Merge branch 'main' into improve-tainted-arithmetic

Author: MathiasVP

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -0,0 +1,87 @@
+name: Check framework coverage changes
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/csv-coverage-pr-comment.yml'
+      - '*/ql/src/**/*.ql'
+      - '*/ql/src/**/*.qll'
+      - 'misc/scripts/library-coverage/*.py'
+      # input data files
+      - '*/documentation/library-coverage/cwe-sink.csv'
+      - '*/documentation/library-coverage/frameworks.csv'
+    branches:
+      - main
+      - 'rc/*'
+
+jobs:
+  generate:
+    name: Generate framework coverage artifacts
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql) - MERGE
+      uses: actions/checkout@v2
+      with:
+        path: merge
+    - name: Clone self (github/codeql) - BASE
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 2
+        path: base
+    - run: |
+        git checkout HEAD^1
+        git log -1 --format='%H'
+      working-directory: base
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Generate CSV files on merge and base of the PR
+      run: |
+        echo "Running generator on merge"
+        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
+        mkdir out_merge
+        cp framework-coverage-*.csv out_merge/
+        cp framework-coverage-*.rst out_merge/
+
+        echo "Running generator on base"
+        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
+        mkdir out_base
+        cp framework-coverage-*.csv out_base/
+        cp framework-coverage-*.rst out_base/
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-merge
+        path: |
+          out_merge/framework-coverage-*.csv
+          out_merge/framework-coverage-*.rst
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-base
+        path: |
+          out_base/framework-coverage-*.csv
+          out_base/framework-coverage-*.rst
+    - name: Save PR number
+      run: |
+        mkdir -p pr
+        echo ${{ github.event.pull_request.number }} > pr/NR
+    - name: Upload PR number
+      uses: actions/upload-artifact@v2
+      with:
+        name: pr
+        path: pr/

.github/workflows/csv-coverage-pr-comment.yml

@@ -0,0 +1,65 @@
+name: Comment on PR with framework coverage changes
+
+on:
+  workflow_run:
+    workflows: ["Check framework coverage changes"]
+    types:
+      - completed
+
+jobs:
+  check:
+    name: Check framework coverage differences and comment
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+
+    # download artifacts from the PR job:
+
+    - name: Download artifact - MERGE
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        gh run download --name "csv-framework-coverage-merge" --dir "out_merge" "$RUN_ID"
+
+    - name: Download artifact - BASE
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        gh run download --name "csv-framework-coverage-base" --dir "out_base" "$RUN_ID"
+
+    - name: Download artifact - PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        gh run download --name "pr" --dir "pr" "$RUN_ID"
+
+    - name: Check coverage files
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        PR=$(cat "pr/NR")
+        python misc/scripts/library-coverage/compare-files-comment-pr.py \
+          out_base out_merge comparison.md "$GITHUB_REPOSITORY" "$PR" "$RUN_ID"
+    - name: Upload comparison results
+      uses: actions/upload-artifact@v2
+      with:
+        name: comparison
+        path: |
+          comparison.md

cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.

cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/offset-use-before-range-check
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.2
  * @precision medium
  * @tags reliability
  *       security

cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/descriptor-may-not-be-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/DescriptorNeverClosed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/descriptor-never-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileMayNotBeClosed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/file-may-not-be-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileNeverClosed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/file-never-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/GlobalUseBeforeInit.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/global-use-before-init
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-457

cpp/ql/src/Critical/InconsistentNullnessTesting.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/inconsistent-nullness-testing
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476