hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
77,734 Commits 1,671 Branches 157 Tags
codeql-cli-2.21.0
Commit Graph

4237 Commits

Author SHA1 Message Date
Owen Mansel-Chan
bf22c6dae0 Merge pull request #15766 from owen-mc/java/add-neutral-models 
Java: add neutral models
 2024-03-02 06:00:33 +00:00
Owen Mansel-Chan
0a8dfbafe4 Accept suggestion to put models under the right heading 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2024-03-01 16:05:28 +00:00
Owen Mansel-Chan
df64e0bc5f Add neutral summary models for java.security.MessageDigest#digest 2024-03-01 14:08:31 +00:00
Owen Mansel-Chan
f89fedcbaf Add some neutral models for java.util 2024-03-01 14:07:45 +00:00
Owen Mansel-Chan
10f6329b3e Add manual neutral models for java.util.stream 
See comment in java/ql/src/Metrics/Summaries/TopJdkApis.qll

   * Note: the following top JDK APIs are not modeled with MaD:
   * `java.util.stream.Collectors#joining(CharSequence)`: cannot be modeled completely without a model for `java.util.stream.Stream#collect(Collector)` as well
   * `java.util.stream.Collectors#toMap(Function,Function)`: specialized collectors flow
   * `java.util.stream.Stream#collect(Collector)`: handled separately on a case-by-case basis as it is too complex for MaD
 2024-03-01 12:32:04 +00:00
Owen Mansel-Chan
f907fd21ad Add manual neutral models for java.text.Format and java.text.MessageFormat 
See comment in java/ql/src/Metrics/Summaries/TopJdkApis.qll

   * Note: the following top JDK APIs are not modeled with MaD:
   * `java.text.Format#format(Object)`: similar issue as `Object.toString`; depends on the object being passed as the argument
   * `java.text.MessageFormat#format(String,Object[])`: similar issue as `Object.toString`; depends on the object being passed as the argument
 2024-03-01 12:31:59 +00:00
Owen Mansel-Chan
0e95f41900 Add manual neutral models for java.lang 
See comment in java/ql/src/Metrics/Summaries/TopJdkApis.qll

   * Note: the following top JDK APIs are not modeled with MaD:
   * `java.lang.System#getProperty(String)`: needs to be modeled by regular CodeQL matching the get and set keys to reduce FPs
   * `java.lang.System#setProperty(String,String)`: needs to be modeled by regular CodeQL matching the get and set keys to reduce FPs
 2024-03-01 12:31:49 +00:00
Owen Mansel-Chan
bb97df1d71 do not generate models for lambda flow methods 2024-03-01 12:11:40 +00:00
Owen Mansel-Chan
bbf3fa7506 do not generate models for toString 2024-03-01 09:59:27 +00:00
Tony Torralba
dd1dbdf4ec Java: Fix provenance of Map.Entry.copyOf models 2024-03-01 09:00:13 +01:00
Owen Mansel-Chan
54031a8187 Merge pull request #15767 from owen-mc/java/add-summary-models 
Java: add a few summary models
 2024-02-29 21:21:23 +00:00
Chris Smowton
051d63a5a9 Merge pull request #15740 from smowton/smowton/feature/call-and-type-telemetry 
Java: add extraction quality telemetry; improve stringification of some erroneous expressions
 2024-02-29 16:51:51 +00:00
Tony Torralba
47bf556223 Merge pull request #15709 from atorralba/atorralba/java/enable-widget-taint-steps 
Java: Re-enable Widget.qll flow steps
 2024-02-29 17:33:05 +01:00
Owen Mansel-Chan
7b5f51b1e2 Change summary models to neutral models for javax.crypto.Cipher 2024-02-29 16:22:27 +00:00
Chris Smowton
ef82ea7541 Add change note 2024-02-29 14:59:46 +00:00
Chris Smowton
551006c15e Make predicate private 2024-02-29 14:59:46 +00:00
Chris Smowton
1fd459e8fc Improve stringification of some erroneous expressions 2024-02-29 14:59:45 +00:00
Owen Mansel-Chan
939d6f973f Add summary models for javax.crypto.Cipher 2024-02-29 12:20:47 +00:00
Owen Mansel-Chan
65bc62c10a Add summary model for Map$Entry#copyOf 2024-02-29 12:20:43 +00:00
Chris Smowton
aedd3badf7 Add change note for https://github.com/github/codeql/pull/15646 2024-02-27 15:41:43 +00:00
Anders Schack-Mulligen
df5e753ee0 Merge pull request #15570 from aschackmull/java/cache-interpretelement 
Java: Cache interpretElement.
 2024-02-27 13:39:56 +01:00
erik-krogh
b4b5ae2a2c add some request-forgery sanitizers, inspired from C# 2024-02-27 10:05:26 +01:00
Mathias Vorreiter Pedersen
1d4c889ab8 Java: Use the shared type-flow library. 2024-02-26 17:13:32 +00:00
Tony Torralba
759b74791c Java: Re-enable Widget.qll flow steps 
The library Widget.qll was accidentally removed from the global context when its sources were migrated to models-as-data in #13136. This re-adds it so that its flow steps are enabled again.
 2024-02-23 13:07:35 +01:00
Tom Hvitved
62b16c0fa3 Share getFileBySourceArchiveName implementation 2024-02-23 11:25:49 +01:00
Joe Farebrother
2ebb80b632 Merge pull request #15548 from joefarebrother/android-local-auth-keys 
Java: Add query for insecurely generated keys for local authentication.
 2024-02-22 14:04:17 +00:00
Anders Schack-Mulligen
71f8ccf45f Merge pull request #15654 from aschackmull/java/static-init-vec-query-perf 
Java: Switch helper flow from Global to SimpleGlobal in StaticInitializationVectorQuery.
 2024-02-21 10:51:16 +01:00
github-actions[bot]
37f8fa3413 Post-release preparation for codeql-cli-2.16.3 2024-02-20 16:50:47 +00:00
github-actions[bot]
6d061fbc35 Release preparation for version 2.16.3 2024-02-20 14:26:23 +00:00
Anders Schack-Mulligen
66010b5c96 Java: Switch helper flow from Global to SimpleGlobal in StaticInitializationVectorQuery. 2024-02-19 14:04:43 +01:00
Owen Mansel-Chan
22692b9d55 Simplify definition of source and improve QLDoc 
This is also slightly faster to evaluate (217s instead of 228s on apache/geode on my machine).
 2024-02-16 16:47:41 +00:00
Tony Torralba
90a9d82b9d Java: Expand ExactPathSanitizer to work on the argument of 'equals' too 2024-02-15 10:00:24 +01:00
Anders Schack-Mulligen
fb2d36ddac Merge pull request #15451 from Marcono1234/marcono1234/java-assignment-doc 
Java: Document which assignment type is covered by which class
 2024-02-14 08:59:50 +01:00
Joe Farebrother
2eb93b7a3b Add unit tests 2024-02-12 13:49:45 +00:00
Joe Farebrother
d8985f9f5b Move tests for local auth to a folder 2024-02-12 13:49:45 +00:00
Joe Farebrother
c79a3eb6ae Add query for insecure key generation 2024-02-12 13:49:44 +00:00
Joe Farebrother
75a2b9415c Merge pull request #15481 from joefarebrother/android-local-auth 
Java: Add query for insecure local authentication
 2024-02-12 13:48:53 +00:00
Tony Torralba
cf7091ae5f Merge branch 'main' into atorralba/java/open-redirect-sanitizer 2024-02-12 10:31:52 +01:00
Joe Farebrother
16aed18821 Address reviews - Elaborate on docs and update severity 2024-02-09 13:53:36 +00:00
Tom Hvitved
1ea7717714 Capture flow: Take overwrites in nested scopes into account 2024-02-09 14:49:23 +01:00
Anders Schack-Mulligen
8fc4fae7d2 Java: Cache interpretElement. 2024-02-09 14:43:36 +01:00
Max Schaefer
93990ec9df Merge pull request #15486 from github/java/update-mad-decls-after-triage-2024-01-31T11-16-45 
Java: Update MaD Declarations after Triage
 2024-02-09 11:18:17 +00:00
Tony Torralba
4c0d535cc2 Merge pull request #12886 from atorralba/atorralba/java/path-injection-mad-sinks 
Java: Refactor path injection sinks
 2024-02-09 10:48:49 +01:00
Max Schaefer
fb109672b3 Address more review feedback. 2024-02-09 09:21:30 +00:00
Tony Torralba
34f74869c8 Java: Add extension point and default sanitizer to Open Redirect query 2024-02-09 09:11:07 +01:00
Max Schaefer
082754a3d8 Remove problematic Kotlin model. 2024-02-07 13:21:59 +00:00
github-actions[bot]
b5139078d0 Post-release preparation for codeql-cli-2.16.2 2024-02-06 19:22:35 +00:00
Max Schaefer
705a377060 Address review comments. 2024-02-06 12:54:29 +00:00
github-actions[bot]
c1b35fbf47 Release preparation for version 2.16.2 2024-02-05 17:58:57 +00:00
Joe Farebrother
525f27173d Merge pull request #15396 from joefarebrother/android-sensitive-ui-text 
Java: Add query for sensitive data exposed in text fields
 2024-02-05 15:47:03 +00:00