diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index 2bdc935dfac3..98666dfbbdb8 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md @@ -1,3 +1,22 @@ +## 0.9.3 + +No user-facing changes. + +## 0.9.2 + +### Deprecated APIs + +* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead. + +### New Features + +* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr` + +### Minor Analysis Improvements + +* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation. +* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`. + ## 0.9.1 No user-facing changes. diff --git a/cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md b/cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md deleted file mode 100644 index 4baf9b770d61..000000000000 --- a/cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`. diff --git a/cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md b/cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md deleted file mode 100644 index f3f3a59e8f00..000000000000 --- a/cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr` \ No newline at end of file 
diff --git a/cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md b/cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md deleted file mode 100644 index b9bb1fada5ba..000000000000 --- a/cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: deprecated ---- -* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead. \ No newline at end of file diff --git a/cpp/ql/lib/change-notes/2023-08-29-delete-ir.md b/cpp/ql/lib/change-notes/2023-08-29-delete-ir.md deleted file mode 100644 index 2b8817c8d2bb..000000000000 --- a/cpp/ql/lib/change-notes/2023-08-29-delete-ir.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation. \ No newline at end of file diff --git a/cpp/ql/lib/change-notes/released/0.9.2.md b/cpp/ql/lib/change-notes/released/0.9.2.md new file mode 100644 index 000000000000..93b36c8e40a8 --- /dev/null +++ b/cpp/ql/lib/change-notes/released/0.9.2.md @@ -0,0 +1,14 @@ +## 0.9.2 + +### Deprecated APIs + +* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead. + +### New Features + +* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr` + +### Minor Analysis Improvements + +* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation. +* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`. 
diff --git a/cpp/ql/lib/change-notes/released/0.9.3.md b/cpp/ql/lib/change-notes/released/0.9.3.md new file mode 100644 index 000000000000..1c859ebb6b34 --- /dev/null +++ b/cpp/ql/lib/change-notes/released/0.9.3.md @@ -0,0 +1,3 @@ +## 0.9.3 + +No user-facing changes. diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml index 6789dcd18b70..7af7247cbb0a 100644 --- a/cpp/ql/lib/codeql-pack.release.yml +++ b/cpp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.9.1 +lastReleaseVersion: 0.9.3 diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 1a8ab0be7bb7..0a60a2153e9b 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 0.9.2-dev +version: 0.10.0-dev groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll index 967734f1cfd2..b6afadfe0e1b 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll 
@@ -645,12 +645,24 @@ private predicate adjustForPointerArith(PostUpdateNode pun, UseOrPhi use) {
   )
 }
 
+/**
+ * Holds if `nodeFrom` flows to `nodeTo` because there is `def-use` or
+ * `use-use` flow from `defOrUse` to `use`.
+ *
+ * `uncertain` is `true` if the `defOrUse` is an uncertain definition.
+ */
+private predicate localSsaFlow(
+  SsaDefOrUse defOrUse, Node nodeFrom, UseOrPhi use, Node nodeTo, boolean uncertain
+) {
+  nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
+  adjacentDefRead(defOrUse, use) and
+  useToNode(use, nodeTo) and
+  nodeFrom != nodeTo
+}
+
 private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, boolean uncertain) {
   exists(UseOrPhi use |
-    nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
-    adjacentDefRead(defOrUse, use) and
-    useToNode(use, nodeTo) and
-    nodeFrom != nodeTo
+    localSsaFlow(defOrUse, nodeFrom, use, nodeTo, uncertain)
     or
     // Initial global variable value to a first use
     nodeFrom.(InitialGlobalValue).getGlobalDef() = defOrUse and
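Review bot: The QLDoc added for `localSsaFlow` explains the `def-use`/`use-use` relation but leaves the `use` parameter and the `nodeFrom != nodeTo` conjunct undocumented, which matters now that the predicate is exposed to callers that bind `use` to `_` (see `stepUntilNotInCall` in the following hunk). I would extend the comment with `* `use` is the SSA use or phi that `nodeTo` corresponds to; `nodeFrom` and `nodeTo` are always distinct.` The enclosing `ssaFlowImpl` continues past the end of this hunk.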
@@ -728,15 +740,62 @@ private predicate isArgumentOfCallable(DataFlowCall call, Node n) {
   )
 }
 
-/** Holds if there is def-use or use-use flow from `pun` to `nodeTo`. */
-predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
-  exists(UseOrPhi use, Node preUpdate |
+/**
+ * Holds if there is use-use flow from `pun`'s pre-update node to `n`.
+ */
+private predicate postUpdateNodeToFirstUse(PostUpdateNode pun, Node n) {
+  exists(UseOrPhi use |
     adjustForPointerArith(pun, use) and
-    useToNode(use, nodeTo) and
+    useToNode(use, n)
+  )
+}
+
+private predicate stepUntilNotInCall(DataFlowCall call, Node n1, Node n2) {
+  isArgumentOfCallable(call, n1) and
+  exists(Node mid | localSsaFlow(_, n1, _, mid, _) |
+    isArgumentOfCallable(call, mid) and
+    stepUntilNotInCall(call, mid, n2)
+    or
+    not isArgumentOfCallable(call, mid) and
+    mid = n2
+  )
+}
+
+bindingset[n1, n2]
+pragma[inline_late]
+private predicate isArgumentOfSameCall(DataFlowCall call, Node n1, Node n2) {
+  isArgumentOfCallable(call, n1) and isArgumentOfCallable(call, n2)
+}
+
+/**
+ * Holds if there is def-use or use-use flow from `pun` to `nodeTo`.
+ *
+ * Note: This is more complex than it sounds. Consider a call such as:
+ * ```cpp
+ * write_first_argument(x, x);
+ * sink(x);
+ * ```
+ * Assume flow comes out of the first argument to `write_first_argument`. We
+ * don't want flow to go to the `x` that's also an argument to
+ * `write_first_argument` (because we just flowed out of that function, and we
+ * don't want to flow back into it again).
+ *
+ * We do, however, want flow from the output argument to `x` on the next line, and
+ * similarly we want flow from the second argument of `write_first_argument` to `x`
+ * on the next line.
+ */
+predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
+  exists(Node preUpdate, Node mid |
     preUpdate = pun.getPreUpdateNode() and
-    not exists(DataFlowCall call |
-      isArgumentOfCallable(call, preUpdate) and isArgumentOfCallable(call, nodeTo)
+    postUpdateNodeToFirstUse(pun, mid)
+  |
+    exists(DataFlowCall call |
+      isArgumentOfSameCall(call, preUpdate, mid) and
+      stepUntilNotInCall(call, mid, nodeTo)
     )
+    or
+    not isArgumentOfSameCall(_, preUpdate, mid) and
+    nodeTo = mid
   )
 }
 
diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
index f3d5cd46f668..700c0e331dd0 100644
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,19 @@
+## 0.7.5
+
+No user-facing changes.
+
+## 0.7.4
+
+### New Queries
+
+* Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
+
+### Minor Analysis Improvements
+
+* The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
+* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
+* The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
+
 ## 0.7.3
 
 No user-facing changes.
diff --git a/cpp/ql/src/change-notes/2023-08-21-invalid-pointer-deref.md b/cpp/ql/src/change-notes/2023-08-21-invalid-pointer-deref.md
deleted file mode 100644
index d8207a756049..000000000000
--- a/cpp/ql/src/change-notes/2023-08-21-invalid-pointer-deref.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
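Review bot: `stepUntilNotInCall` is the recursive core of the new `postUpdateFlow` logic yet it and `isArgumentOfSameCall` are added without QLDoc; I would document the former with `/** Holds if `n1` is an argument of `call` and `n2` is the first node reached from `n1` by repeated local SSA steps that is not itself an argument of `call`. */`. Two points worth confirming: the recursion calls `localSsaFlow(_, n1, _, mid, _)`, so it chains through uncertain definitions without surfacing `uncertain` the way `ssaFlowImpl` does, which may widen flow compared to a single step; and the updated OverflowDestination.expected gains an edge from `overflowdestination.cpp:54:9:54:12 | memcpy output argument` to the identically-labelled node, which suggests the new `nodeTo = mid` / `stepUntilNotInCall` branches can end on (or on a node printing the same as) `pun` itself, since `nodeFrom != nodeTo` only guards `localSsaFlow`. If that self-edge is not intended, adding `nodeTo != pun` to the outer `exists` of `postUpdateFlow` would exclude it; if it is intended, a sentence in the QLDoc saying so would save the next reader the same question.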
diff --git a/cpp/ql/src/change-notes/2023-08-24-no-taint-argv-indirections.md b/cpp/ql/src/change-notes/2023-08-24-no-taint-argv-indirections.md deleted file mode 100644 index 74b8e6910da0..000000000000 --- a/cpp/ql/src/change-notes/2023-08-24-no-taint-argv-indirections.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result. diff --git a/cpp/ql/src/change-notes/2023-08-24-remove-non-constant-assign-sources.md b/cpp/ql/src/change-notes/2023-08-24-remove-non-constant-assign-sources.md deleted file mode 100644 index f4dcc011a292..000000000000 --- a/cpp/ql/src/change-notes/2023-08-24-remove-non-constant-assign-sources.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results. diff --git a/cpp/ql/src/change-notes/2023-08-25-compare-where-assign-meant.md b/cpp/ql/src/change-notes/2023-08-25-compare-where-assign-meant.md deleted file mode 100644 index 8872ba413fbb..000000000000 --- a/cpp/ql/src/change-notes/2023-08-25-compare-where-assign-meant.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions. diff --git a/cpp/ql/src/change-notes/released/0.7.4.md b/cpp/ql/src/change-notes/released/0.7.4.md new file mode 100644 index 000000000000..bdec41d4f694 --- /dev/null +++ b/cpp/ql/src/change-notes/released/0.7.4.md 
@@ -0,0 +1,11 @@ +## 0.7.4 + +### New Queries + +* Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes. + +### Minor Analysis Improvements + +* The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions. +* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result. +* The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results. diff --git a/cpp/ql/src/change-notes/released/0.7.5.md b/cpp/ql/src/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..b2759d5bd80f --- /dev/null +++ b/cpp/ql/src/change-notes/released/0.7.5.md @@ -0,0 +1,3 @@ +## 0.7.5 + +No user-facing changes. diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/cpp/ql/src/codeql-pack.release.yml +++ b/cpp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index fd076044593a..88e5026c939f 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,12 +1,12 @@ name: codeql/cpp-queries -version: 0.7.4-dev -groups: +version: 0.8.0-dev +groups: - cpp - queries dependencies: - codeql/cpp-all: ${workspace} - codeql/suite-helpers: ${workspace} - codeql/util: ${workspace} + codeql/cpp-all: ${workspace} + codeql/suite-helpers: ${workspace} + codeql/util: ${workspace} suites: codeql-suites extractor: cpp defaultSuiteFile: codeql-suites/cpp-code-scanning.qls 
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
index 4cac88980228..fe5eed1b9161 100644
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
@@ -1,4 +1,4 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
-failures
 testFailures
+failures
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
index c49d9092cd70..c5f7ffcf1603 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -788,4 +788,12 @@ void test_sometimes_calls_sink_switch() {
   sometimes_calls_sink_switch(source(), 1);
   sometimes_calls_sink_switch(0, 0);
   sometimes_calls_sink_switch(source(), 0);
+}
+
+void intPointerSource(int *ref_source, const int* another_arg);
+
+void test() {
+  MyStruct a;
+  intPointerSource(a.content, a.content);
+  indirect_sink(a.content); // $ ast ir
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
index dc5ea865b947..722909678573 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
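Review bot: The new test function in test.cpp is named `test()`, while the surrounding file uses descriptive `test_*` names such as `test_sometimes_calls_sink_switch` visible in the hunk header, and a bare `test` is easy to collide with or misread in a file this long. Since the case exercises the "same argument passed twice to an output-parameter source" scenario described in the SsaInternals change, I would rename it to `void test_source_argument_used_twice() {` and add a one-line comment above it, `// Both arguments alias a.content; flow out of the first must still reach indirect_sink.`, so the expectation on the `// $ ast ir` line is self-explaining. Whether `intPointerSource` is recognized as a source by name or by a model is not visible in this hunk.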
@@ -46,3 +46,6 @@ | test.cpp:595:8:595:9 | xs | test.cpp:597:9:597:10 | xs | | test.cpp:733:7:733:7 | x | test.cpp:734:41:734:41 | x | | test.cpp:733:7:733:7 | x | test.cpp:735:8:735:8 | x | +| test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a | +| test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a | +| test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected index 73f93c6ba9b7..82049fc92295 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected @@ -7,6 +7,7 @@ edges | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection | | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument | | overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument | +| overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument | | overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection | | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection | | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection | diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md index 887b20471da0..cc79b182da60 100644 --- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md 
@@ -1,3 +1,11 @@ +## 1.6.5 + +No user-facing changes. + +## 1.6.4 + +No user-facing changes. + ## 1.6.3 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.4.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.4.md new file mode 100644 index 000000000000..5c811dc46384 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.4.md @@ -0,0 +1,3 @@ +## 1.6.4 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.5.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.5.md new file mode 100644 index 000000000000..44f1ca6de3e7 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.5.md @@ -0,0 +1,3 @@ +## 1.6.5 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index 00b51441d882..031532705578 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.6.3 +lastReleaseVersion: 1.6.5 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index 5719e05afcf8..8d400fbbaa4b 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,9 +1,9 @@ name: codeql/csharp-solorigate-all -version: 1.6.4-dev +version: 1.7.0-dev groups: - - csharp - - solorigate + - csharp + - solorigate library: true dependencies: - codeql/csharp-all: ${workspace} + codeql/csharp-all: ${workspace} warnOnImplicitThis: true diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index 887b20471da0..cc79b182da60 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md 
@@ -1,3 +1,11 @@ +## 1.6.5 + +No user-facing changes. + +## 1.6.4 + +No user-facing changes. + ## 1.6.3 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.4.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.4.md new file mode 100644 index 000000000000..5c811dc46384 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.4.md @@ -0,0 +1,3 @@ +## 1.6.4 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.5.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.5.md new file mode 100644 index 000000000000..44f1ca6de3e7 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.5.md @@ -0,0 +1,3 @@ +## 1.6.5 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index 00b51441d882..031532705578 100644 --- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.6.3 +lastReleaseVersion: 1.6.5 diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index 2a3524ece6d0..ddf6820236ff 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,10 +1,10 @@ name: codeql/csharp-solorigate-queries -version: 1.6.4-dev +version: 1.7.0-dev groups: - - csharp - - solorigate + - csharp + - solorigate defaultSuiteFile: codeql-suites/solorigate.qls dependencies: - codeql/csharp-all: ${workspace} - codeql/csharp-solorigate-all: ${workspace} + codeql/csharp-all: ${workspace} + codeql/csharp-solorigate-all: ${workspace} warnOnImplicitThis: true diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index c96f22b5aa8c..1d2703e856e2 100644 --- a/csharp/ql/lib/CHANGELOG.md 
+++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,13 @@ +## 0.7.5 + +No user-facing changes. + +## 0.7.4 + +### Minor Analysis Improvements + +* The `--nostdlib` extractor option for the standalone extractor has been removed. + ## 0.7.3 ### Minor Analysis Improvements diff --git a/csharp/ql/lib/change-notes/2023-08-20-standaloneextraction-mscorlib.md b/csharp/ql/lib/change-notes/released/0.7.4.md similarity index 50% rename from csharp/ql/lib/change-notes/2023-08-20-standaloneextraction-mscorlib.md rename to csharp/ql/lib/change-notes/released/0.7.4.md index 47da98538aff..9665706305a3 100644 --- a/csharp/ql/lib/change-notes/2023-08-20-standaloneextraction-mscorlib.md +++ b/csharp/ql/lib/change-notes/released/0.7.4.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- -* The `--nostdlib` extractor option for the standalone extractor has been removed. \ No newline at end of file +## 0.7.4 + +### Minor Analysis Improvements + +* The `--nostdlib` extractor option for the standalone extractor has been removed. diff --git a/csharp/ql/lib/change-notes/released/0.7.5.md b/csharp/ql/lib/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..b2759d5bd80f --- /dev/null +++ b/csharp/ql/lib/change-notes/released/0.7.5.md @@ -0,0 +1,3 @@ +## 0.7.5 + +No user-facing changes. diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index ba47a23065f5..1f96818bb7fe 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 0.7.4-dev +version: 0.8.0-dev groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp 
diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index 0d165e05a258..d391679c5dfc 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.7.5 + +No user-facing changes. + +## 0.7.4 + +No user-facing changes. + ## 0.7.3 No user-facing changes. diff --git a/csharp/ql/src/change-notes/released/0.7.4.md b/csharp/ql/src/change-notes/released/0.7.4.md new file mode 100644 index 000000000000..1b33df9cb1e8 --- /dev/null +++ b/csharp/ql/src/change-notes/released/0.7.4.md @@ -0,0 +1,3 @@ +## 0.7.4 + +No user-facing changes. diff --git a/csharp/ql/src/change-notes/released/0.7.5.md b/csharp/ql/src/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..b2759d5bd80f --- /dev/null +++ b/csharp/ql/src/change-notes/released/0.7.5.md @@ -0,0 +1,3 @@ +## 0.7.5 + +No user-facing changes. diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index a9d4c81c0f11..7690ae016fc5 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,6 +1,6 @@ name: codeql/csharp-queries -version: 0.7.4-dev -groups: +version: 0.8.0-dev +groups: - csharp - queries suites: codeql-suites diff --git a/docs/codeql/codeql-for-visual-studio-code/index.rst b/docs/codeql/codeql-for-visual-studio-code/index.rst index 1b45ef10a3e5..fc615f932f89 100644 --- a/docs/codeql/codeql-for-visual-studio-code/index.rst +++ b/docs/codeql/codeql-for-visual-studio-code/index.rst 
@@ -37,7 +37,10 @@ The CodeQL extension for Visual Studio Code adds rich language support for CodeQ CodeQL queries using the Visual Studio Code extension. - :doc:`Working with CodeQL packs in Visual Studio Code - `: You can view and edit CodeQL packs in Visual Studio Code. + `: You can view, create, and edit all types of CodeQL pack in Visual Studio Code. + +- :doc:`Using the CodeQL model editor + `: You can view, create, and edit CodeQL model packs using a dedicated editor. - :doc:`Customizing settings `: You can edit the settings for the @@ -67,6 +70,7 @@ The CodeQL extension for Visual Studio Code adds rich language support for CodeQ running-codeql-queries-at-scale-with-mrva testing-codeql-queries-in-visual-studio-code working-with-codeql-packs-in-visual-studio-code + using-the-codeql-model-editor customizing-settings troubleshooting-codeql-for-visual-studio-code troubleshooting-variant-analysis diff --git a/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst b/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst index 6ed374381d8d..ac67d31afde0 100644 --- a/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst +++ b/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst @@ -74,6 +74,8 @@ To use the starter workspace: #. In VS Code, use the **File** > **Open Workspace** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository. +Remember to update the ``ql`` submodule in the starter workspace periodically to ensure that it remains compatible with newer versions of the VS Code extension and the CodeQL CLI. + .. _existing-workspace: Updating an existing workspace for CodeQL 
diff --git a/docs/codeql/codeql-for-visual-studio-code/using-the-codeql-model-editor.rst b/docs/codeql/codeql-for-visual-studio-code/using-the-codeql-model-editor.rst new file mode 100644 index 000000000000..c5586ba961ac --- /dev/null +++ b/docs/codeql/codeql-for-visual-studio-code/using-the-codeql-model-editor.rst 
@@ -0,0 +1,139 @@ +:tocdepth: 1 + +.. _using-the-codeql-model-editor: + +Using the CodeQL model editor +============================= + +.. include:: ../reusables/beta-note-model-pack-editor-vsc.rst + +You can view, write, and edit CodeQL packs in Visual Studio Code using the CodeQL extension. The model editor is designed to help you model external dependencies of your codebase that are not supported by the standard CodeQL Libraries. + +About the CodeQL model editor +----------------------------- + +The CodeQL model editor guides you through modeling the calls to external dependencies in your application or fully modeling all the public entry and exit points in an external dependency. + +When you open the model editor, it analyzes the currently selected CodeQL database and identifies where the application uses external APIs and all public methods. An external (or third party) API is any API that is not part of the CodeQL database you have selected. + +The model editor has two different modes: + +- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for the specific codebase. + +- Dependency mode: The editor identifies all of the publicly accessible APIs in the selected CodeQL database. This view guides you through modeling each public API that the codebase makes available. When you have finished modeling the entire API, you can save the model and use it to improve the CodeQL analysis for all codebases that use the dependency. + +Displaying the CodeQL model editor +---------------------------------- + +#. Open your CodeQL workspace in VS Code, for example, the ``vscode-codeql-starter`` workspace. 
+ If you haven't updated the ``ql`` submodule for a while, update it from ``main`` to ensure that you have the queries used to gather data for the model editor. +#. Open the CodeQL extension and select the CodeQL database that you want to model from the "Databases" section of the left side pane. +#. Use the command palette to run the “CodeQL: Open Model Editor (Beta)” command. +#. The CodeQL model editor will open in a new tab and run a series of telemetry queries to identify APIs in the code. +#. When the queries are complete, the APIs that have been identified are shown in the editor. + +Modeling the calls your codebase makes to external APIs +------------------------------------------------------- + +You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is usually when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis. + +#. Select the CodeQL database that you want to improve CodeQL coverage for. +#. Display the CodeQL model editor. By default the editor runs in application mode, so the list of external APIs used by the selected codebase is shown. + + .. image:: ../images/codeql-for-visual-studio-code/model-application-mode.png + :width: 800 + :alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing three of the external frameworks used by the "sofa-jraft" codebase. + +#. Click to expand an external API and view the list of calls from the codebase to the external dependency. +#. Click **View** associated with an API call or method to show where it is used in your codebase. + + .. 
image:: ../images/codeql-for-visual-studio-code/model-application-mode-expanded.png + :width: 800 + :alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing the calls to the "rocksdbjni" framework ready for modeling. The "View" option for the first call is highlighted with a dark orange outline. + +#. When you have determined how to model the call or method, define the **Model type**. +#. The remaining fields are updated with available options: + + - **Source**: choose the **Output** element to model. + - **Sink**: choose the **Input** element to model. + - **Flow summary**: choose the **Input** and **Output** elements to model. + +#. Define the **Kind** of dataflow for the model. +#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated. + +The models are stored in your workspace at ``.github/codeql/extensions/``, where ```` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. + +The models are stored in a series of YAML data extension files, one for each external API. For example: + +.. code-block:: none + + .github/codeql/extensions/sofa-jraft-java # the model pack directory + models + jmh-core.model.yml # models calls to jmh-core@1.20 + rocksdbjni.model.yml # models calls to rocksdbjni@7.7.3 + +Modeling the public API of a codebase +------------------------------------- + +You typically use this method when you want to model a framework or library that your organization uses in more than one codebase. Once you have finished creating and testing the model, you can publish the CodeQL model pack to the GitHub Container Registry for your whole organization to use. + +#. Select the CodeQL database that you want to model. +#. Display the CodeQL model editor. By default the editor runs in application mode. 
Click **Model as dependency** to display dependency mode. The screen changes to show the public API of the framework or library. + + .. image:: ../images/codeql-for-visual-studio-code/model-dependency-mode.png + :width: 800 + :alt: Screenshot of the "Dependency mode" view of the CodeQL model pack editor in Visual Studio Code showing three of the packages published by the "sofa-jraft" codebase. + +#. Click to expand a package and view the list of available methods. +#. Click **View** associated with a method to show its definition. + + .. image:: ../images/codeql-for-visual-studio-code/model-dependency-mode-expanded.png + :width: 800 + :alt: Screenshot of the "Dependency mode" view of the CodeQL model pack editor in Visual Studio Code showing the public methods available in the "com.alipay.soft.jraft.option" package ready for modeling. The "View" option for the first method is highlighted with a dark orange outline. + +#. When you have determined how to model the method, define the **Model type**. +#. The remaining fields are updated with available options: + + - **Source**: choose the **Output** element to model. + - **Sink**: choose the **Input** element to model. + - **Flow summary**: choose the **Input** and **Output** elements to model. + +#. Define the **Kind** of dataflow for the model. +#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated. + +The models are stored in your workspace at ``.github/codeql/extensions/``, where ```` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. + +The models are stored in a series of YAML data extension files, one for each public method. For example: + +.. 
code-block:: none + + .github/codeql/extensions/sofa-jraft-java # the model pack directory + models + com.alipay.sofa.jraft.option.model.yml # models public methods in package + com.alipay.sofa.jraft.rhea.options.model.yml # models public methods in package + +The editor will create a separate model file for each package that you model. + +Testing CodeQL model packs +-------------------------- + +You can test any CodeQL model packs you create in VS Code by toggling the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories. + +- To run queries on a CodeQL database with any model packs that are stored within the ``.github/codeql/extensions`` directory of the workspace, update your ``settings.json`` file with: ``"codeQL.runningQueries.useModelPacks": all,`` +- To run queries on a CodeQL database without using model packs, update your ``settings.json`` file with: ``"codeQL.runningQueries.useModelPacks": none,`` + +If your model is working well, you should see a difference in the results of the two different runs. If you don't see any differences in results, you may need to introduce a known bug to verify that the model behaves as expected. + +Using CodeQL model packs with code scanning +------------------------------------------- + +There are two methods for using CodeQL model packs with code scanning: + +#. Copy the model pack directory into the ``.github/codeql/extensions`` directory of the repository. It will automatically be used by all future code scanning analysis for the repository (default setup or advanced setup). +#. Publish the model pack to the GitHub Container Registry as a CodeQL model pack. This can be downloaded and used by advanced setup for code scanning or by the CodeQL CLI running in an external CI system. 
+
+For more information, see the following articles on the GitHub Docs site:
+
+- Default setup of code scanning: `Extending CodeQL coverage with CodeQL model packs in default setup `__
+- Advanced setup of code scanning: `Extending CodeQL coverage with CodeQL model packs `__
+- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies `__
diff --git a/docs/codeql/codeql-for-visual-studio-code/working-with-codeql-packs-in-visual-studio-code.rst b/docs/codeql/codeql-for-visual-studio-code/working-with-codeql-packs-in-visual-studio-code.rst
index dabf59cc5636..fe1e9a0bbdd2 100644
--- a/docs/codeql/codeql-for-visual-studio-code/working-with-codeql-packs-in-visual-studio-code.rst
+++ b/docs/codeql/codeql-for-visual-studio-code/working-with-codeql-packs-in-visual-studio-code.rst
@@ -7,33 +7,49 @@ Working with CodeQL packs in Visual Studio Code .. include:: ../reusables/beta-note-package-management.rst -You can view CodeQL packs and write and edit queries for them in Visual Studio Code. +You can view, write, and edit all types of CodeQL packs in Visual Studio Code using the CodeQL extension. About CodeQL packs ------------------ -CodeQL packs are used to create, share, depend on, and run CodeQL queries and libraries. You can publish your own CodeQL packs and download packs created by others. For more information, see "`About CodeQL packs `__." +You use CodeQL packs to share your expertise in query writing, CodeQL library development, and modeling dependencies with other users. The CodeQL package management system ensures that when you publish a CodeQL pack it is ready to use, without any compilation. Anything the CodeQL pack depends on is explicitly defined within the pack. You can publish your own CodeQL packs and download packs created by others. For more information, see "`About CodeQL packs `__." -Using standard CodeQL packs in Visual Studio Code --------------------------------------------------------------- +There are three types of CodeQL packs, each with a specific purpose. + +- Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and pre-compiled representations of each query, in addition to the query sources. This ensures consistent and efficient execution of the queries in the pack. +- Model packs are used to model dependencies that are not supported by the standard CodeQL libraries. When you add a model pack to your analysis, all relevant queries also recognize the sources, sinks and flow steps of the dependencies defined in the pack. +- Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately. 
+ +Using the CodeQL packs shipped with the CLI in Visual Studio Code +----------------------------------------------------------------- To install dependencies for a CodeQL pack in your Visual Studio Code workspace, run the **CodeQL: Install Pack Dependencies** command from the Command Palette and select the packs you want to install dependencies for. You can write and run query packs that depend on the CodeQL standard libraries, without needing to check out the standard libraries in your workspace. Instead, you can install only the dependencies required by the query packs you want to use. -Creating and editing CodeQL packs in Visual Studio Code -------------------------------------------------------- -To create a new CodeQL pack, you will need to use the CodeQL CLI from a terminal, which you can do within Visual Studio Code or outside of it with the ``codeql pack init`` command. Once you create an empty pack, you can edit the ``qlpack.yml`` file or run the ``codeql pack add`` command to add dependencies or change the name or version. For more information, see "`Creating and working with CodeQL packs `__." +Working with CodeQL query packs +------------------------------- + +One of the main benefits of working with a CodeQL query pack is that all dependencies are resolved, not just those defined within the query and standard libraries. + +Creating and editing CodeQL query packs +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +To create a new query pack, you will need to use the CodeQL CLI from a terminal, which you can do within Visual Studio Code or outside of it with the ``codeql pack init`` command. Once you create an empty pack, you can edit the ``qlpack.yml`` file or run the ``codeql pack add`` command to add dependencies or change the name or version. For detailed information, see "`Creating and working with CodeQL packs `__." 
You can create or edit queries in a CodeQL pack in Visual Studio Code as you would with any CodeQL query, using the standard code editing features such as autocomplete suggestions to find elements to use from the pack's dependencies. -You can then use the CodeQL CLI to publish your pack to share with others. For more information, see "`Publishing and using CodeQL packs `__." +You can then use the CodeQL CLI to publish your pack to share with others. For detailed information, see "`Publishing and using CodeQL packs `__." -Viewing CodeQL packs and their dependencies in Visual Studio Code ------------------------------------------------------------------ -To download a CodeQL pack that someone else has created, run the **CodeQL: Download Packs** command from the Command Palette. -You can download all the core CodeQL query packs, or enter the full name of a specific pack to download. For example, to download the core queries for analyzing Java or Kotlin, enter ``codeql/java-queries``. +Viewing CodeQL query packs and their dependencies +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +To download a query pack that someone else has created, run the **CodeQL: Download Packs** command from the Command Palette. +You can download all the core query packs, or enter the full name of a specific pack to download. For example, to download the core queries for analyzing Java and Kotlin, enter ``codeql/java-queries``. Whether you have downloaded a CodeQL pack or created your own, you can open the ``qlpack.yml`` file in the root of a CodeQL pack directory in Visual Studio Code and view the dependencies section to see what libraries the pack depends on. If you want to understand a query in a CodeQL pack better, you can open the query file and view the code, using the IntelliSense code editing features of Visual Studio Code. 
For example, if you hover over an element from a library depended on by the pack, Visual Studio Code will resolve it so you can see documentation about the element. To view the full definition of an element of a query, you can right-click and choose **Go to Definition**. If the library pack is present within the same Visual Studio Code workspace, this will take you to the definition within the workspace. Otherwise it will take you to the definition within your package cache, the shared location where downloaded dependencies are stored, which is in your home directory by default. + +Working with CodeQL model packs +------------------------------- + +The CodeQL extension for Visual Studio Code includes a dedicated editor for creating and editing model packs. For information on using the model editor, see ":ref:`Using the CodeQL model editor `." diff --git a/docs/codeql/codeql-language-guides/codeql-for-java.rst b/docs/codeql/codeql-language-guides/codeql-for-java.rst index 97f212ac64ba..0b4c3cb822a6 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-java.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-java.rst @@ -25,6 +25,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat javadoc working-with-source-locations abstract-syntax-tree-classes-for-working-with-java-programs + customizing-library-models-for-java-and-kotlin - :doc:`Basic query for Java and Kotlin code `: Learn to write and run a simple CodeQL query. 
@@ -45,3 +46,5 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat - :doc:`Working with source locations `: You can use the location of entities within Java/Kotlin code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem. - :doc:`Abstract syntax tree classes for working with Java and Kotlin programs `: CodeQL has a large selection of classes for representing the abstract syntax tree of Java/Kotlin programs. + +- :doc:`Customizing library models for Java and Kotlin `: You can model frameworks and libraries that your code base depends on using data extensions and publish them as CodeQL model packs. diff --git a/docs/codeql/codeql-language-guides/customizing-library-models-for-java-and-kotlin.rst b/docs/codeql/codeql-language-guides/customizing-library-models-for-java-and-kotlin.rst new file mode 100644 index 000000000000..cc8e4e51b7b2 --- /dev/null +++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-java-and-kotlin.rst 
@@ -0,0 +1,293 @@ +.. _customizing-library-models-for-java-and-kotlin: + +Customizing library models for Java and Kotlin +============================================== + +You can model the methods and callables that control data flow in any framework or library. This is especially useful for custom frameworks or niche libraries, that are not supported by the standard CodeQL libraries. + +.. include:: ../reusables/kotlin-beta-note.rst + +.. include:: ../reusables/beta-note-model-packs-java.rst + +About this article +------------------ + +This article contains reference material about how to define custom models for sources, sinks and flow summaries for Java dependencies in data extension files. + +The best way to create your own models is using the CodeQL model editor in the CodeQL extension for Visual Studio Code. The model editor automatically guides you through the process of defining models, displaying the properties you need to define and the options available. You can save the resulting models as data extension files in CodeQL model packs and use them without worrying about the syntax. + +For more information, see ":ref:`Using the CodeQL model editor `." + +About data extensions +--------------------- + +You can customize analysis by defining models (summaries, sinks, and sources) of your code's dependencies in data extension files. Each model defines the behavior of one or more elements of your library or framework, such as methods and callables. When you run dataflow analysis, these models expand the potential sources and sinks tracked by dataflow analysis and improve the precision of results. + +Most of the security queries search for paths from a source of untrusted input to a sink that represents a vulnerability. This is known as taint tracking. Each source is a starting point for dataflow analysis to track tainted data and each sink is an end point. 
+ +Taint tracking queries also need to know how data can flow through elements that are not included in the source code. These are modeled as summaries. A summary model enables queries to synthesize the flow behavior through elements in dependency code that is not stored in your repository. + +Syntax used to define an element in an extension file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Each model of an element is defined using a data extension where each tuple constitutes a model. +A data extension file to extend the standard Java queries included with CodeQL is a YAML file with the form: + +.. code-block:: yaml + + extensions: + - addsTo: + pack: codeql/java-all + extensible: + data: + - + - + - ... + +Each YAML file may contain one or more top-level extensions. + +- ``addsTo`` defines the CodeQL pack name and extensible predicate that the extension is injected into. +- ``data`` defines one or more rows of tuples that are injected as values into the extensible predicate. The number of columns and their types must match the definition of the extensible predicate. + +Data extensions use union semantics, which means that the tuples of all extensions for a single extensible predicate are combined, duplicates are removed, and all of the remaining tuples are queryable by referencing the extensible predicate. + +Publish data extension files in a CodeQL model pack to share +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +You can group one or more data extention files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see "`Creating a CodeQL model pack `__ and `Publishing and using CodeQL packs `__ in the CodeQL CLI documentation. 
+ +Extensible predicates used to create custom models in Java and Kotlin +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The CodeQL library for Java and Kotlin analysis exposes the following extensible predicates: + +- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data. +- ``sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)``. This is used to model sinks where tainted data maybe used in a way that makes the code vulnerable. +- ``summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)``. This is used to model flow through elements. +- ``neutralModel(package, type, name, signature, kind, provenance)``. This is similar to a summary model but used to model the flow of values that have only a minor impact on the dataflow analysis. + +The extensible predicates are populated using the models defined in data extension files. + +Examples of custom model definitions +------------------------------------ + +The examples in this section are taken from the standard CodeQL Java query pack published by GitHub. They demonstrate how to add tuples to extend extensible predicates that are used by the standard queries. + +Example: Taint sink in the ``java.sql`` package +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This example shows how the Java query pack models the argument of the ``execute`` method as a SQL injection sink. +This is the ``execute`` method in the ``Statement`` class, which is located in the ``java.sql`` package. + +.. code-block:: java + + public static void taintsink(Connection conn, String query) throws SQLException { + Statement stmt = conn.createStatement(); + stmt.execute(query); // The argument to this method is a SQL injection sink. 
+ } + +We need to add a tuple to the ``sinkModel``\(package, type, subtypes, name, signature, ext, input, kind, provenance) extensible predicate by updating a data extension file. + +.. code-block:: yaml + + extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["java.sql", "Statement", True, "execute", "(String)", "", "Argument[0]", "sql-injection", "manual"] + + +Since we want to add a new sink, we need to add a tuple to the ``sinkModel`` extensible predicate. +The first five values identify the callable (in this case a method) to be modeled as a sink. + +- The first value ``java.sql`` is the package name. +- The second value ``Statement`` is the name of the class (type) that contains the method. +- The third value ``True`` is a flag that indicates whether or not the sink also applies to all overrides of the method. +- The fourth value ``execute`` is the method name. +- The fifth value ``(String)`` is the method input type signature. + +The sixth value should be left empty and is out of scope for this documentation. +The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the sink. + +- The seventh value ``Argument[0]`` is the ``access path`` to the first argument passed to the method, which means that this is the location of the sink. +- The eighth value ``sql-injection`` is the kind of the sink. The sink kind is used to define the queries where the sink is in scope. In this case - the SQL injection queries. +- The ninth value ``manual`` is the provenance of the sink, which is used to identify the origin of the sink. + +Example: Taint source from the ``java.net`` package +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This example shows how the Java query pack models the return value from the ``getInputStream`` method as a ``remote`` source. +This is the ``getInputStream`` method in the ``Socket`` class, which is located in the ``java.net`` package. + +.. 
code-block:: java + + public static void tainted(Socket socket) throws IOException { + InputStream stream = socket.getInputStream(); // The return value of this method is a remote source of taint. + ... + } + +We need to add a tuple to the ``sourceModel``\(package, type, subtypes, name, signature, ext, output, kind, provenance) extensible predicate by updating a data extension file. + +.. code-block:: yaml + + extensions: + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["java.net", "Socket", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"] + + +Since we are adding a new source, we need to add a tuple to the ``sourceModel`` extensible predicate. +The first five values identify the callable (in this case a method) to be modeled as a source. + +- The first value ``java.net`` is the package name. +- The second value ``Socket`` is the name of the class (type) that contains the source. +- The third value ``False`` is a flag that indicates whether or not the source also applies to all overrides of the method. +- The fourth value ``getInputStream`` is the method name. +- The fifth value ``()`` is the method input type signature. + +The sixth value should be left empty and is out of scope for this documentation. +The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the source. + +- The seventh value ``ReturnValue`` is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input. +- The eighth value ``remote`` is the kind of the source. The source kind is used to define the queries where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources. +- The ninth value ``manual`` is the provenance of the source, which is used to identify the origin of the source. 
+ +Example: Add flow through the ``concat`` method +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This example shows how the Java query pack models flow through a method for a simple case. +This pattern covers many of the cases where we need to summarize flow through a method that is stored in a library or framework outside the repository. + +.. code-block:: java + + public static void taintflow(String s1, String s2) { + String t = s1.concat(s2); // There is taint flow from s1 and s2 to t. + ... + } + +We need to add tuples to the ``summaryModel``\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate by updating a data extension file: + +.. code-block:: yaml + + extensions: + - addsTo: + pack: codeql/java-all + extensible: summaryModel + data: + - ["java.lang", "String", False, "concat", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"] + - ["java.lang", "String", False, "concat", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"] + +Since we are adding flow through a method, we need to add tuples to the ``summaryModel`` extensible predicate. +Each tuple defines flow from one argument to the return value. +The first row defines flow from the qualifier (``s1`` in the example) to the return value (``t`` in the example) and the second row defines flow from the first argument (``s2`` in the example) to the return value (``t`` in the example). + +The first five values identify the callable (in this case a method) to be modeled as a summary. +These are the same for both of the rows above as we are adding two summaries for the same method. + +- The first value ``java.lang`` is the package name. +- The second value ``String`` is the class (type) name. +- The third value ``False`` is a flag that indicates whether or not the summary also applies to all overrides of the method. +- The fourth value ``concat`` is the method name. 
+- The fifth value ``(String)`` is the method input type signature. + +The sixth value should be left empty and is out of scope for this documentation. +The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the summary. + +- The seventh value is the access path to the input (where data flows from). ``Argument[this]`` is the access path to the qualifier (``s1`` in the example) and ``Argument[0]`` is the access path to the first argument (``s2`` in the example). +- The eighth value ``ReturnValue`` is the access path to the output (where data flows to), in this case ``ReturnValue``, which means that the input flows to the return value. +- The ninth value ``taint`` is the kind of the flow. ``taint`` means that taint is propagated through the call. +- The tenth value ``manual`` is the provenance of the summary, which is used to identify the origin of the summary. + +Example: Add flow through the ``map`` method +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This example shows how the Java query pack models a more complex flow through a method. +Here we model flow through higher order methods and collection types. + +.. code-block:: java + + public static void taintflow(Stream s) { + Stream l = s.map(e -> e.concat("\n")); + ... + } + +We need to add tuples to the ``summaryModel``\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate by updating a data extension file: + +.. code-block:: yaml + + extensions: + - addsTo: + pack: codeql/java-all + extensible: summaryModel + data: + - ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"] + - ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[0].ReturnValue", "ReturnValue.Element", "value", "manual"] + + +Since we are adding flow through a method, we need to add tuples to the ``summaryModel`` extensible predicate. 
+Each tuple defines part of the flow that comprises the total flow through the ``map`` method. +The first five values identify the callable (in this case a method) to be modeled as a summary. +These are the same for both of the rows above as we are adding two summaries for the same method. + +- The first value ``java.util.stream`` is the package name. +- The second value ``Stream`` is the class (type) name. +- The third value ``True`` is a flag that indicates whether or not the summary also applies to all overrides of the method. +- The fourth value ``map`` is the method name. +- The fifth value ``Function`` is the method input type signature. + +The sixth value should be left empty and is out of scope for this documentation. +The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the summary definition. + +- The seventh value is the access path to the ``input`` (where data flows from). +- The eighth value is the access path to the ``output`` (where data flows to). + +For the first row: + +- The seventh value is ``Argument[this].Element``, which is the access path to the elements of the qualifier (the elements of the stream ``s`` in the example). +- The eight value is ``Argument[0].Parameter[0]``, which is the access path to the first parameter of the ``Function`` argument of ``map`` (the lambda parameter ``e`` in the example). + +For the second row: + +- The seventh value is ``Argument[0].ReturnValue``, which is the access path to the return value of the ``Function`` argument of ``map`` (the return value of the lambda in the example). +- The eighth value is ``ReturnValue.Element``, which is the access path to the elements of the return value of ``map`` (the elements of the stream ``l`` in the example). + +For the remaining values for both rows: + +- The ninth value ``value`` is the kind of the flow. ``value`` means that the value is preserved. 
+- The tenth value ``manual`` is the provenance of the summary, which is used to identify the origin of the summary. + +That is, the first row specifies that values can flow from the elements of the qualifier stream into the first argument of the function provided to ``map``. The second row specifies that values can flow from the return value of the function to the elements of the stream returned from ``map``. + +Example: Add a ``neutral`` method +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This example shows how the Java query pack models the ``now`` method as being neutral with respect to flow. +A neutral model is used to define that there is no flow through a method. + +.. code-block:: java + + public static void taintflow() { + Instant t = Instant.now(); // There is no flow from now to t. + ... + } + +We need to add a tuple to the ``neutralModel``\(package, type, name, signature, kind, provenance) extensible predicate by updating a data extension file. + +.. code-block:: yaml + + extensions: + - addsTo: + pack: codeql/java-all + extensible: neutralModel + data: + - ["java.time", "Instant", "now", "()", "summary", "manual"] + + +Since we are adding a neutral model, we need to add tuples to the ``neutralModel`` extensible predicate. +The first four values identify the callable (in this case a method) to be modeled as a neutral, the fifth value is the kind, and the sixth value is the provenance (origin) of the neutral. + +- The first value ``java.time`` is the package name. +- The second value ``Instant`` is the class (type) name. +- The third value ``now`` is the method name. +- The fourth value ``()`` is the method input type signature. +- The fifth value ``summary`` is the kind of the neutral. +- The sixth value ``manual`` is the provenance of the neutral. 
diff --git a/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst b/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst
deleted file mode 100644
index cbd8d6c1fadd..000000000000
--- a/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst
+++ /dev/null
@@ -1,437 +0,0 @@
-.. _customizing-library-models-for-java:
-
-:orphan:
-:nosearch:
-
-Customizing Library Models for Java and Kotlin
-==============================================
-
-.. include:: ../reusables/beta-note-customizing-library-models.rst
-
-.. include:: ../reusables/kotlin-beta-note.rst
-
-The Java/Kotlin analysis can be customized by adding library models (summaries, sinks and sources) in data extension files.
-A model is a definition of a behavior of a library element, such as a method, that is used to improve the data flow analysis precision by identifying more results.
-Most of the security related queries are taint tracking queries that try to find paths from a source of untrusted input to a sink that represents a vulnerability. Sources are the starting points of a taint tracking data flow analysis, and sinks are the end points of a taint tracking data flow analysis.
-
-Furthermore, the taint tracking queries also need to know how data can flow through elements that are not included in the source code. These are named summaries: they are models of elements that allow us to synthesize the elements flow behavior without having them in the source code. This is especially helpful when using a third party (or the standard) library.
-
-The models are defined using data extensions where each tuple constitutes a model.
-A data extension file for Java is a YAML file in the form:
-
-.. code-block:: yaml
-
- extensions:
- - addsTo:
- pack: codeql/java-all
- extensible:
- data:
- -
- -
- - ...
-
-Data extensions contribute to the extensible predicates defined in the CodeQL library. For more information on how to define data extensions and extensible predicates as well as how to wire them up, see the :ref:`data-extensions` documentation.
-
-The CodeQL library for Java/Kotlin exposes the following extensible predicates:
-
-- **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance). This is used for **source** models.
-- **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance). This is used for **sink** models.
-- **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance). This is used for **summary** models.
-- **neutralModel**\(package, type, name, signature, kind, provenance). This is used for **neutral** models, which only have minor impact on the data flow analysis.
-
-The extensible predicates are populated using data extensions specified in YAML files.
-
-In the sections below, we will provide examples of how to add tuples to the different extensible predicates.
-The extensible predicates are used to customize and improve the existing data flow queries, by providing sources, sinks, and flow through (summaries) for library elements.
-The :ref:`reference-material` section will provide details on the *mini DSLs* that define models for each extensible predicate.
-
-Example: Taint sink in the **java.sql** package
------------------------------------------------
-
-In this example we will show how to model the argument of the **execute** method as a SQL injection sink.
-This is the **execute** method in the **Statement** class, which is located in the **java.sql** package.
-Note that this sink is already added to the CodeQL Java/Kotlin analysis.
-
-.. code-block:: java
-
- public static void taintsink(Connection conn, String query) throws SQLException {
- Statement stmt = conn.createStatement();
- stmt.execute(query); // The argument to this method is a SQL injection sink.
- }
-
-We need to add a tuple to the **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
-
-.. code-block:: yaml
-
- extensions:
- - addsTo:
- pack: codeql/java-all
- extensible: sinkModel
- data:
- - ["java.sql", "Statement", True, "execute", "(String)", "", "Argument[0]", "sql", "manual"]
-
-
-Since we are adding a new sink, we need to add a tuple to the **sinkModel** extensible predicate.
-The first five values identify the callable (in this case a method) to be modeled as a sink.
-
-- The first value **java.sql** is the package name.
-- The second value **Statement** is the name of the class (type) that contains the method.
-- The third value **True** is a flag that indicates whether or not the sink also applies to all overrides of the method.
-- The fourth value **execute** is the method name.
-- The fifth value **(String)** is the method input type signature.
-
-The sixth value should be left empty and is out of scope for this documentation.
-The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the sink.
-
-- The seventh value **Argument[0]** is the **access path** to the first argument passed to the method, which means that this is the location of the sink.
-- The eighth value **sql** is the kind of the sink. The sink kind is used to define the queries where the sink is in scope. In this case - the SQL injection queries.
-- The ninth value **manual** is the provenance of the sink, which is used to identify the origin of the sink.
-
-Example: Taint source from the **java.net** package
----------------------------------------------------
-In this example we show how to model the return value from the **getInputStream** method as a **remote** source.
-This is the **getInputStream** method in the **Socket** class, which is located in the **java.net** package.
-Note that this source is already added to the CodeQL Java/Kotlin analysis.
-
-.. code-block:: java
-
- public static void tainted(Socket socket) throws IOException {
- InputStream stream = socket.getInputStream(); // The return value of this method is a remote source of taint.
- ...
- }
-
-We need to add a tuple to the **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
-
-.. code-block:: yaml
-
- extensions:
- - addsTo:
- pack: codeql/java-all
- extensible: sourceModel
- data:
- - ["java.net", "Socket", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
-
-
-Since we are adding a new source, we need to add a tuple to the **sourceModel** extensible predicate.
-The first five values identify the callable (in this case a method) to be modeled as a source.
-
-- The first value **java.net** is the package name.
-- The second value **Socket** is the name of the class (type) that contains the source.
-- The third value **False** is a flag that indicates whether or not the source also applies to all overrides of the method.
-- The fourth value **getInputStream** is the method name.
-- The fifth value **()** is the method input type signature.
-
-The sixth value should be left empty and is out of scope for this documentation.
-The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the source.
-
-- The seventh value **ReturnValue** is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
-- The eighth value **remote** is the kind of the source. The source kind is used to define the queries where the source is in scope. **remote** applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses **remote** sources.
-- The ninth value **manual** is the provenance of the source, which is used to identify the origin of the source.
-
-Example: Add flow through the **concat** method
------------------------------------------------
-In this example we show how to model flow through a method for a simple case.
-This pattern covers many of the cases where we need to define flow through a method.
-Note that the flow through the **concat** method is already added to the CodeQL Java/Kotlin analysis.
-
-.. code-block:: java
-
- public static void taintflow(String s1, String s2) {
- String t = s1.concat(s2); // There is taint flow from s1 and s2 to t.
- ...
- }
-
-We need to add tuples to the **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
-
-.. code-block:: yaml
-
- extensions:
- - addsTo:
- pack: codeql/java-all
- extensible: summaryModel
- data:
- - ["java.lang", "String", False, "concat", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- - ["java.lang", "String", False, "concat", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-
-Reasoning:
-
-Since we are adding flow through a method, we need to add tuples to the **summaryModel** extensible predicate.
-Each tuple defines flow from one argument to the return value.
-The first row defines flow from the qualifier (**s1** in the example) to the return value (**t** in the example) and the second row defines flow from the first argument (**s2** in the example) to the return value (**t** in the example).
-
-The first five values identify the callable (in this case a method) to be modeled as a summary.
-These are the same for both of the rows above as we are adding two summaries for the same method.
-
-- The first value **java.lang** is the package name.
-- The second value **String** is the class (type) name.
-- The third value **False** is a flag that indicates whether or not the summary also applies to all overrides of the method.
-- The fourth value **concat** is the method name.
-- The fifth value **(String)** is the method input type signature.
-
-The sixth value should be left empty and is out of scope for this documentation.
-The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the summary.
-
-- The seventh value is the access path to the input (where data flows from). **Argument[this]** is the access path to the qualifier (**s1** in the example) and **Argument[0]** is the access path to the first argument (**s2** in the example).
-- The eighth value **ReturnValue** is the access path to the output (where data flows to), in this case **ReturnValue**, which means that the input flows to the return value.
-- The ninth value **taint** is the kind of the flow. **taint** means that taint is propagated through the call.
-- The tenth value **manual** is the provenance of the summary, which is used to identify the origin of the summary.
-
-Example: Add flow through the **map** method
---------------------------------------------
-In this example, we will see a more complex example of modeling flow through a method.
-This pattern shows how to model flow through higher order methods and collection types.
-Note that the flow through the **map** method is already added to the CodeQL Java/Kotlin analysis.
-
-.. code-block:: java
-
- public static void taintflow(Stream s) {
- Stream l = s.map(e -> e.concat("\n"));
- ...
- }
-
-To do this, add the following to a data extension file:
-
-.. code-block:: yaml
-
- extensions:
- - addsTo:
- pack: codeql/java-all
- extensible: summaryModel
- data:
- - ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
- - ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[0].ReturnValue", "ReturnValue.Element", "value", "manual"]
-
-
-Since we are adding flow through a method, we need to add tuples to the **summaryModel** extensible predicate.
-Each tuple defines part of the flow that comprises the total flow through the **map** method.
-The first five values identify the callable (in this case a method) to be modeled as a summary.
-These are the same for both of the rows above as we are adding two summaries for the same method.
-
-- The first value **java.util.stream** is the package name.
-- The second value **Stream** is the class (type) name.
-- The third value **True** is a flag that indicates whether or not the summary also applies to all overrides of the method.
-- The fourth value **map** is the method name.
-- The fifth value **Function** is the method input type signature.
-
-The sixth value should be left empty and is out of scope for this documentation.
-The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the summary definition.
-
-- The seventh value is the access path to the **input** (where data flows from).
-- The eighth value is the access path to the **output** (where data flows to).
-
-For the first row:
-
-- The seventh value is **Argument[this].Element**, which is the access path to the elements of the qualifier (the elements of the stream **s** in the example).
-- The eight value is **Argument[0].Parameter[0]**, which is the access path to the first parameter of the **Function** argument of **map** (the lambda parameter **e** in the example).
-
-For the second row:
-
-- The seventh value is **Argument[0].ReturnValue**, which is the access path to the return value of the **Function** argument of **map** (the return value of the lambda in the example).
-- The eighth value is **ReturnValue.Element**, which is the access path to the elements of the return value of **map** (the elements of the stream **l** in the example).
-
-For the remaining values for both rows:
-
-- The ninth value **value** is the kind of the flow. **value** means that the value is preserved.
-- The tenth value **manual** is the provenance of the summary, which is used to identify the origin of the summary.
-
-That is, the first row models that there is value flow from the elements of the qualifier stream into the first argument of the function provided to **map** and the second row models that there is value flow from the return value of the function to the elements of the stream returned from **map**.
-
-Example: Add a **neutral** method
----------------------------------
-In this example we will show how to model the **now** method as being neutral with respect to flow.
-A neutral model is used to define that there is no flow through a method.
-Note that the neutral model for the **now** method is already added to the CodeQL Java/Kotlin analysis.
-
-.. code-block:: java
-
- public static void taintflow() {
- Instant t = Instant.now(); // There is no flow from now to t.
- ...
- }
-
-We need to add a tuple to the **neutralModel**\(package, type, name, signature, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
-
-.. code-block:: yaml
-
- extensions:
- - addsTo:
- pack: codeql/java-all
- extensible: neutralModel
- data:
- - ["java.time", "Instant", "now", "()", "summary", "manual"]
-
-
-Since we are adding a neutral model, we need to add tuples to the **neutralModel** extensible predicate.
-The first four values identify the callable (in this case a method) to be modeled as a neutral, the fifth value is the kind, and the sixth value is the provenance (origin) of the neutral.
-
-- The first value **java.time** is the package name.
-- The second value **Instant** is the class (type) name.
-- The third value **now** is the method name.
-- The fourth value **()** is the method input type signature.
-- The fifth value **summary** is the kind of the neutral.
-- The sixth value **manual** is the provenance of the neutral.
-
-.. _reference-material:
-
-Reference material
-------------------
-
-The following sections provide reference material for extensible predicates.
-This includes descriptions of each of the arguments (e.g. access paths, kinds and provenance).
-
-Extensible predicates
----------------------
-
-Below is a description of the columns for each extensible predicate.
-Sources, sinks, summaries and neutrals are commonly known as models.
-The semantics of many of the columns of the extensible predicates are shared.
-
-The shared columns are:
-
-- **package**: Name of the package containing the element(s) to be modeled.
-- **type**: Name of the type containing the element(s) to be modeled.
-- **subtypes**: A boolean flag indicating whether the model should also apply to all overrides of the selected element(s).
-- **name**: Name of the element (optional). If this is left blank, it means all elements matching the previous selection criteria.
-- **signature**: Type signature of the selected element (optional). If this is left blank, it means all elements matching the previous selection criteria.
-- **ext**: Specifies additional API-graph-like edges (mostly empty) and out of scope for this document.
-- **provenance**: Provenance (origin) of the model definition.
-
-The columns **package**, **type**, **subtypes**, **name**, and **signature** are used to select the element(s) that the model applies to.
-
-The :ref:`access-paths` section describes how access paths are composed.
-This is the most complicated part of the extensible predicates and the **mini DSL** for access paths is shared across all extensible predicates.
-
-sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Taint source. Most taint tracking queries will use all sources added to this extensible predicate regardless of their kind.
-
-- **output**: Access path to the source, where the possibly tainted data flows from.
-- **kind**: Kind of the source.
-- **provenance**: Provenance (origin) of the source definition.
-
-As most sources are used by all taint tracking queries there are only a few different source kinds.
-The following source kinds are supported:
-
-- **remote**: A remote source of possibly tainted data. This is the most common kind for a source. Sources of this kind are used for almost all taint tracking queries.
-
-Below is an enumeration of the remaining source kinds, but they are out of scope for this documentation:
-
-- **contentprovider**, **android-external-storage-dir**.
-
-sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Taint sink. As opposed to source kinds, there are many different kinds of sinks as these tend to be more query specific.
-
-- **input**: Access path to the sink, where we want to check if tainted data can flow into.
-- **kind**: Kind of the sink.
-
-The following sink kinds are supported:
-
-- **bean-validation**: A sink that can be used for insecure bean validation, such as in calls to **ConstraintValidatorContext.buildConstraintViolationWithTemplate**.
-- **command-injection**: A sink that can be used to inject shell commands, such as in calls to **Runtime.exec**.
-- **file-content-store**: A sink that can be used to control the contents of a file, such as in a **Files.write** call.
-- **fragment-injection**: A sink that can be used for Android fragment injection, such as in a **FragmentTransaction.replace** call.
-- **groovy-injection**: A sink that can be used for Groovy injection, such as in a **GroovyShell.evaluate** call.
-- **hostname-verification**: A sink that can be used for unsafe hostname verification, such as in calls to **HttpsURLConnection.setHostnameVerifier**.
-- **html-injection**: A sink that can be used for XSS via HTML injection, such as in a **ResponseStream.write** call.
-- **information-leak**: A sink that can be used to leak information to an HTTP response, such as in calls to **HttpServletResponse.sendError**.
-- **intent-redirection**: A sink that can be used for Android intent redirection, such as in a **Context.startActivity** call.
-- **jexl-injection**: A sink that can be used for JEXL expression injection, such as in a **JexlExpression.evaluate** call.
-- **jndi-injection**: A sink that can be used for JNDI injection, such as in a **Context.lookup** call.
-- **js-injection**: A sink that can be used for XSS via JavaScript injection, such as in a **Webview.evaluateJavaScript** call.
-- **ldap-injection**: A sink that can be used for LDAP injection, such as in a **DirContext.search** call.
-- **log-injection**: A sink that can be used for log injection, such as in a **Logger.warn** call.
-- **mvel-injection**: A sink that can be used for MVEL expression injection, such as in a **MVEL.eval** call.
-- **ognl-injection**: A sink that can be used for OGNL injection, such as in an **Ognl.getValue** call.
-- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **new FileReader**.
-- **pending-intents**: A sink that can be used to send an implicit and mutable `PendingIntent` to a third party, such as in an **Activity.setResult** call.
-- **request-forgery**: A sink that controls the URL of a request, such as in an **HttpRequest.newBuilder** call.
-- **response-splitting**: A sink that can be used for HTTP response splitting, such as in calls to **HttpServletResponse.setHeader**.
-- **sql-injection**: A sink that can be used for SQL injection, such as in a **Statement.executeQuery** call.
-- **template-injection**: A sink that can be used for server side template injection, such as in a **Velocity.evaluate** call.
-- **trust-boundary-violation**: A sink that can be used to cross a trust boundary, such as in a **HttpSession.setAttribute** call.
-- **url-redirection**: A sink that can be used to redirect the user to a malicious URL, such as in a **Response.temporaryRedirect** call.
-- **xpath-injection**: A sink that can be used for XPath injection, such as in a **XPath.evaluate** call.
-- **xslt-injection**: A sink that can be used for XSLT injection, such as in a **Transformer.transform** call.
-
-summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Flow through (summary). This extensible predicate is used to model flow through elements.
-
-- **input**: Access path to the input of the element (where data will flow from to the output).
-- **output**: Access path to the output of the element (where data will flow to from the input).
-- **kind**: Kind of the flow through.
-- **provenance**: Provenance (origin) of the flow through.
-
-The following kinds are supported:
-
-- **taint**: This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
-- **value**: This means that the output equals the input or a copy of the input such that all of its properties are preserved.
-
-neutralModel(package, type, name, signature, kind, provenance)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This extensible predicate is not typically needed externally, but included here for completeness.
-It only has minor impact on the data flow analysis.
-Manual neutrals are considered high confidence dispatch call targets and can reduce the number of dispatch call targets during data flow analysis (a performance optimization).
-
-- **kind**: Kind of the neutral. For neutrals the kind can be **summary**, **source**, or **sink** to indicate that the callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
-- **provenance**: Provenance (origin) of the flow through.
-
-.. _access-paths:
-
-Access paths
-------------
-The **input**, and **output** columns consist of a **.**-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values.
-
-The following components are supported:
-
-- **Argument[**\ `n`\ **]** selects the argument at index `n` (zero-indexed).
-- **Argument[**\ `this`\ **]** selects the qualifier (instance parameter).
-- **Argument[**\ `n1..n2`\ **]** selects the arguments in the given range (both ends included).
-- **Parameter[**\ `n`\ **]** selects the parameter at index `n` (zero-indexed).
-- **Parameter[**\ `n1..n2`\ **]** selects the parameters in the given range (both ends included).
-- **ReturnValue** selects the return value.
-- **Field[**\ `name`\ **]** selects the field with the fully qualified name `name`.
-- **SyntheticField[**\ `name`\ **]** selects the synthetic field with name `name`.
-- **SyntheticGlobal[**\ `name`\ **]** selects the synthetic global with name `name`.
-- **ArrayElement** selects the elements of an array.
-- **Element** selects the elements of a collection-like container.
-- **WithoutElement** selects a collection-like container without its elements. This is for input only.
-- **WithElement** selects the elements of a collection-like container, but points to the container itself. This is for input only.
-- **MapKey** selects the element keys of a map.
-- **MapValue** selects the element values of a map.
-
-Provenance
-----------
-
-The **provenance** column is used to specify the provenance (origin) of the model definition and how the model was verified.
-The following values are supported:
-
-- **manual**: The model was manually created and added to the extensible predicate.
-
-or values in the form **origin-verification**, where origin is one of:
-
-- **ai**: The model was generated by AI.
-- **df**: The model was generated by the dataflow model generator.
-- **tb**: The model was generated by the type based model generator.
-- **hq**: The model was generated using a heuristic query.
-
-and verification is one of:
-
-- **manual**: The model was verified by a human.
-- **generated**: The model was generated, but not verified by a human.
-
-The provenance is used to distinguish between models that are manually added (or verified) to the extensible predicate and models that are automatically generated.
-Furthermore, it impacts the data flow analysis in the following way:
-
-- A **manual** model takes precedence over **generated** models. If a **manual** model exists for an element then all **generated** models are ignored.
-- A **generated** model is ignored during analysis, if the source code of the element it is modeling is available.
-
-That is, generated models are less trusted than manual models and only used if neither source code nor a manual model is available.
-
-
-.. include:: ../reusables/data-extensions.rst
diff --git a/docs/codeql/codeql-language-guides/extensible-predicates.rst b/docs/codeql/codeql-language-guides/extensible-predicates.rst
new file mode 100644
index 000000000000..2ef077fe0562
--- /dev/null
+++ b/docs/codeql/codeql-language-guides/extensible-predicates.rst
@@ -0,0 +1,183 @@ +.. _extensible-predicates: + +:orphan: +:nosearch: + +Extensible predicates and their interaction with data extensions +================================================================ + +You can use data extensions to model the methods and callables that control dataflow in any framework or library. This is especially useful for custom frameworks or niche libraries, that are not supported by the standard CodeQL libraries. + +.. include:: ../reusables/beta-note-model-packs-java.rst + +About this article +------------------ + +This reference article describes the available inputs for the extensible predicates, including access paths, kinds, and provenance. + +Sources, sinks, summaries, and neutrals are commonly known as models. These models support several shared arguments and a few model-specific arguments. The arguments populate a series of columns for each extensible predicate. + +About extensible predicates +--------------------------- + +At a high level, there are two main components to using data extensions. The query writer defines one or more extensible predicates in their query libraries. CLI and code scanning users who want to augment these predicates supply one or more extension files whose data gets injected into the extensible predicate during evaluation. The extension files are either stored directly in the repository where the codebase to be analyzed is hosted, or downloaded as CodeQL model packs. + +This example of an extensible predicate for a source is taken from the core Java libraries https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/dataflow/ExternalFlowExtensions.qll#L8-L11 + +.. code-block:: ql + + extensible predicate sourceModel( + string package, string type, boolean subtypes, string name, + string signature, string ext, string output, string kind, + string provenance + ); + +An extensible predicate is a CodeQL predicate with the following restrictions: + +- It uses the ``extensible`` keyword. 
+- It has no body. +- All predicate parameters have primitive types. +- It is not in a module. + +Columns shared by all extensible predicates +------------------------------------------- + +The semantics of many of the columns of the extensible predicates are shared. The columns ``package``, ``type``, ``subtypes``, ``name``, and ``signature`` define which element(s) the model applies to. + +- ``package``: Name of the package containing the element(s) to be modeled. +- ``type``: Name of the type containing the element(s) to be modeled. +- ``subtypes``: A boolean flag indicating whether the model should also apply to all overrides of the selected element(s). +- ``name``: Name of the element (optional). If this is left blank, it means all elements matching the previous selection criteria. +- ``signature``: Type signature of the selected element (optional). If this is left blank, it means all elements matching the previous selection criteria. +- ``ext``: Specifies additional API-graph-like edges (mostly empty) and out of scope for this document. +- ``provenance``: Provenance (origin) of the model definition. For more information, see ":ref:`provenance`." + +The sematics for access paths are also common to all extensible predicates. For more information, see ":ref:`access-paths`." + +sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance) +------------------------------------------------------------------------------------ + +Taint source. Most taint tracking queries will use all sources added to this extensible predicate regardless of their kind. + +- ``output``: Access path to the source, where the possibly tainted data flows from. +- ``kind``: Kind of the source. + +As most sources are used by all taint tracking queries there are only a few different source kinds. +The following source kinds are supported: + +- ``remote``: A remote source of possibly tainted data. This is the most common kind for a source. 
Sources of this kind are used for almost all taint tracking queries. +- ``contentprovider``, ``android-external-storage-dir``: These kinds are also supported but usage is advanced. + +sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance) +--------------------------------------------------------------------------------- + +Taint sink. As opposed to source kinds, there are many different kinds of sinks as these tend to be more query specific. + +- ``input``: Access path to the sink, where we want to check if tainted data can flow into. +- ``kind``: Kind of the sink. + +The following sink kinds are supported: + +- ``bean-validation``: A sink that can be used for insecure bean validation, such as in calls to ``ConstraintValidatorContext.buildConstraintViolationWithTemplate``. +- ``command-injection``: A sink that can be used to inject shell commands, such as in calls to ``Runtime.exec``. +- ``file-content-store``: A sink that can be used to control the contents of a file, such as in a ``Files.write`` call. +- ``fragment-injection``: A sink that can be used for Android fragment injection, such as in a ``FragmentTransaction.replace`` call. +- ``groovy-injection``: A sink that can be used for Groovy injection, such as in a ``GroovyShell.evaluate`` call. +- ``hostname-verification``: A sink that can be used for unsafe hostname verification, such as in calls to ``HttpsURLConnection.setHostnameVerifier``. +- ``html-injection``: A sink that can be used for XSS via HTML injection, such as in a ``ResponseStream.write`` call. +- ``information-leak``: A sink that can be used to leak information to an HTTP response, such as in calls to ``HttpServletResponse.sendError``. +- ``intent-redirection``: A sink that can be used for Android intent redirection, such as in a ``Context.startActivity`` call. +- ``jexl-injection``: A sink that can be used for JEXL expression injection, such as in a ``JexlExpression.evaluate`` call. 
+- ``jndi-injection``: A sink that can be used for JNDI injection, such as in a ``Context.lookup`` call. +- ``js-injection``: A sink that can be used for XSS via JavaScript injection, such as in a ``Webview.evaluateJavaScript`` call. +- ``ldap-injection``: A sink that can be used for LDAP injection, such as in a ``DirContext.search`` call. +- ``log-injection``: A sink that can be used for log injection, such as in a ``Logger.warn`` call. +- ``mvel-injection``: A sink that can be used for MVEL expression injection, such as in a ``MVEL.eval`` call. +- ``ognl-injection``: A sink that can be used for OGNL injection, such as in an ``Ognl.getValue`` call. +- ``path-injection``: A sink that can be used for path injection in a file system access, such as in calls to ``new FileReader``. +- ``pending-intents``: A sink that can be used to send an implicit and mutable `PendingIntent` to a third party, such as in an ``Activity.setResult`` call. +- ``request-forgery``: A sink that controls the URL of a request, such as in an ``HttpRequest.newBuilder`` call. +- ``response-splitting``: A sink that can be used for HTTP response splitting, such as in calls to ``HttpServletResponse.setHeader``. +- ``sql-injection``: A sink that can be used for SQL injection, such as in a ``Statement.executeQuery`` call. +- ``template-injection``: A sink that can be used for server-side template injection, such as in a ``Velocity.evaluate`` call. +- ``trust-boundary-violation``: A sink that can be used to cross a trust boundary, such as in a ``HttpSession.setAttribute`` call. +- ``url-redirection``: A sink that can be used to redirect the user to a malicious URL, such as in a ``Response.temporaryRedirect`` call. +- ``xpath-injection``: A sink that can be used for XPath injection, such as in a ``XPath.evaluate`` call. +- ``xslt-injection``: A sink that can be used for XSLT injection, such as in a ``Transformer.transform`` call. 
+ +summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance) +-------------------------------------------------------------------------------------------- + +Flow through (summary). This extensible predicate is used to model flow through elements. + +- ``input``: Access path to the input of the element (where data will flow from to the output). +- ``output``: Access path to the output of the element (where data will flow to from the input). +- ``kind``: Kind of the flow through. + +The following kinds are supported: + +- ``taint``: This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well. +- ``value``: This means that the output equals the input or a copy of the input such that all of its properties are preserved. + +neutralModel(package, type, name, signature, kind, provenance) +-------------------------------------------------------------- + +This extensible predicate is not typically needed externally, but is included here for completeness. +It has limited impact on dataflow analysis. +Manual neutrals are considered high-confidence dispatch call targets and can reduce the number of dispatch call targets during dataflow analysis (a performance optimization). + +- ``kind``: Kind of the neutral. For neutrals the kind can be ``summary``, ``source``, or ``sink`` to indicate that the callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). + +.. _access-paths: + +Access paths +------------ +The ``input``, and ``output`` columns consist of a ``.``-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values. + +The following components are supported: + +- ``Argument[``\ `n`\ ``]`` selects the argument at index `n` (zero-indexed). 
+- ``Argument[``\ `this`\ ``]`` selects the qualifier (instance parameter). +- ``Argument[``\ `n1..n2`\ ``]`` selects the arguments in the given range (both ends included). +- ``Parameter[``\ `n`\ ``]`` selects the parameter at index `n` (zero-indexed). +- ``Parameter[``\ `n1..n2`\ ``]`` selects the parameters in the given range (both ends included). +- ``ReturnValue`` selects the return value. +- ``Field[``\ `name`\ ``]`` selects the field with the fully qualified name `name`. +- ``SyntheticField[``\ `name`\ ``]`` selects the synthetic field with name `name`. +- ``SyntheticGlobal[``\ `name`\ ``]`` selects the synthetic global with name `name`. +- ``ArrayElement`` selects the elements of an array. +- ``Element`` selects the elements of a collection-like container. +- ``WithoutElement`` selects a collection-like container without its elements. This is for input only. +- ``WithElement`` selects the elements of a collection-like container, but points to the container itself. This is for input only. +- ``MapKey`` selects the element keys of a map. +- ``MapValue`` selects the element values of a map. + +.. _provenance: + +Provenance +---------- + +The ``provenance`` column is used to specify the provenance (origin) of the model definition and how the model was verified. +The following values are supported. + +- ``manual``: The model was manually created and added to the extensible predicate. + +Values can also take the form ``ORIGIN-VERIFICATION``, where ``ORIGIN`` is one of: + +- ``ai``: The model was generated by artificial intelligence (AI). +- ``df``: The model was generated by the dataflow model generator. +- ``tb``: The model was generated by the type based model generator. +- ``hq``: The model was generated using a heuristic query. + +And ``VERIFICATION`` is one of: + +- ``manual``: The model was verified by a human. +- ``generated``: The model was generated, but not verified by a human. 
+ +The provenance is used to distinguish between models that are manually added (or verified) to the extensible predicate and models that are automatically generated. +Furthermore, it impacts the dataflow analysis in the following way: + +- A ``manual`` model takes precedence over ``generated`` models. If a ``manual`` model exists for an element then all ``generated`` models are ignored. +- A ``generated`` model is ignored during analysis, if the source code of the element it is modeling is available. + +That is, generated models are less trusted than manual models and only used if neither source code nor a manual model is available. diff --git a/docs/codeql/codeql-overview/codeql-glossary.rst b/docs/codeql/codeql-overview/codeql-glossary.rst index 458651e36936..f86b5346e2c2 100644 --- a/docs/codeql/codeql-overview/codeql-glossary.rst +++ b/docs/codeql/codeql-overview/codeql-glossary.rst 
@@ -34,6 +34,19 @@ A database (or CodeQL database) is a directory containing: - log files generated during database creation, query execution, and other operations. +.. _codeql-packs: + +CodeQL packs +------------ + +CodeQL packs are used to create, share, depend on, and run CodeQL queries, libraries, and models. You can publish your own CodeQL packs and download packs created by others. CodeQL query packs may contain queries, library files, query suites, and metadata. CodeQL library packs include one or more CodeQL libraries. CodeQL model packs include one or more data extension files that extend the core libraries by modeling additional libraries and frameworks (dependencies of your code base). + +.. _data-extensions: + +Data extensions +--------------- +When you want to model the sources and sinks of a custom dependency, you can create a CodeQL library (``.qll`` file) and write queries that use it, but it's usually much simpler to create a data extension file. If you model the sources and sinks in data extension, you can use this information to expand the standard queries to cover your custom dependencies. You don't need to write any new queries. + .. _dil: DIL diff --git a/docs/codeql/images/codeql-for-visual-studio-code/model-application-mode-expanded.png b/docs/codeql/images/codeql-for-visual-studio-code/model-application-mode-expanded.png new file mode 100644 index 000000000000..b319918e891b Binary files /dev/null and b/docs/codeql/images/codeql-for-visual-studio-code/model-application-mode-expanded.png differ diff --git a/docs/codeql/images/codeql-for-visual-studio-code/model-application-mode.png b/docs/codeql/images/codeql-for-visual-studio-code/model-application-mode.png new file mode 100644 index 000000000000..b2ecaaf80507 Binary files /dev/null and b/docs/codeql/images/codeql-for-visual-studio-code/model-application-mode.png differ 
diff --git a/docs/codeql/images/codeql-for-visual-studio-code/model-dependency-mode-expanded.png b/docs/codeql/images/codeql-for-visual-studio-code/model-dependency-mode-expanded.png new file mode 100644 index 000000000000..2528ee9ed0be Binary files /dev/null and b/docs/codeql/images/codeql-for-visual-studio-code/model-dependency-mode-expanded.png differ diff --git a/docs/codeql/images/codeql-for-visual-studio-code/model-dependency-mode.png b/docs/codeql/images/codeql-for-visual-studio-code/model-dependency-mode.png new file mode 100644 index 000000000000..033a133b1ed6 Binary files /dev/null and b/docs/codeql/images/codeql-for-visual-studio-code/model-dependency-mode.png differ diff --git a/docs/codeql/reusables/beta-note-model-pack-editor-vsc.rst b/docs/codeql/reusables/beta-note-model-pack-editor-vsc.rst new file mode 100644 index 000000000000..161a837d71ae --- /dev/null +++ b/docs/codeql/reusables/beta-note-model-pack-editor-vsc.rst @@ -0,0 +1,5 @@ +.. pull-quote:: + + Note + + The CodeQL model editor and CodeQL model packs are currently in beta and subject to change. During the beta, model packs are supported only by Java/Kotlin analysis. To use this beta functionality, install the latest version of the CodeQL extension for Visual Studio Code. diff --git a/docs/codeql/reusables/beta-note-model-packs-java.rst b/docs/codeql/reusables/beta-note-model-packs-java.rst new file mode 100644 index 000000000000..049621a57f79 --- /dev/null +++ b/docs/codeql/reusables/beta-note-model-packs-java.rst @@ -0,0 +1,5 @@ +.. pull-quote:: + + Note + + CodeQL model packs are currently in beta and subject to change. During the beta, model packs are supported only by Java/Kotlin analysis. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases. 
diff --git a/docs/codeql/reusables/beta-note-package-management.rst b/docs/codeql/reusables/beta-note-package-management.rst index 7697c9a47d9c..51e1fd225e4c 100644 --- a/docs/codeql/reusables/beta-note-package-management.rst +++ b/docs/codeql/reusables/beta-note-package-management.rst @@ -2,4 +2,4 @@ Note - The CodeQL package management functionality, including CodeQL packs, is currently available as a beta release and is subject to change. During the beta release, CodeQL packs are available only using GitHub Packages - the GitHub Container registry. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases. + The CodeQL package management functionality, including all types of CodeQL pack, is currently available as a beta release and is subject to change. During the beta release, CodeQL packs are available only using GitHub Packages - the GitHub Container registry. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases. diff --git a/go/extractor/cli/go-autobuilder/go-autobuilder.go b/go/extractor/cli/go-autobuilder/go-autobuilder.go index 0b1011db866f..fc309a3d44ca 100644 --- a/go/extractor/cli/go-autobuilder/go-autobuilder.go +++ b/go/extractor/cli/go-autobuilder/go-autobuilder.go @@ -370,7 +370,7 @@ func getDepMode(emitDiagnostics bool) (DependencyInstallerMode, string) { // Tries to open `go.mod` and read a go directive, returning the version and whether it was found. func tryReadGoDirective(buildInfo BuildInfo) (string, bool) { if buildInfo.DepMode == GoGetWithModules { - versionRe := regexp.MustCompile(`(?m)^go[ \t\r]+([0-9]+\.[0-9]+)$`) + versionRe := regexp.MustCompile(`(?m)^go[ \t\r]+([0-9]+\.[0-9]+(\.[0-9]+)?)$`) goMod, err := os.ReadFile(filepath.Join(buildInfo.BaseDir, "go.mod")) if err != nil { log.Println("Failed to read go.mod to check for missing Go version") 
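Review bot: The new optional patch component `(\.[0-9]+)?` is a capturing group, so `versionRe` now yields an extra third submatch whose value is never wanted on its own; writing it as `(?:\.[0-9]+)?`, i.e. `(?m)^go[ \t\r]+([0-9]+\.[0-9]+(?:\.[0-9]+)?)$`, keeps the match slice to the single intended group and makes the intent explicit. Separately, group 1 can now be `1.21.0` as well as `1.21`, so whatever consumes the returned version presumably needs to accept a three-component string; tryReadGoDirective continues past the end of this hunk, so that cannot be confirmed here. Pre-release directives such as `go 1.21rc1` still fall through to the not-found path, which may be intentional but is worth a comment on the regex line.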
diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index fb9e1f49e540..fba37b581ac0 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -1,3 +1,13 @@ +## 0.6.5 + +No user-facing changes. + +## 0.6.4 + +### Minor Analysis Improvements + +* Added [http.Error](https://pkg.go.dev/net/http#Error) to XSS sanitzers. + ## 0.6.3 No user-facing changes. diff --git a/go/ql/lib/change-notes/2023-08-28-add-error-sanitizer-for-xss.md b/go/ql/lib/change-notes/released/0.6.4.md similarity index 54% rename from go/ql/lib/change-notes/2023-08-28-add-error-sanitizer-for-xss.md rename to go/ql/lib/change-notes/released/0.6.4.md index 2f1f5037390a..6c561f821777 100644 --- a/go/ql/lib/change-notes/2023-08-28-add-error-sanitizer-for-xss.md +++ b/go/ql/lib/change-notes/released/0.6.4.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- -* Added [http.Error](https://pkg.go.dev/net/http#Error) to XSS sanitzers. \ No newline at end of file +## 0.6.4 + +### Minor Analysis Improvements + +* Added [http.Error](https://pkg.go.dev/net/http#Error) to XSS sanitzers. diff --git a/go/ql/lib/change-notes/released/0.6.5.md b/go/ql/lib/change-notes/released/0.6.5.md new file mode 100644 index 000000000000..b2bc387588d8 --- /dev/null +++ b/go/ql/lib/change-notes/released/0.6.5.md @@ -0,0 +1,3 @@ +## 0.6.5 + +No user-facing changes. diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index b7dafe32c5d8..86780fb61480 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.6.3 +lastReleaseVersion: 0.6.5 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index d3765da2f89d..cdacb07367df 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 0.6.4-dev +version: 0.7.0-dev groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index cfe3163c6e99..4b7c6babedc1 100644 
--- a/go/ql/src/CHANGELOG.md +++ b/go/ql/src/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.6.5 + +No user-facing changes. + +## 0.6.4 + +No user-facing changes. + ## 0.6.3 No user-facing changes. diff --git a/go/ql/src/change-notes/released/0.6.4.md b/go/ql/src/change-notes/released/0.6.4.md new file mode 100644 index 000000000000..7e98b0159fc0 --- /dev/null +++ b/go/ql/src/change-notes/released/0.6.4.md @@ -0,0 +1,3 @@ +## 0.6.4 + +No user-facing changes. diff --git a/go/ql/src/change-notes/released/0.6.5.md b/go/ql/src/change-notes/released/0.6.5.md new file mode 100644 index 000000000000..b2bc387588d8 --- /dev/null +++ b/go/ql/src/change-notes/released/0.6.5.md @@ -0,0 +1,3 @@ +## 0.6.5 + +No user-facing changes. diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml index b7dafe32c5d8..86780fb61480 100644 --- a/go/ql/src/codeql-pack.release.yml +++ b/go/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.6.3 +lastReleaseVersion: 0.6.5 diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index a625c40a9c82..8a187f1080e0 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 0.6.4-dev +version: 0.7.0-dev groups: - go - queries diff --git a/java/ql/automodel/src/CHANGELOG.md b/java/ql/automodel/src/CHANGELOG.md new file mode 100644 index 000000000000..a78acd769605 --- /dev/null +++ b/java/ql/automodel/src/CHANGELOG.md @@ -0,0 +1,7 @@ +## 0.0.4 + +No user-facing changes. + +## 0.0.3 + +No user-facing changes. diff --git a/java/ql/automodel/src/change-notes/released/0.0.3.md b/java/ql/automodel/src/change-notes/released/0.0.3.md new file mode 100644 index 000000000000..af7864fc7d54 --- /dev/null +++ b/java/ql/automodel/src/change-notes/released/0.0.3.md @@ -0,0 +1,3 @@ +## 0.0.3 + +No user-facing changes. 
diff --git a/java/ql/automodel/src/change-notes/released/0.0.4.md b/java/ql/automodel/src/change-notes/released/0.0.4.md new file mode 100644 index 000000000000..eefe286a4d88 --- /dev/null +++ b/java/ql/automodel/src/change-notes/released/0.0.4.md @@ -0,0 +1,3 @@ +## 0.0.4 + +No user-facing changes. diff --git a/java/ql/automodel/src/codeql-pack.release.yml b/java/ql/automodel/src/codeql-pack.release.yml new file mode 100644 index 000000000000..ec411a674bcd --- /dev/null +++ b/java/ql/automodel/src/codeql-pack.release.yml @@ -0,0 +1,2 @@ +--- +lastReleaseVersion: 0.0.4 diff --git a/java/ql/automodel/src/qlpack.yml b/java/ql/automodel/src/qlpack.yml index 1fe48a3541ca..d41368cab933 100644 --- a/java/ql/automodel/src/qlpack.yml +++ b/java/ql/automodel/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-automodel-queries -version: 0.0.4-dev +version: 0.0.5-dev groups: - java - automodel diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index 42a5c07e8269..c5d72b195012 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -1,3 +1,20 @@ +## 0.7.5 + +No user-facing changes. + +## 0.7.4 + +### New Features + +* Kotlin versions up to 1.9.10 are now supported. + +### Minor Analysis Improvements + +* Fixed the MaD signature specifications to use proper nested type names. +* Added new sanitizer to Java command injection model +* Added more dataflow models for JAX-RS. +* The predicate `JaxWsEndpoint::getARemoteMethod` no longer requires the result to be annotated with `@WebMethod`. Instead, the requirements listed in the JAX-RPC Specification 1.1 for required parameter and return types are used. Applications using JAX-RS may see an increase in results. + ## 0.7.3 ### Major Analysis Improvements diff --git a/java/ql/lib/change-notes/2023-08-07-jaxrs-new-models.md b/java/ql/lib/change-notes/2023-08-07-jaxrs-new-models.md deleted file mode 100644 index 8b34698758b0..000000000000 
--- a/java/ql/lib/change-notes/2023-08-07-jaxrs-new-models.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added more dataflow models for JAX-RS. diff --git a/java/ql/lib/change-notes/2023-08-21-java-command-injection-sanitizer.md b/java/ql/lib/change-notes/2023-08-21-java-command-injection-sanitizer.md deleted file mode 100644 index ca183d5d0652..000000000000 --- a/java/ql/lib/change-notes/2023-08-21-java-command-injection-sanitizer.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added new sanitizer to Java command injection model \ No newline at end of file diff --git a/java/ql/lib/change-notes/2023-08-23-mad-nestednames.md b/java/ql/lib/change-notes/2023-08-23-mad-nestednames.md deleted file mode 100644 index 0a804f1866f9..000000000000 --- a/java/ql/lib/change-notes/2023-08-23-mad-nestednames.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Fixed the MaD signature specifications to use proper nested type names. diff --git a/java/ql/lib/change-notes/2023-08-24-kotlin-1.9.10.md b/java/ql/lib/change-notes/2023-08-24-kotlin-1.9.10.md deleted file mode 100644 index ee878bb11af2..000000000000 --- a/java/ql/lib/change-notes/2023-08-24-kotlin-1.9.10.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* Kotlin versions up to 1.9.10 are now supported. diff --git a/java/ql/lib/change-notes/2023-08-07-jaxrs-webmethod-improvements.md b/java/ql/lib/change-notes/released/0.7.4.md similarity index 50% rename from java/ql/lib/change-notes/2023-08-07-jaxrs-webmethod-improvements.md rename to java/ql/lib/change-notes/released/0.7.4.md index be19599c8655..78491df85ebd 100644 --- a/java/ql/lib/change-notes/2023-08-07-jaxrs-webmethod-improvements.md +++ b/java/ql/lib/change-notes/released/0.7.4.md 
@@ -1,4 +1,12 @@ ---- -category: minorAnalysis ---- +## 0.7.4 + +### New Features + +* Kotlin versions up to 1.9.10 are now supported. + +### Minor Analysis Improvements + +* Fixed the MaD signature specifications to use proper nested type names. +* Added new sanitizer to Java command injection model +* Added more dataflow models for JAX-RS. * The predicate `JaxWsEndpoint::getARemoteMethod` no longer requires the result to be annotated with `@WebMethod`. Instead, the requirements listed in the JAX-RPC Specification 1.1 for required parameter and return types are used. Applications using JAX-RS may see an increase in results. diff --git a/java/ql/lib/change-notes/released/0.7.5.md b/java/ql/lib/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..b2759d5bd80f --- /dev/null +++ b/java/ql/lib/change-notes/released/0.7.5.md @@ -0,0 +1,3 @@ +## 0.7.5 + +No user-facing changes. diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index e708ee160f20..df095807bd53 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 0.7.4-dev +version: 0.8.0-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index 4c5b963ada71..956a81d7802d 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md 
@@ -1,3 +1,17 @@ +## 0.7.5 + +No user-facing changes. + +## 0.7.4 + +### New Queries + +* Added the `java/trust-boundary-violation` query to detect trust boundary violations between HTTP requests and the HTTP session. Also added the `trust-boundary-violation` sink kind for sinks which may cross a trust boundary, such as calls to the `HttpSession#setAttribute` method. + +### Minor Analysis Improvements + +* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the MDHT library. + ## 0.7.3 No user-facing changes. diff --git a/java/ql/src/change-notes/2023-07-19-xxe-new-sinks.md b/java/ql/src/change-notes/2023-07-19-xxe-new-sinks.md deleted file mode 100644 index 6f062a63e813..000000000000 --- a/java/ql/src/change-notes/2023-07-19-xxe-new-sinks.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the MDHT library. diff --git a/java/ql/src/change-notes/2023-07-25-trust-boundary-violation-query.md b/java/ql/src/change-notes/released/0.7.4.md similarity index 50% rename from java/ql/src/change-notes/2023-07-25-trust-boundary-violation-query.md rename to java/ql/src/change-notes/released/0.7.4.md index 802e367bf109..c214e52bd23b 100644 --- a/java/ql/src/change-notes/2023-07-25-trust-boundary-violation-query.md +++ b/java/ql/src/change-notes/released/0.7.4.md 
@@ -1,5 +1,9 @@ ---- -category: newQuery ---- +## 0.7.4 + +### New Queries + * Added the `java/trust-boundary-violation` query to detect trust boundary violations between HTTP requests and the HTTP session. Also added the `trust-boundary-violation` sink kind for sinks which may cross a trust boundary, such as calls to the `HttpSession#setAttribute` method. +### Minor Analysis Improvements + +* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the MDHT library. diff --git a/java/ql/src/change-notes/released/0.7.5.md b/java/ql/src/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..b2759d5bd80f --- /dev/null +++ b/java/ql/src/change-notes/released/0.7.5.md @@ -0,0 +1,3 @@ +## 0.7.5 + +No user-facing changes. diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/java/ql/src/codeql-pack.release.yml +++ b/java/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index b2a297894fa8..f09f03cb987a 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,6 +1,6 @@ name: codeql/java-queries -version: 0.7.4-dev -groups: +version: 0.8.0-dev +groups: - java - queries suites: codeql-suites diff --git a/javascript/extractor/lib/typescript/src/main.ts b/javascript/extractor/lib/typescript/src/main.ts index 2594f4e35f5b..e9849f42f5c0 100644 --- a/javascript/extractor/lib/typescript/src/main.ts +++ b/javascript/extractor/lib/typescript/src/main.ts 
@@ -361,7 +361,10 @@ function handleParseCommand(command: ParseCommand, checkPending = true) {
 let filename = command.filename;
 let expectedFilename = state.pendingFiles[state.pendingFileIndex];
 if (expectedFilename !== filename && checkPending) {
- throw new Error("File requested out of order. Expected '" + expectedFilename + "' but got '" + filename + "'");
+ // File was requested out of order. This happens in rare cases because the Java process decided against extracting it,
+ // for example because it was too large. Just recover and accept that some work was wasted.
+ state.pendingResponse = null;
+ state.pendingFileIndex = state.pendingFiles.indexOf(filename);
 }
 ++state.pendingFileIndex;
 let response = state.pendingResponse || extractFile(command.filename);
diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md
index ad0301e9c7bd..022aebbd6932 100644
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.7.5
+
+No user-facing changes.
+
+## 0.7.4
+
+### Major Analysis Improvements
+
+* Added support for TypeScript 5.2.
+
 ## 0.7.3
 
 No user-facing changes.
diff --git a/javascript/ql/lib/change-notes/2023-06-30-typescript-5-2.md b/javascript/ql/lib/change-notes/2023-06-30-typescript-5-2.md
deleted file mode 100644
index 2aa36cac278c..000000000000
--- a/javascript/ql/lib/change-notes/2023-06-30-typescript-5-2.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* Added support for TypeScript 5.2.
\ No newline at end of file
diff --git a/javascript/ql/lib/change-notes/released/0.7.4.md b/javascript/ql/lib/change-notes/released/0.7.4.md
new file mode 100644
index 000000000000..7608c571bdfe
--- /dev/null
+++ b/javascript/ql/lib/change-notes/released/0.7.4.md
@@ -0,0 +1,5 @@
+## 0.7.4
+
+### Major Analysis Improvements
+
+* Added support for TypeScript 5.2.
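Review bot: `state.pendingFiles.indexOf(filename)` on the last added line returns -1 when the requested file is not in the pending list at all, and the `++state.pendingFileIndex` that follows then resets the cursor to 0, so every later request would again look out of order and be re-extracted from scratch. A guard on the miss keeps the old failure mode for that case, e.g. `const idx = state.pendingFiles.indexOf(filename); if (idx < 0) throw new Error("File requested out of order and not pending: '" + filename + "'"); state.pendingFileIndex = idx;`. Replacing the throw with silent recovery also removes the only signal that the Java side skipped a file, so a warning on stderr (`console.error`) at the recovery point would make incomplete extraction results diagnosable later; if this process uses stderr for its protocol, a comment noting why nothing is logged would do instead. handleParseCommand starts and ends outside the hunk.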
diff --git a/javascript/ql/lib/change-notes/released/0.7.5.md b/javascript/ql/lib/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..b2759d5bd80f --- /dev/null +++ b/javascript/ql/lib/change-notes/released/0.7.5.md @@ -0,0 +1,3 @@ +## 0.7.5 + +No user-facing changes. diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/javascript/ql/lib/codeql-pack.release.yml +++ b/javascript/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index d65eefd366ca..2b5b69eccf94 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 0.7.4-dev +version: 0.8.0-dev groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md index d77e565ad901..c67be888c57e 100644 --- a/javascript/ql/src/CHANGELOG.md +++ b/javascript/ql/src/CHANGELOG.md @@ -1,3 +1,20 @@ +## 0.7.5 + +### Bug Fixes + +* Fixed an extractor crash that could occur in projects containing TypeScript files larger than 10 MB. + +## 0.7.4 + +### Minor Analysis Improvements + +* Files larger than 10 MB are no longer be extracted or analyzed. +* Imports can now be resolved in more cases, where a non-constant string expression is passed to a `require()` call. + +### Bug Fixes + +* Fixed an extractor crash that would occur in rare cases when a TypeScript file contains a self-referential namespace alias. + ## 0.7.3 No user-facing changes. diff --git a/javascript/ql/src/change-notes/2023-08-23-fix-cyclic-alias-extraction.md b/javascript/ql/src/change-notes/2023-08-23-fix-cyclic-alias-extraction.md deleted file mode 100644 index 66769f2b8fa6..000000000000 
--- a/javascript/ql/src/change-notes/2023-08-23-fix-cyclic-alias-extraction.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: fix ---- -* Fixed an extractor crash that would occur in rare cases when a TypeScript file contains a self-referential namespace alias. diff --git a/javascript/ql/src/change-notes/2023-08-23-ignore-huge-files.md b/javascript/ql/src/change-notes/2023-08-23-ignore-huge-files.md deleted file mode 100644 index fc82b3b5a3fa..000000000000 --- a/javascript/ql/src/change-notes/2023-08-23-ignore-huge-files.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Files larger than 10 MB are no longer be extracted or analyzed. diff --git a/javascript/ql/src/change-notes/2023-08-23-import-path-string.md b/javascript/ql/src/change-notes/2023-08-23-import-path-string.md deleted file mode 100644 index 64a70c1fe102..000000000000 --- a/javascript/ql/src/change-notes/2023-08-23-import-path-string.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Imports can now be resolved in more cases, where a non-constant string expression is passed to a `require()` call. diff --git a/javascript/ql/src/change-notes/released/0.7.4.md b/javascript/ql/src/change-notes/released/0.7.4.md new file mode 100644 index 000000000000..55118b12535d --- /dev/null +++ b/javascript/ql/src/change-notes/released/0.7.4.md @@ -0,0 +1,10 @@ +## 0.7.4 + +### Minor Analysis Improvements + +* Files larger than 10 MB are no longer be extracted or analyzed. +* Imports can now be resolved in more cases, where a non-constant string expression is passed to a `require()` call. + +### Bug Fixes + +* Fixed an extractor crash that would occur in rare cases when a TypeScript file contains a self-referential namespace alias. diff --git a/javascript/ql/src/change-notes/released/0.7.5.md b/javascript/ql/src/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..775a6657446b --- /dev/null +++ b/javascript/ql/src/change-notes/released/0.7.5.md 
@@ -0,0 +1,5 @@ +## 0.7.5 + +### Bug Fixes + +* Fixed an extractor crash that could occur in projects containing TypeScript files larger than 10 MB. diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/javascript/ql/src/codeql-pack.release.yml +++ b/javascript/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index 04ee9ae61350..831f4e9aa57b 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,6 +1,6 @@ name: codeql/javascript-queries -version: 0.7.4-dev -groups: +version: 0.8.0-dev +groups: - javascript - queries suites: codeql-suites diff --git a/misc/suite-helpers/CHANGELOG.md b/misc/suite-helpers/CHANGELOG.md index 0abf0d493177..9435d172e6f3 100644 --- a/misc/suite-helpers/CHANGELOG.md +++ b/misc/suite-helpers/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.6.5 + +No user-facing changes. + +## 0.6.4 + +No user-facing changes. + ## 0.6.3 No user-facing changes. diff --git a/misc/suite-helpers/change-notes/released/0.6.4.md b/misc/suite-helpers/change-notes/released/0.6.4.md new file mode 100644 index 000000000000..7e98b0159fc0 --- /dev/null +++ b/misc/suite-helpers/change-notes/released/0.6.4.md @@ -0,0 +1,3 @@ +## 0.6.4 + +No user-facing changes. diff --git a/misc/suite-helpers/change-notes/released/0.6.5.md b/misc/suite-helpers/change-notes/released/0.6.5.md new file mode 100644 index 000000000000..b2bc387588d8 --- /dev/null +++ b/misc/suite-helpers/change-notes/released/0.6.5.md @@ -0,0 +1,3 @@ +## 0.6.5 + +No user-facing changes. diff --git a/misc/suite-helpers/codeql-pack.release.yml b/misc/suite-helpers/codeql-pack.release.yml index b7dafe32c5d8..86780fb61480 100644 --- a/misc/suite-helpers/codeql-pack.release.yml +++ b/misc/suite-helpers/codeql-pack.release.yml 
@@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.6.3 +lastReleaseVersion: 0.6.5 diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index 0c423deb64d7..820c1bfc571e 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 0.6.4-dev +version: 0.7.0-dev groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index d3b291f4b48f..0f7d9c299758 100644 --- a/python/ql/lib/CHANGELOG.md +++ b/python/ql/lib/CHANGELOG.md @@ -1,3 +1,14 @@ +## 0.10.5 + +No user-facing changes. + +## 0.10.4 + +### Minor Analysis Improvements + +* Regular expressions containing multiple parse mode flags are now interpretted correctly. For example `"(?is)abc.*"` with both the `i` and `s` flags. +* Added `shlex.quote` as a sanitizer for the `py/shell-command-constructed-from-input` query. + ## 0.10.3 ### Minor Analysis Improvements diff --git a/python/ql/lib/change-notes/2023-07-20-shlex-quote-sanitizer.md b/python/ql/lib/change-notes/2023-07-20-shlex-quote-sanitizer.md deleted file mode 100644 index 71238715831c..000000000000 --- a/python/ql/lib/change-notes/2023-07-20-shlex-quote-sanitizer.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added `shlex.quote` as a sanitizer for the `py/shell-command-constructed-from-input` query. \ No newline at end of file diff --git a/python/ql/lib/change-notes/2023-07-20-regex-parse-modes.md b/python/ql/lib/change-notes/released/0.10.4.md similarity index 52% rename from python/ql/lib/change-notes/2023-07-20-regex-parse-modes.md rename to python/ql/lib/change-notes/released/0.10.4.md index 2d6762274910..7f93237c6213 100644 --- a/python/ql/lib/change-notes/2023-07-20-regex-parse-modes.md +++ b/python/ql/lib/change-notes/released/0.10.4.md 
@@ -1,4 +1,6 @@ ---- -category: minorAnalysis ---- +## 0.10.4 + +### Minor Analysis Improvements + * Regular expressions containing multiple parse mode flags are now interpretted correctly. For example `"(?is)abc.*"` with both the `i` and `s` flags. +* Added `shlex.quote` as a sanitizer for the `py/shell-command-constructed-from-input` query. diff --git a/python/ql/lib/change-notes/released/0.10.5.md b/python/ql/lib/change-notes/released/0.10.5.md new file mode 100644 index 000000000000..62e32e257b6d --- /dev/null +++ b/python/ql/lib/change-notes/released/0.10.5.md @@ -0,0 +1,3 @@ +## 0.10.5 + +No user-facing changes. diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml index c6c21ef7d6ce..2e5e2af8307c 100644 --- a/python/ql/lib/codeql-pack.release.yml +++ b/python/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.10.3 +lastReleaseVersion: 0.10.5 diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index cac5d51e2e46..9f2da148abf0 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 0.10.4-dev +version: 0.11.0-dev groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index d8bc409ff86f..ca2dfaae5460 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md @@ -1,3 +1,14 @@ +## 0.8.5 + +No user-facing changes. + +## 0.8.4 + +### Minor Analysis Improvements + +* Improved _Reflected server-side cross-site scripting_ (`py/reflective-xss`) query to not alert on data passed to `flask.jsonify`. Since these HTTP responses are returned with mime-type `application/json`, they do not pose a security risk for XSS. +* Updated path explanations for `@kind path-problem` queries to always include left hand side of assignments, making paths easier to understand. + ## 0.8.3 No user-facing changes. 
diff --git a/python/ql/src/change-notes/2023-08-17-improved-path-graph.md b/python/ql/src/change-notes/2023-08-17-improved-path-graph.md deleted file mode 100644 index a2545d362e9e..000000000000 --- a/python/ql/src/change-notes/2023-08-17-improved-path-graph.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Updated path explanations for `@kind path-problem` queries to always include left hand side of assignments, making paths easier to understand. diff --git a/python/ql/src/change-notes/2023-08-29-fixed-jsonify-xss-fp.md b/python/ql/src/change-notes/released/0.8.4.md similarity index 56% rename from python/ql/src/change-notes/2023-08-29-fixed-jsonify-xss-fp.md rename to python/ql/src/change-notes/released/0.8.4.md index 8268f2966062..223f2a83361c 100644 --- a/python/ql/src/change-notes/2023-08-29-fixed-jsonify-xss-fp.md +++ b/python/ql/src/change-notes/released/0.8.4.md @@ -1,4 +1,6 @@ ---- -category: minorAnalysis ---- +## 0.8.4 + +### Minor Analysis Improvements + * Improved _Reflected server-side cross-site scripting_ (`py/reflective-xss`) query to not alert on data passed to `flask.jsonify`. Since these HTTP responses are returned with mime-type `application/json`, they do not pose a security risk for XSS. +* Updated path explanations for `@kind path-problem` queries to always include left hand side of assignments, making paths easier to understand. diff --git a/python/ql/src/change-notes/released/0.8.5.md b/python/ql/src/change-notes/released/0.8.5.md new file mode 100644 index 000000000000..cb2a467c35b0 --- /dev/null +++ b/python/ql/src/change-notes/released/0.8.5.md @@ -0,0 +1,3 @@ +## 0.8.5 + +No user-facing changes. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index b6e46394f370..cbe6bc6b7c62 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.8.3 +lastReleaseVersion: 0.8.5 
diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index f7ff3ff23484..7790d40858b6 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,6 +1,6 @@ name: codeql/python-queries -version: 0.8.4-dev -groups: +version: 0.9.0-dev +groups: - python - queries dependencies: diff --git a/ql/ql/src/qlpack.yml b/ql/ql/src/qlpack.yml index 68991ef1c20f..8169a0971358 100644 --- a/ql/ql/src/qlpack.yml +++ b/ql/ql/src/qlpack.yml @@ -1,6 +1,8 @@ name: codeql/ql -version: 0.0.0 -groups: [ql, queries] +version: 0.1.0-dev +groups: + - ql + - queries dbscheme: ql.dbscheme suites: codeql-suites defaultSuiteFile: codeql-suites/ql-code-scanning.qls diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index ae92859730f3..60cc08a923dd 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.7.5 + +No user-facing changes. + +## 0.7.4 + +No user-facing changes. + ## 0.7.3 ### Minor Analysis Improvements diff --git a/ruby/ql/lib/change-notes/released/0.7.4.md b/ruby/ql/lib/change-notes/released/0.7.4.md new file mode 100644 index 000000000000..1b33df9cb1e8 --- /dev/null +++ b/ruby/ql/lib/change-notes/released/0.7.4.md @@ -0,0 +1,3 @@ +## 0.7.4 + +No user-facing changes. diff --git a/ruby/ql/lib/change-notes/released/0.7.5.md b/ruby/ql/lib/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..b2759d5bd80f --- /dev/null +++ b/ruby/ql/lib/change-notes/released/0.7.5.md @@ -0,0 +1,3 @@ +## 0.7.5 + +No user-facing changes. diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index e50377dfb130..d90c77225c7e 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 0.7.4-dev +version: 0.8.0-dev groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index 9e85e2317d3b..f69f774d1711 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,13 @@ +## 0.7.5 + +No user-facing changes. + +## 0.7.4 + +### New Queries + +* Added a new experimental query, `rb/improper-ldap-auth`, to detect cases where user input is used during LDAP authentication without proper validation or sanitization, potentially leading to authentication bypass. + ## 0.7.3 No user-facing changes. diff --git a/ruby/ql/src/change-notes/2023-05-29-improper-ldap-auth-query.md b/ruby/ql/src/change-notes/released/0.7.4.md similarity index 88% rename from ruby/ql/src/change-notes/2023-05-29-improper-ldap-auth-query.md rename to ruby/ql/src/change-notes/released/0.7.4.md index 13c5a89c8083..228683b8a68e 100644 --- a/ruby/ql/src/change-notes/2023-05-29-improper-ldap-auth-query.md +++ b/ruby/ql/src/change-notes/released/0.7.4.md @@ -1,4 +1,5 @@ ---- -category: newQuery ---- +## 0.7.4 + +### New Queries + * Added a new experimental query, `rb/improper-ldap-auth`, to detect cases where user input is used during LDAP authentication without proper validation or sanitization, potentially leading to authentication bypass. diff --git a/ruby/ql/src/change-notes/released/0.7.5.md b/ruby/ql/src/change-notes/released/0.7.5.md new file mode 100644 index 000000000000..b2759d5bd80f --- /dev/null +++ b/ruby/ql/src/change-notes/released/0.7.5.md @@ -0,0 +1,3 @@ +## 0.7.5 + +No user-facing changes. diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index a4ea9c8de172..b5108ee0bda8 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.7.3 +lastReleaseVersion: 0.7.5 
diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 441effac8274..86ea5c3b18d7 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,6 +1,6 @@ name: codeql/ruby-queries -version: 0.7.4-dev -groups: +version: 0.8.0-dev +groups: - ruby - queries suites: codeql-suites diff --git a/shared/controlflow/CHANGELOG.md b/shared/controlflow/CHANGELOG.md index aab63b11f750..3370a04b28cc 100644 --- a/shared/controlflow/CHANGELOG.md +++ b/shared/controlflow/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.0.4 + +No user-facing changes. + +## 0.0.3 + +No user-facing changes. + ## 0.0.2 No user-facing changes. diff --git a/shared/controlflow/change-notes/released/0.0.3.md b/shared/controlflow/change-notes/released/0.0.3.md new file mode 100644 index 000000000000..af7864fc7d54 --- /dev/null +++ b/shared/controlflow/change-notes/released/0.0.3.md @@ -0,0 +1,3 @@ +## 0.0.3 + +No user-facing changes. diff --git a/shared/controlflow/change-notes/released/0.0.4.md b/shared/controlflow/change-notes/released/0.0.4.md new file mode 100644 index 000000000000..eefe286a4d88 --- /dev/null +++ b/shared/controlflow/change-notes/released/0.0.4.md @@ -0,0 +1,3 @@ +## 0.0.4 + +No user-facing changes. diff --git a/shared/controlflow/codeql-pack.release.yml b/shared/controlflow/codeql-pack.release.yml index 55dc06fbd76a..ec411a674bcd 100644 --- a/shared/controlflow/codeql-pack.release.yml +++ b/shared/controlflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.2 +lastReleaseVersion: 0.0.4 diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index 90520957d85e..075a5632883e 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 0.0.3-dev +version: 0.1.0-dev groups: shared library: true dependencies: diff --git a/shared/dataflow/CHANGELOG.md b/shared/dataflow/CHANGELOG.md index 1a5f4d386634..e18f52c02373 100644 --- a/shared/dataflow/CHANGELOG.md 
+++ b/shared/dataflow/CHANGELOG.md @@ -1,3 +1,17 @@ +## 0.0.4 + +No user-facing changes. + +## 0.0.3 + +### New Features + +* The various inline flow test libraries have been consolidated as a shared library part in the dataflow qlpack. + +### Minor Analysis Improvements + +* The shared taint-tracking library is now part of the dataflow qlpack. + ## 0.0.2 ### Major Analysis Improvements diff --git a/shared/dataflow/change-notes/2023-08-04-taint-tracking.md b/shared/dataflow/change-notes/2023-08-04-taint-tracking.md deleted file mode 100644 index 000d7ea265c3..000000000000 --- a/shared/dataflow/change-notes/2023-08-04-taint-tracking.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The shared taint-tracking library is now part of the dataflow qlpack. diff --git a/shared/dataflow/change-notes/2023-08-24-inline-flow-test.md b/shared/dataflow/change-notes/2023-08-24-inline-flow-test.md deleted file mode 100644 index 4f879df3fd3d..000000000000 --- a/shared/dataflow/change-notes/2023-08-24-inline-flow-test.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* The various inline flow test libraries have been consolidated as a shared library part in the dataflow qlpack. diff --git a/shared/dataflow/change-notes/released/0.0.3.md b/shared/dataflow/change-notes/released/0.0.3.md new file mode 100644 index 000000000000..4b6ac03adc1c --- /dev/null +++ b/shared/dataflow/change-notes/released/0.0.3.md @@ -0,0 +1,9 @@ +## 0.0.3 + +### New Features + +* The various inline flow test libraries have been consolidated as a shared library part in the dataflow qlpack. + +### Minor Analysis Improvements + +* The shared taint-tracking library is now part of the dataflow qlpack. diff --git a/shared/dataflow/change-notes/released/0.0.4.md b/shared/dataflow/change-notes/released/0.0.4.md new file mode 100644 index 000000000000..eefe286a4d88 --- /dev/null +++ b/shared/dataflow/change-notes/released/0.0.4.md @@ -0,0 +1,3 @@ +## 0.0.4 + +No user-facing changes. 
diff --git a/shared/dataflow/codeql-pack.release.yml b/shared/dataflow/codeql-pack.release.yml index 55dc06fbd76a..ec411a674bcd 100644 --- a/shared/dataflow/codeql-pack.release.yml +++ b/shared/dataflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.2 +lastReleaseVersion: 0.0.4 diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index 42bdbb50379f..3ed09bbbbd91 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 0.0.3-dev +version: 0.1.0-dev groups: shared library: true dependencies: diff --git a/shared/mad/CHANGELOG.md b/shared/mad/CHANGELOG.md index 4c7b7dd6878a..85c1fc61056f 100644 --- a/shared/mad/CHANGELOG.md +++ b/shared/mad/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.1.5 + +No user-facing changes. + +## 0.1.4 + +No user-facing changes. + ## 0.1.3 No user-facing changes. diff --git a/shared/mad/change-notes/released/0.1.4.md b/shared/mad/change-notes/released/0.1.4.md new file mode 100644 index 000000000000..a77c429adbac --- /dev/null +++ b/shared/mad/change-notes/released/0.1.4.md @@ -0,0 +1,3 @@ +## 0.1.4 + +No user-facing changes. diff --git a/shared/mad/change-notes/released/0.1.5.md b/shared/mad/change-notes/released/0.1.5.md new file mode 100644 index 000000000000..83cd9c5ff46a --- /dev/null +++ b/shared/mad/change-notes/released/0.1.5.md @@ -0,0 +1,3 @@ +## 0.1.5 + +No user-facing changes. diff --git a/shared/mad/codeql-pack.release.yml b/shared/mad/codeql-pack.release.yml index b79d8f9d00a2..157cff8108d3 100644 --- a/shared/mad/codeql-pack.release.yml +++ b/shared/mad/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.3 +lastReleaseVersion: 0.1.5 diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index cf6c9c6ea7d6..df8815691e0a 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml 
@@ -1,6 +1,6 @@ name: codeql/mad -version: 0.1.4-dev +version: 0.2.0-dev groups: shared library: true -dependencies: +dependencies: null warnOnImplicitThis: true diff --git a/shared/regex/CHANGELOG.md b/shared/regex/CHANGELOG.md index 8cd409f97351..52d8a94f585f 100644 --- a/shared/regex/CHANGELOG.md +++ b/shared/regex/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.1.5 + +No user-facing changes. + +## 0.1.4 + +No user-facing changes. + ## 0.1.3 No user-facing changes. diff --git a/shared/regex/change-notes/released/0.1.4.md b/shared/regex/change-notes/released/0.1.4.md new file mode 100644 index 000000000000..a77c429adbac --- /dev/null +++ b/shared/regex/change-notes/released/0.1.4.md @@ -0,0 +1,3 @@ +## 0.1.4 + +No user-facing changes. diff --git a/shared/regex/change-notes/released/0.1.5.md b/shared/regex/change-notes/released/0.1.5.md new file mode 100644 index 000000000000..83cd9c5ff46a --- /dev/null +++ b/shared/regex/change-notes/released/0.1.5.md @@ -0,0 +1,3 @@ +## 0.1.5 + +No user-facing changes. diff --git a/shared/regex/codeql-pack.release.yml b/shared/regex/codeql-pack.release.yml index b79d8f9d00a2..157cff8108d3 100644 --- a/shared/regex/codeql-pack.release.yml +++ b/shared/regex/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.3 +lastReleaseVersion: 0.1.5 diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index a30e17c4d967..a844c6216f0d 100644 --- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 0.1.4-dev +version: 0.2.0-dev groups: shared library: true dependencies: diff --git a/shared/ssa/CHANGELOG.md b/shared/ssa/CHANGELOG.md index 466f3f453269..c9857f9ad971 100644 --- a/shared/ssa/CHANGELOG.md +++ b/shared/ssa/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.1.5 + +No user-facing changes. + +## 0.1.4 + +No user-facing changes. + ## 0.1.3 No user-facing changes. 
diff --git a/shared/ssa/change-notes/released/0.1.4.md b/shared/ssa/change-notes/released/0.1.4.md new file mode 100644 index 000000000000..a77c429adbac --- /dev/null +++ b/shared/ssa/change-notes/released/0.1.4.md @@ -0,0 +1,3 @@ +## 0.1.4 + +No user-facing changes. diff --git a/shared/ssa/change-notes/released/0.1.5.md b/shared/ssa/change-notes/released/0.1.5.md new file mode 100644 index 000000000000..83cd9c5ff46a --- /dev/null +++ b/shared/ssa/change-notes/released/0.1.5.md @@ -0,0 +1,3 @@ +## 0.1.5 + +No user-facing changes. diff --git a/shared/ssa/codeql-pack.release.yml b/shared/ssa/codeql-pack.release.yml index b79d8f9d00a2..157cff8108d3 100644 --- a/shared/ssa/codeql-pack.release.yml +++ b/shared/ssa/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.3 +lastReleaseVersion: 0.1.5 diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index 0db56594e866..767b14897070 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 0.1.4-dev +version: 0.2.0-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/tutorial/CHANGELOG.md b/shared/tutorial/CHANGELOG.md index 0474ebe68659..9466e4c6a087 100644 --- a/shared/tutorial/CHANGELOG.md +++ b/shared/tutorial/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.1.5 + +No user-facing changes. + +## 0.1.4 + +No user-facing changes. + ## 0.1.3 No user-facing changes. diff --git a/shared/tutorial/change-notes/released/0.1.4.md b/shared/tutorial/change-notes/released/0.1.4.md new file mode 100644 index 000000000000..a77c429adbac --- /dev/null +++ b/shared/tutorial/change-notes/released/0.1.4.md @@ -0,0 +1,3 @@ +## 0.1.4 + +No user-facing changes. diff --git a/shared/tutorial/change-notes/released/0.1.5.md b/shared/tutorial/change-notes/released/0.1.5.md new file mode 100644 index 000000000000..83cd9c5ff46a --- /dev/null +++ b/shared/tutorial/change-notes/released/0.1.5.md @@ -0,0 +1,3 @@ +## 0.1.5 + +No user-facing changes. 
diff --git a/shared/tutorial/codeql-pack.release.yml b/shared/tutorial/codeql-pack.release.yml index b79d8f9d00a2..157cff8108d3 100644 --- a/shared/tutorial/codeql-pack.release.yml +++ b/shared/tutorial/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.3 +lastReleaseVersion: 0.1.5 diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index 4beadd851228..7e247846603f 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,6 +1,7 @@ name: codeql/tutorial -description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 0.1.4-dev +description: Library for the CodeQL detective tutorials, helping new users learn to + write CodeQL queries. +version: 0.2.0-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typetracking/CHANGELOG.md b/shared/typetracking/CHANGELOG.md index ee0d1b59186d..30f8294e16af 100644 --- a/shared/typetracking/CHANGELOG.md +++ b/shared/typetracking/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.1.5 + +No user-facing changes. + +## 0.1.4 + +No user-facing changes. + ## 0.1.3 No user-facing changes. diff --git a/shared/typetracking/change-notes/released/0.1.4.md b/shared/typetracking/change-notes/released/0.1.4.md new file mode 100644 index 000000000000..a77c429adbac --- /dev/null +++ b/shared/typetracking/change-notes/released/0.1.4.md @@ -0,0 +1,3 @@ +## 0.1.4 + +No user-facing changes. diff --git a/shared/typetracking/change-notes/released/0.1.5.md b/shared/typetracking/change-notes/released/0.1.5.md new file mode 100644 index 000000000000..83cd9c5ff46a --- /dev/null +++ b/shared/typetracking/change-notes/released/0.1.5.md @@ -0,0 +1,3 @@ +## 0.1.5 + +No user-facing changes. diff --git a/shared/typetracking/codeql-pack.release.yml b/shared/typetracking/codeql-pack.release.yml index b79d8f9d00a2..157cff8108d3 100644 --- a/shared/typetracking/codeql-pack.release.yml +++ b/shared/typetracking/codeql-pack.release.yml 
@@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.3 +lastReleaseVersion: 0.1.5 diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index 3505e8f33f1a..ab4805633996 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typetracking -version: 0.1.4-dev +version: 0.2.0-dev groups: shared library: true dependencies: diff --git a/shared/typos/CHANGELOG.md b/shared/typos/CHANGELOG.md index a8f556aa029d..73d10ecca5bb 100644 --- a/shared/typos/CHANGELOG.md +++ b/shared/typos/CHANGELOG.md @@ -1,3 +1,11 @@ +## 0.1.5 + +No user-facing changes. + +## 0.1.4 + +No user-facing changes. + ## 0.1.3 No user-facing changes. diff --git a/shared/typos/change-notes/released/0.1.4.md b/shared/typos/change-notes/released/0.1.4.md new file mode 100644 index 000000000000..a77c429adbac --- /dev/null +++ b/shared/typos/change-notes/released/0.1.4.md @@ -0,0 +1,3 @@ +## 0.1.4 + +No user-facing changes. diff --git a/shared/typos/change-notes/released/0.1.5.md b/shared/typos/change-notes/released/0.1.5.md new file mode 100644 index 000000000000..83cd9c5ff46a --- /dev/null +++ b/shared/typos/change-notes/released/0.1.5.md @@ -0,0 +1,3 @@ +## 0.1.5 + +No user-facing changes. diff --git a/shared/typos/codeql-pack.release.yml b/shared/typos/codeql-pack.release.yml index b79d8f9d00a2..157cff8108d3 100644 --- a/shared/typos/codeql-pack.release.yml +++ b/shared/typos/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.3 +lastReleaseVersion: 0.1.5 diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index ec757b0242c4..1d226cca2df4 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 0.1.4-dev +version: 0.2.0-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/CHANGELOG.md b/shared/util/CHANGELOG.md index cf58b4ea37c9..5d4ee4dd27f4 100644 --- a/shared/util/CHANGELOG.md +++ b/shared/util/CHANGELOG.md 
@@ -1,3 +1,11 @@
+## 0.1.5
+
+No user-facing changes.
+
+## 0.1.4
+
+No user-facing changes.
+
 ## 0.1.3
 
 No user-facing changes.
diff --git a/shared/util/change-notes/released/0.1.4.md b/shared/util/change-notes/released/0.1.4.md
new file mode 100644
index 000000000000..a77c429adbac
--- /dev/null
+++ b/shared/util/change-notes/released/0.1.4.md
@@ -0,0 +1,3 @@
+## 0.1.4
+
+No user-facing changes.
diff --git a/shared/util/change-notes/released/0.1.5.md b/shared/util/change-notes/released/0.1.5.md
new file mode 100644
index 000000000000..83cd9c5ff46a
--- /dev/null
+++ b/shared/util/change-notes/released/0.1.5.md
@@ -0,0 +1,3 @@
+## 0.1.5
+
+No user-facing changes.
diff --git a/shared/util/codeql-pack.release.yml b/shared/util/codeql-pack.release.yml
index b79d8f9d00a2..157cff8108d3 100644
--- a/shared/util/codeql-pack.release.yml
+++ b/shared/util/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.3
+lastReleaseVersion: 0.1.5
diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml
index 24020172913d..56e7751a8daa 100644
--- a/shared/util/qlpack.yml
+++ b/shared/util/qlpack.yml
@@ -1,6 +1,6 @@
 name: codeql/util
-version: 0.1.4-dev
+version: 0.2.0-dev
 groups: shared
 library: true
-dependencies:
+dependencies: null
 warnOnImplicitThis: true
diff --git a/shared/yaml/CHANGELOG.md b/shared/yaml/CHANGELOG.md
index e41dc84c7c8f..b6247037fd48 100644
--- a/shared/yaml/CHANGELOG.md
+++ b/shared/yaml/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.1.5
+
+No user-facing changes.
+
+## 0.1.4
+
+No user-facing changes.
+
 ## 0.1.3
 
 ### New Features
diff --git a/shared/yaml/change-notes/released/0.1.4.md b/shared/yaml/change-notes/released/0.1.4.md
new file mode 100644
index 000000000000..a77c429adbac
--- /dev/null
+++ b/shared/yaml/change-notes/released/0.1.4.md
@@ -0,0 +1,3 @@
+## 0.1.4
+
+No user-facing changes.
diff --git a/shared/yaml/change-notes/released/0.1.5.md b/shared/yaml/change-notes/released/0.1.5.md
new file mode 100644
index 000000000000..83cd9c5ff46a
--- /dev/null
+++ b/shared/yaml/change-notes/released/0.1.5.md
@@ -0,0 +1,3 @@
+## 0.1.5
+
+No user-facing changes.
diff --git a/shared/yaml/codeql-pack.release.yml b/shared/yaml/codeql-pack.release.yml
index b79d8f9d00a2..157cff8108d3 100644
--- a/shared/yaml/codeql-pack.release.yml
+++ b/shared/yaml/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.3
+lastReleaseVersion: 0.1.5
diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml
index 58627ae3db8b..efef7197a428 100644
--- a/shared/yaml/qlpack.yml
+++ b/shared/yaml/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/yaml
-version: 0.1.4-dev
+version: 0.2.0-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md
index ad443f621cb3..e159bf2fbfc2 100644
--- a/swift/ql/lib/CHANGELOG.md
+++ b/swift/ql/lib/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 0.2.5
+
+No user-facing changes.
+
+## 0.2.4
+
+### Minor Analysis Improvements
+
+* Flow through optional chaining and forced unwrapping in keypaths is now supported by the data flow library.
+* Added flow models of collection `.withContiguous[Mutable]StorageIfAvailable`, `.withUnsafe[Mutable]BufferPointer` and `.withUnsafe[Mutable]Bytes` methods.
+
 ## 0.2.3
 
 ### Major Analysis Improvements
diff --git a/swift/ql/lib/change-notes/2023-08-21-keypath-optionals.md b/swift/ql/lib/change-notes/2023-08-21-keypath-optionals.md
deleted file mode 100644
index 9e2d3bd0e258..000000000000
--- a/swift/ql/lib/change-notes/2023-08-21-keypath-optionals.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-* Flow through optional chaining and forced unwrapping in keypaths is now supported by the data flow library.
diff --git a/swift/ql/lib/change-notes/2023-08-04-closure-models.md b/swift/ql/lib/change-notes/released/0.2.4.md
similarity index 50%
rename from swift/ql/lib/change-notes/2023-08-04-closure-models.md
rename to swift/ql/lib/change-notes/released/0.2.4.md
index ba655f59774d..b7e6c5dcc0f7 100644
--- a/swift/ql/lib/change-notes/2023-08-04-closure-models.md
+++ b/swift/ql/lib/change-notes/released/0.2.4.md
@@ -1,5 +1,6 @@
----
-category: minorAnalysis
----
+## 0.2.4
 
+### Minor Analysis Improvements
+
+* Flow through optional chaining and forced unwrapping in keypaths is now supported by the data flow library.
 * Added flow models of collection `.withContiguous[Mutable]StorageIfAvailable`, `.withUnsafe[Mutable]BufferPointer` and `.withUnsafe[Mutable]Bytes` methods.
diff --git a/swift/ql/lib/change-notes/released/0.2.5.md b/swift/ql/lib/change-notes/released/0.2.5.md
new file mode 100644
index 000000000000..5837551476fa
--- /dev/null
+++ b/swift/ql/lib/change-notes/released/0.2.5.md
@@ -0,0 +1,3 @@
+## 0.2.5
+
+No user-facing changes.
diff --git a/swift/ql/lib/codeql-pack.release.yml b/swift/ql/lib/codeql-pack.release.yml
index 0b605901b424..211454ed3064 100644
--- a/swift/ql/lib/codeql-pack.release.yml
+++ b/swift/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.3
+lastReleaseVersion: 0.2.5
diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml
index cd9b209ffae1..22634a946371 100644
--- a/swift/ql/lib/qlpack.yml
+++ b/swift/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/swift-all
-version: 0.2.4-dev
+version: 0.3.0-dev
 groups: swift
 extractor: swift
 dbscheme: swift.dbscheme
diff --git a/swift/ql/src/CHANGELOG.md b/swift/ql/src/CHANGELOG.md
index 71fec278599e..18a68d6c8757 100644
--- a/swift/ql/src/CHANGELOG.md
+++ b/swift/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.2.5
+
+No user-facing changes.
+
+## 0.2.4
+
+### New Queries
+
+* Added new query "Incomplete regular expression for hostnames" (`swift/incomplete-hostname-regexp`). This query finds regular expressions matching a URL or hostname that may match more hostnames than expected.
+
 ## 0.2.3
 
 No user-facing changes.
diff --git a/swift/ql/src/change-notes/2023-08-23-incomplete-hostname-regex.md b/swift/ql/src/change-notes/released/0.2.4.md
similarity index 88%
rename from swift/ql/src/change-notes/2023-08-23-incomplete-hostname-regex.md
rename to swift/ql/src/change-notes/released/0.2.4.md
index d70dfce16f72..12170e4fdf60 100644
--- a/swift/ql/src/change-notes/2023-08-23-incomplete-hostname-regex.md
+++ b/swift/ql/src/change-notes/released/0.2.4.md
@@ -1,5 +1,5 @@
----
-category: newQuery
----
+## 0.2.4
+
+### New Queries
 
 * Added new query "Incomplete regular expression for hostnames" (`swift/incomplete-hostname-regexp`). This query finds regular expressions matching a URL or hostname that may match more hostnames than expected.
diff --git a/swift/ql/src/change-notes/released/0.2.5.md b/swift/ql/src/change-notes/released/0.2.5.md
new file mode 100644
index 000000000000..5837551476fa
--- /dev/null
+++ b/swift/ql/src/change-notes/released/0.2.5.md
@@ -0,0 +1,3 @@
+## 0.2.5
+
+No user-facing changes.
diff --git a/swift/ql/src/codeql-pack.release.yml b/swift/ql/src/codeql-pack.release.yml
index 0b605901b424..211454ed3064 100644
--- a/swift/ql/src/codeql-pack.release.yml
+++ b/swift/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.3
+lastReleaseVersion: 0.2.5
diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml
index 87c3fb14701d..6649542b2c59 100644
--- a/swift/ql/src/qlpack.yml
+++ b/swift/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/swift-queries
-version: 0.2.4-dev
+version: 0.3.0-dev
 groups:
 - swift
 - queries