hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-19 13:48:30 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,274 Commits 1,760 Branches 167 Tags
codeql-cli-2.25.4
Commit Graph

25 Commits

Author SHA1 Message Date
MarkLee131
28a6ff208c Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer 
# Conflicts:
#	java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
#	java/ql/test/query-tests/security/CWE-532/Test.java
 2026-04-29 20:59:59 +08:00
MarkLee131
75162bb9eb Update java/ql/test/query-tests/security/CWE-532/Test.java 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-04-29 20:53:58 +08:00
MarkLee131
46ef0204ef Remove secretQuestion from FP exclusion list 
secretQuestion is ambiguous: it could be the question text (not
sensitive) or a security question answer. Worse, the regex
secrets?(question) also matches secretQuestionAnswer, which is
clearly sensitive. Drop it to avoid false negatives.
 2026-04-04 21:58:32 +08:00
MarkLee131
f338ded349 Java: treat hash/encrypt/digest methods as sensitive-log sanitizers 
The sensitive-log query (CWE-532) lacked sanitizers for hashed or
encrypted data, while the sibling cleartext-storage query (CWE-312)
already recognized methods with "encrypt", "hash", or "digest" in their
names as sanitizers (CleartextStorageQuery.qll:86).

This adds an EncryptionBarrier to SensitiveLoggingQuery that applies the
same name-based heuristic, making the two queries consistent. Calls like
DigestUtils.sha256Hex(password) or hashPassword(secret) are no longer
flagged when their results are logged.
 2026-04-04 21:35:36 +08:00
MarkLee131
20cfe29199 Java: reduce false positives in sensitive-log by expanding FP exclusion regex 
The getCommonSensitiveInfoFPRegex() only excluded "null", "tokenizer", and
"tokenImage", causing widespread false positives for common non-sensitive
variable names containing "token" or "secret".

This adds exclusions for three categories:
- Pagination/iteration tokens: nextToken (AWS SDK), pageToken (GCP),
  continuationToken (Azure), etc.
- Token metadata: tokenType (OAuth), tokenEndpoint (OIDC), tokenCount,
  tokenIndex, tokenLength, tokenUrl, etc.
- Secret metadata: secretName (K8s/AWS), secretId (Azure),
  secretVersion, secretArn, secretPath, etc.

All truly sensitive variable names (accessToken, clientSecret, secretKey,
refreshToken, etc.) remain correctly flagged.
 2026-04-04 21:33:35 +08:00
Owen Mansel-Chan
1a59839f3c Range library recognises long literals now 2025-11-24 14:10:54 +00:00
Owen Mansel-Chan
ec381e4ec5 Use range analysis and improve tests 2025-11-21 10:31:50 +00:00
aegilops
e904520779 Fixed formatting 2025-11-20 17:34:42 +00:00
aegilops
62ee6d3a33 Made changes requested by reviewers - bounded() for range checking, style and better comments 2025-11-20 11:46:42 +00:00
aegilops
fa703e3e60 Test cases for sensitive logging sanitizer 2025-11-14 16:53:46 +00:00
Nora Dimitrijević
6134518d60 [TEST] Java: SensitiveLogInfo: convert to qlref 2025-07-17 18:59:01 +02:00
Michael Nebel
0a1d2d0bbb Java: Update all test util paths to point to the new location. 2024-12-12 13:21:25 +01:00
Owen Mansel-Chan
e259b25428 Add "tokenizer" to sensitive variable name FPs 2024-07-30 15:38:32 +01:00
Owen Mansel-Chan
bdff0fdcc5 Add test for "tokenizer" 2024-07-30 15:37:46 +01:00
Owen Mansel-Chan
0d71072f94 Make test more compact 2024-07-30 15:36:59 +01:00
Owen Mansel-Chan
f4b3bae88b Add test for ParseException use of tokenImage 2024-03-23 23:48:16 +00:00
Owen Mansel-Chan
63a04c056a Add test with tokenImage as used in JavaCC 2024-03-23 21:30:33 +00:00
Owen Mansel-Chan
19ac9e089a Add test 2024-03-03 21:03:41 +00:00
Jeroen Ketema
9d573e5544 Consolidate all InlineFlowTest libraries in the dataflow qlpack 2023-08-24 21:38:46 +02:00
Jeroen Ketema
742eb8dd12 Java: Rewrite InlineFlowTest as a parameterized module 2023-06-15 10:52:10 +02:00
Anders Schack-Mulligen
ec34d44359 Java: Rename references. 2023-03-23 13:06:19 +01:00
Anders Schack-Mulligen
e7f85673e9 Java: Fix tests and make modules private 2023-03-08 13:35:25 +01:00
Anders Schack-Mulligen
46d6f5af7e Java: Update some tests. 2023-02-21 13:14:35 +01:00
Tony Torralba
5db8306fef Stop considering usernames sensitive info 
Require variables to be static to be considered constants
 2022-05-12 11:46:52 +02:00
Joe Farebrother
06f2c03828 Add tests 2022-03-11 17:44:52 +00:00