Merge branch 'main' into improve_uricheck_java_query

Author: Alvaro Muñoz

README.md

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-cpp-queries
-version: 0.0.2
+version: 0.0.3
 suites: suites
 defaultSuiteFile: suites/cpp.qls
 dependencies:

cpp/lib/github/.gitkeep renamed to cpp/lib/ghsl/.gitkeep

@@ -1,9 +1,25 @@
-- description: "GitHub's Community Packs Ruby Extended Suite"
+- description: "GitHub's Community Packs C/C++ Extended Suite"
 
-- qlpack: github-queries-ruby
+- queries: '.'
+  from: githubsecuritylab/codeql-cpp-queries
 
-- import: codeql-suites/ruby-security-extended.qls
-  from: codeql/ruby-queries
+- include:
+    kind:
+    - problem
+    - path-problem
+    precision:
+    - very-high
+    - high
+    - medium
+    - low
+
+# Remove debugging, and audit queries
+- exclude:
+    tags contain:
+      - debugging
+      - audit
+
+# Remove local testing folders
 - exclude:
-    id:
-      - rb/hardcoded-credentials
+    query path:
+      - /testing\/.*/

cpp/src/qlpack.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

cpp/src/suites/cpp.qls

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

csharp/ext-library-sources/codeql-pack.lock.yml

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-csharp-queries
-version: 0.0.2
+version: 0.0.3
 suites: suites
 defaultSuiteFile: suites/csharp.qls
 dependencies:

csharp/ext/codeql-pack.lock.yml

@@ -14,8 +14,8 @@ import csharp
 private import semmle.code.csharp.frameworks.Moq
 private import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 // import semmle.code.csharp.frameworks.system.security.Cryptography
-private import github.Hardcoded
-private import github.Cryptography
+private import ghsl.Hardcoded
+private import ghsl.Cryptography
 
 module HardcodedSalt {
   abstract class Source extends DataFlow::ExprNode { }

csharp/lib/github/Cryptography.qll renamed to csharp/lib/ghsl/Cryptography.qll

@@ -14,7 +14,7 @@
 
 import csharp
 private import DataFlow::PathGraph
-private import github.HardcodedCredentials
+private import ghsl.HardcodedCredentials
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, LiteralToSecurityKeyConfig config
 where config.hasFlowPath(source, sink)

csharp/lib/github/Hardcoded.qll renamed to csharp/lib/ghsl/Hardcoded.qll

@@ -1,14 +1,12 @@
 - description: "GitHub's Community Packs CSharp Extended Suite"
 
 - queries: '.'
-  from: githubsecuritylab/codeql-csharp
+  from: githubsecuritylab/codeql-csharp-queries
 
 - include:
     kind:
     - problem
     - path-problem
-    - metric
-    - diagnostic
     precision:
     - very-high
     - high

csharp/lib/github/HardcodedCredentials.qll renamed to csharp/lib/ghsl/HardcodedCredentials.qll

@@ -14,7 +14,7 @@
 import go
 import semmle.go.security.SqlInjection
 import DataFlow::PathGraph
-import github.Utils
+import ghsl.Utils
 
 /**
  * A taint-tracking configuration for detecting SQL injection vulnerabilities.

csharp/src/qlpack.yml

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-go-queries
-version: 0.0.2
+version: 0.0.3
 suites: suites
 defaultSuiteFile: suites/go.qls
 dependencies:

csharp/src/security/CWE-760/HardcodedSalt.ql

@@ -13,35 +13,27 @@
 
 import go
 import semmle.go.security.CommandInjection
-import semmle.go.security.CommandInjectionCustomizations::CommandInjection
+import DataFlow::PathGraph
+import semmle.go.security.FlowSources
 
 //Override CommandInjection::Configuration to use the in-use sources
-class InUseAsSource extends Source instanceof UntrustedFlowSource {
-  InUseAsSource() {
+class InUseCommandInjectionConfiguration extends CommandInjection::Configuration {
+  override predicate isSource(DataFlow::Node node) {
     exists(UntrustedFlowSource source, Function function, DataFlow::CallNode callNode |
-      source.asExpr() = this.asExpr() and
+      source.asExpr() = node.asExpr() and
+
       source.(DataFlow::ExprNode).asExpr().getEnclosingFunction() = function.getFuncDecl() and
       (
         // function is called directly
         callNode.getACallee() = function.getFuncDecl()
-        or
+
         // function is passed to another function to be called
-        callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
-      )
+        or callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
+      )      
     )
   }
 }
 
-module Flow =
-  DataFlow::MergePathGraph<CommandInjection::Flow::PathNode,
-    CommandInjection::DoubleDashSanitizingFlow::PathNode, CommandInjection::Flow::PathGraph,
-    CommandInjection::DoubleDashSanitizingFlow::PathGraph>;
-
-import Flow::PathGraph
-
-from Flow::PathNode source, Flow::PathNode sink
-where
-  CommandInjection::Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-  CommandInjection::DoubleDashSanitizingFlow::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
-  "user-provided value"
+ from InUseCommandInjectionConfiguration cfg, CommandInjection::DoubleDashSanitizingConfiguration cfg2, DataFlow::PathNode source, DataFlow::PathNode sink
+ where (cfg.hasFlowPath(source, sink) or cfg2.hasFlowPath(source, sink))
+ select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(), "user-provided value"

csharp/src/security/CWE-798/HardcodedCredentialsSymmetricSecurityKey.ql

@@ -1,4 +1,4 @@
 import go
-import github.Utils
+import ghsl.Utils
 
 query predicate dynamicStrings(DataFlow::ExprNode node) { node instanceof DynamicStrings }

csharp/src/suites/csharp.qls

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

go/lib/github/LocalSources.qll renamed to go/lib/ghsl/LocalSources.qll

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

go/lib/github/Utils.qll renamed to go/lib/ghsl/Utils.qll

@@ -11,7 +11,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import Spring4ShellFlow::PathGraph
-import github.BeanManipulation
+import ghsl.BeanManipulation
 
 private module Spring4ShellConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {

go/src/audit/CWE-089/SqlInjectionAudit.ql

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-java-queries
-version: 0.0.2
+version: 0.0.3
 suites: suites
 defaultSuiteFile: suites/java.qls
 dependencies:

go/src/qlpack.yml

@@ -11,7 +11,7 @@
  */
 
 import DataFlow::PathGraph
-import github.CommandInjectionRuntimeExec
+import ghsl.CommandInjectionRuntimeExec
 
 class RemoteSource extends Source {
   RemoteSource() { this instanceof RemoteFlowSource }

go/src/security/CWE-078/CommandInjection.ql

@@ -12,7 +12,7 @@
  */
 
 import DataFlow::PathGraph
-import github.CommandInjectionRuntimeExec
+import ghsl.CommandInjectionRuntimeExec
 
 class LocalSource extends Source {
   LocalSource() { this instanceof LocalUserInput }

go/test/audit/CWE-089/SQLInjectionAudit.ql

@@ -12,7 +12,7 @@
  *       external/cwe/cwe-078
  */
 
-import github.CommandInjectionRuntimeExec
+import ghsl.CommandInjectionRuntimeExec
 
 class DataSource extends Source {
   DataSource() { this instanceof RemoteFlowSource or this instanceof LocalUserInput }

java/ext-library-sources/codeql-pack.lock.yml

@@ -13,7 +13,7 @@
  */
 
 import DataFlow::PathGraph
-import github.CommandInjectionRuntimeExec
+import ghsl.CommandInjectionRuntimeExec
 
 class DataSource extends Source {
   DataSource() { this instanceof RemoteFlowSource or this instanceof LocalUserInput }

java/ext/codeql-pack.lock.yml

@@ -17,7 +17,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
 // import DataFlow::PathGraph
 // Internal
-import github.SensitiveInformation
+import ghsl.SensitiveInformation
 
 class Base64Sinks extends DataFlow::Node {
   Base64Sinks() {

java/lib/github/BeanManipulation.qll renamed to java/lib/ghsl/BeanManipulation.qll

@@ -13,7 +13,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import BeanManipulationFlow::PathGraph
-import github.BeanManipulation
+import ghsl.BeanManipulation
 
 private module BeanManipulationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

java/lib/github/CommandInjectionRuntimeExec.qll renamed to java/lib/ghsl/CommandInjectionRuntimeExec.qll

@@ -17,8 +17,8 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
 //import DataFlow::PathGraph
 // Internal
-import github.Logging
-import github.SensitiveInformation
+import ghsl.Logging
+import ghsl.SensitiveInformation
 
 module SensitiveInformationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof SensitiveInformationSources }

java/lib/github/Encoding.qll renamed to java/lib/ghsl/Encoding.qll

@@ -18,7 +18,7 @@ import semmle.code.java.security.XmlParsers
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
 //import DataFlow::PathGraph
-import github.LocalSources
+import ghsl.LocalSources
 
 module SafeSAXSourceFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }

java/lib/github/Hardcoded.qll renamed to java/lib/ghsl/Hardcoded.qll

@@ -17,8 +17,8 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
 import DataFlow::PathGraph
 // Internal
-import github.Encoding
-import github.Hardcoded
+import ghsl.Encoding
+import ghsl.Hardcoded
 
 class HardcodedPasswordBase64 extends TaintTracking::Configuration {
   HardcodedPasswordBase64() { this = "HardcodedPasswordBase64" }

java/lib/github/LocalSources.qll renamed to java/lib/ghsl/LocalSources.qll

@@ -1,11 +1,8 @@
-# https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/
-
 - description: "GitHub's Community Packs Java/Kotlin Extended Suite"
 
 - queries: '.'
-  from: githubsecuritylab/java-queries
+  from: githubsecuritylab/codeql-java-queries
 
-# GitHub's Community Packs Java/Kotlin Suite
 - include:
     kind:
     - problem

java/lib/github/Logging.qll renamed to java/lib/ghsl/Logging.qll

@@ -1,7 +1,7 @@
 import java
 import semmle.code.java.security.HardcodedCredentials
-import github.Encoding
-import github.Hardcoded
+import ghsl.Encoding
+import ghsl.Hardcoded
 
 query predicate sources(DataFlow::Node sources) {
   sources instanceof Hardcoded

java/lib/github/SensitiveInformation.qll renamed to java/lib/ghsl/SensitiveInformation.qll

@@ -1,6 +1,6 @@
 import semmle.javascript.dataflow.TaintTracking
 
-import github.CommandLine
+import ghsl.CommandLine
 
 class RandomTaintsSourceConfiguration extends TaintTracking::Configuration {
     RandomTaintsSourceConfiguration() { this = "RandomTaintsSourceConfiguration" }

java/src/CVEs/CVE-2022-22965.ql

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-javascript-queries
-version: 0.0.2
+version: 0.0.4
 suites: suites
 defaultSuiteFile: suites/javascript.qls
 dependencies:

java/src/qlpack.yml

@@ -4,6 +4,7 @@
  * @kind problem
  * @problem.severity error
  * @security-severity 4.0
+ * @precision medium
  * @id githubsecuritylab/weak-hashing
  * @tags security
  *       external/cwe/cwe-328

java/src/security/CWE-078/CommandInjectionRuntimeExec.ql

@@ -16,7 +16,7 @@
 import javascript
 import semmle.javascript.dataflow.TaintTracking
 import DataFlow::PathGraph
-import github.InsecureIV
+import ghsl.InsecureIV
 
 from InsecureIVConfiguration insecurecfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where

java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql

@@ -7,8 +7,6 @@
     kind:
     - problem
     - path-problem
-    - metric
-    - diagnostic
     precision:
     - very-high
     - high

java/src/security/CWE-078/CommandInjectionRuntimeExecTest.ql

@@ -8,8 +8,8 @@ private import semmle.python.security.dataflow.ServerSideRequestForgeryCustomiza
 private import semmle.python.security.dataflow.SqlInjectionCustomizations
 private import semmle.python.security.dataflow.UnsafeDeserializationCustomizations
 // Fields Sinks
-private import github.HardcodedSecretSinks
-private import github.MassAssignment
+private import ghsl.HardcodedSecretSinks
+private import ghsl.MassAssignment
 
 // Find Node at Location
 predicate findByLocation(DataFlow::Node node, string relative_path, int linenumber) {

java/src/security/CWE-078/CommandInjectionRuntimeExecTestPath.ql

@@ -5,7 +5,7 @@ import semmle.python.Concepts
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.BarrierGuards
 import semmle.python.ApiGraphs
-import github.LocalSources
+import ghsl.LocalSources
 
 module MassAssignment {
   abstract class Sources extends DataFlow::Node { }

java/src/security/CWE-326/Base64Encryption.ql

@@ -6,7 +6,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.ApiGraphs
 
-private import github.LocalSources
+private import ghsl.LocalSources
 
 class XmlParseStringCall extends DataFlow::CallCfgNode {
   XmlParseStringCall() {