Merge branch 'main' into cklin/check-diff-informed · github/codeql@89ad2b4 · GitHub

Commit 89ad2b4

authored
Merge branch 'main' into cklin/check-diff-informed
2 parents 5bc962c + bfe3413 commit 89ad2b4


1,411 files changed

+147699
-13726
lines changed


1,411 files changed

+147699
-13726
lines changed

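--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -26,9 +26,8 @@ jobs:
 uses: ./go/actions/test
 
 test-win:
-if: github.repository_owner == 'github'
 name: Test Windows
-runs-on: windows-latest-xl
+runs-on: windows-latest
 steps:
 - name: Check out code
 uses: actions/checkout@v4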

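--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -68,7 +68,7 @@ jobs:
 DATABASE=$2
 cd codeql-$QL_VARIANT
 SHORTNAME=`basename $DATABASE`
-python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
+python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
 mkdir -p $MODELS/$SHORTNAME
 mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
 cd ..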
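Review bot: The rewritten command on new line 71 still passes `$DATABASE` and `$SHORTNAME/$QL_VARIANT` unquoted, so a database path containing whitespace or glob characters is split or expanded into extra arguments for `generate_mad.py`. `DATABASE` is assigned from `$2` three lines earlier and the origin of that value is outside the hunk, so this is hardening rather than a confirmed defect. Quoting the two operands would close it: `python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks "$DATABASE" "$SHORTNAME/$QL_VARIANT"`. The surrounding script block starts and ends outside the hunk, and its other unquoted expansions (`basename $DATABASE`, the `mkdir` and `mv` operands) would need the same treatment.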

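--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -32,7 +32,7 @@ jobs:
 if: github.repository_owner == 'github'
 strategy:
 matrix:
-runner: [ubuntu-latest, macos-13-xlarge]
+runner: [ubuntu-latest, macos-15-xlarge]
 fail-fast: false
 runs-on: ${{ matrix.runner }}
 steps: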

.gitignore

Lines changed: 5 additions & 0 deletions
@@ -62,6 +62,7 @@ node_modules/
6262

6363
# Temporary folders for working with generated models
6464
.model-temp
65+
10000 /mad-generation-build
6566

6667
# bazel-built in-tree extractor packs
6768
/*/extractor-pack
@@ -71,3 +72,7 @@ node_modules/
7172

7273
# cargo build directory
7374
/target
75+
76+
# some upgrade/downgrade checks create these files
77+
**/upgrades/*/*.dbscheme.stats
78+
**/downgrades/*/*.dbscheme.stats

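--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -17,6 +17,7 @@
 
 # Experimental CodeQL cryptography
 **/experimental/quantum/ @github/ps-codeql
+/shared/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers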

Cargo.lock

Lines changed: 46 additions & 0 deletions

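--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,6 +10,7 @@ members = [
 "rust/ast-generator",
 "rust/autobuild",
 ]
+exclude = ["mad-generation-build"]
 
 [patch.crates-io]
 # patch for build script bug preventing bazel build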

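--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
@@ -124,6 +124,7 @@ use_repo(
 "vendor_ts__tree-sitter-ruby-0.23.1",
 "vendor_ts__triomphe-0.1.14",
 "vendor_ts__ungrammar-1.16.1",
+"vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -193,10 +194,6 @@ use_repo(
 kotlin_extractor_deps,
 "codeql_kotlin_defaults",
 "codeql_kotlin_embeddable",
-"kotlin-compiler-1.5.0",
-"kotlin-compiler-1.5.10",
-"kotlin-compiler-1.5.20",
-"kotlin-compiler-1.5.30",
 "kotlin-compiler-1.6.0",
 "kotlin-compiler-1.6.20",
 "kotlin-compiler-1.7.0",
@@ -208,10 +205,7 @@ use_repo(
 "kotlin-compiler-2.0.20-Beta2",
 "kotlin-compiler-2.1.0-Beta1",
 "kotlin-compiler-2.1.20-Beta1",
-"kotlin-compiler-embeddable-1.5.0",
-"kotlin-compiler-embeddable-1.5.10",
-"kotlin-compiler-embeddable-1.5.20",
-"kotlin-compiler-embeddable-1.5.30",
+"kotlin-compiler-2.2.0-Beta1",
 "kotlin-compiler-embeddable-1.6.0",
 "kotlin-compiler-embeddable-1.6.20",
 "kotlin-compiler-embeddable-1.7.0",
@@ -223,10 +217,7 @@ use_repo(
 "kotlin-compiler-embeddable-2.0.20-Beta2",
 "kotlin-compiler-embeddable-2.1.0-Beta1",
 "kotlin-compiler-embeddable-2.1.20-Beta1",
-"kotlin-stdlib-1.5.0",
-"kotlin-stdlib-1.5.10",
-"kotlin-stdlib-1.5.20",
-"kotlin-stdlib-1.5.30",
+"kotlin-compiler-embeddable-2.2.0-Beta1",
 "kotlin-stdlib-1.6.0",
 "kotlin-stdlib-1.6.20",
 "kotlin-stdlib-1.7.0",
@@ -238,6 +229,7 @@ use_repo(
 "kotlin-stdlib-2.0.20-Beta2",
 "kotlin-stdlib-2.1.0-Beta1",
 "kotlin-stdlib-2.1.20-Beta1",
+"kotlin-stdlib-2.2.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")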

actions/ql/lib/CHANGELOG.md

Lines changed: 7 additions & 1 deletion
Lines changed: 3 additions & 1 deletion
Lines changed: 3 additions & 0 deletions
Lines changed: 1 addition & 1 deletion
@@ -1,2 +1,2 @@
11
---
2-
lastReleaseVersion: 0.4.8
2+
lastReleaseVersion: 0.4.9

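--- a/actions/ql/lib/ext/config/actions_permissions.yml
+++ b/actions/ql/lib/ext/config/actions_permissions.yml
@@ -22,16 +22,21 @@ extensions:
 - ["actions/stale", "pull-requests: write"]
 - ["actions/attest-build-provenance", "id-token: write"]
 - ["actions/attest-build-provenance", "attestations: write"]
+- ["actions/deploy-pages", "pages: write"]
+- ["actions/deploy-pages", "id-token: write"]
+- ["actions/delete-package-versions", "packages: write"]
 - ["actions/jekyll-build-pages", "contents: read"]
 - ["actions/jekyll-build-pages", "pages: write"]
 - ["actions/jekyll-build-pages", "id-token: write"]
 - ["actions/publish-action", "contents: write"]
-- ["actions/versions-package-tools", "contents: read"]
+- ["actions/versions-package-tools", "contents: read"]
 - ["actions/versions-package-tools", "actions: read"]
-- ["actions/reusable-workflows", "contents: read"]
+- ["actions/reusable-workflows", "contents: read"]
 - ["actions/reusable-workflows", "actions: read"]
+- ["actions/ai-inference", "contents: read"]
+- ["actions/ai-inference", "models: read"]
 # TODO: Add permissions for actions/download-artifact
 # TODO: Add permissions for actions/upload-artifact
+# No permissions needed for actions/upload-pages-artifact
 # TODO: Add permissions for actions/cache
-
-
+# No permissions needed for actions/configure-pages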
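Review bot: The new row `- ["actions/ai-inference", "contents: read"]` (new line 36) gives no reason why the action needs repository read access in addition to `models: read`. This table feeds the query's "minimal starting point" suggestion, and the updated expected output on this page now recommends `{contents: read, models: read}` for a job whose only step is this action. An entry broader than the action needs therefore becomes a broader recommended permission set for every workflow the query flags. If `contents: read` only matters when a workflow checks out a prompt file first, that need is better attributed to the checkout step, and the row could be dropped. Otherwise a one-line comment above the two rows stating why read access is required would let a later reviewer verify it.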

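--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.9-dev
+version: 0.4.10-dev
 library: true
 warnOnImplicitThis: true
 dependencies: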

actions/ql/src/CHANGELOG.md

Lines changed: 8 additions & 0 deletions
Lines changed: 4 additions & 0 deletions
Lines changed: 4 additions & 0 deletions
Lines changed: 3 additions & 0 deletions
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,2 @@
11
---
2-
lastReleaseVersion: 0.6.0
2+
lastReleaseVersion: 0.6.1
Lines changed: 3 additions & 1 deletion
@@ -1 +1,3 @@
1-
[]
1+
- queries: .
2+
- apply: code-quality-selectors.yml
3+
from: codeql/suite-helpers

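--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.1-dev
+version: 0.6.2-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]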
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
on:
2+
workflow_call:
3+
workflow_dispatch:
4+
5+
jobs:
6+
build:
7+
name: Build and test
8+
runs-on: ubuntu-latest
9+
steps:
10+
- uses: actions/ai-inference
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
on:
2+
workflow_call:
3+
workflow_dispatch:
4+
5+
jobs:
6+
build:
7+
name: Build and test
8+
runs-on: ubuntu-latest
9+
steps:
10+
- uses: actions/deploy-pages
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
on:
2+
workflow_call:
3+
workflow_dispatch:
4+
5+
jobs:
6+
build:
7+
name: Build and test
8+
runs-on: ubuntu-latest
9+
steps:
10+
- uses: actions/delete-package-versions

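--- a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
+++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -3,3 +3,6 @@
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
 | .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
+| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
+| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
+| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |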
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
#include "a.h"
2+
#define FOUR 4
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
int main() {
2+
return ONE + FOUR;
3+
}
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
#import "d.h"
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
int main() {
2+
return SEVENTEEN;
3+
}
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
#if 1
2+
#pragma hdrstop
3+
extern int x;
4+
#define SEEN_F
5+
#endif
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
#ifdef SEEN_F
2+
static int g() {
3+
return 20;
4+
}
5+
#endif
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
#include "h1.h"
2+
#pragma hdrstop
3+
#include "h2.h"
4+
#define SEEN_H

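--- a/cpp/ql/test/header-variant-tests/clang-pch/i.c
+++ b/cpp/ql/integration-tests/header-variant-tests/clang-pch/i.c
@@ -13,4 +13,3 @@ static int h2() {
 return 32;
 }
 #endif
-// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/h.pch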
