codeql

mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00

Author	SHA1	Message	Date
Mathias Vorreiter Pedersen	83d0dec0fb	DataFlow: Sync identical files.	2023-07-06 14:00:00 +01:00
Taus	97610d2cac	Java: Add query for counting sink model instances Also adds a more sensible ordering to the existing queries.	2023-07-04 14:24:52 +02:00
Michael Nebel	3cde59e409	Merge pull request #13651 from michaelnebel/telemetrytop100 Java/C#: Reduce the amount of telemetry being produced.	2023-07-04 08:33:53 +02:00
Michael Nebel	238f390738	Merge pull request #13452 from michaelnebel/refactorstackprinting Re-factor printing of summary component stacks.	2023-07-04 08:29:10 +02:00
Taus	b7e4bd290d	Java: Use an IPA type instead of a string While the string representation is useful for quickly modifying queries, it's a bit clunky when the data needs to be further parsed. Instead, the two queries now select all of the columns of the sinkmodel separately (which makes it easy to pull them out of the relevant output later on).	2023-07-03 23:17:55 +02:00
Michael Nebel	243c592447	Address review comments.	2023-07-03 17:01:08 +02:00
Michael Nebel	23a119b8c2	Java/C#: Reduce the amount of telemetry being produced.	2023-07-03 16:54:07 +02:00
Chuan-kai Lin	6912f7ed3a	Merge pull request #13638 from cklin/remove-pragma-assume-small-delta Remove pragma[assume_small_delta]	2023-07-03 07:00:36 -07:00
Michael Nebel	bddd22f522	Sync files and make language specific adjustments.	2023-07-03 14:36:07 +02:00
Michael Nebel	c18f4b1604	Sync files and make language specific rename.	2023-07-03 14:36:06 +02:00
Taus	6f24d939f6	Java: Also select query id	2023-07-01 15:04:06 +02:00
Ian Lynagh	fcf003ceb5	Revert "Kotlin: Remove a use of ObsoleteDescriptorBasedAPI" This reverts commit `a50d804ad7`.	2023-06-30 19:32:37 +01:00
Chuan-kai Lin	ce464a7d69	Remove pragma[assume_small_delta]	2023-06-30 11:09:29 -07:00
Taus	dca227389d	Java: Add metric queries for counting sinks coming from models Adds two queries for gathering metrics on the number of alerts (for a selection of queries) that arise from models with the `ai-generated` provenance.	2023-06-30 15:07:13 +02:00
github-actions[bot]	668aaa2dc8	Post-release preparation for codeql-cli-2.13.5	2023-06-30 08:51:48 +00:00
github-actions[bot]	cf83baeead	Add changed framework coverage reports	2023-06-30 00:17:47 +00:00
Tony Torralba	b2e8167407	Merge pull request #13587 from github/koesie10/update-java-external-api-name Java: Fix external API name for nested types	2023-06-29 13:23:20 +02:00
Koen Vlaswinkel	6806b8750d	Java: Use getSourceDeclaration to handle generic types	2023-06-29 11:49:16 +02:00
github-actions[bot]	9d7987f822	Release preparation for version 2.13.5	2023-06-29 09:26:18 +00:00
Paul Hodgkinson	bfbb77a796	Merge branch 'main' into java/experimental/command-injection	2023-06-29 09:51:14 +01:00
aegilops	8dbb0a51c0	Rewrote tests to work	2023-06-29 09:47:03 +01:00
aegilops	01798f63f8	Switched to new dataflow and added a test (but it doesn't produce results yet)	2023-06-28 17:14:39 +01:00
jorgectf	9d8ae5039a	Add models for `javax.portlet`	2023-06-28 17:53:56 +02:00
Ian Lynagh	641f186afc	Merge pull request #13600 from igfoo/igfoo/fake_fun Kotlin: Remove a use of ObsoleteDescriptorBasedAPI	2023-06-28 15:50:27 +01:00
Ian Lynagh	a50d804ad7	Kotlin: Remove a use of ObsoleteDescriptorBasedAPI This isn't supported in Kotlin 2 mode, but removing this code doesn't affect any tests.	2023-06-28 13:48:43 +01:00
Kasper Svendsen	7c59f5ac18	Merge pull request #13578 from kaspersv/kaspersv/java-remaining-implicit-this Java: Enable implicit this warnings for remaining packs	2023-06-28 14:27:24 +02:00
Koen Vlaswinkel	51af03d2bc	Java: Add tests for names of nested classes	2023-06-28 09:52:25 +02:00
github-actions[bot]	0749af79d7	Add changed framework coverage reports	2023-06-28 00:18:40 +00:00
Ian Lynagh	4adecf0d15	Merge pull request #13586 from igfoo/igfoo/diag-limit Kotlin: Remove an out-of-date comment	2023-06-27 15:41:47 +01:00
Ian Lynagh	b0d2ca5df4	Merge pull request #13568 from igfoo/igfoo/android_lint Java: Tweak some android tests	2023-06-27 15:41:37 +01:00
Ian Lynagh	4415c364ac	Merge pull request #13542 from igfoo/igfoo/modality_final Kotlin: Remove an expected-no-getter exception	2023-06-27 15:41:27 +01:00
Koen Vlaswinkel	fcb2f1082c	Java: Fix external API name for nested types This fixes the name of reported external APIs for nested types. The `toString()` method of `getSourceDeclaration()` would report the name of a type, but not the name of the enclosing type. This results in missing information in the `UnsupportedExternalAPIs.ql` query. For example, previously it would report: ``` org.zapodot.junit.db.Builder#build() ``` However, the `Builder` class does not exist in the package and is only a nested type within `EmbeddedDatabaseRule`. The correct name should be: ``` org.zapodot.junit.db.EmbeddedDatabaseRule$Builder#build() ``` This name also matches the format of MaD.	2023-06-27 15:23:55 +02:00
Ian Lynagh	d588f52262	Kotlin: Remove an out-of-date comment	2023-06-27 13:33:52 +01:00
Tony Torralba	a7c2a25cac	Merge pull request #12879 from atorralba/atorralba/java/command-injection-mad-sinks Java: Convert all command injection sinks to MaD format	2023-06-27 14:06:45 +02:00
Tony Torralba	6e20bd04e9	Merge pull request #13539 from atorralba/atorralba/java/url-to-string-model Java: Add URL.toString summary	2023-06-27 14:05:47 +02:00
Kasper Svendsen	7fcdefbe70	Java: Enable implicit this warnings for remaining packs	2023-06-27 11:54:20 +02:00
Tony Torralba	3c3b53001f	Merge pull request #13550 from jorgectf/jorgectf/lang2-models Java: Add models for `org.apache.commons.lang`	2023-06-27 11:20:59 +02:00
Tony Torralba	a17c812118	Merge pull request #13358 from jorgectf/jorgectf/deserialization-lookahead Java: Model `SerialKiller`	2023-06-27 09:20:50 +02:00
Ian Lynagh	8a43fc81ee	Java: Tweak some android tests They were all failing for me like: [autobuild] /home/ian/code/dev/target/codeql-java-integration-tests/ql/java/ql/integration-tests/all-platforms/java/android-sample-old-style-no-wrapper/project/src/main/AndroidManifest.xml:5: Error: Main must extend android.app.Activity [Instantiatable] [autobuild] <activity android:name="Main" android:exported="true"> [autobuild] ~~~~ [autobuild] Explanation for issues of type "Instantiatable": [autobuild] Activities, services, broadcast receivers etc. registered in the manifest [autobuild] file (or for custom views, in a layout file) must be "instantiatable" by [autobuild] the system, which means that the class must be public, it must have an [autobuild] empty public constructor, and if it's an inner class, it must be a static [autobuild] inner class. I'm not sure why it works on CI but not locally, but either way this works around the issue.	2023-06-26 15:52:52 +01:00
amammad	45499b03d2	change qury file name same as qhelp name	2023-06-26 21:23:22 +10:00
Ian Lynagh	65dee80b36	Merge pull request #13547 from igfoo/igfoo/dead-code Kotlin: Build: Remove some dead code	2023-06-26 11:50:50 +01:00
Tony Torralba	55280e523a	Update java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll	2023-06-26 11:14:31 +02:00
amammad	21b5571bff	V1.1 add additional steps for read methods which I can summarize every single declared sanitizer on the sink whitin isSink predicate	2023-06-25 00:35:37 +10:00
amammad	7354db873a	V1 Bombs	2023-06-24 08:57:57 +10:00
jorgectf	2dc4f23dbb	Add models for `org.apache.commons.lang`	2023-06-23 19:34:21 +02:00
Jorge	7d0b880bf7	Merge branch 'main' into jorgectf/deserialization-lookahead	2023-06-23 18:24:39 +02:00
jorgectf	b6e4ba6f9d	Add `SerialKiller` model	2023-06-23 18:19:43 +02:00
Ian Lynagh	5da377b46a	Kotlin: Build: Remove some dead code	2023-06-23 13:51:35 +01:00
Ian Lynagh	0d05f50aaa	Kotlin: Remove an expected-no-getter exception We're not sure why it was necessary.	2023-06-22 18:12:13 +01:00
Tony Torralba	d07e2862f9	Java: Add URL.toString summary This adds coverage for CVE-2023-35149.	2023-06-22 17:39:30 +02:00

... 56 57 58 59 60 ...

12870 Commits