Merge branch 'main' into redsun82/rust-turn-off-ra-resolution

Author: redsun82

actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml

@@ -0,0 +1,28 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: immutableActionsDataModel
+    data:
+      - ["actions/checkout"]
+      - ["actions/cache"]
+      - ["actions/setup-node"]
+      - ["actions/upload-artifact"]
+      - ["actions/setup-python"]
+      - ["actions/download-artifact"]
+      - ["actions/github-script"]
+      - ["actions/setup-java"]
+      - ["actions/setup-go"]
+      - ["actions/upload-pages-artifact"]
+      - ["actions/deploy-pages"]
+      - ["actions/setup-dotnet"]
+      - ["actions/stale"]
+      - ["actions/labeler"]
+      - ["actions/create-github-app-token"]
+      - ["actions/configure-pages"]
+      - ["github/codeql-action/analyze"]
+      - ["github/codeql-action/autobuild"]
+      - ["github/codeql-action/init"]
+      - ["github/codeql-action/resolve-environment"]
+      - ["github/codeql-action/start-proxy"]
+      - ["github/codeql-action/upload-sarif"]
+      - ["octokit/request-action"]

actions/ql/extensions/immutable-actions-list/qlpack.yml

@@ -0,0 +1,14 @@
+# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
+# yet released, so this pack will only be used within GitHub. Once the feature is available to
+# customers, we will move the contents of this pack back into the standard library pack.
+name: codeql/immutable-actions-list
+version: 0.0.1-dev
+library: true
+warnOnImplicitThis: true
+extensionTargets:
+  # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
+  # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
+  # bump the major version to 2.
+  codeql/actions-all: ">=0.4.3 <2.0.0"
+dataExtensions:
+- ext/**/*.yml

actions/ql/lib/ext/config/immutable_actions.yml

@@ -2,21 +2,9 @@ extensions:
   - addsTo:
       pack: codeql/actions-all
       extensible: immutableActionsDataModel
-    data:
-      - ["actions/checkout"]
-      - ["actions/cache"]
-      - ["actions/setup-node"]
-      - ["actions/upload-artifact"]
-      - ["actions/setup-python"]
-      - ["actions/download-artifact"]
-      - ["actions/github-script"]
-      - ["actions/setup-java"]
-      - ["actions/setup-go"]
-      - ["actions/upload-pages-artifact"]
-      - ["actions/deploy-pages"]
-      - ["actions/setup-dotnet"]
-      - ["actions/stale"]
-      - ["actions/labeler"]
-      - ["actions/create-github-app-token"]
-      - ["actions/configure-pages"]
-      - ["octokit/request-action"]
+    # Since the Immutable Actions feature is not yet available to customers, we won't alert about
+    # any unversioned immutable action references for now. Within GitHub, we'll include the
+    # `codeql/immutable-actions-list` model pack, which will provide the necessary list of actions
+    # for internal use. Once the feature is available to customers, we'll move that list back into
+    # this file.
+    data: []

actions/ql/lib/ext/config/trusted_actions_owner.yml

@@ -5,4 +5,4 @@ extensions:
     data:      
       - ["actions"]
       - ["github"]
-      - ["advanced-security"]
+      - ["advanced-security"]

actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md

@@ -0,0 +1,7 @@
+---
+category: fix
+---
+* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
+  Immutable Actions feature is not yet available for customer use. The query remains in the
+  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
+  available, the query will be updated to report alerts again.

actions/ql/test/qlpack.yml

@@ -3,6 +3,10 @@ groups: [codeql, test]
 dependencies:
   codeql/actions-all: ${workspace}
   codeql/actions-queries: ${workspace}
+  # Use the `immutable-actions-list` model pack so that we have some actual data to test against.
+  # We can remove this dependency when we incorporate the data from that model pack back into the
+  # standard library pack.
+  codeql/immutable-actions-list: ${workspace}
 extractor: actions
 tests: .
 warnOnImplicitThis: true

codeql-workspace.yml

@@ -17,7 +17,7 @@ provide:
   - "misc/legacy-support/*/qlpack.yml"
   - "misc/suite-helpers/qlpack.yml"
   - ".github/codeql/extensions/**/codeql-pack.yml"
-
+  - "actions/ql/extensions/**/qlpack.yml"
 versionPolicies:
   default:
     requireChangeNotes: true

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_error/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "9.0.100"
+    }
+}

go/.gitignore

@@ -0,0 +1,4 @@
+# artifacts of running `make test`
+data/
+lock
+size

go/ql/lib/change-notes/2025-02-25-go-database-rqlite-sources.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `database` source models for the `github.com/rqlite/gorqlite` package.

go/ql/lib/change-notes/2025-02-27-go-version-1-24.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Go 1.24 is now supported. This includes the new language feature of generic type aliases.

go/ql/lib/change-notes/2025-02-27-haslocationinfo-deprecated.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The member predicate `hasLocationInfo` has been deprecated on the following classes: `BasicBlock`, `Callable`, `Content`, `ContentSet`, `ControlFlow::Node`, `DataFlowCallable`, `DataFlow::Node`, `Entity`, `GVN`, `HtmlTemplate::TemplateStmt`, `IR:WriteTarget`, `SourceSinkInterpretationInput::SourceOrSinkElement`, `SourceSinkInterpretationInput::InterpretNode`, `SsaVariable`, `SsaDefinition`, `SsaWithFields`, `StringOps::ConcatenationElement`, `Type`, and `VariableWithFields`. Use `getLocation()` instead.

go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml

@@ -3,8 +3,21 @@ extensions:
       pack: codeql/go-all
       extensible: packageGrouping
     data:
+      - ["gorqlite", "github.com/kanikanema/gorqlite"]
       - ["gorqlite", "github.com/rqlite/gorqlite"]
       - ["gorqlite", "github.com/raindog308/gorqlite"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["group:gorqlite", "Connection", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOne", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterized", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterizedContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterized", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterizedContext", "", "", "ReturnValue[0]", "database", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: sinkModel
@@ -33,3 +46,9 @@ extensions:
       - ["group:gorqlite", "Connection", True, "WriteOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
       - ["group:gorqlite", "Connection", True, "WriteParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["group:gorqlite", "Connection", True, "WriteParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["group:gorqlite", "QueryResult", True, "Map", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
+      - ["group:gorqlite", "QueryResult", True, "Slice", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]

go/ql/lib/semmle/go/DiagnosticsReporting.qll

@@ -1,7 +1,6 @@
 /** Provides classes for working with errors and warnings recorded during extraction. */
 
 import go
-private import semmle.go.internal.Locations
 
 /** Gets the SARIF severity level that indicates an error. */
 private int getErrorSeverity() { result = 2 }
@@ -20,18 +19,10 @@ private class Diagnostic extends @diagnostic {
   string getMessage() { diagnostics(this, _, _, result, _, _) }
 
   /** Gets the file that this error is associated with, if any. */
-  File getFile() { this.hasLocationInfo(result.getAbsolutePath(), _, _, _, _) }
+  File getFile() { result = this.getLocation().getFile() }
 
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    getDiagnosticLocation(this).hasLocationInfo(path, sl, sc, el, ec)
-  }
+  /** Gets the location for this error. */
+  Location getLocation() { diagnostics(this, _, _, _, _, result) }
 
   string toString() { result = this.getMessage() }
 }
@@ -68,7 +59,7 @@ predicate reportableDiagnostics(Diagnostic d, string msg, int sev) {
     exists(File f | f = d.getFile() |
       exists(f.getAChild()) and
       msg =
-        "Extraction failed in " + d.getFile().getRelativePath() + " with error " +
+        "Extraction failed in " + f.getRelativePath() + " with error " +
           removeAbsolutePaths(d.getMessage())
     )
     or

go/ql/lib/semmle/go/Locations.qll

@@ -1,7 +1,6 @@
 /** Provides classes for working with locations and program elements that have locations. */
 
 import go
-private import internal.Locations
 
 /**
  * A location as given by a file, a start line, a start column,
@@ -11,21 +10,21 @@ private import internal.Locations
  *
  * For more information about locations see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
  */
-class DbLocation extends TDbLocation {
+class Location extends @location {
   /** Gets the file for this location. */
-  File getFile() { dbLocationInfo(this, result, _, _, _, _) }
+  File getFile() { locations_default(this, result, _, _, _, _) }
 
   /** Gets the 1-based line number (inclusive) where this location starts. */
-  int getStartLine() { dbLocationInfo(this, _, result, _, _, _) }
+  int getStartLine() { locations_default(this, _, result, _, _, _) }
 
   /** Gets the 1-based column number (inclusive) where this location starts. */
-  int getStartColumn() { dbLocationInfo(this, _, _, result, _, _) }
+  int getStartColumn() { locations_default(this, _, _, result, _, _) }
 
   /** Gets the 1-based line number (inclusive) where this location ends. */
-  int getEndLine() { dbLocationInfo(this, _, _, _, result, _) }
+  int getEndLine() { locations_default(this, _, _, _, result, _) }
 
   /** Gets the 1-based column number (inclusive) where this location ends. */
-  int getEndColumn() { dbLocationInfo(this, _, _, _, _, result) }
+  int getEndColumn() { locations_default(this, _, _, _, _, result) }
 
   /** Gets the number of lines covered by this location. */
   int getNumLines() { result = this.getEndLine() - this.getStartLine() + 1 }
@@ -48,22 +47,22 @@ class DbLocation extends TDbLocation {
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    exists(File f |
-      dbLocationInfo(this, f, startline, startcolumn, endline, endcolumn) and
+    exists(File f | locations_default(this, f, startline, startcolumn, endline, endcolumn) |
       filepath = f.getAbsolutePath()
     )
   }
 }
 
-final class Location = LocationImpl;
-
 /** A program element with a location. */
 class Locatable extends @locatable {
   /** Gets the file this program element comes from. */
   File getFile() { result = this.getLocation().getFile() }
 
   /** Gets this element's location. */
-  final DbLocation getLocation() { result = getLocatableLocation(this) }
+  final Location getLocation() {
+    has_location(this, result) or
+    xmllocations(this, result)
+  }
 
   /** Gets the number of lines covered by this element. */
   int getNumLines() { result = this.getLocation().getNumLines() }

go/ql/lib/semmle/go/Scopes.qll

@@ -144,36 +144,34 @@ class Entity extends @object {
   /** Gets a textual representation of this entity. */
   string toString() { result = this.getName() }
 
-  private predicate hasRealLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    // take the location of the declaration if there is one
-    this.getDeclaration().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-    any(CaseClause cc | this = cc.getImplicitlyDeclaredVariable())
-        .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  /** Gets the location of this entity. */
+  Location getLocation() {
+    result = this.getDeclaration().getLocation()
+    or
+    result = any(CaseClause cc | this = cc.getImplicitlyDeclaredVariable()).getLocation()
   }
 
   /**
+   * DEPRECATED: Use `getLocation()` instead.
+   *
    * Holds if this element is at the specified location.
    * The location spans column `startcolumn` of line `startline` to
    * column `endcolumn` of line `endline` in file `filepath`.
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
-  predicate hasLocationInfo(
+  deprecated predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    // take the location of the declaration if there is one
-    if this.hasRealLocationInfo(_, _, _, _, _)
-    then this.hasRealLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    else (
-      // otherwise fall back on dummy location
-      filepath = "" and
-      startline = 0 and
-      startcolumn = 0 and
-      endline = 0 and
-      endcolumn = 0
-    )
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    or
+    // otherwise fall back on dummy location
+    not exists(this.getLocation()) and
+    filepath = "" and
+    startline = 0 and
+    startcolumn = 0 and
+    endline = 0 and
+    endcolumn = 0
   }
 }
 
@@ -680,16 +678,22 @@ class Callable extends TCallable {
     result = this.asFuncLit().getName()
   }
 
+  /** Gets the location of this callable. */
+  Location getLocation() {
+    result = this.asFunction().getLocation() or result = this.asFuncLit().getLocation()
+  }
+
   /**
+   * DEPRECATED: Use `getLocation()` instead.
+   *
    * Holds if this element is at the specified location.
    * The location spans column `sc` of line `sl` to
    * column `ec` of line `el` in file `fp`.
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
-  predicate hasLocationInfo(string fp, int sl, int sc, int el, int ec) {
-    this.asFunction().hasLocationInfo(fp, sl, sc, el, ec) or
-    this.asFuncLit().hasLocationInfo(fp, sl, sc, el, ec)
+  deprecated predicate hasLocationInfo(string fp, int sl, int sc, int el, int ec) {
+    this.getLocation().hasLocationInfo(fp, sl, sc, el, ec)
   }
 }
 

go/ql/lib/semmle/go/StringOps.qll

@@ -548,20 +548,25 @@ module StringOps {
         else result = "concatenation element"
     }
 
+    /** Gets the location of this element. */
+    Location getLocation() { result = this.asNode().getLocation() }
+
     /**
+     * DEPRECATED: Use `getLocation()` instead.
+     *
      * Holds if this element is at the specified location.
      * The location spans column `startcolumn` of line `startline` to
      * column `endcolumn` of line `endline` in file `filepath`.
      * For more information, see
      * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
      */
-    predicate hasLocationInfo(
+    deprecated predicate hasLocationInfo(
       string filepath, int startline, int startcolumn, int endline, int endcolumn
     ) {
-      this.asNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+      this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
       or
       // use dummy location for elements that don't have a corresponding node
-      not exists(this.asNode()) and
+      not exists(this.getLocation()) and
       filepath = "" and
       startline = 0 and
       startcolumn = 0 and