Merge branch 'github:main' into main-1

Author: krishnprakash

Cargo.lock

@@ -35,9 +35,9 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 
 # Keep edition and version approximately in sync with internal repo.
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
-RUST_EDITION = "2021"
+RUST_EDITION = "2024"
 
-RUST_VERSION = "1.82.0"
+RUST_VERSION = "1.85.0"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -71,57 +71,57 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor__anyhow-1.0.95",
-    "vendor__argfile-0.2.1",
-    "vendor__chrono-0.4.39",
-    "vendor__clap-4.5.26",
-    "vendor__dunce-1.0.5",
-    "vendor__either-1.13.0",
-    "vendor__encoding-0.2.33",
-    "vendor__figment-0.10.19",
-    "vendor__flate2-1.0.35",
-    "vendor__glob-0.3.2",
-    "vendor__globset-0.4.15",
-    "vendor__itertools-0.14.0",
-    "vendor__lazy_static-1.5.0",
-    "vendor__mustache-0.9.0",
-    "vendor__num-traits-0.2.19",
-    "vendor__num_cpus-1.16.0",
-    "vendor__proc-macro2-1.0.93",
-    "vendor__quote-1.0.38",
-    "vendor__ra_ap_base_db-0.0.258",
-    "vendor__ra_ap_cfg-0.0.258",
-    "vendor__ra_ap_hir-0.0.258",
-    "vendor__ra_ap_hir_def-0.0.258",
-    "vendor__ra_ap_hir_expand-0.0.258",
-    "vendor__ra_ap_ide_db-0.0.258",
-    "vendor__ra_ap_intern-0.0.258",
-    "vendor__ra_ap_load-cargo-0.0.258",
-    "vendor__ra_ap_parser-0.0.258",
-    "vendor__ra_ap_paths-0.0.258",
-    "vendor__ra_ap_project_model-0.0.258",
-    "vendor__ra_ap_span-0.0.258",
-    "vendor__ra_ap_stdx-0.0.258",
-    "vendor__ra_ap_syntax-0.0.258",
-    "vendor__ra_ap_vfs-0.0.258",
-    "vendor__rand-0.8.5",
-    "vendor__rayon-1.10.0",
-    "vendor__regex-1.11.1",
-    "vendor__serde-1.0.217",
-    "vendor__serde_json-1.0.135",
-    "vendor__serde_with-3.12.0",
-    "vendor__syn-2.0.96",
-    "vendor__toml-0.8.19",
-    "vendor__tracing-0.1.41",
-    "vendor__tracing-flame-0.2.0",
-    "vendor__tracing-subscriber-0.3.19",
-    "vendor__tree-sitter-0.24.6",
-    "vendor__tree-sitter-embedded-template-0.23.2",
-    "vendor__tree-sitter-json-0.24.8",
-    "vendor__tree-sitter-ql-0.23.1",
-    "vendor__tree-sitter-ruby-0.23.1",
-    "vendor__triomphe-0.1.14",
-    "vendor__ungrammar-1.16.1",
+    "vendor_ts__anyhow-1.0.96",
+    "vendor_ts__argfile-0.2.1",
+    "vendor_ts__chrono-0.4.39",
+    "vendor_ts__clap-4.5.31",
+    "vendor_ts__dunce-1.0.5",
+    "vendor_ts__either-1.14.0",
+    "vendor_ts__encoding-0.2.33",
+    "vendor_ts__figment-0.10.19",
+    "vendor_ts__flate2-1.1.0",
+    "vendor_ts__glob-0.3.2",
+    "vendor_ts__globset-0.4.15",
+    "vendor_ts__itertools-0.14.0",
+    "vendor_ts__lazy_static-1.5.0",
+    "vendor_ts__mustache-0.9.0",
+    "vendor_ts__num-traits-0.2.19",
+    "vendor_ts__num_cpus-1.16.0",
+    "vendor_ts__proc-macro2-1.0.93",
+    "vendor_ts__quote-1.0.38",
+    "vendor_ts__ra_ap_base_db-0.0.266",
+    "vendor_ts__ra_ap_cfg-0.0.266",
+    "vendor_ts__ra_ap_hir-0.0.266",
+    "vendor_ts__ra_ap_hir_def-0.0.266",
+    "vendor_ts__ra_ap_hir_expand-0.0.266",
+    "vendor_ts__ra_ap_ide_db-0.0.266",
+    "vendor_ts__ra_ap_intern-0.0.266",
+    "vendor_ts__ra_ap_load-cargo-0.0.266",
+    "vendor_ts__ra_ap_parser-0.0.266",
+    "vendor_ts__ra_ap_paths-0.0.266",
+    "vendor_ts__ra_ap_project_model-0.0.266",
+    "vendor_ts__ra_ap_span-0.0.266",
+    "vendor_ts__ra_ap_stdx-0.0.266",
+    "vendor_ts__ra_ap_syntax-0.0.266",
+    "vendor_ts__ra_ap_vfs-0.0.266",
+    "vendor_ts__rand-0.9.0",
+    "vendor_ts__rayon-1.10.0",
+    "vendor_ts__regex-1.11.1",
+    "vendor_ts__serde-1.0.218",
+    "vendor_ts__serde_json-1.0.139",
+    "vendor_ts__serde_with-3.12.0",
+    "vendor_ts__syn-2.0.98",
+    "vendor_ts__toml-0.8.20",
+    "vendor_ts__tracing-0.1.41",
+    "vendor_ts__tracing-flame-0.2.0",
+    "vendor_ts__tracing-subscriber-0.3.19",
+    "vendor_ts__tree-sitter-0.24.6",
+    "vendor_ts__tree-sitter-embedded-template-0.23.2",
+    "vendor_ts__tree-sitter-json-0.24.8",
+    "vendor_ts__tree-sitter-ql-0.23.1",
+    "vendor_ts__tree-sitter-ruby-0.23.1",
+    "vendor_ts__triomphe-0.1.14",
+    "vendor_ts__ungrammar-1.16.1",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

MODULE.bazel

@@ -5,7 +5,8 @@ codeql_pkg_files(
     srcs = [
         "codeql-extractor.yml",
         "//:LICENSE",
-    ] + glob(["tools/**"]),
+    ],
+    exes = glob(["tools/**"]),
     strip_prefix = strip_prefix.from_pkg(),
     visibility = ["//actions:__pkg__"],
 )

actions/extractor/BUILD.bazel

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.

cpp/ql/lib/change-notes/2025-02-20-getbuffersize.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.

cpp/ql/lib/change-notes/2025-02-25-getbuffersize.md

@@ -71,7 +71,7 @@ private int getSize(VariableAccess va) {
       result = t.getSize()
     )
     or
-    exists(Class c |
+    exists(Class c, int trueSize |
       // Otherwise, we find the "outermost" object and compute the size
       // as the difference between the size of the type of the "outermost
       // object" and the offset of the field relative to that type.
@@ -91,7 +91,9 @@ private int getSize(VariableAccess va) {
       // of `y` relative to the type `S2` (i.e., `4`). So the size of the
       // buffer is `12 - 4 = 8`.
       c = getRootType(va) and
-      result = c.getSize() - v.(Field).getOffsetInClass(c)
+      // we calculate the size based on the last field, to avoid including any padding after it
+      trueSize = max(Field f | | f.getOffsetInClass(c) + f.getUnspecifiedType().getSize()) and
+      result = trueSize - v.(Field).getOffsetInClass(c)
     )
   )
 }
@@ -105,9 +107,16 @@ private int getSize(VariableAccess va) {
 private int isSource(Expr bufferExpr, Element why) {
   exists(Variable bufferVar | bufferVar = bufferExpr.(VariableAccess).getTarget() |
     // buffer is a fixed size array
-    result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
+    exists(bufferVar.getUnspecifiedType().(ArrayType).getSize()) and
+    result =
+      unique(int size | // more generous than .getSize() itself, when the array is a class field or similar.
+        size = getSize(bufferExpr)
+      |
+        size
+      ) and
     why = bufferVar and
     not memberMayBeVarSize(_, bufferVar) and
+    not exists(BuiltInOperationBuiltInOffsetOf offsetof | offsetof.getAChild*() = bufferExpr) and
     // zero sized arrays are likely to have special usage, for example
     // behaving a bit like a 'union' overlapping other fields.
     not result = 0

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -1520,16 +1520,17 @@ private EdgeKind caseOrDefaultEdge() {
 private int countNumberOfBranchesUsingParameter(SwitchInstruction switch, ParameterNode p) {
   exists(Ssa::SourceVariable sv |
     parameterNodeHasSourceVariable(p, sv) and
-    // Count the number of cases that use the parameter. We do this by finding the phi node
-    // that merges the uses/defs of the parameter. There might be multiple such phi nodes, so
-    // we pick the one with the highest edge count.
+    // Count the number of cases that use the parameter.
     result =
-      max(SsaPhiNode phi |
-        switch.getSuccessor(caseOrDefaultEdge()).getBlock().dominanceFrontier() =
-          phi.getBasicBlock() and
-        phi.getSourceVariable() = sv
-      |
-        strictcount(phi.getAnInput())
+      strictcount(IRBlock caseblock |
+        exists(IRBlock useblock |
+          switch.getSuccessor(caseOrDefaultEdge()).getBlock() = caseblock and
+          caseblock.dominates(useblock)
+        |
+          exists(Ssa::UseImpl use | use.hasIndexInBlock(useblock, _, sv))
+          or
+          exists(Ssa::DefImpl def | def.hasIndexInBlock(useblock, _, sv))
+        )
       )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -0,0 +1,20 @@
+/**
+ * @name Include file resolution status
+ * @description A count of successful includes and includes that failed to resolve.
+ *                This query is for internal use only and may change without notice.
+ * @kind table
+ * @id cpp/include-resolution-status
+ */
+
+import cpp
+
+/**
+ * A cannot open file error.
+ *
+ * Typically this is due to a missing include.
+ */
+class CannotOpenFileError extends CompilerError {
+  CannotOpenFileError() { this.hasTag(["cannot_open_file", "cannot_open_file_reason"]) }
+}
+
+select count(CannotOpenFileError e) as failed_includes, count(Include i) as successful_includes

cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql

@@ -5,8 +5,9 @@
  *              buffer.
  * @kind problem
  * @id cpp/overflow-buffer
- * @problem.severity recommendation
+ * @problem.severity warning
  * @security-severity 9.3
+ * @precision medium
  * @tags security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-121

cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query "Call to memory access function may overflow buffer" (`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.

cpp/ql/src/change-notes/2025-02-20-overflow-buffer.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Due to changes in libraries the query "Static array access may cause overflow" (`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single `memset` or similar operation.

cpp/ql/src/change-notes/2025-02-27-static-buffer-overflow.md

@@ -1,13 +1,13 @@
-| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:5:25:5:25 | 1 |
-| test.cpp:3:8:3:8 | C<2> | 0 | int | file://:0:0:0:0 | 2 |
-| test.cpp:3:8:3:8 | C<x> | 0 | int | file://:0:0:0:0 | x |
-| test.cpp:10:8:10:8 | D<T, X> | 0 | <none> | test.cpp:9:19:9:19 | T |
-| test.cpp:10:8:10:8 | D<T, X> | 1 | T | file://:0:0:0:0 | X |
-| test.cpp:10:8:10:8 | D<int, 2> | 0 | <none> | file://:0:0:0:0 | int |
-| test.cpp:10:8:10:8 | D<int, 2> | 1 | int | test.cpp:12:8:12:8 | 2 |
-| test.cpp:10:8:10:8 | D<long, 2L> | 0 | <none> | file://:0:0:0:0 | long |
-| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | file://:0:0:0:0 | 2 |
-| test.cpp:16:8:16:8 | E<T, X> | 0 | <none> | test.cpp:15:19:15:19 | T |
-| test.cpp:16:8:16:8 | E<T, X> | 1 | T * | file://:0:0:0:0 | X |
-| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 0 | <none> | file://:0:0:0:0 | int |
-| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | file://:0:0:0:0 | 0 |
+| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:5:25:5:25 | 1 | 1 |
+| test.cpp:3:8:3:8 | C<2> | 0 | int | file://:0:0:0:0 | 2 | 2 |
+| test.cpp:3:8:3:8 | C<x> | 0 | int | file://:0:0:0:0 | x | x |
+| test.cpp:10:8:10:8 | D<T, X> | 0 | <none> | test.cpp:9:19:9:19 | T | <none> |
+| test.cpp:10:8:10:8 | D<T, X> | 1 | T | file://:0:0:0:0 | X | X |
+| test.cpp:10:8:10:8 | D<int, 2> | 0 | <none> | file://:0:0:0:0 | int | <none> |
+| test.cpp:10:8:10:8 | D<int, 2> | 1 | int | test.cpp:12:8:12:8 | 2 | 2 |
+| test.cpp:10:8:10:8 | D<long, 2L> | 0 | <none> | file://:0:0:0:0 | long | <none> |
+| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | file://:0:0:0:0 | 2 | 2 |
+| test.cpp:16:8:16:8 | E<T, X> | 0 | <none> | test.cpp:15:19:15:19 | T | <none> |
+| test.cpp:16:8:16:8 | E<T, X> | 1 | T * | file://:0:0:0:0 | X | X |
+| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 0 | <none> | file://:0:0:0:0 | int | <none> |
+| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | file://:0:0:0:0 | 0 | 0 |

cpp/ql/test/library-tests/templates/nontype_instantiations/general/test.expected

@@ -9,6 +9,16 @@ string maybeGetTemplateArgumentKind(Declaration d, int i) {
   i = [0 .. d.getNumberOfTemplateArguments()]
 }
 
+string maybeGetTemplateArgumentValue(Declaration d, int i) {
+  (
+    if exists(d.getTemplateArgument(i).(Expr).getValue())
+    then result = d.getTemplateArgument(i).(Expr).getValue()
+    else result = "<none>"
+  ) and
+  i = [0 .. d.getNumberOfTemplateArguments()]
+}
+
 from Declaration d, int i
 where i >= 0 and i < d.getNumberOfTemplateArguments()
-select d, i, maybeGetTemplateArgumentKind(d, i), d.getTemplateArgument(i)
+select d, i, maybeGetTemplateArgumentKind(d, i), d.getTemplateArgument(i),
+  maybeGetTemplateArgumentValue(d, i)

cpp/ql/test/library-tests/templates/nontype_instantiations/general/test.ql

@@ -1,5 +1,3 @@
-| tests.cpp:45:9:45:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
-| tests.cpp:60:9:60:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
 | tests.cpp:171:9:171:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | destination buffer |
 | tests.cpp:172:9:172:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | array |
 | tests.cpp:192:9:192:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:181:10:181:22 | dataBadBuffer | destination buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.expected

@@ -1,2 +0,0 @@
-| tests.cpp:45:51:45:72 | sizeof(<expr>) | Potential buffer-overflow: 'charFirst' has size 16 not 32. |
-| tests.cpp:60:52:60:74 | sizeof(<expr>) | Potential buffer-overflow: 'charFirst' has size 16 not 32. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.expected

@@ -42,7 +42,7 @@ void CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memcpy_01_bad()
         /* Print the initial block pointed to by structCharVoid.voidSecond */
         printLine((char *)structCharVoid.voidSecond);
         /* FLAW: Use the sizeof(structCharVoid) which will overwrite the pointer voidSecond */
-        memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid));
+        memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid)); // [NOT DETECTED]
         structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
         printLine((char *)structCharVoid.charFirst);
         printLine((char *)structCharVoid.voidSecond);
@@ -57,7 +57,7 @@ void CWE122_Heap_Based_Buffer_Overflow__char_type_overrun_memcpy_01_bad()
         /* Print the initial block pointed to by structCharVoid->voidSecond */
         printLine((char *)structCharVoid->voidSecond);
         /* FLAW: Use the sizeof(*structCharVoid) which will overwrite the pointer y */
-        memcpy(structCharVoid->charFirst, SRC_STR, sizeof(*structCharVoid));
+        memcpy(structCharVoid->charFirst, SRC_STR, sizeof(*structCharVoid)); // [NOT DETECTED]
         structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
         printLine((char *)structCharVoid->charFirst);
         printLine((char *)structCharVoid->voidSecond);
@@ -292,7 +292,7 @@ namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_ncpy_01
             delete [] data;
         }
     }
-    
+
     static void goodG2B()
 	{
 		wchar_t * data;
@@ -459,7 +459,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_01_bad()
 #ifdef _WIN32
 int _snwprintf(wchar_t *buffer, size_t count, const wchar_t *format, ...);
 #define SNPRINTF _snwprintf
-#else 
+#else
 int snprintf(char *s, size_t n, const char *format, ...);
 int swprintf(wchar_t *wcs, size_t maxlen, const wchar_t *format, ...);
 //#define SNPRINTF snprintf --- original code; using snprintf appears to be a mistake in samate?
@@ -485,14 +485,14 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_01_bad()
 }
 
 /* classes used in some test cases as a custom type */
-class TwoIntsClass 
+class TwoIntsClass
 {
     public: // Needed to access variables from label files
         int intOne;
         int intTwo;
 };
 
-class OneIntClass 
+class OneIntClass
 {
     public: // Needed to access variables from label files
         int intOne;
@@ -636,7 +636,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_31_bad()
 
 int rand(void);
 
-int globalReturnsTrueOrFalse() 
+int globalReturnsTrueOrFalse()
 {
     return (rand() % 2);
 }

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp

@@ -1,2 +1,4 @@
+| tests.cpp:1055:2:1055:8 | call to strncpy | This 'call to strncpy' operation is limited to 131 bytes but the destination is only 128 bytes. |
+| tests.cpp:1057:2:1057:8 | call to strncpy | This 'call to strncpy' operation is limited to 131 bytes but the destination is only 64 bytes. |
 | var_size_struct.cpp:73:3:73:9 | call to strncpy | This 'call to strncpy' operation is limited to 1025 bytes but the destination is only 1024 bytes. |
 | var_size_struct.cpp:103:3:103:9 | call to strncpy | This 'call to strncpy' operation is limited to 129 bytes but the destination is only 128 bytes. |