hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-07 14:28:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,439 Commits 1,777 Branches 169 Tags
codeql-cli-2.25.0
Commit Graph

86439 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tom Hvitved
a89c82bf74 Handle matrix jobs in accept changes script 2024-11-04 11:49:35 +01:00
Simon Friis Vindum
6b25bea2e5 Rust: Accept consistency results 2024-11-04 11:28:26 +01:00
Simon Friis Vindum
a3c7d5a469 Merge branch 'main' into rust-data-flow-consistency 2024-11-04 11:10:48 +01:00
Simon Friis Vindum
fb26f7861f Merge pull request #17895 from paldepind/rust-data-flow-consistency-query 
Rust: Add data flow consistency queries
 2024-11-04 11:07:46 +01:00
Simon Friis Vindum
714e2fc2c1 Merge branch 'main' into rust-data-flow-consistency-query 2024-11-04 10:42:53 +01:00
Simon Friis Vindum
2ae721bd54 Merge pull request #17897 from github/redsun82/rust-fix-compilation 
Rust: fix semantic merge conflict about semantics
 2024-11-04 10:35:47 +01:00
Simon Friis Vindum
633bac633c Rust: CFG classes are in expression module iff they correspond to expressions 2024-11-04 10:34:08 +01:00
Simon Friis Vindum
7f344fab78 Rust: Add data flow consistency queries 2024-11-04 10:17:50 +01:00
Alvaro Muñoz
4f62573d17 Bump qlpack versions 2024-11-04 10:11:52 +01:00
Alvaro Muñoz
55476af179 Merge pull request #107 from github/query_if 
query: split if expression is always true query
 2024-11-04 10:11:14 +01:00
Alvaro Muñoz
db6f174b79 query: split if expression is always true query 
critical - if the if statement contains a known control check
high - otherwise
 2024-11-04 10:10:47 +01:00
Paolo Tranquilli
6848a22c65 Rust: fix semantic merge conflict about semantics 2024-11-04 10:04:40 +01:00
Paolo Tranquilli
bde517fcb1 Merge pull request #17849 from github/aibaars/single-semantics 
Rust: try to speed things up a bit
 2024-11-04 09:24:26 +01:00
Tom Hvitved
8b8b721788 Data flow: Order provenance output by textual representation 2024-11-04 08:47:30 +01:00
Jami Cogswell
459d16824e Java: weak crypto: do not report weak hash algorithms 2024-11-03 18:22:06 -05:00
Alvaro Muñoz
80f2b24eeb Bump qlpack versions 2024-11-03 22:29:50 +01:00
Alvaro Muñoz
ea20e9b337 fix: Add versioned python binaries to poisonable steps 2024-11-03 22:29:20 +01:00
Simon Friis Vindum
82076ee0b8 Rust: Propagate data flow through a few expression types 2024-11-03 16:12:59 +01:00
Simon Friis Vindum
2bab29d31b Rust: Add local data flow step tests 2024-11-03 16:12:58 +01:00
Simon Friis Vindum
01141ccdc9 Rust: Integrate SSA into data flow 2024-11-03 16:12:56 +01:00
Tom Hvitved
662a824312 Merge pull request #17865 from hvitved/rust/unused-macro-expansion 2024-11-03 09:17:14 +01:00
Chris Smowton
81ff394533 Be explicit about Kotlin database type 2024-11-01 19:02:28 +00:00
Geoffrey White
24c4e87f44 Swift: Fix stray []. 2024-11-01 16:30:15 +00:00
Geoffrey White
f3ea75d27c Swift: Further modelling updates / gap filling that doesn't seem to affect tests. 2024-11-01 16:19:41 +00:00
Geoffrey White
954fbc44bf Swift: Update prefix / suffix models for Swift 6. 2024-11-01 16:19:39 +00:00
Geoffrey White
be12649838 Swift: Update joined models for Swift 6. 2024-11-01 16:19:36 +00:00
Geoffrey White
6f0f73974a Swift: Update dropFirst / dropLast / reversed models for Swift 6. 2024-11-01 16:19:34 +00:00
Chris Smowton
5d3f723df9 Kotlin extractor: use special <nulltype> for null literals 
This matches the Java extractor's treatment of these literals, and so enables dataflow type-tracking to avoid special-casing Kotlin. Natively, Kotlin would regard this as kotlin.Nothing?, the type that can only contain null (kotlin.Nothing without a ? can take nothing at all), which gets Java-ified as java.lang.Void, and this will continue to be used when a null type has to be "boxed", as in representing substituted generic constraints with no possible type.
 2024-11-01 16:14:10 +00:00
Tom Hvitved
c4adec3010 Address review comment 2024-11-01 15:28:17 +01:00
yoff
cec0544ca5 Merge pull request #17789 from aschackmull/python/resolvecall-refactor 
Python: Refactor references to NormalCall.
 2024-11-01 14:20:34 +01:00
Anders Schack-Mulligen
bae61875cd UniversalFlow: Fixup some qldoc. 2024-11-01 14:04:27 +01:00
Taus
0bb5b4b9dc Merge pull request #17875 from github/tausbn/python-improve-parser-logging-and-timing 
Python: Improve parser logging/timing/customisability
 2024-11-01 12:47:46 +01:00
Taus
2892f0ff48 Merge pull request #17873 from github/tausbn/python-fix-generator-expression-locations 
Python: Even more parser fixes
 2024-11-01 12:47:19 +01:00
Simon Friis Vindum
a36095d85b Rust: Add local data flow test with if expression 2024-11-01 11:28:10 +01:00
Rasmus Wriedt Larsen
c0ad9ba529 Merge branch 'main' into js-threat-models 2024-11-01 10:48:32 +01:00
Rasmus Wriedt Larsen
dc8e645594 JS: Convert remaining queries to use ActiveThreatModelSourceAsSource 2024-11-01 10:47:10 +01:00
Tom Hvitved
03ffaac87a Merge pull request #17880 from hvitved/ruby/symbol-string-key-indifference 
Ruby: Do not distinguish between symbols and strings in hash keys
 2024-11-01 10:43:56 +01:00
Rasmus Wriedt Larsen
19fae76a94 JS: Remove dummy comment 
Co-authored-by: Asger F <asgerf@github.com>
 2024-11-01 10:24:22 +01:00
Paolo Tranquilli
03aef50836 Merge pull request #17883 from github/redsun82/rust-analysis 
Rust: use common config for analysis
 2024-10-31 17:46:15 +01:00
Paolo Tranquilli
c6585b726a Rust: use common config for analysis 
Now that the nightly bundle has the default query set, we don't need a special
inline config.
 2024-10-31 16:44:07 +01:00
Brandon Stewart
0b7de6e86a add rule to detect if default setup would be more appropriate 2024-10-31 15:28:55 +00:00
Jeroen Ketema
03ced1795a Merge pull request #17694 from jketema/multiple-entry-point 
C++: Do not generate IR for functions with multiple entry points
 2024-10-31 16:16:03 +01:00
Paolo Tranquilli
e5a199b821 Rust: accept test changes due to toString implementations 2024-10-31 16:02:56 +01:00
Paolo Tranquilli
1f356078ff Swift: temporarily accept test changes 2024-10-31 15:57:31 +01:00
Rasmus Wriedt Larsen
61e60de969 JS: Model readline as a stdin threat-model source 
Technically not always true, but my assumption is that +90% of the time
that's what it will be used for, so while we could be more precise by
adding a taint-step from the `input` part of the construction, I'm not
sure it's worth it in this case.

Furthermore, doing so would break with the current way we model
threat-model sources, and how sources are generally modeled in JS... so
for a very pretty setup it would require changing all the other `file`
threat-model sources to start at the constructors such as
`fs.createReadStream()` and have taint-propagation steps towards the
actual use (like we do in Python)...

I couldn't see an easy path forwards for doing this while keeping the
Concepts integration, so I opted for the simpler solution here.
 2024-10-31 14:29:30 +01:00
Rasmus Wriedt Larsen
eca8bf5a35 JS: Do simple modeling of process.stdin as threat-model source 2024-10-31 14:26:45 +01:00
Paolo Tranquilli
cee2ed0ec4 Rust: extract some resolved paths 2024-10-31 14:19:15 +01:00
Alvaro Muñoz
230b2ff4d8 Bump qlpack versions 2024-10-31 14:17:44 +01:00
Alvaro Muñoz
c6048a6fa1 tests: Update tests 2024-10-31 14:16:56 +01:00
Rasmus Wriedt Larsen
34b86c39c1 JS: Model fs.promises.readFile as file source 
You could argue that proper modeling be done in the same way as
`NodeJSFileSystemAccessRead` is done for the callback based `fs` API (in
NodeJSLib.qll). However, that work is straying from the core goals I'm
working towards right now, so I'll argue that "perfect is the enemy of
good", and leave this as is for now.
 2024-10-31 14:09:38 +01:00