Sync Upstream Tags

.github/workflows/powershell-pr-check.yml

@@ -0,0 +1,28 @@
+name: PowerShell PR Check
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  powershell-pr-check:
+    name: powershell-pr-check
+    runs-on: ubuntu-latest
+    if: github.repository == 'microsoft/codeql'
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ github.token }}
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+        with:
+          channel: release
+      - name: Compile PowerShell Queries
+        run: |
+          codeql query compile --check-only --keep-going powershell/ql/src

.github/workflows/sync-main-tags.yml

@@ -0,0 +1,27 @@
+name: Sync Main Tags
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+
+jobs:
+  sync-main-tags:
+    name: Sync Main Tags
+    runs-on: ubuntu-latest
+    if: github.repository == 'microsoft/codeql' && github.event.pull_request.merged == true && github.event.pull_request.head.ref == 'auto/sync-main-pr'
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Push Tags
+        run: |
+          git fetch upstream --tags --force
+          git push --force origin --tags
+        env:
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}

.github/workflows/sync-main.yml

@@ -0,0 +1,88 @@
+name: Sync Main
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/sync-main.yml
+  schedule:
+    - cron: '55 * * * *'
+
+jobs:
+  sync-main:
+    name: Sync-main
+    runs-on: ubuntu-latest
+    if: github.repository == 'microsoft/codeql'
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Git config
+        shell: bash
+        run: |
+          git config user.name "dilanbhalla"
+          git config user.email "dilanbhalla@microsoft.com"
+      - name: Git checkout auto/sync-main-pr
+        shell: bash
+        run: |
+          git fetch origin
+          if git ls-remote --exit-code --heads origin auto/sync-main-pr > /dev/null; then
+            echo "Branch exists remotely. Checking it out."
+            git checkout -B auto/sync-main-pr origin/auto/sync-main-pr
+          else
+            echo "Branch does not exist remotely. Creating from main."
+            git checkout -B auto/sync-main-pr origin/main
+            git push -u origin auto/sync-main-pr
+          fi
+      - name: Sync origin/main
+        shell: bash
+        run: |
+          echo "::group::Sync with main branch"
+          git pull origin auto/sync-main-pr; exitCode=$?; if [ $exitCode -ne 0 ]; then exitCode=0; fi
+          git pull origin main --no-rebase
+          git push --force origin auto/sync-main-pr
+          echo "::endgroup::"
+      - name: Sync upstream/codeql-cli/latest
+        shell: bash
+        run: |
+          echo "::group::Set up remote"
+          git remote add upstream https://github.com/github/codeql.git
+          git fetch upstream --tags --force
+          echo "::endgroup::"
+          echo "::group::Merge codeql-cli/latest"
+          set -x
+          git merge codeql-cli/latest
+          set +x
+          echo "::endgroup::"
+      - name: Push sync branch
+        run: |
+          git push origin auto/sync-main-pr
+        env:
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+      - name: Create PR if it doesn't exist
+        shell: bash
+        run: |
+          pr_number=$(gh pr list --repo microsoft/codeql --head auto/sync-main-pr --base main --json number --jq '.[0].number')
+          if [ -n "$pr_number" ]; then
+            echo "PR from auto/sync-main-pr to main already exists (PR #$pr_number). Exiting gracefully."
+          else
+            if git fetch origin main auto/sync-main-pr && [ -n "$(git rev-list origin/main..origin/auto/sync-main-pr)" ]; then
+              echo "PR does not exist. Creating one..."
+              gh pr create --repo microsoft/codeql --fill -B main -H auto/sync-main-pr \
+                --label 'autogenerated' \
+                --title 'Sync Main (autogenerated)' \
+                --body "This PR syncs the latest changes from \`codeql-cli/latest\` into \`main\`." \
+                --reviewer 'MathiasVP'
+                --reviewer 'ropwareJB'
+            else
+              echo "No changes to sync from auto/sync-main-pr to main. Exiting gracefully."
+            fi
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}

README.md

@@ -29,3 +29,5 @@ You can install the [CodeQL for Visual Studio Code](https://marketplace.visualst
 ### Tasks
 
 The `.vscode/tasks.json` file defines custom tasks specific to working in this repository. To invoke one of these tasks, select the `Terminal | Run Task...` menu option, and then select the desired task from the dropdown. You can also invoke the `Tasks: Run Task` command from the command palette.
+
+

SECURITY.md

@@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->

cpp/ql/lib/change-notes/2023-10-12-additional-call-targets.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll

@@ -115,6 +115,10 @@ private string normalizeFunctionName(Function f, string algType) {
   (result.matches("RSA") implies not f.getName().toUpperCase().matches("%UNIVERSAL%")) and
   //rsaz functions deemed to be too low level, and can be ignored
   not f.getLocation().getFile().getBaseName().matches("rsaz_exp.c") and
+  // SHA false positives
+  (result.matches("SHA") implies not f.getName().toUpperCase().matches("%SHAKE%")) and
+  // CAST false positives
+  (result.matches("CAST") implies not f.getName().toUpperCase().matches(["%UPCAST%", "%DOWNCAST%"])) and
   // General False positives
   // Functions that 'get' do not set an algorithm, and therefore are considered ignorable
   not f.getName().toLowerCase().matches("%get%")

cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll

@@ -26,6 +26,14 @@ private class IteratorTraits extends Class {
   }
 
   Type getIteratorType() { result = this.getTemplateArgument(0) }
+
+  Type getValueType() {
+    exists(TypedefType t |
+      this.getAMember() = t and
+      t.getName() = "value_type" and
+      result = t.getUnderlyingType()
+    )
+  }
 }
 
 /**
@@ -34,16 +42,13 @@ private class IteratorTraits extends Class {
  */
 private class IteratorByTraits extends Iterator {
   IteratorTraits trait;
+  IteratorByTraits() {
+    trait.getIteratorType() = this and
+    not trait.getValueType() = this
+  }
 
-  IteratorByTraits() { trait.getIteratorType() = this }
+  override Type getValueType() { result = trait.getValueType() }
 
-  override Type getValueType() {
-    exists(TypedefType t |
-      trait.getAMember() = t and
-      t.getName() = "value_type" and
-      result = t.getUnderlyingType()
-    )
-  }
 }
 
 /**

cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.qhelp

@@ -11,7 +11,7 @@ It is not safe to assume that a year is 365 days long.</p>
 
 <recommendation>
 <p>Determine whether the time span in question contains a leap day, then perform the calculation using the correct number
-of days.  Alternatively, use an established library routine that already contains correct leap year logic.</p>
+of days. Alternatively, use an established library routine that already contains correct leap year logic.</p>
 </recommendation>
 
 <references>

cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql

@@ -4,20 +4,22 @@
  *              value of 365, it may be a sign that leap years are not taken
  *              into account.
  * @kind problem
- * @problem.severity warning
- * @id cpp/leap-year/adding-365-days-per-year
+ * @problem.severity error
+ * @id cpp/microsoft/public/leap-year/adding-365-days-per-year
  * @precision medium
  * @tags leap-year
  *       correctness
  */
 
 import cpp
 import LeapYear
+import semmle.code.cpp.dataflow.new.DataFlow
 
 from Expr source, Expr sink
 where
   PossibleYearArithmeticOperationCheckFlow::flow(DataFlow::exprNode(source),
     DataFlow::exprNode(sink))
 select sink,
-  "An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios.",
-  source, source.toString()
+  "$@: This arithmetic operation $@ uses a constant value of 365 ends up modifying the date/time located at $@, without considering leap year scenarios.",
+  sink.getEnclosingFunction(), sink.getEnclosingFunction().toString(), source, source.toString(),
+  sink, sink.toString()

cpp/ql/src/Likely Bugs/Leap Year/AntiPattern5InvalidLeapYearCheck.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Leap Year Invalid Check (AntiPattern 5)
+ * @description An expression is used to check a year is presumably a leap year, but the conditions used are insufficient.
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/microsoft/public/leap-year/invalid-leap-year-check
+ * @precision medium
+ * @tags leap-year
+ *       correctness
+ */
+
+import cpp
+import LeapYear
+
+from Mod4CheckedExpr exprMod4
+where not exists(ExprCheckLeapYear lyCheck | lyCheck.getAChild*() = exprMod4)
+select exprMod4, "Possible Insufficient Leap Year check (AntiPattern 5)"