codeql

mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00

Author	SHA1	Message	Date
github-actions[bot]	eeaf233c29	Release preparation for version 2.9.0	2022-04-21 14:49:00 +00:00
Tom Hvitved	bd09c61504	Merge pull request #8786 from hvitved/ruby/dataflow/argument-tokens Ruby: Implement `Argument[any]` and `Argument[n..]`	2022-04-21 16:31:24 +02:00
Tom Hvitved	addb92f13b	Ruby: Handle captured variables in `BarrierGuard::getAGuardedNode()`	2022-04-21 13:25:47 +02:00
Tom Hvitved	325b451288	Ruby: Add barrier guards test involving captured variables	2022-04-21 13:25:40 +02:00
Erik Krogh Kristensen	8bd975a6ec	Merge pull request #8785 from hvitved/ruby/api-graph-labels Ruby: Mention `newtype` constructors in API graph label classes	2022-04-20 18:32:09 +02:00
Anders Schack-Mulligen	677c436e99	Merge pull request #8703 from aschackmull/dataflow/revert-state-in-out-barriers Dataflow: Revert support for flow-state based in-/out-barriers	2022-04-20 14:54:02 +02:00
Tom Hvitved	b4542c58c2	Ruby: Implement `Argument[any]` and `Argument[n..]`	2022-04-20 13:55:18 +02:00
Tom Hvitved	501b03149f	Ruby: Mention `newtype` constructors in API graph label classes	2022-04-20 13:37:55 +02:00
Nick Rolfe	9b2a98326c	Ruby: update use of PostUpdateNode now that it's public	2022-04-20 12:08:41 +01:00
Nick Rolfe	9b6e610e24	Merge remote-tracking branch 'origin/main' into nickrolfe/incomplete_sanitization	2022-04-20 12:05:22 +01:00
Nick Rolfe	f1b8af1db9	Ruby: rename PostUpdateNode::Range to PostUpdateNodeImpl	2022-04-20 10:35:40 +01:00
Nick Rolfe	c02670aca2	Ruby: make PostUpdateNode public	2022-04-19 17:12:51 +01:00
Anders Schack-Mulligen	48fbbf2531	Dataflow: Add change notes.	2022-04-19 15:29:35 +02:00
Anders Schack-Mulligen	b521d64156	Dataflow: Sync.	2022-04-19 15:29:35 +02:00
Nick Rolfe	08f6fbbe10	Ruby: make comment about backslash escaping clearer	2022-04-19 14:05:17 +01:00
Nick Rolfe	76c6a521fd	Ruby: add clarifying comment	2022-04-19 13:10:57 +01:00
Nick Rolfe	76587c4144	Ruby: fix capitalisation of String in qhelp	2022-04-19 11:42:31 +01:00
Nick Rolfe	468c718da0	Ruby: simplify predicate	2022-04-19 11:32:26 +01:00
Nick Rolfe	ac805f0cdc	Ruby: simplify predicate by using DataFlow::CallNode	2022-04-19 11:27:33 +01:00
Nick Rolfe	ca4dc0583d	Ruby: fix comment typos	2022-04-19 11:15:34 +01:00
Nick Rolfe	14de91ce94	Ruby: make StringSubstitutionCal extend DataFlow::CallNode	2022-04-19 10:52:14 +01:00
Mathias Vorreiter Pedersen	91b413d59f	Dataflow: Sync identical files.	2022-04-19 09:57:21 +01:00
Harry Maclean	c3f1fba985	Merge pull request #8598 from hmac/hmac/insecure-dep-resolution Ruby: Add rb/insecure-dependency query	2022-04-14 02:09:44 +02:00
Nick Rolfe	a1a7d2c088	Ruby: add changenote for rb/incomplete-sanitization	2022-04-13 17:32:38 +01:00
Nick Rolfe	fdca896614	Ruby: improve handling of [g]sub! rb/incomplete-sanitization has a few cases where we find flow from one one string substitution call to another, e.g. a.sub(...).sub(...) But this didn't find typical chained uses of the destructive variants, e.g. a.sub!(...) a.sub!(...) We now handle those cases by tracking flow from the post-update node for the receiver of the first call.	2022-04-13 17:19:25 +01:00
Nick Rolfe	bbb8177176	Ruby: add rc/incomplete-sanitization query	2022-04-13 16:48:43 +01:00
Dave Bartolomeo	9f074cd8fd	Bump a few more versions Also fixes up some dependency declarations that should have been "*" because they refer to packs in the same workspace.	2022-04-08 13:01:41 -04:00
Edoardo Pirovano	f25618eed6	Bump minor version of all packs	2022-04-08 15:38:58 +01:00
Edoardo Pirovano	ce82c54b94	Merge branch 'main' into edoardo/3.5-mergeback	2022-04-08 15:30:58 +01:00
Anders Schack-Mulligen	7beed570f2	Dataflow: Sync.	2022-04-07 13:53:48 +02:00
Michael Nebel	72d4c97463	Merge pull request #8628 from michaelnebel/csharp/generatedkind C#: Introduce generated flag as a part of the kind column for flow summaries	2022-04-07 08:43:30 +02:00
Tom Hvitved	4099d1318f	Data flow: Tweak two join-orders Before ``` [2022-04-06 13:19:29] (96s) Tuple counts for DataFlowImpl2::Stage1::revFlowConsCand#7ad53399#ff/2@i14#aa10f2wi after 4.4s: 10681 ~0% {2} r1 = SCAN DataFlowImpl2::Stage1::revFlow#7ad53399#fff#prev_delta OUTPUT In.0, In.2 'config' 982 ~1% {3} r2 = JOIN r1 WITH DataFlowImpl2::readSet#7ad53399#ffff_2301#join_rhs ON FIRST 2 OUTPUT Rhs.3, Lhs.1 'config', Rhs.2 83691528 ~2% {3} r3 = JOIN r2 WITH DataFlowPublic::ContentSet::getAReadContent#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1 'config', Lhs.2, Rhs.1 'c' 83581763 ~2% {3} r4 = r3 AND NOT DataFlowImpl2::Stage1::revFlowConsCand#7ad53399#ff#prev(Lhs.2 'c', Lhs.0 'config') 83581763 ~0% {3} r5 = SCAN r4 OUTPUT In.2 'c', In.0 'config', In.1 0 ~0% {3} r6 = JOIN r5 WITH DataFlowImpl2::Stage1::fwdFlowConsCand#7ad53399#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.1 'config', Lhs.0 'c' 0 ~0% {2} r7 = JOIN r6 WITH DataFlowImpl2::Stage1::fwdFlow#7ad53399#2#fff_02#join_rhs ON FIRST 2 OUTPUT Lhs.2 'c', Lhs.1 'config' return r7 ``` After ``` [2022-04-06 13:44:38] (6s) Tuple counts for DataFlowImpl2::Stage1::revFlowConsCand#7ad53399#ff/2@i14#5abbf2wn after 6ms: 10681 ~0% {2} r1 = SCAN DataFlowImpl2::Stage1::revFlow#7ad53399#fff#prev_delta OUTPUT In.0, In.2 'config' 982 ~1% {3} r2 = JOIN r1 WITH DataFlowImpl2::readSet#7ad53399#ffff_2301#join_rhs ON FIRST 2 OUTPUT Rhs.3, Lhs.1 'config', Rhs.2 109765 ~0% {3} r3 = JOIN r2 WITH DataFlowImpl2::Stage1::fwdFlowConsCandSet#7ad53399#fff#reorder_0_2_1 ON FIRST 2 OUTPUT Lhs.1 'config', Lhs.2, Rhs.2 'c' 0 ~0% {3} r4 = r3 AND NOT DataFlowImpl2::Stage1::revFlowConsCand#7ad53399#ff#prev(Lhs.2 'c', Lhs.0 'config') 0 ~0% {3} r5 = SCAN r4 OUTPUT In.1, In.0 'config', In.2 'c' 0 ~0% {2} r6 = JOIN r5 WITH DataFlowImpl2::Stage1::fwdFlow#7ad53399#2#fff_02#join_rhs ON FIRST 2 OUTPUT Lhs.2 'c', Lhs.1 'config' return r6 ```	2022-04-06 13:52:30 +02:00
Alex Ford	ccd7bb5e70	Merge pull request #8421 from alexrford/ruby/weak-cryptographic-algorithm Ruby: Add `rb/weak-cryptographic-algorithm` query	2022-04-05 14:34:45 +01:00
Michael Nebel	784327c183	Java/Ruby: Hardcode generated flag to false.	2022-04-05 08:55:12 +02:00
Michael Nebel	de76df3988	C#: Only use generated summaries, if no handwritten model exist for a particular dataflow callable.	2022-04-05 08:55:12 +02:00
Harry Maclean	8f3578c92a	Ruby: Include query results in test	2022-04-05 10:20:02 +12:00
Michael Nebel	3fe941aae2	C#: Add missing empty ext column in generated summaries.	2022-04-04 15:58:35 +02:00
Tom Hvitved	725d76e934	Ruby: Implement `ContentSet`	2022-04-04 13:51:44 +02:00
Tom Hvitved	c4fbc618a9	Data flow: Sync files	2022-04-04 13:51:44 +02:00
Tom Hvitved	309fd937c1	Data flow: Introduce `ContentSet`	2022-04-04 13:51:43 +02:00
Tom Hvitved	a5040fd0ce	Ruby: Add data-flow test for reverse array stores	2022-04-04 13:51:43 +02:00
Tom Hvitved	50dc3820c6	Merge pull request #8589 from hvitved/regex/speedup-concretise	2022-04-03 17:56:07 +02:00
github-actions[bot]	6af568b16d	Post-release preparation for codeql-cli-2.8.5	2022-04-01 16:22:14 +00:00
Chris Smowton	28fa49dcd6	dataflow -> data-flow	2022-04-01 13:22:58 +01:00
github-actions[bot]	ee746d20df	Release preparation for version 2.8.5	2022-04-01 10:39:31 +00:00
Chris Smowton	3b0bd3bc0f	Improve wording	2022-04-01 11:31:31 +01:00
Chris Smowton	99026a6071	Improve wording of isAdditionalFlow/TaintStep qldoc	2022-04-01 11:07:27 +01:00
Harry Maclean	ae60d40511	Ruby: Fix typo in rb/insecure-dependency qhelp Co-authored-by: Nick Rolfe <nickrolfe@github.com>	2022-04-01 15:35:53 +13:00
Harry Maclean	5814db19d5	Ruby: Fix bug in rb/insecure-dependency query Only look at the first component of strings for the prefix. Co-authored-by: Nick Rolfe <nickrolfe@github.com>	2022-04-01 15:35:21 +13:00
Harry Maclean	3d96c5e6db	Ruby: Add test case for rb/insecure-dependency This tests that we recognise kwargs in hashrocket style: gem "foo", "1.2.3", :git => "..." as well as the modern style: gem "foo", "1.2.3", git: "..."	2022-04-01 15:30:07 +13:00

... 71 72 73 74 75 ...

4624 Commits