Anders Starcke Henriksen
7da6da1c93
Merge pull request #13852 from github/starcke/automodel-package-filter
Add option to filter automodel queries
2023-08-08 14:59:00 +02:00
github-actions[bot]
79c90fa36a
Release preparation for version 2.14.2
2023-08-07 18:08:52 +00:00
Stephan Brandauer
3433437034
Java: automodel application mode: only extract the first argument corresponding to a varargs array
2023-08-07 14:15:17 +02:00
Stephan Brandauer
e1a5eba61b
Java: automodel application mode: refactor varargs endpoint class to rely on normal argument node for nicer extracted examples
2023-08-07 12:18:52 +02:00
Stephan Brandauer
650ff8db87
Java: automodel comments
2023-08-07 12:18:51 +02:00
Stephan Brandauer
0781cb78e8
Java: automodel application mode: add isVarargsArray metadata value
2023-08-07 12:18:51 +02:00
Stephan Brandauer
5abf7769a7
Java: automodel application mode: use endpoint class like in framework mode
2023-08-07 12:18:51 +02:00
Tony Torralba
586c8803c5
Move the sources back to the .ql files
Otherwise they would both apply at the same time, making both versions of the query identical.
2023-08-04 10:02:56 +02:00
Tony Torralba
e9bad321b6
Apply suggestions from code review
2023-08-04 09:21:45 +02:00
Paul Hodgkinson
fba37aa7c9
Merge branch 'main' into java/experimental/command-injection
2023-08-03 14:12:38 +01:00
aegilops
fc7f8409be
Fix up for code review
2023-08-03 13:50:40 +01:00
Anders Starcke Henriksen
e2abd3ff13
Create separate automodel pack.
2023-08-03 13:55:15 +02:00
Anders Schack-Mulligen
9a4de208ef
Java: Fix qltests.
2023-08-03 10:04:05 +02:00
Anders Starcke Henriksen
131ae1aae9
Fix name in predicate.
2023-08-03 09:53:40 +02:00
Anders Starcke Henriksen
1c425a5602
Change from package to endpoint.
2023-08-03 09:50:23 +02:00
Anders Starcke Henriksen
9b8d7df370
Add option to filter automodel queries by package.
2023-08-03 09:50:23 +02:00
Anders Schack-Mulligen
7bc8bf616f
Merge pull request #13863 from aschackmull/dataflow/pack4
Dataflow: Move the shared library to a properly shared qlpack.
2023-08-02 14:19:49 +02:00
Stephan Brandauer
cb55b10edc
Merge pull request #13788 from github/kaeluka/automodel-telemetry-testing
Java: Tests for Automodel Extraction Queries
2023-08-01 15:30:26 +02:00
Anders Schack-Mulligen
405a3a73d1
Java: Remove irrelevant import.
2023-08-01 14:31:30 +02:00
Tony Torralba
b5d08ade59
Formatting
2023-08-01 09:35:25 +02:00
Anders Schack-Mulligen
e73e312e10
Java: Add change note.
2023-08-01 09:28:56 +02:00
Stephan Brandauer
621c05dc4b
Java: format
2023-08-01 09:19:03 +02:00
Stephan Brandauer
058236877e
Java: Drive-by: fix oversight in #13823
In PR #13823, we had rewritten the endpoints that are being considered for framework mode. We used to use `DataFlow::ParameterNode` as endpoints.
However, `ParameterNode`s do not exist for the implicit `this` parameter; they also do not exist for bodiless interface methods.
In PR #13823, we forgot to model that `this` only exists for non-static methods and to only consider parameters that we have source code for.
2023-08-01 09:18:58 +02:00
Stephan Brandauer
37b6b46dbf
Java: update extraction query tests after merging PR #13747
2023-08-01 09:18:57 +02:00
Paul Hodgkinson
3bc7cf6ac7
Merge branch 'main' into java/experimental/command-injection
2023-07-31 19:14:55 +01:00
Tony Torralba
2cbb7ed296
Java: Add XXE sinks for MDHT
2023-07-31 11:13:17 +02:00
Stephan Brandauer
8bf960bd44
Java: fix QL-for-QL alert
2023-07-28 14:28:47 +02:00
Stephan Brandauer
021eedfdf1
Java: format
2023-07-28 14:26:34 +02:00
Stephan Brandauer
82fd0e45aa
Java: support Argument[this] in NotAModelApiParameter
2023-07-28 14:04:53 +02:00
Stephan Brandauer
a9d2f43538
Java: use a newtype for framework mode candidates
2023-07-28 13:51:25 +02:00
Stephan Brandauer
8ed773b240
Java: Framework mode extraction now uses a custom class for endpoints, so we can support both Argument[this] and interface-method parameters
2023-07-28 12:56:39 +02:00
Stephan Brandauer
09c64e8fee
Java: Support Argument[this] in framework mode metadata extraction
2023-07-28 12:55:26 +02:00
Chris Smowton
c69a9ea032
Merge pull request #13793 from github/post-release-prep/codeql-cli-2.14.1
Post-release preparation for codeql-cli-2.14.1
2023-07-26 17:22:05 +01:00
Stephan Brandauer
08f5774d13
Java: Automodel extraction fix for application mode
2023-07-25 17:11:07 +02:00
Stephan Brandauer
698b8d3c5c
Java: Automodel extraction fix; previously, we treated endpoints that were marked as sinks, as well as summary-neutrals as 'erroneous'
2023-07-25 16:52:27 +02:00
Stephan Brandauer
2582b084f6
Merge pull request #13747 from github/tausbn/exclude-qualifier-argument-for-existing-models
Java: Exclude qualifier argument for existing models
2023-07-24 16:26:33 +02:00
Stephan Brandauer
13027a1094
Java: review suggestions from @atorralba
2023-07-24 14:09:10 +02:00
Stephan Brandauer
2f2f507a5d
Java: drive-by change: remove obsolete custom queries from application mode characteristics
2023-07-24 13:55:53 +02:00
github-actions[bot]
f91b7a9342
Post-release preparation for codeql-cli-2.14.1
2023-07-21 16:16:25 +00:00
Stephan Brandauer
79da723878
Java: only assume that _manual_ MaD sinks have been fully modeled
2023-07-21 10:43:07 +02:00
github-actions[bot]
c936a920b0
Release preparation for version 2.14.1
2023-07-20 16:32:27 +00:00
Stephan Brandauer
5575fc65aa
Merge pull request #13636 from github/tausbn/add-sink-alert-metrics-query
Java: Add metric queries for counting sinks coming from models
2023-07-19 13:12:32 +02:00
Paul Hodgkinson
c7084b6d8e
Merge branch 'main' into java/experimental/command-injection
2023-07-18 11:38:44 +01:00
Taus
6b425f1395
Java: Revert definition of isNeutral
Reverts the change made in
daf2743143
With the change in the aforementioned commit, we were extracting candidates for endpoints that
had a neutral _summary_ model. These are bad candidates, as they have already been triaged.
2023-07-14 14:45:22 +02:00
Taus
6793bc6c6b
Java: Exclude qualifier argument for existing models
Excludes candidates for `Argument[this]` where we already have a model that covers a
different argument of the containing call.
2023-07-14 14:26:21 +02:00
Taus
895e829eb1
Java: Add QLDoc for query predicates
2023-07-14 14:22:10 +02:00
Taus
c4487673e8
Java: Swap input and ext
2023-07-14 14:21:59 +02:00
Taus
9193de6898
Merge pull request #13730 from github/tausbn/limit-number-of-candidates-in-application-mode
Java: Limit the number of samples extracted in application mode
2023-07-14 14:09:59 +02:00
Anders Schack-Mulligen
91de43f918
C#/Java/Ruby: Remove superfluous module members.
2023-07-13 11:38:35 +02:00
Taus
49194a2af7
Java: Limit the number of samples extracted in application mode
Uses the same trick as for the negative examples, this time with a limit of 7
candidates for each endpoint signature.
As this duplicates some of the logic used in another query, it may be worthwhile
to consider extracting this into a shared parameterized module.
2023-07-12 15:13:10 +02:00