Merge branch 'main' into alamofire2
Коммит
949cfb758d
|
@ -0,0 +1,60 @@
|
|||
name: Cache query compilation
|
||||
description: Caches CodeQL compilation caches - should be run both on PRs and pushes to main.
|
||||
|
||||
inputs:
|
||||
key:
|
||||
description: 'The cache key to use - should be unique to the workflow'
|
||||
required: true
|
||||
|
||||
outputs:
|
||||
cache-dir:
|
||||
description: "The directory where the cache was stored"
|
||||
value: ${{ steps.fill-compilation-dir.outputs.compdir }}
|
||||
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
# Cache the query compilation caches.
|
||||
# calculate the merge-base with main, in a way that works both on PRs and pushes to main.
|
||||
- name: Calculate merge-base
|
||||
shell: bash
|
||||
if: ${{ github.event_name == 'pull_request' }}
|
||||
env:
|
||||
BASE_BRANCH: ${{ github.base_ref }}
|
||||
run: |
|
||||
MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
|
||||
echo "merge_base=$MERGE_BASE" >> $GITHUB_ENV
|
||||
- name: Read CodeQL query compilation - PR
|
||||
if: ${{ github.event_name == 'pull_request' }}
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: '**/.cache'
|
||||
key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }} # deliberately not using the `compile-compile-main` keys here.
|
||||
restore-keys: |
|
||||
codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
|
||||
codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-
|
||||
codeql-compile-${{ inputs.key }}-main-
|
||||
- name: Fill CodeQL query compilation cache - main
|
||||
if: ${{ github.event_name != 'pull_request' }}
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: '**/.cache'
|
||||
key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main
|
||||
restore-keys: | # restore from another random commit, to speed up compilation.
|
||||
codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-
|
||||
codeql-compile-${{ inputs.key }}-main-
|
||||
- name: Fill compilation cache directory
|
||||
id: fill-compilation-dir
|
||||
shell: bash
|
||||
run: |
|
||||
# Move all the existing cache into another folder, so we only preserve the cache for the current queries.
|
||||
mkdir -p ${COMBINED_CACHE_DIR}
|
||||
rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
|
||||
# copy the contents of the .cache folders into the combined cache folder.
|
||||
cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
|
||||
# clean up the .cache folders
|
||||
rm -rf **/.cache/*
|
||||
|
||||
echo "compdir=${COMBINED_CACHE_DIR}" >> $GITHUB_OUTPUT
|
||||
env:
|
||||
COMBINED_CACHE_DIR: ${{ github.workspace }}/compilation-dir
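Review bot: The `Fill compilation cache directory` step uses `**/.cache` in its `rm`, `cp` and `rm -rf` commands, but bash only expands `**` recursively when `globstar` is enabled and nothing in this script turns it on. The patterns therefore behave like `*/.cache` and miss nested directories such as the `*/ql/src/.cache` paths the workflows used before. Because the copy ends in `|| :`, the step would still succeed, leaving `compilation-dir` empty and the restored cache unused without any error. Adding `shopt -s globstar` as the first line of the script, and quoting `"${COMBINED_CACHE_DIR}"`, would make the shell globs agree with the `path: '**/.cache'` that `actions/cache` matches. Separately, `BASE_BRANCH` is set on the merge-base step but never read.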
|
|
@ -14,58 +14,26 @@ jobs:
|
|||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
# calculate the merge-base with main, in a way that works both on PRs and pushes to main.
|
||||
- name: Calculate merge-base
|
||||
if: ${{ github.event_name == 'pull_request' }}
|
||||
env:
|
||||
BASE_BRANCH: ${{ github.base_ref }}
|
||||
run: |
|
||||
MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
|
||||
echo "merge-base=$MERGE_BASE" >> $GITHUB_ENV
|
||||
- name: Read CodeQL query compilation - PR
|
||||
if: ${{ github.event_name == 'pull_request' }}
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: '*/ql/src/.cache'
|
||||
key: codeql-compile-pr-${{ github.sha }} # deliberately not using the `compile-compile-main` keys here.
|
||||
restore-keys: |
|
||||
codeql-compile-${{ github.base_ref }}-${{ env.merge-base }}
|
||||
codeql-compile-${{ github.base_ref }}-
|
||||
codeql-compile-main-
|
||||
- name: Fill CodeQL query compilation cache - main
|
||||
if: ${{ github.event_name != 'pull_request' }}
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: '*/ql/src/.cache'
|
||||
key: codeql-compile-${{ github.ref_name }}-${{ github.sha }} # just fill on main
|
||||
restore-keys: | # restore from another random commit, to speed up compilation.
|
||||
codeql-compile-${{ github.ref_name }}-
|
||||
codeql-compile-main-
|
||||
- name: Setup CodeQL
|
||||
uses: ./.github/actions/fetch-codeql
|
||||
with:
|
||||
channel: 'release'
|
||||
- name: Cache compilation cache
|
||||
id: query-cache
|
||||
uses: ./.github/actions/cache-query-compilation
|
||||
with:
|
||||
key: all-queries
|
||||
- name: check formatting
|
||||
run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 codeql query format --check-only
|
||||
- name: compile queries - check-only
|
||||
# run with --check-only if running in a PR (github.sha != main)
|
||||
if : ${{ github.event_name == 'pull_request' }}
|
||||
shell: bash
|
||||
run: codeql query compile -j0 */ql/src --keep-going --warnings=error --check-only
|
||||
run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
- name: compile queries - full
|
||||
# do full compile if running on main - this populates the cache
|
||||
if : ${{ github.event_name != 'pull_request' }}
|
||||
shell: bash
|
||||
run: |
|
||||
# Move all the existing cache into another folder, so we only preserve the cache for the current queries.
|
||||
mkdir -p ${COMBINED_CACHE_DIR}
|
||||
rm */ql/src/.cache/{lock,size}
|
||||
# copy the contents of the .cache folders into the combined cache folder.
|
||||
cp -r */ql/src/.cache/* ${COMBINED_CACHE_DIR}/
|
||||
# clean up the .cache folders
|
||||
rm -rf */ql/src/.cache/*
|
||||
|
||||
# compile the queries
|
||||
codeql query compile -j0 */ql/src --keep-going --warnings=error --compilation-cache ${COMBINED_CACHE_DIR}
|
||||
run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
env:
|
||||
COMBINED_CACHE_DIR: ${{ github.workspace }}/compilation-dir
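Review bot: Both compile steps splice `${{ steps.query-cache.outputs.cache-dir }}` directly into the `run:` script text, which is expanded before bash parses the line. Passing it through the environment keeps the command fixed whatever the output contains: `env: CACHE_DIR: ${{ steps.query-cache.outputs.cache-dir }}` on the step and `--compilation-cache "$CACHE_DIR"` in the command. The value currently derives from `github.workspace` inside the composite action, so this is hardening rather than a live injection. The same pattern appears in the `codeql pack create -j0` line of the Ruby build workflow and the `codeql test run` line of the Ruby QL test workflow.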
|
|
@ -47,8 +47,3 @@ jobs:
|
|||
find ql/ql/src "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
|
||||
env:
|
||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||
- name: Check QL compilation
|
||||
run: |
|
||||
"${CODEQL}" query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ql/extractor-pack" "ql/ql/src" "ql/ql/examples"
|
||||
env:
|
||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||
|
|
|
@ -86,19 +86,23 @@ jobs:
|
|||
ruby/target/release/ruby-extractor.exe
|
||||
retention-days: 1
|
||||
compile-queries:
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
|
||||
runs-on: ubuntu-latest-xl
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Fetch CodeQL
|
||||
uses: ./.github/actions/fetch-codeql
|
||||
- name: Cache compilation cache
|
||||
id: query-cache
|
||||
uses: ./.github/actions/cache-query-compilation
|
||||
with:
|
||||
key: ruby-build
|
||||
- name: Build Query Pack
|
||||
run: |
|
||||
codeql pack create ../shared/ssa --output target/packs
|
||||
codeql pack create ../misc/suite-helpers --output target/packs
|
||||
codeql pack create ../shared/regex --output target/packs
|
||||
codeql pack create ql/lib --output target/packs
|
||||
codeql pack create ql/src --output target/packs
|
||||
codeql pack create -j0 ql/src --output target/packs --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
|
||||
codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
|
||||
(cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
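Review bot: In `Build Query Pack`, the `find … -exec bash -c '… $(dirname "{}")'` line substitutes each file name into the text of a shell command, so a name under `ql/src/queries` that contains shell metacharacters is parsed as code by the inner `bash`. Passing the values as positional parameters avoids that: `-exec bash -c 'mkdir -p "$1/$(dirname "$2")"' _ "${PACK_FOLDER}" {} \;`. The line appears to be unchanged context in this hunk, and whether this workflow runs for pull requests from forks is not visible here.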
|
||||
|
|
|
@ -4,7 +4,7 @@ on:
|
|||
push:
|
||||
paths:
|
||||
- "ruby/**"
|
||||
- .github/workflows/ruby-qltest.yml
|
||||
- .github/workflows/ruby-build.yml
|
||||
- .github/actions/fetch-codeql/action.yml
|
||||
- codeql-workspace.yml
|
||||
branches:
|
||||
|
@ -28,16 +28,6 @@ defaults:
|
|||
working-directory: ruby
|
||||
|
||||
jobs:
|
||||
qlcompile:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: ./.github/actions/fetch-codeql
|
||||
- name: Check QL compilation
|
||||
run: |
|
||||
codeql query compile --check-only --threads=0 --ram 5000 --warnings=error "ql/src" "ql/examples"
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
qlupgrade:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
@ -58,17 +48,20 @@ jobs:
|
|||
xargs codeql execute upgrades testdb
|
||||
diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
|
||||
qltest:
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-latest-xl
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
slice: ["1/2", "2/2"]
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: ./.github/actions/fetch-codeql
|
||||
- uses: ./ruby/actions/create-extractor-pack
|
||||
- name: Cache compilation cache
|
||||
id: query-cache
|
||||
uses: ./.github/actions/cache-query-compilation
|
||||
with:
|
||||
key: ruby-qltest
|
||||
- name: Run QL tests
|
||||
run: |
|
||||
codeql test run --threads=0 --ram 5000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test
|
||||
codeql test run --threads=0 --ram 52000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
|
|
|
@ -39,6 +39,7 @@ jobs:
|
|||
- 'swift/ql/lib/codeql/swift/elements/**'
|
||||
- 'swift/ql/lib/codeql/swift/generated/**'
|
||||
- 'swift/ql/test/extractor-tests/generated/**'
|
||||
- 'swift/ql/.generated.list'
|
||||
ql:
|
||||
- 'github/workflows/swift.yml'
|
||||
- 'swift/**/*.ql'
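Review bot: The `ql:` filter lists `'github/workflows/swift.yml'` without the leading dot, so it looks like it can never match `.github/workflows/swift.yml`, and edits to the workflow itself would not select the QL jobs. If that is unintended, use `- '.github/workflows/swift.yml'`. The line may be pre-existing context rather than part of this change, and the rest of the filter list lies outside the hunk.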
|
||||
|
|
|
@ -44,7 +44,7 @@ repos:
|
|||
|
||||
- id: swift-codegen
|
||||
name: Run Swift checked in code generation
|
||||
files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements))
|
||||
files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
|
||||
language: system
|
||||
entry: bazel run //swift/codegen -- --quiet
|
||||
pass_filenames: false
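Review bot: In the new `files:` pattern the last alternative `ql/\.generated.list` escapes only the first dot and has no end anchor, so it matches more than the one intended file name. `ql/\.generated\.list$` would match just `swift/ql/.generated.list`. Over-matching only makes the codegen hook run more often, so the impact is small.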
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
## 0.4.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
category: deprecated
|
||||
---
|
||||
|
||||
|
||||
* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
category: breaking
|
||||
---
|
||||
The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.
|
|
@ -0,0 +1,3 @@
|
|||
## 0.4.4
|
||||
|
||||
No user-facing changes.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 0.4.3
|
||||
lastReleaseVersion: 0.4.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/cpp-all
|
||||
version: 0.4.4-dev
|
||||
version: 0.4.5-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
|
|
@ -189,18 +189,6 @@ class Folder extends Container, @folder {
|
|||
* Gets the URL of this folder.
|
||||
*/
|
||||
deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
|
||||
|
||||
/**
|
||||
* DEPRECATED: use `getAbsolutePath` instead.
|
||||
* Gets the name of this folder.
|
||||
*/
|
||||
deprecated string getName() { folders(underlyingElement(this), result) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: use `getBaseName` instead.
|
||||
* Gets the last part of the folder name.
|
||||
*/
|
||||
deprecated string getShortName() { result = this.getBaseName() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
*/
|
||||
|
||||
private import cpp
|
||||
import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
private import semmle.code.cpp.ir.IR
|
||||
|
||||
/**
|
||||
|
@ -25,18 +24,18 @@ abstract class MustFlowConfiguration extends string {
|
|||
/**
|
||||
* Holds if `source` is a relevant data flow source.
|
||||
*/
|
||||
abstract predicate isSource(DataFlow::Node source);
|
||||
abstract predicate isSource(Instruction source);
|
||||
|
||||
/**
|
||||
* Holds if `sink` is a relevant data flow sink.
|
||||
*/
|
||||
abstract predicate isSink(DataFlow::Node sink);
|
||||
abstract predicate isSink(Operand sink);
|
||||
|
||||
/**
|
||||
* Holds if the additional flow step from `node1` to `node2` must be taken
|
||||
* into account in the analysis.
|
||||
*/
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
|
||||
predicate isAdditionalFlowStep(Operand node1, Instruction node2) { none() }
|
||||
|
||||
/** Holds if this configuration allows flow from arguments to parameters. */
|
||||
predicate allowInterproceduralFlow() { any() }
|
||||
|
@ -48,17 +47,17 @@ abstract class MustFlowConfiguration extends string {
|
|||
* included in the module `PathGraph`.
|
||||
*/
|
||||
final predicate hasFlowPath(MustFlowPathNode source, MustFlowPathSink sink) {
|
||||
this.isSource(source.getNode()) and
|
||||
this.isSource(source.getInstruction()) and
|
||||
source.getASuccessor+() = sink
|
||||
}
|
||||
}
|
||||
|
||||
/** Holds if `node` flows from a source. */
|
||||
pragma[nomagic]
|
||||
private predicate flowsFromSource(DataFlow::Node node, MustFlowConfiguration config) {
|
||||
private predicate flowsFromSource(Instruction node, MustFlowConfiguration config) {
|
||||
config.isSource(node)
|
||||
or
|
||||
exists(DataFlow::Node mid |
|
||||
exists(Instruction mid |
|
||||
step(mid, node, config) and
|
||||
flowsFromSource(mid, pragma[only_bind_into](config))
|
||||
)
|
||||
|
@ -66,12 +65,12 @@ private predicate flowsFromSource(DataFlow::Node node, MustFlowConfiguration con
|
|||
|
||||
/** Holds if `node` flows to a sink. */
|
||||
pragma[nomagic]
|
||||
private predicate flowsToSink(DataFlow::Node node, MustFlowConfiguration config) {
|
||||
private predicate flowsToSink(Instruction node, MustFlowConfiguration config) {
|
||||
flowsFromSource(node, pragma[only_bind_into](config)) and
|
||||
(
|
||||
config.isSink(node)
|
||||
config.isSink(node.getAUse())
|
||||
or
|
||||
exists(DataFlow::Node mid |
|
||||
exists(Instruction mid |
|
||||
step(node, mid, config) and
|
||||
flowsToSink(mid, pragma[only_bind_into](config))
|
||||
)
|
||||
|
@ -198,12 +197,13 @@ private module Cached {
|
|||
}
|
||||
|
||||
cached
|
||||
predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||
instructionToOperandStep(nodeFrom.asInstruction(), nodeTo.asOperand())
|
||||
predicate step(Instruction nodeFrom, Instruction nodeTo) {
|
||||
exists(Operand mid |
|
||||
instructionToOperandStep(nodeFrom, mid) and
|
||||
operandToInstructionStep(mid, nodeTo)
|
||||
)
|
||||
or
|
||||
flowThroughCallable(nodeFrom.asInstruction(), nodeTo.asInstruction())
|
||||
or
|
||||
operandToInstructionStep(nodeFrom.asOperand(), nodeTo.asInstruction())
|
||||
flowThroughCallable(nodeFrom, nodeTo)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -213,12 +213,12 @@ private module Cached {
|
|||
* way around.
|
||||
*/
|
||||
pragma[inline]
|
||||
private Declaration getEnclosingCallable(DataFlow::Node n) {
|
||||
pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingCallable()
|
||||
private IRFunction getEnclosingCallable(Instruction n) {
|
||||
pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingIRFunction()
|
||||
}
|
||||
|
||||
/** Holds if `nodeFrom` flows to `nodeTo`. */
|
||||
private predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, MustFlowConfiguration config) {
|
||||
private predicate step(Instruction nodeFrom, Instruction nodeTo, MustFlowConfiguration config) {
|
||||
exists(config) and
|
||||
Cached::step(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) and
|
||||
(
|
||||
|
@ -227,37 +227,37 @@ private predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, MustFlowC
|
|||
getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo)
|
||||
)
|
||||
or
|
||||
config.isAdditionalFlowStep(nodeFrom, nodeTo)
|
||||
config.isAdditionalFlowStep(nodeFrom.getAUse(), nodeTo)
|
||||
}
|
||||
|
||||
private newtype TLocalPathNode =
|
||||
MkLocalPathNode(DataFlow::Node n, MustFlowConfiguration config) {
|
||||
MkLocalPathNode(Instruction n, MustFlowConfiguration config) {
|
||||
flowsToSink(n, config) and
|
||||
(
|
||||
config.isSource(n)
|
||||
or
|
||||
exists(MustFlowPathNode mid | step(mid.getNode(), n, config))
|
||||
exists(MustFlowPathNode mid | step(mid.getInstruction(), n, config))
|
||||
)
|
||||
}
|
||||
|
||||
/** A `Node` that is in a path from a source to a sink. */
|
||||
class MustFlowPathNode extends TLocalPathNode {
|
||||
DataFlow::Node n;
|
||||
Instruction n;
|
||||
|
||||
MustFlowPathNode() { this = MkLocalPathNode(n, _) }
|
||||
|
||||
/** Gets the underlying node. */
|
||||
DataFlow::Node getNode() { result = n }
|
||||
Instruction getInstruction() { result = n }
|
||||
|
||||
/** Gets a textual representation of this node. */
|
||||
string toString() { result = n.toString() }
|
||||
string toString() { result = n.getAst().toString() }
|
||||
|
||||
/** Gets the location of this element. */
|
||||
Location getLocation() { result = n.getLocation() }
|
||||
|
||||
/** Gets a successor node, if any. */
|
||||
MustFlowPathNode getASuccessor() {
|
||||
step(this.getNode(), result.getNode(), this.getConfiguration())
|
||||
step(this.getInstruction(), result.getInstruction(), this.getConfiguration())
|
||||
}
|
||||
|
||||
/** Gets the associated configuration. */
|
||||
|
@ -265,7 +265,7 @@ class MustFlowPathNode extends TLocalPathNode {
|
|||
}
|
||||
|
||||
private class MustFlowPathSink extends MustFlowPathNode {
|
||||
MustFlowPathSink() { this.getConfiguration().isSink(this.getNode()) }
|
||||
MustFlowPathSink() { this.getConfiguration().isSink(this.getInstruction().getAUse()) }
|
||||
}
|
||||
|
||||
/**
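Review bot: In the `MustFlowPathNode` hunk the doc comments still describe data-flow nodes although the class now wraps an `Instruction`. Suggest ``/** An `Instruction` that is in a path from a source to a sink. */`` on the class and `/** Gets the underlying instruction. */` on `getInstruction()`. Renaming the public member `getNode()` to `getInstruction()` also changes the API for any external query that reads path nodes, while the breaking-change note in this commit mentions only the `MustFlow::Configuration` predicates, so the note should name the rename as well. The doc comments on `flowsFromSource` and `flowsToSink` likewise say "`node`" for what is now an instruction. Several of these definitions start or end outside the visible hunks.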
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
/**
|
||||
* DEPRECATED: This library has been replaced with a newer version which
|
||||
* provides better performance and precision. Use
|
||||
* `semmle.code.cpp.valuenumbering.GlobalValueNumbering` instead.
|
||||
*
|
||||
* Provides an implementation of Global Value Numbering.
|
||||
* See https://en.wikipedia.org/wiki/Global_value_numbering
|
||||
*
|
||||
|
@ -221,7 +225,7 @@ private newtype GvnBase =
|
|||
* expression with this `GVN` and using its `toString` and `getLocation`
|
||||
* methods.
|
||||
*/
|
||||
class GVN extends GvnBase {
|
||||
deprecated class GVN extends GvnBase {
|
||||
GVN() { this instanceof GvnBase }
|
||||
|
||||
/** Gets an expression that has this GVN. */
|
||||
|
@ -503,7 +507,7 @@ private predicate mk_Deref(GVN p, ControlFlowNode dominator, PointerDereferenceE
|
|||
|
||||
/** Gets the global value number of expression `e`. */
|
||||
cached
|
||||
GVN globalValueNumber(Expr e) {
|
||||
deprecated GVN globalValueNumber(Expr e) {
|
||||
exists(int val, Type t |
|
||||
mk_IntConst(val, t, e) and
|
||||
result = GVN_IntConst(val, t)
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
## 0.4.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
|
|
@ -26,11 +26,11 @@ predicate intentionallyReturnsStackPointer(Function f) {
|
|||
class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
|
||||
ReturnStackAllocatedMemoryConfig() { this = "ReturnStackAllocatedMemoryConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
override predicate isSource(Instruction source) {
|
||||
// Holds if `source` is a node that represents the use of a stack variable
|
||||
exists(VariableAddressInstruction var, Function func |
|
||||
var = source.asInstruction() and
|
||||
func = var.getEnclosingFunction() and
|
||||
var = source and
|
||||
func = source.getEnclosingFunction() and
|
||||
var.getAstVariable() instanceof StackVariable and
|
||||
// Pointer-to-member types aren't properly handled in the dbscheme.
|
||||
not var.getResultType() instanceof PointerToMemberType and
|
||||
|
@ -40,7 +40,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
|
|||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
override predicate isSink(Operand sink) {
|
||||
// Holds if `sink` is a node that represents the `StoreInstruction` that is subsequently used in
|
||||
// a `ReturnValueInstruction`.
|
||||
// We use the `StoreInstruction` instead of the instruction that defines the
|
||||
|
@ -48,7 +48,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
|
|||
exists(StoreInstruction store |
|
||||
store.getDestinationAddress().(VariableAddressInstruction).getIRVariable() instanceof
|
||||
IRReturnVariable and
|
||||
sink.asOperand() = store.getSourceValueOperand()
|
||||
sink = store.getSourceValueOperand()
|
||||
)
|
||||
}
|
||||
|
||||
|
@ -77,10 +77,10 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
|
|||
* }
|
||||
* ```
|
||||
*/
|
||||
override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
node2.asInstruction().(FieldAddressInstruction).getObjectAddressOperand() = node1.asOperand()
|
||||
override predicate isAdditionalFlowStep(Operand node1, Instruction node2) {
|
||||
node2.(FieldAddressInstruction).getObjectAddressOperand() = node1
|
||||
or
|
||||
node2.asInstruction().(PointerOffsetInstruction).getLeftOperand() = node1.asOperand()
|
||||
node2.(PointerOffsetInstruction).getLeftOperand() = node1
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -89,6 +89,6 @@ from
|
|||
ReturnStackAllocatedMemoryConfig conf
|
||||
where
|
||||
conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
|
||||
source.getNode().asInstruction() = var
|
||||
select sink.getNode(), source, sink, "May return stack-allocated memory from $@.", var.getAst(),
|
||||
var.getAst().toString()
|
||||
source.getInstruction() = var
|
||||
select sink.getInstruction(), source, sink, "May return stack-allocated memory from $@.",
|
||||
var.getAst(), var.getAst().toString()
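Review bot: The comments inside `isSource` and `isSink` still speak of a "node", and the one in `isSink` says the sink represents the `StoreInstruction`, whereas the predicate now binds `sink` to `store.getSourceValueOperand()`. A comment such as ``// Holds if `sink` is the source-value operand of a `StoreInstruction` that writes the return variable.`` would match the new `Operand` signature. In `isSource` the comment could likewise say ``// Holds if `source` is the `VariableAddressInstruction` of a stack variable``. Both predicate bodies continue outside the hunks shown.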
|
||||
|
|
|
@ -22,37 +22,40 @@ import PathGraph
|
|||
class UnsafeUseOfThisConfig extends MustFlowConfiguration {
|
||||
UnsafeUseOfThisConfig() { this = "UnsafeUseOfThisConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { isSource(source, _, _) }
|
||||
override predicate isSource(Instruction source) { isSource(source, _, _) }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
|
||||
override predicate isSink(Operand sink) { isSink(sink, _) }
|
||||
}
|
||||
|
||||
/** Holds if `instr` is a `this` pointer used by the call instruction `call`. */
|
||||
predicate isSink(DataFlow::Node sink, CallInstruction call) {
|
||||
/** Holds if `sink` is a `this` pointer used by the call instruction `call`. */
|
||||
predicate isSink(Operand sink, CallInstruction call) {
|
||||
exists(PureVirtualFunction func |
|
||||
call.getStaticCallTarget() = func and
|
||||
call.getThisArgument() = sink.asInstruction() and
|
||||
call.getThisArgumentOperand() = sink and
|
||||
// Weed out implicit calls to destructors of a base class
|
||||
not func instanceof Destructor
|
||||
)
|
||||
}
|
||||
|
||||
/** Holds if `init` initializes the `this` pointer in class `c`. */
|
||||
predicate isSource(DataFlow::Node source, string msg, Class c) {
|
||||
exists(InitializeParameterInstruction init | init = source.asInstruction() |
|
||||
(
|
||||
exists(Constructor func |
|
||||
not func instanceof CopyConstructor and
|
||||
not func instanceof MoveConstructor and
|
||||
func = init.getEnclosingFunction() and
|
||||
msg = "construction"
|
||||
)
|
||||
or
|
||||
init.getEnclosingFunction() instanceof Destructor and msg = "destruction"
|
||||
) and
|
||||
init.getIRVariable() instanceof IRThisVariable and
|
||||
init.getEnclosingFunction().getDeclaringType() = c
|
||||
)
|
||||
/**
|
||||
* Holds if `source` initializes the `this` pointer in class `c`.
|
||||
*
|
||||
* The string `msg` describes whether the enclosing function is a
|
||||
* constructor or destructor.
|
||||
*/
|
||||
predicate isSource(InitializeParameterInstruction source, string msg, Class c) {
|
||||
(
|
||||
exists(Constructor func |
|
||||
not func instanceof CopyConstructor and
|
||||
not func instanceof MoveConstructor and
|
||||
func = source.getEnclosingFunction() and
|
||||
msg = "construction"
|
||||
)
|
||||
or
|
||||
source.getEnclosingFunction() instanceof Destructor and msg = "destruction"
|
||||
) and
|
||||
source.getIRVariable() instanceof IRThisVariable and
|
||||
source.getEnclosingFunction().getDeclaringType() = c
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -68,8 +71,8 @@ predicate flows(
|
|||
) {
|
||||
exists(UnsafeUseOfThisConfig conf |
|
||||
conf.hasFlowPath(source, sink) and
|
||||
isSource(source.getNode(), msg, sourceClass) and
|
||||
isSink(sink.getNode(), call)
|
||||
isSource(source.getInstruction(), msg, sourceClass) and
|
||||
isSink(sink.getInstruction().getAUse(), call)
|
||||
)
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
## 0.4.4
|
||||
|
||||
No user-facing changes.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 0.4.3
|
||||
lastReleaseVersion: 0.4.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/cpp-queries
|
||||
version: 0.4.4-dev
|
||||
version: 0.4.5-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
WARNING: Type GVN has been deprecated and may be removed in future (ast_gvn.ql:4,6-9)
|
||||
| test.cpp:5:3:5:3 | x | 5:c3-c3 6:c3-c3 |
|
||||
| test.cpp:5:7:5:8 | p0 | 5:c7-c8 6:c7-c8 |
|
||||
| test.cpp:5:7:5:13 | ... + ... | 5:c7-c13 6:c7-c13 7:c7-c7 |
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
WARNING: Predicate globalValueNumber has been deprecated and may be removed in future (ast_uniqueness.ql:7,13-30)
|
||||
WARNING: Predicate globalValueNumber has been deprecated and may be removed in future (ast_uniqueness.ql:8,30-47)
|
||||
WARNING: Type GVN has been deprecated and may be removed in future (ast_uniqueness.ql:8,18-21)
|
|
@ -1,3 +1,4 @@
|
|||
WARNING: Predicate globalValueNumber has been deprecated and may be removed in future (diff_ir_expr.ql:8,29-51)
|
||||
| test.cpp:5:3:5:13 | ... = ... | test.cpp:5:3:5:13 | ... = ... | AST only |
|
||||
| test.cpp:6:3:6:13 | ... = ... | test.cpp:6:3:6:13 | ... = ... | AST only |
|
||||
| test.cpp:7:3:7:7 | ... = ... | test.cpp:7:3:7:7 | ... = ... | AST only |
|
||||
|
|
|
@ -1,103 +1,61 @@
|
|||
edges
|
||||
| test.cpp:7:3:7:3 | this | test.cpp:8:12:8:15 | Load |
|
||||
| test.cpp:8:12:8:15 | Load | test.cpp:8:12:8:15 | this |
|
||||
| test.cpp:7:3:7:3 | B | test.cpp:8:12:8:15 | this |
|
||||
| test.cpp:8:12:8:15 | this | test.cpp:34:16:34:16 | x |
|
||||
| test.cpp:11:8:11:8 | b | test.cpp:12:5:12:5 | Load |
|
||||
| test.cpp:12:5:12:5 | (reference dereference) | test.cpp:12:5:12:5 | Unary |
|
||||
| test.cpp:12:5:12:5 | Load | test.cpp:12:5:12:5 | b |
|
||||
| test.cpp:12:5:12:5 | Unary | test.cpp:12:5:12:5 | (A)... |
|
||||
| test.cpp:12:5:12:5 | Unary | test.cpp:12:5:12:5 | (reference dereference) |
|
||||
| test.cpp:12:5:12:5 | b | test.cpp:12:5:12:5 | Unary |
|
||||
| test.cpp:15:3:15:4 | this | test.cpp:16:5:16:5 | Load |
|
||||
| test.cpp:16:5:16:5 | Load | test.cpp:16:5:16:5 | this |
|
||||
| test.cpp:16:5:16:5 | Unary | file://:0:0:0:0 | (A *)... |
|
||||
| test.cpp:16:5:16:5 | this | test.cpp:16:5:16:5 | Unary |
|
||||
| test.cpp:21:3:21:3 | Unary | test.cpp:21:13:21:13 | ConvertToNonVirtualBase |
|
||||
| test.cpp:21:3:21:3 | this | test.cpp:21:3:21:3 | Unary |
|
||||
| test.cpp:21:3:21:3 | this | test.cpp:22:12:22:15 | Load |
|
||||
| test.cpp:21:3:21:3 | this | test.cpp:25:7:25:10 | Load |
|
||||
| test.cpp:21:13:21:13 | ConvertToNonVirtualBase | test.cpp:7:3:7:3 | this |
|
||||
| test.cpp:11:8:11:8 | b | test.cpp:12:5:12:5 | b |
|
||||
| test.cpp:12:5:12:5 | (reference dereference) | test.cpp:12:5:12:5 | (A)... |
|
||||
| test.cpp:12:5:12:5 | b | test.cpp:12:5:12:5 | (reference dereference) |
|
||||
| test.cpp:15:3:15:4 | ~B | test.cpp:16:5:16:5 | this |
|
||||
| test.cpp:16:5:16:5 | this | file://:0:0:0:0 | (A *)... |
|
||||
| test.cpp:21:3:21:3 | C | test.cpp:21:13:21:13 | call to B |
|
||||
| test.cpp:21:3:21:3 | C | test.cpp:22:12:22:15 | this |
|
||||
| test.cpp:21:3:21:3 | C | test.cpp:25:7:25:10 | this |
|
||||
| test.cpp:21:13:21:13 | call to B | test.cpp:7:3:7:3 | B |
|
||||
| test.cpp:22:12:22:15 | (B *)... | test.cpp:34:16:34:16 | x |
|
||||
| test.cpp:22:12:22:15 | Load | test.cpp:22:12:22:15 | this |
|
||||
| test.cpp:22:12:22:15 | Unary | test.cpp:22:12:22:15 | (B *)... |
|
||||
| test.cpp:22:12:22:15 | this | test.cpp:22:12:22:15 | Unary |
|
||||
| test.cpp:25:7:25:10 | (B *)... | test.cpp:25:7:25:10 | Unary |
|
||||
| test.cpp:25:7:25:10 | Load | test.cpp:25:7:25:10 | this |
|
||||
| test.cpp:25:7:25:10 | Unary | test.cpp:25:7:25:10 | (A *)... |
|
||||
| test.cpp:25:7:25:10 | Unary | test.cpp:25:7:25:10 | (B *)... |
|
||||
| test.cpp:25:7:25:10 | this | test.cpp:25:7:25:10 | Unary |
|
||||
| test.cpp:31:3:31:3 | this | test.cpp:31:12:31:15 | Load |
|
||||
| test.cpp:31:11:31:15 | (B)... | test.cpp:31:11:31:15 | Unary |
|
||||
| test.cpp:22:12:22:15 | this | test.cpp:22:12:22:15 | (B *)... |
|
||||
| test.cpp:25:7:25:10 | (B *)... | test.cpp:25:7:25:10 | (A *)... |
|
||||
| test.cpp:25:7:25:10 | this | test.cpp:25:7:25:10 | (B *)... |
|
||||
| test.cpp:31:3:31:3 | D | test.cpp:31:12:31:15 | this |
|
||||
| test.cpp:31:11:31:15 | (B)... | test.cpp:31:11:31:15 | (reference to) |
|
||||
| test.cpp:31:11:31:15 | (reference to) | test.cpp:11:8:11:8 | b |
|
||||
| test.cpp:31:11:31:15 | * ... | test.cpp:31:11:31:15 | Unary |
|
||||
| test.cpp:31:11:31:15 | Unary | test.cpp:31:11:31:15 | (B)... |
|
||||
| test.cpp:31:11:31:15 | Unary | test.cpp:31:11:31:15 | (reference to) |
|
||||
| test.cpp:31:12:31:15 | Load | test.cpp:31:12:31:15 | this |
|
||||
| test.cpp:31:12:31:15 | Unary | test.cpp:31:11:31:15 | * ... |
|
||||
| test.cpp:31:12:31:15 | this | test.cpp:31:12:31:15 | Unary |
|
||||
| test.cpp:34:16:34:16 | x | test.cpp:35:3:35:3 | Load |
|
||||
| test.cpp:35:3:35:3 | Load | test.cpp:35:3:35:3 | x |
|
||||
| test.cpp:35:3:35:3 | Unary | test.cpp:35:3:35:3 | (A *)... |
|
||||
| test.cpp:35:3:35:3 | x | test.cpp:35:3:35:3 | Unary |
|
||||
| test.cpp:47:3:47:3 | this | test.cpp:48:10:48:13 | Load |
|
||||
| test.cpp:48:10:48:13 | (E *)... | test.cpp:48:10:48:13 | Unary |
|
||||
| test.cpp:48:10:48:13 | Load | test.cpp:48:10:48:13 | this |
|
||||
| test.cpp:48:10:48:13 | Unary | test.cpp:48:6:48:13 | (A *)... |
|
||||
| test.cpp:48:10:48:13 | Unary | test.cpp:48:10:48:13 | (E *)... |
|
||||
| test.cpp:48:10:48:13 | this | test.cpp:48:10:48:13 | Unary |
|
||||
| test.cpp:31:11:31:15 | * ... | test.cpp:31:11:31:15 | (B)... |
|
||||
| test.cpp:31:12:31:15 | this | test.cpp:31:11:31:15 | * ... |
|
||||
| test.cpp:34:16:34:16 | x | test.cpp:35:3:35:3 | x |
|
||||
| test.cpp:35:3:35:3 | x | test.cpp:35:3:35:3 | (A *)... |
|
||||
| test.cpp:47:3:47:3 | F | test.cpp:48:10:48:13 | this |
|
||||
| test.cpp:48:10:48:13 | (E *)... | test.cpp:48:6:48:13 | (A *)... |
|
||||
| test.cpp:48:10:48:13 | this | test.cpp:48:10:48:13 | (E *)... |
|
||||
nodes
|
||||
| file://:0:0:0:0 | (A *)... | semmle.label | (A *)... |
|
||||
| test.cpp:7:3:7:3 | this | semmle.label | this |
|
||||
| test.cpp:8:12:8:15 | Load | semmle.label | Load |
|
||||
| test.cpp:7:3:7:3 | B | semmle.label | B |
|
||||
| test.cpp:8:12:8:15 | this | semmle.label | this |
|
||||
| test.cpp:11:8:11:8 | b | semmle.label | b |
|
||||
| test.cpp:12:5:12:5 | (A)... | semmle.label | (A)... |
|
||||
| test.cpp:12:5:12:5 | (reference dereference) | semmle.label | (reference dereference) |
|
||||
| test.cpp:12:5:12:5 | Load | semmle.label | Load |
|
||||
| test.cpp:12:5:12:5 | Unary | semmle.label | Unary |
|
||||
| test.cpp:12:5:12:5 | Unary | semmle.label | Unary |
|
||||
| test.cpp:12:5:12:5 | b | semmle.label | b |
|
||||
| test.cpp:15:3:15:4 | this | semmle.label | this |
|
||||
| test.cpp:16:5:16:5 | Load | semmle.label | Load |
|
||||
| test.cpp:16:5:16:5 | Unary | semmle.label | Unary |
|
||||
| test.cpp:15:3:15:4 | ~B | semmle.label | ~B |
|
||||
| test.cpp:16:5:16:5 | this | semmle.label | this |
|
||||
| test.cpp:21:3:21:3 | Unary | semmle.label | Unary |
|
||||
| test.cpp:21:3:21:3 | this | semmle.label | this |
|
||||
| test.cpp:21:13:21:13 | ConvertToNonVirtualBase | semmle.label | ConvertToNonVirtualBase |
|
||||
| test.cpp:21:3:21:3 | C | semmle.label | C |
|
||||
| test.cpp:21:13:21:13 | call to B | semmle.label | call to B |
|
||||
| test.cpp:22:12:22:15 | (B *)... | semmle.label | (B *)... |
|
||||
| test.cpp:22:12:22:15 | Load | semmle.label | Load |
|
||||
| test.cpp:22:12:22:15 | Unary | semmle.label | Unary |
|
||||
| test.cpp:22:12:22:15 | this | semmle.label | this |
|
||||
| test.cpp:25:7:25:10 | (A *)... | semmle.label | (A *)... |
|
||||
| test.cpp:25:7:25:10 | (B *)... | semmle.label | (B *)... |
|
||||
| test.cpp:25:7:25:10 | Load | semmle.label | Load |
|
||||
| test.cpp:25:7:25:10 | Unary | semmle.label | Unary |
|
||||
| test.cpp:25:7:25:10 | Unary | semmle.label | Unary |
|
||||
| test.cpp:25:7:25:10 | this | semmle.label | this |
|
||||
| test.cpp:31:3:31:3 | this | semmle.label | this |
|
||||
| test.cpp:31:3:31:3 | D | semmle.label | D |
|
||||
| test.cpp:31:11:31:15 | (B)... | semmle.label | (B)... |
|
||||
| test.cpp:31:11:31:15 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:31:11:31:15 | * ... | semmle.label | * ... |
|
||||
| test.cpp:31:11:31:15 | Unary | semmle.label | Unary |
|
||||
| test.cpp:31:11:31:15 | Unary | semmle.label | Unary |
|
||||
| test.cpp:31:12:31:15 | Load | semmle.label | Load |
|
||||
| test.cpp:31:12:31:15 | Unary | semmle.label | Unary |
|
||||
| test.cpp:31:12:31:15 | this | semmle.label | this |
|
||||
| test.cpp:34:16:34:16 | x | semmle.label | x |
|
||||
| test.cpp:35:3:35:3 | (A *)... | semmle.label | (A *)... |
|
||||
| test.cpp:35:3:35:3 | Load | semmle.label | Load |
|
||||
| test.cpp:35:3:35:3 | Unary | semmle.label | Unary |
|
||||
| test.cpp:35:3:35:3 | x | semmle.label | x |
|
||||
| test.cpp:47:3:47:3 | this | semmle.label | this |
|
||||
| test.cpp:47:3:47:3 | F | semmle.label | F |
|
||||
| test.cpp:48:6:48:13 | (A *)... | semmle.label | (A *)... |
|
||||
| test.cpp:48:10:48:13 | (E *)... | semmle.label | (E *)... |
|
||||
| test.cpp:48:10:48:13 | Load | semmle.label | Load |
|
||||
| test.cpp:48:10:48:13 | Unary | semmle.label | Unary |
|
||||
| test.cpp:48:10:48:13 | Unary | semmle.label | Unary |
|
||||
| test.cpp:48:10:48:13 | this | semmle.label | this |
|
||||
#select
|
||||
| test.cpp:12:7:12:7 | call to f | test.cpp:31:3:31:3 | this | test.cpp:12:5:12:5 | (A)... | Call to pure virtual function during construction. |
|
||||
| test.cpp:16:5:16:5 | call to f | test.cpp:15:3:15:4 | this | file://:0:0:0:0 | (A *)... | Call to pure virtual function during destruction. |
|
||||
| test.cpp:25:13:25:13 | call to f | test.cpp:21:3:21:3 | this | test.cpp:25:7:25:10 | (A *)... | Call to pure virtual function during construction. |
|
||||
| test.cpp:35:6:35:6 | call to f | test.cpp:7:3:7:3 | this | test.cpp:35:3:35:3 | (A *)... | Call to pure virtual function during construction. |
|
||||
| test.cpp:35:6:35:6 | call to f | test.cpp:21:3:21:3 | this | test.cpp:35:3:35:3 | (A *)... | Call to pure virtual function during construction. |
|
||||
| test.cpp:12:7:12:7 | call to f | test.cpp:31:3:31:3 | D | test.cpp:12:5:12:5 | (A)... | Call to pure virtual function during construction. |
|
||||
| test.cpp:16:5:16:5 | call to f | test.cpp:15:3:15:4 | ~B | file://:0:0:0:0 | (A *)... | Call to pure virtual function during destruction. |
|
||||
| test.cpp:25:13:25:13 | call to f | test.cpp:21:3:21:3 | C | test.cpp:25:7:25:10 | (A *)... | Call to pure virtual function during construction. |
|
||||
| test.cpp:35:6:35:6 | call to f | test.cpp:7:3:7:3 | B | test.cpp:35:3:35:3 | (A *)... | Call to pure virtual function during construction. |
|
||||
| test.cpp:35:6:35:6 | call to f | test.cpp:21:3:21:3 | C | test.cpp:35:3:35:3 | (A *)... | Call to pure virtual function during construction. |
|
||||
|
|
|
@ -1,231 +1,117 @@
|
|||
edges
|
||||
| test.cpp:17:9:17:11 | & ... | test.cpp:17:9:17:11 | StoreValue |
|
||||
| test.cpp:17:10:17:11 | Unary | test.cpp:17:9:17:11 | & ... |
|
||||
| test.cpp:17:10:17:11 | mc | test.cpp:17:10:17:11 | Unary |
|
||||
| test.cpp:23:17:23:19 | & ... | test.cpp:23:17:23:19 | StoreValue |
|
||||
| test.cpp:23:17:23:19 | Store | test.cpp:25:9:25:11 | Load |
|
||||
| test.cpp:23:17:23:19 | StoreValue | test.cpp:23:17:23:19 | Store |
|
||||
| test.cpp:23:18:23:19 | Unary | test.cpp:23:17:23:19 | & ... |
|
||||
| test.cpp:23:18:23:19 | mc | test.cpp:23:18:23:19 | Unary |
|
||||
| test.cpp:25:9:25:11 | Load | test.cpp:25:9:25:11 | ptr |
|
||||
| test.cpp:25:9:25:11 | ptr | test.cpp:25:9:25:11 | StoreValue |
|
||||
| test.cpp:39:17:39:18 | (reference to) | test.cpp:39:17:39:18 | StoreValue |
|
||||
| test.cpp:39:17:39:18 | Store | test.cpp:41:10:41:12 | Load |
|
||||
| test.cpp:39:17:39:18 | StoreValue | test.cpp:39:17:39:18 | Store |
|
||||
| test.cpp:39:17:39:18 | Unary | test.cpp:39:17:39:18 | (reference to) |
|
||||
| test.cpp:39:17:39:18 | mc | test.cpp:39:17:39:18 | Unary |
|
||||
| test.cpp:41:9:41:12 | & ... | test.cpp:41:9:41:12 | StoreValue |
|
||||
| test.cpp:41:10:41:12 | (reference dereference) | test.cpp:41:10:41:12 | Unary |
|
||||
| test.cpp:41:10:41:12 | Load | test.cpp:41:10:41:12 | ref |
|
||||
| test.cpp:41:10:41:12 | Unary | test.cpp:41:9:41:12 | & ... |
|
||||
| test.cpp:41:10:41:12 | Unary | test.cpp:41:10:41:12 | (reference dereference) |
|
||||
| test.cpp:41:10:41:12 | ref | test.cpp:41:10:41:12 | Unary |
|
||||
| test.cpp:47:9:47:10 | (reference to) | test.cpp:47:9:47:10 | StoreValue |
|
||||
| test.cpp:47:9:47:10 | Unary | test.cpp:47:9:47:10 | (reference to) |
|
||||
| test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | Unary |
|
||||
| test.cpp:54:9:54:15 | & ... | test.cpp:54:9:54:15 | StoreValue |
|
||||
| test.cpp:54:11:54:12 | Unary | test.cpp:54:14:54:14 | a |
|
||||
| test.cpp:54:11:54:12 | mc | test.cpp:54:11:54:12 | Unary |
|
||||
| test.cpp:54:14:54:14 | Unary | test.cpp:54:9:54:15 | & ... |
|
||||
| test.cpp:54:14:54:14 | a | test.cpp:54:14:54:14 | Unary |
|
||||
| test.cpp:89:3:89:11 | Store | test.cpp:92:9:92:11 | Load |
|
||||
| test.cpp:89:9:89:11 | & ... | test.cpp:89:9:89:11 | StoreValue |
|
||||
| test.cpp:89:9:89:11 | StoreValue | test.cpp:89:3:89:11 | Store |
|
||||
| test.cpp:89:10:89:11 | Unary | test.cpp:89:9:89:11 | & ... |
|
||||
| test.cpp:89:10:89:11 | mc | test.cpp:89:10:89:11 | Unary |
|
||||
| test.cpp:92:9:92:11 | Load | test.cpp:92:9:92:11 | ptr |
|
||||
| test.cpp:92:9:92:11 | ptr | test.cpp:92:9:92:11 | StoreValue |
|
||||
| test.cpp:112:9:112:11 | Unary | test.cpp:112:9:112:11 | array to pointer conversion |
|
||||
| test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | Unary |
|
||||
| test.cpp:112:9:112:11 | array to pointer conversion | test.cpp:112:9:112:11 | StoreValue |
|
||||
| test.cpp:119:9:119:18 | & ... | test.cpp:119:9:119:18 | StoreValue |
|
||||
| test.cpp:119:11:119:13 | Left | test.cpp:119:11:119:17 | access to array |
|
||||
| test.cpp:119:11:119:13 | Unary | test.cpp:119:11:119:13 | array to pointer conversion |
|
||||
| test.cpp:119:11:119:13 | arr | test.cpp:119:11:119:13 | Unary |
|
||||
| test.cpp:119:11:119:13 | array to pointer conversion | test.cpp:119:11:119:13 | Left |
|
||||
| test.cpp:119:11:119:17 | Unary | test.cpp:119:9:119:18 | & ... |
|
||||
| test.cpp:119:11:119:17 | access to array | test.cpp:119:11:119:17 | Unary |
|
||||
| test.cpp:134:2:134:14 | Store | test.cpp:135:2:135:4 | Load |
|
||||
| test.cpp:134:8:134:10 | Left | test.cpp:134:8:134:14 | ... + ... |
|
||||
| test.cpp:134:8:134:10 | Unary | test.cpp:134:8:134:10 | array to pointer conversion |
|
||||
| test.cpp:134:8:134:10 | arr | test.cpp:134:8:134:10 | Unary |
|
||||
| test.cpp:134:8:134:10 | array to pointer conversion | test.cpp:134:8:134:10 | Left |
|
||||
| test.cpp:134:8:134:14 | ... + ... | test.cpp:134:8:134:14 | StoreValue |
|
||||
| test.cpp:134:8:134:14 | StoreValue | test.cpp:134:2:134:14 | Store |
|
||||
| test.cpp:135:2:135:4 | Left | test.cpp:135:2:135:6 | PointerAdd |
|
||||
| test.cpp:135:2:135:4 | Load | test.cpp:135:2:135:4 | ptr |
|
||||
| test.cpp:135:2:135:4 | ptr | test.cpp:135:2:135:4 | Left |
|
||||
| test.cpp:135:2:135:6 | PointerAdd | test.cpp:135:2:135:6 | StoreValue |
|
||||
| test.cpp:135:2:135:6 | Store | test.cpp:137:9:137:11 | Load |
|
||||
| test.cpp:135:2:135:6 | StoreValue | test.cpp:135:2:135:6 | Store |
|
||||
| test.cpp:137:9:137:11 | Load | test.cpp:137:9:137:11 | ptr |
|
||||
| test.cpp:137:9:137:11 | ptr | test.cpp:137:9:137:11 | StoreValue |
|
||||
| test.cpp:170:26:170:41 | (void *)... | test.cpp:170:26:170:41 | StoreValue |
|
||||
| test.cpp:170:26:170:41 | Store | test.cpp:171:10:171:23 | Load |
|
||||
| test.cpp:170:26:170:41 | StoreValue | test.cpp:170:26:170:41 | Store |
|
||||
| test.cpp:170:34:170:41 | & ... | test.cpp:170:34:170:41 | Unary |
|
||||
| test.cpp:170:34:170:41 | Unary | test.cpp:170:26:170:41 | (void *)... |
|
||||
| test.cpp:170:35:170:41 | Unary | test.cpp:170:34:170:41 | & ... |
|
||||
| test.cpp:170:35:170:41 | myLocal | test.cpp:170:35:170:41 | Unary |
|
||||
| test.cpp:171:10:171:23 | Load | test.cpp:171:10:171:23 | pointerToLocal |
|
||||
| test.cpp:171:10:171:23 | pointerToLocal | test.cpp:171:10:171:23 | StoreValue |
|
||||
| test.cpp:176:25:176:34 | Store | test.cpp:177:10:177:23 | Load |
|
||||
| test.cpp:176:25:176:34 | StoreValue | test.cpp:176:25:176:34 | Store |
|
||||
| test.cpp:176:25:176:34 | Unary | test.cpp:176:25:176:34 | array to pointer conversion |
|
||||
| test.cpp:176:25:176:34 | array to pointer conversion | test.cpp:176:25:176:34 | StoreValue |
|
||||
| test.cpp:176:25:176:34 | localArray | test.cpp:176:25:176:34 | Unary |
|
||||
| test.cpp:177:10:177:23 | (void *)... | test.cpp:177:10:177:23 | StoreValue |
|
||||
| test.cpp:177:10:177:23 | Load | test.cpp:177:10:177:23 | pointerToLocal |
|
||||
| test.cpp:177:10:177:23 | Unary | test.cpp:177:10:177:23 | (void *)... |
|
||||
| test.cpp:177:10:177:23 | pointerToLocal | test.cpp:177:10:177:23 | Unary |
|
||||
| test.cpp:182:21:182:27 | (reference to) | test.cpp:182:21:182:27 | StoreValue |
|
||||
| test.cpp:182:21:182:27 | Store | test.cpp:183:10:183:19 | Load |
|
||||
| test.cpp:182:21:182:27 | StoreValue | test.cpp:182:21:182:27 | Store |
|
||||
| test.cpp:182:21:182:27 | Unary | test.cpp:182:21:182:27 | (reference to) |
|
||||
| test.cpp:182:21:182:27 | myLocal | test.cpp:182:21:182:27 | Unary |
|
||||
| test.cpp:183:10:183:19 | (reference dereference) | test.cpp:183:10:183:19 | Unary |
|
||||
| test.cpp:183:10:183:19 | (reference to) | test.cpp:183:10:183:19 | StoreValue |
|
||||
| test.cpp:183:10:183:19 | Load | test.cpp:183:10:183:19 | refToLocal |
|
||||
| test.cpp:183:10:183:19 | Unary | test.cpp:183:10:183:19 | (reference dereference) |
|
||||
| test.cpp:183:10:183:19 | Unary | test.cpp:183:10:183:19 | (reference to) |
|
||||
| test.cpp:183:10:183:19 | refToLocal | test.cpp:183:10:183:19 | Unary |
|
||||
| test.cpp:189:16:189:16 | (reference to) | test.cpp:189:16:189:16 | StoreValue |
|
||||
| test.cpp:189:16:189:16 | Store | test.cpp:190:10:190:13 | Load |
|
||||
| test.cpp:189:16:189:16 | StoreValue | test.cpp:189:16:189:16 | Store |
|
||||
| test.cpp:189:16:189:16 | Unary | test.cpp:189:16:189:16 | (reference to) |
|
||||
| test.cpp:189:16:189:16 | p | test.cpp:189:16:189:16 | Unary |
|
||||
| test.cpp:190:10:190:13 | (reference dereference) | test.cpp:190:10:190:13 | Unary |
|
||||
| test.cpp:190:10:190:13 | (reference to) | test.cpp:190:10:190:13 | StoreValue |
|
||||
| test.cpp:190:10:190:13 | Load | test.cpp:190:10:190:13 | pRef |
|
||||
| test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference dereference) |
|
||||
| test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference to) |
|
||||
| test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | Unary |
|
||||
| test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... |
|
||||
| test.cpp:23:17:23:19 | & ... | test.cpp:23:17:23:19 | & ... |
|
||||
| test.cpp:23:17:23:19 | & ... | test.cpp:25:9:25:11 | ptr |
|
||||
| test.cpp:23:18:23:19 | mc | test.cpp:23:17:23:19 | & ... |
|
||||
| test.cpp:39:17:39:18 | (reference to) | test.cpp:39:17:39:18 | (reference to) |
|
||||
| test.cpp:39:17:39:18 | (reference to) | test.cpp:41:10:41:12 | ref |
|
||||
| test.cpp:39:17:39:18 | mc | test.cpp:39:17:39:18 | (reference to) |
|
||||
| test.cpp:41:10:41:12 | (reference dereference) | test.cpp:41:9:41:12 | & ... |
|
||||
| test.cpp:41:10:41:12 | ref | test.cpp:41:10:41:12 | (reference dereference) |
|
||||
| test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) |
|
||||
| test.cpp:54:11:54:12 | mc | test.cpp:54:14:54:14 | a |
|
||||
| test.cpp:54:14:54:14 | a | test.cpp:54:9:54:15 | & ... |
|
||||
| test.cpp:89:3:89:11 | ... = ... | test.cpp:92:9:92:11 | ptr |
|
||||
| test.cpp:89:9:89:11 | & ... | test.cpp:89:3:89:11 | ... = ... |
|
||||
| test.cpp:89:10:89:11 | mc | test.cpp:89:9:89:11 | & ... |
|
||||
| test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion |
|
||||
| test.cpp:119:11:119:13 | arr | test.cpp:119:11:119:13 | array to pointer conversion |
|
||||
| test.cpp:119:11:119:13 | array to pointer conversion | test.cpp:119:11:119:17 | access to array |
|
||||
| test.cpp:119:11:119:17 | access to array | test.cpp:119:9:119:18 | & ... |
|
||||
| test.cpp:134:2:134:14 | ... = ... | test.cpp:135:2:135:4 | ptr |
|
||||
| test.cpp:134:8:134:10 | arr | test.cpp:134:8:134:10 | array to pointer conversion |
|
||||
| test.cpp:134:8:134:10 | array to pointer conversion | test.cpp:134:8:134:14 | ... + ... |
|
||||
| test.cpp:134:8:134:14 | ... + ... | test.cpp:134:2:134:14 | ... = ... |
|
||||
| test.cpp:135:2:135:4 | ptr | test.cpp:135:2:135:6 | ... ++ |
|
||||
| test.cpp:135:2:135:6 | ... ++ | test.cpp:135:2:135:6 | ... ++ |
|
||||
| test.cpp:135:2:135:6 | ... ++ | test.cpp:137:9:137:11 | ptr |
|
||||
| test.cpp:170:26:170:41 | (void *)... | test.cpp:170:26:170:41 | (void *)... |
|
||||
| test.cpp:170:26:170:41 | (void *)... | test.cpp:171:10:171:23 | pointerToLocal |
|
||||
| test.cpp:170:34:170:41 | & ... | test.cpp:170:26:170:41 | (void *)... |
|
||||
| test.cpp:170:35:170:41 | myLocal | test.cpp:170:34:170:41 | & ... |
|
||||
| test.cpp:176:25:176:34 | array to pointer conversion | test.cpp:176:25:176:34 | array to pointer conversion |
|
||||
| test.cpp:176:25:176:34 | array to pointer conversion | test.cpp:177:10:177:23 | pointerToLocal |
|
||||
| test.cpp:176:25:176:34 | localArray | test.cpp:176:25:176:34 | array to pointer conversion |
|
||||
| test.cpp:177:10:177:23 | pointerToLocal | test.cpp:177:10:177:23 | (void *)... |
|
||||
| test.cpp:182:21:182:27 | (reference to) | test.cpp:182:21:182:27 | (reference to) |
|
||||
| test.cpp:182:21:182:27 | (reference to) | test.cpp:183:10:183:19 | refToLocal |
|
||||
| test.cpp:182:21:182:27 | myLocal | test.cpp:182:21:182:27 | (reference to) |
|
||||
| test.cpp:183:10:183:19 | (reference dereference) | test.cpp:183:10:183:19 | (reference to) |
|
||||
| test.cpp:183:10:183:19 | refToLocal | test.cpp:183:10:183:19 | (reference dereference) |
|
||||
| test.cpp:189:16:189:16 | (reference to) | test.cpp:189:16:189:16 | (reference to) |
|
||||
| test.cpp:189:16:189:16 | (reference to) | test.cpp:190:10:190:13 | pRef |
|
||||
| test.cpp:189:16:189:16 | p | test.cpp:189:16:189:16 | (reference to) |
|
||||
| test.cpp:190:10:190:13 | (reference dereference) | test.cpp:190:10:190:13 | (reference to) |
|
||||
| test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | (reference dereference) |
|
||||
nodes
|
||||
| test.cpp:17:9:17:11 | & ... | semmle.label | & ... |
|
||||
| test.cpp:17:9:17:11 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:17:10:17:11 | Unary | semmle.label | Unary |
|
||||
| test.cpp:17:10:17:11 | mc | semmle.label | mc |
|
||||
| test.cpp:23:17:23:19 | & ... | semmle.label | & ... |
|
||||
| test.cpp:23:17:23:19 | Store | semmle.label | Store |
|
||||
| test.cpp:23:17:23:19 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:23:18:23:19 | Unary | semmle.label | Unary |
|
||||
| test.cpp:23:17:23:19 | & ... | semmle.label | & ... |
|
||||
| test.cpp:23:18:23:19 | mc | semmle.label | mc |
|
||||
| test.cpp:25:9:25:11 | Load | semmle.label | Load |
|
||||
| test.cpp:25:9:25:11 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:25:9:25:11 | ptr | semmle.label | ptr |
|
||||
| test.cpp:39:17:39:18 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:39:17:39:18 | Store | semmle.label | Store |
|
||||
| test.cpp:39:17:39:18 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:39:17:39:18 | Unary | semmle.label | Unary |
|
||||
| test.cpp:39:17:39:18 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:39:17:39:18 | mc | semmle.label | mc |
|
||||
| test.cpp:41:9:41:12 | & ... | semmle.label | & ... |
|
||||
| test.cpp:41:9:41:12 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:41:10:41:12 | (reference dereference) | semmle.label | (reference dereference) |
|
||||
| test.cpp:41:10:41:12 | Load | semmle.label | Load |
|
||||
| test.cpp:41:10:41:12 | Unary | semmle.label | Unary |
|
||||
| test.cpp:41:10:41:12 | Unary | semmle.label | Unary |
|
||||
| test.cpp:41:10:41:12 | ref | semmle.label | ref |
|
||||
| test.cpp:47:9:47:10 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:47:9:47:10 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:47:9:47:10 | Unary | semmle.label | Unary |
|
||||
| test.cpp:47:9:47:10 | mc | semmle.label | mc |
|
||||
| test.cpp:54:9:54:15 | & ... | semmle.label | & ... |
|
||||
| test.cpp:54:9:54:15 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:54:11:54:12 | Unary | semmle.label | Unary |
|
||||
| test.cpp:54:11:54:12 | mc | semmle.label | mc |
|
||||
| test.cpp:54:14:54:14 | Unary | semmle.label | Unary |
|
||||
| test.cpp:54:14:54:14 | a | semmle.label | a |
|
||||
| test.cpp:89:3:89:11 | Store | semmle.label | Store |
|
||||
| test.cpp:89:3:89:11 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:89:9:89:11 | & ... | semmle.label | & ... |
|
||||
| test.cpp:89:9:89:11 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:89:10:89:11 | Unary | semmle.label | Unary |
|
||||
| test.cpp:89:10:89:11 | mc | semmle.label | mc |
|
||||
| test.cpp:92:9:92:11 | Load | semmle.label | Load |
|
||||
| test.cpp:92:9:92:11 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:92:9:92:11 | ptr | semmle.label | ptr |
|
||||
| test.cpp:112:9:112:11 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:112:9:112:11 | Unary | semmle.label | Unary |
|
||||
| test.cpp:112:9:112:11 | arr | semmle.label | arr |
|
||||
| test.cpp:112:9:112:11 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| test.cpp:119:9:119:18 | & ... | semmle.label | & ... |
|
||||
| test.cpp:119:9:119:18 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:119:11:119:13 | Left | semmle.label | Left |
|
||||
| test.cpp:119:11:119:13 | Unary | semmle.label | Unary |
|
||||
| test.cpp:119:11:119:13 | arr | semmle.label | arr |
|
||||
| test.cpp:119:11:119:13 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| test.cpp:119:11:119:17 | Unary | semmle.label | Unary |
|
||||
| test.cpp:119:11:119:17 | access to array | semmle.label | access to array |
|
||||
| test.cpp:134:2:134:14 | Store | semmle.label | Store |
|
||||
| test.cpp:134:8:134:10 | Left | semmle.label | Left |
|
||||
| test.cpp:134:8:134:10 | Unary | semmle.label | Unary |
|
||||
| test.cpp:134:2:134:14 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:134:8:134:10 | arr | semmle.label | arr |
|
||||
| test.cpp:134:8:134:10 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| test.cpp:134:8:134:14 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:134:8:134:14 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:135:2:135:4 | Left | semmle.label | Left |
|
||||
| test.cpp:135:2:135:4 | Load | semmle.label | Load |
|
||||
| test.cpp:135:2:135:4 | ptr | semmle.label | ptr |
|
||||
| test.cpp:135:2:135:6 | PointerAdd | semmle.label | PointerAdd |
|
||||
| test.cpp:135:2:135:6 | Store | semmle.label | Store |
|
||||
| test.cpp:135:2:135:6 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:137:9:137:11 | Load | semmle.label | Load |
|
||||
| test.cpp:137:9:137:11 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:135:2:135:6 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:135:2:135:6 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:137:9:137:11 | ptr | semmle.label | ptr |
|
||||
| test.cpp:170:26:170:41 | (void *)... | semmle.label | (void *)... |
|
||||
| test.cpp:170:26:170:41 | Store | semmle.label | Store |
|
||||
| test.cpp:170:26:170:41 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:170:26:170:41 | (void *)... | semmle.label | (void *)... |
|
||||
| test.cpp:170:34:170:41 | & ... | semmle.label | & ... |
|
||||
| test.cpp:170:34:170:41 | Unary | semmle.label | Unary |
|
||||
| test.cpp:170:35:170:41 | Unary | semmle.label | Unary |
|
||||
| test.cpp:170:35:170:41 | myLocal | semmle.label | myLocal |
|
||||
| test.cpp:171:10:171:23 | Load | semmle.label | Load |
|
||||
| test.cpp:171:10:171:23 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:171:10:171:23 | pointerToLocal | semmle.label | pointerToLocal |
|
||||
| test.cpp:176:25:176:34 | Store | semmle.label | Store |
|
||||
| test.cpp:176:25:176:34 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:176:25:176:34 | Unary | semmle.label | Unary |
|
||||
| test.cpp:176:25:176:34 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| test.cpp:176:25:176:34 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| test.cpp:176:25:176:34 | localArray | semmle.label | localArray |
|
||||
| test.cpp:177:10:177:23 | (void *)... | semmle.label | (void *)... |
|
||||
| test.cpp:177:10:177:23 | Load | semmle.label | Load |
|
||||
| test.cpp:177:10:177:23 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:177:10:177:23 | Unary | semmle.label | Unary |
|
||||
| test.cpp:177:10:177:23 | pointerToLocal | semmle.label | pointerToLocal |
|
||||
| test.cpp:182:21:182:27 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:182:21:182:27 | Store | semmle.label | Store |
|
||||
| test.cpp:182:21:182:27 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:182:21:182:27 | Unary | semmle.label | Unary |
|
||||
| test.cpp:182:21:182:27 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:182:21:182:27 | myLocal | semmle.label | myLocal |
|
||||
| test.cpp:183:10:183:19 | (reference dereference) | semmle.label | (reference dereference) |
|
||||
| test.cpp:183:10:183:19 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:183:10:183:19 | Load | semmle.label | Load |
|
||||
| test.cpp:183:10:183:19 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:183:10:183:19 | Unary | semmle.label | Unary |
|
||||
| test.cpp:183:10:183:19 | Unary | semmle.label | Unary |
|
||||
| test.cpp:183:10:183:19 | refToLocal | semmle.label | refToLocal |
|
||||
| test.cpp:189:16:189:16 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:189:16:189:16 | Store | semmle.label | Store |
|
||||
| test.cpp:189:16:189:16 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:189:16:189:16 | Unary | semmle.label | Unary |
|
||||
| test.cpp:189:16:189:16 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:189:16:189:16 | p | semmle.label | p |
|
||||
| test.cpp:190:10:190:13 | (reference dereference) | semmle.label | (reference dereference) |
|
||||
| test.cpp:190:10:190:13 | (reference to) | semmle.label | (reference to) |
|
||||
| test.cpp:190:10:190:13 | Load | semmle.label | Load |
|
||||
| test.cpp:190:10:190:13 | StoreValue | semmle.label | StoreValue |
|
||||
| test.cpp:190:10:190:13 | Unary | semmle.label | Unary |
|
||||
| test.cpp:190:10:190:13 | Unary | semmle.label | Unary |
|
||||
| test.cpp:190:10:190:13 | pRef | semmle.label | pRef |
|
||||
#select
|
||||
| test.cpp:17:9:17:11 | StoreValue | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
|
||||
| test.cpp:25:9:25:11 | StoreValue | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |
|
||||
| test.cpp:41:9:41:12 | StoreValue | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | StoreValue | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc |
|
||||
| test.cpp:47:9:47:10 | StoreValue | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | StoreValue | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc |
|
||||
| test.cpp:54:9:54:15 | StoreValue | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | StoreValue | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc |
|
||||
| test.cpp:92:9:92:11 | StoreValue | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc |
|
||||
| test.cpp:112:9:112:11 | StoreValue | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
|
||||
| test.cpp:119:9:119:18 | StoreValue | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | StoreValue | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
|
||||
| test.cpp:137:9:137:11 | StoreValue | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:134:8:134:10 | arr | arr |
|
||||
| test.cpp:171:10:171:23 | StoreValue | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | StoreValue | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |
|
||||
| test.cpp:177:10:177:23 | StoreValue | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | StoreValue | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray |
|
||||
| test.cpp:183:10:183:19 | StoreValue | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | StoreValue | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal |
|
||||
| test.cpp:190:10:190:13 | StoreValue | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | StoreValue | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p |
|
||||
| test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
|
||||
| test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |
|
||||
| test.cpp:41:9:41:12 | CopyValue: & ... | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | & ... | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc |
|
||||
| test.cpp:47:9:47:10 | CopyValue: (reference to) | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc |
|
||||
| test.cpp:54:9:54:15 | CopyValue: & ... | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | & ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc |
|
||||
| test.cpp:92:9:92:11 | Load: ptr | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | ptr | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc |
|
||||
| test.cpp:112:9:112:11 | Convert: array to pointer conversion | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
|
||||
| test.cpp:119:9:119:18 | CopyValue: & ... | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | & ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
|
||||
| test.cpp:137:9:137:11 | Load: ptr | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | ptr | May return stack-allocated memory from $@. | test.cpp:134:8:134:10 | arr | arr |
|
||||
| test.cpp:171:10:171:23 | Load: pointerToLocal | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | pointerToLocal | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |
|
||||
| test.cpp:177:10:177:23 | Convert: (void *)... | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray |
|
||||
| test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal |
|
||||
| test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p |
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
## 1.3.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.3.3
|
||||
|
||||
No user-facing changes.
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
## 1.3.4
|
||||
|
||||
No user-facing changes.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 1.3.3
|
||||
lastReleaseVersion: 1.3.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/csharp-solorigate-all
|
||||
version: 1.3.4-dev
|
||||
version: 1.3.5-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
## 1.3.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.3.3
|
||||
|
||||
No user-facing changes.
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
## 1.3.4
|
||||
|
||||
No user-facing changes.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 1.3.3
|
||||
lastReleaseVersion: 1.3.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.3.4-dev
|
||||
version: 1.3.5-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
|
|
@ -1,3 +1,9 @@
|
|||
## 0.4.4
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `[Summary|Sink|Source]ModelCsv` classes have been deprecated and Models as Data models are defined as data extensions instead.
|
||||
|
||||
## 0.4.3
|
||||
|
||||
No user-facing changes.
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `getNameWithoutBrackets` predicate from the `ValueOrRefType` class in `Type.qll`.
|
|
@ -1,4 +1,5 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `[Summary|Sink|Source]ModelCsv` classes have been deprecated and Models as Data models are defined as data extensions instead.
|
||||
## 0.4.4
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `[Summary|Sink|Source]ModelCsv` classes have been deprecated and Models as Data models are defined as data extensions instead.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 0.4.3
|
||||
lastReleaseVersion: 0.4.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/csharp-all
|
||||
version: 0.4.4-dev
|
||||
version: 0.4.5-dev
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
|
|
@ -56,13 +56,6 @@ private predicate isObjectClass(Class c) { c instanceof ObjectType }
|
|||
* Either a value type (`ValueType`) or a reference type (`RefType`).
|
||||
*/
|
||||
class ValueOrRefType extends DotNet::ValueOrRefType, Type, Attributable, @value_or_ref_type {
|
||||
/**
|
||||
* DEPRECATED: use `getUndecoratedName()` instead.
|
||||
*
|
||||
* Gets the name of this type without `<...>` brackets, in case it is a generic type.
|
||||
*/
|
||||
deprecated string getNameWithoutBrackets() { types(this, _, result) }
|
||||
|
||||
/**
|
||||
* Holds if this type has the qualified name `qualifier`.`name`.
|
||||
*
|
||||
|
|
|
@ -907,9 +907,13 @@ module TestOutput {
|
|||
|
||||
query predicate edges(RelevantNode pred, RelevantNode succ, string attr, string val) {
|
||||
attr = "semmle.label" and
|
||||
exists(SuccessorType t | succ = getASuccessor(pred, t) |
|
||||
if successorTypeIsSimple(t) then val = "" else val = t.toString()
|
||||
)
|
||||
val =
|
||||
strictconcat(SuccessorType t, string s |
|
||||
succ = getASuccessor(pred, t) and
|
||||
if successorTypeIsSimple(t) then s = "" else s = t.toString()
|
||||
|
|
||||
s, ", " order by s
|
||||
)
|
||||
or
|
||||
attr = "semmle.order" and
|
||||
val =
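Review bot: In the rewritten `semmle.label` branch of `edges`, the `strictconcat` maps every simple successor type to `s = ""`, so a `pred`/`succ` pair that has both a simple and a non-simple successor would presumably get a label that starts with the separator (for example `, exception(Exception)`), because the empty string sorts first. If that combination can occur, aggregate only the non-simple types and let the empty case fall out of a non-strict `concat`: `succ = getASuccessor(pred, _) and val = concat(SuccessorType t | succ = getASuccessor(pred, t) and not successorTypeIsSimple(t) | t.toString(), ", " order by t.toString())`. The expected-output changes in this commit (`false, true -> ...`) only exercise pairs where every type is non-simple, so they would not catch it. A short comment such as `// join all successor types for a (pred, succ) pair into one label so each edge yields a single row` would also record why the aggregate replaced the `exists`. The predicate body continues past the end of this hunk.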
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
## 0.4.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.3
|
||||
|
||||
No user-facing changes.
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
## 0.4.4
|
||||
|
||||
No user-facing changes.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 0.4.3
|
||||
lastReleaseVersion: 0.4.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/csharp-queries
|
||||
version: 0.4.4-dev
|
||||
version: 0.4.5-dev
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
|
|
@ -2775,7 +2775,7 @@ Assert.cs:
|
|||
#-----| true -> access to parameter b2
|
||||
|
||||
# 140| [assertion failure] access to parameter b2
|
||||
#-----| false -> [assertion failure] access to parameter b3
|
||||
#-----| false, true -> [assertion failure] access to parameter b3
|
||||
|
||||
# 140| access to parameter b2
|
||||
#-----| false -> [assertion success] access to parameter b3
|
||||
|
@ -4924,7 +4924,7 @@ ExitMethods.cs:
|
|||
#-----| -> ...;
|
||||
|
||||
# 22| call to method ErrorAlways
|
||||
#-----| exception(Exception) -> exit M3 (abnormal)
|
||||
#-----| exception(ArgumentException), exception(Exception) -> exit M3 (abnormal)
|
||||
|
||||
# 22| ...;
|
||||
#-----| -> true
|
||||
|
|
|
@ -312,7 +312,7 @@ For more information, see "`Using CodeQL query packs in the CodeQL action <https
|
|||
Including query help for custom CodeQL queries in SARIF files
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If you use the CodeQL CLI to to run code scanning analyses on third party CI/CD systems,
|
||||
If you use the CodeQL CLI to run code scanning analyses on third party CI/CD systems,
|
||||
you can include the query help for your custom queries in SARIF files generated during an analysis.
|
||||
After uploading the SARIF file to GitHub, the query help is shown in the code scanning UI for any
|
||||
alerts generated by the custom queries.
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
* @name Incomplete switch over enum
|
||||
* @description A switch statement of enum type should explicitly reference each
|
||||
* of the members of that enum.
|
||||
* @severity warning
|
||||
* @kind problem
|
||||
* @id go/examples/incomplete-switch
|
||||
*/
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
## 0.3.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.3.3
|
||||
|
||||
No user-facing changes.
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
## 0.3.4
|
||||
|
||||
No user-facing changes.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 0.3.3
|
||||
lastReleaseVersion: 0.3.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/go-all
|
||||
version: 0.3.4-dev
|
||||
version: 0.3.5-dev
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
## 0.3.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.3.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
## 0.3.4
|
||||
|
||||
No user-facing changes.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 0.3.3
|
||||
lastReleaseVersion: 0.3.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/go-queries
|
||||
version: 0.3.4-dev
|
||||
version: 0.3.5-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
|
|
@ -1,130 +1,130 @@
|
|||
package,sink,source,summary,sink:bean-validation,sink:create-file,sink:groovy,sink:header-splitting,sink:information-leak,sink:intent-start,sink:jdbc-url,sink:jexl,sink:jndi-injection,sink:ldap,sink:logging,sink:mvel,sink:ognl-injection,sink:open-url,sink:pending-intent-sent,sink:regex-use[-1],sink:regex-use[0],sink:regex-use[],sink:regex-use[f-1],sink:regex-use[f1],sink:regex-use[f],sink:set-hostname-verifier,sink:sql,sink:ssti,sink:url-open-stream,sink:url-redirect,sink:write-file,sink:xpath,sink:xslt,sink:xss,source:android-external-storage-dir,source:android-widget,source:contentprovider,source:remote,summary:taint,summary:value
|
||||
android.app,24,,103,,,,,,7,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,18,85
|
||||
android.content,24,31,154,,,,,,16,,,,,,,,,,,,,,,,,8,,,,,,,,4,,27,,63,91
|
||||
android.database,59,,39,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,,,,,39,
|
||||
android.net,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,45,15
|
||||
android.os,,2,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,41,81
|
||||
android.util,6,16,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,16,,
|
||||
android.webkit,3,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,2,,
|
||||
android.widget,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,1,
|
||||
androidx.core.app,6,,95,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,12,83
|
||||
androidx.slice,2,5,88,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,5,,27,61
|
||||
cn.hutool.core.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.core,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.databind,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
com.google.common.base,4,,85,,,,,,,,,,,,,,,,,3,1,,,,,,,,,,,,,,,,,62,23
|
||||
com.google.common.cache,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17
|
||||
com.google.common.collect,,,553,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,551
|
||||
com.google.common.flogger,29,,,,,,,,,,,,,29,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.google.common.io,6,,73,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,72,1
|
||||
com.hubspot.jinjava,2,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,
|
||||
com.mitchellbosecke.pebble,2,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,
|
||||
com.opensymphony.xwork2.ognl,3,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.rabbitmq.client,,21,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,7,
|
||||
com.unboundid.ldap.sdk,17,,,,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.zaxxer.hikari,2,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
flexjson,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
|
||||
freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
|
||||
freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
|
||||
groovy.lang,26,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
groovy.util,5,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
jakarta.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
|
||||
jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
|
||||
jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
|
||||
java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
java.io,37,,40,,15,,,,,,,,,,,,,,,,,,,,,,,,,22,,,,,,,,40,
|
||||
java.lang,13,,66,,,,,,,,,,,8,,,,,4,,,1,,,,,,,,,,,,,,,,54,12
|
||||
java.net,10,3,7,,,,,,,,,,,,,,10,,,,,,,,,,,,,,,,,,,,3,7,
|
||||
java.nio,15,,14,,13,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,14,
|
||||
java.sql,11,,,,,,,,,4,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
|
||||
java.util,44,,461,,,,,,,,,,,34,,,,,,5,2,,1,2,,,,,,,,,,,,,,36,425
|
||||
javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
|
||||
javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
|
||||
javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
javax.management.remote,2,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.naming,7,,,,,,,,,,,6,1,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.net.ssl,2,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,
|
||||
javax.script,1,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.servlet,4,21,2,,,,3,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,2,
|
||||
javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
|
||||
javax.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
javax.ws.rs.core,3,,149,,,,1,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
|
||||
javax.xml.transform,1,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,6,
|
||||
javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,
|
||||
jodd.json,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10
|
||||
kotlin,12,,1835,,10,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,1828,7
|
||||
net.sf.saxon.s9api,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,
|
||||
ognl,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,
|
||||
okhttp3,2,,47,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,22,25
|
||||
org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
|
||||
org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
|
||||
org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,542,14
|
||||
org.apache.commons.jexl2,15,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.jexl3,15,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.lang3,,,424,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,293,131
|
||||
org.apache.commons.logging,6,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.ognl,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.text,,,272,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,220,52
|
||||
org.apache.directory.ldap.client.api,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.hc.core5.http,1,2,39,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,2,39,
|
||||
org.apache.hc.core5.net,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,
|
||||
org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6
|
||||
org.apache.http,27,3,70,,,,,,,,,,,,,,25,,,,,,,,,,,,,,,,2,,,,3,62,8
|
||||
org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,57,
|
||||
org.apache.log4j,11,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.logging.log4j,359,,8,,,,,,,,,,,359,,,,,,,,,,,,,,,,,,,,,,,,4,4
|
||||
org.apache.shiro.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.shiro.jndi,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.velocity.app,4,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,
|
||||
org.apache.velocity.runtime,4,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,
|
||||
org.codehaus.groovy.control,1,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.dom4j,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,,,,,,,
|
||||
org.hibernate,7,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
|
||||
org.jboss.logging,324,,,,,,,,,,,,,324,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.jdbi.v3.core,6,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.jooq,1,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,
|
||||
org.json,,,236,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,198,38
|
||||
org.mvel2,16,,,,,,,,,,,,,,16,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.scijava.log,13,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.slf4j,55,,6,,,,,,,,,,,55,,,,,,,,,,,,,,,,,,,,,,,,2,4
|
||||
org.springframework.beans,,,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30
|
||||
org.springframework.boot.jdbc,1,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.cache,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13
|
||||
org.springframework.context,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
org.springframework.data.repository,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
|
||||
org.springframework.http,14,,70,,,,,,,,,,,,,,14,,,,,,,,,,,,,,,,,,,,,60,10
|
||||
org.springframework.jdbc.core,10,,,,,,,,,,,,,,,,,,,,,,,,,10,,,,,,,,,,,,,
|
||||
org.springframework.jdbc.datasource,4,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.jdbc.object,9,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,
|
||||
org.springframework.jndi,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.ldap,47,,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,
|
||||
org.springframework.ui,,,32,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,32
|
||||
org.springframework.util,,,139,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,87,52
|
||||
org.springframework.validation,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,
|
||||
org.springframework.web.client,13,3,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,3,,
|
||||
org.springframework.web.context.request,,8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,,
|
||||
org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,12,13,
|
||||
org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.web.util,,,163,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,138,25
|
||||
org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,2,
|
||||
org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,
|
||||
play.mvc,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,
|
||||
ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
|
||||
ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
|
||||
ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,48
|
||||
ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
|
||||
ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
|
||||
ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
|
||||
ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
|
||||
retrofit2,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
|
||||
package,sink,source,summary,sink:bean-validation,sink:create-file,sink:groovy,sink:header-splitting,sink:information-leak,sink:intent-start,sink:jdbc-url,sink:jexl,sink:jndi-injection,sink:ldap,sink:logging,sink:mvel,sink:ognl-injection,sink:open-url,sink:pending-intent-sent,sink:regex-use,sink:regex-use[-1],sink:regex-use[0],sink:regex-use[],sink:regex-use[f-1],sink:regex-use[f1],sink:regex-use[f],sink:set-hostname-verifier,sink:sql,sink:ssti,sink:url-open-stream,sink:url-redirect,sink:write-file,sink:xpath,sink:xslt,sink:xss,source:android-external-storage-dir,source:android-widget,source:contentprovider,source:remote,summary:taint,summary:value
|
||||
android.app,24,,103,,,,,,7,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,18,85
|
||||
android.content,24,31,154,,,,,,16,,,,,,,,,,,,,,,,,,8,,,,,,,,4,,27,,63,91
|
||||
android.database,59,,39,,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,,,,,39,
|
||||
android.net,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,45,15
|
||||
android.os,,2,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,41,81
|
||||
android.util,6,16,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,16,,
|
||||
android.webkit,3,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,2,,
|
||||
android.widget,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,1,
|
||||
androidx.core.app,6,,95,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,12,83
|
||||
androidx.slice,2,5,88,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,5,,27,61
|
||||
cn.hutool.core.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.core,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.databind,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
com.google.common.base,4,,85,,,,,,,,,,,,,,,,,,3,1,,,,,,,,,,,,,,,,,62,23
|
||||
com.google.common.cache,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17
|
||||
com.google.common.collect,,,553,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,551
|
||||
com.google.common.flogger,29,,,,,,,,,,,,,29,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.google.common.io,6,,73,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,72,1
|
||||
com.hubspot.jinjava,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,
|
||||
com.mitchellbosecke.pebble,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,
|
||||
com.opensymphony.xwork2.ognl,3,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.rabbitmq.client,,21,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,7,
|
||||
com.unboundid.ldap.sdk,17,,,,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
com.zaxxer.hikari,2,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
flexjson,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
|
||||
freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
|
||||
freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
|
||||
groovy.lang,26,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
groovy.util,5,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
jakarta.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
|
||||
jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
|
||||
java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
java.io,37,,40,,15,,,,,,,,,,,,,,,,,,,,,,,,,,22,,,,,,,,40,
|
||||
java.lang,13,,66,,,,,,,,,,,8,,,,,,4,,,1,,,,,,,,,,,,,,,,54,12
|
||||
java.net,10,3,7,,,,,,,,,,,,,,10,,,,,,,,,,,,,,,,,,,,,3,7,
|
||||
java.nio,15,,16,,13,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,16,
|
||||
java.sql,11,,,,,,,,,4,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
|
||||
java.util,44,,461,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,,,,36,425
|
||||
javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
|
||||
javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
|
||||
javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
javax.management.remote,2,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.naming,7,,,,,,,,,,,6,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.net.ssl,2,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,
|
||||
javax.script,1,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.servlet,4,21,2,,,,3,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,2,
|
||||
javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
|
||||
javax.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
javax.ws.rs.core,3,,149,,,,1,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
|
||||
javax.xml.transform,1,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,6,
|
||||
javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,
|
||||
jodd.json,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10
|
||||
kotlin,12,,1835,,10,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,1828,7
|
||||
net.sf.saxon.s9api,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,
|
||||
ognl,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
okhttp3,2,,47,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,22,25
|
||||
org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
|
||||
org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
|
||||
org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,542,14
|
||||
org.apache.commons.jexl2,15,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.jexl3,15,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,293,131
|
||||
org.apache.commons.logging,6,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.ognl,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.commons.text,,,272,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,220,52
|
||||
org.apache.directory.ldap.client.api,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.hc.core5.http,1,2,39,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,2,39,
|
||||
org.apache.hc.core5.net,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,
|
||||
org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6
|
||||
org.apache.http,27,3,70,,,,,,,,,,,,,,25,,,,,,,,,,,,,,,,,2,,,,3,62,8
|
||||
org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,57,
|
||||
org.apache.log4j,11,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.logging.log4j,359,,8,,,,,,,,,,,359,,,,,,,,,,,,,,,,,,,,,,,,,4,4
|
||||
org.apache.shiro.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.apache.shiro.jndi,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.apache.velocity.app,4,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,
|
||||
org.apache.velocity.runtime,4,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,
|
||||
org.codehaus.groovy.control,1,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.dom4j,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,,,,,,,
|
||||
org.hibernate,7,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
|
||||
org.jboss.logging,324,,,,,,,,,,,,,324,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.jdbi.v3.core,6,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.jooq,1,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,
|
||||
org.json,,,236,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,198,38
|
||||
org.mvel2,16,,,,,,,,,,,,,,16,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.scijava.log,13,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.slf4j,55,,6,,,,,,,,,,,55,,,,,,,,,,,,,,,,,,,,,,,,,2,4
|
||||
org.springframework.beans,,,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30
|
||||
org.springframework.boot.jdbc,1,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.cache,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13
|
||||
org.springframework.context,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
org.springframework.data.repository,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
|
||||
org.springframework.http,14,,70,,,,,,,,,,,,,,14,,,,,,,,,,,,,,,,,,,,,,60,10
|
||||
org.springframework.jdbc.core,10,,,,,,,,,,,,,,,,,,,,,,,,,,10,,,,,,,,,,,,,
|
||||
org.springframework.jdbc.datasource,4,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.jdbc.object,9,,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,
|
||||
org.springframework.jndi,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.ldap,47,,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,
|
||||
org.springframework.ui,,,32,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,32
|
||||
org.springframework.util,,,139,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,87,52
|
||||
org.springframework.validation,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,
|
||||
org.springframework.web.client,13,3,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,3,,
|
||||
org.springframework.web.context.request,,8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,,
|
||||
org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,12,13,
|
||||
org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,
|
||||
org.springframework.web.util,,,163,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,138,25
|
||||
org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,2,
|
||||
org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,
|
||||
play.mvc,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,
|
||||
ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
|
||||
ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
|
||||
ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,48
|
||||
ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
|
||||
ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
|
||||
ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
|
||||
ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
|
||||
retrofit2,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
|
||||
|
|
|
|
@ -11,17 +11,17 @@ Java framework & library support
|
|||
Android extensions,``androidx.*``,5,183,8,,,,,,,
|
||||
`Apache Commons Collections <https://commons.apache.org/proper/commons-collections/>`_,"``org.apache.commons.collections``, ``org.apache.commons.collections4``",,1600,,,,,,,,
|
||||
`Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,556,106,91,,,,,,15
|
||||
`Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
|
||||
`Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,,
|
||||
`Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,,
|
||||
`Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
|
||||
`Apache Log4j 2 <https://logging.apache.org/log4j/2.0/>`_,``org.apache.logging.log4j``,,8,359,,,,,,,
|
||||
`Google Guava <https://guava.dev/>`_,``com.google.common.*``,,728,39,,6,,,,,
|
||||
JBoss Logging,``org.jboss.logging``,,,324,,,,,,,
|
||||
`JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
|
||||
Java Standard Library,``java.*``,3,589,130,28,,,7,,,10
|
||||
Java Standard Library,``java.*``,3,591,130,28,,,7,,,10
|
||||
Java extensions,"``javax.*``, ``jakarta.*``",63,609,32,,,4,,1,1,2
|
||||
Kotlin Standard Library,``kotlin*``,,1835,12,10,,,,,,2
|
||||
`Spring <https://spring.io/>`_,``org.springframework.*``,29,477,101,,,,19,14,,29
|
||||
Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.mvel2``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",60,300,269,,,,14,18,,3
|
||||
Totals,,217,8432,1524,129,6,10,107,33,1,86
|
||||
Totals,,217,8434,1530,129,6,10,107,33,1,86
|
||||
|
||||
|
|
|
@ -1,3 +1,15 @@
|
|||
## 0.4.4
|
||||
|
||||
### New Features
|
||||
|
||||
* Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting `CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to `true` in the environment.
|
||||
* The new `string Compilation.getInfo(string)` predicate provides access to some information about compilations.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The ReDoS libraries in `semmle.code.java.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated.
|
||||
* Added data flow summaries for tainted Android intents sent to activities via `Activity.startActivities`.
|
||||
|
||||
## 0.4.3
|
||||
|
||||
No user-facing changes.
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added data flow summaries for tainted Android intents sent to activities via `Activity.startActivities`.
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The ReDoS libraries in `semmle.code.java.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated.
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
category: feature
|
||||
---
|
||||
* The new `string Compilation.getInfo(string)` provides access to some information about compilations.
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
category: feature
|
||||
---
|
||||
* Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting `CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to `true` in the environment.
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `LocalClassDeclStmtNode` and `LocalClassDeclStmt` classes from `PrintAst.qll` and `Statement.qll` respectively.
|
||||
* Deleted the deprecated `getLocalClass` predicate from `LocalTypeDeclStmt`, and the deprecated `getLocalClassDeclStmt` predicate from `LocalClassOrInterface`.
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added a taint model for the method `java.nio.file.Path.getParent`.
|
||||
* Fixed a problem in the taint model for the method `java.nio.file.Paths.get`.
|
|
@ -0,0 +1,11 @@
|
|||
## 0.4.4
|
||||
|
||||
### New Features
|
||||
|
||||
* Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting `CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to `true` in the environment.
|
||||
* The new `string Compilation.getInfo(string)` predicate provides access to some information about compilations.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The ReDoS libraries in `semmle.code.java.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated.
|
||||
* Added data flow summaries for tainted Android intents sent to activities via `Activity.startActivities`.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 0.4.3
|
||||
lastReleaseVersion: 0.4.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/java-all
|
||||
version: 0.4.4-dev
|
||||
version: 0.4.5-dev
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
|
|
@ -393,12 +393,6 @@ final class LocalTypeDeclStmtNode extends ExprStmtNode {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Renamed `LocalTypeDeclStmtNode` to reflect the fact that
|
||||
* as of Java 16 interfaces can also be declared locally, not just classes.
|
||||
*/
|
||||
deprecated class LocalClassDeclStmtNode = LocalTypeDeclStmtNode;
|
||||
|
||||
/**
|
||||
* A node representing a `ForStmt`.
|
||||
*/
|
||||
|
|
|
@ -781,12 +781,6 @@ class LocalTypeDeclStmt extends Stmt, @localtypedeclstmt {
|
|||
/** Gets the local type declared by this statement. */
|
||||
LocalClassOrInterface getLocalType() { isLocalClassOrInterface(result, this) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Renamed `getLocalType` to reflect the fact that
|
||||
* as of Java 16 interfaces can also be declared locally, not just classes.
|
||||
*/
|
||||
deprecated LocalClassOrInterface getLocalClass() { result = this.getLocalType() }
|
||||
|
||||
private string getDeclKeyword() {
|
||||
result = "class" and this.getLocalType() instanceof Class
|
||||
or
|
||||
|
@ -802,12 +796,6 @@ class LocalTypeDeclStmt extends Stmt, @localtypedeclstmt {
|
|||
override string getAPrimaryQlClass() { result = "LocalTypeDeclStmt" }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Renamed `LocalTypeDeclStmt` to reflect the fact that
|
||||
* as of Java 16 interfaces can also be declared locally, not just classes.
|
||||
*/
|
||||
deprecated class LocalClassDeclStmt = LocalTypeDeclStmt;
|
||||
|
||||
/** An explicit `this(...)` constructor invocation. */
|
||||
class ThisConstructorInvocationStmt extends Stmt, ConstructorCall, @constructorinvocationstmt {
|
||||
/** Gets an argument of this constructor invocation. */
|
||||
|
|
|
@ -828,12 +828,6 @@ class LocalClassOrInterface extends NestedType, ClassOrInterface {
|
|||
/** Gets the statement that declares this local class. */
|
||||
LocalTypeDeclStmt getLocalTypeDeclStmt() { isLocalClassOrInterface(this, result) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: renamed `getLocalTypeDeclStmt` to reflect the fact that
|
||||
* as of Java 16 interfaces can also be declared locally.
|
||||
*/
|
||||
deprecated LocalTypeDeclStmt getLocalClassDeclStmt() { result = this.getLocalTypeDeclStmt() }
|
||||
|
||||
override string getAPrimaryQlClass() { result = "LocalClassOrInterface" }
|
||||
}
|
||||
|
||||
|
|
|
@ -2,6 +2,27 @@
|
|||
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
|
||||
/** The class `java.util.regex.Pattern`. */
|
||||
class TypeRegexPattern extends Class {
|
||||
TypeRegexPattern() { this.hasQualifiedName("java.util.regex", "Pattern") }
|
||||
}
|
||||
|
||||
/** The `quote` method of the `java.util.regex.Pattern` class. */
|
||||
class PatternQuoteMethod extends Method {
|
||||
PatternQuoteMethod() {
|
||||
this.getDeclaringType() instanceof TypeRegexPattern and
|
||||
this.hasName("quote")
|
||||
}
|
||||
}
|
||||
|
||||
/** The `LITERAL` field of the `java.util.regex.Pattern` class. */
|
||||
class PatternLiteralField extends Field {
|
||||
PatternLiteralField() {
|
||||
this.getDeclaringType() instanceof TypeRegexPattern and
|
||||
this.hasName("LITERAL")
|
||||
}
|
||||
}
|
||||
|
||||
private class RegexModel extends SummaryModelCsv {
|
||||
override predicate row(string s) {
|
||||
s =
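Review bot: The QLDoc on `PatternLiteralField` says which field it is but not what an access to it means for analysis. `Pattern.LITERAL` only makes a pattern literal when it reaches the flags argument of `Pattern.compile(String, int)`, so a consumer that treats any read of the field as proof of a literal regex would suppress results it should keep; those consumers are not visible in this hunk. I would extend the comment to say that the field is a compile flag and is relevant only when passed to `Pattern.compile`, and add a matching sentence on `PatternQuoteMethod` that its return value is a literal pattern string. As a style point, both characteristic predicates could be a single `this.hasQualifiedName("java.util.regex", "Pattern", "quote")` (and `"LITERAL"`) instead of the `getDeclaringType() instanceof … and hasName(…)` pair. The trailing `RegexModel` class continues outside the hunk.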
|
||||
|
|
|
@ -27,6 +27,12 @@ private class RegexSinkCsv extends SinkModelCsv {
|
|||
"com.google.common.base;Splitter;false;split;(CharSequence);;Argument[-1];regex-use[0];manual",
|
||||
"com.google.common.base;Splitter;false;splitToList;(CharSequence);;Argument[-1];regex-use[0];manual",
|
||||
"com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[-1];regex-use[0];manual",
|
||||
"org.apache.commons.lang3;RegExUtils;false;removeAll;(String,String);;Argument[1];regex-use;manual",
|
||||
"org.apache.commons.lang3;RegExUtils;false;removeFirst;(String,String);;Argument[1];regex-use;manual",
|
||||
"org.apache.commons.lang3;RegExUtils;false;removePattern;(String,String);;Argument[1];regex-use;manual",
|
||||
"org.apache.commons.lang3;RegExUtils;false;replaceAll;(String,String,String);;Argument[1];regex-use;manual",
|
||||
"org.apache.commons.lang3;RegExUtils;false;replaceFirst;(String,String,String);;Argument[1];regex-use;manual",
|
||||
"org.apache.commons.lang3;RegExUtils;false;replacePattern;(String,String,String);;Argument[1];regex-use;manual",
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -84,13 +84,15 @@ private class FileSummaryModels extends SummaryModelCsv {
|
|||
"java.io;File;true;toPath;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.io;File;true;toString;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.io;File;true;toURI;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.nio.file;Path;true;getParent;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual",
|
||||
"java.nio.file;Path;true;toAbsolutePath;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.nio.file;Path;true;toString;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.nio.file;Path;true;toUri;;;Argument[-1];ReturnValue;taint;manual",
|
||||
"java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual",
|
||||
"java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual",
|
||||
"java.nio.file;Paths;true;get;;;Argument[1].ArrayElement;ReturnValue;taint;manual",
|
||||
"java.nio.file;FileSystem;true;getPath;;;Argument[0];ReturnValue;taint;manual",
|
||||
"java.nio.file;FileSystem;true;getRootDirectories;;;Argument[0];ReturnValue;taint;manual"
|
||||
]
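Review bot: The row `java.nio.file;FileSystem;true;getRootDirectories;;;Argument[0];ReturnValue;taint;manual` names `Argument[0]`, but `FileSystem.getRootDirectories()` takes no parameters, so this summary can presumably never apply. If the intent is to carry taint from the file system object to the returned roots, the input should be the qualifier: `"java.nio.file;FileSystem;true;getRootDirectories;;;Argument[-1];ReturnValue;taint;manual"`. The rendered page has lost the `+`/`-` column, so this row may be existing context rather than new. Either way, the part of the generated test visible in this commit has a case for `getPath` but none for `getRootDirectories`. The list this row belongs to starts outside the hunk.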
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
/** Provides classes and predicates related to regex injection in Java. */
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.DataFlow
|
||||
private import semmle.code.java.frameworks.Regex
|
||||
private import semmle.code.java.regex.RegexFlowModels
|
||||
|
||||
/** A data flow sink for untrusted user input used to construct regular expressions. */
|
||||
abstract class RegexInjectionSink extends DataFlow::ExprNode { }
|
||||
|
||||
/** A sanitizer for untrusted user input used to construct regular expressions. */
|
||||
abstract class RegexInjectionSanitizer extends DataFlow::ExprNode { }
|
||||
|
||||
/** A method call that takes a regular expression as an argument. */
|
||||
private class DefaultRegexInjectionSink extends RegexInjectionSink {
|
||||
DefaultRegexInjectionSink() {
|
||||
// we only select sinks where there is direct regex creation, not regex uses
|
||||
sinkNode(this, ["regex-use[]", "regex-use[f1]", "regex-use[f-1]", "regex-use[-1]", "regex-use"])
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to the `Pattern.quote` method, which gives metacharacters or escape sequences
|
||||
* no special meaning.
|
||||
*/
|
||||
private class PatternQuoteCall extends RegexInjectionSanitizer {
|
||||
PatternQuoteCall() {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
ma.getArgument(0) = this.asExpr() and
|
||||
m instanceof PatternQuoteMethod
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Use of the `Pattern.LITERAL` flag with `Pattern.compile`, which gives metacharacters
|
||||
* or escape sequences no special meaning.
|
||||
*/
|
||||
private class PatternLiteralFlag extends RegexInjectionSanitizer {
|
||||
PatternLiteralFlag() {
|
||||
exists(MethodAccess ma, Method m, PatternLiteralField field | m = ma.getMethod() |
|
||||
ma.getArgument(0) = this.asExpr() and
|
||||
m.getDeclaringType() instanceof TypeRegexPattern and
|
||||
m.hasName("compile") and
|
||||
ma.getArgument(1) = field.getAnAccess()
|
||||
)
|
||||
}
|
||||
}
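Review bot: `PatternLiteralFlag` only recognises `Pattern.compile(x, Pattern.LITERAL)` when the second argument is exactly an access to the field, because of `ma.getArgument(1) = field.getAnAccess()`. A call that ORs the flag with others, such as `Pattern.LITERAL | Pattern.CASE_INSENSITIVE`, is still reported even though the pattern is compiled literally. That errs in the safe direction (extra alerts, not missed ones), so it may be intentional, but the class doc comment should state it, for example `Only an exact Pattern.LITERAL second argument is recognised; combined flag expressions are not.` Separately, the comment in `DefaultRegexInjectionSink` ("direct regex creation, not regex uses") reads oddly next to a list made up entirely of `regex-use` kinds; it should say what the bracketed suffixes select.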
|
|
@ -0,0 +1,17 @@
|
|||
/** Provides configurations to be used in queries related to regex injection. */
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.regexp.RegexInjection
|
||||
|
||||
/** A taint-tracking configuration for untrusted user input used to construct regular expressions. */
|
||||
class RegexInjectionConfiguration extends TaintTracking::Configuration {
|
||||
RegexInjectionConfiguration() { this = "RegexInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
|
||||
}
|
|
@ -381,6 +381,15 @@ class DeclaredRepository extends PomElement {
|
|||
* be the string contents of that tag.
|
||||
*/
|
||||
string getRepositoryUrl() { result = this.getAChild("url").(PomElement).getValue() }
|
||||
|
||||
/**
|
||||
* Holds if this repository is disabled in both the `releases` and `snapshots` policies.
|
||||
*/
|
||||
predicate isDisabled() {
|
||||
forex(PomElement policy | policy = this.getAChild(["releases", "snapshots"]) |
|
||||
policy.getAChild("enabled").(PomElement).getValue() = "false"
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
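Review bot: `isDisabled()` holds when only one of the two policies is declared and disabled, because `forex` ranges over the `releases`/`snapshots` children that exist rather than requiring both. A repository with only `<releases><enabled>false</enabled></releases>` would then count as disabled, although Maven, as far as I know, treats an omitted policy as enabled. Snapshots could still be fetched over plain HTTP or FTP, while the alert is suppressed where `isInsecureRepositoryUsage` adds `not repository.isDisabled()` (the later hunk at `@ -17,7 +17,8 @@`). Requiring each policy by name matches the doc comment: `forall(string name | name = ["releases", "snapshots"] | this.getAChild(name).getAChild("enabled").(PomElement).getValue() = "false")`. The enclosing class `DeclaredRepository` starts outside this hunk.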
|
||||
|
|
|
@ -1,3 +1,10 @@
|
|||
## 0.4.4
|
||||
|
||||
### New Queries
|
||||
|
||||
* The query `java/insufficient-key-size` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/4926).
|
||||
* Added a new query, `java/android/sensitive-keyboard-cache`, to detect instances of sensitive information possibly being saved to the Android keyboard cache.
|
||||
|
||||
## 0.4.3
|
||||
|
||||
No user-facing changes.
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
import java.util.regex.Pattern;
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
public class RegexInjectionDemo extends HttpServlet {
|
||||
|
||||
public boolean badExample(javax.servlet.http.HttpServletRequest request) {
|
||||
String regex = request.getParameter("regex");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
// BAD: Unsanitized user input is used to construct a regular expression
|
||||
return input.matches(regex);
|
||||
}
|
||||
|
||||
public boolean goodExample(javax.servlet.http.HttpServletRequest request) {
|
||||
String regex = request.getParameter("regex");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
// GOOD: User input is sanitized before constructing the regex
|
||||
return input.matches(Pattern.quote(regex));
|
||||
}
|
||||
}
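Review bot: Both methods dereference `input` without a null check, and `request.getParameter` returns null when the parameter is absent, so `input.matches(...)` throws a `NullPointerException` for a request without `input`. `Pattern.quote(regex)` in `goodExample` fails the same way on a missing `regex`. This file appears to be the sample shown in the query help, so readers are likely to copy it; a guard such as `if (regex == null || input == null) return false;` at the top of each method would keep it robust. The `HttpServletRequest` import is also unused, because the signatures spell out `javax.servlet.http.HttpServletRequest`; the short name would be tidier.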
|
|
@ -15,25 +15,25 @@ perform a Denial of Service attack.
|
|||
<recommendation>
|
||||
<p>
|
||||
Before embedding user input into a regular expression, use a sanitization function
|
||||
to escape meta-characters that have special meaning.
|
||||
such as <code>Pattern.quote</code> to escape meta-characters that have special meaning.
|
||||
</p>
|
||||
</recommendation>
|
||||
|
||||
<example>
|
||||
<p>
|
||||
The following example shows a HTTP request parameter that is used to construct a regular expression:
|
||||
The following example shows an HTTP request parameter that is used to construct a regular expression.
|
||||
</p>
|
||||
<sample src="RegexInjection.java" />
|
||||
<p>
|
||||
In the first case the user-provided regex is not escaped.
|
||||
If a malicious user provides a regex that has exponential worst case performance,
|
||||
If a malicious user provides a regex whose worst-case performance is exponential,
|
||||
then this could lead to a Denial of Service.
|
||||
</p>
|
||||
<p>
|
||||
In the second case, the user input is escaped using <code>escapeSpecialRegexChars</code> before being included
|
||||
In the second case, the user input is escaped using <code>Pattern.quote</code> before being included
|
||||
in the regular expression. This ensures that the user cannot insert characters which have a special
|
||||
meaning in regular expressions.
|
||||
</p>
|
||||
<sample src="RegexInjection.java" />
|
||||
</example>
|
||||
|
||||
<references>
|
||||
|
@ -44,5 +44,8 @@ OWASP:
|
|||
<li>
|
||||
Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
|
||||
</li>
|
||||
<li>
|
||||
Java API Specification: <a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)">Pattern.quote</a>.
|
||||
</li>
|
||||
</references>
|
||||
</qhelp>
|
|
@ -0,0 +1,23 @@
|
|||
/**
|
||||
* @name Regular expression injection
|
||||
* @description User input should not be used in regular expressions without first being escaped,
|
||||
* otherwise a malicious user may be able to provide a regex that could require
|
||||
* exponential time on certain inputs.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 7.5
|
||||
* @precision high
|
||||
* @id java/regex-injection
|
||||
* @tags security
|
||||
* external/cwe/cwe-730
|
||||
* external/cwe/cwe-400
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.regexp.RegexInjectionQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfiguration c
|
||||
where c.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
|
||||
source.getNode(), "user-provided value"
|
|
@ -17,7 +17,8 @@ import java
|
|||
import semmle.code.xml.MavenPom
|
||||
|
||||
predicate isInsecureRepositoryUsage(DeclaredRepository repository) {
|
||||
repository.getRepositoryUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*")
|
||||
repository.getRepositoryUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*") and
|
||||
not repository.isDisabled()
|
||||
}
|
||||
|
||||
from DeclaredRepository repository
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
category: newQuery
|
||||
---
|
||||
* Added a new query, `java/android/sensitive-keyboard-cache`, to detect instances of sensitive information possibly being saved to the keyboard cache.
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
category: newQuery
|
||||
---
|
||||
* The query, `java/regex-injection`, has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @edvraa](https://github.com/github/codeql/pull/5704).
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query `java/maven/non-https-url` no longer alerts about disabled repositories.
|
|
@ -1,4 +1,6 @@
|
|||
---
|
||||
category: newQuery
|
||||
---
|
||||
## 0.4.4
|
||||
|
||||
### New Queries
|
||||
|
||||
* The query `java/insufficient-key-size` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/4926).
|
||||
* Added a new query, `java/android/sensitive-keyboard-cache`, to detect instances of sensitive information possibly being saved to the Android keyboard cache.
|
|
@ -1,2 +1,2 @@
|
|||
---
|
||||
lastReleaseVersion: 0.4.3
|
||||
lastReleaseVersion: 0.4.4
|
||||
|
|
|
@ -1,38 +0,0 @@
|
|||
package com.example.demo;
|
||||
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
@RestController
|
||||
public class DemoApplication {
|
||||
|
||||
@GetMapping("/string1")
|
||||
public String string1(@RequestParam(value = "input", defaultValue = "test") String input,
|
||||
@RequestParam(value = "pattern", defaultValue = ".*") String pattern) {
|
||||
// BAD: Unsanitized user input is used to construct a regular expression
|
||||
if (input.matches("^" + pattern + "=.*$"))
|
||||
return "match!";
|
||||
|
||||
return "doesn't match!";
|
||||
}
|
||||
|
||||
@GetMapping("/string2")
|
||||
public String string2(@RequestParam(value = "input", defaultValue = "test") String input,
|
||||
@RequestParam(value = "pattern", defaultValue = ".*") String pattern) {
|
||||
// GOOD: User input is sanitized before constructing the regex
|
||||
if (input.matches("^" + escapeSpecialRegexChars(pattern) + "=.*$"))
|
||||
return "match!";
|
||||
|
||||
return "doesn't match!";
|
||||
}
|
||||
|
||||
Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><-=!.+*?^$\\\\|]");
|
||||
|
||||
String escapeSpecialRegexChars(String str) {
|
||||
return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
|
||||
}
|
||||
}
|
|
@ -1,89 +0,0 @@
|
|||
/**
|
||||
* @name Regular expression injection
|
||||
* @description User input should not be used in regular expressions without first being sanitized,
|
||||
* otherwise a malicious user may be able to provide a regex that could require
|
||||
* exponential time on certain inputs.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id java/regex-injection
|
||||
* @tags security
|
||||
* external/cwe/cwe-730
|
||||
* external/cwe/cwe-400
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import DataFlow::PathGraph
|
||||
|
||||
/**
|
||||
* A data flow sink for untrusted user input used to construct regular expressions.
|
||||
*/
|
||||
class RegexSink extends DataFlow::ExprNode {
|
||||
RegexSink() {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
(
|
||||
m.getDeclaringType() instanceof TypeString and
|
||||
(
|
||||
ma.getArgument(0) = this.asExpr() and
|
||||
m.hasName(["matches", "split", "replaceFirst", "replaceAll"])
|
||||
)
|
||||
or
|
||||
m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
|
||||
(
|
||||
ma.getArgument(0) = this.asExpr() and
|
||||
m.hasName(["compile", "matches"])
|
||||
)
|
||||
or
|
||||
m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
|
||||
(
|
||||
ma.getArgument(1) = this.asExpr() and
|
||||
m.getParameterType(1) instanceof TypeString and
|
||||
m.hasName([
|
||||
"removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst",
|
||||
"replacePattern"
|
||||
])
|
||||
)
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
abstract class Sanitizer extends DataFlow::ExprNode { }
|
||||
|
||||
/**
|
||||
* A call to a function whose name suggests that it escapes regular
|
||||
* expression meta-characters.
|
||||
*/
|
||||
class RegExpSanitizationCall extends Sanitizer {
|
||||
RegExpSanitizationCall() {
|
||||
exists(string calleeName, string sanitize, string regexp |
|
||||
calleeName = this.asExpr().(Call).getCallee().getName() and
|
||||
sanitize = "(?:escape|saniti[sz]e)" and
|
||||
regexp = "regexp?"
|
||||
|
|
||||
calleeName
|
||||
.regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
|
||||
".*)")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for untrusted user input used to construct regular expressions.
|
||||
*/
|
||||
class RegexInjectionConfiguration extends TaintTracking::Configuration {
|
||||
RegexInjectionConfiguration() { this = "RegexInjectionConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof RegexSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfiguration c
|
||||
where c.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
|
||||
source.getNode(), "user-provided value"
|
|
@ -1,5 +1,5 @@
|
|||
name: codeql/java-queries
|
||||
version: 0.4.4-dev
|
||||
version: 0.4.5-dev
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
|
|
@ -1,73 +0,0 @@
|
|||
edges
|
||||
| RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... |
|
||||
| RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern |
|
||||
| RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern |
|
||||
| RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern |
|
||||
| RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern |
|
||||
| RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern |
|
||||
| RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern |
|
||||
| RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:36:68:42 | pattern : String |
|
||||
| RegexInjection.java:68:32:68:43 | foo(...) : String | RegexInjection.java:68:26:68:52 | ... + ... |
|
||||
| RegexInjection.java:68:36:68:42 | pattern : String | RegexInjection.java:68:32:68:43 | foo(...) : String |
|
||||
| RegexInjection.java:68:36:68:42 | pattern : String | RegexInjection.java:71:14:71:23 | str : String |
|
||||
| RegexInjection.java:71:14:71:23 | str : String | RegexInjection.java:72:12:72:14 | str : String |
|
||||
| RegexInjection.java:84:22:84:52 | getParameter(...) : String | RegexInjection.java:90:26:90:47 | ... + ... |
|
||||
| RegexInjection.java:100:22:100:52 | getParameter(...) : String | RegexInjection.java:103:40:103:46 | pattern |
|
||||
| RegexInjection.java:107:22:107:52 | getParameter(...) : String | RegexInjection.java:110:42:110:48 | pattern |
|
||||
| RegexInjection.java:114:22:114:52 | getParameter(...) : String | RegexInjection.java:117:44:117:50 | pattern |
|
||||
| RegexInjection.java:121:22:121:52 | getParameter(...) : String | RegexInjection.java:124:41:124:47 | pattern |
|
||||
| RegexInjection.java:128:22:128:52 | getParameter(...) : String | RegexInjection.java:131:43:131:49 | pattern |
|
||||
| RegexInjection.java:143:22:143:52 | getParameter(...) : String | RegexInjection.java:146:45:146:51 | pattern |
|
||||
nodes
|
||||
| RegexInjection.java:13:22:13:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:16:26:16:47 | ... + ... | semmle.label | ... + ... |
|
||||
| RegexInjection.java:20:22:20:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:23:24:23:30 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:27:22:27:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:30:31:30:37 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:34:22:34:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:37:29:37:35 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:41:22:41:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:44:34:44:40 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:51:22:51:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:54:28:54:34 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:58:22:58:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:61:28:61:34 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:65:22:65:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:68:26:68:52 | ... + ... | semmle.label | ... + ... |
|
||||
| RegexInjection.java:68:32:68:43 | foo(...) : String | semmle.label | foo(...) : String |
|
||||
| RegexInjection.java:68:36:68:42 | pattern : String | semmle.label | pattern : String |
|
||||
| RegexInjection.java:71:14:71:23 | str : String | semmle.label | str : String |
|
||||
| RegexInjection.java:72:12:72:14 | str : String | semmle.label | str : String |
|
||||
| RegexInjection.java:84:22:84:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:90:26:90:47 | ... + ... | semmle.label | ... + ... |
|
||||
| RegexInjection.java:100:22:100:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:103:40:103:46 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:107:22:107:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:110:42:110:48 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:114:22:114:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:117:44:117:50 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:121:22:121:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:124:41:124:47 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:128:22:128:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:131:43:131:49 | pattern | semmle.label | pattern |
|
||||
| RegexInjection.java:143:22:143:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjection.java:146:45:146:51 | pattern | semmle.label | pattern |
|
||||
subpaths
|
||||
| RegexInjection.java:68:36:68:42 | pattern : String | RegexInjection.java:71:14:71:23 | str : String | RegexInjection.java:72:12:72:14 | str : String | RegexInjection.java:68:32:68:43 | foo(...) : String |
|
||||
#select
|
||||
| RegexInjection.java:16:26:16:47 | ... + ... | RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... | This regular expression is constructed from a $@. | RegexInjection.java:13:22:13:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:23:24:23:30 | pattern | RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:20:22:20:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:30:31:30:37 | pattern | RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:27:22:27:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:37:29:37:35 | pattern | RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:34:22:34:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:44:34:44:40 | pattern | RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:41:22:41:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:54:28:54:34 | pattern | RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:51:22:51:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:61:28:61:34 | pattern | RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:58:22:58:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:68:26:68:52 | ... + ... | RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:26:68:52 | ... + ... | This regular expression is constructed from a $@. | RegexInjection.java:65:22:65:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:90:26:90:47 | ... + ... | RegexInjection.java:84:22:84:52 | getParameter(...) : String | RegexInjection.java:90:26:90:47 | ... + ... | This regular expression is constructed from a $@. | RegexInjection.java:84:22:84:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:103:40:103:46 | pattern | RegexInjection.java:100:22:100:52 | getParameter(...) : String | RegexInjection.java:103:40:103:46 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:100:22:100:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:110:42:110:48 | pattern | RegexInjection.java:107:22:107:52 | getParameter(...) : String | RegexInjection.java:110:42:110:48 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:107:22:107:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:117:44:117:50 | pattern | RegexInjection.java:114:22:114:52 | getParameter(...) : String | RegexInjection.java:117:44:117:50 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:114:22:114:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:124:41:124:47 | pattern | RegexInjection.java:121:22:121:52 | getParameter(...) : String | RegexInjection.java:124:41:124:47 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:121:22:121:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:131:43:131:49 | pattern | RegexInjection.java:128:22:128:52 | getParameter(...) : String | RegexInjection.java:131:43:131:49 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:128:22:128:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjection.java:146:45:146:51 | pattern | RegexInjection.java:143:22:143:52 | getParameter(...) : String | RegexInjection.java:146:45:146:51 | pattern | This regular expression is constructed from a $@. | RegexInjection.java:143:22:143:52 | getParameter(...) | user-provided value |
|
|
@ -1 +0,0 @@
|
|||
experimental/Security/CWE/CWE-730/RegexInjection.ql
|
|
@ -1 +0,0 @@
|
|||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7
|
|
@ -2,6 +2,7 @@ package generatedtest;
|
|||
|
||||
import java.io.File;
|
||||
import java.net.URI;
|
||||
import java.nio.file.FileSystem;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
|
||||
|
@ -13,6 +14,119 @@ public class Test {
|
|||
|
||||
public void test() throws Exception {
|
||||
|
||||
{
|
||||
// "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual"
|
||||
File out = null;
|
||||
File in = (File)source();
|
||||
out = new File(in, (String)null);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual"
|
||||
File out = null;
|
||||
String in = (String)source();
|
||||
out = new File(in);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual"
|
||||
File out = null;
|
||||
String in = (String)source();
|
||||
out = new File(in, (String)null);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual"
|
||||
File out = null;
|
||||
URI in = (URI)source();
|
||||
out = new File(in);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual"
|
||||
File out = null;
|
||||
String in = (String)source();
|
||||
out = new File((File)null, in);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual"
|
||||
File out = null;
|
||||
String in = (String)source();
|
||||
out = new File((String)null, in);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;true;getAbsoluteFile;;;Argument[-1];ReturnValue;taint;manual"
|
||||
File out = null;
|
||||
File in = (File)source();
|
||||
out = in.getAbsoluteFile();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;true;getAbsolutePath;;;Argument[-1];ReturnValue;taint;manual"
|
||||
String out = null;
|
||||
File in = (File)source();
|
||||
out = in.getAbsolutePath();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;true;getCanonicalFile;;;Argument[-1];ReturnValue;taint;manual"
|
||||
File out = null;
|
||||
File in = (File)source();
|
||||
out = in.getCanonicalFile();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;true;getCanonicalPath;;;Argument[-1];ReturnValue;taint;manual"
|
||||
String out = null;
|
||||
File in = (File)source();
|
||||
out = in.getCanonicalPath();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;true;toPath;;;Argument[-1];ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
File in = (File)source();
|
||||
out = in.toPath();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;true;toString;;;Argument[-1];ReturnValue;taint;manual"
|
||||
String out = null;
|
||||
File in = (File)source();
|
||||
out = in.toString();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.io;File;true;toURI;;;Argument[-1];ReturnValue;taint;manual"
|
||||
URI out = null;
|
||||
File in = (File)source();
|
||||
out = in.toURI();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;FileSystem;true;getPath;;;Argument[0];ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
String in = (String)source();
|
||||
FileSystem instance = null;
|
||||
out = instance.getPath(in, (String[])null);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint;manual"
|
||||
File out = null;
|
||||
Path in = (Path)source();
|
||||
out = in.toFile();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;Path;true;getParent;;;Argument[-1];ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
Path in = (Path)source();
|
||||
out = in.getParent();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
|
@ -51,10 +165,10 @@ public class Test {
|
|||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;Path;true;toFile;;;Argument[-1];ReturnValue;taint;manual"
|
||||
File out = null;
|
||||
// "java.nio.file;Path;true;toAbsolutePath;;;Argument[-1];ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
Path in = (Path)source();
|
||||
out = in.toFile();
|
||||
out = in.toAbsolutePath();
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
|
@ -72,26 +186,26 @@ public class Test {
|
|||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
|
||||
// "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
String in = (String)source();
|
||||
out = Paths.get(in, (String[])null);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
String[] in = (String[])source();
|
||||
out = Paths.get((String)null, in);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
|
||||
// "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
URI in = (URI)source();
|
||||
out = Paths.get(in);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "java.nio.file;Paths;true;get;;;Argument[1].ArrayElement;ReturnValue;taint;manual"
|
||||
Path out = null;
|
||||
String[] in = (String[])new String[]{(String)source()};
|
||||
out = Paths.get((String)null, in);
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -7,128 +7,119 @@ import javax.servlet.http.HttpServletResponse;
|
|||
import javax.servlet.ServletException;
|
||||
|
||||
import org.apache.commons.lang3.RegExUtils;
|
||||
import com.google.common.base.Splitter;
|
||||
|
||||
public class RegexInjection extends HttpServlet {
|
||||
public class RegexInjectionTest extends HttpServlet {
|
||||
public boolean string1(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.matches("^" + pattern + "=.*$"); // BAD
|
||||
return input.matches("^" + pattern + "=.*$"); // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean string2(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.split(pattern).length > 0; // BAD
|
||||
return input.split(pattern).length > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean string3(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.replaceFirst(pattern, "").length() > 0; // BAD
|
||||
return input.split(pattern, 0).length > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean string4(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.replaceAll(pattern, "").length() > 0; // BAD
|
||||
return input.replaceFirst(pattern, "").length() > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean string5(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.replaceAll(pattern, "").length() > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean pattern1(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
Pattern pt = Pattern.compile(pattern);
|
||||
Pattern pt = Pattern.compile(pattern); // $ hasRegexInjection
|
||||
Matcher matcher = pt.matcher(input);
|
||||
|
||||
return matcher.find(); // BAD
|
||||
return matcher.find();
|
||||
}
|
||||
|
||||
public boolean pattern2(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return Pattern.compile(pattern).matcher(input).matches(); // BAD
|
||||
return Pattern.compile(pattern).matcher(input).matches(); // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean pattern3(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return Pattern.matches(pattern, input); // BAD
|
||||
return Pattern.compile(pattern, 0).matcher(input).matches(); // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean pattern4(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.matches("^" + foo(pattern) + "=.*$"); // BAD
|
||||
}
|
||||
|
||||
String foo(String str) {
|
||||
return str;
|
||||
return Pattern.matches(pattern, input); // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean pattern5(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
// GOOD: User input is sanitized before constructing the regex
|
||||
return input.matches("^" + escapeSpecialRegexChars(pattern) + "=.*$");
|
||||
return input.matches("^" + foo(pattern) + "=.*$"); // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean pattern6(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
escapeSpecialRegexChars(pattern);
|
||||
|
||||
// BAD: the pattern is not really sanitized
|
||||
return input.matches("^" + pattern + "=.*$");
|
||||
}
|
||||
|
||||
Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><-=!.+*?^$\\\\|]");
|
||||
|
||||
String escapeSpecialRegexChars(String str) {
|
||||
return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
|
||||
String foo(String str) {
|
||||
return str;
|
||||
}
|
||||
|
||||
public boolean apache1(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.removeAll(input, pattern).length() > 0; // BAD
|
||||
return RegExUtils.removeAll(input, pattern).length() > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean apache2(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.removeFirst(input, pattern).length() > 0; // BAD
|
||||
return RegExUtils.removeFirst(input, pattern).length() > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean apache3(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.removePattern(input, pattern).length() > 0; // BAD
|
||||
return RegExUtils.removePattern(input, pattern).length() > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean apache4(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.replaceAll(input, pattern, "").length() > 0; // BAD
|
||||
return RegExUtils.replaceAll(input, pattern, "").length() > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean apache5(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.replaceFirst(input, pattern, "").length() > 0; // BAD
|
||||
return RegExUtils.replaceFirst(input, pattern, "").length() > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public boolean apache6(javax.servlet.http.HttpServletRequest request) {
|
||||
|
@ -136,13 +127,40 @@ public class RegexInjection extends HttpServlet {
|
|||
String input = request.getParameter("input");
|
||||
|
||||
Pattern pt = (Pattern)(Object) pattern;
|
||||
return RegExUtils.replaceFirst(input, pt, "").length() > 0; // GOOD, Pattern compile is the sink instead
|
||||
return RegExUtils.replaceFirst(input, pt, "").length() > 0; // Safe: Pattern compile is the sink instead
|
||||
}
|
||||
|
||||
public boolean apache7(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.replacePattern(input, pattern, "").length() > 0; // BAD
|
||||
return RegExUtils.replacePattern(input, pattern, "").length() > 0; // $ hasRegexInjection
|
||||
}
|
||||
|
||||
// test `Pattern.quote` sanitizer
|
||||
public boolean quoteTest(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.matches(Pattern.quote(pattern)); // Safe
|
||||
}
|
||||
|
||||
// test `Pattern.LITERAL` sanitizer
|
||||
public boolean literalTest(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return Pattern.compile(pattern, Pattern.LITERAL).matcher(input).matches(); // Safe
|
||||
}
|
||||
|
||||
public Splitter guava1(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
return Splitter.onPattern(pattern); // $ hasRegexInjection
|
||||
}
|
||||
|
||||
public Splitter guava2(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
// sink is `Pattern.compile`
|
||||
return Splitter.on(Pattern.compile(pattern)); // $ hasRegexInjection
|
||||
}
|
||||
}
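Review bot: The sanitizer cases at the end of the class (`quoteTest`, `literalTest`) only pin the path where the sanitized value is the one that reaches the regex. The earlier `pattern6` case, where the escaping helper is called and its result is discarded, appears to have been dropped along with `escapeSpecialRegexChars`; the page has lost its `+`/`-` markers, so that reading is inferred. A negative case for the new sanitizer would keep that coverage: `Pattern.quote(pattern);` followed by `return input.matches(pattern); // $ hasRegexInjection`. A combined-flags case such as `Pattern.compile(pattern, Pattern.LITERAL | Pattern.CASE_INSENSITIVE)` would also document whether the `Pattern.LITERAL` sanitizer recognises anything beyond the bare flag that `literalTest` uses.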
|
|
@ -0,0 +1,20 @@
|
|||
import java
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
import semmle.code.java.security.regexp.RegexInjectionQuery
|
||||
|
||||
class RegexInjectionTest extends InlineExpectationsTest {
|
||||
RegexInjectionTest() { this = "RegexInjectionTest" }
|
||||
|
||||
override string getARelevantTag() { result = "hasRegexInjection" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasRegexInjection" and
|
||||
exists(DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfiguration c |
|
||||
c.hasFlowPath(source, sink)
|
||||
|
|
||||
location = sink.getNode().getLocation() and
|
||||
element = sink.getNode().toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
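Review bot: In `hasActualResult` the `source` path node is bound only to be discarded, and the expectation needs nothing from the sink beyond its location and string form, so the `PathNode` form computes more than the test uses. Plain nodes would say the same thing more directly: `exists(DataFlow::Node sink, RegexInjectionConfiguration c | c.hasFlowTo(sink) |` with `location = sink.getLocation() and` and `element = sink.toString() and` in the body. Because `value = ""`, each `// $ hasRegexInjection` annotation asserts only that some flow reaches a sink on that line, which a short QLDoc comment on the class could state.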
|
|
@ -1 +1 @@
|
|||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/guava-30.0
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7
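Review bot: The longer classpath line lists `${testdir}/../../../stubs/servlet-api-2.4` twice, once before and once after the guava stub. It is presumably the new side, though the page has lost its `+`/`-` markers. The duplicate entry does not change what javac resolves, but it makes the option harder to read and invites drift the next time a stub is added. The line could read `// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/apache-commons-lang3-3.7`.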
|
||||
|
|