Master-to-next merge #482

Closed
wants to merge 89 commits into from
89 commits
b058854
JavaScript: Teach type inference about AMD imports.
Nov 1, 2018
8a444b6
Update qhelp with content and remove autogenerated qhelp files
Nov 8, 2018
3d779dd
Bring qhelp inline with current guidelines
Nov 8, 2018
48a7565
Fix tag error spotted by PR check
Nov 8, 2018
0fb7ddc
C#: Add assertion guard tests
hvitved Oct 26, 2018
5921a9e
C#: Teach guards library about assertions
hvitved Oct 26, 2018
a5dfc10
C#: Add tests for custom null guards
hvitved Nov 6, 2018
e4aa196
C#: Teach guards library about custom null guards
hvitved Nov 6, 2018
29f163f
C#: Fix guards implications logic
hvitved Nov 6, 2018
c14ebac
JavaScript: Port regular expression parser to Java.
Nov 9, 2018
f06cef5
JavaScript: Port JSDoc parser to Java.
Nov 9, 2018
f26d47a
JavaScript: Bump extractor version.
Nov 9, 2018
032ed12
JavaScript: Use in-dist trap cache when extracting externs.
Nov 9, 2018
01b43df
JavaScript: Make in-dist trap cache read-only.
Nov 12, 2018
72ac2e5
Fix typos
Nov 12, 2018
978fc49
Fix syntax errors in qhelp files
Nov 12, 2018
2e8f51a
Update to bring into line with current guidelines
Nov 12, 2018
0593081
Update for feedback
Nov 12, 2018
2847d5e
Replace '&' symbols in URL
Nov 12, 2018
d9d4051
JavaScript: Extract auxiliary method.
Nov 13, 2018
851e71c
JavaScript: Warn about externs trap cache absence/miss.
Nov 13, 2018
a5d50fc
C#: Handle `in` arguments, and add `AssignableAccess::isInArgument()`…
calumgrant Nov 8, 2018
9f04ace
C#: Update change notes.
calumgrant Nov 8, 2018
411891c
Java: Don't inherit methods from co-/contra-variant supertypes.
aschackmull Nov 9, 2018
fe8dfee
Java: Add some this-qualifiers.
aschackmull Nov 13, 2018
c6af799
Update for feedback
Nov 13, 2018
c51cd50
JavaScript: Remove a few unnecessary imports.
Nov 8, 2018
9b4ae9e
JavaScript: Refactor `HostHeaderPoisoningInEmailGeneration` query.
Nov 8, 2018
65bcf0f
JavaScript: Refactor security queries for uniformity.
Nov 8, 2018
60a1357
JavaScript: Make all taint-based security queries have `@kind path-pr…
Nov 8, 2018
4860364
JavaScript: Add explicit `nodes` query predicate in `PathGraph`.
Nov 12, 2018
8d87f55
JavaScript: Add `import DataFlow::PathGraph`.
Nov 8, 2018
11d6259
JavaScript: Move from `Node` to `PathNode`.
Nov 8, 2018
d5af008
JavaScript: Adjust `ConditionalBypass` query.
Nov 8, 2018
e365b72
JavaScript: Select `source` and `sink` in all path queries.
Nov 8, 2018
52ae757
JavaScript: Select `Node`s (instead of `PathNode`s) everywhere.
Nov 8, 2018
d57b5d9
JavaScript: Remove `ReflectdXssPath.ql`, which is now spurious.
Nov 8, 2018
9221b62
JavaScript: Update expected test output for security path queries to i…
Nov 8, 2018
d6198fc
JavaScript: Introduce two more short-circuiting conjuncts.
Oct 17, 2018
4112af5
JavaScript: Add change note.
Nov 14, 2018
3fcd02a
JavaScript: Rename `hasPathFlow` to `hasFlowPath` for consistency wit…
Nov 14, 2018
a441bfb
JavaScript: Add a convenience method to `AMDModuleDefinition`.
Nov 14, 2018
6f6b3b0
JavaScript: Add a convenience method to `SourceNode` and use it in a …
Nov 14, 2018
a066749
Merge pull request #464 from esben-semmle/js/fixup-suite-master
adityasharad Nov 14, 2018
19b9b85
JavaScript: Add change note.
Nov 14, 2018
77213aa
Merge pull request #462 from xiemaisi/js/security-paths
semmle-qlci Nov 14, 2018
025054e
Merge pull request #461 from xiemaisi/js/bye-bye-rhino
semmle-qlci Nov 14, 2018
5506cec
JavaScript: Remove `esregex`.
Nov 9, 2018
2cd5702
JavaScript: Remove `doctrine`.
Nov 9, 2018
585347f
JavaScript: Remove obsolete Rhino interface classes.
Nov 9, 2018
406511f
JavaScript: Update `.classpath`.
Nov 9, 2018
77ca0cf
Merge pull request #438 from felicity-semmle/cpp/SD-2777-delete-poor-…
geoffw0 Nov 14, 2018
50a905d
Merge pull request #459 from aschackmull/java/inherit-fix
yh-semmle Nov 14, 2018
4a14bef
Merge pull request #466 from xiemaisi/js/more-data-flow-predicates
semmle-qlci Nov 14, 2018
df202ef
Merge pull request #468 from xiemaisi/js/has{Path,Flow}+
asger-semmle Nov 14, 2018
01de416
Merge pull request #453 from felicity-semmle/cpp/SD-2777-cwe-qhelp-2
geoffw0 Nov 14, 2018
6312f31
Remove the duplicate overview tag
Nov 14, 2018
fbf5a05
Remove stray </p> tag
Nov 15, 2018
1776ebd
Fix typo in code tag
Nov 15, 2018
fb19084
Merge pull request #469 from xiemaisi/js/bye-bye-rhino
asger-semmle Nov 15, 2018
185700a
Merge pull request #437 from calumgrant/cs/in-parameters
hvitved Nov 15, 2018
03b8ed6
C#: Fix indentation in change notes.
calumgrant Nov 15, 2018
5f118d4
Merge pull request #477 from calumgrant/cs/indent-change-notes
hvitved Nov 15, 2018
0d7c5ea
Merge pull request #441 from felicity-semmle/cpp/SD-2777-cwe-qhelp
geoffw0 Nov 15, 2018
737ec70
Merge pull request #460 from xiemaisi/js/in-dist-trap-cache
asger-semmle Nov 15, 2018
536f3f3
Merge pull request #428 from hvitved/csharp/more-guards
semmle-qlci Nov 15, 2018
bb49fe1
C# extractor: Handle the type name of `dynamic`.
calumgrant Oct 31, 2018
090e896
C#: Change Property TagStackBehaviour to push a tag, to give the expr…
calumgrant Nov 15, 2018
9eed758
C#: Update change notes.
calumgrant Oct 31, 2018
57bbe02
Merge pull request #393 from calumgrant/cs/extractor/dynamic-type-name
hvitved Nov 16, 2018
0647743
Merge pull request #467 from xiemaisi/js/amd-imports
semmle-qlci Nov 16, 2018
b5d3dd5
TS: do more work in parallel
asger-semmle Nov 12, 2018
6ec13fe
JS: recognize sanitizing slashes in URL redirection queries
asger-semmle Nov 8, 2018
0153a47
JS: add change note
asger-semmle Nov 8, 2018
dd5f485
JS: use original sanitizer for SSRF query
asger-semmle Nov 9, 2018
c06c9a0
JS: fix copy pasta and test output
asger-semmle Nov 12, 2018
437b2c1
Java: Cosmetic changes and missing overrides.
aschackmull Nov 14, 2018
5e03b6f
Java: Convert security queries to path-problems.
aschackmull Nov 14, 2018
deb61d6
Java: Update test output.
aschackmull Nov 15, 2018
918fc90
Java: Add change note.
aschackmull Nov 16, 2018
d839fcd
TS: refactor to fix AutoBuildTest
asger-semmle Nov 16, 2018
a35061e
TS: don't create JSON nodes in convertJsxSelfClosingElement
asger-semmle Nov 14, 2018
84c1ba0
TS: fix the fix
asger-semmle Nov 16, 2018
1aa5e24
C#: Remove duplicate results from cs/use-of-vulnerable-package
calumgrant Nov 16, 2018
47b9218
Merge pull request #480 from aschackmull/java/path-problem-conversion
yh-semmle Nov 19, 2018
128118c
Merge pull request #481 from asger-semmle/typescript-jsx
semmle-qlci Nov 19, 2018
328c86c
Merge pull request #479 from asger-semmle/typescript-extractor-perf1
semmle-qlci Nov 19, 2018
9e4aeb3
Merge pull request #436 from asger-semmle/url-concat
semmle-qlci Nov 19, 2018
dd4c965
Merge pull request #483 from calumgrant/cs/vulnerable-package
hvitved Nov 19, 2018
5 changes: 5 additions & 0 deletions change-notes/1.19/analysis-csharp.md
Expand Up @@ -20,7 +20,12 @@
| Cross-site scripting (`cs/web/xss`) | More results | This query now finds cross-site scripting vulnerabilities in ASP.NET Core applications. |
| *@name of query (Query ID)*| *Impact on results* | *How/why the query has changed* |

## Changes to code extraction

* Arguments passed using `in` are now extracted.
* Fix a bug where the `dynamic` type name was not extracted correctly in certain circumstances.

## Changes to QL libraries

* `getArgument()` on `AccessorCall` has been improved so it now takes tuple assignments into account. For example, the argument for the implicit `value` parameter in the setter of property `P` is `0` in `(P, x) = (0, 1)`. Additionally, the argument for the `value` parameter in compound assignments is now only the expanded value, for example, in `P += 7` the argument is `P + 7` and not `7`.
* The predicate `isInArgument()` has been added to the `AssignableAccess` class. This holds for expressions that are passed as arguments using `in`.
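Review bot: the two new bullets under "Changes to code extraction" mix voice: "Arguments passed using `in` are now extracted." states an outcome, while "Fix a bug where the `dynamic` type name was not extracted correctly in certain circumstances." reads as an imperative commit title. Rewrite the second as "Fixed a bug where ...", and since "in certain circumstances" does not let a reader tell whether their database was affected, either name the circumstance under which the `dynamic` type name was extracted wrongly or drop the qualifier.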
2 changes: 2 additions & 0 deletions change-notes/1.19/analysis-java.md
Expand Up @@ -2,6 +2,8 @@

## General improvements

* Where applicable, path explanations have been added to the security queries.

## New queries

| **Query** | **Tags** | **Purpose** |
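Review bot: "Where applicable, path explanations have been added to the security queries." describes the visible effect but not the format change behind it. The commit list on this PR shows these queries were converted to `@kind path-problem` and now select `source` and `sink` path nodes, which changes the shape of the results for anyone consuming query output programmatically. Say so in the note, and consider listing the affected queries.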
6 changes: 6 additions & 0 deletions change-notes/1.19/analysis-javascript.md
Expand Up @@ -6,13 +6,17 @@

* The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.

* Support for AMD modules has been improved. This may give additional results for the security queries as well as any queries that use type inference on code bases that use such modules.

* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
- file system access, for example through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby)
- outbound network access, for example through the [fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API)
- the [lodash](https://lodash.com), [underscore](https://underscorejs.org/), [async](https://www.npmjs.com/package/async) and [async-es](https://www.npmjs.com/package/async-es) libraries

* Type inference for function calls has been improved. This may give additional results for queries that rely on type inference.

* Where applicable, path explanations have been added to the security queries.

## New queries

| **Query** | **Tags** | **Purpose** |
Expand Down Expand Up @@ -45,6 +49,8 @@
| Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. |
| Useless assignment to local variable | Fewer false-positive results | This rule now recognizes additional ways default values can be set. |
| Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. |
| Client-side URL redirect | Fewer false-positive results | This rule now recognizes safe redirects in more cases. |
| Server-side URL redirect | Fewer false-positive results | This rule now recognizes safe redirects in more cases. |

## Changes to QL libraries

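Review bot: the two new rows "Client-side URL redirect" and "Server-side URL redirect" are appended after "Whitespace contradicts operator precedence" although the surrounding rows of this table are in alphabetical order; move them up to keep the order. Also, "recognizes safe redirects in more cases" is vague for a note explaining fewer false positives: the commit "JS: recognize sanitizing slashes in URL redirection queries" names the new sanitizer, so state it here so readers can tell whether their own redirect checks are the ones now treated as safe.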

This file was deleted.

@@ -1,6 +1,6 @@
/**
* @name Class hierarchies
* @description Shows classes and their base classes.
* @description Shows an inheritance hierarchy for classes and their base classes.
* @kind graph
* @id cpp/architecture/class-hierarchies
* @graph.layout organic

This file was deleted.

@@ -1,6 +1,6 @@
/**
* @name Hub classes
* @description Shows coupling between classes; red, large boxes are hub types that depend on many other classes
* @description Shows coupling between classes. Large, red, boxes are hub types that depend on many other classes
* and are depended on by many other classes.
* @kind treemap
* @id cpp/architecture/hub-classes
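Review bot: the new description line has a stray comma: "Large, red, boxes are hub types that depend on many other classes" should read "Large, red boxes are hub types that depend on many other classes".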
Expand Up @@ -5,44 +5,30 @@


<overview>
<p>This query shows the distribution of inheritance depth across all types, i.e. classes. Library types are ignored.</p>
<p>This query shows the distribution of inheritance depth across all types, that is, classes. Library types are ignored.</p>

<p>The result of this query is a line graph showing, for each number <i>n</i>, how many types have an inheritance depth of <i>n</i>, where
the inheritance depth of a type is the length of a longest path in the inheritance hierarchy from top class to the type.</p>

<p>When hovering the mouse pointer over a specific depth value, the number of types having this inheritance depth is displayed.</p>

</overview>
<section title="How to Address the Query Results">

<recommendation>
<p>The depth of a type is an indication of how deeply nested a type is in a given design.
Very deep types can be an indication of over-engineering, whereas a system with predominantly shallow types
may not be exploiting object-orientation to the full.</p>
</recommendation>





</section>
<references>
<li>
Shyam R. Chidamber and Chris F. Kemerer.
<a href="http://www.pitt.edu/~ckemerer/CK%20research%20papers/MetricForOOD_ChidamberKemerer94.pdf">A Metrics Suite for Object Oriented Design
</a>.
Shyam R. Chidamber and Chris F. Kemerer,
<i><a href="http://www.pitt.edu/~ckemerer/CK%20research%20papers/MetricForOOD_ChidamberKemerer94.pdf">A Metrics Suite for Object Oriented Design
</a></i>.
IEEE Transactions on Software Engineering,
20(6), pages 476-493, June 1994.

20(6), pages 476-493, June 1994.</li>


<a href="http://www.dmst.aueb.gr/dds/index.en.html">Diomides D. Spinnelis</a>.
<a href="http://www.spinellis.gr/codequality/">Code Quality: The Open Source Perspective</a>.
Addison-Wesley 2007.



<a href="http://www.dmst.aueb.gr/dds/index.en.html">Diomides D. Spinnelis</a>.
<a href="http://www.spinellis.gr/sw/ckjm/">ckjm - Chidamber and Kemerer Java Metrics</a>.
(implementation of CK metrics), 2006.



</li></references></qhelp>
<li>
Lutz Prechelt, Barbara Unger, Michael Philippsen, and Walter Tich, <i><a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.159.2229&amp;rep=rep1&amp;type=pdf">A Controlled Experiment on Inheritance Depth as a Cost Factor for Code Maintenance
</a></i>.
Journal of Systems and Software, 65 (2):115-126, 2003.
</li>
</references>
</qhelp>
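Review bot: the new reference misspells an author: "Walter Tich" should be "Walter Tichy" (Prechelt, Unger, Philippsen and Tichy, Journal of Systems and Software, 2003). The two references also use different volume and page styles, "20(6), pages 476-493, June 1994." versus "65 (2):115-126, 2003."; pick one. Note that the hunk drops the two Spinellis references (Code Quality and ckjm) entirely rather than fixing their misspelt author name; if that is intended, fine, otherwise restore them with the name corrected to Diomidis D. Spinellis, which is what the linked spinellis.gr pages use.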
@@ -1,6 +1,6 @@
/**
* @name Inheritance depth distribution
* @description Shows distribution of inheritance depth across all classes.
* @description Shows the distribution of inheritance depth across all classes.
* @kind chart
* @id cpp/architecture/inheritance-depth-distribution
* @chart.type line
Expand Up @@ -7,19 +7,15 @@
<overview>
<p>This query shows namespaces that cyclically depend
on one another.</p>

<p />

</overview>
<section title="How to Address the Query Results">
<p>If there are cyclic dependencies between packages, they cannot be developed and tested independently. It is thus preferable to
eliminate such cycles from the program.</p>




<recommendation>
<p>If there are cyclic dependencies between packages, they cannot be developed and tested independently.
It is better to eliminate such cycles from the program.</p>
</recommendation>

</section>
<references>
<li>Robert Martin's <a href="https://drive.google.com/file/d/0BwhCYaYDn8EgOGM2ZGFhNmYtNmE4ZS00OGY5LWFkZTYtMjE0ZGNjODQ0MjEx/view">Acyclic Dependencies Principle</a>.
</li></references></qhelp>
</li>
</references>
</qhelp>
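Review bot: the rewritten recommendation still says "cyclic dependencies between packages" while the overview, the query id and the results are about namespaces; use "namespaces" so the recommendation matches what is reported. The reference entry is a bare Google Drive link; a citation with the paper's author and title in the link text and a stable URL would age better than a drive file id.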
Expand Up @@ -5,18 +5,15 @@


<overview>
<p>This query finds classes that belong to no namespace</p>

<p>This query finds classes that belong to no namespace.</p>
</overview>
<section title="How to Address the Query Results">
<p>If there are too many classes that belong to no namespace, consider creating namespaces to get a better project structure.</p>



<recommendation>
<p>If there are many classes that belong to no namespace, consider defining namespaces to create a better project structure.</p>
</recommendation>


</section>
<references>

<li>C++ reference: <a href="https://en.cppreference.com/w/cpp/language/namespace">Namespaces</a>
</li>
</references>
</qhelp>
@@ -1,6 +1,6 @@
/**
* @name Global namespace classes
* @description Finds classes that belong to no namespace
* @description Finds classes that belong to no namespace.
* @kind table
* @id cpp/architecture/global-namespace-classes
*/

This file was deleted.

@@ -1,6 +1,6 @@
/**
* @name Namespace dependencies
* @description Shows dependencies between namespaces.
* @description Shows dependencies between namespaces as a hierarchical graph.
* @kind graph
* @id cpp/architecture/namespace-dependencies
* @graph.layout hierarchical
16 changes: 6 additions & 10 deletions cpp/ql/src/Best Practices/RuleOfThree.qhelp
Expand Up @@ -8,17 +8,13 @@
<p>This query finds classes that define a destructor, a copy constructor, or a copy assignment operator, but not all three of them. The compiler generates default implementations for these functions, and since they deal with similar concerns it is likely that if the default implementation of one of them is not satisfactory, then neither are those of the others.</p>

<p>The query flags any such class with a warning, and also display the list of generated warnings in the result view.</p>

</overview>
<section title="How to Address the Query Results">
<p>Explicitly define the missing functions.</p>




<recommendation>
<p>Explicitly define the missing functions.</p>
</recommendation>

</section>
<references>
<li><a href="http://en.wikipedia.org/wiki/Rule_of_three_(C%2B%2B_programming)">Wikipedia article</a>

</li></references></qhelp>
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Rule_of_three_(C%2B%2B_programming)">Rule of three (C++ programming)</a></li>
</references>
</qhelp>
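Review bot: the unchanged context line "The query flags any such class with a warning, and also display the list of generated warnings in the result view." has a subject-verb error ("display" should be "displays"); since this hunk is the guideline clean-up of the file, fix it here rather than leave it for another pass.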
25 changes: 14 additions & 11 deletions cpp/ql/src/Critical/DeadCodeCondition.qhelp
Expand Up @@ -5,23 +5,26 @@


<overview>
<p>This rule finds branching statements with conditions that always evaluate to the same value.
More likely than not these conditions indicate a defect in the branching condition or are an artifact left behind after debugging.</p>
<p>This query finds branching statements with conditions that always evaluate to the same value.
It is likely that these conditions indicate an error in the branching condition.
Alternatively, the conditions may have been left behind after debugging.</p>

<include src="aliasAnalysisWarning.qhelp" />

</overview>
<recommendation>
<p>Check the branch condition for defects, and verify that it isn't a remnant from debugging.</p>

<recommendation>
<p>Check the branch condition for logic errors. Check whether it is still required.</p>
</recommendation>
<example><sample src="DeadCodeCondition.cpp" />






<example>
<p>This example shows two branch conditions that always evaluate to the same value.
The two conditions and their associated branches should be deleted.
This will simplify the code and make it easier to maintain.</p>

<sample src="DeadCodeCondition.cpp" />
</example>

<references>
<li>SEI CERT C++ Coding Standard <a href="https://wiki.sei.cmu.edu/confluence/display/c/MSC12-C.+Detect+and+remove+code+that+has+no+effect+or+is+never+executed">MSC12-C. Detect and remove code that has no effect or is never executed</a>.</li>
</references>
</qhelp>
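Review bot: the new example paragraph ("The two conditions and their associated branches should be deleted.") contradicts the recommendation just above it, which tells the reader to check the condition for logic errors: a condition that always evaluates the same way may be a mistake in the condition, and then the fix is to correct it, not to delete the branch. Deleting a branch whose condition is always true also removes code that actually runs. Qualify the example so that removal is presented as the right fix only when the constant condition is intended and the branch is genuinely redundant.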
2 changes: 1 addition & 1 deletion cpp/ql/src/Critical/DeadCodeFunction.cpp
Expand Up @@ -2,7 +2,7 @@ class C {
public:
void g() {
...
//f() was previously used but is now commented, orphaning f()
//f() was previously used but is now commented-out, orphaning f()
//f();
...
}
25 changes: 14 additions & 11 deletions cpp/ql/src/Critical/DeadCodeFunction.qhelp
Expand Up @@ -3,28 +3,31 @@
"qhelp.dtd">
<qhelp>


<overview>
<p>This rule finds functions that are non-public, non-virtual and are never called. Dead functions are often deprecated pieces of code, and should be removed
as they may increase object code size, decrease code comprehensibility, and create the possibility of misuse.</p>
<p>This query highlights functions that are non-public, non-virtual, and are never called.
Dead functions are often deprecated pieces of code, and should be removed.
If left in the code base they increase object code size, decrease code comprehensibility, and create the possibility of misuse.</p>

<p>
<code>public</code> and <code>protected</code> functions are not considered by the check, as they could be part of the program's
API and could be used by external programs.
<code>public</code> and <code>protected</code> functions are ignored by this query.
This type of function may be part of the program's API and could be used by external programs.
</p>

<include src="callGraphWarning.qhelp" />

</overview>
<recommendation>
<p>Consider removing the function.</p>

<recommendation>
<p>Verify that the function is genuinely unused and consider removing it.</p>
</recommendation>
<example><sample src="DeadCodeFunction.cpp" />



<example>
<p>The example below includes a function <code>f</code> that is no longer used and should be deleted.</p>
<sample src="DeadCodeFunction.cpp" />
</example>

<references>
<li>SEI CERT C++ Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/MSC12-C.+Detect+and+remove+code+that+has+no+effect+or+is+never+executed">MSC12-C. Detect and remove code that has no effect or is never executed</a>.</li>
</references>

</example>
</qhelp>
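Review bot: "Dead functions are often deprecated pieces of code" uses "deprecated" where "obsolete" is meant; a deprecated function is still reachable but discouraged, whereas this query reports functions that are never called. The example text is also stronger than the recommendation: the recommendation says "Verify that the function is genuinely unused and consider removing it", but the example says `f` "should be deleted" outright. Align the two, since the `callGraphWarning.qhelp` include kept in the overview exists precisely because an unused-looking function may still be reachable.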
2 changes: 1 addition & 1 deletion cpp/ql/src/Critical/DeadCodeFunction.ql
@@ -1,6 +1,6 @@
/**
* @name Function is never called
* @description A function is never called, and should be considered for removal. Unused functions may increase object size, decrease readability and create the possibility of misuse.
* @description Unused functions may increase object size, decrease readability, and create the possibility of misuse.
* @kind problem
* @id cpp/dead-code-function
* @problem.severity warning