hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,000 Commits 1,671 Branches 157 Tags
codeql-cli-2.21.3
Commit Graph

3063 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
c20f12fa6c Add qldoc. 2024-10-16 14:35:23 +02:00
Anders Schack-Mulligen
fae71756eb Go: Add tentative support for speculative taint flow. 2024-10-16 14:35:21 +02:00
Anders Schack-Mulligen
c80627a3d3 Dataflow: add plumbing for adding provenance to state-steps. 2024-10-16 14:35:18 +02:00
Kevin Stubbings
374b13e1bb Remove path sanitizer 2024-10-15 14:34:11 -07:00
Kevin Stubbings
1287f1befc Address feedback 2024-10-15 14:01:14 -07:00
Owen Mansel-Chan
5efb88ed1f Merge pull request #17737 from owen-mc/go/extractor/objecttypes-consistency-generics-2 
Go: extractor/objecttypes consistency generics (second try)
 2024-10-15 15:50:45 +01:00
github-actions[bot]
079ab77a38 Post-release preparation for codeql-cli-2.19.2 2024-10-15 12:16:59 +00:00
github-actions[bot]
255f55cf1a Release preparation for version 2.19.2 2024-10-15 10:29:25 +00:00
Owen Mansel-Chan
1626af0ae1 Merge pull request #17748 from owen-mc/go/join-order-fix/data-flow-node-gettype 
Go: Fix bad join order in `SummarizedParameterNode.gettype`
 2024-10-15 10:14:38 +01:00
Kevin Stubbings
d195273bf4 Add mux.Vars() and url.Path sanitizers 2024-10-14 19:49:29 -07:00
Edward Minnix III
ade5686e52 Merge pull request #17335 from egregius313/egregius313/go/dataflow/models/stdin 
Go: Implement `stdin` models
 2024-10-14 10:38:27 -04:00
Owen Mansel-Chan
1456ec2119 Fix bad join order in SummarizedParameterNode.gettype 
Specifically the disjunct for this.getPos() != -1. Running on
uber/aresdb, before we had this:

   2403   ~1%    {3} r6 = JOIN `DataFlowUtil::SummarizedParameterNode.getPos/0#dispred#70a2aab4` WITH `DataFlowPrivate::FlowSummaryNode.getSummarizedCallable/0#dispred#e79ea9be` ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Rhs.1
9149774   ~5%    {4}    | JOIN WITH `Types::SignatureType.getParameterType/1#dispred#2c11bb7b_102#join_rhs` ON FIRST 1 OUTPUT Lhs.2, Rhs.1, Lhs.1, Rhs.2
    923   ~9%    {2}    | JOIN WITH `Scopes::Callable.getType/0#dispred#55a0e6a2` ON FIRST 2 OUTPUT Lhs.2, Lhs.3

We add a binding pragma to make it not bind on this.getPos() until
necessary. After we have this:

   2403   ~0%    {3} r6 = JOIN `DataFlowUtil::SummarizedParameterNode.getPos/0#dispred#70a2aab4` WITH `DataFlowPrivate::FlowSummaryNode.getSummarizedCallable/0#dispred#e79ea9be` ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1
   2373   ~0%    {3}    | JOIN WITH `Scopes::Callable.getType/0#dispred#55a0e6a2` ON FIRST 1 OUTPUT Rhs.1, Lhs.2, Lhs.1
    923   ~9%    {2}    | JOIN WITH `Types::SignatureType.getParameterType/1#dispred#2c11bb7b` ON FIRST 2 OUTPUT Lhs.2, Rhs.2
 2024-10-13 14:27:51 +01:00
Owen Mansel-Chan
9381dda4a9 Use un-specialized field when extracting struct types 2024-10-11 11:30:02 +01:00
Owen Mansel-Chan
6bf6ed6f48 Add check for object for specialized named type 2024-10-11 11:30:00 +01:00
Owen Mansel-Chan
a810309160 Add check for specialized objects 2024-10-11 11:29:58 +01:00
Owen Mansel-Chan
45710e23c6 Always use generic method object 2024-10-11 11:29:57 +01:00
Owen Mansel-Chan
d013c8940d Revert "Go: extractor/objecttypes consistency generics" 2024-10-10 21:37:44 +01:00
Owen Mansel-Chan
513efe222d Add check for object for specialized named type 2024-10-10 13:59:51 +01:00
Owen Mansel-Chan
6f6b4a0bfe Add check for specialized objects 2024-10-10 13:59:49 +01:00
Owen Mansel-Chan
d295cac697 Always use generic method object 2024-10-10 13:59:47 +01:00
Edward Minnix III
0abc0d1a67 Fix: ActiveThreatModelSource 2024-10-09 11:35:07 -04:00
Owen Mansel-Chan
500992c499 Update qhelp to explain possible source of FPs 2024-10-09 15:08:48 +01:00
Chris Smowton
58fd1a2241 Merge pull request #17357 from smowton/smowton/feature/go-indistinguishable-types 
Go: extract and expose struct tags, interface method IDs
 2024-10-09 11:06:02 +01:00
Chris Smowton
837387aeae Re-optimise isSensitive routine 2024-10-08 19:23:31 +01:00
Chris Smowton
629a7a601d Further optimise guardingFunction: remove redundant condition, and order guard -> guardFunction case to work backwards from interesting return sites, allowing us to go backwards not forwards through BasicBlock::dominates 2024-10-08 19:23:30 +01:00
Chris Smowton
d401891d30 copyedit 2024-10-08 19:23:29 +01:00
Chris Smowton
c79da8b2b5 Avoid pathological case where getExampleMethodName picks a very common method name 2024-10-08 19:23:28 +01:00
Chris Smowton
ed9a6bd820 Further join order optimisations 2024-10-08 19:23:27 +01:00
Chris Smowton
bf5ba33c2e Improve join orders for top 5 perf regressions in QA 2024-10-08 19:23:26 +01:00
Chris Smowton
365ccf4903 autoformat 2024-10-08 19:23:25 +01:00
Chris Smowton
36a031833f Further optimisation 2024-10-08 19:23:24 +01:00
Chris Smowton
ab99509a11 Rework interface for querying private interface method ids 2024-10-08 19:23:22 +01:00
Chris Smowton
0f95a8d724 Clarify doc 2024-10-08 19:23:21 +01:00
Chris Smowton
288e0ec565 component_tags -> struct_tags 2024-10-08 19:23:20 +01:00
Chris Smowton
c1a1edf24e Autoformat 2024-10-08 19:23:19 +01:00
Chris Smowton
74cba9056b Optimise join orders 2024-10-08 19:23:18 +01:00
Chris Smowton
d04a0f4b87 Add note explaining how to regenerate dbscheme 2024-10-08 19:23:17 +01:00
Chris Smowton
1511927a2b Remove unnecessary table population on upgrade 2024-10-08 19:23:15 +01:00
Chris Smowton
fd615fb7a3 Prevent bad magic 2024-10-08 19:23:14 +01:00
Chris Smowton
442e58188b Update stats 2024-10-08 19:23:13 +01:00
Chris Smowton
e1963a5fcd autoformat 2024-10-08 19:23:12 +01:00
Chris Smowton
7a7ff4a91e Apply review comments 2024-10-08 19:23:11 +01:00
Chris Smowton
5d14070cd4 Fix test file 2024-10-08 19:23:10 +01:00
Chris Smowton
22ed2f9ae3 Autoformat CodeQL 2024-10-08 19:23:09 +01:00
Chris Smowton
9bb2a4bfce Change note 2024-10-08 19:23:07 +01:00
Chris Smowton
dcbb66d366 Go: extract and expose struct tags, interface method IDs 
This enables us to distinguish all database types in QL. Previously structs with the same field names and types but differing tags, and interface types with matching method names and at least one non-exported method but declared in differing packages, were impossible or only sometimes possible to distinguish in QL. With this change these types can be distinguished, as well as permitting queries to examine struct field tags, e.g. to read JSON field name associations.
 2024-10-08 19:23:06 +01:00
dependabot[bot]
26f8e64a35 Bump golang.org/x/tools 
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/tools` from 0.25.0 to 0.26.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.25.0...v0.26.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-10-07 09:26:56 +00:00
Tom Hvitved
16feaf15e2 Go: Update expected test output 2024-10-07 09:23:39 +02:00
Chris Smowton
05d2e16de3 autoformat 2024-10-02 15:25:36 +01:00
Ed Minnix
f8335e6163 Fix formatting 2024-10-01 15:58:07 -04:00