C#: Deprecate experimental queries.

csharp/ql/src/change-notes/2024-11-05-experimental-queries.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in [CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).

csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql

@@ -15,10 +15,16 @@
  */
 
 import csharp
-import TaintedWebClientLib
-import TaintedWebClient::PathGraph
+deprecated import TaintedWebClientLib
+deprecated import TaintedWebClient::PathGraph
 
-from TaintedWebClient::PathNode source, TaintedWebClient::PathNode sink
-where TaintedWebClient::flowPath(source, sink)
-select sink.getNode(), source, sink, "A method of WebClient depepends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, TaintedWebClient::PathNode source, TaintedWebClient::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  TaintedWebClient::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "A method of WebClient depepends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import csharp
 import semmle.code.csharp.frameworks.system.Net
 import semmle.code.csharp.frameworks.System

csharp/ql/src/experimental/CWE-918/RequestForgery.ql

@@ -11,10 +11,16 @@
  */
 
 import csharp
-import RequestForgery::RequestForgery
-import RequestForgeryFlow::PathGraph
+deprecated import RequestForgery::RequestForgery
+deprecated import RequestForgeryFlow::PathGraph
 
-from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
-where RequestForgeryFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "The URL of this request depends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  RequestForgeryFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "The URL of this request depends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

csharp/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import csharp
 
 module RequestForgery {

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

@@ -16,90 +16,92 @@
 import csharp
 import semmle.code.asp.WebConfig
 import semmle.code.csharp.frameworks.system.Web
 import semmle.code.csharp.frameworks.microsoft.AspNetCore
-import experimental.dataflow.flowsources.AuthCookie
+deprecated import experimental.dataflow.flowsources.AuthCookie
 
-from Expr httpOnlySink
-where
-  exists(Assignment a, Expr val |
-    httpOnlySink = a.getRValue() and
-    val.getValue() = "false" and
-    (
-      exists(ObjectCreation oc |
-        getAValueForProp(oc, a, "HttpOnly") = val and
-        (
-          oc.getType() instanceof SystemWebHttpCookie and
-          isCookieWithSensitiveName(oc.getArgument(0))
-          or
-          exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
-            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-            iResponse.getAppendMethod() = mc.getTarget() and
-            isCookieWithSensitiveName(mc.getArgument(0)) and
-            // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
-            not OnAppendCookieHttpOnlyTracking::flowTo(_) and
-            // Passed as third argument to `IResponseCookies.Append`
-            exists(DataFlow::Node creation, DataFlow::Node append |
-              CookieOptionsTracking::flow(creation, append) and
-              creation.asExpr() = oc and
-              append.asExpr() = mc.getArgument(2)
+deprecated query predicate problems(Expr httpOnlySink, string message) {
+  (
+    exists(Assignment a, Expr val |
+      httpOnlySink = a.getRValue() and
+      val.getValue() = "false" and
+      (
+        exists(ObjectCreation oc |
+          getAValueForProp(oc, a, "HttpOnly") = val and
+          (
+            oc.getType() instanceof SystemWebHttpCookie and
+            isCookieWithSensitiveName(oc.getArgument(0))
+            or
+            exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
+              oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+              iResponse.getAppendMethod() = mc.getTarget() and
+              isCookieWithSensitiveName(mc.getArgument(0)) and
+              // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
+              not OnAppendCookieHttpOnlyTracking::flowTo(_) and
+              // Passed as third argument to `IResponseCookies.Append`
+              exists(DataFlow::Node creation, DataFlow::Node append |
+                CookieOptionsTracking::flow(creation, append) and
+                creation.asExpr() = oc and
+                append.asExpr() = mc.getArgument(2)
+              )
             )
           )
         )
-      )
-      or
-      exists(PropertyWrite pw |
-        (
-          pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
-          pw.getProperty().getDeclaringType() instanceof
-            MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
-        ) and
-        pw.getProperty().getName() = "HttpOnly" and
-        a.getLValue() = pw and
-        DataFlow::localExprFlow(val, a.getRValue())
+        or
+        exists(PropertyWrite pw |
+          (
+            pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+            pw.getProperty().getDeclaringType() instanceof
+              MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+          ) and
+          pw.getProperty().getName() = "HttpOnly" and
+          a.getLValue() = pw and
+          DataFlow::localExprFlow(val, a.getRValue())
+        )
       )
     )
-  )
-  or
-  exists(Call c |
-    httpOnlySink = c and
-    (
-      exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
-        // default is not configured or is not set to `Always`
-        not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
-        // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
-        not OnAppendCookieHttpOnlyTracking::flowTo(_) and
-        iResponse.getAppendMethod() = mc.getTarget() and
-        isCookieWithSensitiveName(mc.getArgument(0)) and
-        (
-          // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
-          exists(ObjectCreation oc |
-            oc = c and
-            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-            not isPropertySet(oc, "HttpOnly") and
-            exists(DataFlow::Node creation |
-              CookieOptionsTracking::flow(creation, _) and
-              creation.asExpr() = oc
+    or
+    exists(Call c |
+      httpOnlySink = c and
+      (
+        exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
+          // default is not configured or is not set to `Always`
+          not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
+          // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
+          not OnAppendCookieHttpOnlyTracking::flowTo(_) and
+          iResponse.getAppendMethod() = mc.getTarget() and
+          isCookieWithSensitiveName(mc.getArgument(0)) and
+          (
+            // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+            exists(ObjectCreation oc |
+              oc = c and
+              oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+              not isPropertySet(oc, "HttpOnly") and
+              exists(DataFlow::Node creation |
+                CookieOptionsTracking::flow(creation, _) and
+                creation.asExpr() = oc
+              )
             )
+            or
+            // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
+            mc = c and
+            mc.getNumberOfArguments() < 3
           )
-          or
-          // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
-          mc = c and
-          mc.getNumberOfArguments() < 3
         )
-      )
-      or
-      exists(ObjectCreation oc |
-        oc = c and
-        oc.getType() instanceof SystemWebHttpCookie and
-        isCookieWithSensitiveName(oc.getArgument(0)) and
-        // the property wasn't explicitly set, so a default value from config is used
-        not isPropertySet(oc, "HttpOnly") and
-        // the default in config is not set to `true`
-        not exists(XmlElement element |
-          element instanceof HttpCookiesElement and
-          element.(HttpCookiesElement).isHttpOnlyCookies()
+        or
+        exists(ObjectCreation oc |
+          oc = c and
+          oc.getType() instanceof SystemWebHttpCookie and
+          isCookieWithSensitiveName(oc.getArgument(0)) and
+          // the property wasn't explicitly set, so a default value from config is used
+          not isPropertySet(oc, "HttpOnly") and
+          // the default in config is not set to `true`
+          not exists(XmlElement element |
+            element instanceof HttpCookiesElement and
+            element.(HttpCookiesElement).isHttpOnlyCookies()
+          )
         )
       )
     )
-  )
-select httpOnlySink, "Cookie attribute 'HttpOnly' is not set to true."
+  ) and
+  message = "Cookie attribute 'HttpOnly' is not set to true."
+}

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -68,15 +68,14 @@ predicate isExprAnAccessToSafeClientSideEncryptionVersionValue(Expr e) {
   )
 }
 
-from Expr e, Class c, Assembly asm
-where
-  asm = c.getLocation() and
-  (
+deprecated query predicate problems(Expr e, string message) {
+  exists(Class c, Assembly asm | asm = c.getLocation() |
     exists(Expr e2 |
       isCreatingAzureClientSideEncryptionObject(e, c, e2) and
       not isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(e2, asm)
     )
     or
     isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
-  )
-select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."
+  ) and
+  message = "Unsafe usage of v1 version of Azure Storage client-side encryption."
+}