Compare commits
31 Commits
codeql-cli
...
rb/modgen-
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
2edbfa0f67 | ||
|
|
9c8ccacd96 | ||
|
|
95bf9fdf1a | ||
|
|
cd7077d74e | ||
|
|
68c62e17bd | ||
|
|
ba8a853751 | ||
|
|
3b95d247ec | ||
|
|
1ef406ce45 | ||
|
|
87202e3f33 | ||
|
|
39f1f7fe9b | ||
|
|
af0874abf1 | ||
|
|
2a8af6d552 | ||
|
|
088aad5de2 | ||
|
|
58c8ae641b | ||
|
|
99cb3e4dc9 | ||
|
|
75ef34355e | ||
|
|
a4799c3b16 | ||
|
|
8e9eea22c0 | ||
|
|
2bf0d926a4 | ||
|
|
669e41347c | ||
|
|
14c88874d2 | ||
|
|
7fed75637e | ||
|
|
2e2df29416 | ||
|
|
f3ffb93b40 | ||
|
|
3074756a1b | ||
|
|
91659ff76d | ||
|
|
e819336b9f | ||
|
|
6b12c8cb3b | ||
|
|
6fa63f13f7 | ||
|
|
182893c756 | ||
|
|
9504f45c87 |
8
.bazelrc
8
.bazelrc
@@ -1,12 +1,4 @@
|
|||||||
common --enable_platform_specific_config
|
common --enable_platform_specific_config
|
||||||
common --enable_bzlmod
|
|
||||||
# because we use --override_module with `%workspace%`, the lock file is not stable
|
|
||||||
common --lockfile_mode=off
|
|
||||||
|
|
||||||
# when building from this repository in isolation, the internal repository will not be found at ..
|
|
||||||
# where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so
|
|
||||||
# that we can build things that do not rely on that
|
|
||||||
common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
|
|
||||||
|
|
||||||
build --repo_env=CC=clang --repo_env=CXX=clang++
|
build --repo_env=CC=clang --repo_env=CXX=clang++
|
||||||
|
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
7.0.2
|
6.3.1
|
||||||
|
|||||||
@@ -1 +0,0 @@
|
|||||||
DisableFormat: true
|
|
||||||
7
.gitattributes
vendored
7
.gitattributes
vendored
@@ -71,10 +71,3 @@ go/extractor/opencsv/CSVReader.java -text
|
|||||||
# `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
|
# `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
|
||||||
javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
|
javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
|
||||||
javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
|
javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
|
||||||
|
|
||||||
# Auto-generated modeling for Python
|
|
||||||
python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
|
|
||||||
|
|
||||||
# auto-generated bazel lock file
|
|
||||||
ruby/extractor/cargo-bazel-lock.json linguist-generated=true
|
|
||||||
ruby/extractor/cargo-bazel-lock.json -merge
|
|
||||||
|
|||||||
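Review bot: The new side no longer marks `ruby/extractor/cargo-bazel-lock.json` with `-merge`, so on a conflicting merge git performs an ordinary line-level three-way merge of the generated lock file instead of leaving it conflicted for regeneration, and an inconsistently merged lock is hard to notice in review. Dropping `linguist-generated=true` for the same file and for `python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml` also means those generated files are shown expanded in pull-request diffs. If the lock file still exists on this branch, I would keep `ruby/extractor/cargo-bazel-lock.json linguist-generated=true` and `ruby/extractor/cargo-bazel-lock.json -merge`; if it was removed with the extractor, a short comment above the remaining `autogenerated` entries saying so would help the next reader.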
23
.github/dependabot.yml
vendored
23
.github/dependabot.yml
vendored
@@ -17,26 +17,3 @@ updates:
|
|||||||
ignore:
|
ignore:
|
||||||
- dependency-name: '*'
|
- dependency-name: '*'
|
||||||
update-types: ['version-update:semver-patch', 'version-update:semver-minor']
|
update-types: ['version-update:semver-patch', 'version-update:semver-minor']
|
||||||
|
|
||||||
- package-ecosystem: "gomod"
|
|
||||||
directory: "go/extractor"
|
|
||||||
schedule:
|
|
||||||
interval: "daily"
|
|
||||||
allow:
|
|
||||||
- dependency-name: "golang.org/x/mod"
|
|
||||||
- dependency-name: "golang.org/x/tools"
|
|
||||||
groups:
|
|
||||||
extractor-dependencies:
|
|
||||||
patterns:
|
|
||||||
- "golang.org/x/*"
|
|
||||||
reviewers:
|
|
||||||
- "github/codeql-go"
|
|
||||||
|
|
||||||
- package-ecosystem: "gomod"
|
|
||||||
directory: "go/ql/test"
|
|
||||||
schedule:
|
|
||||||
interval: "monthly"
|
|
||||||
ignore:
|
|
||||||
- dependency-name: "*"
|
|
||||||
reviewers:
|
|
||||||
- "github/codeql-go"
|
|
||||||
|
|||||||
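Review bot: The new side has no `gomod` entries, so Dependabot stops proposing version updates for `go/extractor` (which the other side limited to `golang.org/x/mod` and `golang.org/x/tools`) and for `go/ql/test`; if those Go modules still exist on this branch, their dependencies are now updated only by hand, which is how known-vulnerable module versions tend to linger. If the removal is deliberate because the directories are gone, a one-line comment above the remaining `ignore:` block stating that would stop the next reader from re-adding them. Otherwise I would restore at least the `go/extractor` entry with its `allow:` list.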
2
.github/labeler.yml
vendored
2
.github/labeler.yml
vendored
@@ -20,7 +20,7 @@ JS:
|
|||||||
|
|
||||||
Kotlin:
|
Kotlin:
|
||||||
- java/kotlin-extractor/**/*
|
- java/kotlin-extractor/**/*
|
||||||
- java/ql/test-kotlin*/**/*
|
- java/ql/test/kotlin/**/*
|
||||||
|
|
||||||
Python:
|
Python:
|
||||||
- python/**/*
|
- python/**/*
|
||||||
|
|||||||
35
.github/workflows/check-change-note.yml
vendored
35
.github/workflows/check-change-note.yml
vendored
@@ -1,8 +1,5 @@
|
|||||||
name: Check change note
|
name: Check change note
|
||||||
|
|
||||||
permissions:
|
|
||||||
pull-requests: read
|
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request_target:
|
pull_request_target:
|
||||||
types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
|
types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
|
||||||
@@ -12,42 +9,26 @@ on:
|
|||||||
- "*/ql/lib/**/*.ql"
|
- "*/ql/lib/**/*.ql"
|
||||||
- "*/ql/lib/**/*.qll"
|
- "*/ql/lib/**/*.qll"
|
||||||
- "*/ql/lib/**/*.yml"
|
- "*/ql/lib/**/*.yml"
|
||||||
- "shared/**/*.ql"
|
|
||||||
- "shared/**/*.qll"
|
|
||||||
- "!**/experimental/**"
|
- "!**/experimental/**"
|
||||||
- "!ql/**"
|
- "!ql/**"
|
||||||
- ".github/workflows/check-change-note.yml"
|
- ".github/workflows/check-change-note.yml"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check-change-note:
|
check-change-note:
|
||||||
env:
|
|
||||||
REPO: ${{ github.repository }}
|
|
||||||
PULL_REQUEST_NUMBER: ${{ github.event.number }}
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
|
||||||
- name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
|
- name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
|
||||||
if: |
|
if: |
|
||||||
github.event.pull_request.draft == false &&
|
github.event.pull_request.draft == false &&
|
||||||
!contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
|
!contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
|
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
|
||||||
|
grep true -c
|
||||||
if [ -z "$change_note_files" ]; then
|
|
||||||
echo "No change note found. Either add one, or add the 'no-change-note-required' label."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Change notes found:"
|
|
||||||
echo "$change_note_files"
|
|
||||||
|
|
||||||
- name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
|
- name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
bad_change_note_file_names=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))][] | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')
|
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
|
||||||
|
grep true -c
|
||||||
if [ -n "$bad_change_note_file_names" ]; then
|
|
||||||
echo "The following change note file names are invalid:"
|
|
||||||
echo "$bad_change_note_file_names"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|||||||
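Review bot: The second step on the new side pipes `gh api … --paginate --jq '[…] | all(…)' | grep true -c`, and as I read gh's pagination the `--jq` filter is applied to each page separately, so a PR whose file list spans several pages prints one `true`/`false` per page and `grep true -c` succeeds as soon as any page is clean — an invalid change-note name on another page is not caught (the first step's `any(…)` is unaffected, since a single `true` is the right answer there). A page-independent form is to print the offending names and fail on non-empty output: `bad=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$")) | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')` followed by `[ -z "$bad" ] || { echo "$bad"; exit 1; }`, with `REPO` and `PULL_REQUEST_NUMBER` supplied through `env:`. Both steps also write `${{github.repository}}` and `${{github.event.number}}` straight into the shell script; those two values are not attacker-controlled, but keeping `run:` free of expression interpolation is what stops the pattern from later being copied for a string field such as the PR title on a `pull_request_target` trigger. Separately, the top-level `permissions: pull-requests: read` is removed here and likewise in check-implicit-this, check-qldoc, check-query-ids, close-stale, compile-queries, csharp-qltest, csv-coverage-metrics, csv-coverage-pr-artifacts (and its two unlabelled `workflow_run`/`workflow_dispatch` hunks), csv-coverage-update, csv-coverage, go-tests-other-os, go-tests, mad_regenerate-models, ql-for-ql-build and ql-for-ql-tests, so each of those jobs now runs with the repository's default `GITHUB_TOKEN` scope instead of the least privilege it declared; restoring an explicit `permissions:` block per workflow is the fix I would ask for across the set.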
3
.github/workflows/check-implicit-this.yml
vendored
3
.github/workflows/check-implicit-this.yml
vendored
@@ -9,9 +9,6 @@ on:
|
|||||||
- main
|
- main
|
||||||
- "rc/*"
|
- "rc/*"
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check:
|
check:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
3
.github/workflows/check-qldoc.yml
vendored
3
.github/workflows/check-qldoc.yml
vendored
@@ -10,9 +10,6 @@ on:
|
|||||||
- main
|
- main
|
||||||
- "rc/*"
|
- "rc/*"
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
qldoc:
|
qldoc:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
3
.github/workflows/check-query-ids.yml
vendored
3
.github/workflows/check-query-ids.yml
vendored
@@ -11,9 +11,6 @@ on:
|
|||||||
- "rc/*"
|
- "rc/*"
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check:
|
check:
|
||||||
name: Check query IDs
|
name: Check query IDs
|
||||||
|
|||||||
5
.github/workflows/close-stale.yml
vendored
5
.github/workflows/close-stale.yml
vendored
@@ -5,9 +5,6 @@ on:
|
|||||||
schedule:
|
schedule:
|
||||||
- cron: "30 1 * * *"
|
- cron: "30 1 * * *"
|
||||||
|
|
||||||
permissions:
|
|
||||||
issues: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
stale:
|
stale:
|
||||||
if: github.repository == 'github/codeql'
|
if: github.repository == 'github/codeql'
|
||||||
@@ -15,7 +12,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/stale@v9
|
- uses: actions/stale@v8
|
||||||
with:
|
with:
|
||||||
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
|
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
|
||||||
|
|||||||
4
.github/workflows/codeql-analysis.yml
vendored
4
.github/workflows/codeql-analysis.yml
vendored
@@ -28,9 +28,9 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v4
|
uses: actions/setup-dotnet@v3
|
||||||
with:
|
with:
|
||||||
dotnet-version: 8.0.101
|
dotnet-version: 7.0.102
|
||||||
|
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|||||||
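Review bot: The new side pins `dotnet-version: 7.0.102`, a .NET 7 SDK; .NET 7 left support in May 2024, so the toolchain this job installs no longer receives security fixes, and `actions/setup-dotnet@v3` is likewise a superseded major. csharp-qltest.yml's `unit-tests` job carries the same pair (`7.0.102` and `-p:RuntimeFrameworkVersion=7.0.2`). If this branch has to stay on .NET 7 for the extractor, a comment beside `dotnet-version:` saying why would keep the next reader from treating it as drift; otherwise the supported line is the one the other side used. Independently, every `uses:` in the hunk references a mutable tag; pinning actions to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening and applies equally to `actions/checkout@v4`.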
10
.github/workflows/compile-queries.yml
vendored
10
.github/workflows/compile-queries.yml
vendored
@@ -8,12 +8,8 @@ on:
|
|||||||
- "codeql-cli-*"
|
- "codeql-cli-*"
|
||||||
pull_request:
|
pull_request:
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
compile-queries:
|
compile-queries:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
@@ -28,14 +24,14 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
key: all-queries
|
key: all-queries
|
||||||
- name: check formatting
|
- name: check formatting
|
||||||
run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
|
run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
|
||||||
- name: compile queries - check-only
|
- name: compile queries - check-only
|
||||||
# run with --check-only if running in a PR (github.sha != main)
|
# run with --check-only if running in a PR (github.sha != main)
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
if : ${{ github.event_name == 'pull_request' }}
|
||||||
shell: bash
|
shell: bash
|
||||||
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
|
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||||
- name: compile queries - full
|
- name: compile queries - full
|
||||||
# do full compile if running on main - this populates the cache
|
# do full compile if running on main - this populates the cache
|
||||||
if : ${{ github.event_name != 'pull_request' }}
|
if : ${{ github.event_name != 'pull_request' }}
|
||||||
shell: bash
|
shell: bash
|
||||||
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
|
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||||
|
|||||||
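Review bot: The `compile-queries` job on the new side runs on `ubuntu-latest-xl` without the `if: github.repository_owner == 'github'` guard, and as far as I can tell that larger-runner label is organization-specific, so on a fork the job cannot start rather than being skipped; the same guard is dropped for csharp-qltest.yml (`qltest`), go-tests-other-os.yml (`test-win`), go-tests.yml (`test-linux`) and ql-for-ql-build.yml (`analyze`). The one-line guard is the simplest fix, e.g. `if: github.repository_owner == 'github'` directly under the job name. The formatting check also shrinks from `find shared */ql …` to `find */ql …`, so if a `shared` directory still exists on this branch its `.ql`/`.qll` files can drift out of format unnoticed.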
24
.github/workflows/csharp-qltest.yml
vendored
24
.github/workflows/csharp-qltest.yml
vendored
@@ -25,9 +25,6 @@ defaults:
|
|||||||
run:
|
run:
|
||||||
working-directory: csharp
|
working-directory: csharp
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
qlupgrade:
|
qlupgrade:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
@@ -49,7 +46,6 @@ jobs:
|
|||||||
xargs codeql execute upgrades testdb
|
xargs codeql execute upgrades testdb
|
||||||
diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
|
diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
|
||||||
qltest:
|
qltest:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
@@ -69,23 +65,19 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
unit-tests:
|
unit-tests:
|
||||||
strategy:
|
runs-on: ubuntu-latest
|
||||||
matrix:
|
|
||||||
os: [ubuntu-latest, windows-2019]
|
|
||||||
runs-on: ${{ matrix.os }}
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v4
|
uses: actions/setup-dotnet@v3
|
||||||
with:
|
with:
|
||||||
dotnet-version: 8.0.101
|
dotnet-version: 7.0.102
|
||||||
- name: Extractor unit tests
|
- name: Extractor unit tests
|
||||||
run: |
|
run: |
|
||||||
dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Util.Tests
|
dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Util.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Extraction.Tests
|
dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Extraction.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=8.0.1 autobuilder/Semmle.Autobuild.CSharp.Tests
|
dotnet test -p:RuntimeFrameworkVersion=7.0.2 autobuilder/Semmle.Autobuild.CSharp.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=8.0.1 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
|
dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
|
||||||
shell: bash
|
|
||||||
stubgentest:
|
stubgentest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
@@ -95,7 +87,7 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
# Generate (Asp)NetCore stubs
|
# Generate (Asp)NetCore stubs
|
||||||
STUBS_PATH=stubs_output
|
STUBS_PATH=stubs_output
|
||||||
python3 scripts/stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
|
python3 ql/src/Stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger latest "$STUBS_PATH"
|
||||||
rm -rf ql/test/resources/stubs/_frameworks
|
rm -rf ql/test/resources/stubs/_frameworks
|
||||||
# Update existing stubs in the repo with the freshly generated ones
|
# Update existing stubs in the repo with the freshly generated ones
|
||||||
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
||||||
|
|||||||
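Review bot: The `stubgentest` step on the new side requests `Swashbuckle.AspNetCore.Swagger latest`, so every run resolves whatever version NuGet currently serves instead of the reviewed `6.5.0`; a stub generator that downloads an unpinned package is both non-reproducible and an easy point for a newly published broken or malicious release to enter the test inputs. I would pin an explicit version, `python3 ql/src/Stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"`, and bump it deliberately. The `unit-tests` job also loses its OS matrix, so the extractor tests no longer run on `windows-2019` on this branch; if that is intended, a comment on the job would save the next reader from re-adding it.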
4
.github/workflows/csv-coverage-metrics.yml
vendored
4
.github/workflows/csv-coverage-metrics.yml
vendored
@@ -14,10 +14,6 @@ on:
|
|||||||
- ".github/workflows/csv-coverage-metrics.yml"
|
- ".github/workflows/csv-coverage-metrics.yml"
|
||||||
- ".github/actions/fetch-codeql/action.yml"
|
- ".github/actions/fetch-codeql/action.yml"
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
security-events: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
publish-java:
|
publish-java:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
29
.github/workflows/csv-coverage-pr-artifacts.yml
vendored
29
.github/workflows/csv-coverage-pr-artifacts.yml
vendored
@@ -19,10 +19,6 @@ on:
|
|||||||
- main
|
- main
|
||||||
- "rc/*"
|
- "rc/*"
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
pull-requests: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
generate:
|
generate:
|
||||||
name: Generate framework coverage artifacts
|
name: Generate framework coverage artifacts
|
||||||
@@ -93,32 +89,9 @@ jobs:
|
|||||||
- name: Save PR number
|
- name: Save PR number
|
||||||
run: |
|
run: |
|
||||||
mkdir -p pr
|
mkdir -p pr
|
||||||
echo ${PR_NUMBER} > pr/NR
|
echo ${{ github.event.pull_request.number }} > pr/NR
|
||||||
env:
|
|
||||||
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
||||||
- name: Upload PR number
|
- name: Upload PR number
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: pr
|
name: pr
|
||||||
path: pr/
|
path: pr/
|
||||||
- name: Save comment ID (if it exists)
|
|
||||||
run: |
|
|
||||||
# Find the latest comment starting with COMMENT_PREFIX
|
|
||||||
COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports."
|
|
||||||
COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty')
|
|
||||||
if [[ -z ${COMMENT_ID} ]]
|
|
||||||
then
|
|
||||||
echo "Comment not found. Not uploading 'comment/ID' artifact."
|
|
||||||
else
|
|
||||||
mkdir -p comment
|
|
||||||
echo ${COMMENT_ID} > comment/ID
|
|
||||||
fi
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
|
||||||
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
||||||
- name: Upload comment ID (if it exists)
|
|
||||||
uses: actions/upload-artifact@v3
|
|
||||||
with:
|
|
||||||
name: comment
|
|
||||||
path: comment/
|
|
||||||
if-no-files-found: ignore
|
|
||||||
|
|||||||
@@ -6,10 +6,6 @@ on:
|
|||||||
types:
|
types:
|
||||||
- completed
|
- completed
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
pull-requests: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check:
|
check:
|
||||||
name: Check framework coverage differences and comment
|
name: Check framework coverage differences and comment
|
||||||
|
|||||||
@@ -3,9 +3,6 @@ name: Build framework coverage timeseries reports
|
|||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
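Review bot: `echo ${{ github.event.pull_request.number }} > pr/NR` interpolates an expression straight into the shell script; the value is numeric here so it is not exploitable, but the `env:` form the other side used (`echo ${PR_NUMBER} > pr/NR`) keeps `run:` free of `${{ }}` so the pattern is never copied for a string field such as the PR title. The `pr` artifact is presumably consumed by the `workflow_run` workflow in the unlabelled `@@ -6,10 +6,6 @@` hunk below, which also drops its `permissions: pull-requests: write`; a consumer that reads `pr/NR` from an artifact produced by an untrusted pull-request build should validate it as an integer and confirm the PR's head SHA matches the triggering run before using it to post a comment, since the artifact content is attacker-controlled. I cannot see the consumer's steps from here, so this is a check to confirm rather than a defect I can point at.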
4
.github/workflows/csv-coverage-update.yml
vendored
4
.github/workflows/csv-coverage-update.yml
vendored
@@ -5,10 +5,6 @@ on:
|
|||||||
schedule:
|
schedule:
|
||||||
- cron: "0 0 * * *"
|
- cron: "0 0 * * *"
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
pull-requests: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
update:
|
update:
|
||||||
name: Update framework coverage report
|
name: Update framework coverage report
|
||||||
|
|||||||
3
.github/workflows/csv-coverage.yml
vendored
3
.github/workflows/csv-coverage.yml
vendored
@@ -7,9 +7,6 @@ on:
|
|||||||
description: "github/codeql repo SHA used for looking up the CSV models"
|
description: "github/codeql repo SHA used for looking up the CSV models"
|
||||||
required: false
|
required: false
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
5
.github/workflows/fast-forward.yml
vendored
5
.github/workflows/fast-forward.yml
vendored
@@ -7,14 +7,13 @@ name: Fast-forward tracking branch for selected CodeQL version
|
|||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
fast-forward:
|
fast-forward:
|
||||||
name: Fast-forward tracking branch for selected CodeQL version
|
name: Fast-forward tracking branch for selected CodeQL version
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
if: github.repository == 'github/codeql'
|
if: github.repository == 'github/codeql'
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
env:
|
env:
|
||||||
BRANCH_NAME: 'lgtm.com'
|
BRANCH_NAME: 'lgtm.com'
|
||||||
steps:
|
steps:
|
||||||
|
|||||||
13
.github/workflows/go-tests-other-os.yml
vendored
13
.github/workflows/go-tests-other-os.yml
vendored
@@ -8,21 +8,16 @@ on:
|
|||||||
- .github/actions/**
|
- .github/actions/**
|
||||||
- codeql-workspace.yml
|
- codeql-workspace.yml
|
||||||
env:
|
env:
|
||||||
GO_VERSION: '~1.22.0'
|
GO_VERSION: '~1.21.0'
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
test-mac:
|
test-mac:
|
||||||
name: Test MacOS
|
name: Test MacOS
|
||||||
runs-on: macos-latest
|
runs-on: macos-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Set up Go ${{ env.GO_VERSION }}
|
- name: Set up Go ${{ env.GO_VERSION }}
|
||||||
uses: actions/setup-go@v5
|
uses: actions/setup-go@v4
|
||||||
with:
|
with:
|
||||||
go-version: ${{ env.GO_VERSION }}
|
go-version: ${{ env.GO_VERSION }}
|
||||||
cache: false
|
|
||||||
id: go
|
id: go
|
||||||
|
|
||||||
- name: Check out code
|
- name: Check out code
|
||||||
@@ -51,15 +46,13 @@ jobs:
|
|||||||
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
|
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
|
||||||
|
|
||||||
test-win:
|
test-win:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
name: Test Windows
|
name: Test Windows
|
||||||
runs-on: windows-latest-xl
|
runs-on: windows-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- name: Set up Go ${{ env.GO_VERSION }}
|
- name: Set up Go ${{ env.GO_VERSION }}
|
||||||
uses: actions/setup-go@v5
|
uses: actions/setup-go@v4
|
||||||
with:
|
with:
|
||||||
go-version: ${{ env.GO_VERSION }}
|
go-version: ${{ env.GO_VERSION }}
|
||||||
cache: false
|
|
||||||
id: go
|
id: go
|
||||||
|
|
||||||
- name: Check out code
|
- name: Check out code
|
||||||
|
|||||||
11
.github/workflows/go-tests.yml
vendored
11
.github/workflows/go-tests.yml
vendored
@@ -15,24 +15,17 @@ on:
|
|||||||
- .github/workflows/go-tests.yml
|
- .github/workflows/go-tests.yml
|
||||||
- .github/actions/**
|
- .github/actions/**
|
||||||
- codeql-workspace.yml
|
- codeql-workspace.yml
|
||||||
|
|
||||||
env:
|
env:
|
||||||
GO_VERSION: '~1.22.0'
|
GO_VERSION: '~1.21.0'
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
test-linux:
|
test-linux:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
name: Test Linux (Ubuntu)
|
name: Test Linux (Ubuntu)
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- name: Set up Go ${{ env.GO_VERSION }}
|
- name: Set up Go ${{ env.GO_VERSION }}
|
||||||
uses: actions/setup-go@v5
|
uses: actions/setup-go@v4
|
||||||
with:
|
with:
|
||||||
go-version: ${{ env.GO_VERSION }}
|
go-version: ${{ env.GO_VERSION }}
|
||||||
cache: false
|
|
||||||
id: go
|
id: go
|
||||||
|
|
||||||
- name: Check out code
|
- name: Check out code
|
||||||
|
|||||||
65
.github/workflows/js-ml-tests.yml
vendored
Normal file
65
.github/workflows/js-ml-tests.yml
vendored
Normal file
@@ -0,0 +1,65 @@
|
|||||||
|
name: JS ML-powered queries tests
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
paths:
|
||||||
|
- "javascript/ql/experimental/adaptivethreatmodeling/**"
|
||||||
|
- .github/workflows/js-ml-tests.yml
|
||||||
|
- .github/actions/fetch-codeql/action.yml
|
||||||
|
- codeql-workspace.yml
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- "rc/*"
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- "javascript/ql/experimental/adaptivethreatmodeling/**"
|
||||||
|
- .github/workflows/js-ml-tests.yml
|
||||||
|
- .github/actions/fetch-codeql/action.yml
|
||||||
|
- codeql-workspace.yml
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
defaults:
|
||||||
|
run:
|
||||||
|
working-directory: javascript/ql/experimental/adaptivethreatmodeling
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
qltest:
|
||||||
|
name: Test QL
|
||||||
|
runs-on: ubuntu-latest-xl
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
- name: Install pack dependencies
|
||||||
|
run: |
|
||||||
|
for pack in modelbuilding src test; do
|
||||||
|
codeql pack install --mode verify -- "${pack}"
|
||||||
|
done
|
||||||
|
|
||||||
|
- name: Cache compilation cache
|
||||||
|
id: query-cache
|
||||||
|
uses: ./.github/actions/cache-query-compilation
|
||||||
|
with:
|
||||||
|
key: js-ml-test
|
||||||
|
|
||||||
|
- name: Check QL compilation
|
||||||
|
run: |
|
||||||
|
codeql query compile \
|
||||||
|
--check-only \
|
||||||
|
--ram 50000 \
|
||||||
|
--additional-packs "${{ github.workspace }}" \
|
||||||
|
--threads=0 \
|
||||||
|
--compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
|
||||||
|
-- \
|
||||||
|
lib modelbuilding src
|
||||||
|
|
||||||
|
- name: Run QL tests
|
||||||
|
run: |
|
||||||
|
codeql test run \
|
||||||
|
--threads=0 \
|
||||||
|
--ram 50000 \
|
||||||
|
--additional-packs "${{ github.workspace }}" \
|
||||||
|
--compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
|
||||||
|
-- \
|
||||||
|
test
|
||||||
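Review bot: The new workflow declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository default scope, which is more than a job that only checks out, installs packs and runs tests needs; add top-level `permissions:` / `  contents: read` before `jobs:`. The `qltest` job also runs on `ubuntu-latest-xl` with no `if: github.repository_owner == 'github'` guard, so forks will queue against an organization-specific runner label. `codeql pack install --mode verify` is the right choice here — as I read it, that mode fails when the lock file is missing or disagrees with the manifest, which is what CI should do.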
7
.github/workflows/labeler.yml
vendored
7
.github/workflows/labeler.yml
vendored
@@ -2,12 +2,11 @@ name: "Pull Request Labeler"
|
|||||||
on:
|
on:
|
||||||
- pull_request_target
|
- pull_request_target
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
pull-requests: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
triage:
|
triage:
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
pull-requests: write
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/labeler@v4
|
- uses: actions/labeler@v4
|
||||||
|
|||||||
12
.github/workflows/mad_modelDiff.yml
vendored
12
.github/workflows/mad_modelDiff.yml
vendored
@@ -12,7 +12,6 @@ on:
|
|||||||
- main
|
- main
|
||||||
paths:
|
paths:
|
||||||
- "java/ql/src/utils/modelgenerator/**/*.*"
|
- "java/ql/src/utils/modelgenerator/**/*.*"
|
||||||
- "misc/scripts/models-as-data/*.*"
|
|
||||||
- ".github/workflows/mad_modelDiff.yml"
|
- ".github/workflows/mad_modelDiff.yml"
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
@@ -62,9 +61,8 @@ jobs:
|
|||||||
DATABASE=$2
|
DATABASE=$2
|
||||||
cd codeql-$QL_VARIANT
|
cd codeql-$QL_VARIANT
|
||||||
SHORTNAME=`basename $DATABASE`
|
SHORTNAME=`basename $DATABASE`
|
||||||
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
|
||||||
mkdir -p $MODELS/$SHORTNAME
|
mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
|
||||||
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
|
|
||||||
cd ..
|
cd ..
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -87,16 +85,16 @@ jobs:
|
|||||||
set -x
|
set -x
|
||||||
MODELS=`pwd`/tmp-models
|
MODELS=`pwd`/tmp-models
|
||||||
ls -1 tmp-models/
|
ls -1 tmp-models/
|
||||||
for m in $MODELS/*/main/*.model.yml ; do
|
for m in $MODELS/*_main.model.yml ; do
|
||||||
t="${m/main/"pr"}"
|
t="${m/main/"pr"}"
|
||||||
basename=`basename $m`
|
basename=`basename $m`
|
||||||
name="diff_${basename/.model.yml/""}"
|
name="diff_${basename/_main.model.yml/""}"
|
||||||
(diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
|
(diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
|
||||||
done
|
done
|
||||||
- uses: actions/upload-artifact@v3
|
- uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: models
|
name: models
|
||||||
path: tmp-models/**/**/*.model.yml
|
path: tmp-models/*.model.yml
|
||||||
retention-days: 20
|
retention-days: 20
|
||||||
- uses: actions/upload-artifact@v3
|
- uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
|
|||||||
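Review bot: In the diff loop, `t="${m/main/"pr"}"` (unchanged context) substitutes the first occurrence of `main` anywhere in the full path, and with the new flat naming `$MODELS/*_main.model.yml` the first match may now fall inside `$SHORTNAME` (a database named `domain-x` yields `dopr-xGenerated_main.model.yml`) or inside the checkout path, leaving `$t` pointing at a file that does not exist and the resulting `diff` error swallowed by `|| true`. Anchoring the substitution to the suffix, `t="${m/_main.model.yml/_pr.model.yml}"`, removes that ambiguity. The new `python` and `mv` lines in `generate` also expand `$DATABASE`, `$SHORTNAME` and `$MODELS` unquoted; quoting them is cheap and avoids word-splitting if a database path contains spaces. The `generate` function begins before the `@@ -62,9 +61,8 @@` hunk.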
3
.github/workflows/mad_regenerate-models.yml
vendored
3
.github/workflows/mad_regenerate-models.yml
vendored
@@ -11,9 +11,6 @@ on:
|
|||||||
- ".github/workflows/mad_regenerate-models.yml"
|
- ".github/workflows/mad_regenerate-models.yml"
|
||||||
- ".github/actions/fetch-codeql/action.yml"
|
- ".github/actions/fetch-codeql/action.yml"
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
regenerate-models:
|
regenerate-models:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
2
.github/workflows/qhelp-pr-preview.yml
vendored
2
.github/workflows/qhelp-pr-preview.yml
vendored
@@ -77,7 +77,7 @@ jobs:
|
|||||||
done < "${RUNNER_TEMP}/paths.txt" >> comment_body.txt
|
done < "${RUNNER_TEMP}/paths.txt" >> comment_body.txt
|
||||||
exit "${EXIT_CODE}"
|
exit "${EXIT_CODE}"
|
||||||
|
|
||||||
- if: ${{ !cancelled() }}
|
- if: always()
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: comment
|
name: comment
|
||||||
|
|||||||
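Review bot: `if: always()` on the upload step also fires when the run is cancelled, so a cancelled job still uploads the `comment` artifact and, presumably, whatever consumes it still posts; `if: ${{ !cancelled() }}` expresses the actual intent (run after success or failure, not after cancellation). That is the one-word change `- if: ${{ !cancelled() }}` on the `actions/upload-artifact@v3` step. The enclosing job starts before the hunk.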
9
.github/workflows/ql-for-ql-build.yml
vendored
9
.github/workflows/ql-for-ql-build.yml
vendored
@@ -9,13 +9,8 @@ on:
|
|||||||
env:
|
env:
|
||||||
CARGO_TERM_COLOR: always
|
CARGO_TERM_COLOR: always
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
security-events: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
analyze:
|
analyze:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
### Build the queries ###
|
### Build the queries ###
|
||||||
@@ -24,7 +19,7 @@ jobs:
|
|||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@v2
|
||||||
with:
|
with:
|
||||||
languages: javascript # does not matter
|
languages: javascript # does not matter
|
||||||
- uses: ./.github/actions/os-version
|
- uses: ./.github/actions/os-version
|
||||||
@@ -70,7 +65,7 @@ jobs:
|
|||||||
exclude:*/ql/lib/upgrades/
|
exclude:*/ql/lib/upgrades/
|
||||||
exclude:java/ql/integration-tests
|
exclude:java/ql/integration-tests
|
||||||
- name: Upload sarif to code-scanning
|
- name: Upload sarif to code-scanning
|
||||||
uses: github/codeql-action/upload-sarif@main
|
uses: github/codeql-action/upload-sarif@v2
|
||||||
with:
|
with:
|
||||||
sarif_file: ql-for-ql.sarif
|
sarif_file: ql-for-ql.sarif
|
||||||
category: ql-for-ql
|
category: ql-for-ql
|
||||||
|
|||||||
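Review bot: Removing the `permissions:` block (`contents: read`, `security-events: write`) in the first hunk leaves the workflow's GITHUB_TOKEN at the repository default, which is either broader than the `analyze` job needs or, where the default is restricted, too narrow for the `github/codeql-action/upload-sarif@v2` step in the `@@ -70,7 +65,7 @@` hunk, which needs `security-events: write`. The same block is dropped in the `@@ -11,10 +11,6 @@ on:` hunk further down (there with `security-events: read`) and in mad_regenerate-models.yml, ql-for-ql-tests.yml, query-list.yml, ruby-build.yml, ruby-dataset-measure.yml, ruby-qltest.yml, swift.yml, sync-files.yml, validate-change-notes.yml and the `@@ -23,9 +23,6 @@ defaults:` hunk; an explicit least-privilege block per workflow is the safer default, so keep `permissions:` / `contents: read` / `security-events: write` at the top of this file. Dropping `if: github.repository_owner == 'github'` on `analyze` (and on `compile-queries` in ruby-build.yml, `qltest` in ruby-qltest.yml and the swift.yml jobs) means forks will try to schedule on `ubuntu-latest-xl`, a runner label they presumably do not have, so the guard is worth keeping as well. The `on:` trigger block and the job's later steps lie outside the hunks.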
@@ -11,10 +11,6 @@ on:
|
|||||||
- ql/ql/src/ql.dbscheme
|
- ql/ql/src/ql.dbscheme
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
security-events: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
measure:
|
measure:
|
||||||
env:
|
env:
|
||||||
@@ -29,7 +25,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@v2
|
||||||
with:
|
with:
|
||||||
languages: javascript # does not matter
|
languages: javascript # does not matter
|
||||||
- uses: ./.github/actions/os-version
|
- uses: ./.github/actions/os-version
|
||||||
|
|||||||
7
.github/workflows/ql-for-ql-tests.yml
vendored
7
.github/workflows/ql-for-ql-tests.yml
vendored
@@ -17,9 +17,6 @@ on:
|
|||||||
env:
|
env:
|
||||||
CARGO_TERM_COLOR: always
|
CARGO_TERM_COLOR: always
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
qltest:
|
qltest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
@@ -27,7 +24,7 @@ jobs:
|
|||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@v2
|
||||||
with:
|
with:
|
||||||
languages: javascript # does not matter
|
languages: javascript # does not matter
|
||||||
- uses: ./.github/actions/os-version
|
- uses: ./.github/actions/os-version
|
||||||
@@ -72,7 +69,7 @@ jobs:
|
|||||||
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@v2
|
||||||
with:
|
with:
|
||||||
languages: javascript # does not matter
|
languages: javascript # does not matter
|
||||||
- uses: ./.github/actions/os-version
|
- uses: ./.github/actions/os-version
|
||||||
|
|||||||
3
.github/workflows/query-list.yml
vendored
3
.github/workflows/query-list.yml
vendored
@@ -13,9 +13,6 @@ on:
|
|||||||
- '.github/actions/fetch-codeql/action.yml'
|
- '.github/actions/fetch-codeql/action.yml'
|
||||||
- 'misc/scripts/generate-code-scanning-query-list.py'
|
- 'misc/scripts/generate-code-scanning-query-list.py'
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
|
|
||||||
|
|||||||
77
.github/workflows/ruby-build.yml
vendored
77
.github/workflows/ruby-build.yml
vendored
@@ -32,9 +32,6 @@ defaults:
|
|||||||
run:
|
run:
|
||||||
working-directory: ruby
|
working-directory: ruby
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
strategy:
|
strategy:
|
||||||
@@ -51,11 +48,9 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
brew install gnu-tar
|
brew install gnu-tar
|
||||||
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
||||||
- name: Prepare Windows
|
- name: Install cargo-cross
|
||||||
if: runner.os == 'Windows'
|
if: runner.os == 'Linux'
|
||||||
shell: powershell
|
run: cargo install cross --version 0.2.5
|
||||||
run: |
|
|
||||||
git config --global core.longpaths true
|
|
||||||
- uses: ./.github/actions/os-version
|
- uses: ./.github/actions/os-version
|
||||||
id: os_version
|
id: os_version
|
||||||
- name: Cache entire extractor
|
- name: Cache entire extractor
|
||||||
@@ -84,8 +79,16 @@ jobs:
|
|||||||
- name: Run tests
|
- name: Run tests
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
||||||
run: cd extractor && cargo test --verbose
|
run: cd extractor && cargo test --verbose
|
||||||
- name: Release build
|
# On linux, build the extractor via cross in a centos7 container.
|
||||||
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
# This ensures we don't depend on glibc > 2.17.
|
||||||
|
- name: Release build (linux)
|
||||||
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
|
||||||
|
run: |
|
||||||
|
cd extractor
|
||||||
|
cross build --release
|
||||||
|
mv target/x86_64-unknown-linux-gnu/release/codeql-extractor-ruby target/release/
|
||||||
|
- name: Release build (windows and macos)
|
||||||
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
|
||||||
run: cd extractor && cargo build --release
|
run: cd extractor && cargo build --release
|
||||||
- name: Generate dbscheme
|
- name: Generate dbscheme
|
||||||
if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
|
if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
|
||||||
@@ -108,7 +111,6 @@ jobs:
|
|||||||
ruby/extractor/target/release/codeql-extractor-ruby.exe
|
ruby/extractor/target/release/codeql-extractor-ruby.exe
|
||||||
retention-days: 1
|
retention-days: 1
|
||||||
compile-queries:
|
compile-queries:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
@@ -117,7 +119,7 @@ jobs:
|
|||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
id: query-cache
|
id: query-cache
|
||||||
uses: ./.github/actions/cache-query-compilation
|
uses: ./.github/actions/cache-query-compilation
|
||||||
with:
|
with:
|
||||||
key: ruby-build
|
key: ruby-build
|
||||||
- name: Build Query Pack
|
- name: Build Query Pack
|
||||||
run: |
|
run: |
|
||||||
@@ -229,3 +231,54 @@ jobs:
|
|||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
||||||
|
|
||||||
|
# This is a copy of the 'test' job that runs in a centos7 container.
|
||||||
|
# This tests that the extractor works correctly on systems with an old glibc.
|
||||||
|
test-centos7:
|
||||||
|
defaults:
|
||||||
|
run:
|
||||||
|
working-directory: ${{ github.workspace }}
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
container:
|
||||||
|
image: centos:centos7
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
needs: [package]
|
||||||
|
steps:
|
||||||
|
- name: Install gh cli
|
||||||
|
run: |
|
||||||
|
yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
|
||||||
|
# fetch-codeql requires unzip and jq
|
||||||
|
# jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/)
|
||||||
|
yum install -y gh unzip epel-release
|
||||||
|
yum install -y jq
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- name: Fetch CodeQL
|
||||||
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
# Due to a bug in Actions, we can't use runner.temp in the run blocks here.
|
||||||
|
# https://github.com/actions/runner/issues/2185
|
||||||
|
|
||||||
|
- name: Download Ruby bundle
|
||||||
|
uses: actions/download-artifact@v3
|
||||||
|
with:
|
||||||
|
name: codeql-ruby-bundle
|
||||||
|
path: ${{ runner.temp }}
|
||||||
|
- name: Unzip Ruby bundle
|
||||||
|
shell: bash
|
||||||
|
run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip
|
||||||
|
|
||||||
|
- name: Run QL test
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/
|
||||||
|
- name: Create database
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
|
||||||
|
- name: Analyze database
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
||||||
|
|||||||
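Review bot: In the new `test-centos7` job (`@@ -229,3 +231,54 @@` hunk) `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is set as job-level `env:`, so the token is visible to every step, including the one that runs `yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo` and `yum install -y gh unzip epel-release` from an externally added repository; scoping it as `env:` on only the step that needs it (presumably the `Fetch CodeQL` step) limits the exposure. The same job uses `actions/checkout@v3` while the rest of this file is on `actions/checkout@v4`, which looks like an oversight rather than a deliberate pin. In the `Release build (linux)` step of the `@@ -84,8 +79,16 @@` hunk, `mv target/x86_64-unknown-linux-gnu/release/codeql-extractor-ruby target/release/` assumes `target/release/` already exists, which `cross build --release` does not obviously create; adding `mkdir -p target/release` before the `mv` makes the step robust. The `build` job's header and the `package` job it depends on lie outside the hunks.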
3
.github/workflows/ruby-dataset-measure.yml
vendored
3
.github/workflows/ruby-dataset-measure.yml
vendored
@@ -17,9 +17,6 @@ on:
|
|||||||
- .github/workflows/ruby-dataset-measure.yml
|
- .github/workflows/ruby-dataset-measure.yml
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
measure:
|
measure:
|
||||||
env:
|
env:
|
||||||
|
|||||||
4
.github/workflows/ruby-qltest.yml
vendored
4
.github/workflows/ruby-qltest.yml
vendored
@@ -29,9 +29,6 @@ defaults:
|
|||||||
run:
|
run:
|
||||||
working-directory: ruby
|
working-directory: ruby
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
qlupgrade:
|
qlupgrade:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
@@ -53,7 +50,6 @@ jobs:
|
|||||||
xargs codeql execute upgrades testdb
|
xargs codeql execute upgrades testdb
|
||||||
diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
|
diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
|
||||||
qltest:
|
qltest:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
|
|||||||
24
.github/workflows/swift.yml
vendored
24
.github/workflows/swift.yml
vendored
@@ -33,62 +33,46 @@ on:
|
|||||||
- rc/*
|
- rc/*
|
||||||
- codeql-cli-*
|
- codeql-cli-*
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
|
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
|
||||||
# without waiting for the macOS build
|
# without waiting for the macOS build
|
||||||
build-and-test-macos:
|
build-and-test-macos:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
runs-on: macos-12-xl
|
runs-on: macos-12-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: ./swift/actions/build-and-test
|
- uses: ./swift/actions/build-and-test
|
||||||
build-and-test-linux:
|
build-and-test-linux:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: ./swift/actions/build-and-test
|
- uses: ./swift/actions/build-and-test
|
||||||
qltests-linux:
|
qltests-linux:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
needs: build-and-test-linux
|
needs: build-and-test-linux
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: ./swift/actions/run-ql-tests
|
- uses: ./swift/actions/run-ql-tests
|
||||||
qltests-macos:
|
qltests-macos:
|
||||||
if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
|
if : ${{ github.event_name == 'pull_request' }}
|
||||||
needs: build-and-test-macos
|
needs: build-and-test-macos
|
||||||
runs-on: macos-12-xl
|
runs-on: macos-12-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: ./swift/actions/run-ql-tests
|
- uses: ./swift/actions/run-ql-tests
|
||||||
integration-tests-linux:
|
integration-tests-linux:
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
needs: build-and-test-linux
|
needs: build-and-test-linux
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: ./swift/actions/run-integration-tests
|
- uses: ./swift/actions/run-integration-tests
|
||||||
integration-tests-macos:
|
integration-tests-macos:
|
||||||
if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
|
if : ${{ github.event_name == 'pull_request' }}
|
||||||
needs: build-and-test-macos
|
needs: build-and-test-macos
|
||||||
runs-on: macos-12-xl
|
runs-on: macos-12-xl
|
||||||
timeout-minutes: 60
|
timeout-minutes: 60
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: ./swift/actions/run-integration-tests
|
- uses: ./swift/actions/run-integration-tests
|
||||||
clang-format:
|
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
|
||||||
name: Check that python code is properly formatted
|
|
||||||
with:
|
|
||||||
extra_args: clang-format --all-files
|
|
||||||
codegen:
|
codegen:
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
if : ${{ github.event_name == 'pull_request' }}
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
@@ -98,12 +82,12 @@ jobs:
|
|||||||
- uses: actions/setup-python@v4
|
- uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
python-version-file: 'swift/.python-version'
|
python-version-file: 'swift/.python-version'
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
- uses: pre-commit/action@v3.0.0
|
||||||
name: Check that python code is properly formatted
|
name: Check that python code is properly formatted
|
||||||
with:
|
with:
|
||||||
extra_args: autopep8 --all-files
|
extra_args: autopep8 --all-files
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
- uses: pre-commit/action@v3.0.0
|
||||||
name: Check that QL generated code was checked in
|
name: Check that QL generated code was checked in
|
||||||
with:
|
with:
|
||||||
extra_args: swift-codegen --all-files
|
extra_args: swift-codegen --all-files
|
||||||
|
|||||||
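Review bot: `- uses: pre-commit/action@v3.0.0` at both places in the `@@ -98,12 +82,12 @@` hunk pins a third-party action to a mutable tag; the old side pinned the same action to the full commit SHA (`pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507`), which is the form that cannot be retargeted upstream, so if this branch is kept the tag pins should be replaced with a SHA again. The `if : ${{ github.event_name == 'pull_request' }}` lines in the first hunk carry a space before the colon, which is valid YAML but inconsistent with every other `if:` in the file. The `codegen` job's remaining steps continue outside the second hunk.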
3
.github/workflows/sync-files.yml
vendored
3
.github/workflows/sync-files.yml
vendored
@@ -10,9 +10,6 @@ on:
|
|||||||
- main
|
- main
|
||||||
- 'rc/*'
|
- 'rc/*'
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
sync:
|
sync:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
@@ -23,9 +23,6 @@ defaults:
|
|||||||
run:
|
run:
|
||||||
working-directory: shared/tree-sitter-extractor
|
working-directory: shared/tree-sitter-extractor
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
3
.github/workflows/validate-change-notes.yml
vendored
3
.github/workflows/validate-change-notes.yml
vendored
@@ -15,9 +15,6 @@ on:
|
|||||||
- ".github/workflows/validate-change-notes.yml"
|
- ".github/workflows/validate-change-notes.yml"
|
||||||
- ".github/actions/fetch-codeql/action.yml"
|
- ".github/actions/fetch-codeql/action.yml"
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check-change-note:
|
check-change-note:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
3
.gitignore
vendored
3
.gitignore
vendored
@@ -39,9 +39,6 @@
|
|||||||
# local bazel options
|
# local bazel options
|
||||||
/local.bazelrc
|
/local.bazelrc
|
||||||
|
|
||||||
# generated cmake directory
|
|
||||||
/.bazel-cmake
|
|
||||||
|
|
||||||
# CLion project files
|
# CLion project files
|
||||||
/.clwb
|
/.clwb
|
||||||
|
|
||||||
|
|||||||
@@ -10,9 +10,10 @@ repos:
|
|||||||
exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
|
exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
|
||||||
|
|
||||||
- repo: https://github.com/pre-commit/mirrors-clang-format
|
- repo: https://github.com/pre-commit/mirrors-clang-format
|
||||||
rev: v17.0.6
|
rev: v13.0.1
|
||||||
hooks:
|
hooks:
|
||||||
- id: clang-format
|
- id: clang-format
|
||||||
|
files: ^swift/.*\.(h|c|cpp)$
|
||||||
|
|
||||||
- repo: https://github.com/pre-commit/mirrors-autopep8
|
- repo: https://github.com/pre-commit/mirrors-autopep8
|
||||||
rev: v1.6.0
|
rev: v1.6.0
|
||||||
|
|||||||
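Review bot: Dropping `files: ^swift/.*\.(h|c|cpp)$` from the `clang-format` hook removes its only path filter, so the hook's built-in file-type filter presumably applies to every C/C++ source in the repository rather than just `swift/`; if the narrower scope was intended, keep the `files:` line. `rev: v13.0.1` is also a downgrade from `v17.0.6` on the old side, and formatting output may differ between the two versions, so a short comment naming the version the repository standardises on would help. The file header is not shown on the page; the content reads as the repository's pre-commit configuration, and the `repos:` list continues outside the hunk.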
@@ -8,8 +8,6 @@
|
|||||||
/swift/ @github/codeql-swift
|
/swift/ @github/codeql-swift
|
||||||
/misc/codegen/ @github/codeql-swift
|
/misc/codegen/ @github/codeql-swift
|
||||||
/java/kotlin-extractor/ @github/codeql-kotlin
|
/java/kotlin-extractor/ @github/codeql-kotlin
|
||||||
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
|
||||||
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
|
||||||
|
|
||||||
# ML-powered queries
|
# ML-powered queries
|
||||||
/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
|
/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
|
||||||
@@ -25,7 +23,6 @@
|
|||||||
|
|
||||||
# Bazel (excluding BUILD.bazel files)
|
# Bazel (excluding BUILD.bazel files)
|
||||||
WORKSPACE.bazel @github/codeql-ci-reviewers
|
WORKSPACE.bazel @github/codeql-ci-reviewers
|
||||||
MODULE.bazel @github/codeql-ci-reviewers
|
|
||||||
.bazelversion @github/codeql-ci-reviewers
|
.bazelversion @github/codeql-ci-reviewers
|
||||||
.bazelrc @github/codeql-ci-reviewers
|
.bazelrc @github/codeql-ci-reviewers
|
||||||
**/*.bzl @github/codeql-ci-reviewers
|
**/*.bzl @github/codeql-ci-reviewers
|
||||||
@@ -45,4 +42,3 @@ MODULE.bazel @github/codeql-ci-reviewers
|
|||||||
|
|
||||||
# Misc
|
# Misc
|
||||||
/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
|
/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
|
||||||
/misc/scripts/generate-code-scanning-query-list.py @RasmusWL
|
|
||||||
|
|||||||
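Review bot: In the `@@ -45,4 +42,3 @@` hunk the line `/misc/scripts/generate-code-scanning-query-list.py @RasmusWL` is dropped, yet the script is still a trigger path in query-list.yml (`- 'misc/scripts/generate-code-scanning-query-list.py'` on both sides of that section), so changes to it no longer request a review from its owner; keep the line unless ownership moved elsewhere. The `/java/ql/test-kotlin1/` and `/java/ql/test-kotlin2/` removals in the first hunk look consistent with the narrowed `"*/ql/test/qlpack.yml"` pattern later on the page, but that is inferred rather than shown. The file header is not on the page; the content reads as the repository's CODEOWNERS file.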
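--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -1,53 +0,0 @@
-module(
-name = "codeql",
-version = "0.0",
-)
-
-# this points to our internal repository when `codeql` is checked out as a submodule thereof
-# when building things from `codeql` independently this is stubbed out in `.bazelrc`
-bazel_dep(name = "semmle_code", version = "0.0")
-local_path_override(
-module_name = "semmle_code",
-path = "..",
-)
-
-# see https://registry.bazel.build/ for a list of available packages
-
-bazel_dep(name = "platforms", version = "0.0.8")
-bazel_dep(name = "rules_pkg", version = "0.9.1")
-bazel_dep(name = "rules_nodejs", version = "6.0.3")
-bazel_dep(name = "rules_python", version = "0.31.0")
-bazel_dep(name = "bazel_skylib", version = "1.5.0")
-bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
-bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "10.0.0")
-
-pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
-pip.parse(
-hub_name = "codegen_deps",
-python_version = "3.11",
-requirements_lock = "//misc/codegen:requirements_lock.txt",
-)
-use_repo(pip, "codegen_deps")
-
-swift_deps = use_extension("//swift/third_party:load.bzl", "swift_deps")
-use_repo(
-swift_deps,
-"binlog",
-"picosha2",
-"swift_prebuilt_darwin_x86_64",
-"swift_prebuilt_linux",
-"swift_toolchain_linux",
-"swift_toolchain_macos",
-)
-
-node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node")
-node.toolchain(
-name = "nodejs",
-node_version = "18.15.0",
-)
-use_repo(node, "nodejs", "nodejs_toolchains")
-
-register_toolchains(
-"@nodejs_toolchains//:all",
-)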
@@ -1,2 +1,12 @@
|
|||||||
# please use MODULE.bazel to add dependencies
|
# Please notice that any bazel targets and definitions in this repository are currently experimental
|
||||||
# this empty file is required by internal repositories, don't remove it
|
# and for internal use only.
|
||||||
|
|
||||||
|
workspace(name = "codeql")
|
||||||
|
|
||||||
|
load("//misc/bazel:workspace.bzl", "codeql_workspace")
|
||||||
|
|
||||||
|
codeql_workspace()
|
||||||
|
|
||||||
|
load("//misc/bazel:workspace_deps.bzl", "codeql_workspace_deps")
|
||||||
|
|
||||||
|
codeql_workspace_deps()
|
||||||
|
|||||||
@@ -1,12 +1,12 @@
|
|||||||
provide:
|
provide:
|
||||||
- "*/ql/src/qlpack.yml"
|
- "*/ql/src/qlpack.yml"
|
||||||
- "*/ql/lib/qlpack.yml"
|
- "*/ql/lib/qlpack.yml"
|
||||||
- "*/ql/test*/qlpack.yml"
|
- "*/ql/test/qlpack.yml"
|
||||||
- "*/ql/examples/qlpack.yml"
|
- "*/ql/examples/qlpack.yml"
|
||||||
- "*/ql/consistency-queries/qlpack.yml"
|
- "*/ql/consistency-queries/qlpack.yml"
|
||||||
- "*/ql/automodel/src/qlpack.yml"
|
- "*/ql/automodel/src/qlpack.yml"
|
||||||
- "*/ql/automodel/test/qlpack.yml"
|
- "*/ql/automodel/test/qlpack.yml"
|
||||||
- "shared/**/qlpack.yml"
|
- "shared/*/qlpack.yml"
|
||||||
- "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
|
- "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
|
||||||
- "go/ql/config/legacy-support/qlpack.yml"
|
- "go/ql/config/legacy-support/qlpack.yml"
|
||||||
- "go/build/codeql-extractor-go/codeql-extractor.yml"
|
- "go/build/codeql-extractor-go/codeql-extractor.yml"
|
||||||
@@ -29,7 +29,6 @@ provide:
|
|||||||
- "swift/extractor-pack/codeql-extractor.yml"
|
- "swift/extractor-pack/codeql-extractor.yml"
|
||||||
- "swift/integration-tests/qlpack.yml"
|
- "swift/integration-tests/qlpack.yml"
|
||||||
- "ql/extractor-pack/codeql-extractor.yml"
|
- "ql/extractor-pack/codeql-extractor.yml"
|
||||||
- ".github/codeql/extensions/**/codeql-pack.yml"
|
|
||||||
|
|
||||||
versionPolicies:
|
versionPolicies:
|
||||||
default:
|
default:
|
||||||
|
|||||||
@@ -53,6 +53,14 @@
|
|||||||
"ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
|
"swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
|
||||||
],
|
],
|
||||||
|
"DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
|
||||||
|
"java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
|
||||||
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
|
||||||
|
"go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
|
||||||
|
"python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll",
|
||||||
|
"swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
|
||||||
|
],
|
||||||
"SsaReadPosition Java/C#": [
|
"SsaReadPosition Java/C#": [
|
||||||
"java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
|
"java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
|
||||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
|
||||||
@@ -431,6 +439,13 @@
|
|||||||
"java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
|
"java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
|
||||||
"java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
|
"java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
|
||||||
],
|
],
|
||||||
|
"IDE Contextual Queries": [
|
||||||
|
"cpp/ql/lib/IDEContextual.qll",
|
||||||
|
"csharp/ql/lib/IDEContextual.qll",
|
||||||
|
"java/ql/lib/IDEContextual.qll",
|
||||||
|
"javascript/ql/lib/IDEContextual.qll",
|
||||||
|
"python/ql/lib/analysis/IDEContextual.qll"
|
||||||
|
],
|
||||||
"CryptoAlgorithms Python/JS/Ruby": [
|
"CryptoAlgorithms Python/JS/Ruby": [
|
||||||
"javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
|
"javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
|
||||||
"python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",
|
"python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",
|
||||||
@@ -447,6 +462,23 @@
|
|||||||
"ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
|
"ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
|
||||||
"swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
|
"swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
|
||||||
],
|
],
|
||||||
|
"TypeTracker": [
|
||||||
|
"python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
|
||||||
|
],
|
||||||
|
"SummaryTypeTracker": [
|
||||||
|
"python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
|
||||||
|
],
|
||||||
|
"AccessPathSyntax": [
|
||||||
|
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
|
||||||
|
"go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
|
||||||
|
"java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
|
||||||
|
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
|
||||||
|
"python/ql/lib/semmle/python/dataflow/new/internal/AccessPathSyntax.qll",
|
||||||
|
"swift/ql/lib/codeql/swift/dataflow/internal/AccessPathSyntax.qll"
|
||||||
|
],
|
||||||
"IncompleteUrlSubstringSanitization": [
|
"IncompleteUrlSubstringSanitization": [
|
||||||
"javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
|
"javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
|
||||||
"ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
|
"ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
|
||||||
@@ -466,6 +498,26 @@
|
|||||||
"ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
|
"ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
|
||||||
"python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
|
"python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
|
||||||
],
|
],
|
||||||
|
"TaintedFormatStringQuery Ruby/JS": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
|
||||||
|
],
|
||||||
|
"TaintedFormatStringCustomizations Ruby/JS": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
|
||||||
|
],
|
||||||
|
"HttpToFileAccessQuery JS/Ruby": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
|
||||||
|
],
|
||||||
|
"HttpToFileAccessCustomizations JS/Ruby": [
|
||||||
|
"javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
|
||||||
|
"ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
|
||||||
|
],
|
||||||
|
"Typo database": [
|
||||||
|
"javascript/ql/src/Expressions/TypoDatabase.qll",
|
||||||
|
"ql/ql/src/codeql_ql/style/TypoDatabase.qll"
|
||||||
|
],
|
||||||
"Swift declarations test file": [
|
"Swift declarations test file": [
|
||||||
"swift/ql/test/extractor-tests/declarations/declarations.swift",
|
"swift/ql/test/extractor-tests/declarations/declarations.swift",
|
||||||
"swift/ql/test/library-tests/ast/declarations.swift"
|
"swift/ql/test/library-tests/ast/declarations.swift"
|
||||||
@@ -498,4 +550,4 @@
|
|||||||
"python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
|
"python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
|
||||||
"python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
|
"python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,17 +1,12 @@
|
|||||||
load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
|
|
||||||
|
|
||||||
package(default_visibility = ["//visibility:public"])
|
package(default_visibility = ["//visibility:public"])
|
||||||
|
|
||||||
|
load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
|
||||||
|
|
||||||
alias(
|
alias(
|
||||||
name = "dbscheme",
|
name = "dbscheme",
|
||||||
actual = "//cpp/ql/lib:dbscheme",
|
actual = "//cpp/ql/lib:dbscheme",
|
||||||
)
|
)
|
||||||
|
|
||||||
alias(
|
|
||||||
name = "dbscheme-stats",
|
|
||||||
actual = "//cpp/ql/lib:dbscheme-stats",
|
|
||||||
)
|
|
||||||
|
|
||||||
pkg_filegroup(
|
pkg_filegroup(
|
||||||
name = "db-files",
|
name = "db-files",
|
||||||
srcs = [
|
srcs = [
|
||||||
|
|||||||
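Review bot: The new side places `load("@rules_pkg//:mappings.bzl", "pkg_filegroup")` after `package(default_visibility = ["//visibility:public"])`; Buildifier's convention is that `load()` statements come first in a BUILD file, before `package()`, so the old ordering is the one the formatter expects. Removing the `dbscheme-stats` alias also drops the only indirection to `//cpp/ql/lib:dbscheme-stats` in this file, so any target that referenced `:dbscheme-stats` here would need updating, which is not visible on the page. The file header is not shown and the `pkg_filegroup` body continues outside the hunk.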
@@ -145,9 +145,9 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
|
|
||||||
bool IBuildActions.IsMacOs() => IsMacOs;
|
bool IBuildActions.IsMacOs() => IsMacOs;
|
||||||
|
|
||||||
public bool IsRunningOnAppleSilicon { get; set; }
|
public bool IsArm { get; set; }
|
||||||
|
|
||||||
bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
|
bool IBuildActions.IsArm() => IsArm;
|
||||||
|
|
||||||
string IBuildActions.PathCombine(params string[] parts)
|
string IBuildActions.PathCombine(params string[] parts)
|
||||||
{
|
{
|
||||||
@@ -326,7 +326,7 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
public void TestCppAutobuilderSuccess()
|
public void TestCppAutobuilderSuccess()
|
||||||
{
|
{
|
||||||
Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
|
Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
|
||||||
Actions.RunProcess[@"cmd.exe /C scratch\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
|
Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
|
||||||
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program^ Files^ ^(x86^)\Microsoft^ Visual^ Studio^ 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
|
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program^ Files^ ^(x86^)\Microsoft^ Visual^ Studio^ 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
|
||||||
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
||||||
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
||||||
@@ -337,11 +337,10 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = true;
|
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = true;
|
||||||
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true;
|
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true;
|
||||||
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
|
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
|
||||||
Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CPP_SCRATCH_DIR"] = "scratch";
|
|
||||||
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
|
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
|
||||||
Actions.EnumerateDirectories[@"C:\Project"] = "";
|
Actions.EnumerateDirectories[@"C:\Project"] = "";
|
||||||
Actions.CreateDirectories.Add(@"scratch\.nuget");
|
Actions.CreateDirectories.Add(@"C:\Project\.nuget");
|
||||||
Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"scratch\.nuget\nuget.exe"));
|
Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
|
||||||
|
|
||||||
var autobuilder = CreateAutoBuilder(true);
|
var autobuilder = CreateAutoBuilder(true);
|
||||||
var solution = new TestSolution(@"C:\Project\test.sln");
|
var solution = new TestSolution(@"C:\Project\test.sln");
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
<OutputType>Exe</OutputType>
|
||||||
<TargetFramework>net8.0</TargetFramework>
|
<TargetFramework>net7.0</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
<Nullable>enable</Nullable>
|
<Nullable>enable</Nullable>
|
||||||
@@ -11,12 +11,12 @@
|
|||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
||||||
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
||||||
<PackageReference Include="xunit" Version="2.6.2" />
|
<PackageReference Include="xunit" Version="2.4.2" />
|
||||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.5.4">
|
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
|
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -1,7 +1,5 @@
|
|||||||
using System;
|
using System;
|
||||||
|
|
||||||
using Semmle.Autobuild.Shared;
|
using Semmle.Autobuild.Shared;
|
||||||
using Semmle.Util;
|
|
||||||
|
|
||||||
namespace Semmle.Autobuild.Cpp
|
namespace Semmle.Autobuild.Cpp
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<TargetFramework>net8.0</TargetFramework>
|
<TargetFramework>net7.0</TargetFramework>
|
||||||
<AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
|
<AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
|
||||||
<RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
|
<RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
|
||||||
<ApplicationIcon />
|
<ApplicationIcon />
|
||||||
@@ -17,7 +17,7 @@
|
|||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="Microsoft.Build" Version="17.8.3" />
|
<PackageReference Include="Microsoft.Build" Version="17.3.2" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
description: Expose whether a function was prototyped or not
|
|
||||||
compatibility: backwards
|
|
||||||
function_prototyped.rel: delete
|
|
||||||
@@ -1,19 +0,0 @@
|
|||||||
class Element extends @element {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class Expr extends @expr {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class Stmt extends @stmt {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isStmtWithInitializer(Stmt stmt) { exists(int kind | stmts(stmt, kind, _) | kind = 29) }
|
|
||||||
|
|
||||||
from Expr child, int index, int index_new, Element parent
|
|
||||||
where
|
|
||||||
exprparents(child, index, parent) and
|
|
||||||
if isStmtWithInitializer(parent) then index_new = index - 1 else index_new = index
|
|
||||||
select child, index_new, parent
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
class Stmt extends @stmt {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
from Stmt f, Stmt i
|
|
||||||
where
|
|
||||||
for_initialization(f, i) and
|
|
||||||
f instanceof @stmt_for
|
|
||||||
select f, i
|
|
||||||
@@ -1,20 +0,0 @@
|
|||||||
class Element extends @element {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class Stmt extends @stmt {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isStmtWithInitializer(Stmt stmt) { exists(int kind | stmts(stmt, kind, _) | kind = 29) }
|
|
||||||
|
|
||||||
from Stmt child, int index, int index_new, Element parent
|
|
||||||
where
|
|
||||||
stmtparents(child, index, parent) and
|
|
||||||
(
|
|
||||||
not isStmtWithInitializer(parent)
|
|
||||||
or
|
|
||||||
index > 0
|
|
||||||
) and
|
|
||||||
if isStmtWithInitializer(parent) then index_new = index - 1 else index_new = index
|
|
||||||
select child, index_new, parent
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
description: Support C++20 range-based for initializers
|
|
||||||
compatibility: partial
|
|
||||||
exprparents.rel: run exprparents.qlo
|
|
||||||
stmtparents.rel: run stmtparents.qlo
|
|
||||||
for_initialization.rel: run for_initialization.qlo
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
class Declaration extends @declaration {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class MangledName extends @mangledname {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
from Declaration d, MangledName n
|
|
||||||
where mangled_name(d, n, _)
|
|
||||||
select d, n
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
description: Add completness information to mangled name table
|
|
||||||
compatibility: full
|
|
||||||
mangled_name.rel: run mangled_name.qlo
|
|
||||||
@@ -1,19 +0,0 @@
|
|||||||
class BuiltinType extends @builtintype {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
|
|
||||||
where
|
|
||||||
builtintypes(type, name, kind, size, sign, alignment) and
|
|
||||||
if
|
|
||||||
type instanceof @fp16 or
|
|
||||||
type instanceof @std_bfloat16 or
|
|
||||||
type instanceof @std_float16 or
|
|
||||||
type instanceof @complex_std_float32 or
|
|
||||||
type instanceof @complex_float32x or
|
|
||||||
type instanceof @complex_std_float64 or
|
|
||||||
type instanceof @complex_float64x or
|
|
||||||
type instanceof @complex_std_float128
|
|
||||||
then kind_new = 2
|
|
||||||
else kind_new = kind
|
|
||||||
select type, name, kind_new, size, sign, alignment
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
description: Introduce new floating-point types from C23 and C++23
|
|
||||||
compatibility: backwards
|
|
||||||
builtintypes.rel: run builtintypes.qlo
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
class Function extends @function {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
from Function fun, string name, int kind, int kind_new
|
|
||||||
where
|
|
||||||
functions(fun, name, kind) and
|
|
||||||
if kind = 7 or kind = 8 then kind_new = 0 else kind_new = kind
|
|
||||||
select fun, name, kind_new
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
description: Support more function types
|
|
||||||
compatibility: full
|
|
||||||
functions.rel: run functions.qlo
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
description: Removed @assignpaddexpr and @assignpsubexpr from @assign_bitwise_expr
|
|
||||||
compatibility: full
|
|
||||||
@@ -1,6 +1,5 @@
|
|||||||
description: Support C++17 if and switch initializers
|
description: Support C++17 if and switch initializers
|
||||||
compatibility: partial
|
compatibility: partial
|
||||||
constexpr_if_initialization.rel: delete
|
|
||||||
if_initialization.rel: delete
|
if_initialization.rel: delete
|
||||||
switch_initialization.rel: delete
|
switch_initialization.rel: delete
|
||||||
exprparents.rel: run exprparents.qlo
|
exprparents.rel: run exprparents.qlo
|
||||||
|
|||||||
@@ -1,17 +0,0 @@
|
|||||||
class AttributeArg extends @attribute_arg {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class Attribute extends @attribute {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class Location extends @location_default {
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
from AttributeArg arg, int kind, int kind_new, Attribute attr, int index, Location location
|
|
||||||
where
|
|
||||||
attribute_args(arg, kind, attr, index, location) and
|
|
||||||
if arg instanceof @attribute_arg_expr then kind_new = 0 else kind_new = kind
|
|
||||||
select arg, kind_new, attr, index, location
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
description: Support expression attribute arguments
|
|
||||||
compatibility: partial
|
|
||||||
attribute_arg_expr.rel: delete
|
|
||||||
attribute_args.rel: run attribute_args.qlo
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
description: Introduce extractor version numbers
|
|
||||||
compatibility: breaking
|
|
||||||
extractor_version.rel: delete
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
description: Revert removal of uniqueness constraint on link_targets/2
|
|
||||||
compatibility: backwards
|
|
||||||
@@ -1,7 +1,7 @@
|
|||||||
load("@rules_pkg//:mappings.bzl", "pkg_files")
|
|
||||||
|
|
||||||
package(default_visibility = ["//cpp:__pkg__"])
|
package(default_visibility = ["//cpp:__pkg__"])
|
||||||
|
|
||||||
|
load("@rules_pkg//:mappings.bzl", "pkg_files")
|
||||||
|
|
||||||
pkg_files(
|
pkg_files(
|
||||||
name = "dbscheme",
|
name = "dbscheme",
|
||||||
srcs = ["semmlecode.cpp.dbscheme"],
|
srcs = ["semmlecode.cpp.dbscheme"],
|
||||||
|
|||||||
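Review bot: On the new side of this hunk the `load("@rules_pkg//:mappings.bzl", "pkg_files")` statement sits below the `package(default_visibility = ["//cpp:__pkg__"])` declaration, whereas Starlark style (and buildifier's `load-on-top` check) expects every `load` to come first in a BUILD file. Moving the `load` line back above `package(...)` keeps the file lint-clean without changing what is built. The rest of the `pkg_files` rule continues outside the hunk.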
@@ -1,129 +1,3 @@
|
|||||||
## 0.12.8
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.12.7
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Added destructors for named objects to the intermediate representation.
|
|
||||||
|
|
||||||
## 0.12.6
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.
|
|
||||||
|
|
||||||
## 0.12.5
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added the `PreprocBlock.qll` library to this repository. This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
|
|
||||||
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.
|
|
||||||
|
|
||||||
## 0.12.4
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Deleted many deprecated predicates and classes with uppercase `XML`, `SSA`, `SAL`, `SQL`, etc. in their names. Use the PascalCased versions instead.
|
|
||||||
* Deleted the deprecated `StrcatFunction` class, use `semmle.code.cpp.models.implementations.Strcat.qll` instead.
|
|
||||||
|
|
||||||
## 0.12.3
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
|
|
||||||
* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
|
|
||||||
* The deprecated `DefaultTaintTracking` library has been removed.
|
|
||||||
* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.
|
|
||||||
|
|
||||||
## 0.12.2
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.12.1
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
|
|
||||||
|
|
||||||
## 0.12.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
|
|
||||||
* Added models for `strlcpy` and `strlcat`.
|
|
||||||
* Added models for the `sprintf` variants from the `StrSafe.h` header.
|
|
||||||
* Added SQL API models for `ODBC`.
|
|
||||||
* Added taint models for `realloc` and related functions.
|
|
||||||
|
|
||||||
## 0.11.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added a new class `AdditionalCallTarget` for specifying additional call targets.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* More field accesses are identified as `ImplicitThisFieldAccess`.
|
|
||||||
* Added support for new floating-point types in C23 and C++23.
|
|
||||||
|
|
||||||
## 0.10.1
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
|
|
||||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
|
||||||
|
|
||||||
## 0.10.0
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
|
|
||||||
non-returning in the IR and dataflow.
|
|
||||||
* Treat functions that reach the end of the function as returning in the IR.
|
|
||||||
They used to be treated as unreachable but it is allowed in C.
|
|
||||||
* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
|
|
||||||
|
|
||||||
## 0.9.3
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.9.2
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
|
|
||||||
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
|
|
||||||
|
|
||||||
## 0.9.1
|
## 0.9.1
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -52,18 +52,17 @@ class Options extends string {
|
|||||||
/**
|
/**
|
||||||
* Holds if a call to this function will never return.
|
* Holds if a call to this function will never return.
|
||||||
*
|
*
|
||||||
* By default, this holds for `exit`, `_exit`, `_Exit`, `abort`,
|
* By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
|
||||||
* `__assert_fail`, `longjmp`, `__builtin_unreachable` and any
|
* `longjmp`, `__builtin_unreachable` and any function with a
|
||||||
* function with a `noreturn` or `__noreturn__` attribute or
|
* `noreturn` attribute or specifier.
|
||||||
* `noreturn` specifier.
|
|
||||||
*/
|
*/
|
||||||
predicate exits(Function f) {
|
predicate exits(Function f) {
|
||||||
f.getAnAttribute().hasName(["noreturn", "__noreturn__"])
|
f.getAnAttribute().hasName("noreturn")
|
||||||
or
|
or
|
||||||
f.getASpecifier().hasName("noreturn")
|
f.getASpecifier().hasName("noreturn")
|
||||||
or
|
or
|
||||||
f.hasGlobalOrStdName([
|
f.hasGlobalOrStdName([
|
||||||
"exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
|
"exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
|
||||||
])
|
])
|
||||||
or
|
or
|
||||||
CustomOptions::exits(f) // old Options.qll
|
CustomOptions::exits(f) // old Options.qll
|
||||||
|
|||||||
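Review bot: The new side of `exits` no longer matches the C99 `_Exit` function or the `__noreturn__` attribute spelling, so, going by the QLDoc above it, calls to `_Exit` and functions declared with `__attribute__((__noreturn__))` would presumably be treated as returning and the code after them kept reachable for control-flow and data-flow analysis. The attribute check should read `f.getAnAttribute().hasName(["noreturn", "__noreturn__"])` and `"_Exit"` belongs in the `hasGlobalOrStdName` list next to `"_exit"`, with the QLDoc listing both. The body of `exits` continues past the end of the hunk.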
@@ -3,7 +3,6 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
import semmle.files.FileSystem
|
import semmle.files.FileSystem
|
||||||
private import codeql.util.FileSystem
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the `File` matching the given source file name as encoded by the VS
|
* Returns the `File` matching the given source file name as encoded by the VS
|
||||||
@@ -11,5 +10,13 @@ private import codeql.util.FileSystem
|
|||||||
*/
|
*/
|
||||||
cached
|
cached
|
||||||
File getFileBySourceArchiveName(string name) {
|
File getFileBySourceArchiveName(string name) {
|
||||||
result = IdeContextual<File>::getFileBySourceArchiveName(name)
|
// The name provided for a file in the source archive by the VS Code extension
|
||||||
|
// has some differences from the absolute path in the database:
|
||||||
|
// 1. colons are replaced by underscores
|
||||||
|
// 2. there's a leading slash, even for Windows paths: "C:/foo/bar" ->
|
||||||
|
// "/C_/foo/bar"
|
||||||
|
// 3. double slashes in UNC prefixes are replaced with a single slash
|
||||||
|
// We can handle 2 and 3 together by unconditionally adding a leading slash
|
||||||
|
// before replacing double slashes.
|
||||||
|
name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
|
||||||
}
|
}
|
||||||
|
|||||||
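Review bot: The inline encoding in the last line of `getFileBySourceArchiveName` may not collapse the UNC prefix the comment says it handles: for an absolute path of the form `//server/share/x`, prepending `/` produces `///server/share/x`, and if `replaceAll` makes a single left-to-right pass the result is `//server/share/x`, which still carries a double slash. It would be worth pinning the intended behaviour for Windows drive paths and UNC paths with a test in the IDE-contextual query tests, or narrowing the comment to the cases the expression actually normalises. The QLDoc for this predicate starts above the hunk.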
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: feature
|
||||||
|
---
|
||||||
|
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: deprecated
|
||||||
|
---
|
||||||
|
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
|
||||||
4
cpp/ql/lib/change-notes/2023-08-29-delete-ir.md
Normal file
4
cpp/ql/lib/change-notes/2023-08-29-delete-ir.md
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
|
||||||
5
cpp/ql/lib/change-notes/2023-09-07-return-from-end.md
Normal file
5
cpp/ql/lib/change-notes/2023-09-07-return-from-end.md
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* Treat functions that reach the end of the function as returning in the IR.
|
||||||
|
They used to be treated as unreachable but it is allowed in C.
|
||||||
5
cpp/ql/lib/change-notes/2023-09-08-more-unreachble.md
Normal file
5
cpp/ql/lib/change-notes/2023-09-08-more-unreachble.md
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
|
||||||
|
non-returning in the IR and dataflow.
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
## 0.10.0
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
|
|
||||||
non-returning in the IR and dataflow.
|
|
||||||
* Treat functions that reach the end of the function as returning in the IR.
|
|
||||||
They used to be treated as unreachable but it is allowed in C.
|
|
||||||
* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
|
|
||||||
@@ -1,6 +0,0 @@
|
|||||||
## 0.10.1
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
|
|
||||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
## 0.11.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* Added a new class `AdditionalCallTarget` for specifying additional call targets.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* More field accesses are identified as `ImplicitThisFieldAccess`.
|
|
||||||
* Added support for new floating-point types in C23 and C++23.
|
|
||||||