copilot/co
...
bazookamus
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
e40a7124d4 | ||
|
|
7b5cceadf5 |
208
.github/workflows/go-version-update.yml
vendored
@@ -1,208 +0,0 @@
|
||||
name: Update Go version
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
- cron: "0 3 * * 1" # Run weekly on Mondays at 3 AM UTC (1 = Monday)
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
update-go-version:
|
||||
name: Check and update Go version
|
||||
if: github.repository == 'github/codeql'
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Set up Git
|
||||
run: |
|
||||
git config user.name "github-actions[bot]"
|
||||
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||
|
||||
- name: Fetch latest Go version
|
||||
id: fetch-version
|
||||
run: |
|
||||
LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
|
||||
|
||||
if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
|
||||
echo "Error: Failed to fetch latest Go version from go.dev"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
|
||||
echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
# Extract version numbers (e.g., go1.26.0 -> 1.26.0)
|
||||
LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
|
||||
echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
|
||||
|
||||
# Extract major.minor version (e.g., 1.26.0 -> 1.26)
|
||||
LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
|
||||
echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Check current Go version
|
||||
id: current-version
|
||||
run: |
|
||||
CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
|
||||
|
||||
if [ -z "$CURRENT_VERSION" ]; then
|
||||
echo "Error: Could not extract Go version from MODULE.bazel"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
|
||||
echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
# Extract major.minor version
|
||||
CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
|
||||
echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Compare versions
|
||||
id: compare
|
||||
run: |
|
||||
LATEST="${{ steps.fetch-version.outputs.version_num }}"
|
||||
CURRENT="${{ steps.current-version.outputs.version }}"
|
||||
|
||||
echo "Latest: $LATEST"
|
||||
echo "Current: $CURRENT"
|
||||
|
||||
if [ "$LATEST" = "$CURRENT" ]; then
|
||||
echo "Go version is up to date"
|
||||
echo "needs_update=false" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "Go version needs update from $CURRENT to $LATEST"
|
||||
echo "needs_update=true" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Update Go version in files
|
||||
if: steps.compare.outputs.needs_update == 'true'
|
||||
run: |
|
||||
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
|
||||
LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
|
||||
CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
|
||||
CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
|
||||
|
||||
echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
|
||||
|
||||
# Escape dots in current version strings for use in sed patterns
|
||||
CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
|
||||
CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
|
||||
|
||||
# Update MODULE.bazel
|
||||
sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
|
||||
if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
|
||||
echo "Error: Failed to update MODULE.bazel"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Update go/extractor/go.mod
|
||||
if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
|
||||
echo "Warning: Failed to update go directive in go.mod"
|
||||
fi
|
||||
if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
|
||||
echo "Warning: Failed to update toolchain in go.mod"
|
||||
fi
|
||||
|
||||
# Update go/extractor/autobuilder/build-environment.go
|
||||
if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
|
||||
echo "Warning: Failed to update build-environment.go"
|
||||
fi
|
||||
|
||||
# Update go/actions/test/action.yml
|
||||
if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
|
||||
echo "Warning: Failed to update action.yml"
|
||||
fi
|
||||
|
||||
# Show what changed
|
||||
git diff
|
||||
|
||||
- name: Check for changes
|
||||
id: check-changes
|
||||
if: steps.compare.outputs.needs_update == 'true'
|
||||
run: |
|
||||
if git diff --quiet; then
|
||||
echo "No changes detected"
|
||||
echo "has_changes=false" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "Changes detected"
|
||||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Check for existing PR
|
||||
if: steps.check-changes.outputs.has_changes == 'true'
|
||||
id: check-pr
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
BRANCH_NAME="workflow/go-version-update"
|
||||
PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
|
||||
|
||||
if [ -n "$PR_NUMBER" ]; then
|
||||
echo "Existing PR found: #$PR_NUMBER"
|
||||
echo "pr_exists=true" >> $GITHUB_OUTPUT
|
||||
echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "No existing PR found"
|
||||
echo "pr_exists=false" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Commit and push changes
|
||||
if: steps.check-changes.outputs.has_changes == 'true'
|
||||
run: |
|
||||
BRANCH_NAME="workflow/go-version-update"
|
||||
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
|
||||
LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
|
||||
|
||||
# Create or switch to branch
|
||||
git checkout -B "$BRANCH_NAME"
|
||||
|
||||
# Stage and commit changes
|
||||
git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
|
||||
git commit -m "Go: Update to $LATEST_VERSION_NUM"
|
||||
|
||||
# Push changes
|
||||
git push --force-with-lease origin "$BRANCH_NAME"
|
||||
|
||||
- name: Create or update PR
|
||||
if: steps.check-changes.outputs.has_changes == 'true'
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
BRANCH_NAME="workflow/go-version-update"
|
||||
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
|
||||
CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
|
||||
|
||||
PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
|
||||
|
||||
PR_BODY=$(cat <<EOF
|
||||
This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
|
||||
|
||||
Updated files:
|
||||
- \`MODULE.bazel\` - go_sdk.download version
|
||||
- \`go/extractor/go.mod\` - go directive and toolchain
|
||||
- \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
|
||||
- \`go/actions/test/action.yml\` - default go-test-version
|
||||
|
||||
This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
|
||||
EOF
|
||||
)
|
||||
|
||||
if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
|
||||
echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
|
||||
gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
|
||||
else
|
||||
echo "Creating new PR"
|
||||
gh pr create \
|
||||
--title "$PR_TITLE" \
|
||||
--body "$PR_BODY" \
|
||||
--base main \
|
||||
--head "$BRANCH_NAME" \
|
||||
--label "Go"
|
||||
fi
|
||||
@@ -273,7 +273,7 @@ use_repo(
|
||||
)
|
||||
|
||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||
go_sdk.download(version = "1.26.4")
|
||||
go_sdk.download(version = "1.26.0")
|
||||
|
||||
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 0.4.37
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
|
||||
|
||||
## 0.4.36
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 0.4.37
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.37
|
||||
lastReleaseVersion: 0.4.36
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.38-dev
|
||||
version: 0.4.37-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,22 +1,3 @@
|
||||
## 0.6.29
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
|
||||
* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
|
||||
|
||||
## 0.6.28
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
|
||||
@@ -1,18 +0,0 @@
|
||||
## 0.6.29
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
|
||||
* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.29
|
||||
lastReleaseVersion: 0.6.28
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.30-dev
|
||||
version: 0.6.29-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Models/CompositeActionsSinks.ql
|
||||
Models/CompositeActionsSinks.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Models/CompositeActionsSources.ql
|
||||
Models/CompositeActionsSources.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Models/CompositeActionsSummaries.ql
|
||||
Models/CompositeActionsSummaries.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Models/ReusableWorkflowsSinks.ql
|
||||
Models/ReusableWorkflowsSinks.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Models/ReusableWorkflowsSources.ql
|
||||
Models/ReusableWorkflowsSources.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Models/ReusableWorkflowsSummaries.ql
|
||||
Models/ReusableWorkflowsSummaries.ql
|
||||
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE-074/OutputClobberingHigh.ql
|
||||
experimental/Security/CWE-074/OutputClobberingHigh.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-077/EnvPathInjectionMedium.ql
|
||||
Security/CWE-077/EnvPathInjectionMedium.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-077/EnvVarInjectionMedium.ql
|
||||
Security/CWE-077/EnvVarInjectionMedium.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE-078/CommandInjectionCritical.ql
|
||||
experimental/Security/CWE-078/CommandInjectionCritical.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE-078/CommandInjectionMedium.ql
|
||||
experimental/Security/CWE-078/CommandInjectionMedium.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql
|
||||
experimental/Security/CWE-088/ArgumentInjectionCritical.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql
|
||||
experimental/Security/CWE-088/ArgumentInjectionMedium.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-094/CodeInjectionCritical.ql
|
||||
Security/CWE-094/CodeInjectionCritical.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-094/CodeInjectionMedium.ql
|
||||
Security/CWE-094/CodeInjectionMedium.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
||||
Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: experimental/Security/CWE-200/SecretExfiltration.ql
|
||||
experimental/Security/CWE-200/SecretExfiltration.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-275/MissingActionsPermissions.ql
|
||||
Security/CWE-275/MissingActionsPermissions.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
|
||||
experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-285/ImproperAccessControl.ql
|
||||
Security/CWE-285/ImproperAccessControl.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-312/ExcessiveSecretsExposure.ql
|
||||
Security/CWE-312/ExcessiveSecretsExposure.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-312/SecretsInArtifacts.ql
|
||||
Security/CWE-312/SecretsInArtifacts.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-312/UnmaskedSecretExposure.ql
|
||||
Security/CWE-312/UnmaskedSecretExposure.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
||||
Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-349/CachePoisoningViaDirectCache.ql
|
||||
Security/CWE-349/CachePoisoningViaDirectCache.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
||||
Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
||||
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
||||
Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
||||
Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
|
||||
Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
|
||||
Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-829/ArtifactPoisoningCritical.ql
|
||||
Security/CWE-829/ArtifactPoisoningCritical.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: Security/CWE-829/ArtifactPoisoningMedium.ql
|
||||
Security/CWE-829/ArtifactPoisoningMedium.ql
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
query: experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
|
||||
experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
|
||||
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-829/UnpinnedActionsTag.ql
|
||||
Security/CWE-829/UnpinnedActionsTag.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-829/UntrustedCheckoutCritical.ql
|
||||
Security/CWE-829/UntrustedCheckoutCritical.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-829/UntrustedCheckoutHigh.ql
|
||||
Security/CWE-829/UntrustedCheckoutHigh.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Security/CWE-829/UntrustedCheckoutMedium.ql
|
||||
Security/CWE-829/UntrustedCheckoutMedium.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE-829/UnversionedImmutableAction.ql
|
||||
experimental/Security/CWE-829/UnversionedImmutableAction.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE-918/RequestForgery.ql
|
||||
experimental/Security/CWE-918/RequestForgery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Debug/SyntaxError.ql
|
||||
Debug/SyntaxError.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
|
||||
Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
|
||||
@@ -11,6 +11,10 @@
|
||||
"java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
|
||||
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
|
||||
],
|
||||
"Bound Java/C#": [
|
||||
"java/ql/lib/semmle/code/java/dataflow/Bound.qll",
|
||||
"csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
|
||||
],
|
||||
"ModulusAnalysis Java/C#": [
|
||||
"java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
|
||||
"csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
|
||||
|
||||
@@ -1,19 +1,3 @@
|
||||
## 10.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
|
||||
* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added flow source models for `scanf_s` and related functions.
|
||||
* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.
|
||||
|
||||
## 10.1.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
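--- /dev/null
+++ b/cpp/ql/lib/change-notes/2026-05-15-secure-scanf.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added flow source models for `scanf_s` and related functions.
+* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.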
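--- /dev/null
+++ b/cpp/ql/lib/change-notes/2026-05-16-alias-template.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.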
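--- /dev/null
+++ b/cpp/ql/lib/change-notes/2026-05-18-alias-type.md
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.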
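--- /dev/null
+++ b/cpp/ql/lib/change-notes/2026-05-21-generated-from.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.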
@@ -1,15 +0,0 @@
|
||||
## 10.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
|
||||
* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added flow source models for `scanf_s` and related functions.
|
||||
* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 10.2.0
|
||||
lastReleaseVersion: 10.1.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 10.2.1-dev
|
||||
version: 10.1.2-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -276,45 +276,6 @@ private predicate isClassConstructedFrom(Class c, Class templateClass) {
|
||||
not c.isConstructedFrom(_) and c = templateClass
|
||||
}
|
||||
|
||||
/** Gets the fully templated version of `c`. */
|
||||
private Class getFullyTemplatedClassOld(Class c) {
|
||||
not c.isFromUninstantiatedTemplate(_) and
|
||||
isClassConstructedFrom(c, result)
|
||||
}
|
||||
|
||||
private TemplateClass getOriginalClassTemplate(TemplateClass tc) {
|
||||
result = tc.getOriginalTemplate()
|
||||
or
|
||||
not exists(tc.getOriginalTemplate()) and
|
||||
result = tc
|
||||
}
|
||||
|
||||
/** Gets the fully templated version of `c`. */
|
||||
private Class getFullyTemplatedClassNew(Class c) {
|
||||
not c.isFromUninstantiatedTemplate(_) and
|
||||
exists(Class mid |
|
||||
c.isConstructedFrom(mid)
|
||||
or
|
||||
not c.isConstructedFrom(_) and c = mid
|
||||
|
|
||||
result = getOriginalClassTemplate(mid)
|
||||
or
|
||||
not mid instanceof TemplateClass and mid = result
|
||||
)
|
||||
}
|
||||
|
||||
/** Gets the fully templated version of `c`. */
|
||||
private Class getFullyTemplatedClass(Class c) {
|
||||
// The `Class::getOriginalTemplate` predicate was introduced in CodeQL
|
||||
// version 2.25.6 and the upgrade script leaves the
|
||||
// `class_template_generated_from` extensionals empty if the database
|
||||
// was generated with an older extractor. So we use the old implementation
|
||||
// if the `class_template_generated_from` extensional is empty.
|
||||
if class_template_generated_from(_, _)
|
||||
then result = getFullyTemplatedClassNew(c)
|
||||
else result = getFullyTemplatedClassOld(c)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `f` is an instantiation of a function template `templateFunc`, or
|
||||
* holds with `f = templateFunc` if `f` is not an instantiation of any function
|
||||
@@ -331,7 +292,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
|
||||
}
|
||||
|
||||
/** Gets the fully templated version of `f`. */
|
||||
private Function getFullyTemplatedFunctionOld(Function f) {
|
||||
Function getFullyTemplatedFunction(Function f) {
|
||||
not f.isFromUninstantiatedTemplate(_) and
|
||||
(
|
||||
exists(Class c, Class templateClass, int i |
|
||||
@@ -345,46 +306,13 @@ private Function getFullyTemplatedFunctionOld(Function f) {
|
||||
)
|
||||
}
|
||||
|
||||
private TemplateFunction getOriginalFunctionTemplate(TemplateFunction tf) {
|
||||
result = tf.getOriginalTemplate()
|
||||
or
|
||||
not exists(tf.getOriginalTemplate()) and
|
||||
result = tf
|
||||
}
|
||||
|
||||
/** Gets the fully templated version of `f`. */
|
||||
private Function getFullyTemplatedFunctionNew(Function f) {
|
||||
not f.isFromUninstantiatedTemplate(_) and
|
||||
exists(Function mid |
|
||||
f.isConstructedFrom(mid)
|
||||
or
|
||||
not f.isConstructedFrom(_) and f = mid
|
||||
|
|
||||
result = getOriginalFunctionTemplate(mid)
|
||||
or
|
||||
not mid instanceof TemplateFunction and mid = result
|
||||
)
|
||||
}
|
||||
|
||||
/** Gets the fully templated version of `f`. */
|
||||
Function getFullyTemplatedFunction(Function f) {
|
||||
// The `Function::getOriginalTemplate` predicate was introduced in CodeQL
|
||||
// version 2.25.6 and the upgrade script leaves the
|
||||
// `function_template_generated_from` extensionals empty if the database
|
||||
// was generated with an older extractor. So we use the old implementation
|
||||
// if the `function_template_generated_from` extensional is empty.
|
||||
if function_template_generated_from(_, _)
|
||||
then result = getFullyTemplatedFunctionNew(f)
|
||||
else result = getFullyTemplatedFunctionOld(f)
|
||||
}
|
||||
|
||||
/** Prefixes `const` to `s` if `t` is const, or returns `s` otherwise. */
|
||||
bindingset[s, t]
|
||||
private string withConst(string s, Type t) {
|
||||
if t.isConst() then result = "const " + s else result = s
|
||||
}
|
||||
|
||||
/** Prefixes `volatile` to `s` if `t` is volatile, or returns `s` otherwise. */
|
||||
/** Prefixes `volatile` to `s` if `t` is const, or returns `s` otherwise. */
|
||||
bindingset[s, t]
|
||||
private string withVolatile(string s, Type t) {
|
||||
if t.isVolatile() then result = "volatile " + s else result = s
|
||||
@@ -562,7 +490,7 @@ pragma[nomagic]
|
||||
private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
|
||||
// If there is a declaring type then we start by expanding the function templates
|
||||
exists(Class template |
|
||||
template = getFullyTemplatedClass(f.getDeclaringType()) and
|
||||
isClassConstructedFrom(f.getDeclaringType(), template) and
|
||||
remaining = getNumberOfSupportedClassTemplateArguments(template) and
|
||||
result = getTypeNameWithoutFunctionTemplates(f, n, 0)
|
||||
)
|
||||
@@ -574,7 +502,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
|
||||
or
|
||||
exists(string mid, TypeTemplateParameter tp, Class template |
|
||||
mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
|
||||
template = getFullyTemplatedClass(f.getDeclaringType()) and
|
||||
isClassConstructedFrom(f.getDeclaringType(), template) and
|
||||
tp = getSupportedClassTemplateArgument(template, remaining)
|
||||
|
|
||||
result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())
|
||||
|
||||
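Review bot: The doc comment retained above `withVolatile` in hunk `@@ -345,46 +306,13 @@` reads "if `t` is const" while the predicate body tests `t.isVolatile()`; the comment should say "volatile" rather than "const" so it matches the code it documents. Separately, hunk `@@ -276,45 +276,6 @@` removes `getFullyTemplatedClass` together with the `not c.isFromUninstantiatedTemplate(_)` filter it applied before calling `isClassConstructedFrom`, while hunks `@@ -562,7 +490,7 @@` and `@@ -574,7 +502,7 @@` appear to replace that call with a bare `isClassConstructedFrom(f.getDeclaringType(), template)`. If that reading of the old and new sides is right, a declaring class that comes from an uninstantiated template is no longer excluded at those call sites, since the visible disjunct `not c.isConstructedFrom(_) and c = templateClass` would accept it; either re-add the filter there or add a comment explaining why it is unnecessary. The definition of `isClassConstructedFrom` starts before the first hunk, so this cannot be confirmed from the page.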
@@ -1,7 +1,3 @@
|
||||
## 1.6.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.6.4
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.6.4
|
||||
lastReleaseVersion: 1.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.6.5-dev
|
||||
version: 1.6.4-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: jsf/4.13 Functions/AV Rule 107.ql
|
||||
jsf/4.13 Functions/AV Rule 107.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
|
||||
Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: semmle/code/cpp/PrintAST.ql
|
||||
semmle/code/cpp/PrintAST.ql
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
|
||||
experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
|
||||
experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-078/WordexpTainted.ql
|
||||
experimental/Security/CWE/CWE-078/WordexpTainted.ql
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
|
||||
experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
|
||||
experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
|
||||
experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
|
||||
experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
|
||||
experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
|
||||
experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
|
||||
experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Likely Bugs/ArrayAccessProductFlow.ql
|
||||
experimental/Likely Bugs/ArrayAccessProductFlow.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
|
||||
experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
|
||||
experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
|
||||
experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-285/PamAuthorization.ql
|
||||
experimental/Security/CWE/CWE-285/PamAuthorization.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-295/CurlSSL.ql
|
||||
experimental/Security/CWE/CWE-295/CurlSSL.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
|
||||
experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
|
||||
experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
|
||||
experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
|
||||
experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-409/DecompressionBombs.ql
|
||||
experimental/Security/CWE/CWE-409/DecompressionBombs.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
query: experimental/Security/CWE/CWE-415/DoubleFree.ql
|
||||
experimental/Security/CWE/CWE-415/DoubleFree.ql
|
||||
|
||||