hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 08:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
codeql/change-notes/1.23/analysis-csharp.md
Felicity Chapman 3b7ab8f734 Update shared data-flow note to match that for C/C++
2019-11-26 18:02:09 +00:00

4.0 KiB
Raw Permalink Blame History

Improvements to C# analysis

The following changes in version 1.23 affect C# analysis in all applications.

New queries

Query Tags Purpose
Deserialized delegate (cs/deserialized-delegate) security, external/cwe/cwe-502 Finds unsafe deserialization of delegate types. Results are shown on LGTM by default.
Deserialization of untrusted data (cs/unsafe-deserialization-untrusted-input) security, external/cwe/cwe-502 Finds flow of untrusted input to calls to unsafe deserializers. Results are shown on LGTM by default.
Mishandling the Japanese era start date (cs/mishandling-japanese-era) reliability, date-time Finds hard-coded Japanese era start dates that could be invalid. Results are not shown on LGTM by default.
Unsafe year argument for 'DateTime' constructor (cs/unsafe-year-construction) reliability, date-time Finds incorrect manipulation of DateTime values, which could lead to invalid dates. Results are not shown on LGTM by default.
Unsafe deserializer (cs/unsafe-deserialization) security, external/cwe/cwe-502 Finds calls to unsafe deserializers. By default, the query is not run on LGTM.

Changes to existing queries

Query Expected impact Change
Dereferenced variable may be null (cs/dereferenced-value-may-be-null) Fewer false positive results More null checks are now taken into account, including null checks for dynamic expressions and null checks such as object alwaysNull = null; if (x != alwaysNull) ....
Missing Dispose call on local IDisposable (cs/local-not-disposed) Fewer false positive results The query has been rewritten in order to identify more dispose patterns. For example, a local IDisposable that is disposed of by passing through a fluent API is no longer reported as missing a dispose call.

Changes to code extraction

  • nameof expressions are now extracted correctly when the name is a namespace.

Changes to libraries

  • The new class NamespaceAccess models accesses to namespaces, for example in nameof expressions.
  • The data-flow library now makes it easier to specify barriers/sanitizers arising from guards. You can override the predicate isBarrierGuard/isSanitizerGuard on data-flow and taint-tracking configurations respectively.
  • The data-flow library has been extended with a new feature to aid debugging. Previously, to explore the possible flow from all sources you could specify isSink(Node n) { any() } on a configuration. Now you can use the new Configuration::hasPartialFlow predicate, which gives a more complete picture of the partial flow paths from a given source, including flow that doesn't reach any sink. The feature is disabled by default and can be enabled for individual configurations by overriding int explorationLimit().
  • foreach statements where the body is guaranteed to be executed at least once, such as foreach (var x in new string[]{ "a", "b", "c" }) { ... }, are now recognized by all analyses based on the control-flow graph (such as SSA, data flow and taint tracking).
  • Fixed the control-flow graph for switch statements where the default case was not the last case. This had caused the remaining cases to be unreachable. SwitchStmt.getCase(int i) now puts the default case last.
  • There is now a DataFlow::localExprFlow predicate and a TaintTracking::localExprTaint predicate to make it easy to use the most common case of local data flow and taint: from one Expr to another.
  • Data is now tracked through null-coalescing expressions (??).
  • A new library semmle.code.csharp.Unification has been added. This library exposes two predicates unifiable and subsumes for calculating type unification and type subsumption, respectively.