Merge branch 'main' into openssl-signatures

Author: GrosQuildu

cpp/ql/lib/change-notes/2025-05-28-using-template.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll

@@ -9,7 +9,7 @@ private import EVPHashInitializer
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 class EVP_Digest_Update_Call extends EVPUpdate {
-  EVP_Digest_Update_Call() { this.(Call).getTarget().getName() in ["EVP_DigestUpdate"] }
+  EVP_Digest_Update_Call() { this.(Call).getTarget().getName() = "EVP_DigestUpdate" }
 
   override Expr getInputArg() { result = this.(Call).getArgument(1) }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll

@@ -7,14 +7,12 @@ private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgor
  */
 class OpenSSLCall extends Call { }
 
-/**
- * All OpenSSL operations.
+ * A class for all OpenSSL operations.
  */
-abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof OpenSSLCall {
+abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
   /**
    * Expression that specifies the algorithm for the operation.
-   * Will be an argument of the operation in the simplest case
-   * and EVPPKeyAlgorithmConsumer's valueArgExpr in more complex cases.
+   * Will be an argument of the operation in the simplest case.
    */
   abstract Expr getAlgorithmArg();
 
@@ -37,12 +35,12 @@ abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Ope
  */
 abstract class EVPInitialize extends OpenSSLCall {
   /**
-   * The context argument that ties together initialization, updates and/or final calls.
+   * Gets the context argument that ties together initialization, updates and/or final calls.
    */
   Expr getContextArg() { result = this.(Call).getArgument(0) }
 
   /**
-   * The type of key operation, none if not applicable.
+   * Gets the type of key operation, none if not applicable.
    */
   Crypto::KeyOperationSubtype getKeyOperationSubtype() { none() }
 
@@ -54,12 +52,12 @@ abstract class EVPInitialize extends OpenSSLCall {
   Expr getAlgorithmArg() { none() }
 
   /**
-   * The key for the operation, none if not applicable.
+   * Gets the key for the operation, none if not applicable.
    */
   Expr getKeyArg() { none() }
 
   /**
-   * The IV/nonce, none if not applicable.
+   * Gets the IV/nonce, none if not applicable.
    */
   Expr getIVArg() { none() }
 }
@@ -69,9 +67,10 @@ abstract class EVPInitialize extends OpenSSLCall {
  * These are not operations in the sense of Crypto::OperationInstance,
  * but they are used to update the context for the operation.
  */
+
 abstract class EVPUpdate extends OpenSSLCall {
   /**
-   * The context argument that ties together initialization, updates and/or final calls.
+   * Gets the context argument that ties together initialization, updates and/or final calls.
    */
   Expr getContextArg() { result = this.(Call).getArgument(0) }
 
@@ -108,7 +107,7 @@ private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsu
  */
 abstract class EVPOperation extends OpenSSLOperation {
   /**
-   * The context argument that ties together initialization, updates and/or final calls.
+   * Gets the context argument that ties together initialization, updates and/or final calls.
    */
   Expr getContextArg() { result = this.(Call).getArgument(0) }
 
@@ -126,17 +125,15 @@ abstract class EVPOperation extends OpenSSLOperation {
   /**
    * Overwrite with an explicitly specified algorithm or leave base implementation to find it in the initialization call.
    */
-  override Expr getAlgorithmArg() {
-    if exists(this.getInitCall()) then result = this.getInitCall().getAlgorithmArg() else none()
-  }
+  override Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
 
   /**
    * Finds the initialization call, may be none.
    */
   EVPInitialize getInitCall() {
     CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
   }
-
+  
   Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
     result = DataFlow::exprNode(this.getOutputArg())
   }
@@ -165,14 +162,15 @@ abstract class EVPFinal extends EVPOperation {
   }
 
   /**
-   * The input data was provided to all update calls.
+   * Gets the input data was provided to all update calls.
    * If more input data was provided in the final call, override the method.
    */
   override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
 
   /**
-   * The output data was provided to all update calls.
+   * Gets the output data was provided to all update calls.
    * If more output data was provided in the final call, override the method.
    */
   override Expr getOutputArg() { result = this.getUpdateCalls().getOutputArg() }
 }
+

cpp/ql/lib/semmle/code/cpp/Namespace.qll

@@ -174,7 +174,27 @@ class UsingDeclarationEntry extends UsingEntry {
    */
   Declaration getDeclaration() { usings(underlyingElement(this), unresolveElement(result), _, _) }
 
-  override string toString() { result = "using " + this.getDeclaration().getDescription() }
+  /**
+   * Gets the member that is referenced by this using declaration, where the member depends on a
+   * type template parameter.
+   *
+   * For example:
+   * ```
+   * template <typename T>
+   * class A {
+   *   using T::m;
+   * };
+   * ```
+   * Here, `getReferencedMember()` yields the member `m` of `T`. Observe that,
+   * as `T` is not instantiated, `m` is represented by a `Literal` and not
+   * a `Declaration`.
+   */
+  Literal getReferencedMember() { usings(underlyingElement(this), unresolveElement(result), _, _) }
+
+  override string toString() {
+    result = "using " + this.getDeclaration().getDescription() or
+    result = "using " + this.getReferencedMember()
+  }
 }
 
 /**

cpp/ql/test/library-tests/comments/binding/commentBinding.expected

@@ -9,3 +9,6 @@
 | multi.c:5:27:5:36 | // Multi 3 | declaration of multi3 |
 | templates.cpp:3:3:3:8 | // Foo | declaration of foo |
 | templates.cpp:7:3:7:8 | // Bar | definition of bar |
+| templates.cpp:16:3:16:20 | // using T::member | using member |
+| templates.cpp:19:3:19:28 | // using T::nested::member | using member |
+| templates.cpp:25:3:25:20 | // using T::member | using member |

cpp/ql/test/library-tests/comments/binding/templates.cpp

@@ -10,3 +10,18 @@ class Cl {
   }
 };
 
+
+template <typename T>
+class Derived : public T {
+  // using T::member
+  using T::member;
+
+  // using T::nested::member
+  using T::nested::member;
+};
+
+template <typename T>
+class Base {
+  // using T::member
+  using T::member;
+};

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.4.rst

@@ -0,0 +1,187 @@
+.. _codeql-cli-2.21.4:
+
+==========================
+CodeQL 2.21.4 (2025-06-02)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.21.4 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE).
+
+CodeQL CLI
+----------
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The :code:`clang_vector_types`, :code:`clang_attributes`, and :code:`flax-vector-conversions` command line options have been removed from the C/C++ extractor. These options were introduced as workarounds to frontend limitations in earlier versions of the extractor and are no longer needed when calling the extractor directly.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.7.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added flow model for the :code:`SQLite` and :code:`OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
+
+C#
+""
+
+*   The precision of the query :code:`cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
+*   The queries :code:`cs/password-in-configuration`, :code:`cs/hardcoded-credentials` and :code:`cs/hardcoded-connection-string-credentials` have been removed from all query suites.
+*   The precision of the query :code:`cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant :code:`e1.Equals(e2)` implies :code:`e1.GetHashCode() == e2.GetHashCode()` are taken into account.
+*   The precision of the query :code:`cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to :code:`System.Text.CompositeFormat.Parse` are now considered a format like method call.
+
+Golang
+""""""
+
+*   The query :code:`go/hardcoded-credentials` has been removed from all query suites.
+
+Java/Kotlin
+"""""""""""
+
+*   The query :code:`java/hardcoded-credential-api-call` has been removed from all query suites.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The queries :code:`js/hardcoded-credentials` and :code:`js/password-in-configuration-file` have been removed from all query suites.
+
+Python
+""""""
+
+*   The query :code:`py/hardcoded-credentials` has been removed from all query suites.
+
+Ruby
+""""
+
+*   The query :code:`rb/hardcoded-credentials` has been removed from all query suites.
+
+Swift
+"""""
+
+*   The queries :code:`swift/hardcoded-key` and :code:`swift/constant-password` have been removed from all query suites.
+
+GitHub Actions
+""""""""""""""
+
+*   The query :code:`actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions :code:`deploy-pages`, :code:`delete-package-versions`, :code:`ai-inference`. This should lead to better alert messages and better fix suggestions.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   Fixed a problem where :code:`asExpr()` on :code:`DataFlow::Node` would never return :code:`ArrayAggregateLiteral`\ s.
+*   Fixed a problem where :code:`asExpr()` on :code:`DataFlow::Node` would never return :code:`ClassAggregateLiteral`\ s.
+
+Ruby
+""""
+
+*   Bug Fixes
+*   The Ruby printAst.qll library now orders AST nodes slightly differently: child nodes that do not literally appear in the source code, but whose parent nodes do, are assigned a deterministic order based on a combination of source location and logical order within the parent. This fixes the non-deterministic ordering that sometimes occurred depending on evaluation order. The effect may also be visible in downstream uses of the printAst library, such as the AST view in the VSCode extension.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Deleted the deprecated :code:`userInputArgument` predicate and its convenience accessor from the :code:`Security.qll`.
+*   Deleted the deprecated :code:`userInputReturned` predicate and its convenience accessor from the :code:`Security.qll`.
+*   Deleted the deprecated :code:`userInputReturn` predicate from the :code:`Security.qll`.
+*   Deleted the deprecated :code:`isUserInput` predicate and its convenience accessor from the :code:`Security.qll`.
+*   Deleted the deprecated :code:`userInputArgument` predicate from the :code:`SecurityOptions.qll`.
+*   Deleted the deprecated :code:`userInputReturned` predicate from the :code:`SecurityOptions.qll`.
+
+Swift
+"""""
+
+*   Deleted the deprecated :code:`parseContent` predicate from the :code:`ExternalFlow.qll`.
+*   Deleted the deprecated :code:`hasLocationInfo` predicate from the :code:`DataFlowPublic.qll`.
+*   Deleted the deprecated :code:`SummaryComponent` class from the :code:`FlowSummary.qll`.
+*   Deleted the deprecated :code:`SummaryComponentStack` class from the :code:`FlowSummary.qll`.
+*   Deleted the deprecated :code:`SummaryComponent` module from the :code:`FlowSummary.qll`.
+*   Deleted the deprecated :code:`SummaryComponentStack` module from the :code:`FlowSummary.qll`.
+*   Deleted the deprecated :code:`RequiredSummaryComponentStack` class from the :code:`FlowSummary.qll`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Improved analysis for :code:`ES6 classes` mixed with :code:`function prototypes`, leading to more accurate call graph resolution.
+
+Python
+""""""
+
+*   The Python extractor now extracts files in hidden directories by default. If you would like to skip files in hidden directories, add :code:`paths-ignore: ["**/.*/**"]` to your `Code Scanning config <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan>`__. If you would like to skip all hidden files, you can use :code:`paths-ignore: ["**/.*"]`. When using the CodeQL CLI for extraction, specify the configuration (creating the configuration file if necessary) using the :code:`--codescanning-config` option.
+
+Ruby
+""""
+
+*   Captured variables are currently considered live when the capturing function exits normally. Now they are also considered live when the capturing function exits via an exception.
+
+Swift
+"""""
+
+*   Updated to allow analysis of Swift 6.1.1.
+*   :code:`TypeValueExpr` experimental AST leaf is now implemented in the control flow library
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Java/Kotlin
+"""""""""""
+
+*   The predicate :code:`getValue()` on :code:`SpringRequestMappingMethod` is now deprecated. Use :code:`getAValue()` instead.
+*   Java now uses the shared :code:`BasicBlock` library. This means that the names of several member predicates have been changed to align with the names used in other languages. The old predicates have been deprecated. The :code:`BasicBlock` class itself no longer extends :code:`ControlFlowNode` - the predicate :code:`getFirstNode` can be used to fix any QL code that somehow relied on this.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added local flow source models for :code:`ReadFile`, :code:`ReadFileEx`, :code:`MapViewOfFile`, :code:`MapViewOfFile2`, :code:`MapViewOfFile3`, :code:`MapViewOfFile3FromApp`, :code:`MapViewOfFileEx`, :code:`MapViewOfFileFromApp`, :code:`MapViewOfFileNuma2`, and :code:`NtReadFile`.
+*   Added the :code:`pCmdLine` arguments of :code:`WinMain` and :code:`wWinMain` as local flow sources.
+*   Added source models for :code:`GetCommandLineA`, :code:`GetCommandLineW`, :code:`GetEnvironmentStringsA`, :code:`GetEnvironmentStringsW`, :code:`GetEnvironmentVariableA`, and :code:`GetEnvironmentVariableW`.
+*   Added summary models for :code:`CommandLineToArgvA` and :code:`CommandLineToArgvW`.
+*   Added support for :code:`wmain` as part of the ArgvSource model.
+
+Shared Libraries
+----------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Static Single Assignment (SSA)
+""""""""""""""""""""""""""""""
+
+*   Adjusted the Guards interface in the SSA data flow integration to distinguish :code:`hasBranchEdge` from :code:`controlsBranchEdge`. Any breakage can be fixed by implementing one with the other as a reasonable fallback solution.

docs/codeql/codeql-overview/codeql-changelog/index.rst

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.21.4
    codeql-cli-2.21.3
    codeql-cli-2.21.2
    codeql-cli-2.21.1