Commit d63cc3d

Merge remote-tracking branch 'upstream/master' into infinite-loops-visible
Moved the change note to 1.23.
2 parents 2ea0d54 + f1004b1 commit d63cc3d

4,026 files changed

+268462
-93569
lines changed

.codeqlmanifest.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
{ "provide": [ "*/ql/src/qlpack.yml",
2+
"misc/legacy-support/*/qlpack.yml",
3+
"misc/suite-helpers/qlpack.yml" ] }
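Review bot: the three globs are the only record of which qlpacks this manifest provides, and nothing says which tool consumes `.codeqlmanifest.json`; a short comment in the README (or a sibling doc, since JSON cannot carry comments) explaining why `misc/legacy-support/*/qlpack.yml` and `misc/suite-helpers/qlpack.yml` are listed separately from `*/ql/src/qlpack.yml` would tell a contributor adding a new qlpack whether they need to extend the `provide` list.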
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
---
2+
name: LGTM.com - false positive
3+
about: Tell us about an alert that shouldn't be reported
4+
title: LGTM.com - false positive
5+
labels: false-positive
6+
assignees: ''
7+
8+
---
9+
10+
**Description of the false positive**
11+
12+
<!-- Please explain briefly why you think it shouldn't be included. -->
13+
14+
**URL to the alert on the project page on LGTM.com**
15+
16+
<!--
17+
1. Open the project on LGTM.com.
18+
For example, https://lgtm.com/projects/g/pallets/click/.
19+
2. Switch to the `Alerts` tab. For example, https://lgtm.com/projects/g/pallets/click/alerts/.
20+
3. Scroll to the alert that you would like to report.
21+
4. Click on the right most icon `View this alert within the complete file`.
22+
5. A new browser tab opens. Copy and paste the page URL here.
23+
For example, https://lgtm.com/projects/g/pallets/click/snapshot/719fb7d8322b0767cdd1e5903ba3eb3233ba8dd5/files/click/_winconsole.py#xa08d213ab3289f87:1.
24+
-->
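Review bot: the template collects a description and the alert URL but never asks which query raised the alert; the snapshot URL from step 5 identifies the file and position, not the query. Adding a third field such as `**Query ID**` (for example `cpp/useless-expression`) would make triage quicker and lets the report be routed to the right language team without opening LGTM first.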
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
---
2+
name: General issue
3+
about: Tell us if you think something is wrong or if you have a question
4+
title: General issue
5+
labels: question
6+
assignees: ''
7+
8+
---
9+
10+
**Description of the issue**
11+
12+
<!-- Please explain briefly what is the problem.
13+
If it is about an LGTM project, please include its URL.-->
14+

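Review bot: the comment on new lines 12-13 reads `Please explain briefly what is the problem.`; it should be `what the problem is`. Since the LGTM false-positive template in this same commit covers alerts, one sentence here pointing alert reports at that template would keep false positives from being filed as general questions; line 13 already asks for the project URL, which is the right companion detail.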
.gitignore

Lines changed: 3 additions & 0 deletions
@@ -12,3 +12,6 @@
1212
# Visual studio temporaries, except a file used by QL4VS
1313
.vs/*
1414
!.vs/VSWorkspaceSettings.json
15+
16+
# It's useful (though not required) to be able to unpack codeql in the ql checkout itself
17+
/codeql/
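Review bot: `/codeql/` is anchored at the repository root, so only a `codeql` directory unpacked directly in the checkout is ignored and a `codeql` directory anywhere deeper stays tracked. That matches the intent stated on new line 16, but making the comment explicit (`# ignore only a top-level codeql/ directory`) would stop someone later "fixing" it to an unanchored `codeql/`, which would silently hide any directory of that name.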

CODEOWNERS

Lines changed: 6 additions & 1 deletion
@@ -2,4 +2,9 @@
22
/java/ @Semmle/java
33
/javascript/ @Semmle/js
44
/cpp/ @Semmle/cpp-analysis
5-
/cpp/**/*.qhelp @semmledocs-ac
5+
/cpp/**/*.qhelp @hubwriter
6+
/csharp/**/*.qhelp @jf205
7+
/java/**/*.qhelp @felicitymay
8+
/javascript/**/*.qhelp @mchammer01
9+
/python/**/*.qhelp @felicitymay
10+
/docs/language/ @shati-patel @jf205
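Review bot: in CODEOWNERS the last matching pattern wins, so with `/cpp/**/*.qhelp @hubwriter` placed after `/cpp/ @Semmle/cpp-analysis`, review requests for C++ query help files now go to @hubwriter alone and no longer to @Semmle/cpp-analysis; the same applies to the Java and JavaScript qhelp lines relative to `/java/ @Semmle/java` and `/javascript/ @Semmle/js`. If both the docs owner and the language team should be requested, list both on the qhelp line, e.g. `/cpp/**/*.qhelp @hubwriter @Semmle/cpp-analysis`.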

CODE_OF_CONDUCT.md

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ Our community strives to:
1414
* Posting, or threatening to post, people’s personally identifying information (“doxing”).
1515
* Insults, especially those using discriminatory terms or slurs.
1616
* Behavior that could be perceived as sexual attention.
17-
* Advocating for or encouraging any of the above behaviors.
17+
* Advocating for or encouraging any of the above behaviors.
1818
* Understand disagreements: Disagreements, both social and technical, are useful learning opportunities. Seek to understand others’ viewpoints and resolve differences constructively.
1919

2020
This code is not exhaustive or complete. It serves to capture our common understanding of a productive, collaborative environment. We expect the code to be followed in spirit as much as in the letter.
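Review bot: the removed and added line 17 are identical as rendered here (`* Advocating for or encouraging any of the above behaviors.`), so the change must be whitespace or indentation only. That is invisible in review, so either state in the commit message what changed (trailing whitespace, list nesting) or drop the hunk if it was accidental.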

CONTRIBUTING.md

Lines changed: 43 additions & 3 deletions
@@ -1,10 +1,50 @@
11
# Contributing to QL
22

3-
We welcome contributions to our standard library and standard checks, got an idea for a new check, or how to improve an existing query? Then please go ahead an open a Pull Request!
3+
We welcome contributions to our standard library and standard checks. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request!
44

5-
Before we accept your pull request, we will require that you have agreed to our Contributor License Agreement, this is not something that you need to do before you submit your pull request, but until you've done so, we will be unable to accept your contribution.
5+
Before we accept your pull request, we require that you have agreed to our Contributor License Agreement, this is not something that you need to do before you submit your pull request, but until you've done so, we will be unable to accept your contribution.
66

7-
Please read our [QL Style Guide](docs/ql-style-guide.md) for information on how to format QL code in this repository.
7+
## Adding a new query
8+
9+
If you have an idea for a query that you would like to share with other Semmle users, please open a pull request to add it to this repository.
10+
Follow the steps below to help other users understand what your query does, and to ensure that your query is consistent with the other Semmle queries.
11+
12+
1. **Consult the QL documentation for query writers**
13+
14+
There is lots of useful documentation to help you write QL, ranging from information about query file structure to language-specific tutorials. For more information on the documentation available, see [Writing QL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
15+
16+
2. **Format your QL correctly**
17+
18+
All of Semmle's standard QL queries and libraries are uniformly formatted for clarity and consistency, so we strongly recommend that all QL contributions follow the same formatting guidelines. If you use QL for Eclipse, you can auto-format your query in the [QL editor](https://help.semmle.com/ql-for-eclipse/Content/WebHelp/ql-editor.html). For more information, see the [QL style guide](https://github.com/Semmle/ql/blob/master/docs/ql-style-guide.md).
19+
20+
3. **Make sure your query has the correct metadata**
21+
22+
Query metadata is used by Semmle's analysis to identify your query and make sure the query results are displayed properly.
23+
The most important metadata to include are the `@name`, `@description`, and the `@kind`.
24+
Other metadata properties (`@precision`, `@severity`, and `@tags`) are usually added after the query has been reviewed by Semmle staff.
25+
For more information on writing query metadata, see the [Query metadata style guide](https://github.com/Semmle/ql/blob/master/docs/query-metadata-style-guide.md).
26+
27+
4. **Make sure the `select` statement is compatible with the query type**
28+
29+
The `select` statement of your query must be compatible with the query type (determined by the `@kind` metadata property) for alert or path results to be displayed correctly in LGTM and QL for Eclipse.
30+
For more information on `select` statement format, see [Introduction to query files](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.
31+
32+
5. **Save your query in a `.ql` file in correct language directory in this repository**
33+
34+
There are five language-specific directories in this repository:
35+
36+
* C/C++: `ql/cpp/ql/src`
37+
* C#: `ql/csharp/ql/src`
38+
* Java: `ql/java/ql/src`
39+
* JavaScript: `ql/javascript/ql/src`
40+
* Python: `ql/python/ql/src`
41+
42+
Each language-specific directory contains further subdirectories that group queries based on their `@tags` properties or purpose. Select the appropriate subdirectory for your new query, or create a new one if necessary.
43+
44+
6. **Write a query help file**
45+
46+
Query help files explain the purpose of your query to other users. Write your query help in a `.qhelp` file and save it in the same directory as your new query.
47+
For more information on writing query help, see the [Query help style guide](https://github.com/Semmle/ql/blob/master/docs/query-help-style-guide.md).
848

949
## Using your personal data
1050

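Review bot: new line 5 keeps the comma splice from the old text; `Contributor License Agreement, this is not something` should read `Contributor License Agreement. This is not something`, and the sentence still gives no link to the CLA itself. In new step 5, `in correct language directory` is missing `the`, and the paths `ql/cpp/ql/src`, `ql/csharp/ql/src`, etc. include the checkout directory name: relative to the repository root they are `cpp/ql/src`, `csharp/ql/src` and so on (CODEOWNERS in this same commit uses `/cpp/` and `/java/`), so either drop the `ql/` prefix or say the paths are relative to the parent of the checkout. Finally, the old line 7 linked the style guide relatively (`docs/ql-style-guide.md`) while the new text links to `https://github.com/Semmle/ql/blob/master/...`; relative links keep working on forks and branches, so prefer them for the style guide, metadata guide and query help guide links.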
change-notes/1.22/analysis-cpp.md

Lines changed: 29 additions & 12 deletions
@@ -1,25 +1,42 @@
11
# Improvements to C/C++ analysis
22

3-
## General improvements
4-
5-
## New queries
6-
7-
| **Query** | **Tags** | **Purpose** |
8-
|-----------------------------|-----------|--------------------------------------------------------------------|
3+
The following changes in version 1.22 affect C/C++ analysis in all applications.
94

105
## Changes to existing queries
116

127
| **Query** | **Expected impact** | **Change** |
138
|----------------------------|------------------------|------------------------------------------------------------------|
14-
| Expression has no effect (`cpp/useless-expression`) | Fewer false positive results | Calls to functions with the `weak` attribute are no longer considered to be side effect free, because they could be overridden with a different implementation at link time. |
15-
| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | False positives involving strings that are not null-terminated have been excluded. |
9+
| Call to alloca in a loop (`cpp/alloca-in-loop`) | Fewer false positive results | The query no longer highlights code where the stack allocation could not be reached multiple times in the loop, typically due to a `break` or `return` statement. |
10+
| Continue statement that does not continue (`cpp/continue-in-false-loop`) | Fewer false positive results | Analysis is now restricted to `do`-`while` loops. This query is now run and displayed by default on LGTM. |
11+
| Expression has no effect (`cpp/useless-expression`) | Fewer false positive results | Calls to functions with the `weak` attribute are no longer considered to be side-effect free, because they could be overridden with a different implementation at link time. |
12+
| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | False positive results for strings that are not null-terminated have been excluded. |
13+
| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | The query was rewritten using the taint-tracking library. |
14+
| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive and more true positive results | The query now understands the direction of each comparison, making it more accurate. |
1615
| Suspicious pointer scaling (`cpp/suspicious-pointer-scaling`) | Lower precision | The precision of this query has been reduced to "medium". This coding pattern is used intentionally and safely in a number of real-world projects. Results are no longer displayed on LGTM unless you choose to display them. |
17-
| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Rewritten using the taint-tracking library. |
18-
| Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. |
16+
| Variable used in its own initializer (`cpp/use-in-own-initializer`) | Fewer false positive results | False positive results for constant variables with the same name in different namespaces have been removed. |
1917

2018
## Changes to QL libraries
2119

20+
- The data flow library (`semmle.code.cpp.dataflow.DataFlow`) has had the
21+
following improvements, all of which benefit the taint tracking library
22+
(`semmle.code.cpp.dataflow.TaintTracking`) as well.
23+
- This release includes preliminary support for interprocedural flow through
24+
fields (non-static data members). In some cases, data stored in a field in
25+
one function can now flow to a read of the same field in a different
26+
function.
27+
- The possibility of specifying barrier edges using
28+
`isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
29+
configurations has been replaced with the option of specifying in- and
30+
out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
31+
`isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
32+
as it does not require knowledge about the actual edges used internally by
33+
the library.
34+
- The library now models data flow through `std::swap`.
35+
- Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries.
36+
- In the `semmle.code.cpp.dataflow.TaintTracking` library, the second copy of `Configuration` has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name.
37+
- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
2238
- The predicate `Variable.getAnAssignedValue()` now reports assignments to fields resulting from aggregate initialization (` = {...}`).
2339
- The predicate `TypeMention.toString()` has been simplified to always return the string "`type mention`". This may improve performance when using `Element.toString()` or its descendants.
24-
- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
25-
- Fixed the `LocalScopeVariableReachability.qll` library's handling of loops with an entry condition is both always true upon first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries which depend on it.
40+
- Fixed the `LocalScopeVariableReachability.qll` library's handling of loops where the entry condition is always true on first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries that depend on it.
41+
- There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`.
42+
- C/C++ code examples have been added to QLDoc comments on many more classes in the QL libraries.
Lines changed: 41 additions & 27 deletions
@@ -1,29 +1,37 @@
11
# Improvements to C# analysis
22

3+
The following changes in version 1.22 affect C# analysis in all applications.
4+
35
## Changes to existing queries
46

57
| **Query** | **Expected impact** | **Change** |
68
|------------------------------|------------------------|-----------------------------------|
7-
| Added lines (`cs/vcs/added-lines-per-file`) | No results | Query has been removed. |
8-
| Churned lines (`cs/vcs/churn-per-file`) | No results | Query has been removed. |
99
| Constant condition (`cs/constant-condition`) | Fewer false positive results | Results have been removed for default cases (`_`) in switch expressions. |
10-
| Defect filter | No results | Query has been removed. |
11-
| Defect from SVN | No results | Query has been removed. |
12-
| Deleted lines (`cs/vcs/deleted-lines-per-file`) | No results | Query has been removed. |
1310
| Dispose may not be called if an exception is thrown during execution (`cs/dispose-not-called-on-throw`) | Fewer false positive results | Results have been removed where an object is disposed both by a `using` statement and a `Dispose` call. |
14-
| Files edited in pairs | No results | Query has been removed. |
15-
| Filter: only files recently edited | No results | Query has been removed. |
16-
| Large files currently edited | No results | Query has been removed. |
17-
| Metric from SVN | No results | Query has been removed. |
18-
| Number of authors (version control) (`cs/vcs/authors-per-file`) | No results | Query has been removed. |
19-
| Number of file-level changes (`cs/vcs/commits-per-file`) | No results | Query has been removed. |
20-
| Number of co-committed files (`cs/vcs/co-commits-per-file`) | No results | Query has been removed. |
21-
| Number of file re-commits (`cs/vcs/recommits-per-file`) | No results | Query has been removed. |
22-
| Number of recent file changes (`cs/vcs/recent-commits-per-file`) | No results | Query has been removed. |
23-
| Number of authors | No results | Query has been removed. |
24-
| Number of commits | No results | Query has been removed. |
25-
| Poorly documented files with many authors | No results | Query has been removed. |
26-
| Recent activity | No results | Query has been removed. |
11+
| Unchecked return value (`cs/unchecked-return-value`) | Fewer false positive results | Method calls that are expression bodies of `void` callables (for example, the call to `Foo` in `void Bar() => Foo()`) are no longer considered to use the return value. |
12+
13+
## Removal of old queries
14+
15+
The following historic queries are no longer available in the distribution:
16+
17+
* Added lines (`cs/vcs/added-lines-per-file`)
18+
* Churned lines (`cs/vcs/churn-per-file`)
19+
* Defect filter
20+
* Defect from SVN
21+
* Deleted lines (`cs/vcs/deleted-lines-per-file`)
22+
* Files edited in pairs
23+
* Filter: only files recently edited
24+
* Large files currently edited
25+
* Metric from SVN
26+
* Number of authors (version control) (`cs/vcs/authors-per-file`)
27+
* Number of file-level changes (`cs/vcs/commits-per-file`)
28+
* Number of co-committed files (`cs/vcs/co-commits-per-file`)
29+
* Number of file re-commits (`cs/vcs/recommits-per-file`)
30+
* Number of recent file changes (`cs/vcs/recent-commits-per-file`)
31+
* Number of authors
32+
* Number of commits
33+
* Poorly documented files with many authors
34+
* Recent activity
2735

2836
## Changes to code extraction
2937

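Review bot: the `Removal of old queries` list gives query IDs for the VCS queries but none for `Defect filter`, `Defect from SVN`, `Metric from SVN`, `Number of authors`, `Number of commits`, `Poorly documented files with many authors` and `Recent activity`. If those had IDs or file names in the previous distribution, add them here so that users maintaining custom query suites can find the entries they need to remove; if they never had IDs, say so, otherwise the list looks incomplete next to the rows it replaces.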
@@ -33,12 +41,18 @@
3341

3442
## Changes to QL libraries
3543

36-
* The new class `AnnotatedType` models types with type annotations, including nullability information, return kinds (`ref` and `readonly ref`), and parameter kinds (`in`, `out`, and `ref`)
37-
- The new predicate `Assignable.getAnnotatedType()` gets the annotated type of an assignable (such as a variable or a property)
38-
- The new predicates `Callable.getAnnotatedReturnType()` and `DelegateType.getAnnotatedReturnType()` get the annotated type of the return value
39-
- The new predicate `ArrayType.getAnnotatedElementType()` gets the annotated type of the array element
40-
- The new predicate `ConstructedGeneric.getAnnotatedTypeArgument()` gets the annotated type of a type argument
41-
- The new predicate `TypeParameterConstraints.getAnAnnotatedTypeConstraint()` gets a type constraint with type annotations
42-
* The new class `SuppressNullableWarningExpr` models suppress-nullable-warning expressions such as `x!`
43-
44-
## Changes to autobuilder
44+
* The new class `AnnotatedType` models types with type annotations, including nullability information, return kinds (`ref` and `readonly ref`), and parameter kinds (`in`, `out`, and `ref`).
45+
- The new predicate `Assignable.getAnnotatedType()` gets the annotated type of an assignable (such as a variable or a property).
46+
- The new predicates `Callable.getAnnotatedReturnType()` and `DelegateType.getAnnotatedReturnType()` gets the annotated type of the return value.
47+
- The new predicate `ArrayType.getAnnotatedElementType()` gets the annotated type of the array element.
48+
- The new predicate `ConstructedGeneric.getAnnotatedTypeArgument()` gets the annotated type of a type argument.
49+
- The new predicate `TypeParameterConstraints.getAnAnnotatedTypeConstraint()` gets a type constraint with type annotations.
50+
* The new class `SuppressNullableWarningExpr` models suppress-nullable-warning expressions such as `x!`.
51+
* The data-flow and taint-tracking libraries now support flow through fields. All existing configurations will have field-flow enabled by default, but it can be disabled by adding `override int fieldFlowBranchLimit() { result = 0 }` to the configuration class. Field assignments, `this.Foo = x`, object initializers, `new C() { Foo = x }`, and field initializers `int Foo = 0` are supported.
52+
* The possibility of specifying barrier edges using
53+
`isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
54+
configurations has been replaced with the option of specifying in- and
55+
out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
56+
`isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
57+
as it does not require knowledge about the actual edges used internally by
58+
the library.
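Review bot: new line 46 has a subject-verb disagreement: `The new predicates ... gets the annotated type` should be `get`. New line 51 is also hard to parse where the third item lacks the commas the first two have; `Field assignments (this.Foo = x), object initializers (new C() { Foo = x }), and field initializers (int Foo = 0) are supported.` reads cleanly. The same line documents the opt-out (`override int fieldFlowBranchLimit() { result = 0 }`), which is useful; the C++ notes in this commit announce field flow in the data flow library without mentioning any opt-out, so check whether that note should carry the equivalent sentence.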

0 commit comments