Merge branch 'main' into releases

Author: GeekMasher

.github/actions/install-codeql/action.yml

@@ -0,0 +1,48 @@
+name: Setup CodeQL CLI
+description: |
+  Install a CodeQL CLI or re-use an existing one from the cache and it to the path.
+inputs:
+  codeql-cli-version:
+    description: |
+      The version of the CodeQL CLI to be downloaded.
+
+runs:
+  using: composite
+  steps:
+    - name: Cache CodeQL
+      id: cache-codeql
+      uses: actions/cache@v4
+      with:
+        # A list of files, directories, and wildcard patterns to cache and restore
+        path: ${{github.workspace}}/codeql_home
+        # An explicit key for restoring and saving the cache
+        key: codeql-home-${{ inputs.codeql-cli-version }}
+  
+    - name: Install CodeQL
+      if: steps.cache-codeql.outputs.cache-hit != 'true'
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+        CODEQL_HOME: ${{ github.workspace }}/codeql_home
+        CODEQL_CLI_VERSION: ${{ inputs.codeql-cli-version }}
+      run: |
+        mkdir -p $CODEQL_HOME
+        echo "Change directory to $CODEQL_HOME"
+        pushd $CODEQL_HOME
+
+        echo "Downloading CodeQL CLI v${CODEQL_CLI_VERSION}."
+        gh release download "v${CODEQL_CLI_VERSION}" --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip
+
+        echo "Unzipping CodeQL CLI."
+        unzip -q codeql-linux64.zip
+
+        popd
+        echo "Done."
+
+    - name: Add CodeQL to the PATH
+      shell: bash
+      env:
+        CODEQL_HOME: ${{ github.workspace }}/codeql_home
+      run: |
+        echo "Adding CodeQL CLI to the PATH."
+        echo "$CODEQL_HOME/codeql" >> $GITHUB_PATH

.github/workflows/ci.yml

@@ -5,6 +5,9 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+env:
+  CODEQL_CLI_VERSION: 2.19.3
+
 jobs:
   compile-and-test:
     runs-on: ubuntu-latest
@@ -24,23 +27,21 @@ jobs:
           filters: |
             src:
               - '${{ matrix.language }}/**'
+              - '.github/**'
 
-      - name: Initialize CodeQL
+      - name: Setup CodeQL
         if: steps.changes.outputs.src == 'true'
-        run: |
-          VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
-                       | sort \
-                       | tail -n 1 \
-                       | tr -d '\n')"
-          echo "$VERSION/x64/codeql" >> $GITHUB_PATH
-        
+        uses: ./.github/actions/install-codeql
+        with:
+          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
+
       - name: Install Packs
         if: steps.changes.outputs.src == 'true'
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          CODEQL_CLI_VERSION: ${{ env.CODEQL_CLI_VERSION }}
         run: |
-          gh repo clone github/codeql # to make stubs available for tests
-          codeql pack download "codeql/${{ matrix.language }}-queries"
+          gh repo clone github/codeql -- -b codeql-cli-${CODEQL_CLI_VERSION} # to make stubs available for tests
           codeql pack install "${{ matrix.language }}/lib"
           codeql pack install "${{ matrix.language }}/src"
           codeql pack install "${{ matrix.language }}/test"
@@ -171,14 +172,11 @@ jobs:
             src:
               - '${{ matrix.language }}/ext/**'
 
-      - name: Initialize CodeQL
+      - name: Setup CodeQL
         if: steps.changes.outputs.src == 'true'
-        run: |
-          VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
-                       | sort \
-                       | tail -n 1 \
-                       | tr -d '\n')"
-          echo "$VERSION/x64/codeql" >> $GITHUB_PATH
+        uses: ./.github/actions/install-codeql
+        with:
+          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Install Packs
         if: steps.changes.outputs.src == 'true'
@@ -209,14 +207,11 @@ jobs:
             src:
               - '${{ matrix.language }}/ext-library-sources/**'
 
-      - name: Initialize CodeQL
+      - name: Setup CodeQL
         if: steps.changes.outputs.src == 'true'
-        run: |
-          VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
-                       | sort \
-                       | tail -n 1 \
-                       | tr -d '\n')"
-          echo "$VERSION/x64/codeql" >> $GITHUB_PATH
+        uses: ./.github/actions/install-codeql
+        with:
+          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Install CodeQL
         if: steps.changes.outputs.src == 'true'
@@ -240,14 +235,11 @@ jobs:
             src:
               - 'configs/**'
       
-      - name: Initialize CodeQL
+      - name: Setup CodeQL
         if: steps.changes.outputs.src == 'true'
-        run: |
-          VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
-                       | sort \
-                       | tail -n 1 \
-                       | tr -d '\n')"
-          echo "$VERSION/x64/codeql" >> $GITHUB_PATH
+        uses: ./.github/actions/install-codeql
+        with:
+          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: "Check Configurations"
         if: steps.changes.outputs.src == 'true'

CONTRIBUTING.md

@@ -0,0 +1,71 @@
+# Contributing to CodeQL Community Packs
+
+We welcome contributions to our CodeQL Community Packs libraries and queries. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
+
+There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries) on [codeql.github.com](https://codeql.github.com).
+
+## Change notes
+
+Any nontrivial user-visible change to a query pack or library pack should have a change note. For details on how to add a change note for your change, see [this guide](docs/change-notes.md).
+
+## Submitting a new query
+
+If you have an idea for a query that you would like to share with other CodeQL users, please open a pull request to add it to this repository. New queries start out in a `<language>/ql/src/` directory, to which they can be merged when they meet the following requirements.
+
+1. **Directory structure**
+
+    There are eight language-specific query directories in this repository:
+
+      * C/C++: `cpp/ql/src`
+      * C#: `csharp/ql/src`
+      * Go: `go/ql/src`
+      * Java/Kotlin: `java/ql/src`
+      * JavaScript: `javascript/ql/src`
+      * Python: `python/ql/src`
+      * Ruby: `ruby/ql/src`
+      * Swift: `swift/ql/src`
+
+    Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
+
+2. **Query metadata**
+
+    - The query `@id` must conform to all the requirements in the [guide on query metadata](docs/query-metadata-style-guide.md#query-id-id). In particular, it must not clash with any other queries in the repository, and it must start with the appropriate language-specific prefix.
+    - The query must have a `@name` and `@description` to explain its purpose.
+    - The query must have a `@kind` and `@problem.severity` as required by CodeQL tools.
+
+    For details, see the [guide on query metadata](docs/query-metadata-style-guide.md).
+
+    Make sure the `select` statement is compatible with the query `@kind`. See [About CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/#select-clause) on codeql.github.com.
+
+3. **Formatting**
+
+    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://docs.github.com/en/code-security/codeql-for-vs-code/).
+
+    If you prefer, you can either:
+    1. install the [pre-commit framework](https://pre-commit.com/) and install the configured hooks on this repo via `pre-commit install`, or
+    2. use this [pre-commit hook](misc/scripts/pre-commit) that automatically checks whether your files are correctly formatted.
+
+    See the [pre-commit hook installation guide](docs/pre-commit-hook-setup.md) for instructions on the two approaches.
+
+4. **Compilation**
+
+    - Compilation of the query and any associated libraries and tests must be resilient to future development of the [supported](docs/supported-queries.md) libraries. This means that the functionality cannot use internal libraries, cannot depend on the output of `getAQlClass`, and cannot make use of regexp matching on `toString`.
+    - The query and any associated libraries and tests must not cause any compiler warnings to be emitted (such as use of deprecated functionality or missing `override` annotations).
+
+5. **Results**
+
+    - The query must have at least one true positive result on some revision of a real project.
+
+6. **Query help files and unit tests**
+
+	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries. For more information about contributing query help files and unit tests, see [Supported CodeQL queries and libraries](docs/supported-queries.md).
+
+Queries and libraries may not be actively maintained as the supported libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
+
+After the query is merged, we welcome pull requests to improve it.
+
+## Using your personal data
+
+If you contribute to this project, we will record your name and email address (as provided by you with your contributions) as part of the code repositories, which are public. We might also use this information to contact you in relation to your contributions, as well as in the normal course of software development. We also store records of CLA agreements signed in the past, but no longer require contributors to sign a CLA. Under GDPR legislation, we do this on the basis of our legitimate interest in creating the CodeQL product.
+
+Please do get in touch ([email protected]) if you have any questions about this or our data protection policies.

cpp/lib/codeql-pack.lock.yml

@@ -2,13 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 0.9.2
+    version: 2.1.0
   codeql/dataflow:
-    version: 0.0.3
+    version: 1.1.5
+  codeql/mad:
+    version: 1.0.11
+  codeql/rangeanalysis:
+    version: 1.0.11
   codeql/ssa:
-    version: 0.1.4
+    version: 1.0.11
   codeql/tutorial:
-    version: 0.1.4
+    version: 1.0.11
+  codeql/typeflow:
+    version: 1.0.11
+  codeql/typetracking:
+    version: 1.0.11
   codeql/util:
-    version: 0.1.4
+    version: 1.0.11
+  codeql/xml:
+    version: 1.0.11
 compiled: false

cpp/src/codeql-pack.lock.yml

@@ -2,17 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 0.9.2
+    version: 2.1.0
   codeql/cpp-queries:
-    version: 0.7.4
+    version: 1.2.6
   codeql/dataflow:
-    version: 0.0.3
+    version: 1.1.5
+  codeql/mad:
+    version: 1.0.11
+  codeql/rangeanalysis:
+    version: 1.0.11
   codeql/ssa:
-    version: 0.1.4
+    version: 1.0.11
   codeql/suite-helpers:
-    version: 0.6.4
+    version: 1.0.11
   codeql/tutorial:
-    version: 0.1.4
+    version: 1.0.11
+  codeql/typeflow:
+    version: 1.0.11
+  codeql/typetracking:
+    version: 1.0.11
   codeql/util:
-    version: 0.1.4
+    version: 1.0.11
+  codeql/xml:
+    version: 1.0.11
 compiled: false

cpp/test/codeql-pack.lock.yml

@@ -2,17 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 0.9.2
+    version: 2.1.0
   codeql/cpp-queries:
-    version: 0.7.4
+    version: 1.2.6
   codeql/dataflow:
-    version: 0.0.3
+    version: 1.1.5
+  codeql/mad:
+    version: 1.0.11
+  codeql/rangeanalysis:
+    version: 1.0.11
   codeql/ssa:
-    version: 0.1.4
+    version: 1.0.11
   codeql/suite-helpers:
-    version: 0.6.4
+    version: 1.0.11
   codeql/tutorial:
-    version: 0.1.4
+    version: 1.0.11
+  codeql/typeflow:
+    version: 1.0.11
+  codeql/typetracking:
+    version: 1.0.11
   codeql/util:
-    version: 0.1.4
+    version: 1.0.11
+  codeql/xml:
+    version: 1.0.11
 compiled: false

csharp/lib/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 1.0.10
+    version: 1.0.11
   codeql/csharp-all:
-    version: 3.0.1
+    version: 3.1.0
   codeql/dataflow:
-    version: 1.1.4
+    version: 1.1.5
   codeql/mad:
-    version: 1.0.10
+    version: 1.0.11
   codeql/ssa:
-    version: 1.0.10
+    version: 1.0.11
   codeql/threat-models:
-    version: 1.0.10
+    version: 1.0.11
   codeql/tutorial:
-    version: 1.0.10
+    version: 1.0.11
   codeql/typetracking:
-    version: 1.0.10
+    version: 1.0.11
   codeql/util:
-    version: 1.0.10
+    version: 1.0.11
   codeql/xml:
-    version: 1.0.10
+    version: 1.0.11
 compiled: false

csharp/src/codeql-pack.lock.yml

@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 1.0.10
+    version: 1.0.11
   codeql/csharp-all:
-    version: 3.0.1
+    version: 3.1.0
   codeql/csharp-queries:
-    version: 1.0.10
+    version: 1.0.11
   codeql/dataflow:
-    version: 1.1.4
+    version: 1.1.5
   codeql/mad:
-    version: 1.0.10
+    version: 1.0.11
   codeql/ssa:
-    version: 1.0.10
+    version: 1.0.11
   codeql/suite-helpers:
-    version: 1.0.10
+    version: 1.0.11
   codeql/threat-models:
-    version: 1.0.10
+    version: 1.0.11
   codeql/tutorial:
-    version: 1.0.10
+    version: 1.0.11
   codeql/typetracking:
-    version: 1.0.10
+    version: 1.0.11
   codeql/util:
-    version: 1.0.10
+    version: 1.0.11
   codeql/xml:
-    version: 1.0.10
+    version: 1.0.11
 compiled: false