hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,920 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.2
Commit Graph

13744 Commits

Author SHA1 Message Date
Nora Dimitrijević
05df1d3cb9 [DIFF-INFORMED] Java: AndroidWebViewSettingsAllowsContentAccess 2025-07-17 19:02:15 +02:00
Nora Dimitrijević
24c28ed873 [DIFF-INFORMED] Java: UnsafeCertTrust 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql#L21
 2025-07-17 19:02:13 +02:00
Nora Dimitrijević
ea4af8323c [DIFF-INFORMED] Java: TrustBoundaryViolation 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql#L18
 2025-07-17 19:02:09 +02:00
Nora Dimitrijević
7888dcbce2 [DIFF-INFORMED] Java: TempDirLocalInformationDisclosure 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql#L56
 2025-07-17 19:02:07 +02:00
Nora Dimitrijević
3785dbec9e [DIFF-INFORMED] Java: TaintedEnvironmentVariable 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql#L22
 2025-07-17 19:02:05 +02:00
Nora Dimitrijević
b3b139bb02 [DIFF-INFORMED] Java: SqlConcatenated 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql#L27
 2025-07-17 19:02:04 +02:00
Nora Dimitrijević
45b627df1d [DIFF-INFORMED] Java: SensitiveLogging 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql#L20
 2025-07-17 19:02:02 +02:00
Nora Dimitrijević
bc0b383595 [DIFF-INFORMED] Java: MaybeBrokenCryptoAlgorithm 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql#L25
 2025-07-17 19:02:00 +02:00
Nora Dimitrijević
b688df9dec [DIFF-INFORMED] Java: LogInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-117/LogInjection.ql#L20
 2025-07-17 19:01:58 +02:00
Nora Dimitrijević
2d734056b1 [DIFF-INFORMED] Java: InsecureLdapAuth 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql#L21
 2025-07-17 19:01:56 +02:00
Nora Dimitrijević
74b37e71a0 [DIFF-INFORMED] Java: InsecureCookie 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql#L21
 2025-07-17 19:01:52 +02:00
Nora Dimitrijević
19e5c3d805 [DIFF-INFORMED] Java: ImproperValidationOfArray… 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql#L48
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql#L28
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql#L26
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql#L24
 2025-07-17 19:01:50 +02:00
Nora Dimitrijević
1c6ecf1216 [DIFF-INFORMED] Java: UntrustedDataToExternalAPI 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql#L20
 2025-07-17 18:59:15 +02:00
Nora Dimitrijević
0cf1195678 [DIFF-INFORMED] Java: ConditionalBypass 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql#L26
 2025-07-17 18:59:14 +02:00
Nora Dimitrijević
0bcdb421ed [DIFF-INFORMED] Java: ArithmeticUncontrolled 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql#L36
 2025-07-17 18:59:11 +02:00
Nora Dimitrijević
54546f6e99 [DIFF-INFORMED] Java: ArithmeticTainted 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql#L35
 2025-07-17 18:59:09 +02:00
Nora Dimitrijević
8353fdd041 [DIFF-INFORMED] Java: (Android)SensitiveCommunication 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql#L20
 2025-07-17 18:59:06 +02:00
Nora Dimitrijević
b33058c967 [TEST] Java: SensitiveCommunication: convert to qlref 2025-07-17 18:59:05 +02:00
Nora Dimitrijević
44bb5e7220 [TEST] Java: ConditionalBypass: convert to qlref 2025-07-17 18:59:03 +02:00
Nora Dimitrijević
6134518d60 [TEST] Java: SensitiveLogInfo: convert to qlref 2025-07-17 18:59:01 +02:00
Nora Dimitrijević
94386f0550 [TEST] Java: TrustBoundaryViolations: convert test to qlref 2025-07-17 18:58:59 +02:00
Nora Dimitrijević
49e03b4dfd [TEST] Java: UnsafeCertTrust: convert test to qlref 2025-07-17 18:58:56 +02:00
Nora Dimitrijević
7aced48443 [TEST] Java: LogInjection: convert test to qlref 2025-07-17 18:58:54 +02:00
Nora Dimitrijević
5c2cf79785 [TEST] Java: CWE-020/ExternalAPI: new test based on qhelp 2025-07-17 18:58:52 +02:00
Anders Schack-Mulligen
996de78a66 Java: Prune PathGraph for CsrfUnprotectedRequestType.ql 2025-07-17 15:06:38 +02:00
Anders Schack-Mulligen
1485d7072d Merge pull request #19885 from aschackmull/java/annotated-exit-cfg 
Java: Add AnnotatedExitNodes to the CFG.
 2025-07-17 15:02:24 +02:00
Michael Nebel
2f29459cda Merge pull request #19931 from michaelnebel/ql4ql/qualitytagcheck 
Ql4ql: Quality query tagging.
 2025-07-17 14:53:14 +02:00
Idriss Riouak
36ebe99f2f Merge pull request #19707 from microsoft/lwsimpkins/fix-qhelp-upstream 
fix qhelp files
 2025-07-17 14:51:01 +02:00
Owen Mansel-Chan
af977e9ac7 Merge pull request #20067 from owen-mc/java/unsafe-deserialization-mad-sinks 
Java: allow the definition of `java/unsafe-deserialization` sinks using data extensions
 2025-07-17 13:42:31 +01:00
Owen Mansel-Chan
6629bd8279 No need to deprecate classes when module is deprecated 2025-07-17 11:52:31 +01:00
Owen Mansel-Chan
b361f76643 Delete unused private class 2025-07-17 11:36:06 +01:00
Anders Schack-Mulligen
448cc82ef9 Kotlin: Accept more test changes. 2025-07-17 11:21:27 +02:00
Anders Schack-Mulligen
54775e0958 Java: Adjust Paths.qll 2025-07-17 11:21:26 +02:00
Anders Schack-Mulligen
e7a6259bd7 Java: Accept test changes. 2025-07-17 11:21:26 +02:00
Anders Schack-Mulligen
fbe79e8a52 Java: Add AnnotatedExitNodes to the CFG. 2025-07-17 11:21:26 +02:00
Owen Mansel-Chan
805e31fdb9 Update test expectations 2025-07-16 15:25:45 +01:00
Owen Mansel-Chan
7d4a70cc1d Add change notes 2025-07-16 14:44:24 +01:00
Owen Mansel-Chan
fdd1e3fefe Use MaD models for unsafe deserialization sinks when possible 
Many of the unsafe deserialization sinks have to stay defined in QL
because they have custom logic that cannot be expressed in MaD models.
 2025-07-16 14:42:07 +01:00
Owen Mansel-Chan
9ef22fff8e Update SnakeYaml reference to note that it is outdated 2025-07-15 15:27:01 +01:00
Kasper Svendsen
10a678dcbd Java lib qlpack: Enable overlay compilation 2025-07-15 16:23:40 +02:00
Kasper Svendsen
9c3e275e66 Merge pull request #20011 from kaspersv/kaspersv/discard-xml 
Overlay: Add XML and Java property discarding
 2025-07-15 16:13:38 +02:00
Kasper Svendsen
f84a3084f0 Address review comment about ignored QL variable 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2025-07-15 15:34:08 +02:00
Anders Schack-Mulligen
9e87095bed Java: Restrict results to source literals. 2025-07-15 14:54:02 +02:00
Nick Rolfe
16e9e8e836 Merge pull request #20049 from github/nickrolfe/java-deleted-files 
Java: use `overlayChangedFiles` in discard prediactes
 2025-07-15 07:42:54 -04:00
Nick Rolfe
c199d0cbbe Java: use overlayChangedFiles in discard prediactes 2025-07-15 10:10:32 +01:00
Paolo Tranquilli
31d0897f74 Kotlin: disable bazel cache in plugin test 2025-07-14 15:30:11 +02:00
Paolo Tranquilli
77cab9d068 Kotlin: tweak plugin test 
Put less emphasis on plugin build isolation, to get a better DevEx out
of it. The crux of the test is the database extraction part, not the
plugin build.
 2025-07-14 13:52:22 +02:00
Ian Lynagh
86ebf3d9f6 Merge pull request #20034 from github/igfoo/fix_regex_in_dbscheme_parser 
Kotlin: Update regex patterns to use raw string notation
 2025-07-14 10:43:45 +01:00
Ian Lynagh
a6701ced8d Kotlin: Update regex patterns to use raw string notation 
Fixes warnings like
SyntaxWarning: invalid escape sequence '\S'
 2025-07-13 23:42:50 +01:00
Owen Mansel-Chan
03e8865933 Merge pull request #20025 from owen-mc/java/unsafe-deserialization 
Java: add extra sink for `java/unsafe-deserialization`
 2025-07-11 23:59:22 +01:00