hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,540 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.8
Commit Graph

14033 Commits

Author SHA1 Message Date
Nicolas Will
fdba3acc4b Crypto: Fix QL-for-QL alert and auto-format 2025-10-09 13:59:51 +02:00
yoff
1ad239459f java: move shared code into Concurrency.qll 2025-10-09 13:36:35 +02:00
yoff
f90e9dbb5e java: favour inline_late over inline 
This gives much greater control over the join-order
 2025-10-09 13:01:25 +02:00
yoff
26c1b2f143 java: adjust test expectations; new queries are enabled in extended 2025-10-09 12:29:42 +02:00
yoff
830f02af1f java: fixes from the CI bots 2025-10-09 09:37:31 +02:00
yoff
93fc287ef1 java: add auto-generated overlay annotations 2025-10-09 09:25:57 +02:00
yoff
a1671ea8af java: small cleanups 
- add missing qldoc
- remove use of `getErasure`
- remove use of `getTypeDescriptor`
- define `ExposedField`
 2025-10-09 09:16:25 +02:00
yoff
821b1de5b3 java: inline char pred 2025-10-09 09:16:25 +02:00
yoff
01ddc11fa7 java: address some review comments 2025-10-09 09:16:25 +02:00
yoff
77734f83d5 java: better detection of thread safe fields. 
Identified by triage of DCA results.
Previously, we did not use the erased type, so would not recgnize `CompletableFuture<R>`.
We now also recognize safe initializers.
 2025-10-09 09:16:25 +02:00
yoff
bf138693a3 java: update expectations for java-code-quality suite 2025-10-09 09:16:07 +02:00
yoff
096d5f2a56 java: implement SCC contraction of the call graph 
Our monitor analysis would be fooled by cycles in the call graph,
since it required all edges on a path to a conflicting access to be either
 - targetting a method where the access is monitored (recursively) or
 - monitored locally, that is the call is monitored in the calling method
For access to be monitored (first case) all outgoing edges (towards an access) need
to satisfy this property. For a loop, that is too strong, only edges out of the loop
actually need to be protected. This led to FPs.
 2025-10-09 09:14:16 +02:00
yoff
5b30153113 java: add Escaping query (P1) 2025-10-09 09:14:16 +02:00
yoff
328b53576a java: add SafePublication query (P2) 2025-10-09 09:14:16 +02:00
yoff
fe487e8bf0 java: add ThreadSafe query (P3) 
Co-authored-by: Raúl Pardo <raul.pardo@protonmail.com>
Co-authored-by: SimonJorgensenMancofi <simon.jorgensen@mancofi.dk>
Co-authored-by: Bjørnar Haugstad Jåtten <bjornjaat@hotmail.com>
 2025-10-09 09:14:16 +02:00
idrissrio
546d59ff9d Java: Wait for test HTTP servers to be ready before running buildless test 2025-10-09 08:37:54 +02:00
REDMOND\brodes
f524de4afc Crypto: Updating insecure iv/nonce to consider if an operation is known for it, and if so do not alert on non-secure random if it is tied to decryption 2025-10-08 16:27:18 -04:00
REDMOND\brodes
7a57496c54 Crypto: Missing test update. 2025-10-08 14:16:47 -04:00
REDMOND\brodes
11e81395b5 Crypto: Updated default flows to use taint tracking (this is needed to fix false positives in the unknown IV/Nonce query). Add the unknown IV/Nonce query and associated test cases. Fix unknown IV/Nonce query to focus on cases where the oepration isn't known or the operation subtype is not encrypt or wrap. 2025-10-08 14:14:17 -04:00
REDMOND\brodes
75b5a9fda8 Crypto: Update general regression test results to account for removal of JCA random source. 2025-10-08 12:55:11 -04:00
REDMOND\brodes
8e10e1937d Crypto: Adding query for unknown IV initialization. 2025-10-08 12:49:54 -04:00
REDMOND\brodes
83ff70bcd8 Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals. 2025-10-08 12:47:58 -04:00
REDMOND\brodes
bd34b6ce02 Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce 2025-10-08 11:41:21 -04:00
REDMOND\brodes
143be8cc35 Crypto: Remove redundant queries. 2025-10-08 10:26:05 -04:00
REDMOND\brodes
1b1b333e8b Crypto: Modify suggested queries per misc. side conversations on standards. Remove redundant query. Fix QL-for-QL issues. 2025-10-08 10:21:06 -04:00
REDMOND\brodes
cf88e3f52d Crypto: Standardize naming where use of "family" and "type" have been used. Prefer 'type'. 2025-10-08 09:54:53 -04:00
REDMOND\brodes
bba541c016 Merge remote-tracking branch 'upstream/java-crypto-check' into santander-java-crypto-check 2025-10-08 09:30:26 -04:00
Owen Mansel-Chan
0bcdb91639 Improve qhelp for broken crypto algo queries 
Previously it focussed too much on the risk of data being decrypted,
and didn't explain why using weak algorithms is a problem in other
contexts.
 2025-10-08 14:10:54 +01:00
Anders Schack-Mulligen
99f5dcaaa4 Java: Fix bug in ConstantExpAppearsNonConstant. 2025-10-08 10:32:51 +02:00
Idriss Riouak
28fe20e3e4 Merge pull request #20595 from github/idrissrio/java-lambda 
Java: Add integration test for buildless lambda recovery
 2025-10-08 09:53:29 +02:00
Alex Eyers-Taylor
77d4af153d Java: Make some query libraries local. 2025-10-07 18:24:37 +01:00
Alex Eyers-Taylor
542bdf0792 Java: Use Overlay dataflow in java. 2025-10-07 17:52:12 +01:00
Alex Eyers-Taylor
c49e2ab2da DataFlow: Add code to do overlay informed dataflow. 2025-10-07 17:52:12 +01:00
idrissrio
f69e5f5ffc Java: Accept new test results after extractor changes 2025-10-07 16:55:53 +02:00
idrissrio
55b15a261a Java: Add integration test for buildless lambda recovery 2025-10-07 16:55:52 +02:00
Anders Schack-Mulligen
18e33b193e Merge pull request #20589 from aschackmull/java/array-entrypoint-read-taint 
Java: Allow taint-read-steps for array sources.
 2025-10-07 15:04:03 +02:00
Anders Schack-Mulligen
7dadbc43fb Java: Add change note. 2025-10-07 13:51:49 +02:00
Anders Schack-Mulligen
f0bfd7053e Java: Add test case. 2025-10-07 13:40:44 +02:00
Anders Schack-Mulligen
11665bea0a Java: Allow taint-read-steps for array sources. 2025-10-07 10:10:02 +02:00
idrissrio
5c6d187ef2 Java: Fix buildless test HTTP server binding on macOS26 2025-10-07 09:24:55 +02:00
Nicolas Will
e2a8d58e02 Merge pull request #20583 from bdrodes/jca_signature_extensions 
Crypto: Add JCA signatures, RNG, and unit tests
 2025-10-06 18:51:30 +02:00
REDMOND\brodes
cb812b47ed Crypto: more non-ascii removal. 2025-10-06 11:53:39 -04:00
Nicolas Will
9e278b9fa4 Merge pull request #20258 from bdrodes/java_nonce_reuse_tests 
Crypto: Add reuse nonce test for Java
 2025-10-06 17:42:25 +02:00
REDMOND\brodes
017a956d5e Crypto: more non-ascii removal. 2025-10-06 11:34:45 -04:00
REDMOND\brodes
abeb3141b1 Crypto: Formatting test cases, more removal of non-ascii 2025-10-06 10:46:09 -04:00
Nicolas Will
15e9bb9cc1 Format Test and update .expected 2025-10-06 16:29:25 +02:00
REDMOND\brodes
96f6832a6f Crypto: Updating expected files for unit tests. 2025-10-06 10:07:15 -04:00
REDMOND\brodes
606aef38cb Crypto: Removing non-ascii characters from unit tests 2025-10-06 09:56:14 -04:00
Ben Rodes
b32a6407b9 Update java/ql/lib/experimental/quantum/JCA.qll 
Co-authored-by: Nicolas Will <nicolaswill@github.com>
 2025-10-06 09:04:19 -04:00
Idriss Riouak
4a1157bff9 Merge pull request #20491 from github/idrissrio/java-maven 
Java: Integration tests for Maven 4
 2025-10-06 14:57:22 +02:00