From 1fbf3a39fb61f8c6918df990838e421d8d688f90 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Thu, 26 Jun 2025 14:05:46 +0200
Subject: [PATCH 1/7] Shared: Add a copy of the security-and-quality selector.
---
 .../security-and-frozen-quality-selectors.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 misc/suite-helpers/security-and-frozen-quality-selectors.yml
diff --git a/misc/suite-helpers/security-and-frozen-quality-selectors.yml b/misc/suite-helpers/security-and-frozen-quality-selectors.yml
new file mode 100644
index 000000000000..3baa3c75758b
--- /dev/null
+++ b/misc/suite-helpers/security-and-frozen-quality-selectors.yml
@@ -0,0 +1,36 @@
+- description: Selectors for selecting the security-and-quality queries for a language
+- include:
+ kind:
+ - problem
+ - path-problem
+ precision:
+ - high
+ - very-high
+- include:
+ kind:
+ - problem
+ - path-problem
+ precision: medium
+ problem.severity:
+ - error
+ - warning
+- include:
+ kind:
+ - diagnostic
+- include:
+ kind:
+ - metric
+ tags contain:
+ - summary
+- exclude:
+ deprecated: //
+- exclude:
+ query path:
+ - /^experimental\/.*/
+ - Metrics/Summaries/FrameworkCoverage.ql
+ - /Diagnostics/Internal/.*/
+- exclude:
+ tags contain:
+ - modeleditor
+ - modelgenerator
+ - 'model-generator'
From 3efbed56b0c913482342db984622c9f0e6693b15 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Thu, 26 Jun 2025 14:09:43 +0200
Subject: [PATCH 2/7] Shared: Modify the frozen selector to only include security queries.
---
 .../suite-helpers/security-and-frozen-quality-selectors.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/misc/suite-helpers/security-and-frozen-quality-selectors.yml b/misc/suite-helpers/security-and-frozen-quality-selectors.yml
index 3baa3c75758b..f5a03eaf0772 100644
--- a/misc/suite-helpers/security-and-frozen-quality-selectors.yml
+++ b/misc/suite-helpers/security-and-frozen-quality-selectors.yml
@@ -1,4 +1,4 @@
-- description: Selectors for selecting the security-and-quality queries for a language
+- description: Selectors for selecting the non-quality queries for the security-and-quality queries for a language
 - include:
 kind:
 - problem
@@ -6,6 +6,8 @@
 precision:
 - high
 - very-high
+ tags contain:
+ - security
 - include:
 kind:
 - problem
@@ -14,6 +16,8 @@
 problem.severity:
 - error
 - warning
+ tags contain:
+ - security
 - include:
 kind:
 - diagnostic
From 145ada53f2b0f97548caae593c5bce727842f1a2 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Thu, 26 Jun 2025 14:19:27 +0200
Subject: [PATCH 3/7] C#/Java/JavaScript: Re-factor query suites to use the new selector.
---
 .../csharp-security-and-quality.qls | 39 +-----------------
 .../java-security-and-quality.qls | 40 +------------------
 .../javascript-security-and-quality.qls | 34 +---------------
 3 files changed, 6 insertions(+), 107 deletions(-)
diff --git a/csharp/ql/src/codeql-suites/csharp-security-and-quality.qls b/csharp/ql/src/codeql-suites/csharp-security-and-quality.qls
index b224499edce2..21d39db383d3 100644
--- a/csharp/ql/src/codeql-suites/csharp-security-and-quality.qls
+++ b/csharp/ql/src/codeql-suites/csharp-security-and-quality.qls
@@ -1,24 +1,7 @@
 - description: Security-and-quality queries for C#
 - queries: .
-- include:
- kind:
- - problem
- - path-problem
- precision:
- - high
- - very-high
- tags contain:
- - security
-- include:
- kind:
- - problem
- - path-problem
- precision: medium
- problem.severity:
- - error
- - warning
- tags contain:
- - security
+- apply: security-and-frozen-quality-selectors.yml
+ from: codeql/suite-helpers
 - include:
 id:
 - cs/asp/response-write
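Review bot: The new description line in the first hunk, `Selectors for selecting the non-quality queries for the security-and-quality queries for a language`, is hard to parse and does not say why quality queries are left out; something like `- description: Selectors for the security queries of the security-and-quality suite (quality queries are frozen per language suite)` states the intent directly. The `tags contain: - security` filters added to both problem includes mean that any problem or path-problem query without a `security` tag is no longer selected by this file, so every language suite that applies it has to list its quality queries explicitly. A YAML comment above the first include, e.g. `# Quality queries are intentionally not selected here; language suites pin them by id.`, would keep the next maintainer from re-adding a precision-only include.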
@@ -123,21 +106,3 @@
 - cs/wrong-compareto-signature
 - cs/wrong-equals-signature
 - cs/xmldoc/missing-summary
-- include:
- kind:
- - diagnostic
-- include:
- kind:
- - metric
- tags contain:
- - summary
-- exclude:
- deprecated: //
-- exclude:
- query path:
- - /^experimental\/.*/
- - Metrics/Summaries/FrameworkCoverage.ql
-- exclude:
- tags contain:
- - modeleditor
- - modelgenerator
diff --git a/java/ql/src/codeql-suites/java-security-and-quality.qls b/java/ql/src/codeql-suites/java-security-and-quality.qls
index 91751e6da1ba..011206a105c2 100644
--- a/java/ql/src/codeql-suites/java-security-and-quality.qls
+++ b/java/ql/src/codeql-suites/java-security-and-quality.qls
@@ -1,24 +1,7 @@
 - description: Security-and-quality queries for Java
 - queries: .
-- include:
- kind:
- - problem
- - path-problem
- precision:
- - high
- - very-high
- tags contain:
- - security
-- include:
- kind:
- - problem
- - path-problem
- precision: medium
- problem.severity:
- - error
- - warning
- tags contain:
- - security
+- apply: security-and-frozen-quality-selectors.yml
+ from: codeql/suite-helpers
 - include:
 id:
 - java/abs-of-random
@@ -143,22 +126,3 @@
 - java/wrong-object-serialization-signature
 - java/wrong-readresolve-signature
 - java/wrong-swing-event-adapter-signature
-- include:
- kind:
- - diagnostic
-- include:
- kind:
- - metric
- tags contain:
- - summary
-- exclude:
- deprecated: //
-- exclude:
- query path:
- - /^experimental\/.*/
- - Metrics/Summaries/FrameworkCoverage.ql
- - /Diagnostics/Internal/.*/
-- exclude:
- tags contain:
- - modeleditor
- - modelgenerator
diff --git a/javascript/ql/src/codeql-suites/javascript-security-and-quality.qls b/javascript/ql/src/codeql-suites/javascript-security-and-quality.qls
index 38d45ecfbe66..10097f6eaad0 100644
--- a/javascript/ql/src/codeql-suites/javascript-security-and-quality.qls
+++ b/javascript/ql/src/codeql-suites/javascript-security-and-quality.qls
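Review bot: Replacing the inline selectors with `apply: security-and-frozen-quality-selectors.yml` changes what the C# and JavaScript suites exclude, although the commit message calls this a re-factor. The removed C# block in this hunk excluded only `/^experimental\/.*/` and `Metrics/Summaries/FrameworkCoverage.ql` plus the `modeleditor`/`modelgenerator` tags, and the removed JavaScript block (second hunk of that file) excluded only `/^experimental\/.*/`; the shared selector as of the previous commit also excludes `/Diagnostics/Internal/.*/` and the `'model-generator'` tag, so any C# or JavaScript query matching those now drops out of its suite. If that widening is intended, the commit message should say so; if not, the two suites need a compensating `include` for the queries they still want. Java's removed block already carried all three path exclusions, so only the `'model-generator'` tag exclusion is new there.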
@@ -1,24 +1,7 @@
 - description: Security-and-quality queries for JavaScript
 - queries: .
-- include:
- kind:
- - problem
- - path-problem
- precision:
- - high
- - very-high
- tags contain:
- - security
-- include:
- kind:
- - problem
- - path-problem
- precision: medium
- problem.severity:
- - error
- - warning
- tags contain:
- - security
+- apply: security-and-frozen-quality-selectors.yml
+ from: codeql/suite-helpers
 - include:
 id:
 - js/node/assignment-to-exports-variable
@@ -123,16 +106,3 @@
 - js/diagnostics/successfully-extracted-files
 - js/summary/lines-of-code
 - js/summary/lines-of-user-code
-- include:
- kind:
- - diagnostic
-- include:
- kind:
- - metric
- tags contain:
- - summary
-- exclude:
- deprecated: //
-- exclude:
- query path:
- - /^experimental\/.*/
From 7fecf7466fc702d306ef81b06bf725e2579097c7 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Thu, 26 Jun 2025 14:26:28 +0200
Subject: [PATCH 4/7] Ruby: Freeze the quality queries in the security-and-quality suite.
---
 ruby/ql/src/codeql-suites/ruby-security-and-quality.qls | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ruby/ql/src/codeql-suites/ruby-security-and-quality.qls b/ruby/ql/src/codeql-suites/ruby-security-and-quality.qls
index 588a074cb508..dd91109a3ac2 100644
--- a/ruby/ql/src/codeql-suites/ruby-security-and-quality.qls
+++ b/ruby/ql/src/codeql-suites/ruby-security-and-quality.qls
@@ -1,4 +1,9 @@
 - description: Security-and-quality queries for Ruby
 - queries: .
-- apply: security-and-quality-selectors.yml
+- apply: security-and-frozen-quality-selectors.yml
 from: codeql/suite-helpers
+- include:
+ id:
+ - rb/database-query-in-loop
+ - rb/uninitialized-local-variable
+ - rb/useless-assignment-to-local
From d926a6a47de424a89f12fa1877694c8911537a86 Mon Sep 17 00:00:00 2001
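Review bot: The `include: id:` block added after the `apply` in the Ruby suite has no comment saying that it is a frozen snapshot, and the same applies to the Go and Python hunks that follow. Because the list sits after the applied selector's `exclude` rules, a listed query presumably stays in the suite even if it is later deprecated or moved under `experimental/` (inferred from the instruction order; worth confirming against the suite semantics), so the list needs deliberate maintenance rather than being left to drift. A short comment above it, e.g. `# Frozen quality queries: new quality queries are not picked up automatically; edit this list deliberately.`, would make that explicit in all three suites.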
From: Michael Nebel
Date: Thu, 26 Jun 2025 14:35:21 +0200
Subject: [PATCH 5/7] Go: Freeze the quality queries in the security-and-quality suite.
---
 .../codeql-suites/go-security-and-quality.qls | 26 ++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/go/ql/src/codeql-suites/go-security-and-quality.qls b/go/ql/src/codeql-suites/go-security-and-quality.qls
index 1043f46b27f4..cb026a7700c9 100644
--- a/go/ql/src/codeql-suites/go-security-and-quality.qls
+++ b/go/ql/src/codeql-suites/go-security-and-quality.qls
@@ -1,4 +1,28 @@
 - description: Security-and-quality queries for Go
 - queries: .
-- apply: security-and-quality-selectors.yml
+- apply: security-and-frozen-quality-selectors.yml
 from: codeql/suite-helpers
+- include:
+ id:
+ - go/comparison-of-identical-expressions
+ - go/constant-length-comparison
+ - go/duplicate-branches
+ - go/duplicate-condition
+ - go/duplicate-switch-case
+ - go/impossible-interface-nil-check
+ - go/inconsistent-loop-direction
+ - go/index-out-of-bounds
+ - go/missing-error-check
+ - go/mistyped-exponentiation
+ - go/negative-length-check
+ - go/redundant-assignment
+ - go/redundant-operation
+ - go/redundant-recover
+ - go/shift-out-of-range
+ - go/unexpected-nil-value
+ - go/unhandled-writable-file-close
+ - go/unreachable-statement
+ - go/useless-assignment-to-field
+ - go/useless-assignment-to-local
+ - go/useless-expression
+ - go/whitespace-contradicts-precedence
From 37b3ca036a0437a24389e3399dda29d2a0fb1007 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Thu, 26 Jun 2025 14:45:05 +0200
Subject: [PATCH 6/7] Python: Freeze the quality queries in the security-and-quality suite.
---
 .../python-security-and-quality.qls | 126 +++++++++++++++++-
 1 file changed, 125 insertions(+), 1 deletion(-)
diff --git a/python/ql/src/codeql-suites/python-security-and-quality.qls b/python/ql/src/codeql-suites/python-security-and-quality.qls
index 2a97a497db0a..557ca61f2b1a 100644
--- a/python/ql/src/codeql-suites/python-security-and-quality.qls
+++ b/python/ql/src/codeql-suites/python-security-and-quality.qls
@@ -1,4 +1,128 @@
 - description: Security-and-quality queries for Python
 - queries: .
-- apply: security-and-quality-selectors.yml
+- apply: security-and-frozen-quality-selectors.yml
 from: codeql/suite-helpers
+- include:
+ id:
+ - py/asserts-tuple
+ - py/attribute-shadows-method
+ - py/call-to-non-callable
+ - py/call/wrong-arguments
+ - py/call/wrong-named-argument
+ - py/call/wrong-named-class-argument
+ - py/call/wrong-number-class-arguments
+ - py/catch-base-exception
+ - py/commented-out-code
+ - py/comparison-missing-self
+ - py/comparison-of-constants
+ - py/comparison-of-identical-expressions
+ - py/comparison-using-is
+ - py/conflicting-attributes
+ - py/constant-conditional-expression
+ - py/cyclic-import
+ - py/deprecated-slice-method
+ - py/duplicate-key-dict-literal
+ - py/empty-except
+ - py/encoding-error
+ - py/equals-hash-mismatch
+ - py/exit-from-finally
+ - py/explicit-call-to-delete
+ - py/explicit-return-in-init
+ - py/file-not-closed
+ - py/hash-unhashable-value
+ - py/illegal-raise
+ - py/implicit-string-concatenation-in-list
+ - py/import-and-import-from
+ - py/import-deprecated-module
+ - py/import-of-mutable-attribute
+ - py/import-own-module
+ - py/imprecise-assert
+ - py/incomplete-ordering
+ - py/inconsistent-equality
+ - py/inconsistent-mro
+ - py/ineffectual-statement
+ - py/inheritance/incorrect-overridden-signature
+ - py/inheritance/incorrect-overriding-signature
+ - py/inheritance/signature-mismatch
+ - py/init-calls-subclass
+ - py/init-method-is-generator
+ - py/iter-returns-non-iterator
+ - py/iter-returns-non-self
+ - py/iteration-string-and-sequence
+ - py/leaking-list-comprehension
+ - py/loop-variable-capture
+ - py/member-test-non-container
+ - py/mismatched-multiple-assignment
+ - py/missing-call-to-delete
+ - py/missing-call-to-init
+ - py/missing-equals
+ - py/mixed-returns
+ - py/mixed-tuple-returns
+ - py/modification-of-default-value
+ - py/modification-of-locals
+ - py/multiple-calls-to-delete
+ - py/multiple-calls-to-init
+ - py/multiple-definition
+ - py/mutable-descriptor
+ - py/nested-loops-with-same-variable
+ - py/nested-loops-with-same-variable-reused
+ - py/non-iterable-in-for-loop
+ - py/not-named-cls
+ - py/not-named-self
+ - py/old-style-octal-literal
+ - py/overly-complex-delete
+ - py/overwritten-inherited-attribute
+ - py/percent-format/not-mapping
+ - py/percent-format/unsupported-character
+ - py/percent-format/wrong-arguments
+ - py/polluting-import
+ - py/print-during-import
+ - py/procedure-return-value-used
+ - py/property-in-old-style-class
+ - py/pythagorean
+ - py/raise-not-implemented
+ - py/raises-tuple
+ - py/redundant-assignment
+ - py/redundant-comparison
+ - py/redundant-else
+ - py/redundant-global-declaration
+ - py/regex/backspace-escape
+ - py/regex/duplicate-in-character-class
+ - py/regex/incomplete-special-group
+ - py/regex/unmatchable-caret
+ - py/regex/unmatchable-dollar
+ - py/repeated-import
+ - py/return-or-yield-outside-function
+ - py/should-use-with
+ - py/side-effect-in-assert
+ - py/slots-in-old-style-class
+ - py/special-method-wrong-signature
+ - py/str-format/missing-argument
+ - py/str-format/missing-named-argument
+ - py/str-format/mixed-fields
+ - py/str-format/surplus-argument
+ - py/str-format/surplus-named-argument
+ - py/super-in-old-style
+ - py/super-not-enclosing-class
+ - py/syntax-error
+ - py/test-equals-none
+ - py/truncated-division
+ - py/undefined-export
+ - py/undefined-placeholder-variable
+ - py/unexpected-raise-in-special-method
+ - py/unguarded-next-in-generator
+ - py/uninitialized-local-variable
+ - py/unnecessary-delete
+ - py/unnecessary-lambda
+ - py/unnecessary-pass
+ - py/unreachable-except
+ - py/unreachable-statement
+ - py/unsafe-cyclic-import
+ - py/unused-exception-object
+ - py/unused-global-variable
+ - py/unused-import
+ - py/unused-local-variable
+ - py/unused-loop-variable
+ - py/use-of-apply
+ - py/use-of-exit-or-quit
+ - py/useless-except
From 143a91efc4c49d92bd832f5056f2d569f3713cea Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Fri, 27 Jun 2025 11:08:08 +0200
Subject: [PATCH 7/7] Re-use the security-extended selector in the security-and-frozen-quality selector.
---
 .../security-and-frozen-quality-selectors.yml | 37 +------------------
 1 file changed, 1 insertion(+), 36 deletions(-)
diff --git a/misc/suite-helpers/security-and-frozen-quality-selectors.yml b/misc/suite-helpers/security-and-frozen-quality-selectors.yml
index f5a03eaf0772..f688b5db0466 100644
--- a/misc/suite-helpers/security-and-frozen-quality-selectors.yml
+++ b/misc/suite-helpers/security-and-frozen-quality-selectors.yml
@@ -1,40 +1,5 @@
 - description: Selectors for selecting the non-quality queries for the security-and-quality queries for a language
-- include:
- kind:
- - problem
- - path-problem
- precision:
- - high
- - very-high
- tags contain:
- - security
-- include:
- kind:
- - problem
- - path-problem
- precision: medium
- problem.severity:
- - error
- - warning
- tags contain:
- - security
-- include:
- kind:
- - diagnostic
-- include:
- kind:
- - metric
- tags contain:
- - summary
-- exclude:
- deprecated: //
-- exclude:
- query path:
- - /^experimental\/.*/
- - Metrics/Summaries/FrameworkCoverage.ql
- - /Diagnostics/Internal/.*/
+- apply: security-extended-selectors.yml
 - exclude:
 tags contain:
- - modeleditor
- - modelgenerator
 - 'model-generator'
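Review bot: The added `- apply: security-extended-selectors.yml` has no `from:` key, unlike every `apply` in the language suites of this series, which pair it with `from: codeql/suite-helpers`; if the name is resolved relative to the containing file this works, but adding `from: codeql/suite-helpers` would make the resolution explicit and consistent with the other suites. The hunk also drops the `modeleditor` and `modelgenerator` tag exclusions while keeping `'model-generator'`, so the resulting selection now depends on security-extended-selectors.yml carrying those two exclusions and the three removed `query path` exclusions; that file is not part of the series, so the equivalence with the removed block cannot be checked from this diff and should be confirmed. A comment line such as `# Same selection as security-extended minus model-generator queries; quality queries are pinned per language suite.` would record the intended relationship for the next reader.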