hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,161 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.6
Commit Graph

3351 Commits

Author SHA1 Message Date
Owen Mansel-Chan
dae60c9deb Update data flow libraries to 55e052af26 2022-11-17 14:27:02 +00:00
Gustav Munkby
a293239bd5 Accelerating go-extractor by using 'go list -deps' 
Resurrect https://github.com/github/codeql-go/pull/554, but behind an environment variable as to avoid the broken builds noted in https://github.com/github/codeql/issues/9304, but still allowing some people to opt in to the much faster approach.
 2022-11-15 10:30:56 +01:00
Gustav Munkby
279ba60eb1 Refactor package path extraction 
In preparation for pulling all package information at once.
 2022-11-15 10:10:39 +01:00
Gustav
3514694cdf Fix direct access to trap.Writer from trap.Labeler 2022-11-11 18:39:25 +01:00
Gustav
fea4b816af Fix double close 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-11-11 17:12:13 +01:00
Gustav
f659ee3e0b Go: Optimize trap.Writer by buffering gzip writes 
The TRAP writer already buffers writes before emitting to file, but running gzip compression is also fairly costly (especially if you only do it a couple of bytes at a time). Thus, this injects another buffer that collects the emitted tuples in string form, and only triggers gzip compression once the buffer is full. In my local testing, this buffering was actually more beneficial than the one between gzip and file (likely because the gzip writer already emits data in chunks), but that one is still beneficial.
 2022-11-11 13:07:30 +01:00
github-actions[bot]
fca754bddd Post-release preparation for codeql-cli-2.11.3 2022-11-05 14:30:48 +00:00
github-actions[bot]
508327235a Release preparation for version 2.11.3 2022-11-04 20:16:23 +00:00
erik-krogh
f9195d194b go: make sure the source/sink have the same type as the edges relation 2022-11-03 11:20:15 +01:00
erik-krogh
c9fcef2608 go: add a precision tag to go/examples/deferinloop 2022-11-03 11:20:15 +01:00
erik-krogh
1ec204987d go: remove precision from metric queries 2022-11-03 11:20:15 +01:00
Dave Bartolomeo
9d5e5e3ee7 ${workspace} all the things 2022-11-01 13:29:05 -04:00
Arthur Baars
aba87a139d Merge pull request #10668 from aibaars/ruby-deps 
Ruby: update dependencies
 2022-11-01 13:55:42 +01:00
erik-krogh
84a7fddd95 remove explicit versions in lock files, as the dependencies are all installed locally 2022-11-01 09:09:26 +01:00
Chris Smowton
3573e211cc Correct test expectations 2022-10-29 11:40:58 +01:00
Chris Smowton
b6e4f472d1 Remove unnecessary import 2022-10-29 11:40:57 +01:00
Chris Smowton
6d321e0151 Add change note 2022-10-29 11:40:57 +01:00
Chris Smowton
5c66d87ed6 gofmt 2022-10-29 11:40:57 +01:00
Chris Smowton
0c6c135967 Go: exclude protobuf read steps from cleartext-logging query 
This query already treats structs differently to usual: it includes field -> whole struct taint steps, but explicitly excludes struct -> field steps. This means that a logging framework sinking an entire struct with a tainted field yields an alert, but we don't get FPs caused by writing field `x` but then reading field `y`.

However, protobuf messages have a special treatment, with taint usually associated with the whole struct and getter methods propagating that taint out. Suppressing these getter method steps specifically for the cleartext-logging query mirrors its treatment of structs in general and avoids this sort of field-mismatch FP.

On the downside we will miss same-field propagation like `m.field = password; Log(m.GetField())` if we don't have source code for the implementation of `m`. However this is hopefully unusual since the typical use of protobufs is to serialize and deserialize, rather than using the struct as a general-purpose datastructure.
 2022-10-29 11:40:57 +01:00
Chris Smowton
f9e811bddf Legacy support qlpacks: continue using libraryPathDependencies; add a comment noting this is obsolete. 2022-10-28 16:47:30 +01:00
Chris Smowton
ee63e60bb7 qlpacks: libraryPathDependencies -> dependencies 2022-10-28 16:07:36 +01:00
Rasmus Wriedt Larsen
8628ff5e52 Merge pull request #10999 from RasmusWL/inline-fail-tag 
InlineExpectationsTest: Fail if missing `getARelevantTag`
 2022-10-28 10:35:49 +02:00
Henry Mercer
19b7e9ebc7 Merge pull request #10997 from github/henrymercer/go-extract-file-locations 
Go: Extract locations of successfully extracted files
 2022-10-27 16:12:15 +01:00
Rasmus Wriedt Larsen
adf109b624 Merge branch 'main' into inline-fail-tag 2022-10-27 13:42:32 +02:00
Jeroen Ketema
1d7efd8e82 Merge pull request #10905 from jsoref/spelling-code-scanning-product 
Spelling code scanning product
 2022-10-27 12:55:37 +02:00
Rasmus Wriedt Larsen
fc7eb5b4fc InlineExpectationsTest: sync 2022-10-27 09:02:28 +02:00
Henry Mercer
c1984ea35f Go: Update expected output 2022-10-26 19:11:21 +01:00
Rasmus Wriedt Larsen
5e9897d150 InlineExpectationsTest: sync 2022-10-26 18:21:13 +02:00
Henry Mercer
b0b321a16f Go: Standardise formatting 2022-10-26 16:31:08 +01:00
Henry Mercer
4bc8529490 Go: Extract locations of successfully extracted files 
Switch the successfully extracted files query to the `location, message` results format so that we get rich location information when exporting the results of this query to SARIF.  Previously the query used the `message` results format, which meant the interpreted results lacked a location.
 2022-10-26 16:28:02 +01:00
github-actions[bot]
be7693283b Post-release preparation for codeql-cli-2.11.2 2022-10-21 08:07:17 +00:00
Arthur Baars
c59c6f6eb6 Update go/ql/src/CHANGELOG.md 
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
 2022-10-20 15:22:54 +02:00
Arthur Baars
45c9a0d0b1 Apply suggestions from code review 
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
 2022-10-20 15:22:29 +02:00
Josh Soref
6767554e19 spelling: recognition 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-20 08:21:02 -04:00
Josh Soref
ff1b3208ae spelling: official 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-20 08:18:23 -04:00
github-actions[bot]
9a0848bbc4 Release preparation for version 2.11.2 2022-10-20 11:05:19 +00:00
Josh Soref
0a4c724b69 spelling: implementation 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:36 -04:00
Josh Soref
e6998d40c3 spelling: cryptographically 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:36 -04:00
Josh Soref
9b372f3db4 spelling: characters 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:36 -04:00
Josh Soref
b1052992fe spelling: against 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:35 -04:00
Dave Bartolomeo
5ee7986649 Merge pull request #10736 from github/post-release-prep/codeql-cli-2.11.1 
Post-release preparation for codeql-cli-2.11.1
 2022-10-07 14:23:31 -04:00
github-actions[bot]
b8ef9e0ddc Post-release preparation for codeql-cli-2.11.1 2022-10-07 15:59:45 +00:00
erik-krogh
99b7c77abc add change-note 2022-10-07 13:44:36 +02:00
erik-krogh
d5c45056bd fix some more style-guide violations in the alert-messages 2022-10-07 11:21:01 +02:00
github-actions[bot]
a02dcdc5e1 Release preparation for version 2.11.1 2022-10-07 02:20:28 +00:00
Chris Smowton
28fa06ab9c Merge pull request #10709 from gregxsunday/main 
add BeegoInput.RequestBody source to Beego framework
 2022-10-06 16:04:04 +01:00
Chris Smowton
812a5e5c74 Autoformat test.go 2022-10-06 14:08:56 +01:00
Chris Smowton
4e161c867e Rename 2022-10-06-beego- to 2022-10-06-beego-request-body-source.md 2022-10-06 14:01:36 +01:00
Chris Smowton
7d98b74eec Create 2022-10-06-beego- 2022-10-06 14:00:52 +01:00
gregxsunday
9960d11042 added RequestBody source to Beego framework 2022-10-06 13:23:56 +02:00