Merge branch 'main' into equiv

Author: erik-krogh

.github/workflows/close-stale.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v6
+    - uses: actions/stale@v7
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'

cpp/ql/src/AlertSuppression.ql

@@ -5,10 +5,18 @@
  * @id cpp/alert-suppression
  */
 
-private import codeql.suppression.AlertSuppression as AS
+private import codeql.util.suppression.AlertSuppression as AS
 private import semmle.code.cpp.Element
 
-class SingleLineComment extends Comment {
+class AstNode extends Locatable {
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+class SingleLineComment extends Comment, AstNode {
   private string text;
 
   SingleLineComment() {
@@ -26,14 +34,8 @@ class SingleLineComment extends Comment {
     not text.matches("%\n%")
   }
 
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
   /** Gets the text in this comment, excluding the leading //. */
   string getText() { result = text }
 }
 
-import AS::Make<SingleLineComment>
+import AS::Make<AstNode, SingleLineComment>

cpp/ql/src/change-notes/2022-12-19-alert-suppressions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be place on the line before an alert.

cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.expected

@@ -34,4 +34,11 @@ int x = 0; // lgtm
 
 */
 /* lgtm[@tag:nullness,js/invocation-of-non-function] */
-/* lgtm[@tag:nullness] */
+/* lgtm[@tag:nullness] */
+// codeql[js/debugger-statement]
+// CODEQL[js/debugger-statement]
+// codeql[js/debugger-statement] -- because I know better than codeql
+/* codeql[js/debugger-statement] */
+/* codeql[js/debugger-statement] 
+*/
+int y; // codeql[js/debugger-statement]

cpp/ql/test/query-tests/AlertSuppression/tst.c

@@ -34,4 +34,11 @@ int x = 0; // lgtm
 
 */
 /* lgtm[@tag:nullness,js/invocation-of-non-function] */
-/* lgtm[@tag:nullness] */
+/* lgtm[@tag:nullness] */
+// codeql[js/debugger-statement]
+// CODEQL[js/debugger-statement]
+// codeql[js/debugger-statement] -- because I know better than codeql
+/* codeql[js/debugger-statement] */
+/* codeql[js/debugger-statement] 
+*/
+int y; // codeql[js/debugger-statement]

cpp/ql/test/query-tests/AlertSuppression/tstWindows.c

@@ -260,6 +260,12 @@ module Public {
      *  Holds if the neutral is auto generated.
      */
     predicate isAutoGenerated() { neutralElement(this, true) }
+
+    /**
+     * Holds if the neutral has the given provenance where `true` is
+     * `generated` and `false` is `manual`.
+     */
+    predicate hasProvenance(boolean generated) { neutralElement(this, generated) }
   }
 }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -5,9 +5,17 @@
  * @id cs/alert-suppression
  */
 
-private import codeql.suppression.AlertSuppression as AS
+private import codeql.util.suppression.AlertSuppression as AS
 private import semmle.code.csharp.Comments
 
+class AstNode extends Element {
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
 class SingleLineComment extends CommentLine {
   SingleLineComment() {
     // Must be either `// ...` or `/* ... */` on a single line.
@@ -21,4 +29,4 @@ class SingleLineComment extends CommentLine {
   }
 }
 
-import AS::Make<SingleLineComment>
+import AS::Make<AstNode, SingleLineComment>

csharp/ql/src/AlertSuppression.ql

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be place on the line before an alert.

csharp/ql/src/change-notes/2022-12-19-alert-suppressions.md

@@ -26,3 +26,11 @@ class Dead { } // lgtm
 // LGTM[cs/unused-reftype]
 // lgtm[cs/unused-reftype] and lgtm[cs/unused-field]
 // lgtm[cs/unused-reftype]; lgtm
+// codeql[js/debugger-statement]
+// CODEQL[js/debugger-statement]
+// codeql[js/debugger-statement] -- because I know better than codeql
+/* codeql[js/debugger-statement] */
+/* codeql[js/debugger-statement] 
+*/
+class End { } // codeql[js/debugger-statement]
+