Update from 2.15.1/Java 0.8.1 to 2.16.4/Java 0.8.10 (#36)

Co-authored-by: Daniel Beck <[email protected]>
jenkins-infra · Mar 26, 2024 · 5c307d7 · 5c307d7
1 parent e39a4f6
commit 5c307d7
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 36 deletions.
diff --git a/lib/codeql-pack.lock.yml b/lib/codeql-pack.lock.yml
@@ -2,19 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.1
+    version: 0.2.1
   codeql/java-all:
-    version: 0.8.1
+    version: 0.8.10
   codeql/mad:
-    version: 0.2.1
+    version: 0.2.10
+  codeql/rangeanalysis:
+    version: 0.0.9
   codeql/regex:
-    version: 0.2.1
+    version: 0.2.10
   codeql/ssa:
-    version: 0.2.1
+    version: 0.2.10
+  codeql/threat-models:
+    version: 0.0.9
   codeql/tutorial:
-    version: 0.2.1
+    version: 0.2.10
   codeql/typetracking:
-    version: 0.2.1
+    version: 0.2.10
   codeql/util:
-    version: 0.2.1
+    version: 0.2.10
 compiled: false
diff --git a/lib/qlpack.yml b/lib/qlpack.yml
@@ -4,4 +4,4 @@ name: jenkins-infra/jenkins-codeql-lib
 version: 0.0.2-dev
 license: MIT
 dependencies:
-  codeql/java-all: 0.8.1 # https://github.com/github/codeql/blob/main/java/ql/src/CHANGELOG.md
+  codeql/java-all: 0.8.10
diff --git a/run-tests.sh b/run-tests.sh
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+CODEQL_VERSION=2.16.4
+
 set -o errexit
 set -o nounset
 set -o pipefail
@@ -15,7 +17,7 @@ echo "Using temp dir $TMPDIR ..." >&2
 cd "$TMPDIR"
 
 echo "Downloading CodeQL CLI ..." >&2
-curl --location --silent --fail --output codeql.zip "https://github.com/github/codeql-cli-binaries/releases/download/v2.15.1/codeql-${OS}.zip"
+curl --location --silent --fail --output codeql.zip "https://github.com/github/codeql-cli-binaries/releases/download/v$CODEQL_VERSION/codeql-${OS}.zip"
 
 echo "Extracting CodeQL CLI ..." >&2
 unzip -q codeql.zip # Into codeql/ directory

diff --git a/src/FileFromRestOfPath.ql b/src/FileFromRestOfPath.ql
@@ -15,7 +15,7 @@ import semmle.code.java.dataflow.TaintTracking
 
 class RestOfPathSource extends DataFlow::ExprNode {
     RestOfPathSource() {
-        exists(Method m | m = this.asExpr().(MethodAccess).getMethod() |
+        exists(Method m | m = this.asExpr().(MethodCall).getMethod() |
             m.hasName("getRestOfPath")
             //and m.getDeclaringType() instanceof TBD
         )
@@ -30,12 +30,13 @@ class FileSink extends DataFlow::ExprNode {
   }
 }
 
-class RestOfPathToFileConfiguration extends TaintTracking::Configuration {
-  RestOfPathToFileConfiguration() { this = "RestOfPathToFileConfiguration" }
-  override predicate isSource(DataFlow::Node source) { source instanceof RestOfPathSource }
-  override predicate isSink(DataFlow::Node sink) { sink instanceof FileSink }
+module RestOfPathToFile implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RestOfPathSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof FileSink }
 }
 
-from DataFlow::Node source, DataFlow::Node sink, RestOfPathToFileConfiguration config
-where config.hasFlow(source, sink)
+module Flow = TaintTracking::Global<RestOfPathToFile>;
+
+from DataFlow::Node source, DataFlow::Node sink
+where Flow::flow(source, sink)
 select  source, "A file is created from #getRestOfPath, potential path traversal vulnerability $@.", sink, "here"
diff --git a/src/HasPermissionReturnIgnored.ql b/src/HasPermissionReturnIgnored.ql
@@ -11,7 +11,7 @@
 
 import java
 
-from MethodAccess unchecked, Method m
+from MethodCall unchecked, Method m
 where unchecked.getMethod() = m and m.hasName("hasPermission")
   and unchecked.getParent() instanceof ExprStmt
 select unchecked, "The result of the call is ignored"
diff --git a/src/codeql-pack.lock.yml b/src/codeql-pack.lock.yml
@@ -2,19 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.1
+    version: 0.2.1
   codeql/java-all:
-    version: 0.8.1
+    version: 0.8.10
   codeql/mad:
-    version: 0.2.1
+    version: 0.2.10
+  codeql/rangeanalysis:
+    version: 0.0.9
   codeql/regex:
-    version: 0.2.1
+    version: 0.2.10
   codeql/ssa:
-    version: 0.2.1
+    version: 0.2.10
+  codeql/threat-models:
+    version: 0.0.9
   codeql/tutorial:
-    version: 0.2.1
+    version: 0.2.10
   codeql/typetracking:
-    version: 0.2.1
+    version: 0.2.10
   codeql/util:
-    version: 0.2.1
+    version: 0.2.10
 compiled: false
diff --git a/src/qlpack.yml b/src/qlpack.yml
@@ -4,5 +4,5 @@ name: jenkins-infra/jenkins-codeql
 version: 0.0.2-dev
 license: MIT
 dependencies:
-  codeql/java-all: 0.8.1 # https://github.com/github/codeql/blob/main/java/ql/src/CHANGELOG.md
+  codeql/java-all: 0.8.10
   jenkins-infra/jenkins-codeql-lib: '*'
diff --git a/test/codeql-pack.lock.yml b/test/codeql-pack.lock.yml
@@ -2,19 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.1
+    version: 0.2.1
   codeql/java-all:
-    version: 0.8.1
+    version: 0.8.10
   codeql/mad:
-    version: 0.2.1
+    version: 0.2.10
+  codeql/rangeanalysis:
+    version: 0.0.9
   codeql/regex:
-    version: 0.2.1
+    version: 0.2.10
   codeql/ssa:
-    version: 0.2.1
+    version: 0.2.10
+  codeql/threat-models:
+    version: 0.0.9
   codeql/tutorial:
-    version: 0.2.1
+    version: 0.2.10
   codeql/typetracking:
-    version: 0.2.1
+    version: 0.2.10
   codeql/util:
-    version: 0.2.1
+    version: 0.2.10
 compiled: false
diff --git a/test/qlpack.yml b/test/qlpack.yml
@@ -2,7 +2,7 @@ name: jenkins-infra/java-tests
 groups: [java, test]
 license: MIT
 dependencies:
-  codeql/java-all: 0.8.1 # https://github.com/github/codeql/blob/main/java/ql/src/CHANGELOG.md
+  codeql/java-all: 0.8.10
   jenkins-infra/jenkins-codeql-lib: "*"
   jenkins-infra/jenkins-codeql: "*"
 extractor: java