
Commit 235625d

Author: Esben Sparre Andreasen
Merge branch 'master' into js/vue-support-1
2 parents fb19032 + 09825f2 commit 235625d

474 files changed

Lines changed: 76236 additions & 75812 deletions


change-notes/1.20/analysis-cpp.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,4 +26,5 @@
2626

2727
## Changes to QL libraries
2828

29-
There is a new `Namespace.isInline()` predicate, which holds if the namespace was declared as `inline namespace`.
29+
* There is a new `Namespace.isInline()` predicate, which holds if the namespace was declared as `inline namespace`.
30+
* The `Expr.isConstant()` predicate now also holds for _address constant expressions_, which are addresses that will be constant after the program has been linked. These address constants do not have a result for `Expr.getValue()`.
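Review bot: the second bullet describes a behavioural change that breaks the common guard pattern `if e.isConstant() then ... e.getValue() ...`, because `isConstant()` now holds for address constant expressions that have no `getValue()` result; say so explicitly and tell query authors to guard with `exists(e.getValue())` whenever the value itself is needed, rather than leaving them to infer it from "These address constants do not have a result for `Expr.getValue()`".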

change-notes/1.20/analysis-csharp.md

Lines changed: 3 additions & 3 deletions
@@ -16,14 +16,14 @@
1616
| Dereferenced variable may be null (cs/dereferenced-value-may-be-null) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. |
1717
| SQL query built from user-controlled sources (cs/sql-injection), Improper control of generation of code (cs/code-injection), Uncontrolled format string (cs/uncontrolled-format-string), Clear text storage of sensitive information (cs/cleartext-storage-of-sensitive-information), Exposure of private information (cs/exposure-of-sensitive-information) | More results | Data sources have been added from user controls in `System.Windows.Forms`. |
1818
| Use of default ToString() (cs/call-to-object-tostring) | Fewer false positives | Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. |
19-
19+
| Use of default ToString() (cs/call-to-object-tostring) | Fewer results | Results have been removed when the object is an interface or an abstract class. |
20+
| Unused format argument (cs/format-argument-unused) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. |
21+
2022
## Changes to code extraction
2123

2224
* Fix extraction of `for` statements where the condition declares new variables using `is`.
2325
* Initializers of `stackalloc` arrays are now extracted.
2426

2527
## Changes to QL libraries
2628

27-
* The class `AccessorCall` (and subclasses `PropertyCall`, `IndexerCall`, and `EventCall`) have been redefined, so the expressions they represent are not necessarily the accesses themselves, but rather the expressions that give rise to the accessor calls. For example, in the property assignment `x.Prop = 0`, the call to the setter for `Prop` is no longer represented by the access `x.Prop`, but instead the whole assignment. Consequently, it is no longer safe to cast directly between `AccessorCall`s and `Access`es, and the predicate `AccessorCall::getAccess()` should be used instead.
28-
2929
## Changes to the autobuilder
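Review bot: deleting the `AccessorCall` bullet leaves `## Changes to QL libraries` with nothing between it and `## Changes to the autobuilder`; either drop the now-empty heading or confirm the note was moved to the correct release file. In the table above, there are now two rows for `Use of default ToString() (cs/call-to-object-tostring)`, one labelled "Fewer false positives" (the `char` array case) and one "Fewer results" (interfaces and abstract classes); merge them into a single row, and state whether the interface/abstract-class removal is also a false-positive fix, as the neighbouring row does, rather than the less informative "Fewer results".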

change-notes/1.20/analysis-java.md

Lines changed: 3 additions & 0 deletions
@@ -24,5 +24,8 @@
2424
`semmle.code.java.dataflow.DataFlow`,
2525
`semmle.code.java.dataflow.TaintTracking`, and
2626
`semmle.code.java.dataflow.FlowSources` since 1.16.
27+
* Taint tracking now includes additional default data-flow steps through
28+
collections, maps, and iterators. This affects all security queries, which
29+
can report more results based on such paths.
2730

2831
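Review bot: "Taint tracking now includes additional default data-flow steps" is ambiguous about who is affected: say whether the new collection, map and iterator steps are taint steps (so only `TaintTracking` configurations see them) or data-flow steps (which would also change `DataFlow` configuration results), since the sentence about security queries does not settle it. Also, "which can report more results based on such paths" reads better as "which may report additional results along such paths".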

change-notes/1.20/analysis-javascript.md

Lines changed: 6 additions & 0 deletions
@@ -10,11 +10,16 @@
1010

1111
* The taint tracking library now recognizes flow through persistent storage, class fields, and callbacks in certain cases. This may give more results for the security queries.
1212

13+
* Type inference for function calls has been improved. This may give additional results for queries that rely on type inference.
14+
15+
* The [Closure-Library](https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.provide) module system is now supported.
16+
1317
## New queries
1418

1519
| **Query** | **Tags** | **Purpose** |
1620
|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
1721
| Arrow method on Vue instance (`js/vue/arrow-method-on-vue-instance`) | reliability, frameworks/vue | Highlights arrow functions that are used as methods on Vue instances. Results are shown on LGTM by default.|
22+
| Cross-window communication with unrestricted target origin (`js/cross-window-information-leak`) | security, external/cwe/201, external/cwe/359 | Highlights code that sends potentially sensitive information to another window without restricting the receiver window's origin, indicating a possible violation of [CWE-201](https://cwe.mitre.org/data/definitions/201.html). Results are shown on LGTM by default. |
1823
| Double escaping or unescaping (`js/double-escaping`) | correctness, security, external/cwe/cwe-116 | Highlights potential double escaping or unescaping of special characters, indicating a possible violation of [CWE-116](https://cwe.mitre.org/data/definitions/116.html). Results are shown on LGTM by default. |
1924
| Incomplete regular expression for hostnames (`js/incomplete-hostname-regexp`) | correctness, security, external/cwe/cwe-020 | Highlights hostname sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default.|
2025
| Incomplete URL substring sanitization | correctness, security, external/cwe/cwe-020 | Highlights URL sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results shown on LGTM by default. |
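Review bot: the new `js/cross-window-information-leak` row tags its CWEs as `external/cwe/201, external/cwe/359`, while every other row in this table uses the `external/cwe/cwe-NNN` form (`external/cwe/cwe-116`, `external/cwe/cwe-020`); change it to `external/cwe/cwe-201, external/cwe/cwe-359` so the tags stay consistent. The new Closure-Library bullet says "module system" in general but links only to the `goog.module` wiki page; either state that `goog.provide`/`goog.require` style code is covered too, or narrow the wording to `goog.module`.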
@@ -28,6 +33,7 @@
2833
| **Query** | **Expected impact** | **Change** |
2934
|--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
3035
| Client-side cross-site scripting | More true-positive results, fewer false-positive results. | This rule now recognizes WinJS functions that are vulnerable to HTML injection, and no longer flags certain safe uses of jQuery. |
36+
| Hard-coded credentials | Fewer false-positive results | This rule no longer flag the empty string as a hardcoded username. |
3137
| Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |
3238
| Uncontrolled data used in network request | More results | This rule now recognizes host values that are vulnerable to injection. |
3339
| Unused parameter | Fewer false-positive results | This rule no longer flags parameters with leading underscore. |
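Review bot: grammar in the new "Hard-coded credentials" row: "This rule no longer flag the empty string as a hardcoded username" should read "no longer flags", and "hard-coded" should match the spelling used in the query name in the first column.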

cpp/ql/src/AlertSuppression.ql

Lines changed: 1 addition & 1 deletion
@@ -64,7 +64,7 @@ class SuppressionScope extends ElementBase {
6464
* The location spans column `startcolumn` of line `startline` to
6565
* column `endcolumn` of line `endline` in file `filepath`.
6666
* For more information, see
67-
* [LGTM locations](https://lgtm.com/help/ql/locations).
67+
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
6868
*/
6969
predicate hasLocationInfo(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
7070
this.(SuppressionComment).covers(filepath, startline, startcolumn, endline, endcolumn)
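Review bot: the same `hasLocationInfo` doc-comment link change from `https://lgtm.com/help/ql/locations` to `https://help.semmle.com/QL/learn-ql/ql/locations.html` is repeated verbatim in `CommentedOutCode.qll` and `CallableExtents.ql` below; before merging, grep the rest of the repository for `lgtm.com/help/ql/locations` so no stale copy of the old URL survives outside the three files touched here.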

cpp/ql/src/Critical/LargeParameter.cpp

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@ int doFoo(Names n) { //wrong: n is passed by value (meaning the entire structure
88
...
99
}
1010

11-
int doBar(Names &n) { //better, only a reference is passed
11+
int doBar(const Names &n) { //better, only a reference is passed
1212
...
1313
}
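Review bot: the comment on the changed line still says only "better, only a reference is passed", which was equally true of the old `Names &n`; since the point of adding `const` is that `doBar` can no longer modify the caller's object through the reference, say so in the comment, otherwise the example does not explain why `const Names &n` is preferred.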

cpp/ql/src/Critical/LargeParameter.ql

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
/**
22
* @name Large object passed by value
3-
* @description An object larger than 64 bytes is passed by value to a function. Passing large objects by value unnecessarily use up scarce stack space, increase the cost of calling a function and can be a security risk. Use a pointer to the object instead.
3+
* @description An object larger than 64 bytes is passed by value to a function. Passing large objects by value unnecessarily use up scarce stack space, increase the cost of calling a function and can be a security risk. Use a const pointer to the object instead.
44
* @kind problem
55
* @problem.severity warning
66
* @precision high
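Review bot: "Use a const pointer to the object instead" in `@description` does not match the example file, which demonstrates a const reference, nor the alert message, which says "const pointer/reference"; align all three (for example "Use a pointer or reference to const instead"). While touching this line, fix the subject-verb agreement: "Passing large objects by value unnecessarily uses up scarce stack space, increases the cost of calling a function and can be a security risk."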
@@ -20,5 +20,5 @@ where f.getAParameter() = p
2020
and not t.getUnderlyingType() instanceof ArrayType
2121
and not f instanceof CopyAssignmentOperator
2222
select
23-
p, "This parameter of type $@ is " + size.toString() + " bytes - consider passing a pointer/reference instead.",
23+
p, "This parameter of type $@ is " + size.toString() + " bytes - consider passing a const pointer/reference instead.",
2424
t, t.toString()
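Review bot: "const pointer/reference" in the alert message is ambiguous in C++: a const pointer (`T* const`) still lets the callee modify the pointed-to object, whereas what the query wants to recommend is a pointer or reference to const (`const T*` / `const T&`). Rephrase as "consider passing a pointer or reference to const instead" so the fix suggested to users is the one that actually prevents modification.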

cpp/ql/src/Documentation/CommentedOutCode.qll

Lines changed: 1 addition & 1 deletion
@@ -127,7 +127,7 @@ class CommentBlock extends Comment {
127127
* The location spans column `startcolumn` of line `startline` to
128128
* column `endcolumn` of line `endline` in file `filepath`.
129129
* For more information, see
130-
* [LGTM locations](https://lgtm.com/help/ql/locations).
130+
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
131131
*/
132132
predicate hasLocationInfo(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
133133
this.getLocation().hasLocationInfo(filepath, startline, startcolumn, _, _) and

cpp/ql/src/Likely Bugs/Likely Typos/LogicalExprCouldBeSimplified.ql

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ string comparisonOnLiterals(ComparisonOperation op) {
4343
simple(op.getLeftOperand()) and
4444
simple(op.getRightOperand()) and
4545
not op.getAnOperand().isInMacroExpansion() and
46-
if op.isConstant()
46+
if exists(op.getValue())
4747
then result = "This comparison involves two literals and is always " + op.getValue() + "."
4848
else result = "This comparison involves two literals and should be simplified."
4949
}
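Review bot: replacing `op.isConstant()` with `exists(op.getValue())` is the right guard now that `isConstant()` also holds for address constant expressions without a `getValue()` result (see the C++ change note in this commit), but nothing in the file records why; add a one-line comment above the `if` explaining that `isConstant()` must not be used here, otherwise a later cleanup could reintroduce it and the then-branch would bind no `result` for such a comparison, silently dropping the alert.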

cpp/ql/src/Metrics/Internal/CallableExtents.ql

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ class RangeFunction extends Function {
1717
* The location spans column `startcolumn` of line `startline` to
1818
* column `endcolumn` of line `endline` in file `filepath`.
1919
* For more information, see
20-
* [LGTM locations](https://lgtm.com/help/ql/locations).
20+
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
2121
*/
2222
predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
2323
super.getLocation().hasLocationInfo(path, sl, sc, _, _)
