github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Add combined changelogs for 2.15.3 and backfill historic versions

This commit is contained in:
Pierre 2023-11-22 15:05:17 +01:00 коммит произвёл Felicity Chapman
Родитель 483f4c3ce9
Коммит cedb91ba0d
76 изменённых файлов: 8547 добавлений и 6 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

178
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.0.rst Normal file
Просмотреть файл

@ -0,0 +1,178 @@
.. _codeql-cli-2.10.0:
==========================
CodeQL 2.10.0 (2022-06-27)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.10.0 runs a total of 339 security queries when configured with the Default suite (covering 142 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 4 security queries have been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The :code:`--format=stats` option of :code:`codeql generate log-summary` has been renamed to :code:`--format=overall`. It now produces a richer JSON object that, in addition to the previous statistics about the run (which can be found in the :code:`stats` property) also records the most expensive predicates in the evaluation run.
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :code:`codeql resolve ml-model` command now requires one or more query specifications as command line arguments in order to determine the set of starting packs from which to initiate the resolution process. The command will locate all ML models in any qlpack that is a transitive dependency of any of the starting packs. Also, the output of the command has been expanded to include for each model the containing package's name, version, and path.
* The :code:`buildMetadata` inside of compiled CodeQL packs no longer contains a :code:`creationTime` property. This was removed in order to ensure that the content of a CodeQL pack is identical when it is re-compiled.
* The :code:`codeql pack download` command, when used with the :code:`--dir` option,
now downloads requested packs in directories corresponding to their version numbers. Previously,
:code:`codeql pack download --dir ./somewhere codeql/java-queries@0.1.2` would download the pack into the :code:`./somewhere/codeql/java-queries` directory. Now, it will download the pack into the
:code:`./somewhere/codeql/java-queries/0.1.2` directory. This allows you to download multiple versions of the same pack using a single command.
Bug Fixes
~~~~~~~~~
* Fixed a bug where :code:`codeql pack download`, when used with the :code:`--dir` option, would not download a pack that is in the global package cache.
* Fixed a bug where some versions of a CodeQL package could not be downloaded if there are more than 100 versions of this package in the package registry.
* Fixed a bug where the :code:`--also-match` option for :code:`codeql resolve files` and :code:`codeql database index-files` does not work with relative paths.
* Fixed a bug that caused :code:`codeql query decompile` to ignore the
:code:`--output` option when producing bytecode output (:code:`--kind=bytecode`),
writing only to :code:`stdout`.
New Features
~~~~~~~~~~~~
* You can now include diagnostic messages in the summary produced by the :code:`--print-diagnostics-summary` option of the
:code:`codeql database interpret-results` and :code:`codeql database analyze` commands by running these commands at high verbosity levels.
Query Packs
-----------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* Improved library modeling for the query "Request without certificate validation" (:code:`py/request-without-cert-validation`), so it now also covers :code:`httpx`, :code:`aiohttp.client`, and :code:`urllib3`.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called :code:`provenance` has been introduced, where the allowed values are :code:`manual` and :code:`generated`. The value used to indicate whether a model as been written by hand (:code:`manual`) or create by the CSV model generator (:code:`generated`).
* All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
Java
""""
* The query :code:`java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/resource-exhaustion` query no longer treats the 3-argument version of :code:`Buffer.from` as a sink,
since it does not allocate a new buffer.
Python
""""""
* The query "Use of a broken or weak cryptographic algorithm" (:code:`py/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
Ruby
""""
* The query "Use of a broken or weak cryptographic algorithm" (:code:`rb/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
New Queries
~~~~~~~~~~~
Ruby
""""
* Added a new query, :code:`rb/improper-memoization`. The query finds cases where the parameter of a memoization method is not used in the memoization key.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The :code:`kind` query metadata was changed to :code:`diagnostic` on :code:`cs/compilation-error`, :code:`cs/compilation-message`, :code:`cs/extraction-error`, and :code:`cs/extraction-message`.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* :code:`UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a :code:`class`, :code:`struct`, or :code:`union`.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 4.7.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Added a flow step for :code:`String.valueOf` calls on tainted :code:`android.text.Editable` objects.
JavaScript/TypeScript
"""""""""""""""""""""
* All new ECMAScript 2022 features are now supported.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
C#
""
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
Golang
""""""
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
Java
""""
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
Python
""""""
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
Ruby
""""
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.

132
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.1.rst Normal file
Просмотреть файл

@ -0,0 +1,132 @@
.. _codeql-cli-2.10.1:
==========================
CodeQL 2.10.1 (2022-07-19)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.10.1 runs a total of 340 security queries when configured with the Default suite (covering 143 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* Improved error message from :code:`codeql database analyze` when a query is missing :code:`@id` or :code:`@kind` query metadata.
Query Packs
-----------
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/cpp-all` package.
C#
""
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/csharp-all` package.
Java
""""
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/java-all` package.
JavaScript/TypeScript
"""""""""""""""""""""
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/javascript-all` package.
Python
""""""
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/python-all` package.
Ruby
""""
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/ruby-all` package.
New Queries
~~~~~~~~~~~
Java
""""
* A new query "Improper verification of intent by broadcast receiver" (:code:`java/improper-intent-verification`) has been added.
This query finds instances of Android :code:`BroadcastReceiver`\ s that don't verify the action string of received intents when registered to receive system intents.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* :code:`AnalysedExpr::isNullCheck` and :code:`AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
Java
""""
* Added data-flow models for :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
* Added :code:`Modifier.isInline()`.
* Removed Kotlin-specific database and QL structures for loops and :code:`break`\ /\ :code:`continue` statements. The Kotlin extractor was changed to reuse the Java structures for these constructs.
* Added additional flow sources for uses of external storage on Android.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`chownr` library is now modeled as a sink for the :code:`js/path-injection` query.
* Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
* The :code:`gray-matter` library is now modeled as a sink for the :code:`js/code-injection` query.
Python
""""""
* Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
Ruby
""""
* Fixed a bug causing every expression in the database to be considered a system-command execution sink when calls to any of the following methods exist:
* The :code:`spawn`, :code:`fspawn`, :code:`popen4`, :code:`pspawn`, :code:`system`, :code:`_pspawn` methods and the backtick operator from the :code:`POSIX::spawn` gem.
* The :code:`execute_command`, :code:`rake`, :code:`rails_command`, and :code:`git` methods in :code:`Rails::Generation::Actions`.
* Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
Deprecated APIs
~~~~~~~~~~~~~~~
Python
""""""
* The documentation of API graphs (the :code:`API` module) has been expanded, and some of the members predicates of :code:`API::Node` have been renamed as follows:
* :code:`getAnImmediateUse` -> :code:`asSource`
* :code:`getARhs` -> :code:`asSink`
* :code:`getAUse` -> :code:`getAValueReachableFromSource`
* :code:`getAValueReachingRhs` -> :code:`getAValueReachingSink`
New Features
~~~~~~~~~~~~
Java
""""
* Added an :code:`ErrorType` class. An instance of this class will be used if an extractor is unable to extract a type, or if an up/downgrade script is unable to provide a type.

105
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.2.rst Normal file
Просмотреть файл

@ -0,0 +1,105 @@
.. _codeql-cli-2.10.2:
==========================
CodeQL 2.10.2 (2022-08-02)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.10.2 runs a total of 341 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The option :code:`--compiler-spec` to :code:`codeql database create` (and
:code:`codeql database trace-command`) no longer works. It is replaced by
:code:`--extra-tracing-config`, which accepts a tracer configuration file in the new, Lua-based tracer configuration format instead. See
:code:`tools/tracer/base.lua` for the precise API available. If you need help help porting your existing compiler specification files, please file a public issue in https://github.com/github/codeql-cli-binaries,
or open a private ticket with GitHub support and request an escalation to engineering.
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Versions of the CodeQL extension for Visual Studio Code released before February 2021 may not work correctly with this CLI, in particular if database upgrades are necessary. We recommend keeping your VS Code extension up-to-date.
Deprecations
~~~~~~~~~~~~
* The experimental :code:`codeql resolve ml-models` command has been deprecated. Advanced users calling this command should use the new
:code:`codeql resolve extensions` command instead.
New Features
~~~~~~~~~~~~
* The :code:`codeql github upload-results` command now supports a :code:`--merge` option. If this option is provided, the command will accept the paths to multiple SARIF files, and will merge those files before uploading them as a single analysis. This option is recommended *only* for backwards compatibility with old analyses produced by the CodeQL Runner, which combined the results for multiple languages into a single analysis.
Query Packs
-----------
Breaking Changes
~~~~~~~~~~~~~~~~
Python
""""""
* Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/python-all` package.
New Queries
~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* A new query "Case-sensitive middleware path" (:code:`js/case-sensitive-middleware-path`) has been added.
It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path.
Ruby
""""
* Added a new experimental query, :code:`rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.
* Added a new experimental query, :code:`rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* Under certain circumstances a variable declaration that is not also a definition could be associated with a :code:`Variable` that did not have the definition as a :code:`VariableDeclarationEntry`. This is now fixed, and a unique :code:`Variable` will exist that has both the declaration and the definition as a :code:`VariableDeclarationEntry`.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The JUnit5 version of :code:`AssertNotNull` is now recognized, which removes related false positives in the nullness queries.
* Added data flow models for :code:`java.util.Scanner`.
Ruby
""""
* Calls to :code:`Arel.sql` are now recognised as propagating taint from their argument.
* Calls to :code:`ActiveRecord::Relation#annotate` are now recognized as :code:`SqlExecution`\ s so that it will be considered as a sink for queries like rb/sql-injection.
New Features
~~~~~~~~~~~~
Java
""""
* The QL predicate :code:`Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.

111
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.3.rst Normal file
Просмотреть файл

@ -0,0 +1,111 @@
.. _codeql-cli-2.10.3:
==========================
CodeQL 2.10.3 (2022-08-15)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.10.3 runs a total of 342 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* When called with :code:`--start-tracing`, the :code:`codeql database init` command now accepts extractor options for the indirect tracing environment via
:code:`--extractor-option`. Users should continue to specify extractor options for direct tracing environments by passing them to
:code:`codeql database trace-command` invocations.
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.
Query Packs
-----------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The query :code:`java/sensitive-log` has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The query :code:`cpp/bad-strncpy-size` now covers more :code:`strncpy`\ -like functions than before, including :code:`strxfrm`(:code:`_l`), :code:`wcsxfrm`(:code:`_l`), and :code:`stpncpy`. Users of this query may see an increase in results.
Golang
""""""
* The query :code:`go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
Java
""""
* The query :code:`java/path-injection` now recognises vulnerable APIs defined using the :code:`SinkModelCsv` class with the :code:`create-file` type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
New Queries
~~~~~~~~~~~
Java
""""
* A new query "Android :code:`WebView` that accepts all certificates" (:code:`java/improper-webview-certificate-validation`) has been added. This query finds implementations of :code:`WebViewClient`\ s that accept all certificates in the case of an SSL error.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Improved analysis of the Android class :code:`AsyncTask` so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
* Added a data-flow model for the :code:`setProperty` method of :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
Python
""""""
* Change :code:`.getASubclass()` on :code:`API::Node` so it allows to follow subclasses even if the class has a class decorator.
Ruby
""""
* Calls to methods generated by ActiveRecord associations are now recognised as instantiations of ActiveRecord objects. This increases the sensitivity of queries such as :code:`rb/sql-injection` and :code:`rb/stored-xss`.
* Calls to :code:`ActiveRecord::Base.create` and :code:`ActiveRecord::Base.update` are now recognised as write accesses.
* Arguments to :code:`Mime::Type#match?` and :code:`Mime::Type#=~` are now recognised as regular expression sources.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added a predicate :code:`getValueConstant` to :code:`AttributeArgument` that yields the argument value as an :code:`Expr` when the value is a constant expression.
* A new class predicate :code:`MustFlowConfiguration::allowInterproceduralFlow` has been added to the :code:`semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.
* Added subclasses of :code:`BuiltInOperations` for :code:`__builtin_bit_cast`, :code:`__builtin_shuffle`, :code:`__has_unique_object_representations`, :code:`__is_aggregate`, and :code:`__is_assignable`.

216
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.4.rst Normal file
Просмотреть файл

@ -0,0 +1,216 @@
.. _codeql-cli-2.10.4:
==========================
CodeQL 2.10.4 (2022-08-31)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.10.4 runs a total of 352 security queries when configured with the Default suite (covering 146 CWE). The Extended suite enables an additional 106 queries (covering 30 more CWE). 12 security queries have been added with this release.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Cleartext storage of sensitive information in buffer" (:code:`cpp/cleartext-storage-buffer`) query has been improved to produce fewer false positives.
C#
""
* Parameters of delegates passed to routing endpoint calls like :code:`MapGet` in ASP.NET Core are now considered remote flow sources.
* The query :code:`cs/unsafe-deserialization-untrusted-input` is not reporting on all calls of :code:`JsonConvert.DeserializeObject` any longer, it only covers cases that explicitly use unsafe serialization settings.
* Added better support for the SQLite framework in the SQL injection query.
* File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
Java
""""
* The query :code:`java/static-initialization-vector` no longer requires a :code:`Cipher` object to be initialized with :code:`ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.
* Improved sanitizers for :code:`java/sensitive-log`, which removes some false positives and improves performance a bit.
New Queries
~~~~~~~~~~~
Java
""""
* Added a new query, :code:`java/android/implicitly-exported-component`, to detect if components are implicitly exported in the Android manifest.
* A new query "Use of RSA algorithm without OAEP" (:code:`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.
* Added a new query, :code:`java/android/debuggable-attribute-enabled`, to detect if the :code:`android:debuggable` attribute is enabled in the Android manifest.
* The query "Using a static initialization vector for encryption" (:code:`java/static-initialization-vector`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @artem-smotrakov <https://github.com/github/codeql/pull/6357>`__.
* A new query :code:`java/partial-path-traversal` finds partial path traversal vulnerabilities resulting from incorrectly using
:code:`String#startsWith` to compare canonical paths.
* Added a new query, :code:`java/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
too many characters.
JavaScript/TypeScript
"""""""""""""""""""""
* Added a new query, :code:`py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
too many characters.
Python
""""""
* Added a new query, :code:`py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
too many characters.
Ruby
""""
* Added a new query, :code:`rb/log-injection`, to detect cases where a malicious user may be able to forge log entries.
* Added a new query, :code:`rb/incomplete-multi-character-sanitization`. The query finds string transformations that do not replace all occurrences of a multi-character substring.
* Added a new query, :code:`rb/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
too many characters.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The queries :code:`java/redos` and :code:`java/polynomial-redos` now have a tag for CWE-1333.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed that top-level :code:`for await` statements would produce a syntax error. These statements are now parsed correctly.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
C#
""
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Golang
""""""
* Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release.
* Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
* Fixed data-flow to captured variable references.
* We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow.
Java
""""
* Added new flow steps for the classes :code:`java.nio.file.Path` and :code:`java.nio.file.Paths`.
* The class :code:`AndroidFragment` now also models the Android Jetpack version of the :code:`Fragment` class (:code:`androidx.fragment.app.Fragment`).
* Java 19 builds can now be extracted. There are no non-preview new language features in this release, so the only user-visible change is that the CodeQL extractor will now correctly trace compilations using the JDK 19 release of :code:`javac`.
* Classes and methods that are seen with several different paths during the extraction process (for example, packaged into different JAR files) now report an arbitrarily selected location via their :code:`getLocation` and :code:`hasLocationInfo` predicates, rather than reporting all of them. This may lead to reduced alert duplication.
* The query :code:`java/hardcoded-credential-api-call` now recognises methods that consume usernames, passwords and keys from the JSch, Ganymed, Apache SSHD, sshj, Trilead SSH-2, Apache FTPClient and MongoDB projects.
JavaScript/TypeScript
"""""""""""""""""""""
* Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Python
""""""
* Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Ruby
""""
* Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
* Calls to :code:`render` in Rails controllers and views are now recognized as HTTP response bodies.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
C#
""
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Java
""""
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
* The utility files previously in the :code:`semmle.code.java.security.performance` package have been moved to the :code:`semmle.code.java.security.regexp` package.
The previous files still exist as deprecated aliases.
JavaScript/TypeScript
"""""""""""""""""""""
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
* The utility files previously in the :code:`semmle.javascript.security.performance` package have been moved to the :code:`semmle.javascript.security.regexp` package.
The previous files still exist as deprecated aliases.
Python
""""""
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
* The utility files previously in the :code:`semmle.python.security.performance` package have been moved to the :code:`semmle.python.security.regexp` package.
The previous files still exist as deprecated aliases.
Ruby
""""
* The utility files previously in the :code:`codeql.ruby.security.performance` package have been moved to the :code:`codeql.ruby.security.regexp` package.
The previous files still exist as deprecated aliases.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added support for getting the link targets of global and namespace variables.
* Added a :code:`BlockAssignExpr` class, which models a :code:`memcpy`\ -like operation used in compiler generated copy/move constructors and assignment operations.
Java
""""
* Added a new predicate, :code:`requiresPermissions`, in the :code:`AndroidComponentXmlElement` and :code:`AndroidApplicationXmlElement` classes to detect if the element has explicitly set a value for its :code:`android:permission` attribute.
* Added a new predicate, :code:`hasAnIntentFilterElement`, in the :code:`AndroidComponentXmlElement` class to detect if a component contains an intent filter element.
* Added a new predicate, :code:`hasExportedAttribute`, in the :code:`AndroidComponentXmlElement` class to detect if a component has an :code:`android:exported` attribute.
* Added a new class, :code:`AndroidCategoryXmlElement`, to represent a category element in an Android manifest file.
* Added a new predicate, :code:`getACategoryElement`, in the :code:`AndroidIntentFilterXmlElement` class to get a category element of an intent filter.
* Added a new predicate, :code:`isInBuildDirectory`, in the :code:`AndroidManifestXmlFile` class. This predicate detects if the manifest file is located in a build directory.
* Added a new predicate, :code:`isDebuggable`, in the :code:`AndroidApplicationXmlElement` class. This predicate detects if the application element has its :code:`android:debuggable` attribute enabled.

20
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.5.rst Normal file
Просмотреть файл

@ -0,0 +1,20 @@
.. _codeql-cli-2.10.5:
==========================
CodeQL 2.10.5 (2022-09-13)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* You can now define which registries should be used for downloading and publishing CodeQL packs on a per-workspace basis by creating a :code:`codeql-workspace.yml` file and adding a :code:`registries` block. For more infomation, see `About CodeQL Workspaces <https://codeql.github.com/docs/codeql-cli/about-codeql-workspaces/>`__.

365
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.0.rst Normal file
Просмотреть файл

@ -0,0 +1,365 @@
.. _codeql-cli-2.11.0:
==========================
CodeQL 2.11.0 (2022-09-28)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.11.0 runs a total of 353 security queries when configured with the Default suite (covering 148 CWE). The Extended suite enables an additional 109 queries (covering 30 more CWE). 4 security queries have been added with this release.
CodeQL CLI
----------
Deprecations
~~~~~~~~~~~~
* The CodeQL CLI now uses Python 3 to extract both Python 2 and Python 3 databases. Correspondingly, support for using Python 2 to extract Python databases is now deprecated. Starting with version 2.11.3, you will need to install Python 3 to extract Python databases.
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed a bug in the :code:`js/type-confusion-through-parameter-tampering` query that would cause it to ignore sanitizers in branching conditions. The query should now report fewer false positives.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Modernizations from "Cleartext storage of sensitive information in buffer" (:code:`cpp/cleartext-storage-buffer`) have been ported to the "Cleartext storage of sensitive information in file" (:code:`cpp/cleartext-storage-file`), "Cleartext transmission of sensitive information" (:code:`cpp/cleartext-transmission`) and "Cleartext storage of sensitive information in an SQLite database" (:code:`cpp/cleartext-storage-database`) queries. These changes may result in more correct results and fewer false positive results from these queries.
* The alert message of many queries have been changed to make the message consistent with other languages.
C#
""
* A new extractor option has been introduced for disabling CIL extraction. Either pass :code:`-Ocil=false` to the :code:`codeql` CLI or set the environment variable :code:`CODEQL_EXTRACTOR_CSHARP_OPTION_CIL=false`.
* The alert message of many queries have been changed to make the message consistent with other languages.
Golang
""""""
* The alert message of many queries have been changed to make the message consistent with other languages.
Java
""""
* The Java extractor now populates the :code:`Method` relating to a :code:`MethodAccess` consistently for calls using an explicit and implicit :code:`this` qualifier. Previously if the method :code:`foo` was inherited from a specialised generic type :code:`ParentType<String>`, then an explicit call :code:`this.foo()` would yield a :code:`MethodAccess` whose :code:`getMethod()` accessor returned the bound method :code:`ParentType<String>.foo`, whereas an implicitly-qualified :code:`foo()` :code:`MethodAccess`\ 's :code:`getMethod()` would return the unbound method :code:`ParentType.foo`. Now both scenarios produce a bound method. This means that all data-flow queries may return more results where a relevant path transits a call to such an implicitly-qualified call to a member method with a bound generic type, while queries that inspect the result of :code:`MethodAccess.getMethod()` may need to tolerate bound generic methods in more circumstances. The queries :code:`java/iterator-remove-failure`, :code:`java/non-static-nested-class`, :code:`java/internal-representation-exposure`, :code:`java/subtle-inherited-call` and :code:`java/deprecated-call` have been amended to properly handle calls to bound generic methods, and in some instances may now produce more results in the explicit-\ :code:`this` case as well.
* Added taint model for arguments of :code:`java.net.URI` constructors to the queries :code:`java/path-injection` and :code:`java/path-injection-local`.
* Added new sinks related to Android's :code:`AlarmManager` to the query :code:`java/android/implicit-pendingintents`.
* The alert message of many queries have been changed to make the message consistent with other languages.
JavaScript/TypeScript
"""""""""""""""""""""
* Improved how the JavaScript parser handles ambiguities between plain JavaScript and dialects such as Flow and E4X that use the same file extension. The parser now prefers plain JavaScript if possible, falling back to dialects only if the source code can not be parsed as plain JavaScript. Previously, there were rare cases where parsing would fail because the parser would erroneously attempt to parse dialect-specific syntax in a regular JavaScript file.- The :code:`js/regexp/always-matches` query will no longer report an empty regular expression as always matching, as this is often the intended behavior.
* The alert message of many queries have been changed to make the message consistent with other languages.
Python
""""""
* The alert message of many queries have been changed to make the message consistent with other languages.
Ruby
""""
* The :code:`rb/unsafe-deserialization` query now includes alerts for user-controlled data passed to :code:`Hash.from_trusted_xml`, since that method can deserialize YAML embedded in the XML, which in turn can result in deserialization of arbitrary objects.
* The alert message of many queries have been changed to make the message consistent with other languages.
New Queries
~~~~~~~~~~~
C/C++
"""""
* Added a new medium-precision query, :code:`cpp/missing-check-scanf`, which detects :code:`scanf` output variables that are used without a proper return-value check to see that they were actually written. A variation of this query was originally contributed as an `experimental query by @ihsinme <https://github.com/github/codeql/pull/8246>`__.
Java
""""
* The query "Server-side template injection" (:code:`java/server-side-template-injection`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/5935>`__.
* Added a new query, :code:`java/android/backup-enabled`, to detect if Android applications allow backups.
Ruby
""""
* Added a new query, :code:`rb/hardcoded-data-interpreted-as-code`, to detect cases where hardcoded data is executed as code, a technique associated with backdoors.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* Added the :code:`security-severity` tag and CWE tag to the :code:`go/insecure-hostkeycallback` query.
Java
""""
* Removed the :code:`@security-severity` tag from several queries not in the :code:`Security/` folder that also had missing :code:`security` tags.
Python
""""""
* Added the :code:`security-severity` tag the :code:`py/redos`, :code:`py/polynomial-redos`, and :code:`py/regex-injection` queries.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
C#
""
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Java
""""
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Python
""""""
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Ruby
""""
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
* The :code:`Member.getQualifiedName()` predicate result now includes the qualified name of the declaring type.
JavaScript/TypeScript
"""""""""""""""""""""
* Many library models have been rewritten to use dataflow nodes instead of the AST.
The types of some classes have been changed, and these changes may break existing code.
Other classes and predicates have been renamed, in these cases the old name is still available as a deprecated feature.
* The basetype of the following list of classes has changed from an expression to a dataflow node, and thus code using these classes might break.
The fix to these breakages is usually to use :code:`asExpr()` to get an expression from a dataflow node, or to use :code:`.flow()` to get a dataflow node from an expression.
* DOM.qll#WebStorageWrite
* CryptoLibraries.qll#CryptographicOperation
* Express.qll#Express::RequestBodyAccess
* HTTP.qll#HTTP::ResponseBody
* HTTP.qll#HTTP::CookieDefinition
* HTTP.qll#HTTP::ServerDefinition
* HTTP.qll#HTTP::RouteSetup
* NoSQL.qll#NoSql::Query
* SQL.qll#SQL::SqlString
* SQL.qll#SQL::SqlSanitizer
* HTTP.qll#ResponseBody
* HTTP.qll#CookieDefinition
* HTTP.qll#ServerDefinition
* HTTP.qll#RouteSetup
* HTTP.qll#HTTP::RedirectInvocation
* HTTP.qll#RedirectInvocation
* Express.qll#Express::RouterDefinition
* AngularJSCore.qll#LinkFunction
* Connect.qll#Connect::StandardRouteHandler
* CryptoLibraries.qll#CryptographicKeyCredentialsExpr
* AWS.qll#AWS::Credentials
* Azure.qll#Azure::Credentials
* Connect.qll#Connect::Credentials
* DigitalOcean.qll#DigitalOcean::Credentials
* Express.qll#Express::Credentials
* NodeJSLib.qll#NodeJSLib::Credentials
* PkgCloud.qll#PkgCloud::Credentials
* Request.qll#Request::Credentials
* ServiceDefinitions.qll#InjectableFunctionServiceRequest
* SensitiveActions.qll#SensitiveVariableAccess
* SensitiveActions.qll#CleartextPasswordExpr
* Connect.qll#Connect::ServerDefinition
* Restify.qll#Restify::ServerDefinition
* Connect.qll#Connect::RouteSetup
* Express.qll#Express::RouteSetup
* Fastify.qll#Fastify::RouteSetup
* Hapi.qll#Hapi::RouteSetup
* Koa.qll#Koa::RouteSetup
* Restify.qll#Restify::RouteSetup
* NodeJSLib.qll#NodeJSLib::RouteSetup
* Express.qll#Express::StandardRouteHandler
* Express.qll#Express::SetCookie
* Hapi.qll#Hapi::RouteHandler
* HTTP.qll#HTTP::Servers::StandardHeaderDefinition
* HTTP.qll#Servers::StandardHeaderDefinition
* Hapi.qll#Hapi::ServerDefinition
* Koa.qll#Koa::AppDefinition
* SensitiveActions.qll#SensitiveCall
Ruby
""""
* :code:`import ruby` no longer brings the standard Ruby AST library into scope; it instead brings a module :code:`Ast` into scope, which must be imported. Alternatively, it is also possible to import :code:`codeql.ruby.AST`.
* Changed the :code:`HTTP::Client::Request` concept from using :code:`MethodCall` as base class, to using :code:`DataFlow::Node` as base class. Any class that extends :code:`HTTP::Client::Request::Range` must be changed, but if you only use the member predicates of :code:`HTTP::Client::Request`, no changes are required.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The virtual dispatch relation used in data flow now favors summary models over source code for dispatch to interface methods from :code:`java.util` unless there is evidence that a specific source implementation is reachable. This should provide increased precision for any projects that include, for example, custom :code:`List` or :code:`Map` implementations.
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 4.8.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Added new sinks to the query :code:`java/android/implicit-pendingintents` to take into account the classes :code:`androidx.core.app.NotificationManagerCompat` and :code:`androidx.core.app.AlarmManagerCompat`.
* Added new flow steps for :code:`androidx.core.app.NotificationCompat` and its inner classes.
* Added flow sinks, sources and summaries for the Kotlin standard library.
* Added flow summary for :code:`org.springframework.data.repository.CrudRepository.save()`.
* Added new flow steps for the following Android classes:
* :code:`android.content.ContentResolver`
* :code:`android.content.ContentProviderClient`
* :code:`android.content.ContentProviderOperation`
* :code:`android.content.ContentProviderOperation$Builder`
* :code:`android.content.ContentProviderResult`
* :code:`android.database.Cursor`
* Added taint flow models for the :code:`java.lang.String.(charAt|getBytes)` methods.
* Improved taint flow models for the :code:`java.lang.String.(replace|replaceFirst|replaceAll)` methods. Additional results may be found where users do not properly sanitize their inputs.
JavaScript/TypeScript
"""""""""""""""""""""
* A model for the :code:`mermaid` library has been added. XSS queries can now detect flow through the :code:`render` method of the :code:`mermaid` library.
Python
""""""
* Changed :code:`CallNode.getArgByName` such that it has results for keyword arguments given after a dictionary unpacking argument, as the :code:`bar=2` argument in :code:`func(foo=1, **kwargs, bar=2)`.
* :code:`getStarArg` member-predicate on :code:`Call` and :code:`CallNode` has been changed for calls that have multiple :code:`*args` arguments (for example :code:`func(42, *my_args, *other_args)`): Instead of producing no results, it will always have a result for the *first* such :code:`*args` argument.
* Reads of global/non-local variables (without annotations) inside functions defined on classes now works properly in the case where the class had an attribute defined with the same name as the non-local variable.
Ruby
""""
* Uses of :code:`ActionView::FileSystemResolver` are now recognized as filesystem accesses.
* Accesses of ActiveResource models are now recognized as HTTP requests.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
C#
""
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Golang
""""""
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Java
""""
* The predicate :code:`Annotation.getAValue()` has been deprecated because it might lead to obtaining the value of the wrong annotation element by accident. :code:`getValue(string)` (or one of the value type specific predicates) should be used to explicitly specify the name of the annotation element.
* The predicate :code:`Annotation.getAValue(string)` has been renamed to :code:`getAnArrayValue(string)`.
* The predicate :code:`SuppressWarningsAnnotation.getASuppressedWarningLiteral()` has been deprecated because it unnecessarily restricts the result type; :code:`getASuppressedWarning()` should be used instead.
* The predicates :code:`TargetAnnotation.getATargetExpression()` and :code:`RetentionAnnotation.getRetentionPolicyExpression()` have been deprecated because getting the enum constant read expression is rarely useful, instead the corresponding predicates for getting the name of the referenced enum constants should be used.
JavaScript/TypeScript
"""""""""""""""""""""
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Python
""""""
* Some unused predicates in :code:`SsaDefinitions.qll`, :code:`TObject.qll`, :code:`protocols.qll`, and the :code:`pointsto/` folder have been deprecated.
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Ruby
""""
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added subclasses of :code:`BuiltInOperations` for :code:`__is_same`, :code:`__is_function`, :code:`__is_layout_compatible`, :code:`__is_pointer_interconvertible_base_of`, :code:`__is_array`, :code:`__array_rank`, :code:`__array_extent`, :code:`__is_arithmetic`, :code:`__is_complete_type`, :code:`__is_compound`, :code:`__is_const`, :code:`__is_floating_point`, :code:`__is_fundamental`, :code:`__is_integral`, :code:`__is_lvalue_reference`, :code:`__is_member_function_pointer`, :code:`__is_member_object_pointer`, :code:`__is_member_pointer`, :code:`__is_object`, :code:`__is_pointer`, :code:`__is_reference`, :code:`__is_rvalue_reference`, :code:`__is_scalar`, :code:`__is_signed`, :code:`__is_unsigned`, :code:`__is_void`, and :code:`__is_volatile`.
Java
""""
* Added a new predicate, :code:`allowsBackup`, in the :code:`AndroidApplicationXmlElement` class. This predicate detects if the application element does not disable the :code:`android:allowBackup` attribute.
* The predicates of the CodeQL class :code:`Annotation` have been improved:
* Convenience value type specific predicates have been added, such as :code:`getEnumConstantValue(string)` or :code:`getStringValue(string)`.
* Convenience predicates for elements with array values have been added, such as :code:`getAnEnumConstantArrayValue(string)`. While the behavior of the existing predicates has not changed, usage of them should be reviewed (or replaced with the newly added predicate) to make sure they work correctly for elements with array values.
* Some internal CodeQL usage of the :code:`Annotation` predicates has been adjusted and corrected; this might affect the results of some queries.
* New predicates have been added to the CodeQL class :code:`Annotatable` to support getting declared and associated annotations. As part of that, :code:`hasAnnotation()` has been changed to also consider inherited annotations, to be consistent with :code:`hasAnnotation(string, string)` and :code:`getAnAnnotation()`. The newly added predicate :code:`hasDeclaredAnnotation()` can be used as replacement for the old functionality.
* New predicates have been added to the CodeQL class :code:`AnnotationType` to simplify getting information about usage of JDK meta-annotations, such as :code:`@Retention`.
Shared Libraries
----------------
Initial Release
~~~~~~~~~~~~~~~
Static Single Assignment (SSA)
""""""""""""""""""""""""""""""
* Initial release. Extracted common SSA code into a library pack to share code between languages.
Database of Common Typographical Errors
"""""""""""""""""""""""""""""""""""""""
* Initial release. Share the database of common typographical errors between languages.

145
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.1.rst Normal file
Просмотреть файл

@ -0,0 +1,145 @@
.. _codeql-cli-2.11.1:
==========================
CodeQL 2.11.1 (2022-10-11)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.11.1 runs a total of 354 security queries when configured with the Default suite (covering 148 CWE). The Extended suite enables an additional 109 queries (covering 30 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* Pack installation using the CodeQL Packaging beta will now fail if a compatible version cannot be found. This replaces the previous behavior where :code:`codeql pack download` and related commands would instead install the latest version of the pack in this situation.
Bug Fixes
~~~~~~~~~
* It is no longer an error to call :code:`codeql pack create <path>` with a :code:`<path>` option pointing to a file name. The CLI will walk up the directory tree and run the command in the first directory containing the :code:`qlpack.yml` or :code:`codeql-pack.yml` file.
* Fixed a concurrency error observed when using :code:`codeql database import` or
:code:`codeql database finalize` with multiple threads and multiple additional databases on a C++ codebase.
Deprecations
~~~~~~~~~~~~
* The :code:`--[no-]count-lines` option to :code:`codeql database create` and related commands is now deprecated and will be removed in a future release of the CodeQL CLI (earliest 2.12.0). It is replaced by
:code:`--[no-]calculate-baseline` to reflect the additional baseline information that is now captured as of this release.
New Features
~~~~~~~~~~~~
* Subcommands that compile QL accept a new :code:`--no-release-compatibility` option. It does nothing for now, but in the future it will be used to control a trade-off between query performance and compatibility with older/newer releases of the QL evaluator.
* :code:`codeql database analyze` and related commands now support absolute paths containing the :code:`@` or :code:`:` characters when specifying which queries to run. To reference a query file, directory, or suite whose path contains a literal :code:`@` or :code:`:`, prefix the query specifier with :code:`path:`, for example:
.. code-block:: shell
codeql database analyze --format=sarif-latest --output=results <db> path:C:/Users/ci/workspace@2/security/query.ql
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
C#
""
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
Java
""""
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
* :code:`PathSanitizer.qll` has been promoted from experimental to the main query pack. This sanitizer was originally `submitted as part of an experimental query by @luchua-bc <https://github.com/github/codeql/pull/7286>`__.
* The queries :code:`java/path-injection`, :code:`java/path-injection-local` and :code:`java/zipslip` now use the sanitizers provided by :code:`PathSanitizer.qll`.
Ruby
""""
* The :code:`rb/xxe` query has been updated to add the following sinks for XML external entity expansion:
#. Calls to parse XML using :code:`LibXML` when its :code:`default_substitute_entities` option is enabled.
#. Uses of the Rails methods :code:`ActiveSupport::XmlMini.parse`, :code:`Hash.from_xml`, and :code:`Hash.from_trusted_xml` when :code:`ActiveSupport::XmlMini` is configured to use :code:`LibXML` as its backend, and its :code:`default_substitute_entities` option is enabled.
New Queries
~~~~~~~~~~~
Java
""""
* Added a new query, :code:`java/android/webview-debugging-enabled`, to detect instances of WebView debugging being enabled in production builds.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* :code:`DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
* ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
Golang
""""""
* Added support for :code:`BeegoInput.RequestBody` as a source of untrusted data.
Java
""""
* Added external flow sources for the intents received in exported Android services.
JavaScript/TypeScript
"""""""""""""""""""""
* Several of the SQL and NoSQL library models have improved, leading to more results for the :code:`js/sql-injection` query,
and in some cases the :code:`js/missing-rate-limiting` query.
Python
""""""
* Added the ability to refer to subscript operations in the API graph. It is now possible to write :code:`response().getMember("cookies").getASubscript()` to find code like :code:`resp.cookies["key"]` (assuming :code:`response` returns an API node for response objects).
* Added modeling of creating Flask responses with :code:`flask.jsonify`.
Ruby
""""
* The following classes have been moved from :code:`codeql.ruby.frameworks.ActionController` to :code:`codeql.ruby.frameworks.Rails`\ :
* :code:`ParamsCall`, now accessed as :code:`Rails::ParamsCall`.
* :code:`CookieCall`, now accessed as :code:`Rails::CookieCall`.
* The following classes have been moved from :code:`codeql.ruby.frameworks.ActionView` to :code:`codeql.ruby.frameworks.Rails`\ :
* :code:`HtmlSafeCall`, now accessed as :code:`Rails::HtmlSafeCall`.
* :code:`HtmlEscapeCall`, now accessed as :code:`Rails::HtmlEscapeCall`.
* :code:`RenderCall`, now accessed as :code:`Rails::RenderCall`.
* :code:`RenderToCall`, now accessed as :code:`Rails::RenderToCall`.
* Subclasses of :code:`ActionController::Metal` are now recognised as controllers.
* :code:`ActionController::DataStreaming::send_file` is now recognized as a
:code:`FileSystemAccess`.
* Various XSS sinks in the ActionView library are now recognized.
* Calls to :code:`ActiveRecord::Base.create` are now recognized as model instantiations.
* Various code executions, command executions and HTTP requests in the ActiveStorage library are now recognized.
* :code:`MethodBase` now has two new predicates related to visibility: :code:`isPublic` and
:code:`isProtected`. These hold, respectively, if the method is public or protected.

175
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.2.rst Normal file
Просмотреть файл

@ -0,0 +1,175 @@
.. _codeql-cli-2.11.2:
==========================
CodeQL 2.11.2 (2022-10-25)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.11.2 runs a total of 357 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 111 queries (covering 31 more CWE). 5 security queries have been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* Bundling and publishing a CodeQL pack will no longer include nested CodeQL packs. If you want to include a nested pack in your published pack,
then you must explicitly include it using the :code:`include` property in the top-level :code:`qlpack.yml` file.
For example, if your package structure looks like this:
.. code-block:: text
qlpack.yml
nested-pack
∟ qlpack.yml
query.ql
then the contents of :code:`nested-pack` will not be included by default within the published package. To include :code:`nested-pack`, add an entry like this to the top level :code:`qlpack.yml` file:
.. code-block:: yaml
include:
- nested-pack/**
Bug Fixes
~~~~~~~~~
* Using the :code:`--codescanning-config=<file>` option in
:code:`codeql database init` will now correctly process the :code:`paths` and
:code:`pathsIgnore` properties of the configuration file in a way that is identical to the behavior of the :code:`codeql-action`. Previously, :code:`paths` or :code:`pathsIgnore` entries that end in :code:`/**` or start with :code:`/` were incorrectly rejected by the CLI.
* Fixed a bug where the :code:`--compilation-cache` option to
:code:`codeql pack publish` and :code:`codeql pack create` was being ignored when creating a query pack. Now, the indicated cache is used when pre-compiling the queries in it.
* Fixed a bug that would make the "Show DIL" command in the VSCode extension display nothing.
Miscellaneous
~~~~~~~~~~~~~
* Emit a detailed warning if package resolution fails, the legacy
:code:`--search-path` option is provided, *and* there is at least one referenced pack that does not use legacy package resolution.
In this case, :code:`--additional-packs` should be used to extend the search to additional directories, instead of :code:`--search-path`.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
Python
""""""
* Fixed how :code:`flask.request` is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as :code:`from flask import request`, will now be shown as the first step in a path explanation.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Unterminated variadic call" (:code:`cpp/unterminated-variadic-call`) query has been tuned to produce fewer false positive results.
* Fixed false positives from the "Unused static function" (:code:`cpp/unused-static-function`) query in files that had errors during compilation.
Golang
""""""
* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
JavaScript/TypeScript
"""""""""""""""""""""
* Removed some false positives from the :code:`js/file-system-race` query by requiring that the file-check dominates the file-access.
* Improved taint tracking through :code:`JSON.stringify` in cases where a tainted value is stored somewhere in the input object.
Python
""""""
* Added model of :code:`cx_Oracle`, :code:`oracledb`, :code:`phonenixdb` and :code:`pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for :code:`py/sql-injection`.
* Added model of :code:`executemany` calls on PEP-249 compliant database APIs, resulting in additional sinks for :code:`py/sql-injection`.
* Added model of :code:`pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for :code:`py/sql-injection`.
* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
Ruby
""""
* HTTP response header and body writes via :code:`ActionDispatch::Response` are now recognized.
* The :code:`rb/path-injection` query now treats the :code:`file:` argument of the Rails :code:`render` method as a sink.
* The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
New Queries
~~~~~~~~~~~
C/C++
"""""
* Added a new medium-precision query, :code:`cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues.
Java
""""
* Added a new query, :code:`java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions.
* A new query "Uncontrolled data used in content resolution" (:code:`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's :code:`ContentResolver` without previous validation or sanitization.
Ruby
""""
* Added a new query, :code:`rb/non-constant-kernel-open`, to detect uses of Kernel.open and related methods with non-constant values.
* Added a new query, :code:`rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP :code:`GET` request.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Added support for common patterns involving :code:`Stream.collect` and common collectors like :code:`Collectors.toList()`.
* The class :code:`TypeVariable` now also extends :code:`Modifiable`.
* Added data flow steps for tainted Android intents that are sent to services and receivers.
* Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered.
Python
""""""
* Fixed labels in the API graph pertaining to definitions of subscripts. Previously, these were found by :code:`getMember` rather than :code:`getASubscript`.
* Added edges for indices of subscripts to the API graph. Now a subscripted API node will have an edge to the API node for the index expression. So if :code:`foo` is matched by API node :code:`A`, then :code:`"key"` in :code:`foo["key"]` will be matched by the API node :code:`A.getIndex()`. This can be used to track the origin of the index.
* Added member predicate :code:`getSubscriptAt(API::Node index)` to :code:`API::Node`. Like :code:`getASubscript()`, this will return an API node that matches a subscript of the node, but here it will be restricted to subscripts where the index matches the :code:`index` parameter.
* Added convenience predicate :code:`getSubscript("key")` to obtain a subscript at a specific index, when the index happens to be a statically known string.
Ruby
""""
* The hashing algorithms from :code:`Digest` and :code:`OpenSSL::Digest` are now recognized and can be flagged by the :code:`rb/weak-cryptographic-algorithm` query.
* More sources of remote input arising from methods on :code:`ActionDispatch::Request` are now recognized.
* The response value returned by the :code:`Faraday#run_request` method is now also considered a source of remote input.
* :code:`ActiveJob::Serializers.deserialize` is considered to be a code execution sink.
* Calls to :code:`params` in :code:`ActionMailer` classes are now treated as sources of remote user input.
* Taint flow through :code:`ActionController::Parameters` is tracked more accurately.
Deprecated APIs
~~~~~~~~~~~~~~~
Java
""""
* Deprecated :code:`ContextStartActivityMethod`. Use :code:`StartActivityMethod` instead.
New Features
~~~~~~~~~~~~
Java
""""
* Added a new predicate, :code:`hasIncompletePermissions`, in the :code:`AndroidProviderXmlElement` class. This predicate detects if a provider element does not provide both read and write permissions.

107
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.3.rst Normal file
Просмотреть файл

@ -0,0 +1,107 @@
.. _codeql-cli-2.11.3:
==========================
CodeQL 2.11.3 (2022-11-11)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.11.3 runs a total of 358 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 111 queries (covering 31 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The :code:`codeql pack ls --format json` deep plumbing command now returns only the :code:`name` and :code:`version` properties for each found pack.
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* :code:`codeql pack download`, :code:`codeql pack install`, and :code:`codeql pack add` will ignore CodeQL packs with pre-release versions, unless the
:code:`--allow-prerelease` option is passed to the command. This brings these commands into alignment with :code:`codeql pack publish` that will avoid publishing CodeQL packs with pre-release versions unless the
:code:`--allow-prerelease` option is specified. Pre-release versions have the following format: :code:`X.Y.Z-qualifier` where :code:`X`, :code:`Y`, and :code:`Z` are respectively the major, minor, and patch number. :code:`qualifier` is the pre-release version. For more information about pre-releases, see the
\ `Semantic Versioning specification <https://semver.org/#spec-item-9>`__.
Deprecations
~~~~~~~~~~~~
* The :code:`--[no-]fast-compilation` option to :code:`codeql query compile` is now deprecated.
New Features
~~~~~~~~~~~~
* :code:`codeql resolve files` and :code:`codeql database index-files` have a new
:code:`--find-any` option, which finds at most one match.
Miscellaneous
~~~~~~~~~~~~~
* The build of Apache Commons Text that is bundled with the CodeQL CLI has been updated to version 1.10.0. While previous releases shipped with version 1.6 of the library, no part of the CodeQL CLI references the :code:`StringSubstitutor` class that the recently disclosed
\ `CVE-2022-42889 <https://github.com/advisories/GHSA-599f-7c49-w659>`__ vulnerability applies to. We therefore do not believe that running previous releases of CodeQL exposes users to this vulnerability.
* The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.5.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Fixed a bug in :code:`cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
Golang
""""""
* Query :code:`go/clear-text-logging` now excludes :code:`GetX` methods of protobuf :code:`Message` structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.
JavaScript/TypeScript
"""""""""""""""""""""
* Added sources for user defined path and query parameters in :code:`Next.js`.
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
Ruby
""""
* The :code:`rb/weak-cryptographic-algorithm` has been updated to no longer report uses of hash functions such as :code:`MD5` and :code:`SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.
New Queries
~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added a new query, :code:`js/second-order-command-line-injection`, to detect shell commands that may execute arbitrary code when the user has control over
the arguments to a command-line program.
This currently flags up unsafe invocations of git and hg.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Fixed bugs in the :code:`FormatLiteral` class that were causing :code:`getMaxConvertedLength` and related predicates to return no results when the format literal was :code:`%e`, :code:`%f` or :code:`%g` and an explicit precision was specified.
Ruby
""""
* There was a bug in :code:`TaintTracking::localTaint` and :code:`TaintTracking::localTaintStep` such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.
* Instantiations using :code:`Faraday::Connection.new` are now recognized as part of :code:`FaradayHttpRequest`\ s, meaning they will be considered as sinks for queries such as :code:`rb/request-forgery`.
* Taint flow is now tracked through extension methods on :code:`Hash`, :code:`String` and
:code:`Object` provided by :code:`ActiveSupport`.

147
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.4.rst Normal file
Просмотреть файл

@ -0,0 +1,147 @@
.. _codeql-cli-2.11.4:
==========================
CodeQL 2.11.4 (2022-11-24)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.11.4 runs a total of 361 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 112 queries (covering 32 more CWE). 4 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* CodeQL 2.11.1 to 2.11.3 contained a bug in `indirect build tracing <https://codeql.github.com/docs/codeql-cli/creating-codeql-databases/#using-indirect-build-tracing>`__ on Windows when using :code:`codeql database init` with the |link-code-trace-process-level-1|_ flag.
In these versions, when :code:`--trace-process-level` was set to a value greater than zero,
(or left at the default value of 1), CodeQL attempted to inject its build tracer at a higher level in the process tree than the requested process level.
This could lead to errors of the form "No source code found" or
"Process tree ended before reaching required level".
From 2.11.4 onwards, the CodeQL build tracer is injected at the requested process level.
Deprecations
~~~~~~~~~~~~
* The :code:`--[no-]fast-compilation` option to :code:`codeql test run` is now deprecated.
New Features
~~~~~~~~~~~~
* Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting :code:`CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to :code:`true` in the environment.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed a bug that would cause the extractor to crash when an :code:`import` type is used in the :code:`extends` clause of an :code:`interface`.
* Fixed an issue with multi-line strings in YAML files being associated with an invalid location,
causing alerts related to such strings to appear at the top of the YAML file.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for :code:`@hapi/glue` and Hapi plugins to the :code:`frameworks/Hapi.qll` library.
Ruby
""""
* The :code:`rb/sql-injection` query now considers consider SQL constructions, such as calls to :code:`Arel.sql`, as sinks.
New Queries
~~~~~~~~~~~
Java
""""
* The query :code:`java/insufficient-key-size` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/4926>`__.
* Added a new query, :code:`java/android/sensitive-keyboard-cache`, to detect instances of sensitive information possibly being saved to the Android keyboard cache.
Ruby
""""
* Added a new query, :code:`rb/shell-command-constructed-from-input`, to detect libraries that unsafely construct shell commands from their inputs.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 4.9.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The :code:`[Summary|Sink|Source]ModelCsv` classes have been deprecated and Models as Data models are defined as data extensions instead.
Java
""""
* The ReDoS libraries in :code:`semmle.code.java.security.regexp` has been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
* Added data flow summaries for tainted Android intents sent to activities via :code:`Activity.startActivities`.
Python
""""""
* The ReDoS libraries in :code:`semmle.code.python.security.regexp` have been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
Ruby
""""
* Data flow through the :code:`ActiveSupport` extension :code:`Enumerable#index_by` is now modeled.
* The :code:`codeql.ruby.Concepts` library now has a :code:`SqlConstruction` class, in addition to the existing :code:`SqlExecution` class.
* Calls to :code:`Arel.sql` are now modeled as instances of the new :code:`SqlConstruction` concept.
* Arguments to RPC endpoints (public methods) on subclasses of :code:`ActionCable::Channel::Base` are now recognized as sources of remote user input.
* Taint flow through the :code:`ActiveSupport` extensions :code:`Hash#reverse_merge` and :code:`Hash:reverse_merge!`, and their aliases, is now modeled more generally, where previously it was only modeled in the context of :code:`ActionController` parameters.
* Calls to :code:`logger` in :code:`ActiveSupport` actions are now recognised as logger instances.
* Calls to :code:`send_data` in :code:`ActiveSupport` actions are recognised as HTTP responses.
* Calls to :code:`body_stream` in :code:`ActiveSupport` actions are recognised as HTTP request accesses.
* The :code:`ActiveSupport` extensions :code:`Object#try` and :code:`Object#try!` are now recognised as code executions.
New Features
~~~~~~~~~~~~
Java
""""
* Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting :code:`CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to :code:`true` in the environment.
* The new :code:`string Compilation.getInfo(string)` predicate provides access to some information about compilations.
Shared Libraries
----------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Regular Expression Analysis
"""""""""""""""""""""""""""
* Initial release. Extracted common regex related code, including the ReDoS analysis, into a library pack to share code between languages.
.. |link-code-trace-process-level-1| replace:: :code:`--trace-process-level`\
.. _link-code-trace-process-level-1: https://codeql.github.com/docs/codeql-cli/manual/database-init/#cmdoption-codeql-database-init-trace-process-level

20
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.5.rst Normal file
Просмотреть файл

@ -0,0 +1,20 @@
.. _codeql-cli-2.11.5:
==========================
CodeQL 2.11.5 (2022-12-07)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug that could cause log summary generation to fail in vscode.

39
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.6.rst Normal file
Просмотреть файл

@ -0,0 +1,39 @@
.. _codeql-cli-2.11.6:
==========================
CodeQL 2.11.6 (2022-12-13)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* Java and Kotlin analyses in this release of the CLI and all earlier releases are incompatible with Kotlin 1.7.30 and later. To prevent code scanning alerts being spuriously dismissed, Java and Kotlin analyses will now fail when using Kotlin 1.7.30 or later.
If you are unable to use Kotlin 1.7.29 or earlier, you can disable Kotlin support by setting
:code:`CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to :code:`true` in the environment.
Bug Fixes
~~~~~~~~~
* Fixed a bug where it was not possible to run queries in CodeQL query packs for C# that use the legacy :code:`libraryPathDependencies` property in their :code:`qlpack.yml` file. The associated error message complained about undefined extensional predicates.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Kotlin extraction will now fail if the Kotlin version in use is at least 1.7.30. This is to ensure using an as-yet-unsupported version is noticable, rather than silently failing to extract Kotlin code and therefore producing false-negative results.

325
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.0.rst Normal file
Просмотреть файл

@ -0,0 +1,325 @@
.. _codeql-cli-2.12.0:
==========================
CodeQL 2.12.0 (2023-01-10)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.12.0 runs a total of 365 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 116 queries (covering 32 more CWE). 8 security queries have been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The :code:`--[no-]count-lines` option to :code:`codeql database create` and related commands that was deprecated in 2.11.1 has been removed. Users of this option should instead pass
:code:`--[no-]calculate-baseline`.
Bug Fixes
~~~~~~~~~
* Fixed a bug where the :code:`codeql pack install` command would fail if a `CodeQL configuration file <https://codeql.github.com/docs/codeql-cli/specifying-command-options-in-a-codeql-configuration-file/#using-a-codeql-configuration-file>`__ is used and the :code:`--additional-packs` option is specified.
New Features
~~~~~~~~~~~~
* Query packs created by :code:`codeql pack create`, :code:`codeql pack bundle`, and :code:`codeql pack release` now contain precompiled queries in a new format that aims to be compatible with future (and, to a certain extent, past) releases of the CodeQL CLI. Previously the precompiled queries were in a format specific to each CLI release, and all other releases would need to re-compile queries.
Published packs contain precompiled queries in files with a :code:`.qlx` extension located next to each query's :code:`.ql` source file. In case of differences between the :code:`.ql` and :code:`.qlx` files, the :code:`.qlx` file takes priority when evaluating queries from the command line, so if you need to modify a published pack, be sure to delete the :code:`.qlx` files first.
A new :code:`--precompile` flag to :code:`codeql query compile` can be used to construct :code:`*.qlx` file explicitly, but in all usual cases it should be enough to rely on :code:`codeql pack create` doing the right thing.
* The :code:`codeql database init` command now accepts a PAT that allows you to download queries from external, private repositories when using the :code:`--codescanning-config <config-file>` option. For example, you can specify the following queries block in the config file, which will checkout the main branch of the :code:`codeql-test/my-private-repository` repository and evaluate any queries found in that repository:
.. code-block:: yaml
queries:
- codeql-test/my-private-repository@main
If the repository is private, you can add a :code:`--external-repository-token-stdin` option and supply a PAT with appropriate permissions via standard input. For more information on queries and external repositories in Code Scanning, see `Using queries in QL packs <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs>`__.
* The baseline information produced by :code:`codeql database init` and
:code:`codeql database create` now accounts for
|link-code-paths-and-code-paths-ignore-configuration-1|_.
* In the VS Code extension, recursive calls will be marked with inlay hints. These can be disabled with the global inlay hints setting
(:code:`editor.inlayHints.enabled`). If you just want to disable them for
codeql the settings can be scoped to just codeql files (language id is :code:`ql`).
See `Language Specific Editor Settings <https://code.visualstudio.com/docs/getstarted/settings#_language-specific-editor-settings>`__ in the VS Code documentation for more information.
* The CLI now gives a more helpful error message when asked to run queries on a database that has not been finalized.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
C#
""
* Fixes a bug where the Owin.qll framework library will look for "URI" instead of "Uri" in the OwinRequest class.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
* The :code:`cpp/missing-check-scanf` query no longer reports the free'ing of :code:`scanf` output variables as potential reads.
C#
""
* The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
* The extensible predicates for Models as Data have been renamed (the :code:`ext` prefix has been removed). As an example, :code:`extSummaryModel` has been renamed to :code:`summaryModel`.
Golang
""""""
* The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
Java
""""
* The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
* The extensible predicates for Models as Data have been renamed (the :code:`ext` prefix has been removed). As an example, :code:`extSummaryModel` has been renamed to :code:`summaryModel`.
* The query :code:`java/misnamed-type` is now enabled for Kotlin.
* The query :code:`java/non-serializable-field` is now enabled for Kotlin.
* Fixed an issue in the query :code:`java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.
* The query :code:`java/maven/non-https-url` no longer alerts about disabled repositories.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
Python
""""""
* The :code:`analysis/AlertSuppression.ql` query has moved to the root folder. Users that refer to this query by path should update their configurations. The query has been updated to support the new :code:`# codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`# lgtm` and :code:`# lgtm[query-id]` comments can now also be placed on the line before an alert.
* Bumped the minimum keysize we consider secure for elliptic curve cryptography from 224 to 256 bits, following current best practices. This might effect results from the *Use of weak cryptographic key* (:code:`py/weak-crypto-key`) query.
* Added modeling of :code:`getpass.getpass` as a source of passwords, which will be an additional source for :code:`py/clear-text-logging-sensitive-data`, :code:`py/clear-text-storage-sensitive-data`, and :code:`py/weak-sensitive-data-hashing`.
Ruby
""""
* The :code:`AlertSuppression.ql` query has been updated to support the new :code:`# codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`# lgtm` and :code:`# lgtm[query-id]` comments can now also be placed on the line before an alert.
* Extended the :code:`rb/kernel-open` query with following sinks: :code:`IO.write`, :code:`IO.binread`, :code:`IO.binwrite`, :code:`IO.foreach`, :code:`IO.readlines`, and :code:`URI.open`.
New Queries
~~~~~~~~~~~
C#
""
* Added a new query, :code:`csharp/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
Java
""""
* Added a new query, :code:`java/summary/generated-vs-manual-coverage`, to expose metrics for the number of API endpoints covered by generated versus manual MaD models.
* Added a new query, :code:`java/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
* Added a new query, :code:`java/android/missing-certificate-pinning`, to find network calls where certificate pinning is not implemented.
* Added a new query, :code:`java/android-webview-addjavascriptinterface`, to detect the use of :code:`addJavascriptInterface`, which can lead to cross-site scripting.
* Added a new query, :code:`java/android-websettings-file-access`, to detect configurations that enable file system access in Android WebViews.
* Added a new query, :code:`java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.
* The query :code:`java/regex-injection` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @edvraa <https://github.com/github/codeql/pull/5704>`__.
Ruby
""""
* Added a new query, :code:`rb/stack-trace-exposure`, to detect exposure of stack-traces to users via HTTP responses.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Golang
""""""
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Java
""""
* We now correctly handle empty block comments, like :code:`/**/`. Previously these could be mistaken for Javadoc comments and led to attribution of Javadoc tags to the wrong declaration.
Python
""""""
* :code:`except*` is now supported.
* The result of :code:`Try.getAHandler` and :code:`Try.getHandler(<index>)` is no longer of type :code:`ExceptStmt`, as handlers may also be :code:`ExceptGroupStmt`\ s (After Python 3.11 introduced PEP 654). Instead, it is of the new type :code:`ExceptionHandler` of which :code:`ExceptStmt` and :code:`ExceptGroupStmt` are subtypes. To support selecting only one type of handler, :code:`Try.getANormalHandler` and :code:`Try.getAGroupHandler` have been added. Existing uses of :code:`Try.getAHandler` for which it is important to select only normal handlers, will need to be updated to :code:`Try.getANormalHandler`.
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The predicates in the :code:`MustFlow::Configuration` class used by the :code:`MustFlow` library (:code:`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
Golang
""""""
* The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* The *PAM authorization bypass due to incorrect usage* (:code:`py/pam-auth-bypass`) query has been converted to a taint-tracking query, resulting in significantly fewer false positives.
Ruby
""""
* Flow through :code:`initialize` constructors is now taken into account. For example, in
.. code-block:: rb
class C
def initialize(x)
@field = x
end
end
C.new(y)
there will be flow from :code:`y` to the field :code:`@field` on the constructed :code:`C` object.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`ArgvSource` flow source now uses the second parameter of :code:`main` as its source instead of the uses of this parameter.
* The :code:`ArgvSource` flow source has been generalized to handle cases where the argument vector of :code:`main` is not named :code:`argv`.
* The :code:`getaddrinfo` function is now recognized as a flow source.
* The :code:`secure_getenv` and :code:`_wgetenv` functions are now recognized as local flow sources.
* The :code:`scanf` and :code:`fscanf` functions and their variants are now recognized as flow sources.
* Deleted the deprecated :code:`getName` and :code:`getShortName` predicates from the :code:`Folder` class.
C#
""
* C# 11: Added support for list- and slice patterns in the extractor.
* Deleted the deprecated :code:`getNameWithoutBrackets` predicate from the :code:`ValueOrRefType` class in :code:`Type.qll`.
* :code:`Element::hasQualifiedName/1` has been deprecated. Use :code:`hasQualifiedName/2` or :code:`hasQualifiedName/3` instead.
* Added TCP/UDP sockets as taint sources.
Golang
""""""
* The predicate :code:`getNumParameter` on :code:`FuncTypeExpr` has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. :code:`getNumParameterDecl` has been introduced to preserve this functionality.
* The definition of :code:`mayHaveSideEffects` for :code:`ReturnStmt` was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstances :code:`globalValueNumber` may have incorrectly treated two values as the same when they were in fact distinct.
* Queries that care about SQL, such as :code:`go/sql-injection`, now recognise SQL-consuming functions belonging to the :code:`gorqlite` and :code:`GoFrame` packages.
* :code:`rsync` has been added to the list of commands which may evaluate its parameters as a shell command.
Java
""""
* Added more dataflow models for frequently-used JDK APIs.
* The extraction of Kotlin extension methods has been improved when default parameter values are present. The dispatch and extension receiver parameters are extracted in the correct order. The :code:`ExtensionMethod::getExtensionReceiverParameterIndex` predicate has been introduced to facilitate getting the correct extension parameter index.
* The query :code:`java/insecure-cookie` now uses global dataflow to track secure cookies being set to the HTTP response object.
* The library :code:`PathSanitizer.qll` has been improved to detect more path validation patterns in Kotlin.
* Models as Data models for Java are defined as data extensions instead of being inlined in the code. New models should be added in the :code:`lib/ext` folder.
* Added a taint model for the method :code:`java.nio.file.Path.getParent`.
* Fixed a problem in the taint model for the method :code:`java.nio.file.Paths.get`.
* Deleted the deprecated :code:`LocalClassDeclStmtNode` and :code:`LocalClassDeclStmt` classes from :code:`PrintAst.qll` and :code:`Statement.qll` respectively.
* Deleted the deprecated :code:`getLocalClass` predicate from :code:`LocalTypeDeclStmt`, and the deprecated :code:`getLocalClassDeclStmt` predicate from :code:`LocalClassOrInterface`.
* Added support for Android Manifest :code:`<activity-aliases>` elements in data flow sources.
JavaScript/TypeScript
"""""""""""""""""""""
* Deleted the deprecated :code:`Instance` class from the :code:`Vue` module.
* Deleted the deprecated :code:`VHtmlSourceWrite` class from :code:`DomBasedXssQuery.qll`.
* Deleted all the deprecated :code:`[QueryName].qll` files from the :code:`javascript/ql/lib/semmle/javascript/security/dataflow` folder, use the corresponding :code:`[QueryName]Query.qll` files instead.
* The ReDoS libraries in :code:`semmle.code.javascript.security.regexp` has been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
Python
""""""
* Added :code:`subprocess.getoutput` and :code:`subprocess.getoutputstatus` as new command injection sinks for the StdLib.
* The data-flow library has been rewritten to no longer rely on the points-to analysis in order to resolve references to modules. Improvements in the module resolution can lead to more results.
* Deleted the deprecated :code:`importNode` predicate from the :code:`DataFlowUtil.qll` file.
* Deleted the deprecated features from :code:`PEP249.qll` that were not inside the :code:`PEP249` module.
* Deleted the deprecated :code:`werkzeug` from the :code:`Werkzeug` module in :code:`Werkzeug.qll`.
* Deleted the deprecated :code:`methodResult` predicate from :code:`PEP249::Cursor`.
Ruby
""""
* Calls to :code:`Kernel.load`, :code:`Kernel.require`, :code:`Kernel.autoload` are now modeled as sinks for path injection.
* Calls to :code:`mail` and :code:`inbound_mail` in :code:`ActionMailbox` controllers are now considered sources of remote input.
* Calls to :code:`GlobalID::Locator.locate` and its variants are now recognized as instances of :code:`OrmInstantiation`.
* Data flow through the :code:`ActiveSupport` extensions :code:`Enumerable#index_with`, :code:`Enumerable#pick`, :code:`Enumerable#pluck` and :code:`Enumerable#sole` are now modeled.
* When resolving a method call, the analysis now also searches in sub-classes of the receiver's type.
* Taint flow is now tracked through many common JSON parsing and generation methods.
* The ReDoS libraries in :code:`codeql.ruby.security.regexp` has been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
* String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* Deprecated :code:`semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use :code:`semmle.code.cpp.ir.dataflow.TaintTracking`.
* Deprecated :code:`semmle.code.cpp.security.TaintTrackingImpl`. Use :code:`semmle.code.cpp.ir.dataflow.TaintTracking`.
* Deprecated :code:`semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use :code:`semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
Golang
""""""
* The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
New Features
~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Improved support for `Restify <http://restify.com/>`__ framework, leading to more results when scanning applications developed with this framework.
* Added support for the `Spife <https://github.com/npm/spife>`__ framework.
Shared Libraries
----------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Type Trackers
"""""""""""""
* Initial release. Includes a parameterized module implementing type-trackers.
QL Detective Tutorial
"""""""""""""""""""""
* Initial release. Contains the library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries.
Utility Classes
"""""""""""""""
* Initial release. Includes common utility classes and modules: Unit, Boolean, and Option.
.. |link-code-paths-and-code-paths-ignore-configuration-1| replace:: :code:`paths` and :code:`paths-ignore` configuration
.. _link-code-paths-and-code-paths-ignore-configuration-1: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#specifying-directories-to-scan

99
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.1.rst Normal file
Просмотреть файл

@ -0,0 +1,99 @@
.. _codeql-cli-2.12.1:
==========================
CodeQL 2.12.1 (2023-01-23)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.12.1 runs a total of 384 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 120 queries (covering 31 more CWE). 23 security queries have been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* Added a new command-line flag :code:`--expect-discarded-cache`, which gives a hint to the evaluator that the evaluation cache will be discarded after analysis completes. This allows it to avoid some unnecessary writes to the cache, for predicates that aren't needed by the query/suite being evaluated.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/no-space-for-terminator` and :code:`cpp/uncontrolled-allocation-size` queries have been enhanced with heuristic detection of allocations. These queries now find more results.
Golang
""""""
* Replacing "\r" or "\n" using the functions :code:`strings.ReplaceAll`, :code:`strings.Replace`, :code:`strings.Replacer.Replace` and :code:`strings.Replacer.WriteString` has been added as a sanitizer for the queries "Log entries created from user input".
* The functions :code:`strings.Replacer.Replace` and :code:`strings.Replacer.WriteString` have been added as sanitizers for the query "Potentially unsafe quoting".
Java
""""
* The name, description and alert message for the query :code:`java/concatenated-sql-query` have been altered to emphasize that the query flags the use of string concatenation to construct SQL queries, not the lack of appropriate escaping. The query's files have been renamed from :code:`SqlUnescaped.ql` and :code:`SqlUnescapedLib.qll` to :code:`SqlConcatenated.ql` and :code:`SqlConcatenatedLib.qll` respectively; in the unlikely event your custom configuration or queries refer to either of these files by name, those references will need to be adjusted. The query id remains :code:`java/concatenated-sql-query`, so alerts should not be re-raised as a result of this change.
Ruby
""""
* The :code:`rb/unsafe-deserialization` query now recognizes input from STDIN as a source.
New Queries
~~~~~~~~~~~
Java
""""
* Added a new query :code:`java/android/websettings-allow-content-access` to detect Android WebViews which do not disable access to :code:`content://` urls.
Ruby
""""
* Added a new query, :code:`rb/unsafe-code-construction`, to detect libraries that unsafely construct code from their inputs.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Added library support for generic attributes (also for CIL extracted attributes).
* :code:`cil.ConstructedType::getName` was changed to include printing of the type arguments.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Attributes on methods in CIL are now extracted (Bugfix).
* Support for :code:`static virtual` and :code:`static abstract` interface members.
* Support for *operators* in interface definitions.
* C# 11: Added support for the unsigned right shift :code:`>>>` and unsigned right shift assignment :code:`>>>=` operators.
* Query id's have been aligned such that they are prefixed with :code:`cs` instead of :code:`csharp`.
Java
""""
* Added sink models for the constructors of :code:`org.springframework.jdbc.object.MappingSqlQuery` and :code:`org.springframework.jdbc.object.MappingSqlQueryWithParameters`.
* Added more dataflow models for frequently-used JDK APIs.
* Removed summary model for :code:`java.lang.String#endsWith(String)` and added neutral model for this API.
* Added additional taint step for :code:`java.lang.String#endsWith(String)` to :code:`ConditionalBypassFlowConfig`.
* Added :code:`AllowContentAccessMethod` to represent the :code:`setAllowContentAccess` method of the :code:`android.webkit.WebSettings` class.
* Added an external flow source for the parameters of methods annotated with :code:`android.webkit.JavascriptInterface`.

92
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.2.rst Normal file
Просмотреть файл

@ -0,0 +1,92 @@
.. _codeql-cli-2.12.2:
==========================
CodeQL 2.12.2 (2023-02-07)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.12.2 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 121 queries (covering 31 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a QL evaluator bug introduced in release 2.12.1 which could in certain rare cases lead to wrong analysis results.
* Fixed handling of :code:`-Xclang <arg>` arguments passed to the :code:`clang` compiler which could cause missing extractions for C++ code bases.
* Fixed a bug where the :code:`--overwrite` option was failing for database clusters.
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.6.
Query Packs
-----------
New Queries
~~~~~~~~~~~
Java
""""
* Added a new query, :code:`java/android/sensitive-result-receiver`, to find instances of sensitive data being leaked to an untrusted :code:`ResultReceiver`.
Ruby
""""
* Added a new query, :code:`rb/html-constructed-from-input`, to detect libraries that unsafely construct HTML from their inputs.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Add extractor and library support for UTF-8 encoded strings.
* The :code:`StringLiteral` class includes UTF-8 encoded strings.
* In the DB Scheme :code:`@string_literal_expr` is renamed to :code:`@utf16_string_literal_expr`.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* C# 11: Added extractor support for :code:`ref` fields in :code:`ref struct` declarations.
Java
""""
* Added sink models for the :code:`createQuery`, :code:`createNativeQuery`, and :code:`createSQLQuery` methods of the :code:`org.hibernate.query.QueryProducer` interface.
JavaScript/TypeScript
"""""""""""""""""""""
* Added sinks from the |link-code-node-pty-1|_ library to the :code:`js/code-injection` query.
Ruby
""""
* Data flowing from the :code:`locals` argument of a Rails :code:`render` call is now tracked to uses of that data in an associated view.
* Access to headers stored in the :code:`env` of Rack requests is now recognized as a source of remote input.
* Ruby 3.2: anonymous rest and keyword rest arguments can now be passed as arguments, instead of just used in method parameters.
.. |link-code-node-pty-1| replace:: :code:`node-pty`\
.. _link-code-node-pty-1: https://www.npmjs.com/package/node-pty

132
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.3.rst Normal file
Просмотреть файл

@ -0,0 +1,132 @@
.. _codeql-cli-2.12.3:
==========================
CodeQL 2.12.3 (2023-02-23)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.12.3 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 122 queries (covering 31 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug where the CLI would refuse to complete database creation if the OS reports less than about 1.5 GB of physical memory. Now an attempt will be made even on low-memory systems (but it might still run out of memory unless there's swap space available).
New Features
~~~~~~~~~~~~
* The CodeQL compiler now produces better error messages when it is unable to find a QL library that the query being evaluated depends on.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The :code:`java/index-out-of-bounds` query has improved its handling of arrays of constant length, and may report additional results in those cases.
Ruby
""""
* The :code:`rb/polynomial-redos` query now considers the entrypoints of the API of a gem as sources.
New Queries
~~~~~~~~~~~
Golang
""""""
* Added a new query, :code:`go/unhandled-writable-file-close`, to detect instances where writable file handles are closed without appropriate checks for errors.
Java
""""
* Added a new query, :code:`java/xxe-local`, which is a version of the XXE query that uses local sources (for example, reads from a local file).
Ruby
""""
* Added a new query, :code:`rb/regex/badly-anchored-regexp`, to detect regular expression validators that use :code:`^` and :code:`$` as anchors and therefore might match only a single line of a multi-line string.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* The precision of the :code:`go/log-injection` query was decreased from :code:`high` to :code:`medium`, since it may not be able to identify every way in which log data may be sanitized. This also aligns it with the precision of comparable queries for other languages.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
Python
""""""
* Python 2 is no longer supported for extracting databases using the CodeQL CLI. As a consequence,
the previously deprecated support for :code:`pyxl` and :code:`spitfire` templates has also been removed. When extracting Python 2 code, having Python 2 installed is still recommended, as this ensures the correct version of the Python standard library is extracted.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* C# 11: Added extractor support for the :code:`scoped` modifier annotation on parameters and local variables.
Golang
""""""
* Support for the Twirp framework has been added.
Java
""""
* Removed the first argument of :code:`java.nio.file.Files#createTempDirectory(String,FileAttribute[])` as a "create-file" sink.
* Added the first argument of :code:`java.nio.file.Files#copy` as a "read-file" sink for the :code:`java/path-injection` query.
* The data flow library now disregards flow through code that is dead based on some basic constant propagation, for example, guards like :code:`if (1+1>3)`.
JavaScript/TypeScript
"""""""""""""""""""""
* Added dataflow sources for the `express-ws <https://www.npmjs.com/package/express-ws>`__ library.
Python
""""""
* Fixed module resolution so we properly recognize that in :code:`from <pkg> import *`, where :code:`<pkg>` is a package, the actual imports are made from the :code:`<pkg>/__init__.py` file.
Ruby
""""
* Ruby 3.1: one-line pattern matches are now supported. The AST nodes are named :code:`TestPattern` (:code:`expr in pattern`) and :code:`MatchPattern` (:code:`expr => pattern`).
New Features
~~~~~~~~~~~~
Golang
""""""
* Go 1.20 is now supported. The extractor now functions as expected when Go 1.20 is installed; the definition of :code:`implementsComparable` has been updated according to Go 1.20's new, more-liberal rules; and taint flow models have been added for relevant, new standard-library functions.
Java
""""
* Kotlin versions up to 1.8.20 are now supported.

115
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.4.rst Normal file
Просмотреть файл

@ -0,0 +1,115 @@
.. _codeql-cli-2.12.4:
==========================
CodeQL 2.12.4 (2023-03-09)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The default value of the :code:`--mode` switch to :code:`codeql pack install` has changed. The default is now :code:`--mode minimal-update`.
Previously, it was :code:`use-lock`.
Deprecations
~~~~~~~~~~~~
* The :code:`--freeze` switch for :code:`codeql pack create`, :code:`codeql pack bundle`, and :code:`codeql pack publish` is now deprecated and ignored, as there is no longer a cache within a pack.
* The :code:`--mode update` switch to :code:`codeql pack resolve-dependencies` is now deprecated. Instead, use the new :code:`--mode upgrade` switch, which has identical behavior.
* The :code:`--mode` switch to :code:`codeql pack install` is now deprecated.
* Instead of :code:`--mode update`, use :code:`codeql pack upgrade`.
* Instead of :code:`--mode verify`, use :code:`codeql pack ci`.
New Features
~~~~~~~~~~~~
* The per-pack compilation cache has been replaced with a global compilation cache found within :code:`~/.codeql`.
* :code:`codeql pack install` now uses a new algorithm to determine which versions of the pack's dependencies to use, based on the `PubGrub <https://nex3.medium.com/pubgrub-2fb6470504f>`__ algorithm. The new algorithm is able to find a solution for many cases that the previous algorithm would fail to solve. When the new algorithm is unable to find a valid solution, it generates a detailed error message explaining why there is no valid solution.
* Added a new command, :code:`codeql pack upgrade`. This command is similar to :code:`codeql pack install`,
except that it ignores any existing lock file, installs the latest compatible version of each dependency, and writes a new lock file. This is equivalent to :code:`codeql pack install --mode update`.
Note that the :code:`--mode` switch to :code:`codeql pack install` is now deprecated.
* Added a new command, :code:`codeql pack ci`. This command is similar to :code:`codeql pack install`,
except if the existing lock file is missing, or if it conflicts with the version constraints in the :code:`qlpack.yml` file, the command generates an error. This is equivalent to
:code:`codeql pack install --mode verify`. Note that the :code:`--mode` switch to :code:`codeql pack install` is now deprecated.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* The query :code:`go/incorrect-integer-conversion` now correctly recognizes guards of the form :code:`if val <= x` to protect a conversion :code:`uintX(val)` when :code:`x` is in the range :code:`(math.MaxIntX, math.MaxUintX]`.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/regex-injection` query now recognizes environment variables and command-line arguments as sources.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`CryptographicOperation` concept has been changed to use a range pattern. This is a breaking change and existing implementations of :code:`CryptographicOperation` will need to be updated in order to compile. These implementations can be updated by:
#. Extending :code:`CryptographicOperation::Range` rather than :code:`CryptographicOperation`
#. Renaming the :code:`getInput()` member predicate as :code:`getAnInput()`
#. Implementing the :code:`BlockMode getBlockMode()` member predicate. The implementation for this can be :code:`none()` if the operation is a hashing operation or an encryption operation using a stream cipher.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* We use a new analysis for the call-graph (determining which function is called). This can lead to changed results. In most cases this is much more accurate than the old call-graph that was based on points-to, but we do lose a few valid edges in the call-graph, especially around methods that are not defined inside its class.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The query :code:`cs/static-field-written-by-instance` is updated to handle properties.
* C# 11: Support for explicit interface member implementation of operators.
* The extraction of member modifiers has been generalized, which could lead to the extraction of more modifiers.
* C# 11: Added extractor and library support for :code:`file` scoped types.
* C# 11: Added extractor support for :code:`required` fields and properties.
* C# 11: Added library support for :code:`checked` operators.
Java
""""
* Added new sinks for :code:`java/hardcoded-credential-api-call` to identify the use of hardcoded secrets in the creation and verification of JWT tokens using :code:`com.auth0.jwt`. These sinks are from `an experimental query submitted by @luchua <https://github.com/github/codeql/pull/9036>`__.
* The Java extractor now supports builds against JDK 20.
* The query :code:`java/hardcoded-credential-api-call` now recognizes methods that accept user and password from the SQLServerDataSource class of the Microsoft JDBC Driver for SQL Server.
Python
""""""
* Fixed module resolution so we properly recognize definitions made within if-then-else statements.
* Added modeling of cryptographic operations in the :code:`hmac` library.
Ruby
""""
* Flow is now tracked between ActionController :code:`before_filter` and :code:`after_filter` callbacks and their associated action methods.
* Calls to :code:`ApplicationController#render` and :code:`ApplicationController::Renderer#render` are recognized as Rails rendering calls.
* Support for `Twirp framework <https://twitchtv.github.io/twirp/docs/intro.html>`__.

238
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.5.rst Normal file
Просмотреть файл

@ -0,0 +1,238 @@
.. _codeql-cli-2.12.5:
==========================
CodeQL 2.12.5 (2023-03-21)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.12.5 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 124 queries (covering 31 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fix a bug in :code:`codeql query run` where queries whose path contain colons cannot be run.
New Features
~~~~~~~~~~~~
* The :code:`codeql pack install` command now accepts a :code:`--additional-packs` option. This option takes a list of directories to search for locally available packs when resolving which packs to install. Any pack that is found locally through :code:`--additional-packs` will override any other version of a pack found in the package registry.
Locally resolved packs are not added to the lock file.
Because the use of :code:`--additional-packs` when running
:code:`codeql pack install` makes running queries dependent on the local state of the machine initially invoking :code:`codeql pack install`, a warning is emitted if any pack is found outside of the package registry. This warning can be suppressed by using the
:code:`--no-strict-mode` option.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The following queries now recognize HTML sanitizers as propagating taint: :code:`js/sql-injection`,
:code:`js/path-injection`, :code:`js/server-side-unvalidated-url-redirection`, :code:`js/client-side-unvalidated-url-redirection`,
and :code:`js/request-forgery`.
Deprecated Queries
~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`NetworkToBufferSizeConfiguration` and :code:`UntrustedDataToExternalApiConfig` dataflow configurations have been deprecated. Please use :code:`NetworkToBufferSizeFlow` and :code:`UntrustedDataToExternalApiFlow`.
* The :code:`LeapYearCheckConfiguration`, :code:`FiletimeYearArithmeticOperationCheckConfiguration`, and :code:`PossibleYearArithmeticOperationCheckConfiguration` dataflow configurations have been deprecated. Please use :code:`LeapYearCheckFlow`, :code:`FiletimeYearArithmeticOperationCheckFlow` and :code:`PossibleYearArithmeticOperationCheckFlow`.
New Queries
~~~~~~~~~~~
Java
""""
* Added a new query, :code:`java/android/arbitrary-apk-installation`, to detect installation of APKs from untrusted sources.
Python
""""""
* Added a new query, :code:`py/shell-command-constructed-from-input`, to detect libraries that unsafely construct shell commands from their inputs.
Ruby
""""
* Added a new query, :code:`rb/zip-slip`, to detect arbitrary file writes during extraction of zip/tar archives.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`semmle.code.cpp.commons.Buffer` and :code:`semmle.code.cpp.commons.NullTermination` libraries no longer expose :code:`semmle.code.cpp.dataflow.DataFlow`. Please import :code:`semmle.code.cpp.dataflow.DataFlow` directly.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* A new C/C++ dataflow library (:code:`semmle.code.cpp.dataflow.new.DataFlow`) has been added.
The new library behaves much more like the dataflow library of other CodeQL supported languages by following use-use dataflow paths instead of def-use dataflow paths.
The new library also better supports dataflow through indirections, and new predicates such as :code:`Node::asIndirectExpr` have been added to facilitate working with indirections.
The :code:`semmle.code.cpp.ir.dataflow.DataFlow` library is now identical to the new
:code:`semmle.code.cpp.dataflow.new.DataFlow` library.
* The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
C#
""
* The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
Golang
""""""
* The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
Java
""""
* Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom :code:`List.contains` implementations when the best inferrable type at the call site is simply :code:`List`.
* Added more sink and summary dataflow models for the following packages:
* :code:`java.io`
* :code:`java.lang`
* :code:`java.sql`
* :code:`javafx.scene.web`
* :code:`org.apache.commons.compress.archivers.tar`
* :code:`org.apache.http.client.utils`
* :code:`org.codehaus.cargo.container.installer`
* The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
Python
""""""
* The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
Ruby
""""
* The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Deleted the deprecated :code:`hasGeneratedCopyConstructor` and :code:`hasGeneratedCopyAssignmentOperator` predicates from the :code:`Folder` class.
* Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
* Deleted the deprecated :code:`getMustlockFunction`, :code:`getTrylockFunction`, :code:`getLockFunction`, and :code:`getUnlockFunction` predicates from the :code:`MutexType` class.
* Deleted the deprecated :code:`getPosInBasicBlock` predicate from the :code:`SubBasicBlock` class.
* Deleted the deprecated :code:`getExpr` predicate from the :code:`PointerDereferenceExpr` class.
* Deleted the deprecated :code:`getUseInstruction` and :code:`getDefinitionInstruction` predicates from the :code:`Operand` class.
* Deleted the deprecated :code:`isInParameter`, :code:`isInParameterPointer`, and :code:`isInQualifier` predicates from the :code:`FunctionInput` class.
* Deleted the deprecated :code:`isOutParameterPointer`, :code:`isOutQualifier`, :code:`isOutReturnValue`, and :code:`isOutReturnPointer` predicate from the :code:`FunctionOutput` class.
* Deleted the deprecated 3-argument :code:`isGuardPhi` predicate from the :code:`RangeSsaDefinition` class.
C#
""
* Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
* Deleted the deprecated :code:`getAssertionIndex`, and :code:`getAssertedParameter` predicates from the :code:`AssertMethod` class.
* Deleted the deprecated :code:`OverridableMethod` and :code:`OverridableAccessor` classes.
* The :code:`unsafe` predicate for :code:`Modifiable` has been extended to cover delegate return types and identify pointer-like types at any nest level. This is relevant for :code:`unsafe` declarations extracted from assemblies.
Java
""""
* Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
* Deleted the deprecated :code:`getRepresentedString` predicate from the :code:`StringLiteral` class.
* Deleted the deprecated :code:`ServletWriterSource` class.
* Deleted the deprecated :code:`getGroupID`, :code:`getArtefactID`, and :code:`artefactMatches` predicates from the :code:`MavenRepoJar` class.
JavaScript/TypeScript
"""""""""""""""""""""
* Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
* Deleted the deprecated :code:`getId` from the :code:`Function`, :code:`NamespaceDefinition`, and :code:`ImportEqualsDeclaration` classes.
* Deleted the deprecated :code:`flowsTo` predicate from the :code:`HTTP::Servers::RequestSource` and :code:`HTTP::Servers::ResponseSource` class.
* Deleted the deprecated :code:`getEventName` predicate from the :code:`SocketIO::ReceiveNode`, :code:`SocketIO::SendNode`, :code:`SocketIOClient::SendNode` classes.
* Deleted the deprecated :code:`RateLimitedRouteHandlerExpr` and :code:`RouteHandlerExpressionWithRateLimiter` classes.
* \ `Import assertions <https://github.com/tc39/proposal-import-assertions>`__ are now supported.
Previously this feature was only supported in TypeScript code, but is now supported for plain JavaScript as well and is also accessible in the AST.
Python
""""""
* Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
Ruby
""""
* Data flow through :code:`initialize` methods is now taken into account also when the receiver of a :code:`new` call is an (implicit or explicit) :code:`self`.
* The Active Record query methods :code:`reorder` and :code:`count_by_sql` are now recognized as SQL executions.
* Calls to :code:`ActiveRecord::Connection#execute`, including those via subclasses, are now recognized as SQL executions.
* Data flow through :code:`ActionController::Parameters#require` is now tracked properly.
* The severity of parse errors was reduced to warning (previously error).
* Deleted the deprecated :code:`getQualifiedName` predicate from the :code:`ConstantWriteAccess` class.
* Deleted the deprecated :code:`getWhenBranch` and :code:`getAWhenBranch` predicates from the :code:`CaseExpr` class.
* Deleted the deprecated :code:`Self`, :code:`PatternParameter`, :code:`Pattern`, :code:`VariablePattern`, :code:`TuplePattern`, and :code:`TuplePatternParameter` classes.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`WriteConfig` taint tracking configuration has been deprecated. Please use :code:`WriteFlow`.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
C#
""
* Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
Golang
""""""
* Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
Java
""""
* Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
Python
""""""
* Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
Ruby
""""
* Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.

57
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.6.rst Normal file
Просмотреть файл

@ -0,0 +1,57 @@
.. _codeql-cli-2.12.6:
==========================
CodeQL 2.12.6 (2023-04-04)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.12.6 runs a total of 386 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 124 queries (covering 31 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug in :code:`codeql database analyze` and related commands where the :code:`--max-paths` option was not respected correctly when multiple alerts with the same primary code location were grouped together.
(This grouping is the default behavior unless the :code:`--no-group-alerts` option is passed.)
This bug caused some SARIF files produced by CodeQL to exceed the limits on the number of paths (:code:`threadFlows`) accepted by code scanning,
leading to errors when uploading results.
New Features
~~~~~~~~~~~~
* Several experimental subcommands have been added in support of the new `code scanning tool status page <https://github.blog/changelog/2023-03-28-code-scanning-shows-the-health-of-tools-enabled-on-a-repository/>`__.
These include :code:`codeql database add-diagnostic`,
:code:`codeql database export-diagnostics`, and the
:code:`codeql diagnostic add` and :code:`codeql diagnostic export` plumbing subcommands.
Known Issues
~~~~~~~~~~~~
* We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with :code:`codeql github upload-results`. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1.
This issue occurs when uploading certain kinds of diagnostic information and causes the subcommand to fail with "A fatal error occurred: Invalid SARIF.", reporting an :code:`InvalidDefinitionException`.
Customers who wish to use CodeQL 2.12.6 or 2.13.0 can
work around the problem by passing :code:`--no-sarif-include-diagnostics` to any invocations of :code:`codeql database analyze` or :code:`codeql database interpret-results`.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ruby
""""
* :code:`rb/sensitive-get-query` no longer reports flow paths from input parameters to sensitive use nodes. This avoids cases where many flow paths could be generated for a single parameter, which caused excessive paths to be generated.

20
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.7.rst Normal file
Просмотреть файл

@ -0,0 +1,20 @@
.. _codeql-cli-2.12.7:
==========================
CodeQL 2.12.7 (2023-04-18)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug in :code:`codeql database upload-results` where the subcommand would fail with "A fatal error occurred: Invalid SARIF.", reporting an :code:`InvalidDefinitionException`. This issue occurred when the SARIF file contained certain kinds of diagnostic information.

322
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.0.rst Normal file
Просмотреть файл

@ -0,0 +1,322 @@
.. _codeql-cli-2.13.0:
==========================
CodeQL 2.13.0 (2023-04-20)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.13.0 runs a total of 388 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 124 queries (covering 30 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* In :code:`codeql pack add`, the dependency that is added to the :code:`qlpack.yml` file will now allow any version of the pack that is compatible with the specified version (:code:`^version`) in the following cases:
* When no version is specified (:code:`codeql pack add codeql/cpp-all`).
* When the version is specified as :code:`latest` (:code:`codeql pack add codeql/cpp-all@latest`).
* When a single version is specified (:code:`codeql pack add codeql/cpp-all@1.0.0`).
The :code:`^version` dependency allows any version of that pack with no breaking changes since :code:`version`.
For example, :code:`^1.2.3` would allow versions :code:`1.2.3`, :code:`1.2.5`, and :code:`1.4.0`, but not :code:`2.0.0`, because changing the major version number to :code:`2` indicates a breaking change.
Using :code:`^version` ensures that the added pack is not needlessly constrained to an exact version by default.
* Upper-case variable names are no longer accepted by the QL compiler.
Such variable names have produced a deprecation warning since release 2.9.2 (released 2022-05-16), so QL code that compiles without warnings with a recent release of the CLI should still work.
Deprecations
~~~~~~~~~~~~
* The possibility to omit :code:`override` annotations on class member predicates that override a base class predicate has been deprecated.
This is to avoid confusion with shadowing behaviour in the presence of final member predicates.
.. code-block:: ql
class Foo extends Base {
final predicate foo() { ... }
predicate bar() { ... }
predicate baz() { ... }
}
class Bar extends Foo {
// This method shadows Foo::foo.
predicate foo() { ... }
// This used to override Foo::bar with a warning, is now deprecated.
predicate bar() { ... }
// This correctly overrides Foo::baz
override predicate baz() { ... }
}
New Features
~~~~~~~~~~~~
* :code:`codeql database analyze` and related commands now export file coverage information by default. GHAS customers using CodeQL in third-party CI systems will now see file coverage information on the
\ `tool status page <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page>`__ without needing to modify their CI workflows.
Known Issues
~~~~~~~~~~~~
* We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with :code:`codeql github upload-results`. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1. For more information, see the
"Known issues" section for CodeQL 2.12.6.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed a bug where a destructuring pattern could not be parsed if it had a property named :code:`get` or :code:`set` with a default value.
Python
""""""
* Nonlocal variables are excluded from alerts.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The query :code:`cpp/tainted-arithmetic` now also flags possible overflows in arithmetic assignment operations.
C#
""
* The query :code:`cs/web/debug-binary` now disregards the :code:`debug` attribute in case there is a transformation that removes it.
Golang
""""""
* The receiver arguments of :code:`net/http.Header.Set` and :code:`.Del` are no longer flagged by query :code:`go/untrusted-data-to-external-api`.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`DisablingCertificateValidation.ql` query has been updated to check :code:`createServer` from :code:`https` for disabled certificate validation.
* Improved the model of jQuery to account for XSS sinks where the HTML string is provided via a callback. This may lead to more results for the :code:`js/xss` query.
* The :code:`js/weak-cryptographic-algorithm` query now flags cryptograhic operations using a weak block mode,
such as AES-ECB.
New Queries
~~~~~~~~~~~
C/C++
"""""
* The query :code:`cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
Java
""""
* The query :code:`java/insecure-ldap-auth` has been promoted from experimental to the main query pack. This query detects transmission of cleartext credentials in LDAP authentication. Insecure LDAP authentication causes sensitive information to be vulnerable to remote attackers. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/4854>`__
Ruby
""""
* Added a new experimental query, :code:`rb/server-side-template-injection`, to detect cases where user input may be embedded into a template's code in an unsafe manner.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
C#
""
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
Golang
""""""
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
Java
""""
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
Python
""""""
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
Ruby
""""
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The internal :code:`SsaConsistency` module has been moved from :code:`SSAConstruction` to :code:`SSAConsitency`, and the deprecated :code:`SSAConsistency` module has been removed.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 5.0.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`BufferAccess` library (:code:`semmle.code.cpp.security.BufferAccess`) no longer matches buffer accesses inside unevaluated contexts (such as inside :code:`sizeof` or :code:`decltype` expressions). As a result, queries using this library may see fewer false positives.
Java
""""
* Fixed a bug in the regular expression used to identify sensitive information in :code:`SensitiveActions::getCommonSensitiveInfoRegex`. This may affect the results of the queries :code:`java/android/sensitive-communication`, :code:`java/android/sensitive-keyboard-cache`, and :code:`java/sensitive-log`.
* Added a summary model for the :code:`java.lang.UnsupportedOperationException(String)` constructor.
* The filenames embedded in :code:`Compilation.toString()` now use :code:`/` as the path separator on all platforms.
* Added models for the following packages:
* :code:`java.lang`
* :code:`java.net`
* :code:`java.nio.file`
* :code:`java.io`
* :code:`java.lang.module`
* :code:`org.apache.commons.httpclient.util`
* :code:`org.apache.commons.io`
* :code:`org.apache.http.client`
* :code:`org.eclipse.jetty.client`
* :code:`com.google.common.io`
* :code:`kotlin.io`
* Added the :code:`TaintedPathQuery.qll` library to provide the :code:`TaintedPathFlow` and :code:`TaintedPathLocalFlow` taint-tracking modules to reason about tainted path vulnerabilities.
* Added the :code:`ZipSlipQuery.qll` library to provide the :code:`ZipSlipFlow` taint-tracking module to reason about zip-slip vulnerabilities.
* Added the :code:`InsecureBeanValidationQuery.qll` library to provide the :code:`BeanValidationFlow` taint-tracking module to reason about bean validation vulnerabilities.
* Added the :code:`XssQuery.qll` library to provide the :code:`XssFlow` taint-tracking module to reason about cross site scripting vulnerabilities.
* Added the :code:`LdapInjectionQuery.qll` library to provide the :code:`LdapInjectionFlow` taint-tracking module to reason about LDAP injection vulnerabilities.
* Added the :code:`ResponseSplittingQuery.qll` library to provide the :code:`ResponseSplittingFlow` taint-tracking module to reason about response splitting vulnerabilities.
* Added the :code:`ExternallyControlledFormatStringQuery.qll` library to provide the :code:`ExternallyControlledFormatStringFlow` taint-tracking module to reason about externally controlled format string vulnerabilities.
* Improved the handling of addition in the range analysis. This can cause in minor changes to the results produced by :code:`java/index-out-of-bounds` and :code:`java/constant-comparison`.
* A new models as data sink kind :code:`command-injection` has been added.
* The queries :code:`java/command-line-injection` and :code:`java/concatenated-command-line` now can be extended using the :code:`command-injection` models as data sink kind.
* Added more sink and summary dataflow models for the following packages:
* :code:`java.net`
* :code:`java.nio.file`
* :code:`javax.imageio.stream`
* :code:`javax.naming`
* :code:`javax.servlet`
* :code:`org.geogebra.web.full.main`
* :code:`hudson`
* :code:`hudson.cli`
* :code:`hudson.lifecycle`
* :code:`hudson.model`
* :code:`hudson.scm`
* :code:`hudson.util`
* :code:`hudson.util.io`
* Added the extensible abstract class :code:`JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the :code:`java/jndi-injection` query.
* Added a summary model for the :code:`nativeSQL` method of the :code:`java.sql.Connection` interface.
* Added sink and summary dataflow models for the Jenkins and Netty frameworks.
* The Models as Data syntax for selecting the qualifier has been changed from :code:`-1` to :code:`this` (e.g. :code:`Argument[-1]` is now written as :code:`Argument[this]`).
* Added sources and flow step models for the Netty framework up to version 4.1.
* Added more dataflow models for frequently-used JDK APIs.
JavaScript/TypeScript
"""""""""""""""""""""
* :code:`router.push` and :code:`router.replace` in :code:`Next.js` are now considered as XSS sink.
* The crypto-js module in :code:`CryptoLibraries.qll` now supports progressive hashing with algo.update().
Python
""""""
* Added modeling of SQL execution in the packages :code:`sqlite3.dbapi2`, :code:`cassandra-driver`, :code:`aiosqlite`, and the functions :code:`sqlite3.Connection.executescript`\ /\ :code:`sqlite3.Cursor.executescript` and :code:`asyncpg.connection.connect()`.
* Fixed module resolution so we allow imports of definitions that have had an attribute assigned to it, such as :code:`class Foo; Foo.bar = 42`.
Ruby
""""
* Control flow graph: the evaluation order of scope expressions and receivers in multiple assignments has been adjusted to match the changes made in Ruby
3.1 and 3.2.
* The clear-text storage (:code:`rb/clear-text-storage-sensitive-data`) and logging (:code:`rb/clear-text-logging-sensitive-data`) queries now use built-in flow through hashes, for improved precision. This may result in both new true positives and less false positives.
* Accesses of :code:`params` in Sinatra applications are now recognized as HTTP input accesses.
* Data flow is tracked from Sinatra route handlers to ERB files.
* Data flow is tracked between basic Sinatra filters (those without URL patterns) and their corresponding route handlers.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The single-parameter predicates :code:`ArrayOrVectorAggregateLiteral.getElementExpr` and :code:`ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of :code:`ArrayOrVectorAggregateLiteral.getAnElementExpr` and :code:`ClassAggregateLiteral.getAFieldExpr`.
* The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
* The :code:`SslContextCallAbstractConfig`, :code:`SslContextCallConfig`, :code:`SslContextCallBannedProtocolConfig`, :code:`SslContextCallTls12ProtocolConfig`, :code:`SslContextCallTls13ProtocolConfig`, :code:`SslContextCallTlsProtocolConfig`, :code:`SslContextFlowsToSetOptionConfig`, :code:`SslOptionConfig` dataflow configurations from :code:`BoostorgAsio` have been deprecated. Please use :code:`SslContextCallConfigSig`, :code:`SslContextCallGlobal`, :code:`SslContextCallFlow`, :code:`SslContextCallBannedProtocolFlow`, :code:`SslContextCallTls12ProtocolFlow`, :code:`SslContextCallTls13ProtocolFlow`, :code:`SslContextCallTlsProtocolFlow`, :code:`SslContextFlowsToSetOptionFlow`.
C#
""
* The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
Golang
""""""
* The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
Java
""""
* The :code:`execTainted` predicate in :code:`CommandLineQuery.qll` has been deprecated and replaced with the predicate :code:`execIsTainted`.
* The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
* The :code:`WebViewDubuggingQuery` library has been renamed to :code:`WebViewDebuggingQuery` to fix the typo in the file name. :code:`WebViewDubuggingQuery` is now deprecated.
Python
""""""
* The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
Ruby
""""
* The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added overridable predicates :code:`getSizeExpr` and :code:`getSizeMult` to the :code:`BufferAccess` class (:code:`semmle.code.cpp.security.BufferAccess.qll`). This makes it possible to model a larger class of buffer reads and writes using the library.
Java
""""
* Predicates :code:`Compilation.getExpandedArgument` and :code:`Compilation.getAnExpandedArgument` has been added.

118
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.1.rst Normal file
Просмотреть файл

@ -0,0 +1,118 @@
.. _codeql-cli-2.13.1:
==========================
CodeQL 2.13.1 (2023-05-03)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.13.1 runs a total of 389 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 125 queries (covering 32 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug in :code:`codeql database upload-results` where the subcommand would fail with "A fatal error occurred: Invalid SARIF.", reporting an :code:`InvalidDefinitionException`. This issue occurred when the SARIF file contained certain kinds of diagnostic information.
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.7.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixes an issue that would cause TypeScript extraction to hang in rare cases when extracting code containing recursive generic type aliases.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Additional sinks modelling writes to unencrypted local files have been added to :code:`ExternalLocationSink`, used by the :code:`cs/cleartext-storage` and :code:`cs/exposure-of-sensitive-information` queries.
JavaScript/TypeScript
"""""""""""""""""""""
* Improved the call graph to better handle the case where a function is stored on a plain object and subsequently copied to a new host object via an :code:`extend` call.
New Queries
~~~~~~~~~~~
C/C++
"""""
* A new query :code:`cpp/double-free` has been added. The query finds possible cases of deallocating the same pointer twice. The precision of the query has been set to "medium".
* The query :code:`cpp/use-after-free` has been modernized and assigned the precision "medium". The query finds cases of where a pointer is dereferenced after its memory has been deallocated.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The Yaml.qll library was moved into a shared library pack named :code:`codeql/yaml` to make it possible for other languages to re-use it. This change should be backwards compatible for existing JavaScript queries.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* Taking a slice is now considered a sanitizer for :code:`SafeUrlFlow`.
Java
""""
* Changed some models of Spring's :code:`FileCopyUtils.copy` to be path injection sinks instead of summaries.
* Added models for the following packages:
* java.nio.file
* Added models for `Apache HttpComponents <https://hc.apache.org/>`__ versions 4 and 5.
* Added sanitizers that recognize line breaks to the query :code:`java/log-injection`.
* Added new flow steps for :code:`java.util.StringJoiner`.
Python
""""""
* Added support for querying the contents of YAML files.
Deprecated APIs
~~~~~~~~~~~~~~~
Java
""""
* The :code:`sensitiveResultReceiver` predicate in :code:`SensitiveResultReceiverQuery.qll` has been deprecated and replaced with :code:`isSensitiveResultReceiver` in order to use the new dataflow API.
Shared Libraries
----------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
YAML Data Analysis
""""""""""""""""""
* Initial release. Extracted YAML related code into a library pack to share code between languages.

202
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.3.rst Normal file
Просмотреть файл

@ -0,0 +1,202 @@
.. _codeql-cli-2.13.3:
==========================
CodeQL 2.13.3 (2023-05-31)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug that could cause the compiler to infer incorrect binding sets for non-direct calls to overriding member predicates that have stronger binding sets than their root definitions.
* Fixed a bug that could have caused the compiler to incorrectly infer that a class matched a type signature. The bug only affected classes with overriding member predicates that had stronger binding sets than their root definitions.
* Fixed a bug where a query could not be run from VS Code when there were packs nested within sibling directories
of the query.
New Features
~~~~~~~~~~~~
* This release enhances our preliminary Swift support, setting the stage for the upcoming public beta.
* The :code:`codeql database bundle` command now supports the :code:`--[no]-include-temp` option. When enabled, this option will include the :code:`temp` folder of the database directory in the zip file of the bundled database. This folder includes generated packages and queries, and query suites.
* The structured log produced by :code:`codeql generate log-summary` now includes a Boolean :code:`isCached` field for predicate events, where a :code:`true` value indicates the predicate is a wrapper implementing the :code:`cached` annotation on another predicate. The wrapper depends on the underlying predicate that the annotation was found on, and will usually have the same name, but it has a separate :code:`raHash`.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed a spurious diagnostic warning about comments in JSON files being illegal.
Comments in JSON files are in fact fully supported, and the diagnostic message was misleading.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added taint sources from the :code:`@actions/core` and :code:`@actions/github` packages.
* Added command-injection sinks from the :code:`@actions/exec` package.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The query :code:`java/groovy-injection` now recognizes :code:`groovy.text.TemplateEngine.createTemplate` as a sink.
* The queries :code:`java/xxe` and :code:`java/xxe-local` now recognize the second argument of calls to :code:`XPath.evaluate` as a sink.
* Experimental sinks for the query "Resolving XML external entity in user-controlled data" (:code:`java/xxe`) have been promoted to the main query pack. These sinks were originally `submitted as part of an experimental query by @haby0 <https://github.com/github/codeql/pull/6564>`__.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/indirect-command-line-injection` query no longer flags command arguments that cannot be interpreted as a shell string.
* The :code:`js/unsafe-deserialization` query no longer flags deserialization through the :code:`js-yaml` library, except when it is used with an unsafe schema.
* The Forge module in :code:`CryptoLibraries.qll` now correctly classifies SHA-512/224,
SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* In the intermediate representation, handling of control flow after non-returning calls has been improved. This should remove false positives in queries that use the intermedite representation or libraries based on it, including the new data flow library.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`StdNamespace` class now also includes all inline namespaces that are children of :code:`std` namespace.
* The new dataflow (:code:`semmle.code.cpp.dataflow.new.DataFlow`) and taint-tracking libraries (:code:`semmle.code.cpp.dataflow.new.TaintTracking`) now support tracking flow through static local variables.
C#
""
* The :code:`cs/log-forging`, :code:`cs/cleartext-storage`, and :code:`cs/exposure-of-sensitive-information` queries now correctly handle unsanitized arguments to :code:`ILogger` extension methods.
* Updated the :code:`neutralModel` extensible predicate to include a :code:`kind` column.
Golang
""""""
* Fixed data flow through variadic function parameters. The arguments corresponding to a variadic parameter are no longer returned by :code:`CallNode.getArgument(int i)` and :code:`CallNode.getAnArgument()`, and hence aren't :code:`ArgumentNode`\ s. They now have one result, which is an :code:`ImplicitVarargsSlice` node. For example, a call :code:`f(a, b, c)` to a function :code:`f(T...)` is treated like :code:`f([]T{a, b, c})`. The old behaviour is preserved by :code:`CallNode.getSyntacticArgument(int i)` and :code:`CallNode.getASyntacticArgument()`. :code:`CallExpr.getArgument(int i)` and :code:`CallExpr.getAnArgument()` are unchanged, and will still have three results in the example given.
Java
""""
* Added SQL injection sinks for Spring JDBC's :code:`NamedParameterJdbcOperations`.
* Added models for the following packages:
* org.apache.hadoop.fs
* Added the :code:`ArithmeticCommon.qll` library to provide predicates for reasoning about arithmetic operations.
* Added the :code:`ArithmeticTaintedLocalQuery.qll` library to provide the :code:`ArithmeticTaintedLocalOverflowFlow` and :code:`ArithmeticTaintedLocalUnderflowFlow` taint-tracking modules to reason about arithmetic with unvalidated user input.
* Added the :code:`ArithmeticTaintedQuery.qll` library to provide the :code:`RemoteUserInputOverflow` and :code:`RemoteUserInputUnderflow` taint-tracking modules to reason about arithmetic with unvalidated user input.
* Added the :code:`ArithmeticUncontrolledQuery.qll` library to provide the :code:`ArithmeticUncontrolledOverflowFlow` and :code:`ArithmeticUncontrolledUnderflowFlow` taint-tracking modules to reason about arithmetic with uncontrolled user input.
* Added the :code:`ArithmeticWithExtremeValuesQuery.qll` library to provide the :code:`MaxValueFlow` and :code:`MinValueFlow` dataflow modules to reason about arithmetic with extreme values.
* Added the :code:`BrokenCryptoAlgorithmQuery.qll` library to provide the :code:`InsecureCryptoFlow` taint-tracking module to reason about broken cryptographic algorithm vulnerabilities.
* Added the :code:`ExecTaintedLocalQuery.qll` library to provide the :code:`LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
* Added the :code:`ExternallyControlledFormatStringLocalQuery.qll` library to provide the :code:`ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
* Added the :code:`ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll` library to provide the :code:`BoundedFlowSourceFlow` dataflow module to reason about improper validation of code-specified sizes used for array construction.
* Added the :code:`ImproperValidationOfArrayConstructionLocalQuery.qll` library to provide the :code:`ImproperValidationOfArrayConstructionLocalFlow` taint-tracking module to reason about improper validation of local user-provided sizes used for array construction caused by local data flow.
* Added the :code:`ImproperValidationOfArrayConstructionQuery.qll` library to provide the :code:`ImproperValidationOfArrayConstructionFlow` taint-tracking module to reason about improper validation of user-provided size used for array construction.
* Added the :code:`ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll` library to provide the :code:`BoundedFlowSourceFlow` data flow module to reason about about improper validation of code-specified array index.
* Added the :code:`ImproperValidationOfArrayIndexLocalQuery.qll` library to provide the :code:`ImproperValidationOfArrayIndexLocalFlow` taint-tracking module to reason about improper validation of a local user-provided array index.
* Added the :code:`ImproperValidationOfArrayIndexQuery.qll` library to provide the :code:`ImproperValidationOfArrayIndexFlow` taint-tracking module to reason about improper validation of user-provided array index.
* Added the :code:`InsecureCookieQuery.qll` library to provide the :code:`SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
* Added the :code:`MaybeBrokenCryptoAlgorithmQuery.qll` library to provide the :code:`InsecureCryptoFlow` taint-tracking module to reason about broken cryptographic algorithm vulnerabilities.
* Added the :code:`NumericCastTaintedQuery.qll` library to provide the :code:`NumericCastTaintedFlow` taint-tracking module to reason about numeric cast vulnerabilities.
* Added the :code:`ResponseSplittingLocalQuery.qll` library to provide the :code:`ResponseSplittingLocalFlow` taint-tracking module to reason about response splitting vulnerabilities caused by local data flow.
* Added the :code:`SqlConcatenatedQuery.qll` library to provide the :code:`UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
* Added the :code:`SqlTaintedLocalQuery.qll` library to provide the :code:`LocalUserInputToArgumentToSqlFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
* Added the :code:`StackTraceExposureQuery.qll` library to provide the :code:`printsStackExternally`, :code:`stringifiedStackFlowsExternally`, and :code:`getMessageFlowsExternally` predicates to reason about stack trace exposure vulnerabilities.
* Added the :code:`TaintedPermissionQuery.qll` library to provide the :code:`TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
* Added the :code:`TempDirLocalInformationDisclosureQuery.qll` library to provide the :code:`TempDirSystemGetPropertyToCreate` taint-tracking module to reason about local information disclosure vulnerabilities caused by local data flow.
* Added the :code:`UnsafeHostnameVerificationQuery.qll` library to provide the :code:`TrustAllHostnameVerifierFlow` taint-tracking module to reason about insecure hostname verification vulnerabilities.
* Added the :code:`UrlRedirectLocalQuery.qll` library to provide the :code:`UrlRedirectLocalFlow` taint-tracking module to reason about URL redirection vulnerabilities caused by local data flow.
* Added the :code:`UrlRedirectQuery.qll` library to provide the :code:`UrlRedirectFlow` taint-tracking module to reason about URL redirection vulnerabilities.
* Added the :code:`XPathInjectionQuery.qll` library to provide the :code:`XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
* Added the :code:`XssLocalQuery.qll` library to provide the :code:`XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
* Moved the :code:`url-open-stream` sink models to experimental and removed :code:`url-open-stream` as a sink option from the `Customizing Library Models for Java <https://github.com/github/codeql/blob/733a00039efdb39c3dd76ddffad5e6d6c85e6774/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst#customizing-library-models-for-java>`__ documentation.
* Added models for the Apache Commons Net library.
* Updated the :code:`neutralModel` extensible predicate to include a :code:`kind` column.
* Added models for the :code:`io.jsonwebtoken` library.
JavaScript/TypeScript
"""""""""""""""""""""
* Improved the queries for injection vulnerabilities in GitHub Actions workflows (:code:`js/actions/command-injection` and :code:`js/actions/pull-request-target`) and the associated library :code:`semmle.javascript.Actions`. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files. It supports more potentially untrusted input values. Additionally to the shell injections it now also detects injections in :code:`actions/github-script`. It also detects simple injections from user controlled :code:`${{ env.name }}`. Additionally to the :code:`yml` extension now it also supports workflows with the :code:`yaml` extension.
Python
""""""
* Type tracking is now aware of reads of captured variables (variables defined in an outer scope). This leads to a richer API graph, and may lead to more results in some queries.
* Added more content-flow/field-flow for dictionaries, by adding support for reads through :code:`mydict.get("key")` and :code:`mydict.setdefault("key", value)`, and store steps through :code:`dict["key"] = value` and :code:`mydict.setdefault("key", value)`.
Ruby
""""
* Support for the :code:`sqlite3` gem has been added. Method calls that execute queries against an SQLite3 database that may be vulnerable to injection attacks will now be recognized.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added an AST-based interface (:code:`semmle.code.cpp.rangeanalysis.new.RangeAnalysis`) for the relative range analysis library.
* A new predicate :code:`BarrierGuard::getAnIndirectBarrierNode` has been added to the new dataflow library (:code:`semmle.code.cpp.dataflow.new.DataFlow`) to mark indirect expressions as barrier nodes using the :code:`BarrierGuard` API.

245
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.4.rst Normal file
Просмотреть файл

@ -0,0 +1,245 @@
.. _codeql-cli-2.13.4:
==========================
CodeQL 2.13.4 (2023-06-19)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.13.4 runs a total of 390 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 125 queries (covering 32 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed an issue where indirect build tracing did not work in Azure DevOps pipeline jobs in Windows containers. To use indirect build tracing in such environments, ensure both the :code:`--begin-tracing` and
:code:`--trace-process-name=CExecSvc.exe` arguments are passed to
:code:`codeql database init`.
* Improved the error message for the :code:`codeql pack create` command when the pack being published has a dependency with no scope in its name.
New Features
~~~~~~~~~~~~
* Temporary files and folders created by the CodeQL CLI will now be cleaned up when each CLI command (and its internal JVM) shuts down normally.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
Python
""""""
* The display name (:code:`@name`) of the :code:`py/unsafe-deserialization` query has been updated in favor of consistency with other languages.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The :code:`java/summary/lines-of-code` query now only counts lines of Java code. The new :code:`java/summary/lines-of-code-kotlin` counts lines of Kotlin code.
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed an issue where calls to a method named :code:`search` would lead to false positive alerts related to regular expressions.
This happened when the call was incorrectly seen as a call to :code:`String.prototype.search`, since this function converts its first argument to a regular expression. The analysis is now more restrictive about when to treat :code:`search` calls as regular expression sinks.
Ruby
""""
* Fixed a bug that would occur when an :code:`initialize` method returns :code:`self` or one of its parameters.
In such cases, the corresponding calls to :code:`new` would be associated with an incorrect return type.
This could result in inaccurate call target resolution and cause false positive alerts.
* Fixed an issue where calls to :code:`delete` or :code:`assoc` with a constant-valued argument would be analyzed imprecisely,
as if the argument value was not a known constant.
Swift
"""""
* Fixed some false positive results from the :code:`swift/string-length-conflation` query, caused by imprecise sinks.
New Queries
~~~~~~~~~~~
C/C++
"""""
* Added a new query, :code:`cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Swift
"""""
* Fixed a number of inconsistencies in the abstract syntax tree (AST) and in the control-flow graph (CFG). This may lead to more results in queries that use these libraries, or libraries that depend on them (such as dataflow).
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, :code:`.cshtml` files and their generated :code:`.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 5.1.
Swift
"""""
* Incorporated the cross-language :code:`SensitiveDataHeuristics.qll` heuristics library into the Swift :code:`SensitiveExprs.qll` library. This adds a number of new heuristics enhancing detection from the library.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Deleted the deprecated :code:`hasCopyConstructor` predicate from the :code:`Class` class in :code:`Class.qll`.
* Deleted many deprecated predicates and classes with uppercase :code:`AST`, :code:`SSA`, :code:`CFG`, :code:`API`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated :code:`CodeDuplication.qll` file.
C#
""
* C#: Analysis of the :code:`dotnet test` command supplied with a :code:`dll` or :code:`exe` file as argument no longer fails due to the addition of an erroneous :code:`-p:SharedCompilation=false` argument.
* Deleted the deprecated :code:`WebConfigXML`, :code:`ConfigurationXMLElement`, :code:`LocationXMLElement`, :code:`SystemWebXMLElement`, :code:`SystemWebServerXMLElement`, :code:`CustomErrorsXMLElement`, and :code:`HttpRuntimeXMLElement` classes from :code:`WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
* Deleted the deprecated :code:`Record` class from both :code:`Types.qll` and :code:`Type.qll`.
* Deleted the deprecated :code:`StructuralComparisonConfiguration` class from :code:`StructuralComparison.qll`, use :code:`sameGvn` instead.
* Deleted the deprecated :code:`isParameterOf` predicate from the :code:`ParameterNode` class.
* Deleted the deprecated :code:`SafeExternalAPICallable`, :code:`ExternalAPIDataNode`, :code:`UntrustedDataToExternalAPIConfig`, :code:`UntrustedExternalAPIDataNode`, and :code:`ExternalAPIUsedWithUntrustedData` classes from :code:`ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
* :code:`code` to :code:`code-injection`
* :code:`sql` to :code:`sql-injection`
* :code:`html` to :code:`html-injection`
* :code:`xss` to :code:`js-injection`
* :code:`remote` to :code:`file-content-store`
Java
""""
* Added flow through the block arguments of :code:`kotlin.io.use` and :code:`kotlin.with`.
* Added models for the following packages:
* com.alibaba.druid.sql
* com.fasterxml.jackson.databind
* com.jcraft.jsch
* io.netty.handler.ssl
* okhttp3
* org.antlr.runtime
* org.fusesource.leveldbjni
* org.influxdb
* org.springframework.core.io
* org.yaml.snakeyaml
* Deleted the deprecated :code:`getRHS` predicate from the :code:`LValue` class, use :code:`getRhs` instead.
* Deleted the deprecated :code:`getCFGNode` predicate from the :code:`SsaVariable` class, use :code:`getCfgNode` instead.
* Deleted many deprecated predicates and classes with uppercase :code:`XML`, :code:`JSON`, :code:`URL`, :code:`API`, etc. in their names. Use the PascalCased versions instead.
* Added models for the following packages:
* java.lang
* java.nio.file
* Added dataflow models for the Gson deserialization library.
* Added models for the following packages:
* okhttp3
* Added more dataflow models for the Play Framework.
* Modified the models related to :code:`java.nio.file.Files.copy` so that generic :code:`[Input|Output]Stream` arguments are not considered file-related sinks.
* Dataflow analysis has a new flow step through constructors of transitive subtypes of :code:`java.io.InputStream` that wrap an underlying data source. Previously, the step only existed for direct subtypes of :code:`java.io.InputStream`.
* Path creation sinks modeled in :code:`PathCreation.qll` have been added to the models-as-data sink kind :code:`path-injection`.
* Updated the regular expression in the :code:`HostnameSanitizer` sanitizer in the :code:`semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
* Changed the :code:`android-widget` Java source kind to :code:`remote`. Any custom data extensions that use the :code:`android-widget` source kind will need to be updated accordingly in order to continue working.
* Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
* :code:`sql` to :code:`sql-injection`
* :code:`url-redirect` to :code:`url-redirection`
* :code:`xpath` to :code:`xpath-injection`
* :code:`ssti` to :code:`template-injection`
* :code:`logging` to :code:`log-injection`
* :code:`groovy` to :code:`groovy-injection`
* :code:`jexl` to :code:`jexl-injection`
* :code:`mvel` to :code:`mvel-injection`
* :code:`xslt` to :code:`xslt-injection`
* :code:`ldap` to :code:`ldap-injection`
* :code:`pending-intent-sent` to :code:`pending-intents`
* :code:`intent-start` to :code:`intent-redirection`
* :code:`set-hostname-verifier` to :code:`hostname-verification`
* :code:`header-splitting` to :code:`response-splitting`
* :code:`xss` to :code:`html-injection` and :code:`js-injection`
* :code:`write-file` to :code:`file-system-store`
* :code:`create-file` and :code:`read-file` to :code:`path-injection`
* :code:`open-url` and :code:`jdbc-url` to :code:`request-forgery`
JavaScript/TypeScript
"""""""""""""""""""""
* Deleted many deprecated predicates and classes with uppercase :code:`XML`, :code:`JSON`, :code:`URL`, :code:`API`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated :code:`localTaintStep` predicate from :code:`DataFlow.qll`.
* Deleted the deprecated :code:`stringStep`, and :code:`localTaintStep` predicates from :code:`TaintTracking.qll`.
* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
* Deleted the deprecated :code:`HtmlInjectionConfiguration` and :code:`JQueryHtmlOrSelectorInjectionConfiguration` classes from :code:`DomBasedXssQuery.qll`, use :code:`Configuration` instead.
* Deleted the deprecated :code:`DefiningIdentifier` class and the :code:`Definitions.qll` file it was in. Use :code:`SsaDefinition` instead.
* Deleted the deprecated :code:`definitionReaches`, :code:`localDefinitionReaches`, :code:`getAPseudoDefinitionInput`, :code:`nextDefAfter`, and :code:`localDefinitionOverwrites` predicates from :code:`DefUse.qll`.
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
* :code:`command-line-injection` to :code:`command-injection`
* :code:`credentials[kind]` to :code:`credentials-kind`
* Added a support of sub modules in :code:`node_modules`.
Ruby
""""
* Deleted many deprecated predicates and classes with uppercase :code:`URL`, :code:`XSS`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated :code:`getValueText` predicate from the :code:`Expr`, :code:`StringComponent`, and :code:`ExprCfgNode` classes. Use :code:`getConstantValue` instead.
* Deleted the deprecated :code:`VariableReferencePattern` class, use :code:`ReferencePattern` instead.
* Deleted all deprecated aliases in :code:`StandardLibrary.qll`, use :code:`codeql.ruby.frameworks.Core` and :code:`codeql.ruby.frameworks.Stdlib` instead.
* Support for the :code:`sequel` gem has been added. Method calls that execute queries against a database that may be vulnerable to injection attacks will now be recognized.
* Support for the :code:`mysql2` gem has been added. Method calls that execute queries against an MySQL database that may be vulnerable to injection attacks will now be recognized.
* Support for the :code:`pg` gem has been added. Method calls that execute queries against a PostgreSQL database that may be vulnerable to injection attacks will now be recognized.
Swift
"""""
* Some models for the :code:`Data` class have been generalized to :code:`DataProtocol` so that they apply more widely.
New Features
~~~~~~~~~~~~
Java
""""
* Kotlin versions up to 1.9.0 are now supported.

20
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.5.rst Normal file
Просмотреть файл

@ -0,0 +1,20 @@
.. _codeql-cli-2.13.5:
==========================
CodeQL 2.13.5 (2023-07-05)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* The Swift extractor now supports Swift 5.8.1.

269
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.0.rst Normal file
Просмотреть файл

@ -0,0 +1,269 @@
.. _codeql-cli-2.14.0:
==========================
CodeQL 2.14.0 (2023-07-13)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.14.0 runs a total of 390 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The legacy option :code:`--search-path` will now be used, if provided, when searching for the dependencies of packages that have no lock file.
* CodeQL query packs that specify their dependencies using the legacy
:code:`libraryPathDependencies` property in :code:`qlpack.yml`\ /\ :code:`codeql-pack.yml` files are no longer permitted to contain a :code:`codeql-pack.lock.yml` lock file.
This will lead to a compilation error. This change is intended to prevent confusing behavior arising from a mix of legacy (unversioned) and modern
(versioned) package dependencies. To fix this error, either delete the lock file, or convert :code:`libraryPathDependencies` to :code:`dependencies`.
* CodeQL CLI commands that create packages or update package lock files, such as :code:`codeql pack publish` and :code:`codeql pack create`, will no longer work on query packs that specify their dependencies using the legacy
:code:`libraryPathDependencies` property. To fix this error, convert
:code:`libraryPathDependencies` to :code:`dependencies`.
Bug Fixes
~~~~~~~~~
* Fixed super calls on final base classes (or final aliases) so that they are now dispatched the same way as super calls on instanceof supertypes.
* Fixed a bug where running :code:`codeql database finalize` with a large number of threads would fail due to running out of file descriptors.
* Fixed a bug where :code:`codeql database create --overwrite` would not work with database clusters.
* Fixed a bug where the CodeQL documentation coverage statistics were incorrect.
* Fixed a bug where the generated CodeQL libarary documentation could generate invalid uris on windows.
Deprecations
~~~~~~~~~~~~
* Missing override annotations on class member predicates now raise errors rather than warnings. This is to avoid confusion with the shadowing behaviour in the presence of final member predicates.
.. code-block:: ql
class Foo extends Base {
final predicate foo() { ... }
predicate bar() { ... }
}
class Bar extends Foo {
// This method shadows Foo::foo.
predicate foo() { ... }
// This used to override Foo::bar with a warning, now raises error.
predicate bar() { ... }
}
Improvements
~~~~~~~~~~~~
* Unqualified imports can now be marked as deprecated to indicate that the import may be removed in the future. Usage of names only reachable through deprecated imports will generate deprecation warnings.
* Classes declared inside a parameterized modules can final extend parameters of the module as well as types that are declared outside the parameterized module.
* Fields are fully functional when extending types from within a module instantiation.
* Files with a :code:`.yaml` extension will now be included in compiled CodeQL packs. Previously, files with this extension were excluded even though :code:`.yml` files were included.
* When interpreting results (e.g., using :code:`bqrs interpret` or
:code:`database interpret-results`), extra placeholders in alert messages are treated as normal text. Previously, results with more placeholders than placeholder values were skipped.
* Windows users of the CodeQL extension for VS Code will see faster start times.
* In VS Code, errors in the current file are rechecked when dependencies change.
* In VS Code, autocomplete in large QL files is now faster.
* Member predicates can shadow final member predicates of the same arity even when the signatures are not fully matching.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
C#
""
* The query "Arbitrary file write during zip extraction ("Zip Slip")" (:code:`cs/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
Golang
""""""
* The query "Arbitrary file write during zip extraction ("zip slip")" (:code:`go/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
Java
""""
* The query "Arbitrary file write during archive extraction ("Zip Slip")" (:code:`java/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
JavaScript/TypeScript
"""""""""""""""""""""
* The query "Arbitrary file write during zip extraction ("Zip Slip")" (:code:`js/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
Python
""""""
* The query "Arbitrary file write during archive extraction ("Zip Slip")" (:code:`py/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
Ruby
""""
* The experimental query "Arbitrary file write during zipfile/tarfile extraction" (:code:`ruby/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
Swift
"""""
* Functions and methods modeled as flow summaries are no longer shown in the path of :code:`path-problem` queries. This results in more succinct paths for most security queries.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/comparison-with-wider-type` query now correctly handles relational operations on signed operators. As a result the query may find more results.
Java
""""
* New models have been added for :code:`org.apache.commons.lang`.
* The query :code:`java/unsafe-deserialization` has been updated to take into account :code:`SerialKiller`, a library used to prevent deserialization of arbitrary classes.
Ruby
""""
* Fixed a bug in how :code:`map_filter` calls are analyzed. Previously, such calls would appear to the return the receiver of the call, but now the return value of the callback is properly taken into account.
New Queries
~~~~~~~~~~~
C#
""
* Added a new query, :code:`cs/web/missing-function-level-access-control`, to find instances of missing authorization checks.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
Swift
"""""
* The :code:`BraceStmt` AST node's :code:`AstNode getElement(index)` member predicate no longer returns :code:`VarDecl`\ s after the :code:`PatternBindingDecl` that declares them. Instead, a new :code:`VarDecl getVariable(index)` predicate has been introduced for accessing the variables declared in a :code:`BraceStmt`.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
Java
""""
* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Deleted the deprecated :code:`getURL` predicate from the :code:`Container`, :code:`Folder`, and :code:`File` classes. Use the :code:`getLocation` predicate instead.
C#
""
* Additional support for :code:`command-injection`, :code:`ldap-injection`, :code:`log-injection`, and :code:`url-redirection` sink kinds for Models as Data.
Golang
""""""
* When a result of path query flows through a function modeled using :code:`DataFlow::FunctionModel` or :code:`TaintTracking::FunctionModel`, the path now includes nodes corresponding to the input and output to the function. This brings it in line with functions modeled using Models-as-Data.
Java
""""
* Added automatically-generated dataflow models for :code:`javax.portlet`.
* Added a missing summary model for the method :code:`java.net.URL.toString`.
* Added automatically-generated dataflow models for the following frameworks and libraries:
* :code:`hudson`
* :code:`jenkins`
* :code:`net.sf.json`
* :code:`stapler`
* Added more models for the Hudson framework.
* Added more models for the Stapler framework.
JavaScript/TypeScript
"""""""""""""""""""""
* Added models for the Webix Framework.
Python
""""""
* Deleted many models that used the old dataflow library, the new models can be found in the :code:`python/ql/lib/semmle/python/frameworks` folder.
* More precise modeling of several container functions (such as :code:`sorted`, :code:`reversed`) and methods (such as :code:`set.add`, :code:`list.append`).
* Added modeling of taint flow through the template argument of :code:`flask.render_template_string` and :code:`flask.stream_template_string`.
* Deleted many deprecated predicates and classes with uppercase :code:`API`, :code:`HTTP`, :code:`XSS`, :code:`SQL`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated :code:`getName()` predicate from the :code:`Container` class, use :code:`getAbsolutePath()` instead.
* Deleted many deprecated module names that started with a lowercase letter, use the versions that start with an uppercase letter instead.
* Deleted many deprecated predicates in :code:`PointsTo.qll`.
* Deleted many deprecated files from the :code:`semmle.python.security` package.
* Deleted the deprecated :code:`BottleRoutePointToExtension` class from :code:`Extensions.qll`.
* Type tracking is now aware of flow summaries. This leads to a richer API graph, and may lead to more results in some queries.
Ruby
""""
* More kinds of rack applications are now recognized.
* Rack::Response instances are now recognized as potential responses from rack applications.
* HTTP redirect responses from Rack applications are now recognized as a potential sink for open redirect alerts.
* Additional sinks for :code:`rb/unsafe-deserialization` have been added. This includes various methods from the :code:`yaml` and :code:`plist` gems, which deserialize YAML and Property List data, respectively.
Swift
"""""
* Added a data flow model for :code:`swap(_:_:)`.
Deprecated APIs
~~~~~~~~~~~~~~~
Golang
""""""
* The :code:`LogInjection::Configuration` taint flow configuration class has been deprecated. Use the :code:`LogInjection::Flow` module instead.
Java
""""
* The :code:`ExecCallable` class in :code:`ExternalProcess.qll` has been deprecated.
Ruby
""""
* The :code:`Configuration` taint flow configuration class from :code:`codeql.ruby.security.InsecureDownloadQuery` has been deprecated. Use the :code:`Flow` module instead.
New Features
~~~~~~~~~~~~
C/C++
"""""
* The :code:`ProductFlow::StateConfigSig` signature now includes default predicates for :code:`isBarrier1`, :code:`isBarrier2`, :code:`isAdditionalFlowStep1`, and :code:`isAdditionalFlowStep1`. Hence, it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
Python
""""""
* It is now possible to specify flow summaries in the format "MyPkg;Member[list_map];Argument[1].ListElement;Argument[0].Parameter[0];value"
Swift
"""""
* Added new libraries :code:`Regex.qll` and :code:`RegexTreeView.qll` for reasoning about regular expressions in Swift code and places where they are evaluated.

215
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.1.rst Normal file
Просмотреть файл

@ -0,0 +1,215 @@
.. _codeql-cli-2.14.1:
==========================
CodeQL 2.14.1 (2023-07-27)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.14.1 runs a total of 392 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/uninitialized-local` query now excludes uninitialized uses that are explicitly cast to void and are expression statements. As a result, the query will report less false positives.
Java
""""
* The query "Unsafe resource fetching in Android WebView" (:code:`java/android/unsafe-android-webview-fetch`) now recognizes WebViews where :code:`setJavascriptEnabled`, :code:`setAllowFileAccess`, :code:`setAllowUniversalAccessFromFileURLs`, and/or :code:`setAllowFileAccessFromFileURLs` are set inside the function block of the Kotlin :code:`apply` function.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`fs/promises` package is now recognised as an alias for :code:`require('fs').promises`.
* The :code:`js/path-injection` query can now track taint through calls to :code:`path.join()` with a spread argument, such as :code:`path.join(baseDir, ...args)`.
Python
""""""
* Fixed modeling of :code:`aiohttp.ClientSession` so we properly handle :code:`async with` uses. This can impact results of server-side request forgery queries (:code:`py/full-ssrf`, :code:`py/partial-ssrf`).
Ruby
""""
* Improved resolution of calls performed on an object created with :code:`Proc.new`.
New Queries
~~~~~~~~~~~
Ruby
""""
* Added a new experimental query, :code:`rb/xpath-injection`, to detect cases where XPath statements are constructed from user input in an unsafe manner.
Swift
"""""
* Added new query "Regular expression injection" (:code:`swift/regex-injection`). The query finds places where user input is used to construct a regular expression without proper escaping.
* Added new query "Inefficient regular expression" (:code:`swift/redos`). This query finds regular expressions that require exponential time to match certain inputs and may make an application vulnerable to denial-of-service attacks.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ruby
""""
* The API graph library (:code:`codeql.ruby.ApiGraphs`) has been significantly improved, with better support for inheritance,
and data-flow nodes can now be converted to API nodes by calling :code:`.track()` or :code:`.backtrack()` on the node.
API graphs allow for efficient modelling of how a given value is used by the code base, or how values produced by the code base are consumed by a library. See the documentation for :code:`API::Node` for details and examples.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
* The :code:`IRGuards` library has improved handling of pointer addition and subtraction operations.
C#
""
* Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
Golang
""""""
* Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
* Parameter nodes now exist for unused parameters as well as used parameters.
* Add support for v4 of the `Go Micro framework <https://github.com/go-micro/go-micro>`__.
* Support for the `Bun framework <https://bun.uptrace.dev/>`__ has been added.
* Support for `gqlgen <https://github.com/99designs/gqlgen>`__ has been added.
* Support for the `go-pg framework <https://github.com/go-pg/pg>`__ has been improved.
Java
""""
* Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
* Added models for Apache Commons Lang3 :code:`ToStringBuilder.reflectionToString` method.
* Added support for the Kotlin method :code:`apply`.
* Added models for the following packages:
* java.io
* java.lang
* java.net
* java.nio.channels
* java.nio.file
* java.util.zip
* okhttp3
* org.gradle.api.file
* retrofit2
Python
""""""
* Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
* Add support for Models as Data for Reflected XSS query
* Parameters with a default value are now considered a :code:`DefinitionNode`. This improvement was motivated by allowing type-tracking and API graphs to follow flow from such a default value to a use by a captured variable.
Ruby
""""
* Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
* The :code:`'QUERY_STRING'` field of a Rack :code:`env` parameter is now recognized as a source of remote user input.
* Query parameters and cookies from :code:`Rack::Response` objects are recognized as potential sources of remote flow input.
* Calls to :code:`Rack::Utils.parse_query` now propagate taint.
Swift
"""""
* Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
* The regular expression library now understands mode flags specified by :code:`Regex` methods and the :code:`NSRegularExpression` initializer.
* The regular expression library now understands mode flags specified at the beginning of a regular expression (for example :code:`(?is)`).
* Added detail to the taint model for :code:`URL`.
* Added new heuristics to :code:`SensitiveExprs.qll`, enhancing detection from the library.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The library :code:`semmle.code.cpp.dataflow.DataFlow` has been deprecated. Please use :code:`semmle.code.cpp.dataflow.new.DataFlow` instead.
New Features
~~~~~~~~~~~~
C/C++
"""""
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
C#
""
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
Golang
""""""
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
Java
""""
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
* A :code:`Class.isFileClass()` predicate, to identify Kotlin file classes, has been added.
Python
""""""
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
Ruby
""""
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
Swift
"""""
* The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
Shared Libraries
----------------
Deprecated APIs
~~~~~~~~~~~~~~~
Utility Classes
"""""""""""""""
* The :code:`InlineExpectationsTest` class has been deprecated. Use :code:`TestSig` and :code:`MakeTest` instead.

159
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.2.rst Normal file
Просмотреть файл

@ -0,0 +1,159 @@
.. _codeql-cli-2.14.2:
==========================
CodeQL 2.14.2 (2023-08-11)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.14.2 runs a total of 393 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The functionality provided by the :code:`codeql execute query-server` subcommand has been removed. The subcommand now responds to all JSON RPC requests with an error response. Correspondingly, this release is no longer compatible with versions of the CodeQL extension for Visual Studio Code prior to 1.7.6.
This change also breaks third-party CodeQL IDE integrations that still rely on the :code:`codeql execute query-server` subcommand. Maintainers of such CodeQL IDE integrations should migrate to the :code:`codeql execute query-server2` subcommand at the earliest opportunity.
Bug Fixes
~~~~~~~~~
* Fixed bug that made the :code:`--warnings=hide` option do nothing in
:code:`codeql database analyze` and other commands that *evaluate* queries.
Improvements
~~~~~~~~~~~~
* Switched from prefix filtering of autocomplete suggestions in the language server to client-side filtering. This improves autocomplete suggestions in contexts with an autocompletion prefix.
* The CodeQL language server now checks query metadata for errors. This allows Visual Studio Code users to see errors in their query metadata without needing to compile the query.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The sanitizer in :code:`java/potentially-weak-cryptographic-algorithm` has been improved, so the query may yield additional results.
New Queries
~~~~~~~~~~~
Ruby
""""
* Added a new experimental query, :code:`rb/ldap-injection`, to detect cases where user input is incorporated into LDAP queries without proper validation or sanitization, potentially leading to LDAP injection vulnerabilities.
Swift
"""""
* Added new query "Command injection" (:code:`swift/command-line-injection`). The query finds places where user input is used to execute system commands without proper escaping.
* Added new query "Bad HTML filtering regexp" (:code:`swift/bad-tag-filter`). This query finds regular expressions that match HTML tags in a way that is not robust and can easily lead to security issues.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`shouldPrintFunction` predicate from :code:`PrintAstConfiguration` has been replaced by :code:`shouldPrintDeclaration`. Users should now override :code:`shouldPrintDeclaration` if they want to limit the declarations that should be printed.
* The :code:`shouldPrintFunction` predicate from :code:`PrintIRConfiguration` has been replaced by :code:`shouldPrintDeclaration`. Users should now override :code:`shouldPrintDeclaration` if they want to limit the declarations that should be printed.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`PrintAST` library now also prints global and namespace variables and their initializers.
Swift
"""""
* Added :code:`DataFlow::ArrayContent`, which will provide more accurate flow through arrays.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.
Golang
""""""
* Logrus' :code:`WithContext` methods are no longer treated as if they output the values stored in that context to a log message.
Java
""""
* Fixed a typo in the :code:`StdlibRandomSource` class in :code:`RandomDataSource.qll`, which caused the class to improperly model calls to the :code:`nextBytes` method. Queries relying on :code:`StdlibRandomSource` may see an increase in results.
* Improved the precision of virtual dispatch of :code:`java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of :code:`InputStream` if there is a high-confidence alternative (like a models-as-data summary).
* Added more dataflow steps for :code:`java.io.InputStream`\ s that wrap other :code:`java.io.InputStream`\ s.
* Added models for the Struts 2 framework.
* Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.
JavaScript/TypeScript
"""""""""""""""""""""
* Added :code:`log-injection` as a customizable sink kind for log injection.
Swift
"""""
* Flow through forced optional unwrapping (:code:`!`) is modelled more accurately.
* Added flow models for :code:`Sequence.withContiguousStorageIfAvailable`.
* Added taint flow for :code:`NSUserActivity.referrerURL`.
New Features
~~~~~~~~~~~~
Java
""""
* A :code:`Diagnostic.getCompilationInfo()` predicate has been added.
Shared Libraries
----------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Control Flow Analysis
"""""""""""""""""""""
* Initial release. Adds a shared library for control flow analyses.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* Initial release. Moves the shared inter-procedural data-flow library into its own qlpack.
New Features
~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* The :code:`StateConfigSig` signature now supports a unary :code:`isSink` predicate that does not specify the :code:`FlowState` for which the given node is a sink. Instead, any :code:`FlowState` is considered a valid :code:`FlowState` for such a sink.

114
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.3.rst Normal file
Просмотреть файл

@ -0,0 +1,114 @@
.. _codeql-cli-2.14.3:
==========================
CodeQL 2.14.3 (2023-08-25)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The :code:`<run>.tool.extensions` property in the SARIF generated by :code:`codeql database analyze` now contains the following packs:
* The containing query pack for each query that was evaluated.
* Each model pack that was specified via the :code:`--model-packs` option, regardless of whether that model pack affected any of the evaluated queries.
Library packs are no longer included in the list.
Previously, this property contained every query and library pack that was available on the search path, regardless of whether that pack was used during the evaluation.
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.8.
* When :code:`codeql test` generates :code:`.actual` files, they will in some cases list the query predicates in a different order than past versions.
There is no need to update :code:`.expected` files, as :code:`codeql test` sorts their results accordingly before diffing.
However, when there are genuine changes in expected results, the generated :code:`.actual` file can show additional changes against the
:code:`.expected` due to the reordering.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Python
""""""
* Fixed the computation of locations for imports with aliases in jump-to-definition.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
Swift
"""""
* Added :code:`DataFlow::CollectionContent`, which will enable more accurate flow through collections.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The query library for :code:`cs/hardcoded-credentials` now excludes benign properties such as :code:`UserNameClaimType` and :code:`AllowedUserNameCharacters` from :code:`Microsoft.AspNetCore.Identity` options classes.
Java
""""
* Modified the :code:`getSecureAlgorithmName` predicate in :code:`Encryption.qll` to also include :code:`SHA-256` and :code:`SHA-512`. Previously only the versions of the names without dashes were considered secure.
* Add support for :code:`WithElement` and :code:`WithoutElement` for MaD access paths.
Python
""""""
* Support analyzing packages (folders with python code) that do not have :code:`__init__.py` files, although this is technically required, we see real world projects that don't have this.
* Added modeling of AWS Lambda handlers that can be identified with :code:`AWS::Serverless::Function` in YAML files, where the event parameter is modeled as a remote-flow-source.
* Improvements of the :code:`aiohttp` models including remote-flow-sources from type annotations, new path manipulation, and SSRF sinks.
Ruby
""""
* Flow between positional arguments and splat parameters (:code:`*args`) is now tracked more precisely.
* Flow between splat arguments (:code:`*args`) and positional parameters is now tracked more precisely.
Swift
"""""
* Added local flow sources for :code:`UITextInput` and related classes.
* Flow through forced optional unwrapping (:code:`!`) on the left side of assignment now works in most cases.
* :code:`Type.getName` now gets the name of the type alone without any enclosing types. Use :code:`Type.getFullName` for the old behaviour.
Shared Libraries
----------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* Initial release. Adds a library to implement flow through captured variables that properly adheres to inter-procedural control flow.
New Features
~~~~~~~~~~~~
YAML Data Analysis
""""""""""""""""""
* Added library for serverless functions. Currently used by JavaScript and Python.

197
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.4.rst Normal file
Просмотреть файл

@ -0,0 +1,197 @@
.. _codeql-cli-2.14.4:
==========================
CodeQL 2.14.4 (2023-09-12)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.14.4 runs a total of 394 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 129 queries (covering 35 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The CodeQL CLI no longer supports the :code:`SEMMLE_JAVA_ARGS` environment variable.
All previous versions of the CodeQL CLI perform command substitution on the
:code:`SEMMLE_JAVA_ARGS` value (for example, replacing :code:`'$(echo foo)'` with :code:`'foo'`)
when starting a new Java virtual machine, which, depending on the execution environment, may have security implications. Users are advised to check their environments for possible :code:`SEMMLE_JAVA_ARGS` misuse.
Bug Fixes
~~~~~~~~~
* :code:`codeql database init` (and :code:`github/codeql-action/init@v2` on GitHub Actions)
should no longer hang or crash for traced languages on 64-bit Windows machines when certain antivirus software is installed.
* During :code:`codeql pack create` and :code:`codeql pack publish`, a source version of a pack coming from :code:`--additional-packs` can explicitly be used to override a requested pack version even if this source version is incompatible with the requested version in the pack file. Previously, this would fail with a confusing error message.
* Fixed a bug where :code:`codeql database interpret-results` hangs when a path query produces a result that has no paths from source to sink.
New Features
~~~~~~~~~~~~
* The Java extractor now supports files that use Lombok.
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.8.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed an extractor crash that would occur in rare cases when a TypeScript file contains a self-referential namespace alias.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Comparison where assignment was intended" query (:code:`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
* Some queries that had repeated results corresponding to different levels of indirection for :code:`argv` now only have a single result.
* The :code:`cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
Java
""""
* The queries "Resolving XML external entity in user-controlled data" (:code:`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (:code:`java/xxe-local`) now recognize sinks in the MDHT library.
JavaScript/TypeScript
"""""""""""""""""""""
* Files larger than 10 MB are no longer be extracted or analyzed.
* Imports can now be resolved in more cases, where a non-constant string expression is passed to a :code:`require()` call.
Python
""""""
* Improved *Reflected server-side cross-site scripting* (:code:`py/reflective-xss`) query to not alert on data passed to :code:`flask.jsonify`. Since these HTTP responses are returned with mime-type :code:`application/json`, they do not pose a security risk for XSS.
* Updated path explanations for :code:`@kind path-problem` queries to always include left hand side of assignments, making paths easier to understand.
New Queries
~~~~~~~~~~~
C/C++
"""""
* Added a new query, :code:`cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
Java
""""
* Added the :code:`java/trust-boundary-violation` query to detect trust boundary violations between HTTP requests and the HTTP session. Also added the :code:`trust-boundary-violation` sink kind for sinks which may cross a trust boundary, such as calls to the :code:`HttpSession#setAttribute` method.
Ruby
""""
* Added a new experimental query, :code:`rb/improper-ldap-auth`, to detect cases where user input is used during LDAP authentication without proper validation or sanitization, potentially leading to authentication bypass.
Swift
"""""
* Added new query "Incomplete regular expression for hostnames" (:code:`swift/incomplete-hostname-regexp`). This query finds regular expressions matching a URL or hostname that may match more hostnames than expected.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 5.2.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* :code:`delete` and :code:`delete[]` are now modeled as calls to the relevant :code:`operator delete` in the IR. In the case of a dynamic delete call a new instruction :code:`VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
* Only the 2 level indirection of :code:`argv` (corresponding to :code:`**argv`) is consided for :code:`FlowSource`.
C#
""
* The :code:`--nostdlib` extractor option for the standalone extractor has been removed.
Golang
""""""
* Added `http.Error <https://pkg.go.dev/net/http#Error>`__ to XSS sanitzers.
Java
""""
* Fixed the MaD signature specifications to use proper nested type names.
* Added new sanitizer to Java command injection model
* Added more dataflow models for JAX-RS.
* The predicate :code:`JaxWsEndpoint::getARemoteMethod` no longer requires the result to be annotated with :code:`@WebMethod`. Instead, the requirements listed in the JAX-RPC Specification 1.1 for required parameter and return types are used. Applications using JAX-RS may see an increase in results.
Python
""""""
* Regular expressions containing multiple parse mode flags are now interpretted correctly. For example :code:`"(?is)abc.*"` with both the :code:`i` and :code:`s` flags.
* Added :code:`shlex.quote` as a sanitizer for the :code:`py/shell-command-constructed-from-input` query.
Swift
"""""
* Flow through optional chaining and forced unwrapping in keypaths is now supported by the data flow library.
* Added flow models of collection :code:`.withContiguous[Mutable]StorageIfAvailable`, :code:`.withUnsafe[Mutable]BufferPointer` and :code:`.withUnsafe[Mutable]Bytes` methods.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* :code:`getAllocatorCall` on :code:`DeleteExpr` and :code:`DeleteArrayExpr` has been deprecated. :code:`getDeallocatorCall` should be used instead.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added :code:`DeleteOrDeleteArrayExpr` as a super type of :code:`DeleteExpr` and :code:`DeleteArrayExpr`
Java
""""
* Kotlin versions up to 1.9.10 are now supported.
Shared Libraries
----------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* The shared taint-tracking library is now part of the dataflow qlpack.
New Features
~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* The various inline flow test libraries have been consolidated as a shared library part in the dataflow qlpack.

20
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.5.rst Normal file
Просмотреть файл

@ -0,0 +1,20 @@
.. _codeql-cli-2.14.5:
==========================
CodeQL 2.14.5 (2023-09-14)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a JavaScript extractor crash that was introduced in 2.14.4.

31
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.6.rst Normal file
Просмотреть файл

@ -0,0 +1,31 @@
.. _codeql-cli-2.14.6:
==========================
CodeQL 2.14.6 (2023-09-26)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* The tracking of RAM usage has been improved. This fixes some cases where CodeQL uses more RAM than requested.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed an extractor crash that could occur in projects containing TypeScript files larger than 10 MB.

224
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.0.rst Normal file
Просмотреть файл

@ -0,0 +1,224 @@
.. _codeql-cli-2.15.0:
==========================
CodeQL 2.15.0 (2023-10-11)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.15.0 runs a total of 397 security queries when configured with the Default suite (covering 157 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed an issue with analyzing Python projects using Python 3.12.
Deprecations
~~~~~~~~~~~~
* :code:`pragma[assume_small_delta]` is now deprecated. The pragma has no effect and should be removed.
* Missing override annotations on class fields now raise errors rather than warnings. This is to avoid confusion with the shadowing behavior in the presence of final fields.
* The CodeQL CLI no longer supports ML-powered alerts. For more information,
including details of our work in the AI-powered security technology space,
see
"\ `CodeQL code scanning deprecates ML-powered alerts <https://github.blog/changelog/2023-09-29-codeql-code-scanning-deprecates-ml-powered-alerts/>`__."
New Features
~~~~~~~~~~~~
* The output of :code:`codeql version --format json` now includes a :code:`features` property. Each key in the map identifies a feature of the CodeQL CLI. The value for a key is always :code:`true`. Going forward, whenever a significant new feature is added to the CodeQL CLI, a corresponding entry will be added to the
:code:`features` map. This is intended to make it easier for tools that invoke the CodeQL CLI to know if the particular version of the CLI they are invoking supports a given feature, without having to know exactly what CLI version introduced that feature.
Improvements
~~~~~~~~~~~~
* You can now specify the CodeQL languages C/C++, Java/Kotlin, and JavaScript/TypeScript using :code:`--language c-cpp`, :code:`--language java-kotlin`, and
:code:`--language javascript-typescript` respectively. These new CodeQL language names convey more clearly what languages each CodeQL language will analyze.
You can also reference these CodeQL languages via their secondary language names (C/C++ via :code:`--language c` or :code:`--language cpp`, Java/Kotlin via
:code:`--language java` or :code:`--language kotlin`, and JavaScript/TypeScript via
:code:`--language javascript` or :code:`--language typescript`), however we recommend you refer to them via the new primary CodeQL language names for improved clarity.
* CodeQL now respects custom home directories set by the :code:`$HOME` environment variable on MacOS and Linux and :code:`%USERPROFILE%` on Windows. When set, CodeQL will use the variable's value to change the default location of downloaded packages and the global compilation cache.
* This release improves the quality of
\ `file coverage information <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#using-the-tool-status-page>`__ for repositories that vendor their dependencies. This is currently supported for Go and JavaScript projects.
QL Language
~~~~~~~~~~~
* The QL language now has two new methods :code:`codePointAt` and :code:`codePointCount` on the :code:`string` type. The methods both return integers and act the same as the similarly named Java methods on strings. For example, :code:`"abc".codePointAt(2)` is :code:`99` and :code:`("a" + 128512.toUnicode() + "c").codePointAt(1)` is a :code:`128512`.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The queries :code:`cpp/double-free` and :code:`cpp/use-after-free` find fewer false positives in cases where a non-returning function is called.
* The number of duplicated dataflow paths reported by queries has been significantly reduced.
Python
""""""
* Improved *URL redirection from remote source* (:code:`py/url-redirection`) query to not alert when URL has been checked with :code:`django.utils.http. url_has_allowed_host_and_scheme`.
* Extended the :code:`py/command-line-injection` query with sinks from Python's :code:`asyncio` module.
Ruby
""""
* Built-in Ruby queries now use the new DataFlow API.
Swift
"""""
* Adder barriers for numeric type values to the injection-like queries, to reduce false positive results where the user input that can be injected is constrainted to a numerical value. The queries updated by this change are: "Predicate built from user-controlled sources" (:code:`swift/predicate-injection`), "Database query built from user-controlled sources" (:code:`swift/sql-injection`), "Uncontrolled format string" (:code:`swift/uncontrolled-format-string`), "JavaScript Injection" (:code:`swift/unsafe-js-eval`) and "Regular expression injection" (:code:`swift/regex-injection`).
* Added additional taint steps to the :code:`swift/cleartext-transmission`, :code:`swift/cleartext-logging` and :code:`swift/cleartext-storage-preferences` queries to identify data within sensitive containers. This is similar to an existing additional taint step in the :code:`swift/cleartext-storage-database` query.
* Added new logging sinks to the :code:`swift/cleartext-logging` query.
* Added sqlite3 and SQLite.swift path injection sinks for the :code:`swift/path-injection` query.
New Queries
~~~~~~~~~~~
C#
""
* Added a new query, :code:`cs/web/insecure-direct-object-reference`, to find instances of missing authorization checks for resources selected by an ID parameter.
Python
""""""
* The query :code:`py/nosql-injection` for finding NoSQL injection vulnerabilities is now available in the default security suite.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/double-free` query has been further improved to reduce false positives and its precision has been increased from :code:`medium` to :code:`high`.
* The :code:`cpp/use-after-free` query has been further improved to reduce false positives and its precision has been increased from :code:`medium` to :code:`high`.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Java
""""
* The regular expressions library no longer incorrectly matches mode flag characters against the input.
Python
""""""
* Subterms of regular expressions encoded as single-line string literals now have better source-location information.
Swift
"""""
* The regular expressions library no longer incorrectly matches mode flag characters against the input.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ruby
""""
* Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
Swift
"""""
* The predicates :code:`getABaseType`, :code:`getABaseTypeDecl`, :code:`getADerivedType` and :code:`getADerivedTypeDecl` on :code:`Type` and :code:`TypeDecl` now behave more usefully and consistently. They now explore through type aliases used in base class declarations, and include protocols added in extensions.To examine base class declarations at a low level without these enhancements, use :code:`TypeDecl.getInheritedType`.
* Modelled varargs function in :code:`NSString` more accurately.
* Modelled :code:`CustomStringConvertible.description` and :code:`CustomDebugStringConvertible.debugDescription`, replacing ad-hoc models of these properties on derived classes.
* The regular expressions library now accepts a wider range of mode flags in a regular expression mode flag group (such as :code:`(?u)`). The :code:`(?w`) flag has been renamed from "UNICODE" to "UNICODEBOUNDARY", and the :code:`(?u)` flag is called "UNICODE" in the libraries.
* Renamed :code:`TypeDecl.getBaseType/1` to :code:`getInheritedType`.
* Flow through writes via keypaths is now supported by the data flow library.
* Added flow through variadic arguments, and the :code:`getVaList` function.
* Added flow steps through :code:`Dictionary` keys and values.
* Added taint models for :code:`Numeric` conversions.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Functions that do not return due to calling functions that don't return (e.g. :code:`exit`) are now detected as non-returning in the IR and dataflow.
* Treat functions that reach the end of the function as returning in the IR.
They used to be treated as unreachable but it is allowed in C.
* The :code:`DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at :code:`1` instead of :code:`2`. Queries that depend on the single-parameter version of :code:`DataFlow::asDefiningArgument` should have their arguments updated accordingly.
Golang
""""""
* Added Numeric and Boolean types to SQL injection sanitzers.
Java
""""
* Fixed a control-flow bug where case rule statements would incorrectly include a fall-through edge.
* Added support for default cases as proper guards in switch expressions to match switch statements.
* Improved the class :code:`ArithExpr` of the :code:`Overflow.qll` module to also include compound operators. Because of this, new alerts may be raised in queries related to overflows/underflows.
* Added new dataflow models for the Apache CXF framework.
* Regular expressions containing multiple parse mode flags are now interpretted correctly. For example :code:`"(?is)abc.*"` with both the :code:`i` and :code:`s` flags.
Python
""""""
* Django Rest Framework better handles custom :code:`ModelViewSet` classes functions
* Regular expression fragments residing inside implicitly concatenated strings now have better location information.
Deprecated APIs
~~~~~~~~~~~~~~~
Swift
"""""
* The :code:`ArrayContent` type in the data flow library has been deprecated and made an alias for the :code:`CollectionContent` type, to better reflect the hierarchy of the Swift standard library. Uses of :code:`ArrayElement` in model files will be interpreted as referring to :code:`CollectionContent`.
New Features
~~~~~~~~~~~~
Java
""""
* Kotlin versions up to 1.9.20 are now supported.
Shared Libraries
----------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* Added support for type-based call edge pruning. This removes data flow call edges that are incompatible with the set of flow paths that reach it based on type information. This improves dispatch precision for constructs like lambdas, :code:`Object.toString()` calls, and the visitor pattern. For now this is only enabled for Java and C#.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* The :code:`isBarrierIn` and :code:`isBarrierOut` predicates in :code:`DataFlow::StateConfigSig` now have overloaded variants that block a specific :code:`FlowState`.

215
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.1.rst Normal file
Просмотреть файл

@ -0,0 +1,215 @@
.. _codeql-cli-2.15.1:
==========================
CodeQL 2.15.1 (2023-10-19)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.15.1 runs a total of 398 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The query server's :code:`evaluation/trimCache` command was previously equivalent to the :code:`codeql database cleanup --mode=gentle` CLI command, but is now equivalent to using :code:`--mode=normal`. The new meaning of the command is to clear the entire evaluation cache of a database except for predicates annotated with the :code:`cached` keyword.
Bug Fixes
~~~~~~~~~
* Fixed a bug where the :code:`$CODEQL_JAVA_HOME` environment variable was erroneously ignored for certain subsidiary Java processes started by
:code:`codeql`.
* Fixed a bug in the CodeQL build tracer on Apple Silicon machines that prevented database creation if System Integrity Protection was disabled.
Deprecations
~~~~~~~~~~~~
* The accepted values of the :code:`--mode` option for :code:`codeql database cleanup` have been renamed to bring them in line with what they are called in the VSCode extension and the query server:
* :code:`--mode=brutal` is now :code:`--mode=clear`.
* :code:`--mode=normal` is now :code:`--mode=trim`.
* :code:`--mode=light` is now :code:`--mode=fit`.
* The old names are deprecated, but will be accepted for backwards-compatibility reasons until further notice.
Improvements
~~~~~~~~~~~~
* The list of failed tests at the end of a :code:`codeql test run` is now sorted lexicographically.
* The syntax of DIL now more closely resembles the QL source code that it is compiled from. In particular, conjunctions and disjunctions now use the familiar :code:`and` and :code:`or` keywords, and clauses are enclosed in curly braces.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The :code:`cs/web/insecure-direct-object-reference` and :code:`cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
Golang
""""""
* The query "Incorrect conversion between integer types" (:code:`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like :code:`uint32`) and converting it to the signed integer type of the same size (like :code:`int32`), which may lead to more results. It also treats :code:`int` and :code:`uint` more carefully, which may lead to more results or fewer incorrect results.
Java
""""
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
JavaScript/TypeScript
"""""""""""""""""""""
* Added the :code:`AmdModuleDefinition::Range` class, making it possible to define custom aliases for the AMD :code:`define` function.
Swift
"""""
* Added more new logging sinks to the :code:`swift/cleartext-logging` query.
* Added sinks for the GRDB database library to the :code:`swift/hardcoded-key` query.
* Added sqlite3 and SQLite.swift sinks and flow summaries for the :code:`swift/hardcoded-key` query.
* Added sqlite3 and SQLite.swift sinks and flow summaries for the :code:`swift/cleartext-storage-database` query.
New Queries
~~~~~~~~~~~
C/C++
"""""
* The query :code:`cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
Ruby
""""
* Added a new experimental query, :code:`rb/jwt-empty-secret-or-algorithm`, to detect when application uses an empty secret or weak algorithm.
* Added a new experimental query, :code:`rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Deleted the deprecated :code:`AnalysedString` class, use the new name :code:`AnalyzedString`.
* Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
C#
""
* Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
Golang
""""""
* Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
* Support has been added for file system access sinks in the following libraries: \ `net/http <https://pkg.go.dev/net/http>`__, `Afero <https://github.com/spf13/afero>`__, `beego <https://pkg.go.dev/github.com/astaxie/beego>`__, `Echo <https://pkg.go.dev/github.com/labstack/echo>`__, `Fiber <https://github.com/kataras/iris>`__, `Gin <https://pkg.go.dev/github.com/gin-gonic/gin>`__, `Iris <https://github.com/kataras/iris>`__.
* Added :code:`GoKit.qll` to :code:`go.qll` enabling the GoKit framework by default
Java
""""
* The :code:`isBarrier`, :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the :code:`ArithmeticTaintedLocalQuery`, :code:`ExternallyControlledFormatStringLocalQuery`, :code:`ImproperValidationOfArrayIndexQuery`, :code:`NumericCastTaintedQuery`, :code:`ResponseSplittingLocalQuery`, :code:`SqlTaintedLocalQuery`, and :code:`XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
* Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
* Deleted the deprecated :code:`getAValue` predicate from the :code:`Annotation` class.
* Deleted the deprecated alias :code:`FloatingPointLiteral`, use :code:`FloatLiteral` instead.
* Deleted the deprecated :code:`getASuppressedWarningLiteral` predicate from the :code:`SuppressWarningsAnnotation` class.
* Deleted the deprecated :code:`getATargetExpression` predicate form the :code:`TargetAnnotation` class.
* Deleted the deprecated :code:`getRetentionPolicyExpression` predicate from the :code:`RetentionAnnotation` class.
* Deleted the deprecated :code:`conditionCheck` predicate from :code:`Preconditions.qll`.
* Deleted the deprecated :code:`semmle.code.java.security.performance` folder, use :code:`semmle.code.java.security.regexp` instead.
* Deleted the deprecated :code:`ExternalAPI` class from :code:`ExternalApi.qll`, use :code:`ExternalApi` instead.
* Modified the :code:`EnvInput` class in :code:`semmle.code.java.dataflow.FlowSources` to include :code:`environment` and :code:`file` source nodes.
There are no changes to results unless you add source models using the :code:`environment` or :code:`file` source kinds.
* Added :code:`environment` source models for the following methods:
* :code:`java.lang.System#getenv`
* :code:`java.lang.System#getProperties`
* :code:`java.lang.System#getProperty`
* :code:`java.util.Properties#get`
* :code:`java.util.Properties#getProperty`
* Added :code:`file` source models for the following methods:
* the :code:`java.io.FileInputStream` constructor
* :code:`hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
* :code:`hudson.FilePath#openInputStream`
* :code:`hudson.FilePath#read`
* :code:`hudson.FilePath#readFromOffset`
* :code:`hudson.FilePath#readToString`
* Modified the :code:`DatabaseInput` class in :code:`semmle.code.java.dataflow.FlowSources` to include :code:`database` source nodes.
There are no changes to results unless you add source models using the :code:`database` source kind.
* Added :code:`database` source models for the following method:
* :code:`java.sql.ResultSet#getString`
JavaScript/TypeScript
"""""""""""""""""""""
* The contents of :code:`.jsp` files are now extracted, and any :code:`<script>` tags inside these files will be parsed as JavaScript.
* \ `Import attributes <https://github.com/tc39/proposal-import-attributes>`__ are now supported in JavaScript code.
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
The QL library includes new predicates named :code:`getImportAttributes()` that should be used in favor of the now deprecated :code:`getImportAssertion()`\ ;
in addition, the :code:`getImportAttributes()` method of the :code:`DynamicImportExpr` has been renamed to :code:`getImportOptions()`.
* Deleted the deprecated :code:`getAnImmediateUse`, :code:`getAUse`, :code:`getARhs`, and :code:`getAValueReachingRhs` predicates from the :code:`API::Node` class.
* Deleted the deprecated :code:`mayReferToParameter` predicate from :code:`DataFlow::Node`.
* Deleted the deprecated :code:`getStaticMethod` and :code:`getAStaticMethod` predicates from :code:`DataFlow::ClassNode`.
* Deleted the deprecated :code:`isLibaryFile` predicate from :code:`ClassifyFiles.qll`, use :code:`isLibraryFile` instead.
* Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
* Deleted the deprecated :code:`semmle.javascript.security.performance` folder, use :code:`semmle.javascript.security.regexp` instead.
* Tagged template literals have been added to :code:`DataFlow::CallNode`. This allows the analysis to find flow into functions called with a tagged template literal,
and the arguments to a tagged template literal are part of the API-graph in :code:`ApiGraphs.qll`.
Python
""""""
* Added better support for API graphs when encountering :code:`from ... import *`. For example in the code :code:`from foo import *; Bar()`, we will now find a result for :code:`API::moduleImport("foo").getMember("Bar").getACall()`
* Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
* Deleted the deprecated :code:`getAUse`, :code:`getAnImmediateUse`, :code:`getARhs`, and :code:`getAValueReachingRhs` predicates from the :code:`API::Node` class.
* Deleted the deprecated :code:`fullyQualifiedToAPIGraphPath` class from :code:`SubclassFinder.qll`, use :code:`fullyQualifiedToApiGraphPath` instead.
* Deleted the deprecated :code:`Paths.qll` file.
* Deleted the deprecated :code:`semmle.python.security.performance` folder, use :code:`semmle.python.security.regexp` instead.
* Deleted the deprecated :code:`semmle.python.security.strings` and :code:`semmle.python.web` folders.
* Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the *Deserializing untrusted input* query (:code:`py/unsafe-deserialization`). Added support for :code:`pandas.read_pickle`, :code:`numpy.load` and :code:`joblib.load`.
Ruby
""""
* Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
* Deleted the deprecated :code:`isWeak` predicate from the :code:`CryptographicOperation` class.
* Deleted the deprecated :code:`getStringOrSymbol` and :code:`isStringOrSymbol` predicates from the :code:`ConstantValue` class.
* Deleted the deprecated :code:`getAPI` from the :code:`IOOrFileMethodCall` class.
* Deleted the deprecated :code:`codeql.ruby.security.performance` folder, use :code:`codeql.ruby.security.regexp` instead.
* GraphQL enums are no longer considered remote flow sources.
Swift
"""""
* Improved taint models for :code:`Numeric` types and :code:`RangeReplaceableCollection`\ s.
* The nil-coalescing operator :code:`??` is now supported by the CFG construction and dataflow libraries.
* The data flow library now supports flow to the loop variable of for-in loops.
* The methods :code:`getIteratorVar` and :code:`getNextCall` have been added to the :code:`ForEachStmt` class.
New Features
~~~~~~~~~~~~
Java
""""
* Added predicate :code:`MemberRefExpr::getReceiverExpr`\

167
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.2.rst Normal file
Просмотреть файл

@ -0,0 +1,167 @@
.. _codeql-cli-2.15.2:
==========================
CodeQL 2.15.2 (2023-11-13)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.15.2 runs a total of 399 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* C++ extraction has been updated to output more accurate C++ value categories.
This may cause unexpected alerts on databases extracted with an up-to-date CodeQL when the queries are part of a query pack that was compiled with an earlier CodeQL.
To resolve this, please recompile the query pack with the latest CodeQL.
Bug Fixes
~~~~~~~~~
* Fixed a bug where :code:`codeql github upload-results` would report a 403 error when attempting to upload to a GitHub Enterprise Server instance.
* Fixed a bug in Python extraction where UTF-8 characters would cause logging to fail on systems with non-UTF-8 default system encoding (for example, Windows systems).
* The :code:`resolve qlpacks --kind extension` command no longer resolves extensions packs from the search path. This matches the behavior of
:code:`resolve extensions-by-pack` and will ensure that extensions which are resolved by :code:`resolve qlpacks --kind extension` can also be resolved by
:code:`resolve extensions-by-pack`.
New Features
~~~~~~~~~~~~
* :code:`codeql database analyze` and :code:`codeql database interpret-results` can now output human-readable analysis summaries in a new format. This format provides file coverage information and improves the way that diagnostic messages are displayed. The new format also includes a link to the tool status page when the :code:`GITHUB_SERVER_URL` and :code:`GITHUB_REPOSITORY` environment variables are set. Note that that page only exists on GitHub.com, or in GitHub Enterprise Server version 3.9.0 or later. To enable this new format, pass the :code:`--analysis-summary-v2` flag.
* CodeQL now supports distinguishing file coverage information between related languages C and C++, Java and Kotlin,
and JavaScript and TypeScript. By default, file coverage information for each of these pairs of languages is grouped together. To enable specific file coverage information for these languages, pass the
:code:`--sublanguage-file-coverage` flag when initializing the database (with :code:`codeql database create` or :code:`codeql database init`) and when analyzing the database (with :code:`codeql database analyze` or :code:`codeql database interpret-results`). If you are uploading results to a GitHub instance, this flag requires GitHub.com or GitHub Enterprise Server version 3.12 or later.
* All CLI commands now support :code:`--common-caches`, which controls the location of the cached data that is persisted between several runs of the CLI, such as downloaded QL packs and compiled query plans.
Improvements
~~~~~~~~~~~~
* Model packs that are used in an analysis will now be included in an output SARIF results file. All model packs now include the :code:`isCodeQLModelPack: true` property in their tool component property bag.
* The default formatting of DIL now more closely resembles equivalent QL code.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* The query :code:`go/incorrect-integer-conversion` now correctly recognizes more guards of the form :code:`if val <= x` to protect a conversion :code:`uintX(val)`.
Java
""""
* java/summary/lines-of-code now gives the total number of lines of Java and Kotlin code, and is the only query tagged :code:`lines-of-code`. java/summary/lines-of-code-java and java/summary/lines-of-code-kotlin give the per-language counts.
* The query :code:`java/spring-disabled-csrf-protection` has been improved to detect more ways of disabling CSRF in Spring.
JavaScript/TypeScript
"""""""""""""""""""""
* Added modeling for importing :code:`express-rate-limit` using a named import.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Golang
""""""
* Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing :code:`Callable`. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results.
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`Container` and :code:`Folder` classes now derive from :code:`ElementBase` instead of :code:`Locatable`, and no longer expose the :code:`getLocation` predicate. Use :code:`getURL` instead.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* More field accesses are identified as :code:`ImplicitThisFieldAccess`.
* Added support for new floating-point types in C23 and C++23.
Golang
""""""
* Added `Request.Cookie <https://pkg.go.dev/net/http#Request.Cookie>`__ to reflected XSS sanitizers.
Java
""""
* Java classes :code:`MethodAccess`, :code:`LValue` and :code:`RValue` were renamed to :code:`MethodCall`, :code:`VarWrite` and :code:`VarRead` respectively, along with related predicates and class names. The old names remain usable for the time being but are deprecated and should be replaced.
* New class :code:`NewClassExpr` was added to represent specifically an explicit :code:`new ClassName(...)` invocation, in contrast to :code:`ClassInstanceExpr` which also includes expressions that implicitly instantiate classes, such as defining a lambda or taking a method reference.
* Added up to date models related to Spring Framework 6's :code:`org.springframework.http.ResponseEntity`.
* Added models for the following packages:
* com.alibaba.fastjson2
* javax.management
* org.apache.http.client.utils
Python
""""""
* Added support for functions decorated with :code:`contextlib.contextmanager`.
* Namespace packages in the form of regular packages with missing :code:`__init__.py`\ -files are now allowed. This enables the analysis to resolve modules and functions inside such packages.
Swift
"""""
* Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
* Added children of :code:`UnspecifiedElement`, which will be present only in certain downgraded databases.
* Collection content is now automatically read at taint flow sinks. This removes the need to define an :code:`allowImplicitRead` predicate on data flow configurations where the sink might be an array, set or similar type with tainted contents. Where that step had not been defined, taint may find additional results now.
* Added taint models for :code:`StringProtocol.appendingFormat` and :code:`String.decodeCString`.
* Added taint flow models for members of :code:`Substring`.
* Added taint flow models for :code:`RawRepresentable`.
* The contents of autoclosure function parameters are now included in the control flow graph and data flow libraries.
* Added models of :code:`StringProtocol` and :code:`NSString` methods that evaluate regular expressions.
* Flow through 'open existential expressions', implicit expressions created by the compiler when a method is called on a protocol. This may apply, for example, when the method is a modelled taint source.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added a new class :code:`AdditionalCallTarget` for specifying additional call targets.
Shared Libraries
----------------
Bug Fixes
~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* The API for debugging flow using partial flow has changed slightly. Instead of using :code:`module Partial = FlowExploration<limit/0>` and choosing between :code:`Partial::partialFlow` and :code:`Partial::partialFlowRev`, you now choose between :code:`module Partial = FlowExplorationFwd<limit/0>` and :code:`module Partial = FlowExplorationRev<limit/0>`, and then always use :code:`Partial::partialFlow`.
New Features
~~~~~~~~~~~~
Utility Classes
"""""""""""""""
* Added :code:`FilePath` API for normalizing filepaths.

199
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.3.rst Normal file
Просмотреть файл

@ -0,0 +1,199 @@
.. _codeql-cli-2.15.3:
==========================
CodeQL 2.15.3 (2023-11-22)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.15.3 runs a total of 401 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed an internal error in the compiler when arguments to the :code:`codePointCount` string primitive were not bound.
* Fixed a bug where :code:`codeql database finalize` would fail if a database under construction was moved between machines between
:code:`codeql database init` and :code:`codeql database finalize`. This should now work, as long as both commands are run by the same *release* of the CodeQL CLI and the extractors used are the ones bundled with the CLI.
* Fixed a bug where :code:`codeql database run-queries` would fail in some circumstances when the database path included an :code:`@`.
New Features
~~~~~~~~~~~~
* A new compilation flag (:code:`--fail-on-ambiguous-relation-name`) has been added to specify that compilation should fail if the compiler generates an ambiguous relation name.
* The new (advanced) command-line option :code:`--[no-]linkage-aware-import` disables the linkage-awareness phase of :code:`codeql dataset import`, as a quick fix (at the expense of database completeness) for C++ projects where this part of database creation consumes too much memory. This option is available in the commands :code:`database create`,
:code:`database finalize`, :code:`database import`, :code:`dataset import`, :code:`test extract`, and
:code:`test run`.
* The CodeQL language server now provides basic support for Rename, and you can now use the Rename Symbol functionality in Visual Studio Code for CodeQL. The current Rename support is less a refactoring tool and more a labor-saving device. You may have to perform some manual edits after using Rename, but it should still be faster and less work than renaming a symbol manually.
* :code:`codeql database analyze` now defaults to include markdown query help for all custom queries with help files available. To change the default behaviour you can pass the new flag :code:`--sarif-include-query-help`, which provides the options :code:`always` (which includes query help for all queries), :code:`custom_queries_only` (the default) and :code:`never` (which does not include query help for any query). The existing flag
:code:`--sarif-add-query-help` has been deprecated and will be removed in a future release.
Improvements
~~~~~~~~~~~~
* The Find References feature in the CodeQL language server now supports all CodeQL identifiers and offers improved performance compared to CodeQL CLI 2.14 releases.
* The compiler generates shorter human-readable DIL and RA relation names. Due to use of an extended character set, full VS Code support for short relation names requires VS Code extension 1.9.4 or newer.
* :code:`codeql database create` and :code:`codeql database finalize` now log more diagnostic information during database finalization, including the size of each relation, their total size, and the rate at which they were written to disk.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/uninitialized-local` query has been improved to produce fewer false positives.
C#
""
* CIL extraction is now disabled by default. It is still possible to turn on CIL extraction by setting the :code:`cil` extractor option to :code:`true` or by setting the environment variable :code:`$CODEQL_EXTRACTOR_CSHARP_OPTION_CIL` to :code:`true`. This is the first step towards sun-setting the CIL extractor entirely.
Java
""""
* The query :code:`java/unsafe-deserialization` has been improved to detect insecure calls to :code:`ObjectMessage.getObject` in JMS.
Python
""""""
* Added modeling of more :code:`FileSystemAccess` in packages :code:`cherrypy`, :code:`aiofile`, :code:`aiofiles`, :code:`anyio`, :code:`sanic`, :code:`starlette`, :code:`baize`, and :code:`io`. This will mainly affect the *Uncontrolled data used in path expression* (:code:`py/path-injection`) query.
Swift
"""""
* Added additional sinks for the "Uncontrolled data used in path expression" (:code:`swift/path-injection`) query. Some of these sinks are heuristic (imprecise) in nature.
* Fixed an issue where some Realm database sinks were not being recognized for the :code:`swift/cleartext-storage-database` query.
New Queries
~~~~~~~~~~~
Swift
"""""
* Added new query "System command built from user-controlled sources" (:code:`swift/command-line-injection`) for Swift. This query detects system commands built from user-controlled sources without sufficient validation. The query was previously `contributed to the 'experimental' directory by @maikypedia <https://github.com/github/codeql/pull/13726>`__ but will now run by default for all code scanning users.
* Added a nw query "Missing regular expression anchor" (:code:`swift/missing-regexp-anchor`) for Swift. This query detects regular expressions without anchors that can be vulnerable to bypassing.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Lower the severity of log-injection to medium.
* Increase the severity of XSS to high.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Golang
""""""
* A bug has been fixed that meant that value flow through an array was not tracked correctly in some circumstances. Taint flow was tracked correctly.
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The expressions :code:`AssignPointerAddExpr` and :code:`AssignPointerSubExpr` are no longer subtypes of :code:`AssignBitwiseOperation`.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Swift
"""""
* Added Swift 5.9.1 support
* New AST node is extracted: :code:`SingleValueStmtExpr`
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Returning stack-allocated memory" (:code:`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to :code:`alloca`, :code:`strdupa`, and :code:`strndupa`.
* Added models for :code:`strlcpy` and :code:`strlcat`.
* Added models for the :code:`sprintf` variants from the :code:`StrSafe.h` header.
* Added SQL API models for :code:`ODBC`.
* Added taint models for :code:`realloc` and related functions.
C#
""
* The predicate :code:`UnboundGeneric::getName` now prints the number of type parameters as a :code:` `N` suffix, instead of a :code:`<,...,>` suffix. For example, the unbound generic type
:code:`System.Collections.Generic.IList<T>` is printed as :code:`IList`1` instead of :code:`IList<>`.
* The predicates :code:`hasQualifiedName`, :code:`getQualifiedName`, and :code:`getQualifiedNameWithTypes` have been deprecated, and are instead replaced by :code:`hasFullyQualifiedName`, :code:`getFullyQualifiedName`, and :code:`getFullyQualifiedNameWithTypes`, respectively. The new predicates use the same format for unbound generic types as mentioned above.
* These changes also affect models-as-data rows that refer to a field or a property belonging to a generic type. For example, instead of writing
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
data:
- ["System.Collections.Generic", "Dictionary<TKey,TValue>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]
* The models-as-data format for types and methods with type parameters has been changed to include the names of the type parameters. For example, instead of writing
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
data:
- ["System.Collections.Generic", "IList<>", True, "Insert", "(System.Int32,T)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["System.Linq", "Enumerable", False, "Select<,>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Int32,TResult>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
Golang
""""""
* Added the `gin cors <https://github.com/gin-contrib/cors>`__ library to the CorsMisconfiguration.ql query
Java
""""
* The types :code:`java.util.SequencedCollection`, :code:`SequencedSet` and :code:`SequencedMap`, as well as the related :code:`Collections.unmodifiableSequenced*` methods are now modelled. This means alerts may be raised relating to data flow through these types and methods.
Python
""""""
* Added basic flow for attributes defined on classes, when the attribute lookup is on a direct reference to that class (so not instance, cls parameter, or self parameter). Example: class definition :code:`class Foo: my_tuples = (dangerous, safe)` and usage :code:`SINK(Foo.my_tuples[0])`.
Swift
"""""
* AST and types related to parameter packs are now extracted
* Added taint flow models for the :code:`NSString.enumerate*` methods.
* Generalized the data flow model for subscript writes (:code:`a[index] = b`) so that it applies to subscripts on all kinds of objects, not just arrays.
* Fixed a bug where some flow sinks at field accesses were not being correctly identified.
* Added indexed :code:`getVariable` to :code:`CaptureListExpr`, improving its AST printing and data flow.
* Added flow models for :code:`String` methods involving closures such as :code:`String.withUTF8(_:)`.
* AST and types related to move semantics (:code:`copy`, :code:`consume`, :code:`_borrow`) are now extracted
Deprecated APIs
~~~~~~~~~~~~~~~
Java
""""
* In :code:`SensitiveApi.qll`, :code:`javaApiCallablePasswordParam`, :code:`javaApiCallableUsernameParam`, :code:`javaApiCallableCryptoKeyParam`, and :code:`otherApiCallableCredentialParam` predicates have been deprecated. They have been replaced with a new class :code:`CredentialsSinkNode` and its child classes :code:`PasswordSink`, :code:`UsernameSink`, and :code:`CryptoKeySink`. The predicates have been changed to using the new classes, so there may be minor changes in results relying on these predicates.

37
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.1.rst Normal file
Просмотреть файл

@ -0,0 +1,37 @@
.. _codeql-cli-2.4.1:
=========================
CodeQL 2.4.1 (2020-12-19)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.4.1 runs a total of 231 security queries when configured with the Default suite (covering 105 CWE). The Extended suite enables an additional 77 queries (covering 26 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* :code:`codeql query format` now checks all files rather than stopping after the first failure when the :code:`--check-only` option is given.
* :code:`codeql resolve database` will produce a :code:`languages` key giving the language the database was created for. This can be useful in IDEs to help describe the database and suggest default actions or queries.
For databases created by earlier versions, the result will be a best-effort guess.
* :code:`codeql database interpret-results` can now produce Graphviz :code:`.dot` files from queries with :code:`@kind graph`.
Removed Features
~~~~~~~~~~~~~~~~
* :code:`codeql test run` had some special compatibility support for running unit tests for the "code duplication" extractor features of certain discontinued Semmle products. Those tests have since been removed from the `public QL repository <https://github.com/github/codeql>`__,
so the compatibility support for them has been removed. This should not affect any external users (since the extractor feature in question was never supported by :code:`codeql database create` anyway),
but if you run :code:`codeql test run` against the unit tests belonging to an *old* checkout of the repository, you may now see some failures among :code:`Metrics` tests.

22
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.2.rst Normal file
Просмотреть файл

@ -0,0 +1,22 @@
.. _codeql-cli-2.4.2:
=========================
CodeQL 2.4.2 (2021-01-22)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.4.2 runs a total of 233 security queries when configured with the Default suite (covering 106 CWE). The Extended suite enables an additional 78 queries (covering 26 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.

17
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.3.rst Normal file
Просмотреть файл

@ -0,0 +1,17 @@
.. _codeql-cli-2.4.3:
=========================
CodeQL 2.4.3 (2021-01-29)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.

44
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.4.rst Normal file
Просмотреть файл

@ -0,0 +1,44 @@
.. _codeql-cli-2.4.4:
=========================
CodeQL 2.4.4 (2021-02-12)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.4.4 runs a total of 235 security queries when configured with the Default suite (covering 106 CWE). The Extended suite enables an additional 79 queries (covering 26 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :code:`name` property in :code:`qlpack.yml` must now meet the following requirements:
* Only lowercase ASCII letters, ASCII digits, and hyphens (:code:`-`) are allowed.
* A hyphen is not allowed as the first or last character of the name.
* The name must be at least one character long, and no longer than 128 characters.
Bug Fixes
~~~~~~~~~
* The default value of the :code:`--working-dir` options for the
:code:`index-files` and :code:`trace-command` subcommands of :code:`codeql database` has been fixed to match the documentation; previously, it would erroneously use the process' current working directory rather than the database source root.
* :code:`codeql test run` will not crash if database extraction in a test directory fails. Instead only the tests in that directory will be marked as failing, and tests in other directories will continue executing.
New Features
~~~~~~~~~~~~
* Alert and path queries can now give a score to each alert they produce. You can incorporate alert scores in an alert or path query by first adding the :code:`@scored` property to the query metadata. You can then introduce a new numeric column at the end of the :code:`select` statement structure to represent the score of each alert.
Alert scores are exposed in the SARIF output of commands like
:code:`codeql database analyze` as the :code:`score` property in the property bags of result objects.

22
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.5.rst Normal file
Просмотреть файл

@ -0,0 +1,22 @@
.. _codeql-cli-2.4.5:
=========================
CodeQL 2.4.5 (2021-03-08)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.4.5 runs a total of 237 security queries when configured with the Default suite (covering 108 CWE). The Extended suite enables an additional 79 queries (covering 26 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.

17
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.6.rst Normal file
Просмотреть файл

@ -0,0 +1,17 @@
.. _codeql-cli-2.4.6:
=========================
CodeQL 2.4.6 (2021-03-19)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.

39
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.0.rst Normal file
Просмотреть файл

@ -0,0 +1,39 @@
.. _codeql-cli-2.5.0:
=========================
CodeQL 2.5.0 (2021-03-26)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.5.0 runs a total of 239 security queries when configured with the Default suite (covering 108 CWE). The Extended suite enables an additional 79 queries (covering 26 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* By default, :code:`codeql test` now performs additional compiler checks when extracting test code written in Java.
Existing Java tests that previously passed may therefore fail due to this change, if they do not compile using the :code:`javac` compiler.
To allow time to migrate existing tests, the new behavior can be disabled by setting the environment variable
:code:`CODEQL_EXTRACTOR_JAVA_FLOW_CHECKS=false`.
New Features
~~~~~~~~~~~~
* Log files that contain output from build processes will now prefix it with :code:`[build-stdout]` and :code:`[build-stderr]` instead of :code:`[build]` and :code:`[build-err]`. In particular the latter sometimes caused confusion.
QL Language
~~~~~~~~~~~
* The QL language now recognizes new :code:`pragma[only_bind_into](...)` and
:code:`pragma[only_bind_out](...)` annotations on expressions. Advanced users may use these annotations to provide hints to the compiler to influence binding behavior and thus indirectly performance.

47
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.1.rst Normal file
Просмотреть файл

@ -0,0 +1,47 @@
.. _codeql-cli-2.5.1:
=========================
CodeQL 2.5.1 (2021-04-19)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The QL compiler will now reject queries where the query metadata (if present) at the top of the :code:`.ql` file is inconsistent with the output format of the query. This check can be disabled by giving the :code:`--no-metadata-verification` flag. (The flag already existed but has not had any effect until now.)
Bug Fixes
~~~~~~~~~
* Environment variables required for Java extraction are now propagated by the tracer. This may resolve issues with tracing and extraction in the context of certain build systems such as Bazel.
* A number of :code:`--check-CONDITION` options to :code:`codeql database finalize` and :code:`codeql dataset import` designed to look for consistency errors in the intermediate "TRAP" output from extractors erroneously did nothing. They will now actually print warnings if errors are found. The warnings become fatal errors if the new
:code:`--fail-on-trap-errors` option is also given.
New Features
~~~~~~~~~~~~
* :code:`codeql resolve qlref` is a new command that takes in a :code:`.qlref` file for a CodeQL test case and returns the path of the :code:`.ql` file it references.
* :code:`codeql database analyze` and :code:`codeql database interpret-results` have a new :code:`--sarif-group-rules-by-pack` option which will place the SARIF rule object for each query underneath its corresponding query pack in :code:`runs[].tool.extensions`.
* :code:`codeql database finalize` and :code:`codeql dataset import` have a new
:code:`--fail-on-trap-errors` option that will make database creation fail if extractors produce ill-formatted "TRAP" data for inclusion into a database. This is not enabled by default because some of the existing extractors have minor output bugs that cause the check to fail.
* :code:`codeql database finalize` and :code:`codeql dataset import` have a new
:code:`--check-undefined-labels` option that enables stricter consistency checks on the "TRAP" output from extractors.
QL Language
~~~~~~~~~~~
* :code:`super` may now be used unqualified, e.g. :code:`super.predicateName()`,
when the declaring class has multiple super types, as long as the call itself is unambiguous.

17
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.2.rst Normal file
Просмотреть файл

@ -0,0 +1,17 @@
.. _codeql-cli-2.5.2:
=========================
CodeQL 2.5.2 (2021-04-21)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.

44
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.3.rst Normal file
Просмотреть файл

@ -0,0 +1,44 @@
.. _codeql-cli-2.5.3:
=========================
CodeQL 2.5.3 (2021-04-30)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Ensure the correct URL is generated during :code:`codeql github upload-results` for GitHub Enterprise Server.
New Features
~~~~~~~~~~~~
* When tracing a C/C++ build, the C compiler entries in compiler-settings must now specify :code:`order compiler,extractor`. The default configuration already does this, so no change is necessary if using the default configuration.
* :code:`codeql database analyze` and :code:`codeql database interpret-results` now report the results of summary metric queries in the
:code:`<run>.properties.metricResults` property of the SARIF output.
Summary metric queries describe metrics about the code analyzed by CodeQL. They are identified by the query metadata :code:`@kind metric` and
:code:`@tag summary`.
For example, see the `lines of code summary metric query for C++ <https://github.com/github/codeql/blob/main/cpp/ql/src/Summary/LinesOfCode.ql>`__.
* :code:`codeql database analyze` and :code:`codeql database interpret-results` now calculate an
\ `automation ID <https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012482>`__ and add it to the resulting SARIF. In SARIF v2.1.0, this field is
:code:`runs[].automationDetails.id`. In SARIF v2, this field is
:code:`runs[].automationLogicalId`. In SARIF v1, this field is
:code:`runs[].automationId`. By default, this automation ID will be derived from the database language and the operating system of the machine that performed the run. It can be set explicitly using a new
:code:`--sarif-category` option.
* In query metadata, :code:`@kind alert` and :code:`@kind path-alert` are now recognized as (more accurate) synonyms of :code:`@kind problem` and
:code:`@kind path-problem`, respectively.
* Diagnostic queries are now permitted by the metadata verifier. They are identified by :code:`@kind diagnostic` metadata. Currently the result patterns of diagnostic queries are not verified. This will change in a future CLI release.

17
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.4.rst Normal file
Просмотреть файл

@ -0,0 +1,17 @@
.. _codeql-cli-2.5.4:
=========================
CodeQL 2.5.4 (2021-05-03)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.

44
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.5.rst Normal file
Просмотреть файл

@ -0,0 +1,44 @@
.. _codeql-cli-2.5.5:
=========================
CodeQL 2.5.5 (2021-05-17)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.5.5 runs a total of 248 security queries when configured with the Default suite (covering 112 CWE). The Extended suite enables an additional 72 queries (covering 26 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* When scanning the disk for QL packs and extractors, directories of the form :code:`.../SOMETHING/SOMETHING.testproj` (where the two
:code:`SOMETHING` are identical) will now be ignored. Names of this form are used by :code:`codeql test run` for ephemeral test databases, which can sometimes contain files that confuse QL compilations.
Bug Fixes
~~~~~~~~~
* When using the :code:`--sarif-group-rules-by-pack` flag to place the SARIF rule object for each query underneath its corresponding query pack in :code:`runs[].tool.extensions`, the :code:`rule` property of result objects can now be used to look up the rule within the :code:`rules` property of the appropriate query pack in :code:`runs[].tool.extensions`. Previously,
rule lookup for result objects in the SARIF output was not well-defined when the :code:`--sarif-group-rules-by-pack` flag was passed.
New Features
~~~~~~~~~~~~
* Query writers can now optionally use :code:`@severity` in place of
:code:`@problem.severity` in the metadata for alert queries. SARIF consumers should continue to consume this severity information using the :code:`rule.defaultConfiguration.level` property for SARIF v2.1.0, and corresponding properties for other versions of SARIF. They should not depend on the value stored in the :code:`rule.properties` property bag, since this will contain either :code:`@problem.severity` or
:code:`@severity` based on exactly what was written in the query metadata.
* When exporting analysis results to SARIF v2.1.0, results and metric results now contain a `reporting descriptor reference object <https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10541300>`__ that specifies the rule that produced them. For metric results, this new property replaces the :code:`metric` property.
* :code:`codeql database analyze` now outputs a table that summarizes the results of metric queries that were part of the analysis. This can be suppressed by passing the :code:`--no-print-metrics-summary` flag.

56
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.6.rst Normal file
Просмотреть файл

@ -0,0 +1,56 @@
.. _codeql-cli-2.5.6:
=========================
CodeQL 2.5.6 (2021-06-22)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.5.6 runs a total of 266 security queries when configured with the Default suite (covering 114 CWE). The Extended suite enables an additional 57 queries (covering 28 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* :code:`codeql database create` (and the plumbing commands it comprises)
now supports creating databases for a source tree with several languages while tracing a single build. This is enabled by a new
:code:`--db-cluster` option. Once created, the multiple databases must be
*analyzed* one by one.
* :code:`codeql database create` and :code:`codeql database init` now accept an
:code:`--overwrite` argument which will lead existing CodeQL databases to be overwritten.
* :code:`codeql database analyze` now supports "diagnostic" queries (tagged
:code:`@kind diagnostic`), which are intended to report information about the analysis process itself rather than problems with the analyzed code. The results of these queries will be summarized in a table printed to the terminal when :code:`codeql database analyze` finishes.
They are also included in the analysis results in SARIF output formats as `notification objects <https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317894>`__ so they can be displayed by subsequent tooling such as the Code Scanning user interface.
* For SARIF v2.1.0, a reporting descriptor object for each diagnostic query is output to output to
:code:`runs[].tool.driver.notifications`, or
:code:`runs[].tool.extensions[].notifications` if running with
:code:`--sarif-group-rules-by-pack`. A rule object for each diagnostic query is output to :code:`runs[].resources[].rules` for SARIF v2, or to
:code:`runs[].rules` for SARIF v1.
* Results of diagnostic queries are exported to the
:code:`runs[].invocations[].toolExecutionNotifications` property in SARIF v2.1.0, the :code:`runs[].invocations[].toolNotifications` property in SARIF v2, and the :code:`runs[].toolNotifications` property in SARIF v1.
SARIF v2.1.0 output will now also contain version information for query packs in :code:`runs[].tool.extensions[].semanticVersion`, if the Git commit the queries come from is known.
* :code:`codeql github upload-results` has a :code:`--checkout-path` option which will attempt to automatically configure upload target parameters.
When this is given, the :code:`--commit` option will be taken from the HEAD of the checkout Git repository, and if there is precisely one remote configured in the local repository, the :code:`--repository` and
:code:`--github-url` options will also be automatically configured.
* The CodeQL C++ extractor includes beta support for C++20.
This is only available when building codebases with GCC on Linux.
C++20 modules are **not** supported.

37
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.7.rst Normal file
Просмотреть файл

@ -0,0 +1,37 @@
.. _codeql-cli-2.5.7:
=========================
CodeQL 2.5.7 (2021-07-02)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.5.7 runs a total of 268 security queries when configured with the Default suite (covering 114 CWE). The Extended suite enables an additional 56 queries (covering 28 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* :code:`codeql database create` and :code:`codeql database init` can now automatically recognise the languages present in checkouts of GitHub repositories by making an API call to the GitHub server. This requires a PAT token to either be set in the :code:`GITHUB_TOKEN` environment variable, or passed by stdin with the
:code:`--github-auth-stdin` argument.
* Operations that make outgoing HTTP calls (that is, :code:`codeql github upload-results` and the language-detection feature described above)
now support the use of HTTP proxies. To use a proxy, specify an
:code:`$https_proxy` environment variable for HTTPS requests or a
:code:`$http_proxy` environment variable for HTTP requests. If the
:code:`$no_proxy` variable is also set, these variables will be ignored and requests will be made without a proxy.
QL Language
~~~~~~~~~~~
* The QL language now has a new method :code:`toUnicode` on the :code:`int` type. This method converts Unicode codepoint to a one-character string. For example, :code:`65.toUnicode() = "A"`, :code:`128512.toUnicode()` results in a smiley, and :code:`any(int i | i.toUnicode() = "A") = 65`.

37
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.8.rst Normal file
Просмотреть файл

@ -0,0 +1,37 @@
.. _codeql-cli-2.5.8:
=========================
CodeQL 2.5.8 (2021-07-26)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.5.8 runs a total of 268 security queries when configured with the Default suite (covering 114 CWE). The Extended suite enables an additional 79 queries (covering 28 more CWE). 23 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The QL compiler now verifies that :code:`@security-severity` query metadata is numeric. You can disable this verification by passing the :code:`--no-metadata-verification` flag.
New Features
~~~~~~~~~~~~
* The :code:`database index-files` and :code:`database trace-command` CLI commands now support :code:`--threads` and :code:`--ram` options, which are passed to extractors as suggestions.
* The :code:`database finalize` CLI command now supports the :code:`--ram` option,
which controls memory usage for finalization.
* The :code:`database create` CLI command now supports the :code:`--ram` option,
which controls memory usage for database creation. - The :code:`generate query-help` CLI command now support rendering query help in SARIF format.

17
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.9.rst Normal file
Просмотреть файл

@ -0,0 +1,17 @@
.. _codeql-cli-2.5.9:
=========================
CodeQL 2.5.9 (2021-08-09)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.

64
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.0.rst Normal file
Просмотреть файл

@ -0,0 +1,64 @@
.. _codeql-cli-2.6.0:
=========================
CodeQL 2.6.0 (2021-08-24)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.6.0 runs a total of 275 security queries when configured with the Default suite (covering 119 CWE). The Extended suite enables an additional 78 queries (covering 27 more CWE). 6 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* The :code:`physicalLocation.artifactLocation.uri` fields in SARIF output are now properly encoded as specified by RFC 3986.
* The :code:`--include-extension` option to the :code:`codeql database index-files` command no longer includes directories that are named with the provided extension. For example, if the option
:code:`--include-extension=.rb` is provided, then a directory named
:code:`foo.rb/` will be excluded from the indexing.
New Features
~~~~~~~~~~~~
* A new :code:`codeql database unbundle` subcommand performs the reverse of
:code:`codeql database bundle` and extracts a CodeQL database from an archive.
* The CLI now understands per-codebase configuration files in `the format already supported by the CodeQL Action <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#example-configuration-files>`__. The configuration file must be given in a :code:`--codescanning-config` option to :code:`codeql database create` or :code:`codeql database init`. For some languages, this configuration can contain pathname filters that control which parts of the codebase is analysed; the configuration file is the only way this functionality is exposed. The configuration file can also control which queries are run, including custom queries from repositories that must first be downloaded. To actually use those queries, run :code:`codeql database analyze` without any query-selection arguments.
* The CLI now supports the "sandwiched tracing" feature that has previously only been offered through the separate CodeQL Runner.
This feature is intended for use with CI systems that cannot be configured to wrap build actions with :code:`codeql database trace-command`. Instead the CI system must be able to set custom environment variables for each build action; the required environment variables are output by :code:`codeql database init` when given a :code:`--begin-tracing` argument.
On Windows, :code:`codeql database init --begin-tracing` will also inject build-tracing code into the calling process or an ancestor; there are additional options to control this.
* This version contains *beta* support for a new packaging and publishing system for third-party QL queries and libraries. It comprises the following new commands:
* :code:`codeql pack init`\ : Creates an empty CodeQL pack from a template.
* :code:`codeql pack add`\ : Adds a dependency to a CodeQL pack.
* :code:`codeql pack install`\ : Installs all pack dependencies specified in the :code:`qlpack.yml` file.
* :code:`codeql pack download`\ : Downloads one or more pack dependencies into the global package cache.
* :code:`codeql pack publish`\ : Publishes a package to the GitHub Container Registry.
* (Plumbing) :code:`codeql pack bundle`\ : Builds a :code:`.zip` file for a CodeQL query or library pack from sources. Used by :code:`codeql pack publish`.
* (Plumbing) :code:`codeql pack create`\ : Creates a compiled CodeQL query or library pack from sources. Used by :code:`codeql pack bundle`.
* (Plumbing) :code:`codeql pack packlist`\ : Lists all files in a local CodeQL pack that will be included in the pack's bundle. Used by
:code:`codeql pack create`.
* (Plumbing) :code:`codeql pack resolve-dependencies`\ : Resolves all transitive dependencies of a local CodeQL pack. Used by :code:`codeql pack install`.

96
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.1.rst Normal file
Просмотреть файл

@ -0,0 +1,96 @@
.. _codeql-cli-2.6.1:
=========================
CodeQL 2.6.1 (2021-09-07)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.6.1 runs a total of 274 security queries when configured with the Default suite (covering 119 CWE). The Extended suite enables an additional 80 queries (covering 27 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :code:`codeql resolve qlref` command will now throw an error when the target is ambiguous.
The qlref resolution rules are now as follows:
#. If the target of a qlref is in the same qlpack, then that target is always returned.
#. If multiple targets of the qlref are found in dependent packs, this is an error.
Previously, the command would have arbitrarily chosen one of the targets and ignored any ambiguities.
* The :code:`qlpack` directive in query suites has its semantics changed.
Previously, this directive would return all queries in the qlpack. Now, the directive returns only those queries matched by the
:code:`defaultSuite` directive in the query pack. Here is an example:
Consider a :code:`qlpack.yml` like the following:
.. code-block:: yaml
name: codeql/my-qlpack
version: 0.0.1
defaultSuite:
queries: standard
And the directory structure is the following:
.. code-block:: text
qlpack.yml
standard/
a.ql
experimental/
b.ql
A query suite :code:`suite.qls` like this:
.. code-block:: yaml
- qlpack: codeql/my-qlpack
Previously, would return all the queries in all subdirectories (i.e,
:code:`standard/a.ql` and :code:`experimental/b.ql`). Now, it only returns
:code:`standard/a.ql`, since that is the only query matched by its default suite.
If you want to have the same behavior as before, you must update your query suites to use the :code:`queries` directive with a :code:`from` attribute,
like this:
.. code-block:: yaml
- queries: .
from: codeql/my-qlpack
New Features
~~~~~~~~~~~~
* Commands that evaluate CodeQL queries now support an additional option :code:`--evaluator-log=path/to/log.json` that will result in the evaluator producing a structured log (in JSON format) of events that occurred during evaluation in order to aid debugging of query performance. The format of these logs will be subject to change with no notice as we make modifications to the evaluator.
There is also a new CLI command :code:`codeql generate log-summary` that will produce a summary of the predicates that were evaluated from these event logs. We will aim to keep this summary format more stable, although it is also subject to change. Unless you have a good reason to use the event logs directly, it is strongly recommended you use this command to produce summary logs and use these instead.
For further information on these new logs and additional options to configure their format and verbosity, please refer to the CLI documentation.
QL Language
~~~~~~~~~~~
* QL classes can now be non-extending subtypes via the :code:`instanceof` keyword, allowing for a form of private subtyping that is not visible externally. Methods of the supertype are accessible from within a non-extending subtype class through extended semantics of the :code:`super` keyword.
.. code-block:: text
class Foo instanceof int {
Foo() { this in [1 .. 10] }
string toString() { result = "foo" + super.toString() }
}

52
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.2.rst Normal file
Просмотреть файл

@ -0,0 +1,52 @@
.. _codeql-cli-2.6.2:
=========================
CodeQL 2.6.2 (2021-09-21)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.6.2 runs a total of 274 security queries when configured with the Default suite (covering 120 CWE). The Extended suite enables an additional 81 queries (covering 28 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* A bug where :code:`codeql generate log-summary` would sometimes crash with a :code:`JsonMappingException` has been fixed.
Documentation
~~~~~~~~~~~~~
* Documentation has been added detailing how to use the "indirect build tracing" feature, which is enabled by using the
:code:`--begin-tracing` flag provided by :code:`codeql database init`. The new documentation can be found `here <https://aka.ms/codeql-docs/indirect-tracing>`__. This feature was temporarily described as "sandwiched tracing" in the 2.6.0 release notes.
New Features
~~~~~~~~~~~~
* The CodeQL CLI now counts the lines of code found under
:code:`--source-root` when :code:`codeql database init` or :code:`codeql database create` is called. This information can be viewed later by either the new :code:`codeql database print-baseline` command or the new
:code:`--print-baseline-loc` argument to :code:`codeql database interpret-results`.
* :code:`qlpack.yml` files now support an additional field :code:`include` in which glob patterns of additional files that should be included (or excluded) when creating a given CodeQL pack can be specified.
* QL packs created by the experimental :code:`codeql pack create` command will now include some information about the build in a new
:code:`buildMetadata` field of their :code:`qlpack.yml` file.
* :code:`codeql database create` now supports the same flags as :code:`codeql database init` for automatically recognizing the languages present in checkouts of GitHub repositories:
* :code:`--github-url` accepts the URL of a custom GitHub instance
(previously only :code:`github.com` was supported).
* :code:`--github-auth-stdin` allows a personal access token to be provided through standard input (previously only the
:code:`GITHUB_TOKEN` environment variable was supported).

58
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.3.rst Normal file
Просмотреть файл

@ -0,0 +1,58 @@
.. _codeql-cli-2.6.3:
=========================
CodeQL 2.6.3 (2021-10-06)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The option :code:`--compiler-spec` accepted by some subcommands of :code:`codeql database` is deprecated. It will be removed in a later version
(earliest 2.7.0). If you need this option, please file a public issue in https://github.com/github/codeql-cli-binaries, or open a private ticket with GitHub support and request an escalation to engineering.
* By default, databases created using the CodeQL CLI will now have their underlying datasets finalized, meaning that no further data can be subsequently imported into them. This change should not affect most users.
* The :code:`codeql resolve qlref` command will now throw an error when the target is ambiguous. The qlref resolution rules are now as follows:
#. If the target of a qlref is in the same qlpack, then that target is always returned.
#. If multiple targets of the qlref are found in dependent packs,
this is an error.
Previously, the command would have arbitrarily chosen one of the targets and ignored any ambiguities.
Bug Fixes
~~~~~~~~~
* Linux/MacOS: When tracing a build that involves an
:code:`execvp`\ /\ :code:`execvpe` (Linux-only)/\ :code:`posix_spawnp` syscall where :code:`PATH` was not set in the environment, CodeQL sometimes would break the build. Now, CodeQL uses the correct, platform-specific fallback for
:code:`PATH` instead.
* Linux/MacOS: When tracing a build that involves an :code:`execvpe` (Linux-only)/\ :code:`posix_spawnp` syscall, the :code:`PATH` lookup of the executable wrongly took place in the environment provided via
:code:`envp`, instead of the environment of the process calling
:code:`execvpe`\ /\ :code:`posix_spawnp`. Now, the correct environment is used for the :code:`PATH` lookup.
* A bug where query compilation would sometimes fail with a
:code:`StackOverflowError` when compiling a query that uses :code:`instanceof` has now been fixed.
New Features
~~~~~~~~~~~~
* The :code:`codeql query compile` command now accepts a :code:`--keep-going` or
:code:`-k` option, which indicates that the compiler should continue compiling queries even if one of the queries has a compile error in it.
* CLI commands now run default queries if none are specified. If no queries are specified, the :code:`codeql database analyze`, :code:`codeql database run-queries`, and :code:`codeql database interpret-results` commands will now run the default suite for the language being analyzed.
* :code:`codeql pack publish` now copies the published package to the local package cache. In addition to publishing to a remote repository, the
:code:`codeql pack publish` command will also copy the published package to the local package cache.

25
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.7.0.rst Normal file
Просмотреть файл

@ -0,0 +1,25 @@
.. _codeql-cli-2.7.0:
=========================
CodeQL 2.7.0 (2021-10-27)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.7.0 runs a total of 268 security queries when configured with the Default suite (covering 117 CWE). The Extended suite enables an additional 80 queries (covering 28 more CWE).
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug where indirect tracing would sometimes not manage to observe build processes if certain environment variables were unset during the build.

136
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.7.1.rst Normal file
Просмотреть файл

@ -0,0 +1,136 @@
.. _codeql-cli-2.7.1:
=========================
CodeQL 2.7.1 (2021-11-15)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.7.1 runs a total of 276 security queries when configured with the Default suite (covering 120 CWE). The Extended suite enables an additional 82 queries (covering 31 more CWE). 10 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Previously, :code:`codeql test run` would fall back to looking for an accompanying :code:`queries.xml` file if it found a :code:`qlpack.yml` that did not declare an extractor to use when extracting a test database.
This has been removed because the internal use case that neccessitated the fallback are now removed. If you suddenly encounter errors that complain of missing extractor declarations,
check whether you had a :code:`queries.xml` you were inadvertently relying on.
* When queries are specified by naming a directory to scan for :code:`*.ql` files, subdirectories named :code:`.codeql` will now be ignored. The new QL packaging support uses subdirectories with this name of various scratch and caching purposes, so they may contain :code:`*.ql` files that are not intended to be directly user-visible.
* When copying dependencies for CodeQL packages into a query pack bundle, :code:`*.ql` files in these dependencies will now be included inside of the query pack's :code:`.codeql` directory.
* The tables printed by :code:`codeql database analyze` to summarize the results of diagnostic and metric queries that were part of the analysis have a new format and contains less (but hopefully more pertinent) information. We recommend against attempting to parse this human-readable output programmatically. Instead, use the
:code:`runs[].tool.driver.invocations[].toolExecutionNotifications` property in the SARIF output.
* The experimental plumbing command :code:`codeql pack packlist` has a new format for its JSON results. Previously, the results were a list of paths. Now, the results are an object with a single property :code:`paths` that contains the list of paths.
* The internal :code:`qlpacks` directory of the CodeQL bundle available on the
\ `CodeQL Action releases page <https://github.com/github/codeql-action/releases/>`__ has a new structure. This directory is internal to the CLI and can change without notice in future releases.
The currently-shipped :code:`qlpacks` directory mirrors the structure of `CodeQL package <https://github.blog/changelog/2021-07-28-introducing-the-codeql-package-manager-public-beta/>`__ caches and looks like this:
.. code-block:: text
qlpacks
- codeql
- {lang}-all
- {version}
- qlpack contents
- {lang}-examples
- {version}
- qlpack contents
- {lang}-queries
- {version}
- qlpack contents
- {lang}-upgrades
- {version}
- qlpack contents
- ... and so on for all languages
Bug Fixes
~~~~~~~~~
* Fixed a bug where the :code:`paths` and :code:`paths-ignore` properties of a Code Scanning config file specified using :code:`--codescanning-config` were being interpreted the wrong way around.
* Fixed a bug where queries specified using the
:code:`--codescanning-config` option could not be run after an explicit call to :code:`codeql database finalize`.
* Fixed a bug where :code:`-J` options would erroneously be recognized even after :code:`--` on the command line.
* When running :code:`codeql database analyze` and :code:`codeql database interpret-results` without the :code:`--sarif-group-rules-by-pack` flag,
the SARIF output did not include baseline lines-of-code counts. This is now fixed.
* Fixed a bug where expansion of query suites would sometimes fail if a query suite in a compiled query pack referenced that pack itself explicitly.
Deprecations
~~~~~~~~~~~~
* The output formats SARIF v1.0.0 and SARIF v2.0.0 (Committee Specification Draft 1) have been deprecated. They will be removed in a later version (earliest 2.8.0). If you need this functionality, please file a public issue against https://github.com/github/codeql-cli-binaries, or open a private ticket with GitHub Support and request an escalation to engineering.
* The :code:`qlpack:` instruction in query suite definitions has been deprecated due to uncertainty about whether it is intended to include *all* the :code:`*.ql` files in the named pack, or only the pack's
"default query suite". The behavior of the instruction is determined by whether the named pack declares any default query suite, but this means that a pack *starting* to declare such a suite may break the behavior of existing query suites that reference the pack from outside.
We recommend replacing :code:`qlpack:` by one of
.. code-block:: yaml
- queries: '.' # import all *.ql files
from: some/pack-name
version: 1.2.3 # optional
or
.. code-block:: yaml
- import: path/to/actual/suite.ql # just that suite
from: some/pack-name
version: 1.2.3 # optional
A warning will now be printed when a :code:`qlpack:` instruction resolves to a default suite, because that is the case where the effect may not be what the query suite author intended.
New Features
~~~~~~~~~~~~
* Beta support for database creation on Apple Silicon has been added.
It depends on the following requirements:
* \ `Rosetta 2 <https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment>`__ needs to be installed
* Developer tools need to be installed. CodeQL requires the :code:`lipo`,
:code:`codesign`, and :code:`install_name_tool` tools to be present.
* Build systems invoking :code:`csh` may experience `intermittent crashes <https://openradar.appspot.com/radar?id=4936797431791616>`__.
* :code:`codeql database analyze` can now include query-specific help texts for alerts in the SARIF output (for SARIF v2.1.0 or later). The help text must be located in an :code:`.md` file next to (and with the same basename as) the :code:`.ql` file for each query. Since this can significantly increase SARIF file size, the feature is not enabled by default; give a :code:`--sarif-add-query-help` option to enable it.
* The query metadata validator now knows about queries that produce alert scores, so these queries no longer need to be run with a
:code:`--no-metadata-verification` flag.
* :code:`codeql database create` and :code:`codeql-finalize` have a new flag
:code:`--skip-empty` that will cause a language with no extracted source code to be ignored with a warning instead of treated like a fatal error. This can be useful with :code:`--db-cluster` where not all of the languages may exist in the source tree. It will not be possible to run queries against the skipped database.
* :code:`codeql resolve extractor` and :code:`codeql resolve languages` now support an extended output format :code:`--format=betterjson` wich includes information about each extractor's language-specific options.
* This release introduces rudimentary support for parallelizing database creation by importing unfinished databases (or database clusters) into another unfinished database (or cluster) under creation. This is implemented by the new flag :code:`--additional-dbs` for
:code:`codeql database finalize`, or the new plumbing command :code:`codeql database import`.
* :code:`codeql database create`, :code:`codeql database index-files`, and :code:`codeql database trace-command` support a `unified syntax for passing language-specific options <https://codeql.github.com/docs/codeql-cli/extractor-options>`__ to the extractor with the new
:code:`--extractor-option` and :code:`--extractor-options-file` options.
(The extractors do not make use of this yet, though).
QL Language
~~~~~~~~~~~
* \ `Set literal expressions <https://codeql.github.com/docs/ql-language-reference/expressions/#set-literal-expressions>`__ can now optionally contain a trailing comma after the last element.

46
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.7.2.rst Normal file
Просмотреть файл

@ -0,0 +1,46 @@
.. _codeql-cli-2.7.2:
=========================
CodeQL 2.7.2 (2021-11-22)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.7.2 runs a total of 278 security queries when configured with the Default suite (covering 124 CWE). The Extended suite enables an additional 85 queries (covering 31 more CWE). 5 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The Java extractor now defaults to extracting all XML documents under 10MB in size, a change from the previous default of only extracting documents with particular well-known names (e.g. :code:`pom.xml`). However,
if the source tree contains more than 50MB of XML in total, it prints a warning and falls back to the old default behaviour.
Set the environment variable :code:`LGTM_INDEX_XML_MODE` to :code:`byname` to get the old default behaviour, or :code:`all` to extract all documents under 10MB regardless of total size.
* The experimental command-line option :code:`--native-library-path` that was introduced to support internal experiments has been removed.
* The beta :code:`codeql pack publish` command will now prevent accidental publishing of packages with pre-release version qualifiers. Prerelease versions are those that include a :code:`-` after the major, minor, and patch versions such as :code:`1.2.3-dev`. To avoid this change, use the
:code:`--allow-prerelease` option.
Bug Fixes
~~~~~~~~~
* Fixed an issue when using the :code:`--evaluator-log` option where a
:code:`NullPointerException` could sometimes occur non-deterministically.
* Fixed bugs observed when using indirect build tracing using a CodeQL distribution unpacked to a path containing spaces or on Arch Linux.
New Features
~~~~~~~~~~~~
* CodeQL databases now contain metadata about how and when they were created. This can be found in the :code:`creationMetadata` field of the
:code:`codeql-database.yml` file within the CodeQL database directory. More information may be added to this field in future releases.

120
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.7.3.rst Normal file
Просмотреть файл

@ -0,0 +1,120 @@
.. _codeql-cli-2.7.3:
=========================
CodeQL 2.7.3 (2021-12-06)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.7.3 runs a total of 288 security queries when configured with the Default suite (covering 124 CWE). The Extended suite enables an additional 85 queries (covering 32 more CWE). 10 security queries have been added with this release.
CodeQL CLI
----------
Potentially Breaking Changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The experimental command-line option :code:`--ml-model-path` that was introduced to support internal experiments has been removed.
Bug Fixes
~~~~~~~~~
* Editing support (content assist, code navigation, etc.) in files under the :code:`.github` directory will now work properly. This is because files under the :code:`.github` directory will now be indexed and processed by the CodeQL language server. Other hidden directories that start with :code:`.` will remain un-indexed. This affects the vscode-codeql extension and any other IDE extension that uses the CodeQL language server.
* Fixed authentication with GitHub package registries via the
:code:`GITHUB_TOKEN` environment variable and the :code:`--github-auth-stdin` flag when downloading and publishing packs.
* Fixed an incompatibility with glibc version 2.34 on Linux, where build tracing failed with an error message.
* Fixed a bug where :code:`codeql generate log-summary` could sometimes fail with a :code:`JsonMappingException`.
New Features
~~~~~~~~~~~~
* The CodeQL CLI for Mac OS now ships with a native Java virtual machine for M1 Macs,
and this will be used by default where applicable to run the CodeQL engine, thus improving performance.
\ `Rosetta 2 <https://support.apple.com/en-us/HT211861>`__ is still required as not all components of the CodeQL CLI are natively compiled.
* Commands that execute queries will now exit with status code 34 if certain errors that prevent the evaluation of one or more individual queries are detected. Previously some of these errors would crash the evaluator and exit with status code 100.
(This is currently used for "external predicate not found" errors).
Query Packs
-----------
New Queries
~~~~~~~~~~~
C/C++
"""""
* A new query :code:`cpp/non-https-url` has been added for C/C++. The query flags uses of :code:`http` URLs that might be better replaced with :code:`https`.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/sensitive-get-query` query has been added. It highlights GET requests that read sensitive information from the query string.
* The :code:`js/insufficient-key-size` query has been added. It highlights the creation of cryptographic keys with a short key size.
* The :code:`js/session-fixation` query has been added. It highlights servers that reuse a session after a user has logged in.
Ruby
""""
* A new query (:code:`rb/request-forgery`) has been added. The query finds HTTP requests made with user-controlled URLs.
* A new query (:code:`rb/csrf-protection-disabled`) has been added. The query finds cases where cross-site forgery protection is explicitly disabled.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* Fixed the query ids of two queries that are meant for manual exploration: :code:`python/count-untrusted-data-external-api` and :code:`python/untrusted-data-to-external-api` have been changed to :code:`py/count-untrusted-data-external-api` and :code:`py/untrusted-data-to-external-api`.
Ruby
""""
* The precision of "Hard-coded credentials" (:code:`rb/hardcoded-credentials`) has been decreased from "high" to "medium". This query will no longer be run and displayed by default on Code Scanning and LGTM.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Java
""""
* :code:`CharacterLiteral`\ 's :code:`getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
* The :code:`RangeAnalysis` module and the :code:`java/constant-comparison` queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals.
* The predicate :code:`Method.overrides(Method)` was accidentally transitive. This has been fixed. This fix also affects :code:`Method.overridesOrInstantiates(Method)` and :code:`Method.getASourceOverriddenMethod()`.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* Added modeling of :code:`os.stat`, :code:`os.lstat`, :code:`os.statvfs`, :code:`os.fstat`, and :code:`os.fstatvfs`, which are new sinks for the *Uncontrolled data used in path expression* (:code:`py/path-injection`) query.
* Added modeling of the :code:`posixpath`, :code:`ntpath`, and :code:`genericpath` modules for path operations (although these are not supposed to be used), resulting in new sinks for the *Uncontrolled data used in path expression* (:code:`py/path-injection`) query.
* Added modeling of :code:`wsgiref.simple_server` applications, leading to new remote flow sources.
* Added modeling of :code:`aiopg` for sinks executing SQL.
* Added modeling of HTTP requests and responses when using :code:`flask_admin` (:code:`Flask-Admin` PyPI package), which leads to additional remote flow sources.
* Added modeling of the PyPI package :code:`toml`, which provides encoding/decoding of TOML documents, leading to new taint-tracking steps.
New Features
~~~~~~~~~~~~
C/C++
"""""
* The QL library :code:`semmle.code.cpp.commons.Exclusions` now contains a predicate
:code:`isFromSystemMacroDefinition` for identifying code that originates from a macro outside the project being analyzed.

152
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.7.5.rst Normal file
Просмотреть файл

@ -0,0 +1,152 @@
.. _codeql-cli-2.7.5:
=========================
CodeQL 2.7.5 (2022-01-17)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.7.5 runs a total of 289 security queries when configured with the Default suite (covering 127 CWE). The Extended suite enables an additional 88 queries (covering 31 more CWE). 4 security queries have been added with this release.
CodeQL CLI
----------
Deprecations
~~~~~~~~~~~~
* The CodeQL Action versions up to and including version 1.0.22 are now deprecated for use with CodeQL CLI 2.7.5 and later. The CLI will emit a warning if it detects that it is being used by a deprecated version of the codeql-action. This warning will become a fatal error with version 2.8.0 of the CLI.
Documentation
~~~~~~~~~~~~~
* The documentation for the :code:`--trace-process-level` flag of :code:`codeql database init` (which is used with indirect build tracing on Windows) was erroneous.
The help text previously claimed that :code:`--trace-process-level=1` would inject CodeQL's build tracer into the calling process. This is actually what :code:`--trace-process-level=0` achieves. The help text has now been corrected to match the actual (unchanged) behavior.
Also, some log messages incorrectly stated which process CodeQL was injected into. These have also been corrected.
New Features
~~~~~~~~~~~~
* The :code:`codeql github upload-results` command will now print the API response body in JSON format if a :code:`--format=json` flag is given. Otherwise the command will print the URL of the SARIF upload. This URL can be used to get status information for the upload.
See also: https://docs.github.com/en/rest/reference/code-scanning
Miscellaneous
~~~~~~~~~~~~~
* For commands that run queries, the :code:`--timeout` option now controls the maximal time it may take to evaluate a "layer" of a query rather than a "stage". There are usually many "layers" in each "stage",
but it is usually a single one of the layers in a stage that uses most of the time, so there is no need to reduce existing timeout values as a result of this change.
Query Packs
-----------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* TypeScript 4.5 is now supported.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The :code:`java/constant-comparison` query no longer raises false alerts regarding comparisons with Unicode surrogate character literals.
JavaScript/TypeScript
"""""""""""""""""""""
* Support for handlebars templates has improved. Raw interpolation tags of the form :code:`{{&amp; ... }}` are now recognized,
as well as whitespace-trimming tags like :code:`{{~ ... }}`.
* Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are :code:`express` and :code:`fastify`.
* :code:`js/missing-token-validation` has been made more precise, yielding both fewer false positives and more true positives.
Python
""""""
* Added modeling of many functions from the :code:`os` module that uses file system paths, such as :code:`os.stat`, :code:`os.chdir`, :code:`os.mkdir`, and so on. All of these are new sinks for the *Uncontrolled data used in path expression* (:code:`py/path-injection`) query.
* Added modeling of the :code:`tempfile` module for creating temporary files and directories, such as the functions :code:`tempfile.NamedTemporaryFile` and :code:`tempfile.TemporaryDirectory`. The :code:`suffix`, :code:`prefix`, and :code:`dir` arguments are all vulnerable to path-injection, and these are new sinks for the *Uncontrolled data used in path expression* (:code:`py/path-injection`) query.
* Extended the modeling of FastAPI such that :code:`fastapi.responses.FileResponse` are considered :code:`FileSystemAccess`, making them sinks for the *Uncontrolled data used in path expression* (:code:`py/path-injection`) query.
* Added modeling of the :code:`posixpath`, :code:`ntpath`, and :code:`genericpath` modules for path operations (although these are not supposed to be used), resulting in new sinks for the *Uncontrolled data used in path expression* (:code:`py/path-injection`) query.
* Added modeling of :code:`wsgiref.simple_server` applications, leading to new remote flow sources.
* To support the new SSRF queries, the PyPI package :code:`requests` has been modeled, along with :code:`http.client.HTTP[S]Connection` from the standard library.
New Queries
~~~~~~~~~~~
C/C++
"""""
* A new query :code:`cpp/certificate-not-checked` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
* A new query :code:`cpp/certificate-result-conflation` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
Python
""""""
* Two new queries have been added for detecting Server-side request forgery (SSRF). *Full server-side request forgery* (:code:`py/full-ssrf`) will only alert when the URL is fully user-controlled, and *Partial server-side request forgery* (:code:`py/partial-ssrf`) will alert when any part of the URL is user-controlled. Only :code:`py/full-ssrf` will be run by default.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Java
""""
* :code:`CharacterLiteral`\ 's :code:`getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
* The :code:`RangeAnalysis` module now properly handles comparisons with Unicode surrogate character literals.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Data flow now propagates taint from remote source :code:`Parameter` types to read steps of their fields (e.g. :code:`tainted.publicField` or :code:`tainted.getField()`). This also applies to their subtypes and the types of their fields, recursively.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* Added modeling of many functions from the :code:`os` module that uses file system paths, such as :code:`os.stat`, :code:`os.chdir`, :code:`os.mkdir`, and so on.
* Added modeling of the :code:`tempfile` module for creating temporary files and directories, such as the functions :code:`tempfile.NamedTemporaryFile` and :code:`tempfile.TemporaryDirectory`.
* Extended the modeling of FastAPI such that custom subclasses of :code:`fastapi.APIRouter` are recognized.
* Extended the modeling of FastAPI such that :code:`fastapi.responses.FileResponse` are considered :code:`FileSystemAccess`.
* Added modeling of the :code:`posixpath`, :code:`ntpath`, and :code:`genericpath` modules for path operations (although these are not supposed to be used), resulting in new sinks.
* Added modeling of :code:`wsgiref.simple_server` applications, leading to new remote flow sources.
Deprecated APIs
~~~~~~~~~~~~~~~
Ruby
""""
* :code:`ConstantWriteAccess.getQualifiedName()` has been deprecated in favor of :code:`getAQualifiedName()` which can return multiple possible qualified names for a given constant write access.
New Features
~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* TypeScript 4.5 is now supported.
Ruby
""""
* A new library, :code:`Customizations.qll`, has been added, which allows for global customizations that affect all queries.

26
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.7.6.rst Normal file
Просмотреть файл

@ -0,0 +1,26 @@
.. _codeql-cli-2.7.6:
=========================
CodeQL 2.7.6 (2022-01-24)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* A bug where creation of a CodeQL database could sometimes fail with a :code:`NegativeArraySizeException` has now been fixed.
New Features
~~~~~~~~~~~~
* The CLI and evaluator contain a number of new features in support of internal machine learning experiments. This includes an experimental
:code:`resolve ml-models` subcommand and new :code:`mlModels` metadata in pack definition files. As these new features are not yet ready for general use, they should be ignored by external CodeQL users.

173
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.8.0.rst Normal file
Просмотреть файл

@ -0,0 +1,173 @@
.. _codeql-cli-2.8.0:
=========================
CodeQL 2.8.0 (2022-02-04)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.8.0 runs a total of 298 security queries when configured with the Default suite (covering 136 CWE). The Extended suite enables an additional 93 queries (covering 30 more CWE). 14 security queries have been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The CodeQL Action versions up to and including version 1.0.22 are not compatible with the CodeQL CLI 2.8.0 and later. The CLI will emit an error if it detects that it is being used by an incompatible version of the codeql-action.
Bug Fixes
~~~~~~~~~
* Fixed a bug where :code:`codeql resolve upgrades` ignores the
:code:`--target-dbscheme` option.
New Features
~~~~~~~~~~~~
* A new extractor option has been added to the Java extractor. The flag :code:`--extractor-option exclude='<glob>'` allows specifying a glob that describes which paths need to be excluded from extraction but still need to be compiled. This is useful when some files are necessary for a successful build but are uninteresting for analysis.
See also: https://codeql.github.com/docs/codeql-cli/extractor-options/
* Summary metrics can now associate messages with their results, for instance to report the name and number of uses of a particular API endpoint within a repository. To associate messages with summary metrics, define a query with :code:`@kind metric` and :code:`@tags summary` metadata and use either the :code:`location, message, value` or the :code:`message, value` results pattern.
Query Packs
-----------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* User names and other account information is no longer considered to be sensitive data for the queries :code:`py/clear-text-logging-sensitive-data` and :code:`py/clear-text-storage-sensitive-data`, since this lead to many false positives.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Fix an issue with the :code:`cpp/declaration-hides-variable` query where it would report variables that are unnamed in a database.
* The :code:`cpp/cleartext-storage-file` query has been upgraded with non-local taint flow and has been converted to a :code:`path-problem` query.
* The :code:`cpp/return-stack-allocated-memory` query has been improved to produce fewer false positives. The query has also been converted to a :code:`path-problem` query.
* The "Cleartext transmission of sensitive information" (:code:`cpp/cleartext-transmission`) query has been improved in several ways to reduce false positive results.
* The "Potential improper null termination" (:code:`cpp/improper-null-termination`) query now produces fewer false positive results around control flow branches and loops.
* Added exception for GLib's gboolean to cpp/ambiguously-signed-bit-field.
This change reduces the number of false positives in the query.
Ruby
""""
* The query :code:`rb/csrf-protection-disabled` has been extended to find calls to the Rails method :code:`protect_from_forgery` that may weaken CSRF protection.
New Queries
~~~~~~~~~~~
C/C++
"""""
* The :code:`security` tag has been added to the :code:`cpp/return-stack-allocated-memory` query. As a result, its results will now appear by default.
* The "Uncontrolled data in arithmetic expression" (cpp/uncontrolled-arithmetic) query has been enhanced to reduce false positive results and its @precision increased to high.
* A new :code:`cpp/very-likely-overrunning-write` query has been added to the default query suite for C/C++. The query reports some results that were formerly flagged by :code:`cpp/overrunning-write`.
Java
""""
* A new query "Use of implicit PendingIntents" (:code:`java/android/pending-intents`) has been added.
This query finds implicit and mutable :code:`PendingIntents` sent to an unspecified third party component, which may provide an attacker with access to internal components of the application or cause other unintended effects.
* Two new queries, "Android fragment injection" (:code:`java/android/fragment-injection`) and "Android fragment injection in PreferenceActivity" (:code:`java/android/fragment-injection-preference-activity`) have been added.
These queries find exported Android activities that instantiate and host fragments created from user-provided data. Such activities are vulnerable to access control bypass and expose the Android application to unintended effects.
* The query "\ :code:`TrustManager` that accepts all certificates" (:code:`java/insecure-trustmanager`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @intrigus-lgtm <https://github.com/github/codeql/pull/4879>`__.
* The query "Log Injection" (:code:`java/log-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. The query was originally `submitted as an experimental query by @porcupineyhairs and @dellalibera <https://github.com/github/codeql/pull/5099>`__.
* A new query "Intent URI permission manipulation" (:code:`java/android/intent-uri-permission-manipulation`) has been added.
This query finds Android components that return unmodified, received Intents to the calling applications, which can provide unintended access to internal content providers of the victim application.
* A new query "Cleartext storage of sensitive information in the Android filesystem" (:code:`java/android/cleartext-storage-filesystem`) has been added. This query finds instances of sensitive data being stored in local files without encryption, which may expose it to attackers or malicious applications.
* The query "Cleartext storage of sensitive information using :code:`SharedPreferences` on Android" (:code:`java/android/cleartext-storage-shared-prefs`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/4675>`__.
* The query "Unsafe certificate trust" (:code:`java/unsafe-cert-trust`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/3550>`__.
JavaScript/TypeScript
"""""""""""""""""""""
* A new query :code:`js/samesite-none-cookie` has been added. The query detects when the SameSite attribute is set to None on a sensitive cookie.
* A new query :code:`js/empty-password-in-configuration-file` has been added. The query detects empty passwords in configuration files. The query is not run by default.
Ruby
""""
* Added a new query, :code:`rb/weak-cookie-configuration`. The query finds cases where cookie configuration options are set to values that may make an application more vulnerable to certain attacks.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* The "Random used only once" (:code:`java/random-used-once`) query no longer has a :code:`security-severity` score. This has been causing some tools to categorise it as a security query, when it is more useful as a code-quality query.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Added support for the following C# 10 features.* \ `Record structs <https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#record-structs>`__.
* \ `Improvements of structure types <https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#improvements-of-structure-types>`__.
* Instance parameterless constructor in a structure type.
* Enhance :code:`WithExpr` in QL to support :code:`structs` and anonymous classes.
* \ `Global using directives <https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#global-using-directives>`__.
* \ `File-scoped namespace declaration <https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#file-scoped-namespace-declaration>`__.
* \ `Enhanced #line pragma <https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#enhanced-line-pragma>`__.
* The query :code:`cs/local-shadows-member` no longer highlights parameters of :code:`record` types.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* :code:`FormatLiteral::getMaxConvertedLength` now uses range analysis to provide a more accurate length for integers formatted with :code:`%x`
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`codeql/cpp-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the :code:`codeql/cpp-all` CodeQL pack.
C#
""
* The :code:`codeql/csharp-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the :code:`codeql/csharp-all` CodeQL pack.
Java
""""
* The :code:`codeql/java-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the :code:`codeql/java-all` CodeQL pack.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`codeql/javascript-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the :code:`codeql/javascript-all` CodeQL pack.
Python
""""""
* Moved the files defining regex injection configuration and customization, instead of :code:`import semmle.python.security.injection.RegexInjection` please use :code:`import semmle.python.security.dataflow.RegexInjection` (the same for :code:`RegexInjectionCustomizations`).
* The :code:`codeql/python-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the :code:`codeql/python-all` CodeQL pack.

137
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.8.1.rst Normal file
Просмотреть файл

@ -0,0 +1,137 @@
.. _codeql-cli-2.8.1:
=========================
CodeQL 2.8.1 (2022-02-15)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.8.1 runs a total of 306 security queries when configured with the Default suite (covering 137 CWE). The Extended suite enables an additional 95 queries (covering 30 more CWE). 10 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug that would sometimes lead to query evaluation on M1-based Macs to crash with :code:`Did not preallocate enough memory` error.
New Features
~~~~~~~~~~~~
* Commands that find or run queries now allow you to refer to queries within a named CodeQL pack. For example:
.. code-block:: sh
# Analyze a database using all queries in the experimental/Security folder within the codeql/cpp-queries
# CodeQL query pack.
codeql database analyze --format=sarif-latest --output=results <db> \
codeql/cpp-queries:experimental/Security
# Analyse using only the RedundantNullCheckParam.ql query in the codeql/cpp-queries CodeQL query pack.
codeql database analyze --format=sarif-latest --output=results <db> \
'codeql/cpp-queries:experimental/Likely Bugs/RedundantNullCheckParam.ql'
# Analyse using the cpp-security-and-quality.qls query suite in the codeql/cpp-queries CodeQL query pack.
codeql database analyze --format=sarif-latest --output=results <db> \
'codeql/cpp-queries:codeql-suites/cpp-security-and-quality.qls'
# Analyse using the cpp-security-and-quality.qls query suite from a version of the codeql/cpp-queries pack
# that is >= 0.0.3 and < 0.1.0 (the highest compatible version will be chosen).
# All valid semver ranges are allowed. See https://docs.npmjs.com/cli/v6/using-npm/semver#ranges
codeql database analyze --format=sarif-latest --output=results <db> \
'codeql/cpp-queries@~0.0.3:codeql-suites/cpp-security-and-quality.qls'
The complete way to specify a set of queries is in the form
:code:`scope/name@range:path`, where:
* :code:`scope/name` is the qualified name of a CodeQL pack.
* :code:`range` is a `semver range <https://docs.npmjs.com/cli/v6/using-npm/semver#ranges>`__.
* :code:`path` is a file system path
If a :code:`scope/name` is specified, the :code:`range` and :code:`path` are optional. A missing :code:`range` implies the latest version of the specified pack. A missing :code:`path` implies the default query suite of the specified pack.
The :code:`path` can be one of a :code:`*.ql` query file, a directory containing one or more queries, or a :code:`.qls` query suite file. If there is no pack name specified, then a :code:`path` must be provided,
and will be interpreted relative to the current working directory of the current process.
If a :code:`scope/name` and :code:`path` are specified, then the :code:`path` cannot be absolute. It is considered relative to the root of the CodeQL pack.
The relevant commands are:
* :code:`codeql database analyze`
* :code:`codeql database run-queries`
* :code:`codeql execute queries`
* :code:`codeql resolve queries`
Query Packs
-----------
Bug Fixes
~~~~~~~~~
Python
""""""
* The `View AST functionality <https://codeql.github.com/docs/codeql-for-visual-studio-code/exploring-the-structure-of-your-source-code/>`__ no longer prints detailed information about regular expressions, greatly improving performance.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Cleartext transmission of sensitive information" (:code:`cpp/cleartext-transmission`) query has been further improved to reduce false positive results, and upgraded from :code:`medium` to :code:`high` precision.
* The "Cleartext transmission of sensitive information" (:code:`cpp/cleartext-transmission`) query now finds more results, where a password is stored in a struct field or class member variable.
* The :code:`cpp/cleartext-storage-file` query has been improved, removing false positives where data is written to a standard output stream.
* The :code:`cpp/cleartext-storage-buffer` query has been updated to use the :code:`semmle.code.cpp.dataflow.TaintTracking` library.
* The :code:`cpp/world-writable-file-creation` query now only detects :code:`open` and :code:`openat` calls with the :code:`O_CREAT` or :code:`O_TMPFILE` flag.
New Queries
~~~~~~~~~~~
C/C++
"""""
* Added a new query, :code:`cpp/open-call-with-mode-argument`, to detect when :code:`open` or :code:`openat` is called with the :code:`O_CREAT` or :code:`O_TMPFILE` flag but when the :code:`mode` argument is omitted.
Java
""""
* A new query "Cleartext storage of sensitive information using a local database on Android" (:code:`java/android/cleartext-storage-database`) has been added. This query finds instances of sensitive data being stored in local databases without encryption, which may expose it to attackers or malicious applications.
JavaScript/TypeScript
"""""""""""""""""""""
* A new query, :code:`js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution.
The query is not run by default.
* A new query :code:`js/file-system-race` has been added. The query detects when there is time between a file being checked and used. The query is not run by default.
* A new query :code:`js/jwt-missing-verification` has been added. The query detects applications that don't verify JWT tokens.
* The :code:`js/insecure-dependency` query has been added. It detects dependencies that are downloaded using an unencrypted connection.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* Added support for C# 10 lambda improvements
* Explicit return types on lambda expressions.
* Lambda expression can be tagged with method and return value attributes.
* Added support for C# 10 `Extended property patterns <https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#extended-property-patterns>`__.
* Return value attributes are extracted.
* The QL :code:`Attribute` class now has subclasses for each kind of attribute.

147
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.8.2.rst Normal file
Просмотреть файл

@ -0,0 +1,147 @@
.. _codeql-cli-2.8.2:
=========================
CodeQL 2.8.2 (2022-02-28)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.8.2 runs a total of 308 security queries when configured with the Default suite (covering 139 CWE). The Extended suite enables an additional 99 queries (covering 30 more CWE). 6 security queries have been added with this release.
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The support for the output formats SARIF v1.0.0 and SARIF v2.0.0
(Committee Specification Draft 1) that were deprecated in 2.7.1 has been removed. If you need this functionality, please file a public issue against https://github.com/github/codeql-cli-binaries, or open a private ticket with GitHub Support and request an escalation to engineering.
New Features
~~~~~~~~~~~~
* The CodeQL CLI is now compatible with Windows 11 and Windows Server 2022, including building databases for compiled languages.
Query Packs
-----------
Breaking Changes
~~~~~~~~~~~~~~~~
Java
""""
* Add more classes to Netty request/response splitting. Change identification to :code:`java/netty-http-request-or-response-splitting`.
Identify request splitting differently from response splitting in query results.
Support additional classes:
* :code:`io.netty.handler.codec.http.CombinedHttpHeaders`
* :code:`io.netty.handler.codec.http.DefaultHttpRequest`
* :code:`io.netty.handler.codec.http.DefaultFullHttpRequest`
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added dataflow through the |link-code-snapdragon-1|_ library.
New Queries
~~~~~~~~~~~
Java
""""
* A new query titled "Local information disclosure in a temporary directory" (:code:`java/local-temp-file-or-directory-information-disclosure`) has been added.
This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory.
This query was originally `submitted as query by @JLLeitschuh <https://github.com/github/codeql/pull/4388>`__.
JavaScript/TypeScript
"""""""""""""""""""""
* A new query, :code:`js/functionality-from-untrusted-source`, has been added to the query suite. It finds DOM elements that load functionality from untrusted sources, like :code:`script` or :code:`iframe` elements using :code:`http` links.
The query is run by default.
Python
""""""
* The query "LDAP query built from user-controlled sources" (:code:`py/ldap-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @jorgectf <https://github.com/github/codeql/pull/5443>`__.
* The query "Log Injection" (:code:`py/log-injection`) has been promoted from experimental to the main query pack. Its results will now appear when :code:`security-extended` is used. This query was originally `submitted as an experimental query by @haby0 <https://github.com/github/codeql/pull/6182>`__.
Ruby
""""
* Added a new query, :code:`rb/clear-text-logging-sensitive-data`. The query finds cases where sensitive information, such as user credentials, are logged as cleartext.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The precision of hardcoded credentials queries (:code:`cs/hardcoded-credentials` and
:code:`cs/hardcoded-connection-string-credentials`) have been downgraded to medium.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/request-forgery` query previously flagged both server-side and client-side request forgery,
but these are now handled by two different queries:
* :code:`js/request-forgery` is now specific to server-side request forgery. Its precision has been raised to
:code:`high` and is now shown by default (it was previously in the :code:`security-extended` suite).
* :code:`js/client-side-request-forgery` is specific to client-side request forgery. This is technically a new query but simply flags a subset of what the old query did.
This has precision :code:`medium` and is part of the :code:`security-extended` suite.
Deprecated Classes
~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`CodeDuplication.Copy`, :code:`CodeDuplication.DuplicateBlock`, and :code:`CodeDuplication.SimilarBlock` classes have been deprecated.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ruby
""""
* Added :code:`FileSystemWriteAccess` concept to model data written to the filesystem.
Deprecated APIs
~~~~~~~~~~~~~~~
Python
""""""
* The old points-to based modeling has been deprecated. Use the new type-tracking/API-graphs based modeling instead.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added a :code:`isStructuredBinding` predicate to the :code:`Variable` class which holds when the variable is declared as part of a structured binding declaration.
Java
""""
* Added predicates :code:`ClassOrInterface.getAPermittedSubtype` and :code:`isSealed` exposing information about sealed classes.
.. |link-code-snapdragon-1| replace:: :code:`snapdragon`\
.. _link-code-snapdragon-1: https://npmjs.com/package/snapdragon

164
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.8.3.rst Normal file
Просмотреть файл

@ -0,0 +1,164 @@
.. _codeql-cli-2.8.3:
=========================
CodeQL 2.8.3 (2022-03-14)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.8.3 runs a total of 312 security queries when configured with the Default suite (covering 140 CWE). The Extended suite enables an additional 99 queries (covering 29 more CWE). 4 security queries have been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* Executable binaries for Windows are now digitally signed by a GitHub certificate.
Miscellaneous
~~~~~~~~~~~~~
* The evaluator logs produced by :code:`--evaluator-log` now default to the maximum verbosity level and will therefore contain more information
(and, accordingly, grow larger). The verbosity level can still be configured with :code:`--evaluator-log-level`. In particular,
:code:`--evaluator-log-level=1` will restore the previous default behavior.
Query Packs
-----------
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The deprecated queries :code:`cpp/duplicate-block`, :code:`cpp/duplicate-function`, :code:`cpp/duplicate-class`, :code:`cpp/duplicate-file`, :code:`cpp/mostly-duplicate-function`,:code:`cpp/similar-file`, :code:`cpp/duplicated-lines-in-files` have been removed.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Failure to use HTTPS URLs" (:code:`cpp/non-https-url`) has been improved reducing false positive results, and its precision has been increased to 'high'.
* The :code:`cpp/system-data-exposure` query has been modernized and has converted to a :code:`path-problem` query. There are now fewer false positive results.
C#
""
* Casts to :code:`dynamic` are excluded from the useless upcasts check (:code:`cs/useless-upcast`).
* The C# extractor now accepts an extractor option :code:`buildless`, which is used to decide what type of extraction that should be performed. If :code:`true` then buildless (standalone) extraction will be performed. Otherwise tracing extraction will be performed (default).
The option is added via :code:`codeql database create --language=csharp -Obuildless=true ...`.
* The C# extractor now accepts an extractor option :code:`trap.compression`, which is used to decide the compression format for TRAP files. The legal values are :code:`brotli` (default), :code:`gzip` or :code:`none`.
The option is added via :code:`codeql database create --language=csharp -Otrap.compression=value ...`.
New Queries
~~~~~~~~~~~
C/C++
"""""
* A new query titled "Use of expired stack-address" (:code:`cpp/using-expired-stack-address`) has been added.
This query finds accesses to expired stack-allocated memory that escaped via a global variable.
* A new :code:`cpp/insufficient-key-size` query has been added to the default query suite for C/C++. The query finds uses of certain cryptographic algorithms where the key size is too small to provide adequate encryption strength.
Python
""""""
* The query "XPath query built from user-controlled sources" (:code:`py/xpath-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/6331>`__.
Deprecated Predicates and Classes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The predicates and classes in the :code:`CodeDuplication` library have been deprecated.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
C#
""
* The C# extractor no longer supports the following legacy environment variables:
.. code-block:: text
ODASA_BUILD_ERROR_DIR
ODASA_CSHARP_LAYOUT
ODASA_SNAPSHOT
SEMMLE_DIST
SEMMLE_EXTRACTOR_OPTIONS
SEMMLE_PLATFORM_TOOLS
SEMMLE_PRESERVE_SYMLINKS
SOURCE_ARCHIVE
TRAP_FOLDER
* :code:`codeql test run` now extracts source code recursively from sub folders. This may break existing tests that have other tests in nested sub folders, as those will now get the nested test code included.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 4.6.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Many queries now support structured bindings, as structured bindings are now handled in the IR translation.
Java
""""
* Add support for :code:`CharacterLiteral` in :code:`CompileTimeConstantExpr.getStringValue()`
JavaScript/TypeScript
"""""""""""""""""""""
* Added sources from the |link-code-jszip-1|_ library to the :code:`js/zipslip` query.
Python
""""""
* Added new SSRF sinks for :code:`httpx`, :code:`pycurl`, :code:`urllib`, :code:`urllib2`, :code:`urllib3`, and :code:`libtaxii`. This improvement was `submitted by @haby0 <https://github.com/github/codeql/pull/8275>`__.
* The regular expression parser now groups sequences of normal characters. This reduces the number of instances of :code:`RegExpNormalChar`.
* Fixed taint propagation for attribute assignment. In the assignment :code:`x.foo = tainted` we no longer treat the entire object :code:`x` as tainted, just because the attribute :code:`foo` contains tainted data. This leads to slightly fewer false positives.
* Improved analysis of attributes for data-flow and taint tracking queries, so :code:`getattr`\ /\ :code:`setattr` are supported, and a write to an attribute properly stops flow for the old value in that attribute.
* Added post-update nodes (:code:`DataFlow::PostUpdateNode`) for arguments in calls that can't be resolved.
Ruby
""""
* The :code:`Regex` class is now an abstract class that extends :code:`StringlikeLiteral` with implementations for :code:`RegExpLiteral` and string literals that 'flow' into functions that are known to interpret string arguments as regular expressions such as :code:`Regex.new` and :code:`String.match`.
* The regular expression parser now groups sequences of normal characters. This reduces the number of instances of :code:`RegExpNormalChar`.
New Features
~~~~~~~~~~~~
Java
""""
* Added :code:`hasDescendant(RefType anc, Type sub)`
* Added :code:`RefType.getADescendant()`
* Added :code:`RefType.getAStrictAncestor()`
.. |link-code-jszip-1| replace:: :code:`jszip`\
.. _link-code-jszip-1: https://www.npmjs.com/package/jszip

209
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.8.4.rst Normal file
Просмотреть файл

@ -0,0 +1,209 @@
.. _codeql-cli-2.8.4:
=========================
CodeQL 2.8.4 (2022-03-29)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.8.4 runs a total of 315 security queries when configured with the Default suite (covering 140 CWE). The Extended suite enables an additional 99 queries (covering 29 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed an error where running out of memory during query evaluation would cause :code:`codeql` to exit with status 34 instead of the 99 that is documented for this condition.
* Fixed a bug in our handling of Clang's header maps, which caused missing files for Xcode-based projects on macOS (e.g. WebKit).
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/overflow-destination`, :code:`cpp/unclear-array-index-validation`, and :code:`cpp/uncontrolled-allocation-size` queries have been modernized and converted to :code:`path-problem` queries and provide more true positive results.
* The :code:`cpp/system-data-exposure` query has been increased from :code:`medium` to :code:`high` precision, following a number of improvements to the query logic.
Java
""""
* Updated "Local information disclosure in a temporary directory" (:code:`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed an issue that would sometimes prevent the data-flow analysis from finding flow paths through a function that stores its result on an object.
This may lead to more results for the security queries.
New Queries
~~~~~~~~~~~
Java
""""
* The query "Insertion of sensitive information into log files" (:code:`java/sensitive-logging`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/3090>`__.
Ruby
""""
* Added a new query, :code:`rb/clear-text-storage-sensitive-data`. The query finds cases where sensitive information, such as user credentials, are stored as cleartext.
* Added a new query, :code:`rb/incomplete-hostname-regexp`. The query finds instances where a hostname is incompletely sanitized due to an unescaped character in a regular expression.
Language Libraries
------------------
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The flow state variants of :code:`isBarrier` and :code:`isAdditionalFlowStep` are no longer exposed in the taint tracking library. The :code:`isSanitizer` and :code:`isAdditionalTaintStep` predicates should be used instead.
C#
""
* The flow state variants of :code:`isBarrier` and :code:`isAdditionalFlowStep` are no longer exposed in the taint tracking library. The :code:`isSanitizer` and :code:`isAdditionalTaintStep` predicates should be used instead.
Java
""""
* The flow state variants of :code:`isBarrier` and :code:`isAdditionalFlowStep` are no longer exposed in the taint tracking library. The :code:`isSanitizer` and :code:`isAdditionalTaintStep` predicates should be used instead.
Python
""""""
* The flow state variants of :code:`isBarrier` and :code:`isAdditionalFlowStep` are no longer exposed in the taint tracking library. The :code:`isSanitizer` and :code:`isAdditionalTaintStep` predicates should be used instead.
Ruby
""""
* The flow state variants of :code:`isBarrier` and :code:`isAdditionalFlowStep` are no longer exposed in the taint tracking library. The :code:`isSanitizer` and :code:`isAdditionalTaintStep` predicates should be used instead.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* :code:`DefaultOptions::exits` now holds for C11 functions with the :code:`_Noreturn` or :code:`noreturn` specifier.
* :code:`hasImplicitCopyConstructor` and :code:`hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
C#
""
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Java
""""
* Added new guards :code:`IsWindowsGuard`, :code:`IsSpecificWindowsVariant`, :code:`IsUnixGuard`, and :code:`IsSpecificUnixVariant` to detect OS specific guards.
* Added a new predicate :code:`getSystemProperty` that gets all expressions that retrieve system properties from a variety of sources (eg. alternative JDK API's, Google Guava, Apache Commons, Apache IO, etc.).
* Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (:code:`java.sql`), Hikari Connection Pool, JDBI and Spring JDBC.
* Re-removed support for :code:`CharacterLiteral` from :code:`CompileTimeConstantExpr.getStringValue()` to restore the convention that that predicate only applies to :code:`String`\ -typed constants.
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
JavaScript/TypeScript
"""""""""""""""""""""
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Python
""""""
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Ruby
""""
* :code:`getConstantValue()` now returns the contents of strings and symbols after escape sequences have been interpreted. For example, for the Ruby string literal :code:`"\n"`, :code:`getConstantValue().getString()` previously returned a QL string with two characters, a backslash followed by :code:`n`\ ; now it returns the single-character string "\n" (U+000A, known as newline).
* :code:`getConstantValue().getInt()` previously returned incorrect values for integers larger than 2\ :sup:`31`-1 (the largest value that can be represented by the QL :code:`int` type). It now returns no result in those cases.
* Added :code:`OrmWriteAccess` concept to model data written to a database using an object-relational mapping (ORM) library.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
C#
""
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Java
""""
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
JavaScript/TypeScript
"""""""""""""""""""""
* Some predicates from :code:`DefUse.qll`, :code:`DataFlow.qll`, :code:`TaintTracking.qll`, :code:`DOM.qll`, :code:`Definitions.qll` that weren't used by any query have been deprecated.
The documentation for each predicate points to an alternative.
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Python
""""""
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
Ruby
""""
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
New Features
~~~~~~~~~~~~
C/C++
"""""
* The data flow and taint tracking libraries have been extended with versions of :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isBarrierGuard`, respectively :code:`isSanitizerIn`, :code:`isSanitizerOut`, and :code:`isSanitizerGuard`, that support flow states.
C#
""
* The data flow and taint tracking libraries have been extended with versions of :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isBarrierGuard`, respectively :code:`isSanitizerIn`, :code:`isSanitizerOut`, and :code:`isSanitizerGuard`, that support flow states.
Java
""""
* The data flow and taint tracking libraries have been extended with versions of :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isBarrierGuard`, respectively :code:`isSanitizerIn`, :code:`isSanitizerOut`, and :code:`isSanitizerGuard`, that support flow states.
Python
""""""
* The data flow and taint tracking libraries have been extended with versions of :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isBarrierGuard`, respectively :code:`isSanitizerIn`, :code:`isSanitizerOut`, and :code:`isSanitizerGuard`, that support flow states.
Ruby
""""
* The data flow and taint tracking libraries have been extended with versions of :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isBarrierGuard`, respectively :code:`isSanitizerIn`, :code:`isSanitizerOut`, and :code:`isSanitizerGuard`, that support flow states.

17
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.8.5.rst Normal file
Просмотреть файл

@ -0,0 +1,17 @@
.. _codeql-cli-2.8.5:
=========================
CodeQL 2.8.5 (2022-04-07)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.

198
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.9.0.rst Normal file
Просмотреть файл

@ -0,0 +1,198 @@
.. _codeql-cli-2.9.0:
=========================
CodeQL 2.9.0 (2022-04-26)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.9.0 runs a total of 325 security queries when configured with the Default suite (covering 140 CWE). The Extended suite enables an additional 102 queries (covering 29 more CWE). 13 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug that would prevent resolution of a query suite in a published CodeQL query pack that has a reference to the pack itself.
* Fixed inaccurate documentation of what the :code:`--include-extension` option to :code:`codeql resolve files` and :code:`codeql database index-files` does. The actual behavior is unchanged.
New Features
~~~~~~~~~~~~
* :code:`codeql database create` now supports the :code:`--[no-]-count-lines` option, which was previously only available with :code:`codeql database init`.
* :code:`codeql resolve files` and :code:`codeql database index-files` has a new
:code:`--also-match` option, which allows users to specify glob patterns that are applied in conjunction with the existing :code:`--include` option.
QL Language
~~~~~~~~~~~
* This release introduces experimental support for parameterized QL modules. This language feature is still subject to change and should not be used in production yet.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/cleartext-transmission` query now recognizes additional sources, for sensitive private data such as e-mail addresses and credit card numbers.
* The :code:`cpp/unused-local-variable` no longer ignores functions that include lambda expressions capturing trivially copyable objects.
* The :code:`cpp/command-line-injection` query now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations.
* A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (:code:`cpp/potential-system-data-exposure`) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (:code:`cpp/system-data-exposure`) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
Java
""""
* Fixed "Local information disclosure in a temporary directory" (:code:`java/local-temp-file-or-directory-information-disclosure`) to resolve false-negatives when OS isn't properly used as logical guard.
* The :code:`SwitchCase.getRuleExpression()` predicate now gets expressions for case rules with an expression on the right-hand side of the arrow belonging to both :code:`SwitchStmt` and :code:`SwitchExpr`, and the corresponding :code:`getRuleStatement()` no longer returns an :code:`ExprStmt` in either case. Previously :code:`SwitchStmt` and :code:`SwitchExpr` behaved differently in
this respect.
JavaScript/TypeScript
"""""""""""""""""""""
* Improved handling of custom DOM elements, potentially leading to more alerts for the XSS queries.
* Improved taint tracking through calls to the :code:`Array.prototype.reduce` function.
New Queries
~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/resource-exhaustion` query has been added. It highlights locations where an attacker can cause a large amount of resources to be consumed.
The query previously existed as an experimental query.
Ruby
""""
* Added a new query, :code:`rb/insecure-dependency`. The query finds cases where Ruby gems may be downloaded over an insecure communication channel.
* Added a new query, :code:`rb/weak-cryptographic-algorithm`. The query finds uses of cryptographic algorithms that are known to be weak, such as DES.
* Added a new query, :code:`rb/http-tainted-format-string`. The query finds cases where data from remote user input is used in a string formatting method in a way that allows arbitrary format specifiers to be inserted.
* Added a new query, :code:`rb/http-to-file-access`. The query finds cases where data from remote user input is written to a file.
* Added a new query, :code:`rb/incomplete-url-substring-sanitization`. The query finds instances where a URL is incompletely sanitized due to insufficient checks.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Added the :code:`security-severity` tag to several queries.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The following predicates on :code:`API::Node` have been changed so as not to include the receiver. The receiver should now only be accessed via :code:`getReceiver()`.
* :code:`getParameter(int i)` previously included the receiver when :code:`i = -1`
* :code:`getAParameter()` previously included the receiver
* :code:`getLastParameter()` previously included the receiver for calls with no arguments
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The recently added flow-state versions of :code:`isBarrierIn`, :code:`isBarrierOut`, :code:`isSanitizerIn`, and :code:`isSanitizerOut` in the data flow and taint tracking libraries have been removed.
C#
""
* The recently added flow-state versions of :code:`isBarrierIn`, :code:`isBarrierOut`, :code:`isSanitizerIn`, and :code:`isSanitizerOut` in the data flow and taint tracking libraries have been removed.
Java
""""
* The recently added flow-state versions of :code:`isBarrierIn`, :code:`isBarrierOut`, :code:`isSanitizerIn`, and :code:`isSanitizerOut` in the data flow and taint tracking libraries have been removed.
* The :code:`getUrl` predicate of :code:`DeclaredRepository` in :code:`MavenPom.qll` has been renamed to :code:`getRepositoryUrl`.
Python
""""""
* The recently added flow-state versions of :code:`isBarrierIn`, :code:`isBarrierOut`, :code:`isSanitizerIn`, and :code:`isSanitizerOut` in the data flow and taint tracking libraries have been removed.
Ruby
""""
* The recently added flow-state versions of :code:`isBarrierIn`, :code:`isBarrierOut`, :code:`isSanitizerIn`, and :code:`isSanitizerOut` in the data flow and taint tracking libraries have been removed.
* The :code:`getURL` member-predicates of the :code:`HTTP::Client::Request` and :code:`HTTP::Client::Request::Range` classes from :code:`Concepts.qll` have been renamed to :code:`getAUrlPart`.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python
""""""
* Added data-flow for Django ORM models that are saved in a database (no :code:`models.ForeignKey` support).
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
Java
""""
* Added guard precondition support for assertion methods for popular testing libraries (e.g. Junit 4, Junit 5, TestNG).
Python
""""""
* Improved modeling of Flask :code:`Response` objects, so passing a response body with the keyword argument :code:`response` is now recognized.
Ruby
""""
* Whereas :code:`ConstantValue::getString()` previously returned both string and regular-expression values, it now returns only string values. The same applies to :code:`ConstantValue::isString(value)`.
* Regular-expression values can now be accessed with the new predicates :code:`ConstantValue::getRegExp()`, :code:`ConstantValue::isRegExp(value)`, and :code:`ConstantValue::isRegExpWithFlags(value, flags)`.
* The :code:`ParseRegExp` and :code:`RegExpTreeView` modules are now "internal" modules. Users should use :code:`codeql.ruby.Regexp` instead.
Deprecated APIs
~~~~~~~~~~~~~~~
Python
""""""
* Queries importing a data-flow configuration from :code:`semmle.python.security.dataflow` should ensure that the imported file ends with :code:`Query`, and only import its top-level module. For example, a query that used :code:`CommandInjection::Configuration` from
:code:`semmle.python.security.dataflow.CommandInjection` should from now use :code:`Configuration` from :code:`semmle.python.security.dataflow.CommandInjectionQuery` instead.
Ruby
""""
* :code:`ConstantValue::getStringOrSymbol` and :code:`ConstantValue::isStringOrSymbol`, which return/hold for all string-like values (strings, symbols, and regular expressions), have been renamed to :code:`ConstantValue::getStringlikeValue` and :code:`ConstantValue::isStringlikeValue`, respectively. The old names have been marked as :code:`deprecated`.
New Features
~~~~~~~~~~~~
C/C++
"""""
* A new library :code:`semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
Java
""""
* There are now QL classes ErrorExpr and ErrorStmt. These may be generated by upgrade or downgrade scripts when databases cannot be fully converted.

113
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.9.1.rst Normal file
Просмотреть файл

@ -0,0 +1,113 @@
.. _codeql-cli-2.9.1:
=========================
CodeQL 2.9.1 (2022-05-05)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.9.1 runs a total of 327 security queries when configured with the Default suite (covering 140 CWE). The Extended suite enables an additional 103 queries (covering 29 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Query :code:`java/insecure-cookie` no longer produces a false positive if :code:`cookie.setSecure(...)` is called passing a constant that always equals :code:`true`.
JavaScript/TypeScript
"""""""""""""""""""""
* The call graph now deals more precisely with calls to accessors (getters and setters).
Previously, calls to static accessors were not resolved, and some method calls were incorrectly seen as calls to an accessor. Both issues have been fixed.
New Queries
~~~~~~~~~~~
C/C++
"""""
* An new query :code:`cpp/external-entity-expansion` has been added. The query detects XML objects that are vulnerable to external entity expansion (XXE) attacks.
Ruby
""""
* Added a new query, :code:`rb/insecure-download`. The query finds cases where executables and other sensitive files are downloaded over an insecure connection, which may allow for man-in-the-middle attacks.
* Added a new query, :code:`rb/regex/missing-regexp-anchor`, which finds regular expressions which are improperly anchored. Validations using such expressions are at risk of being bypassed.
* Added a new query, :code:`rb/incomplete-sanitization`. The query finds string transformations that do not replace or escape all occurrences of a meta-character.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Java
""""
* The QL class :code:`JumpStmt` has been made the superclass of :code:`BreakStmt`, :code:`ContinueStmt` and :code:`YieldStmt`. This allows directly using its inherited predicates without having to explicitly cast to :code:`JumpStmt` first.
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
C#
""
* The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
Java
""""
* The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
Python
""""""
* The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
Ruby
""""
* The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* More Windows pool allocation functions are now detected as :code:`AllocationFunction`\ s.
* The :code:`semmle.code.cpp.commons.Buffer` library has been enhanced to handle array members of classes that do not specify a size.
Java
""""
* Improved the data flow support for the Android class :code:`SharedPreferences$Editor`. Specifically, the fluent logic of some of its methods is now taken into account when calculating data flow.
* Added flow sources and steps for JMS versions 1 and 2.
* Added flow sources and steps for RabbitMQ.
* Added flow steps for :code:`java.io.DataInput` and :code:`java.io.ObjectInput` implementations.
* Added data-flow models for the Spring Framework component :code:`spring-beans`.

220
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.9.2.rst Normal file
Просмотреть файл

@ -0,0 +1,220 @@
.. _codeql-cli-2.9.2:
=========================
CodeQL 2.9.2 (2022-05-16)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.9.2 runs a total of 330 security queries when configured with the Default suite (covering 141 CWE). The Extended suite enables an additional 104 queries (covering 29 more CWE). 4 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug that could make it unpredictable whether the QL compiler reports problems about query metadata tags, and thereby make :code:`codeql test run` fail spuriously in some cases.
New Features
~~~~~~~~~~~~
* The tables produced by :code:`codeql database analyze` summarizing the results of any diagnostic and metric queries that were run now exclude the results of queries tagged :code:`telemetry`.
* Uploading SARIF results using the :code:`codeql github upload-results` command now has a timeout of 5 minutes.
* Downloading CodeQL packs using the :code:`codeql pack download`,
:code:`codeql pack install` and related commands now have a timeout of 5 minutes and will retry 3 times before failing. Similar behavior has been added to the :code:`codeql pack publish` command.
* The :code:`codeql generate log-summary` command will now print progress updates to :code:`stderr`.
Removed Features
~~~~~~~~~~~~~~~~
* The table printed by :code:`codeql database analyze` to summarize the results of metric queries that were part of the analysis now reports a single row per metric name independently of the verbosity level of the command. Previously, at higher verbosity levels, this table would contain multiple rows for metric names with multiple values.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "XML external entity expansion" (:code:`cpp/external-entity-expansion`) query has been extended to support a broader selection of XML libraries and interfaces.
Java
""""
* Query :code:`java/insecure-cookie` now tolerates setting a cookie's secure flag to :code:`request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
* The query :code:`java/non-https-urls` has been simplified and no longer requires its sinks to be :code:`MethodAccess`\ es.
* The logic to detect :code:`WebView`\ s with JavaScript (and optionally file access) enabled in the query :code:`java/android/unsafe-android-webview-fetch` has been improved.
New Queries
~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/missing-origin-check` query has been added. It highlights "message" event handlers that do not check the origin of the event.
The query previously existed as the experimental :code:`js/missing-postmessageorigin-verification` query.
Python
""""""
* "XML external entity expansion" (:code:`py/xxe`). Results will appear by default. This query was based on `an experimental query by @jorgectf <https://github.com/github/codeql/pull/6112>`__.
* "XML internal entity expansion" (:code:`py/xml-bomb`). Results will appear by default. This query was based on `an experimental query by @jorgectf <https://github.com/github/codeql/pull/6112>`__.
* The query "CSRF protection weakened or disabled" (:code:`py/csrf-protection-disabled`) has been implemented. Its results will now appear by default.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Query :code:`java/predictable-seed` now has a tag for CWE-337.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Ruby
""""
* The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.
Breaking Changes
~~~~~~~~~~~~~~~~
Python
""""""
* The imports made available from :code:`import python` are no longer exposed under :code:`DataFlow::` after doing :code:`import semmle.python.dataflow.new.DataFlow`, for example using :code:`DataFlow::Add` will now cause a compile error.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Added models for the libraries OkHttp and Retrofit.
* Add taint models for the following :code:`File` methods:
* :code:`File::getAbsoluteFile`
* :code:`File::getCanonicalFile`
* :code:`File::getAbsolutePath`
* :code:`File::getCanonicalPath`
* Added a flow step for :code:`toString` calls on tainted :code:`android.text.Editable` objects.
* Added a data flow step for tainted Android intents that are sent to other activities and accessed there via :code:`getIntent()`.
* Added modeling of MyBatis (:code:`org.apache.ibatis`) Providers, resulting in additional sinks for the queries :code:`java/ognl-injection`, :code:`java/sql-injection`, :code:`java/sql-injection-local` and :code:`java/concatenated-sql-query`.
JavaScript/TypeScript
"""""""""""""""""""""
* The `cash <https://github.com/fabiospampinato/cash>`__ library is now modelled as an alias for JQuery.
Sinks and sources from cash should now be handled by all XSS queries.
* Added the :code:`Selection` api as a DOM text source in the :code:`js/xss-through-dom` query.
* The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
Python
""""""
* The modeling of :code:`request.files` in Flask has been fixed, so we now properly handle assignments to local variables (such as :code:`files = request.files; files['key'].filename`).
* Added taint propagation for :code:`io.StringIO` and :code:`io.BytesIO`. This addition was originally `submitted as part of an experimental query by @jorgectf <https://github.com/github/codeql/pull/6112>`__.
Deprecated APIs
~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`ReflectedXss`, :code:`StoredXss`, :code:`XssThroughDom`, and :code:`ExceptionXss` modules from :code:`Xss.qll` have been deprecated.
Use the :code:`Customizations.qll` file belonging to the query instead.
New Features
~~~~~~~~~~~~
Java
""""
* A number of new classes and methods related to the upcoming Kotlin support have been added. These are not yet stable, as Kotlin support is still under development.
* :code:`File::isSourceFile`
* :code:`File::isJavaSourceFile`
* :code:`File::isKotlinSourceFile`
* :code:`Member::getKotlinType`
* :code:`Element::isCompilerGenerated`
* :code:`Expr::getKotlinType`
* :code:`LambdaExpr::isKotlinFunctionN`
* :code:`Callable::getReturnKotlinType`
* :code:`Callable::getParameterKotlinType`
* :code:`Method::isLocal`
* :code:`Method::getKotlinName`
* :code:`Field::getKotlinType`
* :code:`Modifiable::isSealedKotlin`
* :code:`Modifiable::isInternal`
* :code:`Variable::getKotlinType`
* :code:`LocalVariableDecl::getKotlinType`
* :code:`Parameter::getKotlinType`
* :code:`Parameter::isExtensionParameter`
* :code:`Compilation` class
* :code:`Diagnostic` class
* :code:`KtInitializerAssignExpr` class
* :code:`ValueEQExpr` class
* :code:`ValueNEExpr` class
* :code:`ValueOrReferenceEqualsExpr` class
* :code:`ValueOrReferenceNotEqualsExpr` class
* :code:`ReferenceEqualityTest` class
* :code:`CastingExpr` class
* :code:`SafeCastExpr` class
* :code:`ImplicitCastExpr` class
* :code:`ImplicitNotNullExpr` class
* :code:`ImplicitCoercionToUnitExpr` class
* :code:`UnsafeCoerceExpr` class
* :code:`PropertyRefExpr` class
* :code:`NotInstanceOfExpr` class
* :code:`ExtensionReceiverAccess` class
* :code:`WhenExpr` class
* :code:`WhenBranch` class
* :code:`ClassExpr` class
* :code:`StmtExpr` class
* :code:`StringTemplateExpr` class
* :code:`NotNullExpr` class
* :code:`TypeNullPointerException` class
* :code:`KtComment` class
* :code:`KtCommentSection` class
* :code:`KotlinType` class
* :code:`KotlinNullableType` class
* :code:`KotlinNotnullType` class
* :code:`KotlinTypeAlias` class
* :code:`Property` class
* :code:`DelegatedProperty` class
* :code:`ExtensionMethod` class
* :code:`KtInitializerNode` class
* :code:`KtLoopStmt` class
* :code:`KtBreakContinueStmt` class
* :code:`KtBreakStmt` class
* :code:`KtContinueStmt` class
* :code:`ClassObject` class
* :code:`CompanionObject` class
* :code:`LiveLiteral` class
* :code:`LiveLiteralMethod` class
* :code:`CastConversionContext` renamed to :code:`CastingConversionContext`
* The QL class :code:`ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.

194
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.9.3.rst Normal file
Просмотреть файл

@ -0,0 +1,194 @@
.. _codeql-cli-2.9.3:
=========================
CodeQL 2.9.3 (2022-05-31)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.9.3 runs a total of 335 security queries when configured with the Default suite (covering 142 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 5 security queries have been added with this release.
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug where precompiled CodeQL packages in the CodeQL bundle were being recompiled if they were in a read-only directory.
* Fixed a bug where new versions of the VS Code extension wouldn't run two queries in parallel against one database.
New Features
~~~~~~~~~~~~
* Users can now use CodeQL Packaging Beta to publish and download CodeQL packs on GitHub Enterprise Server (GHES) versions 3.6 and later.
To authenticate to a package registry on GHES 3.6+, first create a
:code:`~/.codeql/qlconfig.yml` file. For example, the following file specifies that all CodeQL packages should be uploaded to the GHES instance with the hostname :code:`GHE_HOSTNAME`\ :
.. code-block:: yaml
registries:
- packages: '*'
url: https://containers.GHE_HOSTNAME/v2/
You can now download public packages from GHES using
:code:`codeql pack download`.
To publish any package or download private packages, authenticate to GHES by specifying registry/token pairs in the
:code:`CODEQL_REGISTRIES_AUTH` environment variable. You can authenticate using either a GitHub Apps token or a personal access token. For example,
:code:`https://containers.GHEHOSTNAME1/v2/=TOKEN1,https://containers.GHEHOSTNAME2/v2/=TOKEN2` will authenticate the CLI to the :code:`GHEHOSTNAME1` and :code:`GHEHOSTNAME2` GHES instances.
Query Packs
-----------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* The query "Incorrect conversion between integer types" has been improved to treat :code:`math.MaxUint` and :code:`math.MaxInt` as the values they would be on a 32-bit architecture. This should lead to fewer false positive results.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "XML external entity expansion" (:code:`cpp/external-entity-expansion`) query precision has been increased to :code:`high`.
* The :code:`cpp/unused-local-variable` no longer ignores functions that include :code:`if` and :code:`switch` statements with C++17-style initializers.
Golang
""""""
* Fixed sanitization by calls to :code:`strings.Replace` and :code:`strings.ReplaceAll` in queries :code:`go/log-injection` and :code:`go/unsafe-quoting`.
Java
""""
* Query :code:`java/sensitive-log` has received several improvements.
* It no longer considers usernames as sensitive information.
* The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
* A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.
New Queries
~~~~~~~~~~~
Golang
""""""
* A new query "Log entries created from user input" (:code:`go/log-injection`) has been added. The query reports user-provided data reaching calls to logging methods.
* A new query *Log entries created from user input* (:code:`go/log-injection`) has been added. The query reports user-provided data reaching calls to logging methods.
* Added a new query, :code:`go/unexpected-nil-value`, to find calls to :code:`Wrap` from :code:`pkg/errors` where the error argument is always nil.
Java
""""
* Two new queries "Inefficient regular expression" (:code:`java/redos`) and "Polynomial regular expression used on uncontrolled data" (:code:`java/polynomial-redos`) have been added.
These queries help find instances of Regular Expression Denial of Service vulnerabilities.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/actions/command-injection` query has been added. It highlights GitHub Actions workflows that may allow an
attacker to execute arbitrary code in the workflow.
The query previously existed an experimental query.
* A new query :code:`js/insecure-temporary-file` has been added. The query detects the creation of temporary files that may be accessible by others users. The query is not run by default.
Python
""""""
* The query "PAM authorization bypass due to incorrect usage" (:code:`py/pam-auth-bypass`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/8595>`__.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Golang
""""""
* :code:`Function`\ 's predicate :code:`getACall` now returns more results in some situations. It now always returns callers that may call a method indirectly via an interface method that it implements. Previously this only happened if the method was in the source code being analysed.
Breaking Changes
~~~~~~~~~~~~~~~~
Python
""""""
* :code:`API::moduleImport` no longer has any results for dotted names, such as :code:`API::moduleImport("foo.bar")`. Using :code:`API::moduleImport("foo.bar").getMember("baz").getACall()` previously worked if the Python code was :code:`from foo.bar import baz; baz()`, but not if the code was :code:`import foo.bar; foo.bar.baz()` -- we are making this change to ensure the approach that can handle all cases is always used.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ruby
""""
* Added data-flow support for `hashes <https://docs.ruby-lang.org/en/3.1/Hash.html>`__.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* Fixed a bug where dataflow steps were ignored if both ends were inside the initialiser routine of a file-level variable.
* The method predicate :code:`getACalleeIncludingExternals` on :code:`DataFlow::CallNode` and the function :code:`viableCallable` in :code:`DataFlowDispatch` now also work for calls to functions via a variable, where the function can be determined using local flow.
Java
""""
* Fixed a sanitizer of the query :code:`java/android/intent-redirection`. Now, for an intent to be considered safe against intent redirection, both its package name and class name must be checked.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`isLibaryFile` predicate from :code:`ClassifyFiles.qll` has been renamed to :code:`isLibraryFile` to fix a typo.
Ruby
""""
* Support for data flow through instance variables has been added.
* Support of the safe navigation operator (:code:`&amp;.`) has been added; there is a new predicate :code:`MethodCall.isSafeNavigation()`.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`AnalysedString` class in the :code:`StringAnalysis` module has been replaced with :code:`AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
Golang
""""""
* The :code:`codeql/go-upgrades` CodeQL pack has been removed. All database upgrade scripts have been merged into the :code:`codeql/go-all` CodeQL pack.
Java
""""
* The QL class :code:`FloatingPointLiteral` has been renamed to :code:`FloatLiteral`.
New Features
~~~~~~~~~~~~
C/C++
"""""
* A :code:`getInitialization` predicate was added to the :code:`ConstexprIfStmt`, :code:`IfStmt`, and :code:`SwitchStmt` classes that yields the C++17-style initializer of the :code:`if` or :code:`switch` statement when it exists.
Golang
""""""
* Go 1.18 generics are now extracted and can be explored using the new CodeQL classes :code:`TypeParamDecl`, :code:`GenericFunctionInstantiationExpr`, :code:`GenericTypeInstantiationExpr`, :code:`TypeSetTerm`, and :code:`TypeSetLiteralType`, as well as using new predicates defined on the existing :code:`InterfaceType`. Class- and predicate-level documentation can be found in the `Go CodeQL library reference <https://codeql.github.com/codeql-standard-libraries/go/>`__.

40
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.9.4.rst Normal file
Просмотреть файл

@ -0,0 +1,40 @@
.. _codeql-cli-2.9.4:
=========================
CodeQL 2.9.4 (2022-06-20)
=========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* Users of CodeQL Packaging Beta can now optionally authenticate to Container registries on GitHub Enterprise Server (GHES) versions 3.6 and later using standard input instead of the :code:`CODEQL_REGISTRIES_AUTH` environment variable. To authenticate via standard input, pass
:code:`--registries-auth-stdin`. The value you provide will override the value of the :code:`CODEQL_REGISTRIES_AUTH` environment variable.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ruby
""""
* Calls to :code:`Zip::File.open` and :code:`Zip::File.new` have been added as :code:`FileSystemAccess` sinks. As a result queries like :code:`rb/path-injection` now flag up cases where users may access arbitrary archive files.
New Features
~~~~~~~~~~~~
C/C++
"""""
* An :code:`isBraced` predicate was added to the :code:`Initializer` class which holds when a C++ braced initializer was used in the initialization.

85
docs/codeql/codeql-overview/codeql-changelog/index.rst Normal file
Просмотреть файл

@ -0,0 +1,85 @@
.. _codeql-changes:
==================
CodeQL change logs
==================
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
.. toctree::
:maxdepth: 1
codeql-cli-2.15.3
codeql-cli-2.15.2
codeql-cli-2.15.1
codeql-cli-2.15.0
codeql-cli-2.14.6
codeql-cli-2.14.5
codeql-cli-2.14.4
codeql-cli-2.14.3
codeql-cli-2.14.2
codeql-cli-2.14.1
codeql-cli-2.14.0
codeql-cli-2.13.5
codeql-cli-2.13.4
codeql-cli-2.13.3
codeql-cli-2.13.1
codeql-cli-2.13.0
codeql-cli-2.12.7
codeql-cli-2.12.6
codeql-cli-2.12.5
codeql-cli-2.12.4
codeql-cli-2.12.3
codeql-cli-2.12.2
codeql-cli-2.12.1
codeql-cli-2.12.0
codeql-cli-2.11.6
codeql-cli-2.11.5
codeql-cli-2.11.4
codeql-cli-2.11.3
codeql-cli-2.11.2
codeql-cli-2.11.1
codeql-cli-2.11.0
codeql-cli-2.10.5
codeql-cli-2.10.4
codeql-cli-2.10.3
codeql-cli-2.10.2
codeql-cli-2.10.1
codeql-cli-2.10.0
codeql-cli-2.9.4
codeql-cli-2.9.3
codeql-cli-2.9.2
codeql-cli-2.9.1
codeql-cli-2.9.0
codeql-cli-2.8.5
codeql-cli-2.8.4
codeql-cli-2.8.3
codeql-cli-2.8.2
codeql-cli-2.8.1
codeql-cli-2.8.0
codeql-cli-2.7.6
codeql-cli-2.7.5
codeql-cli-2.7.3
codeql-cli-2.7.2
codeql-cli-2.7.1
codeql-cli-2.7.0
codeql-cli-2.6.3
codeql-cli-2.6.2
codeql-cli-2.6.1
codeql-cli-2.6.0
codeql-cli-2.5.9
codeql-cli-2.5.8
codeql-cli-2.5.7
codeql-cli-2.5.6
codeql-cli-2.5.5
codeql-cli-2.5.4
codeql-cli-2.5.3
codeql-cli-2.5.2
codeql-cli-2.5.1
codeql-cli-2.5.0
codeql-cli-2.4.6
codeql-cli-2.4.5
codeql-cli-2.4.4
codeql-cli-2.4.3
codeql-cli-2.4.2
codeql-cli-2.4.1

12
docs/codeql/codeql-overview/index.rst
Просмотреть файл

@ -5,25 +5,25 @@ CodeQL overview
Learn more about how CodeQL works, the languages and libraries supported by CodeQL analysis, and the tools you can use to run CodeQL on open source projects.
- :doc:`About CodeQL <about-codeql>`: CodeQL is the analysis engine used by developers to automate security checks, and by security researchers to perform variant analysis.
- :doc:`About CodeQL <about-codeql>`: CodeQL is the analysis engine used by developers to automate security checks, and by security researchers to perform variant analysis.
- :doc:`Supported languages and frameworks <supported-languages-and-frameworks>`: View the languages, libraries, and frameworks supported in the latest version of CodeQL.
- :doc:`System requirements <system-requirements>`: View the system requirements for running the latest version of CodeQL.
- :doc:`CodeQL change logs <codeql-changelog/index>`: Display a list of the CodeQL change logs.
- :doc:`CodeQL tools <codeql-tools>`: GitHub provides the CodeQL command-line interface and CodeQL for Visual Studio Code for performing CodeQL analysis on open source codebases.
- :doc:`CodeQL glossary <codeql-glossary>`: An overview of the technical terms and concepts in CodeQL.
- :doc:`CodeQL glossary <codeql-glossary>`: An overview of the technical terms and concepts in CodeQL.
.. toctree::
.. toctree::
:maxdepth: 1
:hidden:
about-codeql
supported-languages-and-frameworks
system-requirements
codeql-changelog/index
codeql-tools
codeql-glossary