Merge branch 'main' into post-release-prep/codeql-cli-2.10.1

Author: asgerf

.github/workflows/ql-for-ql-build.yml

@@ -10,9 +10,10 @@ env:
   CARGO_TERM_COLOR: always
 
 jobs:
-  queries:
-    runs-on: ubuntu-latest
+  analyze:
+    runs-on: ubuntu-latest-xl
     steps:
+      ### Build the queries ###
       - uses: actions/checkout@v3
       - name: Find codeql
         id: find-codeql
@@ -48,11 +49,7 @@ jobs:
           name: query-pack-zip
           path: ${{ runner.temp }}/query-pack.zip
 
-  extractors:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
+      ### Build the extractor ###
       - name: Cache entire extractor
         id: cache-extractor
         uses: actions/cache@v3
@@ -96,15 +93,8 @@ jobs:
             ql/target/release/ql-extractor
             ql/target/release/ql-extractor.exe
           retention-days: 1
-  package:
-    runs-on: ubuntu-latest
-
-    needs:
-      - extractors
-      - queries
 
-    steps:
-      - uses: actions/checkout@v3
+      ### Package the queries and extractor ###
       - uses: actions/download-artifact@v3
         with:
           name: query-pack-zip
@@ -132,16 +122,8 @@ jobs:
           name: codeql-ql-pack
           path: codeql-ql.zip
           retention-days: 1
-  analyze:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        folder: [cpp, csharp, java, javascript, python, ql, ruby, swift, go]
-
-    needs:
-      - package
 
-    steps:
+      ### Run the analysis ###
       - name: Download pack
         uses: actions/download-artifact@v3
         with:
@@ -161,22 +143,18 @@ jobs:
         env:
           PACK: ${{ runner.temp }}/pack
 
-      - name: Checkout repository
-        uses: actions/checkout@v3
       - name: Create CodeQL config file
         run: |
-          echo "paths:" > ${CONF}
-          echo "  - ${FOLDER}" >> ${CONF}
           echo "paths-ignore:" >> ${CONF}
           echo "  - ql/ql/test" >> ${CONF} 
+          echo "  - \"*/ql/lib/upgrades/\"" >> ${CONF} 
           echo "disable-default-queries: true" >> ${CONF}
           echo "packs:" >> ${CONF}
           echo "  - codeql/ql" >> ${CONF}
           echo "Config file: "
           cat ${CONF}
         env: 
           CONF: ./ql-for-ql-config.yml
-          FOLDER: ${{ matrix.folder }}
       - name: Initialize CodeQL
         uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with:
@@ -187,39 +165,24 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with: 
-          category: "ql-for-ql-${{ matrix.folder }}"
+          category: "ql-for-ql"
       - name: Copy sarif file to CWD
-        run: cp ../results/ql.sarif ./${{ matrix.folder }}.sarif
+        run: cp ../results/ql.sarif ./ql-for-ql.sarif
       - name: Fixup the $scema in sarif  # Until https://github.com/microsoft/sarif-vscode-extension/pull/436/ is part in a stable release
         run: |
-          sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ${{ matrix.folder }}.sarif 
+          sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ql-for-ql.sarif 
       - name: Sarif as artifact
         uses: actions/upload-artifact@v3
         with:
-          name: ${{ matrix.folder }}.sarif
-          path: ${{ matrix.folder }}.sarif
-
-  combine:
-    runs-on: ubuntu-latest
-    needs:
-      - analyze
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Make a folder for artifacts. 
-        run: mkdir -p results
-      - name: Download all sarif files
-        uses: actions/download-artifact@v3
-        with: 
-            path: results
-      - uses: actions/setup-node@v3
-        with:
-            node-version: 16
-      - name: Combine all sarif files
-        run: | 
-          node ./ql/scripts/merge-sarif.js results/**/*.sarif combined.sarif
-      - name: Upload combined sarif file
+          name: ql-for-ql.sarif
+          path: ql-for-ql.sarif
+      - name: Split out the sarif file into langs
+        run: |
+          mkdir split-sarif
+          node ./ql/scripts/split-sarif.js ql-for-ql.sarif split-sarif
+      - name: Upload langs as artifacts
         uses: actions/upload-artifact@v3
         with:
-            name: combined.sarif
-            path: combined.sarif
+          name: ql-for-ql-langs
+          path: split-sarif
+          retention-days: 1

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.cs

@@ -0,0 +1,44 @@
+
+{
+    SymmetricKey aesKey = new SymmetricKey(kid: "symencryptionkey");
+
+    // BAD: Using the outdated client side encryption version V1_0
+    BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(key: aesKey, keyResolver: null);
+    BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };
+
+    MemoryStream stream = new MemoryStream(buffer);
+    blob.UploadFromStream(stream, length: size, accessCondition: null, options: uploadOptions);
+}
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // BAD: Using an outdated SDK that does not support client side encryption version V2_0
+    ClientSideEncryption = new ClientSideEncryptionOptions() 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // BAD: Using the outdated client side encryption version V1_0
+    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0) 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // GOOD: Using client side encryption version V2_0
+    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V2_0) 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>v2</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.cs" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+    <li>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30187">CVE-2022-30187</a>
+    </li>
+
+  </references>
+</qhelp>

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -0,0 +1,81 @@
+/**
+ * @name Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
+ * @description Unsafe usage of v1 version of Azure Storage client-side encryption, please refer to http://aka.ms/azstorageclientencryptionblog
+ * @kind problem
+ * @tags security
+ *       cryptography
+ *       external/cwe/cwe-327
+ * @id cs/azure-storage/unsafe-usage-of-client-side-encryption-version
+ * @problem.severity error
+ * @precision high
+ */
+
+import csharp
+
+/**
+ * Holds if `oc` is creating an object of type `c` = `Azure.Storage.ClientSideEncryptionOptions`
+ * and `e` is the `version` argument to the constructor
+ */
+predicate isCreatingAzureClientSideEncryptionObject(ObjectCreation oc, Class c, Expr e) {
+  exists(Parameter p | p.hasName("version") |
+    c.hasQualifiedName("Azure.Storage.ClientSideEncryptionOptions") and
+    oc.getTarget() = c.getAConstructor() and
+    e = oc.getArgumentForParameter(p)
+  )
+}
+
+/**
+ * Holds if `oc` is an object creation of the outdated type `c` = `Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy`
+ */
+predicate isCreatingOutdatedAzureClientSideEncryptionObject(ObjectCreation oc, Class c) {
+  c.hasQualifiedName("Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy") and
+  oc.getTarget() = c.getAConstructor()
+}
+
+/**
+ * Holds if the Azure.Storage assembly for `c` is a version known to support
+ * version 2+ for client-side encryption
+ */
+predicate doesAzureStorageAssemblySupportSafeClientSideEncryption(Assembly asm) {
+  exists(int versionCompare |
+    versionCompare = asm.getVersion().compareTo("12.12.0.0") and
+    versionCompare >= 0
+  ) and
+  asm.getName() = "Azure.Storage.Common"
+}
+
+/**
+ * Holds if the Azure.Storage assembly for `c` is a version known to support
+ * version 2+ for client-side encryption and if the argument for the constructor `version`
+ * is set to a secure value.
+ */
+predicate isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(Expr versionExpr, Assembly asm) {
+  // Check if the Azure.Storage assembly version has the fix
+  doesAzureStorageAssemblySupportSafeClientSideEncryption(asm) and
+  // and that the version argument for the constructor is guaranteed to be Version2
+  isExprAnAccessToSafeClientSideEncryptionVersionValue(versionExpr)
+}
+
+/**
+ * Holds if the expression `e` is an access to a safe version of the enum `ClientSideEncryptionVersion`
+ * or an equivalent numeric value
+ */
+predicate isExprAnAccessToSafeClientSideEncryptionVersionValue(Expr e) {
+  exists(EnumConstant ec |
+    ec.hasQualifiedName("Azure.Storage.ClientSideEncryptionVersion.V2_0") and
+    ec.getAnAccess() = e
+  )
+}
+
+from Expr e, Class c, Assembly asm
+where
+  asm = c.getLocation() and
+  (
+    exists(Expr e2 |
+      isCreatingAzureClientSideEncryptionObject(e, c, e2) and
+      not isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(e2, asm)
+    )
+    or
+    isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
+  )
+select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."

docs/codeql/query-help/cpp.rst

@@ -3,7 +3,9 @@ CodeQL query help for C and C++
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/cpp/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/cpp-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/examples>`__.
 
 .. include:: toc-cpp.rst
 

docs/codeql/query-help/csharp.rst

@@ -3,6 +3,8 @@ CodeQL query help for C#
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/csharp/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/csharp-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/csharp/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/csharp/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/csharp/ql/examples>`__.
 
 .. include:: toc-csharp.rst

docs/codeql/query-help/go.rst

@@ -3,6 +3,8 @@ CodeQL query help for Go
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/go/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/go-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/go/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/go/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/go/ql/examples>`__.
 
 .. include:: toc-go.rst

docs/codeql/query-help/java.rst

@@ -3,6 +3,8 @@ CodeQL query help for Java
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/java/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/java-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/java/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/java/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/java/ql/examples>`__.
 
 .. include:: toc-java.rst

docs/codeql/query-help/javascript.rst

@@ -3,6 +3,8 @@ CodeQL query help for JavaScript
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/javascript/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/javascript-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/javascript/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/javascript/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/javascript/ql/examples>`__.
 
 .. include:: toc-javascript.rst

docs/codeql/query-help/python.rst

@@ -3,6 +3,8 @@ CodeQL query help for Python
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/python/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/python-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/examples>`__.
 
 .. include:: toc-python.rst