Merge branch 'main' into child-stmt

Author: jketema

cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql

@@ -24,7 +24,7 @@ predicate exprMayBeString(Expr exp) {
         fctmp.getAnArgument().(VariableAccess).getTarget() = exp.(VariableAccess).getTarget() or
         globalValueNumber(fctmp.getAnArgument()) = globalValueNumber(exp)
       ) and
-      fctmp.getTarget().hasName(["strlen", "strcat", "strncat", "strcpy", "sptintf", "printf"])
+      fctmp.getTarget().hasName(["strlen", "strcat", "strncat", "strcpy", "sprintf", "printf"])
     )
     or
     exists(AssignExpr astmp |

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs

@@ -191,6 +191,7 @@ void exitCallback(int ret, string msg, bool silent)
 
         private HashSet<string> AddFrameworkDlls(HashSet<AssemblyLookupLocation> dllLocations)
         {
+            logger.LogInfo("Adding .NET Framework DLLs");
             var frameworkLocations = new HashSet<string>();
 
             var frameworkReferences = Environment.GetEnvironmentVariable(EnvironmentVariableNames.DotnetFrameworkReferences);

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs

@@ -91,9 +91,9 @@ public bool AddPackage(string folder, string package)
             return dotnetCliInvoker.RunCommand(args);
         }
 
-        public IList<string> GetListedRuntimes() => GetResultList("--list-runtimes", null, false);
+        public IList<string> GetListedRuntimes() => GetResultList("--list-runtimes");
 
-        public IList<string> GetListedSdks() => GetResultList("--list-sdks", null, false);
+        public IList<string> GetListedSdks() => GetResultList("--list-sdks");
 
         private IList<string> GetResultList(string args, string? workingDirectory = null, bool silent = true)
         {

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs

@@ -19,6 +19,7 @@ public DotNetCliInvoker(ILogger logger, string exec)
         {
             this.logger = logger;
             this.Exec = exec;
+            logger.LogInfo($"Using .NET CLI executable: '{Exec}'");
         }
 
         private ProcessStartInfo MakeDotnetStartInfo(string args, string? workingDirectory)
@@ -43,15 +44,15 @@ private ProcessStartInfo MakeDotnetStartInfo(string args, string? workingDirecto
         private bool RunCommandAux(string args, string? workingDirectory, out IList<string> output, bool silent)
         {
             var dirLog = string.IsNullOrWhiteSpace(workingDirectory) ? "" : $" in {workingDirectory}";
-            logger.LogInfo($"Running {Exec} {args}{dirLog}");
+            logger.LogInfo($"Running '{Exec} {args}'{dirLog}");
             var pi = MakeDotnetStartInfo(args, workingDirectory);
             var threadId = Environment.CurrentManagedThreadId;
             void onOut(string s) => logger.Log(silent ? Severity.Debug : Severity.Info, s, threadId);
             void onError(string s) => logger.LogError(s, threadId);
             var exitCode = pi.ReadOutput(out output, onOut, onError);
             if (exitCode != 0)
             {
-                logger.LogError($"Command {Exec} {args}{dirLog} failed with exit code {exitCode}");
+                logger.LogError($"Command '{Exec} {args}'{dirLog} failed with exit code {exitCode}");
                 return false;
             }
             return true;

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/FileProvider.cs

@@ -21,6 +21,7 @@ public class FileProvider
         private readonly Lazy<string[]> dlls;
         private readonly Lazy<string[]> nugetConfigs;
         private readonly Lazy<string[]> globalJsons;
+        private readonly Lazy<string[]> packagesConfigs;
         private readonly Lazy<string[]> razorViews;
         private readonly Lazy<string[]> resources;
         private readonly Lazy<string?> rootNugetConfig;
@@ -32,31 +33,38 @@ public FileProvider(DirectoryInfo sourceDir, ILogger logger)
 
             all = GetAllFiles();
             allNonBinary = new Lazy<FileInfo[]>(() => all.Where(f => !binaryFileExtensions.Contains(f.Extension.ToLowerInvariant())).ToArray());
-            smallNonBinary = new Lazy<string[]>(() =>
-            {
-                var ret = SelectSmallFiles(allNonBinary.Value).SelectFileNames().ToArray();
-                logger.LogInfo($"Found {ret.Length} small non-binary files in {SourceDir}.");
-                return ret;
-            });
+            smallNonBinary = new Lazy<string[]>(() => ReturnAndLogFiles("small non-binary", SelectSmallFiles(allNonBinary.Value).SelectFileNames().ToArray()));
             sources = new Lazy<string[]>(() => SelectTextFileNamesByExtension("source", ".cs"));
             projects = new Lazy<string[]>(() => SelectTextFileNamesByExtension("project", ".csproj"));
             solutions = new Lazy<string[]>(() => SelectTextFileNamesByExtension("solution", ".sln"));
             dlls = new Lazy<string[]>(() => SelectBinaryFileNamesByExtension("DLL", ".dll"));
-            nugetConfigs = new Lazy<string[]>(() => allNonBinary.Value.SelectFileNamesByName("nuget.config").ToArray());
-            globalJsons = new Lazy<string[]>(() => allNonBinary.Value.SelectFileNamesByName("global.json").ToArray());
+            nugetConfigs = new Lazy<string[]>(() => SelectTextFileNamesByName("nuget.config"));
+            globalJsons = new Lazy<string[]>(() => SelectTextFileNamesByName("global.json"));
+            packagesConfigs = new Lazy<string[]>(() => SelectTextFileNamesByName("packages.config"));
             razorViews = new Lazy<string[]>(() => SelectTextFileNamesByExtension("razor view", ".cshtml", ".razor"));
             resources = new Lazy<string[]>(() => SelectTextFileNamesByExtension("resource", ".resx"));
 
             rootNugetConfig = new Lazy<string?>(() => all.SelectRootFiles(SourceDir).SelectFileNamesByName("nuget.config").FirstOrDefault());
         }
 
-        private string[] SelectTextFileNamesByExtension(string filetype, params string[] extensions)
+        private string[] ReturnAndLogFiles(string filetype, IEnumerable<string> files)
         {
-            var ret = allNonBinary.Value.SelectFileNamesByExtension(extensions).ToArray();
+            var ret = files.ToArray();
             logger.LogInfo($"Found {ret.Length} {filetype} files in {SourceDir}.");
             return ret;
         }
 
+        private string[] SelectTextFileNamesByExtension(string filetype, params string[] extensions)
+            => ReturnAndLogFiles(filetype, allNonBinary.Value.SelectFileNamesByExtension(extensions));
+
+        private string[] SelectTextFileNamesByName(string name)
+        {
+            var ret = allNonBinary.Value.SelectFileNamesByName(name).ToArray();
+            var ending = ret.Length == 0 ? "." : $": {string.Join(", ", ret.OrderBy(s => s))}.";
+            logger.LogInfo($"Found {ret.Length} {name} files in {SourceDir}{ending}");
+            return ret;
+        }
+
         private string[] SelectBinaryFileNamesByExtension(string filetype, params string[] extensions)
         {
             var ret = all.SelectFileNamesByExtension(extensions).ToArray();
@@ -117,6 +125,7 @@ private FileInfo[] GetAllFiles()
         public ICollection<string> NugetConfigs => nugetConfigs.Value;
         public string? RootNugetConfig => rootNugetConfig.Value;
         public IEnumerable<string> GlobalJsons => globalJsons.Value;
+        public ICollection<string> PackagesConfigs => packagesConfigs.Value;
         public ICollection<string> RazorViews => razorViews.Value;
         public ICollection<string> Resources => resources.Value;
     }

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs

@@ -20,9 +20,9 @@ internal class NugetExeWrapper : IDisposable
         /// <summary>
         /// The list of package files.
         /// </summary>
-        private readonly FileInfo[] packageFiles;
+        private readonly ICollection<string> packageFiles;
 
-        public int PackageCount => packageFiles.Length;
+        public int PackageCount => packageFiles.Count;
 
         private readonly string? backupNugetConfig;
         private readonly string? nugetConfigPath;
@@ -37,23 +37,21 @@ internal class NugetExeWrapper : IDisposable
         /// <summary>
         /// Create the package manager for a specified source tree.
         /// </summary>
-        public NugetExeWrapper(string sourceDir, TemporaryDirectory packageDirectory, Util.Logging.ILogger logger)
+        public NugetExeWrapper(FileProvider fileProvider, TemporaryDirectory packageDirectory, Util.Logging.ILogger logger)
         {
             this.packageDirectory = packageDirectory;
             this.logger = logger;
 
-            packageFiles = new DirectoryInfo(sourceDir)
-                .EnumerateFiles("packages.config", SearchOption.AllDirectories)
-                .ToArray();
+            packageFiles = fileProvider.PackagesConfigs;
 
-            if (packageFiles.Length > 0)
+            if (packageFiles.Count > 0)
             {
-                logger.LogInfo($"Found {packageFiles.Length} packages.config files, trying to use nuget.exe for package restore");
-                nugetExe = ResolveNugetExe(sourceDir);
+                logger.LogInfo($"Found packages.config files, trying to use nuget.exe for package restore");
+                nugetExe = ResolveNugetExe(fileProvider.SourceDir.FullName);
                 if (HasNoPackageSource())
                 {
                     // We only modify or add a top level nuget.config file
-                    nugetConfigPath = Path.Combine(sourceDir, "nuget.config");
+                    nugetConfigPath = Path.Combine(fileProvider.SourceDir.FullName, "nuget.config");
                     try
                     {
                         if (File.Exists(nugetConfigPath))
@@ -86,10 +84,6 @@ public NugetExeWrapper(string sourceDir, TemporaryDirectory packageDirectory, Ut
                     }
                 }
             }
-            else
-            {
-                logger.LogInfo("Found no packages.config file");
-            }
         }
 
         /// <summary>
@@ -195,7 +189,7 @@ private bool TryRestoreNugetPackage(string package)
         /// </summary>
         public int InstallPackages()
         {
-            return packageFiles.Count(package => TryRestoreNugetPackage(package.FullName));
+            return packageFiles.Count(package => TryRestoreNugetPackage(package));
         }
 
         private bool HasNoPackageSource()

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs

@@ -105,7 +105,7 @@ public HashSet<AssemblyLookupLocation> Restore()
                         : [unresponsiveMissingPackageLocation];
                 }
 
-                using (var nuget = new NugetExeWrapper(fileProvider.SourceDir.FullName, legacyPackageDirectory, logger))
+                using (var nuget = new NugetExeWrapper(fileProvider, legacyPackageDirectory, logger))
                 {
                     var count = nuget.InstallPackages();
 
@@ -178,7 +178,7 @@ private List<string> GetReachableFallbackNugetFeeds()
                 logger.LogInfo($"No fallback Nuget feeds specified. Using default feed: {PublicNugetOrgFeed}");
             }
 
-            logger.LogInfo($"Checking fallback Nuget feed reachability on feeds:  {string.Join(", ", fallbackFeeds.OrderBy(f => f))}");
+            logger.LogInfo($"Checking fallback Nuget feed reachability on feeds: {string.Join(", ", fallbackFeeds.OrderBy(f => f))}");
             var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: true);
             var reachableFallbackFeeds = fallbackFeeds.Where(feed => IsFeedReachable(feed, initialTimeout, tryCount, allowExceptions: false)).ToList();
             if (reachableFallbackFeeds.Count == 0)

csharp/extractor/Semmle.Extraction.CSharp.Standalone/Extractor.cs

@@ -121,17 +121,20 @@ public void Started(int item, int total, string source)
 
             public void MissingType(string type)
             {
-                logger.Log(Severity.Debug, "Missing type {0}", type);
+                logger.LogDebug($"Missing type {type}");
             }
 
             public void MissingNamespace(string @namespace)
             {
-                logger.Log(Severity.Info, "Missing namespace {0}", @namespace);
+                logger.LogInfo($"Missing namespace {@namespace}");
             }
 
             public void MissingSummary(int missingTypes, int missingNamespaces)
             {
-                logger.Log(Severity.Info, "Failed to resolve {0} types in {1} namespaces", missingTypes, missingNamespaces);
+                if (missingTypes > 0 || missingNamespaces > 0)
+                {
+                    logger.LogInfo($"Failed to resolve {missingTypes} types in {missingNamespaces} namespaces");
+                }
             }
         }
 

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.17.1.rst

@@ -0,0 +1,106 @@
+.. _codeql-cli-2.17.1:
+
+==========================
+CodeQL 2.17.1 (2024-04-24)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.17.1 runs a total of 412 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 130 queries (covering 34 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The :code:`--mode` option and :code:`-m` alias to :code:`codeql database create`,
+    :code:`codeql database cleanup`, and :code:`codeql dataset cleanup` has been deprecated. Instead, use the new :code:`--cache-cleanup` option, which has identical behavior.
+
+Improvements
+~~~~~~~~~~~~
+
+*   Improved the diagnostic message produced when no code is processed when creating a database. If a build mode was specified using
+    :code:`--build-mode`, the message is now tailored to your build mode.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The :code:`scc` tool used by the CodeQL CLI to calculate source code baseline information has been updated to version `3.2.0 <https://github.com/boyter/scc/releases/tag/v3.2.0>`__.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The :code:`java/unknown-javadoc-parameter` now accepts :code:`@param` tags that apply to the parameters of a record.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   :code:`API::Node#getInstance()` now includes instances of subclasses, include transitive subclasses.
+    The same changes applies to uses of the :code:`Instance` token in data extensions.
+
+New Queries
+~~~~~~~~~~~
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/insecure-mass-assignment`, for finding instances of mass assignment operations accepting arbitrary parameters from remote user input.
+*   Added a new query, :code:`rb/csrf-protection-not-enabled`, to detect cases where Cross-Site Request Forgery protection is not enabled in Ruby on Rails controllers.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   Extracting suppress nullable warning expressions did not work when applied directly to a method call (like :code:`System.Console.Readline()!`). This has been fixed.
+
+Golang
+""""""
+
+*   Data flow through variables declared in statements of the form :code:`x := y.(type)` at the beginning of type switches has been fixed, which may result in more alerts.
+*   Added strings.ReplaceAll, http.ParseMultipartForm sanitizers and remove path sanitizer.
+
+Java
+""""
+
+*   About 6,700 summary models and 6,800 neutral summary models for the JDK that were generated using data flow have been added. This may lead to new alerts being reported.
+
+Python
+""""""
+
+*   Improved the type-tracking capabilities (and therefore also API graphs) to allow tracking items in tuples and dictionaries.
+
+Shared Libraries
+----------------
+
+New Features
+~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   The :code:`PathGraph` result of a data flow computation has been augmented with model provenance information for each of the flow steps. Any qltests that include the edges relation in their output (for example, :code:`.qlref`\ s that reference path-problem queries) will need to be have their expected output updated accordingly.
+
+Type-flow Analysis
+""""""""""""""""""
+
+*   Initial release. Adds a library to implement type-flow analysis.

docs/codeql/codeql-overview/codeql-changelog/index.rst

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.17.1
    codeql-cli-2.17.0
    codeql-cli-2.16.6
    codeql-cli-2.16.5