Anders Schack-Mulligen
d6800394fa
Guards: Support disjunctive implications.
2025-11-12 14:14:32 +01:00
Anders Schack-Mulligen
2192d75286
Java: Add test for a known FP.
2025-11-12 14:08:18 +01:00
yoff
4461be180a
Merge pull request #19539 from yoff/java/conflicting-access
2025-10-28 20:37:44 +01:00
yoff
406e48b3bb
java: fix aliasing FP
reorganise code, adding `LockField`
2025-10-27 14:30:25 +01:00
yoff
531b994819
java: add test for aliasing
found by triage
2025-10-27 14:27:32 +01:00
Tom Hvitved
a4eab484ce
Address review comments
2025-10-24 13:32:39 +02:00
Tom Hvitved
7a9cb64e2e
Java: Treat x.matches(regexp) as a sanitizer for request forgery
2025-10-24 09:06:57 +02:00
yoff
9e77e5b046
java: add test with deeper paths
also format test files
2025-10-21 14:02:36 +02:00
yoff
f183a7223f
java: add test for notFullyMonitored
2025-10-21 13:40:29 +02:00
yoff
de05bfbce3
java: address review comments
- do not use `getQualifiedName`
- use camelCase
- rework alert predicates
2025-10-21 13:25:26 +02:00
yoff
61a3e9630f
java: rewrite conflict detection
- favour unary predicates over binary ones
(the natural "conflicting access" is binary)
- switch to a dual solution to trade recursion through forall for simple existentials.
Co-authored-by: Anders Schack-Mulligen <aschackmull@github.com>
2025-10-17 01:43:04 +02:00
Joe Farebrother
d8b37d0cde
Review suggestions - update comments and description
2025-10-14 16:03:40 +01:00
Joe Farebrother
9cb593b020
Update tests
2025-10-13 14:51:37 +01:00
Joe Farebrother
c799f93811
Update tests and add inline expectations
2025-10-13 14:51:04 +01:00
yoff
830f02af1f
java: fixes from the CI bots
2025-10-09 09:37:31 +02:00
yoff
096d5f2a56
java: implement SCC contraction of the call graph
Our monitor analysis would be fooled by cycles in the call graph,
since it required all edges on a path to a conflicting access to be either
- targeting a method where the access is monitored (recursively), or
- monitored locally, that is the call is monitored in the calling method
For access to be monitored (first case) all outgoing edges (towards an access) need
to satisfy this property. For a loop, that is too strong, only edges out of the loop
actually need to be protected. This led to FPs.
2025-10-09 09:14:16 +02:00
yoff
5b30153113
java: add Escaping query (P1)
2025-10-09 09:14:16 +02:00
yoff
328b53576a
java: add SafePublication query (P2)
2025-10-09 09:14:16 +02:00
yoff
fe487e8bf0
java: add ThreadSafe query (P3)
Co-authored-by: Raúl Pardo <raul.pardo@protonmail.com>
Co-authored-by: SimonJorgensenMancofi <simon.jorgensen@mancofi.dk>
Co-authored-by: Bjørnar Haugstad Jåtten <bjornjaat@hotmail.com>
2025-10-09 09:14:16 +02:00
Chris Smowton
f88daff45f
Java: note that classes with entirely private constructors can't be subclassed
2025-09-30 13:57:44 +01:00
Anders Schack-Mulligen
e302616135
Java: Accept qltest change.
2025-09-12 15:41:18 +02:00
Anders Schack-Mulligen
03321ff910
Java: Replace nullness implementation.
2025-09-12 15:41:16 +02:00
Anders Schack-Mulligen
452bbf7289
Java: Add some more nullness tests.
2025-09-12 13:38:21 +02:00
Napalys Klicius
b4d6cb6e5f
Merge pull request #20178 from Napalys/java/visible-for-testing-abuse
Java: Added new query `java/visible-for-testing-abuse`
2025-08-29 08:38:04 +02:00
Napalys Klicius
1949d9f8f3
Merge branch 'main' into java/mocking-all-non-private-methods-means-unit-test-is-too-big
2025-08-28 14:22:06 +02:00
Napalys Klicius
970167bc62
Java: moved java/mocking-all-non-private-methods-means-unit-test-is-too-big to a more appropriate location, namely Violation of Best Practice/Testing
2025-08-28 14:20:19 +02:00
Napalys Klicius
a3aacfb688
Merge pull request #20190 from Napalys/java/jvm-exit-query-promotion
Java: Enhance `java/jvm-exit` query and add to quality
2025-08-27 13:23:02 +02:00
Jami
3675e4bb4f
Merge branch 'main' into jcogs33/java/insecure-spring-actuator-config-promotion
2025-08-26 08:02:17 -04:00
Napalys Klicius
b271f1fcd0
Java: Renamed query java/mocking-all-non-private-methods-means-unit-test-is-too-big to java/excessive-public-method-mocking and changed wording from non-private to public
2025-08-26 08:37:57 +00:00
Napalys Klicius
38f517ecfa
Java: Add lambda-aware test detection to VisibleForTesting query
2025-08-24 10:02:43 +00:00
Napalys Klicius
4149968f33
Java: Remove the hardcoded path filter that excluded CodeQL's own unit tests from the java/visible-for-testing-abuse query.
2025-08-24 09:58:35 +00:00
Anders Schack-Mulligen
02452704b2
Java: Fix bug in nullness
2025-08-22 10:15:22 +02:00
Anders Schack-Mulligen
9fc0793d6a
Java: More nullness qltests, including highlight of FN bug.
2025-08-22 10:12:48 +02:00
Anders Schack-Mulligen
1c724372f2
Java: More nullness qltests.
2025-08-22 10:08:17 +02:00
Anders Schack-Mulligen
ba252cb5cf
Java: Add a couple of difficult condition correlation tests.
2025-08-22 10:08:00 +02:00
Napalys Klicius
4705ad2e32
Java: Added extra test cases for fields
2025-08-22 09:23:49 +02:00
Napalys Klicius
ea831a8352
Java: Fix VisibleForTestingAbuse false positives in annotations
2025-08-22 09:23:49 +02:00
Napalys Klicius
225723bfeb
Java: Exclude @VisibleForTesting-to-@VisibleForTesting access from VisibleForTestingAbuse alerts
2025-08-22 09:23:49 +02:00
Napalys Klicius
e4042402bc
Java: Resolve spurious VisibleForTestingAbuse alerts for inner class access patterns
2025-08-22 09:23:49 +02:00
Napalys Klicius
1e2e6eccd7
Java: Test @VisibleForTesting method accessing @VisibleForTesting members
2025-08-22 09:23:49 +02:00
Napalys Klicius
9dfb4d4301
Java: Enhanced isWithinType to also include lambdas, inner classes etc.
2025-08-22 09:23:49 +02:00
Napalys Klicius
fbf18af076
Java: enhanced check if it is within same package
2025-08-22 09:23:49 +02:00
Napalys Klicius
2a16f4829e
Java: Expanded test suite of java/visible-for-testing-abuse
2025-08-22 09:23:49 +02:00
Napalys Klicius
652e9cba3d
Java: Added inline test expectations for java/visible-for-testing-abuse
2025-08-22 09:23:49 +02:00
Napalys Klicius
0c14d93bc6
Java: Added new query java/visible-for-testing-abuse
2025-08-22 09:23:49 +02:00
Napalys Klicius
eb6e9b8fe6
Java: Fix java/jvm-exit false positives for local nested classes in test methods
2025-08-21 14:20:49 +00:00
Napalys Klicius
41a78a0c3d
Java: Added nested local class test case
2025-08-21 14:10:12 +00:00
Napalys Klicius
53ccc56959
Java: exclude single-method classes from mocking
2025-08-11 13:43:36 +02:00
Napalys Klicius
a9e9a62439
Java: add single-method class test case for mocking rule
Classes with only one public method should be compliant when mocked.
2025-08-11 13:43:36 +02:00
Napalys Klicius
22caa584ad
Java: Add inline test expectations for MockingAllNonPrivateMethodsMeansUnitTestIsTooBig.qlref
2025-08-11 13:43:36 +02:00