Merge branch 'main' into d10c/rtjo-language-tests

d10c · web-flow · commit 8bfe8fa69d70 · 2025-03-24T14:07:37.000+01:00
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
@@ -109,7 +109,7 @@ public HashSet<AssemblyLookupLocation> Restore()
                 if (checkNugetFeedResponsiveness && !CheckFeeds(out explicitFeeds))
                 {
                     // todo: we could also check the reachability of the inherited nuget feeds, but to use those in the fallback we would need to handle authentication too.
-                    var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds(explicitFeeds);
+                    var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds([], explicitFeeds);
                     return unresponsiveMissingPackageLocation is null
                         ? []
                         : [unresponsiveMissingPackageLocation];
@@ -166,11 +166,11 @@ public HashSet<AssemblyLookupLocation> Restore()
                 .ToList();
             assemblyLookupLocations.UnionWith(paths.Select(p => new AssemblyLookupLocation(p)));
 
-            LogAllUnusedPackages(dependencies);
+            var usedPackageNames = GetAllUsedPackageDirNames(dependencies);
 
             var missingPackageLocation = checkNugetFeedResponsiveness
-                ? DownloadMissingPackagesFromSpecificFeeds(explicitFeeds)
-                : DownloadMissingPackages();
+                ? DownloadMissingPackagesFromSpecificFeeds(usedPackageNames, explicitFeeds)
+                : DownloadMissingPackages(usedPackageNames);
 
             if (missingPackageLocation is not null)
             {
@@ -297,21 +297,21 @@ private void RestoreProjects(IEnumerable<string> projects, out ConcurrentBag<Dep
             compilationInfoContainer.CompilationInfos.Add(("Failed project restore with package source error", nugetSourceFailures.ToString()));
         }
 
-        private AssemblyLookupLocation? DownloadMissingPackagesFromSpecificFeeds(HashSet<string>? feedsFromNugetConfigs)
+        private AssemblyLookupLocation? DownloadMissingPackagesFromSpecificFeeds(IEnumerable<string> usedPackageNames, HashSet<string>? feedsFromNugetConfigs)
         {
             var reachableFallbackFeeds = GetReachableFallbackNugetFeeds(feedsFromNugetConfigs);
             if (reachableFallbackFeeds.Count > 0)
             {
-                return DownloadMissingPackages(fallbackNugetFeeds: reachableFallbackFeeds);
+                return DownloadMissingPackages(usedPackageNames, fallbackNugetFeeds: reachableFallbackFeeds);
             }
 
             logger.LogWarning("Skipping download of missing packages from specific feeds as no fallback Nuget feeds are reachable.");
             return null;
         }
 
-        private AssemblyLookupLocation? DownloadMissingPackages(IEnumerable<string>? fallbackNugetFeeds = null)
+        private AssemblyLookupLocation? DownloadMissingPackages(IEnumerable<string> usedPackageNames, IEnumerable<string>? fallbackNugetFeeds = null)
         {
-            var alreadyDownloadedPackages = GetRestoredPackageDirectoryNames(PackageDirectory.DirInfo);
+            var alreadyDownloadedPackages = usedPackageNames.Select(p => p.ToLowerInvariant());
             var alreadyDownloadedLegacyPackages = GetRestoredLegacyPackageNames();
 
             var notYetDownloadedPackages = new HashSet<PackageReference>(fileContent.AllPackages);
@@ -418,17 +418,23 @@ private void RestoreProjects(IEnumerable<string> projects, out ConcurrentBag<Dep
             return nugetConfig;
         }
 
-        private void LogAllUnusedPackages(DependencyContainer dependencies)
+        private IEnumerable<string> GetAllUsedPackageDirNames(DependencyContainer dependencies)
         {
             var allPackageDirectories = GetAllPackageDirectories();
 
             logger.LogInfo($"Restored {allPackageDirectories.Count} packages");
             logger.LogInfo($"Found {dependencies.Packages.Count} packages in project.assets.json files");
 
-            allPackageDirectories
-                .Where(package => !dependencies.Packages.Contains(package))
+            var usage = allPackageDirectories.Select(package => (package, isUsed: dependencies.Packages.Contains(package)));
+
+            usage
+                .Where(package => !package.isUsed)
                 .Order()
-                .ForEach(package => logger.LogDebug($"Unused package: {package}"));
+                .ForEach(package => logger.LogDebug($"Unused package: {package.package}"));
+
+            return usage
+                .Where(package => package.isUsed)
+                .Select(package => package.package);
         }
 
         private ICollection<string> GetAllPackageDirectories()
diff --git a/csharp/ql/src/change-notes/2025-03-21-dependency-fetching.md b/csharp/ql/src/change-notes/2025-03-21-dependency-fetching.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved dependency resolution in `build-mode: none` extraction to handle failing `dotnet restore` processes that managed to download a subset of the dependencies before the failure.
diff --git a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
@@ -23,5 +23,5 @@ where
   sink.getNode().asExpr() = c.getAlgoSpec() and
   InsecureCryptoFlow::flowPath(source, sink)
 select c, source, sink,
-  "Cryptographic algorithm $@ may not be secure, consider using a different algorithm.", source,
+  "Cryptographic algorithm $@ may not be secure. Consider using a different algorithm.", source,
   source.getNode().asExpr().(InsecureAlgorithm).getStringValue()
diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected b/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected
@@ -6,7 +6,7 @@ nodes
 | WeakHashing.java:21:56:21:91 | getProperty(...) | semmle.label | getProperty(...) |
 subpaths
 #select
-| Test.java:34:21:34:53 | new SecretKeySpec(...) | Test.java:34:48:34:52 | "foo" | Test.java:34:48:34:52 | "foo" | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | Test.java:34:48:34:52 | "foo" | foo |
-| WeakHashing.java:15:29:15:84 | getInstance(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:15:55:15:83 | getProperty(...) | MD5 |
-| WeakHashing.java:18:30:18:96 | getInstance(...) | WeakHashing.java:18:56:18:95 | getProperty(...) | WeakHashing.java:18:56:18:95 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:18:56:18:95 | getProperty(...) | MD5 |
-| WeakHashing.java:21:30:21:92 | getInstance(...) | WeakHashing.java:21:56:21:91 | getProperty(...) | WeakHashing.java:21:56:21:91 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:21:56:21:91 | getProperty(...) | MD5 |
+| Test.java:34:21:34:53 | new SecretKeySpec(...) | Test.java:34:48:34:52 | "foo" | Test.java:34:48:34:52 | "foo" | Cryptographic algorithm $@ may not be secure. Consider using a different algorithm. | Test.java:34:48:34:52 | "foo" | foo |
+| WeakHashing.java:15:29:15:84 | getInstance(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | Cryptographic algorithm $@ may not be secure. Consider using a different algorithm. | WeakHashing.java:15:55:15:83 | getProperty(...) | MD5 |
+| WeakHashing.java:18:30:18:96 | getInstance(...) | WeakHashing.java:18:56:18:95 | getProperty(...) | WeakHashing.java:18:56:18:95 | getProperty(...) | Cryptographic algorithm $@ may not be secure. Consider using a different algorithm. | WeakHashing.java:18:56:18:95 | getProperty(...) | MD5 |
+| WeakHashing.java:21:30:21:92 | getInstance(...) | WeakHashing.java:21:56:21:91 | getProperty(...) | WeakHashing.java:21:56:21:91 | getProperty(...) | Cryptographic algorithm $@ may not be secure. Consider using a different algorithm. | WeakHashing.java:21:56:21:91 | getProperty(...) | MD5 |
diff --git a/rust/ql/lib/codeql/rust/elements/internal/FieldExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/FieldExprImpl.qll
@@ -23,7 +23,7 @@ module Impl {
    */
   class FieldExpr extends Generated::FieldExpr {
     /** Gets the record field that this access references, if any. */
-    StructField getStructField() { result = TypeInference::resolveRecordFieldExpr(this) }
+    StructField getStructField() { result = TypeInference::resolveStructFieldExpr(this) }
 
     /** Gets the tuple field that this access references, if any. */
     TupleField getTupleField() { result = TypeInference::resolveTupleFieldExpr(this) }
diff --git a/rust/ql/lib/codeql/rust/elements/internal/StructImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/StructImpl.qll
@@ -43,6 +43,6 @@ module Impl {
      * Empty structs are considered to use record fields.
      */
     pragma[nomagic]
-    predicate isRecord() { not this.isTuple() }
+    predicate isStruct() { not this.isTuple() }
   }
 }
diff --git a/rust/ql/lib/codeql/rust/elements/internal/VariantImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/VariantImpl.qll
@@ -38,12 +38,12 @@ module Impl {
     predicate isTuple() { this.getFieldList() instanceof TupleFieldList }
 
     /**
-     * Holds if this variant uses record fields.
+     * Holds if this variant uses struct fields.
      *
-     * Empty variants are considered to use record fields.
+     * Empty variants are considered to use struct fields.
      */
     pragma[nomagic]
-    predicate isRecord() { not this.isTuple() }
+    predicate isStruct() { not this.isTuple() }
 
     /** Gets the enum that this variant belongs to. */
     Enum getEnum() { this = result.getVariantList().getAVariant() }
diff --git a/rust/ql/lib/codeql/rust/internal/Type.qll b/rust/ql/lib/codeql/rust/internal/Type.qll
@@ -29,7 +29,7 @@ abstract class Type extends TType {
   pragma[nomagic]
   abstract Function getMethod(string name);
 
-  /** Gets the record field `name` belonging to this type, if any. */
+  /** Gets the struct field `name` belonging to this type, if any. */
   pragma[nomagic]
   abstract StructField getStructField(string name);
 
diff --git a/rust/ql/lib/codeql/rust/internal/TypeInference.qll b/rust/ql/lib/codeql/rust/internal/TypeInference.qll
@@ -248,24 +248,24 @@ private TypeMention getExplicitTypeArgMention(Path path, TypeParam tp) {
 }
 
 /**
- * A matching configuration for resolving types of record expressions
+ * A matching configuration for resolving types of struct expressions
  * like `Foo { bar = baz }`.
  */
 private module StructExprMatchingInput implements MatchingInputSig {
   private newtype TPos =
     TFieldPos(string name) { exists(any(Declaration decl).getField(name)) } or
-    TRecordPos()
+    TStructPos()
 
   class DeclarationPosition extends TPos {
     string asFieldPos() { this = TFieldPos(result) }
 
-    predicate isRecordPos() { this = TRecordPos() }
+    predicate isStructPos() { this = TStructPos() }
 
     string toString() {
       result = this.asFieldPos()
       or
-      this.isRecordPos() and
-      result = "(record)"
+      this.isStructPos() and
+      result = "(struct)"
     }
   }
 
@@ -286,15 +286,15 @@ private module StructExprMatchingInput implements MatchingInputSig {
         result = tp.resolveTypeAt(path)
       )
       or
-      // type parameter of the record itself
-      dpos.isRecordPos() and
+      // type parameter of the struct itself
+      dpos.isStructPos() and
       result = this.getTypeParameter(_) and
       path = TypePath::singleton(result)
     }
   }
 
-  private class RecordStructDecl extends Declaration, Struct {
-    RecordStructDecl() { this.isRecord() }
+  private class StructDecl extends Declaration, Struct {
+    StructDecl() { this.isStruct() }
 
     override TypeParam getATypeParam() { result = this.getGenericParamList().getATypeParam() }
 
@@ -304,14 +304,14 @@ private module StructExprMatchingInput implements MatchingInputSig {
       result = super.getDeclaredType(dpos, path)
       or
       // type of the struct itself
-      dpos.isRecordPos() and
+      dpos.isStructPos() and
       path.isEmpty() and
       result = TStruct(this)
     }
   }
 
-  private class RecordVariantDecl extends Declaration, Variant {
-    RecordVariantDecl() { this.isRecord() }
+  private class StructVariantDecl extends Declaration, Variant {
+    StructVariantDecl() { this.isStruct() }
 
     Enum getEnum() { result.getVariantList().getAVariant() = this }
 
@@ -325,7 +325,7 @@ private module StructExprMatchingInput implements MatchingInputSig {
       result = super.getDeclaredType(dpos, path)
       or
       // type of the enum itself
-      dpos.isRecordPos() and
+      dpos.isStructPos() and
       path.isEmpty() and
       result = TEnum(this.getEnum())
     }
@@ -342,7 +342,7 @@ private module StructExprMatchingInput implements MatchingInputSig {
       result = this.getFieldExpr(apos.asFieldPos()).getExpr()
       or
       result = this and
-      apos.isRecordPos()
+      apos.isStructPos()
     }
 
     Type getInferredType(AccessPosition apos, TypePath path) {
@@ -360,8 +360,8 @@ private module StructExprMatchingInput implements MatchingInputSig {
 private module StructExprMatching = Matching<StructExprMatchingInput>;
 
 /**
- * Gets the type of `n` at `path`, where `n` is either a record expression or
- * a field expression of a record expression.
+ * Gets the type of `n` at `path`, where `n` is either a struct expression or
+ * a field expression of a struct expression.
  */
 pragma[nomagic]
 private Type inferStructExprType(AstNode n, TypePath path) {
@@ -777,7 +777,7 @@ private module FieldExprMatchingInput implements MatchingInputSig {
 
     Declaration getTarget() {
       // mutual recursion; resolving fields requires resolving types and vice versa
-      result = [resolveRecordFieldExpr(this).(AstNode), resolveTupleFieldExpr(this)]
+      result = [resolveStructFieldExpr(this).(AstNode), resolveTupleFieldExpr(this)]
     }
   }
 
@@ -921,10 +921,10 @@ private module Cached {
   }
 
   /**
-   * Gets the record field that the field expression `fe` resolves to, if any.
+   * Gets the struct field that the field expression `fe` resolves to, if any.
    */
   cached
-  StructField resolveRecordFieldExpr(FieldExpr fe) {
+  StructField resolveStructFieldExpr(FieldExpr fe) {
     exists(string name | result = getFieldExprLookupType(fe, name).getStructField(name))
   }
 
diff --git a/rust/ql/test/library-tests/type-inference/main.rs b/rust/ql/test/library-tests/type-inference/main.rs
@@ -255,8 +255,8 @@ mod type_parameter_bounds {
 
 mod function_trait_bounds {
     #[derive(Debug)]
-    struct MyThing<A> {
-        a: A,
+    struct MyThing<T> {
+        a: T,
     }
 
     #[derive(Debug)]
@@ -387,12 +387,12 @@ mod method_supertraits {
     #[derive(Debug)]
     struct S2;
 
-    trait MyTrait1<A> {
-        fn m1(self) -> A;
+    trait MyTrait1<Tr1> {
+        fn m1(self) -> Tr1;
     }
 
-    trait MyTrait2<A>: MyTrait1<A> {
-        fn m2(self) -> A
+    trait MyTrait2<Tr2>: MyTrait1<Tr2> {
+        fn m2(self) -> Tr2
         where
             Self: Sized,
         {
@@ -404,8 +404,8 @@ mod method_supertraits {
         }
     }
 
-    trait MyTrait3<A>: MyTrait2<MyThing<A>> {
-        fn m3(self) -> A
+    trait MyTrait3<Tr3>: MyTrait2<MyThing<Tr3>> {
+        fn m3(self) -> Tr3
         where
             Self: Sized,
         {
diff --git a/rust/ql/test/library-tests/type-inference/type-inference.expected b/rust/ql/test/library-tests/type-inference/type-inference.expected
diff --git a/rust/ql/test/library-tests/type-inference/type-inference.ql b/rust/ql/test/library-tests/type-inference/type-inference.ql
diff --git a/shared/typeinference/codeql/typeinference/internal/TypeInference.qll b/shared/typeinference/codeql/typeinference/internal/TypeInference.qll

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,6 @@ module Impl {`
`43`	`43`	`* Empty structs are considered to use record fields.`
`44`	`44`	`*/`
`45`	`45`	`pragma[nomagic]`
`46`		`- predicate isRecord() { not this.isTuple() }`
	`46`	`+ predicate isStruct() { not this.isTuple() }`
`47`	`47`	`}`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -255,8 +255,8 @@ mod type_parameter_bounds {`
`255`	`255`
`256`	`256`	`mod function_trait_bounds {`
`257`	`257`	`#[derive(Debug)]`
`258`		`- struct MyThing<A> {`
`259`		`- a: A,`
	`258`	`+ struct MyThing<T> {`
	`259`	`+ a: T,`
`260`	`260`	`}`
`261`	`261`
`262`	`262`	`#[derive(Debug)]`
`@@ -387,12 +387,12 @@ mod method_supertraits {`
`387`	`387`	`#[derive(Debug)]`
`388`	`388`	`struct S2;`
`389`	`389`
`390`		`- trait MyTrait1<A> {`
`391`		`- fn m1(self) -> A;`
	`390`	`+ trait MyTrait1<Tr1> {`
	`391`	`+ fn m1(self) -> Tr1;`
`392`	`392`	`}`
`393`	`393`
`394`		`- trait MyTrait2<A>: MyTrait1<A> {`
`395`		`- fn m2(self) -> A`
	`394`	`+ trait MyTrait2<Tr2>: MyTrait1<Tr2> {`
	`395`	`+ fn m2(self) -> Tr2`
`396`	`396`	`where`
`397`	`397`	`Self: Sized,`
`398`	`398`	`{`
`@@ -404,8 +404,8 @@ mod method_supertraits {`
`404`	`404`	`}`
`405`	`405`	`}`
`406`	`406`
`407`		`- trait MyTrait3<A>: MyTrait2<MyThing<A>> {`
`408`		`- fn m3(self) -> A`
	`407`	`+ trait MyTrait3<Tr3>: MyTrait2<MyThing<Tr3>> {`
	`408`	`+ fn m3(self) -> Tr3`
`409`	`409`	`where`
`410`	`410`	`Self: Sized,`
`411`	`411`	`{`