hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,482 Commits 1,671 Branches 157 Tags
move-cors-query-from-experimental2
Commit Graph

3115 Commits

Author SHA1 Message Date
idrissrio
ac52a1b123 Java: Move extractorInformationSkipKey predicate to library pack 2025-07-29 09:45:18 +02:00
Nora Dimitrijević
fbee6bbe21 Merge pull request #20077 from d10c/d10c/diff-informed-phase-3-java 
Java: Diff-informed queries: phase 3 (non-trivial locations)
 2025-07-21 11:23:12 +02:00
Anders Schack-Mulligen
937e3dc469 Merge pull request #20091 from aschackmull/java/fix-cfg-cp-assert 
Java: Fix accidental CP in CFG for asserts.
 2025-07-21 09:07:19 +02:00
Anders Schack-Mulligen
d64a9368d2 Merge pull request #20088 from aschackmull/java/joinorders1 
Java: Improve several join-orders
 2025-07-18 14:54:26 +02:00
Anders Schack-Mulligen
bc2e7d4e0d Java: Fix accidental CP in CFG for asserts. 2025-07-18 13:53:15 +02:00
Anders Schack-Mulligen
d9f47bdec9 Java: Improve join-order by properly annotating haveIntersection. 2025-07-18 11:48:50 +02:00
Anders Schack-Mulligen
12732525b5 Java: Allow 2-column join on delta to improve join-order. 2025-07-18 11:45:45 +02:00
Nora Dimitrijević
24c28ed873 [DIFF-INFORMED] Java: UnsafeCertTrust 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql#L21
 2025-07-17 19:02:13 +02:00
Nora Dimitrijević
ea4af8323c [DIFF-INFORMED] Java: TrustBoundaryViolation 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql#L18
 2025-07-17 19:02:09 +02:00
Nora Dimitrijević
7888dcbce2 [DIFF-INFORMED] Java: TempDirLocalInformationDisclosure 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql#L56
 2025-07-17 19:02:07 +02:00
Nora Dimitrijević
3785dbec9e [DIFF-INFORMED] Java: TaintedEnvironmentVariable 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql#L22
 2025-07-17 19:02:05 +02:00
Nora Dimitrijević
b3b139bb02 [DIFF-INFORMED] Java: SqlConcatenated 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql#L27
 2025-07-17 19:02:04 +02:00
Nora Dimitrijević
45b627df1d [DIFF-INFORMED] Java: SensitiveLogging 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql#L20
 2025-07-17 19:02:02 +02:00
Nora Dimitrijević
bc0b383595 [DIFF-INFORMED] Java: MaybeBrokenCryptoAlgorithm 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql#L25
 2025-07-17 19:02:00 +02:00
Nora Dimitrijević
b688df9dec [DIFF-INFORMED] Java: LogInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-117/LogInjection.ql#L20
 2025-07-17 19:01:58 +02:00
Nora Dimitrijević
2d734056b1 [DIFF-INFORMED] Java: InsecureLdapAuth 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql#L21
 2025-07-17 19:01:56 +02:00
Nora Dimitrijević
74b37e71a0 [DIFF-INFORMED] Java: InsecureCookie 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql#L21
 2025-07-17 19:01:52 +02:00
Nora Dimitrijević
19e5c3d805 [DIFF-INFORMED] Java: ImproperValidationOfArray… 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql#L48
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql#L28
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql#L26
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql#L24
 2025-07-17 19:01:50 +02:00
Nora Dimitrijević
1c6ecf1216 [DIFF-INFORMED] Java: UntrustedDataToExternalAPI 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql#L20
 2025-07-17 18:59:15 +02:00
Nora Dimitrijević
0cf1195678 [DIFF-INFORMED] Java: ConditionalBypass 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql#L26
 2025-07-17 18:59:14 +02:00
Nora Dimitrijević
0bcdb421ed [DIFF-INFORMED] Java: ArithmeticUncontrolled 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql#L36
 2025-07-17 18:59:11 +02:00
Nora Dimitrijević
54546f6e99 [DIFF-INFORMED] Java: ArithmeticTainted 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql#L35
 2025-07-17 18:59:09 +02:00
Nora Dimitrijević
8353fdd041 [DIFF-INFORMED] Java: (Android)SensitiveCommunication 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql#L20
 2025-07-17 18:59:06 +02:00
Anders Schack-Mulligen
996de78a66 Java: Prune PathGraph for CsrfUnprotectedRequestType.ql 2025-07-17 15:06:38 +02:00
Anders Schack-Mulligen
1485d7072d Merge pull request #19885 from aschackmull/java/annotated-exit-cfg 
Java: Add AnnotatedExitNodes to the CFG.
 2025-07-17 15:02:24 +02:00
Owen Mansel-Chan
af977e9ac7 Merge pull request #20067 from owen-mc/java/unsafe-deserialization-mad-sinks 
Java: allow the definition of `java/unsafe-deserialization` sinks using data extensions
 2025-07-17 13:42:31 +01:00
Owen Mansel-Chan
6629bd8279 No need to deprecate classes when module is deprecated 2025-07-17 11:52:31 +01:00
Owen Mansel-Chan
b361f76643 Delete unused private class 2025-07-17 11:36:06 +01:00
Anders Schack-Mulligen
54775e0958 Java: Adjust Paths.qll 2025-07-17 11:21:26 +02:00
Anders Schack-Mulligen
fbe79e8a52 Java: Add AnnotatedExitNodes to the CFG. 2025-07-17 11:21:26 +02:00
Owen Mansel-Chan
fdd1e3fefe Use MaD models for unsafe deserialization sinks when possible 
Many of the unsafe deserialization sinks have to stay defined in QL
because they have custom logic that cannot be expressed in MaD models.
 2025-07-16 14:42:07 +01:00
Kasper Svendsen
9c3e275e66 Merge pull request #20011 from kaspersv/kaspersv/discard-xml 
Overlay: Add XML and Java property discarding
 2025-07-15 16:13:38 +02:00
Kasper Svendsen
f84a3084f0 Address review comment about ignored QL variable 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2025-07-15 15:34:08 +02:00
Nick Rolfe
c199d0cbbe Java: use overlayChangedFiles in discard prediactes 2025-07-15 10:10:32 +01:00
Owen Mansel-Chan
03e8865933 Merge pull request #20025 from owen-mc/java/unsafe-deserialization 
Java: add extra sink for `java/unsafe-deserialization`
 2025-07-11 23:59:22 +01:00
Owen Mansel-Chan
8e4bd1a102 Add sink for ObjectInput.readObject to make test pass 2025-07-11 11:05:38 +01:00
Owen Mansel-Chan
006d77ffdd Refactor QL to make type check more concise 2025-07-11 06:13:01 +01:00
Kasper Svendsen
0739c03d03 Overlay: Add discarding of base XML locatables for Java 2025-07-10 12:31:16 +02:00
Kasper Svendsen
d7094a96b5 Overlay: Add discarding of all Java base properties 2025-07-10 12:31:15 +02:00
Jonas Jensen
5a1246a586 Merge remote-tracking branch 'upstream/main' into approximate-related-location 2025-07-09 10:10:20 +02:00
Kasper Svendsen
785e0273f2 Merge pull request #19968 from kaspersv/kaspersv/overlay-java-getastrictancestor-caller 
Overlay: Mark `RefType.getAStrictAncestor`` overlay[caller?]`
 2025-07-04 09:38:02 +02:00
Kasper Svendsen
dd8af3baf7 Overlay: Mark RefType.getAStrictAncestor overlay[caller?] 2025-07-03 12:23:20 +02:00
Kasper Svendsen
649091c0ed Fix java/local-temp-file-or-directory-information-disclosure overlay compilation regression 2025-07-03 10:47:33 +02:00
Asger F
4a2d795076 Shared: Make approximate location filtering the default behaviour 2025-07-02 14:41:02 +02:00
Asger F
82d190f4bf Java: use approximate related sink locations in polynomial redos 2025-07-02 14:40:56 +02:00
Kasper Svendsen
3d7343273e Merge pull request #19813 from github/kaspersv/overlay-java-discarding 
Overlay: Add manual Java overlay annotations & discard predicates
 2025-06-30 11:17:31 +02:00
Kasper Svendsen
c7194a4012 Overlay: Add missing QLDoc 2025-06-30 08:40:46 +02:00
Kasper Svendsen
e02affd327 Merge pull request #19901 from github/kaspersv/overlay-guards-inline 
Overlay: Add missing `overlay[caller?]` annotation
 2025-06-27 15:13:09 +02:00
Kasper Svendsen
5096ce405f Overlay: Add missing overlay[caller?] annotation 2025-06-27 10:50:28 +02:00
Jonas Jensen
b446fe74c2 Merge pull request #19846 from jbj/diff-informed-CleartextStorageCookie 
Java: Diff-informed CleartextStorageCookie.ql
 2025-06-27 08:45:11 +02:00