Merge branch 'main' into models1

Author: geoffw0

cpp/ql/src/CHANGELOG.md

@@ -11,7 +11,7 @@
 
 ### Minor Analysis Improvements
 
-* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
+* Added flow models for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2`, `nghttp2/nghttp2`, `libuv/libuv`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
 
 ## 1.4.2
 
@@ -21,7 +21,7 @@ No user-facing changes.
 
 ### Minor Analysis Improvements
 
-* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
+* Added flow models for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
 
 ## 1.4.0
 

cpp/ql/src/change-notes/released/1.4.1.md

@@ -2,4 +2,4 @@
 
 ### Minor Analysis Improvements
 
-* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
+* Added flow models for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.

cpp/ql/src/change-notes/released/1.4.3.md

@@ -2,4 +2,4 @@
 
 ### Minor Analysis Improvements
 
-* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
+* Added flow models for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2`, `nghttp2/nghttp2`, `libuv/libuv`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.

docs/codeql/reusables/download-github-database.rst

@@ -3,12 +3,12 @@ GitHub stores CodeQL databases for over 200,000 repos on GitHub.com, which you c
 You can check if a repository has any CodeQL databases available for download using the ``/repos/<owner>/<repo>/code-scanning/codeql/databases`` endpoint.
 For example, to check for CodeQL databases using the `GitHub CLI <https://cli.github.com/manual/gh_api>`__ you would run::
 
-   gh api /repos/<owner>/<repo>/code-scanning/codeql/databases
+   gh api repos/<owner>/<repo>/code-scanning/codeql/databases
 
 This command returns information about any CodeQL databases that are available for a repository, including the language the database represents, and when the database was last updated. If no CodeQL databases are available, the response is empty.
 
 When you have confirmed that a CodeQL database exists for the language you are interested in, you can download it using the following command::
 
-   gh api /repos/<owner>/<repo>/code-scanning/codeql/databases/<language> -H 'Accept: application/zip' > path/to/local/database.zip
+   gh api repos/<owner>/<repo>/code-scanning/codeql/databases/<language> -H 'Accept: application/zip' > path/to/local/database.zip
 
 For more information, see the documentation for the `Get CodeQL database <https://docs.github.com/en/rest/code-scanning#get-a-codeql-database-for-a-repository>`__ endpoint in the GitHub REST API documentation.

go/extractor/go.mod

@@ -9,7 +9,7 @@ toolchain go1.24.0
 // when adding or removing dependencies, run
 //    bazel mod tidy
 require (
-	golang.org/x/mod v0.25.0
+	golang.org/x/mod v0.26.0
 	golang.org/x/tools v0.34.0
 )
 

go/extractor/go.sum

@@ -1,7 +1,7 @@
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=

java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected

@@ -6,6 +6,7 @@ ql/java/ql/src/Compatibility/JDK9/UnderscoreIdentifier.ql
 ql/java/ql/src/DeadCode/UselessParameter.ql
 ql/java/ql/src/Language Abuse/EmptyMethod.ql
 ql/java/ql/src/Language Abuse/IterableIterator.ql
+ql/java/ql/src/Language Abuse/LabelInSwitch.ql
 ql/java/ql/src/Language Abuse/TypeVariableHidesType.ql
 ql/java/ql/src/Language Abuse/UselessNullCheck.ql
 ql/java/ql/src/Language Abuse/UselessTypeTest.ql

java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected

@@ -5,6 +5,7 @@ ql/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql
 ql/java/ql/src/Compatibility/JDK9/UnderscoreIdentifier.ql
 ql/java/ql/src/DeadCode/UselessParameter.ql
 ql/java/ql/src/Language Abuse/IterableIterator.ql
+ql/java/ql/src/Language Abuse/LabelInSwitch.ql
 ql/java/ql/src/Language Abuse/UselessNullCheck.ql
 ql/java/ql/src/Language Abuse/UselessTypeTest.ql
 ql/java/ql/src/Language Abuse/WrappedIterator.ql

java/ql/src/Language Abuse/LabelInSwitch.md

@@ -0,0 +1,33 @@
+## Overview
+
+Java allows to freely mix `case` labels and ordinary statement labels in the body of
+a `switch` statement. However, this is confusing to read and may be the result of a typo.
+
+## Recommendation
+
+Examine the non-`case` labels to see whether they were meant to be `case` labels. If not, consider placing the non-`case` label headed code into a function, and use a function call inline in the `switch` body instead.
+
+## Example
+
+```java
+public class Test {
+    void test_noncase_label_in_switch(int p) {
+        switch (p) {
+            case 1: // Compliant
+            case2:  // Non-compliant, likely a typo
+            break;
+            case 3:
+                notcaselabel: // Non-compliant, confusing to read
+                for (;;) {
+                    break notcaselabel;
+                }
+        }
+    }
+}
+```
+
+In the example, `case2` is most likely a typo and should be fixed. For the intentional `notcaselabel`, placing the labelled code into a function and then calling that function is more readable.
+
+## References
+
+CodeQL query help for JavaScript and TypeScript - [Non-case label in switch statement](https://codeql.github.com/codeql-query-help/javascript/js-label-in-switch/).

java/ql/src/Language Abuse/LabelInSwitch.ql

@@ -0,0 +1,25 @@
+/**
+ * @id java/label-in-switch
+ * @name Non-case label in switch statement
+ * @description A non-case label appearing in a switch statement
+ *              is confusing to read or may even indicate a bug.
+ * @previous-id java/label-in-case
+ * @kind problem
+ * @precision very-high
+ * @problem.severity recommendation
+ * @tags quality
+ *       maintainability
+ *       readability
+ */
+
+import java
+
+from LabeledStmt l, SwitchStmt s, string alert
+where
+  l = s.getAStmt+() and
+  if exists(JumpStmt jump | jump.getTargetLabel() = l)
+  then alert = "Confusing non-case label in switch statement."
+  else
+    alert =
+      "Possibly erroneous non-case label in switch statement. The case keyword might be missing."
+select l, alert