
Commit 7637ebc

Merge remote-tracking branch 'upstream/master' into exceptionFPs
2 parents 6494649 + c4d2163 commit 7637ebc

663 files changed

+10818
-3436
lines changed

change-notes/1.24/analysis-cpp.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
88

99
| **Query** | **Tags** | **Purpose** |
1010
|-----------------------------|-----------|--------------------------------------------------------------------|
11+
| Implicit function declarations (`cpp/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql`) | correctness, maintainability | This query finds calls to undeclared functions that are compiled by a C compiler. Results are shown on LGTM by default. |
1112

1213
## Changes to existing queries
1314

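Review bot: the Purpose column of the new ImplicitFunctionDeclaration row says what the query matches but not why it is a correctness problem, which is what an LGTM user reading the alert will want; a call to an undeclared function is compiled with an assumed `int` return type and no argument checking, so the row could read "This query finds calls to undeclared functions, which are compiled with an assumed `int` return type and unchecked arguments." Also consider whether `security` belongs in the Tags alongside `correctness, maintainability`, since the same mismatch is a classic source of memory-safety bugs.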
@@ -35,7 +36,8 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
3536
about the _name or scope_ of variables should remain unchanged.
3637
* The `LocalScopeVariableReachability` library is deprecated in favor of
3738
`StackVariableReachability`. The functionality is the same.
39+
* The models library models `strlen` in more detail, and includes common variations such as `wcslen`.
3840
* The taint tracking library (`semmle.code.cpp.dataflow.TaintTracking`) has had
3941
the following improvements:
4042
* The library now models data flow through `strdup` and similar functions.
41-
43+
* The library now models data flow through formatting functions such as `sprintf`.
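Review bot: the new `strlen`/`wcslen` bullet is placed as a top-level models-library item while the new `sprintf` bullet is nested under the taint tracking list; if the more detailed `strlen` model also changes taint results that should be stated, and "formatting functions such as `sprintf`" leaves open whether the `snprintf`/`vsprintf` variants are covered. Suggest naming the functions (or the model class) that are now modelled, as the `strdup` bullet above it does.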

change-notes/1.24/analysis-csharp.md

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,14 +6,19 @@ The following changes in version 1.24 affect C# analysis in all applications.
66

77
| **Query** | **Tags** | **Purpose** |
88
|-----------------------------|-----------|--------------------------------------------------------------------|
9+
| Assembly path injection (`cs/assembly-path-injection`) | security, external/cwe/cwe-114 | Finds user-controlled data used to load an assembly. |
910
| Insecure configuration for ASP.NET requestValidationMode (`cs/insecure-request-validation-mode`) | security, external/cwe/cwe-016 | Finds where this attribute has been set to a value less than 4.5, which turns off some validation features and makes the application less secure. |
10-
| Page request validation is disabled (`cs/web/request-validation-disabled`) | security, frameworks/asp.net, external/cwe/cwe-016 | Finds where ASP.NET page request validation has been disabled, which could makes the application less secure. |
11+
| Insecure SQL connection (`cs/insecure-sql-connection`) | security, external/cwe/cwe-327 | Finds unencrypted SQL connection strings. |
12+
| Page request validation is disabled (`cs/web/request-validation-disabled`) | security, frameworks/asp.net, external/cwe/cwe-016 | Finds where ASP.NET page request validation has been disabled, which could make the application less secure. |
13+
| Serialization check bypass (`cs/serialization-check-bypass`) | security, external/cwe/cwe-20 | Finds where data is not validated in a deserialization method. |
14+
| XML injection (`cs/xml-injection`) | security, external/cwe/cwe-091 | Finds user-controlled data that is used to write directly to an XML document. |
1115

1216
## Changes to existing queries
1317

1418
| **Query** | **Expected impact** | **Change** |
1519
|------------------------------|------------------------|-----------------------------------|
1620
| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the variable is named `_` in a `foreach` statement. |
21+
| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | More results | Results are reported from parameters with a default value of `null`. |
1722

1823
## Removal of old queries
1924

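Review bot: the tag on the Serialization check bypass row is `external/cwe/cwe-20`, while every other row in this table zero-pads to three digits (`cwe-016`, `cwe-091`, `cwe-114`); use `external/cwe/cwe-020` so tag-based filtering stays consistent. The Expected impact "More results" on the `cs/dereferenced-value-may-be-null` row also differs from the "More true positives" wording used for the equivalent Java change in this commit; pick one.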
@@ -29,4 +34,3 @@ The following changes in version 1.24 affect C# analysis in all applications.
2934
* Expression nullability flow state is given by the predicates `Expr.hasNotNullFlowState()` and `Expr.hasMaybeNullFlowState()`.
3035

3136
## Changes to autobuilder
32-

change-notes/1.24/analysis-java.md

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,15 +10,25 @@ The following changes in version 1.24 affect Java analysis in all applications.
1010

1111
| **Query** | **Tags** | **Purpose** |
1212
|-----------------------------|-----------|--------------------------------------------------------------------|
13+
| Disabled Spring CSRF protection (`java/spring-disabled-csrf-protection`) | security, external/cwe/cwe-352 | Finds disabled Cross-Site Request Forgery (CSRF) protection in Spring. |
1314
| Failure to use HTTPS or SFTP URL in Maven artifact upload/download (`java/maven/non-https-url`) | security, external/cwe/cwe-300, external/cwe/cwe-319, external/cwe/cwe-494, external/cwe/cwe-829 | Finds use of insecure protocols during Maven dependency resolution. Results are shown on LGTM by default. |
15+
| Left shift by more than the type width (`java/lshift-larger-than-type-width`) | correctness | Finds left shifts of ints by 32 bits or more and left shifts of longs by 64 bits or more. Results are shown on LGTM by default. |
16+
| Suspicious date format (`java/suspicious-date-format`) | correctness | Finds date format patterns that use placeholders that are likely to be incorrect. |
1417

1518
## Changes to existing queries
1619

1720
| **Query** | **Expected impact** | **Change** |
1821
|------------------------------|------------------------|-----------------------------------|
1922
| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positives | Final fields with a non-null initializer are no longer reported. |
20-
| Expression always evaluates to the same value (`java/evaluation-to-constant`) | Fewer false positives | Expressions of the form `0 * x` are usually intended and no longer reported. |
23+
| Expression always evaluates to the same value (`java/evaluation-to-constant`) | Fewer false positives | Expressions of the form `0 * x` are usually intended and no longer reported. Also left shift of ints by 32 bits and longs by 64 bits are no longer reported as they are not constant, these results are instead reported by the new query `java/lshift-larger-than-type-width`. |
2124
| Useless null check (`java/useless-null-check`) | More true positives | Useless checks on final fields with a non-null initializer are now reported. |
2225

2326
## Changes to libraries
2427

28+
* Identification of test classes has been improved. Previously, one of the
29+
match conditions would classify any class with a name containing the string
30+
"Test" as a test class, but now this matching has been replaced with one that
31+
looks for the occurrence of actual unit-test annotations. This affects the
32+
general file classification mechanism and thus suppression of alerts, and
33+
also any security queries using taint tracking, as test classes act as
34+
default barriers stopping taint flow.
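Review bot: the `java/evaluation-to-constant` change row and the new `java/lshift-larger-than-type-width` row disagree on scope: the new row says "by 32 bits or more" and "by 64 bits or more", the change row says "by 32 bits" and "by 64 bits", so align the change row to "or more". The clause "as they are not constant, these results are instead reported" is a comma splice; split it into two sentences. For the test-class bullet, since test classes act as taint barriers, it would help to list which unit-test annotations are now recognised, as that determines which security results appear or disappear.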

change-notes/1.24/analysis-javascript.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,11 @@
1313
- [react](https://www.npmjs.com/package/react)
1414
- [typeahead.js](https://www.npmjs.com/package/typeahead.js)
1515
- [Handlebars](https://www.npmjs.com/package/handlebars)
16+
- [Electron](https://electronjs.org/)
17+
- [Node.js](https://nodejs.org/)
18+
- [Socket.IO](https://socket.io/)
19+
- [ws](https://github.com/websockets/ws)
20+
- [WebSocket](https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API)
1621

1722
## New queries
1823

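Review bot: the added WebSocket entry links to the MDN Web API page while every other entry in this list is a library or runtime with a package or project page; if the intent is that the browser `WebSocket` API is now modelled, say that in the text rather than listing it as a library alongside `ws` and Socket.IO.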
@@ -33,7 +38,9 @@
3338
| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | This query now recognizes additional ways event handler receivers can be bound. |
3439
| Expression has no effect (`js/useless-expression`) | Fewer false positive results | The query now recognizes block-level flow type annotations and ignores the first statement of a try block. |
3540
| Use of call stack introspection in strict mode (`js/strict-mode-call-stack-introspection`) | Fewer false positive results | The query no longer flags expression statements. |
41+
| Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | The query reports fewer duplicates and only flags handlers that explicitly access cookie data. |
3642

3743
## Changes to libraries
3844

3945
* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
46+
* An extensible model of the `EventEmitter` pattern has been implemented.
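Review bot: the Missing CSRF middleware row is filed as "Fewer false positive results", but the new condition of only flagging handlers that explicitly access cookie data also drops results for handlers whose cookie access happens in a helper they call; the change note should state that trade-off so users understand why previously reported handlers no longer appear. The `EventEmitter` bullet should name the class a user extends, since extensibility is the whole point of the entry.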

config/identical-files.json

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -82,6 +82,14 @@
8282
"cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
8383
"csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll"
8484
],
85+
"IR IRConfiguration": [
86+
"cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
87+
"csharp/ql/src/semmle/code/csharp/ir/implementation/IRConfiguration.qll"
88+
],
89+
"IR UseSoundEscapeAnalysis": [
90+
"cpp/ql/src/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
91+
"csharp/ql/src/semmle/code/csharp/ir/implementation/UseSoundEscapeAnalysis.qll"
92+
],
8593
"IR Operand Tag": [
8694
"cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
8795
"csharp/ql/src/semmle/code/csharp/ir/implementation/internal/OperandTag.qll"

cpp/config/suites/c/correctness

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/ExprHasNoEffect.ql: /Correctness/Common Errors
1919
+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooFewArguments.ql: /Correctness/Common Errors
2020
+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooManyArguments.ql: /Correctness/Common Errors
21+
+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql: /Correctness/Common Errors
2122
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql: /Correctness/Common Errors
2223
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql: /Correctness/Common Errors
2324
+ semmlecode-cpp-queries/Likely Bugs/Arithmetic/FloatComparison.ql: /Correctness/Common Errors

cpp/config/suites/cpp/correctness

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/ExprHasNoEffect.ql: /Correctness/Common Errors
2020
+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooFewArguments.ql: /Correctness/Common Errors
2121
+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooManyArguments.ql: /Correctness/Common Errors
22+
+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql: /Correctness/Common Errors
2223
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql: /Correctness/Common Errors
2324
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql: /Correctness/Common Errors
2425
+ semmlecode-cpp-queries/Likely Bugs/Arithmetic/FloatComparison.ql: /Correctness/Common Errors
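Review bot: adding ImplicitFunctionDeclaration.ql to the cpp suite needs a comment on intent: C++ does not permit implicit function declarations, and the query's own description in change-notes/1.24/analysis-cpp.md in this commit scopes it to code compiled by a C compiler, so on a pure C++ project this entry cannot produce results. If the goal is mixed C/C++ codebases built through the cpp suite, a short note saying so will stop it being removed as dead later.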

cpp/ql/src/Architecture/FeatureEnvy.ql

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,8 @@ predicate functionUsesFunction(Function source, Function f, File target) {
2525
}
2626

2727
predicate dependencyCount(Function source, File target, int res) {
28-
res = strictcount(Declaration d |
28+
res =
29+
strictcount(Declaration d |
2930
functionUsesVariable(source, d, target) or
3031
functionUsesFunction(source, d, target)
3132
)

cpp/ql/src/Architecture/General Top-Level Information/GeneralStatistics.ql

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,14 +38,16 @@ where
3838
n = count(Function f | f.fromSource()).toString()
3939
or
4040
l = "Number of Lines Of Code" and
41-
n = sum(File f, int toSum |
41+
n =
42+
sum(File f, int toSum |
4243
f.fromSource() and toSum = f.getMetrics().getNumberOfLinesOfCode()
4344
|
4445
toSum
4546
).toString()
4647
or
4748
l = "Self-Containedness" and
48-
n = (
49+
n =
50+
(
4951
100 * sum(Class c | c.fromSource() | c.getMetrics().getEfferentSourceCoupling()) /
5052
sum(Class c | c.fromSource() | c.getMetrics().getEfferentCoupling())
5153
).toString() + "%"

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql

Lines changed: 6 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -80,11 +80,8 @@ class VariableDeclarationLine extends TVariableDeclarationInfo {
8080
* (that is, the first is 0, the second is 1 and so on).
8181
*/
8282
private int getRank() {
83-
line = rank[result](VariableDeclarationLine vdl, int l |
84-
vdl = TVariableDeclarationLine(c, f, l)
85-
|
86-
l
87-
)
83+
line =
84+
rank[result](VariableDeclarationLine vdl, int l | vdl = TVariableDeclarationLine(c, f, l) | l)
8885
}
8986

9087
/**
@@ -133,7 +130,8 @@ class VariableDeclarationGroup extends VariableDeclarationLine {
133130
* Gets the number of uniquely named `VariableDeclarationEntry`s in this group.
134131
*/
135132
int getCount() {
136-
result = count(VariableDeclarationLine l |
133+
result =
134+
count(VariableDeclarationLine l |
137135
l = getProximateNext*()
138136
|
139137
l.getAVDE().getVariable().getName()
@@ -166,7 +164,8 @@ class ExtClass extends Class {
166164

167165
from ExtClass c, int n, VariableDeclarationGroup vdg, string suffix
168166
where
169-
n = strictcount(string fieldName |
167+
n =
168+
strictcount(string fieldName |
170169
exists(Field f |
171170
f.getDeclaringType() = c and
172171
fieldName = f.getName() and
