5747 Commits

Author	SHA1	Message	Date
Andrew Eisenberg	6a49647a28	Merge pull request #17132 from github/aeisenberg-patch-1 ... Update CHANGELOG.md	2024-08-02 07:55:06 -07:00
Anders Schack-Mulligen	4d023f14a6	Merge pull request #17075 from RobbingDaHood/17052-second-try-do-not-expose-error-message ... Java: 17052 Second try: do not expose error message	2024-08-02 12:44:27 +02:00
Andrew Eisenberg	c8994003c1	Update CHANGELOG.md ... Drive-by fix of a typo.	2024-08-01 16:16:17 -07:00
Owen Mansel-Chan	6280ed2a6b	Merge pull request #13555 from am0o0/amammad-java-bombs ... Java: Decompression Bombs	2024-07-31 14:55:28 +01:00
Owen Mansel-Chan	8901b1fd14	Merge pull request #17100 from owen-mc/java/sensitive-log/ignore-tokenizer ... Java: whitelist variable names containing "tokenizer" for `java/sensitive-log`	2024-07-31 12:16:03 +01:00
am0o0	d560c1ea0f	fix formatting	2024-07-31 11:08:06 +02:00
am0o0	9110df6e80	Merge branch 'amammad-java-JWT' of https://github.com/am0o0/codeql into amammad-java-JWT	2024-07-31 11:04:24 +02:00
am0o0	c6814fcf47	merge duplicate module into a module file	2024-07-31 11:04:03 +02:00
am0o0	701e3d7e53	add same query but with local source support to comply with the CVE-2021-37580	2024-07-31 10:58:22 +02:00
am0o0	40eef25133	use more specefic Classes instead of Call	2024-07-30 18:07:03 +02:00
Owen Mansel-Chan	1cb5f35c56	Add change note	2024-07-30 16:29:38 +01:00
Owen Mansel-Chan	cd0af0fc57	Ignore types with methods which have annotations ... The motivation is test classes in JUnit 4 and 5 are currently FPs for this. They have methods with `@Test`, so this should fix the FPs.	2024-07-30 16:29:35 +01:00
Owen Mansel-Chan	44b6309e07	Add change note	2024-07-30 15:44:00 +01:00
Chris Smowton	8f52b2cd95	Fix link	2024-07-30 12:23:38 +01:00
Chris Smowton	a781522ca0	Copyedit documentation	2024-07-30 12:19:16 +01:00
am0o0	4dc1a10f71	update tests for zip4j, add aditional flow steps for zip4j, remove BombTypeInputStream class since we don't need it anymore, add a predicate which was for testing porpose and was junk	2024-07-29 18:10:04 +02:00
RobbingDaHood	1cb58922a2	Minor changes to formulations for java/error-message-exposure ... Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2024-07-29 16:48:15 +02:00
am0o0	c8749ff82e	Merge branch 'amammad-java-bombs' of https://github.com/am0o0/codeql into amammad-java-bombs	2024-07-28 12:15:23 +02:00
am0o0	0593eaad52	we don't need ConstructorCall for ZipFile anymore since we have a more accurate sink for this	2024-07-28 12:12:07 +02:00
am0o0	cc752113af	we don't need TypeInputStreamConstructorArgumentSink anymore	2024-07-28 12:09:52 +02:00
am0o0	7689db7d42	change apache commons sink	2024-07-28 12:09:33 +02:00
Am	96c142bf0a	Merge branch 'main' into amammad-java-JWT	2024-07-28 13:03:23 +03:30
am0o0	b5e7716579	remove flow states, remove string as sources	2024-07-28 11:26:18 +02:00
am0o0	46ddddc8cf	Merge tag 'codeql-cli/v2.18.1' into amammad-java-JWT ... Compatible with CodeQL CLI 2.18.1	2024-07-28 11:23:20 +02:00
am0o0	85b02b1399	use MethodCall instead of MethodAccess, change query id	2024-07-28 10:42:44 +02:00
am0o0	494f0b709e	Merge branch 'main' into amammad-java-JWT	2024-07-28 10:37:26 +02:00
am0o0	14cf47b906	comply with PascalCase/camelCase, remove redundant import	2024-07-28 10:28:28 +02:00
Daniel Winther Petersen	1c1ba7734f	Now alerts about exposing exception.getMessage() in servlet responses are split out of java/stack-trace-exposure into its own alert java/error-message-exposure because this is a better fit.	2024-07-25 18:12:45 +02:00
Owen Mansel-Chan	4c8da54b64	Merge pull request #17036 from chmodxxx/sbaddou/fix ... Java: Move SensitiveLoggerConfig source to extensible format	2024-07-23 14:55:26 +01:00
Salah Baddou	092de640fe	add change-notes	2024-07-23 11:04:56 +01:00
github-actions[bot]	49cc8f8ff8	Post-release preparation for codeql-cli-2.18.1	2024-07-22 22:00:48 +00:00
github-actions[bot]	368bcb684a	Release preparation for version 2.18.1	2024-07-22 21:30:50 +00:00
Chuan-kai Lin	23320b6e5e	Revert "Release preparation for version 2.18.1"	2024-07-22 13:22:49 -07:00
github-actions[bot]	55935fc123	Release preparation for version 2.18.1	2024-07-22 14:56:15 +00:00
Owen Mansel-Chan	9a66e66d66	Merge branch 'main' into amammad-java-bombs	2024-07-18 21:28:23 +01:00
am0o0	7bb7d83b26	remove duplicate sinks ... replace some RefType with DecompressionBomb::BombTypeInputStream	2024-07-18 20:55:59 +02:00
Owen Mansel-Chan	e6c1ff573a	Merge branch 'main' into max-schaefer-patch-1	2024-07-18 10:39:42 +01:00
Owen Mansel-Chan	e2356d9820	Merge pull request #16914 from owen-mc/java/android-app-detection ... Java: Improve Android app detection	2024-07-16 21:52:43 +01:00
am0o0	025aa77e79	add the snappy missed sink	2024-07-13 11:15:45 +02:00
am0o0	8c106964ec	remove duplicate parts thanks to @owen-mc	2024-07-13 11:11:07 +02:00
am0o0	8ba48e801a	fix examples	2024-07-13 10:28:19 +02:00
am0o0	dd3cc33298	move DecompressionBombsFlow::PathGraph to DecompressionBomb.ql	2024-07-13 10:24:07 +02:00
Am	a3b5d2a28d	Update java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp ... Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>	2024-07-13 10:20:43 +02:00
Am	4fbf76008e	Update java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp ... Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>	2024-07-13 10:20:25 +02:00
Max Schaefer	d5d0cf5d90	Java: Tag java/non-https-url with CWE-345	2024-07-11 13:37:09 +01:00
am0o0	7a5838f1a2	MethodAccess => MethodCall	2024-07-09 19:43:22 +02:00
am0o0	e87d2fe922	remove redundent imports	2024-07-09 19:41:06 +02:00
github-actions[bot]	ae3aba061b	Post-release preparation for codeql-cli-2.18.0	2024-07-08 13:30:13 +00:00
Angela P Wen	dc20b0d19e	Merge pull request #16921 from github/release-prep/2.18.0 ... Release preparation for version 2.18.0	2024-07-08 13:12:57 +02:00
Chris Smowton	d9573596c7	Merge pull request #16810 from smowton/smowton/feature/java-low-db-quality-query ... Java: add diagnostic query indicating low database quality	2024-07-08 12:06:42 +01:00