- The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change,
.cshtmlfiles and their generated.cshtml.g.cscounterparts are extracted on dotnet 6 and above.
- C#: Analysis of the
dotnet testcommand supplied with adllorexefile as argument no longer fails due to the addition of an erroneous-p:SharedCompilation=falseargument. - Deleted the deprecated
WebConfigXML,ConfigurationXMLElement,LocationXMLElement,SystemWebXMLElement,SystemWebServerXMLElement,CustomErrorsXMLElement, andHttpRuntimeXMLElementclasses fromWebConfig.qll. The non-deprecated names with PascalCased Xml suffixes should be used instead. - Deleted the deprecated
Recordclass from bothTypes.qllandType.qll. - Deleted the deprecated
StructuralComparisonConfigurationclass fromStructuralComparison.qll, usesameGvninstead. - Deleted the deprecated
isParameterOfpredicate from theParameterNodeclass. - Deleted the deprecated
SafeExternalAPICallable,ExternalAPIDataNode,UntrustedDataToExternalAPIConfig,UntrustedExternalAPIDataNode, andExternalAPIUsedWithUntrustedDataclasses fromExternalAPIsQuery.qll. The non-deprecated names with PascalCased Api suffixes should be used instead. - Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
codetocode-injectionsqltosql-injectionhtmltohtml-injectionxsstojs-injectionremotetofile-content-store
- The
cs/log-forging,cs/cleartext-storage, andcs/exposure-of-sensitive-informationqueries now correctly handle unsanitized arguments toILoggerextension methods. - Updated the
neutralModelextensible predicate to include akindcolumn.
No user-facing changes.
- The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
- Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular
DataFlow::hasFlowPath,DataFlow::hasFlow,DataFlow::hasFlowTo, andDataFlow::hasFlowToExprwere accidentally exposed in a single version.
No user-facing changes.
- Added support for merging two
PathGraphs via disjoint union to allow results from multiple data flow computations in a singlepath-problemquery.
- The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
- Deleted the deprecated
getPathandgetFolderpredicates from theXmlFileclass. - Deleted the deprecated
getAssertionIndex, andgetAssertedParameterpredicates from theAssertMethodclass. - Deleted the deprecated
OverridableMethodandOverridableAccessorclasses. - The
unsafepredicate forModifiablehas been extended to cover delegate return types and identify pointer-like types at any nest level. This is relevant forunsafedeclarations extracted from assemblies.
- The query
cs/static-field-written-by-instanceis updated to handle properties. - C# 11: Support for explicit interface member implementation of operators.
- The extraction of member modifiers has been generalized, which could lead to the extraction of more modifiers.
- C# 11: Added extractor and library support for
filescoped types. - C# 11: Added extractor support for
requiredfields and properties. - C# 11: Added library support for
checkedoperators.
- C# 11: Added extractor support for the
scopedmodifier annotation on parameters and local variables.
- Add extractor and library support for UTF-8 encoded strings.
- The
StringLiteralclass includes UTF-8 encoded strings. - In the DB Scheme
@string_literal_expris renamed to@utf16_string_literal_expr.
- C# 11: Added extractor support for
reffields inref structdeclarations.
- Added library support for generic attributes (also for CIL extracted attributes).
cil.ConstructedType::getNamewas changed to include printing of the type arguments.
- Attributes on methods in CIL are now extracted (Bugfix).
- Support for
static virtualandstatic abstractinterface members. - Support for operators in interface definitions.
- C# 11: Added support for the unsigned right shift
>>>and unsigned right shift assignment>>>=operators. - Query id's have been aligned such that they are prefixed with
csinstead ofcsharp.
- C# 11: Added support for list- and slice patterns in the extractor.
- Deleted the deprecated
getNameWithoutBracketspredicate from theValueOrRefTypeclass inType.qll. Element::hasQualifiedName/1has been deprecated. UsehasQualifiedName/2orhasQualifiedName/3instead.- Added TCP/UDP sockets as taint sources.
No user-facing changes.
No user-facing changes.
- The
[Summary|Sink|Source]ModelCsvclasses have been deprecated and Models as Data models are defined as data extensions instead.
No user-facing changes.
No user-facing changes.
DateTimeexpressions are now considered simple type sanitizers. This affects a wide range of security queries.- ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
- Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- The
BarrierGuardclass has been deprecated. Such barriers and sanitizers can now instead be created using the newBarrierGuardparameterized module.
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
- The recently added flow-state versions of
isBarrierIn,isBarrierOut,isSanitizerIn, andisSanitizerOutin the data flow and taint tracking libraries have been removed.
- The flow state variants of
isBarrierandisAdditionalFlowStepare no longer exposed in the taint tracking library. TheisSanitizerandisAdditionalTaintSteppredicates should be used instead.
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- The data flow and taint tracking libraries have been extended with versions of
isBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- The C# extractor no longer supports the following legacy environment variables:
ODASA_BUILD_ERROR_DIR
ODASA_CSHARP_LAYOUT
ODASA_SNAPSHOT
SEMMLE_DIST
SEMMLE_EXTRACTOR_OPTIONS
SEMMLE_PLATFORM_TOOLS
SEMMLE_PRESERVE_SYMLINKS
SOURCE_ARCHIVE
TRAP_FOLDER
codeql test runnow extracts source code recursively from sub folders. This may break existing tests that have other tests in nested sub folders, as those will now get the nested test code included.
- Added support for C# 10 lambda improvements
- Explicit return types on lambda expressions.
- Lambda expression can be tagged with method and return value attributes.
- Added support for C# 10 Extended property patterns.
- Return value attributes are extracted.
- The QL
Attributeclass now has subclasses for each kind of attribute.
- The
codeql/csharp-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/csharp-allCodeQL pack.
Added support for the following C# 10 features.
- Record structs.
- Improvements of structure types.
- Instance parameterless constructor in a structure type.
- Enhance
WithExprin QL to supportstructsand anonymous classes.
- Global using directives.
- File-scoped namespace declaration.
- Enhanced #line pragma.
- The query
cs/local-shadows-memberno longer highlights parameters ofrecordtypes.