hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,258 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.3
Commit Graph

10661 Commits

Author SHA1 Message Date
erik-krogh
6289ae329b fix a race-condition 2022-12-01 15:27:41 +01:00
Asger F
eb9bee23a0 JS: Remove MkAsyncFunctionResult 2022-12-01 15:15:27 +01:00
tiferet
4a6de3e444 Apply suggestion from code review 2022-11-30 17:25:19 -08:00
tiferet
a0a742eb82 Rename predicates to fit style guide: 
- `getEndpoints` → `appliesToEndpoint`
- `getImplications` → `hasImplications`
- `getAlerts` → `hasAlert`
 2022-11-30 17:01:56 -08:00
erik-krogh
cddc9db690 change back to the old order of extracting externs before Xml 2022-11-30 15:46:46 +01:00
erik-krogh
6620ba8cc8 Merge branch 'main' into exit-code 2022-11-30 15:26:31 +01:00
tiferet
b885249d9d Add a boosted version of XssThroughDOM 2022-11-29 17:40:20 -08:00
tiferet
c5184d37e7 Suggestion from code review: 
Name the query configuration e.g. `NosqlInjectionATMConfig` rather than `Configuration`.
 2022-11-29 15:46:05 -08:00
tiferet
6f807e9d43 Doc suggestion from code review 2022-11-29 13:20:47 -08:00
tiferet
75cd7a9ebc Remove code duplication in query .ql files: 
Define the query for finding ATM alerts in the base class `AtmConfig`, and call it from each query's .ql file.
 2022-11-29 13:20:47 -08:00
tiferet
a710b723d1 Move the definition of isSink to the base class: 
Holds if `sink` is a known taint sink or an "effective" sink.
 2022-11-29 13:20:47 -08:00
tiferet
cd24ec88d6 Move the definition of isSource to the base class: 
A long as we're not boosting sources, `isSource` is identical to `isKnownSource`.
 2022-11-29 13:20:47 -08:00
tiferet
50291c7b7c AtmConfig inherits from TaintTracking::Configuration. 
That way the specific configs which inherit from `AtmConfig` also inherit from `TaintTracking::Configuration`.

This removes the need for two separate config classes for each query.
 2022-11-29 13:20:47 -08:00
tiferet
05a943c9b5 Delete StandardEndpointFilters. 
All remaining functionality in `StandardEndpointFilters` is only being used in `EndpointCharacteristics`, so it can be moved there as a small set of helper predicates.
 2022-11-29 13:20:47 -08:00
tiferet
5402f047bf Delete CoreKnowledge. 
All remaining functionality in `CoreKnowledge` is only being used in `EndpointCharacteristics`, so it can be moved there as a small set of helper predicates.
 2022-11-29 13:20:47 -08:00
tiferet
1d4b2ccab4 Merge branch 'main' into tiferet/complexity-reduction 2022-11-29 12:47:18 -08:00
Tiferet Gazit
f375b0cc1b Merge pull request #11281 from github/tiferet/endpoint-filters 
ATM: Implement the current endpoint filters as EndpointCharacteristics
 2022-11-29 12:38:12 -08:00
erik-krogh
de5ffd5cfa bump extractor version 2022-11-29 21:32:43 +01:00
Erik Krogh Kristensen
d0cf709d2e use proper path construction 
Co-authored-by: Asger F <asgerf@github.com>
 2022-11-29 21:30:50 +01:00
erik-krogh
63a5f8965e fix tests 2022-11-29 14:08:21 +01:00
erik-krogh
136b6db2ad only delete the src/ folder if it was empty 2022-11-29 13:42:27 +01:00
erik-krogh
f3f7a89ef8 make the JS autobuilder consistent with Ruby when no JS code was detected 2022-11-29 13:42:27 +01:00
tiferet
4580b55673 Oops -- forgot to stage one file in the previous commit :) 2022-11-28 11:34:34 -08:00
tiferet
210644e87d Delete StandardEndpointFilters. 
All remaining functionality in `StandardEndpointFilters` is only being used in `EndpointCharacteristics`, so it can be moved there as a small set of helper predicates.
 2022-11-28 11:34:34 -08:00
tiferet
15121931b4 Delete CoreKnowledge. 
All remaining functionality in `CoreKnowledge` is only being used in `EndpointCharacteristics`, so it can be moved there as a small set of helper predicates.
 2022-11-28 11:34:34 -08:00
tiferet
1c679378e7 FilteringReason is no longer being used and can be deleted 2022-11-28 11:34:33 -08:00
tiferet
99de397a5f Remove redundant code 
`isOtherModeledArgument` and `isArgumentToBuiltinFunction` contained the old logic for selecting negative endpoints for training.

These can now be deleted, and replaced by a single base class that collects all EndpointCharacteristics that are currently used to indicate negative training samples: `OtherModeledArgumentCharacteristic`.

This in turn lets us delete code from `StandardEndpointFilters` that effectively said that endpoints that are high-confidence non-sinks shouldn't be scored at inference time, either.
 2022-11-28 11:34:33 -08:00
tiferet
7b0269c999 Fix British spelling that code scanning didn't like. 
I've been working with Brits for too long :)
 2022-11-28 11:28:08 -08:00
tiferet
963407de4c Update the documentation 2022-11-28 11:16:06 -08:00
Asger F
76afc2dcc3 JS: Fix formatting and rephrase comment 2022-11-28 14:00:43 +01:00
Erik Krogh Kristensen
7a3898168f Update README.md 2022-11-28 12:12:36 +01:00
Asger F
e99571baae Update javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-11-28 11:45:08 +01:00
Henry Mercer
56e5f01ce0 Merge branch 'main' into codeql-ci/atm/release-0.4.2 2022-11-24 14:41:49 +00:00
github-actions[bot]
78d49e44b1 JS: Bump version of ML-powered library and query packs to 0.4.3 2022-11-24 14:22:14 +00:00
github-actions[bot]
8d96bfe973 JS: Bump patch version of ML-powered library and query packs 2022-11-24 14:18:13 +00:00
Erik Krogh Kristensen
1eec067474 Merge pull request #11294 from erik-krogh/fileDoc 
QL: improve the "this block-comment should have been a QLDoc"-query
 2022-11-23 22:23:36 +01:00
Erik Krogh Kristensen
efdfc361be Merge pull request #11396 from erik-krogh/jsTypo 
JS: fix two typos
 2022-11-23 22:18:43 +01:00
tiferet
03b8e649f1 Filter endpoints by confidence 
Select endpoints to score at inference time base purely on their confidence level, and not on whether they fit the historical definition of endpoint filters.
 2022-11-23 10:46:27 -08:00
Asger F
5a51d718c6 Update some comments referring to the package column 2022-11-23 14:44:03 +01:00
erik-krogh
2eb6b1adb3 JS: fix two typos 2022-11-23 14:38:12 +01:00
Henry Mercer
3b69821630 ATM: Add descriptions to ML-powered packs 2022-11-23 10:46:23 +00:00
Asger F
2e3413c9b8 JS: Merge package/type columns 2022-11-23 11:17:42 +01:00
Erik Krogh Kristensen
f67219965e Merge pull request #11082 from erik-krogh/shellArr 
JS: treat arrays that gets executed with shell:true as a sink for `js/shell-command-constructed-from-input`
 2022-11-22 13:03:50 +01:00
Erik Krogh Kristensen
b2267c0e49 Merge pull request #11343 from erik-krogh/redundantAssignment 
QL: add redundant-assignment query
 2022-11-22 13:03:14 +01:00
Erik Krogh Kristensen
06386b2cdd Merge pull request #11072 from erik-krogh/slicing 
JS: poly-redos: don't sanitize calls through substring calls that just remove the start
 2022-11-22 13:02:09 +01:00
erik-krogh
6b5cd9abc3 use RegExpTreeView insteaed of RegexTreeView in JS 2022-11-22 12:55:48 +01:00
erik-krogh
f9b775e4b8 do private imports of the deprecated Dep modules 2022-11-22 12:39:56 +01:00
Edoardo Pirovano
6c33ddcd47 Merge pull request #11349 from github/edoardo/2.11.4-mergeback 
Merge `rc/3.8` into `main`
 2022-11-21 18:08:27 +00:00
erik-krogh
64707f4f7b remove redundant assignments 2022-11-21 17:45:05 +01:00
tiferet
1c9545e49a Address comment from code review: 
Make `SyntacticHeuristics` an explicit import
 2022-11-21 08:00:31 -08:00