mirror of
https://github.com/github/codeql.git
synced 2026-05-27 17:41:24 +02:00
Compare commits
4 Commits
oscarsj/te
...
aibaars/ru
| Author | SHA1 | Date | |
|---|---|---|---|
|
f6bd5381d2 | ||
|
|
1964daf71c | ||
|
|
dc847e4826 | ||
|
|
07b475ccc3 |
@@ -1 +1 @@
|
||||
8.1.1
|
||||
8.0.0
|
||||
|
||||
@@ -14,9 +14,6 @@
|
||||
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
||||
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
||||
|
||||
# Experimental CodeQL cryptography
|
||||
**/experimental/quantum/ @github/ps-codeql
|
||||
|
||||
# CodeQL tools and associated docs
|
||||
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
||||
/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
|
||||
|
||||
@@ -1,34 +1,27 @@
|
||||
# Note: We're adding the `reusable_workflows` subdirectories to proactively
|
||||
# record workflows that were called cross-repo, check them out locally,
|
||||
# and enable an interprocedural analysis across the workflow files.
|
||||
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
|
||||
$DefaultPathFilters = @(
|
||||
'exclude:**/*',
|
||||
'include:.github/workflows/*.yml',
|
||||
'include:.github/workflows/*.yaml',
|
||||
'include:.github/reusable_workflows/**/*.yml',
|
||||
'include:.github/reusable_workflows/**/*.yaml',
|
||||
'include:**/action.yml',
|
||||
'include:**/action.yaml'
|
||||
)
|
||||
|
||||
if ($null -ne $env:LGTM_INDEX_FILTERS) {
|
||||
Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
|
||||
# Begin with the default path inclusions only,
|
||||
# followed by the user-provided filters.
|
||||
# If the user provided `paths`, those patterns override the default inclusions
|
||||
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
|
||||
# If the user provided `paths-ignore`, those patterns are excluded.
|
||||
$PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
|
||||
$env:LGTM_INDEX_FILTERS = $PathFilters
|
||||
if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
|
||||
Write-Output 'Path filters set. Passing them through to the JavaScript extractor.'
|
||||
} else {
|
||||
Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
|
||||
Write-Output 'No path filters set. Using the default filters.'
|
||||
# Note: We're adding the `reusable_workflows` subdirectories to proactively
|
||||
# record workflows that were called cross-repo, check them out locally,
|
||||
# and enable an interprocedural analysis across the workflow files.
|
||||
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
|
||||
$DefaultPathFilters = @(
|
||||
'exclude:**/*',
|
||||
'include:.github/workflows/*.yml',
|
||||
'include:.github/workflows/*.yaml',
|
||||
'include:.github/reusable_workflows/**/*.yml',
|
||||
'include:.github/reusable_workflows/**/*.yaml',
|
||||
'include:**/action.yml',
|
||||
'include:**/action.yaml'
|
||||
)
|
||||
|
||||
$env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
|
||||
}
|
||||
|
||||
# Find the JavaScript extractor directory via `codeql resolve extractor`.
|
||||
$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
throw 'Failed to resolve JavaScript extractor.'
|
||||
}
|
||||
@@ -47,7 +40,7 @@ $env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTI
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
|
||||
|
||||
&"$JavaScriptAutoBuild"
|
||||
&$JavaScriptAutoBuild
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
throw "JavaScript autobuilder failed."
|
||||
}
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
@echo off
|
||||
rem All of the work is done in the PowerShell script
|
||||
echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
|
||||
powershell.exe -File "%~dp0autobuild-impl.ps1"
|
||||
powershell.exe %~dp0autobuild-impl.ps1
|
||||
|
||||
@@ -17,28 +17,16 @@ include:**/action.yaml
|
||||
END
|
||||
)
|
||||
|
||||
if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
|
||||
echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
|
||||
# Begin with the default path inclusions only,
|
||||
# followed by the user-provided filters.
|
||||
# If the user provided `paths`, those patterns override the default inclusions
|
||||
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
|
||||
# If the user provided `paths-ignore`, those patterns are excluded.
|
||||
PATH_FILTERS="$(cat << END
|
||||
${DEFAULT_PATH_FILTERS}
|
||||
${LGTM_INDEX_FILTERS}
|
||||
END
|
||||
)"
|
||||
LGTM_INDEX_FILTERS="${PATH_FILTERS}"
|
||||
export LGTM_INDEX_FILTERS
|
||||
if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
|
||||
echo "Path filters set. Passing them through to the JavaScript extractor."
|
||||
else
|
||||
echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
|
||||
echo "No path filters set. Using the default filters."
|
||||
LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
|
||||
export LGTM_INDEX_FILTERS
|
||||
fi
|
||||
|
||||
# Find the JavaScript extractor directory via `codeql resolve extractor`.
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
|
||||
export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
|
||||
|
||||
echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
|
||||
@@ -54,4 +42,4 @@ env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGN
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
|
||||
"${JAVASCRIPT_AUTO_BUILD}"
|
||||
${JAVASCRIPT_AUTO_BUILD}
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
import actions
|
||||
|
||||
from AstNode n
|
||||
where n instanceof Workflow or n instanceof CompositeAction
|
||||
select n
|
||||
@@ -1,6 +0,0 @@
|
||||
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
|
||||
| src/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
@@ -1,2 +0,0 @@
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
|
||||
@@ -1,5 +0,0 @@
|
||||
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
|
||||
| src/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
@@ -1,2 +0,0 @@
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
|
||||
@@ -1,5 +0,0 @@
|
||||
import actions
|
||||
|
||||
from AstNode n
|
||||
where n instanceof Workflow or n instanceof CompositeAction
|
||||
select n
|
||||
@@ -1,4 +0,0 @@
|
||||
paths:
|
||||
- 'included'
|
||||
paths-ignore:
|
||||
- 'excluded'
|
||||
@@ -1,2 +0,0 @@
|
||||
paths-ignore:
|
||||
- 'excluded'
|
||||
@@ -1,2 +0,0 @@
|
||||
paths:
|
||||
- 'included'
|
||||
@@ -1,6 +0,0 @@
|
||||
src/.github/action.yaml
|
||||
src/.github/actions/action-name/action.yml
|
||||
src/.github/workflows/workflow.yml
|
||||
src/action.yml
|
||||
src/excluded/action.yml
|
||||
src/included/action.yml
|
||||
@@ -1,3 +0,0 @@
|
||||
src/included/action.yml
|
||||
src/included/not-an-action.yml
|
||||
src/included/unreachable-workflow.yml
|
||||
@@ -1,5 +0,0 @@
|
||||
src/.github/action.yaml
|
||||
src/.github/actions/action-name/action.yml
|
||||
src/.github/workflows/workflow.yml
|
||||
src/action.yml
|
||||
src/included/action.yml
|
||||
@@ -1,3 +0,0 @@
|
||||
src/included/action.yml
|
||||
src/included/not-an-action.yml
|
||||
src/included/unreachable-workflow.yml
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: A workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1 +0,0 @@
|
||||
name: 'Not an action, just a YAML file'
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,18 +0,0 @@
|
||||
import pytest
|
||||
|
||||
@pytest.mark.ql_test(expected=".default-filters.expected")
|
||||
def test_default_filters(codeql, actions, check_source_archive):
|
||||
check_source_archive.expected_suffix = ".default-filters.expected"
|
||||
codeql.database.create(source_root="src")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-only.expected")
|
||||
def test_config_paths_only(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-only.yml")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-ignore-only.expected")
|
||||
def test_config_paths_ignore_only(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-ignore-only.yml")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-and-paths-ignore.expected")
|
||||
def test_config_paths_and_paths_ignore(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-and-paths-ignore.yml")
|
||||
@@ -154,13 +154,3 @@ predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
|
||||
predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
|
||||
Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
|
||||
}
|
||||
|
||||
/**
|
||||
* MaD models for permissions needed by actions
|
||||
* Fields:
|
||||
* - action: action name, e.g. `actions/checkout`
|
||||
* - permission: permission name, e.g. `contents: read`
|
||||
*/
|
||||
predicate actionsPermissionsDataModel(string action, string permission) {
|
||||
Extensions::actionsPermissionsDataModel(action, permission)
|
||||
}
|
||||
|
||||
@@ -77,14 +77,3 @@ extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag)
|
||||
* Holds for gh commands that may introduce untrusted data
|
||||
*/
|
||||
extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
|
||||
|
||||
/**
|
||||
* Holds if `action` needs `permission` to run.
|
||||
* - 'action' is the name of the action without any version information.
|
||||
* E.g. for the action selector `actions/checkout@v2`, `action` is `actions/checkout`.
|
||||
* - `permission` is of the form `scope-name: read|write`, for example `contents: read`.
|
||||
* - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions
|
||||
* for an example of recommended permissions.
|
||||
* - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
|
||||
*/
|
||||
extensible predicate actionsPermissionsDataModel(string action, string permission);
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: actionsPermissionsDataModel
|
||||
data:
|
||||
- ["actions/checkout", "contents: read"]
|
||||
- ["actions/setup-node", "contents: read"]
|
||||
- ["actions/setup-python", "contents: read"]
|
||||
- ["actions/setup-java", "contents: read"]
|
||||
- ["actions/setup-go", "contents: read"]
|
||||
- ["actions/setup-dotnet", "contents: read"]
|
||||
- ["actions/labeler", "contents: read"]
|
||||
- ["actions/labeler", "pull-requests: write"]
|
||||
- ["actions/attest", "id-token: write"]
|
||||
- ["actions/attest", "attestations: write"]
|
||||
# No permissions needed for actions/add-to-project
|
||||
- ["actions/dependency-review-action", "contents: read"]
|
||||
- ["actions/attest-sbom", "id-token: write"]
|
||||
- ["actions/attest-sbom", "attestations: write"]
|
||||
- ["actions/stale", "contents: write"]
|
||||
- ["actions/stale", "issues: write"]
|
||||
- ["actions/stale", "pull-requests: write"]
|
||||
- ["actions/attest-build-provenance", "id-token: write"]
|
||||
- ["actions/attest-build-provenance", "attestations: write"]
|
||||
- ["actions/jekyll-build-pages", "contents: read"]
|
||||
- ["actions/jekyll-build-pages", "pages: write"]
|
||||
- ["actions/jekyll-build-pages", "id-token: write"]
|
||||
- ["actions/publish-action", "contents: write"]
|
||||
- ["actions/versions-package-tools", "contents: read"]
|
||||
- ["actions/versions-package-tools", "actions: read"]
|
||||
- ["actions/reusable-workflows", "contents: read"]
|
||||
- ["actions/reusable-workflows", "actions: read"]
|
||||
# TODO: Add permissions for actions/download-artifact
|
||||
# TODO: Add permissions for actions/upload-artifact
|
||||
# TODO: Add permissions for actions/cache
|
||||
|
||||
|
||||
@@ -14,19 +14,7 @@
|
||||
|
||||
import actions
|
||||
|
||||
Step stepInJob(Job job) { result = job.(LocalJob).getAStep() }
|
||||
|
||||
string jobNeedsPermission(Job job) {
|
||||
actionsPermissionsDataModel(stepInJob(job).(UsesStep).getCallee(), result)
|
||||
}
|
||||
|
||||
/** Gets a suggestion for the minimal token permissions for `job`, as a JSON string. */
|
||||
string permissionsForJob(Job job) {
|
||||
result =
|
||||
"{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
|
||||
}
|
||||
|
||||
from Job job, string permissions
|
||||
from Job job
|
||||
where
|
||||
not exists(job.getPermissions()) and
|
||||
not exists(job.getEnclosingWorkflow().getPermissions()) and
|
||||
@@ -34,8 +22,5 @@ where
|
||||
exists(Event e |
|
||||
e = job.getATriggerEvent() and
|
||||
not e.getName() = "workflow_call"
|
||||
) and
|
||||
permissions = permissionsForJob(job)
|
||||
select job,
|
||||
"Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: "
|
||||
+ permissions
|
||||
)
|
||||
select job, "Actions Job or Workflow does not set permissions"
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
|
||||
@@ -1,13 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/jekyll-build-pages
|
||||
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/add-to-project@v2
|
||||
@@ -1,5 +1,3 @@
|
||||
| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
|
||||
| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
|
||||
| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
|
||||
| .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
|
||||
| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
|
||||
| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
|
||||
| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions |
|
||||
| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions |
|
||||
|
||||
@@ -58,19 +58,7 @@ def file_checksum(filename):
|
||||
with open(filename, 'rb') as file_handle:
|
||||
return hashlib.sha1(file_handle.read()).hexdigest()
|
||||
|
||||
def accept_prefix(line1, line2):
|
||||
suffix = line2.removeprefix(line1)
|
||||
return not suffix or suffix.lstrip().startswith("//")
|
||||
|
||||
def equivalent_lines(lines1, lines2):
|
||||
if len(lines1) != len(lines2):
|
||||
return False
|
||||
for line1, line2 in zip(lines1, lines2):
|
||||
if not accept_prefix(line1, line2) and not accept_prefix(line2, line1):
|
||||
return False
|
||||
return True
|
||||
|
||||
def check_group(group_name, files, master_file_picker, emit_error, accept_prefix):
|
||||
def check_group(group_name, files, master_file_picker, emit_error):
|
||||
extant_files = [f for f in files if path.isfile(f)]
|
||||
if len(extant_files) == 0:
|
||||
emit_error(__file__, 0, "No files found from group '" + group_name + "'.")
|
||||
@@ -82,23 +70,11 @@ def check_group(group_name, files, master_file_picker, emit_error, accept_prefix
|
||||
return
|
||||
|
||||
checksums = {file_checksum(f) for f in extant_files}
|
||||
same_lengths = len(extant_files) == len(files)
|
||||
if len(checksums) == 1 and same_lengths:
|
||||
|
||||
if len(checksums) == 1 and len(extant_files) == len(files):
|
||||
# All files are present and identical.
|
||||
return
|
||||
|
||||
# In this case we also consider files indentical, if
|
||||
# (1) The group only containts two files.
|
||||
# (2) The lines of one file are the same as the lines of another file
|
||||
# modulo comments.
|
||||
if accept_prefix and same_lengths and len(extant_files) == 2:
|
||||
with open(extant_files[0], 'r') as f1:
|
||||
file1_lines = [l.strip('\n\r') for l in f1.readlines()]
|
||||
with open(extant_files[1], 'r') as f2:
|
||||
file2_lines = [l.strip('\n\r') for l in f2.readlines()]
|
||||
if equivalent_lines(file1_lines, file2_lines):
|
||||
return
|
||||
|
||||
master_file = master_file_picker(extant_files)
|
||||
if master_file is None:
|
||||
emit_error(__file__, 0,
|
||||
@@ -163,10 +139,9 @@ def sync_identical_files(emit_error):
|
||||
raise Exception("Bad command line or file not found")
|
||||
chdir_repo_root()
|
||||
load_if_exists('.', 'config/identical-files.json')
|
||||
for group_name, files in csharp_test_files().items():
|
||||
check_group(group_name, files, master_file_picker, emit_error, True)
|
||||
file_groups.update(csharp_test_files())
|
||||
for group_name, files in file_groups.items():
|
||||
check_group(group_name, files, master_file_picker, emit_error, False)
|
||||
check_group(group_name, files, master_file_picker, emit_error)
|
||||
|
||||
def main():
|
||||
sync_identical_files(emit_local_error)
|
||||
|
||||
@@ -465,7 +465,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
|
||||
}
|
||||
|
||||
/** Gets the fully templated version of `f`. */
|
||||
Function getFullyTemplatedFunction(Function f) {
|
||||
private Function getFullyTemplatedFunction(Function f) {
|
||||
not f.isFromUninstantiatedTemplate(_) and
|
||||
(
|
||||
exists(Class c, Class templateClass, int i |
|
||||
@@ -559,15 +559,12 @@ private string getTypeName(Type t, boolean needsSpace) {
|
||||
|
||||
/**
|
||||
* Gets a type name for the `n`'th parameter of `f` without any template
|
||||
* arguments.
|
||||
*
|
||||
* If `canonical = false` then the result may be a string representing a type
|
||||
* for which the typedefs have been resolved. If `canonical = true` then the
|
||||
* result will be a string representing a type without resolving `typedefs`.
|
||||
* arguments. The result may be a string representing a type for which the
|
||||
* typedefs have been resolved.
|
||||
*/
|
||||
bindingset[f]
|
||||
pragma[inline_late]
|
||||
string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canonical) {
|
||||
string getParameterTypeWithoutTemplateArguments(Function f, int n) {
|
||||
exists(string s, string base, string specifiers, Type t |
|
||||
t = f.getParameter(n).getType() and
|
||||
// The name of the string can either be the possibly typedefed name
|
||||
@@ -575,19 +572,14 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canon
|
||||
// `getTypeName(t, _)` is almost equal to `t.resolveTypedefs().getName()`,
|
||||
// except that `t.resolveTypedefs()` doesn't have a result when the
|
||||
// resulting type doesn't appear in the database.
|
||||
(
|
||||
s = t.getName() and canonical = true
|
||||
or
|
||||
s = getTypeName(t, _) and canonical = false
|
||||
) and
|
||||
s = [t.getName(), getTypeName(t, _)] and
|
||||
parseAngles(s, base, _, specifiers) and
|
||||
result = base + specifiers
|
||||
)
|
||||
or
|
||||
f.isVarargs() and
|
||||
n = f.getNumberOfParameters() and
|
||||
result = "..." and
|
||||
canonical = true
|
||||
result = "..."
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -598,7 +590,7 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain
|
||||
exists(Function templateFunction |
|
||||
templateFunction = getFullyTemplatedFunction(f) and
|
||||
remaining = templateFunction.getNumberOfTemplateArguments() and
|
||||
result = getParameterTypeWithoutTemplateArguments(templateFunction, n, _)
|
||||
result = getParameterTypeWithoutTemplateArguments(templateFunction, n)
|
||||
)
|
||||
or
|
||||
exists(string mid, TypeTemplateParameter tp, Function templateFunction |
|
||||
@@ -635,7 +627,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
|
||||
}
|
||||
|
||||
/** Gets the string representation of the `i`'th parameter of `c`. */
|
||||
string getParameterTypeName(Function c, int i) {
|
||||
private string getParameterTypeName(Function c, int i) {
|
||||
result = getTypeNameWithoutClassTemplates(c, i, 0)
|
||||
}
|
||||
|
||||
|
||||
@@ -371,7 +371,7 @@ private class PrimaryArgumentNode extends ArgumentNode, OperandNode {
|
||||
PrimaryArgumentNode() { exists(CallInstruction call | op = call.getAnArgumentOperand()) }
|
||||
|
||||
override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
|
||||
op = call.getArgumentOperand(pos.(DirectPosition).getArgumentIndex())
|
||||
op = call.getArgumentOperand(pos.(DirectPosition).getIndex())
|
||||
}
|
||||
}
|
||||
|
||||
@@ -410,16 +410,8 @@ class ParameterPosition = Position;
|
||||
class ArgumentPosition = Position;
|
||||
|
||||
abstract class Position extends TPosition {
|
||||
/** Gets a textual representation of this position. */
|
||||
abstract string toString();
|
||||
|
||||
/**
|
||||
* Gets the argument index of this position. The qualifier of a call has
|
||||
* argument index `-1`.
|
||||
*/
|
||||
abstract int getArgumentIndex();
|
||||
|
||||
/** Gets the indirection index of this position. */
|
||||
abstract int getIndirectionIndex();
|
||||
}
|
||||
|
||||
@@ -436,7 +428,7 @@ class DirectPosition extends Position, TDirectPosition {
|
||||
result = index.toString()
|
||||
}
|
||||
|
||||
override int getArgumentIndex() { result = index }
|
||||
int getIndex() { result = index }
|
||||
|
||||
final override int getIndirectionIndex() { result = 0 }
|
||||
}
|
||||
@@ -453,29 +445,16 @@ class IndirectionPosition extends Position, TIndirectionPosition {
|
||||
else result = repeatStars(indirectionIndex) + argumentIndex.toString()
|
||||
}
|
||||
|
||||
override int getArgumentIndex() { result = argumentIndex }
|
||||
int getArgumentIndex() { result = argumentIndex }
|
||||
|
||||
final override int getIndirectionIndex() { result = indirectionIndex }
|
||||
}
|
||||
|
||||
newtype TPosition =
|
||||
TDirectPosition(int argumentIndex) {
|
||||
exists(any(CallInstruction c).getArgument(argumentIndex))
|
||||
or
|
||||
// Handle the rare case where there is a function definition but no call to
|
||||
// the function.
|
||||
exists(any(Cpp::Function f).getParameter(argumentIndex))
|
||||
} or
|
||||
TDirectPosition(int argumentIndex) { exists(any(CallInstruction c).getArgument(argumentIndex)) } or
|
||||
TIndirectionPosition(int argumentIndex, int indirectionIndex) {
|
||||
Ssa::hasIndirectOperand(any(CallInstruction call).getArgumentOperand(argumentIndex),
|
||||
indirectionIndex)
|
||||
or
|
||||
// Handle the rare case where there is a function definition but no call to
|
||||
// the function.
|
||||
exists(Cpp::Function f, Cpp::Parameter p |
|
||||
p = f.getParameter(argumentIndex) and
|
||||
indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1]
|
||||
)
|
||||
}
|
||||
|
||||
private newtype TReturnKind =
|
||||
@@ -522,15 +501,6 @@ class ReturnKind extends TReturnKind {
|
||||
|
||||
/** Gets a textual representation of this return kind. */
|
||||
abstract string toString();
|
||||
|
||||
/** Holds if this `ReturnKind` is generated from a `return` statement. */
|
||||
abstract predicate isNormalReturn();
|
||||
|
||||
/**
|
||||
* Holds if this `ReturnKind` is generated from a write to the parameter with
|
||||
* index `argumentIndex`
|
||||
*/
|
||||
abstract predicate isIndirectReturn(int argumentIndex);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -544,10 +514,6 @@ class NormalReturnKind extends ReturnKind, TNormalReturnKind {
|
||||
override int getIndirectionIndex() { result = indirectionIndex }
|
||||
|
||||
override string toString() { result = "indirect return" }
|
||||
|
||||
override predicate isNormalReturn() { any() }
|
||||
|
||||
override predicate isIndirectReturn(int argumentIndex) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -562,10 +528,6 @@ private class IndirectReturnKind extends ReturnKind, TIndirectReturnKind {
|
||||
override int getIndirectionIndex() { result = indirectionIndex }
|
||||
|
||||
override string toString() { result = "indirect outparam[" + argumentIndex.toString() + "]" }
|
||||
|
||||
override predicate isNormalReturn() { none() }
|
||||
|
||||
override predicate isIndirectReturn(int argumentIndex_) { argumentIndex_ = argumentIndex }
|
||||
}
|
||||
|
||||
/** A data flow node that occurs as the result of a `ReturnStmt`. */
|
||||
|
||||
@@ -1445,7 +1445,7 @@ private class ExplicitParameterInstructionNode extends AbstractExplicitParameter
|
||||
ExplicitParameterInstructionNode() { exists(instr.getParameter()) }
|
||||
|
||||
override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
|
||||
f.getParameter(pos.(DirectPosition).getArgumentIndex()) = instr.getParameter()
|
||||
f.getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
|
||||
}
|
||||
|
||||
override string toStringImpl() { result = instr.getParameter().toString() }
|
||||
@@ -1460,7 +1460,7 @@ class ThisParameterInstructionNode extends AbstractExplicitParameterNode,
|
||||
ThisParameterInstructionNode() { instr.getIRVariable() instanceof IRThisVariable }
|
||||
|
||||
override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
|
||||
pos.(DirectPosition).getArgumentIndex() = -1 and
|
||||
pos.(DirectPosition).getIndex() = -1 and
|
||||
instr.getEnclosingFunction() = f
|
||||
}
|
||||
|
||||
@@ -1494,7 +1494,7 @@ private class DirectBodyLessParameterNode extends AbstractExplicitParameterNode,
|
||||
|
||||
override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
|
||||
this.getFunction() = f and
|
||||
f.getParameter(pos.(DirectPosition).getArgumentIndex()) = p
|
||||
f.getParameter(pos.(DirectPosition).getIndex()) = p
|
||||
}
|
||||
|
||||
override Parameter getParameter() { result = p }
|
||||
|
||||
@@ -229,11 +229,11 @@ private module SpeculativeTaintFlow {
|
||||
not exists(DataFlowDispatch::viableCallable(call)) and
|
||||
src.(DataFlowPrivate::ArgumentNode).argumentOf(call, argpos)
|
||||
|
|
||||
not argpos.(DirectPosition).getArgumentIndex() = -1 and
|
||||
not argpos.(DirectPosition).getIndex() = -1 and
|
||||
sink.(PostUpdateNode)
|
||||
.getPreUpdateNode()
|
||||
.(DataFlowPrivate::ArgumentNode)
|
||||
.argumentOf(call, any(DirectPosition qualpos | qualpos.getArgumentIndex() = -1))
|
||||
.argumentOf(call, any(DirectPosition qualpos | qualpos.getIndex() = -1))
|
||||
or
|
||||
sink.(DataFlowPrivate::OutNode).getCall() = call
|
||||
)
|
||||
|
||||
@@ -1,13 +1,10 @@
|
||||
|
||||
int* f() {
|
||||
int *buff = malloc(SIZE*sizeof(int));
|
||||
do_stuff(buff);
|
||||
free(buff);
|
||||
int *new_buffer = malloc(SIZE*sizeof(int));
|
||||
free(buff);
|
||||
// BAD: If new_buffer is assigned the same address as buff,
|
||||
// the memory allocator will free the new buffer memory region,
|
||||
// leading to use-after-free problems and memory corruption.
|
||||
// abc
|
||||
free(buff); // BAD: If new_buffer is assigned the same address as buff,
|
||||
// the memory allocator will free the new buffer memory region,
|
||||
// leading to use-after-free problems and memory corruption.
|
||||
return new_buffer;
|
||||
}
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
| Function | cpp20.cpp:62:8:62:8 | operator= | operator= | extern, inline, is_constexpr, public |
|
||||
| Function | cpp20.cpp:62:8:62:8 | operator= | operator= | extern, inline, is_constexpr, public |
|
||||
| Function | cpp20.cpp:64:5:64:21 | TestExplicitBool4 | TestExplicitBool4 | explicit, extern, public |
|
||||
| Function | file://:0:0:0:0 | TestExplicitBool | TestExplicitBool | explicit |
|
||||
| Function | file://:0:0:0:0 | TestExplicitBool | TestExplicitBool | explicit, has_trailing_return_type |
|
||||
| Function | file://:0:0:0:0 | operator delete | operator delete | extern |
|
||||
| Function | file://:0:0:0:0 | operator new | operator new | extern |
|
||||
| Function | specifiers2.c:11:6:11:6 | f | f | c_linkage, extern |
|
||||
@@ -67,8 +67,6 @@
|
||||
| Function | specifiers2pp.cpp:63:19:63:34 | member_constexpr | member_constexpr | const, declared_constexpr, inline, is_constexpr, private |
|
||||
| Function | specifiers2pp.cpp:64:19:64:40 | member_const_constexpr | member_const_constexpr | const, declared_constexpr, inline, is_constexpr, private |
|
||||
| FunctionDeclarationEntry | cpp20.cpp:11:14:11:24 | declaration of TestExplict | TestExplict | explicit |
|
||||
| FunctionDeclarationEntry | cpp20.cpp:23:1:23:1 | declaration of TestExplicitBool | TestExplicitBool | has_trailing_return_type |
|
||||
| FunctionDeclarationEntry | cpp20.cpp:24:1:24:16 | definition of TestExplicitBool | TestExplicitBool | has_trailing_return_type |
|
||||
| FunctionDeclarationEntry | cpp20.cpp:40:23:40:23 | definition of TestExplicitBool2 | TestExplicitBool2 | explicit |
|
||||
| FunctionDeclarationEntry | cpp20.cpp:51:5:51:5 | definition of TestExplicitBool3 | TestExplicitBool3 | explicit |
|
||||
| FunctionDeclarationEntry | cpp20.cpp:51:5:51:21 | declaration of TestExplicitBool3 | TestExplicitBool3 | explicit |
|
||||
|
||||
@@ -424,7 +424,8 @@ namespace Semmle.Autobuild.CSharp.Tests
|
||||
return new CSharpAutobuilder(actions, options);
|
||||
}
|
||||
|
||||
private void SetupActionForDotnet()
|
||||
[Fact]
|
||||
public void TestDefaultCSharpAutoBuilder()
|
||||
{
|
||||
actions.RunProcess["cmd.exe /C dotnet --info"] = 0;
|
||||
actions.RunProcess[@"cmd.exe /C dotnet clean C:\Project\test.csproj"] = 0;
|
||||
@@ -437,80 +438,20 @@ namespace Semmle.Autobuild.CSharp.Tests
|
||||
actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SCRATCH_DIR"] = "scratch";
|
||||
actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbar.cs\ntest.csproj";
|
||||
actions.EnumerateDirectories[@"C:\Project"] = "";
|
||||
}
|
||||
var xml = new XmlDocument();
|
||||
xml.LoadXml(@"<Project Sdk=""Microsoft.NET.Sdk"">
|
||||
<PropertyGroup>
|
||||
<OutputType>Exe</OutputType>
|
||||
<TargetFramework>netcoreapp2.1</TargetFramework>
|
||||
</PropertyGroup>
|
||||
|
||||
private void CreateAndVerifyDotnetScript(XmlDocument xml)
|
||||
{
|
||||
</Project>");
|
||||
actions.LoadXml[@"C:\Project\test.csproj"] = xml;
|
||||
|
||||
var autobuilder = CreateAutoBuilder(true);
|
||||
TestAutobuilderScript(autobuilder, 0, 4);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void TestDefaultCSharpAutoBuilder1()
|
||||
{
|
||||
SetupActionForDotnet();
|
||||
var xml = new XmlDocument();
|
||||
xml.LoadXml(
|
||||
"""
|
||||
<Project Sdk="Microsoft.NET.Sdk">
|
||||
<PropertyGroup>
|
||||
<OutputType>Exe</OutputType>
|
||||
<TargetFramework>netcoreapp2.1</TargetFramework>
|
||||
</PropertyGroup>
|
||||
</Project>
|
||||
""");
|
||||
CreateAndVerifyDotnetScript(xml);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void TestDefaultCSharpAutoBuilder2()
|
||||
{
|
||||
SetupActionForDotnet();
|
||||
var xml = new XmlDocument();
|
||||
|
||||
xml.LoadXml(
|
||||
"""
|
||||
<Project>
|
||||
<Sdk Name="Microsoft.NET.Sdk" />
|
||||
|
||||
<PropertyGroup>
|
||||
<OutputType>Exe</OutputType>
|
||||
<TargetFramework>net9.0</TargetFramework>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<Nullable>enable</Nullable>
|
||||
</PropertyGroup>
|
||||
</Project>
|
||||
"""
|
||||
);
|
||||
CreateAndVerifyDotnetScript(xml);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void TestDefaultCSharpAutoBuilder3()
|
||||
{
|
||||
SetupActionForDotnet();
|
||||
var xml = new XmlDocument();
|
||||
|
||||
xml.LoadXml(
|
||||
"""
|
||||
<Project>
|
||||
<Import Project="Sdk.props" Sdk="Microsoft.NET.Sdk" />
|
||||
|
||||
<PropertyGroup>
|
||||
<OutputType>Exe</OutputType>
|
||||
<TargetFramework>net9.0</TargetFramework>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<Nullable>enable</Nullable>
|
||||
</PropertyGroup>
|
||||
<Import Project="Sdk.targets" Sdk="Microsoft.NET.Sdk" />
|
||||
</Project>
|
||||
"""
|
||||
);
|
||||
CreateAndVerifyDotnetScript(xml);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void TestLinuxCSharpAutoBuilder()
|
||||
{
|
||||
|
||||
@@ -3,6 +3,7 @@ using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
using System.Xml;
|
||||
using Semmle.Util.Logging;
|
||||
|
||||
namespace Semmle.Autobuild.Shared
|
||||
{
|
||||
@@ -25,26 +26,6 @@ namespace Semmle.Autobuild.Shared
|
||||
private readonly Lazy<List<Project<TAutobuildOptions>>> includedProjectsLazy;
|
||||
public override IEnumerable<IProjectOrSolution> IncludedProjects => includedProjectsLazy.Value;
|
||||
|
||||
private static bool HasSdkAttribute(XmlElement xml) =>
|
||||
xml.HasAttribute("Sdk");
|
||||
|
||||
private static bool AnyElement(XmlNodeList l, Func<XmlElement, bool> f) =>
|
||||
l.OfType<XmlElement>().Any(f);
|
||||
|
||||
/// <summary>
|
||||
/// According to https://learn.microsoft.com/en-us/visualstudio/msbuild/how-to-use-project-sdk?view=vs-2022#reference-a-project-sdk
|
||||
/// there are three ways to reference a project SDK:
|
||||
/// 1. As an attribute on the <Project/>.
|
||||
/// 2. As a top level element of <Project>.
|
||||
/// 3. As an attribute on an <Import> element.
|
||||
///
|
||||
/// Returns true, if the Sdk attribute is used, otherwise false.
|
||||
/// </summary>
|
||||
private static bool ReferencesSdk(XmlElement xml) =>
|
||||
HasSdkAttribute(xml) || // Case 1
|
||||
AnyElement(xml.ChildNodes, e => e.Name == "Sdk") || // Case 2
|
||||
AnyElement(xml.GetElementsByTagName("Import"), HasSdkAttribute); // Case 3
|
||||
|
||||
public Project(Autobuilder<TAutobuildOptions> builder, string path) : base(builder, path)
|
||||
{
|
||||
ToolsVersion = new Version();
|
||||
@@ -68,7 +49,7 @@ namespace Semmle.Autobuild.Shared
|
||||
|
||||
if (root?.Name == "Project")
|
||||
{
|
||||
if (ReferencesSdk(root))
|
||||
if (root.HasAttribute("Sdk"))
|
||||
{
|
||||
DotNetProject = true;
|
||||
return;
|
||||
|
||||
@@ -1,18 +1,8 @@
|
||||
#select
|
||||
| BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | User-provided value |
|
||||
| BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
|
||||
| BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
|
||||
edges
|
||||
| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net8.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:497:59:505:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
|
||||
| BlazorTest/obj/Debug/net8.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:497:59:505:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
|
||||
models
|
||||
| 1 | Sink: Microsoft.AspNetCore.Components; MarkupString; false; MarkupString; (System.String); ; Argument[0]; html-injection; manual |
|
||||
| 2 | Source: Microsoft.AspNetCore.Components; SupplyParameterFromQueryAttribute; false; ; ; Attribute.Getter; ReturnValue; remote; manual |
|
||||
| 3 | Summary: Microsoft.AspNetCore.Components.CompilerServices; RuntimeHelpers; false; TypeCheck<T>; (T); ; Argument[0]; ReturnValue; value; manual |
|
||||
nodes
|
||||
| BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | semmle.label | access to property Value |
|
||||
| BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
|
||||
| BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
|
||||
| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | semmle.label | access to property QueryParam : String |
|
||||
| BlazorTest/obj/Debug/net8.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:497:59:505:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
|
||||
subpaths
|
||||
|
||||
@@ -1,8 +1,2 @@
|
||||
import pytest
|
||||
import runs_on
|
||||
|
||||
|
||||
# Skipping the test on macos-15, as we're running into trouble.
|
||||
@pytest.mark.only_if(not runs_on.macos_15)
|
||||
def test(codeql, csharp):
|
||||
codeql.database.create(_assert_failure=True)
|
||||
|
||||
@@ -3,11 +3,8 @@ import pytest
|
||||
import os
|
||||
|
||||
|
||||
# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
|
||||
@pytest.mark.only_if(
|
||||
runs_on.linux
|
||||
or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
|
||||
)
|
||||
# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
|
||||
@pytest.mark.only_if(runs_on.linux or (runs_on.macos and runs_on.x86_64))
|
||||
def test(codeql, csharp):
|
||||
os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_DOTNET_FRAMEWORK_REFERENCES"] = (
|
||||
"/non-existent-path"
|
||||
|
||||
@@ -3,11 +3,8 @@ import runs_on
|
||||
import pytest
|
||||
|
||||
|
||||
# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
|
||||
@pytest.mark.only_if(
|
||||
runs_on.linux
|
||||
or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
|
||||
)
|
||||
# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
|
||||
@pytest.mark.only_if(runs_on.linux or (runs_on.macos and runs_on.x86_64))
|
||||
def test(codeql, csharp):
|
||||
# making sure we're not doing any fallback restore:
|
||||
os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_NUGET_FEEDS_CHECK_FALLBACK_TIMEOUT"] = "1"
|
||||
|
||||
@@ -2,10 +2,7 @@ import runs_on
|
||||
import pytest
|
||||
|
||||
|
||||
# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
|
||||
@pytest.mark.only_if(
|
||||
runs_on.linux
|
||||
or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
|
||||
)
|
||||
# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
|
||||
@pytest.mark.only_if(runs_on.linux or (runs_on.macos and runs_on.x86_64))
|
||||
def test(codeql, csharp):
|
||||
codeql.database.create(build_mode="none")
|
||||
|
||||
@@ -3,9 +3,6 @@ import pytest
|
||||
|
||||
|
||||
# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
|
||||
@pytest.mark.only_if(
|
||||
runs_on.linux
|
||||
or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
|
||||
)
|
||||
@pytest.mark.only_if(runs_on.linux or (runs_on.macos and runs_on.x86_64))
|
||||
def test(codeql, csharp):
|
||||
codeql.database.create(source_root="proj", build_mode="none")
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Blazor support can now better recognize when a property being set is specified with a string literal, rather than referenced in a `nameof` expression.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved autobuilder logic for detecting whether a project references a SDK (and should be built using `dotnet`).
|
||||
@@ -175,9 +175,10 @@ module PreSsa {
|
||||
}
|
||||
|
||||
final AssignableRead getAFirstRead() {
|
||||
exists(SsaInput::BasicBlock bb, int i |
|
||||
SsaImpl::firstUse(this, bb, i, true) and
|
||||
result = bb.getElement(i)
|
||||
exists(SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2 |
|
||||
this.definesAt(_, bb1, i1) and
|
||||
SsaImpl::adjacentDefRead(this, bb1, i1, bb2, i2) and
|
||||
result = bb2.getElement(i2)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -215,7 +216,8 @@ module PreSsa {
|
||||
predicate adjacentReadPairSameVar(AssignableRead read1, AssignableRead read2) {
|
||||
exists(SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2 |
|
||||
read1 = bb1.getElement(i1) and
|
||||
SsaImpl::adjacentUseUse(bb1, i1, bb2, i2, _, true) and
|
||||
SsaInput::variableRead(bb1, i1, _, true) and
|
||||
SsaImpl::adjacentDefRead(_, bb1, i1, bb2, i2) and
|
||||
read2 = bb2.getElement(i2)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -756,11 +756,6 @@ class SystemDateTimeStruct extends SystemStruct {
|
||||
SystemDateTimeStruct() { this.hasName("DateTime") }
|
||||
}
|
||||
|
||||
/** The `System.DateTimeOffset` struct. */
|
||||
class SystemDateTimeOffsetStruct extends SystemStruct {
|
||||
SystemDateTimeOffsetStruct() { this.hasName("DateTimeOffset") }
|
||||
}
|
||||
|
||||
/** The `System.Span<T>` struct. */
|
||||
class SystemSpanStruct extends SystemUnboundGenericStruct {
|
||||
SystemSpanStruct() {
|
||||
|
||||
@@ -122,38 +122,6 @@ private class MicrosoftAspNetCoreComponentsAddComponentParameterMethod extends M
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The `Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder::OpenComponent<TComponent>` method.
|
||||
*/
|
||||
private class MicrosoftAspNetCoreComponentsOpenComponentTComponentMethod extends Method {
|
||||
MicrosoftAspNetCoreComponentsOpenComponentTComponentMethod() {
|
||||
this.hasFullyQualifiedName("Microsoft.AspNetCore.Components.Rendering", "RenderTreeBuilder",
|
||||
"OpenComponent`1") and
|
||||
this.getNumberOfParameters() = 1
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The `Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder::OpenComponent` method.
|
||||
*/
|
||||
private class MicrosoftAspNetCoreComponentsOpenComponentMethod extends Method {
|
||||
MicrosoftAspNetCoreComponentsOpenComponentMethod() {
|
||||
this.hasFullyQualifiedName("Microsoft.AspNetCore.Components.Rendering", "RenderTreeBuilder",
|
||||
"OpenComponent") and
|
||||
this.getNumberOfParameters() = 2
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The `Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder::CloseComponent` method.
|
||||
*/
|
||||
private class MicrosoftAspNetCoreComponentsCloseComponentMethod extends Method {
|
||||
MicrosoftAspNetCoreComponentsCloseComponentMethod() {
|
||||
this.hasFullyQualifiedName("Microsoft.AspNetCore.Components.Rendering", "RenderTreeBuilder",
|
||||
"CloseComponent")
|
||||
}
|
||||
}
|
||||
|
||||
private module Sources {
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.Remote
|
||||
|
||||
@@ -176,37 +144,6 @@ private module Sources {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds for matching `RenderTreeBuilder.OpenComponent` and `RenderTreeBuilder.CloseComponent` calls with index `openCallIndex` and `closeCallIndex` respectively
|
||||
* within the `enclosing` enclosing callabale. The `componentType` is the type of the component that is being opened and closed.
|
||||
*/
|
||||
private predicate matchingOpenCloseComponentCalls(
|
||||
MethodCall openCall, int openCallIndex, MethodCall closeCall, int closeCallIndex,
|
||||
Callable enclosing, Type componentType
|
||||
) {
|
||||
(
|
||||
openCall.getTarget().getUnboundDeclaration() instanceof
|
||||
MicrosoftAspNetCoreComponentsOpenComponentTComponentMethod and
|
||||
openCall.getTarget().(ConstructedGeneric).getTypeArgument(0) = componentType
|
||||
or
|
||||
openCall.getTarget() instanceof MicrosoftAspNetCoreComponentsOpenComponentMethod and
|
||||
openCall.getArgument(1).(TypeofExpr).getTypeAccess().getTarget() = componentType
|
||||
) and
|
||||
openCall.getEnclosingCallable() = enclosing and
|
||||
closeCall.getTarget() instanceof MicrosoftAspNetCoreComponentsCloseComponentMethod and
|
||||
closeCall.getEnclosingCallable() = enclosing and
|
||||
exists(BlockStmt block |
|
||||
block = closeCall.getParent().getParent() and
|
||||
block = openCall.getParent().getParent() and
|
||||
block.getChildStmt(openCallIndex) = openCall.getParent() and
|
||||
closeCallIndex =
|
||||
min(int closeCallIndex0 |
|
||||
block.getChildStmt(closeCallIndex0) = closeCall.getParent() and
|
||||
closeCallIndex0 > openCallIndex
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
private module JumpNodes {
|
||||
/**
|
||||
* A call to `Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder::AddComponentParameter` which
|
||||
@@ -222,23 +159,7 @@ private module JumpNodes {
|
||||
*/
|
||||
Property getParameterProperty() {
|
||||
result.getAnAttribute() instanceof MicrosoftAspNetCoreComponentsParameterAttribute and
|
||||
(
|
||||
exists(NameOfExpr ne | ne = this.getArgument(1) | result.getAnAccess() = ne.getAccess())
|
||||
or
|
||||
exists(
|
||||
string propertyName, MethodCall openComponent, BlockStmt block, int openIdx, int closeIdx,
|
||||
int thisIdx
|
||||
|
|
||||
propertyName = this.getArgument(1).(StringLiteral).getValue() and
|
||||
result.hasName(propertyName) and
|
||||
matchingOpenCloseComponentCalls(openComponent, openIdx, _, closeIdx,
|
||||
this.getEnclosingCallable(), result.getDeclaringType()) and
|
||||
block = this.getParent().getParent() and
|
||||
block = openComponent.getParent().getParent() and
|
||||
block.getChildStmt(thisIdx) = this.getParent() and
|
||||
thisIdx in [openIdx + 1 .. closeIdx - 1]
|
||||
)
|
||||
)
|
||||
exists(NameOfExpr ne | ne = this.getArgument(1) | result.getAnAccess() = ne.getAccess())
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -57,9 +57,7 @@ class SimpleTypeSanitizedExpr extends DataFlow::ExprNode {
|
||||
SimpleTypeSanitizedExpr() {
|
||||
exists(Type t | t = this.getType() or t = this.getType().(NullableType).getUnderlyingType() |
|
||||
t instanceof SimpleType or
|
||||
t instanceof SystemDateTimeStruct or
|
||||
t instanceof SystemDateTimeOffsetStruct or
|
||||
t instanceof Enum
|
||||
t instanceof SystemDateTimeStruct
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Enums and `System.DateTimeOffset` are now treated as *simple* types, which means that they are considered to have a sanitizing effect. This impacts many queries, among others the `cs/log-forging` query.
|
||||
@@ -12,4 +12,3 @@
|
||||
- cs/constant-condition
|
||||
- cs/useless-gethashcode-call
|
||||
- cs/non-short-circuit
|
||||
- cs/useless-assignment-to-local
|
||||
|
||||
@@ -22,16 +22,10 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CsharpDat
|
||||
|
||||
class Callable = CS::Callable;
|
||||
|
||||
class NodeExtended = CS::DataFlow::Node;
|
||||
|
||||
Callable getAsExprEnclosingCallable(NodeExtended node) {
|
||||
result = node.asExpr().getEnclosingCallable()
|
||||
class NodeExtended extends CS::DataFlow::Node {
|
||||
Callable getAsExprEnclosingCallable() { result = this.asExpr().getEnclosingCallable() }
|
||||
}
|
||||
|
||||
Callable getEnclosingCallable(NodeExtended node) { result = node.getEnclosingCallable() }
|
||||
|
||||
Parameter asParameter(NodeExtended node) { result = node.asParameter() }
|
||||
|
||||
/**
|
||||
* Holds if any of the parameters of `api` are `System.Func<>`.
|
||||
*/
|
||||
|
||||
@@ -1,50 +0,0 @@
|
||||
namespace VulnerableBlazorApp.Components
|
||||
{
|
||||
using System.Collections.Generic;
|
||||
using Microsoft.AspNetCore.Components;
|
||||
|
||||
[RouteAttribute("/names2/{name?}")]
|
||||
public partial class NameList2 : Microsoft.AspNetCore.Components.ComponentBase
|
||||
{
|
||||
protected override void BuildRenderTree(Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder builder)
|
||||
{
|
||||
if (Names is not null)
|
||||
{
|
||||
builder.OpenElement(0, "div");
|
||||
builder.OpenElement(1, "ul");
|
||||
foreach (var name in Names)
|
||||
{
|
||||
builder.OpenElement(2, "li");
|
||||
builder.OpenComponent<VulnerableBlazorApp.Components.Name>(3);
|
||||
builder.AddComponentParameter(4, "TheName", name);
|
||||
builder.CloseComponent();
|
||||
builder.CloseElement();
|
||||
}
|
||||
builder.CloseElement();
|
||||
builder.CloseElement();
|
||||
}
|
||||
|
||||
builder.OpenElement(5, "div");
|
||||
builder.OpenElement(6, "p");
|
||||
builder.AddContent(7, "Name: ");
|
||||
builder.OpenComponent<VulnerableBlazorApp.Components.Name>(8);
|
||||
builder.AddComponentParameter(9, "TheName", Name);
|
||||
builder.CloseComponent();
|
||||
builder.CloseElement();
|
||||
}
|
||||
|
||||
[Parameter]
|
||||
public string Name { get; set; }
|
||||
|
||||
protected override void OnParametersSet()
|
||||
{
|
||||
if (Name is not null)
|
||||
{
|
||||
Names.Add(Name);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public List<string> Names { get; set; } = new List<string>();
|
||||
}
|
||||
}
|
||||
@@ -1,15 +1,12 @@
|
||||
edges
|
||||
| NameList2.cs:31:57:31:60 | access to property Name : String | Name.cs:13:53:13:59 | access to property TheName | provenance | Sink:MaD:149 |
|
||||
| NameList.cs:31:99:31:102 | access to property Name : String | Name.cs:13:53:13:59 | access to property TheName | provenance | Sink:MaD:149 |
|
||||
nodes
|
||||
| Components_Pages_TestPage_razor.g.cs:138:15:138:22 | access to property UrlParam | semmle.label | access to property UrlParam |
|
||||
| Components_Pages_TestPage_razor.g.cs:188:18:188:27 | access to property QueryParam | semmle.label | access to property QueryParam |
|
||||
| Name.cs:13:53:13:59 | access to property TheName | semmle.label | access to property TheName |
|
||||
| NameList2.cs:31:57:31:60 | access to property Name : String | semmle.label | access to property Name : String |
|
||||
| NameList.cs:31:99:31:102 | access to property Name : String | semmle.label | access to property Name : String |
|
||||
subpaths
|
||||
#select
|
||||
| Components_Pages_TestPage_razor.g.cs:138:15:138:22 | access to property UrlParam | Components_Pages_TestPage_razor.g.cs:138:15:138:22 | access to property UrlParam | Components_Pages_TestPage_razor.g.cs:138:15:138:22 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | Components_Pages_TestPage_razor.g.cs:138:15:138:22 | access to property UrlParam | User-provided value |
|
||||
| Components_Pages_TestPage_razor.g.cs:188:18:188:27 | access to property QueryParam | Components_Pages_TestPage_razor.g.cs:188:18:188:27 | access to property QueryParam | Components_Pages_TestPage_razor.g.cs:188:18:188:27 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | Components_Pages_TestPage_razor.g.cs:188:18:188:27 | access to property QueryParam | User-provided value |
|
||||
| Name.cs:13:53:13:59 | access to property TheName | NameList2.cs:31:57:31:60 | access to property Name : String | Name.cs:13:53:13:59 | access to property TheName | $@ flows to here and is written to HTML or JavaScript. | NameList2.cs:31:57:31:60 | access to property Name : String | User-provided value |
|
||||
| Name.cs:13:53:13:59 | access to property TheName | NameList.cs:31:99:31:102 | access to property Name : String | Name.cs:13:53:13:59 | access to property TheName | $@ flows to here and is written to HTML or JavaScript. | NameList.cs:31:99:31:102 | access to property Name : String | User-provided value |
|
||||
|
||||
@@ -2,9 +2,6 @@
|
||||
| Components_Pages_TestPage_razor.g.cs:138:15:138:22 | access to property UrlParam | ASP.NET Core component route parameter |
|
||||
| Components_Pages_TestPage_razor.g.cs:176:1:176:10 | access to property QueryParam | external |
|
||||
| Components_Pages_TestPage_razor.g.cs:188:18:188:27 | access to property QueryParam | external |
|
||||
| NameList2.cs:31:57:31:60 | access to property Name | ASP.NET Core component route parameter |
|
||||
| NameList2.cs:41:17:41:20 | access to property Name | ASP.NET Core component route parameter |
|
||||
| NameList2.cs:43:27:43:30 | access to property Name | ASP.NET Core component route parameter |
|
||||
| NameList.cs:31:99:31:102 | access to property Name | ASP.NET Core component route parameter |
|
||||
| NameList.cs:41:17:41:20 | access to property Name | ASP.NET Core component route parameter |
|
||||
| NameList.cs:43:27:43:30 | access to property Name | ASP.NET Core component route parameter |
|
||||
|
||||
@@ -114,6 +114,15 @@ class Test
|
||||
public void Dispose() { }
|
||||
}
|
||||
|
||||
class Bad
|
||||
{
|
||||
long GetLength(string file)
|
||||
{
|
||||
var stream = new FileStream(file, FileMode.Open); // $ Alert
|
||||
return stream.Length;
|
||||
}
|
||||
}
|
||||
|
||||
static class Extensions
|
||||
{
|
||||
public static FileStream Fluent(this FileStream fs) => fs;
|
||||
|
||||
@@ -4,4 +4,4 @@
|
||||
| NoDisposeCallOnLocalIDisposable.cs:76:25:76:71 | call to method Create | Disposable 'XmlReader' is created but not disposed. |
|
||||
| NoDisposeCallOnLocalIDisposable.cs:76:42:76:64 | object creation of type StringReader | Disposable 'StringReader' is created but not disposed. |
|
||||
| NoDisposeCallOnLocalIDisposable.cs:104:23:104:38 | object creation of type HttpClient | Disposable 'HttpClient' is created but not disposed. |
|
||||
| NoDisposeCallOnLocalIDisposableBad.cs:8:22:8:56 | object creation of type FileStream | Disposable 'FileStream' is created but not disposed. |
|
||||
| NoDisposeCallOnLocalIDisposable.cs:121:22:121:56 | object creation of type FileStream | Disposable 'FileStream' is created but not disposed. |
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
using System;
|
||||
using System.IO;
|
||||
|
||||
class Bad
|
||||
{
|
||||
long GetLength(string file)
|
||||
{
|
||||
var stream = new FileStream(file, FileMode.Open); // $ Alert
|
||||
return stream.Length;
|
||||
}
|
||||
}
|
||||
@@ -11,7 +11,6 @@
|
||||
| ConstantCondition.cs:114:13:114:14 | access to parameter b1 | Condition always evaluates to 'true'. |
|
||||
| ConstantCondition.cs:114:19:114:20 | access to parameter b2 | Condition always evaluates to 'true'. |
|
||||
| ConstantCondition.cs:141:22:141:22 | _ | Pattern always matches. |
|
||||
| ConstantConditionBad.cs:5:16:5:20 | ... > ... | Condition always evaluates to 'false'. |
|
||||
| ConstantConditionalExpressionCondition.cs:11:22:11:34 | ... == ... | Condition always evaluates to 'true'. |
|
||||
| ConstantConditionalExpressionCondition.cs:12:21:12:25 | false | Condition always evaluates to 'false'. |
|
||||
| ConstantConditionalExpressionCondition.cs:13:21:13:30 | ... == ... | Condition always evaluates to 'true'. |
|
||||
@@ -20,6 +19,7 @@
|
||||
| ConstantIfCondition.cs:11:17:11:29 | ... == ... | Condition always evaluates to 'true'. |
|
||||
| ConstantIfCondition.cs:14:17:14:21 | false | Condition always evaluates to 'false'. |
|
||||
| ConstantIfCondition.cs:17:17:17:26 | ... == ... | Condition always evaluates to 'true'. |
|
||||
| ConstantIfCondition.cs:30:20:30:24 | ... > ... | Condition always evaluates to 'false'. |
|
||||
| ConstantIsNullOrEmpty.cs:10:21:10:54 | call to method IsNullOrEmpty | Condition always evaluates to 'false'. |
|
||||
| ConstantIsNullOrEmpty.cs:46:21:46:46 | call to method IsNullOrEmpty | Condition always evaluates to 'true'. |
|
||||
| ConstantIsNullOrEmpty.cs:50:21:50:44 | call to method IsNullOrEmpty | Condition always evaluates to 'true'. |
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
class Bad
|
||||
{
|
||||
public int Max(int a, int b)
|
||||
{
|
||||
return a > a ? a : b; // $ Alert
|
||||
}
|
||||
}
|
||||
@@ -25,6 +25,11 @@ namespace ConstantIfCondition
|
||||
}
|
||||
}
|
||||
|
||||
public int Max(int a, int b)
|
||||
{
|
||||
return a > a ? a : b; // $ Alert
|
||||
}
|
||||
|
||||
public int Bar()
|
||||
{
|
||||
return ZERO;
|
||||
|
||||
@@ -9,14 +9,14 @@ public class DeadStoreOfLocal
|
||||
|
||||
public int M1()
|
||||
{
|
||||
int x = M2(); // $ Alert
|
||||
int x = M2(); // BAD
|
||||
return (x = 1) + x; // GOOD
|
||||
}
|
||||
|
||||
public int M2()
|
||||
{
|
||||
int x = 1; // GOOD
|
||||
return x + (x = 1); // $ Alert
|
||||
return x + (x = 1); // BAD
|
||||
}
|
||||
|
||||
public int M3()
|
||||
@@ -41,19 +41,19 @@ public class DeadStoreOfLocal
|
||||
|
||||
public void M5()
|
||||
{
|
||||
int x = M3(); // $ Alert
|
||||
int x = M3(); // BAD
|
||||
}
|
||||
|
||||
public void M6()
|
||||
{
|
||||
int x = 42;
|
||||
x += 1; // $ Alert
|
||||
x += 1; // BAD
|
||||
}
|
||||
|
||||
public void M7()
|
||||
{
|
||||
int x = 42;
|
||||
x++; // $ Alert
|
||||
x++; // BAD
|
||||
}
|
||||
|
||||
public IEnumerable<string> M8(IEnumerable<string> source)
|
||||
@@ -79,8 +79,8 @@ public class DeadStoreOfLocal
|
||||
|
||||
public void M10(IEnumerable<string> source)
|
||||
{
|
||||
foreach (var val in source) // $ Alert
|
||||
{
|
||||
foreach (var val in source)
|
||||
{ // BAD
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -98,10 +98,10 @@ public abstract class ExceptionsFlow
|
||||
message = "Unsuccessful completion"; // GOOD: Used in finally
|
||||
Process();
|
||||
info2 = "Finishing"; // GOOD: Used in exception handler
|
||||
extra = "Dead store here"; // $ Alert Dead store
|
||||
extra = "Dead store here"; // BAD: Dead store
|
||||
Process();
|
||||
message = "Successful completion"; // GOOD: Used in finally
|
||||
info1 = "Used in handler"; // $ Alert Used in handler, but not a reachable handler
|
||||
info1 = "Used in handler"; // BAD: Used in handler, but not a reachable handler
|
||||
}
|
||||
catch (SystemException ex)
|
||||
{
|
||||
@@ -139,7 +139,7 @@ public abstract class ExceptionsFlow
|
||||
{
|
||||
Process();
|
||||
}
|
||||
catch (Exception ex) // $ Alert
|
||||
catch (Exception ex) // BAD
|
||||
{
|
||||
Console.WriteLine("Stage " + stage);
|
||||
stage = 3; // GOOD: Used in finally
|
||||
@@ -157,7 +157,7 @@ public class OutParam
|
||||
public void Test()
|
||||
{
|
||||
int x;
|
||||
Fn(out x); // $ MISSING: Alert
|
||||
Fn(out x); // BAD
|
||||
Fn(out _); // GOOD
|
||||
}
|
||||
|
||||
@@ -194,7 +194,7 @@ public class Captured
|
||||
|
||||
void M2()
|
||||
{
|
||||
var x = M6(); // $ MISSING: Alert
|
||||
var x = M6(); // BAD [FALSE NEGATIVE]
|
||||
Action a = () =>
|
||||
{
|
||||
x = 1; // GOOD
|
||||
@@ -208,7 +208,7 @@ public class Captured
|
||||
int x;
|
||||
Action a = () =>
|
||||
{
|
||||
x = 1; // $ MISSING: Alert
|
||||
x = 1; // BAD [FALSE NEGATIVE]
|
||||
};
|
||||
a();
|
||||
}
|
||||
@@ -230,7 +230,7 @@ public class Captured
|
||||
|
||||
void M5()
|
||||
{
|
||||
int x = 0; // $ MISSING: Alert
|
||||
int x = 0; // BAD: NOT DETECTED
|
||||
Action a = () =>
|
||||
{
|
||||
x = 1; // GOOD
|
||||
@@ -243,14 +243,14 @@ public class Captured
|
||||
{
|
||||
fn(() =>
|
||||
{
|
||||
int y = M6(); // $ Alert
|
||||
int y = M6(); // BAD
|
||||
return (y = 1) + y; // GOOD
|
||||
});
|
||||
|
||||
int captured = 0; // GOOD: Variable captured variable
|
||||
fn(() => { return captured; });
|
||||
|
||||
return captured = 1; // $ MISSING: Alert
|
||||
return captured = 1; // BAD: NOT DETECTED
|
||||
}
|
||||
|
||||
void M7()
|
||||
@@ -258,7 +258,7 @@ public class Captured
|
||||
var y = 12; // GOOD: Not a dead store (used in delegate)
|
||||
fn(() =>
|
||||
{
|
||||
var x = y; // $ Alert Dead store in lambda
|
||||
var x = y; // BAD: Dead store in lambda
|
||||
return 0;
|
||||
});
|
||||
}
|
||||
@@ -297,8 +297,8 @@ class Patterns
|
||||
{ // GOOD
|
||||
Console.WriteLine($"int {i1}");
|
||||
}
|
||||
else if (o is var v1) // $ Alert
|
||||
{
|
||||
else if (o is var v1)
|
||||
{ // BAD
|
||||
}
|
||||
|
||||
switch (o)
|
||||
@@ -311,7 +311,7 @@ class Patterns
|
||||
case int i3: // GOOD
|
||||
Console.WriteLine($"int {i3}");
|
||||
break;
|
||||
case var v2: // $ Alert
|
||||
case var v2: // BAD
|
||||
break;
|
||||
default:
|
||||
Console.WriteLine("Something else");
|
||||
@@ -328,7 +328,7 @@ class Tuples
|
||||
Use(x);
|
||||
Use(b);
|
||||
Use(s);
|
||||
(x, (b, s)) = GetTuple(); // $ Alert on `b`
|
||||
(x, (b, s)) = GetTuple(); // BAD: `b`
|
||||
Use(x);
|
||||
Use(s);
|
||||
(x, (_, s)) = GetTuple(); // GOOD
|
||||
@@ -369,7 +369,7 @@ class Initializers
|
||||
|
||||
string M4()
|
||||
{
|
||||
var s = M3(); // $ Alert
|
||||
var s = M3(); // BAD
|
||||
s = "";
|
||||
return s;
|
||||
}
|
||||
@@ -395,7 +395,7 @@ class Initializers
|
||||
{
|
||||
var s = "";
|
||||
if (b)
|
||||
s = "abc"; // $ Alert
|
||||
s = "abc"; // BAD
|
||||
if (!b)
|
||||
return s;
|
||||
return null;
|
||||
@@ -469,18 +469,8 @@ public static class Using
|
||||
using var x = new System.IO.FileStream("", System.IO.FileMode.Open); // GOOD
|
||||
using var _ = new System.IO.FileStream("", System.IO.FileMode.Open); // GOOD
|
||||
|
||||
using (var y = new System.IO.FileStream("", System.IO.FileMode.Open)) // $ Alert
|
||||
using (var y = new System.IO.FileStream("", System.IO.FileMode.Open)) // BAD
|
||||
{
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class StringInterpolation
|
||||
{
|
||||
void Pi()
|
||||
{
|
||||
float pi = 3.14159f; // GOOD
|
||||
const int align = 6; // GOOD
|
||||
Console.WriteLine($"Pi, {pi,align:F3}");
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,2 +1 @@
|
||||
query: Dead Code/DeadStoreOfLocal.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Dead Code/DeadStoreOfLocal.ql
|
||||
|
||||
@@ -4,7 +4,7 @@ class Bad
|
||||
{
|
||||
double ParseInt(string s)
|
||||
{
|
||||
var success = int.TryParse(s, out int i); // $ Alert
|
||||
var success = int.TryParse(s, out int i);
|
||||
return i;
|
||||
}
|
||||
|
||||
@@ -20,7 +20,7 @@ class Bad
|
||||
{
|
||||
return double.Parse(s);
|
||||
}
|
||||
catch (FormatException e) // $ Alert
|
||||
catch (FormatException e)
|
||||
{
|
||||
return double.NaN;
|
||||
}
|
||||
@@ -29,14 +29,14 @@ class Bad
|
||||
int Count(string[] ss)
|
||||
{
|
||||
int count = 0;
|
||||
foreach (var s in ss) // $ Alert
|
||||
foreach (var s in ss)
|
||||
count++;
|
||||
return count;
|
||||
}
|
||||
|
||||
string IsInt(object o)
|
||||
{
|
||||
if (o is int i) // $ Alert
|
||||
if (o is int i)
|
||||
return "yes";
|
||||
else
|
||||
return "no";
|
||||
@@ -46,7 +46,7 @@ class Bad
|
||||
{
|
||||
switch (o)
|
||||
{
|
||||
case string s: // $ Alert
|
||||
case string s:
|
||||
return "yes";
|
||||
default:
|
||||
return "no";
|
||||
|
||||
@@ -15,10 +15,10 @@ public class LogForgingHandler : IHttpHandler
|
||||
|
||||
public void ProcessRequest(HttpContext ctx)
|
||||
{
|
||||
String username = ctx.Request.QueryString["username"]; // $ Source
|
||||
String username = ctx.Request.QueryString["username"];
|
||||
ILogger logger = new ILogger();
|
||||
// BAD: Logged as-is
|
||||
logger.Warn(username + " logged in"); // $ Alert
|
||||
logger.Warn(username + " logged in");
|
||||
// GOOD: New-lines removed
|
||||
logger.Warn(username.Replace(Environment.NewLine, "") + " logged in");
|
||||
// GOOD: New-lines removed
|
||||
@@ -28,11 +28,11 @@ public class LogForgingHandler : IHttpHandler
|
||||
// GOOD: Html encoded
|
||||
logger.Warn(WebUtility.HtmlEncode(username) + " logged in");
|
||||
// BAD: Logged as-is to TraceSource
|
||||
new TraceSource("Test").TraceInformation(username + " logged in"); // $ Alert
|
||||
new TraceSource("Test").TraceInformation(username + " logged in");
|
||||
|
||||
Microsoft.Extensions.Logging.ILogger logger2 = null;
|
||||
// BAD: Logged as-is
|
||||
logger2.LogError(username); // $ Alert
|
||||
logger2.LogError(username);
|
||||
}
|
||||
|
||||
public bool IsReusable
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
| LogForging.cs:21:21:21:43 | ... + ... | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:21:21:21:43 | ... + ... | This log entry depends on a $@. | LogForging.cs:18:27:18:49 | access to property QueryString | user-provided value |
|
||||
| LogForging.cs:31:50:31:72 | ... + ... | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:31:50:31:72 | ... + ... | This log entry depends on a $@. | LogForging.cs:18:27:18:49 | access to property QueryString | user-provided value |
|
||||
| LogForging.cs:35:26:35:33 | access to local variable username | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:35:26:35:33 | access to local variable username | This log entry depends on a $@. | LogForging.cs:18:27:18:49 | access to property QueryString | user-provided value |
|
||||
| LogForgingAsp.cs:17:21:17:43 | ... + ... | LogForgingAsp.cs:13:32:13:39 | username : String | LogForgingAsp.cs:17:21:17:43 | ... + ... | This log entry depends on a $@. | LogForgingAsp.cs:13:32:13:39 | username | user-provided value |
|
||||
| LogForgingAsp.cs:12:21:12:43 | ... + ... | LogForgingAsp.cs:8:32:8:39 | username : String | LogForgingAsp.cs:12:21:12:43 | ... + ... | This log entry depends on a $@. | LogForgingAsp.cs:8:32:8:39 | username | user-provided value |
|
||||
edges
|
||||
| LogForging.cs:18:16:18:23 | access to local variable username : String | LogForging.cs:21:21:21:43 | ... + ... | provenance | |
|
||||
| LogForging.cs:18:16:18:23 | access to local variable username : String | LogForging.cs:31:50:31:72 | ... + ... | provenance | |
|
||||
@@ -10,7 +10,7 @@ edges
|
||||
| LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:18:16:18:23 | access to local variable username : String | provenance | |
|
||||
| LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:18:27:18:61 | access to indexer : String | provenance | MaD:1 |
|
||||
| LogForging.cs:18:27:18:61 | access to indexer : String | LogForging.cs:18:16:18:23 | access to local variable username : String | provenance | |
|
||||
| LogForgingAsp.cs:13:32:13:39 | username : String | LogForgingAsp.cs:17:21:17:43 | ... + ... | provenance | |
|
||||
| LogForgingAsp.cs:8:32:8:39 | username : String | LogForgingAsp.cs:12:21:12:43 | ... + ... | provenance | |
|
||||
models
|
||||
| 1 | Summary: System.Collections.Specialized; NameValueCollection; false; get_Item; (System.String); ; Argument[this]; ReturnValue; taint; df-generated |
|
||||
nodes
|
||||
@@ -20,6 +20,6 @@ nodes
|
||||
| LogForging.cs:21:21:21:43 | ... + ... | semmle.label | ... + ... |
|
||||
| LogForging.cs:31:50:31:72 | ... + ... | semmle.label | ... + ... |
|
||||
| LogForging.cs:35:26:35:33 | access to local variable username | semmle.label | access to local variable username |
|
||||
| LogForgingAsp.cs:13:32:13:39 | username : String | semmle.label | username : String |
|
||||
| LogForgingAsp.cs:17:21:17:43 | ... + ... | semmle.label | ... + ... |
|
||||
| LogForgingAsp.cs:8:32:8:39 | username : String | semmle.label | username : String |
|
||||
| LogForgingAsp.cs:12:21:12:43 | ... + ... | semmle.label | ... + ... |
|
||||
subpaths
|
||||
|
||||
@@ -1,4 +1,2 @@
|
||||
query: Security Features/CWE-117/LogForging.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
|
||||
@@ -3,18 +3,13 @@ using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Http.Headers;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
|
||||
public enum TestEnum
|
||||
{
|
||||
TestEnumValue
|
||||
}
|
||||
|
||||
public class AspController : ControllerBase
|
||||
{
|
||||
public void Action1(string username) // $ Source
|
||||
public void Action1(string username)
|
||||
{
|
||||
var logger = new ILogger();
|
||||
// BAD: Logged as-is
|
||||
logger.Warn(username + " logged in"); // $ Alert
|
||||
logger.Warn(username + " logged in");
|
||||
}
|
||||
|
||||
public void Action1(DateTime date)
|
||||
@@ -43,53 +38,4 @@ public class AspController : ControllerBase
|
||||
logger.Warn($"Warning about the bool: {b}");
|
||||
}
|
||||
}
|
||||
|
||||
public void ActionInt(int i)
|
||||
{
|
||||
var logger = new ILogger();
|
||||
// GOOD: int is a sanitizer.
|
||||
logger.Warn($"Warning about the int: {i}");
|
||||
}
|
||||
|
||||
public void ActionLong(long l)
|
||||
{
|
||||
var logger = new ILogger();
|
||||
// GOOD: long is a sanitizer.
|
||||
logger.Warn($"Warning about the long: {l}");
|
||||
}
|
||||
|
||||
public void ActionFloat(float f)
|
||||
{
|
||||
var logger = new ILogger();
|
||||
// GOOD: float is a sanitizer.
|
||||
logger.Warn($"Warning about the float: {f}");
|
||||
}
|
||||
|
||||
public void ActionDouble(double d)
|
||||
{
|
||||
var logger = new ILogger();
|
||||
// GOOD: double is a sanitizer.
|
||||
logger.Warn($"Warning about the double: {d}");
|
||||
}
|
||||
|
||||
public void ActionDecimal(decimal d)
|
||||
{
|
||||
var logger = new ILogger();
|
||||
// GOOD: decimal is a sanitizer.
|
||||
logger.Warn($"Warning about the decimal: {d}");
|
||||
}
|
||||
|
||||
public void ActionEnum(TestEnum e)
|
||||
{
|
||||
var logger = new ILogger();
|
||||
// GOOD: Enum is a sanitizer.
|
||||
logger.Warn($"Warning about the enum: {e}");
|
||||
}
|
||||
|
||||
public void ActionDateTime(DateTimeOffset dt)
|
||||
{
|
||||
var logger = new ILogger();
|
||||
// GOOD: DateTimeOffset is a sanitizer.
|
||||
logger.Warn($"Warning about the DateTimeOffset: {dt}");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
|
||||
.. _codeql-for-actions:
|
||||
|
||||
CodeQL for GitHub Actions
|
||||
=========================
|
||||
|
||||
Experiment and learn how to write effective and efficient queries for CodeQL databases generated from GitHub Actions code.
|
||||
|
||||
.. toctree::
|
||||
:hidden:
|
||||
|
||||
codeql-library-for-actions
|
||||
customizing-library-models-for-actions
|
||||
|
||||
- :doc:`CodeQL library for GitHub Actions <codeql-library-for-actions>`: When you're analyzing GitHub Actions code, you can make use of the large collection of classes in the CodeQL library for GitHub Actions.
|
||||
|
||||
- :doc:`Customizing library models for GitHub Actions <customizing-library-models-for-actions>`: You can model frameworks and libraries that your codebase depends on using data extensions and publish them as CodeQL model packs.
|
||||
@@ -1,137 +0,0 @@
|
||||
.. _codeql-library-for-actions:
|
||||
|
||||
CodeQL library for GitHub Actions
|
||||
=================================
|
||||
|
||||
When you're analyzing GitHub Actions workflows and Action metadata files, you can make use of the large collection of classes in the CodeQL library for GitHub Actions.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
CodeQL ships with an extensive library for analyzing GitHub Actions code, particularly GitHub Actions workflow files and Action metadata files, each written in YAML.
|
||||
The classes in this library present the data from a CodeQL database in an object-oriented form and provide abstractions and predicates
|
||||
to help you with common analysis tasks.
|
||||
|
||||
The library is implemented as a set of CodeQL modules, that is, files with the extension ``.qll``. The
|
||||
module `actions.qll <https://github.com/github/codeql/blob/main/actions/ql/lib/actions.qll>`__ imports most other standard library modules, so you can include the complete
|
||||
library by beginning your query with:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
import actions
|
||||
|
||||
The CodeQL libraries model various aspects of the YAML code used to define workflows and actions.
|
||||
The above import includes the abstract syntax tree (AST) library, which is used for locating program elements, to match syntactic
|
||||
elements in the YAML source code. This can be used to find values, patterns and structures.
|
||||
Both the underlying YAML elements and the GitHub Actions-specific meaning of those elements are modeled.
|
||||
|
||||
See the GitHub Actions documentation on `workflow syntax <https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions>`__ and `metadata syntax <https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions>`__ for more information on GitHub Actions YAML syntax and meaning.
|
||||
|
||||
The control flow graph (CFG) is imported using
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
import codeql.actions.Cfg
|
||||
|
||||
The CFG models the control flow between statements and expressions, for example whether one expression can
|
||||
be evaluated before another expression, or whether an expression "dominates" another one, meaning that all paths to an
|
||||
expression must flow through another expression first.
|
||||
|
||||
The data flow library is imported using
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
import codeql.actions.DataFlow
|
||||
|
||||
Data flow tracks the flow of data through the program, including through function calls (interprocedural data flow) and between steps in a job or workflow.
|
||||
Data flow is particularly useful for security queries, where untrusted data flows to vulnerable parts of the program
|
||||
to exploit it. Related to data flow, is the taint-tracking library, which finds how data can *influence* other values
|
||||
in a program, even when it is not copied exactly.
|
||||
|
||||
To summarize, the main GitHub Actions library modules are:
|
||||
|
||||
.. list-table:: Main GitHub Actions library modules
|
||||
:header-rows: 1
|
||||
|
||||
* - Import
|
||||
- Description
|
||||
* - ``actions``
|
||||
- The standard GitHub Actions library
|
||||
* - ``codeql.actions.Ast``
|
||||
- The abstract syntax tree library (also imported by `actions.qll`)
|
||||
* - ``codeql.actions.Cfg``
|
||||
- The control flow graph library
|
||||
* - ``codeql.actions.DataFlow``
|
||||
- The data flow library
|
||||
* - ``codeql.actions.TaintTracking``
|
||||
- The taint tracking library
|
||||
|
||||
The CodeQL examples in this article are only excerpts and are not meant to represent complete queries.
|
||||
|
||||
Abstract syntax
|
||||
---------------
|
||||
|
||||
The abstract syntax tree (AST) represents the elements of the source code organized into a tree. The `AST viewer <https://docs.github.com/en/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code/>`__
|
||||
in Visual Studio Code shows the AST nodes, including the relevant CodeQL classes and predicates.
|
||||
|
||||
All CodeQL AST classes inherit from the `AstNode` class, which provides the following member predicates
|
||||
to all AST classes:
|
||||
|
||||
.. list-table:: Main predicates in ``AstNode``
|
||||
:header-rows: 1
|
||||
|
||||
* - Predicate
|
||||
- Description
|
||||
* - ``getEnclosingWorkflow()``
|
||||
- Gets the enclosing Actions workflow, if any. Applies only to elements within a workflow.
|
||||
* - ``getEnclosingJob()``
|
||||
- Gets the enclosing Actions workflow job, if any. Applies only to elements within a workflow.
|
||||
* - ``getEnclosingStep()``
|
||||
- Gets the enclosing Actions workflow job step, if any.
|
||||
* - ``getEnclosingCompositeAction()``
|
||||
- Gets the enclosing composite action, if any. Applies only to elements within an action metadata file.
|
||||
* - ``getLocation()``
|
||||
- Gets the location of this node.
|
||||
* - ``getAChildNode()``
|
||||
- Gets a child node of this node.
|
||||
* - ``getParentNode()``
|
||||
- Gets the parent of this ``AstNode``, if this node is not a root node.
|
||||
* - ``getATriggerEvent()``
|
||||
- Gets an Actions trigger event that can start the enclosing Actions workflow, if any.
|
||||
|
||||
|
||||
Workflows
|
||||
~~~~~~~~~
|
||||
|
||||
A workflow is a configurable automated process made up of one or more jobs,
|
||||
defined in a workflow YAML file in the ``.github/workflows`` directory of a GitHub repository.
|
||||
|
||||
In the CodeQL AST library, a ``Workflow`` is an ``AstNode`` representing the mapping at the top level of an Actions YAML workflow file.
|
||||
|
||||
See the GitHub Actions documentation on `workflows <https://docs.github.com/en/actions/writing-workflows/about-workflows>`__ and `workflow syntax <https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions>`__ for more information.
|
||||
|
||||
.. list-table:: Callable classes
|
||||
:header-rows: 1
|
||||
|
||||
* - CodeQL class
|
||||
- Description and selected predicates
|
||||
* - ``Workflow``
|
||||
- An Actions workflow, defined as a mapping at the top level of a workflow YAML file in ``.github/workflows``. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions.
|
||||
|
||||
- ``getAJob()`` - Gets a job within the ``jobs`` mapping of this workflow.
|
||||
- ``getEnv()`` - Gets an ``env`` mapping within this workflow declaring workflow-level environment variables, if any.
|
||||
- ``getJob(string jobId)`` - Gets a job within the ``jobs`` mapping of this workflow with the given job ID.
|
||||
- ``getOn()`` - Gets the ``on`` mapping defining the events that trigger this workflow.
|
||||
- ``getPermissions()`` - Gets a ``permissions`` mapping within this workflow declaring workflow-level token permissions, if any.
|
||||
- ``getStrategy()`` - Gets a ``strategy`` mapping for the jobs in this workflow, if any.
|
||||
- ``getName()`` - Gets the name of this workflow, if defined within the workflow.
|
||||
|
||||
The following example lists all jobs in a workflow with the name declaration ``name: test``:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
import actions
|
||||
|
||||
from Workflow w
|
||||
where w.getName() = "test"
|
||||
select w, m.getAJob()
|
||||
@@ -1,46 +0,0 @@
|
||||
.. _customizing-library-models-for-actions:
|
||||
|
||||
Customizing library models for GitHub Actions
|
||||
=============================================
|
||||
|
||||
.. include:: ../reusables/beta-note-customizing-library-models.rst
|
||||
|
||||
GitHub Actions analysis can be customized by adding library models in data extension files.
|
||||
|
||||
A data extension for GitHub Actions is a YAML file of the form:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: <name of extensible predicate>
|
||||
data:
|
||||
- <tuple1>
|
||||
- <tuple2>
|
||||
- ...
|
||||
|
||||
The CodeQL library for GitHub Actions exposes the following extensible predicates:
|
||||
|
||||
Customizing data flow and taint tracking:
|
||||
|
||||
- **actionsSourceModel**\(action, version, output, kind, provenance)
|
||||
- **actionsSinkModel**\(action, version, input, kind, provenance)
|
||||
- **actionsSummaryModel**\(action, version, input, output, kind, provenance)
|
||||
|
||||
Customizing Actions-specific analysis:
|
||||
|
||||
- **argumentInjectionSinksDataModel**\(regexp, command_group, argument_group)
|
||||
- **contextTriggerDataModel**\(trigger, context_prefix)
|
||||
- **externallyTriggerableEventsDataModel**\(event)
|
||||
- **immutableActionsDataModel**\(action)
|
||||
- **poisonableActionsDataModel**\(action)
|
||||
- **poisonableCommandsDataModel**\(regexp)
|
||||
- **poisonableLocalScriptsDataModel**\(regexp, group)
|
||||
- **repositoryDataModel**\(visibility, default_branch_name)
|
||||
- **trustedActionsOwnerDataModel**\(owner)
|
||||
- **untrustedEventPropertiesDataModel**\(property, kind)
|
||||
- **untrustedGhCommandDataModel**\(cmd_regex, flag)
|
||||
- **untrustedGitCommandDataModel**\(cmd_regex, flag)
|
||||
- **vulnerableActionsDataModel**\(action, vulnerable_version, vulnerable_sha, fixed_version)
|
||||
- **workflowDataModel**\(path, trigger, job, secrets_source, permissions, runner)
|
||||
@@ -1,7 +1,7 @@
|
||||
.. _customizing-library-models-for-ruby:
|
||||
|
||||
|
||||
Customizing library models for Ruby
|
||||
Customizing Library Models for Ruby
|
||||
===================================
|
||||
|
||||
.. include:: ../reusables/beta-note-customizing-library-models.rst
|
||||
|
||||
@@ -9,7 +9,6 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
|
||||
|
||||
codeql-for-cpp
|
||||
codeql-for-csharp
|
||||
codeql-for-actions
|
||||
codeql-for-go
|
||||
codeql-for-java
|
||||
codeql-for-javascript
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
.. _codeql-cli-2.20.7:
|
||||
|
||||
==========================
|
||||
CodeQL 2.20.7 (2025-03-18)
|
||||
==========================
|
||||
|
||||
.. contents:: Contents
|
||||
:depth: 2
|
||||
:local:
|
||||
:backlinks: none
|
||||
|
||||
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
|
||||
|
||||
Security Coverage
|
||||
-----------------
|
||||
|
||||
CodeQL 2.20.7 runs a total of 450 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 137 queries (covering 35 more CWE).
|
||||
|
||||
CodeQL CLI
|
||||
----------
|
||||
|
||||
There are no user-facing CLI changes in this release.
|
||||
@@ -1,211 +0,0 @@
|
||||
.. _codeql-cli-2.21.0:
|
||||
|
||||
==========================
|
||||
CodeQL 2.21.0 (2025-04-03)
|
||||
==========================
|
||||
|
||||
.. contents:: Contents
|
||||
:depth: 2
|
||||
:local:
|
||||
:backlinks: none
|
||||
|
||||
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
|
||||
|
||||
Security Coverage
|
||||
-----------------
|
||||
|
||||
CodeQL 2.21.0 runs a total of 452 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 35 more CWE). 1 security query has been added with this release.
|
||||
|
||||
CodeQL CLI
|
||||
----------
|
||||
|
||||
Miscellaneous
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
* On macOS the :code:`CODEQL_TRACER_RELOCATION_EXCLUDE` environment variable can now be used to exclude certain paths from the tracer relocation and tracing process. This environment variable accepts newline-separated regex patterns of binaries to be excluded.
|
||||
|
||||
Query Packs
|
||||
-----------
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
JavaScript/TypeScript
|
||||
"""""""""""""""""""""
|
||||
|
||||
* Fixed a bug, first introduced in :code:`2.20.3`, that would prevent :code:`v-html` attributes in Vue files from being flagged by the :code:`js/xss` query. The original behaviour has been restored and the :code:`v-html` attribute is once again functioning as a sink for the :code:`js/xss` query.
|
||||
* Fixed a bug that would in rare cases cause some regexp-based checks to be seen as generic taint sanitisers, even though the underlying regexp is not restrictive enough. The regexps are now analysed more precisely,
|
||||
and unrestrictive regexp checks will no longer block taint flow.
|
||||
* Fixed a recently-introduced bug that caused :code:`js/server-side-unvalidated-url-redirection` to ignore valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
|
||||
|
||||
Python
|
||||
""""""
|
||||
|
||||
* The :code:`py/unused-global-variable` now no longer flags variables that are only used in forward references (e.g. the :code:`Foo` in :code:`def bar(x: "Foo"): ...`).
|
||||
|
||||
GitHub Actions
|
||||
""""""""""""""
|
||||
|
||||
* Fixed typos in the query and alert titles for the queries
|
||||
:code:`actions/envpath-injection/critical`, :code:`actions/envpath-injection/medium`,
|
||||
:code:`actions/envvar-injection/critical`, and :code:`actions/envvar-injection/medium`.
|
||||
|
||||
Major Analysis Improvements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Java/Kotlin
|
||||
"""""""""""
|
||||
|
||||
* Updated the :code:`java/unreleased-lock` query so that it no longer report alerts in cases where a boolean variable is used to track lock state.
|
||||
|
||||
Minor Analysis Improvements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
C/C++
|
||||
"""""
|
||||
|
||||
* Fixed a bug in the models for Microsoft's Active Template Library (ATL).
|
||||
* The query "Use of basic integral type" (:code:`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (:code:`int8_t`, :code:`uint8_t`, etc.), and the :code:`_Bool` and :code:`bool` types.
|
||||
|
||||
C#
|
||||
""
|
||||
|
||||
* Improved dependency resolution in :code:`build-mode: none` extraction to handle failing :code:`dotnet restore` processes that managed to download a subset of the dependencies before the failure.
|
||||
* Increase query precision for :code:`cs/useless-gethashcode-call` by not flagging calls to :code:`GetHashCode` on :code:`uint`, :code:`long` and :code:`ulong`.
|
||||
* Increase query precision for :code:`cs/constant-condition` and allow the use of discards in switch/case statements and also take the condition (if any) into account.
|
||||
* The :code:`cs/local-not-disposed` query no longer flags un-disposed tasks as this is often not needed (explained `here <https://devblogs.microsoft.com/pfxteam/do-i-need-to-dispose-of-tasks/>`__).
|
||||
* Increase query precision for :code:`cs/useless-assignment-to-local` and :code:`cs/constant-condition` when *unknown* types are involved (mostly relevant for :code:`build-mode: none` databases).
|
||||
* Don't consider an if-statement to be *useless* in :code:`cs/useless-if-statement` if there is at least a comment.
|
||||
|
||||
Golang
|
||||
""""""
|
||||
|
||||
* False positives in "Log entries created from user input" (:code:`go/log-injection`) and "Clear-text logging of sensitive information" (:code:`go/clear-text-logging`) which involved the verb :code:`%T` in a format specifier have been fixed. As a result, some users may also see more alerts from the "Use of constant :code:`state` value in OAuth 2.0 URL" (:code:`go/constant-oauth2-state`) query.
|
||||
|
||||
Java/Kotlin
|
||||
"""""""""""
|
||||
|
||||
* Fixed a false positive in "Time-of-check time-of-use race condition" (:code:`java/toctou-race-condition`) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.
|
||||
* Overrides of :code:`BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the :code:`java/improper-intent-verification` query. This will reduce false positives from :code:`onReceive` methods which do not perform any actions.
|
||||
|
||||
Python
|
||||
""""""
|
||||
|
||||
* The :code:`py/special-method-wrong-signature` has been modernized and rewritten to no longer rely on outdated APIs. Moreover, the query no longer flags cases where a default value is never used, as these alerts were rarely useful.
|
||||
|
||||
New Queries
|
||||
~~~~~~~~~~~
|
||||
|
||||
C#
|
||||
""
|
||||
|
||||
* Added a new query, :code:`csharp/path-combine`, to recommend against the :code:`Path.Combine` method due to it silently discarding its earlier parameters if later parameters are rooted.
|
||||
|
||||
Java/Kotlin
|
||||
"""""""""""
|
||||
|
||||
* Added a new quality query, :code:`java/empty-method`, to detect empty methods.
|
||||
* The query :code:`java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the `CodeQL Community Packs <https://github.com/GitHubSecurityLab/CodeQL-Community-Packs>`__. This query was originally submitted as an experimental query `by @ggolawski <https://github.com/github/codeql/pull/2901>`__.
|
||||
|
||||
Swift
|
||||
"""""
|
||||
|
||||
* Added a new summary query counting the total number of extracted AST nodes.
|
||||
|
||||
Language Libraries
|
||||
------------------
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
Java/Kotlin
|
||||
"""""""""""
|
||||
|
||||
* In :code:`build-mode: none` where the project has a Gradle build system, database creation no longer attempts to download some non-existent jar files relating to non-jar Maven artifacts, such as BOMs. This was harmless, but saves some time and reduces spurious warnings.
|
||||
* Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.
|
||||
* Java build-mode :code:`none` no longer fails when a required version of Gradle cannot be downloaded using the :code:`gradle wrapper` command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.
|
||||
* Java build-mode :code:`none` no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.
|
||||
* Java build-mode :code:`none` now correctly uses Maven dependency information on Windows platforms.
|
||||
|
||||
Python
|
||||
""""""
|
||||
|
||||
* :code:`MatchLiteralPattern`\ s such as :code:`case None: ...` are now never pruned from the extracted source code. This fixes some situations where code was wrongly identified as unreachable.
|
||||
|
||||
GitHub Actions
|
||||
""""""""""""""
|
||||
|
||||
* The query :code:`actions/code-injection/medium` now produces alerts for injection vulnerabilities on :code:`pull_request` events.
|
||||
|
||||
Major Analysis Improvements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
JavaScript/TypeScript
|
||||
"""""""""""""""""""""
|
||||
|
||||
* Added support for TypeScript 5.8.
|
||||
|
||||
Minor Analysis Improvements
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
C#
|
||||
""
|
||||
|
||||
* The models for :code:`System.Uri` have been modified to better model the flow of tainted URIs.
|
||||
* Modeled parameter passing between Blazor parent and child components.
|
||||
|
||||
Golang
|
||||
""""""
|
||||
|
||||
* We no longer track taint into a :code:`sync.Map` via the key of a key-value pair, since we do not model any way in which keys can be read from a :code:`sync.Map`.
|
||||
* :code:`database` source models have been added for v1 and v2 of the :code:`github.com/couchbase/gocb` package.
|
||||
* Added :code:`database` source models for the :code:`github.com/Masterminds/squirrel` ORM package.
|
||||
|
||||
Java/Kotlin
|
||||
"""""""""""
|
||||
|
||||
* Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.
|
||||
* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path.
|
||||
|
||||
JavaScript/TypeScript
|
||||
"""""""""""""""""""""
|
||||
|
||||
* Added support for additional :code:`fs-extra` methods as sinks in path-injection queries.
|
||||
* Added support for the newer version of :code:`Hapi` with the :code:`@hapi/hapi` import and :code:`server` function.
|
||||
* Improved modeling of the :code:`node:fs` module: :code:`await`\ -ed calls to :code:`read` and :code:`readFile` are now supported.
|
||||
* Added support for the :code:`@sap/hana-client`, :code:`@sap/hdbext` and :code:`hdb` packages.
|
||||
* Enhanced :code:`axios` support with new methods (:code:`postForm`, :code:`putForm`, :code:`patchForm`, :code:`getUri`, :code:`create`) and added support for :code:`interceptors.request` and :code:`interceptors.response`.
|
||||
* Improved support for :code:`got` package with :code:`Options`, :code:`paginate()` and :code:`extend()`
|
||||
* Added support for the :code:`ApolloServer` class from :code:`@apollo/server` and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.
|
||||
* Improved support for :code:`superagent` to handle the case where the package is directly called as a function, or via the :code:`.del()` or :code:`.agent()` method.
|
||||
* Added support for the :code:`underscore.string` package.
|
||||
* Added additional flow step for :code:`unescape()` and :code:`escape()`.
|
||||
* Added support for the :code:`@tanstack/vue-query` package.
|
||||
* Added taint-steps for :code:`unescape()`.
|
||||
* Added support for the :code:`@tanstack/angular-query-experimental` package.
|
||||
* Improved support for the :code:`@angular/common/http` package, detecting outgoing HTTP requests in more cases.
|
||||
* Improved the modeling of the :code:`markdown-table` package to ensure it handles nested arrays properly.
|
||||
* Added support for the :code:`react-relay` library.
|
||||
|
||||
Python
|
||||
""""""
|
||||
|
||||
* Added the methods :code:`getMinArguments` and :code:`getMaxArguments` to the :code:`Function` class. These return the minimum and maximum positional arguments that the given function accepts.
|
||||
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
C/C++
|
||||
"""""
|
||||
|
||||
* Added :code:`Node.asUncertainDefinition` and :code:`Node.asCertainDefinition` to the :code:`DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
|
||||
|
||||
JavaScript/TypeScript
|
||||
"""""""""""""""""""""
|
||||
|
||||
* Extraction now supports regular expressions with the :code:`v` flag, using the new operators:
|
||||
|
||||
* Intersection :code:`&&`
|
||||
* Subtraction :code:`--`
|
||||
* :code:`\q` quoted string
|
||||
|
||||
@@ -11,8 +11,6 @@ A list of queries for each suite and language `is available here <https://docs.g
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
codeql-cli-2.21.0
|
||||
codeql-cli-2.20.7
|
||||
codeql-cli-2.20.6
|
||||
codeql-cli-2.20.5
|
||||
codeql-cli-2.20.4
|
||||
|
||||
@@ -23,8 +23,6 @@ The standard CodeQL query and library packs
|
||||
(`source <https://github.com/github/codeql/tree/codeql-cli/latest>`__)
|
||||
maintained by GitHub are:
|
||||
|
||||
- ``codeql/actions-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/actions/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/actions/ql/src>`__)
|
||||
- ``codeql/actions-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/actions/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/actions/ql/lib>`__)
|
||||
- ``codeql/cpp-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/src>`__)
|
||||
- ``codeql/cpp-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/lib>`__)
|
||||
- ``codeql/csharp-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/csharp/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/csharp/ql/src>`__)
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
# CWE coverage for GitHub Actions
|
||||
|
||||
An overview of CWE coverage for GitHub Actions in the latest release of CodeQL.
|
||||
|
||||
## Overview
|
||||
|
||||
<!-- autogenerated CWE coverage table will be added below -->
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
CodeQL query help for GitHub Actions
|
||||
============================
|
||||
|
||||
.. include:: ../reusables/query-help-overview.rst
|
||||
|
||||
These queries are published in the CodeQL query pack ``codeql/actions-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/actions/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/actions/ql/src>`__).
|
||||
|
||||
.. include:: toc-actions.rst
|
||||
@@ -27,7 +27,6 @@ Note that the CWE coverage includes both "`supported queries <https://github.com
|
||||
:titlesonly:
|
||||
|
||||
full-cwe
|
||||
actions-cwe
|
||||
cpp-cwe
|
||||
csharp-cwe
|
||||
go-cwe
|
||||
|
||||
@@ -5,7 +5,6 @@ View the query help for the queries included in the ``default``, ``security-exte
|
||||
|
||||
- :doc:`CodeQL query help for C and C++ <cpp>`
|
||||
- :doc:`CodeQL query help for C# <csharp>`
|
||||
- :doc:`CodeQL query help for GitHub Actions <actions>`
|
||||
- :doc:`CodeQL query help for Go <go>`
|
||||
- :doc:`CodeQL query help for Java and Kotlin <java>`
|
||||
- :doc:`CodeQL query help for JavaScript and TypeScript <javascript>`
|
||||
@@ -31,7 +30,6 @@ For a full list of the CWEs covered by these queries, see ":doc:`CodeQL CWE cove
|
||||
|
||||
cpp
|
||||
csharp
|
||||
actions
|
||||
go
|
||||
java
|
||||
javascript
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
- `CodeQL queries for GitHub Actions <https://github.com/github/codeql/tree/main/actions/ql/src>`__
|
||||
- `CodeQL library reference for GitHub Actions <https://codeql.github.com/codeql-standard-libraries/actions/>`__
|
||||
@@ -4,8 +4,6 @@
|
||||
|
||||
* - Language
|
||||
- Identifier
|
||||
* - GitHub Actions
|
||||
- ``actions``
|
||||
* - C/C++
|
||||
- ``cpp``
|
||||
* - C#
|
||||
|
||||
@@ -40,23 +40,6 @@ and the CodeQL library pack ``codeql/csharp-all`` (`changelog <https://github.co
|
||||
NHibernate, Database ORM
|
||||
WinForms, User interface
|
||||
|
||||
GitHub Actions built-in support
|
||||
================================
|
||||
|
||||
Provided by the current versions of the
|
||||
CodeQL query pack ``codeql/actions-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/actions/ql/src>`__)
|
||||
and the CodeQL library pack ``codeql/actions-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/actions/ql/lib>`__).
|
||||
|
||||
.. csv-table::
|
||||
:header-rows: 1
|
||||
:class: fullWidthTable
|
||||
:widths: auto
|
||||
:align: left
|
||||
|
||||
Name, Category
|
||||
`GitHub Actions workflow YAML files <https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions>`__, Workflows
|
||||
`GitHub Actions action metadata YAML files <https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions>`__, Actions
|
||||
|
||||
Go built-in support
|
||||
================================
|
||||
|
||||
|
||||
@@ -16,7 +16,6 @@
|
||||
.NET Core up to 3.1
|
||||
|
||||
.NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
|
||||
GitHub Actions [12]_,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
|
||||
Go (aka Golang), "Go up to 1.24", "Go 1.11 or more recent", ``.go``
|
||||
Java,"Java 7 to 24 [5]_","javac (OpenJDK and Oracle JDK),
|
||||
|
||||
@@ -41,4 +40,3 @@
|
||||
.. [9] Requires glibc 2.17.
|
||||
.. [10] Support for the analysis of Swift requires macOS.
|
||||
.. [11] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
|
||||
.. [12] Support for GitHub Actions is in public preview.
|
||||
|
||||
@@ -74,7 +74,6 @@ When writing your own alert queries, you would typically import the standard lib
|
||||
- :ref:`CodeQL library guide for C and C++ <codeql-library-for-cpp>`
|
||||
- :ref:`CodeQL library guide for C# <codeql-library-for-csharp>`
|
||||
- :ref:`CodeQL library guide for Go <codeql-library-for-go>`
|
||||
- :ref:`CodeQL library guide for GitHub Actions <codeql-library-for-actions>`
|
||||
- :ref:`CodeQL library guide for Java and Kotlin <codeql-library-for-java>`
|
||||
- :ref:`CodeQL library guide for JavaScript <codeql-library-for-javascript>`
|
||||
- :ref:`CodeQL library guide for Python <codeql-library-for-python>`
|
||||
|
||||
@@ -7,12 +7,9 @@ When you contribute a new [supported query](supported-queries.md) to this reposi
|
||||
* [C/C++ queries](https://codeql.github.com/codeql-query-help/cpp/)
|
||||
* [C# queries](https://codeql.github.com/codeql-query-help/csharp/)
|
||||
* [Go queries](https://codeql.github.com/codeql-query-help/go/)
|
||||
* [GitHub Actions queries](https://codeql.github.com/codeql-query-help/actions/)
|
||||
* [Java/Kotlin queries](https://codeql.github.com/codeql-query-help/java/)
|
||||
* [JavaScript/TypeScript queries](https://codeql.github.com/codeql-query-help/javascript/)
|
||||
* [Java queries](https://codeql.github.com/codeql-query-help/java/)
|
||||
* [JavaScript queries](https://codeql.github.com/codeql-query-help/javascript/)
|
||||
* [Python queries](https://codeql.github.com/codeql-query-help/python/)
|
||||
* [Ruby queries](https://codeql.github.com/codeql-query-help/ruby/)
|
||||
* [Swift queries](https://codeql.github.com/codeql-query-help/swift/)
|
||||
|
||||
### Location and file name
|
||||
|
||||
|
||||
@@ -19,13 +19,10 @@ For examples of query files for the languages supported by CodeQL, visit the fol
|
||||
|
||||
* [C/C++ queries](https://codeql.github.com/codeql-query-help/cpp/)
|
||||
* [C# queries](https://codeql.github.com/codeql-query-help/csharp/)
|
||||
* [GitHub Actions queries](https://codeql.github.com/codeql-query-help/actions/)
|
||||
* [Go queries](https://codeql.github.com/codeql-query-help/go/)
|
||||
* [Java/Kotlin queries](https://codeql.github.com/codeql-query-help/java/)
|
||||
* [Java queries](https://codeql.github.com/codeql-query-help/java/)
|
||||
* [JavaScript queries](https://codeql.github.com/codeql-query-help/javascript/)
|
||||
* [Python queries](https://codeql.github.com/codeql-query-help/python/)
|
||||
* [Ruby queries](https://codeql.github.com/codeql-query-help/ruby/)
|
||||
* [Swift queries](https://codeql.github.com/codeql-query-help/swift/)
|
||||
|
||||
## Metadata area
|
||||
|
||||
|
||||
@@ -56,7 +56,7 @@ github.com/gobuffalo/envy,,7,,,,,,,,,,,,,,,,,,,,7,,,,,
|
||||
github.com/gobwas/ws,,2,,,,,,,,,,,,,,,,,,,,,,2,,,
|
||||
github.com/gofiber/fiber,5,,,,,,,,4,,,,,,,,,1,,,,,,,,,
|
||||
github.com/gogf/gf-jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,,,
|
||||
github.com/gogf/gf/database/gdb,51,39,21,,,,,,,,,,,,51,,,,,,39,,,,,21,
|
||||
github.com/gogf/gf/database/gdb,51,,,,,,,,,,,,,,51,,,,,,,,,,,,
|
||||
github.com/going/toolkit/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,,,
|
||||
github.com/golang-jwt/jwt,3,,11,,2,1,,,,,,,,,,,,,,,,,,,,11,
|
||||
github.com/golang/glog,90,,,,,,90,,,,,,,,,,,,,,,,,,,,
|
||||
@@ -94,7 +94,7 @@ github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
github.com/sirupsen/logrus,145,,,,,,145,,,,,,,,,,,,,,,,,,,,
|
||||
github.com/spf13/afero,34,,,,,,,,34,,,,,,,,,,,,,,,,,,
|
||||
github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,,,4,
|
||||
github.com/uptrace/bun,63,8,,,,,,,,,,,,,63,,,,,,8,,,,,,
|
||||
github.com/uptrace/bun,63,,,,,,,,,,,,,,63,,,,,,,,,,,,
|
||||
github.com/valyala/fasthttp,35,50,5,,,,,,8,,,,17,8,,2,,,,,,,,50,,5,
|
||||
go.mongodb.org/mongo-driver/mongo,14,11,5,,,,,14,,,,,,,,,,,,,11,,,,,5,
|
||||
go.uber.org/zap,33,,11,,,,33,,,,,,,,,,,,,,,,,,,11,
|
||||
|
||||
|
@@ -8,7 +8,7 @@ Go framework & library support
|
||||
|
||||
Framework / library,Package,Flow sources,Taint & value steps,Sinks (total)
|
||||
`Afero <https://github.com/spf13/afero>`_,``github.com/spf13/afero*``,,,34
|
||||
`Bun <https://bun.uptrace.dev/>`_,``github.com/uptrace/bun*``,8,,63
|
||||
`Bun <https://bun.uptrace.dev/>`_,``github.com/uptrace/bun*``,,,63
|
||||
`CleverGo <https://github.com/clevergo/clevergo>`_,"``clevergo.tech/clevergo*``, ``github.com/clevergo/clevergo*``",,,2
|
||||
`Couchbase official client(gocb) <https://github.com/couchbase/gocb>`_,"``github.com/couchbase/gocb*``, ``gopkg.in/couchbase/gocb*``",44,96,16
|
||||
`Couchbase unofficial client <http://www.github.com/couchbase/go-couchbase>`_,``github.com/couchbaselabs/gocb*``,22,48,8
|
||||
@@ -22,7 +22,7 @@ Go framework & library support
|
||||
`Go kit <https://gokit.io/>`_,``github.com/go-kit/kit*``,,,1
|
||||
`Go-spew <https://github.com/davecgh/go-spew>`_,``github.com/davecgh/go-spew/spew*``,,,9
|
||||
`GoDotEnv <https://github.com/joho/godotenv>`_,``github.com/joho/godotenv*``,4,,
|
||||
`GoFrame <https://goframe.org/en/>`_,``github.com/gogf/gf*``,39,21,51
|
||||
`GoFrame <https://goframe.org/en/>`_,``github.com/gogf/gf*``,,,51
|
||||
`Gokogiri <https://github.com/moovweb/gokogiri>`_,"``github.com/jbowtie/gokogiri*``, ``github.com/moovweb/gokogiri*``",,,10
|
||||
`Iris <https://www.iris-go.com/>`_,``github.com/kataras/iris*``,,,14
|
||||
`Kubernetes <https://kubernetes.io/>`_,"``k8s.io/api*``, ``k8s.io/apimachinery*``",,57,
|
||||
@@ -74,5 +74,5 @@ Go framework & library support
|
||||
`yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
|
||||
`zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
|
||||
Others,``github.com/kanikanema/gorqlite``,8,2,24
|
||||
Totals,,688,1069,1556
|
||||
Totals,,641,1048,1556
|
||||
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user