hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,334 Commits 1,671 Branches 157 Tags
ginsbach/OverlayCallerJava
Commit Graph

3040 Commits

Author SHA1 Message Date
Max Schaefer
5b07e14fb3 Merge pull request #16055 from github/max-schaefer/go-open-redirect-qhelp 
Go: Improve QHelp for `go/unvalidated-url-redirection`.
 2024-03-27 13:56:48 +00:00
Henry Mercer
0646744928 Merge branch 'main' into henrymercer/merge-back-rc-3.13 2024-03-26 12:59:12 +00:00
Max Schaefer
d7258f76d3 Go: Improve QHelp for go/unvalidated-url-redirection. 
The example showed a different (and better) fix from what the help claimed, but the suggestion also had a subtle bug that I fixed at the same time.
 2024-03-26 10:57:36 +00:00
Michael B. Gale
f84609dbc4 Go: Add changenote for CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO change 2024-03-26 10:51:57 +00:00
Max Schaefer
ff23f572d0 Merge pull request #16038 from github/max-schaefer/string-break-qhelp 
Go: Improve QHelp for `go/unsafe-quoting`.
 2024-03-25 20:10:02 +00:00
Max Schaefer
5bc710b406 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2024-03-25 19:48:56 +00:00
github-actions[bot]
f67b5f9158 Post-release preparation for codeql-cli-2.16.6 2024-03-25 18:17:15 +00:00
github-actions[bot]
71ab804274 Release preparation for version 2.16.6 2024-03-25 16:58:08 +00:00
Geoffrey White
4a4c77e81d Remove claims about models-as-data that require you to select a parameter from non-Java languages. We believe this is only possible in Java. 2024-03-25 15:41:00 +00:00
Max Schaefer
120fb93c23 Go: Improve QHelp for go/unsafe-quoting. 2024-03-25 13:32:51 +00:00
Max Schaefer
ffbe3e6ed4 Merge pull request #16020 from github/max-schaefer/go-path-injection-qhelp 
Go: Update query help for `go/path-injection` to include example fixes.
 2024-03-25 10:25:36 +00:00
Max Schaefer
034ed17227 Apply suggestions from code review 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2024-03-22 15:24:29 +00:00
Max Schaefer
bc9396e0e6 Address suggestions from review. 2024-03-22 13:19:36 +00:00
Max Schaefer
4e4cd52f63 Go: Update query help for go/path-injection to include example fixes. 2024-03-22 11:45:59 +00:00
Arthur Baars
c219b1a3c7 Merge pull request #16013 from github/rc/3.13 
Merge rc/3.13 into main
 2024-03-21 16:04:58 +01:00
Henry Mercer
4e3a6e2140 Merge pull request #15874 from github/henrymercer/mark-loc-as-telemetry 
Show lines of code data in debug mode only
 2024-03-21 12:20:09 +00:00
Michael Nebel
6619be3137 Merge pull request #15940 from michaelnebel/csharp/sourcesinktests 
C#: Source- and sink tests.
 2024-03-21 08:12:16 +01:00
Henry Mercer
a76832f4e0 Mark LOC queries as debug instead 2024-03-20 21:18:55 +00:00
Michael B. Gale
c74d6348f9 Go: Run go with a valid toolchain version if we have found an invalid one 2024-03-20 13:55:37 +00:00
Michael B. Gale
0d527b2f75 Go: Keep track of all installed toolchains that we know of 2024-03-20 13:52:06 +00:00
Michael B. Gale
96a6dd72cd Go: Move go version command construction into its own function 2024-03-20 13:08:59 +00:00
Michael B. Gale
06134467e9 Go: Make CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO true by default 2024-03-20 12:01:49 +00:00
Michael B. Gale
be027e217e Go: Emit diagnostic for invalid toolchain versions 2024-03-19 16:26:06 +00:00
Dave Bartolomeo
311ba8ea1b Merge from main to resolve conflicts 2024-03-19 10:41:31 -04:00
Michael Nebel
70c6744944 Java/Go/Swift: Sync changes. 2024-03-19 14:20:43 +01:00
Tom Hvitved
fc55567d90 Merge pull request #15853 from hvitved/dataflow/get-location 
Data flow: Replace `hasLocationInfo` with `getLocation`
 2024-03-18 20:21:46 +01:00
Michael B. Gale
3649af3f05 Go: Add test for go/autobuilder/invalid-go-toolchain-version diagnostic 2024-03-18 17:56:59 +00:00
github-actions[bot]
aebe9f6992 Post-release preparation for codeql-cli-2.16.5 2024-03-18 12:16:26 +00:00
github-actions[bot]
0a6243d07b Release preparation for version 2.16.5 2024-03-18 10:14:07 +00:00
Max Schaefer
d3e0a90ae5 Go: Mention raw string iterals in QHelp for go/incomplete-hostname-regexp. 2024-03-15 11:22:40 +00:00
Tony Torralba
20691e409c Add change note 2024-03-14 11:56:43 +01:00
Tony Torralba
87b2dcc892 Adjust test expectations 2024-03-14 10:25:04 +01:00
Tony Torralba
d8c0ab8e1f Go: Consider more strings as hardcoded credentials 2024-03-14 10:11:39 +01:00
Tom Hvitved
e4a4c18166 Go: Implement new data flow interface 2024-03-13 14:41:57 +01:00
Tom Hvitved
dddba3228b Merge pull request #15867 from hvitved/dataflow/ap-limit 
Data flow: Add `ConfigSig::accessPathLimit`
 2024-03-12 14:57:51 +01:00
Owen Mansel-Chan
33c17313b4 Add test for not extracting values for intermediate string concatenations 2024-03-12 11:59:10 +00:00
Kevin Stubbings
5acc15bfff fix grammar 2024-03-11 20:13:08 -07:00
Kevin Stubbings
30fe4168e3 Removed filepath.base sanitizer 2024-03-11 15:08:10 -07:00
Kevin Stubbings
c4c0b22bc7 Formattinga and change notes 2024-03-11 14:54:30 -07:00
Kevin Stubbings
c9b49d3760 resolve feedback 2024-03-11 14:54:28 -07:00
Kevin Stubbings
530c76ca8b Add New Sanitizers and Modify Old Ones 2024-03-11 14:53:29 -07:00
Henry Mercer
c325ff8a23 Mark lines of code queries as telemetry queries 
The new file coverage metrics are available in all supported GHES
versions. This PR tags lines of code queries as telemetry queries. Lines
of code information will still be available in the SARIF file, but it
will no longer be displayed in the logging output of the CLI.

The one exception is the metric queries for Java/Kotlin that provides
separate lines of code information for Java and Kotlin. I've kept these
since separate file coverage information for languages like Java and
Kotlin is only available for GHES 3.12 and later.
 2024-03-11 16:40:31 +00:00
Tony Torralba
04436208ab Merge pull request #15843 from atorralba/atorralba/go/uncontrolled-allocation-size 
Go: Promote `go/uncontrolled-allocation-size` from experimental
 2024-03-11 16:12:27 +01:00
Tony Torralba
ff2d78d2c8 Update go/ql/src/Security/CWE-770/UncontrolledAllocationSize.ql 2024-03-11 15:53:40 +01:00
Tom Hvitved
da66281fef Sync files 2024-03-11 13:02:04 +01:00
Owen Mansel-Chan
da8cc13506 go extractor: avoid long string concatenations 
When we see "a" + "b" + "c" + "d", do not add a
row to the constvalues table for the intermiediate
strings "ab" and "abc". We still have entries for
the string literals ("a", "b", "c", and "d") and
the whole string concatenation ("abcd").
 2024-03-11 10:53:26 +00:00
Tony Torralba
a09eb9f4c5 Update go/ql/src/Security/CWE-770/UncontrolledAllocationSize.ql 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2024-03-11 08:58:59 +01:00
Owen Mansel-Chan
820c14577a Merge pull request #13553 from am0o0/amammad-go-bombs 
Go: Decompression Bombs
 2024-03-10 13:48:04 +00:00
am0o0
43df6a2c07 add comments for already implemented io.Read and io.WriteTo Sinks. 
remove some sinks about `"decompressor"` which was added wrongly.
change `GeneralReadIoSink` type from module to class.
separate `KlauspostGzipAndPgzip` `KlauspostPgzip` and `KlauspostGzip`.
 2024-03-08 20:05:46 +04:00
am0o0
66130d208e convert abstract predicate isAdditionalFlowStep to non-abstract 2024-03-08 19:30:41 +04:00