Merge branch 'main' into rust-cleartext-transmission

Author: paldepind

Cargo.lock

@@ -73,6 +73,7 @@ use_repo(
     tree_sitter_extractors_deps,
     "vendor_ts__anyhow-1.0.96",
     "vendor_ts__argfile-0.2.1",
+    "vendor_ts__chalk-ir-0.99.0",
     "vendor_ts__chrono-0.4.39",
     "vendor_ts__clap-4.5.31",
     "vendor_ts__dunce-1.0.5",
@@ -94,6 +95,7 @@ use_repo(
     "vendor_ts__ra_ap_hir-0.0.266",
     "vendor_ts__ra_ap_hir_def-0.0.266",
     "vendor_ts__ra_ap_hir_expand-0.0.266",
+    "vendor_ts__ra_ap_hir_ty-0.0.266",
     "vendor_ts__ra_ap_ide_db-0.0.266",
     "vendor_ts__ra_ap_intern-0.0.266",
     "vendor_ts__ra_ap_load-cargo-0.0.266",

MODULE.bazel

@@ -1,2 +1,4 @@
 - description: Security-and-quality queries for GitHub Actions
-- import: codeql-suites/actions-security-extended.qls
+- queries: .
+- apply: security-and-quality-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/codeql-suites/actions-security-and-quality.qls

@@ -1,2 +1,4 @@
 - description: Extended and experimental security queries for GitHub Actions
-- import: codeql-suites/actions-code-scanning.qls
+- queries: .
+- apply: security-experimental-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/codeql-suites/actions-security-experimental.qls

@@ -119,9 +119,14 @@ class ConstantMatchingCondition extends ConstantCondition {
   }
 
   override predicate isWhiteListed() {
-    exists(SwitchExpr se, int i |
-      se.getCase(i).getPattern() = this.(DiscardExpr) and
+    exists(Switch se, Case c, int i |
+      c = se.getCase(i) and
+      c.getPattern() = this.(DiscardExpr)
+    |
       i > 0
+      or
+      i = 0 and
+      exists(Expr cond | c.getCondition() = cond and not isConstantCondition(cond, true))
     )
     or
     this = any(PositionalPatternExpr ppe).getPattern(_)

csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Increase query precision for `cs/constant-condition` and allow the use of discards in switch/case statements and also take the condition (if any) into account.

csharp/ql/src/change-notes/2025-03-11-constant-condition.md

@@ -9,3 +9,4 @@
       - cs/inefficient-containskey
       - cs/call-to-object-tostring
       - cs/local-not-disposed
+      - cs/constant-condition

csharp/ql/src/codeql-suites/csharp-ccr.qls

@@ -1,10 +1,11 @@
 using System;
-using System.Text;
 using System.IO;
 using System.IO.Compression;
-using System.Xml;
+using System.Net.Http;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
+using System.Xml;
 
 class Test
 {
@@ -48,9 +49,9 @@ public IDisposable Method()
         }
 
         // BAD: No Dispose call
-        var c1d = new Timer(TimerProc);
-        var fs = new FileStream("", FileMode.CreateNew, FileAccess.Write);
-        new FileStream("", FileMode.CreateNew, FileAccess.Write).Fluent();
+        var c1d = new Timer(TimerProc); // $ Alert
+        var fs = new FileStream("", FileMode.CreateNew, FileAccess.Write); // $ Alert
+        new FileStream("", FileMode.CreateNew, FileAccess.Write).Fluent(); // $ Alert
 
         // GOOD: Disposed via wrapper
         fs = new FileStream("", FileMode.CreateNew, FileAccess.Write);
@@ -72,13 +73,10 @@ public IDisposable Method()
             ;
 
         // GOOD: XmlDocument.Load disposes incoming XmlReader (False positive as this is disposed in library code)
-        var xmlReader = XmlReader.Create(new StringReader("xml"), null);
+        var xmlReader = XmlReader.Create(new StringReader("xml"), null); // $ Alert
         var xmlDoc = new XmlDocument();
         xmlDoc.Load(xmlReader);
 
-        // GOOD: Passed to a library (False positive as this is disposed in library code).
-        DisposalTests.Class1.Dispose(new StreamWriter("output.txt"));
-
         // GOOD: Disposed automatically.
         using var c2 = new Timer(TimerProc);
 
@@ -97,6 +95,15 @@ public IDisposable Method()
         return null;
     }
 
+    public void M(IHttpClientFactory factory)
+    {
+        // GOOD: Factory tracks and disposes.
+        HttpClient client1 = factory.CreateClient();
+
+        // BAD: No Dispose call
+        var client2 = new HttpClient(); // $ Alert
+    }
+
     // GOOD: Escapes
     IDisposable Create() => new Timer(TimerProc);
 
@@ -107,6 +114,15 @@ void TimerProc(object obj)
     public void Dispose() { }
 }
 
+class Bad
+{
+    long GetLength(string file)
+    {
+        var stream = new FileStream(file, FileMode.Open); // $ Alert
+        return stream.Length;
+    }
+}
+
 static class Extensions
 {
     public static FileStream Fluent(this FileStream fs) => fs;