mirror of
https://github.com/github/codeql.git
synced 2026-05-18 13:17:08 +02:00
Compare commits
3 Commits
codeql-cli
...
alexdeniso
| Author | SHA1 | Date | |
|---|---|---|---|
|
3444d9d993 | ||
|
|
44d61f2ed4 | ||
|
|
1c4dd78c5f |
@@ -1,7 +1,3 @@
|
||||
## 0.12.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.12.1
|
||||
|
||||
### New Features
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.12.2
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.12.2
|
||||
lastReleaseVersion: 0.12.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 0.12.2
|
||||
version: 0.12.1
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -23,8 +23,9 @@ private module Internal {
|
||||
newtype TOperand =
|
||||
// RAW
|
||||
TRegisterOperand(TRawInstruction useInstr, RegisterOperandTag tag, TRawInstruction defInstr) {
|
||||
defInstr = unique( | | RawConstruction::getRegisterOperandDefinition(useInstr, tag)) and
|
||||
not RawConstruction::isInCycle(useInstr)
|
||||
defInstr = RawConstruction::getRegisterOperandDefinition(useInstr, tag) and
|
||||
not RawConstruction::isInCycle(useInstr) and
|
||||
strictcount(RawConstruction::getRegisterOperandDefinition(useInstr, tag)) = 1
|
||||
} or
|
||||
// Placeholder for Phi and Chi operands in stages that don't have the corresponding instructions
|
||||
TNoOperand() { none() } or
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.9.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.9.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.9.1
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.9.1
|
||||
lastReleaseVersion: 0.9.0
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
*/
|
||||
|
||||
import cpp
|
||||
import semmle.code.cpp.dataflow.DataFlow
|
||||
import semmle.code.cpp.controlflow.Nullness
|
||||
|
||||
class StarOperator extends Operator {
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
*/
|
||||
|
||||
import cpp
|
||||
import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow
|
||||
import experimental.cryptography.Concepts
|
||||
|
||||
from HashAlgorithm alg, Expr confSink, string msg
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 0.9.1
|
||||
version: 0.9.0
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
using System.Collections.Generic;
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
|
||||
@@ -19,7 +20,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
/// assembly cache.
|
||||
/// </param>
|
||||
/// <param name="progressMonitor">Callback for progress.</param>
|
||||
public AssemblyCache(IEnumerable<string> paths, IEnumerable<string> frameworkPaths, ProgressMonitor progressMonitor)
|
||||
public AssemblyCache(IEnumerable<string> paths, ProgressMonitor progressMonitor)
|
||||
{
|
||||
foreach (var path in paths)
|
||||
{
|
||||
@@ -39,7 +40,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
progressMonitor.LogInfo("AssemblyCache: Path not found: " + path);
|
||||
}
|
||||
}
|
||||
IndexReferences(frameworkPaths);
|
||||
IndexReferences();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
@@ -56,11 +57,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
}
|
||||
|
||||
private static readonly Version emptyVersion = new Version(0, 0, 0, 0);
|
||||
|
||||
/// <summary>
|
||||
/// Indexes all DLLs we have located.
|
||||
/// Because this is a potentially time-consuming operation, it is put into a separate stage.
|
||||
/// </summary>
|
||||
private void IndexReferences(IEnumerable<string> frameworkPaths)
|
||||
private void IndexReferences()
|
||||
{
|
||||
// Read all of the files
|
||||
foreach (var filename in pendingDllsToIndex)
|
||||
@@ -68,9 +71,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
IndexReference(filename);
|
||||
}
|
||||
|
||||
// Index "assemblyInfo" by version string
|
||||
// The OrderBy is used to ensure that we by default select the highest version number.
|
||||
foreach (var info in assemblyInfoByFileName.Values
|
||||
.OrderBy(info => info.Name)
|
||||
.OrderAssemblyInfosByPreference(frameworkPaths))
|
||||
.ThenBy(info => info.NetCoreVersion ?? emptyVersion)
|
||||
.ThenBy(info => info.Version ?? emptyVersion)
|
||||
.ThenBy(info => info.Filename))
|
||||
{
|
||||
foreach (var index in info.IndexStrings)
|
||||
{
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
|
||||
namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
{
|
||||
internal static class AssemblyCacheExtensions
|
||||
{
|
||||
private static readonly Version emptyVersion = new Version(0, 0, 0, 0);
|
||||
|
||||
/// <summary>
|
||||
/// This method orders AssemblyInfos by version numbers (.net core version first, then assembly version). Finally, it orders by filename to make the order deterministic.
|
||||
/// </summary>
|
||||
public static IOrderedEnumerable<AssemblyInfo> OrderAssemblyInfosByPreference(this IEnumerable<AssemblyInfo> assemblies, IEnumerable<string> frameworkPaths)
|
||||
{
|
||||
// prefer framework assemblies over others
|
||||
int initialOrdering(AssemblyInfo info) => frameworkPaths.Any(framework => info.Filename.StartsWith(framework, StringComparison.OrdinalIgnoreCase)) ? 1 : 0;
|
||||
|
||||
var ordered = assemblies is IOrderedEnumerable<AssemblyInfo> o
|
||||
? o.ThenBy(initialOrdering)
|
||||
: assemblies.OrderBy(initialOrdering);
|
||||
|
||||
return ordered
|
||||
.ThenBy(info => info.NetCoreVersion ?? emptyVersion)
|
||||
.ThenBy(info => info.Version ?? emptyVersion)
|
||||
.ThenBy(info => info.Filename);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -128,18 +128,16 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
DownloadMissingPackages(allNonBinaryFiles, dllPaths);
|
||||
}
|
||||
|
||||
var frameworkLocations = new HashSet<string>();
|
||||
|
||||
// Find DLLs in the .Net / Asp.Net Framework
|
||||
// This block needs to come after the nuget restore, because the nuget restore might fetch the .NET Core/Framework reference assemblies.
|
||||
if (options.ScanNetFrameworkDlls)
|
||||
{
|
||||
AddNetFrameworkDlls(dllPaths, frameworkLocations);
|
||||
AddAspNetCoreFrameworkDlls(dllPaths, frameworkLocations);
|
||||
AddMicrosoftWindowsDesktopDlls(dllPaths, frameworkLocations);
|
||||
AddNetFrameworkDlls(dllPaths);
|
||||
AddAspNetCoreFrameworkDlls(dllPaths);
|
||||
AddMicrosoftWindowsDesktopDlls(dllPaths);
|
||||
}
|
||||
|
||||
assemblyCache = new AssemblyCache(dllPaths, frameworkLocations, progressMonitor);
|
||||
assemblyCache = new AssemblyCache(dllPaths, progressMonitor);
|
||||
AnalyseSolutions(solutions);
|
||||
|
||||
foreach (var filename in assemblyCache.AllAssemblies.Select(a => a.Filename))
|
||||
@@ -148,7 +146,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
|
||||
RemoveNugetAnalyzerReferences();
|
||||
ResolveConflicts(frameworkLocations);
|
||||
ResolveConflicts();
|
||||
|
||||
// Output the findings
|
||||
foreach (var r in usedReferences.Keys.OrderBy(r => r))
|
||||
@@ -230,7 +228,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
}
|
||||
|
||||
private void AddNetFrameworkDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
|
||||
private void AddNetFrameworkDlls(ISet<string> dllPaths)
|
||||
{
|
||||
// Multiple dotnet framework packages could be present.
|
||||
// The order of the packages is important, we're adding the first one that is present in the nuget cache.
|
||||
@@ -243,7 +241,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
if (frameworkPath.Path is not null)
|
||||
{
|
||||
dllPaths.Add(frameworkPath.Path);
|
||||
frameworkLocations.Add(frameworkPath.Path);
|
||||
progressMonitor.LogInfo($"Found .NET Core/Framework DLLs in NuGet packages at {frameworkPath.Path}. Not adding installation directory.");
|
||||
|
||||
for (var i = frameworkPath.Index + 1; i < packagesInPrioOrder.Length; i++)
|
||||
@@ -273,7 +270,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
|
||||
progressMonitor.LogInfo($".NET runtime location selected: {runtimeLocation}");
|
||||
dllPaths.Add(runtimeLocation);
|
||||
frameworkLocations.Add(runtimeLocation);
|
||||
}
|
||||
|
||||
private void RemoveNugetPackageReference(string packagePrefix, ISet<string> dllPaths)
|
||||
@@ -298,7 +294,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
}
|
||||
|
||||
private void AddAspNetCoreFrameworkDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
|
||||
private void AddAspNetCoreFrameworkDlls(ISet<string> dllPaths)
|
||||
{
|
||||
if (!fileContent.IsNewProjectStructureUsed || !fileContent.UseAspNetCoreDlls)
|
||||
{
|
||||
@@ -310,25 +306,20 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
{
|
||||
progressMonitor.LogInfo($"Found ASP.NET Core in NuGet packages. Not adding installation directory.");
|
||||
dllPaths.Add(aspNetCorePackage);
|
||||
frameworkLocations.Add(aspNetCorePackage);
|
||||
return;
|
||||
}
|
||||
|
||||
if (Runtime.AspNetCoreRuntime is string aspNetCoreRuntime)
|
||||
else if (Runtime.AspNetCoreRuntime is string aspNetCoreRuntime)
|
||||
{
|
||||
progressMonitor.LogInfo($"ASP.NET runtime location selected: {aspNetCoreRuntime}");
|
||||
dllPaths.Add(aspNetCoreRuntime);
|
||||
frameworkLocations.Add(aspNetCoreRuntime);
|
||||
}
|
||||
}
|
||||
|
||||
private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
|
||||
private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths)
|
||||
{
|
||||
if (GetPackageDirectory(FrameworkPackageNames.WindowsDesktopFramework) is string windowsDesktopApp)
|
||||
{
|
||||
progressMonitor.LogInfo($"Found Windows Desktop App in NuGet packages.");
|
||||
dllPaths.Add(windowsDesktopApp);
|
||||
frameworkLocations.Add(windowsDesktopApp);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -354,13 +345,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
|
||||
return new DirectoryInfo(packageDirectory.DirInfo.FullName)
|
||||
.EnumerateDirectories("*", new EnumerationOptions { MatchCasing = MatchCasing.CaseInsensitive, RecurseSubdirectories = false })
|
||||
.Select(d => d.Name);
|
||||
.Select(d => d.FullName);
|
||||
}
|
||||
|
||||
private void LogAllUnusedPackages(DependencyContainer dependencies) =>
|
||||
GetAllPackageDirectories()
|
||||
.Where(package => !dependencies.Packages.Contains(package))
|
||||
.Order()
|
||||
.ForEach(package => progressMonitor.LogInfo($"Unused package: {package}"));
|
||||
|
||||
private void GenerateSourceFileFromImplicitUsings()
|
||||
@@ -482,7 +472,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
/// If the same assembly name is duplicated with different versions,
|
||||
/// resolve to the higher version number.
|
||||
/// </summary>
|
||||
private void ResolveConflicts(IEnumerable<string> frameworkPaths)
|
||||
private void ResolveConflicts()
|
||||
{
|
||||
var sortedReferences = new List<AssemblyInfo>();
|
||||
foreach (var usedReference in usedReferences)
|
||||
@@ -498,8 +488,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
}
|
||||
|
||||
var emptyVersion = new Version(0, 0);
|
||||
sortedReferences = sortedReferences
|
||||
.OrderAssemblyInfosByPreference(frameworkPaths)
|
||||
.OrderBy(r => r.NetCoreVersion ?? emptyVersion)
|
||||
.ThenBy(r => r.Version ?? emptyVersion)
|
||||
.ThenBy(r => r.Filename)
|
||||
.ToList();
|
||||
|
||||
var finalAssemblyList = new Dictionary<string, AssemblyInfo>();
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.5
|
||||
lastReleaseVersion: 1.7.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.5
|
||||
version: 1.7.4
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.5
|
||||
lastReleaseVersion: 1.7.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.5
|
||||
version: 1.7.4
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.8.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.5
|
||||
lastReleaseVersion: 0.8.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 0.8.5
|
||||
version: 0.8.4
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -105,10 +105,7 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
|
||||
* then both `{ return 0; }` and `{ return 1; }` are statement bodies of
|
||||
* `N.C.M()`.
|
||||
*/
|
||||
final BlockStmt getStatementBody() {
|
||||
result = getStatementBody(this) and
|
||||
not this.getFile().isStub()
|
||||
}
|
||||
final BlockStmt getStatementBody() { result = this.getAChildStmt() }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `getStatementBody` instead.
|
||||
@@ -146,8 +143,8 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
|
||||
* then both `0` and `1` are expression bodies of `N.C.M()`.
|
||||
*/
|
||||
final Expr getExpressionBody() {
|
||||
result = getExpressionBody(this) and
|
||||
not this.getFile().isStub()
|
||||
result = this.getAChildExpr() and
|
||||
not result = this.(Constructor).getInitializer()
|
||||
}
|
||||
|
||||
/** Holds if this callable has an expression body. */
|
||||
|
||||
@@ -53,20 +53,6 @@ class TopLevelExprParent extends Element, @top_level_expr_parent {
|
||||
|
||||
private predicate hasNoSourceLocation(Element e) { not e.getALocation() instanceof SourceLocation }
|
||||
|
||||
/** INTERNAL: Do not use. */
|
||||
Expr getExpressionBody(Callable c) {
|
||||
result = c.getAChildExpr() and
|
||||
not result = c.(Constructor).getInitializer()
|
||||
}
|
||||
|
||||
/** INTERNAL: Do not use. */
|
||||
BlockStmt getStatementBody(Callable c) { result = c.getAChildStmt() }
|
||||
|
||||
private ControlFlowElement getBody(Callable c) {
|
||||
result = getExpressionBody(c) or
|
||||
result = getStatementBody(c)
|
||||
}
|
||||
|
||||
cached
|
||||
private module Cached {
|
||||
cached
|
||||
@@ -175,20 +161,20 @@ private module Cached {
|
||||
|
||||
private predicate parent(ControlFlowElement child, ExprOrStmtParent parent) {
|
||||
child = getAChild(parent) and
|
||||
not child = getBody(_)
|
||||
not child = any(Callable c).getBody()
|
||||
}
|
||||
|
||||
/** Holds if the enclosing body of `cfe` is `body`. */
|
||||
cached
|
||||
predicate enclosingBody(ControlFlowElement cfe, ControlFlowElement body) {
|
||||
body = getBody(_) and
|
||||
body = any(Callable c).getBody() and
|
||||
parent*(enclosingStart(cfe), body)
|
||||
}
|
||||
|
||||
/** Holds if the enclosing callable of `cfe` is `c`. */
|
||||
cached
|
||||
predicate enclosingCallable(ControlFlowElement cfe, Callable c) {
|
||||
enclosingBody(cfe, getBody(c))
|
||||
enclosingBody(cfe, c.getBody())
|
||||
or
|
||||
parent*(enclosingStart(cfe), c.(Constructor).getInitializer())
|
||||
}
|
||||
|
||||
@@ -54,14 +54,14 @@ class File extends Container, Impl::File {
|
||||
|
||||
/** Holds if this file is a QL test stub file. */
|
||||
pragma[noinline]
|
||||
predicate isStub() {
|
||||
private predicate isStub() {
|
||||
this.extractedQlTest() and
|
||||
this.getAbsolutePath().matches("%resources/stubs/%")
|
||||
}
|
||||
|
||||
/** Holds if this file contains source code. */
|
||||
final predicate fromSource() {
|
||||
this.getExtension() = ["cs", "cshtml"] and
|
||||
this.getExtension() = "cs" and
|
||||
not this.isStub()
|
||||
}
|
||||
|
||||
|
||||
@@ -13,14 +13,11 @@ private import semmle.code.csharp.commons.Compilation
|
||||
/** An element that defines a new CFG scope. */
|
||||
class CfgScope extends Element, @top_level_exprorstmt_parent {
|
||||
CfgScope() {
|
||||
this.getFile().fromSource() and
|
||||
(
|
||||
this instanceof Callable
|
||||
or
|
||||
// For now, static initializer values have their own scope. Eventually, they
|
||||
// should be treated like instance initializers.
|
||||
this.(Assignable).(Modifiable).isStatic()
|
||||
)
|
||||
this instanceof Callable
|
||||
or
|
||||
// For now, static initializer values have their own scope. Eventually, they
|
||||
// should be treated like instance initializers.
|
||||
this.(Assignable).(Modifiable).isStatic()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -168,8 +168,7 @@ private SummaryComponent delegateSelf() {
|
||||
|
||||
private predicate mayInvokeCallback(Callable c, int n) {
|
||||
c.getParameter(n).getType() instanceof SystemLinqExpressions::DelegateExtType and
|
||||
not c.hasBody() and
|
||||
(if c instanceof Accessor then not c.fromSource() else any())
|
||||
not c.fromSource()
|
||||
}
|
||||
|
||||
private class SummarizedCallableWithCallback extends SummarizedCallable {
|
||||
|
||||
@@ -81,9 +81,9 @@ newtype TReturnKind =
|
||||
*/
|
||||
class DataFlowSummarizedCallable instanceof FlowSummary::SummarizedCallable {
|
||||
DataFlowSummarizedCallable() {
|
||||
not this.hasBody()
|
||||
not this.fromSource()
|
||||
or
|
||||
this.hasBody() and not this.applyGeneratedModel()
|
||||
this.fromSource() and not this.applyGeneratedModel()
|
||||
}
|
||||
|
||||
string toString() { result = super.toString() }
|
||||
|
||||
@@ -310,12 +310,7 @@ private module CallGraph {
|
||||
c = any(DelegateCall dc | e = dc.getExpr()) and
|
||||
libraryDelegateCall = false
|
||||
or
|
||||
exists(Callable target |
|
||||
target = c.getTarget() and
|
||||
not target.hasBody()
|
||||
|
|
||||
if target instanceof Accessor then not target.fromSource() else any()
|
||||
) and
|
||||
c.getTarget().fromLibrary() and
|
||||
e = c.getAnArgument() and
|
||||
e.getType() instanceof SystemLinqExpressions::DelegateExtType and
|
||||
libraryDelegateCall = true
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.8.4
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
* @precision medium
|
||||
* @id cs/web/insecure-direct-object-reference
|
||||
* @tags security
|
||||
* external/cwe/cwe-639
|
||||
* external/cwe-639
|
||||
*/
|
||||
|
||||
import csharp
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.5
|
||||
lastReleaseVersion: 0.8.4
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
* @id cs/hash-without-salt
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-759
|
||||
* external/cwe-759
|
||||
*/
|
||||
|
||||
import csharp
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 0.8.5
|
||||
version: 0.8.4
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -185,16 +185,16 @@ namespace My.Qltest
|
||||
void M1()
|
||||
{
|
||||
var o = new object();
|
||||
Sink(GeneratedFlow(o)); // no flow because the modelled method exists in source code
|
||||
Sink(GeneratedFlow(o));
|
||||
}
|
||||
|
||||
void M2()
|
||||
{
|
||||
var o1 = new object();
|
||||
Sink(GeneratedFlowArgs(o1, null)); // no flow because the modelled method exists in source code
|
||||
Sink(GeneratedFlowArgs(o1, null));
|
||||
|
||||
var o2 = new object();
|
||||
Sink(GeneratedFlowArgs(null, o2)); // no flow because the modelled method exists in source code
|
||||
Sink(GeneratedFlowArgs(null, o2));
|
||||
}
|
||||
|
||||
void M3()
|
||||
|
||||
@@ -61,6 +61,12 @@ edges
|
||||
| ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object |
|
||||
| ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object |
|
||||
| ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | ExternalFlow.cs:120:18:120:21 | access to array element |
|
||||
| ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | ExternalFlow.cs:188:32:188:32 | access to local variable o : Object |
|
||||
| ExternalFlow.cs:188:32:188:32 | access to local variable o : Object | ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow |
|
||||
| ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object |
|
||||
| ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object | ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs |
|
||||
| ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object |
|
||||
| ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object | ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs |
|
||||
| ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object |
|
||||
| ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs |
|
||||
| ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | ExternalFlow.cs:232:21:232:21 | access to local variable h : HC |
|
||||
@@ -145,6 +151,15 @@ nodes
|
||||
| ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | semmle.label | access to local variable a : null [element] : Object |
|
||||
| ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | semmle.label | access to local variable b : null [element] : Object |
|
||||
| ExternalFlow.cs:120:18:120:21 | access to array element | semmle.label | access to array element |
|
||||
| ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | semmle.label | call to method GeneratedFlow |
|
||||
| ExternalFlow.cs:188:32:188:32 | access to local variable o : Object | semmle.label | access to local variable o : Object |
|
||||
| ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
|
||||
| ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
|
||||
| ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
|
||||
| ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
|
||||
| ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | semmle.label | call to method MixedFlowArgs |
|
||||
| ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
|
||||
@@ -174,5 +189,8 @@ subpaths
|
||||
| ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:120:18:120:21 | access to array element | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:120:18:120:21 | access to array element | $@ | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | $@ | ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | $@ | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:233:18:233:18 | access to local variable o | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | ExternalFlow.cs:233:18:233:18 | access to local variable o | $@ | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | object creation of type HC : HC |
|
||||
|
||||
@@ -18,7 +18,7 @@ When you open the model editor, it analyzes the currently selected CodeQL databa
|
||||
|
||||
The model editor has two different modes:
|
||||
|
||||
- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for a specific codebase.
|
||||
- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for the specific codebase.
|
||||
|
||||
- Dependency mode: The editor identifies all of the publicly accessible APIs in the selected CodeQL database. This view guides you through modeling each public API that the codebase makes available. When you have finished modeling the entire API, you can save the model and use it to improve the CodeQL analysis for all codebases that use the dependency.
|
||||
|
||||
@@ -28,45 +28,30 @@ Displaying the CodeQL model editor
|
||||
#. Open your CodeQL workspace in VS Code, for example, the ``vscode-codeql-starter`` workspace.
|
||||
If you haven't updated the ``ql`` submodule for a while, update it from ``main`` to ensure that you have the queries used to gather data for the model editor.
|
||||
#. Open the CodeQL extension and select the CodeQL database that you want to model from the "Databases" section of the left side pane.
|
||||
#. In the left side panel, expand the "CodeQL method modeling" section and click **Start modeling** to display the model editor. Alternatively, use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
|
||||
#. The CodeQL model editor runs a series of telemetry queries to identify APIs in the code and the editor is displayed in a new tab.
|
||||
#. When the telemetry queries are complete, the APIs that have been identified are shown in the editor.
|
||||
|
||||
.. tip::
|
||||
|
||||
The "CodeQL method modeling" section is a view that you can move from the primary sidebar to the secondary sidebar, when you want more space while you are modeling calls or methods. If you close the view, you can reopen it from the "Open Views" option in the **View** menu.
|
||||
#. Use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
|
||||
#. The CodeQL model editor will open in a new tab and run a series of telemetry queries to identify APIs in the code.
|
||||
#. When the queries are complete, the APIs that have been identified are shown in the editor.
|
||||
|
||||
Modeling the calls your codebase makes to external APIs
|
||||
-------------------------------------------------------
|
||||
|
||||
You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is useful when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
|
||||
You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is usually when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
|
||||
|
||||
#. Select the CodeQL database that you want to improve CodeQL coverage for.
|
||||
#. Display the CodeQL model editor. By default the editor runs in application mode, so the list of external APIs used by the selected codebase is shown.
|
||||
|
||||
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode.png
|
||||
:width: 800
|
||||
:alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing two of the external Java frameworks used by the "sofa-jraft" codebase.
|
||||
:alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing three of the external frameworks used by the "sofa-jraft" codebase.
|
||||
|
||||
#. Click to expand an external API and view the list of calls from the codebase to the external dependency.
|
||||
#. Click **View** associated with an API call or method to show where it is used in your codebase.
|
||||
|
||||
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode-expanded.png
|
||||
:width: 800
|
||||
:alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing the calls to the "rocksdbjni" framework ready for modeling. The "View" option for the first call is highlighted with a dark orange outline.
|
||||
|
||||
#. Click **View** associated with an API call or method to show where it is used in your codebase.
|
||||
|
||||
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode-view-code.png
|
||||
:width: 800
|
||||
:alt: Screenshot of a file showing a place where your codebase calls the API is highlighted with a dark orange outline.
|
||||
|
||||
#. The file containing the first call from your codebase to the API is opened and a "CodeQL methods usage" view is displayed in the VS Code Panel (where the "Problems" and "Terminal" views are usually displayed). The "CodeQL methods usage" view lists of all the calls from your code to the API, grouped by method. You can click through each use to decide how to model your use of the method.
|
||||
|
||||
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode-view-list.png
|
||||
:width: 800
|
||||
:alt: Screenshot of the "CodeQL methods usage" view. The currently displayed call to an external method is highlighted blue.
|
||||
|
||||
#. When you have determined how to model your use of the method, you can define the **Model type** in the "CodeQL method modeling" tab of the CodeQL extension. This change is automatically reflected in the main model editor.
|
||||
#. When you have determined how to model the call or method, define the **Model type**.
|
||||
#. The remaining fields are updated with available options:
|
||||
|
||||
- **Source**: choose the **Output** element to model.
|
||||
@@ -74,9 +59,9 @@ You typically use this approach when you are looking at a specific codebase wher
|
||||
- **Flow summary**: choose the **Input** and **Output** elements to model.
|
||||
|
||||
#. Define the **Kind** of dataflow for the model.
|
||||
#. When you have finished modeling, display the main model editor and click **Save all** or **Save** (shown at the bottom right of each expanded list of methods). The percentage of methods modeled in the editor is updated.
|
||||
#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
|
||||
|
||||
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. For more information, see "`Using CodeQL model packs with code scanning <#using-codeql-model-packs-with-code-scanning>`__".
|
||||
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
|
||||
|
||||
The models are stored in a series of YAML data extension files, one for each external API. For example:
|
||||
|
||||
@@ -116,7 +101,7 @@ You typically use this method when you want to model a framework or library that
|
||||
#. Define the **Kind** of dataflow for the model.
|
||||
#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
|
||||
|
||||
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. For more information, see "`Using CodeQL model packs with code scanning <#using-codeql-model-packs-with-code-scanning>`__".
|
||||
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
|
||||
|
||||
The models are stored in a series of YAML data extension files, one for each public method. For example:
|
||||
|
||||
@@ -129,19 +114,10 @@ The models are stored in a series of YAML data extension files, one for each pub
|
||||
|
||||
The editor will create a separate model file for each package that you model.
|
||||
|
||||
Modeling methods with multiple potential flows
|
||||
----------------------------------------------
|
||||
Testing CodeQL model packs
|
||||
--------------------------
|
||||
|
||||
Some methods support more than one data flow. It is important to model all the data flows for a method, otherwise you cannot detect all the potential problems associated with using the method. First you model one data flow for the method, and then use the **+** button in the method row to specify a second data flow model.
|
||||
|
||||
.. image:: ../images/codeql-for-visual-studio-code/model-dependency-mode-plus.png
|
||||
:width: 800
|
||||
:alt: Screenshot of the "Dependency mode" view of the CodeQL model pack editor in Visual Studio Code showing one model for the ``com.alipay.sofa.jraft.option.BallotBoxOptions.getClosureQueue()`` method. The "+" button is outlined in dark orange. Click this button to create a second model for the method.
|
||||
|
||||
Testing CodeQL model packs in VS Code
|
||||
-------------------------------------
|
||||
|
||||
You can test any CodeQL model packs you create in VS Code by turning the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
|
||||
You can test any CodeQL model packs you create in VS Code by toggling the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
|
||||
|
||||
- To run queries on a CodeQL database with any model packs that are stored within the ``.github/codeql/extensions`` directory of the workspace, update your ``settings.json`` file with: ``"codeQL.runningQueries.useExtensionPacks": "all",``
|
||||
- To run queries on a CodeQL database without using model packs, update your ``settings.json`` file with: ``"codeQL.runningQueries.useExtensionPacks": "none",``
|
||||
@@ -160,4 +136,4 @@ For more information, see the following articles on the GitHub Docs site:
|
||||
|
||||
- Default setup of code scanning: `Extending CodeQL coverage with CodeQL model packs in default setup <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup>`__
|
||||
- Advanced setup of code scanning: `Extending CodeQL coverage with CodeQL model packs <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs>`__
|
||||
- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#using-model-packs-to-analyze-calls-to-custom-dependencies>`__
|
||||
- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#using-model-packs-to-analyze-calls-to-custom-dependencies>`__
|
||||
|
||||
@@ -54,14 +54,14 @@ Data extensions use union semantics, which means that the tuples of all extensio
|
||||
Publish data extension files in a CodeQL model pack to share
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
You can group one or more data extension files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see `Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
|
||||
You can group one or more data extention files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see "`Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack/>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
|
||||
|
||||
Extensible predicates used to create custom models in Java and Kotlin
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The CodeQL library for Java and Kotlin analysis exposes the following extensible predicates:
|
||||
|
||||
- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data. The ``kind`` of the sources defined using this predicate determine which threat model they are associated with. Different threat models can be used to customize the sources used in an analysis. For more information, see ":ref:`Threat models <threat-models>`."
|
||||
- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data.
|
||||
- ``sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)``. This is used to model sinks where tainted data maybe used in a way that makes the code vulnerable.
|
||||
- ``summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)``. This is used to model flow through elements.
|
||||
- ``neutralModel(package, type, name, signature, kind, provenance)``. This is similar to a summary model but used to model the flow of values that have only a minor impact on the dataflow analysis.
|
||||
@@ -151,7 +151,7 @@ The sixth value should be left empty and is out of scope for this documentation.
|
||||
The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the source.
|
||||
|
||||
- The seventh value ``ReturnValue`` is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
|
||||
- The eighth value ``remote`` is the kind of the source. The source kind is used to define the threat model where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources. For more information, see ":ref:`Threat models <threat-models>`."
|
||||
- The eighth value ``remote`` is the kind of the source. The source kind is used to define the queries where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources.
|
||||
- The ninth value ``manual`` is the provenance of the source, which is used to identify the origin of the source.
|
||||
|
||||
Example: Add flow through the ``concat`` method
|
||||
@@ -291,19 +291,3 @@ The first four values identify the callable (in this case a method) to be modele
|
||||
- The fourth value ``()`` is the method input type signature.
|
||||
- The fifth value ``summary`` is the kind of the neutral.
|
||||
- The sixth value ``manual`` is the provenance of the neutral.
|
||||
|
||||
.. _threat-models:
|
||||
|
||||
Threat models
|
||||
-------------
|
||||
|
||||
.. include:: ../reusables/beta-note-threat-models-java.rst
|
||||
|
||||
A threat model is a named class of dataflow sources that can be enabled or disabled independently. Threat models allow you to control the set of dataflow sources that you want to consider unsafe. For example, one codebase may only consider remote HTTP requests to be tainted, whereas another may also consider data from local files to be unsafe. You can use threat models to ensure that the relevant taint sources are used in a CodeQL analysis.
|
||||
|
||||
The ``kind`` property of the ``sourceModel`` determines which threat model a source is associated with. There are two main categories:
|
||||
|
||||
- ``remote`` which represents requests and responses from the network.
|
||||
- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), and environment variables(``environment``).
|
||||
|
||||
When running a CodeQL analysis, the ``remote`` threat model is included by default. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries <https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>`__ and `Customizing your advanced setup for code scanning <https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 100 KiB After Width: | Height: | Size: 149 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 509 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 135 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 210 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 75 KiB After Width: | Height: | Size: 99 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 116 KiB After Width: | Height: | Size: 74 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 74 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 83 KiB After Width: | Height: | Size: 88 KiB |
@@ -1,5 +0,0 @@
|
||||
.. pull-quote::
|
||||
|
||||
Note
|
||||
|
||||
Threat models are currently in beta and subject to change. During the beta, threat models are supported only by Java analysis.
|
||||
@@ -4,40 +4,39 @@
|
||||
:stub-columns: 1
|
||||
|
||||
Language,Variants,Compilers,Extensions
|
||||
C/C++,"C89, C99, C11, C17, C++98, C++03, C++11, C++14, C++17, C++20 [1]_ [2]_","Clang (including clang-cl [3]_ and armclang) extensions (up to Clang 12.0),
|
||||
C/C++,"C89, C99, C11, C17, C++98, C++03, C++11, C++14, C++17, C++20 [1]_","Clang (including clang-cl [2]_ and armclang) extensions (up to Clang 12.0),
|
||||
|
||||
GNU extensions (up to GCC 11.1),
|
||||
|
||||
Microsoft extensions (up to VS 2019),
|
||||
|
||||
Arm Compiler 5 [4]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
|
||||
Arm Compiler 5 [3]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
|
||||
C#,C# up to 11,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
|
||||
|
||||
.NET Core up to 3.1
|
||||
|
||||
.NET 5, .NET 6, .NET 7","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
|
||||
Go (aka Golang), "Go up to 1.21", "Go 1.11 or more recent", ``.go``
|
||||
Java,"Java 7 to 20 [5]_","javac (OpenJDK and Oracle JDK),
|
||||
Java,"Java 7 to 20 [4]_","javac (OpenJDK and Oracle JDK),
|
||||
|
||||
Eclipse compiler for Java (ECJ) [6]_",``.java``
|
||||
Kotlin [7]_,"Kotlin 1.5.0 to 1.9.20","kotlinc",``.kt``
|
||||
JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [8]_"
|
||||
Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12",Not applicable,``.py``
|
||||
Ruby [10]_,"up to 3.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
|
||||
Swift [11]_,"Swift 5.4-5.9.1","Swift compiler","``.swift``"
|
||||
TypeScript [12]_,"2.6-5.3",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
|
||||
Eclipse compiler for Java (ECJ) [5]_",``.java``
|
||||
Kotlin [6]_,"Kotlin 1.5.0 to 1.9.20","kotlinc",``.kt``
|
||||
JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [7]_"
|
||||
Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12",Not applicable,``.py``
|
||||
Ruby [9]_,"up to 3.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
|
||||
Swift [10]_,"Swift 5.4-5.9.1","Swift compiler","``.swift``"
|
||||
TypeScript [11]_,"2.6-5.3",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
|
||||
|
||||
.. container:: footnote-group
|
||||
|
||||
.. [1] C++20 support is currently in beta. Supported for GCC on Linux only. Modules are *not* supported.
|
||||
.. [2] Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported.
|
||||
.. [3] Support for the clang-cl compiler is preliminary.
|
||||
.. [4] Support for the Arm Compiler (armcc) is preliminary.
|
||||
.. [5] Builds that execute on Java 7 to 20 can be analyzed. The analysis understands Java 20 standard language features.
|
||||
.. [6] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
|
||||
.. [7] Kotlin support is currently in beta.
|
||||
.. [8] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
|
||||
.. [9] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
|
||||
.. [10] Requires glibc 2.17.
|
||||
.. [11] Swift support is currently in beta. Support for the analysis of Swift 5.4-5.8.1 requires macOS or Linux.
|
||||
.. [12] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
|
||||
.. [2] Support for the clang-cl compiler is preliminary.
|
||||
.. [3] Support for the Arm Compiler (armcc) is preliminary.
|
||||
.. [4] Builds that execute on Java 7 to 20 can be analyzed. The analysis understands Java 20 standard language features.
|
||||
.. [5] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
|
||||
.. [6] Kotlin support is currently in beta.
|
||||
.. [7] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
|
||||
.. [8] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
|
||||
.. [9] Requires glibc 2.17.
|
||||
.. [10] Swift support is currently in beta. Support for the analysis of Swift 5.4-5.8.1 requires macOS or Linux.
|
||||
.. [11] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.0.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.0.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.0.4
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.0.4
|
||||
lastReleaseVersion: 0.0.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql-go-consistency-queries
|
||||
version: 0.0.4
|
||||
version: 0.0.3
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.7.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.7.4
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.7.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.7.5
|
||||
lastReleaseVersion: 0.7.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 0.7.5
|
||||
version: 0.7.4
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.7.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.7.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.7.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.7.5
|
||||
lastReleaseVersion: 0.7.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 0.7.5
|
||||
version: 0.7.4
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.0.10
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.0.9
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.0.10
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.0.10
|
||||
lastReleaseVersion: 0.0.9
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-automodel-queries
|
||||
version: 0.0.10
|
||||
version: 0.0.9
|
||||
groups:
|
||||
- java
|
||||
- automodel
|
||||
|
||||
@@ -1,12 +1,7 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.8.4
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The diagnostic query `java/diagnostics/successfully-extracted-files`, and therefore the Code Scanning UI measure of scanned Java files, now considers any Java file seen during extraction, even one with some errors, to be extracted / scanned.
|
||||
* Switch cases using binding patterns and `case null[, default]` are now supported. Classes `PatternCase` and `NullDefaultCase` are introduced to represent new kinds of case statement.
|
||||
* Both switch cases and instanceof expressions using record patterns are now supported. The new class `RecordPatternExpr` is introduced to represent record patterns, and `InstanceOfExpr` gains `getPattern` to replace `getLocalVariableDeclExpr`.
|
||||
* The control-flow graph and therefore dominance information regarding switch blocks in statement context but with an expression rule (e.g. `switch(...) { case 1 -> System.out.println("Hello world!") }`) has been fixed. This reduces false positives and negatives from various queries relating to functions featuring such statements.
|
||||
|
||||
@@ -2,7 +2,6 @@
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The diagnostic query `java/diagnostics/successfully-extracted-files`, and therefore the Code Scanning UI measure of scanned Java files, now considers any Java file seen during extraction, even one with some errors, to be extracted / scanned.
|
||||
* Switch cases using binding patterns and `case null[, default]` are now supported. Classes `PatternCase` and `NullDefaultCase` are introduced to represent new kinds of case statement.
|
||||
* Both switch cases and instanceof expressions using record patterns are now supported. The new class `RecordPatternExpr` is introduced to represent record patterns, and `InstanceOfExpr` gains `getPattern` to replace `getLocalVariableDeclExpr`.
|
||||
* The control-flow graph and therefore dominance information regarding switch blocks in statement context but with an expression rule (e.g. `switch(...) { case 1 -> System.out.println("Hello world!") }`) has been fixed. This reduces false positives and negatives from various queries relating to functions featuring such statements.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.5
|
||||
lastReleaseVersion: 0.8.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 0.8.5
|
||||
version: 0.8.4
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.8.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -79,16 +79,12 @@ predicate reportableErrors(Diagnostic d, string msg, int sev) {
|
||||
*/
|
||||
predicate reportableWarnings(Diagnostic d, string msg, int sev) { knownWarnings(d, msg, sev) }
|
||||
|
||||
/**
|
||||
* Holds if compilation unit `f` is a source file.
|
||||
*/
|
||||
predicate extracted(CompilationUnit f) { exists(f.getRelativePath()) and f.fromSource() }
|
||||
|
||||
/**
|
||||
* Holds if compilation unit `f` is a source file that has
|
||||
* no relevant extraction diagnostics associated with it.
|
||||
*/
|
||||
predicate successfullyExtracted(CompilationUnit f) {
|
||||
extracted(f) and
|
||||
not exists(Diagnostic d | reportableDiagnostics(d, _, _) and d.getLocation().getFile() = f)
|
||||
not exists(Diagnostic d | reportableDiagnostics(d, _, _) and d.getLocation().getFile() = f) and
|
||||
exists(f.getRelativePath()) and
|
||||
f.fromSource()
|
||||
}
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/**
|
||||
* @name Extracted files
|
||||
* @name Successfully extracted files
|
||||
* @description A list of all files in the source code directory that
|
||||
* were extracted.
|
||||
* were extracted without encountering an error in the file.
|
||||
* @kind diagnostic
|
||||
* @id java/diagnostics/successfully-extracted-files
|
||||
* @tags successfully-extracted-files
|
||||
@@ -11,5 +11,5 @@ import java
|
||||
import DiagnosticsReporting
|
||||
|
||||
from CompilationUnit f
|
||||
where extracted(f)
|
||||
where successfullyExtracted(f)
|
||||
select f, ""
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.5
|
||||
lastReleaseVersion: 0.8.4
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
* @id java/file-path-injection
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-073
|
||||
* external/cwe-073
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
* @id java/unsafe-url-forward-dispatch-load
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-552
|
||||
* external/cwe-552
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -8,8 +8,8 @@
|
||||
* @id java/permissive-dot-regex
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-625
|
||||
* external/cwe/cwe-863
|
||||
* external/cwe-625
|
||||
* external/cwe-863
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 0.8.5
|
||||
version: 0.8.4
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
@@ -192,7 +192,7 @@ export function augmentAst(ast: AugmentedSourceFile, code: string, project: Proj
|
||||
}
|
||||
|
||||
if (typeChecker != null) {
|
||||
if (isTypedNode(node) && !typeTable.skipExtractingTypes) {
|
||||
if (isTypedNode(node)) {
|
||||
let contextualType = isContextuallyTypedNode(node)
|
||||
? typeChecker.getContextualType(node)
|
||||
: null;
|
||||
|
||||
@@ -554,7 +554,7 @@ function handleOpenProjectCommand(command: OpenProjectCommand) {
|
||||
let program = project.program;
|
||||
let typeChecker = program.getTypeChecker();
|
||||
|
||||
let shouldReportDiagnostics = getEnvironmentVariable("SEMMLE_TYPESCRIPT_REPORT_DIAGNOSTICS", v => v.trim().toLowerCase() === "true", false);
|
||||
let shouldReportDiagnostics = getEnvironmentVariable("SEMMLE_TYPESCRIPT_REPORT_DIAGNOSTICS", Boolean, false);
|
||||
let diagnostics = shouldReportDiagnostics
|
||||
? program.getSemanticDiagnostics().filter(d => d.category === ts.DiagnosticCategory.Error)
|
||||
: [];
|
||||
@@ -807,8 +807,7 @@ function handleGetMetadataCommand(command: GetMetadataCommand) {
|
||||
|
||||
function reset() {
|
||||
state = new State();
|
||||
state.typeTable.restrictedExpansion = getEnvironmentVariable("SEMMLE_TYPESCRIPT_NO_EXPANSION", v => v.trim().toLowerCase() === "true", true);
|
||||
state.typeTable.skipExtractingTypes = getEnvironmentVariable("CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES", v => v.trim().toLowerCase() === "true", false);
|
||||
state.typeTable.restrictedExpansion = getEnvironmentVariable("SEMMLE_TYPESCRIPT_NO_EXPANSION", Boolean, true);
|
||||
}
|
||||
|
||||
function getEnvironmentVariable<T>(name: string, parse: (x: string) => T, defaultValue: T) {
|
||||
@@ -887,7 +886,6 @@ if (process.argv.length > 2) {
|
||||
if (argument === "--version") {
|
||||
console.log("parser-wrapper with TypeScript " + ts.version);
|
||||
} else if (pathlib.basename(argument) === "tsconfig.json") {
|
||||
reset();
|
||||
handleOpenProjectCommand({
|
||||
command: "open-project",
|
||||
tsConfig: argument,
|
||||
@@ -897,7 +895,7 @@ if (process.argv.length > 2) {
|
||||
virtualSourceRoot: null,
|
||||
});
|
||||
for (let sf of state.project.program.getSourceFiles()) {
|
||||
if (/lib\..*\.d\.ts/.test(pathlib.basename(sf.fileName)) || pathlib.basename(sf.fileName) === "lib.d.ts") continue;
|
||||
if (pathlib.basename(sf.fileName) === "lib.d.ts") continue;
|
||||
handleParseCommand({
|
||||
command: "parse",
|
||||
filename: sf.fileName,
|
||||
|
||||
@@ -383,11 +383,6 @@ export class TypeTable {
|
||||
*/
|
||||
public restrictedExpansion = false;
|
||||
|
||||
/**
|
||||
* If set to true, skip extracting types.
|
||||
*/
|
||||
public skipExtractingTypes = false;
|
||||
|
||||
private virtualSourceRoot: VirtualSourceRoot;
|
||||
|
||||
/**
|
||||
@@ -1245,15 +1240,8 @@ export class TypeTable {
|
||||
let indexOnStack = stack.length;
|
||||
stack.push(id);
|
||||
|
||||
/** Indicates if a type contains no type variables, is a type variable, or strictly contains type variables. */
|
||||
const enum TypeVarDepth {
|
||||
noTypeVar = 0,
|
||||
isTypeVar = 1,
|
||||
containsTypeVar = 2,
|
||||
}
|
||||
|
||||
for (let symbol of type.getProperties()) {
|
||||
let propertyType = typeTable.tryGetTypeOfSymbol(symbol);
|
||||
let propertyType = this.tryGetTypeOfSymbol(symbol);
|
||||
if (propertyType == null) continue;
|
||||
traverseType(propertyType);
|
||||
}
|
||||
@@ -1279,6 +1267,13 @@ export class TypeTable {
|
||||
|
||||
return lowlinkTable.get(id);
|
||||
|
||||
/** Indicates if a type contains no type variables, is a type variable, or strictly contains type variables. */
|
||||
const enum TypeVarDepth {
|
||||
noTypeVar = 0,
|
||||
isTypeVar = 1,
|
||||
containsTypeVar = 2,
|
||||
}
|
||||
|
||||
function traverseType(type: ts.Type): TypeVarDepth {
|
||||
if (isTypeVariable(type)) return TypeVarDepth.isTypeVar;
|
||||
let depth = TypeVarDepth.noTypeVar;
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.8.4
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.5
|
||||
lastReleaseVersion: 0.8.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-all
|
||||
version: 0.8.5
|
||||
version: 0.8.4
|
||||
groups: javascript
|
||||
dbscheme: semmlecode.javascript.dbscheme
|
||||
extractor: javascript
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.8.4
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* @name Creating biased random numbers from a cryptographically secure source
|
||||
* @name Creating biased random numbers from a cryptographically secure source.
|
||||
* @description Some mathematical operations on random numbers can cause bias in
|
||||
* the results and compromise security.
|
||||
* @kind problem
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.8.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.5
|
||||
lastReleaseVersion: 0.8.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-queries
|
||||
version: 0.8.5
|
||||
version: 0.8.4
|
||||
groups:
|
||||
- javascript
|
||||
- queries
|
||||
|
||||
@@ -5,12 +5,8 @@ if (CREATE_COMPILATION_DATABASE_LINK)
|
||||
set(CMAKE_EXPORT_COMPILE_COMMANDS 1)
|
||||
endif ()
|
||||
|
||||
if (NOT DEFINED BAZEL_BIN)
|
||||
set(BAZEL_BIN "bazelisk")
|
||||
endif ()
|
||||
|
||||
macro(bazel)
|
||||
execute_process(COMMAND ${BAZEL_BIN} ${ARGN}
|
||||
execute_process(COMMAND bazel ${ARGN}
|
||||
COMMAND_ERROR_IS_FATAL ANY
|
||||
OUTPUT_STRIP_TRAILING_WHITESPACE
|
||||
WORKING_DIRECTORY ${PROJECT_SOURCE_DIR})
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.7.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.7.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.7.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.7.5
|
||||
lastReleaseVersion: 0.7.4
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
name: codeql/suite-helpers
|
||||
version: 0.7.5
|
||||
version: 0.7.4
|
||||
groups: shared
|
||||
warnOnImplicitThis: true
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user