Tony Torralba
ce600367df
Java: Add support for Kotlin's apply to java/android/unsafe-android-webview-fetch
2023-07-10 17:40:16 +02:00
github-actions[bot]
13cf054a9d
Post-release preparation for codeql-cli-2.14.0
2023-07-07 14:55:41 +00:00
github-actions[bot]
6484ee106e
Release preparation for version 2.14.0
2023-07-07 08:22:14 +00:00
Taus
f666260cd8
Java: Add meta query for metrics gathering
Exposes the same information as the existing queries through two query
predicates instead. This makes the downstream data gathering a bit more
convenient to implement.
2023-07-06 16:59:15 +02:00
Taus
36c6c7235c
Java: Move instance counting logic into utility library
2023-07-06 16:59:15 +02:00
Dave Bartolomeo
9631e9f2f1
Bump minor version numbers post-GHES
2023-07-06 10:10:01 -04:00
Dave Bartolomeo
2bb9adfbf1
Merge remote-tracking branch 'origin/main' into dbartol/mergeback-3.10
2023-07-06 10:00:46 -04:00
Taus
97610d2cac
Java: Add query for counting sink model instances
Also adds a more sensible ordering to the existing queries.
2023-07-04 14:24:52 +02:00
Taus
b7e4bd290d
Java: Use an IPA type instead of a string
While the string representation is useful for quickly modifying queries, it's
a bit clunky when the data needs to be further parsed. Instead, the two queries
now select all of the columns of the sinkmodel separately (which makes it easy
to pull them out of the relevant output later on).
2023-07-03 23:17:55 +02:00
Michael Nebel
23a119b8c2
Java/C#: Reduce the amount of telemetry being produced.
2023-07-03 16:54:07 +02:00
Taus
6f24d939f6
Java: Also select query id
2023-07-01 15:04:06 +02:00
Taus
dca227389d
Java: Add metric queries for counting sinks coming from models
Adds two queries for gathering metrics on the number of alerts (for a selection of queries)
that arise from models with the `ai-generated` provenance.
2023-06-30 15:07:13 +02:00
github-actions[bot]
668aaa2dc8
Post-release preparation for codeql-cli-2.13.5
2023-06-30 08:51:48 +00:00
Koen Vlaswinkel
6806b8750d
Java: Use getSourceDeclaration to handle generic types
2023-06-29 11:49:16 +02:00
github-actions[bot]
9d7987f822
Release preparation for version 2.13.5
2023-06-29 09:26:18 +00:00
Paul Hodgkinson
bfbb77a796
Merge branch 'main' into java/experimental/command-injection
2023-06-29 09:51:14 +01:00
aegilops
01798f63f8
Switched to new dataflow and added a test (but it doesn't produce results yet)
2023-06-28 17:14:39 +01:00
Koen Vlaswinkel
fcb2f1082c
Java: Fix external API name for nested types
This fixes the name of reported external APIs for nested types.
The `toString()` method of `getSourceDeclaration()` would report the
name of a type, but not the name of the enclosing type. This results
in missing information in the `UnsupportedExternalAPIs.ql` query.
For example, previously it would report:
```
org.zapodot.junit.db.Builder#build()
```
However, the `Builder` class does not exist in the package and is only
a nested type within `EmbeddedDatabaseRule`. The correct name should be:
```
org.zapodot.junit.db.EmbeddedDatabaseRule$Builder#build()
```
This name also matches the format of MaD.
2023-06-27 15:23:55 +02:00
Tony Torralba
a7c2a25cac
Merge pull request #12879 from atorralba/atorralba/java/command-injection-mad-sinks
Java: Convert all command injection sinks to MaD format
2023-06-27 14:06:45 +02:00
Tony Torralba
3c3b53001f
Merge pull request #13550 from jorgectf/jorgectf/lang2-models
Java: Add models for `org.apache.commons.lang`
2023-06-27 11:20:59 +02:00
amammad
45499b03d2
change query file name same as qhelp name
2023-06-26 21:23:22 +10:00
amammad
21b5571bff
V1.1 add additional steps for read methods which I can summarize every single declared sanitizer on the sink within isSink predicate
2023-06-25 00:35:37 +10:00
amammad
7354db873a
V1 Bombs
2023-06-24 08:57:57 +10:00
jorgectf
2dc4f23dbb
Add models for org.apache.commons.lang
2023-06-23 19:34:21 +02:00
Jorge
7d0b880bf7
Merge branch 'main' into jorgectf/deserialization-lookahead
2023-06-23 18:24:39 +02:00
jorgectf
b6e4ba6f9d
Add SerialKiller model
2023-06-23 18:19:43 +02:00
Henry Mercer
5afdaf8fe1
Merge pull request #13525 from github/rc/3.10
Merge `rc/3.10` back to `main`
2023-06-21 17:13:36 +01:00
github-actions[bot]
18b678e69e
Post-release preparation for codeql-cli-2.13.4
2023-06-20 10:20:05 +00:00
aegilops
23bf8470ce
Removed .md and made class change
2023-06-19 17:29:17 +01:00
Jeroen Ketema
9c774ac97f
Merge pull request #13426 from jketema/inline-3
Update inline flow tests to use parameterized module
2023-06-19 17:39:29 +02:00
Jean Helie
423336310c
Merge pull request #13480 from github/jhelie/clean-up-mad-kinds-use
Java: clean up mad kinds use
2023-06-19 16:21:20 +02:00
aegilops
8c9ccab9c9
Autoformat
2023-06-19 11:53:53 +01:00
aegilops
2112d73a6a
Autoformat
2023-06-19 11:50:54 +01:00
aegilops
1a108fb1c9
Changed to for constant string
2023-06-19 11:46:08 +01:00
aegilops
7c235e3786
Fixed linting issues. Will not fix instanceof, that is necessary
2023-06-19 11:41:23 +01:00
Tony Torralba
8f6d2ed2f9
Adjust ZipSlip query description according to review suggestions.
2023-06-19 10:27:41 +02:00
Tony Torralba
3c4d938cf1
Apply code review suggestions.
Co-authored-by: Asger F <asgerf@github.com>
2023-06-19 10:20:19 +02:00
Tony Torralba
433fc680ec
Apply suggestions from code review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2023-06-19 10:17:40 +02:00
aegilops
8c73fbeabe
Formatted
2023-06-16 17:33:21 +01:00
aegilops
55eeb00309
Added experimental tag
2023-06-16 17:27:01 +01:00
aegilops
b6c35dd88c
Added experimental version of Java Command Injection query, to be more sensitive to unusual code constructs
2023-06-16 17:12:53 +01:00
Jean Helie
baf6b74945
use new sink mad kinds and simplify isKnownKind predicate
2023-06-16 13:58:23 +02:00
Jean Helie
daf2743143
only use neutral models of kind "sink"
2023-06-16 13:58:23 +02:00
Tony Torralba
c97868f774
Add change notes
2023-06-16 09:01:02 +02:00
Tony Torralba
3e96fe60c5
Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
2023-06-16 08:52:44 +02:00
Jeroen Ketema
742eb8dd12
Java: Rewrite InlineFlowTest as a parameterized module
2023-06-15 10:52:10 +02:00
Jean Helie
209f3e26d4
Merge pull request #13239 from github/tausbn/automodel-application-mode
Java: Add QL support for automodel application mode
2023-06-14 11:42:26 +02:00
Tony Torralba
ffe67689ec
Merge branch 'main' into atorralba/java/command-injection-mad-sinks
2023-06-13 09:27:33 +02:00
Stephan Brandauer
b38bc52019
Java: fix bug in ExcludedFromModeling Characteristic
2023-06-09 14:57:56 +02:00
Anders Schack-Mulligen
a0a9d30286
Java: Fix qltests.
2023-06-09 08:37:35 +02:00