hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 02:13:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,246 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.0
Commit Graph

4227 Commits

Author SHA1 Message Date
Eric Bickle
000c1f7ec8 Java: Flow taint through ArithExpr for ThreadResourceAbuse 
Ensure that tainted values flow through arithmetic operations when
checking for ThreadResourceAbuse vulnerabilities.

For example, multiplying 'number of seconds' by 1000 as an input
to Thread.Sleep, which accepts milliseconds, is a common scenario.
 2023-10-06 14:24:37 -07:00
Michael Nebel
40e63a63e2 Java: Re-factor most queries and tests to use threat models. 2023-10-04 14:01:58 +02:00
Michael Nebel
5b949b19f7 Java: Cleanup threat model taxanomy to align with the EDR. 2023-10-03 09:16:39 +02:00
Michael Nebel
5c700afa27 Java: Add some threat model dataflow tests. 2023-10-03 09:16:39 +02:00
Michael Nebel
537965c0e8 Java: Add some testfiles. 2023-10-03 09:16:39 +02:00
Michael Nebel
9a112dde66 Java: Introduce a class of dataflow nodes for the threat modeling. 2023-10-03 09:16:38 +02:00
Anders Schack-Mulligen
efb49fcd3e Merge pull request #14336 from aschackmull/java/switch-rule-stmt-cfg 
Java: Fix CFG for case rule statements.
 2023-09-29 12:02:48 +02:00
Anders Schack-Mulligen
94556078f1 Java: Add guards logic for SwitchExpr default cases. 2023-09-28 14:21:04 +02:00
Anders Schack-Mulligen
917a15647e Java: Fix CFG for rule statements. 2023-09-28 14:19:36 +02:00
Anders Schack-Mulligen
922a4e8ddf Java: Add failing test 2023-09-28 14:15:56 +02:00
Asger F
0d96ed8aee Merge pull request #14305 from asgerf/shared/flow-state-inout-barriers 
Shared: add in/out barriers with flow state
 2023-09-28 11:07:23 +02:00
Koen Vlaswinkel
10231e99ce Merge pull request #14199 from github/koesie10/add-java-model-editor-queries 
Java: Add VS Code model editor queries
 2023-09-28 10:13:13 +02:00
Asger F
6792592a15 Shared: add late checks for stateful in/out barriers 2023-09-27 14:38:28 +02:00
Asger F
6d6cdf89ce Java: add a failing test for stateful in/out barriers 2023-09-27 14:38:21 +02:00
Anders Schack-Mulligen
e6d832c7e5 Merge pull request #14297 from aschackmull/java/additional-steps-and-nodes 
Java: Add support for additional nodes, read steps, and store steps for QL models and model ThreadLocal.initialValue
 2023-09-26 14:50:37 +02:00
Koen Vlaswinkel
ced95e0f45 Java: Split API name column into separate columns 2023-09-25 10:16:59 +02:00
Ian Lynagh
7b779ca9d0 Merge pull request #14186 from igfoo/igfoo/kotlin-expected 
Kotlin: Regenerate expected test output
 2023-09-22 19:40:26 +01:00
Koen Vlaswinkel
f4522edc95 Java: Remove unnecessary columns 2023-09-22 16:11:30 +02:00
Anders Schack-Mulligen
8ee1f8ae69 Java: Add missing flow step for ThreadLocal.initialValue. 2023-09-22 13:33:45 +02:00
Anders Schack-Mulligen
7e04ac55b7 Merge pull request #14268 from aschackmull/java/xmlparsers-typetrack 
Java/Dataflow: Add new light-weight data flow api and use it in XmlParsers
 2023-09-21 13:33:21 +02:00
Anders Schack-Mulligen
13f7daf71e Merge pull request #13982 from aschackmull/dataflow/typeflow-calledge-pruning 
Dataflow: Add type-based call-edge pruning.
 2023-09-21 13:33:08 +02:00
Koen Vlaswinkel
509b7fe0f8 Java: Add tests for supported framework methods 2023-09-20 14:11:00 +02:00
Koen Vlaswinkel
6adbc406a7 Java: Add tests for private methods 2023-09-20 14:05:28 +02:00
Koen Vlaswinkel
8e55189b84 Java: Add tests for generic interfaces/classes/methods 2023-09-20 14:02:34 +02:00
Koen Vlaswinkel
fe7ce0ae0b Java: Rename queries from fetch methods to endpoints 2023-09-20 13:52:49 +02:00
Anders Schack-Mulligen
5c40d553b4 Java: Switch XmlParsers lib to lightweight data flow. 2023-09-20 10:21:53 +02:00
yoff
4a37c2fc3a Merge pull request #13778 from geoffw0/javaparsemode 
Java: Understand multiple parse mode flags specified in a regular expression string
 2023-09-18 14:22:59 +02:00
Tony Torralba
b08e410f45 Merge pull request #14029 from atorralba/atorralba/apache-cxf-models 
Java: Add new Apache CXF models
 2023-09-18 10:54:05 +02:00
Chris Smowton
c5001a86f6 Fix test expectations 2023-09-14 20:45:54 +01:00
Chris Smowton
5f6a40b9e8 Note Kotlin test no longer has CFG dead-ends if ErrorExpr participates in the CFG 2023-09-14 17:42:00 +01:00
Chris Smowton
d9f7180b5c Add missing diagnostic expectations 2023-09-14 17:42:00 +01:00
Chris Smowton
8f940c311a Update expectations and add expected diagnostics 2023-09-14 17:42:00 +01:00
Chris Smowton
9670f20bd7 Add test for method reference whose LHS has unknown type 
This can happen when imports or source classes are missing.
 2023-09-14 17:42:00 +01:00
Chris Smowton
6ea7b195db Add test for a module declaration made in a file named other than module-info.java 
This triggers a weird corner case in our extractor, which used to throw a null pointer exception.
 2023-09-14 17:42:00 +01:00
Chris Smowton
c47ba000d6 Add test exercising the case of a missing type used as an interface 
This induces the TypeEnter phase to create an ErrorType with a parameter, which in turn used to cause a stack overflow in comparing the TypeWrapper objects involved.

Note the output remains somewhat broken, exposing an <any> type, but at least the overflow is resolved.
 2023-09-14 17:42:00 +01:00
Chris Smowton
4b5651bde9 Add test for Java extracting ErrorType 2023-09-14 17:42:00 +01:00
Chris Smowton
c0f8973749 Add test for extracting a Java AST with an error expression 
Also note that ErrorExpr can occur outside upgrade/downgrade scripts
 2023-09-14 17:42:00 +01:00
Geoffrey White
af3d8c88bb Java: Fix test comment. 2023-09-13 17:58:31 +01:00
Geoffrey White
8c3e778be6 Java: Port regex mode flag character fix from Python. 2023-09-13 17:50:52 +01:00
Anders Schack-Mulligen
e677c1ffe6 Java: Add qltest 2023-09-13 15:43:46 +02:00
Koen Vlaswinkel
7db082f3fd Java: Add VS Code model editor queries 2023-09-13 13:04:26 +02:00
Ian Lynagh
d8a99e6b7d Kotlin: Regenerate expected test output 
It's now in the order generated by the new CLI. This means that
changes in test output are easier to understand.
 2023-09-12 11:13:58 +01:00
Kasper Svendsen
4bc6ca3d84 Java: Delete java test query which fails to compile 2023-09-01 11:21:06 +02:00
Anders Starcke Henriksen
361ae1747e Merge branch 'main' into starcke/automodel-pack 2023-08-30 09:25:28 +02:00
Jean Helie
41726f52a2 Merge pull request #13954 from github/kaeluka/add-provenance-to-metadata 
Java: Automodel: Add Candidates for Regression Testing
 2023-08-29 14:33:02 +01:00
Jean Helie
de76c0749a Java: Automodel Framework Mode: Add Candidates for Regression Testing 2023-08-29 09:53:55 +01:00
Tony Torralba
2448bc8ce2 Java: Add new Apache CXF models 2023-08-25 11:17:51 +02:00
Jeroen Ketema
b550c067a1 Java: Remove redundant inline expectation test imports 2023-08-25 00:18:55 +02:00
Jeroen Ketema
9d573e5544 Consolidate all InlineFlowTest libraries in the dataflow qlpack 2023-08-24 21:38:46 +02:00
Asger F
6c664e93ef Merge pull request #14035 from asgerf/shared/variable-capture-nested 
Variable capture: synchronize with aliases in nested scopes
 2023-08-24 15:39:34 +02:00