hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

adding starter files

Browse Source
This commit is contained in:
Jami Cogswell
2022-08-01 23:39:55 -04:00
parent 0ac8b7ce65
commit 3e09d86a4f
7 changed files with 91 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.qhelp Normal file
View File

@@ -0,0 +1,38 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>TODO: Replace the following
When a debugger is enabled it could allow for entry points in the application or reveal sensitive information.</p>
</overview>
<recommendation>
<p>TODO: Replace the following
In Android applications either set the <code>android:debuggable</code> attribute to <code>false</code>
or do not include it in the manifest. The default value when not included is <code>false</code>.</p>
</recommendation>
<example>
<p>TODO: Replace the following
In the example below, the <code>android:debuggable</code> attribute is set to <code>true</code>.</p>
<!--<sample src="DebuggableTrue.xml" />-->
<p>The corrected version sets the <code>android:debuggable</code> attribute to <code>false</code>.</p>
<!--<sample src="DebuggableFalse.xml" />-->
</example>
<references>
<li>
TODO: REPLACE LINKS. Android Developers:
<a href="https://developer.android.com/guide/topics/manifest/application-element#debug">The android:debuggable attribute</a>.
</li>
</references>
</qhelp>

22
java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql Normal file
View File

@@ -0,0 +1,22 @@
/**
* @name Implicitly imported Android component
* @description TODO after more background reading
* @kind problem (TODO: confirm after more background reading)
* @problem.severity warning (TODO: confirm after more background reading)
* @security-severity 0.1 (TODO: run script)
* @id java/android/implicitly-imported-component
* @tags security
* external/cwe/cwe-926
* @precision TODO after MRVA
*/
import java
import semmle.code.xml.AndroidManifest
// TODO: change query
from AndroidXmlAttribute androidXmlAttr
where
androidXmlAttr.getName() = "debuggable" and
androidXmlAttr.getValue() = "true" and
not androidXmlAttr.getLocation().getFile().getRelativePath().matches("%build%")
select androidXmlAttr, "The 'android:debuggable' attribute is enabled."