Merge branch 'main' into main

Author: bananabr

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql

@@ -16,15 +16,36 @@
 import cpp
 import semmle.code.cpp.commons.Exclusions
 
-/** Gets the sub-expression of 'e' with the earliest-starting Location */
+/**
+ * Gets a child of `e`, including conversions but excluding call arguments.
+ */
+pragma[inline]
+Expr getAChildWithConversions(Expr e) {
+  result.getParentWithConversions() = e and
+  not result = any(Call c).getAnArgument()
+}
+
+/**
+ * Gets the left-most column position of any transitive child of `e` (including
+ * conversions but excluding call arguments).
+ */
+int getCandidateColumn(Expr e) {
+  result = e.getLocation().getStartColumn() or
+  result = getCandidateColumn(getAChildWithConversions(e))
+}
+
+/**
+ * Gets the transitive child of `e` (including conversions but excluding call
+ * arguments) at the left-most column position, preferring less deeply nested
+ * expressions if there is a choice.
+ */
 Expr normalizeExpr(Expr e) {
-  result =
-    min(Expr child |
-      child.getParentWithConversions*() = e.getFullyConverted() and
-      not child.getParentWithConversions*() = any(Call c).getAnArgument()
-    |
-      child order by child.getLocation().getStartColumn(), count(child.getParentWithConversions*())
-    )
+  e.getLocation().getStartColumn() = min(getCandidateColumn(e)) and
+  result = e
+  or
+  not e.getLocation().getStartColumn() = min(getCandidateColumn(e)) and
+  result = normalizeExpr(getAChildWithConversions(e)) and
+  result.getLocation().getStartColumn() = min(getCandidateColumn(e))
 }
 
 predicate isParenthesized(CommaExpr ce) {
@@ -43,8 +64,8 @@ from CommaExpr ce, Expr left, Expr right, Location leftLoc, Location rightLoc
 where
   ce.fromSource() and
   not isFromMacroDefinition(ce) and
-  left = normalizeExpr(ce.getLeftOperand()) and
-  right = normalizeExpr(ce.getRightOperand()) and
+  left = normalizeExpr(ce.getLeftOperand().getFullyConverted()) and
+  right = normalizeExpr(ce.getRightOperand().getFullyConverted()) and
   leftLoc = left.getLocation() and
   rightLoc = right.getLocation() and
   not isParenthesized(ce) and

docs/codeql/codeql-for-visual-studio-code/exploring-data-flow-with-path-queries.rst

@@ -28,7 +28,7 @@ Running path queries in VS Code
 #. Once the query has finished running, you can see the results in the Results view as usual (under ``alerts`` in the dropdown menu). Each query result describes the flow of information between a source and a sink.
 #. Expand the result to see the individual steps that the data follows. 
 #. Click each step to jump to it in the source code and investigate the problem further.
-#. To navigate the path from your keyboard, you can bind shortcuts to the **CodeQL: Show Previous Step on Path** and **CodeQL: Show Next Step on Path** commands.
+#. To navigate the results from your keyboard, you can bind shortcuts to the **CodeQL: Navigate Up/Down/Left/Right in Result Viewer** commands.
 
 Further reading
 -----------------

java/documentation/library-coverage/coverage.rst

@@ -8,16 +8,20 @@ Java framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
    Android,``android.*``,52,479,116,,,3,67,,,
+   Android extensions,``androidx.*``,5,183,8,,,,,,,
    `Apache Commons Collections <https://commons.apache.org/proper/commons-collections/>`_,"``org.apache.commons.collections``, ``org.apache.commons.collections4``",,1600,,,,,,,,
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,556,106,91,,,,,,15
    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
    `Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,,
    `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
+   `Apache Log4j 2 <https://logging.apache.org/log4j/2.0/>`_,``org.apache.logging.log4j``,,8,359,,,,,,,
    `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,728,39,,6,,,,,
+   JBoss Logging,``org.jboss.logging``,,,324,,,,,,,
    `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
    Java Standard Library,``java.*``,3,589,130,28,,,7,,,10
    Java extensions,"``javax.*``, ``jakarta.*``",63,609,32,,,4,,1,1,2
+   Kotlin Standard Library,``kotlin*``,,1835,12,10,,,,,,2
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,477,101,,,,19,14,,29
-   Others,"``androidx.core.app``, ``androidx.slice``, ``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``kotlin``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.logging.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jboss.logging``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.mvel2``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",65,2326,972,10,,,14,18,,5
+   Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.mvel2``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",60,300,269,,,,14,18,,3
    Totals,,217,8432,1524,129,6,10,107,33,1,86
 

java/kotlin-extractor/src/main/java/com/semmle/extractor/java/OdasaOutput.java

@@ -277,7 +277,7 @@ private TrapFileManager getMembersWriterForDecl(File trap, File trapFileBase, Tr
 				// Only re-write an existing trap file if we encountered a newer version of the same class.
 				TrapClassVersion trapVersion = readVersionInfo(trap);
 				if (!currVersion.isValid()) {
-					log.warn("Not rewriting trap file for: " + shortName + " " + trapVersion + " " + currVersion + " " + trap);
+					log.trace("Not rewriting trap file for: " + shortName + " " + trapVersion + " " + currVersion + " " + trap);
 				} else if (currVersion.newerThan(trapVersion)) {
 					log.trace("Rewriting trap file for: " + shortName + " " + trapVersion + " " + currVersion + " " + trap);
 					deleteTrapFileAndDependencies(sym, signature);
@@ -291,7 +291,7 @@ private TrapFileManager getMembersWriterForDecl(File trap, File trapFileBase, Tr
 			// If the TRAP file already exists then we
 			// don't need to write it.
 			if (trap.exists()) {
-				log.warn("Not rewriting trap file for " + trap.toString() + " as it exists");
+				log.trace("Not rewriting trap file for " + trap.toString() + " as it exists");
 				return null;
 			}
 			// If the TRAP file was written in the past, and
@@ -301,7 +301,7 @@ private TrapFileManager getMembersWriterForDecl(File trap, File trapFileBase, Tr
 			File trapFileDir = trap.getParentFile();
 			File trapOld = new File(trapFileDir, trap.getName().replace(".trap.gz", ".trap-old.gz"));
 			if (trapOld.exists()) {
-				log.warn("Not rewriting trap file for " + trap.toString() + " as the trap-old exists");
+				log.trace("Not rewriting trap file for " + trap.toString() + " as the trap-old exists");
 				return null;
 			}
 			// Otherwise, if any newer TRAP file has already
@@ -316,7 +316,7 @@ private TrapFileManager getMembersWriterForDecl(File trap, File trapFileBase, Tr
 					if (m.matches() && m.group(1).equals(trapFileBaseName)) {
 						TrapClassVersion v = new TrapClassVersion(Integer.valueOf(m.group(2)), Integer.valueOf(m.group(3)), Long.valueOf(m.group(4)), m.group(5));
 						if (v.newerThan(trapFileVersion)) {
-							log.warn("Not rewriting trap file for " + trap.toString() + " as " + f.toString() + " exists");
+							log.trace("Not rewriting trap file for " + trap.toString() + " as " + f.toString() + " exists");
 							return null;
 						}
 					}

java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt

@@ -1281,6 +1281,7 @@ open class KotlinUsesExtractor(
                         }
                         // Look for an exact type match...
                         javaClass.declarations.findSubType<IrFunction> { decl ->
+                            !decl.isFakeOverride &&
                             decl.name.asString() == jvmName &&
                             decl.valueParameters.size == f.valueParameters.size &&
                             decl.valueParameters.zip(f.valueParameters).all { p -> erase(p.first.type).classifierOrNull == erase(p.second.type).classifierOrNull }

java/ql/consistency-queries/diags.ql

@@ -0,0 +1,34 @@
+import semmle.code.java.Diagnostics
+
+/*
+ * This query fails if any unexpected diagnostics are recorded in the
+ * database. By putting
+ *    // Diagnostic Matches: PAT
+ * in any source files, you can declare that diagnostics matching PAT
+ * (in the string.matches(string) sense) are expected.
+ */
+
+class DiagnosticException extends Top {
+  string pattern;
+
+  DiagnosticException() {
+    this.(KtComment).getText() = "// Diagnostic Matches: " + pattern
+    or
+    this.(Javadoc).toString() = "// Diagnostic Matches: " + pattern
+  }
+
+  Diagnostic getException() { diagnosticMessage(result).matches(pattern) }
+}
+
+string diagnosticMessage(Diagnostic d) {
+  if d.getFullMessage() != "" then result = d.getFullMessage() else result = d.getMessage()
+}
+
+// Check that there aren't any old DiagnosticExceptions left after
+// something is fixed.
+query predicate unusedDiagnosticException(DiagnosticException de) { not exists(de.getException()) }
+
+query predicate unexpectedDiagnostic(Diagnostic d, string s) {
+  s = diagnosticMessage(d) and
+  not d = any(DiagnosticException de).getException()
+}

java/ql/integration-tests/linux-only/kotlin/custom_plugin/diagnostics.expected

@@ -1,3 +1 @@
 | CodeQL Kotlin extractor | 2 |  | IrProperty without a getter | d.kt:0:0:0:0 | d.kt:0:0:0:0 |
-| CodeQL Kotlin extractor | 2 |  | Not rewriting trap file for test-db/trap/java/classes/java/lang/Boolean.members/Boolean.members<VERSION>-<MODIFIED>-kotlin.trap.gz as it exists | file://:0:0:0:0 | file://:0:0:0:0 |
-| CodeQL Kotlin extractor | 2 |  | Not rewriting trap file for test-db/trap/java/classes/kotlin/Boolean.members/Boolean.members<VERSION>-<MODIFIED>-null.trap.gz as it exists | file://:0:0:0:0 | file://:0:0:0:0 |

java/ql/test/kotlin/library-tests/annotation_classes/def.kt

@@ -1,3 +1,5 @@
 
 annotation class SomeAnnotation
 
+// Diagnostic Matches: Incomplete annotation: @kotlin.Metadata(%)
+// Diagnostic Matches: Unknown location for kotlin.Metadata

java/ql/test/kotlin/library-tests/annotations/jvmName/test.kt

@@ -15,4 +15,12 @@ class X {
 
 annotation class Ann(
     val p: Int,
-    @get:JvmName("w") val q: Int)
+    @get:JvmName("w") val q: Int)
+
+// Diagnostic Matches: Incomplete annotation: @kotlin.Metadata(%)
+// Diagnostic Matches: Incomplete annotation: @kotlin.jvm.JvmName(name="changeY")
+// Diagnostic Matches: Incomplete annotation: @kotlin.jvm.JvmName(name="getX_prop")
+// Diagnostic Matches: Incomplete annotation: @kotlin.jvm.JvmName(name="method")
+// Diagnostic Matches: Incomplete annotation: @kotlin.jvm.JvmName(name="y")
+// Diagnostic Matches: Unknown location for kotlin.Metadata
+// Diagnostic Matches: Unknown location for kotlin.jvm.JvmName

java/ql/test/kotlin/library-tests/arrays-with-variances/takesArrayList.kt

@@ -110,3 +110,8 @@ public class TakesArrayList {
   fun inInArrayComparableAny(c: Comparable<Array<in Array<in Any>>>) { }
 
 }
+
+// Diagnostic Matches: Incomplete annotation: @kotlin.Metadata(%)
+// Diagnostic Matches: Unknown location for kotlin.Metadata
+// Diagnostic Matches: Completion failure for type: org.jetbrains.annotations.NotNull
+// Diagnostic Matches: Unknown location for org.jetbrains.annotations.NotNull