Merge branch 'master' of https://github.com/github/codeql

Author: raulgarciamsft

.devcontainer/devcontainer.json

@@ -0,0 +1,9 @@
+{
+  "extensions": [
+    "github.vscode-codeql",
+    "slevesque.vscode-zipexplorer"
+  ],
+  "settings": {
+    "codeQL.experimentalBqrsParsing": true
+  }
+}

.github/codeql/codeql-config.yml

@@ -0,0 +1,9 @@
+name: "CodeQL config"
+
+queries:
+  - uses: security-and-quality
+
+paths-ignore:
+  - '/cpp/'
+  - '/java/'
+  - '/python/'

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,52 @@
+name: "Code scanning - action"
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 9 * * 1'
+
+jobs:
+  CodeQL-Build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+      
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      # Override language selection by uncommenting this and choosing your languages
+      with:
+        languages: csharp
+        config-file: ./.github/codeql/codeql-config.yml
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 We welcome contributions to our CodeQL libraries and queries. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
 
-There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [Writing CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
+There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
 
 
 ## Submitting a new experimental query
@@ -32,7 +32,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     For details, see the [guide on query metadata](docs/query-metadata-style-guide.md).
 
-    Make sure the `select` statement is compatible with the query `@kind`. See [Introduction to query files](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.
+    Make sure the `select` statement is compatible with the query `@kind`. See [About CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.
 
 3. **Formatting**
 
@@ -53,14 +53,6 @@ After the experimental query is merged, we welcome pull requests to improve it.
 
 ## Using your personal data
 
-If you contribute to this project, we will record your name and email
-address (as provided by you with your contributions) as part of the code
-repositories, which are public. We might also use this information
-to contact you in relation to your contributions, as well as in the
-normal course of software development. We also store records of your
-CLA agreements. Under GDPR legislation, we do this
-on the basis of our legitimate interest in creating the CodeQL product.
-
-Please do get in touch ([email protected]) if you have any questions about
-this or our data protection policies.
+If you contribute to this project, we will record your name and email address (as provided by you with your contributions) as part of the code repositories, which are public. We might also use this information to contact you in relation to your contributions, as well as in the normal course of software development. We also store records of CLA agreements signed in the past, but no longer require contributors to sign a CLA. Under GDPR legislation, we do this on the basis of our legitimate interest in creating the CodeQL product. 
 
+Please do get in touch ([email protected]) if you have any questions about this or our data protection policies.

README.md

@@ -1,6 +1,6 @@
 # CodeQL
 
-This open source repository contains the standard CodeQL libraries and queries that power [LGTM](https://lgtm.com) and the other CodeQL products that [GitHub](https://github.com) makes available to its customers worldwide.
+This open source repository contains the standard CodeQL libraries and queries that power [LGTM](https://lgtm.com) and the other CodeQL products that [GitHub](https://github.com) makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the [CodeQL for Go repository](https://github.com/github/codeql-go).
 
 ## How do I learn CodeQL and run queries?
 

change-notes/1.25/analysis-cpp.md

@@ -0,0 +1,46 @@
+# Improvements to C/C++ analysis
+
+The following changes in version 1.25 affect C/C++ analysis in all applications.
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Uncontrolled format string (`cpp/tainted-format-string`) |  | This query is now displayed by default on LGTM. |
+| Uncontrolled format string (through global variable) (`cpp/tainted-format-string-through-global`) |  | This query is now displayed by default on LGTM. |
+
+## Changes to libraries
+
+* The library `VCS.qll` and all queries that imported it have been removed.
+* The data-flow library has been improved, which affects most security queries by potentially
+  adding more results. Flow through functions now takes nested field reads/writes into account.
+  For example, the library is able to track flow from `taint()` to `sink()` via the method
+  `getf2f1()` in
+  ```c
+  struct C {
+      int f1;
+  };
+
+  struct C2
+  {
+      C f2;
+
+      int getf2f1() {
+          return f2.f1; // Nested field read
+      }
+
+      void m() {
+          f2.f1 = taint();
+          sink(getf2f1()); // NEW: taint() reaches here
+      }
+  };
+  ```
+* The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) now considers that equality checks may block the flow of taint.  This results in fewer false positive results from queries that use this library.
+* The length of a tainted string (such as the return value of a call to `strlen` or `strftime` with tainted parameters) is no longer itself considered tainted by the `models` library.  This leads to fewer false positive results in queries that use any of our taint libraries.

change-notes/1.25/analysis-csharp.md

@@ -0,0 +1,54 @@
+# Improvements to C# analysis
+
+The following changes in version 1.25 affect C# analysis in all applications.
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+
+
+## Removal of old queries
+
+## Changes to code extraction
+
+* Index initializers, of the form `{ [1] = "one" }`, are extracted correctly. Previously, the kind of the
+  expression was incorrect, and the index was not extracted.
+
+## Changes to libraries
+
+* The class `UnboundGeneric` has been refined to only be those declarations that actually
+  have type parameters. This means that non-generic nested types inside constructed types,
+  such as `A<int>.B`, no longer are considered unbound generics. (Such nested types do,
+  however, still have relevant `.getSourceDeclaration()`s, for example `A<>.B`.)
+* The data-flow library has been improved, which affects most security queries by potentially
+  adding more results. Flow through methods now takes nested field reads/writes into account.
+  For example, the library is able to track flow from `"taint"` to `Sink()` via the method
+  `GetF2F1()` in
+  ```csharp
+  class C1
+  {
+      string F1;
+  }
+
+  class C2
+  {
+      C1 F2;
+  
+      string GetF2F1() => F2.F1; // Nested field read
+
+      void M()
+      {
+          F2 = new C1() { F1 = "taint" };
+          Sink(GetF2F1()); // NEW: "taint" reaches here
+      }
+  }
+  ```
+
+## Changes to autobuilder

change-notes/1.25/analysis-java.md

@@ -0,0 +1,41 @@
+# Improvements to Java analysis
+
+The following changes in version 1.25 affect Java analysis in all applications.
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+
+
+## Changes to libraries
+
+* The data-flow library has been improved, which affects most security queries by potentially
+  adding more results. Flow through methods now takes nested field reads/writes into account.
+  For example, the library is able to track flow from `"taint"` to `sink()` via the method
+  `getF2F1()` in
+  ```java
+  class C1 {
+    String f1;
+    C1(String f1) { this.f1 = f1; }
+  }
+
+  class C2 {
+    C1 f2;
+    String getF2F1() {
+        return this.f2.f1; // Nested field read
+    }
+    void m() {
+        this.f2 = new C1("taint");
+        sink(this.getF2F1()); // NEW: "taint" reaches here
+    }
+  }
+  ```