Merge branch 'main' into assignment

Author: geoffw0

config/add-overlay-annotations.py

@@ -177,6 +177,12 @@ def insert_overlay_caller_annotations(lines):
         out_lines.append(line)
     return out_lines
 
+explicitly_global = set([
+    "java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll",
+    "java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll",
+    "java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll",
+    "java/ql/lib/semmle/code/java/dispatch/internal/Unification.qll",
+])
 
 def annotate_as_appropriate(filename, lines):
     '''
@@ -196,6 +202,9 @@ def annotate_as_appropriate(filename, lines):
         ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
          any("implements DataFlow::ConfigSig" in line for line in lines))):
         return None
+    elif filename in explicitly_global:
+        # These files are explicitly global and should not be annotated.
+        return None
     elif not any(line for line in lines if line.strip()):
         return None
 

cpp/ql/lib/change-notes/2025-09-02-vla.md

@@ -1,4 +1,4 @@
 ---
 category: feature
 ---
-* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type defined in terms of an other `VlaDeclStmt` via a `typedef`.
+* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type is defined in terms of another `VlaDeclStmt` via a `typedef`.

cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/too_many_constants.cpp

@@ -0,0 +1,42 @@
+struct S {
+  int a;
+  int b;
+  int c;
+  unsigned long *d;
+
+  union {
+    struct {
+      const char *e;
+      int f;
+      S *g;
+      const char *h;
+      int i;
+      bool j;
+      bool k;
+      const char *l;
+      char **m;
+    } n;
+
+    struct {
+      bool o;
+      bool p;
+    } q;
+  } r;
+};
+
+int too_many_constants_init(S *s);
+
+char *too_many_constants(const char *h, bool k, int i) {
+  const char *e = "";
+  char l[64] = "";
+  char *m;
+
+  S s[] = {
+      {.a = 0, .c = 0, .d = nullptr, .r = {.n = {.e = e, .f = 1, .g = nullptr, .h = h, .i = i, .j = false, .k = k, .l = l, .m = &m}}},
+      {.a = 0, .c = 0, .d = nullptr, .r = {.q = {.o = true, .p = true}}}
+  };
+
+  too_many_constants_init(s);
+
+  return m; // GOOD - initialized by too_many_constants_init
+}

csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.qhelp

@@ -12,7 +12,7 @@
 <example>
   <p>In this example, we are incrementing/decrementing the current date by one year when creating a new <code>System.DateTime</code> object. This may work most of the time, but on any given February 29th, the resulting value will be invalid.</p>
   <sample src="UnsafeYearConstructionBad.cs" />
-  <p>To fix this bug, we add/substract years to the current date by calling <code>AddYears</code> method on it.</p>
+  <p>To fix this bug, we add/subtract years to the current date by calling <code>AddYears</code> method on it.</p>
   <sample src="UnsafeYearConstructionGood.cs" />
 </example>
 <references>

go/ql/lib/CHANGELOG.md

@@ -4,7 +4,9 @@ No user-facing changes.
 
 ## 4.3.2
 
-No user-facing changes.
+### Minor Analysis Improvements
+
+* Go 1.25 is now supported.
 
 ## 4.3.1
 

go/ql/lib/change-notes/released/4.3.2.md

@@ -1,3 +1,5 @@
 ## 4.3.2
 
-No user-facing changes.
+### Minor Analysis Improvements
+
+* Go 1.25 is now supported.

java/ql/lib/change-notes/2025-09-11-assertions-cfg.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved support for various assertion libraries, in particular JUnit. This affects the control-flow graph slightly, and in turn affects several queries (mainly quality queries). Most queries should see improved precision (new true positives and fewer false positives), in particular `java/constant-comparison`, `java/index-out-of-bounds`, `java/dereferenced-value-may-be-null`, and `java/useless-null-check`. Some medium precision queries like `java/toctou-race-condition` and `java/unreleased-lock` may see mixed result changes (both slight improvements and slight regressions).

java/ql/lib/semmle/code/java/ControlFlowGraph.qll

@@ -365,10 +365,10 @@ private module ControlFlowGraphImpl {
    * Bind `t` to an unchecked exception that may occur in a precondition check or guard wrapper.
    */
   private predicate uncheckedExceptionFromMethod(MethodCall ma, ThrowableType t) {
-    conditionCheckArgument(ma, _, _) and
+    (methodCallChecksArgument(ma) or methodCallUnconditionallyThrows(ma)) and
     (t instanceof TypeError or t instanceof TypeRuntimeException)
     or
-    methodMayThrow(ma.getMethod(), t)
+    methodMayThrow(ma.getMethod().getSourceDeclaration(), t)
   }
 
   /**
@@ -586,6 +586,7 @@ private module ControlFlowGraphImpl {
    * Gets a `MethodCall` that always throws an exception or calls `exit`.
    */
   private MethodCall nonReturningMethodCall() {
+    methodCallUnconditionallyThrows(result) or
     result.getMethod().getSourceDeclaration() = nonReturningMethod() or
     result = likelyNonReturningMethod().getAnAccess()
   }

java/ql/lib/semmle/code/java/controlflow/Guards.qll

@@ -395,11 +395,13 @@ private module LogicInputCommon {
   predicate additionalImpliesStep(
     GuardsImpl::PreGuard g1, GuardValue v1, GuardsImpl::PreGuard g2, GuardValue v2
   ) {
-    exists(MethodCall check, int argIndex |
+    exists(MethodCall check |
       g1 = check and
-      v1.getDualValue().isThrowsException() and
-      conditionCheckArgument(check, argIndex, v2.asBooleanValue()) and
-      g2 = check.getArgument(argIndex)
+      v1.getDualValue().isThrowsException()
+    |
+      methodCallChecksBoolean(check, g2, v2.asBooleanValue())
+      or
+      methodCallChecksNotNull(check, g2) and v2.isNonNullValue()
     )
   }
 }

java/ql/lib/semmle/code/java/controlflow/internal/Preconditions.qll

@@ -1,5 +1,5 @@
 /**
- * Provides predicates for identifying precondition checks like
+ * Provides predicates for identifying precondition and assertion checks like
  * `com.google.common.base.Preconditions` and
  * `org.apache.commons.lang3.Validate`.
  */
@@ -9,99 +9,150 @@ module;
 import java
 
 /**
- * Holds if `m` is a non-overridable method that checks that its zero-indexed `argument`
- * is equal to `checkTrue` and throws otherwise.
+ * Holds if `m` is a method that checks that its argument at position `arg` is
+ * equal to true and throws otherwise.
  */
-predicate conditionCheckMethodArgument(Method m, int argument, boolean checkTrue) {
-  condtionCheckMethodGooglePreconditions(m, checkTrue) and argument = 0
-  or
-  conditionCheckMethodApacheCommonsLang3Validate(m, checkTrue) and argument = 0
+private predicate methodCheckTrue(Method m, int arg) {
+  arg = 0 and
+  (
+    m.hasQualifiedName("com.google.common.base", "Preconditions", ["checkArgument", "checkState"]) or
+    m.hasQualifiedName("com.google.common.base", "Verify", "verify") or
+    m.hasQualifiedName("org.apache.commons.lang3", "Validate", ["isTrue", "validState"]) or
+    m.hasQualifiedName("org.junit.jupiter.api", "Assertions", "assertTrue") or
+    m.hasQualifiedName("org.junit.jupiter.api", "Assumptions", "assumeTrue") or
+    m.hasQualifiedName("org.testng", "Assert", "assertTrue")
+  )
   or
-  condtionCheckMethodTestingFramework(m, argument, checkTrue)
+  m.getParameter(arg).getType() instanceof BooleanType and
+  (
+    m.hasQualifiedName("org.junit", "Assert", "assertTrue") or
+    m.hasQualifiedName("org.junit", "Assume", "assumeTrue") or
+    m.hasQualifiedName("junit.framework", _, "assertTrue")
+  )
+}
+
+/**
+ * Holds if `m` is a method that checks that its argument at position `arg` is
+ * equal to false and throws otherwise.
+ */
+private predicate methodCheckFalse(Method m, int arg) {
+  arg = 0 and
+  (
+    m.hasQualifiedName("org.junit.jupiter.api", "Assertions", "assertFalse") or
+    m.hasQualifiedName("org.junit.jupiter.api", "Assumptions", "assumeFalse") or
+    m.hasQualifiedName("org.testng", "Assert", "assertFalse")
+  )
   or
-  exists(Parameter p, MethodCall ma, int argIndex, boolean ct, Expr arg |
-    p = m.getParameter(argument) and
-    not m.isOverridable() and
-    m.getBody().getStmt(0).(ExprStmt).getExpr() = ma and
-    conditionCheckArgument(ma, argIndex, ct) and
-    ma.getArgument(argIndex) = arg and
-    (
-      arg.(LogNotExpr).getExpr().(VarAccess).getVariable() = p and
-      checkTrue = ct.booleanNot()
-      or
-      arg.(VarAccess).getVariable() = p and checkTrue = ct
-    )
+  m.getParameter(arg).getType() instanceof BooleanType and
+  (
+    m.hasQualifiedName("org.junit", "Assert", "assertFalse") or
+    m.hasQualifiedName("org.junit", "Assume", "assumeFalse") or
+    m.hasQualifiedName("junit.framework", _, "assertFalse")
+  )
+}
+
+/**
+ * Holds if `m` is a method that checks that its argument at position `arg` is
+ * not null and throws otherwise.
+ */
+private predicate methodCheckNotNull(Method m, int arg) {
+  arg = 0 and
+  (
+    m.hasQualifiedName("com.google.common.base", "Preconditions", "checkNotNull") or
+    m.hasQualifiedName("com.google.common.base", "Verify", "verifyNotNull") or
+    m.hasQualifiedName("org.apache.commons.lang3", "Validate", "notNull") or
+    m.hasQualifiedName("java.util", "Objects", "requireNonNull") or
+    m.hasQualifiedName("org.junit.jupiter.api", "Assertions", "assertNotNull") or
+    m.hasQualifiedName("org.junit", "Assume", "assumeNotNull") or // vararg
+    m.hasQualifiedName("org.testng", "Assert", "assertNotNull")
   )
   or
-  exists(Parameter p, IfStmt ifstmt, Expr cond |
-    p = m.getParameter(argument) and
-    not m.isOverridable() and
-    p.getType() instanceof BooleanType and
-    m.getBody().getStmt(0) = ifstmt and
-    ifstmt.getCondition() = cond and
-    (
-      cond.(LogNotExpr).getExpr().(VarAccess).getVariable() = p and checkTrue = true
-      or
-      cond.(VarAccess).getVariable() = p and checkTrue = false
-    ) and
-    (
-      ifstmt.getThen() instanceof ThrowStmt or
-      ifstmt.getThen().(SingletonBlock).getStmt() instanceof ThrowStmt
-    )
+  arg = m.getNumberOfParameters() - 1 and
+  (
+    m.hasQualifiedName("org.junit", "Assert", "assertNotNull") or
+    m.hasQualifiedName("junit.framework", _, "assertNotNull")
   )
 }
 
-private predicate condtionCheckMethodGooglePreconditions(Method m, boolean checkTrue) {
-  m.getDeclaringType().hasQualifiedName("com.google.common.base", "Preconditions") and
-  checkTrue = true and
-  (m.hasName("checkArgument") or m.hasName("checkState"))
+/**
+ * Holds if `m` is a method that checks that its argument at position `arg`
+ * satisfies a property specified by another argument and throws otherwise.
+ */
+private predicate methodCheckThat(Method m, int arg) {
+  m.getParameter(arg).getType().getErasure() instanceof TypeObject and
+  (
+    m.hasQualifiedName("org.hamcrest", "MatcherAssert", "assertThat") or
+    m.hasQualifiedName("org.junit", "Assert", "assertThat") or
+    m.hasQualifiedName("org.junit", "Assume", "assumeThat")
+  )
 }
 
-private predicate conditionCheckMethodApacheCommonsLang3Validate(Method m, boolean checkTrue) {
-  m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "Validate") and
-  checkTrue = true and
-  (m.hasName("isTrue") or m.hasName("validState"))
+/** Holds if `m` is a method that unconditionally throws. */
+private predicate methodUnconditionallyThrows(Method m) {
+  m.hasQualifiedName("org.junit.jupiter.api", "Assertions", "fail") or
+  m.hasQualifiedName("org.junit", "Assert", "fail") or
+  m.hasQualifiedName("junit.framework", _, "fail") or
+  m.hasQualifiedName("org.testng", "Assert", "fail")
 }
 
 /**
- * Holds if `m` is a non-overridable testing framework method that checks that its first argument
- * is equal to `checkTrue` and throws otherwise.
+ * Holds if `mc` is a call to a method that checks that its argument `arg` is
+ * equal to `checkTrue` and throws otherwise.
  */
-private predicate condtionCheckMethodTestingFramework(Method m, int argument, boolean checkTrue) {
-  argument = 0 and
-  (
-    m.getDeclaringType().hasQualifiedName("org.junit", "Assume") and
-    checkTrue = true and
-    m.hasName("assumeTrue")
+predicate methodCallChecksBoolean(MethodCall mc, Expr arg, boolean checkTrue) {
+  exists(int pos | mc.getArgument(pos) = arg |
+    methodCheckTrue(mc.getMethod().getSourceDeclaration(), pos) and checkTrue = true
     or
-    m.getDeclaringType().hasQualifiedName("org.junit.jupiter.api", "Assertions") and
-    (
-      checkTrue = true and m.hasName("assertTrue")
-      or
-      checkTrue = false and m.hasName("assertFalse")
-    )
-    or
-    m.getDeclaringType().hasQualifiedName("org.junit.jupiter.api", "Assumptions") and
-    (
-      checkTrue = true and m.hasName("assumeTrue")
-      or
-      checkTrue = false and m.hasName("assumeFalse")
-    )
+    methodCheckFalse(mc.getMethod().getSourceDeclaration(), pos) and checkTrue = false
   )
-  or
-  m.getDeclaringType().hasQualifiedName(["org.junit", "org.testng"], "Assert") and
-  m.getParameter(argument).getType() instanceof BooleanType and
-  (
-    checkTrue = true and m.hasName("assertTrue")
+}
+
+/**
+ * Holds if `mc` is a call to a method that checks that its argument `arg` is
+ * not null and throws otherwise.
+ */
+predicate methodCallChecksNotNull(MethodCall mc, Expr arg) {
+  exists(int pos | mc.getArgument(pos) = arg |
+    methodCheckNotNull(mc.getMethod().getSourceDeclaration(), pos)
     or
-    checkTrue = false and m.hasName("assertFalse")
+    methodCheckThat(mc.getMethod().getSourceDeclaration(), pos) and
+    mc.getAnArgument().(MethodCall).getMethod().getName() = "notNullValue"
   )
 }
 
 /**
+ * Holds if `mc` is a call to a method that checks one of its arguments in some
+ * way and possibly throws.
+ */
+predicate methodCallChecksArgument(MethodCall mc) {
+  methodCallChecksBoolean(mc, _, _) or
+  methodCallChecksNotNull(mc, _)
+}
+
+/** Holds if `mc` is a call to a method that unconditionally throws. */
+predicate methodCallUnconditionallyThrows(MethodCall mc) {
+  methodUnconditionallyThrows(mc.getMethod().getSourceDeclaration()) or
+  exists(BooleanLiteral b | methodCallChecksBoolean(mc, b, b.getBooleanValue().booleanNot()))
+}
+
+/**
+ * DEPRECATED: Use `methodCallChecksBoolean` instead.
+ *
+ * Holds if `m` is a non-overridable method that checks that its zero-indexed `argument`
+ * is equal to `checkTrue` and throws otherwise.
+ */
+deprecated predicate conditionCheckMethodArgument(Method m, int argument, boolean checkTrue) {
+  methodCheckTrue(m, argument) and checkTrue = true
+  or
+  methodCheckFalse(m, argument) and checkTrue = false
+}
+
+/**
+ * DEPRECATED: Use `methodCallChecksBoolean` instead.
+ *
  * Holds if `ma` is an access to a non-overridable method that checks that its
  * zero-indexed `argument` is equal to `checkTrue` and throws otherwise.
  */
-predicate conditionCheckArgument(MethodCall ma, int argument, boolean checkTrue) {
+deprecated predicate conditionCheckArgument(MethodCall ma, int argument, boolean checkTrue) {
   conditionCheckMethodArgument(ma.getMethod().getSourceDeclaration(), argument, checkTrue)
 }