Merge branch 'main' into redsun82/kotlin

Author: redsun82

csharp/.gitignore

@@ -14,5 +14,4 @@ csharp.log
 .vscode/launch.json
 
 extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
-extractor-pack
 paket-files/

csharp/documentation/library-coverage/coverage.csv

@@ -4,41 +4,41 @@ Amazon.Lambda.Core,10,,,,,,,,,,,10,,,,,,,,,,,
 Dapper,55,42,1,,,,,,,,,,55,,42,,,,,,,,1
 ILCompiler,,,81,,,,,,,,,,,,,,,,,,,81,
 ILLink.RoslynAnalyzer,,,63,,,,,,,,,,,,,,,,,,,63,
-ILLink.Shared,,,32,,,,,,,,,,,,,,,,,,,29,3
+ILLink.Shared,,,32,,,,,,,,,,,,,,,,,,,30,2
 ILLink.Tasks,,,3,,,,,,,,,,,,,,,,,,,3,
-Internal.IL,,,69,,,,,,,,,,,,,,,,,,,67,2
+Internal.IL,,,46,,,,,,,,,,,,,,,,,,,44,2
 Internal.Pgo,,,9,,,,,,,,,,,,,,,,,,,8,1
-Internal.TypeSystem,,,367,,,,,,,,,,,,,,,,,,,331,36
+Internal.TypeSystem,,,291,,,,,,,,,,,,,,,,,,,275,16
 JsonToItemsTaskFactory,,,5,,,,,,,,,,,,,,,,,,,5,
 Microsoft.Android.Build,,,14,,,,,,,,,,,,,,,,,,,14,
 Microsoft.Apple.Build,,,5,,,,,,,,,,,,,,,,,,,5,
 Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,,28,,,,,,,,,,
-Microsoft.CSharp,,,24,,,,,,,,,,,,,,,,,,,24,
-Microsoft.Diagnostics.Tools.Pgo,,,13,,,,,,,,,,,,,,,,,,,13,
+Microsoft.CSharp,,,10,,,,,,,,,,,,,,,,,,,10,
+Microsoft.Diagnostics.Tools.Pgo,,,12,,,,,,,,,,,,,,,,,,,12,
 Microsoft.EntityFrameworkCore,6,,12,,,,,,,,,,6,,,,,,,,,,12
 Microsoft.Extensions.Caching.Distributed,,,9,,,,,,,,,,,,,,,,,,,9,
 Microsoft.Extensions.Caching.Memory,,,30,,,,,,,,,,,,,,,,,,,29,1
-Microsoft.Extensions.Configuration,,2,83,,,,,,,,,,,,,2,,,,,,81,2
-Microsoft.Extensions.DependencyInjection,,,120,,,,,,,,,,,,,,,,,,,120,
-Microsoft.Extensions.DependencyModel,,,12,,,,,,,,,,,,,,,,,,,12,
-Microsoft.Extensions.Diagnostics.Metrics,,,13,,,,,,,,,,,,,,,,,,,13,
+Microsoft.Extensions.Configuration,,2,77,,,,,,,,,,,,,2,,,,,,76,1
+Microsoft.Extensions.DependencyInjection,,,96,,,,,,,,,,,,,,,,,,,95,1
+Microsoft.Extensions.DependencyModel,,,9,,,,,,,,,,,,,,,,,,,9,
+Microsoft.Extensions.Diagnostics.Metrics,,,15,,,,,,,,,,,,,,,,,,,15,
 Microsoft.Extensions.FileProviders,,,15,,,,,,,,,,,,,,,,,,,15,
 Microsoft.Extensions.FileSystemGlobbing,,,16,,,,,,,,,,,,,,,,,,,14,2
-Microsoft.Extensions.Hosting,,,23,,,,,,,,,,,,,,,,,,,22,1
+Microsoft.Extensions.Hosting,,,26,,,,,,,,,,,,,,,,,,,25,1
 Microsoft.Extensions.Http,,,8,,,,,,,,,,,,,,,,,,,8,
-Microsoft.Extensions.Logging,,,60,,,,,,,,,,,,,,,,,,,59,1
+Microsoft.Extensions.Logging,,,53,,,,,,,,,,,,,,,,,,,52,1
 Microsoft.Extensions.Options,,,8,,,,,,,,,,,,,,,,,,,8,
 Microsoft.Extensions.Primitives,,,64,,,,,,,,,,,,,,,,,,,64,
-Microsoft.Interop,,,78,,,,,,,,,,,,,,,,,,,78,
+Microsoft.Interop,,,73,,,,,,,,,,,,,,,,,,,73,
 Microsoft.NET.Build.Tasks,,,1,,,,,,,,,,,,,,,,,,,1,
 Microsoft.NET.WebAssembly.Webcil,,,7,,,,,,,,,,,,,,,,,,,7,
-Microsoft.VisualBasic,,,10,,,,,,,,,,,,,,,,,,,5,5
+Microsoft.VisualBasic,,,6,,,,,,,,,,,,,,,,,,,1,5
 Microsoft.WebAssembly.Build.Tasks,,,3,,,,,,,,,,,,,,,,,,,3,
 Microsoft.Win32,,4,4,,,,,,,,,,,,,,,,,,4,4,
-Mono.Linker,,,161,,,,,,,,,,,,,,,,,,,161,
+Mono.Linker,,,158,,,,,,,,,,,,,,,,,,,158,
 MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,4,,,,,,,,,,,,,,,,,,,4,
-System,59,44,10429,,8,8,1,,,4,5,,33,2,,3,15,17,3,4,,8460,1969
+System,49,44,9873,,3,3,1,,,4,5,,33,2,,3,15,17,3,4,,7968,1905
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",44,10429,59,9
-   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",54,1518,148,
-   Totals,,98,11954,401,9
+   System,"``System.*``, ``System``",44,9873,49,9
+   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",54,1357,148,
+   Totals,,98,11237,391,9
 

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs

@@ -97,6 +97,15 @@ private string ResolveNugetExe()
                 return envVarPath;
             }
 
+            try
+            {
+                return DownloadNugetExe(fileProvider.SourceDir.FullName);
+            }
+            catch (Exception exc)
+            {
+                logger.LogInfo($"Download of nuget.exe failed: {exc.Message}");
+            }
+
             var nugetExesInRepo = fileProvider.NugetExes;
             if (nugetExesInRepo.Count > 1)
             {
@@ -119,7 +128,7 @@ private string ResolveNugetExe()
                 return nugetPath;
             }
 
-            return DownloadNugetExe(fileProvider.SourceDir.FullName);
+            throw new Exception("Could not find or download nuget.exe.");
         }
 
         private string DownloadNugetExe(string sourceDir)
@@ -136,28 +145,20 @@ private string DownloadNugetExe(string sourceDir)
 
             Directory.CreateDirectory(directory);
             logger.LogInfo("Attempting to download nuget.exe");
-            try
-            {
-                FileUtils.DownloadFile(FileUtils.NugetExeUrl, nuget);
-                logger.LogInfo($"Downloaded nuget.exe to {nuget}");
-                return nuget;
-            }
-            catch
-            {
-                // Download failed.
-                throw new FileNotFoundException("Download of nuget.exe failed.");
-            }
+            FileUtils.DownloadFile(FileUtils.NugetExeUrl, nuget);
+            logger.LogInfo($"Downloaded nuget.exe to {nuget}");
+            return nuget;
         }
 
         private bool RunWithMono => !Win32.IsWindows() && !string.IsNullOrEmpty(Path.GetExtension(nugetExe));
 
         /// <summary>
-        /// Restore all files in a specified package.
+        /// Restore all packages in the specified packages.config file.
         /// </summary>
-        /// <param name="package">The package file.</param>
-        private bool TryRestoreNugetPackage(string package)
+        /// <param name="packagesConfig">The packages.config file.</param>
+        private bool TryRestoreNugetPackage(string packagesConfig)
         {
-            logger.LogInfo($"Restoring file {package}...");
+            logger.LogInfo($"Restoring file \"{packagesConfig}\"...");
 
             /* Use nuget.exe to install a package.
              * Note that there is a clutch of NuGet assemblies which could be used to
@@ -169,12 +170,12 @@ private bool TryRestoreNugetPackage(string package)
             if (RunWithMono)
             {
                 exe = "mono";
-                args = $"{nugetExe} install -OutputDirectory {packageDirectory} {package}";
+                args = $"\"{nugetExe}\" install -OutputDirectory \"{packageDirectory}\" \"{packagesConfig}\"";
             }
             else
             {
                 exe = nugetExe!;
-                args = $"install -OutputDirectory {packageDirectory} {package}";
+                args = $"install -OutputDirectory \"{packageDirectory}\" \"{packagesConfig}\"";
             }
 
             var pi = new ProcessStartInfo(exe, args)
@@ -195,7 +196,7 @@ private bool TryRestoreNugetPackage(string package)
             }
             else
             {
-                logger.LogInfo($"Restored file {package}");
+                logger.LogInfo($"Restored file \"{packagesConfig}\"");
                 return true;
             }
         }
@@ -205,7 +206,7 @@ private bool TryRestoreNugetPackage(string package)
         /// </summary>
         public int InstallPackages()
         {
-            return fileProvider.PackagesConfigs.Count(package => TryRestoreNugetPackage(package));
+            return fileProvider.PackagesConfigs.Count(TryRestoreNugetPackage);
         }
 
         private bool HasNoPackageSource()
@@ -239,7 +240,7 @@ private void RunMonoNugetCommand(string command, out IList<string> stdout)
             if (RunWithMono)
             {
                 exe = "mono";
-                args = $"{nugetExe} {command}";
+                args = $"\"{nugetExe}\" {command}";
             }
             else
             {

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget with_space/Assemblies.expected

@@ -0,0 +1 @@
+| [...]/Newtonsoft.Json.6.0.4/lib/portable-net45+wp80+win8+wpa81/Newtonsoft.Json.dll |

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget with_space/Assemblies.ql

@@ -0,0 +1,15 @@
+import csharp
+
+private string getPath(Assembly a) {
+  not a.getCompilation().getOutputAssembly() = a and
+  exists(string s | s = a.getFile().getAbsolutePath() |
+    result =
+      "[...]" +
+        s.substring(s.indexOf("test-db/working/") + "test-db/working/".length() + 16 +
+            "/legacypackages".length(), s.length())
+    // TODO: include all other assemblies from the test results. Initially disable because mono installations were problematic on ARM runners.
+  )
+}
+
+from Assembly a
+select getPath(a)

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget with_space/Program.cs

@@ -0,0 +1,6 @@
+class Program
+{
+    static void Main(string[] args)
+    {
+    }
+}

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget with_space/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "8.0.101"
+    }
+}

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget with_space/packages.config

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Newtonsoft.Json" version="6.0.4" targetFramework="net461" />
+  <package id="NUnit.ConsoleRunner" version="3.12.0" />
+</packages>

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget with_space/skip-on-platform-osx-arm

@@ -0,0 +1 @@
+Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.