intrigus
5c82ff83de
Java: Fix qhelp, fix CWE reference
2021-02-10 13:57:51 +01:00
Anders Schack-Mulligen
3a6fa9d99b
Java: Add support for framework modelling through csv data.
2021-02-10 13:25:03 +01:00
Alvaro Muñoz
645b021845
Add support for the Preconditions Class in the Guava framework
2021-02-10 13:20:29 +01:00
Alvaro Muñoz
0cf3a29429
Add support for Apache Commons Lang ArrayUtils
2021-02-10 13:09:57 +01:00
Alvaro Muñoz
3b4357792b
Remove sanitizing condition which does not prevent
...
vulnerability.
2021-02-10 12:21:48 +01:00
Tom Hvitved
1f9b42f9ab
Data flow: Sync files
2021-02-09 20:10:23 +01:00
yo-h
e5331a4735
Java: accept changes in expected output
2021-02-09 09:17:35 -05:00
yo-h
e194411cfa
Java: fix javac errors in test code
2021-02-09 09:16:57 -05:00
luchua-bc
cb01613aa6
Exclude FP token patterns
2021-02-09 13:53:23 +00:00
haby0
97690b4eb7
Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.qhelp
...
Co-authored-by: Felicity Chapman <felicitymay@github.com >
2021-02-08 19:15:28 +08:00
intrigus
2e30f2d9ce
Java: Fix QHelp & accept test output
...
Accept test output for changed alert message.
2021-02-08 00:05:02 +01:00
Jonathan Leitschuh
f00b0baaea
Update java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
...
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com >
2021-02-05 16:31:37 -05:00
Jonathan Leitschuh
bfa9324266
CWE-1104: Maven POM dependence upon Bintray/JCenter
2021-02-05 13:05:51 -05:00
luchua-bc
a183b00166
Query to detect main method in servlets
2021-02-05 03:53:01 +00:00
Francis Alexander
683233333c
test case return statements and feedback
2021-02-04 22:28:10 +05:30
Anders Schack-Mulligen
35e620a19c
Merge pull request #4854 from luchua-bc/java/insecure-ldap-auth
...
Java: Insecure LDAP authentication
2021-02-04 14:56:38 +01:00
luchua-bc
724c3e00e0
Update help file
2021-02-03 16:45:15 +00:00
Anders Schack-Mulligen
40d02e7e32
Merge pull request #4926 from luchua-bc/java/insufficient-key-size
...
Java: Query to detect weak encryption: insufficient key size
2021-02-03 15:16:10 +01:00
Anders Schack-Mulligen
0df7e9fa4e
Merge pull request #4989 from lcartey/lcartey/spring-inheritence-improvements
...
Java: Track taint through Spring Java bean getters on super types
2021-02-03 15:06:03 +01:00
luchua-bc
2ace10fcdf
Use PostUpdateNode for wrapper method calls
2021-02-03 12:21:31 +00:00
luchua-bc
3151aeff48
Enhance the query
2021-02-02 18:26:29 +00:00
luchua-bc
5e3b6fa341
Update qldoc
2021-02-02 16:20:39 +00:00
luchua-bc
50be54385a
Update qldoc
2021-02-02 14:49:50 +00:00
Artem Smotrakov
59f48ecea3
Removed LocalUserInput in JexlInjectionLib.ql
2021-01-29 12:38:51 +01:00
Luke Cartey
76c9b6466e
Reformat TaintTrackingUtil.qll with more recent CodeQL CLI
2021-01-29 11:27:30 +00:00
luchua-bc
ff1ed3a012
Revamp the query to use three configurations to detect password hash without salt
2021-01-29 03:39:02 +00:00
Anders Schack-Mulligen
bbdd7c9b57
Merge pull request #4963 from joefarebrother/guava-collections
...
Java: Add flow steps for Guava collection utilities
2021-01-28 11:01:03 +01:00
luchua-bc
ab7d257569
Add more cases and change EC to 256 bits
2021-01-28 04:06:27 +00:00
luchua-bc
2ac7b4bab4
Update qldoc
2021-01-28 04:06:27 +00:00
luchua-bc
058f3af4b2
Refactor the hasShortSymmetricKey method
2021-01-28 04:06:27 +00:00
luchua-bc
cbaee937d0
Optimize the query
2021-01-28 04:06:27 +00:00
luchua-bc
cfc950f803
Query for weak encryption: Insufficient key size
2021-01-28 03:25:15 +00:00
luchua-bc
6a93099b64
Simplify the query and update qldoc
2021-01-28 03:02:53 +00:00
haby0
81c56b9bed
Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
...
Co-authored-by: Chris Smowton <smowton@github.com >
2021-01-27 19:47:12 +08:00
haby0
31deca016f
Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
...
Co-authored-by: Chris Smowton <smowton@github.com >
2021-01-27 19:46:45 +08:00
haby0
ca2e6587fe
Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.qhelp
...
Co-authored-by: Chris Smowton <smowton@github.com >
2021-01-27 19:46:15 +08:00
intrigus
d3e6e594b2
Java: Improve QLDoc
2021-01-27 11:57:32 +01:00
intrigus
bdba7e14fe
Java: Switch to data flow
2021-01-27 11:54:40 +01:00
haby0
b5ae417851
*)update CWE-652 qhelp references
2021-01-27 10:19:04 +08:00
haby0
b76854a384
*)add CWE-652 test case
2021-01-27 10:14:33 +08:00
Henning Makholm
54f00de3e0
Add "tests" fields to test qlpacks
...
This will allow `codeql resolve tests --ignore-dubious-cases`
(and thus the VSCode extension) to recognize all `.ql` files in those
packs as test cases, even if they don't have accompanying `.expected`
files.
CLI versions prior to 2.1.0 will choke on this, but it's almost 10
months since that came out.
2021-01-26 18:15:22 +01:00
Francis Alexander
19872e9aed
More Feedback integration
2021-01-26 17:24:17 +05:30
luchua-bc
fee0b94cd4
Use isRequestGetParamMethod as the source
2021-01-26 04:41:44 +00:00
Francis Alexander
985d3d469a
PR feedback integration
2021-01-25 23:26:36 +05:30
Joe Farebrother
d69ecde5c1
Java: Add additional flow steps for guava collection methods and more unit tests
2021-01-25 16:37:40 +00:00
Joe Farebrother
7e11d8ed07
Java: Add modelling for guava Sets
2021-01-25 16:37:40 +00:00
Joe Farebrother
d1427fcd93
Java: Add modelling for Guava's collection classes
2021-01-25 16:37:40 +00:00
Artem Smotrakov
8d701e604a
Simplified JexlInjectionLib.qll
...
- Merged multiple method definitions to DirectJexlEvaluationMethod
- Don't use TaintPropagatingJexlMethodCall field in JexlInjectionConfig
- Better variable names in JexlEvaluationSink
2021-01-25 14:17:51 +01:00
Chris Smowton
d34233b44f
Rewrite XQuery injection to use an additional taint step instead of multiple configurations.
...
Also remove a needless barrier -- the method in question doesn't conduct taint by default, so excluding particular instances of that call is not necessary.
2021-01-25 11:18:45 +00:00
haby0
16308fe557
Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll
...
Co-authored-by: Chris Smowton <smowton@github.com >
2021-01-25 19:16:18 +08:00
