зеркало из https://github.com/github/codeql.git
Merge remote-tracking branch 'origin/main' into rb/rack-redirect
This commit is contained in:
Alex Ford
Коммит
397a809426
|
|
@ -11,7 +11,7 @@ Go:
|
|||
- change-notes/**/*go.*
|
||||
|
||||
Java:
|
||||
- any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ]
|
||||
- any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/ql/test/kotlin/**/*' ]
|
||||
- change-notes/**/*java.*
|
||||
|
||||
JS:
|
||||
|
|
@ -20,7 +20,6 @@ JS:
|
|||
|
||||
Kotlin:
|
||||
- java/kotlin-extractor/**/*
|
||||
- java/kotlin-explorer/**/*
|
||||
- java/ql/test/kotlin/**/*
|
||||
|
||||
Python:
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@
|
|||
/swift/ @github/codeql-swift
|
||||
/misc/codegen/ @github/codeql-swift
|
||||
/java/kotlin-extractor/ @github/codeql-kotlin
|
||||
/java/kotlin-explorer/ @github/codeql-kotlin
|
||||
|
||||
# ML-powered queries
|
||||
/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
|
||||
|
|
|
|||
|
|
@ -511,7 +511,8 @@
|
|||
"SensitiveDataHeuristics Python/JS": [
|
||||
"javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
|
||||
"python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
|
||||
"ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll"
|
||||
"ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
|
||||
"swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
|
||||
],
|
||||
"CFG": [
|
||||
"csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
|
||||
|
|
@ -598,4 +599,4 @@
|
|||
"python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
|
||||
"java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
|
||||
* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `CodeDuplication.qll` file.
|
||||
|
|
@ -176,20 +176,6 @@ class Class extends UserType {
|
|||
/** Holds if this class, struct or union has a constructor. */
|
||||
predicate hasConstructor() { exists(this.getAConstructor()) }
|
||||
|
||||
/**
|
||||
* Holds if this class has a copy constructor that is either explicitly
|
||||
* declared (though possibly `= delete`) or is auto-generated, non-trivial
|
||||
* and called from somewhere.
|
||||
*
|
||||
* DEPRECATED: There is more than one reasonable definition of what it means
|
||||
* to have a copy constructor, and we do not want to promote one particular
|
||||
* definition by naming it with this predicate. Having a copy constructor
|
||||
* could mean that such a member is declared or defined in the source or that
|
||||
* it is callable by a particular caller. For C++11, there's also a question
|
||||
* of whether to include members that are defaulted or deleted.
|
||||
*/
|
||||
deprecated predicate hasCopyConstructor() { this.getAMemberFunction() instanceof CopyConstructor }
|
||||
|
||||
/**
|
||||
* Like accessOfBaseMember but returns multiple results if there are multiple
|
||||
* paths to `base` through the inheritance graph.
|
||||
|
|
|
|||
|
|
@ -27,9 +27,6 @@ class PrintAstConfiguration extends TPrintAstConfiguration {
|
|||
predicate shouldPrintFunction(Function func) { any() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for PrintAstConfiguration */
|
||||
deprecated class PrintASTConfiguration = PrintAstConfiguration;
|
||||
|
||||
private predicate shouldPrintFunction(Function func) {
|
||||
exists(PrintAstConfiguration config | config.shouldPrintFunction(func))
|
||||
}
|
||||
|
|
@ -239,9 +236,6 @@ class PrintAstNode extends TPrintAstNode {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for PrintAstNode */
|
||||
deprecated class PrintASTNode = PrintAstNode;
|
||||
|
||||
/**
|
||||
* Class that restricts the elements that we compute `qlClass` for.
|
||||
*/
|
||||
|
|
@ -286,9 +280,6 @@ abstract class BaseAstNode extends PrintAstNode {
|
|||
deprecated Locatable getAST() { result = this.getAst() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for BaseAstNode */
|
||||
deprecated class BaseASTNode = BaseAstNode;
|
||||
|
||||
/**
|
||||
* A node representing an AST node other than a `DeclarationEntry`.
|
||||
*/
|
||||
|
|
@ -296,9 +287,6 @@ abstract class AstNode extends BaseAstNode, TAstNode {
|
|||
AstNode() { this = TAstNode(ast) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for AstNode */
|
||||
deprecated class ASTNode = AstNode;
|
||||
|
||||
/**
|
||||
* A node representing an `Expr`.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -14,9 +14,6 @@ library class StandardSsa extends SsaHelper {
|
|||
StandardSsa() { this = 0 }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StandardSsa */
|
||||
deprecated class StandardSSA = StandardSsa;
|
||||
|
||||
/**
|
||||
* A definition of one or more SSA variables, including phi node definitions.
|
||||
* An _SSA variable_, as defined in the literature, is effectively the pair of
|
||||
|
|
|
|||
|
|
@ -312,6 +312,3 @@ library class SsaHelper extends int {
|
|||
ssa_use(v, result, _, _)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SsaHelper */
|
||||
deprecated class SSAHelper = SsaHelper;
|
||||
|
|
|
|||
|
|
@ -1385,9 +1385,6 @@ private module Cached {
|
|||
conditionalSuccessor(n1, _, n2)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for qlCfgSuccessor */
|
||||
deprecated predicate qlCFGSuccessor = qlCfgSuccessor/2;
|
||||
|
||||
/**
|
||||
* Holds if `n2` is a control-flow node such that the control-flow
|
||||
* edge `(n1, n2)` may be taken when `n1` is an expression that is true.
|
||||
|
|
@ -1398,9 +1395,6 @@ private module Cached {
|
|||
not conditionalSuccessor(n1, false, n2)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for qlCfgTrueSuccessor */
|
||||
deprecated predicate qlCFGTrueSuccessor = qlCfgTrueSuccessor/2;
|
||||
|
||||
/**
|
||||
* Holds if `n2` is a control-flow node such that the control-flow
|
||||
* edge `(n1, n2)` may be taken when `n1` is an expression that is false.
|
||||
|
|
@ -1410,7 +1404,4 @@ private module Cached {
|
|||
conditionalSuccessor(n1, false, n2) and
|
||||
not conditionalSuccessor(n1, true, n2)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for qlCfgFalseSuccessor */
|
||||
deprecated predicate qlCFGFalseSuccessor = qlCfgFalseSuccessor/2;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -144,6 +144,20 @@ class AllocationInstruction extends CallInstruction {
|
|||
AllocationInstruction() { this.getStaticCallTarget() instanceof Cpp::AllocationFunction }
|
||||
}
|
||||
|
||||
private predicate isIndirectionType(Type t) { t instanceof Indirection }
|
||||
|
||||
private predicate hasUnspecifiedBaseType(Indirection t, Type base) {
|
||||
base = t.getBaseType().getUnspecifiedType()
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `t2` is the same type as `t1`, but after stripping away `result` number
|
||||
* of indirections.
|
||||
* Furthermore, specifies in `t2` been deeply stripped and typedefs has been resolved.
|
||||
*/
|
||||
private int getNumberOfIndirectionsImpl(Type t1, Type t2) =
|
||||
shortestDistances(isIndirectionType/1, hasUnspecifiedBaseType/2)(t1, t2, result)
|
||||
|
||||
/**
|
||||
* An abstract class for handling indirections.
|
||||
*
|
||||
|
|
@ -162,7 +176,10 @@ abstract class Indirection extends Type {
|
|||
* For example, the number of indirections of a variable `p` of type
|
||||
* `int**` is `3` (i.e., `p`, `*p` and `**p`).
|
||||
*/
|
||||
abstract int getNumberOfIndirections();
|
||||
final int getNumberOfIndirections() {
|
||||
result =
|
||||
getNumberOfIndirectionsImpl(this.getType(), any(Type end | not end instanceof Indirection))
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `deref` is an instruction that behaves as a `LoadInstruction`
|
||||
|
|
@ -200,19 +217,11 @@ private class PointerOrArrayOrReferenceTypeIndirection extends Indirection insta
|
|||
PointerOrArrayOrReferenceTypeIndirection() {
|
||||
baseType = PointerOrArrayOrReferenceType.super.getBaseType()
|
||||
}
|
||||
|
||||
override int getNumberOfIndirections() {
|
||||
result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
|
||||
}
|
||||
}
|
||||
|
||||
private class PointerWrapperTypeIndirection extends Indirection instanceof PointerWrapper {
|
||||
PointerWrapperTypeIndirection() { baseType = PointerWrapper.super.getBaseType() }
|
||||
|
||||
override int getNumberOfIndirections() {
|
||||
result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
|
||||
}
|
||||
|
||||
override predicate isAdditionalDereference(Instruction deref, Operand address) {
|
||||
exists(CallInstruction call |
|
||||
operandForFullyConvertedCall(getAUse(deref), call) and
|
||||
|
|
@ -233,10 +242,6 @@ private module IteratorIndirections {
|
|||
baseType = super.getValueType()
|
||||
}
|
||||
|
||||
override int getNumberOfIndirections() {
|
||||
result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
|
||||
}
|
||||
|
||||
override predicate isAdditionalDereference(Instruction deref, Operand address) {
|
||||
exists(CallInstruction call |
|
||||
operandForFullyConvertedCall(getAUse(deref), call) and
|
||||
|
|
|
|||
|
|
@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
|
|||
*/
|
||||
final Language::AST getAst() { result = Construction::getInstructionAst(this) }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
/**
|
||||
* Gets the location of the source code for this instruction.
|
||||
*/
|
||||
|
|
@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
|
|||
* Gets the AST variable that this instruction's IR variable refers to, if one exists.
|
||||
*/
|
||||
final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
|
||||
|
||||
/** DEPRECATED: Alias for getAstVariable */
|
||||
deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -577,9 +577,6 @@ private Overlap getVariableMemoryLocationOverlap(
|
|||
*/
|
||||
predicate canReuseSsaForOldResult(Instruction instr) { OldSsa::canReuseSsaForMemoryResult(instr) }
|
||||
|
||||
/** DEPRECATED: Alias for canReuseSsaForOldResult */
|
||||
deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1;
|
||||
|
||||
bindingset[result, b]
|
||||
private boolean unbindBool(boolean b) { result != b.booleanNot() }
|
||||
|
||||
|
|
|
|||
|
|
@ -422,12 +422,6 @@ private module Cached {
|
|||
)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for getInstructionAst */
|
||||
cached
|
||||
deprecated Language::AST getInstructionAST(Instruction instr) {
|
||||
result = getInstructionAst(instr)
|
||||
}
|
||||
|
||||
cached
|
||||
Language::LanguageType getInstructionResultType(Instruction instr) {
|
||||
result = instr.(RawIR::Instruction).getResultLanguageType()
|
||||
|
|
@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
|
|||
// We don't support reusing SSA for any location that could create a `Chi` instruction.
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for canReuseSsaForMemoryResult */
|
||||
deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
|
||||
|
||||
/**
|
||||
* Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
|
||||
* `DebugSsa` module, which is then imported by PrintSSA.
|
||||
|
|
@ -1005,9 +996,6 @@ module DebugSsa {
|
|||
import DefUse
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for DebugSsa */
|
||||
deprecated module DebugSSA = DebugSsa;
|
||||
|
||||
import CachedForDebugging
|
||||
|
||||
cached
|
||||
|
|
|
|||
|
|
@ -73,9 +73,6 @@ module UnaliasedSsaInstructions {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UnaliasedSsaInstructions */
|
||||
deprecated module UnaliasedSSAInstructions = UnaliasedSsaInstructions;
|
||||
|
||||
/**
|
||||
* Provides wrappers for the constructors of each branch of `TInstruction` that is used by the
|
||||
* aliased SSA stage.
|
||||
|
|
@ -107,6 +104,3 @@ module AliasedSsaInstructions {
|
|||
result = TAliasedSsaUnreachedInstruction(irFunc)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for AliasedSsaInstructions */
|
||||
deprecated module AliasedSSAInstructions = AliasedSsaInstructions;
|
||||
|
|
|
|||
|
|
@ -74,20 +74,12 @@ private module Shared {
|
|||
|
||||
class TNonSsaMemoryOperand = Internal::TNonSsaMemoryOperand;
|
||||
|
||||
/** DEPRECATED: Alias for TNonSsaMemoryOperand */
|
||||
deprecated class TNonSSAMemoryOperand = TNonSsaMemoryOperand;
|
||||
|
||||
/**
|
||||
* Returns the non-Phi memory operand with the specified parameters.
|
||||
*/
|
||||
TNonSsaMemoryOperand nonSsaMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) {
|
||||
result = Internal::TNonSsaMemoryOperand(useInstr, tag)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for nonSsaMemoryOperand */
|
||||
deprecated TNonSSAMemoryOperand nonSSAMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) {
|
||||
result = nonSsaMemoryOperand(useInstr, tag)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -167,9 +159,6 @@ module UnaliasedSsaOperands {
|
|||
TChiOperand chiOperand(Unaliased::Instruction useInstr, ChiOperandTag tag) { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UnaliasedSsaOperands */
|
||||
deprecated module UnaliasedSSAOperands = UnaliasedSsaOperands;
|
||||
|
||||
/**
|
||||
* Provides wrappers for the constructors of each branch of `TOperand` that is used by the
|
||||
* aliased SSA stage.
|
||||
|
|
@ -217,6 +206,3 @@ module AliasedSsaOperands {
|
|||
result = Internal::TAliasedChiOperand(useInstr, tag)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for AliasedSsaOperands */
|
||||
deprecated module AliasedSSAOperands = AliasedSsaOperands;
|
||||
|
|
|
|||
|
|
@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
|
|||
*/
|
||||
final Language::AST getAst() { result = Construction::getInstructionAst(this) }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
/**
|
||||
* Gets the location of the source code for this instruction.
|
||||
*/
|
||||
|
|
@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
|
|||
* Gets the AST variable that this instruction's IR variable refers to, if one exists.
|
||||
*/
|
||||
final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
|
||||
|
||||
/** DEPRECATED: Alias for getAstVariable */
|
||||
deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -375,11 +375,6 @@ Locatable getInstructionAst(TStageInstruction instr) {
|
|||
)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for getInstructionAst */
|
||||
deprecated Locatable getInstructionAST(TStageInstruction instr) {
|
||||
result = getInstructionAst(instr)
|
||||
}
|
||||
|
||||
CppType getInstructionResultType(TStageInstruction instr) {
|
||||
getInstructionTranslatedElement(instr).hasInstruction(_, getInstructionTag(instr), result)
|
||||
or
|
||||
|
|
|
|||
|
|
@ -76,9 +76,6 @@ abstract class TranslatedExpr extends TranslatedElement {
|
|||
|
||||
final override Locatable getAst() { result = expr }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Locatable getAST() { result = this.getAst() }
|
||||
|
||||
final override Declaration getFunction() { result = getEnclosingDeclaration(expr) }
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
|
|||
*/
|
||||
final Language::AST getAst() { result = Construction::getInstructionAst(this) }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
/**
|
||||
* Gets the location of the source code for this instruction.
|
||||
*/
|
||||
|
|
@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
|
|||
* Gets the AST variable that this instruction's IR variable refers to, if one exists.
|
||||
*/
|
||||
final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
|
||||
|
||||
/** DEPRECATED: Alias for getAstVariable */
|
||||
deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -422,12 +422,6 @@ private module Cached {
|
|||
)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for getInstructionAst */
|
||||
cached
|
||||
deprecated Language::AST getInstructionAST(Instruction instr) {
|
||||
result = getInstructionAst(instr)
|
||||
}
|
||||
|
||||
cached
|
||||
Language::LanguageType getInstructionResultType(Instruction instr) {
|
||||
result = instr.(RawIR::Instruction).getResultLanguageType()
|
||||
|
|
@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
|
|||
// We don't support reusing SSA for any location that could create a `Chi` instruction.
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for canReuseSsaForMemoryResult */
|
||||
deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
|
||||
|
||||
/**
|
||||
* Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
|
||||
* `DebugSsa` module, which is then imported by PrintSSA.
|
||||
|
|
@ -1005,9 +996,6 @@ module DebugSsa {
|
|||
import DefUse
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for DebugSsa */
|
||||
deprecated module DebugSSA = DebugSsa;
|
||||
|
||||
import CachedForDebugging
|
||||
|
||||
cached
|
||||
|
|
|
|||
|
|
@ -46,9 +46,6 @@ predicate canReuseSsaForVariable(IRAutomaticVariable var) {
|
|||
not allocationEscapes(var)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for canReuseSsaForVariable */
|
||||
deprecated predicate canReuseSSAForVariable = canReuseSsaForVariable/1;
|
||||
|
||||
private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) }
|
||||
|
||||
private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var }
|
||||
|
|
@ -80,9 +77,6 @@ class MemoryLocation extends TMemoryLocation {
|
|||
|
||||
predicate canReuseSsaForOldResult(Instruction instr) { none() }
|
||||
|
||||
/** DEPRECATED: Alias for canReuseSsaForOldResult */
|
||||
deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1;
|
||||
|
||||
/**
|
||||
* Represents a set of `MemoryLocation`s that cannot overlap with
|
||||
* `MemoryLocation`s outside of the set. The `VirtualVariable` will be
|
||||
|
|
|
|||
|
|
@ -40,9 +40,6 @@ library class RangeSsa extends SsaHelper {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for RangeSsa */
|
||||
deprecated class RangeSSA = RangeSsa;
|
||||
|
||||
private predicate guard_defn(VariableAccess v, Expr guard, BasicBlock b, boolean branch) {
|
||||
guardCondition(guard, v, branch) and
|
||||
guardSuccessor(guard, branch, b)
|
||||
|
|
|
|||
|
|
@ -16,9 +16,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
|||
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
|
||||
deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
|
||||
|
||||
/** An external API which is used with untrusted data. */
|
||||
private newtype TExternalApi =
|
||||
/** An untrusted API method `m` where untrusted data is passed at `index`. */
|
||||
|
|
@ -51,6 +48,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
|
|||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
|
||||
deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
|
||||
|
|
|
|||
|
|
@ -41,9 +41,6 @@ class ExternalApiDataNode extends DataFlow::Node {
|
|||
string getFunctionDescription() { result = this.getExternalFunction().toString() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiDataNode */
|
||||
deprecated class ExternalAPIDataNode = ExternalApiDataNode;
|
||||
|
||||
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
||||
deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
|
||||
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
|
||||
|
|
@ -58,9 +55,6 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
|
|||
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
|
||||
deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
|
||||
|
||||
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
||||
private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
|
|
|
|||
|
|
@ -10,9 +10,6 @@ private import semmle.code.cpp.models.interfaces.SideEffect
|
|||
*/
|
||||
abstract class SafeExternalApiFunction extends Function { }
|
||||
|
||||
/** DEPRECATED: Alias for SafeExternalApiFunction */
|
||||
deprecated class SafeExternalAPIFunction = SafeExternalApiFunction;
|
||||
|
||||
/** The default set of "safe" external APIs. */
|
||||
private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction {
|
||||
DefaultSafeExternalApiFunction() {
|
||||
|
|
|
|||
|
|
@ -16,9 +16,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
|||
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
|
||||
deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
|
||||
|
||||
/** An external API which is used with untrusted data. */
|
||||
private newtype TExternalApi =
|
||||
/** An untrusted API method `m` where untrusted data is passed at `index`. */
|
||||
|
|
@ -51,6 +48,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
|
|||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
|
||||
deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
|
||||
|
|
|
|||
|
|
@ -41,9 +41,6 @@ class ExternalApiDataNode extends DataFlow::Node {
|
|||
string getFunctionDescription() { result = this.getExternalFunction().toString() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiDataNode */
|
||||
deprecated class ExternalAPIDataNode = ExternalApiDataNode;
|
||||
|
||||
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
||||
deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
|
||||
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfigIR" }
|
||||
|
|
@ -53,9 +50,6 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
|
|||
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
|
||||
deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
|
||||
|
||||
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
||||
private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
|
|
|||
|
|
@ -10,9 +10,6 @@ private import semmle.code.cpp.models.interfaces.SideEffect
|
|||
*/
|
||||
abstract class SafeExternalApiFunction extends Function { }
|
||||
|
||||
/** DEPRECATED: Alias for SafeExternalApiFunction */
|
||||
deprecated class SafeExternalAPIFunction = SafeExternalApiFunction;
|
||||
|
||||
/** The default set of "safe" external APIs. */
|
||||
private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction {
|
||||
DefaultSafeExternalApiFunction() {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,33 @@
|
|||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
|
||||
<overview>
|
||||
<p>
|
||||
Detects <code>if (a+b>c) a=c-b</code>, which incorrectly implements
|
||||
<code>a = min(a,c-b)</code> if <code>a+b</code> overflows.
|
||||
</p>
|
||||
<p>
|
||||
Also detects variants such as <code>if (b+a>c) a=c-b</code> (swapped
|
||||
terms in addition), <code>if (a+b>c) { a=c-b }</code> (assignment
|
||||
inside block), <code>c<a+b</code> (swapped operands), and
|
||||
<code>>=</code>, <code><</code>, <code><=</code> instead of
|
||||
<code>></code> (all operators).
|
||||
</p>
|
||||
<p>
|
||||
This integer overflow is the root cause of the buffer overflow in
|
||||
the SHA-3 reference implementation (CVE-2022-37454).
|
||||
</p>
|
||||
</overview>
|
||||
<recommendation>
|
||||
<p>
|
||||
Replace by <code>if (a>c-b) a=c-b</code>. This avoids the overflow
|
||||
and makes it easy to see that <code>a = min(a,c-b)</code>.
|
||||
</p>
|
||||
</recommendation>
|
||||
<references>
|
||||
<li>CVE-2022-37454: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37454">The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.</a></li>
|
||||
<li>GitHub Advisory Database: <a href="https://github.com/advisories/GHSA-6w4m-2xhg-2658">CVE-2022-37454: Buffer overflow in sponge queue functions</a></li>
|
||||
</references>
|
||||
</qhelp>
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
/**
|
||||
* @name Integer addition may overflow inside if statement
|
||||
* @description Writing 'if (a+b>c) a=c-b' incorrectly implements
|
||||
* 'a = min(a,c-b)' if 'a+b' overflows. This integer
|
||||
* overflow is the root cause of the buffer overflow
|
||||
* in the SHA-3 reference implementation (CVE-2022-37454).
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @id cpp/if-statement-addition-overflow
|
||||
* @tags: experimental
|
||||
* correctness
|
||||
* security
|
||||
* external/cwe/cwe-190
|
||||
*/
|
||||
|
||||
import cpp
|
||||
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
|
||||
import semmle.code.cpp.valuenumbering.HashCons
|
||||
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
|
||||
import semmle.code.cpp.controlflow.Guards
|
||||
|
||||
from
|
||||
GuardCondition guard, Expr expr, ExprStmt exprstmt, BasicBlock block, AssignExpr assignexpr,
|
||||
AddExpr addexpr, SubExpr subexpr
|
||||
where
|
||||
(guard.ensuresLt(expr, addexpr, 0, block, _) or guard.ensuresLt(addexpr, expr, 0, block, _)) and
|
||||
addexpr.getUnspecifiedType() instanceof IntegralType and
|
||||
exprMightOverflowPositively(addexpr) and
|
||||
block.getANode() = exprstmt and
|
||||
exprstmt.getExpr() = assignexpr and
|
||||
assignexpr.getRValue() = subexpr and
|
||||
(
|
||||
hashCons(addexpr.getLeftOperand()) = hashCons(assignexpr.getLValue()) and
|
||||
globalValueNumber(addexpr.getRightOperand()) = globalValueNumber(subexpr.getRightOperand())
|
||||
or
|
||||
hashCons(addexpr.getRightOperand()) = hashCons(assignexpr.getLValue()) and
|
||||
globalValueNumber(addexpr.getLeftOperand()) = globalValueNumber(subexpr.getRightOperand())
|
||||
) and
|
||||
globalValueNumber(expr) = globalValueNumber(subexpr.getLeftOperand())
|
||||
select guard,
|
||||
"\"if (a+b>c) a=c-b\" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as \"if (a>c-b) a=c-b\" which avoids the overflow.",
|
||||
addexpr, "addition"
|
||||
|
|
@ -179,6 +179,24 @@ predicate isSinkImpl(
|
|||
pointerAddInstructionHasBounds(pai, sink1, sink2, delta)
|
||||
}
|
||||
|
||||
/**
|
||||
* Yields any instruction that is control-flow reachable from `instr`.
|
||||
*/
|
||||
bindingset[instr, result]
|
||||
pragma[inline_late]
|
||||
Instruction getASuccessor(Instruction instr) {
|
||||
exists(IRBlock b, int instrIndex, int resultIndex |
|
||||
result.getBlock() = b and
|
||||
instr.getBlock() = b and
|
||||
b.getInstruction(instrIndex) = instr and
|
||||
b.getInstruction(resultIndex) = result
|
||||
|
|
||||
resultIndex >= instrIndex
|
||||
)
|
||||
or
|
||||
instr.getBlock().getASuccessor+() = result.getBlock()
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `sink` is a sink for `InvalidPointerToDerefConfig` and `i` is a `StoreInstruction` that
|
||||
* writes to an address that non-strictly upper-bounds `sink`, or `i` is a `LoadInstruction` that
|
||||
|
|
@ -186,8 +204,9 @@ predicate isSinkImpl(
|
|||
*/
|
||||
pragma[inline]
|
||||
predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation, int delta) {
|
||||
exists(AddressOperand addr |
|
||||
bounded1(addr.getDef(), sink.asInstruction(), delta) and
|
||||
exists(AddressOperand addr, Instruction s |
|
||||
s = sink.asInstruction() and
|
||||
bounded1(addr.getDef(), s, delta) and
|
||||
delta >= 0 and
|
||||
i.getAnOperand() = addr
|
||||
|
|
||||
|
|
@ -247,7 +266,8 @@ newtype TMergedPathNode =
|
|||
TPathNodeSink(Instruction i) {
|
||||
exists(DataFlow::Node n |
|
||||
InvalidPointerToDerefFlow::flowTo(n) and
|
||||
isInvalidPointerDerefSink(n, i, _, _)
|
||||
isInvalidPointerDerefSink(n, i, _, _) and
|
||||
i = getASuccessor(n.asInstruction())
|
||||
)
|
||||
}
|
||||
|
||||
|
|
@ -377,15 +397,19 @@ predicate hasFlowPath(
|
|||
}
|
||||
|
||||
from
|
||||
MergedPathNode source, MergedPathNode sink, int k2, int k3, string kstr,
|
||||
InvalidPointerToDerefFlow::PathNode source3, PointerArithmeticInstruction pai, string operation,
|
||||
Expr offset, DataFlow::Node n
|
||||
MergedPathNode source, MergedPathNode sink, int k, string kstr, PointerArithmeticInstruction pai,
|
||||
string operation, Expr offset, DataFlow::Node n
|
||||
where
|
||||
hasFlowPath(source, sink, source3, pai, operation, k3) and
|
||||
invalidPointerToDerefSource(pai, source3.getNode(), k2) and
|
||||
k =
|
||||
min(int k2, int k3, InvalidPointerToDerefFlow::PathNode source3 |
|
||||
hasFlowPath(source, sink, source3, pai, operation, k3) and
|
||||
invalidPointerToDerefSource(pai, source3.getNode(), k2)
|
||||
|
|
||||
k2 + k3
|
||||
) and
|
||||
offset = pai.getRight().getUnconvertedResultExpression() and
|
||||
n = source.asPathNode1().getNode() and
|
||||
if (k2 + k3) = 0 then kstr = "" else kstr = " + " + (k2 + k3)
|
||||
if k = 0 then kstr = "" else kstr = " + " + k
|
||||
select sink, source, sink,
|
||||
"This " + operation + " might be out of bounds, as the pointer might be equal to $@ + $@" + kstr +
|
||||
".", n, n.toString(), offset, offset.toString()
|
||||
|
|
|
|||
|
|
@ -1,373 +0,0 @@
|
|||
/** Provides classes for detecting duplicate or similar code. */
|
||||
|
||||
import cpp
|
||||
|
||||
deprecated private newtype TDuplicationOrSimilarity = MKDuplicationOrSimilarity()
|
||||
|
||||
/**
|
||||
* DEPRECATED: This class is no longer used.
|
||||
*
|
||||
* A token block used for detection of duplicate and similar code.
|
||||
*/
|
||||
deprecated class Copy extends TDuplicationOrSimilarity {
|
||||
/** Gets the index of the token in this block starting at the location `loc`, if any. */
|
||||
int tokenStartingAt(Location loc) { none() }
|
||||
|
||||
/** Gets the index of the token in this block ending at the location `loc`, if any. */
|
||||
int tokenEndingAt(Location loc) { none() }
|
||||
|
||||
/** Gets the line on which the first token in this block starts. */
|
||||
int sourceStartLine() { none() }
|
||||
|
||||
/** Gets the column on which the first token in this block starts. */
|
||||
int sourceStartColumn() { none() }
|
||||
|
||||
/** Gets the line on which the last token in this block ends. */
|
||||
int sourceEndLine() { none() }
|
||||
|
||||
/** Gets the column on which the last token in this block ends. */
|
||||
int sourceEndColumn() { none() }
|
||||
|
||||
/** Gets the number of lines containing at least (part of) one token in this block. */
|
||||
int sourceLines() { result = this.sourceEndLine() + 1 - this.sourceStartLine() }
|
||||
|
||||
/** Gets an opaque identifier for the equivalence class of this block. */
|
||||
int getEquivalenceClass() { none() }
|
||||
|
||||
/** Gets the source file in which this block appears. */
|
||||
File sourceFile() { none() }
|
||||
|
||||
/**
|
||||
* Holds if this element is at the specified location.
|
||||
* The location spans column `startcolumn` of line `startline` to
|
||||
* column `endcolumn` of line `endline` in file `filepath`.
|
||||
* For more information, see
|
||||
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
|
||||
*/
|
||||
predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this.sourceFile().getAbsolutePath() = filepath and
|
||||
startline = this.sourceStartLine() and
|
||||
startcolumn = this.sourceStartColumn() and
|
||||
endline = this.sourceEndLine() and
|
||||
endcolumn = this.sourceEndColumn()
|
||||
}
|
||||
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: This class is no longer used.
|
||||
*
|
||||
* A block of duplicated code.
|
||||
*/
|
||||
deprecated class DuplicateBlock extends Copy {
|
||||
override string toString() {
|
||||
result = "Duplicate code: " + this.sourceLines() + " duplicated lines."
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: This class is no longer used.
|
||||
*
|
||||
* A block of similar code.
|
||||
*/
|
||||
deprecated class SimilarBlock extends Copy {
|
||||
override string toString() {
|
||||
result = "Similar code: " + this.sourceLines() + " almost duplicated lines."
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: The `CodeDuplication` library will be removed in a future release.
|
||||
*
|
||||
* Gets a function with a body and a location.
|
||||
*/
|
||||
deprecated FunctionDeclarationEntry sourceMethod() {
|
||||
result.isDefinition() and
|
||||
exists(result.getLocation()) and
|
||||
numlines(unresolveElement(result.getFunction()), _, _, _)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: The `CodeDuplication` library will be removed in a future release.
|
||||
*
|
||||
* Gets the number of member functions in `c` with a body and a location.
|
||||
*/
|
||||
deprecated int numberOfSourceMethods(Class c) {
|
||||
result =
|
||||
count(FunctionDeclarationEntry m |
|
||||
m = sourceMethod() and
|
||||
m.getFunction().getDeclaringType() = c
|
||||
)
|
||||
}
|
||||
|
||||
deprecated private predicate blockCoversStatement(int equivClass, int first, int last, Stmt stmt) {
|
||||
exists(DuplicateBlock b, Location loc |
|
||||
stmt.getLocation() = loc and
|
||||
first = b.tokenStartingAt(loc) and
|
||||
last = b.tokenEndingAt(loc) and
|
||||
b.getEquivalenceClass() = equivClass
|
||||
)
|
||||
}
|
||||
|
||||
deprecated private Stmt statementInMethod(FunctionDeclarationEntry m) {
|
||||
result.getParent+() = m.getBlock() and
|
||||
not result.getLocation() instanceof UnknownStmtLocation and
|
||||
not result instanceof BlockStmt
|
||||
}
|
||||
|
||||
deprecated private predicate duplicateStatement(
|
||||
FunctionDeclarationEntry m1, FunctionDeclarationEntry m2, Stmt s1, Stmt s2
|
||||
) {
|
||||
exists(int equivClass, int first, int last |
|
||||
s1 = statementInMethod(m1) and
|
||||
s2 = statementInMethod(m2) and
|
||||
blockCoversStatement(equivClass, first, last, s1) and
|
||||
blockCoversStatement(equivClass, first, last, s2) and
|
||||
s1 != s2 and
|
||||
m1 != m2
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on duplicated statements is no longer available.
|
||||
*
|
||||
* Holds if `m1` is a function with `total` lines, and `m2` is a function
|
||||
* that has `duplicate` lines in common with `m1`.
|
||||
*/
|
||||
deprecated predicate duplicateStatements(
|
||||
FunctionDeclarationEntry m1, FunctionDeclarationEntry m2, int duplicate, int total
|
||||
) {
|
||||
duplicate = strictcount(Stmt s | duplicateStatement(m1, m2, s, _)) and
|
||||
total = strictcount(statementInMethod(m1))
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on duplicated methods is no longer available.
|
||||
*
|
||||
* Holds if `m` and other are identical functions.
|
||||
*/
|
||||
deprecated predicate duplicateMethod(FunctionDeclarationEntry m, FunctionDeclarationEntry other) {
|
||||
exists(int total | duplicateStatements(m, other, total, total))
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on similar lines is no longer available.
|
||||
*
|
||||
* INTERNAL: do not use.
|
||||
*
|
||||
* Holds if `line` in `f` is similar to a line somewhere else.
|
||||
*/
|
||||
deprecated predicate similarLines(File f, int line) {
|
||||
exists(SimilarBlock b | b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()])
|
||||
}
|
||||
|
||||
deprecated private predicate similarLinesPerEquivalenceClass(int equivClass, int lines, File f) {
|
||||
lines =
|
||||
strictsum(SimilarBlock b, int toSum |
|
||||
(b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and
|
||||
toSum = b.sourceLines()
|
||||
|
|
||||
toSum
|
||||
)
|
||||
}
|
||||
|
||||
deprecated private predicate similarLinesCoveredFiles(File f, File otherFile) {
|
||||
exists(int numLines | numLines = f.getMetrics().getNumberOfLines() |
|
||||
exists(int coveredApprox |
|
||||
coveredApprox =
|
||||
strictsum(int num |
|
||||
exists(int equivClass |
|
||||
similarLinesPerEquivalenceClass(equivClass, num, f) and
|
||||
similarLinesPerEquivalenceClass(equivClass, num, otherFile) and
|
||||
f != otherFile
|
||||
)
|
||||
) and
|
||||
(coveredApprox * 100) / numLines > 75
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on similar lines is no longer available.
|
||||
*
|
||||
* Holds if `coveredLines` lines of `f` are similar to lines in `otherFile`.
|
||||
*/
|
||||
deprecated predicate similarLinesCovered(File f, int coveredLines, File otherFile) {
|
||||
exists(int numLines | numLines = f.getMetrics().getNumberOfLines() |
|
||||
similarLinesCoveredFiles(f, otherFile) and
|
||||
exists(int notCovered |
|
||||
notCovered =
|
||||
count(int j |
|
||||
j in [1 .. numLines] and
|
||||
not similarLines(f, j)
|
||||
) and
|
||||
coveredLines = numLines - notCovered
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on duplicate lines is no longer available.
|
||||
*
|
||||
* INTERNAL: do not use.
|
||||
*
|
||||
* Holds if `line` in `f` is duplicated by a line somewhere else.
|
||||
*/
|
||||
deprecated predicate duplicateLines(File f, int line) {
|
||||
exists(DuplicateBlock b |
|
||||
b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()]
|
||||
)
|
||||
}
|
||||
|
||||
deprecated private predicate duplicateLinesPerEquivalenceClass(int equivClass, int lines, File f) {
|
||||
lines =
|
||||
strictsum(DuplicateBlock b, int toSum |
|
||||
(b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and
|
||||
toSum = b.sourceLines()
|
||||
|
|
||||
toSum
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on duplicate lines is no longer available.
|
||||
*
|
||||
* Holds if `coveredLines` lines of `f` are duplicates of lines in `otherFile`.
|
||||
*/
|
||||
deprecated predicate duplicateLinesCovered(File f, int coveredLines, File otherFile) {
|
||||
exists(int numLines | numLines = f.getMetrics().getNumberOfLines() |
|
||||
exists(int coveredApprox |
|
||||
coveredApprox =
|
||||
strictsum(int num |
|
||||
exists(int equivClass |
|
||||
duplicateLinesPerEquivalenceClass(equivClass, num, f) and
|
||||
duplicateLinesPerEquivalenceClass(equivClass, num, otherFile) and
|
||||
f != otherFile
|
||||
)
|
||||
) and
|
||||
(coveredApprox * 100) / numLines > 75
|
||||
) and
|
||||
exists(int notCovered |
|
||||
notCovered =
|
||||
count(int j |
|
||||
j in [1 .. numLines] and
|
||||
not duplicateLines(f, j)
|
||||
) and
|
||||
coveredLines = numLines - notCovered
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on similar files is no longer available.
|
||||
*
|
||||
* Holds if most of `f` (`percent`%) is similar to `other`.
|
||||
*/
|
||||
deprecated predicate similarFiles(File f, File other, int percent) {
|
||||
exists(int covered, int total |
|
||||
similarLinesCovered(f, covered, other) and
|
||||
total = f.getMetrics().getNumberOfLines() and
|
||||
covered * 100 / total = percent and
|
||||
percent > 80
|
||||
) and
|
||||
not duplicateFiles(f, other, _)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on duplicate files is no longer available.
|
||||
*
|
||||
* Holds if most of `f` (`percent`%) is duplicated by `other`.
|
||||
*/
|
||||
deprecated predicate duplicateFiles(File f, File other, int percent) {
|
||||
exists(int covered, int total |
|
||||
duplicateLinesCovered(f, covered, other) and
|
||||
total = f.getMetrics().getNumberOfLines() and
|
||||
covered * 100 / total = percent and
|
||||
percent > 70
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on duplicate classes is no longer available.
|
||||
*
|
||||
* Holds if most member functions of `c` (`numDup` out of `total`) are
|
||||
* duplicates of member functions in `other`.
|
||||
*/
|
||||
deprecated predicate mostlyDuplicateClassBase(Class c, Class other, int numDup, int total) {
|
||||
numDup =
|
||||
strictcount(FunctionDeclarationEntry m1 |
|
||||
exists(FunctionDeclarationEntry m2 |
|
||||
duplicateMethod(m1, m2) and
|
||||
m1 = sourceMethod() and
|
||||
exists(Function f | f = m1.getFunction() and f.getDeclaringType() = c) and
|
||||
exists(Function f | f = m2.getFunction() and f.getDeclaringType() = other) and
|
||||
c != other
|
||||
)
|
||||
) and
|
||||
total = numberOfSourceMethods(c) and
|
||||
(numDup * 100) / total > 80
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on duplicate classes is no longer available.
|
||||
*
|
||||
* Holds if most member functions of `c` are duplicates of member functions in
|
||||
* `other`. Provides the human-readable `message` to describe the amount of
|
||||
* duplication.
|
||||
*/
|
||||
deprecated predicate mostlyDuplicateClass(Class c, Class other, string message) {
|
||||
exists(int numDup, int total |
|
||||
mostlyDuplicateClassBase(c, other, numDup, total) and
|
||||
(
|
||||
total != numDup and
|
||||
exists(string s1, string s2, string s3, string name |
|
||||
s1 = " out of " and
|
||||
s2 = " methods in " and
|
||||
s3 = " are duplicated in $@." and
|
||||
name = c.getName()
|
||||
|
|
||||
message = numDup + s1 + total + s2 + name + s3
|
||||
)
|
||||
or
|
||||
total = numDup and
|
||||
exists(string s1, string s2, string name |
|
||||
s1 = "All methods in " and s2 = " are identical in $@." and name = c.getName()
|
||||
|
|
||||
message = s1 + name + s2
|
||||
)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on file duplication is no longer available.
|
||||
*
|
||||
* Holds if `f` and `other` are similar or duplicates.
|
||||
*/
|
||||
deprecated predicate fileLevelDuplication(File f, File other) {
|
||||
similarFiles(f, other, _) or duplicateFiles(f, other, _)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Information on class duplication is no longer available.
|
||||
*
|
||||
* Holds if most member functions of `c` are duplicates of member functions in
|
||||
* `other`.
|
||||
*/
|
||||
deprecated predicate classLevelDuplication(Class c, Class other) {
|
||||
mostlyDuplicateClass(c, other, _)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: The CodeDuplication library will be removed in a future release.
|
||||
*
|
||||
* Holds if `line` in `f` should be allowed to be duplicated. This is the case
|
||||
* for `#include` directives.
|
||||
*/
|
||||
deprecated predicate whitelistedLineForDuplication(File f, int line) {
|
||||
exists(Include i | i.getFile() = f and i.getLocation().getStartLine() = line)
|
||||
}
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
| test.cpp:18:6:18:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:18:6:18:8 | ... + ... | addition |
|
||||
| test.cpp:19:6:19:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:19:6:19:8 | ... + ... | addition |
|
||||
| test.cpp:20:6:20:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:20:6:20:8 | ... + ... | addition |
|
||||
| test.cpp:21:6:21:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:21:6:21:8 | ... + ... | addition |
|
||||
| test.cpp:22:6:22:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:22:8:22:10 | ... + ... | addition |
|
||||
| test.cpp:23:6:23:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:23:8:23:10 | ... + ... | addition |
|
||||
| test.cpp:24:6:24:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:24:8:24:10 | ... + ... | addition |
|
||||
| test.cpp:25:6:25:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:25:8:25:10 | ... + ... | addition |
|
||||
| test.cpp:27:6:27:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:27:6:27:8 | ... + ... | addition |
|
||||
| test.cpp:28:6:28:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:28:6:28:8 | ... + ... | addition |
|
||||
| test.cpp:29:6:29:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:29:6:29:8 | ... + ... | addition |
|
||||
| test.cpp:30:6:30:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:30:6:30:8 | ... + ... | addition |
|
||||
| test.cpp:31:6:31:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:31:9:31:11 | ... + ... | addition |
|
||||
| test.cpp:32:6:32:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:32:9:32:11 | ... + ... | addition |
|
||||
| test.cpp:33:6:33:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:33:9:33:11 | ... + ... | addition |
|
||||
| test.cpp:34:6:34:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:34:9:34:11 | ... + ... | addition |
|
||||
| test.cpp:36:6:36:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:36:6:36:8 | ... + ... | addition |
|
||||
| test.cpp:37:6:37:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:37:6:37:8 | ... + ... | addition |
|
||||
| test.cpp:38:6:38:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:38:6:38:8 | ... + ... | addition |
|
||||
| test.cpp:39:6:39:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:39:6:39:8 | ... + ... | addition |
|
||||
| test.cpp:40:6:40:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:40:8:40:10 | ... + ... | addition |
|
||||
| test.cpp:41:6:41:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:41:8:41:10 | ... + ... | addition |
|
||||
| test.cpp:42:6:42:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:42:8:42:10 | ... + ... | addition |
|
||||
| test.cpp:43:6:43:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:43:8:43:10 | ... + ... | addition |
|
||||
| test.cpp:45:6:45:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:45:6:45:8 | ... + ... | addition |
|
||||
| test.cpp:46:6:46:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:46:6:46:8 | ... + ... | addition |
|
||||
| test.cpp:47:6:47:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:47:6:47:8 | ... + ... | addition |
|
||||
| test.cpp:48:6:48:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:48:6:48:8 | ... + ... | addition |
|
||||
| test.cpp:49:6:49:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:49:9:49:11 | ... + ... | addition |
|
||||
| test.cpp:50:6:50:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:50:9:50:11 | ... + ... | addition |
|
||||
| test.cpp:51:6:51:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:51:9:51:11 | ... + ... | addition |
|
||||
| test.cpp:52:6:52:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:52:9:52:11 | ... + ... | addition |
|
||||
| test.cpp:54:6:54:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:54:6:54:8 | ... + ... | addition |
|
||||
| test.cpp:61:6:61:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:61:6:61:8 | ... + ... | addition |
|
||||
| test.cpp:62:6:62:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:62:6:62:8 | ... + ... | addition |
|
||||
|
|
@ -0,0 +1 @@
|
|||
experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
|
||||
int getAnInt();
|
||||
double getADouble();
|
||||
unsigned short getAnUnsignedShort();
|
||||
|
||||
void test()
|
||||
{
|
||||
int a = getAnInt();
|
||||
int b = getAnInt();
|
||||
int c = getAnInt();
|
||||
int x = getAnInt();
|
||||
int y = getAnInt();
|
||||
double d = getADouble();
|
||||
unsigned short a1 = getAnUnsignedShort();
|
||||
unsigned short b1 = getAnUnsignedShort();
|
||||
unsigned short c1 = getAnUnsignedShort();
|
||||
|
||||
if (a+b>c) a = c-b; // BAD
|
||||
if (a+b>c) { a = c-b; } // BAD
|
||||
if (b+a>c) a = c-b; // BAD
|
||||
if (b+a>c) { a = c-b; } // BAD
|
||||
if (c>a+b) a = c-b; // BAD
|
||||
if (c>a+b) { a = c-b; } // BAD
|
||||
if (c>b+a) a = c-b; // BAD
|
||||
if (c>b+a) { a = c-b; } // BAD
|
||||
|
||||
if (a+b>=c) a = c-b; // BAD
|
||||
if (a+b>=c) { a = c-b; } // BAD
|
||||
if (b+a>=c) a = c-b; // BAD
|
||||
if (b+a>=c) { a = c-b; } // BAD
|
||||
if (c>=a+b) a = c-b; // BAD
|
||||
if (c>=a+b) { a = c-b; } // BAD
|
||||
if (c>=b+a) a = c-b; // BAD
|
||||
if (c>=b+a) { a = c-b; } // BAD
|
||||
|
||||
if (a+b<c) a = c-b; // BAD
|
||||
if (a+b<c) { a = c-b; } // BAD
|
||||
if (b+a<c) a = c-b; // BAD
|
||||
if (b+a<c) { a = c-b; } // BAD
|
||||
if (c<a+b) a = c-b; // BAD
|
||||
if (c<a+b) { a = c-b; } // BAD
|
||||
if (c<b+a) a = c-b; // BAD
|
||||
if (c<b+a) { a = c-b; } // BAD
|
||||
|
||||
if (a+b<=c) a = c-b; // BAD
|
||||
if (a+b<=c) { a = c-b; } // BAD
|
||||
if (b+a<=c) a = c-b; // BAD
|
||||
if (b+a<=c) { a = c-b; } // BAD
|
||||
if (c<=a+b) a = c-b; // BAD
|
||||
if (c<=a+b) { a = c-b; } // BAD
|
||||
if (c<=b+a) a = c-b; // BAD
|
||||
if (c<=b+a) { a = c-b; } // BAD
|
||||
|
||||
if (a+b>d) a = d-b; // BAD
|
||||
if (a+(double)b>c) a = c-b; // GOOD
|
||||
if (a+(-x)>c) a = c-(-y); // GOOD
|
||||
if (a+b>c) { b++; a = c-b; } // GOOD
|
||||
if (a+d>c) a = c-d; // GOOD
|
||||
if (a1+b1>c1) a1 = c1-b1; // GOOD
|
||||
|
||||
if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD
|
||||
if (a+b<=c) { return; } a = c-b; // BAD
|
||||
}
|
||||
|
|
@ -663,8 +663,6 @@ edges
|
|||
| test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... |
|
||||
| test.cpp:338:8:338:15 | * ... | test.cpp:342:8:342:17 | * ... |
|
||||
| test.cpp:341:8:341:17 | * ... | test.cpp:342:8:342:17 | * ... |
|
||||
| test.cpp:342:8:342:17 | * ... | test.cpp:333:5:333:21 | Store: ... = ... |
|
||||
| test.cpp:342:8:342:17 | * ... | test.cpp:341:5:341:21 | Store: ... = ... |
|
||||
| test.cpp:347:14:347:27 | new[] | test.cpp:348:15:348:16 | xs |
|
||||
| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
|
||||
| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
|
||||
|
|
@ -732,6 +730,29 @@ edges
|
|||
| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
|
||||
| test.cpp:371:7:371:7 | p | test.cpp:372:15:372:16 | Load: * ... |
|
||||
| test.cpp:372:16:372:16 | p | test.cpp:372:15:372:16 | Load: * ... |
|
||||
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:16 | xs |
|
||||
| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:7 | end |
|
||||
| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:9 | ... ++ |
|
||||
| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:9 | ... ++ |
|
||||
| test.cpp:378:15:378:16 | xs | test.cpp:384:14:384:16 | end |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:381:5:381:7 | end |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:381:5:381:7 | end |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:14:384:16 | end |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:14:384:16 | end |
|
||||
| test.cpp:381:5:381:7 | end | test.cpp:384:13:384:16 | Load: * ... |
|
||||
| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
|
||||
| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
|
||||
| test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... |
|
||||
nodes
|
||||
| test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:5:15:5:15 | p | semmle.label | p |
|
||||
|
|
@ -1031,9 +1052,7 @@ nodes
|
|||
| test.cpp:326:15:326:16 | xs | semmle.label | xs |
|
||||
| test.cpp:326:15:326:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:326:15:326:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:333:5:333:21 | Store: ... = ... | semmle.label | Store: ... = ... |
|
||||
| test.cpp:338:8:338:15 | * ... | semmle.label | * ... |
|
||||
| test.cpp:341:5:341:21 | Store: ... = ... | semmle.label | Store: ... = ... |
|
||||
| test.cpp:341:8:341:17 | * ... | semmle.label | * ... |
|
||||
| test.cpp:342:8:342:17 | * ... | semmle.label | * ... |
|
||||
| test.cpp:347:14:347:27 | new[] | semmle.label | new[] |
|
||||
|
|
@ -1066,6 +1085,17 @@ nodes
|
|||
| test.cpp:371:7:371:7 | p | semmle.label | p |
|
||||
| test.cpp:372:15:372:16 | Load: * ... | semmle.label | Load: * ... |
|
||||
| test.cpp:372:16:372:16 | p | semmle.label | p |
|
||||
| test.cpp:377:14:377:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:378:15:378:16 | xs | semmle.label | xs |
|
||||
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:381:5:381:7 | end | semmle.label | end |
|
||||
| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:384:13:384:16 | Load: * ... | semmle.label | Load: * ... |
|
||||
| test.cpp:384:14:384:16 | end | semmle.label | end |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
|
||||
|
|
@ -1088,9 +1118,8 @@ subpaths
|
|||
| test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
|
||||
| test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
|
||||
| test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... |
|
||||
| test.cpp:333:5:333:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:333:5:333:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size |
|
||||
| test.cpp:341:5:341:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:341:5:341:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size |
|
||||
| test.cpp:350:15:350:19 | Load: * ... | test.cpp:347:14:347:27 | new[] | test.cpp:350:15:350:19 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:347:14:347:27 | new[] | new[] | test.cpp:348:20:348:23 | size | size |
|
||||
| test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
|
||||
| test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
|
||||
| test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
|
||||
| test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
|
||||
|
|
|
|||
|
|
@ -330,7 +330,7 @@ void test23(unsigned size, int val) {
|
|||
if(*current - xs < 1)
|
||||
return;
|
||||
|
||||
*--(*current) = 0; // GOOD [FALSE POSITIVE]
|
||||
*--(*current) = 0; // GOOD
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -338,7 +338,7 @@ void test23(unsigned size, int val) {
|
|||
if(*current - xs < 2)
|
||||
return;
|
||||
|
||||
*--(*current) = 0; // GOOD [FALSE POSITIVE]
|
||||
*--(*current) = 0; // GOOD
|
||||
*--(*current) = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
|
@ -372,3 +372,14 @@ void test26(unsigned size) {
|
|||
int val = *p; // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
}
|
||||
|
||||
void test27(unsigned size, bool b) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size;
|
||||
|
||||
if (b) {
|
||||
end++;
|
||||
}
|
||||
|
||||
int val = *end; // BAD
|
||||
}
|
||||
|
|
|
|||
|
|
@ -34,9 +34,6 @@ class AstNode extends Node, TAstNode {
|
|||
override Location getLocation() { result = n.getLocation() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for AstNode */
|
||||
deprecated class ASTNode = AstNode;
|
||||
|
||||
class IRNode extends Node, TIRNode {
|
||||
IR::DataFlow::Node n;
|
||||
|
||||
|
|
|
|||
|
|
@ -33,7 +33,9 @@ namespace Semmle.Extraction.CSharp.Standalone
|
|||
CSharp.Extractor.Analyse(stopwatch, analyser, options,
|
||||
references => GetResolvedReferencesStandalone(referencePaths, references),
|
||||
(analyser, syntaxTrees) => CSharp.Extractor.ReadSyntaxTrees(sources, analyser, null, null, syntaxTrees),
|
||||
(syntaxTrees, references) => CSharpCompilation.Create("csharp.dll", syntaxTrees, references),
|
||||
(syntaxTrees, references) => CSharpCompilation.Create(
|
||||
"csharp.dll", syntaxTrees, references, new CSharpCompilationOptions(OutputKind.ConsoleApplication, allowUnsafe: true)
|
||||
),
|
||||
(compilation, options) => analyser.Initialize(compilation, options),
|
||||
() => { },
|
||||
_ => { },
|
||||
|
|
|
|||
|
|
@ -211,6 +211,11 @@ namespace Semmle.Extraction.CSharp.Entities
|
|||
return Default.CreateGenerated(cx, parent, childIndex, location, ValueAsString(null));
|
||||
}
|
||||
|
||||
if (type.SpecialType is SpecialType.None)
|
||||
{
|
||||
return ImplicitCast.CreateGenerated(cx, parent, childIndex, type, defaultValue, location);
|
||||
}
|
||||
|
||||
if (type.SpecialType is SpecialType.System_DateTime)
|
||||
{
|
||||
return DateTimeObjectCreation.CreateGenerated(cx, parent, childIndex, type, defaultValue, location);
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
using System.Linq;
|
||||
using Microsoft.CodeAnalysis;
|
||||
using Semmle.Extraction.Kinds;
|
||||
|
||||
|
|
@ -11,33 +12,73 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
|
|||
private set;
|
||||
}
|
||||
|
||||
public ImplicitCast(ExpressionNodeInfo info)
|
||||
private ImplicitCast(ExpressionNodeInfo info)
|
||||
: base(new ExpressionInfo(info.Context, info.ConvertedType, info.Location, ExprKind.CAST, info.Parent, info.Child, true, info.ExprValue))
|
||||
{
|
||||
Expr = Factory.Create(new ExpressionNodeInfo(Context, info.Node, this, 0));
|
||||
}
|
||||
|
||||
public ImplicitCast(ExpressionNodeInfo info, IMethodSymbol method)
|
||||
private ImplicitCast(ExpressionNodeInfo info, IMethodSymbol method)
|
||||
: base(new ExpressionInfo(info.Context, info.ConvertedType, info.Location, ExprKind.OPERATOR_INVOCATION, info.Parent, info.Child, true, info.ExprValue))
|
||||
{
|
||||
Expr = Factory.Create(info.SetParent(this, 0));
|
||||
|
||||
var target = Method.Create(Context, method);
|
||||
if (target is not null)
|
||||
Context.TrapWriter.Writer.expr_call(this, target);
|
||||
else
|
||||
Context.ModelError(info.Node, "Failed to resolve target for operator invocation");
|
||||
AddOperatorCall(method);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Creates a new expression, adding casts as required.
|
||||
/// </summary>
|
||||
/// <param name="cx">The extraction context.</param>
|
||||
/// <param name="node">The expression node.</param>
|
||||
/// <param name="parent">The parent of the expression.</param>
|
||||
/// <param name="child">The child number.</param>
|
||||
/// <param name="type">A type hint.</param>
|
||||
/// <returns>A new expression.</returns>
|
||||
private ImplicitCast(ExpressionInfo info, IMethodSymbol method, object value) : base(info)
|
||||
{
|
||||
Expr = Literal.CreateGenerated(Context, this, 0, method.Parameters[0].Type, value, info.Location);
|
||||
|
||||
AddOperatorCall(method);
|
||||
}
|
||||
|
||||
private void AddOperatorCall(IMethodSymbol method)
|
||||
{
|
||||
var target = Method.Create(Context, method);
|
||||
Context.TrapWriter.Writer.expr_call(this, target);
|
||||
}
|
||||
|
||||
private static IMethodSymbol? GetImplicitConversionMethod(ITypeSymbol type, object value) =>
|
||||
type
|
||||
.GetMembers()
|
||||
.OfType<IMethodSymbol>()
|
||||
.Where(method =>
|
||||
method.GetName() == "op_Implicit" &&
|
||||
method.Parameters.Length == 1 &&
|
||||
method.Parameters[0].Type.Name == value.GetType().Name
|
||||
)
|
||||
.FirstOrDefault();
|
||||
|
||||
// Creates a new generated expression with an implicit cast added, if needed.
|
||||
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, ITypeSymbol type, object value,
|
||||
Extraction.Entities.Location location)
|
||||
{
|
||||
ExpressionInfo create(ExprKind kind, string? v) =>
|
||||
new ExpressionInfo(
|
||||
cx,
|
||||
AnnotatedTypeSymbol.CreateNotAnnotated(type),
|
||||
location,
|
||||
kind,
|
||||
parent,
|
||||
childIndex,
|
||||
true,
|
||||
v);
|
||||
|
||||
var method = GetImplicitConversionMethod(type, value);
|
||||
if (method is not null)
|
||||
{
|
||||
var info = create(ExprKind.OPERATOR_INVOCATION, null);
|
||||
return new ImplicitCast(info, method, value);
|
||||
}
|
||||
else
|
||||
{
|
||||
cx.ModelError(location, "Failed to resolve target for implicit operator invocation for a parameter default.");
|
||||
return new Expression(create(ExprKind.UNKNOWN, ValueAsString(value)));
|
||||
}
|
||||
}
|
||||
|
||||
// Creates a new expression, adding casts as required.
|
||||
public static Expression Create(ExpressionNodeInfo info)
|
||||
{
|
||||
var resolvedType = info.ResolvedType;
|
||||
|
|
|
|||
|
|
@ -243,7 +243,12 @@ namespace Semmle.Extraction.CSharp.Entities
|
|||
if (methodKind == MethodKind.ExplicitInterfaceImplementation)
|
||||
{
|
||||
// Retrieve the original method kind
|
||||
methodKind = methodDecl.ExplicitInterfaceImplementations.Select(m => m.MethodKind).FirstOrDefault();
|
||||
if (methodDecl.ExplicitInterfaceImplementations.IsEmpty)
|
||||
{
|
||||
throw new InternalError(methodDecl, "Couldn't get the original method kind for an explicit interface implementation");
|
||||
}
|
||||
|
||||
methodKind = methodDecl.ExplicitInterfaceImplementations.Select(m => m.MethodKind).First();
|
||||
}
|
||||
|
||||
switch (methodKind)
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ namespace Semmle.Extraction.CSharp
|
|||
Nullability = nullability;
|
||||
}
|
||||
|
||||
public static AnnotatedTypeSymbol? CreateNotAnnotated(ITypeSymbol symbol) =>
|
||||
public static AnnotatedTypeSymbol? CreateNotAnnotated(ITypeSymbol? symbol) =>
|
||||
symbol is null ? (AnnotatedTypeSymbol?)null : new AnnotatedTypeSymbol(symbol, NullableAnnotation.None);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
|
||||
* Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`.
|
||||
* Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead.
|
||||
* Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class.
|
||||
* Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
|
||||
|
|
@ -18,9 +18,6 @@ class WebConfigReleaseTransformXml extends XmlFile {
|
|||
WebConfigReleaseTransformXml() { this.getName().matches("%Web.Release.config") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for WebConfigXml */
|
||||
deprecated class WebConfigXML = WebConfigXml;
|
||||
|
||||
/** A `<configuration>` tag in an ASP.NET configuration file. */
|
||||
class ConfigurationXmlElement extends XmlElement {
|
||||
ConfigurationXmlElement() { this.getName().toLowerCase() = "configuration" }
|
||||
|
|
@ -31,9 +28,6 @@ class CompilationXmlElement extends XmlElement {
|
|||
CompilationXmlElement() { this.getName().toLowerCase() = "compilation" }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ConfigurationXmlElement */
|
||||
deprecated class ConfigurationXMLElement = ConfigurationXmlElement;
|
||||
|
||||
/** A `<location>` tag in an ASP.NET configuration file. */
|
||||
class LocationXmlElement extends XmlElement {
|
||||
LocationXmlElement() {
|
||||
|
|
@ -42,9 +36,6 @@ class LocationXmlElement extends XmlElement {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LocationXmlElement */
|
||||
deprecated class LocationXMLElement = LocationXmlElement;
|
||||
|
||||
/** A `<system.web>` tag in an ASP.NET configuration file. */
|
||||
class SystemWebXmlElement extends XmlElement {
|
||||
SystemWebXmlElement() {
|
||||
|
|
@ -57,9 +48,6 @@ class SystemWebXmlElement extends XmlElement {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SystemWebXmlElement */
|
||||
deprecated class SystemWebXMLElement = SystemWebXmlElement;
|
||||
|
||||
/** A `<system.webServer>` tag in an ASP.NET configuration file. */
|
||||
class SystemWebServerXmlElement extends XmlElement {
|
||||
SystemWebServerXmlElement() {
|
||||
|
|
@ -72,9 +60,6 @@ class SystemWebServerXmlElement extends XmlElement {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SystemWebServerXmlElement */
|
||||
deprecated class SystemWebServerXMLElement = SystemWebServerXmlElement;
|
||||
|
||||
/** A `<customErrors>` tag in an ASP.NET configuration file. */
|
||||
class CustomErrorsXmlElement extends XmlElement {
|
||||
CustomErrorsXmlElement() {
|
||||
|
|
@ -83,9 +68,6 @@ class CustomErrorsXmlElement extends XmlElement {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for CustomErrorsXmlElement */
|
||||
deprecated class CustomErrorsXMLElement = CustomErrorsXmlElement;
|
||||
|
||||
/** A `<httpRuntime>` tag in an ASP.NET configuration file. */
|
||||
class HttpRuntimeXmlElement extends XmlElement {
|
||||
HttpRuntimeXmlElement() {
|
||||
|
|
@ -94,9 +76,6 @@ class HttpRuntimeXmlElement extends XmlElement {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpRuntimeXmlElement */
|
||||
deprecated class HttpRuntimeXMLElement = HttpRuntimeXmlElement;
|
||||
|
||||
/** A `<forms>` tag under `<system.web><authentication>` in an ASP.NET configuration file. */
|
||||
class FormsElement extends XmlElement {
|
||||
FormsElement() {
|
||||
|
|
|
|||
|
|
@ -60,11 +60,6 @@ class Class extends ValueOrRefType {
|
|||
Class() { this.isClass() }
|
||||
}
|
||||
|
||||
/** A `record`. */
|
||||
deprecated class Record extends Class {
|
||||
Record() { this.isRecord() }
|
||||
}
|
||||
|
||||
/** An `interface`. */
|
||||
class Interface extends ValueOrRefType {
|
||||
Interface() { this.isInterface() }
|
||||
|
|
|
|||
|
|
@ -780,16 +780,6 @@ class Class extends RefType, @class_type {
|
|||
override string getAPrimaryQlClass() { result = "Class" }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RecordClass` instead.
|
||||
*/
|
||||
deprecated class Record extends Class {
|
||||
Record() { this.isRecord() }
|
||||
|
||||
/** Gets the clone method of this record. */
|
||||
RecordCloneMethod getCloneMethod() { result = this.getAMember() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A `record`, for example
|
||||
*
|
||||
|
|
|
|||
|
|
@ -200,45 +200,3 @@ predicate sameGvn(ControlFlowElement x, ControlFlowElement y) {
|
|||
pragma[only_bind_into](toGvn(pragma[only_bind_out](x))) =
|
||||
pragma[only_bind_into](toGvn(pragma[only_bind_out](y)))
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `sameGvn` instead.
|
||||
*
|
||||
* A configuration for performing structural comparisons of program elements
|
||||
* (expressions and statements).
|
||||
*
|
||||
* The predicate `candidate()` must be overridden, in order to identify the
|
||||
* elements for which to perform structural comparison.
|
||||
*
|
||||
* Each use of the library is identified by a unique string value.
|
||||
*/
|
||||
abstract deprecated class StructuralComparisonConfiguration extends string {
|
||||
bindingset[this]
|
||||
StructuralComparisonConfiguration() { any() }
|
||||
|
||||
/**
|
||||
* Holds if elements `x` and `y` are candidates for testing structural
|
||||
* equality.
|
||||
*
|
||||
* Subclasses are expected to override this predicate to identify the
|
||||
* top-level elements which they want to compare. Care should be
|
||||
* taken to avoid identifying too many pairs of elements, as in general
|
||||
* there are very many structurally equal subtrees in a program, and
|
||||
* in order to keep the computation feasible we must focus attention.
|
||||
*
|
||||
* Note that this relation is not expected to be symmetric -- it's
|
||||
* fine to include a pair `(x, y)` but not `(y, x)`.
|
||||
* In fact, not including the symmetrically implied fact will save
|
||||
* half the computation time on the structural comparison.
|
||||
*/
|
||||
abstract predicate candidate(ControlFlowElement x, ControlFlowElement y);
|
||||
|
||||
/**
|
||||
* Holds if elements `x` and `y` structurally equal. `x` and `y` must be
|
||||
* flagged as candidates for structural equality, that is,
|
||||
* `candidate(x, y)` must hold.
|
||||
*/
|
||||
predicate same(ControlFlowElement x, ControlFlowElement y) {
|
||||
this.candidate(x, y) and sameGvn(x, y)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -106,16 +106,6 @@ class ParameterNode extends Node instanceof ParameterNodeImpl {
|
|||
result = c.asCallable().getParameter(ppos.getPosition())
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED
|
||||
*
|
||||
* Holds if this node is the parameter of callable `c` at the specified
|
||||
* (zero-based) position.
|
||||
*/
|
||||
deprecated predicate isParameterOf(DataFlowCallable c, int i) {
|
||||
super.isParameterOf(c, any(ParameterPosition pos | i = pos.getPosition()))
|
||||
}
|
||||
}
|
||||
|
||||
/** A definition, viewed as a node in a data flow graph. */
|
||||
|
|
|
|||
|
|
@ -14,9 +14,6 @@ private import semmle.code.csharp.dataflow.FlowSummary
|
|||
*/
|
||||
abstract class SafeExternalApiCallable extends Callable { }
|
||||
|
||||
/** DEPRECATED: Alias for SafeExternalApiCallable */
|
||||
deprecated class SafeExternalAPICallable = SafeExternalApiCallable;
|
||||
|
||||
private class SummarizedCallableSafe extends SafeExternalApiCallable instanceof SummarizedCallable {
|
||||
}
|
||||
|
||||
|
|
@ -87,9 +84,6 @@ class ExternalApiDataNode extends DataFlow::Node {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiDataNode */
|
||||
deprecated class ExternalAPIDataNode = ExternalApiDataNode;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteSourceToExternalApi` instead.
|
||||
*
|
||||
|
|
@ -113,9 +107,6 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
|
|||
/** A module for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
||||
module RemoteSourceToExternalApi = TaintTracking::Global<RemoteSourceToExternalApiConfig>;
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
|
||||
deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
|
||||
|
||||
/** A node representing untrusted data being passed to an external API. */
|
||||
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||
UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flow(_, this) }
|
||||
|
|
@ -124,9 +115,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
|||
DataFlow::Node getAnUntrustedSource() { RemoteSourceToExternalApi::flow(result, this) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
|
||||
deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
|
||||
|
||||
/** An external API which is used with untrusted data. */
|
||||
private newtype TExternalApi =
|
||||
/** An untrusted API method `m` where untrusted data is passed at `index`. */
|
||||
|
|
@ -161,6 +149,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
|
|||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
|
||||
deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
|
||||
|
|
|
|||
|
|
@ -149,9 +149,6 @@ class LdapEncodeSanitizer extends Sanitizer {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapEncodeSanitizer */
|
||||
deprecated class LDAPEncodeSanitizer = LdapEncodeSanitizer;
|
||||
|
||||
private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
|
||||
|
||||
private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }
|
||||
|
|
|
|||
|
|
@ -78,4 +78,4 @@ where
|
|||
exposesByStore(c, f, why, whyText)
|
||||
select c,
|
||||
"'" + c.getName() + "' exposes the internal representation stored in field '" + f.getName() +
|
||||
"'. The value may be modified $@.", why.getLocation(), whyText
|
||||
"'. The value may be modified $@.", why, whyText
|
||||
|
|
|
|||
|
|
@ -26,4 +26,4 @@ where
|
|||
operators =
|
||||
count(BinaryLogicalOperation op | logicalParent*(op, e) and nontrivialLogicalOperator(op)) and
|
||||
operators > 3
|
||||
select e.getLocation(), "Complex condition: too many logical operations in this expression."
|
||||
select e, "Complex condition: too many logical operations in this expression."
|
||||
|
|
|
|||
|
|
@ -73,9 +73,6 @@ module UnaliasedSsaInstructions {
|
|||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UnaliasedSsaInstructions */
|
||||
deprecated module UnaliasedSSAInstructions = UnaliasedSsaInstructions;
|
||||
|
||||
/**
|
||||
* Provides wrappers for the constructors of each branch of `TInstruction` that is used by the
|
||||
* aliased SSA stage.
|
||||
|
|
@ -107,6 +104,3 @@ module AliasedSsaInstructions {
|
|||
result = TAliasedSsaUnreachedInstruction(irFunc)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for AliasedSsaInstructions */
|
||||
deprecated module AliasedSSAInstructions = AliasedSsaInstructions;
|
||||
|
|
|
|||
|
|
@ -59,20 +59,12 @@ private module Shared {
|
|||
|
||||
class TNonSsaMemoryOperand = Internal::TNonSsaMemoryOperand;
|
||||
|
||||
/** DEPRECATED: Alias for TNonSsaMemoryOperand */
|
||||
deprecated class TNonSSAMemoryOperand = TNonSsaMemoryOperand;
|
||||
|
||||
/**
|
||||
* Returns the non-Phi memory operand with the specified parameters.
|
||||
*/
|
||||
TNonSsaMemoryOperand nonSsaMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) {
|
||||
result = Internal::TNonSsaMemoryOperand(useInstr, tag)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for nonSsaMemoryOperand */
|
||||
deprecated TNonSSAMemoryOperand nonSSAMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) {
|
||||
result = nonSsaMemoryOperand(useInstr, tag)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -156,6 +148,3 @@ module UnaliasedSsaOperands {
|
|||
*/
|
||||
TChiOperand chiOperand(Unaliased::Instruction useInstr, ChiOperandTag tag) { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UnaliasedSsaOperands */
|
||||
deprecated module UnaliasedSSAOperands = UnaliasedSsaOperands;
|
||||
|
|
|
|||
|
|
@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
|
|||
*/
|
||||
final Language::AST getAst() { result = Construction::getInstructionAst(this) }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
/**
|
||||
* Gets the location of the source code for this instruction.
|
||||
*/
|
||||
|
|
@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
|
|||
* Gets the AST variable that this instruction's IR variable refers to, if one exists.
|
||||
*/
|
||||
final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
|
||||
|
||||
/** DEPRECATED: Alias for getAstVariable */
|
||||
deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -378,12 +378,6 @@ private module Cached {
|
|||
result = getInstructionTranslatedElement(instruction).getAst()
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for getInstructionAst */
|
||||
cached
|
||||
deprecated Language::AST getInstructionAST(Instruction instruction) {
|
||||
result = getInstructionAst(instruction)
|
||||
}
|
||||
|
||||
cached
|
||||
CSharpType getInstructionResultType(Instruction instruction) {
|
||||
getInstructionTranslatedElement(instruction)
|
||||
|
|
|
|||
|
|
@ -17,9 +17,6 @@ abstract class TranslatedCondition extends ConditionBase {
|
|||
|
||||
final override Language::AST getAst() { result = expr }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
final Expr getExpr() { result = expr }
|
||||
|
||||
final override Callable getFunction() { result = expr.getEnclosingCallable() }
|
||||
|
|
|
|||
|
|
@ -30,9 +30,6 @@ abstract class TranslatedLocalDeclaration extends TranslatedElement, TTranslated
|
|||
final override string toString() { result = expr.toString() }
|
||||
|
||||
final override Language::AST getAst() { result = expr }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -366,9 +366,6 @@ abstract class TranslatedElement extends TTranslatedElement {
|
|||
*/
|
||||
abstract Language::AST getAst();
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
/**
|
||||
* Get the first instruction to be executed in the evaluation of this element.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -63,9 +63,6 @@ abstract class TranslatedExpr extends TranslatedExprBase {
|
|||
|
||||
final override Language::AST getAst() { result = expr }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
final override Callable getFunction() { result = expr.getEnclosingCallable() }
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -30,9 +30,6 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
|
|||
|
||||
final override Language::AST getAst() { result = callable }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
/**
|
||||
* Gets the function being translated.
|
||||
*/
|
||||
|
|
@ -287,9 +284,6 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
|
|||
|
||||
final override Language::AST getAst() { result = param }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
final override Callable getFunction() { result = param.getCallable() }
|
||||
|
||||
final override Instruction getFirstInstruction() {
|
||||
|
|
|
|||
|
|
@ -52,9 +52,6 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
|
|||
|
||||
final override Language::AST getAst() { result = expr }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
/**
|
||||
* Gets the expression that is doing the initialization.
|
||||
*/
|
||||
|
|
@ -210,9 +207,6 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
|
|||
|
||||
final override Language::AST getAst() { result = initList }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
final override Callable getFunction() { result = initList.getEnclosingCallable() }
|
||||
|
||||
final override Instruction getFirstInstruction() {
|
||||
|
|
@ -319,9 +313,6 @@ abstract class TranslatedConstructorCallFromConstructor extends TranslatedElemen
|
|||
|
||||
final override Language::AST getAst() { result = call }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
final override TranslatedElement getChild(int id) {
|
||||
id = 0 and result = this.getConstructorCall()
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,9 +26,6 @@ abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
|
|||
|
||||
final override Language::AST getAst() { result = stmt }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
final override Callable getFunction() { result = stmt.getEnclosingCallable() }
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,4 @@ abstract class TranslatedCompilerGeneratedElement extends TranslatedElement,
|
|||
final override Callable getFunction() { result = generatedBy.getEnclosingCallable() }
|
||||
|
||||
final override Language::AST getAst() { result = generatedBy }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated override Language::AST getAST() { result = this.getAst() }
|
||||
}
|
||||
|
|
|
|||
|
|
@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
|
|||
*/
|
||||
final Language::AST getAst() { result = Construction::getInstructionAst(this) }
|
||||
|
||||
/** DEPRECATED: Alias for getAst */
|
||||
deprecated Language::AST getAST() { result = this.getAst() }
|
||||
|
||||
/**
|
||||
* Gets the location of the source code for this instruction.
|
||||
*/
|
||||
|
|
@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
|
|||
* Gets the AST variable that this instruction's IR variable refers to, if one exists.
|
||||
*/
|
||||
final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
|
||||
|
||||
/** DEPRECATED: Alias for getAstVariable */
|
||||
deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -422,12 +422,6 @@ private module Cached {
|
|||
)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for getInstructionAst */
|
||||
cached
|
||||
deprecated Language::AST getInstructionAST(Instruction instr) {
|
||||
result = getInstructionAst(instr)
|
||||
}
|
||||
|
||||
cached
|
||||
Language::LanguageType getInstructionResultType(Instruction instr) {
|
||||
result = instr.(RawIR::Instruction).getResultLanguageType()
|
||||
|
|
@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
|
|||
// We don't support reusing SSA for any location that could create a `Chi` instruction.
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for canReuseSsaForMemoryResult */
|
||||
deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
|
||||
|
||||
/**
|
||||
* Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
|
||||
* `DebugSsa` module, which is then imported by PrintSSA.
|
||||
|
|
@ -1005,9 +996,6 @@ module DebugSsa {
|
|||
import DefUse
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for DebugSsa */
|
||||
deprecated module DebugSSA = DebugSsa;
|
||||
|
||||
import CachedForDebugging
|
||||
|
||||
cached
|
||||
|
|
|
|||
|
|
@ -46,9 +46,6 @@ predicate canReuseSsaForVariable(IRAutomaticVariable var) {
|
|||
not allocationEscapes(var)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for canReuseSsaForVariable */
|
||||
deprecated predicate canReuseSSAForVariable = canReuseSsaForVariable/1;
|
||||
|
||||
private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) }
|
||||
|
||||
private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var }
|
||||
|
|
@ -80,9 +77,6 @@ class MemoryLocation extends TMemoryLocation {
|
|||
|
||||
predicate canReuseSsaForOldResult(Instruction instr) { none() }
|
||||
|
||||
/** DEPRECATED: Alias for canReuseSsaForOldResult */
|
||||
deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1;
|
||||
|
||||
/**
|
||||
* Represents a set of `MemoryLocation`s that cannot overlap with
|
||||
* `MemoryLocation`s outside of the set. The `VirtualVariable` will be
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
*
|
||||
* ```
|
||||
*
|
||||
* To declare expecations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files.
|
||||
* To declare expectations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files.
|
||||
* Example of the corresponding test file, e.g. Test.cs
|
||||
* ```csharp
|
||||
* public class Test
|
||||
|
|
|
|||
|
|
@ -25,7 +25,14 @@ public class Parameters
|
|||
public void M17([Optional, DefaultParameterValue(null)] object arg7) => throw null;
|
||||
public void M18([Optional, DefaultParameterValue(3)] int? arg8) => throw null;
|
||||
public void M19([Optional, DecimalConstant(1, 0, 0, 0, 103)] decimal arg9) => throw null;
|
||||
public void M20([Optional, DefaultParameterValue(7)] MyStruct arg10) => throw null;
|
||||
public void M21([Optional, DefaultParameterValue("mystring")] MyStruct arg10) => throw null;
|
||||
|
||||
public struct MyStruct { }
|
||||
public struct MyStruct
|
||||
{
|
||||
public static implicit operator MyStruct(int i) => new MyStruct();
|
||||
public static implicit operator MyStruct(string s) => new MyStruct();
|
||||
|
||||
}
|
||||
public enum MyEnum { A = 1, B = 2 }
|
||||
}
|
||||
|
|
@ -25,7 +25,14 @@ public class ParametersDll
|
|||
public void M17([Optional, DefaultParameterValue(null)] object arg7) => throw null;
|
||||
public void M18([Optional, DefaultParameterValue(3)] int? arg8) => throw null;
|
||||
public void M19([Optional, DecimalConstant(1, 0, 0, 0, 103)] decimal arg9) => throw null;
|
||||
public void M20([Optional, DefaultParameterValue(7)] MyStruct arg10) => throw null;
|
||||
public void M21([Optional, DefaultParameterValue("mystring")] MyStruct arg10) => throw null;
|
||||
|
||||
public struct MyStruct { }
|
||||
public struct MyStruct
|
||||
{
|
||||
public static implicit operator MyStruct(int i) => new MyStruct();
|
||||
public static implicit operator MyStruct(string s) => new MyStruct();
|
||||
|
||||
}
|
||||
public enum MyEnum { A = 1, B = 2 }
|
||||
}
|
||||
Двоичные данные
csharp/ql/test/library-tests/parameters/Parameters.dll
Двоичные данные
csharp/ql/test/library-tests/parameters/Parameters.dll
Двоичный файл не отображается.
|
|
@ -5,12 +5,16 @@ noDefaultValue
|
|||
| Parameters.cs:8:17:8:18 | M2 | Parameters.cs:8:24:8:24 | a | 0 |
|
||||
| Parameters.cs:12:17:12:18 | M6 | Parameters.cs:12:29:12:30 | s1 | 0 |
|
||||
| Parameters.cs:13:17:13:18 | M7 | Parameters.cs:13:27:13:28 | e1 | 0 |
|
||||
| Parameters.cs:33:32:33:39 | implicit conversion | Parameters.cs:33:54:33:54 | i | 0 |
|
||||
| Parameters.cs:34:32:34:39 | implicit conversion | Parameters.cs:34:57:34:57 | s | 0 |
|
||||
| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | a | 0 |
|
||||
| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | b | 1 |
|
||||
| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | c | 2 |
|
||||
| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | a | 0 |
|
||||
| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s1 | 0 |
|
||||
| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e1 | 0 |
|
||||
| Parameters.dll:0:0:0:0 | implicit conversion | Parameters.dll:0:0:0:0 | i | 0 |
|
||||
| Parameters.dll:0:0:0:0 | implicit conversion | Parameters.dll:0:0:0:0 | s | 0 |
|
||||
withDefaultValue
|
||||
| Parameters.cs:8:17:8:18 | M2 | Parameters.cs:8:34:8:34 | b | 1 | Parameters.cs:8:38:8:41 | null | null |
|
||||
| Parameters.cs:8:17:8:18 | M2 | Parameters.cs:8:51:8:51 | c | 2 | Parameters.cs:8:55:8:70 | "default string" | default string |
|
||||
|
|
@ -39,6 +43,8 @@ withDefaultValue
|
|||
| Parameters.cs:25:17:25:19 | M17 | Parameters.cs:25:68:25:71 | arg7 | 0 | Parameters.cs:25:21:25:71 | default | null |
|
||||
| Parameters.cs:26:17:26:19 | M18 | Parameters.cs:26:63:26:66 | arg8 | 0 | Parameters.cs:26:21:26:66 | 3 | 3 |
|
||||
| Parameters.cs:27:17:27:19 | M19 | Parameters.cs:27:74:27:77 | arg9 | 0 | Parameters.cs:27:21:27:77 | 10.3 | 10.3 |
|
||||
| Parameters.cs:28:17:28:19 | M20 | Parameters.cs:28:67:28:71 | arg10 | 0 | Parameters.cs:28:21:28:71 | call to operator implicit conversion | - |
|
||||
| Parameters.cs:29:17:29:19 | M21 | Parameters.cs:29:76:29:80 | arg10 | 0 | Parameters.cs:29:21:29:80 | call to operator implicit conversion | - |
|
||||
| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
|
||||
| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | c | 2 | Parameters.dll:0:0:0:0 | "default string" | default string |
|
||||
| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | a | 0 | Parameters.dll:0:0:0:0 | 1 | 1 |
|
||||
|
|
@ -66,8 +72,15 @@ withDefaultValue
|
|||
| Parameters.dll:0:0:0:0 | M17 | Parameters.dll:0:0:0:0 | arg7 | 0 | Parameters.dll:0:0:0:0 | default | null |
|
||||
| Parameters.dll:0:0:0:0 | M18 | Parameters.dll:0:0:0:0 | arg8 | 0 | Parameters.dll:0:0:0:0 | 3 | 3 |
|
||||
| Parameters.dll:0:0:0:0 | M19 | Parameters.dll:0:0:0:0 | arg9 | 0 | Parameters.dll:0:0:0:0 | 10.3 | 10.3 |
|
||||
| Parameters.dll:0:0:0:0 | M20 | Parameters.dll:0:0:0:0 | arg10 | 0 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | - |
|
||||
| Parameters.dll:0:0:0:0 | M21 | Parameters.dll:0:0:0:0 | arg10 | 0 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | - |
|
||||
dateTimeDefaults
|
||||
| Parameters.cs:22:17:22:19 | M14 | Parameters.cs:22:64:22:67 | arg4 | Parameters.cs:22:21:22:67 | object creation of type DateTime | DateTime(long) | 14 |
|
||||
| Parameters.cs:23:17:23:19 | M15 | Parameters.cs:23:68:23:71 | arg5 | Parameters.cs:23:21:23:71 | object creation of type DateTime | DateTime(long) | 10001 |
|
||||
| Parameters.dll:0:0:0:0 | M14 | Parameters.dll:0:0:0:0 | arg4 | Parameters.dll:0:0:0:0 | object creation of type DateTime | DateTime(long) | 14 |
|
||||
| Parameters.dll:0:0:0:0 | M15 | Parameters.dll:0:0:0:0 | arg5 | Parameters.dll:0:0:0:0 | object creation of type DateTime | DateTime(long) | 10001 |
|
||||
implicitConversionDefaults
|
||||
| Parameters.cs:28:17:28:19 | M20 | Parameters.cs:28:67:28:71 | arg10 | Parameters.cs:28:21:28:71 | call to operator implicit conversion | Parameters.cs:28:21:28:71 | 7 | Int32 | 7 |
|
||||
| Parameters.cs:29:17:29:19 | M21 | Parameters.cs:29:76:29:80 | arg10 | Parameters.cs:29:21:29:80 | call to operator implicit conversion | Parameters.cs:29:21:29:80 | "mystring" | String | mystring |
|
||||
| Parameters.dll:0:0:0:0 | M20 | Parameters.dll:0:0:0:0 | arg10 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | Parameters.dll:0:0:0:0 | 7 | Int32 | 7 |
|
||||
| Parameters.dll:0:0:0:0 | M21 | Parameters.dll:0:0:0:0 | arg10 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | Parameters.dll:0:0:0:0 | "mystring" | String | mystring |
|
||||
|
|
|
|||
|
|
@ -16,11 +16,15 @@ query predicate noDefaultValue(Parameterizable container, Parameter p, int i) {
|
|||
not compilerGeneratedAttribute(container)
|
||||
}
|
||||
|
||||
query predicate withDefaultValue(Parameterizable container, Parameter p, int i, Expr e, string value) {
|
||||
private predicate defaultValue(Parameterizable container, Parameter p, int i, Expr e) {
|
||||
fromTestLocation(container) and
|
||||
p.hasDefaultValue() and
|
||||
container.getParameter(i) = p and
|
||||
p.getDefaultValue() = e and
|
||||
p.getDefaultValue() = e
|
||||
}
|
||||
|
||||
query predicate withDefaultValue(Parameterizable container, Parameter p, int i, Expr e, string value) {
|
||||
defaultValue(container, p, i, e) and
|
||||
(if exists(e.getValue()) then value = e.getValue() else value = "-") and
|
||||
not compilerGeneratedAttribute(container)
|
||||
}
|
||||
|
|
@ -28,11 +32,17 @@ query predicate withDefaultValue(Parameterizable container, Parameter p, int i,
|
|||
query predicate dateTimeDefaults(
|
||||
Parameterizable container, Parameter p, ObjectCreation o, string constructor, string value
|
||||
) {
|
||||
fromTestLocation(container) and
|
||||
p.hasDefaultValue() and
|
||||
container.getAParameter() = p and
|
||||
p.getDefaultValue() = o and
|
||||
defaultValue(container, p, _, o) and
|
||||
o.getTarget().toStringWithTypes() = constructor and
|
||||
o.getAnArgument().getValue() = value and
|
||||
not compilerGeneratedAttribute(container)
|
||||
}
|
||||
|
||||
query predicate implicitConversionDefaults(
|
||||
Parameterizable container, Parameter p, OperatorCall o, Expr e, string type, string value
|
||||
) {
|
||||
defaultValue(container, p, _, o) and
|
||||
o.getAnArgument() = e and
|
||||
type = e.getType().toString() and
|
||||
value = e.getValue()
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
| ExposeRepresentation.cs:8:21:8:23 | Set | 'Set' exposes the internal representation stored in field 'rarray'. The value may be modified $@. | ExposeRepresentation.cs:16:9:16:9 | ExposeRepresentation.cs:16:9:16:9 | through the variable a |
|
||||
| ExposeRepresentationBad.cs:18:22:18:24 | Get | 'Get' exposes the internal representation stored in field 'rarray'. The value may be modified $@. | ExposeRepresentationBad.cs:24:23:24:29 | ExposeRepresentationBad.cs:24:23:24:29 | after this call to Get |
|
||||
| ExposeRepresentation.cs:8:21:8:23 | Set | 'Set' exposes the internal representation stored in field 'rarray'. The value may be modified $@. | ExposeRepresentation.cs:16:9:16:9 | access to local variable a | through the variable a |
|
||||
| ExposeRepresentationBad.cs:18:22:18:24 | Get | 'Get' exposes the internal representation stored in field 'rarray'. The value may be modified $@. | ExposeRepresentationBad.cs:24:23:24:29 | call to method Get | after this call to Get |
|
||||
|
|
|
|||
|
|
@ -315,7 +315,7 @@ The following source kinds are supported:
|
|||
|
||||
Below is an enumeration of the remaining source kinds, but they are out of scope for this documentation:
|
||||
|
||||
- **contentprovider**, **android-widget**, **android-external-storage-dir**.
|
||||
- **contentprovider**, **android-external-storage-dir**.
|
||||
|
||||
sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
|
@ -327,18 +327,31 @@ Taint sink. As opposed to source kinds, there are many different kinds of sinks
|
|||
|
||||
The following sink kinds are supported:
|
||||
|
||||
- **sql**: A SQL injection vulnerability sink.
|
||||
- **xss**: A cross-site scripting vulnerability sink.
|
||||
- **logging**: A log output sink.
|
||||
|
||||
Below is an enumeration of the remaining sinks, but they are out of scope for this documentation:
|
||||
|
||||
- **open-url**, **jndi-injection**, **ldap**, **jdbc-url**
|
||||
- **mvel**, **xpath**, **groovy**, **ognl-injection**
|
||||
- **intent-start**, **pending-intent-sent**, **url-redirect**
|
||||
- **create-file**, **read-file**, **write-file**, **set-hostname-verifier**
|
||||
- **header-splitting**, **information-leak**, **xslt**, **jexl**
|
||||
- **bean-validation**, **ssti**, **fragment-injection**, **regex-use[**\ `arg`\ **]**
|
||||
- **bean-validation**: A sink that can be used for insecure bean validation, such as in calls to **ConstraintValidatorContext.buildConstraintViolationWithTemplate**.
|
||||
- **command-injection**: A sink that can be used to inject shell commands, such as in calls to **Runtime.exec**.
|
||||
- **file-content-store**: A sink that can be used to control the contents of a file, such as in a **Files.write** call.
|
||||
- **fragment-injection**: A sink that can be used for Android fragment injection, such as in a **FragmentTransaction.replace** call.
|
||||
- **groovy-injection**: A sink that can be used for Groovy injection, such as in a **GroovyShell.evaluate** call.
|
||||
- **hostname-verification**: A sink that can be used for unsafe hostname verification, such as in calls to **HttpsURLConnection.setHostnameVerifier**.
|
||||
- **html-injection**: A sink that can be used for XSS via HTML injection, such as in a **ResponseStream.write** call.
|
||||
- **information-leak**: A sink that can be used to leak information to an HTTP response, such as in calls to **HttpServletResponse.sendError**.
|
||||
- **intent-redirection**: A sink that can be used for Android intent redirection, such as in a **Context.startActivity** call.
|
||||
- **jexl-injection**: A sink that can be used for JEXL expression injection, such as in a **JexlExpression.evaluate** call.
|
||||
- **jndi-injection**: A sink that can be used for JNDI injection, such as in a **Context.lookup** call.
|
||||
- **js-injection**: A sink that can be used for XSS via JavaScript injection, such as in a **Webview.evaluateJavaScript** call.
|
||||
- **ldap-injection**: A sink that can be used for LDAP injection, such as in a **DirContext.search** call.
|
||||
- **log-injection**: A sink that can be used for log injection, such as in a **Logger.warn** call.
|
||||
- **mvel-injection**: A sink that can be used for MVEL expression injection, such as in a **MVEL.eval** call.
|
||||
- **ognl-injection**: A sink that can be used for OGNL injection, such as in an **Ognl.getValue** call.
|
||||
- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **new FileReader**.
|
||||
- **pending-intents**: A sink that can be used to send an implicit and mutable `PendingIntent` to a third party, such as in an **Activity.setResult** call.
|
||||
- **request-forgery**: A sink that controls the URL of a request, such as in an **HttpRequest.newBuilder** call.
|
||||
- **response-splitting**: A sink that can be used for HTTP response splitting, such as in calls to **HttpServletResponse.setHeader**.
|
||||
- **sql-injection**: A sink that can be used for SQL injection, such as in a **Statement.executeQuery** call.
|
||||
- **template-injection**: A sink that can be used for server side template injection, such as in a **Velocity.evaluate** call.
|
||||
- **url-redirection**: A sink that can be used to redirect the user to a malicious URL, such as in a **Response.temporaryRedirect** call.
|
||||
- **xpath-injection**: A sink that can be used for XPath injection, such as in a **XPath.evaluate** call.
|
||||
- **xslt-injection**: A sink that can be used for XSLT injection, such as in a **Transformer.transform** call.
|
||||
|
||||
summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
|
|
|||
|
|
@ -53,7 +53,7 @@ Note that this sink is already recognized by the CodeQL JS analysis, but for thi
|
|||
pack: codeql/javascript-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["execa", "Member[shell].Argument[0]", "command-line-injection"]
|
||||
- ["execa", "Member[shell].Argument[0]", "command-injection"]
|
||||
|
||||
|
||||
- Since we're adding a new sink, we add a tuple to the **sinkModel** extensible predicate.
|
||||
|
|
@ -64,7 +64,7 @@ Note that this sink is already recognized by the CodeQL JS analysis, but for thi
|
|||
- **Member[shell]** selects accesses to the **shell** member of the **execa** package.
|
||||
- **Argument[0]** selects the first argument to calls to that member.
|
||||
|
||||
- **command-line-injection** indicates that this is considered a sink for the command injection query.
|
||||
- **command-injection** indicates that this is considered a sink for the command injection query.
|
||||
|
||||
Example: Taint sources from window 'message' events
|
||||
---------------------------------------------------
|
||||
|
|
@ -463,7 +463,7 @@ Sink kinds
|
|||
Unlike sources, sinks tend to be highly query-specific, rarely affecting more than one or two queries. Not every query supports customizable sinks. If the following sinks are not suitable for your use case, you should add a new query.
|
||||
|
||||
- **code-injection**: A sink that can be used to inject code, such as in calls to **eval**.
|
||||
- **command-line-injection**: A sink that can be used to inject shell commands, such as in calls to **child_process.spawn**.
|
||||
- **command-injection**: A sink that can be used to inject shell commands, such as in calls to **child_process.spawn**.
|
||||
- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **fs.readFile**.
|
||||
- **sql-injection**: A sink that can be used for SQL injection, such as in a MySQL **query** call.
|
||||
- **nosql-injection**: A sink that can be used for NoSQL injection, such as in a MongoDB **findOne** call.
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@
|
|||
Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11",Not applicable,``.py``
|
||||
Ruby [9]_,"up to 3.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
|
||||
Swift [10]_,"Swift 5.4-5.7","Swift compiler","``.swift``"
|
||||
TypeScript [11]_,"2.6-5.0",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
|
||||
TypeScript [11]_,"2.6-5.1",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
|
||||
|
||||
.. container:: footnote-group
|
||||
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ CODEQL_PLATFORM = osx64
|
|||
endif
|
||||
endif
|
||||
|
||||
CODEQL_TOOLS = $(addprefix codeql-tools/,autobuild.cmd autobuild.sh pre-finalize.cmd pre-finalize.sh index.cmd index.sh tracing-config.lua)
|
||||
CODEQL_TOOLS = $(addprefix codeql-tools/,autobuild.cmd autobuild.sh pre-finalize.cmd pre-finalize.sh index.cmd index.sh identify-environment.cmd identify-environment.sh tracing-config.lua)
|
||||
|
||||
EXTRACTOR_PACK_OUT = build/codeql-extractor-go
|
||||
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ Build behavior:
|
|||
to 'false' disables the GOPATH set-up, CODEQL_EXTRACTOR_GO_BUILD_COMMAND (or alternatively
|
||||
LGTM_INDEX_BUILD_COMMAND), can be set to a newline-separated list of commands to run in order to
|
||||
install dependencies, and LGTM_INDEX_IMPORT_PATH can be used to override the package import path,
|
||||
which is otherwise inferred from the SEMMLE_REPO_URL or GITHUB_REPOSITORY environment variables.
|
||||
which is otherwise inferred from the SEMMLE_REPO_URL or GITHUB_REPOSITORY environment variables.
|
||||
|
||||
In resource-constrained environments, the environment variable CODEQL_EXTRACTOR_GO_MAX_GOROUTINES
|
||||
(or its legacy alias SEMMLE_MAX_GOROUTINES) can be used to limit the number of parallel goroutines
|
||||
|
|
@ -910,6 +910,17 @@ func getVersionWhenGoModVersionSupported(v versionInfo) (msg, version string) {
|
|||
|
||||
// Check the versions of Go found in the environment and in the `go.mod` file, and return a
|
||||
// version to install. If the version is the empty string then no installation is required.
|
||||
// We never return a version of Go that is outside of the supported range.
|
||||
//
|
||||
// +-----------------------+-----------------------+-----------------------+-----------------------------------------------------+------------------------------------------------+
|
||||
// | Found in go.mod > | *None* | *Below min supported* | *In supported range* | *Above max supported |
|
||||
// | Installed \/ | | | | |
|
||||
// |-----------------------|-----------------------|-----------------------|-----------------------------------------------------|------------------------------------------------|
|
||||
// | *None* | Install max supported | Install min supported | Install version from go.mod | Install max supported |
|
||||
// | *Below min supported* | Install max supported | Install min supported | Install version from go.mod | Install max supported |
|
||||
// | *In supported range* | No action | No action | Install version from go.mod if newer than installed | Install max supported if newer than installed |
|
||||
// | *Above max supported* | Install max supported | Install min supported | Install version from go.mod | No action |
|
||||
// +-----------------------+-----------------------+-----------------------+-----------------------------------------------------+------------------------------------------------+
|
||||
func getVersionToInstall(v versionInfo) (msg, version string) {
|
||||
if !v.goModVersionFound {
|
||||
return getVersionWhenGoModVersionNotFound(v)
|
||||
|
|
@ -931,9 +942,9 @@ func getVersionToInstall(v versionInfo) (msg, version string) {
|
|||
func outputEnvironmentJson(version string) {
|
||||
var content string
|
||||
if version == "" {
|
||||
content = `{ "include": [] }`
|
||||
content = `{ "go": {} }`
|
||||
} else {
|
||||
content = `{ "include": [ { "go": { "version": "` + version + `" } } ] }`
|
||||
content = `{ "go": { "version": "` + version + `" } }`
|
||||
}
|
||||
_, err := fmt.Fprint(os.Stdout, content)
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
* import TestUtilities.InlineFlowTest
|
||||
* ```
|
||||
*
|
||||
* To declare expecations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files.
|
||||
* To declare expectations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files.
|
||||
* Example of the corresponding test file, e.g. Test.java
|
||||
* ```go
|
||||
* public class Test {
|
||||
|
|
|
|||
|
|
@ -1,167 +1,174 @@
|
|||
package,sink,source,summary,sink:bean-validation,sink:create-file,sink:fragment-injection,sink:groovy,sink:header-splitting,sink:information-leak,sink:intent-start,sink:jdbc-url,sink:jexl,sink:jndi-injection,sink:ldap,sink:logging,sink:mvel,sink:ognl-injection,sink:open-url,sink:pending-intent-sent,sink:read-file,sink:regex-use,sink:regex-use[-1],sink:regex-use[0],sink:regex-use[],sink:regex-use[f-1],sink:regex-use[f1],sink:regex-use[f],sink:set-hostname-verifier,sink:sql,sink:ssti,sink:url-redirect,sink:write-file,sink:xpath,sink:xslt,sink:xss,source:android-external-storage-dir,source:android-widget,source:contentprovider,source:remote,summary:taint,summary:value
|
||||
android.app,35,,103,,,11,,,,7,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,18,85
|
||||
android.content,24,31,154,,,,,,,16,,,,,,,,,,,,,,,,,,,8,,,,,,,4,,27,,63,91
|
||||
android.database,59,,41,,,,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,,,,41,
|
||||
android.net,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,45,15
|
||||
android.os,,2,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,41,81
|
||||
android.support.v4.app,11,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
android.util,6,16,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,16,,
|
||||
android.webkit,3,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,2,,
|
||||
android.widget,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,1,
|
||||
androidx.core.app,6,,95,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,12,83
|
||||
androidx.fragment.app,11,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
androidx.slice,2,5,88,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,5,,27,61
|
||||
cn.hutool.core.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.core,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.databind,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
com.google.common.base,4,,87,,,,,,,,,,,,,,,,,,,,3,1,,,,,,,,,,,,,,,,63,24
|
||||
com.google.common.cache,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17
|
||||
com.google.common.collect,,,553,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,551
|
||||
com.google.common.flogger,29,,,,,,,,,,,,,,29,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.google.common.io,8,,73,,2,,,,,,,,,,,,,,,5,,,,,,,,,,,,1,,,,,,,,72,1
|
||||
com.google.gson,,,39,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,25,14
|
||||
com.hubspot.jinjava,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,
|
||||
com.mitchellbosecke.pebble,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,
|
||||
com.opensymphony.xwork2.ognl,3,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.rabbitmq.client,,21,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,7,
|
||||
com.thoughtworks.xstream,1,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,
|
||||
com.unboundid.ldap.sdk,17,,,,,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.zaxxer.hikari,2,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
flexjson,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
|
||||
freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,
|
||||
groovy.lang,26,,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
groovy.text,1,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
groovy.util,5,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
hudson,44,,16,,19,,,,,,,,,,,,,6,,17,,,,,,,,,,,,2,,,,,,,,16,
|
||||
io.jsonwebtoken,,2,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,4,
|
||||
io.netty.bootstrap,3,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,
|
||||
io.netty.buffer,,,207,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,130,77
|
||||
io.netty.channel,9,2,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,,,,,,,,,2,,
|
||||
io.netty.handler.codec,4,13,259,,,,,,,,,,,,,,,3,,1,,,,,,,,,,,,,,,,,,,13,143,116
|
||||
io.netty.handler.ssl,2,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,
|
||||
io.netty.handler.stream,1,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,
|
||||
io.netty.resolver,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
io.netty.util,2,,23,,1,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,21,2
|
||||
jakarta.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
|
||||
jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
|
||||
java.awt,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3
|
||||
java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
java.io,44,,45,,18,,,,,,,,,,,,,,,4,,,,,,,,,,,,22,,,,,,,,43,2
|
||||
java.lang,18,,92,,,,,,,,,,,,8,,,,,5,,4,,,1,,,,,,,,,,,,,,,56,36
|
||||
java.net,13,3,20,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,3,20,
|
||||
java.nio,38,,31,,22,,,,,,,,,,,,,,,13,,,,,,,,,,,,3,,,,,,,,31,
|
||||
java.sql,13,,3,,,,,,,,4,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,2,1
|
||||
java.util,44,,484,,,,,,,,,,,,34,,,,,,,,5,2,,1,2,,,,,,,,,,,,,44,440
|
||||
javafx.scene.web,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
|
||||
javax.imageio.stream,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
|
||||
javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
javax.management.remote,2,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.naming,7,,1,,,,,,,,,,6,1,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
javax.net.ssl,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,
|
||||
javax.script,1,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.servlet,5,21,2,,,,,3,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,21,2,
|
||||
javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
|
||||
javax.ws.rs.client,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
javax.ws.rs.core,3,,149,,,,,1,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
|
||||
javax.xml.transform,2,,6,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,6,
|
||||
javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,
|
||||
jodd.json,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10
|
||||
kotlin,16,,1843,,11,,,,,,,,,,,,,2,,3,,,,,,,,,,,,,,,,,,,,1836,7
|
||||
net.sf.saxon.s9api,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,
|
||||
ognl,6,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
okhttp3,4,,47,,,,,,,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,,22,25
|
||||
org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
|
||||
org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
|
||||
org.apache.commons.compress.archivers.tar,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,
|
||||
org.apache.commons.httpclient.util,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.commons.io,111,,560,,93,,,,,,,,,,,,,15,,1,,,,,,,,,,,,2,,,,,,,,546,14
|
||||
org.apache.commons.jelly,6,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.jexl2,15,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.jexl3,15,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,293,131
|
||||
org.apache.commons.logging,6,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.net,9,12,,,,,,,,,,,,,,,,6,,3,,,,,,,,,,,,,,,,,,,12,,
|
||||
org.apache.commons.ognl,6,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.text,,,272,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,220,52
|
||||
org.apache.directory.ldap.client.api,1,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.hadoop.fs,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,
|
||||
org.apache.hadoop.hive.metastore,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,
|
||||
org.apache.hc.client5.http.async.methods,84,,,,,,,,,,,,,,,,,84,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.hc.client5.http.classic.methods,37,,,,,,,,,,,,,,,,,37,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.hc.client5.http.fluent,19,,,,,,,,,,,,,,,,,19,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.hc.core5.benchmark,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.hc.core5.http,73,2,45,,,,,,,,,,,,,,,72,,,,,,,,,,,,,,,,,1,,,,2,45,
|
||||
org.apache.hc.core5.net,,,18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,
|
||||
org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6
|
||||
org.apache.hive.hcatalog.templeton,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
|
||||
org.apache.http,48,3,94,,,,,,,,,,,,,,,46,,,,,,,,,,,,,,,,,2,,,,3,86,8
|
||||
org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,57,
|
||||
org.apache.log4j,11,,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.logging.log4j,359,,8,,,,,,,,,,,,359,,,,,,,,,,,,,,,,,,,,,,,,,4,4
|
||||
org.apache.shiro.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.shiro.jndi,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.tools.ant,11,,,,3,,,,,,,,,,,,,,,8,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.tools.zip,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.velocity.app,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,
|
||||
org.apache.velocity.runtime,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,
|
||||
org.codehaus.cargo.container.installer,3,,,,2,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.codehaus.groovy.control,1,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.dom4j,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,,,,,,,
|
||||
org.eclipse.jetty.client,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.geogebra.web.full.main,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,
|
||||
org.hibernate,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
|
||||
org.jboss.logging,324,,,,,,,,,,,,,,324,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.jdbi.v3.core,6,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.jooq,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
|
||||
org.json,,,236,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,198,38
|
||||
org.kohsuke.stapler,3,,1,,,,,,,,,,,,,,,1,,1,,,,,,,,,,,1,,,,,,,,,1,
|
||||
org.mvel2,16,,,,,,,,,,,,,,,16,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.openjdk.jmh.runner.options,1,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.scijava.log,13,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.slf4j,55,,6,,,,,,,,,,,,55,,,,,,,,,,,,,,,,,,,,,,,,,2,4
|
||||
org.springframework.beans,,,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30
|
||||
org.springframework.boot.jdbc,1,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.cache,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13
|
||||
org.springframework.context,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
org.springframework.data.repository,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
|
||||
org.springframework.http,14,,71,,,,,,,,,,,,,,,14,,,,,,,,,,,,,,,,,,,,,,61,10
|
||||
org.springframework.jdbc.core,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,19,,,,,,,,,,,,
|
||||
org.springframework.jdbc.datasource,4,,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.jdbc.object,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,
|
||||
org.springframework.jndi,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.ldap,47,,,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,
|
||||
org.springframework.ui,,,32,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,32
|
||||
org.springframework.util,3,,142,,2,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,90,52
|
||||
org.springframework.validation,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,
|
||||
org.springframework.web.client,13,3,,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,3,,
|
||||
org.springframework.web.context.request,,8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,,
|
||||
org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,12,13,
|
||||
org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.web.util,,,165,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,140,25
|
||||
org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,2,
|
||||
org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,
|
||||
play.libs.ws,2,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,
|
||||
play.mvc,,13,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,24,
|
||||
ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
|
||||
ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
|
||||
ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,48
|
||||
ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
|
||||
ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
|
||||
ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
|
||||
ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
|
||||
retrofit2,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
package,sink,source,summary,sink:bean-validation,sink:file-content-store,sink:fragment-injection,sink:groovy-injection,sink:hostname-verification,sink:html-injection,sink:information-leak,sink:intent-redirection,sink:jexl-injection,sink:jndi-injection,sink:js-injection,sink:ldap-injection,sink:log-injection,sink:mvel-injection,sink:ognl-injection,sink:path-injection,sink:pending-intents,sink:regex-use,sink:regex-use[-1],sink:regex-use[0],sink:regex-use[],sink:regex-use[f-1],sink:regex-use[f1],sink:regex-use[f],sink:request-forgery,sink:response-splitting,sink:sql-injection,sink:template-injection,sink:url-redirection,sink:xpath-injection,sink:xslt-injection,source:android-external-storage-dir,source:contentprovider,source:remote,summary:taint,summary:value
|
||||
android.app,35,,103,,,11,,,,,7,,,,,,,,,17,,,,,,,,,,,,,,,,,,18,85
|
||||
android.content,24,31,154,,,,,,,,16,,,,,,,,,,,,,,,,,,,8,,,,,4,27,,63,91
|
||||
android.database,59,,41,,,,,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,41,
|
||||
android.net,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,45,15
|
||||
android.os,,2,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,41,81
|
||||
android.support.v4.app,11,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
android.util,6,16,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,16,,
|
||||
android.webkit,3,2,,,,,,,2,,,,,1,,,,,,,,,,,,,,,,,,,,,,,2,,
|
||||
android.widget,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,1,
|
||||
androidx.core.app,6,,95,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,12,83
|
||||
androidx.fragment.app,11,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
androidx.slice,2,5,88,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,5,,27,61
|
||||
cn.hutool.core.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.alibaba.druid.sql,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.core,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.databind,2,,6,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,6,
|
||||
com.google.common.base,4,,87,,,,,,,,,,,,,,,,,,,,3,1,,,,,,,,,,,,,,63,24
|
||||
com.google.common.cache,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17
|
||||
com.google.common.collect,,,553,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,551
|
||||
com.google.common.flogger,29,,,,,,,,,,,,,,,29,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.google.common.io,8,,73,,1,,,,,,,,,,,,,,7,,,,,,,,,,,,,,,,,,,72,1
|
||||
com.google.gson,,,39,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,25,14
|
||||
com.hubspot.jinjava,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,
|
||||
com.jcraft.jsch,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,1,
|
||||
com.mitchellbosecke.pebble,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,
|
||||
com.opensymphony.xwork2.ognl,3,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,
|
||||
com.rabbitmq.client,,21,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,7,
|
||||
com.thoughtworks.xstream,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,
|
||||
com.unboundid.ldap.sdk,17,,,,,,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.zaxxer.hikari,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,
|
||||
flexjson,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
|
||||
freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,
|
||||
freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,
|
||||
groovy.lang,26,,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
groovy.text,1,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
groovy.util,5,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
hudson,44,,16,,2,,,,,,,,,,,,,,36,,,,,,,,,6,,,,,,,,,,16,
|
||||
io.jsonwebtoken,,2,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,4,
|
||||
io.netty.bootstrap,3,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,
|
||||
io.netty.buffer,,,207,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,130,77
|
||||
io.netty.channel,9,2,,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,2,,
|
||||
io.netty.handler.codec,4,13,259,,,,,,,,,,,,,,,,1,,,,,,,,,3,,,,,,,,,13,143,116
|
||||
io.netty.handler.ssl,4,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,
|
||||
io.netty.handler.stream,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,
|
||||
io.netty.resolver,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
io.netty.util,2,,23,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,21,2
|
||||
jakarta.faces.context,2,7,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,
|
||||
jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,94,55
|
||||
java.awt,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3
|
||||
java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
java.io,49,,45,,22,,,,,,,,,,,,,,27,,,,,,,,,,,,,,,,,,,43,2
|
||||
java.lang,18,,92,,,,,,,,,,,,,8,,,5,,,4,,,1,,,,,,,,,,,,,56,36
|
||||
java.net,13,3,20,,,,,,,,,,,,,,,,,,,,,,,,,13,,,,,,,,,3,20,
|
||||
java.nio,47,,35,,3,,,,,,,,,,,,,,44,,,,,,,,,,,,,,,,,,,35,
|
||||
java.sql,13,,3,,,,,,,,,,,,,,,,,,,,,,,,,4,,9,,,,,,,,2,1
|
||||
java.util,44,,484,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,440
|
||||
javafx.scene.web,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
javax.faces.context,2,7,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,
|
||||
javax.imageio.stream,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
|
||||
javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
javax.management.remote,2,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.naming,7,,1,,,,,,,,,,6,,1,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
javax.net.ssl,2,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.script,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.servlet,5,21,2,,,,,,,1,,,,,,,,,1,,,,,,,,,,3,,,,,,,,21,2,
|
||||
javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
|
||||
javax.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
javax.ws.rs.core,3,,149,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,2,,,,,,94,55
|
||||
javax.xml.transform,2,,6,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,1,,,,6,
|
||||
javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,
|
||||
jodd.json,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10
|
||||
kotlin,16,,1847,,,,,,,,,,,,,,,,14,,,,,,,,,2,,,,,,,,,,1836,11
|
||||
net.sf.saxon.s9api,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,
|
||||
ognl,6,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,
|
||||
okhttp3,4,,48,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,23,25
|
||||
org.antlr.runtime,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
|
||||
org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
|
||||
org.apache.commons.compress.archivers.tar,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,
|
||||
org.apache.commons.httpclient.util,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.commons.io,111,,560,,2,,,,,,,,,,,,,,94,,,,,,,,,15,,,,,,,,,,546,14
|
||||
org.apache.commons.jelly,6,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,
|
||||
org.apache.commons.jexl2,15,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.jexl3,15,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,293,131
|
||||
org.apache.commons.logging,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.net,9,12,,,,,,,,,,,,,,,,,3,,,,,,,,,6,,,,,,,,,12,,
|
||||
org.apache.commons.ognl,6,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.text,,,272,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,220,52
|
||||
org.apache.directory.ldap.client.api,1,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.hadoop.fs,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,
|
||||
org.apache.hadoop.hive.metastore,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,
|
||||
org.apache.hc.client5.http.async.methods,84,,,,,,,,,,,,,,,,,,,,,,,,,,,84,,,,,,,,,,,
|
||||
org.apache.hc.client5.http.classic.methods,37,,,,,,,,,,,,,,,,,,,,,,,,,,,37,,,,,,,,,,,
|
||||
org.apache.hc.client5.http.fluent,19,,,,,,,,,,,,,,,,,,,,,,,,,,,19,,,,,,,,,,,
|
||||
org.apache.hc.core5.benchmark,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.hc.core5.http,73,2,45,,,,,,1,,,,,,,,,,,,,,,,,,,72,,,,,,,,,2,45,
|
||||
org.apache.hc.core5.net,,,18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,
|
||||
org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6
|
||||
org.apache.hive.hcatalog.templeton,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,
|
||||
org.apache.http,48,3,94,,,,,,2,,,,,,,,,,,,,,,,,,,46,,,,,,,,,3,86,8
|
||||
org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,57,
|
||||
org.apache.log4j,11,,,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.logging.log4j,359,,8,,,,,,,,,,,,,359,,,,,,,,,,,,,,,,,,,,,,4,4
|
||||
org.apache.shiro.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.shiro.jndi,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.tools.ant,11,,,,,,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.tools.zip,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.velocity.app,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,
|
||||
org.apache.velocity.runtime,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,
|
||||
org.codehaus.cargo.container.installer,3,,,,,,,,,,,,,,,,,,2,,,,,,,,,1,,,,,,,,,,,
|
||||
org.codehaus.groovy.control,1,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.dom4j,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,,,,,
|
||||
org.eclipse.jetty.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
org.fusesource.leveldbjni,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,
|
||||
org.geogebra.web.full.main,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,
|
||||
org.hibernate,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,
|
||||
org.influxdb,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
org.jboss.logging,324,,,,,,,,,,,,,,,324,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.jdbi.v3.core,6,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,
|
||||
org.jooq,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,
|
||||
org.json,,,236,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,198,38
|
||||
org.kohsuke.stapler,3,,1,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,1,,,,,,1,
|
||||
org.mvel2,16,,,,,,,,,,,,,,,,16,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.openjdk.jmh.runner.options,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,
|
||||
org.scijava.log,13,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.slf4j,55,,6,,,,,,,,,,,,,55,,,,,,,,,,,,,,,,,,,,,,2,4
|
||||
org.springframework.beans,,,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30
|
||||
org.springframework.boot.jdbc,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
org.springframework.cache,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13
|
||||
org.springframework.context,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
org.springframework.core.io,2,,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,,
|
||||
org.springframework.data.repository,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
|
||||
org.springframework.http,14,,71,,,,,,,,,,,,,,,,,,,,,,,,,14,,,,,,,,,,61,10
|
||||
org.springframework.jdbc.core,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,19,,,,,,,,,
|
||||
org.springframework.jdbc.datasource,4,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,
|
||||
org.springframework.jdbc.object,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,
|
||||
org.springframework.jndi,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.ldap,47,,,,,,,,,,,,33,,14,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,
|
||||
org.springframework.ui,,,32,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,32
|
||||
org.springframework.util,3,,142,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,90,52
|
||||
org.springframework.validation,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,
|
||||
org.springframework.web.client,13,3,,,,,,,,,,,,,,,,,,,,,,,,,,13,,,,,,,,,3,,
|
||||
org.springframework.web.context.request,,8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,,
|
||||
org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,12,13,
|
||||
org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,
|
||||
org.springframework.web.util,,,165,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,140,25
|
||||
org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,2,
|
||||
org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,
|
||||
org.yaml.snakeyaml,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
play.libs.ws,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,
|
||||
play.mvc,,13,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,24,
|
||||
ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
|
||||
ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
|
||||
ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,48
|
||||
ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
|
||||
ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
|
||||
ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
|
||||
ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
|
||||
retrofit2,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,
|
||||
|
|
|
|||
|
|
|
@ -6,22 +6,22 @@ Java framework & library support
|
|||
:class: fullWidthTable
|
||||
:widths: auto
|
||||
|
||||
Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
|
||||
Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑918` :sub:`Request Forgery`
|
||||
Android,``android.*``,52,481,138,,3,67,,,
|
||||
Android extensions,``androidx.*``,5,183,19,,,,,,
|
||||
`Apache Commons Collections <https://commons.apache.org/proper/commons-collections/>`_,"``org.apache.commons.collections``, ``org.apache.commons.collections4``",,1600,,,,,,,
|
||||
`Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,560,111,93,,,,,15
|
||||
`Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,560,111,94,,,,,15
|
||||
`Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,
|
||||
`Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,
|
||||
`Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,182,122,,3,,,,119
|
||||
`Apache Log4j 2 <https://logging.apache.org/log4j/2.0/>`_,``org.apache.logging.log4j``,,8,359,,,,,,
|
||||
`Google Guava <https://guava.dev/>`_,``com.google.common.*``,,730,41,2,,,,,
|
||||
`Google Guava <https://guava.dev/>`_,``com.google.common.*``,,730,41,7,,,,,
|
||||
JBoss Logging,``org.jboss.logging``,,,324,,,,,,
|
||||
`JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
|
||||
Java Standard Library,``java.*``,3,679,170,40,,9,,,13
|
||||
Java extensions,"``javax.*``, ``jakarta.*``",63,611,34,1,4,,1,1,2
|
||||
Kotlin Standard Library,``kotlin*``,,1843,16,11,,,,,2
|
||||
`Spring <https://spring.io/>`_,``org.springframework.*``,29,483,113,2,,28,14,,29
|
||||
Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.geogebra.web.full.main``, ``org.hibernate``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",98,890,520,26,,18,18,,185
|
||||
Totals,,255,9182,1973,175,10,122,33,1,365
|
||||
Java Standard Library,``java.*``,3,683,184,76,,9,,,17
|
||||
Java extensions,"``javax.*``, ``jakarta.*``",63,611,34,2,4,,1,1,2
|
||||
Kotlin Standard Library,``kotlin*``,,1847,16,14,,,,,2
|
||||
`Spring <https://spring.io/>`_,``org.springframework.*``,29,483,115,4,,28,14,,35
|
||||
Others,"``cn.hutool.core.codec``, ``com.alibaba.druid.sql``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.hibernate``, ``org.influxdb``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",98,894,528,66,,18,18,,195
|
||||
Totals,,255,9194,1997,263,10,122,33,1,385
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
CWE,Sink identifier,Label
|
||||
CWE‑089,sql,SQL injection
|
||||
CWE‑022,create-file,Path injection
|
||||
CWE‑089,sql-injection,SQL injection
|
||||
CWE‑022,path-injection,Path injection
|
||||
CWE‑094,bean-validation,Code injection
|
||||
CWE‑319,open-url,Cleartext transmission
|
||||
CWE‑079,xss,Cross-site scripting
|
||||
CWE‑090,ldap,LDAP injection
|
||||
CWE‑918,request-forgery,Request Forgery
|
||||
CWE‑079,html-injection js-injection,Cross-site scripting
|
||||
CWE‑090,ldap-injection,LDAP injection
|
||||
|
|
|
|||
|
|
|
@ -1,10 +0,0 @@
|
|||
.classpath
|
||||
.gradle
|
||||
.idea
|
||||
.project
|
||||
.settings
|
||||
bin/
|
||||
build/
|
||||
gradle/
|
||||
gradlew
|
||||
gradlew.bat
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
|
||||
This shows what is encoded in the kotlin.Metadata section shown in the
|
||||
output of `javap -v SomeKotlinClass`.
|
||||
|
||||
It is not currently able to extract the information from .class files
|
||||
itself; the values are hard coded in src/main/kotlin/Explorer.kt
|
||||
|
||||
Run `gradle run` in this directory to run it.
|
||||
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
plugins {
|
||||
id 'org.jetbrains.kotlin.jvm' version "${kotlinVersion}"
|
||||
id 'org.jetbrains.dokka' version '1.4.32'
|
||||
id "com.vanniktech.maven.publish" version '0.15.1'
|
||||
id 'application'
|
||||
}
|
||||
|
||||
group 'com.github.codeql'
|
||||
version '0.0.1'
|
||||
|
||||
dependencies {
|
||||
implementation "org.jetbrains.kotlin:kotlin-stdlib"
|
||||
implementation "org.jetbrains.kotlinx:kotlinx-metadata-jvm:0.3.0"
|
||||
}
|
||||
|
||||
repositories {
|
||||
mavenCentral()
|
||||
}
|
||||
|
||||
tasks.withType(org.jetbrains.kotlin.gradle.tasks.KotlinCompile).configureEach {
|
||||
kotlinOptions {
|
||||
jvmTarget = "1.8"
|
||||
}
|
||||
}
|
||||
|
||||
application {
|
||||
mainClass = 'com.github.codeql.ExplorerKt'
|
||||
}
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
kotlin.code.style=official
|
||||
kotlinVersion=1.5.21
|
||||
|
||||
GROUP=com.github.codeql
|
||||
VERSION_NAME=0.0.1
|
||||
POM_DESCRIPTION=CodeQL Kotlin explorer
|
||||
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
pluginManagement {
|
||||
repositories {
|
||||
mavenCentral()
|
||||
gradlePluginPortal()
|
||||
}
|
||||
}
|
||||
|
||||
rootProject.name = 'codeql-kotlin-explorer'
|
||||
|
|
@ -1,217 +0,0 @@
|
|||
package com.github.codeql
|
||||
import kotlinx.metadata.internal.metadata.jvm.deserialization.JvmMetadataVersion
|
||||
import kotlinx.metadata.jvm.*
|
||||
import kotlinx.metadata.*
|
||||
|
||||
fun main(args : Array<String>) {
|
||||
/*
|
||||
Values from `javap -v` on TestKt.class from:
|
||||
|
||||
class MyClass {}
|
||||
|
||||
class MyParamClass<T> {}
|
||||
|
||||
fun f(x: MyClass, y: MyClass?,
|
||||
l1: MyParamClass<MyClass>,
|
||||
l2: MyParamClass<MyClass?>,
|
||||
l3: MyParamClass<MyClass>?,
|
||||
l4: MyParamClass<MyClass?>?) {
|
||||
}
|
||||
*/
|
||||
val kind = 2
|
||||
val metadataVersion = intArrayOf(1, 5, 1)
|
||||
val data1 = arrayOf("\u0000\u0018\n\u0000\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\u001aX\u0010\u0000\u001a\u00020\u00012\u0006\u0010\u0002\u001a\u00020\u00032\b\u0010\u0004\u001a\u0004\u0018\u00010\u00032\u000c\u0010\u0005\u001a\b\u0012\u0004\u0012\u00020\u00030\u00062\u000e\u0010\u0007\u001a\n\u0012\u0006\u0012\u0004\u0018\u00010\u00030\u00062\u000e\u0010\b\u001a\n\u0012\u0004\u0012\u00020\u0003\u0018\u00010\u00062\u0010\u0010\t\u001a\u000c\u0012\u0006\u0012\u0004\u0018\u00010\u0003\u0018\u00010\u0006")
|
||||
val data2 = arrayOf("f","","x","LMyClass;","y","l1","LMyParamClass;","l2","l3","l4")
|
||||
val extraString = null
|
||||
val packageName = null
|
||||
val extraInt = 48
|
||||
val kch = KotlinClassHeader(kind, metadataVersion, data1, data2, extraString, packageName, extraInt)
|
||||
|
||||
val md = KotlinClassMetadata.read(kch)
|
||||
when (md) {
|
||||
is KotlinClassMetadata.Class -> println("Metadata for Class not yet supported")
|
||||
is KotlinClassMetadata.FileFacade -> {
|
||||
println("Metadata for FileFacade:")
|
||||
val kmp = md.toKmPackage()
|
||||
kmp.accept(MyPackageVisitor(0))
|
||||
}
|
||||
is KotlinClassMetadata.SyntheticClass -> println("Metadata for SyntheticClass not yet supported")
|
||||
is KotlinClassMetadata.MultiFileClassFacade -> println("Metadata for MultiFileClassFacade not yet supported")
|
||||
is KotlinClassMetadata.MultiFileClassPart -> println("Metadata for MultiFileClassPart not yet supported")
|
||||
is KotlinClassMetadata.Unknown -> println("Unknown kind")
|
||||
else -> println("Unexpected kind")
|
||||
}
|
||||
}
|
||||
|
||||
fun pr(indent: Int, s: String) {
|
||||
println(" ".repeat(indent) + s)
|
||||
}
|
||||
|
||||
class MyPackageVisitor(val indent: Int): KmPackageVisitor() {
|
||||
override fun visitFunction(flags: Flags, name: String): KmFunctionVisitor? {
|
||||
pr(indent, "=> Function; flags:$flags, name:$name")
|
||||
return MyFunctionVisitor(indent + 1)
|
||||
}
|
||||
|
||||
override fun visitProperty(flags: Flags, name: String, getterFlags: Flags, setterFlags: Flags): KmPropertyVisitor? {
|
||||
pr(indent, "=> Properties not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitTypeAlias(flags: Flags, name: String): KmTypeAliasVisitor? {
|
||||
pr(indent, "=> Type aliases not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitExtensions(type: KmExtensionType): KmPackageExtensionVisitor? {
|
||||
pr(indent, "=> Package extensions; type:$type")
|
||||
when (type) {
|
||||
JvmPackageExtensionVisitor.TYPE -> return MyJvmPackageExtensionVisitor(indent + 1)
|
||||
else -> {
|
||||
pr(indent, "- Not yet handled")
|
||||
return null
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class MyFunctionVisitor(val indent: Int): KmFunctionVisitor() {
|
||||
override fun visitTypeParameter(flags: Flags, name: String, id: Int, variance: KmVariance): KmTypeParameterVisitor? {
|
||||
pr(indent, "=> Type parameter; flags:$flags, name:$name, id:$id, variance:$variance")
|
||||
pr(indent, " -> Not yet handled")
|
||||
return null
|
||||
}
|
||||
override fun visitReceiverParameterType(flags: Flags): KmTypeVisitor? {
|
||||
pr(indent, "=> Receiver parameter type; flags:$flags")
|
||||
pr(indent, " -> Not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitValueParameter(flags: Flags, name: String): KmValueParameterVisitor? {
|
||||
pr(indent, "=> Value parameter; flags:$flags, name:$name")
|
||||
return MyValueParameterVisitor(indent + 1)
|
||||
}
|
||||
|
||||
override fun visitReturnType(flags: Flags): KmTypeVisitor? {
|
||||
pr(indent, "=> Return type; flags:$flags")
|
||||
return MyTypeVisitor(indent + 1)
|
||||
}
|
||||
|
||||
override fun visitVersionRequirement(): KmVersionRequirementVisitor? {
|
||||
pr(indent, "=> VersionRequirement not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitContract(): KmContractVisitor? {
|
||||
pr(indent, "=> Contract not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitExtensions(type: KmExtensionType): KmFunctionExtensionVisitor? {
|
||||
pr(indent, "=> Function extensions; type:$type")
|
||||
when (type) {
|
||||
JvmFunctionExtensionVisitor.TYPE -> return MyJvmFunctionExtensionVisitor(indent + 1)
|
||||
else -> {
|
||||
pr(indent, "- Not yet handled")
|
||||
return null
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class MyValueParameterVisitor(val indent: Int): KmValueParameterVisitor() {
|
||||
override fun visitType(flags: Flags): KmTypeVisitor? {
|
||||
pr(indent, "=> Type; flags:$flags")
|
||||
return MyTypeVisitor(indent + 1)
|
||||
}
|
||||
|
||||
override fun visitVarargElementType(flags: Flags): KmTypeVisitor? {
|
||||
pr(indent, "=> VarargElementType not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitExtensions(type: KmExtensionType): KmValueParameterExtensionVisitor? {
|
||||
pr(indent, "=> Value parameter extensions; type:$type; not yet handled")
|
||||
return null
|
||||
}
|
||||
}
|
||||
|
||||
class MyTypeVisitor(val indent: Int): KmTypeVisitor() {
|
||||
override fun visitClass(name: ClassName) {
|
||||
pr(indent, "=> Class; name:$name")
|
||||
}
|
||||
|
||||
override fun visitTypeAlias(name: ClassName) {
|
||||
pr(indent, "=> Type alias; name:$name")
|
||||
}
|
||||
|
||||
override fun visitTypeParameter(id: Int) {
|
||||
pr(indent, "=> Type parameter; id:$id")
|
||||
}
|
||||
|
||||
override fun visitArgument(flags: Flags, variance: KmVariance): KmTypeVisitor? {
|
||||
pr(indent, "=> Argument; flags:$flags, variance:$variance")
|
||||
return MyTypeVisitor(indent + 1)
|
||||
}
|
||||
|
||||
override fun visitStarProjection() {
|
||||
pr(indent, "=> Star projection")
|
||||
}
|
||||
|
||||
override fun visitAbbreviatedType(flags: Flags): KmTypeVisitor? {
|
||||
pr(indent, "=> AbbreviatedType not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitOuterType(flags: Flags): KmTypeVisitor? {
|
||||
pr(indent, "=> OuterType not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitFlexibleTypeUpperBound(flags: Flags, typeFlexibilityId: String?): KmTypeVisitor? {
|
||||
pr(indent, "=> FlexibleTypeUpperBound not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitExtensions(type: KmExtensionType): KmTypeExtensionVisitor? {
|
||||
pr(indent, "=> Type extensions; type:$type")
|
||||
when (type) {
|
||||
JvmTypeExtensionVisitor.TYPE -> return MyJvmTypeExtensionVisitor(indent + 1)
|
||||
else -> {
|
||||
pr(indent, "- Not yet handled")
|
||||
return null
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class MyJvmTypeExtensionVisitor(val indent: Int): JvmTypeExtensionVisitor() {
|
||||
override fun visit(isRaw: Boolean) {
|
||||
pr(indent, "=> isRaw:$isRaw")
|
||||
}
|
||||
|
||||
override fun visitAnnotation(annotation: KmAnnotation) {
|
||||
pr(indent, "=> Annotation; annotation:$annotation")
|
||||
}
|
||||
}
|
||||
|
||||
class MyJvmPackageExtensionVisitor(val indent: Int): JvmPackageExtensionVisitor() {
|
||||
override fun visitLocalDelegatedProperty(flags: Flags, name: String, getterFlags: Flags, setterFlags: Flags): KmPropertyVisitor? {
|
||||
pr(indent, "=> Local delegate not yet handled")
|
||||
return null
|
||||
}
|
||||
|
||||
override fun visitModuleName(name: String) {
|
||||
pr(indent, "=> Module name; name:$name")
|
||||
}
|
||||
}
|
||||
|
||||
class MyJvmFunctionExtensionVisitor(val indent: Int): JvmFunctionExtensionVisitor() {
|
||||
override fun visit(signature: JvmMethodSignature?) {
|
||||
pr(indent, "=> signature:$signature")
|
||||
}
|
||||
|
||||
override fun visitLambdaClassOriginName(internalName: String) {
|
||||
pr(indent, "=> LambdaClassOriginName; internalName:$internalName")
|
||||
}
|
||||
}
|
||||
|
|
@ -24,7 +24,6 @@ def version_string_to_tuple(version):
|
|||
# Version number used by CI.
|
||||
ci_version = '1.8.10'
|
||||
|
||||
# Version numbers in the list need to be in semantically increasing order
|
||||
many_versions = [ '1.4.32', '1.5.0', '1.5.10', '1.5.20', '1.5.30', '1.6.0', '1.6.20', '1.7.0', '1.7.20', '1.8.0', '1.9.0-Beta' ]
|
||||
|
||||
many_versions_tuples = [version_string_to_tuple(v) for v in many_versions]
|
||||
|
|
@ -42,18 +41,13 @@ def get_single_version(fakeVersionOutput = None):
|
|||
if m is None:
|
||||
raise Exception('Cannot detect version of kotlinc (got ' + str(versionOutput) + ')')
|
||||
current_version = version_string_to_tuple(m.group(1))
|
||||
matching_minor_versions = [ version for version in many_versions_tuples if version[0:2] == current_version[0:2] ]
|
||||
if len(matching_minor_versions) == 0:
|
||||
raise Exception(f'Cannot find a matching minor version for kotlinc version {current_version} (got {versionOutput}; know about {str(many_versions)})')
|
||||
|
||||
matching_minor_versions.sort(reverse = True)
|
||||
many_versions_tuples.sort(reverse = True)
|
||||
|
||||
for version in matching_minor_versions:
|
||||
for version in many_versions_tuples:
|
||||
if version[0:3] <= current_version[0:3]:
|
||||
return version_tuple_to_string(version)
|
||||
|
||||
return version_tuple_to_string(matching_minor_versions[-1])
|
||||
|
||||
raise Exception(f'No suitable kotlinc version found for {current_version} (got {versionOutput}; know about {str(many_versions)})')
|
||||
|
||||
def get_latest_url():
|
||||
|
|
|
|||
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
|
||||
* `sql` to `sql-injection`
|
||||
* `url-redirect` to `url-redirection`
|
||||
* `xpath` to `xpath-injection`
|
||||
* `ssti` to `template-injection`
|
||||
* `logging` to `log-injection`
|
||||
* `groovy` to `groovy-injection`
|
||||
* `jexl` to `jexl-injection`
|
||||
* `mvel` to `mvel-injection`
|
||||
* `xslt` to `xslt-injection`
|
||||
* `ldap` to `ldap-injection`
|
||||
* `pending-intent-sent` to `pending-intents`
|
||||
* `intent-start` to `intent-redirection`
|
||||
* `set-hostname-verifier` to `hostname-verification`
|
||||
* `header-splitting` to `response-splitting`
|
||||
* `xss` to `html-injection` and `js-injection`
|
||||
* `write-file` to `file-system-store`
|
||||
* `create-file` and `read-file` to `path-injection`
|
||||
* `open-url` and `jdbc-url` to `request-forgery`
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Changed the `android-widget` Java source kind to `remote`. Any custom data extensions that use the `android-widget` source kind will need to be updated accordingly in order to continue working.
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`.
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the following packages:
|
||||
|
||||
* java.lang
|
||||
* java.nio.file
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead.
|
||||
* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead.
|
||||
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`.
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the following packages:
|
||||
|
||||
* com.alibaba.druid.sql
|
||||
* com.fasterxml.jackson.databind
|
||||
* com.jcraft.jsch
|
||||
* io.netty.handler.ssl
|
||||
* okhttp3
|
||||
* org.antlr.runtime
|
||||
* org.fusesource.leveldbjni
|
||||
* org.influxdb
|
||||
* org.springframework.core.io
|
||||
* org.yaml.snakeyaml
|
||||
|
|
@ -3,22 +3,22 @@ extensions:
|
|||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["android.app", "Activity", True, "bindService", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.app", "Activity", True, "bindServiceAsUser", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.app", "Activity", True, "setResult", "(int,Intent)", "", "Argument[1]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityAsCaller", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityForResult", "(Intent,int)", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityForResult", "(Intent,int,Bundle)", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityForResult", "(String,Intent,int,Bundle)", "", "Argument[1]", "intent-start", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityForResultAsUser", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "set", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setAlarmClock", "", "", "Argument[1]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setAndAllowWhileIdle", "", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setExact", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setExactAndAllowWhileIdle", "", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setInexactRepeating", "", "", "Argument[3]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setRepeating", "", "", "Argument[3]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setWindow", "(int,long,long,PendingIntent)", "", "Argument[3]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "Activity", True, "bindService", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.app", "Activity", True, "bindServiceAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.app", "Activity", True, "setResult", "(int,Intent)", "", "Argument[1]", "pending-intents", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityAsCaller", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityForResult", "(Intent,int)", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityForResult", "(Intent,int,Bundle)", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityForResult", "(String,Intent,int,Bundle)", "", "Argument[1]", "intent-redirection", "manual"]
|
||||
- ["android.app", "Activity", True, "startActivityForResultAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "set", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setAlarmClock", "", "", "Argument[1]", "pending-intents", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setAndAllowWhileIdle", "", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setExact", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setExactAndAllowWhileIdle", "", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setInexactRepeating", "", "", "Argument[3]", "pending-intents", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setRepeating", "", "", "Argument[3]", "pending-intents", "manual"]
|
||||
- ["android.app", "AlarmManager", True, "setWindow", "(int,long,long,PendingIntent)", "", "Argument[3]", "pending-intents", "manual"]
|
||||
- ["android.app", "FragmentTransaction", True, "add", "(Class,Bundle,String)", "", "Argument[0]", "fragment-injection", "manual"]
|
||||
- ["android.app", "FragmentTransaction", True, "add", "(Fragment,String)", "", "Argument[0]", "fragment-injection", "manual"]
|
||||
- ["android.app", "FragmentTransaction", True, "add", "(int,Class,Bundle)", "", "Argument[1]", "fragment-injection", "manual"]
|
||||
|
|
@ -30,14 +30,14 @@ extensions:
|
|||
- ["android.app", "FragmentTransaction", True, "replace", "(int,Class,Bundle,String)", "", "Argument[1]", "fragment-injection", "manual"]
|
||||
- ["android.app", "FragmentTransaction", True, "replace", "(int,Fragment)", "", "Argument[1]", "fragment-injection", "manual"]
|
||||
- ["android.app", "FragmentTransaction", True, "replace", "(int,Fragment,String)", "", "Argument[1]", "fragment-injection", "manual"]
|
||||
- ["android.app", "NotificationManager", True, "notify", "(String,int,Notification)", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "NotificationManager", True, "notify", "(int,Notification)", "", "Argument[1]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "NotificationManager", True, "notifyAsPackage", "(String,String,int,Notification)", "", "Argument[3]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "NotificationManager", True, "notifyAsUser", "(String,int,Notification,UserHandle)", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "PendingIntent", False, "send", "(Context,int,Intent)", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler)", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler,String)", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler,String,Bundle)", "", "Argument[2]", "pending-intent-sent", "manual"]
|
||||
- ["android.app", "NotificationManager", True, "notify", "(String,int,Notification)", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "NotificationManager", True, "notify", "(int,Notification)", "", "Argument[1]", "pending-intents", "manual"]
|
||||
- ["android.app", "NotificationManager", True, "notifyAsPackage", "(String,String,int,Notification)", "", "Argument[3]", "pending-intents", "manual"]
|
||||
- ["android.app", "NotificationManager", True, "notifyAsUser", "(String,int,Notification,UserHandle)", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "PendingIntent", False, "send", "(Context,int,Intent)", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler)", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler,String)", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler,String,Bundle)", "", "Argument[2]", "pending-intents", "manual"]
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
|
|
|
|||
|
|
@ -39,30 +39,30 @@ extensions:
|
|||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["android.content", "ContentProvider", True, "delete", "(Uri,String,String[])", "", "Argument[1]", "sql", "manual"]
|
||||
- ["android.content", "ContentProvider", True, "query", "(Uri,String[],String,String[],String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["android.content", "ContentProvider", True, "query", "(Uri,String[],String,String[],String,CancellationSignal)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["android.content", "ContentProvider", True, "update", "(Uri,ContentValues,String,String[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["android.content", "ContentResolver", True, "delete", "(Uri,String,String[])", "", "Argument[1]", "sql", "manual"]
|
||||
- ["android.content", "ContentResolver", True, "query", "(Uri,String[],String,String[],String)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["android.content", "ContentResolver", True, "query", "(Uri,String[],String,String[],String,CancellationSignal)", "", "Argument[2]", "sql", "manual"]
|
||||
- ["android.content", "ContentResolver", True, "update", "(Uri,ContentValues,String,String[])", "", "Argument[2]", "sql", "manual"]
|
||||
- ["android.content", "Context", True, "sendBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "sendBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "sendBroadcastWithMultiplePermissions", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "sendStickyBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "sendStickyBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "sendStickyOrderedBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "sendStickyOrderedBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startActivities", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startActivity", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startActivityAsUser", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startActivityFromChild", "", "", "Argument[1]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startActivityFromFragment", "", "", "Argument[1]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startActivityIfNeeded", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startForegroundService", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startService", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "Context", True, "startServiceAsUser", "", "", "Argument[0]", "intent-start", "manual"]
|
||||
- ["android.content", "ContentProvider", True, "delete", "(Uri,String,String[])", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["android.content", "ContentProvider", True, "query", "(Uri,String[],String,String[],String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["android.content", "ContentProvider", True, "query", "(Uri,String[],String,String[],String,CancellationSignal)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["android.content", "ContentProvider", True, "update", "(Uri,ContentValues,String,String[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["android.content", "ContentResolver", True, "delete", "(Uri,String,String[])", "", "Argument[1]", "sql-injection", "manual"]
|
||||
- ["android.content", "ContentResolver", True, "query", "(Uri,String[],String,String[],String)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["android.content", "ContentResolver", True, "query", "(Uri,String[],String,String[],String,CancellationSignal)", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["android.content", "ContentResolver", True, "update", "(Uri,ContentValues,String,String[])", "", "Argument[2]", "sql-injection", "manual"]
|
||||
- ["android.content", "Context", True, "sendBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "sendBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "sendBroadcastWithMultiplePermissions", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "sendStickyBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "sendStickyBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "sendStickyOrderedBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "sendStickyOrderedBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startActivities", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startActivity", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startActivityAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startActivityFromChild", "", "", "Argument[1]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startActivityFromFragment", "", "", "Argument[1]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startActivityIfNeeded", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startForegroundService", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startService", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- ["android.content", "Context", True, "startServiceAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
|
|
|
|||
Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше
Загрузка…
Ссылка в новой задаче