mirror of
https://github.com/github/codeql.git
synced 2026-07-07 12:35:33 +02:00
Compare commits
1 Commits
codeql-cli
...
alexet/ssa
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
24b69038f6 |
4
.bazelrc
4
.bazelrc
@@ -33,6 +33,10 @@ common --@rules_dotnet//dotnet/settings:strict_deps=false
|
|||||||
# we only configure a nightly toolchain
|
# we only configure a nightly toolchain
|
||||||
common --@rules_rust//rust/toolchain/channel=nightly
|
common --@rules_rust//rust/toolchain/channel=nightly
|
||||||
|
|
||||||
|
# rust does not like the gold linker, while bazel does by default, so let's avoid using it
|
||||||
|
common:linux --linkopt=-fuse-ld=lld
|
||||||
|
common:macos --linkopt=-fuse-ld=lld
|
||||||
|
|
||||||
# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
|
# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
|
||||||
common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
|
common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
|
||||||
|
|
||||||
|
|||||||
4
.github/workflows/build-ripunzip.yml
vendored
4
.github/workflows/build-ripunzip.yml
vendored
@@ -20,7 +20,7 @@ jobs:
|
|||||||
os: [ubuntu-22.04, macos-13, windows-2022]
|
os: [ubuntu-22.04, macos-13, windows-2022]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: google/ripunzip
|
repository: google/ripunzip
|
||||||
ref: ${{ inputs.ripunzip-version }}
|
ref: ${{ inputs.ripunzip-version }}
|
||||||
@@ -28,7 +28,7 @@ jobs:
|
|||||||
# see https://github.com/sfackler/rust-openssl/issues/183
|
# see https://github.com/sfackler/rust-openssl/issues/183
|
||||||
- if: runner.os == 'Linux'
|
- if: runner.os == 'Linux'
|
||||||
name: checkout openssl
|
name: checkout openssl
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: openssl/openssl
|
repository: openssl/openssl
|
||||||
path: openssl
|
path: openssl
|
||||||
|
|||||||
2
.github/workflows/buildifier.yml
vendored
2
.github/workflows/buildifier.yml
vendored
@@ -17,7 +17,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Check bazel formatting
|
- name: Check bazel formatting
|
||||||
uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
with:
|
with:
|
||||||
|
|||||||
2
.github/workflows/check-implicit-this.yml
vendored
2
.github/workflows/check-implicit-this.yml
vendored
@@ -16,7 +16,7 @@ jobs:
|
|||||||
check:
|
check:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check that implicit this warnings is enabled for all packs
|
- name: Check that implicit this warnings is enabled for all packs
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
@@ -17,7 +17,7 @@ jobs:
|
|||||||
sync:
|
sync:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check overlay annotations
|
- name: Check overlay annotations
|
||||||
run: python config/add-overlay-annotations.py --check java
|
run: python config/add-overlay-annotations.py --check java
|
||||||
|
|
||||||
|
|||||||
2
.github/workflows/check-qldoc.yml
vendored
2
.github/workflows/check-qldoc.yml
vendored
@@ -18,7 +18,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
|
|
||||||
|
|||||||
2
.github/workflows/check-query-ids.yml
vendored
2
.github/workflows/check-query-ids.yml
vendored
@@ -19,6 +19,6 @@ jobs:
|
|||||||
name: Check query IDs
|
name: Check query IDs
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check for duplicate query IDs
|
- name: Check for duplicate query IDs
|
||||||
run: python3 misc/scripts/check-query-ids.py
|
run: python3 misc/scripts/check-query-ids.py
|
||||||
|
|||||||
4
.github/workflows/codeql-analysis.yml
vendored
4
.github/workflows/codeql-analysis.yml
vendored
@@ -34,10 +34,10 @@ jobs:
|
|||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v4
|
uses: actions/setup-dotnet@v4
|
||||||
with:
|
with:
|
||||||
dotnet-version: 9.0.300
|
dotnet-version: 9.0.100
|
||||||
|
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
|
|||||||
2
.github/workflows/compile-queries.yml
vendored
2
.github/workflows/compile-queries.yml
vendored
@@ -22,7 +22,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
with:
|
with:
|
||||||
|
|||||||
2
.github/workflows/cpp-swift-analysis.yml
vendored
2
.github/workflows/cpp-swift-analysis.yml
vendored
@@ -28,7 +28,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
|
|||||||
14
.github/workflows/csharp-qltest.yml
vendored
14
.github/workflows/csharp-qltest.yml
vendored
@@ -39,23 +39,23 @@ jobs:
|
|||||||
os: [ubuntu-latest, windows-latest]
|
os: [ubuntu-latest, windows-latest]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v4
|
uses: actions/setup-dotnet@v4
|
||||||
with:
|
with:
|
||||||
dotnet-version: 9.0.300
|
dotnet-version: 9.0.100
|
||||||
- name: Extractor unit tests
|
- name: Extractor unit tests
|
||||||
run: |
|
run: |
|
||||||
dotnet tool restore
|
dotnet tool restore
|
||||||
dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
|
||||||
shell: bash
|
shell: bash
|
||||||
stubgentest:
|
stubgentest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./csharp/actions/create-extractor-pack
|
- uses: ./csharp/actions/create-extractor-pack
|
||||||
- name: Run stub generator tests
|
- name: Run stub generator tests
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
4
.github/workflows/csv-coverage-metrics.yml
vendored
4
.github/workflows/csv-coverage-metrics.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Create empty database
|
- name: Create empty database
|
||||||
@@ -51,7 +51,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Create empty database
|
- name: Create empty database
|
||||||
|
|||||||
@@ -35,11 +35,11 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql) - MERGE
|
- name: Clone self (github/codeql) - MERGE
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: merge
|
path: merge
|
||||||
- name: Clone self (github/codeql) - BASE
|
- name: Clone self (github/codeql) - BASE
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
path: base
|
path: base
|
||||||
|
|||||||
@@ -24,7 +24,7 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Set up Python 3.8
|
- name: Set up Python 3.8
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
|
|||||||
@@ -12,11 +12,11 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: script
|
path: script
|
||||||
- name: Clone self (github/codeql) for analysis
|
- name: Clone self (github/codeql) for analysis
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeqlModels
|
path: codeqlModels
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|||||||
2
.github/workflows/csv-coverage-update.yml
vendored
2
.github/workflows/csv-coverage-update.yml
vendored
@@ -21,7 +21,7 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: ql
|
path: ql
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|||||||
4
.github/workflows/csv-coverage.yml
vendored
4
.github/workflows/csv-coverage.yml
vendored
@@ -16,11 +16,11 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: script
|
path: script
|
||||||
- name: Clone self (github/codeql) for analysis
|
- name: Clone self (github/codeql) for analysis
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeqlModels
|
path: codeqlModels
|
||||||
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
||||||
|
|||||||
2
.github/workflows/fast-forward.yml
vendored
2
.github/workflows/fast-forward.yml
vendored
@@ -26,7 +26,7 @@ jobs:
|
|||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Git config
|
- name: Git config
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|||||||
2
.github/workflows/go-tests.yml
vendored
2
.github/workflows/go-tests.yml
vendored
@@ -22,7 +22,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- name: Check out code
|
- name: Check out code
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
uses: ./go/actions/test
|
uses: ./go/actions/test
|
||||||
with:
|
with:
|
||||||
|
|||||||
2
.github/workflows/kotlin-build.yml
vendored
2
.github/workflows/kotlin-build.yml
vendored
@@ -20,7 +20,7 @@ jobs:
|
|||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- run: |
|
- run: |
|
||||||
bazel query //java/kotlin-extractor/...
|
bazel query //java/kotlin-extractor/...
|
||||||
# only build the default version as a quick check that we can build from `codeql`
|
# only build the default version as a quick check that we can build from `codeql`
|
||||||
|
|||||||
4
.github/workflows/mad_modelDiff.yml
vendored
4
.github/workflows/mad_modelDiff.yml
vendored
@@ -28,12 +28,12 @@ jobs:
|
|||||||
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
|
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
|
||||||
steps:
|
steps:
|
||||||
- name: Clone github/codeql from PR
|
- name: Clone github/codeql from PR
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
if: github.event.pull_request
|
if: github.event.pull_request
|
||||||
with:
|
with:
|
||||||
path: codeql-pr
|
path: codeql-pr
|
||||||
- name: Clone github/codeql from main
|
- name: Clone github/codeql from main
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeql-main
|
path: codeql-main
|
||||||
ref: main
|
ref: main
|
||||||
|
|||||||
4
.github/workflows/mad_regenerate-models.yml
vendored
4
.github/workflows/mad_regenerate-models.yml
vendored
@@ -30,11 +30,11 @@ jobs:
|
|||||||
ref: "placeholder"
|
ref: "placeholder"
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL binaries
|
- name: Setup CodeQL binaries
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Clone repositories
|
- name: Clone repositories
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: repos/${{ matrix.ref }}
|
path: repos/${{ matrix.ref }}
|
||||||
ref: ${{ matrix.ref }}
|
ref: ${{ matrix.ref }}
|
||||||
|
|||||||
2
.github/workflows/python-tooling.yml
vendored
2
.github/workflows/python-tooling.yml
vendored
@@ -21,7 +21,7 @@ jobs:
|
|||||||
check-python-tooling:
|
check-python-tooling:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-python@v5
|
- uses: actions/setup-python@v5
|
||||||
with:
|
with:
|
||||||
python-version: '3.12'
|
python-version: '3.12'
|
||||||
|
|||||||
2
.github/workflows/qhelp-pr-preview.yml
vendored
2
.github/workflows/qhelp-pr-preview.yml
vendored
@@ -43,7 +43,7 @@ jobs:
|
|||||||
if-no-files-found: error
|
if-no-files-found: error
|
||||||
retention-days: 1
|
retention-days: 1
|
||||||
|
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
|
|||||||
2
.github/workflows/ql-for-ql-build.yml
vendored
2
.github/workflows/ql-for-ql-build.yml
vendored
@@ -19,7 +19,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
### Build the queries ###
|
### Build the queries ###
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
|
|||||||
@@ -25,7 +25,7 @@ jobs:
|
|||||||
- github/codeql
|
- github/codeql
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
@@ -46,7 +46,7 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
- name: Checkout ${{ matrix.repo }}
|
- name: Checkout ${{ matrix.repo }}
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: ${{ matrix.repo }}
|
repository: ${{ matrix.repo }}
|
||||||
path: ${{ github.workspace }}/repo
|
path: ${{ github.workspace }}/repo
|
||||||
@@ -75,7 +75,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: measure
|
needs: measure
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: measurements
|
name: measurements
|
||||||
|
|||||||
4
.github/workflows/ql-for-ql-tests.yml
vendored
4
.github/workflows/ql-for-ql-tests.yml
vendored
@@ -24,7 +24,7 @@ jobs:
|
|||||||
qltest:
|
qltest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@main
|
||||||
@@ -64,7 +64,7 @@ jobs:
|
|||||||
needs: [qltest]
|
needs: [qltest]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Install GNU tar
|
- name: Install GNU tar
|
||||||
if: runner.os == 'macOS'
|
if: runner.os == 'macOS'
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
4
.github/workflows/query-list.yml
vendored
4
.github/workflows/query-list.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeql
|
path: codeql
|
||||||
- name: Set up Python 3.8
|
- name: Set up Python 3.8
|
||||||
@@ -31,7 +31,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
python-version: 3.8
|
python-version: 3.8
|
||||||
- name: Download CodeQL CLI
|
- name: Download CodeQL CLI
|
||||||
# Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
|
# Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
|
||||||
uses: ./codeql/.github/actions/fetch-codeql
|
uses: ./codeql/.github/actions/fetch-codeql
|
||||||
- name: Build code scanning query list
|
- name: Build code scanning query list
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
8
.github/workflows/ruby-build.yml
vendored
8
.github/workflows/ruby-build.yml
vendored
@@ -47,7 +47,7 @@ jobs:
|
|||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Install GNU tar
|
- name: Install GNU tar
|
||||||
if: runner.os == 'macOS'
|
if: runner.os == 'macOS'
|
||||||
run: |
|
run: |
|
||||||
@@ -113,7 +113,7 @@ jobs:
|
|||||||
if: github.repository_owner == 'github'
|
if: github.repository_owner == 'github'
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
@@ -146,7 +146,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [build, compile-queries]
|
needs: [build, compile-queries]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: ruby.dbscheme
|
name: ruby.dbscheme
|
||||||
@@ -209,7 +209,7 @@ jobs:
|
|||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
needs: [package]
|
needs: [package]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
|||||||
6
.github/workflows/ruby-dataset-measure.yml
vendored
6
.github/workflows/ruby-dataset-measure.yml
vendored
@@ -30,14 +30,14 @@ jobs:
|
|||||||
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
|
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
|
|
||||||
- name: Checkout ${{ matrix.repo }}
|
- name: Checkout ${{ matrix.repo }}
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: ${{ matrix.repo }}
|
repository: ${{ matrix.repo }}
|
||||||
path: ${{ github.workspace }}/repo
|
path: ${{ github.workspace }}/repo
|
||||||
@@ -62,7 +62,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: measure
|
needs: measure
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
path: stats
|
path: stats
|
||||||
|
|||||||
2
.github/workflows/ruby-qltest-rtjo.yml
vendored
2
.github/workflows/ruby-qltest-rtjo.yml
vendored
@@ -25,7 +25,7 @@ jobs:
|
|||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
|
|||||||
4
.github/workflows/ruby-qltest.yml
vendored
4
.github/workflows/ruby-qltest.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
|||||||
qlupgrade:
|
qlupgrade:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- name: Check DB upgrade scripts
|
- name: Check DB upgrade scripts
|
||||||
run: |
|
run: |
|
||||||
@@ -58,7 +58,7 @@ jobs:
|
|||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
|
|||||||
2
.github/workflows/rust-analysis.yml
vendored
2
.github/workflows/rust-analysis.yml
vendored
@@ -35,7 +35,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Query latest nightly CodeQL bundle
|
- name: Query latest nightly CodeQL bundle
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|||||||
6
.github/workflows/rust.yml
vendored
6
.github/workflows/rust.yml
vendored
@@ -30,7 +30,7 @@ jobs:
|
|||||||
working-directory: rust/ast-generator
|
working-directory: rust/ast-generator
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Inject sources
|
- name: Inject sources
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
@@ -53,7 +53,7 @@ jobs:
|
|||||||
working-directory: rust/extractor
|
working-directory: rust/extractor
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Format
|
- name: Format
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
@@ -69,7 +69,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Install CodeQL
|
- name: Install CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Code generation
|
- name: Code generation
|
||||||
|
|||||||
8
.github/workflows/swift.yml
vendored
8
.github/workflows/swift.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
|||||||
fail-fast: false
|
fail-fast: false
|
||||||
runs-on: ${{ matrix.runner }}
|
runs-on: ${{ matrix.runner }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Setup (Linux)
|
- name: Setup (Linux)
|
||||||
if: runner.os == 'Linux'
|
if: runner.os == 'Linux'
|
||||||
run: |
|
run: |
|
||||||
@@ -53,7 +53,7 @@ jobs:
|
|||||||
clang-format:
|
clang-format:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
name: Check that python code is properly formatted
|
name: Check that python code is properly formatted
|
||||||
with:
|
with:
|
||||||
@@ -61,7 +61,7 @@ jobs:
|
|||||||
codegen:
|
codegen:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
name: Check that QL generated code was checked in
|
name: Check that QL generated code was checked in
|
||||||
@@ -77,6 +77,6 @@ jobs:
|
|||||||
check-no-override:
|
check-no-override:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check that no override is present in load.bzl
|
- name: Check that no override is present in load.bzl
|
||||||
run: bazel test ... --test_tag_filters=override --test_output=errors
|
run: bazel test ... --test_tag_filters=override --test_output=errors
|
||||||
|
|||||||
2
.github/workflows/sync-files.yml
vendored
2
.github/workflows/sync-files.yml
vendored
@@ -17,7 +17,7 @@ jobs:
|
|||||||
sync:
|
sync:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check synchronized files
|
- name: Check synchronized files
|
||||||
run: python config/sync-files.py
|
run: python config/sync-files.py
|
||||||
- name: Check dbscheme fragments
|
- name: Check dbscheme fragments
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ jobs:
|
|||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check formatting
|
- name: Check formatting
|
||||||
run: cargo fmt -- --check
|
run: cargo fmt -- --check
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
@@ -38,12 +38,12 @@ jobs:
|
|||||||
fmt:
|
fmt:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check formatting
|
- name: Check formatting
|
||||||
run: cargo fmt --check
|
run: cargo fmt --check
|
||||||
clippy:
|
clippy:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Run clippy
|
- name: Run clippy
|
||||||
run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
|
run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
|
||||||
|
|||||||
2
.github/workflows/validate-change-notes.yml
vendored
2
.github/workflows/validate-change-notes.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|||||||
2
.github/workflows/zipmerge-test.yml
vendored
2
.github/workflows/zipmerge-test.yml
vendored
@@ -18,6 +18,6 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- run: |
|
- run: |
|
||||||
bazel test //misc/bazel/internal/zipmerge:test --test_output=all
|
bazel test //misc/bazel/internal/zipmerge:test --test_output=all
|
||||||
|
|||||||
3
.gitignore
vendored
3
.gitignore
vendored
@@ -76,6 +76,3 @@ node_modules/
|
|||||||
# some upgrade/downgrade checks create these files
|
# some upgrade/downgrade checks create these files
|
||||||
**/upgrades/*/*.dbscheme.stats
|
**/upgrades/*/*.dbscheme.stats
|
||||||
**/downgrades/*/*.dbscheme.stats
|
**/downgrades/*/*.dbscheme.stats
|
||||||
|
|
||||||
# Mergetool files
|
|
||||||
*.orig
|
|
||||||
|
|||||||
@@ -1,7 +1,3 @@
|
|||||||
# Catch-all for anything which isn't matched by a line lower down
|
|
||||||
* @github/code-scanning-alert-coverage
|
|
||||||
|
|
||||||
# CodeQL language libraries
|
|
||||||
/actions/ @github/codeql-dynamic
|
/actions/ @github/codeql-dynamic
|
||||||
/cpp/ @github/codeql-c-analysis
|
/cpp/ @github/codeql-c-analysis
|
||||||
/csharp/ @github/codeql-csharp
|
/csharp/ @github/codeql-csharp
|
||||||
@@ -11,10 +7,8 @@
|
|||||||
/java/ @github/codeql-java
|
/java/ @github/codeql-java
|
||||||
/javascript/ @github/codeql-javascript
|
/javascript/ @github/codeql-javascript
|
||||||
/python/ @github/codeql-python
|
/python/ @github/codeql-python
|
||||||
/ql/ @github/codeql-ql-for-ql-reviewers
|
|
||||||
/ruby/ @github/codeql-ruby
|
/ruby/ @github/codeql-ruby
|
||||||
/rust/ @github/codeql-rust
|
/rust/ @github/codeql-rust
|
||||||
/shared/ @github/codeql-shared-libraries-reviewers
|
|
||||||
/swift/ @github/codeql-swift
|
/swift/ @github/codeql-swift
|
||||||
/misc/codegen/ @github/codeql-swift
|
/misc/codegen/ @github/codeql-swift
|
||||||
/java/kotlin-extractor/ @github/codeql-kotlin
|
/java/kotlin-extractor/ @github/codeql-kotlin
|
||||||
@@ -31,6 +25,9 @@
|
|||||||
/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
|
/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
|
||||||
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
|
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
|
||||||
|
|
||||||
|
# QL for QL reviewers
|
||||||
|
/ql/ @github/codeql-ql-for-ql-reviewers
|
||||||
|
|
||||||
# Bazel (excluding BUILD.bazel files)
|
# Bazel (excluding BUILD.bazel files)
|
||||||
MODULE.bazel @github/codeql-ci-reviewers
|
MODULE.bazel @github/codeql-ci-reviewers
|
||||||
.bazelversion @github/codeql-ci-reviewers
|
.bazelversion @github/codeql-ci-reviewers
|
||||||
|
|||||||
1181
Cargo.lock
generated
1181
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
82
MODULE.bazel
82
MODULE.bazel
@@ -14,7 +14,7 @@ local_path_override(
|
|||||||
|
|
||||||
# see https://registry.bazel.build/ for a list of available packages
|
# see https://registry.bazel.build/ for a list of available packages
|
||||||
|
|
||||||
bazel_dep(name = "platforms", version = "1.0.0")
|
bazel_dep(name = "platforms", version = "0.0.11")
|
||||||
bazel_dep(name = "rules_go", version = "0.56.1")
|
bazel_dep(name = "rules_go", version = "0.56.1")
|
||||||
bazel_dep(name = "rules_pkg", version = "1.0.1")
|
bazel_dep(name = "rules_pkg", version = "1.0.1")
|
||||||
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
|
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
|
||||||
@@ -26,7 +26,7 @@ bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
|
|||||||
bazel_dep(name = "fmt", version = "10.0.0")
|
bazel_dep(name = "fmt", version = "10.0.0")
|
||||||
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
|
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
|
||||||
bazel_dep(name = "gazelle", version = "0.40.0")
|
bazel_dep(name = "gazelle", version = "0.40.0")
|
||||||
bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
|
bazel_dep(name = "rules_dotnet", version = "0.17.4")
|
||||||
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
||||||
bazel_dep(name = "rules_rust", version = "0.63.0")
|
bazel_dep(name = "rules_rust", version = "0.63.0")
|
||||||
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
|
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
|
||||||
@@ -89,8 +89,8 @@ use_repo(
|
|||||||
"vendor_py__cc-1.2.14",
|
"vendor_py__cc-1.2.14",
|
||||||
"vendor_py__clap-4.5.30",
|
"vendor_py__clap-4.5.30",
|
||||||
"vendor_py__regex-1.11.1",
|
"vendor_py__regex-1.11.1",
|
||||||
"vendor_py__tree-sitter-0.24.7",
|
"vendor_py__tree-sitter-0.20.4",
|
||||||
"vendor_py__tree-sitter-graph-0.12.0",
|
"vendor_py__tree-sitter-graph-0.7.0",
|
||||||
)
|
)
|
||||||
|
|
||||||
# deps for ruby+rust
|
# deps for ruby+rust
|
||||||
@@ -98,54 +98,54 @@ use_repo(
|
|||||||
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
|
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
|
||||||
use_repo(
|
use_repo(
|
||||||
tree_sitter_extractors_deps,
|
tree_sitter_extractors_deps,
|
||||||
"vendor_ts__anyhow-1.0.100",
|
"vendor_ts__anyhow-1.0.98",
|
||||||
"vendor_ts__argfile-0.2.1",
|
"vendor_ts__argfile-0.2.1",
|
||||||
"vendor_ts__chalk-ir-0.104.0",
|
"vendor_ts__chalk-ir-0.103.0",
|
||||||
"vendor_ts__chrono-0.4.42",
|
"vendor_ts__chrono-0.4.41",
|
||||||
"vendor_ts__clap-4.5.48",
|
"vendor_ts__clap-4.5.40",
|
||||||
"vendor_ts__dunce-1.0.5",
|
"vendor_ts__dunce-1.0.5",
|
||||||
"vendor_ts__either-1.15.0",
|
"vendor_ts__either-1.15.0",
|
||||||
"vendor_ts__encoding-0.2.33",
|
"vendor_ts__encoding-0.2.33",
|
||||||
"vendor_ts__figment-0.10.19",
|
"vendor_ts__figment-0.10.19",
|
||||||
"vendor_ts__flate2-1.1.2",
|
"vendor_ts__flate2-1.1.0",
|
||||||
"vendor_ts__glob-0.3.3",
|
"vendor_ts__glob-0.3.2",
|
||||||
"vendor_ts__globset-0.4.16",
|
"vendor_ts__globset-0.4.15",
|
||||||
"vendor_ts__itertools-0.14.0",
|
"vendor_ts__itertools-0.14.0",
|
||||||
"vendor_ts__lazy_static-1.5.0",
|
"vendor_ts__lazy_static-1.5.0",
|
||||||
"vendor_ts__mustache-0.9.0",
|
"vendor_ts__mustache-0.9.0",
|
||||||
"vendor_ts__num-traits-0.2.19",
|
"vendor_ts__num-traits-0.2.19",
|
||||||
"vendor_ts__num_cpus-1.17.0",
|
"vendor_ts__num_cpus-1.17.0",
|
||||||
"vendor_ts__proc-macro2-1.0.101",
|
"vendor_ts__proc-macro2-1.0.95",
|
||||||
"vendor_ts__quote-1.0.41",
|
"vendor_ts__quote-1.0.40",
|
||||||
"vendor_ts__ra_ap_base_db-0.0.301",
|
"vendor_ts__ra_ap_base_db-0.0.288",
|
||||||
"vendor_ts__ra_ap_cfg-0.0.301",
|
"vendor_ts__ra_ap_cfg-0.0.288",
|
||||||
"vendor_ts__ra_ap_hir-0.0.301",
|
"vendor_ts__ra_ap_hir-0.0.288",
|
||||||
"vendor_ts__ra_ap_hir_def-0.0.301",
|
"vendor_ts__ra_ap_hir_def-0.0.288",
|
||||||
"vendor_ts__ra_ap_hir_expand-0.0.301",
|
"vendor_ts__ra_ap_hir_expand-0.0.288",
|
||||||
"vendor_ts__ra_ap_hir_ty-0.0.301",
|
"vendor_ts__ra_ap_hir_ty-0.0.288",
|
||||||
"vendor_ts__ra_ap_ide_db-0.0.301",
|
"vendor_ts__ra_ap_ide_db-0.0.288",
|
||||||
"vendor_ts__ra_ap_intern-0.0.301",
|
"vendor_ts__ra_ap_intern-0.0.288",
|
||||||
"vendor_ts__ra_ap_load-cargo-0.0.301",
|
"vendor_ts__ra_ap_load-cargo-0.0.288",
|
||||||
"vendor_ts__ra_ap_parser-0.0.301",
|
"vendor_ts__ra_ap_parser-0.0.288",
|
||||||
"vendor_ts__ra_ap_paths-0.0.301",
|
"vendor_ts__ra_ap_paths-0.0.288",
|
||||||
"vendor_ts__ra_ap_project_model-0.0.301",
|
"vendor_ts__ra_ap_project_model-0.0.288",
|
||||||
"vendor_ts__ra_ap_span-0.0.301",
|
"vendor_ts__ra_ap_span-0.0.288",
|
||||||
"vendor_ts__ra_ap_stdx-0.0.301",
|
"vendor_ts__ra_ap_stdx-0.0.288",
|
||||||
"vendor_ts__ra_ap_syntax-0.0.301",
|
"vendor_ts__ra_ap_syntax-0.0.288",
|
||||||
"vendor_ts__ra_ap_vfs-0.0.301",
|
"vendor_ts__ra_ap_vfs-0.0.288",
|
||||||
"vendor_ts__rand-0.9.2",
|
"vendor_ts__rand-0.9.1",
|
||||||
"vendor_ts__rayon-1.11.0",
|
"vendor_ts__rayon-1.10.0",
|
||||||
"vendor_ts__regex-1.11.3",
|
"vendor_ts__regex-1.11.1",
|
||||||
"vendor_ts__serde-1.0.228",
|
"vendor_ts__serde-1.0.219",
|
||||||
"vendor_ts__serde_json-1.0.145",
|
"vendor_ts__serde_json-1.0.140",
|
||||||
"vendor_ts__serde_with-3.14.1",
|
"vendor_ts__serde_with-3.13.0",
|
||||||
"vendor_ts__syn-2.0.106",
|
"vendor_ts__syn-2.0.103",
|
||||||
"vendor_ts__toml-0.9.7",
|
"vendor_ts__toml-0.8.23",
|
||||||
"vendor_ts__tracing-0.1.41",
|
"vendor_ts__tracing-0.1.41",
|
||||||
"vendor_ts__tracing-flame-0.2.0",
|
"vendor_ts__tracing-flame-0.2.0",
|
||||||
"vendor_ts__tracing-subscriber-0.3.20",
|
"vendor_ts__tracing-subscriber-0.3.19",
|
||||||
"vendor_ts__tree-sitter-0.25.9",
|
"vendor_ts__tree-sitter-0.24.6",
|
||||||
"vendor_ts__tree-sitter-embedded-template-0.25.0",
|
"vendor_ts__tree-sitter-embedded-template-0.23.2",
|
||||||
"vendor_ts__tree-sitter-json-0.24.8",
|
"vendor_ts__tree-sitter-json-0.24.8",
|
||||||
"vendor_ts__tree-sitter-ql-0.23.1",
|
"vendor_ts__tree-sitter-ql-0.23.1",
|
||||||
"vendor_ts__tree-sitter-ruby-0.23.1",
|
"vendor_ts__tree-sitter-ruby-0.23.1",
|
||||||
@@ -172,7 +172,7 @@ http_archive(
|
|||||||
)
|
)
|
||||||
|
|
||||||
dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
|
dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
|
||||||
dotnet.toolchain(dotnet_version = "9.0.300")
|
dotnet.toolchain(dotnet_version = "9.0.100")
|
||||||
use_repo(dotnet, "dotnet_toolchains")
|
use_repo(dotnet, "dotnet_toolchains")
|
||||||
|
|
||||||
register_toolchains("@dotnet_toolchains//:all")
|
register_toolchains("@dotnet_toolchains//:all")
|
||||||
|
|||||||
@@ -1,17 +1,14 @@
|
|||||||
name: "actions"
|
name: "actions"
|
||||||
|
aliases: []
|
||||||
display_name: "GitHub Actions"
|
display_name: "GitHub Actions"
|
||||||
version: 0.0.1
|
version: 0.0.1
|
||||||
column_kind: "utf16"
|
column_kind: "utf16"
|
||||||
unicode_newlines: true
|
unicode_newlines: true
|
||||||
build_modes:
|
build_modes:
|
||||||
- none
|
- none
|
||||||
default_queries:
|
file_coverage_languages: []
|
||||||
- codeql/actions-queries
|
|
||||||
# Actions workflows are not reported separately by the GitHub API, so we can't
|
|
||||||
# associate them with a specific language.
|
|
||||||
github_api_languages: []
|
github_api_languages: []
|
||||||
scc_languages:
|
scc_languages: []
|
||||||
- YAML
|
|
||||||
file_types:
|
file_types:
|
||||||
- name: workflow
|
- name: workflow
|
||||||
display_name: GitHub Actions workflow files
|
display_name: GitHub Actions workflow files
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
{
|
|
||||||
"paths": [
|
|
||||||
".github/workflows/*.yml",
|
|
||||||
".github/workflows/*.yaml",
|
|
||||||
".github/reusable_workflows/**/*.yml",
|
|
||||||
".github/reusable_workflows/**/*.yaml",
|
|
||||||
"**/action.yml",
|
|
||||||
"**/action.yaml"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
@echo off
|
|
||||||
type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"
|
|
||||||
@@ -1,4 +1,3 @@
|
|||||||
ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
||||||
|
|||||||
@@ -1,5 +1,4 @@
|
|||||||
ql/actions/ql/src/Debug/SyntaxError.ql
|
ql/actions/ql/src/Debug/SyntaxError.ql
|
||||||
ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||||
|
|||||||
@@ -1,4 +1,3 @@
|
|||||||
ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||||
|
|||||||
@@ -1,19 +1,3 @@
|
|||||||
## 0.4.19
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.18
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.17
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.16
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.15
|
## 0.4.15
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.16
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.17
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.18
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.19
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.4.19
|
lastReleaseVersion: 0.4.15
|
||||||
|
|||||||
@@ -70,8 +70,8 @@ class Location extends TLocation, TBaseLocation {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if this element is at the specified location.
|
* Holds if this element is at the specified location.
|
||||||
* The location spans column `sc` of line `sl` to
|
* The location spans column `startcolumn` of line `startline` to
|
||||||
* column `ec` of line `el` in file `p`.
|
* column `endcolumn` of line `endline` in file `filepath`.
|
||||||
* For more information, see
|
* For more information, see
|
||||||
* [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
|
* [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -261,7 +261,7 @@ class If extends AstNode instanceof IfImpl {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* An Environment node representing a deployment environment.
|
* An Environemnt node representing a deployment environment.
|
||||||
*/
|
*/
|
||||||
class Environment extends AstNode instanceof EnvironmentImpl {
|
class Environment extends AstNode instanceof EnvironmentImpl {
|
||||||
string getName() { result = super.getName() }
|
string getName() { result = super.getName() }
|
||||||
|
|||||||
@@ -125,11 +125,12 @@ abstract class AstNodeImpl extends TAstNode {
|
|||||||
* Gets the enclosing Step.
|
* Gets the enclosing Step.
|
||||||
*/
|
*/
|
||||||
StepImpl getEnclosingStep() {
|
StepImpl getEnclosingStep() {
|
||||||
this instanceof StepImpl and
|
if this instanceof StepImpl
|
||||||
result = this
|
then result = this
|
||||||
or
|
else
|
||||||
this instanceof ScalarValueImpl and
|
if this instanceof ScalarValueImpl
|
||||||
result.getAChildNode*() = this.getParentNode()
|
then result.getAChildNode*() = this.getParentNode()
|
||||||
|
else none()
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -1415,8 +1416,9 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
|
|||||||
override string getVersion() {
|
override string getVersion() {
|
||||||
exists(YamlString name |
|
exists(YamlString name |
|
||||||
n.lookup("uses") = name and
|
n.lookup("uses") = name and
|
||||||
not name.getValue().matches("\\.%") and
|
if not name.getValue().matches("\\.%")
|
||||||
result = name.getValue().regexpCapture(repoUsesParser(), 4)
|
then result = name.getValue().regexpCapture(repoUsesParser(), 4)
|
||||||
|
else none()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -286,7 +286,7 @@ private module Cached {
|
|||||||
/**
|
/**
|
||||||
* Holds if `cfn` is the `i`th node in basic block `bb`.
|
* Holds if `cfn` is the `i`th node in basic block `bb`.
|
||||||
*
|
*
|
||||||
* In other words, `i` is the shortest distance from a node `bbStart`
|
* In other words, `i` is the shortest distance from a node `bb`
|
||||||
* that starts a basic block to `cfn` along the `intraBBSucc` relation.
|
* that starts a basic block to `cfn` along the `intraBBSucc` relation.
|
||||||
*/
|
*/
|
||||||
cached
|
cached
|
||||||
|
|||||||
@@ -3,8 +3,6 @@ private import codeql.controlflow.Cfg as CfgShared
|
|||||||
private import codeql.Locations
|
private import codeql.Locations
|
||||||
|
|
||||||
module Completion {
|
module Completion {
|
||||||
import codeql.controlflow.SuccessorType
|
|
||||||
|
|
||||||
private newtype TCompletion =
|
private newtype TCompletion =
|
||||||
TSimpleCompletion() or
|
TSimpleCompletion() or
|
||||||
TBooleanCompletion(boolean b) { b in [false, true] } or
|
TBooleanCompletion(boolean b) { b in [false, true] } or
|
||||||
@@ -27,7 +25,7 @@ module Completion {
|
|||||||
|
|
||||||
override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
|
override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
|
||||||
|
|
||||||
override DirectSuccessor getAMatchingSuccessorType() { any() }
|
override NormalSuccessor getAMatchingSuccessorType() { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
|
class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
|
||||||
@@ -51,6 +49,34 @@ module Completion {
|
|||||||
|
|
||||||
override ReturnSuccessor getAMatchingSuccessorType() { any() }
|
override ReturnSuccessor getAMatchingSuccessorType() { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cached
|
||||||
|
private newtype TSuccessorType =
|
||||||
|
TNormalSuccessor() or
|
||||||
|
TBooleanSuccessor(boolean b) { b in [false, true] } or
|
||||||
|
TReturnSuccessor()
|
||||||
|
|
||||||
|
class SuccessorType extends TSuccessorType {
|
||||||
|
string toString() { none() }
|
||||||
|
}
|
||||||
|
|
||||||
|
class NormalSuccessor extends SuccessorType, TNormalSuccessor {
|
||||||
|
override string toString() { result = "successor" }
|
||||||
|
}
|
||||||
|
|
||||||
|
class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
|
||||||
|
boolean value;
|
||||||
|
|
||||||
|
BooleanSuccessor() { this = TBooleanSuccessor(value) }
|
||||||
|
|
||||||
|
override string toString() { result = value.toString() }
|
||||||
|
|
||||||
|
boolean getValue() { result = value }
|
||||||
|
}
|
||||||
|
|
||||||
|
class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
|
||||||
|
override string toString() { result = "return" }
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module CfgScope {
|
module CfgScope {
|
||||||
@@ -101,8 +127,14 @@ private module Implementation implements CfgShared::InputSig<Location> {
|
|||||||
last(scope.(CompositeAction), e, c)
|
last(scope.(CompositeAction), e, c)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
|
||||||
|
|
||||||
|
predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
|
||||||
|
|
||||||
SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
|
SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
|
||||||
|
|
||||||
|
predicate isAbnormalExitType(SuccessorType t) { none() }
|
||||||
|
|
||||||
int idOfAstNode(AstNode node) { none() }
|
int idOfAstNode(AstNode node) { none() }
|
||||||
|
|
||||||
int idOfCfgScope(CfgScope scope) { none() }
|
int idOfCfgScope(CfgScope scope) { none() }
|
||||||
|
|||||||
@@ -63,10 +63,10 @@ predicate madSource(DataFlow::Node source, string kind, string fieldName) {
|
|||||||
(
|
(
|
||||||
if fieldName.trim().matches("env.%")
|
if fieldName.trim().matches("env.%")
|
||||||
then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
|
then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
|
||||||
else (
|
else
|
||||||
fieldName.trim().matches("output.%") and
|
if fieldName.trim().matches("output.%")
|
||||||
source.asExpr() = uses
|
then source.asExpr() = uses
|
||||||
)
|
else none()
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -31,14 +31,14 @@ abstract class RemoteFlowSource extends SourceNode {
|
|||||||
class GitHubCtxSource extends RemoteFlowSource {
|
class GitHubCtxSource extends RemoteFlowSource {
|
||||||
string flag;
|
string flag;
|
||||||
string event;
|
string event;
|
||||||
|
GitHubExpression e;
|
||||||
|
|
||||||
GitHubCtxSource() {
|
GitHubCtxSource() {
|
||||||
exists(GitHubExpression e |
|
this.asExpr() = e and
|
||||||
this.asExpr() = e and
|
// github.head_ref
|
||||||
// github.head_ref
|
e.getFieldName() = "head_ref" and
|
||||||
e.getFieldName() = "head_ref" and
|
flag = "branch" and
|
||||||
flag = "branch"
|
(
|
||||||
|
|
|
||||||
event = e.getATriggerEvent().getName() and
|
event = e.getATriggerEvent().getName() and
|
||||||
event = "pull_request_target"
|
event = "pull_request_target"
|
||||||
or
|
or
|
||||||
@@ -148,6 +148,7 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
|
|||||||
class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
|
class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
|
||||||
string cmd;
|
string cmd;
|
||||||
string flag;
|
string flag;
|
||||||
|
string access_path;
|
||||||
Run run;
|
Run run;
|
||||||
|
|
||||||
// Examples
|
// Examples
|
||||||
@@ -162,7 +163,7 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
|
|||||||
run.getScript().getACommand() = cmd and
|
run.getScript().getACommand() = cmd and
|
||||||
cmd.matches("jq%") and
|
cmd.matches("jq%") and
|
||||||
cmd.matches("%GITHUB_EVENT_PATH%") and
|
cmd.matches("%GITHUB_EVENT_PATH%") and
|
||||||
exists(string regexp, string access_path |
|
exists(string regexp |
|
||||||
untrustedEventPropertiesDataModel(regexp, flag) and
|
untrustedEventPropertiesDataModel(regexp, flag) and
|
||||||
not flag = "json" and
|
not flag = "json" and
|
||||||
access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and
|
access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and
|
||||||
|
|||||||
@@ -19,6 +19,7 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
|
|||||||
*/
|
*/
|
||||||
class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
|
class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
|
||||||
string command;
|
string command;
|
||||||
|
string argument;
|
||||||
|
|
||||||
ArgumentInjectionFromEnvVarSink() {
|
ArgumentInjectionFromEnvVarSink() {
|
||||||
exists(Run run, string var |
|
exists(Run run, string var |
|
||||||
@@ -27,7 +28,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
|
|||||||
exists(run.getInScopeEnvVarExpr(var)) or
|
exists(run.getInScopeEnvVarExpr(var)) or
|
||||||
var = "GITHUB_HEAD_REF"
|
var = "GITHUB_HEAD_REF"
|
||||||
) and
|
) and
|
||||||
run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, _)
|
run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -43,12 +44,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
|
|||||||
*/
|
*/
|
||||||
class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
|
class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
|
||||||
string command;
|
string command;
|
||||||
|
string argument;
|
||||||
|
|
||||||
ArgumentInjectionFromCommandSink() {
|
ArgumentInjectionFromCommandSink() {
|
||||||
exists(CommandSource source, Run run |
|
exists(CommandSource source, Run run |
|
||||||
run = source.getEnclosingRun() and
|
run = source.getEnclosingRun() and
|
||||||
this.asExpr() = run.getScript() and
|
this.asExpr() = run.getScript() and
|
||||||
run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, _)
|
run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -125,6 +125,8 @@ class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep,
|
|||||||
}
|
}
|
||||||
|
|
||||||
class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, UsesStep {
|
class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, UsesStep {
|
||||||
|
string script;
|
||||||
|
|
||||||
ActionsGitHubScriptDownloadStep() {
|
ActionsGitHubScriptDownloadStep() {
|
||||||
// eg:
|
// eg:
|
||||||
// - uses: actions/github-script@v6
|
// - uses: actions/github-script@v6
|
||||||
@@ -147,14 +149,12 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
|
|||||||
// var fs = require('fs');
|
// var fs = require('fs');
|
||||||
// fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
|
// fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
|
||||||
this.getCallee() = "actions/github-script" and
|
this.getCallee() = "actions/github-script" and
|
||||||
exists(string script |
|
this.getArgument("script") = script and
|
||||||
this.getArgument("script") = script and
|
script.matches("%listWorkflowRunArtifacts(%") and
|
||||||
script.matches("%listWorkflowRunArtifacts(%") and
|
script.matches("%downloadArtifact(%") and
|
||||||
script.matches("%downloadArtifact(%") and
|
script.matches("%writeFileSync(%") and
|
||||||
script.matches("%writeFileSync(%") and
|
// Filter out artifacts that were created by pull-request.
|
||||||
// Filter out artifacts that were created by pull-request.
|
not script.matches("%exclude_pull_requests: true%")
|
||||||
not script.matches("%exclude_pull_requests: true%")
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
override string getPath() {
|
override string getPath() {
|
||||||
@@ -171,10 +171,10 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
|
|||||||
.getScript()
|
.getScript()
|
||||||
.getACommand()
|
.getACommand()
|
||||||
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
|
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
|
||||||
else (
|
else
|
||||||
this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) and
|
if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
|
||||||
result = "GITHUB_WORKSPACE/"
|
then result = "GITHUB_WORKSPACE/"
|
||||||
)
|
else none()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -207,13 +207,12 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
|
|||||||
.getScript()
|
.getScript()
|
||||||
.getACommand()
|
.getACommand()
|
||||||
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
|
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
|
||||||
else (
|
else
|
||||||
(
|
if
|
||||||
this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
|
this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
|
||||||
this.getScript().getACommand().regexpMatch(unzipRegexp())
|
this.getScript().getACommand().regexpMatch(unzipRegexp())
|
||||||
) and
|
then result = "GITHUB_WORKSPACE/"
|
||||||
result = "GITHUB_WORKSPACE/"
|
else none()
|
||||||
)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -260,15 +259,15 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
|
|||||||
|
|
||||||
class ArtifactPoisoningSink extends DataFlow::Node {
|
class ArtifactPoisoningSink extends DataFlow::Node {
|
||||||
UntrustedArtifactDownloadStep download;
|
UntrustedArtifactDownloadStep download;
|
||||||
|
PoisonableStep poisonable;
|
||||||
|
|
||||||
ArtifactPoisoningSink() {
|
ArtifactPoisoningSink() {
|
||||||
exists(PoisonableStep poisonable |
|
download.getAFollowingStep() = poisonable and
|
||||||
download.getAFollowingStep() = poisonable and
|
// excluding artifacts downloaded to the temporary directory
|
||||||
// excluding artifacts downloaded to the temporary directory
|
not download.getPath().regexpMatch("^/tmp.*") and
|
||||||
not download.getPath().regexpMatch("^/tmp.*") and
|
not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
|
||||||
not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
|
not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
|
||||||
not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*")
|
(
|
||||||
|
|
|
||||||
poisonable.(Run).getScript() = this.asExpr() and
|
poisonable.(Run).getScript() = this.asExpr() and
|
||||||
(
|
(
|
||||||
// Check if the poisonable step is a local script execution step
|
// Check if the poisonable step is a local script execution step
|
||||||
|
|||||||
@@ -159,8 +159,11 @@ abstract class CommentVsHeadDateCheck extends ControlCheck {
|
|||||||
|
|
||||||
/* Specific implementations of control checks */
|
/* Specific implementations of control checks */
|
||||||
class LabelIfCheck extends LabelCheck instanceof If {
|
class LabelIfCheck extends LabelCheck instanceof If {
|
||||||
|
string condition;
|
||||||
|
|
||||||
LabelIfCheck() {
|
LabelIfCheck() {
|
||||||
exists(string condition | condition = normalizeExpr(this.getCondition()) |
|
condition = normalizeExpr(this.getCondition()) and
|
||||||
|
(
|
||||||
// eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
|
// eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
|
||||||
condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
|
condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
|
||||||
or
|
or
|
||||||
|
|||||||
@@ -55,8 +55,12 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
|
|||||||
* echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
|
* echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
|
||||||
*/
|
*/
|
||||||
class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
|
class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
|
||||||
|
CommandSource inCommand;
|
||||||
|
string injectedVar;
|
||||||
|
string command;
|
||||||
|
|
||||||
EnvVarInjectionFromCommandSink() {
|
EnvVarInjectionFromCommandSink() {
|
||||||
exists(Run run, CommandSource inCommand, string injectedVar, string command |
|
exists(Run run |
|
||||||
this.asExpr() = inCommand.getEnclosingRun().getScript() and
|
this.asExpr() = inCommand.getEnclosingRun().getScript() and
|
||||||
run = inCommand.getEnclosingRun() and
|
run = inCommand.getEnclosingRun() and
|
||||||
run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and
|
run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and
|
||||||
@@ -82,8 +86,12 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
|
|||||||
* echo "FOO=$BODY" >> $GITHUB_ENV
|
* echo "FOO=$BODY" >> $GITHUB_ENV
|
||||||
*/
|
*/
|
||||||
class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
|
class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
|
||||||
|
string inVar;
|
||||||
|
string injectedVar;
|
||||||
|
string command;
|
||||||
|
|
||||||
EnvVarInjectionFromEnvVarSink() {
|
EnvVarInjectionFromEnvVarSink() {
|
||||||
exists(Run run, string inVar, string injectedVar, string command |
|
exists(Run run |
|
||||||
run.getScript() = this.asExpr() and
|
run.getScript() = this.asExpr() and
|
||||||
exists(run.getInScopeEnvVarExpr(inVar)) and
|
exists(run.getInScopeEnvVarExpr(inVar)) and
|
||||||
run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and
|
run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and
|
||||||
|
|||||||
@@ -99,14 +99,18 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink {
|
|||||||
* echo $BODY
|
* echo $BODY
|
||||||
*/
|
*/
|
||||||
class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink {
|
class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink {
|
||||||
|
string clobbering_var;
|
||||||
|
string clobbered_value;
|
||||||
|
|
||||||
WorkflowCommandClobberingFromEnvVarSink() {
|
WorkflowCommandClobberingFromEnvVarSink() {
|
||||||
exists(Run run, string workflow_cmd_stmt, string clobbering_stmt, string clobbering_var |
|
exists(Run run, string workflow_cmd_stmt, string clobbering_stmt |
|
||||||
run.getScript() = this.asExpr() and
|
run.getScript() = this.asExpr() and
|
||||||
run.getScript().getAStmt() = clobbering_stmt and
|
run.getScript().getAStmt() = clobbering_stmt and
|
||||||
clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and
|
clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and
|
||||||
exists(run.getInScopeEnvVarExpr(clobbering_var)) and
|
exists(run.getInScopeEnvVarExpr(clobbering_var)) and
|
||||||
run.getScript().getAStmt() = workflow_cmd_stmt and
|
run.getScript().getAStmt() = workflow_cmd_stmt and
|
||||||
exists(trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)))
|
clobbered_value =
|
||||||
|
trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1))
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,8 +1,10 @@
|
|||||||
import actions
|
import actions
|
||||||
|
|
||||||
class UnversionedImmutableAction extends UsesStep {
|
class UnversionedImmutableAction extends UsesStep {
|
||||||
|
string immutable_action;
|
||||||
|
|
||||||
UnversionedImmutableAction() {
|
UnversionedImmutableAction() {
|
||||||
isImmutableAction(this, _) and
|
isImmutableAction(this, immutable_action) and
|
||||||
not isSemVer(this.getVersion())
|
not isSemVer(this.getVersion())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/actions-all
|
name: codeql/actions-all
|
||||||
version: 0.4.19
|
version: 0.4.16-dev
|
||||||
library: true
|
library: true
|
||||||
warnOnImplicitThis: true
|
warnOnImplicitThis: true
|
||||||
dependencies:
|
dependencies:
|
||||||
|
|||||||
@@ -1,21 +1,3 @@
|
|||||||
## 0.6.11
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.6.10
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.6.9
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Actions analysis now reports file coverage information on the CodeQL status page.
|
|
||||||
|
|
||||||
## 0.6.8
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.6.7
|
## 0.6.7
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,13 +0,0 @@
|
|||||||
/**
|
|
||||||
* @id actions/diagnostics/successfully-extracted-files
|
|
||||||
* @name Extracted files
|
|
||||||
* @description List all files that were extracted.
|
|
||||||
* @kind diagnostic
|
|
||||||
* @tags successfully-extracted-files
|
|
||||||
*/
|
|
||||||
|
|
||||||
private import codeql.Locations
|
|
||||||
|
|
||||||
from File f
|
|
||||||
where exists(f.getRelativePath())
|
|
||||||
select f, ""
|
|
||||||
@@ -32,7 +32,7 @@ jobs:
|
|||||||
|
|
||||||
- uses: actions/setup-node@v1
|
- uses: actions/setup-node@v1
|
||||||
- run: |
|
- run: |
|
||||||
npm install # scripts in package.json from PR would be executed here
|
npm install # scripts in package.json from PR would be executed here
|
||||||
npm build
|
npm build
|
||||||
|
|
||||||
- uses: completely/fakeaction@v2
|
- uses: completely/fakeaction@v2
|
||||||
|
|||||||
@@ -32,7 +32,7 @@ jobs:
|
|||||||
|
|
||||||
- uses: actions/setup-node@v1
|
- uses: actions/setup-node@v1
|
||||||
- run: |
|
- run: |
|
||||||
npm install # scripts in package.json from PR would be executed here
|
npm install # scripts in package.json from PR would be executed here
|
||||||
npm build
|
npm build
|
||||||
|
|
||||||
- uses: completely/fakeaction@v2
|
- uses: completely/fakeaction@v2
|
||||||
|
|||||||
@@ -32,7 +32,7 @@ jobs:
|
|||||||
|
|
||||||
- uses: actions/setup-node@v1
|
- uses: actions/setup-node@v1
|
||||||
- run: |
|
- run: |
|
||||||
npm install # scripts in package.json from PR would be executed here
|
npm install # scripts in package.json from PR would be executed here
|
||||||
npm build
|
npm build
|
||||||
|
|
||||||
- uses: completely/fakeaction@v2
|
- uses: completely/fakeaction@v2
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.6.10
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.6.11
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.6.8
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
## 0.6.9
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Actions analysis now reports file coverage information on the CodeQL status page.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.6.11
|
lastReleaseVersion: 0.6.7
|
||||||
|
|||||||
@@ -19,5 +19,5 @@ import SecretExfiltrationFlow::PathGraph
|
|||||||
from SecretExfiltrationFlow::PathNode source, SecretExfiltrationFlow::PathNode sink
|
from SecretExfiltrationFlow::PathNode source, SecretExfiltrationFlow::PathNode sink
|
||||||
where SecretExfiltrationFlow::flowPath(source, sink)
|
where SecretExfiltrationFlow::flowPath(source, sink)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource.",
|
"Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource.",
|
||||||
sink, sink.getNode().asExpr().(Expression).getRawExpression()
|
sink, sink.getNode().asExpr().(Expression).getRawExpression()
|
||||||
|
|||||||
@@ -37,6 +37,8 @@ where
|
|||||||
)
|
)
|
||||||
or
|
or
|
||||||
// upload artifact is not used in the same workflow
|
// upload artifact is not used in the same workflow
|
||||||
not download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() instanceof UsesStep
|
not exists(UsesStep upload |
|
||||||
|
download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload
|
||||||
|
)
|
||||||
)
|
)
|
||||||
select download, "Potential artifact poisoning"
|
select download, "Potential artifact poisoning"
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/actions-queries
|
name: codeql/actions-queries
|
||||||
version: 0.6.11
|
version: 0.6.8-dev
|
||||||
library: false
|
library: false
|
||||||
warnOnImplicitThis: true
|
warnOnImplicitThis: true
|
||||||
groups: [actions, queries]
|
groups: [actions, queries]
|
||||||
|
|||||||
@@ -3,4 +3,4 @@ nodes
|
|||||||
| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
|
| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
|
||||||
subpaths
|
subpaths
|
||||||
#select
|
#select
|
||||||
| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
|
| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
|
||||||
|
|||||||
@@ -177,12 +177,6 @@ def insert_overlay_caller_annotations(lines):
|
|||||||
out_lines.append(line)
|
out_lines.append(line)
|
||||||
return out_lines
|
return out_lines
|
||||||
|
|
||||||
explicitly_global = set([
|
|
||||||
"java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll",
|
|
||||||
"java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll",
|
|
||||||
"java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll",
|
|
||||||
"java/ql/lib/semmle/code/java/dispatch/internal/Unification.qll",
|
|
||||||
])
|
|
||||||
|
|
||||||
def annotate_as_appropriate(filename, lines):
|
def annotate_as_appropriate(filename, lines):
|
||||||
'''
|
'''
|
||||||
@@ -202,9 +196,6 @@ def annotate_as_appropriate(filename, lines):
|
|||||||
((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
|
((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
|
||||||
any("implements DataFlow::ConfigSig" in line for line in lines))):
|
any("implements DataFlow::ConfigSig" in line for line in lines))):
|
||||||
return None
|
return None
|
||||||
elif filename in explicitly_global:
|
|
||||||
# These files are explicitly global and should not be annotated.
|
|
||||||
return None
|
|
||||||
elif not any(line for line in lines if line.strip()):
|
elif not any(line for line in lines if line.strip()):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,4 +0,0 @@
|
|||||||
description: Link PCH creations and uses
|
|
||||||
compatibility: full
|
|
||||||
pch_uses.rel: delete
|
|
||||||
pch_creations.rel: delete
|
|
||||||
@@ -7,10 +7,12 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
|
|||||||
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
|
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
|
||||||
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
|
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
|
||||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
|
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
|
||||||
|
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
|
||||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
|
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
|
||||||
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
|
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
|
||||||
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
|
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
|
||||||
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
|
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
|
||||||
|
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
|
||||||
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
|
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
|
||||||
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
|
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
|
||||||
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
|
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
|
||||||
@@ -28,6 +30,7 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
|
|||||||
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
|
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
|
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
|
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
|
||||||
|
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
|
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
|
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
|
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
|
||||||
@@ -40,6 +43,7 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
|
|||||||
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
|
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
|
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
|
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
|
||||||
|
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
|
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
|
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
|
||||||
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
|
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
|
||||||
|
|||||||
@@ -1,38 +1,3 @@
|
|||||||
## 6.0.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* C/C++ `build-mode: none` support is now generally available.
|
|
||||||
|
|
||||||
## 5.6.1
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 5.6.0
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* The predicate `getAContructorCall` in the class `SslContextClass` has been deprecated. Use `getAConstructorCall` instead.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type is defined in terms of another `VlaDeclStmt` via a `typedef`.
|
|
||||||
|
|
||||||
## 5.5.0
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added a new class `PchFile` representing precompiled header (PCH) files used during project compilation.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Added flow summaries for the `Microsoft::WRL::ComPtr` member functions.
|
|
||||||
* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.
|
|
||||||
|
|
||||||
## 5.4.1
|
## 5.4.1
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
### Minor Analysis Improvements
|
||||||
|
|||||||
@@ -35,7 +35,7 @@ class CustomOptions extends Options {
|
|||||||
override predicate returnsNull(Call call) { Options.super.returnsNull(call) }
|
override predicate returnsNull(Call call) { Options.super.returnsNull(call) }
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if a call to the function `f` will never return.
|
* Holds if a call to this function will never return.
|
||||||
*
|
*
|
||||||
* By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
|
* By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
|
||||||
* `longjmp`, `error`, `__builtin_unreachable` and any function with a
|
* `longjmp`, `error`, `__builtin_unreachable` and any function with a
|
||||||
|
|||||||
4
cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md
Normal file
4
cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
## 5.5.0
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added a new class `PchFile` representing precompiled header (PCH) files used during project compilation.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Added flow summaries for the `Microsoft::WRL::ComPtr` member functions.
|
|
||||||
* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
## 5.6.0
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* The predicate `getAContructorCall` in the class `SslContextClass` has been deprecated. Use `getAConstructorCall` instead.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type is defined in terms of another `VlaDeclStmt` via a `typedef`.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 5.6.1
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
## 6.0.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* C/C++ `build-mode: none` support is now generally available.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 6.0.0
|
lastReleaseVersion: 5.4.1
|
||||||
|
|||||||
@@ -15,7 +15,6 @@
|
|||||||
|
|
||||||
import Customizations
|
import Customizations
|
||||||
import semmle.code.cpp.File
|
import semmle.code.cpp.File
|
||||||
import semmle.code.cpp.PchFile
|
|
||||||
import semmle.code.cpp.Linkage
|
import semmle.code.cpp.Linkage
|
||||||
import semmle.code.cpp.Location
|
import semmle.code.cpp.Location
|
||||||
import semmle.code.cpp.Compilation
|
import semmle.code.cpp.Compilation
|
||||||
|
|||||||
@@ -127,7 +127,7 @@ abstract class CryptographicAlgorithm extends CryptographicArtifact {
|
|||||||
/**
|
/**
|
||||||
* Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
|
* Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
|
||||||
* Subclassess should override for more api-specific normalization.
|
* Subclassess should override for more api-specific normalization.
|
||||||
* By default, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
|
* By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
|
||||||
*/
|
*/
|
||||||
bindingset[s]
|
bindingset[s]
|
||||||
string normalizeName(string s) {
|
string normalizeName(string s) {
|
||||||
|
|||||||
@@ -652,14 +652,14 @@ module KeyGeneration {
|
|||||||
* Trace from EVP_PKEY_CTX* at algorithm sink to keygen,
|
* Trace from EVP_PKEY_CTX* at algorithm sink to keygen,
|
||||||
* users can then extrapolatae the matching algorithm from the alg sink to the keygen
|
* users can then extrapolatae the matching algorithm from the alg sink to the keygen
|
||||||
*/
|
*/
|
||||||
module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSizeConfig implements DataFlow::ConfigSig {
|
module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize implements DataFlow::ConfigSig {
|
||||||
predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
|
predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
|
predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
|
||||||
}
|
}
|
||||||
|
|
||||||
module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
|
module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
|
||||||
DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSizeConfig>;
|
DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume
|
* UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user