hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,161 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.6
Commit Graph

84161 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
REDMOND\brodes
fba80870a6 Crypto: Example query reorg - moving queries of this PR into 'examples' subdirectories. 2025-10-09 09:03:00 -04:00
REDMOND\brodes
deb43735be Crypto: Minor fixes to WeakSymmetricCipher, change to a singular name for consistency. 2025-10-09 08:39:39 -04:00
yoff
5109babd92 java: add qldoc 
These interfaces were previously in a .ql file.
Also, use the XXAccess variants.
 2025-10-09 14:20:28 +02:00
REDMOND\brodes
3dedda4233 Merge branch 'santander-java-crypto-check' of https://github.com/bdrodes/codeql into santander-java-crypto-check 2025-10-09 08:18:04 -04:00
REDMOND\brodes
c6cc4fff51 Crypto: Minor fixes to WeakBlockModes, WeakHash to consider SHA3 ok, Added unknown hash. 2025-10-09 08:16:28 -04:00
Michael Nebel
89681a49e6 C#: Only extract the unbound locations for constructors, destructors and user defined operators and use this in the QL code. 2025-10-09 14:13:27 +02:00
Michael Nebel
02428fc467 C#: Add some location examples for constructors, destructors and operators. 2025-10-09 14:13:24 +02:00
Michael Nebel
051b83f036 C#: Only extract the unbound location for fields and parameters and use this location in the QL code. 2025-10-09 14:04:13 +02:00
Michael Nebel
f200c3ce85 C#: Add field location example. 2025-10-09 14:04:10 +02:00
Michael Nebel
b9eae31172 C#: Add parameter locations test. 2025-10-09 14:04:08 +02:00
Nicolas Will
fdba3acc4b Crypto: Fix QL-for-QL alert and auto-format 2025-10-09 13:59:51 +02:00
yoff
1ad239459f java: move shared code into Concurrency.qll 2025-10-09 13:36:35 +02:00
Owen Mansel-Chan
37151791b4 Add change notes 2025-10-09 12:26:32 +01:00
Owen Mansel-Chan
3cbce80d0b Add SimpleTypeSanitizer to go/request-forgery 2025-10-09 12:17:21 +01:00
Owen Mansel-Chan
7599fdd8fa Add request forgery test for numeric type 2025-10-09 12:17:19 +01:00
Owen Mansel-Chan
0c9cd09140 Make NumericOrBooleanSanitizer easier to access and rename it 2025-10-09 12:17:17 +01:00
yoff
f90e9dbb5e java: favour inline_late over inline 
This gives much greater control over the join-order
 2025-10-09 13:01:25 +02:00
yoff
26c1b2f143 java: adjust test expectations; new queries are enabled in extended 2025-10-09 12:29:42 +02:00
Idriss Riouak
f52e3dcb7f Merge pull request #20601 from github/idrissrio/java-localhost 
Java integration test: wait for test servers to come up before running test
 2025-10-09 10:57:11 +02:00
Geoffrey White
a7c166d161 Merge pull request #20599 from geoffw0/rust-ga-change-note 
Rust: Add change note for Rust GA.
 2025-10-09 08:51:44 +01:00
yoff
830f02af1f java: fixes from the CI bots 2025-10-09 09:37:31 +02:00
yoff
93fc287ef1 java: add auto-generated overlay annotations 2025-10-09 09:25:57 +02:00
yoff
a1671ea8af java: small cleanups 
- add missing qldoc
- remove use of `getErasure`
- remove use of `getTypeDescriptor`
- define `ExposedField`
 2025-10-09 09:16:25 +02:00
yoff
821b1de5b3 java: inline char pred 2025-10-09 09:16:25 +02:00
yoff
01ddc11fa7 java: address some review comments 2025-10-09 09:16:25 +02:00
yoff
77734f83d5 java: better detection of thread safe fields. 
Identified by triage of DCA results.
Previously, we did not use the erased type, so would not recgnize `CompletableFuture<R>`.
We now also recognize safe initializers.
 2025-10-09 09:16:25 +02:00
yoff
bf138693a3 java: update expectations for java-code-quality suite 2025-10-09 09:16:07 +02:00
yoff
096d5f2a56 java: implement SCC contraction of the call graph 
Our monitor analysis would be fooled by cycles in the call graph,
since it required all edges on a path to a conflicting access to be either
 - targetting a method where the access is monitored (recursively) or
 - monitored locally, that is the call is monitored in the calling method
For access to be monitored (first case) all outgoing edges (towards an access) need
to satisfy this property. For a loop, that is too strong, only edges out of the loop
actually need to be protected. This led to FPs.
 2025-10-09 09:14:16 +02:00
yoff
5b30153113 java: add Escaping query (P1) 2025-10-09 09:14:16 +02:00
yoff
328b53576a java: add SafePublication query (P2) 2025-10-09 09:14:16 +02:00
yoff
fe487e8bf0 java: add ThreadSafe query (P3) 
Co-authored-by: Raúl Pardo <raul.pardo@protonmail.com>
Co-authored-by: SimonJorgensenMancofi <simon.jorgensen@mancofi.dk>
Co-authored-by: Bjørnar Haugstad Jåtten <bjornjaat@hotmail.com>
 2025-10-09 09:14:16 +02:00
idrissrio
546d59ff9d Java: Wait for test HTTP servers to be ready before running buildless test 2025-10-09 08:37:54 +02:00
REDMOND\brodes
f524de4afc Crypto: Updating insecure iv/nonce to consider if an operation is known for it, and if so do not alert on non-secure random if it is tied to decryption 2025-10-08 16:27:18 -04:00
REDMOND\brodes
7a57496c54 Crypto: Missing test update. 2025-10-08 14:16:47 -04:00
REDMOND\brodes
11e81395b5 Crypto: Updated default flows to use taint tracking (this is needed to fix false positives in the unknown IV/Nonce query). Add the unknown IV/Nonce query and associated test cases. Fix unknown IV/Nonce query to focus on cases where the oepration isn't known or the operation subtype is not encrypt or wrap. 2025-10-08 14:14:17 -04:00
REDMOND\brodes
75b5a9fda8 Crypto: Update general regression test results to account for removal of JCA random source. 2025-10-08 12:55:11 -04:00
REDMOND\brodes
8e10e1937d Crypto: Adding query for unknown IV initialization. 2025-10-08 12:49:54 -04:00
REDMOND\brodes
83ff70bcd8 Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals. 2025-10-08 12:47:58 -04:00
Jon Janego
83519a9fcc Merge pull request #20606 from github/changedocs-2.23.2 
changedocs for 2.23.2
 2025-10-08 11:07:58 -05:00
Jon Janego
4534d67107 Merge branch 'main' into changedocs-2.23.2 2025-10-08 11:00:45 -05:00
Jon Janego
9c610e8bab Update links in CodeQL CLI changelog 2025-10-08 10:57:17 -05:00
Owen Mansel-Chan
2f22acdd06 Remove hashing example when not covered by query 2025-10-08 16:48:57 +01:00
Jon Janego
f8626cd417 changedocs for 2.23.2 2025-10-08 10:42:10 -05:00
REDMOND\brodes
bd34b6ce02 Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce 2025-10-08 11:41:21 -04:00
REDMOND\brodes
143be8cc35 Crypto: Remove redundant queries. 2025-10-08 10:26:05 -04:00
REDMOND\brodes
1b1b333e8b Crypto: Modify suggested queries per misc. side conversations on standards. Remove redundant query. Fix QL-for-QL issues. 2025-10-08 10:21:06 -04:00
REDMOND\brodes
cf88e3f52d Crypto: Standardize naming where use of "family" and "type" have been used. Prefer 'type'. 2025-10-08 09:54:53 -04:00
REDMOND\brodes
bba541c016 Merge remote-tracking branch 'upstream/java-crypto-check' into santander-java-crypto-check 2025-10-08 09:30:26 -04:00
Owen Mansel-Chan
0bcdb91639 Improve qhelp for broken crypto algo queries 
Previously it focussed too much on the risk of data being decrypted,
and didn't explain why using weak algorithms is a problem in other
contexts.
 2025-10-08 14:10:54 +01:00
Owen Mansel-Chan
2a1c9d8ec1 Remove erroneous comma 2025-10-08 14:08:36 +01:00