hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 19:29:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,080 Commits 1,758 Branches 167 Tags
083909ee3bba9063db1120f63f6cf0acfc63ec7f
Commit Graph

4451 Commits

Author SHA1 Message Date
copilot-swe-agent[bot]
25d232b815 Model additional Hibernate query sinks 
Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-04-23 13:41:03 +00:00
copilot-swe-agent[bot]
081ad03b4b Add Hibernate SQL injection sink tests 
Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-04-23 10:04:52 +00:00
Owen Mansel-Chan
c91b5b3c2e Merge pull request #21650 from MarkLee131/fix/sensitive-log-fp-regex 
Java: reduce false positives in sensitive-log
 2026-04-21 13:48:32 +01:00
Owen Mansel-Chan
9f310c20f3 Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal 
Java: fix bug in partial path traversal
 2026-04-20 11:52:55 +01:00
Owen Mansel-Chan
6d4a3974ce Fix bug so += File.separator is recognized 2026-04-19 07:18:42 +01:00
Owen Mansel-Chan
6099c5d034 Add SPURIOUS test for += File.separator 2026-04-19 07:18:00 +01:00
Owen Mansel-Chan
63d20a54d4 Use inline expectations with second test 
Co-authored-by: Copilot <copilot@github.com>
 2026-04-19 07:17:05 +01:00
Owen Mansel-Chan
dca7046d8c Make inline expectation comments specify query 2026-04-18 10:35:15 +01:00
Salah Baddou
f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory 
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
 2026-04-17 18:46:51 +04:00
idrissrio
5a6eb79470 Java: Pin CWE-676 test to --release 25 
Thread.stop() was removed in JDK 26. Pin the test to --release 25.
 2026-04-07 09:28:22 +02:00
idrissrio
74b0e8c19a Java: Accept new test results after JDK 26 extractor upgrade 2026-04-07 09:28:20 +02:00
MarkLee131
46ef0204ef Remove secretQuestion from FP exclusion list 
secretQuestion is ambiguous: it could be the question text (not
sensitive) or a security question answer. Worse, the regex
secrets?(question) also matches secretQuestionAnswer, which is
clearly sensitive. Drop it to avoid false negatives.
 2026-04-04 21:58:32 +08:00
MarkLee131
20cfe29199 Java: reduce false positives in sensitive-log by expanding FP exclusion regex 
The getCommonSensitiveInfoFPRegex() only excluded "null", "tokenizer", and
"tokenImage", causing widespread false positives for common non-sensitive
variable names containing "token" or "secret".

This adds exclusions for three categories:
- Pagination/iteration tokens: nextToken (AWS SDK), pageToken (GCP),
  continuationToken (Azure), etc.
- Token metadata: tokenType (OAuth), tokenEndpoint (OIDC), tokenCount,
  tokenIndex, tokenLength, tokenUrl, etc.
- Secret metadata: secretName (K8s/AWS), secretId (Azure),
  secretVersion, secretArn, secretPath, etc.

All truly sensitive variable names (accessToken, clientSecret, secretKey,
refreshToken, etc.) remain correctly flagged.
 2026-04-04 21:33:35 +08:00
MarkLee131
e6adfbca77 Address review: update QLDoc comment and fix expected test output 
- Clarify that arithmeticUsedInBoundsCheck applies to if-condition
  comparisons, not all comparisons
- Update expected test line numbers to reflect added test calls
 2026-03-29 11:53:06 +08:00
Kaixuan Li
938039d82c Merge branch 'main' into fix/tainted-arithmetic-bounds-check-barrier 2026-03-29 10:25:39 +08:00
Kaixuan Li
f5cfc5e282 Update java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-03-29 10:25:10 +08:00
MarkLee131
0c5e89a68e Exclude bounds-check arithmetic from tainted-arithmetic sinks 
The java/tainted-arithmetic query now recognizes when an arithmetic
expression appears directly as an operand of a comparison (e.g.,
`if (off + len > array.length)`). Such expressions are bounds checks,
not vulnerable computations, and are excluded via the existing
overflowIrrelevant predicate.

Add test cases for bounds-checking patterns that should not be flagged.
 2026-03-28 17:39:40 +08:00
MarkLee131
da4a2238bc Address PR review: add Signature.getInstance sink, HMAC/PBKDF2 whitelist, fix test APIs 
- Model Signature.getInstance() as CryptoAlgoSpec sink (previously only
  Signature constructor was modeled)
- Add HMAC-based algorithms (HMACSHA1/256/384/512, HmacSHA1/256/384/512)
  and PBKDF2 to the secure algorithm whitelist
- Fix XDH/X25519/X448 tests to use KeyAgreement.getInstance() instead of
  KeyPairGenerator.getInstance() to match their key agreement semantics
- Add test cases for SHA384withECDSA, HMACSHA*, and PBKDF2WithHmacSHA1
  from user-reported false positives
- Update change note to document all additions
 2026-03-28 16:53:46 +08:00
MarkLee131
a9449cc991 Add EC to secure algorithm whitelist for Java CWE-327 query 2026-03-28 16:48:58 +08:00
Owen Mansel-Chan
e96ba4806b Merge pull request #21415 from owen-mc/java/validate-constructor-summary-models 
Java: validate constructor summary models
 2026-03-06 09:09:18 +00:00
Owen Mansel-Chan
92a719092a Update models in test output 2026-03-05 13:32:52 +00:00
Anders Schack-Mulligen
8ef4be49aa Merge pull request #21412 from aschackmull/java/binary-assignment 
Java: Make Assignment extend BinaryExpr.
 2026-03-05 13:19:45 +01:00
Owen Mansel-Chan
579c871b69 Fix incorrect constructor summary models 2026-03-05 12:03:21 +00:00
Owen Mansel-Chan
63c71b418c Add model validation for constructor summary models 2026-03-05 12:02:37 +00:00
Anders Schack-Mulligen
ec1d034ee0 Java: Make Assignment extend BinaryExpr. 2026-03-05 11:31:59 +01:00
Owen Mansel-Chan
2b3111441d Add space before $ in xml test file 2026-03-04 15:03:24 +00:00
Owen Mansel-Chan
aa28c94562 Remove double space after $ in inline expectations tests 2026-03-04 14:12:42 +00:00
Owen Mansel-Chan
f41c30e335 java: Inline expectation should have space before $ 2026-03-04 13:11:33 +00:00
Anders Schack-Mulligen
3c129fcd23 Java: Align BinaryExpr.getOp() with AssignOp.getOp(). 2026-03-04 13:46:04 +01:00
Owen Mansel-Chan
05a77a2005 Java: Update test expectations 2026-03-04 12:44:56 +00:00
Owen Mansel-Chan
ef345a3279 Java: Inline expectation should have space after $ 
This was a regex-find-replace from `// \$(?! )` (using a negative lookahead) to `// $ `.
 2026-03-04 12:44:54 +00:00
Anders Schack-Mulligen
daefd5988e Java: Accept CFG diff. 2026-03-03 14:18:10 +01:00
Anders Schack-Mulligen
2b8e719034 Java: Add nullness test covering known FP. 2026-02-23 15:10:03 +01:00
Anders Schack-Mulligen
d4873dd35e Java: Adjust switch case guards test. 2026-02-23 15:10:01 +01:00
Anders Schack-Mulligen
352b3711f6 Java: Remove obsolete tests - false successors are no longer special. 2026-02-23 15:10:00 +01:00
Anders Schack-Mulligen
eb37c413f2 Java: Accept revised CFG. 2026-02-23 15:10:00 +01:00
Anders Schack-Mulligen
d84e0e262d Java: Accept removal of spurious reason (the alert stays). 2026-02-23 15:09:59 +01:00
Anders Schack-Mulligen
8b0dd7b866 Java: Accept new TP in NullMaybe. 2026-02-23 15:09:58 +01:00
Anders Schack-Mulligen
a72cf56a05 Java: Accept dispatch precision improvement. 2026-02-23 15:09:57 +01:00
Anders Schack-Mulligen
4d9c0e0c26 Java: Accept new locations for SSA definitions. 2026-02-23 15:09:57 +01:00
Anders Schack-Mulligen
a6ee1df567 Java: Remove test. Flexible constructors need AST-based tests, which are already in place, not CFG tests. 2026-02-23 15:09:56 +01:00
Anders Schack-Mulligen
581679d27d Java: Fix reference to entry node. 2026-02-23 15:09:56 +01:00
Anders Schack-Mulligen
a844d60174 Java: Accept new CFG nodes. 2026-02-23 15:09:54 +01:00
Anders Schack-Mulligen
6ac8c4f544 Java: Accept test changes due to pruned CFG, after-nodes, and reduced exception precision. 2026-02-23 15:09:54 +01:00
Anders Schack-Mulligen
e0eb653dcc Java: Accept guards test changes for revised switch CFG. 2026-02-23 15:09:53 +01:00
Anders Schack-Mulligen
fb2799bd47 Java: Adjust idominance tests. 2026-02-23 15:09:53 +01:00
Anders Schack-Mulligen
12b9999289 Java: Adjust BasicBlock-based qltests. 2026-02-23 15:09:52 +01:00
Anders Schack-Mulligen
48e3724299 Java/Cfg: Introduce new shared CFG library and replace the Java CFG. 2026-02-23 15:09:50 +01:00
Anders Schack-Mulligen
0c9931ff8a Java: Replace idominance tests. 2026-02-23 15:09:50 +01:00
Owen Mansel-Chan
cf73d96c9d Update test results (remove SPURIOUS annotations) 2026-02-16 12:03:02 +00:00