| Author | SHA1 | Date | |
|---|---|---|---|
|
|
367cea64c0 | ||
|
|
cd56fa89f6 | ||
|
|
310c41ed3d | ||
|
|
f817bd4924 | ||
|
|
03c3b3f4c4 | ||
|
|
019ec0caf7 | ||
|
|
6787beb8e7 | ||
|
|
9f70f718e3 | ||
|
|
a73f7cb79d | ||
|
|
abf374433b | ||
|
|
34b5dcfd5f | ||
|
|
c861d99802 | ||
|
|
2764580cdf | ||
|
|
fb2d53e72a | ||
|
|
f5131f9bc6 | ||
|
|
29b07d5d07 | ||
|
|
14bdb62cf8 | ||
|
|
3073c1c94c | ||
|
|
bc28e1726c | ||
|
|
7bfdfbefa9 | ||
|
|
0235df8758 | ||
|
|
abec00cd34 | ||
|
|
9f4fd7fab0 | ||
|
|
5342cc79fb | ||
|
|
426962e348 | ||
|
|
33e9c02079 | ||
|
|
553ed103c3 | ||
|
|
d2d594a8ff | ||
|
|
f6135b70ea | ||
|
|
ee34e3353d | ||
|
|
f95ee129df | ||
|
|
d24fb29ff4 | ||
|
|
97d8993fc5 | ||
|
|
7d1c62daa6 | ||
|
|
597d81038a | ||
|
|
069431941e | ||
|
|
609621f638 | ||
|
|
ae2226345e | ||
|
|
6e0bee7471 | ||
|
|
cb1fd76a4c | ||
|
|
467933bbb1 | ||
|
|
43c9b95e6f | ||
|
|
878cfd720c | ||
|
|
666c8bf87a | ||
|
|
07b02942db | ||
|
|
9ef088d423 | ||
|
|
c748fdf8ee | ||
|
|
b749ad645a | ||
|
|
12868e5140 | ||
|
|
fe7e8480b2 | ||
|
|
e0952948ba | ||
|
|
7458674470 | ||
|
|
3483050526 | ||
|
|
0e66555e37 | ||
|
|
0724c22f28 | ||
|
|
d69be77035 | ||
|
|
0db62b2e68 | ||
|
|
26715fc95c | ||
|
|
b19f2c6874 | ||
|
|
19c4b2ff8f | ||
|
|
d3e580fd0e | ||
|
|
2eeb31b472 | ||
|
|
40eff6525d | ||
|
|
86020d9eed | ||
|
|
6b7d47ee7d | ||
|
|
1ddfed6b6b | ||
|
|
fe94828fe4 | ||
|
|
2c79f9d828 | ||
|
|
ad4018f399 | ||
|
|
27f7f747a4 | ||
|
|
be329c8ab4 | ||
|
|
0714ca816a | ||
|
|
42fe2d5002 | ||
|
|
43f48001e3 | ||
|
|
4ada727bab | ||
|
|
23f081006e | ||
|
|
3fa5c952b3 | ||
|
|
85c42ae932 | ||
|
|
94fb011b90 | ||
|
|
21937c2415 | ||
|
|
7879d0a006 | ||
|
|
34b626e8bb | ||
|
|
d09e2f66cd | ||
|
|
7bf78de167 | ||
|
|
f7de0abe60 | ||
|
|
5eb8db0d48 | ||
|
|
6b2494c3e5 | ||
|
|
d473c7143d | ||
|
|
fd83515843 | ||
|
|
2fbfcb970e | ||
|
|
b21dba6131 | ||
|
|
242090e0ac | ||
|
|
868ccfbb04 | ||
|
|
4fe2f6d2b4 | ||
|
|
cc89b6ea91 | ||
|
|
70b72f70e1 | ||
|
|
37aac05964 | ||
|
|
a7fdc4b543 | ||
|
|
b3285c6ae2 | ||
|
|
5451424e75 | ||
|
|
886a16bfad | ||
|
|
e680d49c93 | ||
|
|
df842665b7 | ||
|
|
805d2ec46c | ||
|
|
61b13d5702 | ||
|
|
10fddc7b96 | ||
|
|
e0bc18c228 | ||
|
|
e807545591 | ||
|
|
55d16e8781 |
@@ -1,3 +1,13 @@
|
||||
## 0.4.34
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
|
||||
|
||||
## 0.4.33
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.32
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
actions/ql/lib/change-notes/released/0.4.33.md
Normal file
3
actions/ql/lib/change-notes/released/0.4.33.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.4.33
|
||||
|
||||
No user-facing changes.
|
||||
5
actions/ql/lib/change-notes/released/0.4.34.md
Normal file
5
actions/ql/lib/change-notes/released/0.4.34.md
Normal file
@@ -0,0 +1,5 @@
|
||||
## 0.4.34
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.32
|
||||
lastReleaseVersion: 0.4.34
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: actionsSinkModel
|
||||
data:
|
||||
- ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
|
||||
@@ -1,6 +0,0 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: actionsSinkModel
|
||||
data:
|
||||
- ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.33-dev
|
||||
version: 0.4.34
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,3 +1,17 @@
|
||||
## 0.6.26
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
|
||||
|
||||
## 0.6.25
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.6.24
|
||||
|
||||
No user-facing changes.
|
||||
@@ -159,7 +173,7 @@ No user-facing changes.
|
||||
* `actions/if-expression-always-true/critical`
|
||||
* `actions/if-expression-always-true/high`
|
||||
* `actions/unnecessary-use-of-advanced-config`
|
||||
|
||||
|
||||
* The following query has been moved from the `code-scanning` suite to the `security-extended`
|
||||
suite. Any existing alerts for this query will be closed automatically unless the analysis is
|
||||
configured to use the `security-extended` suite.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also clarify the wording to make it clear that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Also change the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
|
||||
3
actions/ql/src/change-notes/released/0.6.25.md
Normal file
3
actions/ql/src/change-notes/released/0.6.25.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.6.25
|
||||
|
||||
No user-facing changes.
|
||||
9
actions/ql/src/change-notes/released/0.6.26.md
Normal file
9
actions/ql/src/change-notes/released/0.6.26.md
Normal file
@@ -0,0 +1,9 @@
|
||||
## 0.6.26
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.24
|
||||
lastReleaseVersion: 0.6.26
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.25-dev
|
||||
version: 0.6.26
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -43,6 +43,7 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
|
||||
|
||||
@@ -1,3 +1,34 @@
|
||||
## 10.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
|
||||
* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
|
||||
|
||||
## 9.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
|
||||
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
|
||||
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
|
||||
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
|
||||
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
|
||||
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
|
||||
* Added dataflow through members initialized via non-static data member initialization (NSDMI).
|
||||
|
||||
## 8.0.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
|
||||
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
|
||||
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added dataflow through members initialized via non-static data member initialization (NSDMI).
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
|
||||
10
cpp/ql/lib/change-notes/released/10.0.0.md
Normal file
10
cpp/ql/lib/change-notes/released/10.0.0.md
Normal file
@@ -0,0 +1,10 @@
|
||||
## 10.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
|
||||
* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
|
||||
19
cpp/ql/lib/change-notes/released/9.0.0.md
Normal file
19
cpp/ql/lib/change-notes/released/9.0.0.md
Normal file
@@ -0,0 +1,19 @@
|
||||
## 9.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
|
||||
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
|
||||
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
|
||||
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
|
||||
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
|
||||
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
|
||||
* Added dataflow through members initialized via non-static data member initialization (NSDMI).
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 8.0.3
|
||||
lastReleaseVersion: 10.0.0
|
||||
|
||||
@@ -12,4 +12,7 @@ extensions:
|
||||
- ["", "", False, "_malloca", "0", "", "", False]
|
||||
- ["", "", False, "calloc", "1", "0", "", True]
|
||||
- ["std", "", False, "calloc", "1", "0", "", True]
|
||||
- ["bsl", "", False, "calloc", "1", "0", "", True]
|
||||
- ["bsl", "", False, "calloc", "1", "0", "", True]
|
||||
- ["", "", False, "aligned_alloc", "1", "", "", True]
|
||||
- ["std", "", False, "aligned_alloc", "1", "", "", True]
|
||||
- ["bsl", "", False, "aligned_alloc", "1", "", "", True]
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 8.0.4-dev
|
||||
version: 10.0.0
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -459,6 +459,13 @@ class FormatLiteral extends Literal instanceof StringLiteral {
|
||||
*/
|
||||
int getConvSpecOffset(int n) { result = this.getFormat().indexOf("%", n, 0) }
|
||||
|
||||
/**
|
||||
* Gets the nth conversion specifier string.
|
||||
*/
|
||||
private string getConvSpecString(int n) {
|
||||
n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
|
||||
}
|
||||
|
||||
/*
|
||||
* Each of these predicates gets a regular expressions to match each individual
|
||||
* parts of a conversion specifier.
|
||||
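Review bot: The new `getConvSpecString` predicate cuts each candidate specifier off at the next `%`, so for an escaped `%%` the nth string is a bare `%` with no conversion character, whereas the old `rst` substring ran to the end of the format and so still carried the second `%`; whether `getConvSpecRegexp()` (defined outside the hunk) matches that bare `%` decides if `%%` is now silently dropped or mis-parsed at index n by the rewritten `parseConvSpec` and `getConvSpec` hunks below. Since this parser feeds `cpp/wrong-type-format-argument`, which the same release promotes to `high` precision, a unit test with a format such as `"%%d"` pinning the expected row of `parseConvSpec` would make the intended behaviour explicit. The same substitution is made in the `ScanfFormatLiteral` hunks further down (`getConvSpecString` and `parseConvSpec`), so the same check applies there. The docstring should state the contract, e.g. `Gets the nth conversion specifier string, i.e. the nth '%' together with everything up to (but not including) the next '%'; a '%%' escape counts as an entry.` The enclosing `FormatLiteral` class starts and ends outside the hunk.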
@@ -524,22 +531,20 @@ class FormatLiteral extends Literal instanceof StringLiteral {
|
||||
int n, string spec, string params, string flags, string width, string prec, string len,
|
||||
string conv
|
||||
) {
|
||||
exists(int offset, string fmt, string rst, string regexp |
|
||||
offset = this.getConvSpecOffset(n) and
|
||||
fmt = this.getFormat() and
|
||||
rst = fmt.substring(offset, fmt.length()) and
|
||||
exists(string convSpec, string regexp |
|
||||
convSpec = this.getConvSpecString(n) and
|
||||
regexp = this.getConvSpecRegexp() and
|
||||
(
|
||||
spec = rst.regexpCapture(regexp, 1) and
|
||||
params = rst.regexpCapture(regexp, 2) and
|
||||
flags = rst.regexpCapture(regexp, 3) and
|
||||
width = rst.regexpCapture(regexp, 4) and
|
||||
prec = rst.regexpCapture(regexp, 5) and
|
||||
len = rst.regexpCapture(regexp, 6) and
|
||||
conv = rst.regexpCapture(regexp, 7)
|
||||
spec = convSpec.regexpCapture(regexp, 1) and
|
||||
params = convSpec.regexpCapture(regexp, 2) and
|
||||
flags = convSpec.regexpCapture(regexp, 3) and
|
||||
width = convSpec.regexpCapture(regexp, 4) and
|
||||
prec = convSpec.regexpCapture(regexp, 5) and
|
||||
len = convSpec.regexpCapture(regexp, 6) and
|
||||
conv = convSpec.regexpCapture(regexp, 7)
|
||||
or
|
||||
spec = rst.regexpCapture(regexp, 1) and
|
||||
not exists(rst.regexpCapture(regexp, 2)) and
|
||||
spec = convSpec.regexpCapture(regexp, 1) and
|
||||
not exists(convSpec.regexpCapture(regexp, 2)) and
|
||||
params = "" and
|
||||
flags = "" and
|
||||
width = "" and
|
||||
@@ -554,12 +559,10 @@ class FormatLiteral extends Literal instanceof StringLiteral {
|
||||
* Gets the nth conversion specifier (including the initial `%`).
|
||||
*/
|
||||
string getConvSpec(int n) {
|
||||
exists(int offset, string fmt, string rst, string regexp |
|
||||
offset = this.getConvSpecOffset(n) and
|
||||
fmt = this.getFormat() and
|
||||
rst = fmt.substring(offset, fmt.length()) and
|
||||
exists(string convSpec, string regexp |
|
||||
convSpec = this.getConvSpecString(n) and
|
||||
regexp = this.getConvSpecRegexp() and
|
||||
result = rst.regexpCapture(regexp, 1)
|
||||
result = convSpec.regexpCapture(regexp, 1)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -194,6 +194,13 @@ class ScanfFormatLiteral extends Expr {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the nth conversion specifier string.
|
||||
*/
|
||||
private string getConvSpecString(int n) {
|
||||
n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the regular expression to match each individual part of a conversion specifier.
|
||||
*/
|
||||
@@ -227,16 +234,14 @@ class ScanfFormatLiteral extends Expr {
|
||||
* specifier.
|
||||
*/
|
||||
predicate parseConvSpec(int n, string spec, string width, string len, string conv) {
|
||||
exists(int offset, string fmt, string rst, string regexp |
|
||||
offset = this.getConvSpecOffset(n) and
|
||||
fmt = this.getFormat() and
|
||||
rst = fmt.substring(offset, fmt.length()) and
|
||||
exists(string convSpec, string regexp |
|
||||
convSpec = this.getConvSpecString(n) and
|
||||
regexp = this.getConvSpecRegexp() and
|
||||
(
|
||||
spec = rst.regexpCapture(regexp, 1) and
|
||||
width = rst.regexpCapture(regexp, 2) and
|
||||
len = rst.regexpCapture(regexp, 3) and
|
||||
conv = rst.regexpCapture(regexp, 4)
|
||||
spec = convSpec.regexpCapture(regexp, 1) and
|
||||
width = convSpec.regexpCapture(regexp, 2) and
|
||||
len = convSpec.regexpCapture(regexp, 3) and
|
||||
conv = convSpec.regexpCapture(regexp, 4)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -6,11 +6,15 @@
|
||||
*
|
||||
* The extensible relations have the following columns:
|
||||
* - Sources:
|
||||
* `namespace; type; subtypes; name; signature; ext; output; kind`
|
||||
* `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
|
||||
* - Sinks:
|
||||
* `namespace; type; subtypes; name; signature; ext; input; kind`
|
||||
* `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
|
||||
* - Summaries:
|
||||
* `namespace; type; subtypes; name; signature; ext; input; output; kind`
|
||||
* `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
|
||||
* - Barriers:
|
||||
* `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
|
||||
* - BarrierGuards:
|
||||
* `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
|
||||
*
|
||||
* The interpretation of a row is similar to API-graphs with a left-to-right
|
||||
* reading.
|
||||
@@ -87,11 +91,23 @@
|
||||
* value, and
|
||||
* - flow from the _second_ indirection of the 0th argument to the first
|
||||
* indirection of the return value, etc.
|
||||
* 8. The `kind` column is a tag that can be referenced from QL to determine to
|
||||
* 8. The `acceptingValue` column of barrier guard models specifies the condition
|
||||
* under which the guard blocks flow. It can be one of "true" or "false". In
|
||||
* the future "no-exception", "not-zero", "null", "not-null" may be supported.
|
||||
* 9. The `kind` column is a tag that can be referenced from QL to determine to
|
||||
* which classes the interpreted elements should be added. For example, for
|
||||
* sources "remote" indicates a default remote flow source, and for summaries
|
||||
* "taint" indicates a default additional taint step and "value" indicates a
|
||||
* globally applicable value-preserving step.
|
||||
* 10. The `provenance` column is a tag to indicate the origin and verification of a model.
|
||||
* The format is {origin}-{verification} or just "manual" where the origin describes
|
||||
* the origin of the model and verification describes how the model has been verified.
|
||||
* Some examples are:
|
||||
* - "df-generated": The model has been generated by the model generator tool.
|
||||
* - "df-manual": The model has been generated by the model generator and verified by a human.
|
||||
* - "manual": The model has been written by hand.
|
||||
* This information is used in a heuristic for dataflow analysis to determine, if a
|
||||
* model or source code should be used for determining flow.
|
||||
*/
|
||||
|
||||
import cpp
|
||||
@@ -931,13 +947,13 @@ private module Cached {
|
||||
|
||||
private predicate barrierGuardChecks(IRGuardCondition g, Expr e, boolean gv, TKindModelPair kmp) {
|
||||
exists(
|
||||
SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingvalue,
|
||||
SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingValue,
|
||||
string kind, string model
|
||||
|
|
||||
isBarrierGuardNode(n, acceptingvalue, kind, model) and
|
||||
isBarrierGuardNode(n, acceptingValue, kind, model) and
|
||||
n.asNode().asExpr() = e and
|
||||
kmp = TMkPair(kind, model) and
|
||||
gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
|
||||
gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
|
||||
n.asNode().(Private::ArgumentNode).getCall().asCallInstruction() = g
|
||||
)
|
||||
}
|
||||
@@ -954,14 +970,14 @@ private module Cached {
|
||||
) {
|
||||
exists(
|
||||
SourceSinkInterpretationInput::InterpretNode interpretNode,
|
||||
Public::AcceptingValue acceptingvalue, string kind, string model, int indirectionIndex,
|
||||
Public::AcceptingValue acceptingValue, string kind, string model, int indirectionIndex,
|
||||
Private::ArgumentNode arg
|
||||
|
|
||||
isBarrierGuardNode(interpretNode, acceptingvalue, kind, model) and
|
||||
isBarrierGuardNode(interpretNode, acceptingValue, kind, model) and
|
||||
arg = interpretNode.asNode() and
|
||||
arg.asIndirectExpr(indirectionIndex) = e and
|
||||
kmp = MkKindModelPairIntPair(TMkPair(kind, model), indirectionIndex) and
|
||||
gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
|
||||
gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
|
||||
arg.getCall().asCallInstruction() = g
|
||||
)
|
||||
}
|
||||
|
||||
@@ -33,7 +33,7 @@ extensible predicate barrierModel(
|
||||
*/
|
||||
extensible predicate barrierGuardModel(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
|
||||
string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
|
||||
);
|
||||
|
||||
/**
|
||||
|
||||
@@ -162,13 +162,13 @@ module SourceSinkInterpretationInput implements
|
||||
}
|
||||
|
||||
predicate barrierGuardElement(
|
||||
Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
|
||||
Element e, string input, Public::AcceptingValue acceptingValue, string kind,
|
||||
Public::Provenance provenance, string model
|
||||
) {
|
||||
exists(
|
||||
string package, string type, boolean subtypes, string name, string signature, string ext
|
||||
|
|
||||
barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingvalue, kind,
|
||||
barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingValue, kind,
|
||||
provenance, model) and
|
||||
e = interpretElement(package, type, subtypes, name, signature, ext)
|
||||
)
|
||||
|
||||
@@ -11,10 +11,3 @@ import semmle.code.cpp.models.Models
|
||||
* The function may still raise a structured exception handling (SEH) exception.
|
||||
*/
|
||||
abstract class NonCppThrowingFunction extends Function { }
|
||||
|
||||
/**
|
||||
* A function that is guaranteed to never throw.
|
||||
*
|
||||
* DEPRECATED: use `NonCppThrowingFunction` instead.
|
||||
*/
|
||||
deprecated class NonThrowingFunction = NonCppThrowingFunction;
|
||||
|
||||
@@ -10,19 +10,6 @@ import semmle.code.cpp.Function
|
||||
import semmle.code.cpp.models.Models
|
||||
import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
|
||||
|
||||
/**
|
||||
* A function that is known to raise an exception.
|
||||
*
|
||||
* DEPRECATED: use `AlwaysSehThrowingFunction` instead.
|
||||
*/
|
||||
abstract deprecated class ThrowingFunction extends Function {
|
||||
/**
|
||||
* Holds if this function may throw an exception during evaluation.
|
||||
* If `unconditional` is `true` the function always throws an exception.
|
||||
*/
|
||||
abstract predicate mayThrowException(boolean unconditional);
|
||||
}
|
||||
|
||||
/**
|
||||
* A function that unconditionally raises a structured exception handling (SEH) exception.
|
||||
*/
|
||||
|
||||
@@ -1,3 +1,28 @@
|
||||
## 1.6.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added `AllocationFunction` models for `aligned_alloc`, `std::aligned_alloc`, and `bsl::aligned_alloc`.
|
||||
* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build-mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
|
||||
|
||||
## 1.6.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
|
||||
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
|
||||
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
|
||||
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
|
||||
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
|
||||
|
||||
## 1.5.15
|
||||
|
||||
No user-facing changes.
|
||||
@@ -341,7 +366,7 @@ No user-facing changes.
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
|
||||
* Added dataflow models for the `gettext` function variants.
|
||||
* Added dataflow models for the `gettext` function variants.
|
||||
|
||||
## 0.9.4
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ function may behave unpredictably.</p>
|
||||
<p>This may indicate a misspelled function name, or that the required header containing
|
||||
the function declaration has not been included.</p>
|
||||
|
||||
<p>Note: This query is not compatible with <code>build mode: none</code> databases, and produces
|
||||
<p>Note: This query is not compatible with <code>build-mode: none</code> databases, and produces
|
||||
no results on those databases.</p>
|
||||
|
||||
</overview>
|
||||
|
||||
@@ -18,7 +18,7 @@ import TooManyArguments
|
||||
import semmle.code.cpp.commons.Exclusions
|
||||
|
||||
/*
|
||||
* This query is not compatible with build mode: none databases, and produces
|
||||
* This query is not compatible with build-mode: none databases, and produces
|
||||
* no results on those databases.
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.8
|
||||
* @precision medium
|
||||
* @precision high
|
||||
* @id cpp/suspicious-add-sizeof
|
||||
* @tags security
|
||||
* external/cwe/cwe-468
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query no longer produces results on `build mode: none` databases. These results were found to be very noisy and fundamentally imprecise in this mode.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
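--- /dev/null
+++ b/cpp/ql/src/change-notes/released/1.6.0.md
@@ -0,0 +1,13 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Minor Analysis Improvements
+
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.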
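--- /dev/null
+++ b/cpp/ql/src/change-notes/released/1.6.1.md
@@ -0,0 +1,10 @@
+## 1.6.1
+
+### Minor Analysis Improvements
+
+* Added `AllocationFunction` models for `aligned_alloc`, `std::aligned_alloc`, and `bsl::aligned_alloc`.
+* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build-mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.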
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.5.15
|
||||
lastReleaseVersion: 1.6.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.5.16-dev
|
||||
version: 1.6.1
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 1.7.65
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.64
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.63
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.64
|
||||
|
||||
No user-facing changes.
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.65
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.63
|
||||
lastReleaseVersion: 1.7.65
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.64-dev
|
||||
version: 1.7.65
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 1.7.65
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.64
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.63
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.64
|
||||
|
||||
No user-facing changes.
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.65
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.63
|
||||
lastReleaseVersion: 1.7.65
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.64-dev
|
||||
version: 1.7.65
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -9,5 +9,5 @@
|
||||
import csharp
|
||||
|
||||
from IntegerLiteral literal
|
||||
where literal.getValue().toInt() = 0
|
||||
where literal.getIntValue() = 0
|
||||
select literal
|
||||
|
||||
@@ -1,3 +1,19 @@
|
||||
## 5.5.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* The predicates `get[L|R]Value` in the class `Assignment` have been deprecated. Use `get[Left|Right]Operand` instead.
|
||||
|
||||
## 5.4.12
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
|
||||
* The `cs/log-forging` query no longer treats arguments to extension methods with
|
||||
source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
|
||||
through extension method bodies, reducing false positives when extension methods
|
||||
sanitize input internally.
|
||||
|
||||
## 5.4.11
|
||||
|
||||
No user-facing changes.
|
||||
@@ -48,9 +64,9 @@ No user-facing changes.
|
||||
* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
|
||||
* Updated the generated .NET “models as data” runtime models to cover .NET 10.
|
||||
* C# 14: Support for *implicit* span conversions in the QL library.
|
||||
* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
|
||||
* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build-mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
|
||||
* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
|
||||
* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
|
||||
* In `build-mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
|
||||
* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
@@ -121,15 +121,17 @@ predicate missedOfTypeOpportunity(ForeachStmtEnumerable fes, LocalVariableDeclSt
|
||||
/**
|
||||
* Holds if `foreach` statement `fes` can be converted to a `.Select()` call.
|
||||
* That is, the loop variable is accessed only in the first statement of the
|
||||
* block, the access is not a cast, and the first statement is a
|
||||
* local variable declaration statement `s`.
|
||||
* block, the access is not a cast, the first statement is a
|
||||
* local variable declaration statement `s`, and the initializer does not
|
||||
* contain an `await` expression (since `Select` does not support async lambdas).
|
||||
*/
|
||||
predicate missedSelectOpportunity(ForeachStmtGenericEnumerable fes, LocalVariableDeclStmt s) {
|
||||
s = firstStmt(fes) and
|
||||
forex(VariableAccess va | va = fes.getVariable().getAnAccess() |
|
||||
va = s.getAVariableDeclExpr().getAChildExpr*()
|
||||
) and
|
||||
not s.getAVariableDeclExpr().getInitializer() instanceof Cast
|
||||
not s.getAVariableDeclExpr().getInitializer() instanceof Cast and
|
||||
not s.getAVariableDeclExpr().getInitializer().getAChildExpr*() instanceof AwaitExpr
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
|
||||
@@ -1,6 +1,8 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 5.4.12
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
|
||||
* The `cs/log-forging` query no longer treats arguments to extension methods with
|
||||
source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
|
||||
through extension method bodies, reducing false positives when extension methods
|
||||
@@ -5,9 +5,9 @@
|
||||
* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
|
||||
* Updated the generated .NET “models as data” runtime models to cover .NET 10.
|
||||
* C# 14: Support for *implicit* span conversions in the QL library.
|
||||
* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
|
||||
* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build-mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
|
||||
* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
|
||||
* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
|
||||
* In `build-mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
|
||||
* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
## 5.5.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* The predicates `get[L|R]Value` in the class `Assignment` have been deprecated. Use `get[Left|Right]Operand` instead.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 5.4.11
|
||||
lastReleaseVersion: 5.5.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 5.4.12-dev
|
||||
version: 5.5.0
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -713,7 +713,7 @@ private class SignedIntegralConstantExpr extends Expr {
|
||||
}
|
||||
|
||||
private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType toType) {
|
||||
exists(int n | n = e.getValue().toInt() |
|
||||
exists(int n | n = e.getIntValue() |
|
||||
toType = any(SByteType t | n in [t.minValue() .. t.maxValue()])
|
||||
or
|
||||
toType = any(ByteType t | n in [t.minValue() .. t.maxValue()])
|
||||
@@ -730,7 +730,7 @@ private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType t
|
||||
|
||||
private predicate convConstantLongExpr(SignedIntegralConstantExpr e) {
|
||||
e.getType() instanceof LongType and
|
||||
e.getValue().toInt() >= 0
|
||||
e.getIntValue() >= 0
|
||||
}
|
||||
|
||||
/** 6.1.10: Implicit reference conversions involving type parameters. */
|
||||
|
||||
@@ -161,7 +161,7 @@ private newtype TComparisonTest =
|
||||
compare.getComparisonKind().isCompare() and
|
||||
outerKind = outer.getComparisonKind() and
|
||||
outer.getAnArgument() = compare.getExpr() and
|
||||
i = outer.getAnArgument().getValue().toInt()
|
||||
i = outer.getAnArgument().getIntValue()
|
||||
|
|
||||
outerKind.isEquality() and
|
||||
(
|
||||
|
||||
@@ -32,13 +32,13 @@ private module ConstantComparisonOperation {
|
||||
|
||||
private int maxValue(Expr expr) {
|
||||
if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
|
||||
then result = expr.getValue().toInt()
|
||||
then result = expr.getIntValue()
|
||||
else result = convertedType(expr).maxValue()
|
||||
}
|
||||
|
||||
private int minValue(Expr expr) {
|
||||
if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
|
||||
then result = expr.getValue().toInt()
|
||||
then result = expr.getIntValue()
|
||||
else result = convertedType(expr).minValue()
|
||||
}
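Review bot: The `if` guard in `maxValue` (and identically in `minValue` just below) still tests `convertedType(expr) instanceof IntegralType and exists(expr.getValue())`, while the `then` branch now calls `expr.getIntValue()`, which by its new definition also requires `expr.getType()` itself to be an integral type or an enum and the value string to convert to an `int`. QL's `if`/`then`/`else` does not fall through, so whenever the guard holds but `getIntValue()` has no result the predicate yields nothing instead of the `convertedType(expr).maxValue()` bound; the guard was already weaker than `toInt()` for out-of-range constants, and the added type restriction widens that gap if `getType()` and `convertedType()` can disagree for a constant, which this hunk does not show. Consider making the guard match what the branch can produce, e.g. `if convertedType(expr) instanceof IntegralType and exists(expr.getIntValue())`, in both predicates. The enclosing `ConstantComparisonOperation` module starts outside the hunk.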
|
||||
|
||||
|
||||
@@ -29,7 +29,7 @@ class ImplicitToStringExpr extends Expr {
|
||||
m = p.getCallable()
|
||||
|
|
||||
m = any(SystemTextStringBuilderClass c).getAMethod() and
|
||||
m.getName().regexpMatch("Append(Line)?") and
|
||||
m.getName() = "Append" and
|
||||
not p.getType() instanceof ArrayType
|
||||
or
|
||||
p instanceof StringFormatItemParameter and
|
||||
|
||||
@@ -60,25 +60,16 @@ private module GuardsInput implements
|
||||
override boolean asBooleanValue() { boolConst(this, result) }
|
||||
}
|
||||
|
||||
private predicate intConst(Expr e, int i) {
|
||||
e.getValue().toInt() = i and
|
||||
(
|
||||
e.getType() instanceof Enum
|
||||
or
|
||||
e.getType() instanceof IntegralType
|
||||
)
|
||||
}
|
||||
|
||||
private class IntegerConstant extends ConstantExpr {
|
||||
IntegerConstant() { intConst(this, _) }
|
||||
IntegerConstant() { exists(this.getIntValue()) }
|
||||
|
||||
override int asIntegerValue() { intConst(this, result) }
|
||||
override int asIntegerValue() { result = this.getIntValue() }
|
||||
}
|
||||
|
||||
private class EnumConst extends ConstantExpr {
|
||||
EnumConst() { this.getType() instanceof Enum and this.hasValue() }
|
||||
|
||||
override int asIntegerValue() { result = this.getValue().toInt() }
|
||||
override int asIntegerValue() { result = this.getIntValue() }
|
||||
}
|
||||
|
||||
private class StringConstant extends ConstantExpr instanceof StringLiteral {
|
||||
@@ -517,35 +508,35 @@ class EnumerableCollectionExpr extends Expr {
|
||||
|
|
||||
// x.Length == 0
|
||||
ct.getComparisonKind().isEquality() and
|
||||
ct.getAnArgument().getValue().toInt() = 0 and
|
||||
ct.getAnArgument().getIntValue() = 0 and
|
||||
branch = isEmpty
|
||||
or
|
||||
// x.Length == k, k > 0
|
||||
ct.getComparisonKind().isEquality() and
|
||||
ct.getAnArgument().getValue().toInt() > 0 and
|
||||
ct.getAnArgument().getIntValue() > 0 and
|
||||
branch = true and
|
||||
isEmpty = false
|
||||
or
|
||||
// x.Length != 0
|
||||
ct.getComparisonKind().isInequality() and
|
||||
ct.getAnArgument().getValue().toInt() = 0 and
|
||||
ct.getAnArgument().getIntValue() = 0 and
|
||||
branch = isEmpty.booleanNot()
|
||||
or
|
||||
// x.Length != k, k != 0
|
||||
ct.getComparisonKind().isInequality() and
|
||||
ct.getAnArgument().getValue().toInt() != 0 and
|
||||
ct.getAnArgument().getIntValue() != 0 and
|
||||
branch = false and
|
||||
isEmpty = false
|
||||
or
|
||||
// x.Length > k, k >= 0
|
||||
ct.getComparisonKind().isLessThan() and
|
||||
ct.getFirstArgument().getValue().toInt() >= 0 and
|
||||
ct.getFirstArgument().getIntValue() >= 0 and
|
||||
branch = true and
|
||||
isEmpty = false
|
||||
or
|
||||
// x.Length >= k, k > 0
|
||||
ct.getComparisonKind().isLessThanEquals() and
|
||||
ct.getFirstArgument().getValue().toInt() > 0 and
|
||||
ct.getFirstArgument().getIntValue() > 0 and
|
||||
branch = true and
|
||||
isEmpty = false
|
||||
)
|
||||
|
||||
@@ -4,13 +4,17 @@
|
||||
* Provides classes and predicates for dealing with MaD flow models specified
|
||||
* in data extensions and CSV format.
|
||||
*
|
||||
* The CSV specification has the following columns:
|
||||
* The extensible relations have the following columns:
|
||||
* - Sources:
|
||||
* `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
|
||||
* - Sinks:
|
||||
* `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
|
||||
* - Summaries:
|
||||
* `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
|
||||
* - Barriers:
|
||||
* `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
|
||||
* - BarrierGuards:
|
||||
* `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
|
||||
* - Neutrals:
|
||||
* `namespace; type; name; signature; kind; provenance`
|
||||
* A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
|
||||
@@ -69,14 +73,17 @@
|
||||
* - "Field[f]": Selects the contents of field `f`.
|
||||
* - "Property[p]": Selects the contents of property `p`.
|
||||
*
|
||||
* 8. The `kind` column is a tag that can be referenced from QL to determine to
|
||||
* 8. The `acceptingValue` column of barrier guard models specifies the condition
|
||||
* under which the guard blocks flow. It can be one of "true" or "false". In
|
||||
* the future "no-exception", "not-zero", "null", "not-null" may be supported.
|
||||
* 9. The `kind` column is a tag that can be referenced from QL to determine to
|
||||
* which classes the interpreted elements should be added. For example, for
|
||||
* sources "remote" indicates a default remote flow source, and for summaries
|
||||
* "taint" indicates a default additional taint step and "value" indicates a
|
||||
* globally applicable value-preserving step. For neutrals the kind can be `summary`,
|
||||
* `source` or `sink` to indicate that the neutral is neutral with respect to
|
||||
* flow (no summary), source (is not a source) or sink (is not a sink).
|
||||
* 9. The `provenance` column is a tag to indicate the origin and verification of a model.
|
||||
* 10. The `provenance` column is a tag to indicate the origin and verification of a model.
|
||||
* The format is {origin}-{verification} or just "manual" where the origin describes
|
||||
* the origin of the model and verification describes how the model has been verified.
|
||||
* Some examples are:
|
||||
@@ -230,11 +237,11 @@ module ModelValidation {
|
||||
result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model."
|
||||
)
|
||||
or
|
||||
exists(string acceptingvalue |
|
||||
barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and
|
||||
invalidAcceptingValue(acceptingvalue) and
|
||||
exists(string acceptingValue |
|
||||
barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and
|
||||
invalidAcceptingValue(acceptingValue) and
|
||||
result =
|
||||
"Unrecognized accepting value description \"" + acceptingvalue +
|
||||
"Unrecognized accepting value description \"" + acceptingValue +
|
||||
"\" in barrier guard model."
|
||||
)
|
||||
}
|
||||
@@ -482,13 +489,13 @@ private module Cached {
|
||||
|
||||
private predicate barrierGuardChecks(Guard g, Expr e, GuardValue gv, TKindModelPair kmp) {
|
||||
exists(
|
||||
SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingvalue, string kind,
|
||||
SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingValue, string kind,
|
||||
string model
|
||||
|
|
||||
isBarrierGuardNode(n, acceptingvalue, kind, model) and
|
||||
isBarrierGuardNode(n, acceptingValue, kind, model) and
|
||||
n.asNode().asExpr() = e and
|
||||
kmp = TMkPair(kind, model) and
|
||||
gv = convertAcceptingValue(acceptingvalue)
|
||||
gv = convertAcceptingValue(acceptingValue)
|
||||
|
|
||||
g.(Call).getAnArgument() = e or g.(QualifiableExpr).getQualifier() = e
|
||||
)
|
||||
|
||||
@@ -33,7 +33,7 @@ extensible predicate barrierModel(
|
||||
*/
|
||||
extensible predicate barrierGuardModel(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext,
|
||||
string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
|
||||
string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
|
||||
);
|
||||
|
||||
/**
|
||||
|
||||
@@ -253,13 +253,13 @@ module SourceSinkInterpretationInput implements
|
||||
}
|
||||
|
||||
predicate barrierGuardElement(
|
||||
Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
|
||||
Element e, string input, Public::AcceptingValue acceptingValue, string kind,
|
||||
Public::Provenance provenance, string model
|
||||
) {
|
||||
exists(
|
||||
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
||||
|
|
||||
barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingvalue,
|
||||
barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingValue,
|
||||
kind, provenance, model) and
|
||||
e = interpretElement(namespace, type, subtypes, name, signature, ext, _)
|
||||
)
|
||||
|
||||
@@ -23,7 +23,7 @@ predicate systemArrayLengthAccess(PropertyAccess pa) {
|
||||
* - a read of the `Length` of an array with `val` lengths.
|
||||
*/
|
||||
private predicate constantIntegerExpr(ExprNode e, int val) {
|
||||
e.getValue().toInt() = val
|
||||
e.getExpr().getIntValue() = val
|
||||
or
|
||||
exists(ExprNode src |
|
||||
e = getAnExplicitDefinitionRead(src) and
|
||||
|
||||
@@ -57,6 +57,13 @@ class Expr extends ControlFlowElement, @expr {
|
||||
/** Gets the value of this expression, if any */
|
||||
string getValue() { expr_value(this, result) }
|
||||
|
||||
/** Gets the integer value of this expression, if any. */
|
||||
cached
|
||||
int getIntValue() {
|
||||
result = this.getValue().toInt() and
|
||||
(this.getType() instanceof IntegralType or this.getType() instanceof Enum)
|
||||
}
|
||||
|
||||
/** Holds if this expression has a value. */
|
||||
final predicate hasValue() { exists(this.getValue()) }
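Review bot: The doc comment on the new `getIntValue()` says only "Gets the integer value of this expression, if any", but the body additionally requires `this.getType()` to be an `IntegralType` or an `Enum`, and `toInt()` only succeeds when the value is representable as a QL `int`; callers migrated from `getValue().toInt()` elsewhere in this compare (including the key-size checks in the cryptography queries) silently get no result for constants of other types, which looks intended but is not stated. Suggest extending the summary to say that the result only holds when the expression's type is an integral type or an enum and the value fits a QL `int`, and that constants of other types still need `getValue().toInt()`. The enclosing `Expr` class continues outside the hunk.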
|
||||
|
||||
|
||||
@@ -81,7 +81,7 @@ class SystemRuntimeCompilerServicesInlineArrayAttribute extends Attribute {
|
||||
/**
|
||||
* Gets the length of the inline array.
|
||||
*/
|
||||
int getLength() { result = this.getConstructorArgument(0).getValue().toInt() }
|
||||
int getLength() { result = this.getConstructorArgument(0).getIntValue() }
|
||||
}
|
||||
|
||||
/** An attribute of type `System.Runtime.CompilerServices.OverloadResolutionPriority`. */
|
||||
@@ -94,5 +94,5 @@ class SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute extends A
|
||||
/**
|
||||
* Gets the priority number.
|
||||
*/
|
||||
int getPriority() { result = this.getConstructorArgument(0).getValue().toInt() }
|
||||
int getPriority() { result = this.getConstructorArgument(0).getIntValue() }
|
||||
}
|
||||
|
||||
@@ -1,3 +1,23 @@
|
||||
## 1.7.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `cs/useless-tostring-call` has been updated to avoid false
|
||||
positive results in calls to `StringBuilder.AppendLine` and calls of
|
||||
the form `base.ToString()`. Moreover, the alert message has been
|
||||
made more precise.
|
||||
|
||||
## 1.7.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
|
||||
* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.
|
||||
|
||||
## 1.6.6
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
import csharp
|
||||
|
||||
predicate isDefinitelyPositive(Expr e) {
|
||||
e.getValue().toInt() >= 0 or
|
||||
e.getIntValue() >= 0 or
|
||||
e.(PropertyAccess).getTarget().hasName("Length") or
|
||||
e.(MethodCall).getTarget().hasUndecoratedName("Count")
|
||||
}
|
||||
@@ -23,12 +23,12 @@ where
|
||||
t.getLeftOperand() = lhs and
|
||||
t.getRightOperand() = rhs and
|
||||
not isDefinitelyPositive(lhs.getLeftOperand().stripCasts()) and
|
||||
lhs.getRightOperand().(IntegerLiteral).getValue() = "2" and
|
||||
lhs.getRightOperand().(IntegerLiteral).getIntValue() = 2 and
|
||||
(
|
||||
t instanceof EQExpr and rhs.getValue() = "1" and parity = "oddness"
|
||||
t instanceof EQExpr and rhs.getIntValue() = 1 and parity = "oddness"
|
||||
or
|
||||
t instanceof NEExpr and rhs.getValue() = "1" and parity = "evenness"
|
||||
t instanceof NEExpr and rhs.getIntValue() = 1 and parity = "evenness"
|
||||
or
|
||||
t instanceof GTExpr and rhs.getValue() = "0" and parity = "oddness"
|
||||
t instanceof GTExpr and rhs.getIntValue() = 0 and parity = "oddness"
|
||||
)
|
||||
select t, "Possibly invalid test for " + parity + ". This will fail for negative numbers."
|
||||
|
||||
@@ -27,8 +27,8 @@ predicate isExactEraStartDateCreation(ObjectCreation cr) {
|
||||
cr.getType().hasFullyQualifiedName("System", "DateTime") or
|
||||
cr.getType().hasFullyQualifiedName("System", "DateTimeOffset")
|
||||
) and
|
||||
isEraStart(cr.getArgument(0).getValue().toInt(), cr.getArgument(1).getValue().toInt(),
|
||||
cr.getArgument(2).getValue().toInt())
|
||||
isEraStart(cr.getArgument(0).getIntValue(), cr.getArgument(1).getIntValue(),
|
||||
cr.getArgument(2).getIntValue())
|
||||
}
|
||||
|
||||
predicate isDateFromJapaneseCalendarToDateTime(MethodCall mc) {
|
||||
@@ -44,7 +44,7 @@ predicate isDateFromJapaneseCalendarToDateTime(MethodCall mc) {
|
||||
mc.getNumberOfArguments() = 7 // implicitly current era
|
||||
or
|
||||
mc.getNumberOfArguments() = 8 and
|
||||
mc.getArgument(7).getValue() = "0"
|
||||
mc.getArgument(7).getIntValue() = 0
|
||||
) // explicitly current era
|
||||
}
|
||||
|
||||
|
||||
@@ -40,8 +40,8 @@ predicate convertedToFloatOrDecimal(Expr e, Type t) {
|
||||
/** Holds if `div` is an exact integer division. */
|
||||
predicate exactDivision(DivExpr div) {
|
||||
exists(int numerator, int denominator |
|
||||
numerator = div.getNumerator().stripCasts().getValue().toInt() and
|
||||
denominator = div.getDenominator().stripCasts().getValue().toInt() and
|
||||
numerator = div.getNumerator().stripCasts().getIntValue() and
|
||||
denominator = div.getDenominator().stripCasts().getIntValue() and
|
||||
numerator % denominator = 0
|
||||
)
|
||||
}
|
||||
|
||||
@@ -20,7 +20,7 @@ predicate incorrectUseOfRC2(Assignment e, string msg) {
|
||||
.getDeclaringType()
|
||||
.hasFullyQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider")
|
||||
) and
|
||||
e.getRightOperand().getValue().toInt() < 128 and
|
||||
e.getRightOperand().getIntValue() < 128 and
|
||||
msg = "Key size should be at least 128 bits for RC2 encryption."
|
||||
}
|
||||
|
||||
@@ -28,7 +28,7 @@ predicate incorrectUseOfDsa(ObjectCreation e, string msg) {
|
||||
e.getTarget()
|
||||
.getDeclaringType()
|
||||
.hasFullyQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
|
||||
exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
|
||||
exists(Expr i | e.getArgument(0) = i and i.getIntValue() < 2048) and
|
||||
msg = "Key size should be at least 2048 bits for DSA encryption."
|
||||
}
|
||||
|
||||
@@ -36,7 +36,7 @@ predicate incorrectUseOfRsa(ObjectCreation e, string msg) {
|
||||
e.getTarget()
|
||||
.getDeclaringType()
|
||||
.hasFullyQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and
|
||||
exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
|
||||
exists(Expr i | e.getArgument(0) = i and i.getIntValue() < 2048) and
|
||||
msg = "Key size should be at least 2048 bits for RSA encryption."
|
||||
}
|
||||
|
||||
|
||||
@@ -18,5 +18,6 @@ import semmle.code.csharp.frameworks.System
|
||||
from MethodCall mc
|
||||
where
|
||||
mc instanceof ImplicitToStringExpr and
|
||||
mc.getTarget() instanceof ToStringMethod
|
||||
select mc, "Redundant call to 'ToString' on a String object."
|
||||
mc.getTarget() instanceof ToStringMethod and
|
||||
not mc.getQualifier() instanceof BaseAccess
|
||||
select mc, "Redundant call to 'ToString'."
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
|
||||
* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
|
||||
@@ -1,4 +1,10 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
## 1.7.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
|
||||
* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.
|
||||
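--- /dev/null
+++ b/csharp/ql/src/change-notes/released/1.7.1.md
@@ -0,0 +1,8 @@
+## 1.7.1
+
+### Minor Analysis Improvements
+
+* The query `cs/useless-tostring-call` has been updated to avoid false
+  positive results in calls to `StringBuilder.AppendLine` and calls of
+  the form `base.ToString()`. Moreover, the alert message has been
+  made more precise.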
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.6.6
|
||||
lastReleaseVersion: 1.7.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 1.6.7-dev
|
||||
version: 1.7.1
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
using System;
|
||||
using System.Linq;
|
||||
using System.Collections.Generic;
|
||||
using System.Threading.Tasks;
|
||||
|
||||
class MissedSelectOpportunity
|
||||
{
|
||||
public void M1(List<int> lst)
|
||||
{
|
||||
// BAD: Can be replaced with lst.Select(i => i * i)
|
||||
foreach (int i in lst)
|
||||
{
|
||||
int j = i * i;
|
||||
Console.WriteLine(j);
|
||||
} // $ Alert
|
||||
}
|
||||
|
||||
public async Task M2(IEnumerable<ICounter> counters)
|
||||
{
|
||||
// GOOD: Cannot use Select because the initializer contains an await expression
|
||||
foreach (var counter in counters)
|
||||
{
|
||||
var count = await counter.CountAsync();
|
||||
Console.WriteLine(count);
|
||||
}
|
||||
}
|
||||
|
||||
public interface ICounter
|
||||
{
|
||||
Task<int> CountAsync();
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
| MissedSelectOpportunity.cs:11:9:15:9 | foreach (... ... in ...) ... | This foreach loop immediately $@ - consider mapping the sequence explicitly using '.Select(...)'. | MissedSelectOpportunity.cs:13:13:13:26 | ... ...; | maps its iteration variable to another variable |
|
||||
@@ -0,0 +1,2 @@
|
||||
query: Linq/MissedSelectOpportunity.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
@@ -0,0 +1,2 @@
|
||||
semmle-extractor-options: /nostdlib /noconfig
|
||||
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
|
||||