Merge branch 'main' into calumgrant/slow-predicates

Author: tausbn

csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs

@@ -77,12 +77,8 @@ private static IEnumerable<SyntaxToken> GetModifiers<T>(this ISymbol symbol, Fun
         /// <summary>
         /// Gets the source-level modifiers belonging to this symbol, if any.
         /// </summary>
-        public static IEnumerable<string> GetSourceLevelModifiers(this ISymbol symbol)
-        {
-            var methodModifiers = symbol.GetModifiers<Microsoft.CodeAnalysis.CSharp.Syntax.BaseMethodDeclarationSyntax>(md => md.Modifiers);
-            var typeModifiers = symbol.GetModifiers<Microsoft.CodeAnalysis.CSharp.Syntax.TypeDeclarationSyntax>(cd => cd.Modifiers);
-            return methodModifiers.Concat(typeModifiers).Select(m => m.Text);
-        }
+        public static IEnumerable<string> GetSourceLevelModifiers(this ISymbol symbol) =>
+            symbol.GetModifiers<Microsoft.CodeAnalysis.CSharp.Syntax.MemberDeclarationSyntax>(md => md.Modifiers).Select(m => m.Text);
 
         /// <summary>
         /// Holds if the ID generated for `dependant` will contain a reference to

csharp/ql/lib/change-notes/2023-02-22-modifierextraction.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The extraction of member modifiers has been generalised, which could lead to the extraction of more modifiers.

csharp/ql/src/Telemetry/ExternalApi.qll

@@ -8,6 +8,7 @@ private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch as DataFlowDispatch
+private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
 
@@ -104,8 +105,17 @@ class ExternalApi extends DotNet::Callable {
   pragma[nomagic]
   predicate isSink() { sinkNode(this.getAnInput(), _) }
 
-  /** Holds if this API is supported by existing CodeQL libraries, that is, it is either a recognized source or sink or has a flow summary. */
-  predicate isSupported() { this.hasSummary() or this.isSource() or this.isSink() }
+  /** Holds if this API is a known neutral. */
+  pragma[nomagic]
+  predicate isNeutral() { this instanceof FlowSummaryImpl::Public::NeutralCallable }
+
+  /**
+   * Holds if this API is supported by existing CodeQL libraries, that is, it is either a
+   * recognized source, sink or neutral or it has a flow summary.
+   */
+  predicate isSupported() {
+    this.hasSummary() or this.isSource() or this.isSink() or this.isNeutral()
+  }
 }
 
 /**

csharp/ql/src/Telemetry/SupportedExternalApis.ql

@@ -8,13 +8,9 @@
 
 private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
-private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import ExternalApi
 
-private predicate relevant(ExternalApi api) {
-  api.isSupported() or
-  api instanceof FlowSummaryImpl::Public::NeutralCallable
-}
+private predicate relevant(ExternalApi api) { api.isSupported() }
 
 from string info, int usages
 where Results<relevant/1>::restrict(info, usages)

csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql

@@ -7,14 +7,9 @@
  */
 
 private import csharp
-private import semmle.code.csharp.dispatch.Dispatch
-private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import ExternalApi
 
-private predicate relevant(ExternalApi api) {
-  not api.isSupported() and
-  not api instanceof FlowSummaryImpl::Public::NeutralCallable
-}
+private predicate relevant(ExternalApi api) { not api.isSupported() }
 
 from string info, int usages
 where Results<relevant/1>::restrict(info, usages)

csharp/ql/src/meta/frameworks/UnsupportedExternalAPIs.ql

@@ -9,13 +9,10 @@
  */
 
 private import csharp
-private import semmle.code.csharp.dispatch.Dispatch
-private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import Telemetry.ExternalApi
 
 from Call c, ExternalApi api
 where
   c.getTarget().getUnboundDeclaration() = api and
-  not api.isSupported() and
-  not api instanceof FlowSummaryImpl::Public::NeutralCallable
+  not api.isSupported()
 select c, "Call to unsupported external API $@.", api, api.toString()

java/ql/integration-tests/all-platforms/java/diagnostics/android-gradle-incompatibility/.gitattributes

@@ -0,0 +1,6 @@
+#
+# https://help.github.com/articles/dealing-with-line-endings/
+#
+# These are explicitly windows files and should use crlf
+*.bat           text eol=crlf
+

java/ql/integration-tests/all-platforms/java/diagnostics/android-gradle-incompatibility/build.gradle

@@ -0,0 +1,13 @@
+plugins {
+
+    /**
+     * Use `apply false` in the top-level build.gradle file to add a Gradle
+     * plugin as a build dependency but not apply it to the current (root)
+     * project. Don't use `apply false` in sub-projects. For more information,
+     * see Applying external plugins with same version to subprojects.
+     */
+
+    id 'com.android.application' version '7.3.1' apply false
+    id 'com.android.library' version '7.3.1' apply false
+    id 'org.jetbrains.kotlin.android' version '1.7.20' apply false
+}

java/ql/integration-tests/all-platforms/java/diagnostics/android-gradle-incompatibility/diagnostics.expected

@@ -0,0 +1,28 @@
+{
+  "markdownMessage": "An Android build may have failed. Ensure the Code Scanning workflow installs required dependencies, and that the [Gradle and Android SDK versions are compatible](https://developer.android.com/studio/releases/gradle-plugin#updating-gradle). Suspicious output line: `   > Minimum supported Gradle version is 7.4. Current version is 7.3. If using the gradle wrapper, try editing the distributionUrl in <test-root-directory>/gradle/wrapper/gradle-wrapper.properties to gradle-7.4-all.zip`",
+  "severity": "error",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/android-build-failure",
+    "name": "Android build failure"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "An Android build may have failed. Ensure the Code Scanning workflow installs required dependencies, and that the [Gradle and Android SDK versions are compatible](https://developer.android.com/studio/releases/gradle-plugin#updating-gradle). Suspicious output line: `Caused by: java.lang.RuntimeException: Minimum supported Gradle version is 7.4. Current version is 7.3. If using the gradle wrapper, try editing the distributionUrl in <test-root-directory>/gradle/wrapper/gradle-wrapper.properties to gradle-7.4-all.zip`",
+  "severity": "error",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/android-build-failure",
+    "name": "Android build failure"
+  },
+  "visibility": {
+    "cliSummaryTable": false,
+    "statusPage": false,
+    "telemetry": true
+  }
+}

java/ql/integration-tests/all-platforms/java/diagnostics/android-gradle-incompatibility/force_sequential_test_execution

@@ -0,0 +1,4 @@
+# We currently have a bug where gradle tests become flaky when executed in parallel
+# - sometimes, gradle fails to connect to the gradle daemon.
+# Therefore, force this test to run sequentially.
+# Additionally, Android SDK on-demand downloading can fail when multiple tests try to download the same SDK in parallel.