hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 19:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,514 Commits 1,672 Branches 157 Tags
codeql-cli-2.22.3
Commit Graph

13529 Commits

Author SHA1 Message Date
Tony Torralba
e43fff2d30 Use InlineExpectationsTest 2022-01-19 16:42:02 +01:00
Tony Torralba
02d0fa9188 Minor changes in QLDocs and a sanitizer's type 2022-01-19 16:42:01 +01:00
Tony Torralba
4313baf622 Big refactor: 
- Move classes and predicates to appropriate libraries
- Overhaul the endpoint identification algorithm logic to use taint tracking
- Adapt tests
 2022-01-19 16:42:00 +01:00
Tony Torralba
e0f4c73aed Move from experimental 2022-01-19 16:42:00 +01:00
Tony Torralba
6096080156 Use all possible packages for Fragment classes 
Also fix stub
 2022-01-19 16:23:11 +01:00
Benjamin Muskalla
52406dc8df Exclude logging sinks 
Those sinks are too coarse grained to be exposed as sinks on any model.
 2022-01-19 16:11:59 +01:00
Benjamin Muskalla
25d251c24f Exclude main methods from models 2022-01-19 16:11:59 +01:00
Tony Torralba
3c9fac0c6e Sync DataFlowImplForOnActivityResult.qll 2022-01-19 16:11:51 +01:00
Tony Torralba
6a4d2ee850 Apply code review suggestions 2022-01-19 16:08:31 +01:00
Tony Torralba
57ff13dd19 Sync DataFlowImplForOnActivityResult to latest changes 2022-01-19 16:08:31 +01:00
Tony Torralba
37916a8368 Fix previous merge 2022-01-19 16:08:31 +01:00
Tony Torralba
d9d9ad7d63 Use dedicated instance of DataFlow 2022-01-19 16:08:31 +01:00
Tony Torralba
aef63f69b0 Formatting 2022-01-19 16:08:30 +01:00
Tony Torralba
4b3029564c Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-01-19 16:08:29 +01:00
Tony Torralba
c675028537 Add Fragment and Activity edge case 2022-01-19 16:08:28 +01:00
Tony Torralba
9ae1f1cf85 QLDoc 2022-01-19 16:08:27 +01:00
Tony Torralba
211cb9370f Add the Intent parameter of onActivityResult as a source 2022-01-19 16:08:25 +01:00
Tony Torralba
520d8f5ec5 Add stubs 2022-01-19 16:06:23 +01:00
Chris Smowton
162b3822dd Merge pull request #7613 from github/smowton/admin/tag-random-used-once 
Remove security-severity tag to java/random-used-once
 2022-01-19 14:43:08 +00:00
Chris Smowton
c63fcb2c69 Add change note 2022-01-19 14:13:45 +00:00
Chris Smowton
f0645a34b9 Remove security-severity tag instead 
This leaves the Java query in the same state as its C# cousin.
 2022-01-19 14:06:40 +00:00
github-actions[bot]
f7240be136 Add changed framework coverage reports 2022-01-19 00:09:52 +00:00
Chris Smowton
84097468cc Merge pull request #7286 from luchua-bc/java/unsafe-url-forward-dispatch 
Java: CWE-552 Query to detect unsafe request dispatcher usage
 2022-01-18 18:19:20 +00:00
Chris Smowton
1e32514600 Avoid using this for a non-extending supertype, and remove needless casts 2022-01-18 17:20:40 +00:00
Benjamin Muskalla
9e91b805d6 Sort Lang3 models 2022-01-18 18:10:37 +01:00
Benjamin Muskalla
e6800c877c Merge Lang3 rows 2022-01-18 18:10:37 +01:00
Benjamin Muskalla
736e68820c Split out Lang3 models 2022-01-18 18:10:37 +01:00
Benjamin Muskalla
67b60dcf78 Sort Lang2 rows 2022-01-18 18:10:36 +01:00
Benjamin Muskalla
82bda6d573 Merge Lang2 summary models 2022-01-18 18:10:36 +01:00
Benjamin Muskalla
8eb6743586 Split out Lang2 rows 2022-01-18 18:10:33 +01:00
Chris Smowton
d744cf9053 Clean up guard logic: 
* Always sanitize after the second guard, not the first
* Only check basic-block dominance in one place
* One BarrierGuard extension per final guard
 2022-01-18 17:10:06 +00:00
Chris Smowton
748008ad51 Remove dangling reference to UnsafeRequestPath.java 2022-01-18 17:08:38 +00:00
luchua-bc
a3d65a8ed0 Update recommendation in qldoc and make examples more comprehendible 2022-01-18 17:01:26 +00:00
Tony Torralba
b16b0270d2 Merge pull request #6779 from atorralba/atorralba/android-implicit-pending-intents 
Java: CWE-927 - Query to detect the use of implicit PendingIntents
 2022-01-18 12:14:47 +01:00
Chris Smowton
9819752bdd Merge pull request #7526 from smowton/smowton/fix/restore-nodes-edges-consistency 
Don't include arg -> param edges in PathGraph::edges where arg is not reachable
 2022-01-18 11:05:47 +00:00
Benjamin Muskalla
7e215a5193 Merge pull request #7599 from bmuskalla/modelWriter 
Java: Model Appenable and Writer
 2022-01-18 11:55:27 +01:00
Tony Torralba
f103d45340 Merge branch 'main' into atorralba/android-implicit-pending-intents 2022-01-18 10:50:49 +01:00
Tony Torralba
3ff7710a18 Improve ExplicitIntent's QLDoc 2022-01-18 10:43:52 +01:00
Tony Torralba
fe2755c4a0 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-01-18 10:41:19 +01:00
Benjamin Muskalla
365a8d9bbd Fix flow for fluent appendable api 2022-01-18 10:41:00 +01:00
Benjamin Muskalla
8e6a15640f Model basic channel APIs 2022-01-18 10:40:39 +01:00
Anders Schack-Mulligen
fff3b5c5b4 Dataflow: Add qldoc. 2022-01-18 10:39:55 +01:00
Anders Schack-Mulligen
aa9912a699 Java: Fix expected output 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
71e39353ca Dataflow: Sync. 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
b22c4e3c56 Dataflow: Bugfix: include subpaths ending at a sink. 2022-01-18 10:34:14 +01:00
Anders Schack-Mulligen
dfa79f6119 Dataflow: Sync. 2022-01-18 10:30:09 +01:00
Anders Schack-Mulligen
46736a137c Dataflow: Don't include subpaths that can't reach a sink. 2022-01-18 10:30:09 +01:00
Chris Smowton
2c37885f6e Sync dataflow 2022-01-18 10:30:09 +01:00
Chris Smowton
7c9b44b4cb Don't include arg -> param edges in PathGraph::edges whose arg is not reachable 
This avoids lots of missing-node warnings from `codeql bqrs interpret` as it discards the nodes that occur in the `edges` relation but not `nodes`. The problem arises because subpaths introduced two variants of `reach`, one of which is more restrictive than simply `reach(succ) and succ = pred.getASuccessor()`, so it no longer suffices to just check that the successor is reachable.
 2022-01-18 10:30:09 +01:00
github-actions[bot]
b8959f7bdb Add changed framework coverage reports 2022-01-18 00:10:52 +00:00