hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,612 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.7
Commit Graph

4195 Commits

Author SHA1 Message Date
Chuan-kai Lin
ff78bebf19 Shared support for alert filtering 2024-09-11 13:18:26 -07:00
Rasmus Wriedt Larsen
038bc832a7 Go/Java/C#: Rename to ActiveThreatModelSource 
As part of adding support for threat-models to Python/JS (see
https://github.com/github/codeql/pull/17203), we ran into some trouble
with name clashes.

Naming in existing languages supporting threat-models:
- `SourceNode` (for QL only modeling)
- `ThreatModelFlowSource` (for active sources from QL or data-extensions)

However, since we use `LocalSourceNode` in Python, and `SourceNode` in
JS (for local source nodes), it seems a bit confusing to follow the same
naming convention as other languages, and we had to come up with new names.

Initially I used `ThreatModelSource` for the "QL only modeling", but
that meant that we needed a new name to represent the active sources
coming from either QL or data-extensions... for this I came up with
`ActiveThreatModelSource`, and I really liked it. To me, it's much
clearer that this class only contains the currently active threat
model sources.

So to align languages, I got approval from @michaelnebel to rename the
existing classes.
 2024-09-10 14:46:15 +02:00
github-actions[bot]
97edff3f70 Post-release preparation for codeql-cli-2.18.4 2024-09-09 18:45:46 +00:00
github-actions[bot]
91537cdf9a Release preparation for version 2.18.4 2024-09-09 16:08:48 +00:00
Michael Nebel
a5b462292f Merge pull request #17330 from michaelnebel/java/modelgenfieldbased 
Java/C#: Field based model generator (Experimental).
 2024-09-06 11:11:46 +02:00
erik-krogh
e2b16bd8f9 add some change-notes 2024-09-03 22:06:07 +02:00
erik-krogh
846882d22c delete imports to a deleted file 2024-09-03 20:31:00 +02:00
erik-krogh
20dfdc9661 delete some deprecated files 2024-09-03 20:30:59 +02:00
erik-krogh
0fdd06fff5 use my script to delete outdated deprecations 2024-09-03 20:30:58 +02:00
Michael Nebel
4bdf21b022 Java: Add Content Flow module. 2024-09-03 09:45:07 +02:00
Henry Mercer
3490067316 Merge branch 'main' into henrymercer/rc-3.15-mergeback 2024-08-29 19:48:01 +01:00
Michael Nebel
bd5529cefa Java: Update the Byte- and CharBuffer models and add models for set- and getParameters on LogRecord. 2024-08-28 16:15:09 +02:00
Michael Nebel
e8595e28e9 Update java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2024-08-28 15:04:38 +02:00
Michael Nebel
8f734ad1b2 Java: Tighten the criteria for when we disregard generated models. 2024-08-27 14:48:11 +02:00
Michael Nebel
43b52a0921 Java: Add change note. 2024-08-27 13:28:18 +02:00
Michael Nebel
d79aa294ec Java: Move some neutrals into the model.yml file (they have previosly been ignored due to wrong file extension). 2024-08-27 13:28:09 +02:00
Michael Nebel
db51604f46 Java: Promote some generated models and add some manual neutrals. 2024-08-27 13:28:05 +02:00
Michael Nebel
fe6693739a Java: Make more finegrained dataflow dispatch viable callable heuristic. 2024-08-27 13:27:52 +02:00
github-actions[bot]
0724fd7ce2 Post-release preparation for codeql-cli-2.18.3 2024-08-21 18:25:54 +00:00
github-actions[bot]
17cd9624fb Release preparation for version 2.18.3 2024-08-21 17:13:52 +00:00
Chris Smowton
15989ce213 Merge pull request #14089 from am0o0/amammad-java-JWT 
Java: JWT decoding without verification
 2024-08-21 14:14:08 +01:00
Anders Schack-Mulligen
993bfee096 Merge pull request #17259 from aschackmull/dataflow/remove-srcsink-grouping 
Dataflow: Remove src/sink grouping feature
 2024-08-20 14:42:33 +02:00
Anders Schack-Mulligen
8470e91c16 Legacy Dataflow: Sync. 2024-08-20 10:07:57 +02:00
am0o0
d88b310b0e add getCredentials method of AuthenticationToken as a remote source 2024-08-16 15:41:19 +02:00
Rasmus Wriedt Larsen
1e7eae58f4 Java: Add change-note 2024-08-15 15:45:20 +02:00
Rasmus Wriedt Larsen
1e12c11adc Java: Model System.in as stdin threat-model 2024-08-15 15:37:35 +02:00
Chris Smowton
3450e509fe Merge pull request #17228 from smowton/smowton/admin/missing-change-notes 
Java: add change notes for three recent buildless fixes
 2024-08-15 10:56:22 +01:00
Chris Smowton
b4a42de7f4 Java: add change notes for three recent buildless fixes 2024-08-14 18:34:25 +01:00
Michael Nebel
f0817dc07c C#/Java: Use a parameterized module for making the source and sink callable classes. 2024-08-14 09:50:38 +02:00
Michael Nebel
4a5c9f0ec4 Merge pull request #17007 from michaelnebel/shared/neutralimplementation 
C#/Java/Go: Neutrals are split into separate classes.
 2024-08-12 13:58:12 +02:00
Alexander Eyers-Taylor
ffd811a55d Merge pull request #17182 from github/post-release-prep/codeql-cli-2.18.2 
Post-release preparation for codeql-cli-2.18.2
 2024-08-08 16:28:03 +01:00
github-actions[bot]
cc6d87c276 Post-release preparation for codeql-cli-2.18.2 2024-08-08 12:56:21 +00:00
github-actions[bot]
019da8c287 Release preparation for version 2.18.2 2024-08-07 14:02:38 +00:00
Alexander Eyers-Taylor
46577b585e Revert "Release preparation for version 2.18.2" 2024-08-07 14:24:37 +01:00
Tom Hvitved
d9ff4ef567 Merge pull request #17155 from hvitved/java/array-ref-bad-join 
Java: Fix bad join
 2024-08-07 12:39:40 +02:00
github-actions[bot]
c14ba0e4bd Release preparation for version 2.18.2 2024-08-06 12:46:15 +00:00
Tom Hvitved
a7410e4a16 Java: Fix bad join 
Before
```
[2024-08-06 10:37:59] Evaluated non-recursive predicate BoundingChecks::arrayReference/1#754911ba@0628dahn in 20981ms (size: 2009682526).
Evaluated relational algebra for predicate BoundingChecks::arrayReference/1#754911ba@0628dahn with tuple counts:
             94480   ~0%    {2} r1 = SCAN `Expr::ArrayAccess.getArray/0#dispred#b90c658a` OUTPUT In.1, In.0

                32   ~0%    {2} r2 = JOIN r1 WITH `Expr::MethodCall.getMethod/0#dispred#41989dc9` ON FIRST 1 OUTPUT Rhs.1, Lhs.1
              1013   ~1%    {2}    | JOIN WITH `Expr::MethodCall.getMethod/0#dispred#41989dc9_10#join_rhs` ON FIRST 1 OUTPUT Lhs.1, Rhs.1

             92091   ~4%    {2} r3 = JOIN r1 WITH variableBinding ON FIRST 1 OUTPUT Rhs.1, Lhs.1
        2009681513   ~0%    {2}    | JOIN WITH variableBinding_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1

        2009682526   ~0%    {2} r4 = r2 UNION r3
                            return r4

[2024-08-06 10:38:02] Evaluated non-recursive predicate BoundingChecks::lessthanLength/1#48b5e1b7@2885308n in 0ms (size: 108).
Evaluated relational algebra for predicate BoundingChecks::lessthanLength/1#48b5e1b7@2885308n with tuple counts:
        1518  ~0%    {2} r1 = JOIN `Expr::ComparisonExpr.isStrict/0#dispred#fd8c6ddb` WITH `Expr::ComparisonExpr.getGreaterOperand/0#dispred#e8df4b14` ON FIRST 1 OUTPUT Rhs.1, Lhs.0
         455  ~2%    {2}    | JOIN WITH Expr::FieldAccess#2b664c37 ON FIRST 1 OUTPUT Lhs.1, Lhs.0
         455  ~1%    {3}    | JOIN WITH `Expr::ComparisonExpr.getLesserOperand/0#dispred#d7744bc2` ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Rhs.1
         455  ~0%    {5}    | JOIN WITH `Expr::FieldAccess.getField/0#dispred#29ef4aa0` ON FIRST 1 OUTPUT Rhs.1, _, Lhs.1, Lhs.0, Lhs.2
         455  ~0%    {5}    | REWRITE WITH Out.1 := "length"
         116  ~0%    {3}    | JOIN WITH `Element::Element.hasName/1#dispred#8acbbbde` ON FIRST 2 OUTPUT Lhs.4, Lhs.2, Lhs.3
          93  ~0%    {3}    | JOIN WITH variableBinding ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Rhs.1
          93  ~1%    {3}    | JOIN WITH `Expr::VarAccess.getQualifier/0#dispred#2b0f1cd1` ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Rhs.1
         484  ~2%    {3}    | JOIN WITH variableBinding_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Lhs.2
         277  ~3%    {2}    | JOIN WITH `BoundingChecks::conditionHolds/2#fa0354b9#bb` ON FIRST 2 OUTPUT Lhs.1, Lhs.2
         166  ~5%    {2}    | JOIN WITH `Expr::ArrayAccess.getIndexExpr/0#dispred#345f6cf4_10#join_rhs` ON FIRST 1 OUTPUT Rhs.1, Lhs.1
         110  ~0%    {1}    | JOIN WITH `BoundingChecks::arrayReference/1#754911ba` ON FIRST 2 OUTPUT Lhs.0
                     return r1
```

After
```
[2024-08-06 13:29:50] Evaluated non-recursive predicate BoundingChecks::lengthAccess/2#54b10eff@719e68tb in 0ms (size: 309).
Evaluated relational algebra for predicate BoundingChecks::lengthAccess/2#54b10eff@719e68tb with tuple counts:
        6241  ~0%    {2} r1 = JOIN `BoundingChecks::getAnAccess/1#152ad44e_10#join_rhs` WITH `Expr::VarAccess.getQualifier/0#dispred#2b0f1cd1_10#join_rhs` ON FIRST 1 OUTPUT Rhs.1, Lhs.1
        6240  ~0%    {4}    | JOIN WITH `Expr::FieldAccess.getField/0#dispred#29ef4aa0` ON FIRST 1 OUTPUT Rhs.1, _, Lhs.1, Lhs.0
        6240  ~0%    {4}    | REWRITE WITH Out.1 := "length"
         309  ~2%    {2}    | JOIN WITH `Element::Element.hasName/1#dispred#8acbbbde` ON FIRST 2 OUTPUT Lhs.3, Lhs.2
                     return r1

[2024-08-06 13:29:50] Evaluated non-recursive predicate BoundingChecks::lessthanLength/1#48b5e1b7@0fcac509 in 1ms (size: 108).
Evaluated relational algebra for predicate BoundingChecks::lessthanLength/1#48b5e1b7@0fcac509 with tuple counts:
        94480  ~0%    {3} r1 = JOIN `Expr::ArrayAccess.getArray/0#dispred#b90c658a` WITH `Expr::ArrayAccess.getIndexExpr/0#dispred#345f6cf4` ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1
          648  ~4%    {4}    | JOIN WITH variableBinding ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.0, Rhs.1
          621  ~1%    {4}    | JOIN WITH `BoundingChecks::getAnAccess/1#152ad44e_10#join_rhs` ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.3, Rhs.1
          344  ~0%    {4}    | JOIN WITH `BoundingChecks::conditionHolds/2#fa0354b9#bb_10#join_rhs` ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3
          341  ~0%    {4}    | JOIN WITH `Expr::ComparisonExpr.isStrict/0#dispred#fd8c6ddb` ON FIRST 1 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.3
          341  ~0%    {5}    | JOIN WITH `Expr::ComparisonExpr.getGreaterOperand/0#dispred#e8df4b14` ON FIRST 1 OUTPUT Rhs.1, Lhs.3, Lhs.1, Lhs.2, Lhs.0
          110  ~2%    {3}    | JOIN WITH `BoundingChecks::lengthAccess/2#54b10eff` ON FIRST 2 OUTPUT Lhs.4, Lhs.2, Lhs.3
          110  ~0%    {3}    | JOIN WITH `Expr::ComparisonExpr.getLesserOperand/0#dispred#d7744bc2` ON FIRST 1 OUTPUT Rhs.1, Lhs.2, Lhs.1
          110  ~0%    {1}    | JOIN WITH variableBinding ON FIRST 2 OUTPUT Lhs.2
                      return r1
```
 2024-08-06 13:30:19 +02:00
Chris Smowton
95e504a5ff Merge branch 'main' into am0o0-java-PathInjection 2024-08-05 11:41:25 +01:00
Chris Smowton
be945f14f6 Merge pull request #17135 from github/smowton/admin/build-mode-none-ga 
Announce Java build-mode: none GA
 2024-08-02 12:05:39 +01:00
Anders Schack-Mulligen
4d023f14a6 Merge pull request #17075 from RobbingDaHood/17052-second-try-do-not-expose-error-message 
Java: 17052 Second try: do not expose error message
 2024-08-02 12:44:27 +02:00
Chris Smowton
c299d8ddc1 Move change note to lib directory 2024-08-02 11:22:10 +01:00
Jami
4fb29c4473 Merge branch 'main' into jcogs33/java/add-apache-ant-path-inj-sinks 2024-07-31 08:15:07 -04:00
Owen Mansel-Chan
e259b25428 Add "tokenizer" to sensitive variable name FPs 2024-07-30 15:38:32 +01:00
Owen Mansel-Chan
0704946324 Factor out matching sensitive variable name FPs 2024-07-30 15:37:54 +01:00
Anders Schack-Mulligen
5073f4f7dd Merge pull request #17096 from aschackmull/java/pp-experimental-models 
Java: Pretty-print experimental models for qltest.
 2024-07-30 13:31:15 +02:00
Anders Schack-Mulligen
da5250d3a7 Java: Pretty-print experimental models for qltest. 2024-07-30 11:43:44 +02:00
Ian Lynagh
1530037eae Merge pull request #17071 from igfoo/igfoo/dep_env 
Java/Kotlin: Remove support for deprecated SOURCE_ARCHIVE and TRAP_FOLDER
 2024-07-29 14:55:50 +01:00
Jami
0ba5a74f6a Merge pull request #17074 from jcogs33/jcogs33/java/fix-regex-use-comments 
Java: fix comments about use of sink kind `regex-use`
 2024-07-26 08:57:39 -04:00
Jami
ff9093f2de Merge branch 'main' into jcogs33/java/add-apache-ant-path-inj-sinks 2024-07-26 08:54:27 -04:00
RobbingDaHood
feb31d2006 Merge branch 'main' into 17052-second-try-do-not-expose-error-message 2024-07-25 18:13:49 +02:00