Chris Smowton
6b9aed21df
Nullness library: recognise switches with null checks
2023-11-30 11:23:58 +00:00
Chris Smowton
79b77ae805
Add AST test for switch with null case
2023-11-30 11:23:58 +00:00
Chris Smowton
05caffc189
Update printast expectation
2023-11-30 11:23:58 +00:00
Chris Smowton
b21aaa75bc
Type-flow: treat pattern-switch on an array index similar to instanceof
2023-11-30 11:23:58 +00:00
Chris Smowton
7dd4030f51
Pattern cases: support type-flow
2023-11-30 11:23:58 +00:00
Chris Smowton
b6622d2f5b
usesType: support pattern cases
2023-11-30 11:23:58 +00:00
Chris Smowton
0f434e7f08
Add test for dataflow vs. pattern-switch
2023-11-30 11:23:58 +00:00
Chris Smowton
6c990c2cf6
Add pattern-case support and generally debug switch CFGs
These were reasonably broken beforehand, due to not taking switch rules into account in enough places, and confusing the expression/statement switch rule distinction with the distinction between switch statements and expressions.
(For example, `switch(x) { 1 -> System.out.println("Hello world") ... }` is a statement, but has a rule expression).
2023-11-30 11:23:58 +00:00
Chris Smowton
f4b45fa511
Support switch cases with binding patterns
2023-11-30 11:23:58 +00:00
Jami Cogswell
d5fd2db1bd
Java update UrlPathHelper tests
2023-11-29 15:23:11 -05:00
Chris Smowton
e110db58f8
Add test for empty argfile
2023-11-29 12:51:22 +00:00
Ian Lynagh
f48cc1a526
Kotlin: Move tests from test/kotlin to test-kotlin1
Matches test-kotlin2
2023-11-21 15:28:12 +00:00
Max Schaefer
ca334021ad
Merge pull request #14793 from github/max-schaefer/tainted-path-qhelp
Java: Improve QHelp for `java/path-injection` to mention less disruptive fixes.
2023-11-16 14:09:55 +00:00
Max Schaefer
a5e7ef424e
Revert "Add additional example."
This reverts commit 947b094387.
2023-11-16 11:54:16 +00:00
Max Schaefer
947b094387
Add additional example.
2023-11-16 10:06:19 +00:00
Max Schaefer
009d58034f
Address suggestions from review.
2023-11-16 10:05:54 +00:00
Max Schaefer
a46a7fadb2
Java: Improve QHelp for java/path-injection to mention less disruptive fixes.
2023-11-15 11:25:13 +00:00
Anders Schack-Mulligen
0d8986cfad
Java: Accept test changes.
2023-11-10 14:04:45 +01:00
Anders Schack-Mulligen
657c29f409
Java/C++: Share valueFlowStep.
2023-11-09 20:24:28 +01:00
Chris Smowton
c060827a5d
Merge pull request #14699 from smowton/smowton/feature/jdk21-sequenced-collections-models
Java: model JDK21 SequencedCollection, Set and Map
2023-11-09 14:15:08 +00:00
Tony Torralba
5442cdb49c
Merge pull request #14610 from atorralba/atorralba/java/jms-deserialization
Java: Add JMS sink to java/unsafe-deserialization
2023-11-08 09:10:20 +01:00
Chris Smowton
24b4b05be8
Add models for new Collections methods
2023-11-06 16:44:40 +00:00
Chris Smowton
5b72aee3ae
Java: model JDK21 SequencedCollection, Set and Map
2023-11-06 16:04:13 +00:00
Ian Lynagh
ceb3d14fe0
Merge pull request #14614 from igfoo/igfoo/enum
Kotlin: Make the enum test more precise
2023-10-31 16:18:12 +00:00
Ian Lynagh
e1f7f3cbd4
Kotlin: Add more info to enum test
2023-10-31 12:17:44 +00:00
Ian Lynagh
3c5b9ce0cd
Kotlin: Make the enum test more precise
In Kotlin 2 mode, there are more library classes matching Enum%, so the
output was spuriously different.
2023-10-27 11:15:12 +01:00
Dave Bartolomeo
d2afb20f3f
Merge remote-tracking branch 'origin/main' into dbartol/threat-models-2
2023-10-26 14:05:40 -04:00
Tony Torralba
7af3d239ab
Java: Add JMS sink to java/unsafe-deserialization
2023-10-26 16:46:19 +02:00
Anders Schack-Mulligen
35f6e6ebb4
Java: Update tests to new partial flow api
2023-10-26 14:09:03 +02:00
Michael Nebel
b3e5b86f0a
Java: Cleanup threat models tests.
2023-10-25 14:02:31 +02:00
Chris Smowton
b849a66c97
Update test expectations
2023-10-24 14:02:30 +01:00
Chris Smowton
e8c9708282
Autoformat
2023-10-24 11:06:19 +01:00
Chris Smowton
ac38d4c9c6
Mass rename L/RValue -> VarWrite/Read
2023-10-24 10:58:29 +01:00
Chris Smowton
f552a15aae
Mass-rename MethodAccess -> MethodCall
2023-10-24 10:30:26 +01:00
Dave Bartolomeo
fb1b41b649
Fix formatting
2023-10-19 17:20:38 -04:00
Dave Bartolomeo
bd7de83aab
Use extension packs for threat models
2023-10-19 17:07:26 -04:00
Tony Torralba
da44b13fd4
Merge pull request #14515 from atorralba/atorralba/java/spring-csrf-improv
Java: Improve java/spring-disabled-csrf-protection
2023-10-18 17:49:10 +02:00
Tony Torralba
4ecda9cccd
Add consistency check exception
2023-10-17 10:18:19 +02:00
Chris Smowton
3145c53a19
Accept test changes for JDK21
2023-10-16 22:00:41 +01:00
Chris Smowton
bd77f572f1
Compile collections test for Java 11
2023-10-16 21:54:09 +01:00
Tony Torralba
d08ee76b16
Java: Improve java/spring-disabled-csrf-protection
2023-10-16 16:01:14 +02:00
amammad
59fb479895
update tests
2023-10-14 12:28:58 +02:00
amammad
e34cc42441
fix a mistake
2023-10-14 12:18:13 +02:00
Chris Smowton
7fbba3a659
Java: adapt stub to ExecutorService change in JDK19
2023-10-13 20:30:28 +01:00
Chris Smowton
8f985e0045
Java: restrict test to source classes
2023-10-13 20:30:28 +01:00
Chris Smowton
0510b0c825
Java: restrict test to source methods
Otherwise it finds standard library methods that depend on stdlib internals as to what happens to get extracted. In particular the extractor bump to JDK21 led to MethodHandles being in scope and a new method being found; seems better to avoid considering the standard library at all.
2023-10-13 20:30:28 +01:00
Eric Bickle
7a4382fb69
Merge branch 'main' into fix/thread-resource-arithmetic
2023-10-10 09:38:16 -07:00
Michael Nebel
5c44f8bbad
Merge pull request #14370 from michaelnebel/java/enablethreatmodels
Java: Enable threat models for most Java queries.
2023-10-10 09:25:47 +02:00
Marcono1234
f3e5045259
Java: Add predicate MemberRefExpr::getReceiverExpr
2023-10-07 14:53:07 +02:00
Eric Bickle
000c1f7ec8
Java: Flow taint through ArithExpr for ThreadResourceAbuse
Ensure that tainted values flow through arithmetic operations when
checking for ThreadResourceAbuse vulnerabilities.
For example, multiplying 'number of seconds' by 1000 as an input
to Thread.Sleep, which accepts milliseconds, is a common scenario.
2023-10-06 14:24:37 -07:00