Merge branch 'main' into actions/fix/code-injection-privileged-context

Author: owen-mc

.bazelversion

@@ -1 +1 @@
-8.1.1
+8.4.2

MODULE.bazel

@@ -23,7 +23,7 @@ bazel_dep(name = "rules_shell", version = "0.5.0")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "10.0.0")
+bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")

config/identical-files.json

@@ -276,5 +276,12 @@
   "Python model summaries test extension": [
     "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
+  ],
+  "XML discard predicates": [
+    "javascript/ql/lib/semmle/javascript/internal/OverlayXml.qll",
+    "java/ql/lib/semmle/code/java/internal/OverlayXml.qll",
+    "go/ql/lib/semmle/go/internal/OverlayXml.qll",
+    "python/ql/lib/semmle/python/internal/OverlayXml.qll",
+    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll"
   ]
 }

cpp/ql/lib/cpp.qll

@@ -74,3 +74,4 @@ import semmle.code.cpp.Preprocessor
 import semmle.code.cpp.Iteration
 import semmle.code.cpp.NameQualifiers
 import DefaultOptions
+private import semmle.code.cpp.internal.Overlay

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -0,0 +1,60 @@
+/**
+ * Defines entity discard predicates for C++ overlay analysis.
+ */
+
+/**
+ * Holds always for the overlay variant and never for the base variant.
+ * This local predicate is used to define local predicates that behave
+ * differently for the base and overlay variant.
+ */
+overlay[local]
+predicate isOverlay() { databaseMetadata("isOverlay", "true") }
+
+overlay[local]
+private string getLocationFilePath(@location_default loc) {
+  exists(@file file | locations_default(loc, file, _, _, _, _) | files(file, result))
+}
+
+/**
+ * Gets the file path for an element with a single location.
+ */
+overlay[local]
+private string getSingleLocationFilePath(@element e) {
+  // @var_decl has a direct location in the var_decls relation
+  exists(@location_default loc | var_decls(e, _, _, _, loc) | result = getLocationFilePath(loc))
+  //TODO: add other kinds of elements with single locations
+}
+
+/**
+ * Gets the file path for an element with potentially multiple locations.
+ */
+overlay[local]
+private string getMultiLocationFilePath(@element e) {
+  // @variable gets its location(s) from its @var_decl(s)
+  exists(@var_decl vd, @location_default loc | var_decls(vd, e, _, _, loc) |
+    result = getLocationFilePath(loc)
+  )
+  //TODO: add other kinds of elements with multiple locations
+}
+
+/**
+ * A local helper predicate that holds in the base variant and never in the
+ * overlay variant.
+ */
+overlay[local]
+private predicate holdsInBase() { not isOverlay() }
+
+/**
+ * Discards an element from the base variant if:
+ * - It has a single location in a changed file, or
+ * - All of its locations are in changed files.
+ */
+overlay[discard_entity]
+private predicate discardElement(@element e) {
+  holdsInBase() and
+  (
+    overlayChangedFiles(getSingleLocationFilePath(e))
+    or
+    forex(string path | path = getMultiLocationFilePath(e) | overlayChangedFiles(path))
+  )
+}

csharp/ql/integration-tests/all-platforms/blazor/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "9.0.304"
+    }
+}

csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "9.0.304"
+    }
+}

csharp/ql/integration-tests/all-platforms/blazor_net_8/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "8.0.401"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_10/test.py

@@ -1,5 +1,9 @@
+import pytest
+
+@pytest.mark.skip(reason=".NET 10 info command crashes")
 def test1(codeql, csharp):
     codeql.database.create()
 
+@pytest.mark.skip(reason=".NET 10 info command crashes")
 def test2(codeql, csharp):
     codeql.database.create(build_mode="none")

csharp/ql/integration-tests/all-platforms/standalone_failed/global.json

@@ -0,0 +1,5 @@
+{
+  "sdk": {
+    "version": "9.0.304"
+  }
+}