hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,514 Commits 1,671 Branches 157 Tags
codeql-cli-2.22.3
Commit Graph

3117 Commits

Author SHA1 Message Date
Jonas Jensen
76440120d1 Merge pull request #18737 from jbj/NumericCastTaintedQuery-selectedLocation 
Java: precise diff-informed NumericCastTainted
 2025-02-11 15:33:28 +01:00
Jonas Jensen
71c078dbdd Java: precise diff-informed NumericCastTainted 
It was discovered by the upcoming support for exact locations matching
in diff-informed testing that this data-flow configuration did not
correspond exactly to the query.
 2025-02-11 13:49:15 +01:00
Tom Hvitved
e5e88435bc Java: Remove ExitBasicBlock from SsaInput 2025-02-11 10:07:18 +01:00
Tom Hvitved
6fbb1e2571 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2025-02-11 10:06:50 +01:00
Anders Schack-Mulligen
e955f58eb1 Java: Bugfix for samevar in useReaches. 2025-02-11 10:06:49 +01:00
Anders Schack-Mulligen
ed284353ef Java: Bugfix for qualifier-of-qualifier update in hasExplicitQualifierUpdate. 2025-02-11 10:06:47 +01:00
Anders Schack-Mulligen
284e48cfbe Java: Fixup private 2025-02-11 10:06:45 +01:00
Tom Hvitved
75137a0f4c Java: Adopt shared SSA library 2025-02-11 10:06:43 +01:00
Jami Cogswell
d21c8d789b Java: restrict sink to first arg of two-arg constructor call 2025-02-05 21:19:59 -05:00
Jami Cogswell
bd47dcc87d Java: check first arg for taint 2025-02-05 16:56:16 -05:00
Jami Cogswell
e8724ab220 Java: sanitize constructor call instead and update test cases 2025-02-05 15:46:10 -05:00
Jami Cogswell
4a4585a526 Java: move comment 2025-02-05 11:36:58 -05:00
Jami Cogswell
59d454771d Java: add FileConstructorSanitizer and tests 2025-02-04 17:51:23 -05:00
Jonas Jensen
0584aee72a Merge pull request #18636 from jbj/diff-informed-java-location-fixups 
Java: make diff-informed queries exact
 2025-02-03 15:22:43 +01:00
Jonas Jensen
7ad6f13bf5 Java: adjust CommandLineQuery locations 
It turns out these locations need to be precise.
 2025-01-31 11:37:16 +01:00
Jami Cogswell
530103e2d9 Java: narrow query 
remove PUT and DELETE from StaplerCsrfUnprotectedMethod

remove OPTIONS and TRACE from SpringCsrfUnprotectedMethod
 2025-01-30 10:14:31 -05:00
Jami Cogswell
f3721ebccf Java: refactor unprotectedDatabaseUpdate 2025-01-30 10:14:26 -05:00
Jami Cogswell
530a77e5a0 Java: refactor into canTargetDatabaseUpdateMethod 2025-01-30 10:14:24 -05:00
Jami Cogswell
8173fd01b8 Java: use two negations 2025-01-30 10:14:22 -05:00
Jami Cogswell
0462425191 Java: rename getMethod to getMethodValue 2025-01-30 10:14:20 -05:00
Jami Cogswell
20e8eb4323 Java: some clean-up and refactoring 2025-01-30 10:14:18 -05:00
Jami Cogswell
26b7c1a572 Java: qldocs for CallGraph module 2025-01-30 10:14:09 -05:00
Jami Cogswell
48d55ec518 Java: performance fix 2025-01-30 10:14:03 -05:00
Jami Cogswell
48d1fe062b Java: remove exists variable 2025-01-30 10:13:59 -05:00
Jami Cogswell
39ccde0c9d Java: add name-based heuristic 2025-01-30 10:13:54 -05:00
Jami Cogswell
286c655264 Java: add class for Stapler web methods that are not default-protected from CSRF 2025-01-30 10:13:52 -05:00
Jami Cogswell
0f39011122 Java: add taint-tracking config for execute to exclude FPs from non-update queries like select 2025-01-30 10:13:50 -05:00
Jami Cogswell
97aaf4c011 Java: handle MyBatis annotations for insert/update/delete 2025-01-30 10:13:48 -05:00
Jami Cogswell
df77d4914f Java: initial tests 2025-01-30 10:13:45 -05:00
Jami Cogswell
c553e3132e Java: add CallGraph module for displaying call graph paths 2025-01-30 10:13:41 -05:00
Jami Cogswell
87a8746b22 Java: add a class for methods that update a sql database (found using sql-injection nodes) 2025-01-30 10:13:39 -05:00
Jami Cogswell
43a288070c Java: add a class for PreparedStatement methods that update a database 2025-01-30 10:13:37 -05:00
Jami Cogswell
b88731df80 Java: move contents of MyBatisMapperXML.qll in src to MyBatis.qll in lib so importable, and fix experimental files broken by the move 2025-01-30 10:13:27 -05:00
Jami Cogswell
8e9f21dc52 Java: add a class for MyBatis Mapper methods that update a database 2025-01-30 10:01:43 -05:00
Jami Cogswell
506d668289 Java: add class for Spring request mapping methods that are not default-protected from CSRF 2025-01-30 10:01:41 -05:00
Michael Nebel
ee5416f0b1 Merge pull request #18299 from michaelnebel/java/deprecateexperimental 
Java: Deprecate experimental queries.
 2025-01-29 10:41:25 +01:00
Owen Mansel-Chan
0ccf4cecb8 Fix XSS FPs when content type is safe 2025-01-28 15:32:30 +00:00
erik-krogh
c7fc164680 java: remove the 2 from SafeTransformerFactoryFlow, not that the previous naming conflict has been deleted 2025-01-28 09:13:59 +01:00
erik-krogh
34f5f61a10 all: use my script to delete outdated deprecations 2025-01-27 22:16:48 +01:00
Michael Nebel
98d6353f12 Java: Address review comments. 2025-01-27 11:21:44 +01:00
Michael Nebel
cc48cec1c7 Java: Deprecate experimental model activation. 2025-01-27 10:22:17 +01:00
Jonas Jensen
773a98a9eb Merge pull request #18340 from jbj/diff-informed-getASelectedLocation 
Java: make more queries diff-informed with getASelectedLocation
 2025-01-22 14:25:33 +01:00
Anders Schack-Mulligen
5bfd22e60a Merge pull request #18552 from aschackmull/java/xss-regex-perf 
Java: Improve performance of XSS regex.
 2025-01-22 11:28:49 +01:00
Owen Mansel-Chan
b4c8390991 Merge pull request #18137 from owen-mc/java/jax-rs-annotation-inheritance 
Java: Update JAX-RS annotation inheritance
 2025-01-21 15:26:47 +00:00
Anders Schack-Mulligen
0f96e79264 Java: Improve performance of XSS regex. 2025-01-21 14:41:08 +01:00
Jonas Jensen
eacc600b29 Java: annotate a query as not selecting sources 
This is for performance in diff-informed mode but also for avoiding
spurious entries in the code scanning timeline and alert list.
 2025-01-21 12:56:06 +01:00
Owen Mansel-Chan
6fa18be0cc Fix QLDocs 2025-01-20 22:07:01 +00:00
Owen Mansel-Chan
883301938b Merge pull request #18161 from owen-mc/java/weak-crypto-algo-more-informative 
Java: Make `java/weak-cryptographic-algorithm` give  a reason why the algo is insecure
 2025-01-13 23:43:04 +00:00
yoff
599411b440 Merge pull request #17787 from yoff/shared/add-location-to-typetracking-nodes 
shared: Add locations to type tracking nodes
 2025-01-13 23:06:09 +01:00
Tom Hvitved
303b11ec36 Merge pull request #18298 from hvitved/rust/mad-source-sink 
Rust: Add support for MaD sources and sinks with access paths
 2025-01-10 11:49:51 +01:00