This interface works better when defining the DFG edges in the next commit
Adding this directly in the DataFlow module would expose it publicly via the `DataFlow::` prefix which does not seem desirable. We just want to be able to access it ourselves, so I've put it in its own file.
| private import codeql.dataflow.PrintDfg | ||
| import MakePrintDfg<Location, JSDataFlow, JSTaintFlow> | ||
|
|
||
| external string selectedSourceFile(); |
Check warning
Code scanning / CodeQL
Dead code Warning
|
|
||
| external string selectedSourceFile(); | ||
|
|
||
| private predicate selectedSourceFileAlias = selectedSourceFile/0; |
Check warning
Code scanning / CodeQL
Dead code Warning
|
|
||
| private predicate selectedSourceFileAlias = selectedSourceFile/0; | ||
|
|
||
| external int selectedSourceLine(); |
Check warning
Code scanning / CodeQL
Dead code Warning
|
|
||
| external int selectedSourceLine(); | ||
|
|
||
| private predicate selectedSourceLineAlias = selectedSourceLine/0; |
Check warning
Code scanning / CodeQL
Dead code Warning
|
|
||
| private predicate selectedSourceLineAlias = selectedSourceLine/0; | ||
|
|
||
| external int selectedSourceColumn(); |
Check warning
Code scanning / CodeQL
Dead code Warning
|
|
||
| external int selectedSourceColumn(); | ||
|
|
||
| private predicate selectedSourceColumnAlias = selectedSourceColumn/0; |
Check warning
Code scanning / CodeQL
Dead code Warning
javascript/ql/lib/printDfg.ql
Outdated
|
|
||
| private predicate selectedSourceColumnAlias = selectedSourceColumn/0; | ||
|
|
||
| module ViewCfgQueryInput implements ViewGraphQueryInputSig<File> { |
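Review bot: the module declared on the last line is named `ViewCfgQueryInput`, yet this file is `printDfg.ql`, so the `Cfg` in the name reads as a leftover from a control-flow version of the query. Since the name is chosen here and only the signature `ViewGraphQueryInputSig<File>` is fixed, something like `ViewDfgQueryInput` would say what the module actually feeds.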
Check warning
Code scanning / CodeQL
Dead code Warning
| predicate selectedSourceColumn = selectedSourceColumnAlias/0; | ||
|
|
||
| predicate cfgScopeSpan( | ||
| predicate callableSpan( |
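Review bot: the first line, `predicate selectedSourceColumn = selectedSourceColumnAlias/0;`, depends on a file-level alias whose purpose is not stated anywhere in the visible lines. A one-line comment beside the `...Alias` declarations, saying that they presumably exist so the module member can reuse the name of the `external` predicate, would help a reader here. It would also make clear that the alias is in fact referenced, which matters when triaging the dead-code warnings raised on those declarations.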
Check warning
Code scanning / CodeQL
Dead code Warning
|
|
||
| private import codeql.util.Location | ||
| private import codeql.dataflow.DataFlow as DF | ||
| private import codeql.dataflow.TaintTracking as TT |
Check warning
Code scanning / CodeQL
Names only differing by case Warning
…t in expected files
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
…cks (UncheckedLeapYearAfterYearModification). Switch to using 'postprocess' for unit tests.
…ion. Includes new logic for detecting leap year checks, new forms of leap year checks detected, and various heuristics to remove false positives. Move TimeConversionFunction into LeapYear.qll and refactor to separate conversion functions that are expected to be checked for failure from those that auto correct leap year dates if Feb 29 is provided on a non-leap year. Increase the set of known TimeConversionFunctions.
…e negative remains.
…auto correct for leap year should be considered.
These were causing the repo `gufolabs/noc` to spend ~30 seconds evaluating `ControlFlowNode.strictlyDominates`. Just in case, I added `overlay[caller]` to the other instances of `pragma[inline]` as well.
On `keras-team/keras`, this was producing ~200 million intermediate tuples in order to produce a total of ... 2 tuples. After the refactor, max intermediate tuple count is ~80k for the charpred (and 4 for the new helper predicate).
This caused a ~30x blowup in intermediate tuples, now back to baseline.
Note that some sanitizers had no effect because flow through those functions wasn't modeled.
Note that this will only block flow for queries that use the kind `command-injection`.
Need to do this because the model numbering was changing. At the same time we may as well use inline expectations.
Adds the queries called by github/vscode-codeql#4305