Merge remote-tracking branch 'upstream/main' into constcrypto

Author: geoffw0

.vscode/tasks.json

@@ -50,6 +50,11 @@
                 "${input:name}",
                 "${input:categoryQuery}"
             ],
+            "options": {
+                "env": {
+                    "EDITOR": "code -r",
+                }
+            },
             "presentation": {
                 "reveal": "never",
                 "close": true
@@ -67,6 +72,11 @@
                 "${input:name}",
                 "${input:categoryLibrary}"
             ],
+            "options": {
+                "env": {
+                    "EDITOR": "code -r"
+                }
+            },
             "presentation": {
                 "reveal": "never",
                 "close": true

actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md

@@ -2,6 +2,7 @@
 category: fix
 ---
 * The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
-  Immutable Actions feature is not yet available for customer use. The query remains in the
-  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
-  available, the query will be updated to report alerts again.
+  Immutable Actions feature is not yet available for customer use. The query has also been moved
+  to the experimental folder and will not be used in code scanning unless it is explicitly added
+  to a code scanning configuration. Once the Immutable Actions feature is available, the query will
+  be updated to report alerts again.

actions/ql/src/Security/CWE-829/UnversionedImmutableAction.md renamed to actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.md

@@ -8,6 +8,7 @@
  * @tags security
  *       actions
  *       internal
+ *       experimental
  *       external/cwe/cwe-829
  */
 

actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql renamed to actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql

@@ -1 +1 @@
-Security/CWE-829/UnversionedImmutableAction.ql
+experimental/Security/CWE-829/UnversionedImmutableAction.ql

actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref

@@ -1,7 +1,7 @@
 /**
  * @name Include file resolution status
- * @description A count of successful includes and includes that failed to resolve.
- *                This query is for internal use only and may change without notice.
+ * @description Counts unresolved and resolved #includes.
+ *              This query is for internal use only and may change without notice.
  * @kind table
  * @id cpp/include-resolution-status
  */

cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql

@@ -0,0 +1,3 @@
+import java
+import semmle.code.java.dataflow.internal.SsaImpl
+import Impl::Consistency

java/ql/consistency-queries/SsaConsistency.ql

@@ -168,12 +168,15 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
    * Holds if the `i`th of basic block `bb` reads source variable `v`.
    */
   predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    exists(VarRead use |
-      v.getAnAccess() = use and bb.getNode(i) = use.getControlFlowNode() and certain = true
+    hasDominanceInformation(bb) and
+    (
+      exists(VarRead use |
+        v.getAnAccess() = use and bb.getNode(i) = use.getControlFlowNode() and certain = true
+      )
+      or
+      variableCapture(v, _, bb, i) and
+      certain = false
     )
-    or
-    variableCapture(v, _, bb, i) and
-    certain = false
   }
 }
 

java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll

@@ -204,12 +204,15 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
    * This includes implicit reads via calls.
    */
   predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    exists(VarRead use |
-      v.getAnAccess() = use and bb.getNode(i) = use.getControlFlowNode() and certain = true
+    hasDominanceInformation(bb) and
+    (
+      exists(VarRead use |
+        v.getAnAccess() = use and bb.getNode(i) = use.getControlFlowNode() and certain = true
+      )
+      or
+      variableCapture(v, _, bb, i) and
+      certain = false
     )
-    or
-    variableCapture(v, _, bb, i) and
-    certain = false
   }
 }
 

java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll

@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 
-# Creates a change note and opens it in VSCode for editing.
+# Creates a change note and opens it in $EDITOR (or VSCode if the environment
+# variable is not set) for editing.
 
 # Expects to receive the following arguments:
 # - What language the change note is for
@@ -51,5 +52,6 @@
 with open(change_note_file, "w") as f:
     f.write(change_note)
 
-# Open the change note file in VSCode, reusing the existing window if possible
-os.system(f"code -r {change_note_file}")
+editor = os.environ.get('EDITOR', 'code -r')
+
+os.system(f"{editor} {change_note_file}")