hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,734 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.4
Commit Graph

5453 Commits

Author SHA1 Message Date
Ed Minnix
28ad9d00fb Merge both setAllowContentAccess queries into one query 
Previously, the query to detect whether or not access to `content://`
links was done using two queries.

Now they can be merged into one query
 2023-01-03 15:17:07 -05:00
Ed Minnix
35de551f6b Formatting 2022-12-31 17:19:49 -05:00
Ed Minnix
515fa21aad Change notes 2022-12-31 17:18:37 -05:00
Ed Minnix
df1a4d2ed1 Documentation fix: Add state1 and state2 to documentation 2022-12-31 15:25:37 -05:00
Ed Minnix
02f70f3536 Add @security-severity tag 2022-12-31 15:00:28 -05:00
Edward Minnix III
1d345c6101 Refactoring and simplification 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2022-12-31 15:00:28 -05:00
Ed Minnix
5265cb4b03 Merge two dataflow configurations into one taint tracking 2022-12-31 15:00:28 -05:00
Ed Minnix
973f649e76 Break dataflow into two steps in order to capture flow from WebView to settings call 2022-12-31 15:00:28 -05:00
Ed Minnix
0e15dd9fa9 Query metadata 2022-12-31 15:00:28 -05:00
Edward Minnix III
778749184b Change id to use android/ instead of prepending android- 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2022-12-31 15:00:28 -05:00
Ed Minnix
da25c586e6 Dataflow query for detecting paths that disable content access 
Since the default value is `true`, we need to determine whether or not
the `setAllowContentAccess` method is ever called using dataflow.
 2022-12-31 15:00:28 -05:00
Ed Minnix
8a763015e6 Reduce precision rating to medium 
This query won't always be a security problem, so it should have a lower
precision rating than `high`.
 2022-12-31 15:00:28 -05:00
Ed Minnix
e4e13d38b7 Java: query for Android WebView setAllowContentAccess 2022-12-31 15:00:28 -05:00
Edward Minnix III
597523e65a Merge pull request #11766 from atorralba/atorralba/java/fix-android-query-id 
Java: Fix new Android queries' IDs
 2022-12-21 11:21:12 -05:00
Arthur Baars
98c5b81456 Merge pull request #11723 from aibaars/alert-suppression 
CodeQL alert suppression
 2022-12-21 10:59:57 +01:00
Arthur Baars
035ad65e43 AlertSuppression: move library into util folder 2022-12-21 10:39:57 +01:00
Tony Torralba
345c383acc Fix new Android queries' IDs 2022-12-21 09:36:57 +01:00
Tony Torralba
149cae9603 Merge pull request #10971 from joefarebrother/android-certificate-pinning 
Java: Add Android missing certificate pinning query (CWE-295)
 2022-12-20 11:03:16 +01:00
Tony Torralba
a47ef17a0d Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java 
Co-authored-by: Edward Minnix III <egregius313@github.com>
 2022-12-19 18:11:54 +01:00
Edward Minnix III
39a7c7bb12 Merge pull request #11282 from egregius313/egregiu313/webview-addjavascriptinterface 
Java: Query for detecting addJavascriptInterface method calls
 2022-12-19 11:28:45 -05:00
Tony Torralba
624c9ff834 Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java 2022-12-19 17:26:41 +01:00
Arthur Baars
a8be5d7274 AlertSuppression: add change notes 2022-12-19 17:02:52 +01:00
Tony Torralba
0c6ace350f Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-12-19 16:24:39 +01:00
Arthur Baars
c9739b21cb AlertSuppression: add support for //codeql comments 2022-12-19 16:10:28 +01:00
Arthur Baars
c176606be5 AlertSuppression: allow //lgtm comments to scope over the next line 2022-12-19 16:10:26 +01:00
Arthur Baars
016c7a8ca7 Merge pull request #11719 from aibaars/alert-suppression-shared 
Shared AlertSuppression library
 2022-12-19 16:04:44 +01:00
Tony Torralba
484a16ce1b Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql 2022-12-19 12:10:32 +01:00
Arthur Baars
bc646d407e Java: use shared AlertSuppression.qll 2022-12-19 12:07:28 +01:00
Tony Torralba
a880fecc8b Apply suggestions from code review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-12-19 11:56:36 +01:00
turbo
1e5426fca2 Create security-experimental suite helper and all language suite implementations 2022-12-18 15:44:08 +01:00
Henry Mercer
30451ee950 Merge pull request #11681 from github/henrymercer/mergeback-3.8 
Merge `rc/3.8` back to `main`
 2022-12-16 17:43:12 +00:00
Michael Nebel
b2856c1f5a Merge pull request #11705 from michaelnebel/dataextensiontests 
C#/Java: Migrate tests to use implicitly loaded extensions.
 2022-12-16 10:50:07 +01:00
Jami
fd63348549 Merge pull request #11585 from jcogs33/jcogs33/mad-metrics-query 
Java: add MaD metrics query
 2022-12-15 19:26:51 -05:00
Jami Cogswell
c33bc63aed Java: remove extraneous parentheses 2022-12-15 15:26:04 -05:00
Jami Cogswell
cfeedb5cb4 Java: add float cast 2022-12-15 15:23:28 -05:00
Jami Cogswell
b68a9a51e2 Java: add coverage, generatedCoverage, and manualCoverage metrics 2022-12-15 15:20:08 -05:00
Jami Cogswell
9d10b719d6 Java: add match metric 2022-12-15 15:10:35 -05:00
Jami Cogswell
1c5d4f8048 Java: rename generatedCoverage and manualCoverage 2022-12-15 15:03:00 -05:00
Michael Nebel
31c60e545e Java: Update the flow test generator to create ext.yml files. 2022-12-15 14:46:20 +01:00
Michael Nebel
a67e02df21 Merge pull request #11691 from michaelnebel/renameextensibles 
C#/Java: Rename externalflow extensible predicates
 2022-12-15 11:05:22 +01:00
Michael Nebel
12c1ebd81c C#/Java: Add change note. 2022-12-15 09:41:14 +01:00
Ed Minnix
72484b9483 Change wording of addJavascriptInterface query description 2022-12-14 16:19:03 -05:00
Jami
359e49044f Merge branch 'main' into jcogs33/mad-metrics-query 2022-12-14 15:33:29 -05:00
Jami
33955ee4ab Merge pull request #11623 from jcogs33/jcogs33/exclude-funcexpr-from-dataflowtargetapi 
Java/C#: exclude `FunctionalExpr`s from `DataFlowTargetApi`
 2022-12-14 12:22:50 -05:00
turbo
4ec401a3f6 Tag all security queries in supported languages' experimental directories with an experimental tag 2022-12-14 17:15:50 +01:00
Jami
b248b44983 Merge pull request #11668 from jcogs33/jcogs33/update-isjdkinternal 
Java: update `isJdkInternal`
 2022-12-14 08:33:18 -05:00
Jami
f61b817751 Merge pull request #11631 from jcogs33/jcogs33/update-externalapi-charpredicate 
Java/C#: add `isUninteresting` to `ExternalApi` characteristic predicate
 2022-12-14 08:25:02 -05:00
Michael Nebel
bc02adb400 Java: Make the corresponding rename in all the data extensions. 2022-12-14 13:48:31 +01:00
Jami Cogswell
c956589945 Java: remove dot before percent 2022-12-13 17:46:20 -05:00
Jami Cogswell
dee251e5d6 Java: update isJdkInternal 2022-12-13 17:46:20 -05:00