hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,482 Commits 1,672 Branches 157 Tags
move-cors-query-from-experimental2
Commit Graph

13522 Commits

Author SHA1 Message Date
Max Schaefer
ff4555ac5b Get rid of negative sink types. 
Instead of positively implying the negative sink type, negative sink characteristics now negatively imply all sink types (but not source types). This is simpler and sice we will never have a huge number of sink types it doesn't impact performance either.

Changes to test results:

- The call to `createDirectories` at `Test.java:87` is now correctly classified as a source candidate, having previously been erroneously excluded by a negative _sink_ characteristic.
- The call to `compareTo` at `Test.java:48` is now erroneously classified as a source candidate; it should be suppressed by `IsSanitizerCharacteristic`, which is a negative sink characteristic, but should really be a negative source characteristic.
- In framework mode, several endpoints are now erroneously classified as source candidates even though they have neutral models, because `NeutralModelCharacteristic` is currently only a negative sink characteristic and not a negative source characteristic.
 2024-01-11 12:19:53 +00:00
Max Schaefer
bcf4f4febd Drop a conjunct which is now spurious. 2024-01-11 11:56:59 +00:00
Max Schaefer
03ca244df2 Associate endpoints with their potential endpoint types and check these when determining candidates. 
This prevents us from associating a sink candidate with a source type and vice versa.

However, this does not fix the problem of negative characteristics for sink types excluding source candidates.
 2024-01-11 11:44:14 +00:00
Max Schaefer
a6d996b478 Add an example of a missed source candidate. 
`Files.list` has a taint step from its first argument to its result, so that first argument should not be considered a sink candidate (and it is not). However, due to a bug in `IsMaDTaintStepCharacteristic` it is also not considered a source candidate, which is wrong: as the example shows, if that argument is a call we do very much want to consider it as a source candidate.
 2024-01-11 11:27:34 +00:00
Max Schaefer
8e429bd399 Rename isSinkCandidate (and a related predicate) to isCandidate. 
This reflects the fact that these predicates also deal with source candidates.
 2024-01-11 11:20:51 +00:00
Max Schaefer
dba2e06a1d Merge pull request #15283 from github/max-schaefer/release-automodel-query-pack 
Release automodel extraction queries v0.0.12.
 2024-01-11 10:28:55 +00:00
github-actions[bot]
7db46b6ab6 Add changed framework coverage reports 2024-01-11 00:16:44 +00:00
Owen Mansel-Chan
3767348dec Update test expectations 2024-01-10 22:25:08 +00:00
Owen Mansel-Chan
7824e60acd Manual neutral summaries should block generated summaries 2024-01-10 22:25:06 +00:00
Owen Mansel-Chan
370a32da8b Test summary models and neutral models, manual and generated 2024-01-10 22:25:02 +00:00
Owen Mansel-Chan
9e2e01ff89 Update Top JDK APIs test expectation 2024-01-10 17:07:33 +00:00
Ian Lynagh
5d3166cfef Kotlin: Tweak code formatting 2024-01-10 16:39:49 +00:00
Ian Lynagh
80163c5aac Kotlin 2: Just accept the remaining comment differences for now 2024-01-10 16:39:47 +00:00
Ian Lynagh
ce4253c17f Kotlin 2: Remove an expected diagnostic match 
It is only generated when using the PSI comment extractor.
 2024-01-10 16:39:04 +00:00
Ian Lynagh
20254fd71e Kotlin: Accept a location change 2024-01-10 16:39:04 +00:00
Ian Lynagh
b3f8167973 Kotlin: Don't warn if we can't find a label for a fake owner 
The fake owner probably just wasn't extracted
 2024-01-10 16:39:02 +00:00
Owen Mansel-Chan
33030417b4 Add change note 2024-01-10 15:48:28 +00:00
Ian Wright
3534bfca9c Merge pull request #15251 from github/z80coder/dry-run 
Support dry-run of publishing script
 2024-01-10 14:16:10 +00:00
Ian Lynagh
f111fba4b7 Merge pull request #15269 from igfoo/igfoo/ktfmt 
Kotlin: Reformat code
 2024-01-10 13:35:35 +00:00
Ian Wright
75545db97c restore files, whether overriding or not 2024-01-10 11:40:31 +00:00
Max Schaefer
8d56ee4a56 Release automodel extraction queries v0.0.12. 2024-01-10 11:29:36 +00:00
Ian Wright
f793ce1e49 remove temp testing comments 2024-01-10 11:07:06 +00:00
Ian Wright
ed8422a2da remove need for CODEQL_DIST path 2024-01-10 11:07:06 +00:00
Ian Wright
0d2ec2d632 install codeql extension 2024-01-10 11:07:06 +00:00
Ian Wright
62bdaf069b use gh tool to access codeql 2024-01-10 11:07:05 +00:00
Ian Wright
30e5be68c9 temp comment for testing 2024-01-10 11:07:05 +00:00
Ian Wright
9895114e05 temp comment for testing 2024-01-10 11:07:05 +00:00
Ian Wright
0f76fbad36 better processing of args 2024-01-10 11:07:05 +00:00
Ian Wright
749f8b9807 fix help message 2024-01-10 11:07:05 +00:00
Ian Wright
00f4991648 support dry-run 
fix

fix

temp

temp

better support for dry-run

fix

fix

fix

fix

reinstate exits
 2024-01-10 11:07:05 +00:00
Tom Hvitved
c9cf2a899c Merge pull request #15260 from hvitved/dataflow/may-benefit-from-cctx-simplify 
Data flow: Remove column from `mayBenefitFromCallContext`
 2024-01-10 11:43:15 +01:00
Max Schaefer
ac8e92eec5 Merge pull request #15264 from github/max-schaefer/automodel-exclude-generated-calls 
Automodel: Do not generate features for compiler-generated program elements.
 2024-01-10 10:22:00 +00:00
Tony Torralba
d6082f8446 Merge pull request #14926 from ebickle/fix/update-gson-model 
Java: Improve Gson parse, get, and stream models
 2024-01-10 09:11:01 +01:00
Max Schaefer
9b7cfd88cd Clarify relationship of isFromSource and Element::fromSource. 2024-01-09 16:21:36 +00:00
Ian Lynagh
bf611feab3 Kotlin: Reformat code 
Using:
    java -jar ktfmt-0.46-jar-with-dependencies.jar --kotlinlang-style java/kotlin-extractor/**/*.kt
 2024-01-09 15:33:41 +00:00
Max Schaefer
3e8775daaa Automodel: Do not generate features for compiler-generated program elements. 
These have dummy locations, which breaks certain invariants that break downstream processing.
 2024-01-09 13:39:46 +00:00
Ian Lynagh
0bc1463ab0 Merge pull request #14941 from igfoo/igfoo/dff 
Kotlin 2: Accept some location changes
 2024-01-09 12:20:37 +00:00
Ian Lynagh
95f336c05b Merge pull request #14393 from igfoo/igfoo/no1.4 
Kotlin: Remove 1.4 compatibility
 2024-01-09 12:20:15 +00:00
Tom Hvitved
f90201eb56 Data flow: Remove column from mayBenefitFromCallContext 2024-01-09 11:34:43 +01:00
github-actions[bot]
384cf90e8f Add changed framework coverage reports 2024-01-09 00:17:10 +00:00
Eric Bickle
f6fa7120d9 Merge branch 'main' into fix/update-gson-model 2024-01-08 15:46:14 -08:00
Eric Bickle
929ce65af1 Remove zero width space characters. 2024-01-08 13:15:38 -08:00
Edward Minnix III
e9467fe2d6 Merge pull request #14724 from egregius313/egregius313/java/environment-variable-injection 
Java: Environment variable injection query
 2024-01-08 13:06:31 -05:00
Ian Lynagh
d7cdad04dd Merge pull request #14895 from igfoo/igfoo/kt-snap 
Kotlin: Add a 2.0.255 snapshot
 2024-01-08 16:13:03 +00:00
Ed Minnix
55da62e9cf Remove stray comma 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2024-01-08 11:09:11 -05:00
Ed Minnix
b8466b45be Update change note date 2024-01-08 09:39:11 -05:00
Edward Minnix III
2440075402 Remove off-topic reference 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2024-01-08 09:39:10 -05:00
Edward Minnix III
3816271b3e Remove redundant CWE link 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2024-01-08 09:39:10 -05:00
Ed Minnix
2eff6b351c Add comment 2024-01-08 09:39:09 -05:00
Ed Minnix
16bb19e176 Add OWASP and CERT references 2024-01-08 09:39:08 -05:00