hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,540 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.8
Commit Graph

5940 Commits

Author SHA1 Message Date
Tamas Vajk
53daa7c436 Java: Migrate LDAP injection sinks to CSV format 2021-04-09 09:15:47 +02:00
luchua-bc
11304b2ae1 Update qldoc and change the wrapper method implementation 2021-04-09 02:21:59 +00:00
Artem Smotrakov
b39a3ab12c Added setVariable() sink 2021-04-08 20:41:43 +03:00
Anders Schack-Mulligen
6109ef5e88 Merge pull request #5475 from Marcono1234/marcono1234/minus-literal 
Java: Improve documentation regarding minus in front of numeric literals
 2021-04-08 16:11:14 +02:00
Anders Schack-Mulligen
d42a01cb3a qldoc fixup 2021-04-08 15:45:21 +02:00
haby0
3f0a3266aa [Java] CWE-348: Use of less trusted source 2021-04-08 17:14:03 +08:00
Tom Hvitved
2faf52b6bd Java: Remove unique wrapper from DataFlow::Node::getEnclosingCallable()` 2021-04-08 10:07:19 +02:00
Artem Smotrakov
a764a79090 Always bind arguments in TaintPropagatingCall 2021-04-07 21:12:21 +03:00
Artem Smotrakov
c13ee0859a LambdaExpression should extend JakartaType 2021-04-07 21:02:21 +03:00
Artem Smotrakov
3d8e173c57 Removed a reference to Apache Commons EL 2021-04-07 20:59:07 +03:00
Artem Smotrakov
80ac2aff26 Fixed typos 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-04-07 20:55:03 +03:00
intrigus
d1462eda1c [Java] Add "missing jwt signature check" query. 2021-04-06 00:59:31 +02:00
luchua-bc
1349bf7b0b Create a .qll file to reuse the code and add check of Spring properties 2021-03-30 11:25:29 +00:00
haby0
0775d35591 update VerificationMethodFlowConfig, add if test 2021-03-29 12:02:37 +08:00
luchua-bc
5ce3f9d6ff Update qldoc and enhance the query 2021-03-28 16:10:35 +00:00
luchua-bc
a53cbc1631 Update qldoc and make the query more readable 2021-03-27 00:11:01 +00:00
luchua-bc
a72b1340eb Add a comment on how to run the query 2021-03-26 16:51:43 +00:00
Chris Smowton
3a274424ab Convert fluent method models to csv and generalise to the three different variants of StrBuilder. 2021-03-26 14:31:36 +00:00
Chris Smowton
851317e34f Add models for StrBuilder's fluent methods 2021-03-26 14:31:36 +00:00
Anders Schack-Mulligen
506c95d098 Merge pull request #5372 from smowton/smowton/feature/commons-lang-models-to-csv 
Java: Convert existing Commons Lang models to CSV
 2021-03-26 10:18:23 +01:00
luchua-bc
d33b04cd96 Query to detect plaintext credentials in Java properties files 2021-03-26 02:33:40 +00:00
Porcuiney Hairs
2ca95166d9 Java : add query to detect insecure loading of Dex File 2021-03-26 01:59:11 +05:30
Chris Smowton
eaa2d4d831 Stop using wildcard Argument 
All instances are replaced with a specific Argument or range.
 2021-03-25 15:42:35 +00:00
Chris Smowton
2f34588770 Constructor models: use Argument[-1] for the result, not ReturnValue 2021-03-25 15:23:08 +00:00
Anders Schack-Mulligen
28fb0edfbe Merge pull request #4920 from luchua-bc/java/hash-without-salt 
Java: Query to detect hash without salt
 2021-03-25 16:13:26 +01:00
Chris Smowton
a5220bf616 Convert StrBuilder models to CSV 2021-03-25 15:11:52 +00:00
Chris Smowton
25a0e09130 Convert StringUtils models to CSV 2021-03-25 15:11:52 +00:00
Chris Smowton
1beac06236 Translate ArrayUtils models to CSV 2021-03-25 15:11:51 +00:00
Chris Smowton
7fb5bd0cab Add tests for and slightly expand models of Commons Lang's ArrayUtils class 2021-03-25 15:11:51 +00:00
Anders Schack-Mulligen
344c2d3c3d Update java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql 2021-03-25 15:42:57 +01:00
Anders Schack-Mulligen
75afa011ff Java: Add metadata to several more experimental queries. 2021-03-25 13:09:26 +01:00
luchua-bc
57bd3f3c14 Optimize the taint flow source 2021-03-25 10:44:26 +00:00
Anders Schack-Mulligen
d53c334488 Merge branch 'java/fix-experimental-query-metadata' into java/cleanup 2021-03-25 10:36:36 +01:00
Anders Schack-Mulligen
28ff3f412d Java: Add severity and precision metadata to experimental queries. 2021-03-25 10:29:47 +01:00
Anders Schack-Mulligen
c82b5eb040 Java: Remove code duplication library. 2021-03-25 10:06:10 +01:00
Anders Schack-Mulligen
4b7440d4d5 Java: Remove precision tag from metric queries. 2021-03-25 09:52:05 +01:00
Anders Schack-Mulligen
70824b3f0b Java: Delete filter queries. 2021-03-25 09:47:31 +01:00
luchua-bc
fe0e7f5eac Change method check to taint flow 2021-03-25 01:45:13 +00:00
luchua-bc
08c3bf26d5 Update the query to accommodate more cases 2021-03-24 23:32:27 +00:00
yo-h
72ae902e0d Merge pull request #5371 from aschackmull/java/framework-coverage 
Java: Add query for CSV framework coverage.
 2021-03-24 17:36:13 -04:00
Anders Schack-Mulligen
d3485cac34 Merge pull request #5512 from aschackmull/java/csv-argument-ranges 
Java: Support argument and parameter ranges in CSV models.
 2021-03-24 15:03:22 +01:00
Anders Schack-Mulligen
4955f95f64 Apply suggestions from code review 
Clarify documentation.

Co-authored-by: Chris Smowton <smowton@github.com>
 2021-03-24 14:32:18 +01:00
Anders Schack-Mulligen
63831cc62b Merge pull request #5099 from porcupineyhairs/javaLogInjection 
Java : Add Log Injection Vulnerability
 2021-03-24 14:30:34 +01:00
Anders Schack-Mulligen
a1ccbcdaf1 Merge pull request #5260 from artem-smotrakov/spring-http-invoker 
Java: Query for detecting unsafe deserialization with Spring exporters
 2021-03-24 13:57:17 +01:00
Anders Schack-Mulligen
41168e2b36 Java: Support argument and parameter ranges. 2021-03-24 13:32:30 +01:00
Anders Schack-Mulligen
234f62fd05 Java: Merge packages that likely belong to the same framework. 2021-03-24 13:17:04 +01:00
haby0
3df23eecb6 Merge remote-tracking branch 'upstream/main' into JsonHijacking 2021-03-24 15:52:01 +08:00
Chris Smowton
fa90655dd0 Partial revert: only introduce inferred taint edges from callsite-crossing value edges if an original taint edge targets the *start* of the value edge. 
Previously we would also take a taint edge targeting a result and a value-preserving edge propagating another argument to the result to imply a taint edge targeting that argument.
 2021-03-23 14:35:03 +00:00
Anders Schack-Mulligen
27408fefe2 Merge pull request #5008 from torque59/cwe-346 
Java: Queries to detect remote source flow origins to CORS header.
 2021-03-23 13:54:00 +01:00
Anders Schack-Mulligen
9a56601dd3 Merge pull request #5164 from luchua-bc/java/insecure-ldap-endpoint 
Java: CWE-297 Query to detect insecure LDAP endpoint configuration
 2021-03-23 13:53:51 +01:00