hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
32,907 Commits 1,671 Branches 157 Tags
codeql-cli-2.8.2
Commit Graph

4548 Commits

Author SHA1 Message Date
Chris Smowton
748008ad51 Remove dangling reference to UnsafeRequestPath.java 2022-01-18 17:08:38 +00:00
luchua-bc
a3d65a8ed0 Update recommendation in qldoc and make examples more comprehendible 2022-01-18 17:01:26 +00:00
Tony Torralba
b16b0270d2 Merge pull request #6779 from atorralba/atorralba/android-implicit-pending-intents 
Java: CWE-927 - Query to detect the use of implicit PendingIntents
 2022-01-18 12:14:47 +01:00
Chris Smowton
9819752bdd Merge pull request #7526 from smowton/smowton/fix/restore-nodes-edges-consistency 
Don't include arg -> param edges in PathGraph::edges where arg is not reachable
 2022-01-18 11:05:47 +00:00
Benjamin Muskalla
7e215a5193 Merge pull request #7599 from bmuskalla/modelWriter 
Java: Model Appenable and Writer
 2022-01-18 11:55:27 +01:00
Tony Torralba
f103d45340 Merge branch 'main' into atorralba/android-implicit-pending-intents 2022-01-18 10:50:49 +01:00
Tony Torralba
3ff7710a18 Improve ExplicitIntent's QLDoc 2022-01-18 10:43:52 +01:00
Tony Torralba
fe2755c4a0 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-01-18 10:41:19 +01:00
Benjamin Muskalla
365a8d9bbd Fix flow for fluent appendable api 2022-01-18 10:41:00 +01:00
Benjamin Muskalla
8e6a15640f Model basic channel APIs 2022-01-18 10:40:39 +01:00
Anders Schack-Mulligen
fff3b5c5b4 Dataflow: Add qldoc. 2022-01-18 10:39:55 +01:00
Anders Schack-Mulligen
aa9912a699 Java: Fix expected output 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
71e39353ca Dataflow: Sync. 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
b22c4e3c56 Dataflow: Bugfix: include subpaths ending at a sink. 2022-01-18 10:34:14 +01:00
Anders Schack-Mulligen
dfa79f6119 Dataflow: Sync. 2022-01-18 10:30:09 +01:00
Anders Schack-Mulligen
46736a137c Dataflow: Don't include subpaths that can't reach a sink. 2022-01-18 10:30:09 +01:00
Chris Smowton
2c37885f6e Sync dataflow 2022-01-18 10:30:09 +01:00
Chris Smowton
7c9b44b4cb Don't include arg -> param edges in PathGraph::edges whose arg is not reachable 
This avoids lots of missing-node warnings from `codeql bqrs interpret` as it discards the nodes that occur in the `edges` relation but not `nodes`. The problem arises because subpaths introduced two variants of `reach`, one of which is more restrictive than simply `reach(succ) and succ = pred.getASuccessor()`, so it no longer suffices to just check that the successor is reachable.
 2022-01-18 10:30:09 +01:00
github-actions[bot]
b8959f7bdb Add changed framework coverage reports 2022-01-18 00:10:52 +00:00
Owen Mansel-Chan
065043b311 Merge pull request #7588 from owen-mc/add-specific-needs-reference-predicates 
Dataflow: Add language-specific NeedsReference predicates
 2022-01-17 15:51:34 +00:00
Tony Torralba
e967b8a9be Merge pull request #6576 from atorralba/atorralba/android-cleartext-storage-filesystem 
Java: Create new query Cleartext storage of sensitive information in Android filesystem
 2022-01-17 14:02:38 +01:00
Tony Torralba
227929508f Merge pull request #6923 from atorralba/atorralba/android-fragment-injection 
Java: CWE-470  - Queries to detect Fragment Injection in Android applications
 2022-01-17 14:02:15 +01:00
Tony Torralba
7beab7cb59 Apply code review suggestions 2022-01-17 12:02:27 +01:00
Chris Smowton
16aa53a928 Add security tag to java/random-used-once 
Raised in https://github.com/github/codeql/issues/7601, this is one of the only .ql files that has a security-severity score but not the tag "security", including many other queries that live outside the `Security/` subdirectory.

Besides this the only other files with this security-severity-but-no-security-tag combination are:

```
java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
```

Given their location I'm assuming these queries are disabled by default and likely shouldn't changed?
 2022-01-17 10:35:34 +00:00
Tony Torralba
a23b8a4a43 Update java/ql/src/Security/CWE/CWE-470/FragmentInjection.inc.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-01-17 11:20:39 +01:00
Tony Torralba
ba3a4fb717 Rename filesystemStore predicate after d9e6e5aa04 2022-01-17 11:13:41 +01:00
Tony Torralba
500deac12d Change query description 2022-01-17 11:11:05 +01:00
Tony Torralba
d9e6e5aa04 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-01-17 11:11:05 +01:00
Tony Torralba
22aad17d0e Apply review suggestions 
Co-authored-by: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
 2022-01-17 11:11:04 +01:00
Tony Torralba
9bbba3c96f Adjust UnsupportedExternalAPIs test 2022-01-17 11:11:04 +01:00
Tony Torralba
1e4840e071 Fix predicate name 2022-01-17 11:11:03 +01:00
Tony Torralba
79ddbd6fe4 Fix QLDoc and the qhelp example 2022-01-17 11:11:03 +01:00
Tony Torralba
c1ac09a063 Added query for Cleartext Storage in Android Filesystem 2022-01-17 11:11:00 +01:00
Artem Smotrakov
825fe1797a Fixed another false-positive in CWE-297/IgnoredHostnameVerification.ql 2022-01-16 18:55:49 +00:00
Artem Smotrakov
6dad0e21d9 Ignore wrapped HostnameVerifier.vefify() calls 2022-01-16 18:29:30 +00:00
Artem Smotrakov
dcf251bb93 Fixed typos in IgnoredHostnameVerification.qhelp 2022-01-16 18:27:49 +00:00
Fosstars
2b33265d0f Added a query for ignored hostname verification 
- Added IgnoredHostnameVerification.ql
- Added a qhelp file with examples
- Added tests
 2022-01-16 18:27:49 +00:00
Artem Smotrakov
f78002bc02 Fixed a false-positive in CWE-297/IgnoredHostnameVerification.ql 2022-01-16 18:25:18 +00:00
Fosstars
e11cb943a6 Added a query for ignored hostname verification 
- Added IgnoredHostnameVerification.ql
- Added a qhelp file with examples
- Added tests
 2022-01-16 18:25:18 +00:00
luchua-bc
4797fce48a Update use cases and qldoc 2022-01-16 01:15:29 +00:00
luchua-bc
978ef1570a Update method names 2022-01-16 01:11:25 +00:00
Andrew Eisenberg
fbb5d7196f Merge branch 'main' into post-release-prep/codeql-cli-2.7.5 2022-01-14 08:23:43 -08:00
Tony Torralba
a2c98baf29 Reordering 2022-01-14 17:17:57 +01:00
Tony Torralba
eb1806c0a9 Split PathMatchGuard into three guards 2022-01-14 17:14:18 +01:00
Ian Lynagh
22dc24629f Fix a couple of typos: clases / clasess 2022-01-14 14:28:29 +00:00
Tony Torralba
fb1287d577 Use dominance instead of getParent 
Add clarification comments to PathMatchGuard
 2022-01-14 15:28:02 +01:00
Tony Torralba
136fefbab5 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-01-14 13:38:17 +01:00
luchua-bc
877c52981f Remove the deprecated library keyword 2022-01-14 12:13:41 +00:00
Tony Torralba
cde7a35c1f QLDoc 2022-01-14 13:12:30 +01:00
Tony Torralba
6aac848015 Fix imports 2022-01-14 12:43:08 +01:00