Rasmus Lerchedahl Petersen
0f95992b2f
Python: remove NonLibraryDataFlowCallable
...
this required managing parameters and their pre-update nodes a bit
2022-09-12 15:17:29 +02:00
erik-krogh
26d8553f6e
ensure consistent casing of names
2022-09-09 10:34:14 +02:00
github-actions[bot]
a9d80a5a48
Release preparation for version 2.10.5
2022-09-08 11:35:54 +00:00
Taus
8b8e74cc9a
Merge pull request #10314 from RasmusWL/revert-alert-msgs-change
2022-09-08 13:00:47 +02:00
Ahmed Farid
64bb022adf
Add www-authenticate to sensitiveheaders()
2022-09-07 11:12:53 +01:00
Rasmus Lerchedahl Petersen
0cfb49102b
Python: fix non-US spelling
2022-09-07 09:30:42 +02:00
Rasmus Wriedt Larsen
5f6e3dcc2e
Python: Revert changes to sensitive data query alert messages
...
This partly reverts the changes from https://github.com/github/codeql/pull/10252
Although consistency is nice, the new messages didn't sound as natural.
New alert message would read
> Insecure hashing algorithm (md5) depends on sensitive data (password). (...)
I'm not sure what it means that a hashing algorithm depends on data. So
for me, the original text below is much easier to understand.
> Sensitive data (password) is used in a hashing algorithm (md5) that is insecure (...)
Same goes for the other sensitive data queries.
2022-09-06 12:01:24 +02:00
Rasmus Wriedt Larsen
a9e1e72196
Merge branch 'main' into shared-http-client-request
2022-09-06 10:52:27 +02:00
Ahmed Farid
23871b3f5a
Update Concepts.qll
2022-09-05 18:26:56 +01:00
Taus
c19574b9a4
Merge pull request #10267 from yoff/python/port-EmptyExcept
...
python: Rewrite EmptyExcept from `points-to` to API graph
2022-09-05 14:11:34 +02:00
Rasmus Lerchedahl Petersen
5fc1bbc8c5
Python: Only alert on Python 2 code
...
since
- Python 3 is ok from 3.7 onwards
- support for Python 3.6 was just dropped
- we do not actually know the minor version of the analysed code
(only of the extractor)
2022-09-05 13:38:14 +02:00
erik-krogh
0de0325c8e
change the alert-message for py/modification-of-default-value
2022-09-05 13:30:56 +02:00
Rasmus Lerchedahl Petersen
afb50212a0
Python: update version check
...
doc said 3.5, experience says 3.7
2022-09-05 10:50:53 +02:00
Ahmed Farid
f84331f5a5
Provides classes for modeling HTTP Header APIs
2022-09-05 00:53:10 +01:00
Ahmed Farid
94b91536f9
Replacing getParameter by getArg and getArgByName
2022-09-03 14:05:07 +01:00
Ahmed Farid
a50c226ca9
Autoformat
2022-09-03 12:10:55 +01:00
erik-krogh
089ce5a8a4
change alert messages of path queries to use the same template
2022-09-02 14:45:40 +02:00
Erik Krogh Kristensen
6cee635cb5
Merge pull request #10180 from erik-krogh/fixTags
...
Add missing security tags
2022-09-02 08:04:57 +02:00
Rasmus Lerchedahl Petersen
0599e8ac35
python: add version check
...
and attempt to set version for tests
2022-09-01 23:47:07 +02:00
Rasmus Lerchedahl Petersen
1d2d28be76
python: replace points-to with API graph
2022-09-01 23:24:10 +02:00
Rasmus Lerchedahl Petersen
d102a84e02
python: replace points-to with API graph
2022-09-01 22:58:46 +02:00
Rasmus Lerchedahl Petersen
163bfc4f71
python: replace points-to with API graph
...
- values are identified via `API::builtin`
- `points-to` is approximated by `getAValueReachableFromSource`
2022-09-01 22:47:32 +02:00
Rasmus Lerchedahl Petersen
93fcaf24c1
python: RaisingTuple.ql to not use points-to
...
Use local dataflow instead and simply check for tuple literals.
2022-09-01 21:45:57 +02:00
Edoardo Pirovano
8f332714f4
Merge pull request #10260 from github/edoardo/3.7-mergeback
...
Merge `rc/3.7` into `main`
2022-09-01 15:44:17 +01:00
Ahmed Farid
0fd684cde8
Add more source of crypto call
2022-08-31 17:13:43 +01:00
Ahmed Farid
cf83b07aae
Add more source of crypto call
2022-08-31 17:04:02 +01:00
Ahmed Farid
daff7775ca
Update TimingAttack.qll
2022-08-31 16:09:22 +01:00
Ahmed Farid
a42cb20b86
Update TimingAttack.qll
2022-08-31 16:07:58 +01:00
Ahmed Farid
13d1a4fdc1
Update TimingAttackAgainstHeaderValue.ql
2022-08-31 12:46:17 +01:00
Ahmed Farid
12960fd00f
Update TimingAttack.qll
2022-08-31 12:39:46 +01:00
Ahmed Farid
f2688c4a02
Update select statement
2022-08-31 12:39:00 +01:00
Ahmed Farid
275ed0d6e5
Update select statement
2022-08-31 12:37:36 +01:00
Ahmed Farid
740bf716cb
Update TimingAttack.qll
2022-08-31 12:22:01 +01:00
Ahmed Farid
ca28d79541
Prevent crosstalk between the configurations
2022-08-31 11:15:39 +01:00
Ahmed Farid
133a3c19f0
Add more source of crypto call
2022-08-31 11:09:24 +01:00
Ahmed Farid
23f268f3b9
Import Django and Flask model
2022-08-30 16:39:40 +01:00
Ahmed Farid
de58d0f024
Update the subclasses of ClientSuppliedSecret class
2022-08-30 16:34:43 +01:00
Ahmed Farid
0177cd810e
Update suspicious()
2022-08-30 13:58:54 +01:00
Ahmed Farid
9995e91bb7
Update the name of the class (and its subclasses)
2022-08-29 18:57:56 +01:00
Ahmed Farid
b2551a5581
Update the name of the class (and its subclasses)
2022-08-29 18:30:43 +01:00
Ahmed Farid
baa0fd4148
Convert %UserPass% word to lowercase
2022-08-29 18:25:26 +01:00
Ahmed Farid
141b65fea8
Fix typo
2022-08-29 18:18:19 +01:00
Ahmed Farid
199e3d9462
Rename the query ID
2022-08-29 18:13:45 +01:00
Ahmed Farid
66fb420d00
Update PossibleTimingAttackAgainstHash.ql
2022-08-29 18:08:09 +01:00
erik-krogh
f678c8a967
PY: add python change-note
2022-08-29 13:08:52 +02:00
erik-krogh
4353937bcf
PY: add missing security tags on Python queries
2022-08-29 13:08:47 +02:00
github-actions[bot]
3b4ad3c4f1
Post-release preparation for codeql-cli-2.10.4
2022-08-26 09:32:11 +00:00
erik-krogh
cc7a9ef97a
rename more acronyms
2022-08-25 20:52:27 +02:00
Erik Krogh Kristensen
06afe9c0f4
Merge pull request #9816 from erik-krogh/msgConsis
...
Make alert messages consistent across languages
2022-08-25 15:20:01 +02:00
github-actions[bot]
0f63bc077f
Release preparation for version 2.10.4
2022-08-25 12:52:26 +00:00