Commit Graph

5752 Commits

Author SHA1 Message Date
intrigus
1901f6bf55 Java: Make @id @name of query more similar. 2021-01-12 15:36:55 +01:00
intrigus
9b3070ab7c Java: Add JXBrowser disabled certificate query. 2021-01-12 14:48:22 +01:00
intrigus
85286f362c Java: Replace global flow by local flow 2021-01-11 19:02:07 +01:00
intrigus-lgtm
722bd4dafa Java: Revise qhelp 2021-01-11 18:57:24 +01:00
intrigus-lgtm
4cfdb10ddc Java: Improve QLDoc & simplify code
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-01-11 18:50:43 +01:00
luchua-bc
86c04e6971 Detect the scenario of passwords concatenated with a salt to reduce FPs 2021-01-11 16:59:57 +00:00
intrigus
5c1e746c96 Java: Rename to EnvReadMethod 2021-01-11 13:42:08 +01:00
intrigus
1eb2b75389 Java: Further reduce FPs, simplify Flag2Guard flow 2021-01-11 13:42:08 +01:00
intrigus
b4692734b2 Java: Add QLDoc improve query message 2021-01-11 13:42:08 +01:00
intrigus-lgtm
f4b912cd8a Apply suggestions from doc review
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2021-01-11 13:42:08 +01:00
intrigus
e11304a1ca Java: Autoformat 2021-01-11 13:42:08 +01:00
intrigus-lgtm
b8f3e64a0f Apply suggestions from code review
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2021-01-11 13:42:08 +01:00
intrigus
502e4c39f5 Java: Fix Qhelp 2021-01-11 13:42:08 +01:00
intrigus-lgtm
355cb6eeec Fix Qhelp format
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2021-01-11 13:42:07 +01:00
intrigus-lgtm
10fc2cf9f8 Apply suggestions from code review
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-11 13:42:07 +01:00
intrigus
9e2ef9bd74 Java: Filter results by feature flags.
This ignores results that are guarded by a feature flag
that suggests an intentionally insecure feature.
Inspired by Go's `InsecureFeatureFlag.qll` and
`DisabledCertificateCheck.ql`.
2021-01-11 13:42:07 +01:00
intrigus
a62a2e58dd Java: Improve QL-Doc 2021-01-11 13:42:07 +01:00
intrigus
d98b171998 Java: Make EnvTaintedMethod public + QL-Doc 2021-01-11 13:42:07 +01:00
intrigus
e021158b5f Java: Tighter model of HostnameVerifier#verify
This more tightly models `HostnameVerifier#verify`; previously it
was possible to accidentally match other methods called `verify`.
2021-01-11 13:42:07 +01:00
intrigus
0a9df07df7 Apply suggestions from review. 2021-01-11 13:42:07 +01:00
intrigus
70b0703952 Java: Remove overlapping code 2021-01-11 13:42:07 +01:00
intrigus
3da1cb0879 Java: Add unsafe hostname verification query 2021-01-11 13:42:07 +01:00
intrigus
8df5d77398 Java: Model HostnameVerifier method
Model `HostnameVerifier#setDefaultHostnameVerifier`
2021-01-11 13:42:06 +01:00
Anders Schack-Mulligen
3a2dd8f1ed Merge pull request #4867 from RasmusWL/java-externalapis-taint-step
Java: Fix taint-step handling for untrusted-data-external-api
2021-01-11 13:36:59 +01:00
Rasmus Wriedt Larsen
00c253a710 Java: Don't ignore local taint steps (fixup) 2021-01-08 15:29:01 +01:00
luchua-bc
39103af718 Remove additional taint step 2021-01-08 13:02:57 +00:00
Anders Schack-Mulligen
e5b4975450 Merge pull request #4675 from luchua-bc/cleartext-storage-shared-prefs
Java: Query to detect cleartext storage of sensitive information using Android SharedPreferences
2021-01-08 12:41:34 +01:00
luchua-bc
b56fe2b25f Remove specific method name in additional taint step 2021-01-07 16:31:21 +00:00
luchua-bc
606d0946fc Update qldoc 2021-01-07 14:05:12 +00:00
luchua-bc
19ff00bad4 Enhance the additional step flow and update qldoc 2021-01-07 13:15:30 +00:00
luchua-bc
b54e5b1c49 Revamp the library module 2021-01-07 12:44:59 +00:00
luchua-bc
ce2db21f15 Query to detect hash without salt 2021-01-06 17:30:04 +00:00
Francis Alexander
1f5a466e46 Playframework test cases & review fixes 2021-01-06 22:57:14 +05:30
luchua-bc
f13b8814f5 Update class/method names in the module 2021-01-06 16:49:35 +00:00
luchua-bc
5690bf49f4 Optimize the query 2021-01-06 16:21:26 +00:00
luchua-bc
3d26e5b8a4 Update qldoc 2021-01-06 12:41:00 +00:00
luchua-bc
f1763ae354 Use the sensitive info sink 2021-01-06 01:48:19 +00:00
luchua-bc
367ff99909 Change the source to be the request variable 2021-01-05 17:30:19 +00:00
Chris Smowton
e87fd86e63 Merge pull request #4814 from luchua-bc/java/password-in-configuration
Java: Password in Java EE configuration files
2021-01-05 11:42:27 +00:00
Jonathan Leitschuh
ba4a562c9a Update PrintAst.actual with new test output 2021-01-04 23:37:58 -05:00
luchua-bc
195755d687 Revamp the query to be more selective 2021-01-05 00:04:08 +00:00
luchua-bc
496db4b42f Factor isGetServletMethod into the servlet library 2021-01-04 16:14:13 +00:00
Jonathan Leitschuh
028e4756bb Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-01-04 10:13:52 -05:00
luchua-bc
c069a5b4c6 Factor private host regex into the networking library and enhance the query 2021-01-04 14:51:32 +00:00
Jonathan Leitschuh
54950c2f42 Add MethodAccessSystemGetProperty predicate 2021-01-01 20:07:45 -05:00
luchua-bc
ffe9d4a310 Sensitive GET Query 2020-12-26 16:51:30 +00:00
Rasmus Wriedt Larsen
874af7637f Java: Fix taint-step handling for untrusted-data-external-api
The previous implementation would not handle any `AdditionalTaintStep`
subclasses.
2020-12-22 11:02:50 +01:00
luchua-bc
4ec78d04f8 Insecure LDAP authentication 2020-12-21 00:15:15 +00:00
luchua-bc
bfb138d415 Update qldoc 2020-12-17 14:42:14 +00:00
luchua-bc
7b44ee50ea Revamp the functions to have a string parameter 2020-12-17 14:26:13 +00:00