hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
31,240 Commits 1,671 Branches 157 Tags
codeql-cli-2.7.6
Commit Graph

4152 Commits

Author SHA1 Message Date
Benjamin Muskalla
8ce841493c Avoid taint for valueOf(Object) 2021-08-03 14:46:55 +02:00
Anders Schack-Mulligen
c0d76da1a6 Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch 
Java: Promote Unsafe resource loading in Android WebView from experimental
 2021-08-03 14:24:34 +02:00
Tony Torralba
f5cbec4938 Fix tests affected by Jackson stubs changes 2021-08-03 14:22:55 +02:00
Anders Schack-Mulligen
fb9feabe64 Merge pull request #6062 from atorralba/atorralba/promote-groovy-injection 
Java: Promote Groovy Code Injection from experimental
 2021-08-03 14:19:15 +02:00
Tony Torralba
a33e0bce9d Fix tests affected by Jackson stubs changes 2021-08-03 13:15:45 +02:00
Tony Torralba
c44de87503 Fix reference to PostUpdateNode 2021-08-03 12:45:12 +02:00
Chris Smowton
36379146c5 Resync dataflow clone 2021-08-03 11:03:30 +01:00
Joe Farebrother
a4659f4e96 Exclude package protected members 2021-08-03 10:51:39 +01:00
Chris Smowton
afa827829a Make imports private where possible 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-08-03 10:36:46 +01:00
Chris Smowton
a52c4746bc Improve docs 2021-08-03 10:36:46 +01:00
Chris Smowton
75310a6609 Create a dataflow instance specifically for the Serializability library 
Otherwise because this dataflow instance populates AdditionalTaintStep there is an ever-present danger that a user will stumble into creating a recursive configuration, or at least that by using DataFlow5::Configuration for any other purpose they will needlessly recalculate the Serializability dataflow results.
 2021-08-03 10:36:46 +01:00
Chris Smowton
f83f950be6 Merge pull request #6325 from smowton/smowton/feature/org-json-models 
Java: add models of JSON-java, aka `org.json`
 2021-08-03 10:33:49 +01:00
Tony Torralba
084cda6daa Merge branch 'main' into atorralba/promote-groovy-injection 2021-08-03 09:53:46 +02:00
Tony Torralba
36565802dc Delete unnecesary file 
RequestForgery.expected in experimental was an artifact from a merge that wasn't adequately removed
 2021-08-03 09:48:04 +02:00
Tony Torralba
8852f69d36 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-08-03 09:46:32 +02:00
github-actions[bot]
cd65baf481 Add changed framework coverage reports 2021-08-03 00:07:34 +00:00
Benjamin Muskalla
60c7003667 Optimize return type check 2021-08-02 17:14:44 +02:00
Benjamin Muskalla
fda394858b Turn external API query into diagnostics query 
* Expose (partial) CSV model for the API
* Rework and simplify predicates
 2021-08-02 17:14:44 +02:00
Benjamin Muskalla
8595ae71f7 Simplify api coverage detection 
Fixes a bug that doesn't take super types into account
when computing the usage of a specific API.
 2021-08-02 17:14:44 +02:00
Benjamin Muskalla
3365634259 Expose csv parameter format predicate 2021-08-02 17:14:44 +02:00
Benjamin Muskalla
aab633eced Reformat 2021-08-02 17:14:43 +02:00
Benjamin Muskalla
2064915d3b Fold JDK API query into external API query 2021-08-02 17:14:43 +02:00
Benjamin Muskalla
0c04c9a2c2 Fix aggregation of jar usages 2021-08-02 17:14:43 +02:00
Benjamin Muskalla
722889e881 Make id unique 2021-08-02 17:14:42 +02:00
Benjamin Muskalla
d9285e78c0 Add query to collect external API calls 2021-08-02 17:14:42 +02:00
Benjamin Muskalla
07303ccbb3 Fix formatting 2021-08-02 17:14:42 +02:00
Benjamin Muskalla
b9f6b60c4d Introduce query to capture external libraries 2021-08-02 17:14:41 +02:00
Benjamin Muskalla
32f52ac30d Improve column names 2021-08-02 17:14:41 +02:00
Benjamin Muskalla
18e3763f90 Expose whether APIs are already supported 2021-08-02 17:14:41 +02:00
Benjamin Muskalla
9b6ae9029f Introduce query for capture JDK API usage 2021-08-02 17:14:40 +02:00
Chris Smowton
fad1622730 Merge pull request #5435 from haby0/DynamicallyLoadedClasses 
Java: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
 2021-08-02 16:04:30 +01:00
Tony Torralba
08bdd1aa7a Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 16:05:38 +02:00
Tony Torralba
8b50b3d00f Add jackson-core to test dependencies 2021-08-02 16:04:49 +02:00
Chris Smowton
09a873138d Add missing qldoc 2021-08-02 14:48:42 +01:00
Chris Smowton
170bb43393 Update java/ql/test/library-tests/frameworks/json-java/test.ql 
Remove unnecessary import

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-08-02 14:46:38 +01:00
Chris Smowton
8a78075d3d Remove redundant method taint flow specifications 2021-08-02 14:30:31 +01:00
Anders Schack-Mulligen
53e6ddfeb6 Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection 
Java: Promote MVEL injection query from experimental
 2021-08-02 14:40:26 +02:00
Tony Torralba
f4b78ef3bd Fix stubs 2021-08-02 14:12:05 +02:00
Tony Torralba
9b384d84cc Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 14:06:45 +02:00
Tony Torralba
351a24558d Add tests for JacksonSerializability 
Upgraded jackson stubs to 2.12
 2021-08-02 14:03:30 +02:00
Tony Torralba
632ae747c7 Fix JacksonModel duplicate row 2021-08-02 12:53:30 +02:00
Anders Schack-Mulligen
3b676d432f Merge pull request #5900 from artem-smotrakov/unsafe-jackson-deserialization 
Java: Unsafe deserialization with Jackson
 2021-08-02 12:45:30 +02:00
Anders Schack-Mulligen
6c973b59ac Update java/ql/src/semmle/code/java/frameworks/Jackson.qll 2021-08-02 10:16:42 +02:00
Tony Torralba
9fadb26325 Fix qhelp sample 2021-08-02 10:00:59 +02:00
Tony Torralba
4435853c8a Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-08-02 09:56:40 +02:00
Fosstars
bd7e7b1371 Better qldoc for timing attacks 2021-08-01 10:18:37 +02:00
Fosstars
44e52517ad Removed unsafeMacCheckWithArraysDeepEquals() test 2021-08-01 10:12:38 +02:00
Fosstars
0fc487fb04 Better qhelp for timing attacks 2021-08-01 09:57:14 +02:00
Artem Smotrakov
9b953cf0fc Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-08-01 09:47:07 +02:00
Fosstars
ad54c9d937 Two queries for timing attacks 2021-08-01 09:47:07 +02:00