Compare commits

..

1 Commits

Author SHA1 Message Date
Asger F
0751ef5c72 JS: Use HTTP responses as taint sources 2024-06-13 09:33:06 +02:00
217 changed files with 325 additions and 7312 deletions

View File

@@ -28,7 +28,6 @@
"/*- Yaml dbscheme -*/", "/*- Yaml dbscheme -*/",
"/*- Blame dbscheme -*/", "/*- Blame dbscheme -*/",
"/*- JSON dbscheme -*/", "/*- JSON dbscheme -*/",
"/*- Python dbscheme -*/", "/*- Python dbscheme -*/"
"/*- Empty location -*/"
] ]
} }

View File

@@ -1,9 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
## 0.13.1 ## 0.13.1
No user-facing changes. No user-facing changes.

View File

@@ -1,5 +1,4 @@
## 1.0.0 ---
category: breaking
### Breaking Changes ---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0. * CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.13.1

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all name: codeql/cpp-all
version: 1.0.0 version: 1.0.0-dev
groups: cpp groups: cpp
dbscheme: semmlecode.cpp.dbscheme dbscheme: semmlecode.cpp.dbscheme
extractor: cpp extractor: cpp

View File

@@ -1,14 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* The "Use of unique pointer after lifetime ends" query (`cpp/use-of-unique-pointer-after-lifetime-ends`) no longer reports an alert when the pointer is converted to a boolean
* The "Variable not initialized before use" query (`cpp/not-initialised`) no longer reports an alert on static variables.
## 0.9.12 ## 0.9.12
### New Queries ### New Queries

View File

@@ -12,8 +12,8 @@ the required buffer size, but do not allocate space for the zero terminator.
</overview> </overview>
<recommendation> <recommendation>
<p> <p>
The highlighted code segment creates a buffer without ensuring it's large enough to accommodate the copied data. The expression highlighted by this rule creates a buffer that is of insufficient size to contain
This leaves the code susceptible to a buffer overflow attack, which could lead to anything from program crashes to malicious code execution. the data being copied. This makes the code vulnerable to buffer overflow which can result in anything from a segmentation fault to a security vulnerability (particularly if the array is on stack-allocated memory).
</p> </p>
<p> <p>

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The "Variable not initialized before use" query (`cpp/not-initialised`) no longer reports an alert on static variables.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The "Use of unique pointer after lifetime ends" query (`cpp/use-of-unique-pointer-after-lifetime-ends`) no longer reports an alert when the pointer is converted to a boolean

View File

@@ -1,5 +1,4 @@
## 1.0.0 ---
category: breaking
### Breaking Changes ---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0. * CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,10 +0,0 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* The "Use of unique pointer after lifetime ends" query (`cpp/use-of-unique-pointer-after-lifetime-ends`) no longer reports an alert when the pointer is converted to a boolean
* The "Variable not initialized before use" query (`cpp/not-initialised`) no longer reports an alert on static variables.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.9.12

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries name: codeql/cpp-queries
version: 1.0.0 version: 1.0.0-dev
groups: groups:
- cpp - cpp
- queries - queries

View File

@@ -1 +0,0 @@
semmle-extractor-options: -D__x86_64=1

View File

@@ -1,7 +1,3 @@
## 1.7.17
No user-facing changes.
## 1.7.16 ## 1.7.16
No user-facing changes. No user-facing changes.

View File

@@ -1,3 +0,0 @@
## 1.7.17
No user-facing changes.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.7.17 lastReleaseVersion: 1.7.16

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all name: codeql/csharp-solorigate-all
version: 1.7.17 version: 1.7.17-dev
groups: groups:
- csharp - csharp
- solorigate - solorigate

View File

@@ -1,7 +1,3 @@
## 1.7.17
No user-facing changes.
## 1.7.16 ## 1.7.16
No user-facing changes. No user-facing changes.

View File

@@ -1,3 +0,0 @@
## 1.7.17
No user-facing changes.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.7.17 lastReleaseVersion: 1.7.16

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries name: codeql/csharp-solorigate-queries
version: 1.7.17 version: 1.7.17-dev
groups: groups:
- csharp - csharp
- solorigate - solorigate

View File

@@ -1,9 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
## 0.10.1 ## 0.10.1
No user-facing changes. No user-facing changes.

View File

@@ -1,5 +1,4 @@
## 1.0.0 ---
category: breaking
### Breaking Changes ---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0. * CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.10.1

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all name: codeql/csharp-all
version: 1.0.0 version: 1.0.0-dev
groups: csharp groups: csharp
dbscheme: semmlecode.csharp.dbscheme dbscheme: semmlecode.csharp.dbscheme
extractor: csharp extractor: csharp

View File

@@ -94,8 +94,6 @@ private import FlowSummaryImpl::Public
private import FlowSummaryImpl::Private private import FlowSummaryImpl::Private
private import FlowSummaryImpl::Private::External private import FlowSummaryImpl::Private::External
private import semmle.code.csharp.commons.QualifiedName private import semmle.code.csharp.commons.QualifiedName
private import semmle.code.csharp.dispatch.OverridableCallable
private import semmle.code.csharp.frameworks.System
private import codeql.mad.ModelValidation as SharedModelVal private import codeql.mad.ModelValidation as SharedModelVal
private predicate relevantNamespace(string namespace) { private predicate relevantNamespace(string namespace) {
@@ -444,16 +442,20 @@ predicate sourceNode(Node node, string kind) { sourceNode(node, kind, _) }
*/ */
predicate sinkNode(Node node, string kind) { sinkNode(node, kind, _) } predicate sinkNode(Node node, string kind) { sinkNode(node, kind, _) }
private predicate isOverridableCallable(OverridableCallable c) { /** Holds if the summary should apply for all overrides of `c`. */
not exists(Type t, Callable base | c.getOverridee+() = base and t = base.getDeclaringType() | predicate isBaseCallableOrPrototype(UnboundCallable c) {
t instanceof SystemObjectClass or c.getDeclaringType() instanceof Interface
t instanceof SystemValueTypeClass or
exists(Modifiable m | m = [c.(Modifiable), c.(Accessor).getDeclaration()] |
m.isAbstract()
or
c.getDeclaringType().(Modifiable).isAbstract() and m.(Virtualizable).isVirtual()
) )
} }
/** Gets a string representing whether the summary should apply for all overrides of `c`. */ /** Gets a string representing whether the summary should apply for all overrides of `c`. */
private string getCallableOverride(UnboundCallable c) { private string getCallableOverride(UnboundCallable c) {
if isOverridableCallable(c) then result = "true" else result = "false" if isBaseCallableOrPrototype(c) then result = "true" else result = "false"
} }
private module QualifiedNameInput implements QualifiedNameInputSig { private module QualifiedNameInput implements QualifiedNameInputSig {

View File

@@ -1,9 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
## 0.8.16 ## 0.8.16
No user-facing changes. No user-facing changes.

View File

@@ -1,5 +1,4 @@
## 1.0.0 ---
category: breaking
### Breaking Changes ---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0. * CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.8.16

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries name: codeql/csharp-queries
version: 1.0.0 version: 1.0.0-dev
groups: groups:
- csharp - csharp
- queries - queries

View File

@@ -8,7 +8,6 @@ private import semmle.code.csharp.commons.Collections as Collections
private import semmle.code.csharp.dataflow.internal.DataFlowDispatch private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
private import semmle.code.csharp.frameworks.system.linq.Expressions private import semmle.code.csharp.frameworks.system.linq.Expressions
private import semmle.code.csharp.frameworks.System
import semmle.code.csharp.dataflow.internal.ExternalFlow as ExternalFlow import semmle.code.csharp.dataflow.internal.ExternalFlow as ExternalFlow
import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
@@ -20,12 +19,10 @@ module TaintTracking = CS::TaintTracking;
class Type = CS::Type; class Type = CS::Type;
class Callable = CS::Callable;
/** /**
* Holds if any of the parameters of `api` are `System.Func<>`. * Holds if any of the parameters of `api` are `System.Func<>`.
*/ */
private predicate isHigherOrder(Callable api) { private predicate isHigherOrder(CS::Callable api) {
exists(Type t | t = api.getAParameter().getType().getUnboundDeclaration() | exists(Type t | t = api.getAParameter().getType().getUnboundDeclaration() |
t instanceof SystemLinqExpressions::DelegateExtType t instanceof SystemLinqExpressions::DelegateExtType
) )
@@ -35,56 +32,23 @@ private predicate irrelevantAccessor(CS::Accessor a) {
a.getDeclaration().(CS::Property).isReadWrite() a.getDeclaration().(CS::Property).isReadWrite()
} }
private predicate isUninterestingForModels(Callable api) { /**
api.getDeclaringType().getNamespace().getFullName() = "" * Holds if it is relevant to generate models for `api`.
or */
api instanceof CS::ConversionOperator private predicate isRelevantForModels(CS::Callable api) {
or [api.(CS::Modifiable), api.(CS::Accessor).getDeclaration()].isEffectivelyPublic() and
api instanceof Util::MainMethod api.getDeclaringType().getNamespace().getFullName() != "" and
or not api instanceof CS::ConversionOperator and
api instanceof CS::Destructor not api instanceof Util::MainMethod and
or not api instanceof CS::Destructor and
api instanceof CS::AnonymousFunctionExpr not api instanceof CS::AnonymousFunctionExpr and
or not api.(CS::Constructor).isParameterless() and
api.(CS::Constructor).isParameterless() // Disregard all APIs that have a manual model.
or not api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) and
exists(Type decl | decl = api.getDeclaringType() | not api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel()) and
decl instanceof SystemObjectClass or
decl instanceof SystemValueTypeClass
)
or
// Disregard properties that have both a get and a set accessor, // Disregard properties that have both a get and a set accessor,
// which implicitly means auto implemented properties. // which implicitly means auto implemented properties.
irrelevantAccessor(api) not irrelevantAccessor(api)
}
private predicate relevant(Callable api) {
[api.(CS::Modifiable), api.(CS::Accessor).getDeclaration()].isEffectivelyPublic() and
api.fromSource() and
api.isUnboundDeclaration() and
not isUninterestingForModels(api)
}
private Callable getARelevantOverrideeOrImplementee(Overridable m) {
m.overridesOrImplements(result) and relevant(result)
}
/**
* Gets the super implementation of `api` if it is relevant.
* If such a super implementation does not exist, returns `api` if it is relevant.
*/
private Callable liftedImpl(Callable api) {
(
result = getARelevantOverrideeOrImplementee(api)
or
result = api and relevant(api)
) and
not exists(getARelevantOverrideeOrImplementee(result))
}
private predicate hasManualModel(Callable api) {
api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) or
api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel())
} }
/** /**
@@ -102,37 +66,23 @@ predicate isUninterestingForDataFlowModels(CS::Callable api) { isHigherOrder(api
predicate isUninterestingForTypeBasedFlowModels(CS::Callable api) { none() } predicate isUninterestingForTypeBasedFlowModels(CS::Callable api) { none() }
/** /**
* A class of callables that are potentially relevant for generating summary, source, sink * A class of callables that are relevant generating summary, source and sinks models for.
* and neutral models.
* *
* In the Standard library and 3rd party libraries it is the callables (or callables that have a * In the Standard library and 3rd party libraries it the callables that can be called
* super implementation) that can be called from outside the library itself. * from outside the library itself.
*/ */
class TargetApiSpecific extends Callable { class TargetApiSpecific extends CS::Callable {
private Callable lift;
TargetApiSpecific() { TargetApiSpecific() {
lift = liftedImpl(this) and this.fromSource() and
not hasManualModel(lift) this.isUnboundDeclaration() and
isRelevantForModels(this)
} }
/**
* Gets the callable that a model will be lifted to.
*
* The lifted callable is relevant in terms of model
* generation (this is ensured by `liftedImpl`).
*/
Callable lift() { result = lift }
/**
* Holds if `this` is relevant in terms of model generation.
*/
predicate isRelevant() { relevant(this) }
} }
string asPartialModel(TargetApiSpecific api) { result = ExternalFlow::asPartialModel(api.lift()) } predicate asPartialModel = ExternalFlow::asPartialModel/1;
string asPartialNeutralModel(TargetApiSpecific api) { result = ExternalFlow::getSignature(api) } /** Computes the first 4 columns for neutral CSV rows of `c`. */
predicate asPartialNeutralModel = ExternalFlow::getSignature/1;
/** /**
* Holds if `t` is a type that is generally used for bulk data in collection types. * Holds if `t` is a type that is generally used for bulk data in collection types.
@@ -201,7 +151,7 @@ string paramReturnNodeAsOutput(CS::Callable c, ParameterPosition pos) {
/** /**
* Gets the enclosing callable of `ret`. * Gets the enclosing callable of `ret`.
*/ */
Callable returnNodeEnclosingCallable(DataFlow::Node ret) { CS::Callable returnNodeEnclosingCallable(DataFlow::Node ret) {
result = DataFlowImplCommon::getNodeEnclosingCallable(ret).asCallable() result = DataFlowImplCommon::getNodeEnclosingCallable(ret).asCallable()
} }
@@ -226,24 +176,12 @@ private predicate isRelevantMemberAccess(DataFlow::Node node) {
predicate sinkModelSanitizer(DataFlow::Node node) { none() } predicate sinkModelSanitizer(DataFlow::Node node) { none() }
private class ManualNeutralSinkCallable extends Callable {
ManualNeutralSinkCallable() {
this =
any(FlowSummaryImpl::Public::NeutralCallable nc |
nc.hasManualModel() and nc.getKind() = "sink"
)
}
}
/** /**
* Holds if `source` is an api entrypoint relevant for creating sink models. * Holds if `source` is an api entrypoint relevant for creating sink models.
*/ */
predicate apiSource(DataFlow::Node source) { predicate apiSource(DataFlow::Node source) {
(isRelevantMemberAccess(source) or source instanceof DataFlow::ParameterNode) and (isRelevantMemberAccess(source) or source instanceof DataFlow::ParameterNode) and
exists(Callable enclosing | enclosing = source.getEnclosingCallable() | isRelevantForModels(source.getEnclosingCallable())
relevant(enclosing) and
not enclosing instanceof ManualNeutralSinkCallable
)
} }
/** /**

View File

@@ -81,13 +81,10 @@ string captureFlow(DataFlowTargetApi api) {
} }
/** /**
* Gets the neutral summary model for `api`, if any. * Gets the neutral model for `api`, if any.
* A neutral summary model is generated, if we are not generating * A neutral model is generated, if there does not exist summary model.
* a summary model that applies to `api` and if it relevant to generate
* a model for `api`.
*/ */
string captureNoFlow(DataFlowTargetApi api) { string captureNoFlow(DataFlowTargetApi api) {
not exists(DataFlowTargetApi api0 | exists(captureFlow(api0)) and api0.lift() = api.lift()) and not exists(captureFlow(api)) and
api.isRelevant() and
result = ModelPrinting::asNeutralSummaryModel(api) result = ModelPrinting::asNeutralSummaryModel(api)
} }

View File

@@ -1,17 +1,6 @@
import shared.FlowSummaries import shared.FlowSummaries
private import semmle.code.csharp.dataflow.internal.ExternalFlow private import semmle.code.csharp.dataflow.internal.ExternalFlow
/** Holds if `c` is a base callable or prototype. */
private predicate isBaseCallableOrPrototype(UnboundCallable c) {
c.getDeclaringType() instanceof Interface
or
exists(Modifiable m | m = [c.(Modifiable), c.(Accessor).getDeclaration()] |
m.isAbstract()
or
c.getDeclaringType().(Modifiable).isAbstract() and m.(Virtualizable).isVirtual()
)
}
class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable { class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable {
/** /**
* Holds if flow is propagated between `input` and `output` and * Holds if flow is propagated between `input` and `output` and

View File

@@ -245,7 +245,7 @@ public class DerivedClass1Flow : BaseClassFlow
public class DerivedClass2Flow : BaseClassFlow public class DerivedClass2Flow : BaseClassFlow
{ {
// summary=Models;BaseClassFlow;true;ReturnParam;(System.Object);;Argument[0];ReturnValue;taint;df-generated // summary=Models;DerivedClass2Flow;false;ReturnParam;(System.Object);;Argument[0];ReturnValue;taint;df-generated
public override object ReturnParam(object input) public override object ReturnParam(object input)
{ {
return input; return input;
@@ -490,76 +490,3 @@ public class ParameterlessConstructor
IsInitialized = true; IsInitialized = true;
} }
} }
public class Inheritance
{
public abstract class BasePublic
{
public abstract string Id(string x);
}
public class AImplBasePublic : BasePublic
{
// summary=Models;Inheritance+BasePublic;true;Id;(System.String);;Argument[0];ReturnValue;taint;df-generated
public override string Id(string x)
{
return x;
}
}
public interface IPublic1
{
string Id(string x);
}
public interface IPublic2
{
string Id(string x);
}
public abstract class B : IPublic1
{
public abstract string Id(string x);
}
private abstract class C : IPublic2
{
public abstract string Id(string x);
}
public class BImpl : B
{
// summary=Models;Inheritance+IPublic1;true;Id;(System.String);;Argument[0];ReturnValue;taint;df-generated
public override string Id(string x)
{
return x;
}
}
private class CImpl : C
{
// summary=Models;Inheritance+IPublic2;true;Id;(System.String);;Argument[0];ReturnValue;taint;df-generated
public override string Id(string x)
{
return x;
}
}
public interface IPublic3
{
string Prop { get; }
}
public abstract class D : IPublic3
{
public abstract string Prop { get; }
}
public class DImpl : D
{
private string tainted;
// summary=Models;Inheritance+IPublic3;true;get_Prop;();;Argument[this];ReturnValue;taint;df-generated
public override string Prop { get { return tainted; } }
}
}

View File

@@ -1,170 +0,0 @@
.. _codeql-cli-2.17.2:
==========================
CodeQL 2.17.2 (2024-05-07)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.17.2 runs a total of 413 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 130 queries (covering 34 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Improvements
~~~~~~~~~~~~
* When uploading a SARIF file to GitHub using :code:`codeql github upload-results`, the CodeQL CLI now waits for the file to be processed by GitHub. If any errors occurred during processing of the analysis results, the command will log these and return a non-zero exit code. To disable this behaviour, pass the
:code:`--no-wait-for-processing` flag.
By default, the command will wait for the SARIF file to be processed for a maximum of 2 minutes, however this is configurable with the
:code:`--wait-for-processing-timeout` option.
* The build tracer is no longer enabled when using the |link-code-none-build-mode-1|_
to analyze a compiled language, thus improving performance.
Known Issues
~~~~~~~~~~~~
* The beta support for analyzing Swift in this release and all previous releases requires :code:`g++-13` when running on Linux. Users analyzing Swift using the :code:`ubuntu-latest`, :code:`ubuntu-22.04`, or
:code:`ubuntu-20.04` runner images for GitHub Actions should update their workflows to install :code:`g++-13`. For more information, see `the runner images announcement <https://github.com/actions/runner-images/issues/9679>`__.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Uncontrolled data used in path expression" query (:code:`cpp/path-injection`) query produces fewer near-duplicate results.
* The "Global variable may be used before initialization" query (:code:`cpp/global-use-before-init`) no longer raises an alert on global variables that are initialized when they are declared.
* The "Inconsistent null check of pointer" query (:code:`cpp/inconsistent-nullness-testing`) query no longer raises an alert when the guarded check is in a macro expansion.
Golang
""""""
* The query :code:`go/incomplete-hostname-regexp` now recognizes more sources involving concatenation of string literals and also follows flow through string concatenation. This may lead to more alerts.
* Added some more barriers to flow for :code:`go/incorrect-integer-conversion` to reduce false positives, especially around type switches.
JavaScript/TypeScript
"""""""""""""""""""""
* The JavaScript extractor will on longer report syntax errors related to "strict mode".
Files containing such errors are now being fully analyzed along with other sources files.
This improves our support for source files that technically break the "strict mode" rules,
but where a build steps transforms the code such that it ends up working at runtime.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* Deleted the deprecated :code:`GlobalValueNumberingImpl.qll` implementation.
C#
""
* Deleted the deprecated :code:`getAssemblyName` predicate from the :code:`Operator` class. Use :code:`getFunctionName` instead.
* Deleted the deprecated :code:`LShiftOperator`, :code:`RShiftOperator`, :code:`AssignLShiftExpr`, :code:`AssignRShiftExpr`, :code:`LShiftExpr`, and :code:`RShiftExpr` aliases.
* Deleted the deprecated :code:`getCallableDescription` predicate from the :code:`ExternalApiDataNode` class. Use :code:`hasQualifiedName` instead.
Golang
""""""
* Deleted the deprecated :code:`CsvRemoteSource` alias. Use :code:`MaDRemoteSource` instead.
Java
""""
* Deleted the deprecated :code:`AssignLShiftExpr`, :code:`AssignRShiftExpr`, :code:`AssignURShiftExpr`, :code:`LShiftExpr`, :code:`RShiftExpr`, and :code:`URShiftExpr` aliases.
JavaScript/TypeScript
"""""""""""""""""""""
* Deleted the deprecated :code:`getInput` predicate from the :code:`CryptographicOperation` class. Use :code:`getAnInput` instead.
* Deleted the deprecated :code:`RegExpPatterns` module from :code:`Regexp.qll`.
* Deleted the deprecated :code:`semmle/javascript/security/BadTagFilterQuery.qll`, :code:`semmle/javascript/security/OverlyLargeRangeQuery.qll`, :code:`semmle/javascript/security/regexp/RegexpMatching.qll`, and :code:`Security/CWE-020/HostnameRegexpShared.qll` files.
Python
""""""
* Deleted the deprecated :code:`RegExpPatterns` module from :code:`Regexp.qll`.
* Deleted the deprecated :code:`Security/CWE-020/HostnameRegexpShared.qll` file.
Ruby
""""
* Deleted the deprecated :code:`RegExpPatterns` module from :code:`Regexp.qll`.
* Deleted the deprecated :code:`security/cwe-020/HostnameRegexpShared.qll` file.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Source models have been added for the standard library function :code:`getc` (and variations).
* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
* Parameters of functions without definitions now have :code:`ParameterNode`\ s.
* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
C#
""
* Generated .NET Runtime models for properties with both getters and setters have been removed as this is now handled by the data flow library.
JavaScript/TypeScript
"""""""""""""""""""""
* Improved detection of whether a file uses CommonJS module system.
Deprecated APIs
~~~~~~~~~~~~~~~
Golang
""""""
* To make Go consistent with other language libraries, the :code:`UntrustedFlowSource` name has been deprecated throughout. Use :code:`RemoteFlowSource` instead, which replaces it.
* Where modules have classes named :code:`UntrustedFlowAsSource`, these are also deprecated and the :code:`Source` class in the same module or the :code:`RemoteFlowSource` class should be used instead.
Python
""""""
* Renamed the :code:`StrConst` class to :code:`StringLiteral`, for greater consistency with other languages. The :code:`StrConst` and :code:`Str` classes are now deprecated and will be removed in a future release.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See :code:`dataflow/ExternalFlow.qll` for documentation and specification of the model format, and :code:`models/implementations/ZMQ.qll` for a simple example of models. Importing models from :code:`.yml` is not yet supported.
Shared Libraries
----------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* The data flow library performs heuristic filtering of code paths that have a high degree of control-flow uncertainty for improved performance in cases that are deemed unlikely to yield true positive flow paths. This filtering can be controlled with the :code:`fieldFlowBranchLimit` predicate in configurations. Two bugs have been fixed in relation to this: Some cases of high uncertainty were not being correctly identified. This fix improves performance in certain scenarios. Another group of cases of low uncertainty were also being misidentified, which led to false negatives. Taken together, we generally expect some additional query results with more true positives and fewer false positives.
.. |link-code-none-build-mode-1| replace:: :code:`none` build mode
.. _link-code-none-build-mode-1: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes

View File

@@ -1,74 +0,0 @@
.. _codeql-cli-2.17.3:
==========================
CodeQL 2.17.3 (2024-05-17)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.17.3 runs a total of 414 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 131 queries (covering 35 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Improvements
~~~~~~~~~~~~
* The language server that our IDE integration is built on now defaults to fine-grained dependency tracking for incremental error-checking after file changes. This slightly improves the latency of refreshing errors after local source code edits and will enable significant speedups in the future.
* We now properly handle globs (such as :code:`folder/**/*.py`) in :code:`paths` configuration to specify what files to include for Python analysis (see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan).
* TRAP import (a part of :code:`codeql database create` and :code:`codeql database finalize`)
now supports allocating 2^32 IDs during the import process. The previous limit was 2^31 IDs.
Query Packs
-----------
New Queries
~~~~~~~~~~~
C/C++
"""""
* Added a new query, :code:`cpp/iterator-to-expired-container`, to detect the creation of iterators owned by a temporary objects that are about to be destroyed.
Python
""""""
* The :code:`py/header-injection` query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack and renamed to :code:`py/http-response-splitting`. This query finds instances of http header injection / response splitting vulnerabilities.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
* The Java extractor no longer supports the :code:`ODASA_JAVA_LAYOUT`, :code:`ODASA_TOOLS` and :code:`ODASA_HOME` legacy environment variables.
* The Java extractor no longer supports the :code:`ODASA_BUILD_ERROR_DIR` legacy environment variable.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* Added modeling of the :code:`pyramid` framework, leading to new remote flow sources and sinks.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* Fixed a bug that stopped built-in functions from being referenced using the predicate :code:`hasQualifiedName` because technically they do not belong to any package. Now you can use the empty string as the package, e.g. :code:`f.hasQualifiedName("", "len")`.
* Fixed a bug that stopped data flow models for built-in functions from having any effect because the package "" was not parsed correctly.
* Fixed a bug that stopped data flow from being followed through variadic arguments to built-in functions or to functions called using a variable.

View File

@@ -1,127 +0,0 @@
.. _codeql-cli-2.17.4:
==========================
CodeQL 2.17.4 (2024-06-03)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.17.4 runs a total of 414 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 131 queries (covering 35 more CWE).
CodeQL CLI
----------
There are no user-facing CLI changes in this release.
Query Packs
-----------
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
* Removed :code:`local` query variants. The results pertaining to local sources can be found using the non-local counterpart query. As an example, the results previously found by :code:`java/unvalidated-url-redirection-local` can be found by :code:`java/unvalidated-url-redirection`, if the :code:`local` threat model is enabled. The removed queries are :code:`java/path-injection-local`, :code:`java/command-line-injection-local`, :code:`java/xss-local`, :code:`java/sql-injection-local`, :code:`java/http-response-splitting-local`, :code:`java/improper-validation-of-array-construction-local`, :code:`java/improper-validation-of-array-index-local`, :code:`java/tainted-format-string-local`, :code:`java/tainted-arithmetic-local`, :code:`java/unvalidated-url-redirection-local`, :code:`java/xxe-local` and :code:`java/tainted-numeric-cast-local`.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Use of unique pointer after lifetime ends" query (:code:`cpp/use-of-unique-pointer-after-lifetime-ends`) no longer reports an alert when the pointer is converted to a boolean
* The "Variable not initialized before use" query (:code:`cpp/not-initialised`) no longer reports an alert on static variables.
Golang
""""""
* The query :code:`go/incorrect-integer-conversion` has now been restricted to only use flow through value-preserving steps. This reduces false positives, especially around type switches.
Java
""""
* The alert message for the query "Trust boundary violation" (:code:`java/trust-boundary-violation`) has been updated to include a link to the remote source.
* The sanitizer of the query :code:`java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.
Python
""""""
* Added models of :code:`gradio` PyPI package.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed a bug where very large TypeScript files would cause database creation to crash. Large files over 10MB were already excluded from analysis, but the file size check was not applied to TypeScript files.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* A bug has been fixed which meant that the query :code:`go/incorrect-integer-conversion` did not consider type assertions and type switches which use a defined type whose underlying type is an integer type. This may lead to fewer false positive alerts.
* A bug has been fixed which meant flow was not followed through some ranged for loops. This may lead to more alerts being found.
* Added value flow models for the built-in functions :code:`append`, :code:`copy`, :code:`max` and :code:`min` using Models-as-Data. Removed the old-style models for :code:`max` and :code:`min`.
Java
""""
* JDK version detection based on Gradle projects has been improved. Java extraction using build-modes :code:`autobuild` or :code:`none` is more likely to pick an appropriate JDK version, particularly when the Android Gradle Plugin or Spring Boot Plugin are in use.
JavaScript/TypeScript
"""""""""""""""""""""
* Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared :code:`SensitiveDataHeuristics.qll` library. This may result in additional results for queries that use sensitive data such as :code:`js/clear-text-storage-sensitive-data` and :code:`js/clear-text-logging`.
Python
""""""
* The :code:`request` parameter of Flask :code:`SessionInterface.open_session` method is now modeled as a remote flow source.
* Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared :code:`SensitiveDataHeuristics.qll` library. This may result in additional results for queries that use sensitive data such as :code:`py/clear-text-storage-sensitive-data` and :code:`py/clear-text-logging-sensitive-data`.
Ruby
""""
* Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared :code:`SensitiveDataHeuristics.qll` library. This may result in additional results for queries that use sensitive data such as :code:`rb/sensitive-get-query`.
New Features
~~~~~~~~~~~~
Python
""""""
* A Python MaD (Models as Data) row may now contain a dotted path in the :code:`type` column. Like in Ruby, a path to a class will refer to instances of that class. This means that the summary :code:`["foo", "Member[MyClass].Instance.Member[instance_method]", "Argument[0]", "ReturnValue", "value"]` can now be written :code:`["foo.MS_Class", "Member[instance_method]", "Argument[0]", "ReturnValue", "value"]`. To refer to an actual class, one may add a :code:`!` at the end of the path.
Shared Libraries
----------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* The data flow library now adds intermediate nodes when data flows out of a function via a parameter, in order to make path explanations easier to follow. The intermediate nodes have the same location as the underlying parameter, but must be accessed via :code:`PathNode.asParameterReturnNode` instead of :code:`PathNode.asNode`.

View File

@@ -82,7 +82,7 @@ Bug Fixes
Python Python
"""""" """"""
* The `View AST functionality <https://docs.github.com/en/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code>`__ no longer prints detailed information about regular expressions, greatly improving performance. * The `View AST functionality <https://docs.github.com/en/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code/>`__ no longer prints detailed information about regular expressions, greatly improving performance.
Minor Analysis Improvements Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~

View File

@@ -11,9 +11,6 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
codeql-cli-2.17.4
codeql-cli-2.17.3
codeql-cli-2.17.2
codeql-cli-2.17.1 codeql-cli-2.17.1
codeql-cli-2.17.0 codeql-cli-2.17.0
codeql-cli-2.16.6 codeql-cli-2.16.6

View File

@@ -1,9 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
## 0.0.15 ## 0.0.15
No user-facing changes. No user-facing changes.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.0.15

View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries name: codeql-go-consistency-queries
version: 1.0.0 version: 1.0.0-dev
groups: groups:
- go - go
- queries - queries

View File

@@ -1,15 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* A bug has been fixed which meant that the query `go/incorrect-integer-conversion` did not consider type assertions and type switches which use a defined type whose underlying type is an integer type. This may lead to fewer false positive alerts.
* A bug has been fixed which meant flow was not followed through some ranged for loops. This may lead to more alerts being found.
* Added value flow models for the built-in functions `append`, `copy`, `max` and `min` using Models-as-Data. Removed the old-style models for `max` and `min`.
## 0.8.1 ## 0.8.1
### Minor Analysis Improvements ### Minor Analysis Improvements

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Converted the models for the built-in functions `append`, `copy`, `max` and `min` to value flow and Models-as-Data.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* A bug has been fixed which meant that the query `go/incorrect-integer-conversion` did not consider type assertions and type switches which use a defined type whose underlying type is an integer type. This may lead to fewer false positive alerts.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* A bug has been fixed which meant flow was not followed through some ranged for loops. This may lead to more alerts being found.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,11 +0,0 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* A bug has been fixed which meant that the query `go/incorrect-integer-conversion` did not consider type assertions and type switches which use a defined type whose underlying type is an integer type. This may lead to fewer false positive alerts.
* A bug has been fixed which meant flow was not followed through some ranged for loops. This may lead to more alerts being found.
* Added value flow models for the built-in functions `append`, `copy`, `max` and `min` using Models-as-Data. Removed the old-style models for `max` and `min`.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.8.1

View File

@@ -1,5 +1,5 @@
name: codeql/go-all name: codeql/go-all
version: 1.0.0 version: 1.0.0-dev
groups: go groups: go
dbscheme: go.dbscheme dbscheme: go.dbscheme
extractor: go extractor: go

View File

@@ -44,30 +44,6 @@ import semmle.go.frameworks.stdlib.TextTabwriter
import semmle.go.frameworks.stdlib.TextTemplate import semmle.go.frameworks.stdlib.TextTemplate
import semmle.go.frameworks.stdlib.Unsafe import semmle.go.frameworks.stdlib.Unsafe
/**
* A model of the built-in `append` function, which propagates taint from its arguments to its
* result.
*/
private class AppendFunction extends TaintTracking::FunctionModel {
AppendFunction() { this = Builtin::append() }
override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
inp.isParameter(_) and outp.isResult()
}
}
/**
* A model of the built-in `copy` function, which propagates taint from its second argument
* to its first.
*/
private class CopyFunction extends TaintTracking::FunctionModel {
CopyFunction() { this = Builtin::copy() }
override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
inp.isParameter(1) and outp.isParameter(0)
}
}
/** Provides a class for modeling functions which convert strings into integers. */ /** Provides a class for modeling functions which convert strings into integers. */
module IntegerParser { module IntegerParser {
/** /**

View File

@@ -1,13 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* The query `go/incorrect-integer-conversion` has now been restricted to only use flow through value-preserving steps. This reduces false positives, especially around type switches.
## 0.7.16 ## 0.7.16
No user-facing changes. No user-facing changes.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query `go/incorrect-integer-conversion` has now been restricted to only use flow through value-preserving steps. This reduces false positives, especially around type switches.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,9 +0,0 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* The query `go/incorrect-integer-conversion` has now been restricted to only use flow through value-preserving steps. This reduces false positives, especially around type switches.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.7.16

View File

@@ -1,5 +1,5 @@
name: codeql/go-queries name: codeql/go-queries
version: 1.0.0 version: 1.0.0-dev
groups: groups:
- go - go
- queries - queries

View File

@@ -3,13 +3,6 @@
| main.go:38:13:38:13 | 1 | main.go:38:7:38:20 | slice literal | | main.go:38:13:38:13 | 1 | main.go:38:7:38:20 | slice literal |
| main.go:38:16:38:16 | 2 | main.go:38:7:38:20 | slice literal | | main.go:38:16:38:16 | 2 | main.go:38:7:38:20 | slice literal |
| main.go:38:19:38:19 | 3 | main.go:38:7:38:20 | slice literal | | main.go:38:19:38:19 | 3 | main.go:38:7:38:20 | slice literal |
| main.go:39:15:39:15 | s | main.go:39:8:39:25 | call to append |
| main.go:39:18:39:18 | 4 | main.go:39:8:39:25 | call to append |
| main.go:39:21:39:21 | 5 | main.go:39:8:39:25 | call to append |
| main.go:39:24:39:24 | 6 | main.go:39:8:39:25 | call to append |
| main.go:40:15:40:15 | s | main.go:40:8:40:23 | call to append |
| main.go:40:18:40:19 | s1 | main.go:40:8:40:23 | call to append |
| main.go:42:10:42:11 | s4 | main.go:38:2:38:2 | definition of s |
| main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[0] | | main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[0] |
| main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[1] | | main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[1] |
| main.go:47:20:47:21 | xs | main.go:47:2:50:2 | range statement[1] | | main.go:47:20:47:21 | xs | main.go:47:2:50:2 | range statement[1] |

View File

@@ -26,7 +26,6 @@ edges
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance | | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance | | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:68:31:68:37 | tainted | provenance | | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:68:31:68:37 | tainted | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | |
| SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | provenance | |
@@ -39,23 +38,17 @@ edges
| SanitizingDoubleDash.go:39:14:39:44 | call to append | SanitizingDoubleDash.go:40:23:40:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:39:14:39:44 | call to append | SanitizingDoubleDash.go:40:23:40:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:39:14:39:44 | call to append [array] | SanitizingDoubleDash.go:40:23:40:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:39:14:39:44 | call to append [array] | SanitizingDoubleDash.go:40:23:40:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:39:31:39:37 | tainted | SanitizingDoubleDash.go:39:14:39:44 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:39:31:39:37 | tainted | SanitizingDoubleDash.go:39:14:39:44 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:39:31:39:37 | tainted | SanitizingDoubleDash.go:39:14:39:44 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | provenance | | | SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | provenance | |
| SanitizingDoubleDash.go:53:14:53:35 | call to append | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:14:53:35 | call to append | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:53:21:53:28 | arrayLit | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:28 | | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:28 |
| SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | provenance | MaD:28 | | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | provenance | MaD:28 |
| SanitizingDoubleDash.go:68:14:68:38 | []type{args} [array] | SanitizingDoubleDash.go:68:14:68:38 | call to append | provenance | MaD:29 |
| SanitizingDoubleDash.go:68:14:68:38 | []type{args} [array] | SanitizingDoubleDash.go:68:14:68:38 | call to append [array] | provenance | MaD:29 | | SanitizingDoubleDash.go:68:14:68:38 | []type{args} [array] | SanitizingDoubleDash.go:68:14:68:38 | call to append [array] | provenance | MaD:29 |
| SanitizingDoubleDash.go:68:14:68:38 | call to append | SanitizingDoubleDash.go:69:21:69:28 | arrayLit | provenance | |
| SanitizingDoubleDash.go:68:14:68:38 | call to append [array] | SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:68:14:68:38 | call to append [array] | SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:68:31:68:37 | tainted | SanitizingDoubleDash.go:68:14:68:38 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:68:31:68:37 | tainted | SanitizingDoubleDash.go:68:14:68:38 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:68:31:68:37 | tainted | SanitizingDoubleDash.go:68:14:68:38 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:69:14:69:35 | call to append | SanitizingDoubleDash.go:70:23:70:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:69:14:69:35 | call to append | SanitizingDoubleDash.go:70:23:70:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | SanitizingDoubleDash.go:70:23:70:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | SanitizingDoubleDash.go:70:23:70:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:69:21:69:28 | arrayLit | SanitizingDoubleDash.go:69:14:69:35 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | SanitizingDoubleDash.go:69:14:69:35 | call to append | provenance | MaD:28 | | SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | SanitizingDoubleDash.go:69:14:69:35 | call to append | provenance | MaD:28 |
| SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | provenance | MaD:28 | | SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | provenance | MaD:28 |
| SanitizingDoubleDash.go:92:13:92:19 | selection of URL | SanitizingDoubleDash.go:92:13:92:27 | call to Query | provenance | MaD:735 | | SanitizingDoubleDash.go:92:13:92:19 | selection of URL | SanitizingDoubleDash.go:92:13:92:27 | call to Query | provenance | MaD:735 |
@@ -69,7 +62,6 @@ edges
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:117:31:117:37 | tainted | provenance | | | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:117:31:117:37 | tainted | provenance | |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:123:31:123:37 | tainted | provenance | | | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:123:31:123:37 | tainted | provenance | |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:128:24:128:30 | tainted | provenance | | | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:128:24:128:30 | tainted | provenance | |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:129:21:129:28 | arrayLit | provenance | |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:136:31:136:37 | tainted | provenance | | | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:136:31:136:37 | tainted | provenance | |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:142:31:142:37 | tainted | provenance | | | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:142:31:142:37 | tainted | provenance | |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:148:30:148:36 | tainted | provenance | | | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:148:30:148:36 | tainted | provenance | |
@@ -91,24 +83,20 @@ edges
| SanitizingDoubleDash.go:111:14:111:44 | call to append | SanitizingDoubleDash.go:112:24:112:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:111:14:111:44 | call to append | SanitizingDoubleDash.go:112:24:112:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:111:14:111:44 | call to append [array] | SanitizingDoubleDash.go:112:24:112:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:111:14:111:44 | call to append [array] | SanitizingDoubleDash.go:112:24:112:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:111:37:111:43 | tainted | SanitizingDoubleDash.go:111:14:111:44 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:111:37:111:43 | tainted | SanitizingDoubleDash.go:111:14:111:44 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:111:37:111:43 | tainted | SanitizingDoubleDash.go:111:14:111:44 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:117:14:117:44 | []type{args} [array] | SanitizingDoubleDash.go:117:14:117:44 | call to append | provenance | MaD:29 | | SanitizingDoubleDash.go:117:14:117:44 | []type{args} [array] | SanitizingDoubleDash.go:117:14:117:44 | call to append | provenance | MaD:29 |
| SanitizingDoubleDash.go:117:14:117:44 | []type{args} [array] | SanitizingDoubleDash.go:117:14:117:44 | call to append [array] | provenance | MaD:29 | | SanitizingDoubleDash.go:117:14:117:44 | []type{args} [array] | SanitizingDoubleDash.go:117:14:117:44 | call to append [array] | provenance | MaD:29 |
| SanitizingDoubleDash.go:117:14:117:44 | call to append | SanitizingDoubleDash.go:118:24:118:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:117:14:117:44 | call to append | SanitizingDoubleDash.go:118:24:118:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:117:14:117:44 | call to append [array] | SanitizingDoubleDash.go:118:24:118:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:117:14:117:44 | call to append [array] | SanitizingDoubleDash.go:118:24:118:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:117:31:117:37 | tainted | SanitizingDoubleDash.go:117:14:117:44 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:117:31:117:37 | tainted | SanitizingDoubleDash.go:117:14:117:44 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:117:31:117:37 | tainted | SanitizingDoubleDash.go:117:14:117:44 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:123:14:123:38 | []type{args} [array] | SanitizingDoubleDash.go:123:14:123:38 | call to append | provenance | MaD:29 | | SanitizingDoubleDash.go:123:14:123:38 | []type{args} [array] | SanitizingDoubleDash.go:123:14:123:38 | call to append | provenance | MaD:29 |
| SanitizingDoubleDash.go:123:14:123:38 | []type{args} [array] | SanitizingDoubleDash.go:123:14:123:38 | call to append [array] | provenance | MaD:29 | | SanitizingDoubleDash.go:123:14:123:38 | []type{args} [array] | SanitizingDoubleDash.go:123:14:123:38 | call to append [array] | provenance | MaD:29 |
| SanitizingDoubleDash.go:123:14:123:38 | call to append | SanitizingDoubleDash.go:124:24:124:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:123:14:123:38 | call to append | SanitizingDoubleDash.go:124:24:124:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:123:14:123:38 | call to append [array] | SanitizingDoubleDash.go:124:24:124:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:123:14:123:38 | call to append [array] | SanitizingDoubleDash.go:124:24:124:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:123:31:123:37 | tainted | SanitizingDoubleDash.go:123:14:123:38 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:123:31:123:37 | tainted | SanitizingDoubleDash.go:123:14:123:38 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:123:31:123:37 | tainted | SanitizingDoubleDash.go:123:14:123:38 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:128:15:128:31 | slice literal [array] | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:128:15:128:31 | slice literal [array] | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:128:24:128:30 | tainted | SanitizingDoubleDash.go:128:15:128:31 | slice literal [array] | provenance | | | SanitizingDoubleDash.go:128:24:128:30 | tainted | SanitizingDoubleDash.go:128:15:128:31 | slice literal [array] | provenance | |
| SanitizingDoubleDash.go:129:14:129:35 | call to append | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:129:14:129:35 | call to append | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:129:21:129:28 | arrayLit | SanitizingDoubleDash.go:129:14:129:35 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | SanitizingDoubleDash.go:129:14:129:35 | call to append | provenance | MaD:28 | | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | SanitizingDoubleDash.go:129:14:129:35 | call to append | provenance | MaD:28 |
| SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | provenance | MaD:28 | | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | provenance | MaD:28 |
| SanitizingDoubleDash.go:136:14:136:38 | []type{args} [array] | SanitizingDoubleDash.go:136:14:136:38 | call to append | provenance | MaD:29 | | SanitizingDoubleDash.go:136:14:136:38 | []type{args} [array] | SanitizingDoubleDash.go:136:14:136:38 | call to append | provenance | MaD:29 |
@@ -116,16 +104,11 @@ edges
| SanitizingDoubleDash.go:136:14:136:38 | call to append | SanitizingDoubleDash.go:137:24:137:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:136:14:136:38 | call to append | SanitizingDoubleDash.go:137:24:137:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:136:14:136:38 | call to append [array] | SanitizingDoubleDash.go:137:24:137:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:136:14:136:38 | call to append [array] | SanitizingDoubleDash.go:137:24:137:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:136:31:136:37 | tainted | SanitizingDoubleDash.go:136:14:136:38 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:136:31:136:37 | tainted | SanitizingDoubleDash.go:136:14:136:38 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:136:31:136:37 | tainted | SanitizingDoubleDash.go:136:14:136:38 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:142:14:142:38 | []type{args} [array] | SanitizingDoubleDash.go:142:14:142:38 | call to append | provenance | MaD:29 |
| SanitizingDoubleDash.go:142:14:142:38 | []type{args} [array] | SanitizingDoubleDash.go:142:14:142:38 | call to append [array] | provenance | MaD:29 | | SanitizingDoubleDash.go:142:14:142:38 | []type{args} [array] | SanitizingDoubleDash.go:142:14:142:38 | call to append [array] | provenance | MaD:29 |
| SanitizingDoubleDash.go:142:14:142:38 | call to append | SanitizingDoubleDash.go:143:21:143:28 | arrayLit | provenance | |
| SanitizingDoubleDash.go:142:14:142:38 | call to append [array] | SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:142:14:142:38 | call to append [array] | SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:142:31:142:37 | tainted | SanitizingDoubleDash.go:142:14:142:38 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:142:31:142:37 | tainted | SanitizingDoubleDash.go:142:14:142:38 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:142:31:142:37 | tainted | SanitizingDoubleDash.go:142:14:142:38 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:143:14:143:35 | call to append | SanitizingDoubleDash.go:144:24:144:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:143:14:143:35 | call to append | SanitizingDoubleDash.go:144:24:144:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | SanitizingDoubleDash.go:144:24:144:31 | arrayLit | provenance | | | SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | SanitizingDoubleDash.go:144:24:144:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:143:21:143:28 | arrayLit | SanitizingDoubleDash.go:143:14:143:35 | call to append | provenance | FunctionModel |
| SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | SanitizingDoubleDash.go:143:14:143:35 | call to append | provenance | MaD:28 | | SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | SanitizingDoubleDash.go:143:14:143:35 | call to append | provenance | MaD:28 |
| SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | provenance | MaD:28 | | SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | provenance | MaD:28 |
nodes nodes
@@ -172,16 +155,13 @@ nodes
| SanitizingDoubleDash.go:52:24:52:30 | tainted | semmle.label | tainted | | SanitizingDoubleDash.go:52:24:52:30 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:53:14:53:35 | call to append | semmle.label | call to append | | SanitizingDoubleDash.go:53:14:53:35 | call to append | semmle.label | call to append |
| SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | semmle.label | call to append [array] | | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | semmle.label | call to append [array] |
| SanitizingDoubleDash.go:53:21:53:28 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | semmle.label | arrayLit [array] | | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | semmle.label | arrayLit [array] |
| SanitizingDoubleDash.go:54:23:54:30 | arrayLit | semmle.label | arrayLit | | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:68:14:68:38 | []type{args} [array] | semmle.label | []type{args} [array] | | SanitizingDoubleDash.go:68:14:68:38 | []type{args} [array] | semmle.label | []type{args} [array] |
| SanitizingDoubleDash.go:68:14:68:38 | call to append | semmle.label | call to append |
| SanitizingDoubleDash.go:68:14:68:38 | call to append [array] | semmle.label | call to append [array] | | SanitizingDoubleDash.go:68:14:68:38 | call to append [array] | semmle.label | call to append [array] |
| SanitizingDoubleDash.go:68:31:68:37 | tainted | semmle.label | tainted | | SanitizingDoubleDash.go:68:31:68:37 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:69:14:69:35 | call to append | semmle.label | call to append | | SanitizingDoubleDash.go:69:14:69:35 | call to append | semmle.label | call to append |
| SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | semmle.label | call to append [array] | | SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | semmle.label | call to append [array] |
| SanitizingDoubleDash.go:69:21:69:28 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | semmle.label | arrayLit [array] | | SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | semmle.label | arrayLit [array] |
| SanitizingDoubleDash.go:70:23:70:30 | arrayLit | semmle.label | arrayLit | | SanitizingDoubleDash.go:70:23:70:30 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:80:23:80:29 | tainted | semmle.label | tainted | | SanitizingDoubleDash.go:80:23:80:29 | tainted | semmle.label | tainted |
@@ -221,7 +201,6 @@ nodes
| SanitizingDoubleDash.go:128:24:128:30 | tainted | semmle.label | tainted | | SanitizingDoubleDash.go:128:24:128:30 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:129:14:129:35 | call to append | semmle.label | call to append | | SanitizingDoubleDash.go:129:14:129:35 | call to append | semmle.label | call to append |
| SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | semmle.label | call to append [array] | | SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | semmle.label | call to append [array] |
| SanitizingDoubleDash.go:129:21:129:28 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | semmle.label | arrayLit [array] | | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | semmle.label | arrayLit [array] |
| SanitizingDoubleDash.go:130:24:130:31 | arrayLit | semmle.label | arrayLit | | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:136:14:136:38 | []type{args} [array] | semmle.label | []type{args} [array] | | SanitizingDoubleDash.go:136:14:136:38 | []type{args} [array] | semmle.label | []type{args} [array] |
@@ -230,12 +209,10 @@ nodes
| SanitizingDoubleDash.go:136:31:136:37 | tainted | semmle.label | tainted | | SanitizingDoubleDash.go:136:31:136:37 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:137:24:137:31 | arrayLit | semmle.label | arrayLit | | SanitizingDoubleDash.go:137:24:137:31 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:142:14:142:38 | []type{args} [array] | semmle.label | []type{args} [array] | | SanitizingDoubleDash.go:142:14:142:38 | []type{args} [array] | semmle.label | []type{args} [array] |
| SanitizingDoubleDash.go:142:14:142:38 | call to append | semmle.label | call to append |
| SanitizingDoubleDash.go:142:14:142:38 | call to append [array] | semmle.label | call to append [array] | | SanitizingDoubleDash.go:142:14:142:38 | call to append [array] | semmle.label | call to append [array] |
| SanitizingDoubleDash.go:142:31:142:37 | tainted | semmle.label | tainted | | SanitizingDoubleDash.go:142:31:142:37 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:143:14:143:35 | call to append | semmle.label | call to append | | SanitizingDoubleDash.go:143:14:143:35 | call to append | semmle.label | call to append |
| SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | semmle.label | call to append [array] | | SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | semmle.label | call to append [array] |
| SanitizingDoubleDash.go:143:21:143:28 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | semmle.label | arrayLit [array] | | SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | semmle.label | arrayLit [array] |
| SanitizingDoubleDash.go:144:24:144:31 | arrayLit | semmle.label | arrayLit | | SanitizingDoubleDash.go:144:24:144:31 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:148:30:148:36 | tainted | semmle.label | tainted | | SanitizingDoubleDash.go:148:30:148:36 | tainted | semmle.label | tainted |

View File

@@ -15,33 +15,25 @@ edges
| UnsafeTLS.go:313:5:313:45 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:312:18:314:4 | slice literal | provenance | | | UnsafeTLS.go:313:5:313:45 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:312:18:314:4 | slice literal | provenance | |
| UnsafeTLS.go:329:25:329:94 | []type{args} [array] | UnsafeTLS.go:329:25:329:94 | call to append | provenance | MaD:29 | | UnsafeTLS.go:329:25:329:94 | []type{args} [array] | UnsafeTLS.go:329:25:329:94 | call to append | provenance | MaD:29 |
| UnsafeTLS.go:329:53:329:93 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:329:25:329:94 | []type{args} [array] | provenance | | | UnsafeTLS.go:329:53:329:93 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:329:25:329:94 | []type{args} [array] | provenance | |
| UnsafeTLS.go:329:53:329:93 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:329:25:329:94 | call to append | provenance | FunctionModel |
| UnsafeTLS.go:334:13:334:38 | call to InsecureCipherSuites | UnsafeTLS.go:336:54:336:57 | selection of ID | provenance | | | UnsafeTLS.go:334:13:334:38 | call to InsecureCipherSuites | UnsafeTLS.go:336:54:336:57 | selection of ID | provenance | |
| UnsafeTLS.go:336:26:336:58 | []type{args} [array] | UnsafeTLS.go:336:26:336:58 | call to append | provenance | MaD:29 | | UnsafeTLS.go:336:26:336:58 | []type{args} [array] | UnsafeTLS.go:336:26:336:58 | call to append | provenance | MaD:29 |
| UnsafeTLS.go:336:54:336:57 | selection of ID | UnsafeTLS.go:336:26:336:58 | []type{args} [array] | provenance | | | UnsafeTLS.go:336:54:336:57 | selection of ID | UnsafeTLS.go:336:26:336:58 | []type{args} [array] | provenance | |
| UnsafeTLS.go:336:54:336:57 | selection of ID | UnsafeTLS.go:336:26:336:58 | call to append | provenance | FunctionModel |
| UnsafeTLS.go:342:13:342:38 | call to InsecureCipherSuites | UnsafeTLS.go:344:40:344:43 | selection of ID | provenance | | | UnsafeTLS.go:342:13:342:38 | call to InsecureCipherSuites | UnsafeTLS.go:344:40:344:43 | selection of ID | provenance | |
| UnsafeTLS.go:344:19:344:44 | []type{args} [array] | UnsafeTLS.go:344:19:344:44 | call to append | provenance | MaD:29 | | UnsafeTLS.go:344:19:344:44 | []type{args} [array] | UnsafeTLS.go:344:19:344:44 | call to append | provenance | MaD:29 |
| UnsafeTLS.go:344:19:344:44 | []type{args} [array] | UnsafeTLS.go:344:19:344:44 | call to append [array] | provenance | MaD:29 | | UnsafeTLS.go:344:19:344:44 | []type{args} [array] | UnsafeTLS.go:344:19:344:44 | call to append [array] | provenance | MaD:29 |
| UnsafeTLS.go:344:19:344:44 | call to append | UnsafeTLS.go:344:26:344:37 | cipherSuites | provenance | |
| UnsafeTLS.go:344:19:344:44 | call to append | UnsafeTLS.go:346:25:346:36 | cipherSuites | provenance | | | UnsafeTLS.go:344:19:344:44 | call to append | UnsafeTLS.go:346:25:346:36 | cipherSuites | provenance | |
| UnsafeTLS.go:344:19:344:44 | call to append [array] | UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | provenance | | | UnsafeTLS.go:344:19:344:44 | call to append [array] | UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | provenance | |
| UnsafeTLS.go:344:26:344:37 | cipherSuites | UnsafeTLS.go:344:19:344:44 | call to append | provenance | FunctionModel |
| UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | UnsafeTLS.go:344:19:344:44 | call to append | provenance | MaD:28 | | UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | UnsafeTLS.go:344:19:344:44 | call to append | provenance | MaD:28 |
| UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | UnsafeTLS.go:344:19:344:44 | call to append [array] | provenance | MaD:28 | | UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | UnsafeTLS.go:344:19:344:44 | call to append [array] | provenance | MaD:28 |
| UnsafeTLS.go:344:40:344:43 | selection of ID | UnsafeTLS.go:344:19:344:44 | []type{args} [array] | provenance | | | UnsafeTLS.go:344:40:344:43 | selection of ID | UnsafeTLS.go:344:19:344:44 | []type{args} [array] | provenance | |
| UnsafeTLS.go:344:40:344:43 | selection of ID | UnsafeTLS.go:344:19:344:44 | call to append | provenance | FunctionModel |
| UnsafeTLS.go:351:13:351:38 | call to InsecureCipherSuites | UnsafeTLS.go:353:40:353:51 | selection of ID | provenance | | | UnsafeTLS.go:351:13:351:38 | call to InsecureCipherSuites | UnsafeTLS.go:353:40:353:51 | selection of ID | provenance | |
| UnsafeTLS.go:353:19:353:52 | []type{args} [array] | UnsafeTLS.go:353:19:353:52 | call to append | provenance | MaD:29 | | UnsafeTLS.go:353:19:353:52 | []type{args} [array] | UnsafeTLS.go:353:19:353:52 | call to append | provenance | MaD:29 |
| UnsafeTLS.go:353:19:353:52 | []type{args} [array] | UnsafeTLS.go:353:19:353:52 | call to append [array] | provenance | MaD:29 | | UnsafeTLS.go:353:19:353:52 | []type{args} [array] | UnsafeTLS.go:353:19:353:52 | call to append [array] | provenance | MaD:29 |
| UnsafeTLS.go:353:19:353:52 | call to append | UnsafeTLS.go:353:26:353:37 | cipherSuites | provenance | |
| UnsafeTLS.go:353:19:353:52 | call to append | UnsafeTLS.go:355:25:355:36 | cipherSuites | provenance | | | UnsafeTLS.go:353:19:353:52 | call to append | UnsafeTLS.go:355:25:355:36 | cipherSuites | provenance | |
| UnsafeTLS.go:353:19:353:52 | call to append [array] | UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | provenance | | | UnsafeTLS.go:353:19:353:52 | call to append [array] | UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | provenance | |
| UnsafeTLS.go:353:26:353:37 | cipherSuites | UnsafeTLS.go:353:19:353:52 | call to append | provenance | FunctionModel |
| UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | UnsafeTLS.go:353:19:353:52 | call to append | provenance | MaD:28 | | UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | UnsafeTLS.go:353:19:353:52 | call to append | provenance | MaD:28 |
| UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | UnsafeTLS.go:353:19:353:52 | call to append [array] | provenance | MaD:28 | | UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | UnsafeTLS.go:353:19:353:52 | call to append [array] | provenance | MaD:28 |
| UnsafeTLS.go:353:40:353:51 | selection of ID | UnsafeTLS.go:353:19:353:52 | []type{args} [array] | provenance | | | UnsafeTLS.go:353:40:353:51 | selection of ID | UnsafeTLS.go:353:19:353:52 | []type{args} [array] | provenance | |
| UnsafeTLS.go:353:40:353:51 | selection of ID | UnsafeTLS.go:353:19:353:52 | call to append | provenance | FunctionModel |
| UnsafeTLS.go:363:5:363:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:362:18:364:4 | slice literal | provenance | | | UnsafeTLS.go:363:5:363:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:362:18:364:4 | slice literal | provenance | |
| UnsafeTLS.go:371:5:371:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:370:18:372:4 | slice literal | provenance | | | UnsafeTLS.go:371:5:371:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:370:18:372:4 | slice literal | provenance | |
| UnsafeTLS.go:379:5:379:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:378:18:380:4 | slice literal | provenance | | | UnsafeTLS.go:379:5:379:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | UnsafeTLS.go:378:18:380:4 | slice literal | provenance | |
@@ -126,7 +118,6 @@ nodes
| UnsafeTLS.go:344:19:344:44 | []type{args} [array] | semmle.label | []type{args} [array] | | UnsafeTLS.go:344:19:344:44 | []type{args} [array] | semmle.label | []type{args} [array] |
| UnsafeTLS.go:344:19:344:44 | call to append | semmle.label | call to append | | UnsafeTLS.go:344:19:344:44 | call to append | semmle.label | call to append |
| UnsafeTLS.go:344:19:344:44 | call to append [array] | semmle.label | call to append [array] | | UnsafeTLS.go:344:19:344:44 | call to append [array] | semmle.label | call to append [array] |
| UnsafeTLS.go:344:26:344:37 | cipherSuites | semmle.label | cipherSuites |
| UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | semmle.label | cipherSuites [array] | | UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | semmle.label | cipherSuites [array] |
| UnsafeTLS.go:344:40:344:43 | selection of ID | semmle.label | selection of ID | | UnsafeTLS.go:344:40:344:43 | selection of ID | semmle.label | selection of ID |
| UnsafeTLS.go:346:25:346:36 | cipherSuites | semmle.label | cipherSuites | | UnsafeTLS.go:346:25:346:36 | cipherSuites | semmle.label | cipherSuites |
@@ -134,7 +125,6 @@ nodes
| UnsafeTLS.go:353:19:353:52 | []type{args} [array] | semmle.label | []type{args} [array] | | UnsafeTLS.go:353:19:353:52 | []type{args} [array] | semmle.label | []type{args} [array] |
| UnsafeTLS.go:353:19:353:52 | call to append | semmle.label | call to append | | UnsafeTLS.go:353:19:353:52 | call to append | semmle.label | call to append |
| UnsafeTLS.go:353:19:353:52 | call to append [array] | semmle.label | call to append [array] | | UnsafeTLS.go:353:19:353:52 | call to append [array] | semmle.label | call to append [array] |
| UnsafeTLS.go:353:26:353:37 | cipherSuites | semmle.label | cipherSuites |
| UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | semmle.label | cipherSuites [array] | | UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | semmle.label | cipherSuites [array] |
| UnsafeTLS.go:353:40:353:51 | selection of ID | semmle.label | selection of ID | | UnsafeTLS.go:353:40:353:51 | selection of ID | semmle.label | selection of ID |
| UnsafeTLS.go:355:25:355:36 | cipherSuites | semmle.label | cipherSuites | | UnsafeTLS.go:355:25:355:36 | cipherSuites | semmle.label | cipherSuites |

View File

@@ -1,9 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
## 0.0.23 ## 0.0.23
No user-facing changes. No user-facing changes.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,5 +0,0 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.0.23

View File

@@ -1,5 +1,5 @@
name: codeql/java-automodel-queries name: codeql/java-automodel-queries
version: 1.0.0 version: 1.0.0-dev
groups: groups:
- java - java
- automodel - automodel

View File

@@ -1,17 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Major Analysis Improvements
* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
### Minor Analysis Improvements
* JDK version detection based on Gradle projects has been improved. Java extraction using build-modes `autobuild` or `none` is more likely to pick an appropriate JDK version, particularly when the Android Gradle Plugin or Spring Boot Plugin are in use.
## 0.11.0 ## 0.11.0
### Breaking Changes ### Breaking Changes

View File

@@ -0,0 +1,4 @@
---
category: majorAnalysis
---
* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* JDK version detection based on Gradle projects has been improved. Java extraction using build-modes `autobuild` or `none` is more likely to pick an appropriate JDK version, particularly when the Android Gradle Plugin or Spring Boot Plugin are in use.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,13 +0,0 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Major Analysis Improvements
* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
### Minor Analysis Improvements
* JDK version detection based on Gradle projects has been improved. Java extraction using build-modes `autobuild` or `none` is more likely to pick an appropriate JDK version, particularly when the Android Gradle Plugin or Spring Boot Plugin are in use.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.11.0

View File

@@ -1,5 +1,5 @@
name: codeql/java-all name: codeql/java-all
version: 1.0.0 version: 1.0.0-dev
groups: java groups: java
dbscheme: config/semmlecode.dbscheme dbscheme: config/semmlecode.dbscheme
extractor: java extractor: java

View File

@@ -1,15 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
* Removed `local` query variants. The results pertaining to local sources can be found using the non-local counterpart query. As an example, the results previously found by `java/unvalidated-url-redirection-local` can be found by `java/unvalidated-url-redirection`, if the `local` threat model is enabled. The removed queries are `java/path-injection-local`, `java/command-line-injection-local`, `java/xss-local`, `java/sql-injection-local`, `java/http-response-splitting-local`, `java/improper-validation-of-array-construction-local`, `java/improper-validation-of-array-index-local`, `java/tainted-format-string-local`, `java/tainted-arithmetic-local`, `java/unvalidated-url-redirection-local`, `java/xxe-local` and `java/tainted-numeric-cast-local`.
### Minor Analysis Improvements
* The alert message for the query "Trust boundary violation" (`java/trust-boundary-violation`) has been updated to include a link to the remote source.
* The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.
## 0.8.16 ## 0.8.16
No user-facing changes. No user-facing changes.

View File

@@ -1,11 +1,4 @@
## 1.0.0 ---
category: breaking
### Breaking Changes ---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
* Removed `local` query variants. The results pertaining to local sources can be found using the non-local counterpart query. As an example, the results previously found by `java/unvalidated-url-redirection-local` can be found by `java/unvalidated-url-redirection`, if the `local` threat model is enabled. The removed queries are `java/path-injection-local`, `java/command-line-injection-local`, `java/xss-local`, `java/sql-injection-local`, `java/http-response-splitting-local`, `java/improper-validation-of-array-construction-local`, `java/improper-validation-of-array-index-local`, `java/tainted-format-string-local`, `java/tainted-arithmetic-local`, `java/unvalidated-url-redirection-local`, `java/xxe-local` and `java/tainted-numeric-cast-local`. * Removed `local` query variants. The results pertaining to local sources can be found using the non-local counterpart query. As an example, the results previously found by `java/unvalidated-url-redirection-local` can be found by `java/unvalidated-url-redirection`, if the `local` threat model is enabled. The removed queries are `java/path-injection-local`, `java/command-line-injection-local`, `java/xss-local`, `java/sql-injection-local`, `java/http-response-splitting-local`, `java/improper-validation-of-array-construction-local`, `java/improper-validation-of-array-index-local`, `java/tainted-format-string-local`, `java/tainted-arithmetic-local`, `java/unvalidated-url-redirection-local`, `java/xxe-local` and `java/tainted-numeric-cast-local`.
### Minor Analysis Improvements
* The alert message for the query "Trust boundary violation" (`java/trust-boundary-violation`) has been updated to include a link to the remote source.
* The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The alert message for the query "Trust boundary violation" (`java/trust-boundary-violation`) has been updated to include a link to the remote source.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.8.16

View File

@@ -1,5 +1,5 @@
name: codeql/java-queries name: codeql/java-queries
version: 1.0.0 version: 1.0.0-dev
groups: groups:
- java - java
- queries - queries

View File

@@ -1,17 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared `SensitiveDataHeuristics.qll` library. This may result in additional results for queries that use sensitive data such as `js/clear-text-storage-sensitive-data` and `js/clear-text-logging`.
### Bug Fixes
* Fixed a bug where very large TypeScript files would cause database creation to crash. Large files over 10MB were already excluded from analysis, but the file size check was not applied to TypeScript files.
## 0.9.1 ## 0.9.1
No user-facing changes. No user-facing changes.

View File

@@ -1,9 +1,4 @@
## 1.0.0 ---
category: minorAnalysis
### Breaking Changes ---
* Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared `SensitiveDataHeuristics.qll` library. This may result in additional results for queries that use sensitive data such as `js/clear-text-storage-sensitive-data` and `js/clear-text-logging`.
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared `SensitiveDataHeuristics.qll` library. This may result in additional results for queries that use sensitive data such as `rb/sensitive-get-query`.

View File

@@ -0,0 +1,4 @@
---
category: fix
---
* Fixed a bug where very large TypeScript files would cause database creation to crash. Large files over 10MB were already excluded from analysis, but the file size check was not applied to TypeScript files.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,13 +0,0 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### Minor Analysis Improvements
* Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared `SensitiveDataHeuristics.qll` library. This may result in additional results for queries that use sensitive data such as `js/clear-text-storage-sensitive-data` and `js/clear-text-logging`.
### Bug Fixes
* Fixed a bug where very large TypeScript files would cause database creation to crash. Large files over 10MB were already excluded from analysis, but the file size check was not applied to TypeScript files.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.9.1

View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all name: codeql/javascript-all
version: 1.0.0 version: 1.0.0-dev
groups: javascript groups: javascript
dbscheme: semmlecode.javascript.dbscheme dbscheme: semmlecode.javascript.dbscheme
extractor: javascript extractor: javascript

View File

@@ -177,3 +177,12 @@ private class ExternalRemoteFlowSource extends RemoteFlowSource {
override string getSourceType() { result = ap.getSourceType() } override string getSourceType() { result = ap.getSourceType() }
} }
/**
* A response from an outgoing network request.
*/
private class ResponseSource extends RemoteFlowSource {
ResponseSource() { this = any(ClientRequest r).getAResponseDataNode() }
override string getSourceType() { result = "a response from a remote server" }
}

View File

@@ -1,9 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
## 0.8.16 ## 0.8.16
No user-facing changes. No user-facing changes.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,5 +0,0 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.8.16

View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries name: codeql/javascript-queries
version: 1.0.0 version: 1.0.0-dev
groups: groups:
- javascript - javascript
- queries - queries

View File

@@ -1,9 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
## 0.7.16 ## 0.7.16
No user-facing changes. No user-facing changes.

View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,5 +0,0 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

View File

@@ -1,2 +1,2 @@
--- ---
lastReleaseVersion: 1.0.0 lastReleaseVersion: 0.7.16

View File

@@ -1,4 +1,4 @@
name: codeql/suite-helpers name: codeql/suite-helpers
version: 1.0.0 version: 1.0.0-dev
groups: shared groups: shared
warnOnImplicitThis: true warnOnImplicitThis: true

View File

@@ -1,18 +1,3 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
### New Features
* A Python MaD (Models as Data) row may now contain a dotted path in the `type` column. Like in Ruby, a path to a class will refer to instances of that class. This means that the summary `["foo", "Member[MyClass].Instance.Member[instance_method]", "Argument[0]", "ReturnValue", "value"]` can now be written `["foo.MS_Class", "Member[instance_method]", "Argument[0]", "ReturnValue", "value"]`. To refer to an actual class, one may add a `!` at the end of the path.
### Minor Analysis Improvements
* The `request` parameter of Flask `SessionInterface.open_session` method is now modeled as a remote flow source.
* Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared `SensitiveDataHeuristics.qll` library. This may result in additional results for queries that use sensitive data such as `py/clear-text-storage-sensitive-data` and `py/clear-text-logging-sensitive-data`.
## 0.12.1 ## 0.12.1
### Major Analysis Improvements ### Major Analysis Improvements

Some files were not shown because too many files have changed in this diff Show More