Merge branch 'main' into post-release-prep/codeql-cli-2.23.6

redsun82 · web-flow · commit 48ee9dd1496d · 2025-11-18T12:18:09.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/Function.qll b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -171,12 +171,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Gets the nth parameter of this function. There is no result for the
    * implicit `this` parameter, and there is no `...` varargs pseudo-parameter.
    */
+  pragma[nomagic]
   Parameter getParameter(int n) { params(unresolveElement(result), underlyingElement(this), n, _) }
 
   /**
    * Gets a parameter of this function. There is no result for the implicit
    * `this` parameter, and there is no `...` varargs pseudo-parameter.
    */
+  pragma[nomagic]
   Parameter getAParameter() { params(unresolveElement(result), underlyingElement(this), _, _) }
 
   /**
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs
@@ -360,5 +360,22 @@ private static string Version
                 return versionString.InformationalVersion;
             }
         }
+
+        private static readonly HashSet<string> errorsToIgnore = new HashSet<string>
+        {
+            "CS7027",   // Code signing failure
+            "CS1589",   // XML referencing not supported
+            "CS1569"    // Error writing XML documentation
+        };
+
+        /// <summary>
+        /// Retrieves the diagnostics from the compilation, filtering out those that should be ignored.
+        /// </summary>
+        protected List<Diagnostic> GetFilteredDiagnostics() =>
+            compilation is not null
+                ? compilation.GetDiagnostics()
+                    .Where(e => e.Severity >= DiagnosticSeverity.Error && !errorsToIgnore.Contains(e.Id))
+                    .ToList()
+                : [];
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs
@@ -13,13 +13,22 @@ public StandaloneAnalyser(IProgressMonitor pm, ILogger logger, PathTransformer p
         {
         }
 
+        private void LogDiagnostics()
+        {
+            foreach (var error in GetFilteredDiagnostics())
+            {
+                Logger.LogDebug($"  Compilation error: {error}");
+            }
+        }
+
         public void Initialize(string outputPath, IEnumerable<(string, string)> compilationInfos, CSharpCompilation compilationIn, CommonOptions options)
         {
             compilation = compilationIn;
             ExtractionContext = new ExtractionContext(Directory.GetCurrentDirectory(), [], outputPath, compilationInfos, Logger, PathTransformer, ExtractorMode.Standalone, options.QlTest);
             this.options = options;
             LogExtractorInfo();
             SetReferencePaths();
+            LogDiagnostics();
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs
@@ -136,32 +136,21 @@ internal static string GetOutputName(CSharpCompilation compilation,
 
         private int LogDiagnostics()
         {
-            var filteredDiagnostics = compilation!
-                .GetDiagnostics()
-                .Where(e => e.Severity >= DiagnosticSeverity.Error && !errorsToIgnore.Contains(e.Id))
-                .ToList();
-
+            var filteredDiagnostics = GetFilteredDiagnostics();
             foreach (var error in filteredDiagnostics)
             {
                 Logger.LogError($"  Compilation error: {error}");
             }
 
             if (filteredDiagnostics.Count != 0)
             {
-                foreach (var reference in compilation.References)
+                foreach (var reference in compilation!.References)
                 {
                     Logger.LogInfo($"  Resolved reference {reference.Display}");
                 }
             }
 
             return filteredDiagnostics.Count;
         }
-
-        private static readonly HashSet<string> errorsToIgnore = new HashSet<string>
-        {
-            "CS7027",   // Code signing failure
-            "CS1589",   // XML referencing not supported
-            "CS1569"    // Error writing XML documentation
-        };
     }
 }
diff --git a/csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md b/csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Compilation errors are now included in the debug log when using build-mode none.
diff --git a/docs/codeql/reusables/rust-further-reading.rst b/docs/codeql/reusables/rust-further-reading.rst
@@ -1,2 +1,3 @@
 - `CodeQL queries for Rust <https://github.com/github/codeql/tree/main/rust/ql/src>`__
+- `Example queries for Rust <https://github.com/github/codeql/tree/main/rust/ql/examples>`__
 - `CodeQL library reference for Rust <https://codeql.github.com/codeql-standard-libraries/rust/>`__
diff --git a/rust/ql/examples/qlpack.lock.yml b/rust/ql/examples/qlpack.lock.yml
@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0
diff --git a/rust/ql/examples/qlpack.yml b/rust/ql/examples/qlpack.yml
@@ -0,0 +1,7 @@
+name: codeql/rust-examples
+groups:
+  - rust
+  - examples
+dependencies:
+  codeql/rust-all: ${workspace}
+warnOnImplicitThis: true
diff --git a/rust/ql/examples/snippets/empty_if.ql b/rust/ql/examples/snippets/empty_if.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Empty 'if' expression
+ * @description Finds 'if' expressions where the "then" branch is empty and no
+ *              "else" branch exists.
+ * @id rust/examples/empty-if
+ * @tags example
+ */
+
+import rust
+
+// find 'if' expressions...
+from IfExpr ifExpr
+where
+  // where the 'then' branch is empty
+  ifExpr.getThen().getStmtList().getNumberOfStmtOrExpr() = 0 and
+  // and no 'else' branch exists
+  not ifExpr.hasElse()
+select ifExpr, "This 'if' expression is redundant."
diff --git a/rust/ql/examples/snippets/simple_constant_password.ql b/rust/ql/examples/snippets/simple_constant_password.ql
@@ -0,0 +1,48 @@
+/**
+ * @name Constant password
+ * @description Finds places where a string literal is used in a function call
+ *              argument that looks like a password.
+ * @id rust/examples/simple-constant-password
+ * @tags example
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+
+/**
+ * A data flow configuration for tracking flow from a string literal to a function
+ * call argument that looks like a password. For example:
+ * ```
+ * fn set_password(password: &str) { ... }
+ *
+ * ...
+ *
+ * let pwd = "123456"; // source
+ * set_password(pwd); // sink (argument 0)
+ * ```
+ */
+module ConstantPasswordConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    // `node` is a string literal
+    node.asExpr().getExpr() instanceof StringLiteralExpr
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // `node` is an argument whose corresponding parameter name matches the pattern "pass%"
+    exists(CallExpr call, Function target, int argIndex, Variable v |
+      call.getStaticTarget() = target and
+      v.getParameter() = target.getParam(argIndex) and
+      v.getText().matches("pass%") and
+      call.getArg(argIndex) = node.asExpr().getExpr()
+    )
+  }
+}
+
+// instantiate the data flow configuration as a global taint tracking module
+module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
+
+// report flows from sources to sinks
+from DataFlow::Node sourceNode, DataFlow::Node sinkNode
+where ConstantPasswordFlow::flow(sourceNode, sinkNode)
+select sinkNode, "The value $@ is used as a constant password.", sourceNode, sourceNode.toString()
diff --git a/rust/ql/examples/snippets/simple_sql_injection.ql b/rust/ql/examples/snippets/simple_sql_injection.ql
@@ -0,0 +1,39 @@
+/**
+ * @name Database query built from user-controlled sources
+ * @description Finds places where a value from a remote or local user input
+ *              is used as the first argument of a call to `sqlx_core::query::query`.
+ * @id rust/examples/simple-sql-injection
+ * @tags example
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.Concepts
+
+/**
+ * A data flow configuration for tracking flow from a user input (threat model
+ * source) to the first argument of a call to `sqlx_core::query::query`.
+ */
+module SqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    // `node` is a user input (threat model source)
+    node instanceof ActiveThreatModelSource
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // `node` is the first argument of a call to `sqlx_core::query::query`
+    exists(CallExpr call |
+      call.getStaticTarget().getCanonicalPath() = "sqlx_core::query::query" and
+      call.getArg(0) = node.asExpr().getExpr()
+    )
+  }
+}
+
+// instantiate the data flow configuration as a global taint tracking module
+module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
+
+// report flows from sources to sinks
+from DataFlow::Node sourceNode, DataFlow::Node sinkNode
+where SqlInjectionFlow::flow(sourceNode, sinkNode)
+select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value"
diff --git a/rust/ql/src/change-notes/2025-11-07-example-queries.md b/rust/ql/src/change-notes/2025-11-07-example-queries.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added three example queries (`rust/examples/empty-if`, `rust/examples/simple-sql-injection` and `rust/examples/simple-constant-password`) to help developers learn to write CodeQL queries for Rust.

Original file line number	Diff line number	Diff line change
`@@ -360,5 +360,22 @@ private static string Version`
`360`	`360`	`return versionString.InformationalVersion;`
`361`	`361`	`}`
`362`	`362`	`}`
	`363`	`+`
	`364`	`+ private static readonly HashSet<string> errorsToIgnore = new HashSet<string>`
	`365`	`+ {`
	`366`	`+ "CS7027", // Code signing failure`
	`367`	`+ "CS1589", // XML referencing not supported`
	`368`	`+ "CS1569" // Error writing XML documentation`
	`369`	`+ };`
	`370`	`+`
	`371`	`+ /// <summary>`
	`372`	`+ /// Retrieves the diagnostics from the compilation, filtering out those that should be ignored.`
	`373`	`+ /// </summary>`
	`374`	`+ protected List<Diagnostic> GetFilteredDiagnostics() =>`
	`375`	`+ compilation is not null`
	`376`	`+ ? compilation.GetDiagnostics()`
	`377`	`+ .Where(e => e.Severity >= DiagnosticSeverity.Error && !errorsToIgnore.Contains(e.Id))`
	`378`	`+ .ToList()`
	`379`	`+ : [];`
`363`	`380`	`}`
`364`	`381`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,13 +13,22 @@ public StandaloneAnalyser(IProgressMonitor pm, ILogger logger, PathTransformer p`
`13`	`13`	`{`
`14`	`14`	`}`
`15`	`15`
	`16`	`+ private void LogDiagnostics()`
	`17`	`+ {`
	`18`	`+ foreach (var error in GetFilteredDiagnostics())`
	`19`	`+ {`
	`20`	`+ Logger.LogDebug($" Compilation error: {error}");`
	`21`	`+ }`
	`22`	`+ }`
	`23`	`+`
`16`	`24`	`public void Initialize(string outputPath, IEnumerable<(string, string)> compilationInfos, CSharpCompilation compilationIn, CommonOptions options)`
`17`	`25`	`{`
`18`	`26`	`compilation = compilationIn;`
`19`	`27`	`ExtractionContext = new ExtractionContext(Directory.GetCurrentDirectory(), [], outputPath, compilationInfos, Logger, PathTransformer, ExtractorMode.Standalone, options.QlTest);`
`20`	`28`	`this.options = options;`
`21`	`29`	`LogExtractorInfo();`
`22`	`30`	`SetReferencePaths();`
	`31`	`+ LogDiagnostics();`
`23`	`32`	`}`
`24`	`33`	`}`
`25`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -136,32 +136,21 @@ internal static string GetOutputName(CSharpCompilation compilation,`
`136`	`136`
`137`	`137`	`private int LogDiagnostics()`
`138`	`138`	`{`
`139`		`- var filteredDiagnostics = compilation!`
`140`		`- .GetDiagnostics()`
`141`		`- .Where(e => e.Severity >= DiagnosticSeverity.Error && !errorsToIgnore.Contains(e.Id))`
`142`		`- .ToList();`
`143`		`-`
	`139`	`+ var filteredDiagnostics = GetFilteredDiagnostics();`
`144`	`140`	`foreach (var error in filteredDiagnostics)`
`145`	`141`	`{`
`146`	`142`	`Logger.LogError($" Compilation error: {error}");`
`147`	`143`	`}`
`148`	`144`
`149`	`145`	`if (filteredDiagnostics.Count != 0)`
`150`	`146`	`{`
`151`		`- foreach (var reference in compilation.References)`
	`147`	`+ foreach (var reference in compilation!.References)`
`152`	`148`	`{`
`153`	`149`	`Logger.LogInfo($" Resolved reference {reference.Display}");`
`154`	`150`	`}`
`155`	`151`	`}`
`156`	`152`
`157`	`153`	`return filteredDiagnostics.Count;`
`158`	`154`	`}`
`159`		`-`
`160`		`- private static readonly HashSet<string> errorsToIgnore = new HashSet<string>`
`161`		`- {`
`162`		`- "CS7027", // Code signing failure`
`163`		`- "CS1589", // XML referencing not supported`
`164`		`- "CS1569" // Error writing XML documentation`
`165`		`- };`
`166`	`155`	`}`
`167`	`156`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Compilation errors are now included in the debug log when using build-mode none.
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	- `CodeQL queries for Rust <https://github.com/github/codeql/tree/main/rust/ql/src>`__
	`2`	+- `Example queries for Rust <https://github.com/github/codeql/tree/main/rust/ql/examples>`__
`2`	`3`	- `CodeQL library reference for Rust <https://codeql.github.com/codeql-standard-libraries/rust/>`__