Semmle 1.22

Analysis in all applications

Version 1.18.0 includes the improvements to JavaScript analysis described below. In addition, the 1.18.1 patch release re-enables the queries that were disabled for TypeScript files in 1.18.0 and extends the Bad param tag and JSDoc tag for non-existent parameter queries to TypeScript files. For details, see Changes to existing queries below.


Changes to code extraction

  • The extractor now supports TypeScript 2.9 and 3.0 syntax.
  • Files that use require or module.exports inside a try or if statement are now recognized as CommonJS modules, so their imports and exports take part in analysis.
  • On finding a file whose name starts with a dot and ends with “rc” (such as .eslintrc and .babelrc), the extractor now examines its contents to determine whether it looks like JSON data. If so, the file is parsed as JSON and added to the snapshot. In particular, this means that ESLint and Babel configuration files are now added to the snapshot automatically.

General improvements

New queries

Query | Tags | Purpose
Clear-text logging of sensitive information (js/clear-text-logging) | security, external/cwe/cwe-312, external/cwe/cwe-315, external/cwe/cwe-359 | Highlights logging of sensitive information, indicating a violation of CWE-312. Results are shown on LGTM by default.
Disabling Electron webSecurity (js/disabling-electron-websecurity) | security, frameworks/electron | Highlights Electron browser objects that are created with the webSecurity property set to false. Results are shown on LGTM by default.
Enabling Electron allowRunningInsecureContent (js/enabling-electron-insecure-content) | security, frameworks/electron | Highlights Electron browser objects that are created with the allowRunningInsecureContent property set to true. Results are shown on LGTM by default.
Uncontrolled data used in remote request (js/request-forgery) | security, external/cwe/cwe-918 | Highlights remote requests that are built from unsanitized user input, indicating a violation of CWE-918. Results are hidden on LGTM by default.
Use of externally-controlled format string (js/tainted-format-string) | security, external/cwe/cwe-134 | Highlights format strings containing user-provided data, indicating a violation of CWE-134. Results are shown on LGTM by default.
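The two Electron queries above flag BrowserWindow options that switch off the renderer's web security. The following added example (not code from Semmle or from Electron) places the option object those queries flag next to a hardened one and audits a webPreferences object for the same two conditions. webSecurity and allowRunningInsecureContent are real Electron webPreferences names; the finding identifiers reuse the query IDs from the table, and the option objects are constructed for the example.

```javascript
// Mirrors the two table entries: webSecurity:false and
// allowRunningInsecureContent:true on the webPreferences passed to BrowserWindow.
function auditWebPreferences(webPreferences) {
  const prefs = webPreferences || {};
  const findings = [];
  if (prefs.webSecurity === false) {
    findings.push({
      id: "js/disabling-electron-websecurity",
      message: "webSecurity is false: same-origin policy is disabled for this window",
    });
  }
  if (prefs.allowRunningInsecureContent === true) {
    findings.push({
      id: "js/enabling-electron-insecure-content",
      message: "allowRunningInsecureContent is true: https pages may load http scripts and styles",
    });
  }
  return findings;
}

// Audits the options object a caller would hand to `new BrowserWindow(options)`.
function auditBrowserWindowOptions(options) {
  return auditWebPreferences((options || {}).webPreferences);
}

// Constructed: the shape the queries flag, typically added to "make CORS go away"
// while loading remote content.
const insecureOptions = {
  width: 800,
  height: 600,
  webPreferences: { webSecurity: false, allowRunningInsecureContent: true },
};

// Constructed: hardened equivalent. The two flagged options are left at their
// secure values; contextIsolation:true is an extra hardening step beyond what the
// two queries check.
const hardenedOptions = {
  width: 800,
  height: 600,
  webPreferences: { webSecurity: true, allowRunningInsecureContent: false, contextIsolation: true },
};

// Returns the query IDs a reviewer would see for each option object.
function summarize(options) {
  return auditBrowserWindowOptions(options).map((f) => f.id);
}
```

In an Electron app the hardened object is what you pass to `new BrowserWindow(hardenedOptions)`; if remote content needs cross-origin access, fix it on the server with CORS headers rather than by disabling webSecurity in the renderer.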

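The Uncontrolled data used in remote request query (js/request-forgery) flags request targets built from unsanitized user input. As an added example, not code from Semmle or from any project, the following contrasts that pattern with an allow-list based fix for a Node.js service that proxies to a fixed set of upstreams. The upstream names, hostnames and attacker inputs are constructed for the example.

```javascript
// Constructed allow-list of upstream services a proxy endpoint may talk to.
const ALLOWED_UPSTREAMS = new Map([
  ["api", "https://api.internal.example"],
  ["docs", "https://docs.internal.example"],
]);

// Vulnerable (CWE-918): the whole request target comes from request data, so a
// client can point the server at link-local metadata services or internal hosts.
function buildUrlUnsafe(userSuppliedUrl) {
  return new URL(userSuppliedUrl).toString();
}

// Hardened: user input only selects an allow-listed upstream and supplies a path.
// Each path segment is percent-encoded, so "//host", "user@host" or "?x" in the
// input cannot change the authority or query of the resulting URL.
function buildUrlSafe(upstreamKey, userSuppliedPath) {
  const base = ALLOWED_UPSTREAMS.get(upstreamKey);
  if (base === undefined) throw new Error("unknown upstream: " + upstreamKey);
  const segments = String(userSuppliedPath)
    .split("/")
    .filter((s) => s.length > 0 && s !== "." && s !== "..")
    .map(encodeURIComponent);
  const url = new URL(base);
  url.pathname = "/" + segments.join("/");
  return url.toString();
}

// Host the server would actually connect to for a given built URL.
function targetHost(urlString) {
  return new URL(urlString).hostname;
}

// Constructed attacker inputs: cloud metadata address and an authority-smuggling path.
const metadataUrl = "http://169.254.169.254/latest/meta-data/";
const smugglingPath = "//169.254.169.254/latest/meta-data/";
```

With the unsafe builder, `targetHost(buildUrlUnsafe(metadataUrl))` is the metadata address; with the safe builder the host is always the allow-listed upstream, and an unknown upstream key is rejected before any request is made.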

Changes to existing queries

Query | Expected impact | Change
Arguments redefined (js/arguments-redefinition) | Fewer results | This query previously also flagged redefinitions of eval. This was an oversight that is now fixed.
Bad param tag (js/jsdoc/malformed-param-tag) | More results | From 1.18.1 onward, this query highlights problems in TypeScript files.
Comparison between inconvertible types (js/comparison-between-incompatible-types) | Fewer results | This query now flags fewer comparisons involving parameters. The severity of this query has been revised to “warning”.
CORS misconfiguration for credentials transfer (js/cors-misconfiguration-for-credentials) | More true-positive results | This query now treats header names case-insensitively.
Hard-coded credentials (js/hardcoded-credentials) | More true-positive results | This query now recognizes secret cryptographic keys as credentials.
Incomplete string escaping or encoding (js/incomplete-sanitization) | New name, more true-positive results | The “Incomplete sanitization” query has been renamed to more clearly reflect its purpose. It now recognizes incomplete URL encoding and decoding.
Insecure randomness (js/insecure-randomness) | More true-positive results | This query now recognizes secret cryptographic keys as security-sensitive values that must not be generated with an insecure random source.
JSDoc tag for non-existent parameter (js/jsdoc/unknown-parameter) | More results | From 1.18.1 onward, this query highlights problems in TypeScript files.
Misleading indentation after control statement (js/misleading-indentation-after-control-statement) | Fewer results | This query ignores TypeScript files in 1.18.0 only. In earlier versions and from 1.18.1 onward, alerts are reported in TypeScript files.
Missing rate limiting (js/missing-rate-limiting) | More true-positive results, fewer false-positive results | This query now recognizes additional rate limiters and expensive route handlers.
Omitted array element (js/omitted-array-element) | Fewer results | This query ignores TypeScript files in 1.18.0 only. In earlier versions and from 1.18.1 onward, alerts are reported in TypeScript files.
Reflected cross-site scripting (js/reflected-xss) | Fewer false-positive results | This query now treats header names case-insensitively.
Semicolon insertion (js/automatic-semicolon-insertion) | Fewer results | This query ignores TypeScript files in 1.18.0 only. In earlier versions and from 1.18.1 onward, alerts are reported in TypeScript files.
Server-side URL redirect (js/server-side-unvalidated-url-redirection) | More true-positive results | This query now treats header names case-insensitively.
Superfluous trailing arguments (js/superfluous-trailing-arguments) | Fewer false-positive results | This query now ignores calls to some empty functions.
Type confusion through parameter tampering (js/type-confusion-through-parameter-tampering) | Fewer false-positive results | This query no longer flags emptiness checks.
Uncontrolled command line (js/command-line-injection) | More true-positive results | This query now recognizes indirect command injection through sh -c and similar constructs, where user input is passed to a shell via a program argument.
Unused variable, import, function or class (js/unused-local-variable) | New name, fewer results | The “Unused variable” query has been renamed to reflect the fact that it highlights different kinds of unused program elements. In addition, the query no longer highlights class expressions that could be made anonymous. While technically correct, these results are rarely actionable.
Use of incompletely initialized object (js/incomplete-object-initialization) | Fewer results | This query now highlights the constructor instead of its erroneous this or super expressions.
Useless conditional (js/trivial-conditional) | Fewer results | This query no longer flags uses of boolean return values and highlights fewer comparisons involving parameters.

Changes to QL libraries

  • HTTP and HTTPS requests made using the Node.js http.request and https.request APIs, and the Electron Electron.net.request and Electron.ClientRequest APIs, are now modeled as RemoteFlowSources, so the data they return is treated as untrusted remote input.
  • HTTP header names are now always normalized to lower case to reflect the fact that they are case-insensitive. In particular, the result of HeaderDefinition.getAHeaderName, and the first parameter of HeaderDefinition.defines, ExplicitHeaderDefinition.definesExplicitly, and RouteHandler.getAResponseHeader, are now always lower-case strings. Queries that compare against mixed-case header names must be updated accordingly.
  • New AST nodes have been added for TypeScript 2.9 and 3.0 features.
  • The class JsonParseCall has been deprecated. Update your queries to use JsonParserCall instead.
  • The handling of spread arguments in the data flow library has been changed: DataFlow::InvokeNode.getArgument(i) is now only defined when there is no spread argument at or before argument position i, and similarly InvokeNode.getNumArgument is only defined for invocations without spread arguments.

Additional changes for analysis in QL tools and applications only

The following changes in version 1.18 affect JavaScript analysis only in QL for Eclipse and the QL command-line tools.


Changes to existing queries

Query | Expected impact | Change
Missing X-Frame-Options HTTP header (js/missing-x-frame-options) | Fewer false-positive results | This query now treats header names case-insensitively.
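Several entries on this page (the CORS misconfiguration, reflected XSS, server-side redirect and Missing X-Frame-Options queries, and the lower-casing of header names in the QL libraries) come down to one point: HTTP header names are case-insensitive, and a check that compares them case-sensitively misses headers a server sets in a different spelling. The following added example, not Semmle's library or query code, shows that failure mode and the corrected check over constructed response headers. The two handlers and the probe origin are invented for the example, and the checks only approximate what js/cors-misconfiguration-for-credentials and js/missing-x-frame-options do.

```javascript
// Collapse [name, value] pairs as a server set them into a Map keyed by the
// lower-cased name; this is the same normalization the QL library now applies.
function normalizeHeaders(pairs) {
  const out = new Map();
  for (const [name, value] of pairs) out.set(String(name).toLowerCase(), String(value));
  return out;
}

// Corrected check: credentials allowed while the origin is reflected from an
// arbitrary request origin (or is "null") lets any site make authenticated reads.
function corsCredentialMisconfig(responsePairs, probeOrigin) {
  const h = normalizeHeaders(responsePairs);
  if (h.get("access-control-allow-credentials") !== "true") return false;
  const allowOrigin = h.get("access-control-allow-origin");
  return allowOrigin === probeOrigin || allowOrigin === "null";
}

// The pre-1.18 failure mode: exact-case lookups miss "ACCESS-CONTROL-ALLOW-ORIGIN".
function corsCredentialMisconfigCaseSensitive(responsePairs, probeOrigin) {
  const obj = Object.fromEntries(responsePairs);
  const allowOrigin = obj["Access-Control-Allow-Origin"];
  return obj["Access-Control-Allow-Credentials"] === "true" &&
    (allowOrigin === probeOrigin || allowOrigin === "null");
}

// Case-insensitive presence check for the clickjacking header.
function missingFrameOptions(responsePairs) {
  return !normalizeHeaders(responsePairs).has("x-frame-options");
}

// Constructed vulnerable handler: reflects any Origin, allows credentials, and
// spells the header in upper case (valid HTTP, invisible to a case-sensitive check).
function vulnerableHandler(requestOrigin) {
  return [
    ["Content-Type", "application/json"],
    ["ACCESS-CONTROL-ALLOW-ORIGIN", requestOrigin],
    ["Access-Control-Allow-Credentials", "true"],
  ];
}

// Constructed fixed handler: credentials only for an allow-listed origin, plus
// Vary: Origin for caches and X-Frame-Options to deny framing.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
function fixedHandler(requestOrigin) {
  const pairs = [["Content-Type", "application/json"], ["X-Frame-Options", "DENY"]];
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    pairs.push(
      ["Access-Control-Allow-Origin", requestOrigin],
      ["Access-Control-Allow-Credentials", "true"],
      ["Vary", "Origin"]
    );
  }
  return pairs;
}

const PROBE_ORIGIN = "https://attacker.example";
```

Probing both handlers with PROBE_ORIGIN, the corrected check reports the vulnerable handler and clears the fixed one, while the case-sensitive check reports nothing for either, which is exactly the false negative the 1.18 change removes.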
