From 8c2654115a5392ebda8af575dfb0441e79974e98 Mon Sep 17 00:00:00 2001 From: Jacob Ronstadt Date: Thu, 17 Jul 2025 13:39:47 -0700 Subject: [PATCH 1/5] add extendeddeprecatedapis.ql to mustfix query suite and add changelog --- CHANGELOG.md | 12 ++++++++++++ src/qlpack.yml | 2 +- src/windows-driver-suites/mustfix.qls | 1 + src/windows-driver-suites/recommended.qls | 1 - 4 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..dd92bd4e --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,12 @@ + +# Change Log +All notable changes to this project will be documented in this file. + +## [1.8.0] - 2025-07-17 + +### Added + - CHANGELOG.md +### Changed + - ExtendedDeprecatedApis.ql moved from recommended.qls to mustfix.qls +### Fixed + \ No newline at end of file diff --git a/src/qlpack.yml b/src/qlpack.yml index 9a18ca9e..38debf75 100644 --- a/src/qlpack.yml +++ b/src/qlpack.yml @@ -2,7 +2,7 @@ # Licensed under the MIT license. name: microsoft/windows-drivers -version: 1.7.0 +version: 1.8.0 dependencies: codeql/cpp-all: ^4.2.0 microsoft/cpp-queries: ^0.0.4 diff --git a/src/windows-driver-suites/mustfix.qls b/src/windows-driver-suites/mustfix.qls index bb71ff33..4bb6cc3a 100644 --- a/src/windows-driver-suites/mustfix.qls +++ b/src/windows-driver-suites/mustfix.qls @@ -7,6 +7,7 @@ - include: query path: - drivers/general/queries/WdkDeprecatedApis/wdk-deprecated-api.ql + - drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql - microsoft/Security/CWE/CWE-704/WcharCharConversionLimited.ql - queries: . from: microsoft/cpp-queries diff --git a/src/windows-driver-suites/recommended.qls b/src/windows-driver-suites/recommended.qls index 93beaa10..0594bc83 100644 --- a/src/windows-driver-suites/recommended.qls +++ b/src/windows-driver-suites/recommended.qls 
@@ -12,7 +12,6 @@ - drivers/general/queries/DefaultPoolTag/DefaultPoolTag.ql - drivers/general/queries/DriverEntrySaveBuffer/DriverEntrySaveBuffer.ql - drivers/general/queries/ExaminedValue/ExaminedValue.ql - - drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql - drivers/general/queries/IRPStackEntryCopy/IRPStackEntryCopy.ql - drivers/general/queries/ImportantFunctionCallOptimizedOut/ImportantFunctionCallOptimizedOut.ql - drivers/general/queries/ImproperNotOperatorOnZero/ImproperNotOperatorOnZero.ql From 30b563912489f35df5842291f883c0aa814834e5 Mon Sep 17 00:00:00 2001 From: Jacob Ronstadt Date: Thu, 17 Jul 2025 15:07:28 -0700 Subject: [PATCH 2/5] update extendeddeprecatedapis.ql to exclude autogenerated .tmh files --- .../queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql | 1 + 1 file changed, 1 insertion(+) diff --git a/src/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql b/src/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql index 63fd8fac..6a16a30a 100644 --- a/src/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql +++ b/src/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql @@ -493,4 +493,5 @@ class ExtendedDeprecatedCall extends Element { from ExtendedDeprecatedCall deprecatedCall where not deprecatedCall.getLocation().getFile().toString().matches("%Windows Kits%include%.h") +and not deprecatedCall.getLocation().getFile().toString().matches("%.tmh") // Exclude autogenerated WPP files select deprecatedCall, deprecatedCall.getMessage() From d2ce681142c6db99d2b3fca01943f7713dabcb23 Mon Sep 17 00:00:00 2001 From: Jacob Ronstadt Date: Tue, 22 Jul 2025 12:15:17 -0700 Subject: [PATCH 3/5] update publish to allow prerelease versions --- .github/workflows/publish.yml | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a7b9f477..1b89d525 100644 
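Review bot: The `.tmh` exclusion added to the `where` clause is a suffix match on the path string, so every file whose path ends in `.tmh` is dropped from a query that this series also moves into mustfix.qls, whether or not WPP actually generated it. The comment should state that consequence, e.g. `// Exclude autogenerated WPP trace headers; code placed in a .tmh file is not checked by this query`. Comparing the extension states the intent more directly than `toString().matches("%.tmh")`: `and not deprecatedCall.getLocation().getFile().getExtension() = "tmh"`. Either form is case-sensitive, so a `.TMH` file would still be reported; confirm that is the intended behaviour. The `ExtendedDeprecatedCall` class body above the `from` clause lies outside this hunk.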
--- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,12 +1,20 @@ -name: Build and Publish Windows CodeQL queries +name: Publish CodeQL Pack on: workflow_dispatch: inputs: - version: + codeql-version: description: 'CodeQL version to use' required: true type: string + release-type: + description: 'Publish as a pre-release' + required: false + type: choice + options: + - alpha + - beta + jobs: publish: runs-on: windows-latest @@ -26,7 +34,7 @@ jobs: - name: CodeQL Download run: - Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ github.event.inputs.version }}/codeql-win64.zip" -OutFile codeql-win64.zip; + Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ github.event.inputs.codeql-version }}/codeql-win64.zip" -OutFile codeql-win64.zip; Expand-Archive -Path codeql-win64.zip -DestinationPath .\codeql-zip -Force; Move-Item -Path .\codeql-zip\codeql -Destination .\codeql-cli\ @@ -40,5 +48,12 @@ jobs: shell: pwsh env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: - .\codeql-cli\codeql.cmd pack publish ./src; + run: | + if ("${{ github.event.inputs.release-type }}" -ne "") { + $version =( Select-String .\src\qlpack.yml -Pattern "version").line; + $new_ver = "$version-${{ github.event.inputs.release-type }}"; + (Get-Content .\src\qlpack.yml).Replace($version, $new_ver) | Set-Content .\src\qlpack.yml; + .\codeql-cli\codeql.cmd pack publish --allow-prerelease ./src; + } else { + .\codeql-cli\codeql.cmd pack publish ./src + } From 80207102dcda9bb9cccfcae68c874ae805ea9c59 Mon Sep 17 00:00:00 2001 From: Jacob Ronstadt <147542405+jacob-ronstadt@users.noreply.github.com> Date: Tue, 22 Jul 2025 13:30:22 -0700 Subject: [PATCH 4/5] Update codeql-config.yml to use latest minor version Signed-off-by: Jacob Ronstadt <147542405+jacob-ronstadt@users.noreply.github.com> --- config/codeql-config.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
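Review bot: The `release-type` input added under `workflow_dispatch` is `type: choice` with only `alpha` and `beta` and no `default`, so a stable publish depends on the value arriving empty. As far as I know the manual-run form preselects the first option of a choice input, which would turn every run started from the UI into an alpha publish; please verify. An explicit option makes the stable release a deliberate choice: add `- stable` to `options`, set `default: stable`, and have the publish step compare against that value instead of `""`. The description 'Publish as a pre-release' reads like a boolean; 'Release channel' would match the choices.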
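Review bot: The CodeQL Download step expands `${{ github.event.inputs.codeql-version }}` straight into the script text, and the archive it fetches is unpacked and later executed by the step that holds `GITHUB_TOKEN`, with no integrity check in between. Passing the input through the environment keeps it as data: `env: CODEQL_VERSION: ${{ github.event.inputs.codeql-version }}` on the step and `$env:CODEQL_VERSION` in the URL. Comparing `Get-FileHash codeql-win64.zip` against a pinned SHA-256 for that release before `Expand-Archive` would cover the second gap. The download host as it appears on this page is not github.com; confirm that the workflow in the repository points at the official release location.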
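Review bot: `Select-String .\src\qlpack.yml -Pattern "version"` in the pre-release branch matches every line that contains the word, not only the pack's `version:` key; with more than one match `.line` becomes an array and the following `Replace` would likely fail or rewrite the wrong text. Anchor the pattern, `-Pattern '^version:\s*\S+'`, and use only the first match so that just the pack version receives the suffix before `codeql pack publish --allow-prerelease`. The same script interpolates `${{ github.event.inputs.release-type }}` directly; reading it from an `env:` entry keeps the comparison and the suffix as plain strings. A comment above the branch saying that qlpack.yml is edited only in the runner's checkout and never committed would help the next reader.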
diff --git a/config/codeql-config.yml b/config/codeql-config.yml index 2ec7940a..2f122646 100644 --- a/config/codeql-config.yml +++ b/config/codeql-config.yml @@ -3,7 +3,7 @@ disable-default-queries: true packs: - microsoft/cpp-queries@0.0.2:codeql-suites/cpp-code-scanning.qls - - microsoft/windows-drivers@1.5.0-beta+5:windows-driver-suites/recommended.qls - - microsoft/windows-drivers@1.5.0-beta+5:drivers\general\queries\experimental\DriverIsolationZwViolation1\DriverIsolationZwViolation1.ql - - microsoft/windows-drivers@1.5.0-beta+5:drivers\general\queries\experimental\DriverIsolationZwViolation2\DriverIsolationZwViolation2.ql - - microsoft/windows-drivers@1.5.0-beta+5:drivers\general\queries\experimental\DriverIsolationRtlViolation\DriverIsolationRtlViolation.ql + - microsoft/windows-drivers@1.x:windows-driver-suites/recommended.qls + - microsoft/windows-drivers@1.x:drivers\general\queries\experimental\DriverIsolationZwViolation1\DriverIsolationZwViolation1.ql + - microsoft/windows-drivers@1.x:drivers\general\queries\experimental\DriverIsolationZwViolation2\DriverIsolationZwViolation2.ql + - microsoft/windows-drivers@1.x:drivers\general\queries\experimental\DriverIsolationRtlViolation\DriverIsolationRtlViolation.ql From 4ed18e0d66bf97b1bf158804a78180c1733cc50f Mon Sep 17 00:00:00 2001 From: Jacob Ronstadt <147542405+jacob-ronstadt@users.noreply.github.com> Date: Tue, 22 Jul 2025 13:46:57 -0700 Subject: [PATCH 5/5] Update codeql-config.yml to use correct cpp-queries version Signed-off-by: Jacob Ronstadt <147542405+jacob-ronstadt@users.noreply.github.com> --- config/codeql-config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/codeql-config.yml b/config/codeql-config.yml index 2f122646..ecb3062f 100644 --- a/config/codeql-config.yml +++ b/config/codeql-config.yml 
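Review bot: Replacing the exact `1.5.0-beta+5` pins with `microsoft/windows-drivers@1.x` on all four `packs` entries means each run resolves whichever 1.x pack is newest at that moment, so the rule set, including what is treated as must-fix, can change without any commit in this repository. If that is the intent, say so next to the entries, e.g. `# floats on the latest 1.x release by design; results may differ between runs`. If reproducible results matter more, keep an exact version here and bump it in the same change that publishes a new pack. The three experimental query paths still use backslashes, which appears to tie this config to Windows runners; that predates this hunk.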
@@ -2,7 +2,7 @@ name: "CodeQL config" disable-default-queries: true packs: - - microsoft/cpp-queries@0.0.2:codeql-suites/cpp-code-scanning.qls + - microsoft/cpp-queries@0.0.4:codeql-suites/cpp-code-scanning.qls - microsoft/windows-drivers@1.x:windows-driver-suites/recommended.qls - microsoft/windows-drivers@1.x:drivers\general\queries\experimental\DriverIsolationZwViolation1\DriverIsolationZwViolation1.ql - microsoft/windows-drivers@1.x:drivers\general\queries\experimental\DriverIsolationZwViolation2\DriverIsolationZwViolation2.ql