hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,246 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.0
Commit Graph

5817 Commits

Author SHA1 Message Date
Jonathan Leitschuh
3fa11c21c3 [Java] Document fixes for deserialization vulnerabilities by framework 
Related https://github.com/github/codeql/issues/11603
 2023-01-10 11:18:56 -05:00
Tony Torralba
32471d326e Java: Remove omittable exists variables 2023-01-10 13:37:19 +01:00
Ed Minnix
909b1d70d9 Rename files to say "Allow" instead of "Permit" 2023-01-09 10:11:03 -05:00
Ed Minnix
f626d4794a Change wording from "permit" to "allow" in id and name 2023-01-09 10:03:12 -05:00
Ed Minnix
64668883a4 Add good example to documentation 2023-01-09 09:59:38 -05:00
Ed Minnix
2ec73c50f9 Mention WebView in alert message 2023-01-09 09:55:09 -05:00
Chris Smowton
efe23c1da7 Note that alerts should not be re-raised 2023-01-09 10:56:13 +00:00
Chris Smowton
994a46289f Add change note 2023-01-09 10:56:13 +00:00
Chris Smowton
ef27f9fe96 Replace one more mention of escaping 2023-01-09 10:56:13 +00:00
Chris Smowton
45c732a6f9 Java: improve naming and description of SqlUnescaped.ql 
Since the main thing it's objecting to is concatenation not lack of escaping (in particular it doesn't look for escaping sanitizers), rename and re-describe it accordingly.
 2023-01-09 10:56:13 +00:00
github-actions[bot]
cdb8f67601 Post-release preparation for codeql-cli-2.12.0 2023-01-06 10:36:34 +00:00
Nick Rolfe
6e07076151 tweak wording in 2.12 release notes 2023-01-05 16:46:44 +00:00
github-actions[bot]
b6a8193785 Release preparation for version 2.12.0 2023-01-05 16:32:14 +00:00
Ed Minnix
81df89f93e Use proper @id in changenote 2023-01-03 15:19:26 -05:00
Ed Minnix
28ad9d00fb Merge both setAllowContentAccess queries into one query 
Previously, the query to detect whether or not access to `content://`
links was done using two queries.

Now they can be merged into one query
 2023-01-03 15:17:07 -05:00
Ed Minnix
35de551f6b Formatting 2022-12-31 17:19:49 -05:00
Ed Minnix
515fa21aad Change notes 2022-12-31 17:18:37 -05:00
Ed Minnix
df1a4d2ed1 Documentation fix: Add state1 and state2 to documentation 2022-12-31 15:25:37 -05:00
Ed Minnix
02f70f3536 Add @security-severity tag 2022-12-31 15:00:28 -05:00
Edward Minnix III
1d345c6101 Refactoring and simplification 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2022-12-31 15:00:28 -05:00
Ed Minnix
5265cb4b03 Merge two dataflow configurations into one taint tracking 2022-12-31 15:00:28 -05:00
Ed Minnix
973f649e76 Break dataflow into two steps in order to capture flow from WebView to settings call 2022-12-31 15:00:28 -05:00
Ed Minnix
0e15dd9fa9 Query metadata 2022-12-31 15:00:28 -05:00
Edward Minnix III
778749184b Change id to use android/ instead of prepending android- 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2022-12-31 15:00:28 -05:00
Ed Minnix
da25c586e6 Dataflow query for detecting paths that disable content access 
Since the default value is `true`, we need to determine whether or not
the `setAllowContentAccess` method is ever called using dataflow.
 2022-12-31 15:00:28 -05:00
Ed Minnix
8a763015e6 Reduce precision rating to medium 
This query won't always be a security problem, so it should have a lower
precision rating than `high`.
 2022-12-31 15:00:28 -05:00
Ed Minnix
e4e13d38b7 Java: query for Android WebView setAllowContentAccess 2022-12-31 15:00:28 -05:00
Edward Minnix III
597523e65a Merge pull request #11766 from atorralba/atorralba/java/fix-android-query-id 
Java: Fix new Android queries' IDs
 2022-12-21 11:21:12 -05:00
Arthur Baars
98c5b81456 Merge pull request #11723 from aibaars/alert-suppression 
CodeQL alert suppression
 2022-12-21 10:59:57 +01:00
Arthur Baars
035ad65e43 AlertSuppression: move library into util folder 2022-12-21 10:39:57 +01:00
Tony Torralba
345c383acc Fix new Android queries' IDs 2022-12-21 09:36:57 +01:00
Tony Torralba
149cae9603 Merge pull request #10971 from joefarebrother/android-certificate-pinning 
Java: Add Android missing certificate pinning query (CWE-295)
 2022-12-20 11:03:16 +01:00
Tony Torralba
a47ef17a0d Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java 
Co-authored-by: Edward Minnix III <egregius313@github.com>
 2022-12-19 18:11:54 +01:00
Edward Minnix III
39a7c7bb12 Merge pull request #11282 from egregius313/egregiu313/webview-addjavascriptinterface 
Java: Query for detecting addJavascriptInterface method calls
 2022-12-19 11:28:45 -05:00
Tony Torralba
624c9ff834 Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java 2022-12-19 17:26:41 +01:00
Arthur Baars
a8be5d7274 AlertSuppression: add change notes 2022-12-19 17:02:52 +01:00
Tony Torralba
0c6ace350f Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-12-19 16:24:39 +01:00
Arthur Baars
c9739b21cb AlertSuppression: add support for //codeql comments 2022-12-19 16:10:28 +01:00
Arthur Baars
c176606be5 AlertSuppression: allow //lgtm comments to scope over the next line 2022-12-19 16:10:26 +01:00
Arthur Baars
016c7a8ca7 Merge pull request #11719 from aibaars/alert-suppression-shared 
Shared AlertSuppression library
 2022-12-19 16:04:44 +01:00
Tony Torralba
484a16ce1b Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql 2022-12-19 12:10:32 +01:00
Arthur Baars
bc646d407e Java: use shared AlertSuppression.qll 2022-12-19 12:07:28 +01:00
Tony Torralba
a880fecc8b Apply suggestions from code review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-12-19 11:56:36 +01:00
turbo
1e5426fca2 Create security-experimental suite helper and all language suite implementations 2022-12-18 15:44:08 +01:00
Henry Mercer
30451ee950 Merge pull request #11681 from github/henrymercer/mergeback-3.8 
Merge `rc/3.8` back to `main`
 2022-12-16 17:43:12 +00:00
Michael Nebel
b2856c1f5a Merge pull request #11705 from michaelnebel/dataextensiontests 
C#/Java: Migrate tests to use implicitly loaded extensions.
 2022-12-16 10:50:07 +01:00
Jami
fd63348549 Merge pull request #11585 from jcogs33/jcogs33/mad-metrics-query 
Java: add MaD metrics query
 2022-12-15 19:26:51 -05:00
Jami Cogswell
c33bc63aed Java: remove extraneous parentheses 2022-12-15 15:26:04 -05:00
Jami Cogswell
cfeedb5cb4 Java: add float cast 2022-12-15 15:23:28 -05:00
Jami Cogswell
b68a9a51e2 Java: add coverage, generatedCoverage, and manualCoverage metrics 2022-12-15 15:20:08 -05:00