Merge branch 'main' of github.com:github/codeql into SharedDataflow_NestedComprehensions

Author: yoff

.devcontainer/devcontainer.json

@@ -4,6 +4,6 @@
     "slevesque.vscode-zipexplorer"
   ],
   "settings": {
-    "codeQL.experimentalBqrsParsing": true
+    "codeQL.runningQueries.memory": 2048
   }
 }

.github/workflows/labeler.yml

@@ -0,0 +1,11 @@
+name: "Pull Request Labeler"
+on:
+- pull_request_target
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@v2
+      with:
+        repo-token: "${{ secrets.GITHUB_TOKEN }}"

README.md

@@ -9,7 +9,7 @@ You can use the [interactive query console](https://lgtm.com/help/lgtm/using-que
 
 ## Contributing
 
-We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/master/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
+We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
 
 ## License
 

change-notes/1.25/analysis-javascript.md

@@ -30,7 +30,7 @@
   - [yargs](https://www.npmjs.com/package/yargs)
   - [webpack-dev-server](https://www.npmjs.com/package/webpack-dev-server)
 
-* TypeScript 3.9 is now supported.
+* TypeScript 4.0 is now supported.
 
 * TypeScript code embedded in HTML and Vue files is now extracted and analyzed.
 

change-notes/1.26/analysis-cpp.md

@@ -13,13 +13,16 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
+| Declaration hides parameter (`cpp/declaration-hides-parameter`) | Fewer false positive results | False positives involving template functions have been fixed. |
 | Inconsistent direction of for loop (`cpp/inconsistent-loop-direction`) | Fewer false positive results | The query now accounts for intentional wrapping of an unsigned loop counter. |
 | Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | | The precision of this query has been decreased from "high" to "medium". As a result, the query is still run but results are no longer displayed on LGTM by default. |
 | Comparison result is always the same (`cpp/constant-comparison`) | More correct results | Bounds on expressions involving multiplication can now be determined in more cases. |
 
 ## Changes to libraries
 
-* The models library now models some taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
+* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
+* The models library now models many taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
 * The models library now models many more taint flows through `std::string`.
+* The models library now models some taint flows through `std::ostream`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
   `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.

change-notes/1.26/analysis-csharp.md

@@ -19,6 +19,12 @@ The following changes in version 1.26 affect C# analysis in all applications.
 ## Changes to code extraction
 
 * Partial method bodies are extracted. Previously, partial method bodies were skipped completely.
+* Inferring the lengths of implicitely sized arrays is fixed. Previously, multidimensional arrays were always extracted with the same length for
+each dimension. With the fix, the array sizes `2` and `1` are extracted for `new int[,]{{1},{2}}`. Previously `2` and `2` were extracted.
+* The extractor is now assembly-insensitive by default. This means that two entities with the same
+  fully-qualified name are now mapped to the same entity in the resulting database, regardless of
+  whether they belong to different assemblies. Assembly sensitivity can be reenabled by passing
+  `--assemblysensitivetrap` to the extractor.
 
 ## Changes to libraries
 

change-notes/1.26/analysis-java.md

@@ -0,0 +1,21 @@
+# Improvements to Java analysis
+
+The following changes in version 1.26 affect Java analysis in all applications.
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+
+
+## Changes to libraries
+
+* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.

change-notes/1.26/analysis-javascript.md

@@ -26,7 +26,13 @@
 
 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Potentially unsafe external link (`js/unsafe-external-link`) | Fewer results | This query no longer flags URLs constructed using a template system where only the hash or query part of the URL is dynamic. |
 | Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
+| Ambiguous HTML id attribute (`js/duplicate-html-id`) | Results no longer shown | Precision tag reduced to "low". The query is no longer run by default. |
+| Unused loop iteration variable (`js/unused-loop-variable`) | Fewer results | This query no longer flags variables in a destructuring array assignment that are not the last variable in the destructed array. |
+| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | More results | This query now recognizes more commands where colon, dash, and underscore are used. |
+| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
 
 
 ## Changes to libraries
+* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.

change-notes/1.26/analysis-python.md

@@ -0,0 +1,22 @@
+# Improvements to Python analysis
+
+The following changes in version 1.26 affect Python analysis in all applications.
+
+## General improvements
+
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+
+
+## Changes to libraries
+
+* Added taint tracking support for string formatting through f-strings.

config/identical-files.json

@@ -325,11 +325,60 @@
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
+  "Inline Test Expectations": [
+    "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
+  ],
   "XML": [
     "cpp/ql/src/semmle/code/cpp/XML.qll",
     "csharp/ql/src/semmle/code/csharp/XML.qll",
     "java/ql/src/semmle/code/xml/XML.qll",
     "javascript/ql/src/semmle/javascript/XML.qll",
     "python/ql/src/semmle/python/xml/XML.qll"
+  ],
+  "DuplicationProblems.qhelp": [
+    "cpp/ql/src/Metrics/Files/DuplicationProblems.qhelp",
+    "csharp/ql/src/Metrics/Files/DuplicationProblems.qhelp",
+    "javascript/ql/src/Metrics/DuplicationProblems.qhelp",
+    "python/ql/src/Metrics/DuplicationProblems.qhelp"
+  ],
+  "CommentedOutCodeQuery.qhelp": [
+    "cpp/ql/src/Documentation/CommentedOutCodeQuery.qhelp",
+    "python/ql/src/Lexical/CommentedOutCodeQuery.qhelp",
+    "csharp/ql/src/Bad Practices/Comments/CommentedOutCodeQuery.qhelp",
+    "java/ql/src/Violations of Best Practice/Comments/CommentedOutCodeQuery.qhelp",
+    "javascript/ql/src/Comments/CommentedOutCodeQuery.qhelp"
+  ],
+  "FLinesOfCodeReferences.qhelp": [
+    "java/ql/src/Metrics/Files/FLinesOfCodeReferences.qhelp",
+    "javascript/ql/src/Metrics/FLinesOfCodeReferences.qhelp"
+  ],
+  "FCommentRatioCommon.qhelp": [
+    "java/ql/src/Metrics/Files/FCommentRatioCommon.qhelp",
+    "javascript/ql/src/Metrics/FCommentRatioCommon.qhelp"
+  ],
+  "FLinesOfCodeOverview.qhelp": [
+    "java/ql/src/Metrics/Files/FLinesOfCodeOverview.qhelp",
+    "javascript/ql/src/Metrics/FLinesOfCodeOverview.qhelp"
+  ],
+  "CommentedOutCodeMetricOverview.qhelp": [
+    "cpp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
+    "csharp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
+    "java/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
+    "javascript/ql/src/Comments/CommentedOutCodeMetricOverview.qhelp",
+    "python/ql/src/Lexical/CommentedOutCodeMetricOverview.qhelp"
+  ],
+  "FLinesOfDuplicatedCodeCommon.qhelp": [
+    "cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp",
+    "java/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp",
+    "javascript/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.qhelp",
+    "python/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.qhelp"
+  ],
+  "CommentedOutCodeReferences.qhelp": [
+    "cpp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
+    "csharp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
+    "java/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
+    "javascript/ql/src/Comments/CommentedOutCodeReferences.qhelp",
+    "python/ql/src/Lexical/CommentedOutCodeReferences.qhelp"
   ]
 }