||||
using: composite
|
using: composite
|
||||||
steps:
|
steps:
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
shell: bash
|
shell: bash
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
|
||||||
CHANNEL: ${{ inputs.channel }}
|
|
||||||
run: |
|
run: |
|
||||||
gh extension install github/gh-codeql
|
gh extension install github/gh-codeql
|
||||||
gh codeql set-channel "$CHANNEL"
|
gh codeql set-channel nightly
|
||||||
gh codeql version
|
gh codeql version
|
||||||
printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
|
|
||||||
gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
|
|
||||||
gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
|
gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
|
|||||||
32
.github/actions/os-version/action.yml
vendored
32
.github/actions/os-version/action.yml
vendored
@@ -1,32 +0,0 @@
|
|||||||
name: OS Version
|
|
||||||
description: Get OS version.
|
|
||||||
|
|
||||||
outputs:
|
|
||||||
version:
|
|
||||||
description: "OS version"
|
|
||||||
value: ${{ steps.version.outputs.version }}
|
|
||||||
|
|
||||||
runs:
|
|
||||||
using: composite
|
|
||||||
steps:
|
|
||||||
- if: runner.os == 'Linux'
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
. /etc/os-release
|
|
||||||
echo "VERSION=${NAME} ${VERSION}" >> $GITHUB_ENV
|
|
||||||
- if: runner.os == 'Windows'
|
|
||||||
shell: powershell
|
|
||||||
run: |
|
|
||||||
$objects = systeminfo.exe /FO CSV | ConvertFrom-Csv
|
|
||||||
"VERSION=$($objects.'OS Name') $($objects.'OS Version')" >> $env:GITHUB_ENV
|
|
||||||
- if: runner.os == 'macOS'
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
echo "VERSION=$(sw_vers -productName) $(sw_vers -productVersion)" >> $GITHUB_ENV
|
|
||||||
- name: Emit OS version
|
|
||||||
id: version
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
echo "$VERSION"
|
|
||||||
echo "version=${VERSION}" >> $GITHUB_OUTPUT
|
|
||||||
|
|
||||||
27
.github/dependabot.yml
vendored
27
.github/dependabot.yml
vendored
@@ -1,12 +1,19 @@
|
|||||||
version: 2
|
version: 2
|
||||||
updates:
|
updates:
|
||||||
- package-ecosystem: "cargo"
|
- package-ecosystem: "cargo"
|
||||||
directory: "ruby"
|
directory: "ruby/node-types"
|
||||||
schedule:
|
schedule:
|
||||||
interval: "daily"
|
interval: "daily"
|
||||||
|
|
||||||
- package-ecosystem: "cargo"
|
- package-ecosystem: "cargo"
|
||||||
directory: "ql"
|
directory: "ruby/generator"
|
||||||
|
schedule:
|
||||||
|
interval: "daily"
|
||||||
|
- package-ecosystem: "cargo"
|
||||||
|
directory: "ruby/extractor"
|
||||||
|
schedule:
|
||||||
|
interval: "daily"
|
||||||
|
- package-ecosystem: "cargo"
|
||||||
|
directory: "ruby/autobuilder"
|
||||||
schedule:
|
schedule:
|
||||||
interval: "daily"
|
interval: "daily"
|
||||||
|
|
||||||
@@ -17,17 +24,3 @@ updates:
|
|||||||
ignore:
|
ignore:
|
||||||
- dependency-name: '*'
|
- dependency-name: '*'
|
||||||
update-types: ['version-update:semver-patch', 'version-update:semver-minor']
|
update-types: ['version-update:semver-patch', 'version-update:semver-minor']
|
||||||
|
|
||||||
- package-ecosystem: "gomod"
|
|
||||||
directory: "go/extractor"
|
|
||||||
schedule:
|
|
||||||
interval: "daily"
|
|
||||||
allow:
|
|
||||||
- dependency-name: "golang.org/x/mod"
|
|
||||||
- dependency-name: "golang.org/x/tools"
|
|
||||||
group:
|
|
||||||
extractor-dependencies:
|
|
||||||
patterns:
|
|
||||||
- "golang.org/x/*"
|
|
||||||
reviewers:
|
|
||||||
- "github/codeql-go"
|
|
||||||
|
|||||||
10
.github/labeler.yml
vendored
10
.github/labeler.yml
vendored
@@ -11,7 +11,7 @@ Go:
|
|||||||
- change-notes/**/*go.*
|
- change-notes/**/*go.*
|
||||||
|
|
||||||
Java:
|
Java:
|
||||||
- any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/ql/test/kotlin/**/*' ]
|
- any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ]
|
||||||
- change-notes/**/*java.*
|
- change-notes/**/*java.*
|
||||||
|
|
||||||
JS:
|
JS:
|
||||||
@@ -20,6 +20,7 @@ JS:
|
|||||||
|
|
||||||
Kotlin:
|
Kotlin:
|
||||||
- java/kotlin-extractor/**/*
|
- java/kotlin-extractor/**/*
|
||||||
|
- java/kotlin-explorer/**/*
|
||||||
- java/ql/test/kotlin/**/*
|
- java/ql/test/kotlin/**/*
|
||||||
|
|
||||||
Python:
|
Python:
|
||||||
@@ -42,10 +43,3 @@ documentation:
|
|||||||
"QL-for-QL":
|
"QL-for-QL":
|
||||||
- ql/**/*
|
- ql/**/*
|
||||||
- .github/workflows/ql-for-ql*
|
- .github/workflows/ql-for-ql*
|
||||||
|
|
||||||
# Since these are all shared files that need to be synced, just pick _one_ copy of each.
|
|
||||||
"DataFlow Library":
|
|
||||||
- "shared/dataflow/**/*"
|
|
||||||
|
|
||||||
"ATM":
|
|
||||||
- javascript/ql/experimental/adaptivethreatmodeling/**/*
|
|
||||||
|
|||||||
8
.github/workflows/check-change-note.yml
vendored
8
.github/workflows/check-change-note.yml
vendored
@@ -8,9 +8,9 @@ on:
|
|||||||
- "*/ql/src/**/*.qll"
|
- "*/ql/src/**/*.qll"
|
||||||
- "*/ql/lib/**/*.ql"
|
- "*/ql/lib/**/*.ql"
|
||||||
- "*/ql/lib/**/*.qll"
|
- "*/ql/lib/**/*.qll"
|
||||||
- "*/ql/lib/**/*.yml"
|
|
||||||
- "!**/experimental/**"
|
- "!**/experimental/**"
|
||||||
- "!ql/**"
|
- "!ql/**"
|
||||||
|
- "!swift/**"
|
||||||
- ".github/workflows/check-change-note.yml"
|
- ".github/workflows/check-change-note.yml"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
@@ -26,9 +26,3 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
|
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
|
||||||
grep true -c
|
grep true -c
|
||||||
- name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
|
||||||
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
|
|
||||||
grep true -c
|
|
||||||
|
|||||||
29
.github/workflows/check-implicit-this.yml
vendored
29
.github/workflows/check-implicit-this.yml
vendored
@@ -1,29 +0,0 @@
|
|||||||
name: "Check implicit this warnings"
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- "**qlpack.yml"
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- "rc/*"
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
check:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Check that implicit this warnings is enabled for all packs
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
EXIT_CODE=0
|
|
||||||
packs="$(find . -iname 'qlpack.yml')"
|
|
||||||
for pack_file in ${packs}; do
|
|
||||||
option="$(yq '.warnOnImplicitThis' ${pack_file})"
|
|
||||||
if [ "${option}" != "true" ]; then
|
|
||||||
echo "::error file=${pack_file}::warnOnImplicitThis property must be set to 'true' for pack ${pack_file}"
|
|
||||||
EXIT_CODE=1
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
exit "${EXIT_CODE}"
|
|
||||||
5
.github/workflows/check-qldoc.yml
vendored
5
.github/workflows/check-qldoc.yml
vendored
@@ -15,7 +15,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
|
|
||||||
@@ -26,8 +26,9 @@ jobs:
|
|||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
EXIT_CODE=0
|
EXIT_CODE=0
|
||||||
|
# TODO: remove the swift exception from the regex when we fix generated QLdoc
|
||||||
# TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
|
# TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
|
||||||
changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared))[a-z]*/ql/lib' || true; } | sort -u)"
|
changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(swift|shared))[a-z]*/ql/lib' || true; } | sort -u)"
|
||||||
for pack_dir in ${changed_lib_packs}; do
|
for pack_dir in ${changed_lib_packs}; do
|
||||||
lang="${pack_dir%/ql/lib}"
|
lang="${pack_dir%/ql/lib}"
|
||||||
codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"
|
codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"
|
||||||
|
|||||||
21
.github/workflows/check-query-ids.yml
vendored
21
.github/workflows/check-query-ids.yml
vendored
@@ -1,21 +0,0 @@
|
|||||||
name: Check query IDs
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- "**/src/**/*.ql"
|
|
||||||
- misc/scripts/check-query-ids.py
|
|
||||||
- .github/workflows/check-query-ids.yml
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- "rc/*"
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
check:
|
|
||||||
name: Check query IDs
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Check for duplicate query IDs
|
|
||||||
run: python3 misc/scripts/check-query-ids.py
|
|
||||||
2
.github/workflows/close-stale.yml
vendored
2
.github/workflows/close-stale.yml
vendored
@@ -12,7 +12,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/stale@v8
|
- uses: actions/stale@v6
|
||||||
with:
|
with:
|
||||||
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
|
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
|
||||||
|
|||||||
6
.github/workflows/codeql-analysis.yml
vendored
6
.github/workflows/codeql-analysis.yml
vendored
@@ -28,12 +28,12 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v3
|
uses: actions/setup-dotnet@v2
|
||||||
with:
|
with:
|
||||||
dotnet-version: 7.0.102
|
dotnet-version: 6.0.202
|
||||||
|
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
|
|||||||
37
.github/workflows/compile-queries.yml
vendored
37
.github/workflows/compile-queries.yml
vendored
@@ -1,37 +0,0 @@
|
|||||||
name: "Compile all queries using the latest stable CodeQL CLI"
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches: # makes sure the cache gets populated - running on the branches people tend to merge into.
|
|
||||||
- main
|
|
||||||
- "rc/*"
|
|
||||||
- "codeql-cli-*"
|
|
||||||
pull_request:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
compile-queries:
|
|
||||||
runs-on: ubuntu-latest-xl
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Setup CodeQL
|
|
||||||
uses: ./.github/actions/fetch-codeql
|
|
||||||
with:
|
|
||||||
channel: 'release'
|
|
||||||
- name: Cache compilation cache
|
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
|
||||||
with:
|
|
||||||
key: all-queries
|
|
||||||
- name: check formatting
|
|
||||||
run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
|
|
||||||
- name: compile queries - check-only
|
|
||||||
# run with --check-only if running in a PR (github.sha != main)
|
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
|
||||||
shell: bash
|
|
||||||
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
|
|
||||||
- name: compile queries - full
|
|
||||||
# do full compile if running on main - this populates the cache
|
|
||||||
if : ${{ github.event_name != 'pull_request' }}
|
|
||||||
shell: bash
|
|
||||||
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
|
|
||||||
101
.github/workflows/csharp-qltest.yml
vendored
101
.github/workflows/csharp-qltest.yml
vendored
@@ -1,101 +0,0 @@
|
|||||||
name: "C#: Run QL Tests"
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
paths:
|
|
||||||
- "csharp/**"
|
|
||||||
- "shared/**"
|
|
||||||
- .github/actions/fetch-codeql/action.yml
|
|
||||||
- codeql-workspace.yml
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- "rc/*"
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- "csharp/**"
|
|
||||||
- "shared/**"
|
|
||||||
- .github/workflows/csharp-qltest.yml
|
|
||||||
- .github/actions/fetch-codeql/action.yml
|
|
||||||
- codeql-workspace.yml
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- "rc/*"
|
|
||||||
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
working-directory: csharp
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
qlupgrade:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./.github/actions/fetch-codeql
|
|
||||||
- name: Check DB upgrade scripts
|
|
||||||
run: |
|
|
||||||
echo >empty.trap
|
|
||||||
codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
|
|
||||||
codeql dataset upgrade testdb --additional-packs ql/lib
|
|
||||||
diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
|
|
||||||
- name: Check DB downgrade scripts
|
|
||||||
run: |
|
|
||||||
echo >empty.trap
|
|
||||||
rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
|
|
||||||
codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
|
|
||||||
--dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
|
|
||||||
xargs codeql execute upgrades testdb
|
|
||||||
diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
|
|
||||||
qltest:
|
|
||||||
runs-on: ubuntu-latest-xl
|
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
slice: ["1/2", "2/2"]
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./csharp/actions/create-extractor-pack
|
|
||||||
- name: Cache compilation cache
|
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
|
||||||
with:
|
|
||||||
key: csharp-qltest-${{ matrix.slice }}
|
|
||||||
- name: Run QL tests
|
|
||||||
run: |
|
|
||||||
codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
|
||||||
unit-tests:
|
|
||||||
strategy:
|
|
||||||
matrix:
|
|
||||||
os: [ubuntu-latest, windows-2019]
|
|
||||||
runs-on: ${{ matrix.os }}
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Setup dotnet
|
|
||||||
uses: actions/setup-dotnet@v3
|
|
||||||
with:
|
|
||||||
dotnet-version: 7.0.102
|
|
||||||
- name: Extractor unit tests
|
|
||||||
run: |
|
|
||||||
dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Util.Tests
|
|
||||||
dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Extraction.Tests
|
|
||||||
dotnet test -p:RuntimeFrameworkVersion=7.0.2 autobuilder/Semmle.Autobuild.CSharp.Tests
|
|
||||||
dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
|
|
||||||
shell: bash
|
|
||||||
stubgentest:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./csharp/actions/create-extractor-pack
|
|
||||||
- name: Run stub generator tests
|
|
||||||
run: |
|
|
||||||
# Generate (Asp)NetCore stubs
|
|
||||||
STUBS_PATH=stubs_output
|
|
||||||
python3 ql/src/Stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
|
|
||||||
rm -rf ql/test/resources/stubs/_frameworks
|
|
||||||
# Update existing stubs in the repo with the freshly generated ones
|
|
||||||
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
|
||||||
git status
|
|
||||||
codeql test run --threads=0 --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
|
||||||
4
.github/workflows/csv-coverage-metrics.yml
vendored
4
.github/workflows/csv-coverage-metrics.yml
vendored
@@ -19,7 +19,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Create empty database
|
- name: Create empty database
|
||||||
@@ -47,7 +47,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Create empty database
|
- name: Create empty database
|
||||||
|
|||||||
@@ -10,7 +10,6 @@ on:
|
|||||||
- "*/ql/src/**/*.qll"
|
- "*/ql/src/**/*.qll"
|
||||||
- "*/ql/lib/**/*.ql"
|
- "*/ql/lib/**/*.ql"
|
||||||
- "*/ql/lib/**/*.qll"
|
- "*/ql/lib/**/*.qll"
|
||||||
- "*/ql/lib/ext/**/*.yml"
|
|
||||||
- "misc/scripts/library-coverage/*.py"
|
- "misc/scripts/library-coverage/*.py"
|
||||||
# input data files
|
# input data files
|
||||||
- "*/documentation/library-coverage/cwe-sink.csv"
|
- "*/documentation/library-coverage/cwe-sink.csv"
|
||||||
@@ -31,11 +30,11 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql) - MERGE
|
- name: Clone self (github/codeql) - MERGE
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: merge
|
path: merge
|
||||||
- name: Clone self (github/codeql) - BASE
|
- name: Clone self (github/codeql) - BASE
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
path: base
|
path: base
|
||||||
|
|||||||
@@ -20,7 +20,7 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
- name: Set up Python 3.8
|
- name: Set up Python 3.8
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
|
|||||||
@@ -9,11 +9,11 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: script
|
path: script
|
||||||
- name: Clone self (github/codeql) for analysis
|
- name: Clone self (github/codeql) for analysis
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: codeqlModels
|
path: codeqlModels
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|||||||
2
.github/workflows/csv-coverage-update.yml
vendored
2
.github/workflows/csv-coverage-update.yml
vendored
@@ -17,7 +17,7 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: ql
|
path: ql
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|||||||
4
.github/workflows/csv-coverage.yml
vendored
4
.github/workflows/csv-coverage.yml
vendored
@@ -13,11 +13,11 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: script
|
path: script
|
||||||
- name: Clone self (github/codeql) for analysis
|
- name: Clone self (github/codeql) for analysis
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: codeqlModels
|
path: codeqlModels
|
||||||
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
||||||
|
|||||||
50
.github/workflows/fast-forward.yml
vendored
50
.github/workflows/fast-forward.yml
vendored
@@ -1,50 +0,0 @@
|
|||||||
# Fast-forwards the branch specified in BRANCH_NAME
|
|
||||||
# to the github.ref/sha that this workflow is run on.
|
|
||||||
# Used as part of the release process, to ensure
|
|
||||||
# external query writers can always access a branch of github/codeql
|
|
||||||
# that is compatible with the latest stable release.
|
|
||||||
name: Fast-forward tracking branch for selected CodeQL version
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
fast-forward:
|
|
||||||
name: Fast-forward tracking branch for selected CodeQL version
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
if: github.repository == 'github/codeql'
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
env:
|
|
||||||
BRANCH_NAME: 'lgtm.com'
|
|
||||||
steps:
|
|
||||||
- name: Validate chosen branch
|
|
||||||
if: ${{ !startsWith(github.ref_name, 'codeql-cli-') }}
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
echo "::error ::The $BRANCH_NAME tracking branch should only be fast-forwarded to the tip of a codeql-cli-* branch, got $GITHUB_REF_NAME instead."
|
|
||||||
exit 1
|
|
||||||
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Git config
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
git config user.name "github-actions[bot]"
|
|
||||||
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
||||||
|
|
||||||
- name: Fetch
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
set -x
|
|
||||||
echo "Fetching $BRANCH_NAME"
|
|
||||||
# Explicitly unshallow and fetch to ensure the remote ref is available.
|
|
||||||
git fetch --unshallow origin "$BRANCH_NAME"
|
|
||||||
git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
|
|
||||||
|
|
||||||
- name: Fast-forward
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
echo "Fast-forwarding $BRANCH_NAME to ${GITHUB_REF}@${GITHUB_SHA}"
|
|
||||||
git merge --ff-only "$GITHUB_SHA"
|
|
||||||
git push origin "$BRANCH_NAME"
|
|
||||||
82
.github/workflows/go-tests-other-os.yml
vendored
82
.github/workflows/go-tests-other-os.yml
vendored
@@ -1,82 +0,0 @@
|
|||||||
name: "Go: Run Tests - Other OS"
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- "go/**"
|
|
||||||
- "!go/ql/**" # don't run other-os if only ql/ files changed
|
|
||||||
- .github/workflows/go-tests-other-os.yml
|
|
||||||
- .github/actions/**
|
|
||||||
- codeql-workspace.yml
|
|
||||||
env:
|
|
||||||
GO_VERSION: '~1.21.0'
|
|
||||||
jobs:
|
|
||||||
test-mac:
|
|
||||||
name: Test MacOS
|
|
||||||
runs-on: macos-latest
|
|
||||||
steps:
|
|
||||||
- name: Set up Go ${{ env.GO_VERSION }}
|
|
||||||
uses: actions/setup-go@v4
|
|
||||||
with:
|
|
||||||
go-version: ${{ env.GO_VERSION }}
|
|
||||||
id: go
|
|
||||||
|
|
||||||
- name: Check out code
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Set up CodeQL CLI
|
|
||||||
uses: ./.github/actions/fetch-codeql
|
|
||||||
|
|
||||||
- name: Enable problem matchers in repository
|
|
||||||
shell: bash
|
|
||||||
run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
|
|
||||||
|
|
||||||
- name: Build
|
|
||||||
run: |
|
|
||||||
cd go
|
|
||||||
make
|
|
||||||
|
|
||||||
- name: Cache compilation cache
|
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
|
||||||
with:
|
|
||||||
key: go-qltest
|
|
||||||
- name: Test
|
|
||||||
run: |
|
|
||||||
cd go
|
|
||||||
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
|
|
||||||
|
|
||||||
test-win:
|
|
||||||
name: Test Windows
|
|
||||||
runs-on: windows-latest-xl
|
|
||||||
steps:
|
|
||||||
- name: Set up Go ${{ env.GO_VERSION }}
|
|
||||||
uses: actions/setup-go@v4
|
|
||||||
with:
|
|
||||||
go-version: ${{ env.GO_VERSION }}
|
|
||||||
id: go
|
|
||||||
|
|
||||||
- name: Check out code
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Set up CodeQL CLI
|
|
||||||
uses: ./.github/actions/fetch-codeql
|
|
||||||
|
|
||||||
- name: Enable problem matchers in repository
|
|
||||||
shell: bash
|
|
||||||
run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
|
|
||||||
|
|
||||||
- name: Build
|
|
||||||
run: |
|
|
||||||
cd go
|
|
||||||
make
|
|
||||||
|
|
||||||
- name: Cache compilation cache
|
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
|
||||||
with:
|
|
||||||
key: go-qltest
|
|
||||||
|
|
||||||
- name: Test
|
|
||||||
run: |
|
|
||||||
cd go
|
|
||||||
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
|
|
||||||
91
.github/workflows/go-tests.yml
vendored
91
.github/workflows/go-tests.yml
vendored
@@ -1,35 +1,24 @@
|
|||||||
name: "Go: Run Tests"
|
name: "Go: Run Tests"
|
||||||
on:
|
on:
|
||||||
push:
|
|
||||||
paths:
|
|
||||||
- "go/**"
|
|
||||||
- .github/workflows/go-tests.yml
|
|
||||||
- .github/actions/**
|
|
||||||
- codeql-workspace.yml
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- "rc/*"
|
|
||||||
pull_request:
|
pull_request:
|
||||||
paths:
|
paths:
|
||||||
- "go/**"
|
- "go/**"
|
||||||
- .github/workflows/go-tests.yml
|
- .github/workflows/go-tests.yml
|
||||||
- .github/actions/**
|
- .github/actions/fetch-codeql/action.yml
|
||||||
- codeql-workspace.yml
|
- codeql-workspace.yml
|
||||||
env:
|
|
||||||
GO_VERSION: '~1.21.0'
|
|
||||||
jobs:
|
jobs:
|
||||||
test-linux:
|
test-linux:
|
||||||
name: Test Linux (Ubuntu)
|
name: Test Linux (Ubuntu)
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Set up Go ${{ env.GO_VERSION }}
|
- name: Set up Go 1.19
|
||||||
uses: actions/setup-go@v4
|
uses: actions/setup-go@v3
|
||||||
with:
|
with:
|
||||||
go-version: ${{ env.GO_VERSION }}
|
go-version: 1.19
|
||||||
id: go
|
id: go
|
||||||
|
|
||||||
- name: Check out code
|
- name: Check out code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
- name: Set up CodeQL CLI
|
- name: Set up CodeQL CLI
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
@@ -43,7 +32,7 @@ jobs:
|
|||||||
cd go
|
cd go
|
||||||
make
|
make
|
||||||
|
|
||||||
- name: Check that all Go code is autoformatted
|
- name: Check that all QL and Go code is autoformatted
|
||||||
run: |
|
run: |
|
||||||
cd go
|
cd go
|
||||||
make check-formatting
|
make check-formatting
|
||||||
@@ -54,18 +43,72 @@ jobs:
|
|||||||
env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
|
env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
|
||||||
|
|
||||||
- name: Upload qhelp markdown
|
- name: Upload qhelp markdown
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v2
|
||||||
with:
|
with:
|
||||||
name: qhelp-markdown
|
name: qhelp-markdown
|
||||||
path: go/qhelp-out/**/*.md
|
path: go/qhelp-out/**/*.md
|
||||||
|
|
||||||
- name: Cache compilation cache
|
- name: Test
|
||||||
id: query-cache
|
run: |
|
||||||
uses: ./.github/actions/cache-query-compilation
|
cd go
|
||||||
|
make test
|
||||||
|
|
||||||
|
test-mac:
|
||||||
|
name: Test MacOS
|
||||||
|
runs-on: macos-latest
|
||||||
|
steps:
|
||||||
|
- name: Set up Go 1.19
|
||||||
|
uses: actions/setup-go@v3
|
||||||
with:
|
with:
|
||||||
key: go-qltest
|
go-version: 1.19
|
||||||
|
id: go
|
||||||
|
|
||||||
|
- name: Check out code
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
|
- name: Set up CodeQL CLI
|
||||||
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
- name: Enable problem matchers in repository
|
||||||
|
shell: bash
|
||||||
|
run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
|
||||||
|
|
||||||
|
- name: Build
|
||||||
|
run: |
|
||||||
|
cd go
|
||||||
|
make
|
||||||
|
|
||||||
- name: Test
|
- name: Test
|
||||||
run: |
|
run: |
|
||||||
cd go
|
cd go
|
||||||
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
|
make test
|
||||||
|
|
||||||
|
test-win:
|
||||||
|
name: Test Windows
|
||||||
|
runs-on: windows-2019
|
||||||
|
steps:
|
||||||
|
- name: Set up Go 1.19
|
||||||
|
uses: actions/setup-go@v3
|
||||||
|
with:
|
||||||
|
go-version: 1.19
|
||||||
|
id: go
|
||||||
|
|
||||||
|
- name: Check out code
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
|
- name: Set up CodeQL CLI
|
||||||
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
- name: Enable problem matchers in repository
|
||||||
|
shell: bash
|
||||||
|
run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
|
||||||
|
|
||||||
|
- name: Build
|
||||||
|
run: |
|
||||||
|
cd go
|
||||||
|
make
|
||||||
|
|
||||||
|
- name: Test
|
||||||
|
run: |
|
||||||
|
cd go
|
||||||
|
make test
|
||||||
|
|||||||
81
.github/workflows/js-ml-tests.yml
vendored
Normal file
81
.github/workflows/js-ml-tests.yml
vendored
Normal file
@@ -0,0 +1,81 @@
|
|||||||
|
name: JS ML-powered queries tests
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
paths:
|
||||||
|
- "javascript/ql/experimental/adaptivethreatmodeling/**"
|
||||||
|
- .github/workflows/js-ml-tests.yml
|
||||||
|
- .github/actions/fetch-codeql/action.yml
|
||||||
|
- codeql-workspace.yml
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- "rc/*"
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- "javascript/ql/experimental/adaptivethreatmodeling/**"
|
||||||
|
- .github/workflows/js-ml-tests.yml
|
||||||
|
- .github/actions/fetch-codeql/action.yml
|
||||||
|
- codeql-workspace.yml
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
defaults:
|
||||||
|
run:
|
||||||
|
working-directory: javascript/ql/experimental/adaptivethreatmodeling
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
qlformat:
|
||||||
|
name: Check QL formatting
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
- name: Check QL formatting
|
||||||
|
run: |
|
||||||
|
find . "(" -name "*.ql" -or -name "*.qll" ")" -print0 | \
|
||||||
|
xargs -0 codeql query format --check-only
|
||||||
|
|
||||||
|
qlcompile:
|
||||||
|
name: Check QL compilation
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
- name: Install pack dependencies
|
||||||
|
run: |
|
||||||
|
for pack in modelbuilding src; do
|
||||||
|
codeql pack install --mode verify -- "${pack}"
|
||||||
|
done
|
||||||
|
|
||||||
|
- name: Check QL compilation
|
||||||
|
run: |
|
||||||
|
codeql query compile \
|
||||||
|
--check-only \
|
||||||
|
--ram 5120 \
|
||||||
|
--additional-packs "${{ github.workspace }}" \
|
||||||
|
--threads=0 \
|
||||||
|
-- \
|
||||||
|
lib modelbuilding src
|
||||||
|
|
||||||
|
qltest:
|
||||||
|
name: Run QL tests
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
- name: Install pack dependencies
|
||||||
|
run: codeql pack install -- test
|
||||||
|
|
||||||
|
- name: Run QL tests
|
||||||
|
run: |
|
||||||
|
codeql test run \
|
||||||
|
--threads=0 \
|
||||||
|
--ram 5120 \
|
||||||
|
--additional-packs "${{ github.workspace }}" \
|
||||||
|
-- \
|
||||||
|
test
|
||||||
22
.github/workflows/mad_modelDiff.yml
vendored
22
.github/workflows/mad_modelDiff.yml
vendored
@@ -11,7 +11,7 @@ on:
|
|||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
paths:
|
paths:
|
||||||
- "java/ql/src/utils/modelgenerator/**/*.*"
|
- "java/ql/src/utils/model-generator/**/*.*"
|
||||||
- ".github/workflows/mad_modelDiff.yml"
|
- ".github/workflows/mad_modelDiff.yml"
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
@@ -27,12 +27,12 @@ jobs:
|
|||||||
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
|
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
|
||||||
steps:
|
steps:
|
||||||
- name: Clone github/codeql from PR
|
- name: Clone github/codeql from PR
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
if: github.event.pull_request
|
if: github.event.pull_request
|
||||||
with:
|
with:
|
||||||
path: codeql-pr
|
path: codeql-pr
|
||||||
- name: Clone github/codeql from main
|
- name: Clone github/codeql from main
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: codeql-main
|
path: codeql-main
|
||||||
ref: main
|
ref: main
|
||||||
@@ -40,12 +40,12 @@ jobs:
|
|||||||
- name: Download database
|
- name: Download database
|
||||||
env:
|
env:
|
||||||
SLUG: ${{ matrix.slug }}
|
SLUG: ${{ matrix.slug }}
|
||||||
GH_TOKEN: ${{ github.token }}
|
|
||||||
run: |
|
run: |
|
||||||
set -x
|
set -x
|
||||||
mkdir lib-dbs
|
mkdir lib-dbs
|
||||||
SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
|
SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
|
||||||
gh api -H "Accept: application/zip" "/repos/${SLUG}/code-scanning/codeql/databases/java" > "$SHORTNAME.zip"
|
projectId=`curl -s https://lgtm.com/api/v1.0/projects/g/${SLUG} | jq .id`
|
||||||
|
curl -L "https://lgtm.com/api/v1.0/snapshots/$projectId/java" -o "$SHORTNAME.zip"
|
||||||
unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip"
|
unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip"
|
||||||
mkdir "lib-dbs/$SHORTNAME/"
|
mkdir "lib-dbs/$SHORTNAME/"
|
||||||
mv "${SHORTNAME}-db/"$(ls -1 "${SHORTNAME}"-db)/* "lib-dbs/${SHORTNAME}/"
|
mv "${SHORTNAME}-db/"$(ls -1 "${SHORTNAME}"-db)/* "lib-dbs/${SHORTNAME}/"
|
||||||
@@ -61,8 +61,8 @@ jobs:
|
|||||||
DATABASE=$2
|
DATABASE=$2
|
||||||
cd codeql-$QL_VARIANT
|
cd codeql-$QL_VARIANT
|
||||||
SHORTNAME=`basename $DATABASE`
|
SHORTNAME=`basename $DATABASE`
|
||||||
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
|
python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $MODELS/${SHORTNAME}.qll
|
||||||
mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
|
mv $MODELS/${SHORTNAME}.qll $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.qll
|
||||||
cd ..
|
cd ..
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -85,21 +85,19 @@ jobs:
|
|||||||
set -x
|
set -x
|
||||||
MODELS=`pwd`/tmp-models
|
MODELS=`pwd`/tmp-models
|
||||||
ls -1 tmp-models/
|
ls -1 tmp-models/
|
||||||
for m in $MODELS/*_main.model.yml ; do
|
for m in $MODELS/*_main.qll ; do
|
||||||
t="${m/main/"pr"}"
|
t="${m/main/"pr"}"
|
||||||
basename=`basename $m`
|
basename=`basename $m`
|
||||||
name="diff_${basename/_main.model.yml/""}"
|
name="diff_${basename/_main.qll/""}"
|
||||||
(diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
|
(diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
|
||||||
done
|
done
|
||||||
- uses: actions/upload-artifact@v3
|
- uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: models
|
name: models
|
||||||
path: tmp-models/*.model.yml
|
path: tmp-models/*.qll
|
||||||
retention-days: 20
|
retention-days: 20
|
||||||
- uses: actions/upload-artifact@v3
|
- uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: diffs
|
name: diffs
|
||||||
path: tmp-models/*.html
|
path: tmp-models/*.html
|
||||||
# An html file is only produced if the generated models differ.
|
|
||||||
if-no-files-found: ignore
|
|
||||||
retention-days: 20
|
retention-days: 20
|
||||||
|
|||||||
8
.github/workflows/mad_regenerate-models.yml
vendored
8
.github/workflows/mad_regenerate-models.yml
vendored
@@ -27,11 +27,11 @@ jobs:
|
|||||||
ref: "placeholder"
|
ref: "placeholder"
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
- name: Setup CodeQL binaries
|
- name: Setup CodeQL binaries
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Clone repositories
|
- name: Clone repositories
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: repos/${{ matrix.ref }}
|
path: repos/${{ matrix.ref }}
|
||||||
ref: ${{ matrix.ref }}
|
ref: ${{ matrix.ref }}
|
||||||
@@ -50,10 +50,10 @@ jobs:
|
|||||||
SLUG: ${{ matrix.slug }}
|
SLUG: ${{ matrix.slug }}
|
||||||
run: |
|
run: |
|
||||||
SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
|
SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
|
||||||
java/ql/src/utils/modelgenerator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
|
java/ql/src/utils/model-generator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
|
||||||
- name: Stage changes
|
- name: Stage changes
|
||||||
run: |
|
run: |
|
||||||
find java -name "*.model.yml" -print0 | xargs -0 git add
|
find java -name "*.qll" -print0 | xargs -0 git add
|
||||||
git status
|
git status
|
||||||
git diff --cached > models.patch
|
git diff --cached > models.patch
|
||||||
- uses: actions/upload-artifact@v3
|
- uses: actions/upload-artifact@v3
|
||||||
|
|||||||
6
.github/workflows/qhelp-pr-preview.yml
vendored
6
.github/workflows/qhelp-pr-preview.yml
vendored
@@ -27,7 +27,7 @@ on:
|
|||||||
- main
|
- main
|
||||||
- "rc/*"
|
- "rc/*"
|
||||||
paths:
|
paths:
|
||||||
- "**/*.qhelp"
|
- "ruby/**/*.qhelp"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
qhelp:
|
qhelp:
|
||||||
@@ -43,7 +43,7 @@ jobs:
|
|||||||
if-no-files-found: error
|
if-no-files-found: error
|
||||||
retention-days: 1
|
retention-days: 1
|
||||||
|
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
@@ -52,7 +52,7 @@ jobs:
|
|||||||
id: changes
|
id: changes
|
||||||
run: |
|
run: |
|
||||||
(git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
|
(git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
|
||||||
git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename -z | xargs --null -rn1 git grep -z -l) |
|
git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename | xargs --null -rn1 git grep -z -l) |
|
||||||
grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"
|
grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"
|
||||||
|
|
||||||
- name: QHelp preview
|
- name: QHelp preview
|
||||||
|
|||||||
156
.github/workflows/ql-for-ql-build.yml
vendored
156
.github/workflows/ql-for-ql-build.yml
vendored
@@ -5,6 +5,13 @@ on:
|
|||||||
branches: [main]
|
branches: [main]
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
|
paths:
|
||||||
|
- "ql/**"
|
||||||
|
- "**.qll"
|
||||||
|
- "**.ql"
|
||||||
|
- "**.dbscheme"
|
||||||
|
- "**/qlpack.yml"
|
||||||
|
- ".github/workflows/ql-for-ql-build.yml"
|
||||||
|
|
||||||
env:
|
env:
|
||||||
CARGO_TERM_COLOR: always
|
CARGO_TERM_COLOR: always
|
||||||
@@ -14,61 +21,138 @@ jobs:
|
|||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
### Build the queries ###
|
### Build the queries ###
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
with:
|
|
||||||
fetch-depth: 0
|
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@v2
|
uses: github/codeql-action/init@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
|
||||||
with:
|
with:
|
||||||
languages: javascript # does not matter
|
languages: javascript # does not matter
|
||||||
- uses: ./.github/actions/os-version
|
- name: Get CodeQL version
|
||||||
id: os_version
|
id: get-codeql-version
|
||||||
|
run: |
|
||||||
|
echo "::set-output name=version::$("${CODEQL}" --version | head -n 1 | rev | cut -d " " -f 1 | rev)"
|
||||||
|
shell: bash
|
||||||
|
env:
|
||||||
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
|
- name: Cache entire pack
|
||||||
|
id: cache-pack
|
||||||
|
uses: actions/cache@v3
|
||||||
|
with:
|
||||||
|
path: ${{ runner.temp }}/pack
|
||||||
|
key: ${{ runner.os }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
|
||||||
|
- name: Cache queries
|
||||||
|
if: steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
|
id: cache-queries
|
||||||
|
uses: actions/cache@v3
|
||||||
|
with:
|
||||||
|
path: ${{ runner.temp }}/queries
|
||||||
|
key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
|
||||||
|
- name: Build query pack
|
||||||
|
if: steps.cache-queries.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
|
run: |
|
||||||
|
cd ql/ql/src
|
||||||
|
"${CODEQL}" pack create -j 16
|
||||||
|
mv .codeql/pack/codeql/ql/0.0.0 ${{ runner.temp }}/queries
|
||||||
|
env:
|
||||||
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
|
- name: Move cache queries to pack
|
||||||
|
if: steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
|
run: |
|
||||||
|
cp -r ${{ runner.temp }}/queries ${{ runner.temp }}/pack
|
||||||
|
env:
|
||||||
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
|
|
||||||
### Build the extractor ###
|
### Build the extractor ###
|
||||||
- name: Cache entire extractor
|
- name: Cache entire extractor
|
||||||
|
if: steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
id: cache-extractor
|
id: cache-extractor
|
||||||
uses: actions/cache@v3
|
uses: actions/cache@v3
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
ql/extractor-pack/
|
ql/target/release/ql-autobuilder
|
||||||
ql/target/release/buramu
|
ql/target/release/ql-autobuilder.exe
|
||||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ql/**/*.rs') }}
|
ql/target/release/ql-extractor
|
||||||
|
ql/target/release/ql-extractor.exe
|
||||||
|
key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
|
||||||
- name: Cache cargo
|
- name: Cache cargo
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
uses: actions/cache@v3
|
uses: actions/cache@v3
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.cargo/registry
|
~/.cargo/registry
|
||||||
~/.cargo/git
|
~/.cargo/git
|
||||||
ql/target
|
ql/target
|
||||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
|
key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
|
||||||
|
- name: Check formatting
|
||||||
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
|
run: cd ql; cargo fmt --all -- --check
|
||||||
|
- name: Build
|
||||||
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
|
run: cd ql; cargo build --verbose
|
||||||
|
- name: Run tests
|
||||||
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
|
run: cd ql; cargo test --verbose
|
||||||
- name: Release build
|
- name: Release build
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
run: cd ql; ./scripts/create-extractor-pack.sh
|
run: cd ql; cargo build --release
|
||||||
env:
|
- name: Generate dbscheme
|
||||||
GH_TOKEN: ${{ github.token }}
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
- name: Cache compilation cache
|
run: ql/target/release/ql-generator --dbscheme ql/ql/src/ql.dbscheme --library ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
### Package the queries and extractor ###
|
||||||
with:
|
- name: Package pack
|
||||||
key: run-ql-for-ql
|
if: steps.cache-pack.outputs.cache-hit != 'true'
|
||||||
- name: Make database and analyze
|
|
||||||
run: |
|
run: |
|
||||||
./ql/target/release/buramu | tee deprecated.blame # Add a blame file for the extractor to parse.
|
cp -r ql/codeql-extractor.yml ql/tools ql/ql/src/ql.dbscheme.stats ${PACK}/
|
||||||
${CODEQL} database create -l=ql --search-path ql/extractor-pack ${DB}
|
mkdir -p ${PACK}/tools/linux64
|
||||||
${CODEQL} database analyze -j0 --format=sarif-latest --output=ql-for-ql.sarif ${DB} ql/ql/src/codeql-suites/ql-code-scanning.qls --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
cp ql/target/release/ql-autobuilder ${PACK}/tools/linux64/autobuilder
|
||||||
env:
|
cp ql/target/release/ql-extractor ${PACK}/tools/linux64/extractor
|
||||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
chmod +x ${PACK}/tools/linux64/autobuilder
|
||||||
DB: ${{ runner.temp }}/DB
|
chmod +x ${PACK}/tools/linux64/extractor
|
||||||
LGTM_INDEX_FILTERS: |
|
env:
|
||||||
exclude:ql/ql/test
|
PACK: ${{ runner.temp }}/pack
|
||||||
exclude:*/ql/lib/upgrades/
|
|
||||||
exclude:java/ql/integration-tests
|
### Run the analysis ###
|
||||||
- name: Upload sarif to code-scanning
|
- name: Hack codeql-action options
|
||||||
uses: github/codeql-action/upload-sarif@v2
|
run: |
|
||||||
|
JSON=$(jq -nc --arg pack "${PACK}" '.database."run-queries"=["--search-path", $pack] | .resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .resolve.languages=["--search-path", $pack] | .database.init=["--search-path", $pack]')
|
||||||
|
echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
|
||||||
|
env:
|
||||||
|
PACK: ${{ runner.temp }}/pack
|
||||||
|
|
||||||
|
- name: Create CodeQL config file
|
||||||
|
run: |
|
||||||
|
echo "paths-ignore:" >> ${CONF}
|
||||||
|
echo " - ql/ql/test" >> ${CONF}
|
||||||
|
echo " - \"*/ql/lib/upgrades/\"" >> ${CONF}
|
||||||
|
echo "disable-default-queries: true" >> ${CONF}
|
||||||
|
echo "queries:" >> ${CONF}
|
||||||
|
echo " - uses: ./ql/ql/src/codeql-suites/ql-code-scanning.qls" >> ${CONF}
|
||||||
|
echo "Config file: "
|
||||||
|
cat ${CONF}
|
||||||
|
env:
|
||||||
|
CONF: ./ql-for-ql-config.yml
|
||||||
|
- name: Initialize CodeQL
|
||||||
|
uses: github/codeql-action/init@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
|
||||||
with:
|
with:
|
||||||
sarif_file: ql-for-ql.sarif
|
languages: ql
|
||||||
category: ql-for-ql
|
db-location: ${{ runner.temp }}/db
|
||||||
|
config-file: ./ql-for-ql-config.yml
|
||||||
|
- name: Move pack cache
|
||||||
|
run: |
|
||||||
|
cp -r ${PACK}/.cache ql/ql/src/.cache
|
||||||
|
env:
|
||||||
|
PACK: ${{ runner.temp }}/pack
|
||||||
|
|
||||||
|
- name: Perform CodeQL Analysis
|
||||||
|
uses: github/codeql-action/analyze@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
|
||||||
|
with:
|
||||||
|
category: "ql-for-ql"
|
||||||
|
- name: Copy sarif file to CWD
|
||||||
|
run: cp ../results/ql.sarif ./ql-for-ql.sarif
|
||||||
|
- name: Fixup the $scema in sarif # Until https://github.com/microsoft/sarif-vscode-extension/pull/436/ is part in a stable release
|
||||||
|
run: |
|
||||||
|
sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ql-for-ql.sarif
|
||||||
- name: Sarif as artifact
|
- name: Sarif as artifact
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
@@ -83,4 +167,4 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: ql-for-ql-langs
|
name: ql-for-ql-langs
|
||||||
path: split-sarif
|
path: split-sarif
|
||||||
retention-days: 1
|
retention-days: 1
|
||||||
12
.github/workflows/ql-for-ql-dataset_measure.yml
vendored
12
.github/workflows/ql-for-ql-dataset_measure.yml
vendored
@@ -21,28 +21,26 @@ jobs:
|
|||||||
- github/codeql
|
- github/codeql
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@v2
|
uses: github/codeql-action/init@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
|
||||||
with:
|
with:
|
||||||
languages: javascript # does not matter
|
languages: javascript # does not matter
|
||||||
- uses: ./.github/actions/os-version
|
|
||||||
id: os_version
|
|
||||||
- uses: actions/cache@v3
|
- uses: actions/cache@v3
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.cargo/registry
|
~/.cargo/registry
|
||||||
~/.cargo/git
|
~/.cargo/git
|
||||||
ql/target
|
ql/target
|
||||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
|
key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
|
||||||
- name: Build Extractor
|
- name: Build Extractor
|
||||||
run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./scripts/create-extractor-pack.sh
|
run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./scripts/create-extractor-pack.sh
|
||||||
env:
|
env:
|
||||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
- name: Checkout ${{ matrix.repo }}
|
- name: Checkout ${{ matrix.repo }}
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
repository: ${{ matrix.repo }}
|
repository: ${{ matrix.repo }}
|
||||||
path: ${{ github.workspace }}/repo
|
path: ${{ github.workspace }}/repo
|
||||||
@@ -71,7 +69,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: measure
|
needs: measure
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- uses: actions/download-artifact@v3
|
- uses: actions/download-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: measurements
|
name: measurements
|
||||||
|
|||||||
75
.github/workflows/ql-for-ql-tests.yml
vendored
75
.github/workflows/ql-for-ql-tests.yml
vendored
@@ -6,13 +6,11 @@ on:
|
|||||||
paths:
|
paths:
|
||||||
- "ql/**"
|
- "ql/**"
|
||||||
- codeql-workspace.yml
|
- codeql-workspace.yml
|
||||||
- .github/workflows/ql-for-ql-tests.yml
|
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
paths:
|
paths:
|
||||||
- "ql/**"
|
- "ql/**"
|
||||||
- codeql-workspace.yml
|
- codeql-workspace.yml
|
||||||
- .github/workflows/ql-for-ql-tests.yml
|
|
||||||
|
|
||||||
env:
|
env:
|
||||||
CARGO_TERM_COLOR: always
|
CARGO_TERM_COLOR: always
|
||||||
@@ -21,89 +19,36 @@ jobs:
|
|||||||
qltest:
|
qltest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@v2
|
uses: github/codeql-action/init@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
|
||||||
with:
|
with:
|
||||||
languages: javascript # does not matter
|
languages: javascript # does not matter
|
||||||
- uses: ./.github/actions/os-version
|
|
||||||
id: os_version
|
|
||||||
- uses: actions/cache@v3
|
- uses: actions/cache@v3
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.cargo/registry
|
~/.cargo/registry
|
||||||
~/.cargo/git
|
~/.cargo/git
|
||||||
ql/target
|
ql/target
|
||||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
|
key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
|
||||||
- name: Check formatting
|
|
||||||
run: cd ql; cargo fmt --all -- --check
|
|
||||||
- name: Build extractor
|
- name: Build extractor
|
||||||
run: |
|
run: |
|
||||||
cd ql;
|
cd ql;
|
||||||
codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
|
codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
|
||||||
env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
|
env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
|
||||||
- name: Cache compilation cache
|
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
|
||||||
with:
|
|
||||||
key: ql-for-ql-tests
|
|
||||||
- name: Run QL tests
|
- name: Run QL tests
|
||||||
run: |
|
run: |
|
||||||
"${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test
|
"${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
|
||||||
env:
|
env:
|
||||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
|
- name: Check QL formatting
|
||||||
other-os:
|
|
||||||
strategy:
|
|
||||||
matrix:
|
|
||||||
os: [macos-latest, windows-latest]
|
|
||||||
needs: [qltest]
|
|
||||||
runs-on: ${{ matrix.os }}
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Install GNU tar
|
|
||||||
if: runner.os == 'macOS'
|
|
||||||
run: |
|
run: |
|
||||||
brew install gnu-tar
|
find ql/ql/src "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
|
||||||
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
|
||||||
- name: Find codeql
|
|
||||||
id: find-codeql
|
|
||||||
uses: github/codeql-action/init@v2
|
|
||||||
with:
|
|
||||||
languages: javascript # does not matter
|
|
||||||
- uses: ./.github/actions/os-version
|
|
||||||
id: os_version
|
|
||||||
- uses: actions/cache@v3
|
|
||||||
with:
|
|
||||||
path: |
|
|
||||||
~/.cargo/registry
|
|
||||||
~/.cargo/git
|
|
||||||
ql/target
|
|
||||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
|
|
||||||
- name: Build extractor
|
|
||||||
if: runner.os != 'Windows'
|
|
||||||
run: |
|
|
||||||
cd ql;
|
|
||||||
codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
|
|
||||||
env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
|
|
||||||
- name: Build extractor (Windows)
|
|
||||||
if: runner.os == 'Windows'
|
|
||||||
shell: pwsh
|
|
||||||
run: |
|
|
||||||
cd ql;
|
|
||||||
$Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
|
|
||||||
pwsh ./scripts/create-extractor-pack.ps1
|
|
||||||
- name: Run a single QL tests - Unix
|
|
||||||
if: runner.os != 'Windows'
|
|
||||||
run: |
|
|
||||||
"${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
|
|
||||||
env:
|
env:
|
||||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
- name: Run a single QL tests - Windows
|
- name: Check QL compilation
|
||||||
if: runner.os == 'Windows'
|
|
||||||
shell: pwsh
|
|
||||||
run: |
|
run: |
|
||||||
$Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
|
"${CODEQL}" query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ql/extractor-pack" "ql/ql/src" "ql/ql/examples"
|
||||||
codeql test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
|
env:
|
||||||
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
|
|||||||
2
.github/workflows/query-list.yml
vendored
2
.github/workflows/query-list.yml
vendored
@@ -20,7 +20,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
path: codeql
|
path: codeql
|
||||||
- name: Set up Python 3.8
|
- name: Set up Python 3.8
|
||||||
|
|||||||
166
.github/workflows/ruby-build.yml
vendored
166
.github/workflows/ruby-build.yml
vendored
@@ -42,57 +42,30 @@ jobs:
|
|||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- name: Install GNU tar
|
- name: Install GNU tar
|
||||||
if: runner.os == 'macOS'
|
if: runner.os == 'macOS'
|
||||||
run: |
|
run: |
|
||||||
brew install gnu-tar
|
brew install gnu-tar
|
||||||
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
||||||
- name: Install cargo-cross
|
|
||||||
if: runner.os == 'Linux'
|
|
||||||
run: cargo install cross --version 0.2.5
|
|
||||||
- uses: ./.github/actions/os-version
|
|
||||||
id: os_version
|
|
||||||
- name: Cache entire extractor
|
|
||||||
uses: actions/cache@v3
|
|
||||||
id: cache-extractor
|
|
||||||
with:
|
|
||||||
path: |
|
|
||||||
ruby/extractor/target/release/codeql-extractor-ruby
|
|
||||||
ruby/extractor/target/release/codeql-extractor-ruby.exe
|
|
||||||
ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
|
||||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
|
|
||||||
- uses: actions/cache@v3
|
- uses: actions/cache@v3
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.cargo/registry
|
~/.cargo/registry
|
||||||
~/.cargo/git
|
~/.cargo/git
|
||||||
ruby/target
|
ruby/target
|
||||||
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
|
key: ${{ runner.os }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
|
||||||
- name: Check formatting
|
- name: Check formatting
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
run: cargo fmt --all -- --check
|
||||||
run: cd extractor && cargo fmt --all -- --check
|
|
||||||
- name: Build
|
- name: Build
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
run: cargo build --verbose
|
||||||
run: cd extractor && cargo build --verbose
|
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
run: cargo test --verbose
|
||||||
run: cd extractor && cargo test --verbose
|
- name: Release build
|
||||||
# On linux, build the extractor via cross in a centos7 container.
|
run: cargo build --release
|
||||||
# This ensures we don't depend on glibc > 2.17.
|
|
||||||
- name: Release build (linux)
|
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
|
|
||||||
run: |
|
|
||||||
cd extractor
|
|
||||||
cross build --release
|
|
||||||
mv target/x86_64-unknown-linux-gnu/release/codeql-extractor-ruby target/release/
|
|
||||||
- name: Release build (windows and macos)
|
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
|
|
||||||
run: cd extractor && cargo build --release
|
|
||||||
- name: Generate dbscheme
|
- name: Generate dbscheme
|
||||||
if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
|
if: ${{ matrix.os == 'ubuntu-latest' }}
|
||||||
run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
run: target/release/ruby-generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
||||||
- uses: actions/upload-artifact@v3
|
- uses: actions/upload-artifact@v3
|
||||||
if: ${{ matrix.os == 'ubuntu-latest' }}
|
if: ${{ matrix.os == 'ubuntu-latest' }}
|
||||||
with:
|
with:
|
||||||
@@ -107,45 +80,40 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: extractor-${{ matrix.os }}
|
name: extractor-${{ matrix.os }}
|
||||||
path: |
|
path: |
|
||||||
ruby/extractor/target/release/codeql-extractor-ruby
|
ruby/target/release/ruby-autobuilder
|
||||||
ruby/extractor/target/release/codeql-extractor-ruby.exe
|
ruby/target/release/ruby-autobuilder.exe
|
||||||
|
ruby/target/release/ruby-extractor
|
||||||
|
ruby/target/release/ruby-extractor.exe
|
||||||
retention-days: 1
|
retention-days: 1
|
||||||
compile-queries:
|
compile-queries:
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Cache compilation cache
|
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
|
||||||
with:
|
|
||||||
key: ruby-build
|
|
||||||
- name: Build Query Pack
|
- name: Build Query Pack
|
||||||
run: |
|
run: |
|
||||||
PACKS=${{ runner.temp }}/query-packs
|
codeql pack create ../shared/ssa --output target/packs
|
||||||
rm -rf $PACKS
|
codeql pack create ql/lib --output target/packs
|
||||||
codeql pack create ../misc/suite-helpers --output "$PACKS"
|
codeql pack install ql/src
|
||||||
codeql pack create ../shared/regex --output "$PACKS"
|
codeql pack create ql/src --output target/packs
|
||||||
codeql pack create ../shared/ssa --output "$PACKS"
|
PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
|
||||||
codeql pack create ../shared/tutorial --output "$PACKS"
|
|
||||||
codeql pack create ql/lib --output "$PACKS"
|
|
||||||
codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
|
||||||
PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
|
|
||||||
codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
|
codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
|
||||||
(cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
|
(cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
|
||||||
- uses: actions/upload-artifact@v3
|
- uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: codeql-ruby-queries
|
name: codeql-ruby-queries
|
||||||
path: |
|
path: |
|
||||||
${{ runner.temp }}/query-packs/*
|
ruby/target/packs/*
|
||||||
retention-days: 1
|
retention-days: 1
|
||||||
|
|
||||||
package:
|
package:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [build, compile-queries]
|
needs: [build, compile-queries]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- uses: actions/download-artifact@v3
|
- uses: actions/download-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: ruby.dbscheme
|
name: ruby.dbscheme
|
||||||
@@ -166,10 +134,13 @@ jobs:
|
|||||||
mkdir -p ruby
|
mkdir -p ruby
|
||||||
cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
|
cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
|
||||||
mkdir -p ruby/tools/{linux64,osx64,win64}
|
mkdir -p ruby/tools/{linux64,osx64,win64}
|
||||||
cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor
|
cp linux64/ruby-autobuilder ruby/tools/linux64/autobuilder
|
||||||
cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor
|
cp osx64/ruby-autobuilder ruby/tools/osx64/autobuilder
|
||||||
cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
|
cp win64/ruby-autobuilder.exe ruby/tools/win64/autobuilder.exe
|
||||||
chmod +x ruby/tools/{linux64,osx64}/extractor
|
cp linux64/ruby-extractor ruby/tools/linux64/extractor
|
||||||
|
cp osx64/ruby-extractor ruby/tools/osx64/extractor
|
||||||
|
cp win64/ruby-extractor.exe ruby/tools/win64/extractor.exe
|
||||||
|
chmod +x ruby/tools/{linux64,osx64}/{autobuilder,extractor}
|
||||||
zip -rq codeql-ruby.zip ruby
|
zip -rq codeql-ruby.zip ruby
|
||||||
- uses: actions/upload-artifact@v3
|
- uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
@@ -206,10 +177,15 @@ jobs:
|
|||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
needs: [package]
|
needs: [package]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
with:
|
||||||
|
repository: Shopify/example-ruby-app
|
||||||
|
ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
|
||||||
|
|
||||||
- name: Download Ruby bundle
|
- name: Download Ruby bundle
|
||||||
uses: actions/download-artifact@v3
|
uses: actions/download-artifact@v3
|
||||||
with:
|
with:
|
||||||
@@ -218,67 +194,27 @@ jobs:
|
|||||||
- name: Unzip Ruby bundle
|
- name: Unzip Ruby bundle
|
||||||
shell: bash
|
shell: bash
|
||||||
run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
|
run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
|
||||||
|
- name: Prepare test files
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
echo "import codeql.ruby.AST select count(File f)" > "test.ql"
|
||||||
|
echo "| 4 |" > "test.expected"
|
||||||
|
echo 'name: sample-tests
|
||||||
|
version: 0.0.0
|
||||||
|
dependencies:
|
||||||
|
codeql/ruby-all: 0.0.1
|
||||||
|
extractor: ruby
|
||||||
|
tests: .
|
||||||
|
' > qlpack.yml
|
||||||
- name: Run QL test
|
- name: Run QL test
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
|
codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
|
||||||
- name: Create database
|
- name: Create database
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
|
codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
|
||||||
- name: Analyze database
|
- name: Analyze database
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
||||||
|
|
||||||
# This is a copy of the 'test' job that runs in a centos7 container.
|
|
||||||
# This tests that the extractor works correctly on systems with an old glibc.
|
|
||||||
test-centos7:
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
working-directory: ${{ github.workspace }}
|
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
container:
|
|
||||||
image: centos:centos7
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
needs: [package]
|
|
||||||
steps:
|
|
||||||
- name: Install gh cli
|
|
||||||
run: |
|
|
||||||
yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
|
|
||||||
# fetch-codeql requires unzip and jq
|
|
||||||
# jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/)
|
|
||||||
yum install -y gh unzip epel-release
|
|
||||||
yum install -y jq
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
- name: Fetch CodeQL
|
|
||||||
uses: ./.github/actions/fetch-codeql
|
|
||||||
|
|
||||||
# Due to a bug in Actions, we can't use runner.temp in the run blocks here.
|
|
||||||
# https://github.com/actions/runner/issues/2185
|
|
||||||
|
|
||||||
- name: Download Ruby bundle
|
|
||||||
uses: actions/download-artifact@v3
|
|
||||||
with:
|
|
||||||
name: codeql-ruby-bundle
|
|
||||||
path: ${{ runner.temp }}
|
|
||||||
- name: Unzip Ruby bundle
|
|
||||||
shell: bash
|
|
||||||
run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip
|
|
||||||
|
|
||||||
- name: Run QL test
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/
|
|
||||||
- name: Create database
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
|
|
||||||
- name: Analyze database
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
|
||||||
|
|||||||
6
.github/workflows/ruby-dataset-measure.yml
vendored
6
.github/workflows/ruby-dataset-measure.yml
vendored
@@ -27,14 +27,14 @@ jobs:
|
|||||||
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
|
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
|
|
||||||
- name: Checkout ${{ matrix.repo }}
|
- name: Checkout ${{ matrix.repo }}
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
repository: ${{ matrix.repo }}
|
repository: ${{ matrix.repo }}
|
||||||
path: ${{ github.workspace }}/repo
|
path: ${{ github.workspace }}/repo
|
||||||
@@ -59,7 +59,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: measure
|
needs: measure
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- uses: actions/download-artifact@v3
|
- uses: actions/download-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: measurements
|
name: measurements
|
||||||
|
|||||||
36
.github/workflows/ruby-qltest.yml
vendored
36
.github/workflows/ruby-qltest.yml
vendored
@@ -4,8 +4,7 @@ on:
|
|||||||
push:
|
push:
|
||||||
paths:
|
paths:
|
||||||
- "ruby/**"
|
- "ruby/**"
|
||||||
- "shared/**"
|
- .github/workflows/ruby-qltest.yml
|
||||||
- .github/workflows/ruby-build.yml
|
|
||||||
- .github/actions/fetch-codeql/action.yml
|
- .github/actions/fetch-codeql/action.yml
|
||||||
- codeql-workspace.yml
|
- codeql-workspace.yml
|
||||||
branches:
|
branches:
|
||||||
@@ -14,7 +13,6 @@ on:
|
|||||||
pull_request:
|
pull_request:
|
||||||
paths:
|
paths:
|
||||||
- "ruby/**"
|
- "ruby/**"
|
||||||
- "shared/**"
|
|
||||||
- .github/workflows/ruby-qltest.yml
|
- .github/workflows/ruby-qltest.yml
|
||||||
- .github/actions/fetch-codeql/action.yml
|
- .github/actions/fetch-codeql/action.yml
|
||||||
- codeql-workspace.yml
|
- codeql-workspace.yml
|
||||||
@@ -30,10 +28,27 @@ defaults:
|
|||||||
working-directory: ruby
|
working-directory: ruby
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
qlformat:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
- name: Check QL formatting
|
||||||
|
run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
|
||||||
|
qlcompile:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
- name: Check QL compilation
|
||||||
|
run: |
|
||||||
|
codeql query compile --check-only --threads=0 --ram 5000 --warnings=error "ql/src" "ql/examples"
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
qlupgrade:
|
qlupgrade:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- name: Check DB upgrade scripts
|
- name: Check DB upgrade scripts
|
||||||
run: |
|
run: |
|
||||||
@@ -50,20 +65,17 @@ jobs:
|
|||||||
xargs codeql execute upgrades testdb
|
xargs codeql execute upgrades testdb
|
||||||
diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
|
diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
|
||||||
qltest:
|
qltest:
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
slice: ["1/2", "2/2"]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
- name: Cache compilation cache
|
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
|
||||||
with:
|
|
||||||
key: ruby-qltest
|
|
||||||
- name: Run QL tests
|
- name: Run QL tests
|
||||||
run: |
|
run: |
|
||||||
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
codeql test run --threads=0 --ram 5000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
|
|||||||
39
.github/workflows/swift-codegen.yml
vendored
Normal file
39
.github/workflows/swift-codegen.yml
vendored
Normal file
@@ -0,0 +1,39 @@
|
|||||||
|
name: "Swift: Check code generation"
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- "swift/**"
|
||||||
|
- "misc/bazel/**"
|
||||||
|
- "*.bazel*"
|
||||||
|
- .github/workflows/swift-codegen.yml
|
||||||
|
- .github/actions/fetch-codeql/action.yml
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
codegen:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
- uses: bazelbuild/setup-bazelisk@v2
|
||||||
|
- uses: actions/setup-python@v3
|
||||||
|
- uses: pre-commit/action@v3.0.0
|
||||||
|
name: Check that python code is properly formatted
|
||||||
|
with:
|
||||||
|
extra_args: autopep8 --all-files
|
||||||
|
- name: Run unit tests
|
||||||
|
run: |
|
||||||
|
bazel test //swift/codegen/test --test_output=errors
|
||||||
|
- uses: pre-commit/action@v3.0.0
|
||||||
|
name: Check that QL generated code was checked in
|
||||||
|
with:
|
||||||
|
extra_args: swift-codegen --all-files
|
||||||
|
- name: Generate C++ files
|
||||||
|
run: |
|
||||||
|
bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/swift-generated-cpp-files
|
||||||
|
- uses: actions/upload-artifact@v3
|
||||||
|
with:
|
||||||
|
name: swift-generated-cpp-files
|
||||||
|
path: swift-generated-cpp-files/**
|
||||||
45
.github/workflows/swift-integration-tests.yml
vendored
Normal file
45
.github/workflows/swift-integration-tests.yml
vendored
Normal file
@@ -0,0 +1,45 @@
|
|||||||
|
name: "Swift: Run Integration Tests"
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- "swift/**"
|
||||||
|
- "misc/bazel/**"
|
||||||
|
- "*.bazel*"
|
||||||
|
- .github/workflows/swift-integration-tests.yml
|
||||||
|
- .github/actions/fetch-codeql/action.yml
|
||||||
|
- codeql-workspace.yml
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
defaults:
|
||||||
|
run:
|
||||||
|
working-directory: swift
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
integration-tests:
|
||||||
|
runs-on: ${{ matrix.os }}
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
os:
|
||||||
|
- ubuntu-20.04
|
||||||
|
# - macos-latest TODO
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
- uses: bazelbuild/setup-bazelisk@v2
|
||||||
|
- uses: actions/setup-python@v3
|
||||||
|
- name: Build Swift extractor
|
||||||
|
run: |
|
||||||
|
bazel run //swift:create-extractor-pack
|
||||||
|
- name: Get Swift version
|
||||||
|
id: get_swift_version
|
||||||
|
run: |
|
||||||
|
VERSION=$(bazel run //swift/extractor -- --version | sed -ne 's/.*version \(\S*\).*/\1/p')
|
||||||
|
echo "::set-output name=version::$VERSION"
|
||||||
|
- uses: swift-actions/setup-swift@v1
|
||||||
|
with:
|
||||||
|
swift-version: "${{steps.get_swift_version.outputs.version}}"
|
||||||
|
- name: Run integration tests
|
||||||
|
run: |
|
||||||
|
python integration-tests/runner.py
|
||||||
43
.github/workflows/swift-qltest.yml
vendored
Normal file
43
.github/workflows/swift-qltest.yml
vendored
Normal file
@@ -0,0 +1,43 @@
|
|||||||
|
name: "Swift: Run QL Tests"
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- "swift/**"
|
||||||
|
- "misc/bazel/**"
|
||||||
|
- "*.bazel*"
|
||||||
|
- .github/workflows/swift-qltest.yml
|
||||||
|
- .github/actions/fetch-codeql/action.yml
|
||||||
|
- codeql-workspace.yml
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
defaults:
|
||||||
|
run:
|
||||||
|
working-directory: swift
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
qlformat:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
- name: Check QL formatting
|
||||||
|
run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
|
||||||
|
qltest:
|
||||||
|
runs-on: ${{ matrix.os }}
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
os : [ubuntu-20.04, macos-latest]
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
- uses: bazelbuild/setup-bazelisk@v2
|
||||||
|
- name: Build Swift extractor
|
||||||
|
run: |
|
||||||
|
bazel run //swift:create-extractor-pack
|
||||||
|
- name: Run QL tests
|
||||||
|
run: |
|
||||||
|
codeql test run --threads=0 --ram 5000 --search-path "${{ github.workspace }}/swift/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition ql/test
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
107
.github/workflows/swift.yml
vendored
107
.github/workflows/swift.yml
vendored
@@ -1,107 +0,0 @@
|
|||||||
name: "Swift"
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- "swift/**"
|
|
||||||
- "misc/bazel/**"
|
|
||||||
- "misc/codegen/**"
|
|
||||||
- "*.bazel*"
|
|
||||||
- .github/workflows/swift.yml
|
|
||||||
- .github/actions/**
|
|
||||||
- codeql-workspace.yml
|
|
||||||
- .pre-commit-config.yaml
|
|
||||||
- "!**/*.md"
|
|
||||||
- "!**/*.qhelp"
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- rc/*
|
|
||||||
- codeql-cli-*
|
|
||||||
push:
|
|
||||||
paths:
|
|
||||||
- "swift/**"
|
|
||||||
- "misc/bazel/**"
|
|
||||||
- "misc/codegen/**"
|
|
||||||
- "*.bazel*"
|
|
||||||
- .github/workflows/swift.yml
|
|
||||||
- .github/actions/**
|
|
||||||
- codeql-workspace.yml
|
|
||||||
- "!**/*.md"
|
|
||||||
- "!**/*.qhelp"
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- rc/*
|
|
||||||
- codeql-cli-*
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
|
|
||||||
# without waiting for the macOS build
|
|
||||||
build-and-test-macos:
|
|
||||||
runs-on: macos-12-xl
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./swift/actions/build-and-test
|
|
||||||
build-and-test-linux:
|
|
||||||
runs-on: ubuntu-latest-xl
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./swift/actions/build-and-test
|
|
||||||
qltests-linux:
|
|
||||||
needs: build-and-test-linux
|
|
||||||
runs-on: ubuntu-latest-xl
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./swift/actions/run-ql-tests
|
|
||||||
qltests-macos:
|
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
|
||||||
needs: build-and-test-macos
|
|
||||||
runs-on: macos-12-xl
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./swift/actions/run-ql-tests
|
|
||||||
integration-tests-linux:
|
|
||||||
needs: build-and-test-linux
|
|
||||||
runs-on: ubuntu-latest-xl
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./swift/actions/run-integration-tests
|
|
||||||
integration-tests-macos:
|
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
|
||||||
needs: build-and-test-macos
|
|
||||||
runs-on: macos-12-xl
|
|
||||||
timeout-minutes: 60
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./swift/actions/run-integration-tests
|
|
||||||
codegen:
|
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: bazelbuild/setup-bazelisk@v2
|
|
||||||
- uses: actions/setup-python@v4
|
|
||||||
with:
|
|
||||||
python-version-file: 'swift/.python-version'
|
|
||||||
- uses: pre-commit/action@v3.0.0
|
|
||||||
name: Check that python code is properly formatted
|
|
||||||
with:
|
|
||||||
extra_args: autopep8 --all-files
|
|
||||||
- uses: ./.github/actions/fetch-codeql
|
|
||||||
- uses: pre-commit/action@v3.0.0
|
|
||||||
name: Check that QL generated code was checked in
|
|
||||||
with:
|
|
||||||
extra_args: swift-codegen --all-files
|
|
||||||
- name: Generate C++ files
|
|
||||||
run: |
|
|
||||||
bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
|
|
||||||
- uses: actions/upload-artifact@v3
|
|
||||||
with:
|
|
||||||
name: swift-generated-cpp-files
|
|
||||||
path: generated-cpp-files/**
|
|
||||||
database-upgrade-scripts:
|
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: ./.github/actions/fetch-codeql
|
|
||||||
- uses: ./swift/actions/database-upgrade-scripts
|
|
||||||
4
.github/workflows/sync-files.yml
vendored
4
.github/workflows/sync-files.yml
vendored
@@ -14,9 +14,7 @@ jobs:
|
|||||||
sync:
|
sync:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v3
|
||||||
- name: Check synchronized files
|
- name: Check synchronized files
|
||||||
run: python config/sync-files.py
|
run: python config/sync-files.py
|
||||||
- name: Check dbscheme fragments
|
|
||||||
run: python config/sync-dbscheme-fragments.py
|
|
||||||
|
|
||||||
|
|||||||
46
.github/workflows/tree-sitter-extractor-test.yml
vendored
46
.github/workflows/tree-sitter-extractor-test.yml
vendored
@@ -1,46 +0,0 @@
|
|||||||
name: Test tree-sitter-extractor
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
paths:
|
|
||||||
- "shared/tree-sitter-extractor/**"
|
|
||||||
- .github/workflows/tree-sitter-extractor-test.yml
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- "rc/*"
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- "shared/tree-sitter-extractor/**"
|
|
||||||
- .github/workflows/tree-sitter-extractor-test.yml
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- "rc/*"
|
|
||||||
|
|
||||||
env:
|
|
||||||
CARGO_TERM_COLOR: always
|
|
||||||
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
working-directory: shared/tree-sitter-extractor
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
test:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Check formatting
|
|
||||||
run: cargo fmt --all -- --check
|
|
||||||
- name: Run tests
|
|
||||||
run: cargo test --verbose
|
|
||||||
fmt:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Check formatting
|
|
||||||
run: cargo fmt --check
|
|
||||||
clippy:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Run clippy
|
|
||||||
run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
|
|
||||||
2
.github/workflows/validate-change-notes.yml
vendored
2
.github/workflows/validate-change-notes.yml
vendored
@@ -20,7 +20,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v3
|
||||||
|
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|||||||
2
.gitignore
vendored
2
.gitignore
vendored
@@ -27,6 +27,8 @@
|
|||||||
# It's useful (though not required) to be able to unpack codeql in the ql checkout itself
|
# It's useful (though not required) to be able to unpack codeql in the ql checkout itself
|
||||||
/codeql/
|
/codeql/
|
||||||
|
|
||||||
|
csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
|
||||||
|
|
||||||
# Avoid committing cached package components
|
# Avoid committing cached package components
|
||||||
.codeql
|
.codeql
|
||||||
|
|
||||||
|
|||||||
@@ -5,9 +5,9 @@ repos:
|
|||||||
rev: v3.2.0
|
rev: v3.2.0
|
||||||
hooks:
|
hooks:
|
||||||
- id: trailing-whitespace
|
- id: trailing-whitespace
|
||||||
exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
|
exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
|
||||||
- id: end-of-file-fixer
|
- id: end-of-file-fixer
|
||||||
exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
|
exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
|
||||||
|
|
||||||
- repo: https://github.com/pre-commit/mirrors-clang-format
|
- repo: https://github.com/pre-commit/mirrors-clang-format
|
||||||
rev: v13.0.1
|
rev: v13.0.1
|
||||||
@@ -19,12 +19,7 @@ repos:
|
|||||||
rev: v1.6.0
|
rev: v1.6.0
|
||||||
hooks:
|
hooks:
|
||||||
- id: autopep8
|
- id: autopep8
|
||||||
files: ^misc/codegen/.*\.py
|
files: ^swift/codegen/.*\.py
|
||||||
|
|
||||||
- repo: https://github.com/warchant/pre-commit-buildifier
|
|
||||||
rev: 0.0.2
|
|
||||||
hooks:
|
|
||||||
- id: buildifier
|
|
||||||
|
|
||||||
- repo: local
|
- repo: local
|
||||||
hooks:
|
hooks:
|
||||||
@@ -36,7 +31,7 @@ repos:
|
|||||||
|
|
||||||
- id: sync-files
|
- id: sync-files
|
||||||
name: Fix files required to be identical
|
name: Fix files required to be identical
|
||||||
files: \.(qll?|qhelp|swift)$|^config/identical-files\.json$
|
files: \.(qll?|qhelp|swift)$
|
||||||
language: system
|
language: system
|
||||||
entry: python3 config/sync-files.py --latest
|
entry: python3 config/sync-files.py --latest
|
||||||
pass_filenames: false
|
pass_filenames: false
|
||||||
@@ -49,7 +44,7 @@ repos:
|
|||||||
|
|
||||||
- id: swift-codegen
|
- id: swift-codegen
|
||||||
name: Run Swift checked in code generation
|
name: Run Swift checked in code generation
|
||||||
files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
|
files: ^swift/(codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements))
|
||||||
language: system
|
language: system
|
||||||
entry: bazel run //swift/codegen -- --quiet
|
entry: bazel run //swift/codegen -- --quiet
|
||||||
pass_filenames: false
|
pass_filenames: false
|
||||||
@@ -58,5 +53,5 @@ repos:
|
|||||||
name: Run Swift code generation unit tests
|
name: Run Swift code generation unit tests
|
||||||
files: ^swift/codegen/.*\.py$
|
files: ^swift/codegen/.*\.py$
|
||||||
language: system
|
language: system
|
||||||
entry: bazel test //misc/codegen/test
|
entry: bazel test //swift/codegen/test
|
||||||
pass_filenames: false
|
pass_filenames: false
|
||||||
|
|||||||
4
.vscode/settings.json
vendored
4
.vscode/settings.json
vendored
@@ -1,5 +1,3 @@
|
|||||||
{
|
{
|
||||||
"omnisharp.autoStart": false,
|
"omnisharp.autoStart": false
|
||||||
"cmake.sourceDirectory": "${workspaceFolder}/swift",
|
|
||||||
"cmake.buildDirectory": "${workspaceFolder}/bazel-cmake-build"
|
|
||||||
}
|
}
|
||||||
|
|||||||
18
.vscode/tasks.json
vendored
18
.vscode/tasks.json
vendored
@@ -22,22 +22,6 @@
|
|||||||
"command": "${config:python.pythonPath}",
|
"command": "${config:python.pythonPath}",
|
||||||
},
|
},
|
||||||
"problemMatcher": []
|
"problemMatcher": []
|
||||||
},
|
|
||||||
{
|
|
||||||
"label": "Accept .expected changes from CI",
|
|
||||||
"type": "process",
|
|
||||||
// Non-Windows OS will usually have Python 3 already installed at /usr/bin/python3.
|
|
||||||
"command": "python3",
|
|
||||||
"args": [
|
|
||||||
"misc/scripts/accept-expected-changes-from-ci.py"
|
|
||||||
],
|
|
||||||
"group": "build",
|
|
||||||
"windows": {
|
|
||||||
// On Windows, use whatever Python interpreter is configured for this workspace. The default is
|
|
||||||
// just `python`, so if Python is already on the path, this will find it.
|
|
||||||
"command": "${config:python.pythonPath}",
|
|
||||||
},
|
|
||||||
"problemMatcher": []
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
23
CODEOWNERS
23
CODEOWNERS
@@ -5,17 +5,24 @@
|
|||||||
/javascript/ @github/codeql-javascript
|
/javascript/ @github/codeql-javascript
|
||||||
/python/ @github/codeql-python
|
/python/ @github/codeql-python
|
||||||
/ruby/ @github/codeql-ruby
|
/ruby/ @github/codeql-ruby
|
||||||
/swift/ @github/codeql-swift
|
/swift/ @github/codeql-c
|
||||||
/misc/codegen/ @github/codeql-swift
|
|
||||||
/java/kotlin-extractor/ @github/codeql-kotlin
|
/java/kotlin-extractor/ @github/codeql-kotlin
|
||||||
|
/java/kotlin-explorer/ @github/codeql-kotlin
|
||||||
|
|
||||||
# ML-powered queries
|
# ML-powered queries
|
||||||
/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
|
/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
|
||||||
|
|
||||||
|
# Notify members of codeql-go about PRs to the shared data-flow library files
|
||||||
|
/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
|
||||||
|
/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @github/codeql-java @github/codeql-go
|
||||||
|
/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
|
||||||
|
/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
|
||||||
|
/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
|
||||||
|
|
||||||
# CodeQL tools and associated docs
|
# CodeQL tools and associated docs
|
||||||
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
/docs/codeql-cli/ @github/codeql-cli-reviewers
|
||||||
/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
|
/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
|
||||||
/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
|
/docs/ql-language-reference/ @github/codeql-frontend-reviewers
|
||||||
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
|
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
|
||||||
|
|
||||||
# QL for QL reviewers
|
# QL for QL reviewers
|
||||||
@@ -33,12 +40,8 @@ WORKSPACE.bazel @github/codeql-ci-reviewers
|
|||||||
|
|
||||||
# Workflows
|
# Workflows
|
||||||
/.github/workflows/ @github/codeql-ci-reviewers
|
/.github/workflows/ @github/codeql-ci-reviewers
|
||||||
/.github/workflows/atm-* @github/codeql-ml-powered-queries-reviewers
|
|
||||||
/.github/workflows/go-* @github/codeql-go
|
/.github/workflows/go-* @github/codeql-go
|
||||||
/.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
|
/.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
|
||||||
/.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
|
/.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
|
||||||
/.github/workflows/ruby-* @github/codeql-ruby
|
/.github/workflows/ruby-* @github/codeql-ruby
|
||||||
/.github/workflows/swift.yml @github/codeql-swift
|
/.github/workflows/swift-* @github/codeql-c
|
||||||
|
|
||||||
# Misc
|
|
||||||
/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
|
|
||||||
|
|||||||
@@ -14,20 +14,17 @@ If you have an idea for a query that you would like to share with other CodeQL u
|
|||||||
|
|
||||||
1. **Directory structure**
|
1. **Directory structure**
|
||||||
|
|
||||||
There are eight language-specific query directories in this repository:
|
There are six language-specific query directories in this repository:
|
||||||
|
|
||||||
* C/C++: `cpp/ql/src`
|
* C/C++: `cpp/ql/src`
|
||||||
* C#: `csharp/ql/src`
|
* C#: `csharp/ql/src`
|
||||||
* Go: `go/ql/src`
|
* Java: `java/ql/src`
|
||||||
* Java/Kotlin: `java/ql/src`
|
|
||||||
* JavaScript: `javascript/ql/src`
|
* JavaScript: `javascript/ql/src`
|
||||||
* Python: `python/ql/src`
|
* Python: `python/ql/src`
|
||||||
* Ruby: `ruby/ql/src`
|
* Ruby: `ruby/ql/src`
|
||||||
* Swift: `swift/ql/src`
|
|
||||||
|
|
||||||
Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
|
Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
|
||||||
- Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
|
- Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
|
||||||
- Experimental queries need to include `experimental` in their `@tags`
|
|
||||||
- The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
|
- The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
|
||||||
- Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.
|
- Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.
|
||||||
|
|
||||||
|
|||||||
@@ -4,14 +4,13 @@ This open source repository contains the standard CodeQL libraries and queries t
|
|||||||
|
|
||||||
## How do I learn CodeQL and run queries?
|
## How do I learn CodeQL and run queries?
|
||||||
|
|
||||||
There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL using the [CodeQL extension for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) and the [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/).
|
There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
|
||||||
|
You can use the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension or the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com (Semmle Legacy product) to try out your queries on any open source project that's currently being analyzed.
|
||||||
|
|
||||||
## Contributing
|
## Contributing
|
||||||
|
|
||||||
We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
|
We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
|
||||||
|
|
||||||
For information on contributing to CodeQL documentation, see the "[contributing guide](docs/codeql/CONTRIBUTING.md)" for docs.
|
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
|
The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
|
||||||
|
|||||||
@@ -52,7 +52,7 @@
|
|||||||
| Unneeded defensive code | More true positive and fewer false positive results | This query now recognizes additional defensive code patterns. |
|
| Unneeded defensive code | More true positive and fewer false positive results | This query now recognizes additional defensive code patterns. |
|
||||||
| Unsafe dynamic method access | Fewer false positive results | This query no longer flags concatenated strings as unsafe method names. |
|
| Unsafe dynamic method access | Fewer false positive results | This query no longer flags concatenated strings as unsafe method names. |
|
||||||
| Unused parameter | Fewer false positive results | This query no longer flags parameters with leading underscore. |
|
| Unused parameter | Fewer false positive results | This query no longer flags parameters with leading underscore. |
|
||||||
| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implicitly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
|
| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implictly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
|
||||||
| Unvalidated dynamic method call | More true positive results | This query now flags concatenated strings as unvalidated method names in more cases. |
|
| Unvalidated dynamic method call | More true positive results | This query now flags concatenated strings as unvalidated method names in more cases. |
|
||||||
| Useless assignment to property. | Fewer false positive results | This query now treats assignments with complex right-hand sides correctly. |
|
| Useless assignment to property. | Fewer false positive results | This query now treats assignments with complex right-hand sides correctly. |
|
||||||
| Useless conditional | Fewer results | Additional defensive coding patterns are now ignored. |
|
| Useless conditional | Fewer results | Additional defensive coding patterns are now ignored. |
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
|
|||||||
| Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
|
| Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
|
||||||
| Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
|
| Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
|
||||||
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). |
|
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). |
|
||||||
| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
|
| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggrered by mismatching declarations of a formatting function. |
|
||||||
| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. |
|
| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. |
|
||||||
| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
|
| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
|
||||||
| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
|
| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
|
||||||
|
|||||||
@@ -91,7 +91,7 @@
|
|||||||
|
|
||||||
## Changes to libraries
|
## Changes to libraries
|
||||||
|
|
||||||
* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimic this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
|
* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
|
||||||
* An extensible model of the `EventEmitter` pattern has been implemented.
|
* An extensible model of the `EventEmitter` pattern has been implemented.
|
||||||
* Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries
|
* Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries
|
||||||
that combine taint-tracking and flow labels.
|
that combine taint-tracking and flow labels.
|
||||||
|
|||||||
@@ -4,8 +4,6 @@ provide:
|
|||||||
- "*/ql/test/qlpack.yml"
|
- "*/ql/test/qlpack.yml"
|
||||||
- "*/ql/examples/qlpack.yml"
|
- "*/ql/examples/qlpack.yml"
|
||||||
- "*/ql/consistency-queries/qlpack.yml"
|
- "*/ql/consistency-queries/qlpack.yml"
|
||||||
- "*/ql/automodel/src/qlpack.yml"
|
|
||||||
- "*/ql/automodel/test/qlpack.yml"
|
|
||||||
- "shared/*/qlpack.yml"
|
- "shared/*/qlpack.yml"
|
||||||
- "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
|
- "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
|
||||||
- "go/ql/config/legacy-support/qlpack.yml"
|
- "go/ql/config/legacy-support/qlpack.yml"
|
||||||
@@ -19,7 +17,6 @@ provide:
|
|||||||
# - "javascript/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
|
# - "javascript/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
|
||||||
- "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
|
- "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
|
||||||
- "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
|
- "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
|
||||||
- "javascript/ql/experimental/adaptivethreatmodeling/test/qlpack.yml"
|
|
||||||
- "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
|
- "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
|
||||||
- "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
|
- "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
|
||||||
- "csharp/ql/campaigns/Solorigate/test/qlpack.yml"
|
- "csharp/ql/campaigns/Solorigate/test/qlpack.yml"
|
||||||
@@ -27,8 +24,7 @@ provide:
|
|||||||
- "misc/suite-helpers/qlpack.yml"
|
- "misc/suite-helpers/qlpack.yml"
|
||||||
- "ruby/extractor-pack/codeql-extractor.yml"
|
- "ruby/extractor-pack/codeql-extractor.yml"
|
||||||
- "swift/extractor-pack/codeql-extractor.yml"
|
- "swift/extractor-pack/codeql-extractor.yml"
|
||||||
- "swift/integration-tests/qlpack.yml"
|
- "ql/extractor-pack/codeql-extractor.ym"
|
||||||
- "ql/extractor-pack/codeql-extractor.yml"
|
|
||||||
|
|
||||||
versionPolicies:
|
versionPolicies:
|
||||||
default:
|
default:
|
||||||
|
|||||||
@@ -1,21 +0,0 @@
|
|||||||
const mongoose = require('mongoose');
|
|
||||||
|
|
||||||
Logger = require('./logger').Logger;
|
|
||||||
Note = require('./models/note').Note;
|
|
||||||
|
|
||||||
(async () => {
|
|
||||||
if (process.argv.length != 5) {
|
|
||||||
Logger.log("Creates a private note. Usage: node add-note.js <token> <title> <body>")
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Open the default mongoose connection
|
|
||||||
await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
|
|
||||||
|
|
||||||
const [userToken, title, body] = process.argv.slice(2);
|
|
||||||
await Note.create({ title, body, userToken });
|
|
||||||
|
|
||||||
Logger.log(`Created private note with title ${title} and body ${body} belonging to user with token ${userToken}.`);
|
|
||||||
|
|
||||||
await mongoose.connection.close();
|
|
||||||
})();
|
|
||||||
@@ -1,68 +0,0 @@
|
|||||||
const bodyParser = require('body-parser');
|
|
||||||
const express = require('express');
|
|
||||||
const mongoose = require('mongoose');
|
|
||||||
|
|
||||||
const notesApi = require('./notes-api');
|
|
||||||
const usersApi = require('./users-api');
|
|
||||||
|
|
||||||
const addSampleData = module.exports.addSampleData = async () => {
|
|
||||||
const [userA, userB] = await User.create([
|
|
||||||
{
|
|
||||||
name: "A",
|
|
||||||
token: "tokenA"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "B",
|
|
||||||
token: "tokenB"
|
|
||||||
}
|
|
||||||
]);
|
|
||||||
|
|
||||||
await Note.create([
|
|
||||||
{
|
|
||||||
title: "Public note belonging to A",
|
|
||||||
body: "This is a public note belonging to A",
|
|
||||||
isPublic: true,
|
|
||||||
ownerToken: userA.token
|
|
||||||
},
|
|
||||||
{
|
|
||||||
title: "Public note belonging to B",
|
|
||||||
body: "This is a public note belonging to B",
|
|
||||||
isPublic: true,
|
|
||||||
ownerToken: userB.token
|
|
||||||
},
|
|
||||||
{
|
|
||||||
title: "Private note belonging to A",
|
|
||||||
body: "This is a private note belonging to A",
|
|
||||||
ownerToken: userA.token
|
|
||||||
},
|
|
||||||
{
|
|
||||||
title: "Private note belonging to B",
|
|
||||||
body: "This is a private note belonging to B",
|
|
||||||
ownerToken: userB.token
|
|
||||||
}
|
|
||||||
]);
|
|
||||||
}
|
|
||||||
|
|
||||||
module.exports.startApp = async () => {
|
|
||||||
// Open the default mongoose connection
|
|
||||||
await mongoose.connect('mongodb://mongo:27017/notes', { useFindAndModify: false });
|
|
||||||
// Drop contents of DB
|
|
||||||
mongoose.connection.dropDatabase();
|
|
||||||
// Add some sample data
|
|
||||||
await addSampleData();
|
|
||||||
|
|
||||||
const app = express();
|
|
||||||
|
|
||||||
app.use(bodyParser.json());
|
|
||||||
app.use(bodyParser.urlencoded());
|
|
||||||
|
|
||||||
app.get('/', async (_req, res) => {
|
|
||||||
res.send('Hello World');
|
|
||||||
});
|
|
||||||
|
|
||||||
app.use('/api/notes', notesApi.router);
|
|
||||||
app.use('/api/users', usersApi.router);
|
|
||||||
|
|
||||||
app.listen(3000);
|
|
||||||
Logger.log('Express started on port 3000');
|
|
||||||
};
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
const startApp = require('./app').startApp;
|
|
||||||
|
|
||||||
Logger = require('./logger').Logger;
|
|
||||||
Note = require('./models/note').Note;
|
|
||||||
User = require('./models/user').User;
|
|
||||||
|
|
||||||
startApp();
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
module.exports.Logger = class {
|
|
||||||
log(message, ...objs) {
|
|
||||||
console.log(message, objs);
|
|
||||||
}
|
|
||||||
};
|
|
||||||
@@ -1,8 +0,0 @@
|
|||||||
const mongoose = require('mongoose');
|
|
||||||
|
|
||||||
module.exports.Note = mongoose.model('Note', new mongoose.Schema({
|
|
||||||
title: String,
|
|
||||||
body: String,
|
|
||||||
ownerToken: String,
|
|
||||||
isPublic: Boolean
|
|
||||||
}));
|
|
||||||
@@ -1,6 +0,0 @@
|
|||||||
const mongoose = require('mongoose');
|
|
||||||
|
|
||||||
module.exports.User = mongoose.model('User', new mongoose.Schema({
|
|
||||||
name: String,
|
|
||||||
token: String
|
|
||||||
}));
|
|
||||||
@@ -1,44 +0,0 @@
|
|||||||
const express = require('express')
|
|
||||||
|
|
||||||
const router = module.exports.router = express.Router();
|
|
||||||
|
|
||||||
function serializeNote(note) {
|
|
||||||
return {
|
|
||||||
title: note.title,
|
|
||||||
body: note.body
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
router.post('/find', async (req, res) => {
|
|
||||||
const notes = await Note.find({
|
|
||||||
ownerToken: req.body.token
|
|
||||||
}).exec();
|
|
||||||
res.json({
|
|
||||||
notes: notes.map(serializeNote)
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
router.get('/findPublic', async (_req, res) => {
|
|
||||||
const notes = await Note.find({
|
|
||||||
isPublic: true
|
|
||||||
}).exec();
|
|
||||||
res.json({
|
|
||||||
notes: notes.map(serializeNote)
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
router.post('/findVisible', async (req, res) => {
|
|
||||||
const notes = await Note.find({
|
|
||||||
$or: [
|
|
||||||
{
|
|
||||||
isPublic: true
|
|
||||||
},
|
|
||||||
{
|
|
||||||
ownerToken: req.body.token
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}).exec();
|
|
||||||
res.json({
|
|
||||||
notes: notes.map(serializeNote)
|
|
||||||
});
|
|
||||||
});
|
|
||||||
@@ -1,37 +0,0 @@
|
|||||||
const mongoose = require('mongoose');
|
|
||||||
|
|
||||||
Logger = require('./logger').Logger;
|
|
||||||
Note = require('./models/note').Note;
|
|
||||||
User = require('./models/user').User;
|
|
||||||
|
|
||||||
(async () => {
|
|
||||||
if (process.argv.length != 3) {
|
|
||||||
Logger.log("Outputs all notes visible to a user. Usage: node read-notes.js <token>")
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Open the default mongoose connection
|
|
||||||
await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
|
|
||||||
|
|
||||||
const ownerToken = process.argv[2];
|
|
||||||
|
|
||||||
const user = await User.findOne({
|
|
||||||
token: ownerToken
|
|
||||||
}).exec();
|
|
||||||
|
|
||||||
const notes = await Note.find({
|
|
||||||
$or: [
|
|
||||||
{ isPublic: true },
|
|
||||||
{ ownerToken }
|
|
||||||
]
|
|
||||||
}).exec();
|
|
||||||
|
|
||||||
notes.map(note => {
|
|
||||||
Logger.log("Title:" + note.title);
|
|
||||||
Logger.log("By:" + user.name);
|
|
||||||
Logger.log("Body:" + note.body);
|
|
||||||
Logger.log();
|
|
||||||
});
|
|
||||||
|
|
||||||
await mongoose.connection.close();
|
|
||||||
})();
|
|
||||||
@@ -1,25 +0,0 @@
|
|||||||
const express = require('express')
|
|
||||||
|
|
||||||
Logger = require('./logger').Logger;
|
|
||||||
const router = module.exports.router = express.Router();
|
|
||||||
|
|
||||||
router.post('/updateName', async (req, res) => {
|
|
||||||
Logger.log("/updateName called with new name", req.body.name);
|
|
||||||
await User.findOneAndUpdate({
|
|
||||||
token: req.body.token
|
|
||||||
}, {
|
|
||||||
name: req.body.name
|
|
||||||
}).exec();
|
|
||||||
res.json({
|
|
||||||
name: req.body.name
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
router.post('/getName', async (req, res) => {
|
|
||||||
const user = await User.findOne({
|
|
||||||
token: req.body.token
|
|
||||||
}).exec();
|
|
||||||
res.json({
|
|
||||||
name: user.name
|
|
||||||
});
|
|
||||||
});
|
|
||||||
@@ -1,33 +0,0 @@
|
|||||||
{
|
|
||||||
"files": [
|
|
||||||
"javascript/ql/lib/semmlecode.javascript.dbscheme",
|
|
||||||
"python/ql/lib/semmlecode.python.dbscheme",
|
|
||||||
"ruby/ql/lib/ruby.dbscheme",
|
|
||||||
"ql/ql/src/ql.dbscheme"
|
|
||||||
],
|
|
||||||
"fragments": [
|
|
||||||
"/*- External data -*/",
|
|
||||||
"/*- Files and folders -*/",
|
|
||||||
"/*- Diagnostic messages -*/",
|
|
||||||
"/*- Diagnostic messages: severity -*/",
|
|
||||||
"/*- Source location prefix -*/",
|
|
||||||
"/*- Lines of code -*/",
|
|
||||||
"/*- Configuration files with key value pairs -*/",
|
|
||||||
"/*- YAML -*/",
|
|
||||||
"/*- XML Files -*/",
|
|
||||||
"/*- XML: sourceline -*/",
|
|
||||||
"/*- DEPRECATED: External defects and metrics -*/",
|
|
||||||
"/*- DEPRECATED: Snapshot date -*/",
|
|
||||||
"/*- DEPRECATED: Duplicate code -*/",
|
|
||||||
"/*- DEPRECATED: Version control data -*/",
|
|
||||||
"/*- JavaScript-specific part -*/",
|
|
||||||
"/*- Ruby dbscheme -*/",
|
|
||||||
"/*- Erb dbscheme -*/",
|
|
||||||
"/*- QL dbscheme -*/",
|
|
||||||
"/*- Dbscheme dbscheme -*/",
|
|
||||||
"/*- Yaml dbscheme -*/",
|
|
||||||
"/*- Blame dbscheme -*/",
|
|
||||||
"/*- JSON dbscheme -*/",
|
|
||||||
"/*- Python dbscheme -*/"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,48 +1,66 @@
|
|||||||
{
|
{
|
||||||
"DataFlow Java/C++/C#/Go/Python/Ruby/Swift Legacy Configuration": [
|
"DataFlow Java/C++/C#/Python": [
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
|
||||||
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll",
|
||||||
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll",
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
|
||||||
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
|
||||||
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
|
||||||
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
|
||||||
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
|
||||||
"go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll",
|
||||||
"go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
|
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
|
||||||
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll",
|
|
||||||
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
|
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
|
||||||
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
|
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
|
||||||
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
|
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll",
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
|
||||||
"swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll"
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
|
||||||
|
"swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
|
||||||
],
|
],
|
||||||
"TaintTracking Legacy Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
|
"DataFlow Java/C++/C#/Python Common": [
|
||||||
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
|
||||||
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
|
||||||
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
|
||||||
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
|
||||||
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
|
||||||
|
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll",
|
||||||
|
"swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll"
|
||||||
|
],
|
||||||
|
"TaintTracking::Configuration Java/C++/C#/Python": [
|
||||||
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
|
||||||
"go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
|
||||||
"go/ql/lib/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
@@ -51,12 +69,22 @@
|
|||||||
"python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
|
"python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
"python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
|
"python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll",
|
||||||
"swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
|
"swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
|
||||||
],
|
],
|
||||||
"DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
|
"DataFlow Java/C++/C#/Python Consistency checks": [
|
||||||
|
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
|
||||||
|
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
|
||||||
|
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
|
||||||
|
"cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
|
||||||
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
|
||||||
|
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll",
|
||||||
|
"swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll"
|
||||||
|
],
|
||||||
|
"DataFlow Java/C#/Ruby/Python/Swift Flow Summaries": [
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
|
||||||
"go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll",
|
|
||||||
"ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
|
||||||
"python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll",
|
"python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll",
|
||||||
"swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
|
"swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
|
||||||
@@ -66,12 +94,8 @@
|
|||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
|
||||||
],
|
],
|
||||||
"Model as Data Generation Java/C# - CaptureModels": [
|
"Model as Data Generation Java/C# - CaptureModels": [
|
||||||
"java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
|
"java/ql/src/utils/model-generator/internal/CaptureModels.qll",
|
||||||
"csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
|
"csharp/ql/src/utils/model-generator/internal/CaptureModels.qll"
|
||||||
],
|
|
||||||
"Model as Data Generation Java/C# - CaptureModelsPrinting": [
|
|
||||||
"java/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll",
|
|
||||||
"csharp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll"
|
|
||||||
],
|
],
|
||||||
"Sign Java/C#": [
|
"Sign Java/C#": [
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
|
||||||
@@ -229,11 +253,6 @@
|
|||||||
"cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
|
"cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
|
||||||
],
|
],
|
||||||
"C++ IR IRConsistencyImports": [
|
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConsistencyImports.qll",
|
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRConsistencyImports.qll",
|
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRConsistencyImports.qll"
|
|
||||||
],
|
|
||||||
"C++ IR IRFunctionImports": [
|
"C++ IR IRFunctionImports": [
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
|
||||||
"cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
|
"cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
|
||||||
@@ -377,6 +396,16 @@
|
|||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
|
||||||
],
|
],
|
||||||
|
"Inline Test Expectations": [
|
||||||
|
"cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
||||||
|
"csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
||||||
|
"java/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
||||||
|
"python/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
||||||
|
"ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
||||||
|
"ql/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
||||||
|
"go/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
||||||
|
"swift/ql/test/TestUtilities/InlineExpectationsTest.qll"
|
||||||
|
],
|
||||||
"C++ ExternalAPIs": [
|
"C++ ExternalAPIs": [
|
||||||
"cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
|
"cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
|
||||||
"cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"
|
"cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"
|
||||||
@@ -435,10 +464,6 @@
|
|||||||
"javascript/ql/src/Comments/CommentedOutCodeReferences.inc.qhelp",
|
"javascript/ql/src/Comments/CommentedOutCodeReferences.inc.qhelp",
|
||||||
"python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
|
"python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
|
||||||
],
|
],
|
||||||
"ThreadResourceAbuse qhelp": [
|
|
||||||
"java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
|
|
||||||
"java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
|
|
||||||
],
|
|
||||||
"IDE Contextual Queries": [
|
"IDE Contextual Queries": [
|
||||||
"cpp/ql/lib/IDEContextual.qll",
|
"cpp/ql/lib/IDEContextual.qll",
|
||||||
"csharp/ql/lib/IDEContextual.qll",
|
"csharp/ql/lib/IDEContextual.qll",
|
||||||
@@ -459,20 +484,61 @@
|
|||||||
"SensitiveDataHeuristics Python/JS": [
|
"SensitiveDataHeuristics Python/JS": [
|
||||||
"javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
|
"javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
|
||||||
"python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
|
"python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
|
"ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll"
|
||||||
"swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
|
],
|
||||||
|
"ReDoS Util Python/JS/Ruby/Java": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll",
|
||||||
|
"python/ql/lib/semmle/python/security/regexp/NfaUtils.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll",
|
||||||
|
"java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll"
|
||||||
|
],
|
||||||
|
"ReDoS Exponential Python/JS/Ruby/Java": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/regexp/ExponentialBackTracking.qll",
|
||||||
|
"python/ql/lib/semmle/python/security/regexp/ExponentialBackTracking.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/regexp/ExponentialBackTracking.qll",
|
||||||
|
"java/ql/lib/semmle/code/java/security/regexp/ExponentialBackTracking.qll"
|
||||||
|
],
|
||||||
|
"ReDoS Polynomial Python/JS/Ruby/Java": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/regexp/SuperlinearBackTracking.qll",
|
||||||
|
"python/ql/lib/semmle/python/security/regexp/SuperlinearBackTracking.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/regexp/SuperlinearBackTracking.qll",
|
||||||
|
"java/ql/lib/semmle/code/java/security/regexp/SuperlinearBackTracking.qll"
|
||||||
|
],
|
||||||
|
"RegexpMatching Python/JS/Ruby": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/regexp/RegexpMatching.qll",
|
||||||
|
"python/ql/lib/semmle/python/security/regexp/RegexpMatching.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/regexp/RegexpMatching.qll"
|
||||||
|
],
|
||||||
|
"BadTagFilterQuery Python/JS/Ruby": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll",
|
||||||
|
"python/ql/lib/semmle/python/security/BadTagFilterQuery.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/BadTagFilterQuery.qll"
|
||||||
|
],
|
||||||
|
"OverlyLargeRange Python/JS/Ruby/Java": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/OverlyLargeRangeQuery.qll",
|
||||||
|
"python/ql/lib/semmle/python/security/OverlyLargeRangeQuery.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/OverlyLargeRangeQuery.qll",
|
||||||
|
"java/ql/lib/semmle/code/java/security/OverlyLargeRangeQuery.qll"
|
||||||
|
],
|
||||||
|
"CFG": [
|
||||||
|
"csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll",
|
||||||
|
"swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowGraphImplShared.qll"
|
||||||
],
|
],
|
||||||
"TypeTracker": [
|
"TypeTracker": [
|
||||||
"python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
|
"python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
|
"ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
|
||||||
],
|
],
|
||||||
"SummaryTypeTracker": [
|
"CodeQL Tutorial": [
|
||||||
"python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
|
"cpp/ql/lib/tutorial.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
|
"csharp/ql/lib/tutorial.qll",
|
||||||
|
"java/ql/lib/tutorial.qll",
|
||||||
|
"javascript/ql/lib/tutorial.qll",
|
||||||
|
"python/ql/lib/tutorial.qll",
|
||||||
|
"ruby/ql/lib/tutorial.qll"
|
||||||
],
|
],
|
||||||
"AccessPathSyntax": [
|
"AccessPathSyntax": [
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
|
||||||
"go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
|
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
|
||||||
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
|
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
|
||||||
@@ -488,15 +554,31 @@
|
|||||||
"ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
|
"ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
|
||||||
"javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll"
|
"javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll"
|
||||||
],
|
],
|
||||||
|
"Hostname Regexp queries": [
|
||||||
|
"javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
|
||||||
|
"python/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
|
||||||
|
"ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll"
|
||||||
|
],
|
||||||
"ApiGraphModels": [
|
"ApiGraphModels": [
|
||||||
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
|
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
|
"ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
|
||||||
"python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll"
|
"python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll"
|
||||||
],
|
],
|
||||||
"ApiGraphModelsExtensions": [
|
"TaintedFormatStringQuery Ruby/JS": [
|
||||||
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll",
|
"javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
|
"ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
|
||||||
"python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
|
],
|
||||||
|
"TaintedFormatStringCustomizations Ruby/JS": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
|
||||||
|
],
|
||||||
|
"HttpToFileAccessQuery JS/Ruby": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
|
||||||
|
],
|
||||||
|
"HttpToFileAccessCustomizations JS/Ruby": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
|
||||||
],
|
],
|
||||||
"Typo database": [
|
"Typo database": [
|
||||||
"javascript/ql/src/Expressions/TypoDatabase.qll",
|
"javascript/ql/src/Expressions/TypoDatabase.qll",
|
||||||
@@ -518,20 +600,8 @@
|
|||||||
"swift/ql/test/extractor-tests/patterns/patterns.swift",
|
"swift/ql/test/extractor-tests/patterns/patterns.swift",
|
||||||
"swift/ql/test/library-tests/ast/patterns.swift"
|
"swift/ql/test/library-tests/ast/patterns.swift"
|
||||||
],
|
],
|
||||||
"Swift control flow test file": [
|
|
||||||
"swift/ql/test/library-tests/controlflow/graph/cfg.swift",
|
|
||||||
"swift/ql/test/library-tests/ast/cfg.swift"
|
|
||||||
],
|
|
||||||
"IncompleteMultiCharacterSanitization JS/Ruby": [
|
"IncompleteMultiCharacterSanitization JS/Ruby": [
|
||||||
"javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll",
|
"javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll",
|
||||||
"ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll"
|
"ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll"
|
||||||
],
|
|
||||||
"EncryptionKeySizes Python/Java": [
|
|
||||||
"python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
|
|
||||||
"java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
|
|
||||||
],
|
|
||||||
"Python model summaries test extension": [
|
|
||||||
"python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
|
|
||||||
"python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@@ -1,86 +0,0 @@
|
|||||||
#!/usr/bin/env python3
|
|
||||||
|
|
||||||
import argparse
|
|
||||||
import json
|
|
||||||
import os
|
|
||||||
import pathlib
|
|
||||||
import re
|
|
||||||
|
|
||||||
|
|
||||||
def make_groups(blocks):
|
|
||||||
groups = {}
|
|
||||||
for block in blocks:
|
|
||||||
groups.setdefault("".join(block["lines"]), []).append(block)
|
|
||||||
return list(groups.values())
|
|
||||||
|
|
||||||
|
|
||||||
def validate_fragments(fragments):
|
|
||||||
ok = True
|
|
||||||
for header, blocks in fragments.items():
|
|
||||||
groups = make_groups(blocks)
|
|
||||||
if len(groups) > 1:
|
|
||||||
ok = False
|
|
||||||
print("Warning: dbscheme fragments with header '{}' are different for {}".format(header, ["{}:{}:{}".format(
|
|
||||||
group[0]["file"], group[0]["start"], group[0]["end"]) for group in groups]))
|
|
||||||
return ok
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
|
||||||
script_path = os.path.realpath(__file__)
|
|
||||||
script_dir = os.path.dirname(script_path)
|
|
||||||
parser = argparse.ArgumentParser(
|
|
||||||
prog=os.path.basename(script_path),
|
|
||||||
description='Sync dbscheme fragments across files.'
|
|
||||||
)
|
|
||||||
parser.add_argument('files', metavar='dbscheme_file', type=pathlib.Path, nargs='*', default=[],
|
|
||||||
help='dbscheme files to check')
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
with open(os.path.join(script_dir, "dbscheme-fragments.json"), "r") as f:
|
|
||||||
config = json.load(f)
|
|
||||||
|
|
||||||
fragment_headers = set(config["fragments"])
|
|
||||||
fragments = {}
|
|
||||||
ok = True
|
|
||||||
for file in args.files + config["files"]:
|
|
||||||
with open(os.path.join(os.path.dirname(script_dir), file), "r") as dbscheme:
|
|
||||||
header = None
|
|
||||||
line_number = 1
|
|
||||||
block = {"file": file, "start": line_number,
|
|
||||||
"end": None, "lines": []}
|
|
||||||
|
|
||||||
def end_block():
|
|
||||||
block["end"] = line_number - 1
|
|
||||||
if len(block["lines"]) > 0:
|
|
||||||
if header is None:
|
|
||||||
if re.match(r'(?m)\A(\s|//.*$|/\*(\**[^\*])*\*+/)*\Z', "".join(block["lines"])):
|
|
||||||
# Ignore comments at the beginning of the file
|
|
||||||
pass
|
|
||||||
else:
|
|
||||||
ok = False
|
|
||||||
print("Warning: dbscheme fragment without header: {}:{}:{}".format(
|
|
||||||
block["file"], block["start"], block["end"]))
|
|
||||||
else:
|
|
||||||
fragments.setdefault(header, []).append(block)
|
|
||||||
for line in dbscheme:
|
|
||||||
m = re.match(r"^\/\*-.*-\*\/$", line)
|
|
||||||
if m:
|
|
||||||
end_block()
|
|
||||||
header = line.strip()
|
|
||||||
if header not in fragment_headers:
|
|
||||||
ok = False
|
|
||||||
print("Warning: unknown header for dbscheme fragment: '{}': {}:{}".format(
|
|
||||||
header, file, line_number))
|
|
||||||
block = {"file": file, "start": line_number,
|
|
||||||
"end": None, "lines": []}
|
|
||||||
block["lines"].append(line)
|
|
||||||
line_number += 1
|
|
||||||
block["lines"].append('\n')
|
|
||||||
line_number += 1
|
|
||||||
end_block()
|
|
||||||
if not ok or not validate_fragments(fragments):
|
|
||||||
exit(1)
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
main()
|
|
||||||
@@ -1,17 +1,12 @@
|
|||||||
load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
|
|
||||||
|
|
||||||
package(default_visibility = ["//visibility:public"])
|
package(default_visibility = ["//visibility:public"])
|
||||||
|
|
||||||
|
load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
|
||||||
|
|
||||||
alias(
|
alias(
|
||||||
name = "dbscheme",
|
name = "dbscheme",
|
||||||
actual = "//cpp/ql/lib:dbscheme",
|
actual = "//cpp/ql/lib:dbscheme",
|
||||||
)
|
)
|
||||||
|
|
||||||
alias(
|
|
||||||
name = "dbscheme-stats",
|
|
||||||
actual = "//cpp/ql/lib:dbscheme-stats",
|
|
||||||
)
|
|
||||||
|
|
||||||
pkg_filegroup(
|
pkg_filegroup(
|
||||||
name = "db-files",
|
name = "db-files",
|
||||||
srcs = [
|
srcs = [
|
||||||
|
|||||||
@@ -1,6 +1,5 @@
|
|||||||
using Xunit;
|
using Xunit;
|
||||||
using Semmle.Autobuild.Shared;
|
using Semmle.Autobuild.Shared;
|
||||||
using Semmle.Util;
|
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using System;
|
using System;
|
||||||
using System.Linq;
|
using System.Linq;
|
||||||
@@ -76,15 +75,6 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
throw new ArgumentException("Missing RunProcess " + pattern);
|
throw new ArgumentException("Missing RunProcess " + pattern);
|
||||||
}
|
}
|
||||||
|
|
||||||
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, BuildOutputHandler onOutput, BuildOutputHandler onError)
|
|
||||||
{
|
|
||||||
var ret = (this as IBuildActions).RunProcess(cmd, args, workingDirectory, env, out var stdout);
|
|
||||||
|
|
||||||
stdout.ForEach(line => onOutput(line));
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
public IList<string> DirectoryDeleteIn = new List<string>();
|
public IList<string> DirectoryDeleteIn = new List<string>();
|
||||||
|
|
||||||
void IBuildActions.DirectoryDelete(string dir, bool recursive)
|
void IBuildActions.DirectoryDelete(string dir, bool recursive)
|
||||||
@@ -141,14 +131,6 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
|
|
||||||
bool IBuildActions.IsWindows() => IsWindows;
|
bool IBuildActions.IsWindows() => IsWindows;
|
||||||
|
|
||||||
public bool IsMacOs { get; set; }
|
|
||||||
|
|
||||||
bool IBuildActions.IsMacOs() => IsMacOs;
|
|
||||||
|
|
||||||
public bool IsArm { get; set; }
|
|
||||||
|
|
||||||
bool IBuildActions.IsArm() => IsArm;
|
|
||||||
|
|
||||||
string IBuildActions.PathCombine(params string[] parts)
|
string IBuildActions.PathCombine(params string[] parts)
|
||||||
{
|
{
|
||||||
return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));
|
return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));
|
||||||
@@ -194,15 +176,6 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
if (!DownloadFiles.Contains((address, fileName)))
|
if (!DownloadFiles.Contains((address, fileName)))
|
||||||
throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
|
throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
|
||||||
}
|
}
|
||||||
|
|
||||||
public IDiagnosticsWriter CreateDiagnosticsWriter(string filename) => new TestDiagnosticWriter();
|
|
||||||
}
|
|
||||||
|
|
||||||
internal class TestDiagnosticWriter : IDiagnosticsWriter
|
|
||||||
{
|
|
||||||
public IList<DiagnosticMessage> Diagnostics { get; } = new List<DiagnosticMessage>();
|
|
||||||
|
|
||||||
public void AddEntry(DiagnosticMessage message) => this.Diagnostics.Add(message);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
@@ -262,7 +235,6 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_TRAP_DIR"] = "";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_TRAP_DIR"] = "";
|
||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
|
||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
|
||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_DIAGNOSTIC_DIR"] = "";
|
|
||||||
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
|
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
|
||||||
Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
|
Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
|
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
|
||||||
@@ -285,11 +257,11 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.GetCurrentDirectory = cwd;
|
Actions.GetCurrentDirectory = cwd;
|
||||||
Actions.IsWindows = isWindows;
|
Actions.IsWindows = isWindows;
|
||||||
|
|
||||||
var options = new CppAutobuildOptions(Actions);
|
var options = new AutobuildOptions(Actions, Language.Cpp);
|
||||||
return new CppAutobuilder(Actions, options);
|
return new CppAutobuilder(Actions, options);
|
||||||
}
|
}
|
||||||
|
|
||||||
void TestAutobuilderScript(CppAutobuilder autobuilder, int expectedOutput, int commandsRun)
|
void TestAutobuilderScript(Autobuilder autobuilder, int expectedOutput, int commandsRun)
|
||||||
{
|
{
|
||||||
Assert.Equal(expectedOutput, autobuilder.GetBuildScript().Run(Actions, StartCallback, EndCallback));
|
Assert.Equal(expectedOutput, autobuilder.GetBuildScript().Run(Actions, StartCallback, EndCallback));
|
||||||
|
|
||||||
@@ -327,7 +299,7 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
{
|
{
|
||||||
Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
|
Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
|
||||||
Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
|
Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
|
||||||
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program^ Files^ ^(x86^)\Microsoft^ Visual^ Studio^ 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
|
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
|
||||||
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
||||||
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
||||||
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = 0;
|
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = 0;
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
<OutputType>Exe</OutputType>
|
||||||
<TargetFramework>net7.0</TargetFramework>
|
<TargetFramework>net6.0</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
<Nullable>enable</Nullable>
|
<Nullable>enable</Nullable>
|
||||||
@@ -11,12 +11,11 @@
|
|||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
||||||
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
||||||
<PackageReference Include="xunit" Version="2.4.2" />
|
<PackageReference Include="xunit" Version="2.4.1" />
|
||||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
|
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
|
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -1,28 +1,10 @@
|
|||||||
using Semmle.Autobuild.Shared;
|
using Semmle.Autobuild.Shared;
|
||||||
using Semmle.Util;
|
|
||||||
|
|
||||||
namespace Semmle.Autobuild.Cpp
|
namespace Semmle.Autobuild.Cpp
|
||||||
{
|
{
|
||||||
/// <summary>
|
public class CppAutobuilder : Autobuilder
|
||||||
/// Encapsulates C++ build options.
|
|
||||||
/// </summary>
|
|
||||||
public class CppAutobuildOptions : AutobuildOptionsShared
|
|
||||||
{
|
{
|
||||||
public override Language Language => Language.Cpp;
|
public CppAutobuilder(IBuildActions actions, AutobuildOptions options) : base(actions, options) { }
|
||||||
|
|
||||||
|
|
||||||
/// <summary>
|
|
||||||
/// Reads options from environment variables.
|
|
||||||
/// Throws ArgumentOutOfRangeException for invalid arguments.
|
|
||||||
/// </summary>
|
|
||||||
public CppAutobuildOptions(IBuildActions actions) : base(actions)
|
|
||||||
{
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public class CppAutobuilder : Autobuilder<CppAutobuildOptions>
|
|
||||||
{
|
|
||||||
public CppAutobuilder(IBuildActions actions, CppAutobuildOptions options) : base(actions, options, new DiagnosticClassifier()) { }
|
|
||||||
|
|
||||||
public override BuildScript GetBuildScript()
|
public override BuildScript GetBuildScript()
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -11,14 +11,14 @@ namespace Semmle.Autobuild.Cpp
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
var actions = SystemBuildActions.Instance;
|
var actions = SystemBuildActions.Instance;
|
||||||
var options = new CppAutobuildOptions(actions);
|
var options = new AutobuildOptions(actions, Language.Cpp);
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
Console.WriteLine("CodeQL C++ autobuilder");
|
Console.WriteLine("CodeQL C++ autobuilder");
|
||||||
var builder = new CppAutobuilder(actions, options);
|
var builder = new CppAutobuilder(actions, options);
|
||||||
return builder.AttemptBuild();
|
return builder.AttemptBuild();
|
||||||
}
|
}
|
||||||
catch (InvalidEnvironmentException ex)
|
catch(InvalidEnvironmentException ex)
|
||||||
{
|
{
|
||||||
Console.WriteLine("The environment is invalid: {0}", ex.Message);
|
Console.WriteLine("The environment is invalid: {0}", ex.Message);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<TargetFramework>net7.0</TargetFramework>
|
<TargetFramework>net6.0</TargetFramework>
|
||||||
<AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
|
<AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
|
||||||
<RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
|
<RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
|
||||||
<ApplicationIcon />
|
<ApplicationIcon />
|
||||||
@@ -17,7 +17,7 @@
|
|||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="Microsoft.Build" Version="17.3.2" />
|
<PackageReference Include="Microsoft.Build" Version="16.11.0" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,4 +0,0 @@
|
|||||||
description: Revert support for repeated initializers, which are allowed in C with designated initializers.
|
|
||||||
compatibility: full
|
|
||||||
aggregate_field_init.rel: reorder aggregate_field_init.rel (int aggregate, int initializer, int field, int position) aggregate initializer field
|
|
||||||
aggregate_array_init.rel: reorder aggregate_array_init.rel (int aggregate, int initializer, int element_index, int position) aggregate initializer element_index
|
|
||||||
@@ -13,5 +13,5 @@ predicate isExprWithNewBuiltin(Expr expr) {
|
|||||||
from Expr expr, int kind, int kind_new, Location location
|
from Expr expr, int kind, int kind_new, Location location
|
||||||
where
|
where
|
||||||
exprs(expr, kind, location) and
|
exprs(expr, kind, location) and
|
||||||
if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
|
if isExprWithNewBuiltin(expr) then kind_new = 0 else kind_new = kind
|
||||||
select expr, kind_new, location
|
select expr, kind_new, location
|
||||||
|
|||||||
@@ -9,5 +9,5 @@ class Location extends @location_expr {
|
|||||||
from Expr expr, int kind, int kind_new, Location location
|
from Expr expr, int kind, int kind_new, Location location
|
||||||
where
|
where
|
||||||
exprs(expr, kind, location) and
|
exprs(expr, kind, location) and
|
||||||
if expr instanceof @blockassignexpr then kind_new = 1 else kind_new = kind
|
if expr instanceof @blockassignexpr then kind_new = 0 else kind_new = kind
|
||||||
select expr, kind_new, location
|
select expr, kind_new, location
|
||||||
|
|||||||
@@ -1,11 +0,0 @@
|
|||||||
class BuiltinType extends @builtintype {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
|
|
||||||
where
|
|
||||||
builtintypes(type, name, kind, size, sign, alignment) and
|
|
||||||
if type instanceof @float16 or type instanceof @complex_float16
|
|
||||||
then kind_new = 2
|
|
||||||
else kind_new = kind
|
|
||||||
select type, name, kind_new, size, sign, alignment
|
|
||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,3 +0,0 @@
|
|||||||
description: Introduce (_Complex) _Float16 type
|
|
||||||
compatibility: backwards
|
|
||||||
builtintypes.rel: run builtintypes.qlo
|
|
||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,2 +0,0 @@
|
|||||||
description: Uncomment case splits in dbscheme
|
|
||||||
compatibility: full
|
|
||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,2 +0,0 @@
|
|||||||
description: Remove _Float128 type
|
|
||||||
compatibility: full
|
|
||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,2 +0,0 @@
|
|||||||
description: Make __is_trivial a builtin operation
|
|
||||||
compatibility: full
|
|
||||||
@@ -2,4 +2,3 @@ name: codeql/cpp-downgrades
|
|||||||
groups: cpp
|
groups: cpp
|
||||||
downgrades: .
|
downgrades: .
|
||||||
library: true
|
library: true
|
||||||
warnOnImplicitThis: true
|
|
||||||
|
|||||||
@@ -3,5 +3,4 @@ groups:
|
|||||||
- cpp
|
- cpp
|
||||||
- examples
|
- examples
|
||||||
dependencies:
|
dependencies:
|
||||||
codeql/cpp-all: ${workspace}
|
codeql/cpp-all: "*"
|
||||||
warnOnImplicitThis: true
|
|
||||||
|
|||||||
1
cpp/ql/examples/queries.xml
Normal file
1
cpp/ql/examples/queries.xml
Normal file
@@ -0,0 +1 @@
|
|||||||
|
<queries language="cpp"/>
|
||||||
@@ -1,7 +1,7 @@
|
|||||||
load("@rules_pkg//:mappings.bzl", "pkg_files")
|
|
||||||
|
|
||||||
package(default_visibility = ["//cpp:__pkg__"])
|
package(default_visibility = ["//cpp:__pkg__"])
|
||||||
|
|
||||||
|
load("@rules_pkg//:mappings.bzl", "pkg_files")
|
||||||
|
|
||||||
pkg_files(
|
pkg_files(
|
||||||
name = "dbscheme",
|
name = "dbscheme",
|
||||||
srcs = ["semmlecode.cpp.dbscheme"],
|
srcs = ["semmlecode.cpp.dbscheme"],
|
||||||
|
|||||||
@@ -1,271 +1,3 @@
|
|||||||
## 0.10.1
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
|
|
||||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
|
||||||
|
|
||||||
## 0.10.0
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
|
|
||||||
non-returning in the IR and dataflow.
|
|
||||||
* Treat functions that reach the end of the function as returning in the IR.
|
|
||||||
They used to be treated as unreachable but it is allowed in C.
|
|
||||||
* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
|
|
||||||
|
|
||||||
## 0.9.3
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.9.2
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
|
|
||||||
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
|
|
||||||
|
|
||||||
## 0.9.1
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.9.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* The `shouldPrintFunction` predicate from `PrintAstConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
|
|
||||||
* The `shouldPrintFunction` predicate from `PrintIRConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
|
|
||||||
|
|
||||||
### Major Analysis Improvements
|
|
||||||
|
|
||||||
* The `PrintAST` library now also prints global and namespace variables and their initializers.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* The `_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.
|
|
||||||
|
|
||||||
## 0.8.1
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* The library `semmle.code.cpp.dataflow.DataFlow` has been deprecated. Please use `semmle.code.cpp.dataflow.new.DataFlow` instead.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
|
|
||||||
Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Data flow configurations can now include a predicate `neverSkip(Node node)`
|
|
||||||
in order to ensure inclusion of certain nodes in the path explanations. The
|
|
||||||
predicate defaults to the end-points of the additional flow steps provided in
|
|
||||||
the configuration, which means that such steps now always are visible by
|
|
||||||
default in path explanations.
|
|
||||||
* The `IRGuards` library has improved handling of pointer addition and subtraction operations.
|
|
||||||
|
|
||||||
## 0.8.0
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* The `ProductFlow::StateConfigSig` signature now includes default predicates for `isBarrier1`, `isBarrier2`, `isAdditionalFlowStep1`, and `isAdditionalFlowStep1`. Hence, it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Deleted the deprecated `getURL` predicate from the `Container`, `Folder`, and `File` classes. Use the `getLocation` predicate instead.
|
|
||||||
|
|
||||||
## 0.7.4
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.7.3
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
|
|
||||||
* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
|
|
||||||
* Deleted the deprecated `CodeDuplication.qll` file.
|
|
||||||
|
|
||||||
## 0.7.2
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added an AST-based interface (`semmle.code.cpp.rangeanalysis.new.RangeAnalysis`) for the relative range analysis library.
|
|
||||||
* A new predicate `BarrierGuard::getAnIndirectBarrierNode` has been added to the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow`) to mark indirect expressions as barrier nodes using the `BarrierGuard` API.
|
|
||||||
|
|
||||||
### Major Analysis Improvements
|
|
||||||
|
|
||||||
* In the intermediate representation, handling of control flow after non-returning calls has been improved. This should remove false positives in queries that use the intermedite representation or libraries based on it, including the new data flow library.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* The `StdNamespace` class now also includes all inline namespaces that are children of `std` namespace.
|
|
||||||
* The new dataflow (`semmle.code.cpp.dataflow.new.DataFlow`) and taint-tracking libraries (`semmle.code.cpp.dataflow.new.TaintTracking`) now support tracking flow through static local variables.
|
|
||||||
|
|
||||||
## 0.7.1
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.7.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* The internal `SsaConsistency` module has been moved from `SSAConstruction` to `SSAConsitency`, and the deprecated `SSAConsistency` module has been removed.
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* The single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
|
|
||||||
* The recently introduced new data flow and taint tracking APIs have had a
|
|
||||||
number of module and predicate renamings. The old APIs remain in place for
|
|
||||||
now.
|
|
||||||
* The `SslContextCallAbstractConfig`, `SslContextCallConfig`, `SslContextCallBannedProtocolConfig`, `SslContextCallTls12ProtocolConfig`, `SslContextCallTls13ProtocolConfig`, `SslContextCallTlsProtocolConfig`, `SslContextFlowsToSetOptionConfig`, `SslOptionConfig` dataflow configurations from `BoostorgAsio` have been deprecated. Please use `SslContextCallConfigSig`, `SslContextCallGlobal`, `SslContextCallFlow`, `SslContextCallBannedProtocolFlow`, `SslContextCallTls12ProtocolFlow`, `SslContextCallTls13ProtocolFlow`, `SslContextCallTlsProtocolFlow`, `SslContextFlowsToSetOptionFlow`.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added overridable predicates `getSizeExpr` and `getSizeMult` to the `BufferAccess` class (`semmle.code.cpp.security.BufferAccess.qll`). This makes it possible to model a larger class of buffer reads and writes using the library.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* The `BufferAccess` library (`semmle.code.cpp.security.BufferAccess`) no longer matches buffer accesses inside unevaluated contexts (such as inside `sizeof` or `decltype` expressions). As a result, queries using this library may see fewer false positives.
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
|
|
||||||
|
|
||||||
## 0.6.1
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.6.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* The `semmle.code.cpp.commons.Buffer` and `semmle.code.cpp.commons.NullTermination` libraries no longer expose `semmle.code.cpp.dataflow.DataFlow`. Please import `semmle.code.cpp.dataflow.DataFlow` directly.
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* The `WriteConfig` taint tracking configuration has been deprecated. Please use `WriteFlow`.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added support for merging two `PathGraph`s via disjoint union to allow results from multiple data flow computations in a single `path-problem` query.
|
|
||||||
|
|
||||||
### Major Analysis Improvements
|
|
||||||
|
|
||||||
* A new C/C++ dataflow library (`semmle.code.cpp.dataflow.new.DataFlow`) has been added.
|
|
||||||
The new library behaves much more like the dataflow library of other CodeQL supported
|
|
||||||
languages by following use-use dataflow paths instead of def-use dataflow paths.
|
|
||||||
The new library also better supports dataflow through indirections, and new predicates
|
|
||||||
such as `Node::asIndirectExpr` have been added to facilitate working with indirections.
|
|
||||||
|
|
||||||
The `semmle.code.cpp.ir.dataflow.DataFlow` library is now identical to the new
|
|
||||||
`semmle.code.cpp.dataflow.new.DataFlow` library.
|
|
||||||
* The main data flow and taint tracking APIs have been changed. The old APIs
|
|
||||||
remain in place for now and translate to the new through a
|
|
||||||
backwards-compatible wrapper. If multiple configurations are in scope
|
|
||||||
simultaneously, then this may affect results slightly. The new API is quite
|
|
||||||
similar to the old, but makes use of a configuration module instead of a
|
|
||||||
configuration class.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Deleted the deprecated `hasGeneratedCopyConstructor` and `hasGeneratedCopyAssignmentOperator` predicates from the `Folder` class.
|
|
||||||
* Deleted the deprecated `getPath` and `getFolder` predicates from the `XmlFile` class.
|
|
||||||
* Deleted the deprecated `getMustlockFunction`, `getTrylockFunction`, `getLockFunction`, and `getUnlockFunction` predicates from the `MutexType` class.
|
|
||||||
* Deleted the deprecated `getPosInBasicBlock` predicate from the `SubBasicBlock` class.
|
|
||||||
* Deleted the deprecated `getExpr` predicate from the `PointerDereferenceExpr` class.
|
|
||||||
* Deleted the deprecated `getUseInstruction` and `getDefinitionInstruction` predicates from the `Operand` class.
|
|
||||||
* Deleted the deprecated `isInParameter`, `isInParameterPointer`, and `isInQualifier` predicates from the `FunctionInput` class.
|
|
||||||
* Deleted the deprecated `isOutParameterPointer`, `isOutQualifier`, `isOutReturnValue`, and `isOutReturnPointer` predicate from the `FunctionOutput` class.
|
|
||||||
* Deleted the deprecated 3-argument `isGuardPhi` predicate from the `RangeSsaDefinition` class.
|
|
||||||
|
|
||||||
## 0.5.4
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.5.3
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.5.2
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.5.1
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.5.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
|
|
||||||
* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
|
|
||||||
* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
|
|
||||||
* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
|
|
||||||
* The `getaddrinfo` function is now recognized as a flow source.
|
|
||||||
* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
|
|
||||||
* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
|
|
||||||
* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.
|
|
||||||
|
|
||||||
## 0.4.6
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.5
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.4
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.3
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Fixed bugs in the `FormatLiteral` class that were causing `getMaxConvertedLength` and related predicates to return no results when the format literal was `%e`, `%f` or `%g` and an explicit precision was specified.
|
|
||||||
|
|
||||||
## 0.4.2
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.1
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.0
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
|
|
||||||
The old name still exists as a deprecated alias.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added subclasses of `BuiltInOperations` for `__is_same`, `__is_function`, `__is_layout_compatible`, `__is_pointer_interconvertible_base_of`, `__is_array`, `__array_rank`, `__array_extent`, `__is_arithmetic`, `__is_complete_type`, `__is_compound`, `__is_const`, `__is_floating_point`, `__is_fundamental`, `__is_integral`, `__is_lvalue_reference`, `__is_member_function_pointer`, `__is_member_object_pointer`, `__is_member_pointer`, `__is_object`, `__is_pointer`, `__is_reference`, `__is_rvalue_reference`, `__is_scalar`, `__is_signed`, `__is_unsigned`, `__is_void`, and `__is_volatile`.
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
|
|
||||||
|
|
||||||
## 0.3.5
|
## 0.3.5
|
||||||
|
|
||||||
## 0.3.4
|
## 0.3.4
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: feature
|
||||||
|
---
|
||||||
|
* Added subclasses of `BuiltInOperations` for `__is_same`, `__is_function`, `__is_layout_compatible`, `__is_pointer_interconvertible_base_of`, `__is_array`, `__array_rank`, `__array_extent`, `__is_arithmetic`, `__is_complete_type`, `__is_compound`, `__is_const`, `__is_floating_point`, `__is_fundamental`, `__is_integral`, `__is_lvalue_reference`, `__is_member_function_pointer`, `__is_member_object_pointer`, `__is_member_pointer`, `__is_object`, `__is_pointer`, `__is_reference`, `__is_rvalue_reference`, `__is_scalar`, `__is_signed`, `__is_unsigned`, `__is_void`, and `__is_volatile`.
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user