Merge branch 'main' into sourcesinkdoc

Author: geoffw0

.github/codeql/codeql-config.yml

@@ -8,5 +8,6 @@ paths-ignore:
   - '/java/'
   - '/python/'
   - '/javascript/ql/test'
+  - '/javascript/ql/integration-tests'
   - '/javascript/extractor/tests'
   - '/rust/ql'

.github/workflows/codeql-analysis.yml

@@ -18,6 +18,10 @@ on:
 
 jobs:
   CodeQL-Build:
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['actions', 'csharp']
 
     runs-on: ubuntu-latest
 
@@ -38,9 +42,8 @@ jobs:
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@main
-      # Override language selection by uncommenting this and choosing your languages
       with:
-        languages: csharp
+        languages: ${{ matrix.language }}
         config-file: ./.github/codeql/codeql-config.yml
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md

@@ -43,7 +43,7 @@ jobs:
 The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
 
 ```yaml
-name: Insecure Workflow
+name: Secure Workflow
 
 on:
   workflow_run:

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md

@@ -43,7 +43,7 @@ jobs:
 The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
 
 ```yaml
-name: Insecure Workflow
+name: Secure Workflow
 
 on:
   workflow_run:

actions/ql/src/qlpack.yml

@@ -8,3 +8,4 @@ extractor: actions
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
   codeql/actions-all: ${workspace}
+  codeql/suite-helpers: ${workspace}

csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql

@@ -16,6 +16,7 @@
 import csharp
 import Dispose
 import semmle.code.csharp.frameworks.System
+import semmle.code.csharp.frameworks.system.threading.Tasks
 import semmle.code.csharp.commons.Disposal
 
 private class ReturnNode extends DataFlow::ExprNode {
@@ -24,15 +25,27 @@ private class ReturnNode extends DataFlow::ExprNode {
   }
 }
 
+private class Task extends Type {
+  Task() {
+    this instanceof SystemThreadingTasksTaskClass or
+    this instanceof SystemThreadingTasksTaskTClass
+  }
+}
+
 module DisposeCallOnLocalIDisposableConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
-    node.asExpr() =
-      any(LocalScopeDisposableCreation disposable |
-        // Only care about library types - user types often have spurious IDisposable declarations
-        disposable.getType().fromLibrary() and
-        // WebControls are usually disposed automatically
-        not disposable.getType() instanceof WebControl
-      )
+    exists(LocalScopeDisposableCreation disposable, Type t |
+      node.asExpr() = disposable and
+      t = disposable.getType()
+    |
+      // Only care about library types - user types often have spurious IDisposable declarations
+      t.fromLibrary() and
+      // WebControls are usually disposed automatically
+      not t instanceof WebControl and
+      // It is typically not nessesary to dispose tasks
+      // https://devblogs.microsoft.com/pfxteam/do-i-need-to-dispose-of-tasks/
+      not t instanceof Task
+    )
   }
 
   predicate isSink(DataFlow::Node node) {

csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql

@@ -119,9 +119,14 @@ class ConstantMatchingCondition extends ConstantCondition {
   }
 
   override predicate isWhiteListed() {
-    exists(SwitchExpr se, int i |
-      se.getCase(i).getPattern() = this.(DiscardExpr) and
+    exists(Switch se, Case c, int i |
+      c = se.getCase(i) and
+      c.getPattern() = this.(DiscardExpr)
+    |
       i > 0
+      or
+      i = 0 and
+      exists(Expr cond | c.getCondition() = cond and not isConstantCondition(cond, true))
     )
     or
     this = any(PositionalPatternExpr ppe).getPattern(_)

csharp/ql/src/change-notes/2025-03-10-task-not-disposed.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cs/local-not-disposed` query no longer flags un-disposed tasks as this is often not needed (explained [here](https://devblogs.microsoft.com/pfxteam/do-i-need-to-dispose-of-tasks/)).

csharp/ql/src/change-notes/2025-03-11-constant-condition.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Increase query precision for `cs/constant-condition` and allow the use of discards in switch/case statements and also take the condition (if any) into account.

csharp/ql/src/codeql-suites/csharp-ccr.qls

@@ -8,3 +8,4 @@
       - cs/self-assignment
       - cs/inefficient-containskey
       - cs/call-to-object-tostring
+      - cs/local-not-disposed