Owen Mansel-Chan
0dc95deca4
Test changes to investigate
2026-06-12 22:21:05 +01:00
Owen Mansel-Chan
0e902d0fe3
Fix captured variable liveness
...
- Extend synthetic uncertain reads to function exits of any function
  that writes a captured variable, not just the declaring function.
  This ensures writes to captured variables inside closures remain
  live (matching the old `v.isCaptured()` liveness shortcut).
- Uncomment toString overrides for SsaExplicitDefinition, SsaVariableCapture,
  SsaPhiNode, and SsaVariable to restore original output formats.
- Revert test expected files to pre-test-changes state matching the
  correct toString formats and capture variable results.
Agent-Logs-Url: https://github.com/github/codeql/sessions/6dbf9d42-b2e2-42a2-984b-8ea31df4e633
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-06-12 22:21:03 +01:00
copilot-swe-agent[bot]
6ccbf16f3c
Make Go use the shared SSA library (codeql.ssa.Ssa)
...
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/codeql/sessions/b400ebd5-4095-401e-8811-fb550600b3c4
2026-06-12 22:21:02 +01:00
Owen Mansel-Chan
7a5219f06e
Improve SSA tests for variables in closures
2026-06-12 22:21:00 +01:00
copilot-swe-agent[bot]
7a991e17b8
Initial plan
2026-06-12 22:20:58 +01:00
Owen Mansel-Chan
0b493c30cc
Preemptively change toString() for SSA classes
2026-06-12 22:20:51 +01:00
Owen Mansel-Chan
daefaff969
Merge pull request #21975 from github/dependabot/go_modules/go/extractor/extractor-dependencies-563a210b6d
...
Bump golang.org/x/tools from 0.45.0 to 0.46.0 in /go/extractor in the extractor-dependencies group
2026-06-12 22:04:57 +01:00
Owen Mansel-Chan
b9670ef831
Merge pull request #21966 from owen-mc/java/convert-to-inline-expectation-tests
...
Java: convert all qlref tests to inline expectation tests using postprocessing
2026-06-12 21:48:49 +01:00
Anders Schack-Mulligen
912dc9c0bd
Merge pull request #21955 from aschackmull/cfg/try-body-index
...
Cfg: Fold getTryInit into indexed getBody.
2026-06-12 11:36:25 +02:00
Owen Mansel-Chan
de7afcaec3
Merge pull request #21976 from JarLob/patch-1
...
Update regex for GitHub hosted runner matching
2026-06-12 09:09:40 +01:00
Anders Schack-Mulligen
f3ec7087e3
Cfg: Fix type.
2026-06-12 10:02:48 +02:00
Jaroslav Lobačevski
bea5522473
rename change note
2026-06-12 07:52:34 +00:00
Jaroslav Lobačevski
eedef515f7
Updated regex. Added test and change note.
2026-06-12 07:50:02 +00:00
Jaroslav Lobačevski
9078b511c6
Update regex for GitHub hosted runner matching
...
Fixes false positives (of critical severity). New label naming conventions were introduced since the query was initially written.
2026-06-12 09:37:18 +03:00
dependabot[bot]
1ac079d066
Bump golang.org/x/tools
...
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/tools](https://github.com/golang/tools).
Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.45.0...v0.46.0)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-12 03:03:31 +00:00
Owen Mansel-Chan
29b0c286a7
Fix 3 more tests
2026-06-11 23:40:14 +02:00
Asger F
ad18659373
Merge pull request #21796 from mattcosta7/patch-1
...
Add UseMemoDirective and UseNoMemoDirective classes
2026-06-11 23:01:29 +02:00
Owen Mansel-Chan
a4bf2b8f58
Fix 3 tests
2026-06-11 22:59:39 +02:00
Owen Mansel-Chan
a375e186ed
Third pass
2026-06-11 21:53:22 +02:00
Matthew Costabile
923fe2dcb9
Merge branch 'main' into patch-1
2026-06-11 15:19:58 -04:00
Jeroen Ketema
642259cd51
Merge pull request #21968 from jketema/jketema/namequalifiers
...
C++: Fix `NameQualifyingElement` db inconsistency
2026-06-11 15:11:51 +02:00
Owen Mansel-Chan
0d984588f9
Merge pull request #21965 from owen-mc/go/convert-to-inline-expectation-tests
...
Go: convert all qlref tests to inline expectation tests using postprocessing
2026-06-11 13:27:06 +01:00
Owen Mansel-Chan
b4a9689341
Convert .qlref test to inline expectations
2026-06-11 07:15:54 +02:00
Owen Mansel-Chan
6a8e20a0c8
Fix pre-existing whitespace issues in go test files
2026-06-11 07:15:09 +02:00
Owen Mansel-Chan
4c411bbcb5
Convert hand-rolled inline expectations test
2026-06-11 07:13:48 +02:00
Asger F
b60bf8c79f
Merge pull request #21950 from tonghuaroot/experimental-ssrf-ipv6-transition-js
...
Add experimental query: SSRF host guard missing IPv6-transition unwrap (CWE-918/CWE-1389)
2026-06-10 21:42:54 +02:00
Jeroen Ketema
ef00aa2567
C++: Add upgrade and downgrade scripts
2026-06-10 14:38:15 +02:00
Jeroen Ketema
6d0968744b
C++: Fix NameQualifyingElement db inconsistency
2026-06-10 14:35:36 +02:00
Jeroen Ketema
98f147556a
C++: Add namequalifier test with inconsistency
...
While where the remove the file restriction in QL.
2026-06-10 14:27:56 +02:00
Owen Mansel-Chan
3693185b6b
Second pass
2026-06-10 09:14:47 +02:00
Owen Mansel-Chan
1c1d26453d
First pass converting qlref tests to inline expectation with postprocess
2026-06-10 07:46:42 +02:00
tonghuaroot (童话)
4c1a0058bf
Add SsrfIpv6TransitionIncompleteGuard.ql to not_included_in_qls.expected
...
Fix the JS integration test failure flagged in review by listing the new
experimental CWE-918 query in the expected not-included-in-qls suite, in
sorted order.
2026-06-10 08:42:42 +08:00
Tom Hvitved
f5919875b7
Merge pull request #21941 from hvitved/python/content-approx
...
Python: Implement `ContentApprox`
2026-06-09 15:46:04 +02:00
Owen Mansel-Chan
8d456df26f
Merge pull request #21960 from github/dependabot/go_modules/go/extractor/extractor-dependencies-28a04969f3
...
Bump golang.org/x/mod from 0.36.0 to 0.37.0 in /go/extractor in the extractor-dependencies group
2026-06-09 05:30:45 +01:00
dependabot[bot]
72fcf27d1a
Bump golang.org/x/mod
...
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/mod](https://github.com/golang/mod).
Updates `golang.org/x/mod` from 0.36.0 to 0.37.0
- [Commits](https://github.com/golang/mod/compare/v0.36.0...v0.37.0)
---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-09 03:03:37 +00:00
yoff
0cea01c22f
Merge pull request #21926 from github/yoff/python-simplify-decorator-predicates
...
Python: simplify decorator-detection predicates to pure AST match
2026-06-08 22:04:33 +02:00
Anders Schack-Mulligen
a473565256
Merge pull request #21954 from aschackmull/cfg/consistency-child-idx
...
Cfg: Add consistency check for relevant child indices.
2026-06-08 14:44:20 +02:00
Anders Schack-Mulligen
01173bf383
Cfg: Fold getTryInit into indexed getBody.
2026-06-08 14:03:12 +02:00
Anders Schack-Mulligen
c47135a40b
Cfg: Add consistency check for relevant child indices.
2026-06-08 13:40:33 +02:00
Owen Mansel-Chan
3cbc8f0262
Merge pull request #21951 from github/workflow/go-version-update
...
Go: Update to 1.26.4
2026-06-08 11:47:47 +01:00
Tom Hvitved
cc1ea25856
Python: Implement ContentApprox
2026-06-08 08:41:28 +02:00
github-actions[bot]
5a38cbd5d5
Go: Update to 1.26.4
2026-06-08 04:30:10 +00:00
tonghuaroot
e93bc11f6f
Add experimental JS query for SSRF guards missing IPv6-transition unwrap
...
Add javascript/ssrf-ipv6-transition-incomplete-guard, an experimental
@kind problem query that flags hand-rolled SSRF host guards which reject
private/loopback IPv4 ranges but never unwrap IPv6-transition forms
(IPv4-mapped ::ffff:, NAT64 64:ff9b::, 6to4 2002::). Such guards can be
bypassed by wrapping an internal IPv4 address in a transition literal.
Includes a .qhelp with good/bad examples, a change note, and a test pack
with two true-positive fixtures (private-ip package guard and a
hand-written RFC 1918 denylist) and two negative-control fixtures
(ipaddr.js range classifier and an explicit ::ffff: unwrap).
Signed-off-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>
2026-06-06 21:47:24 +08:00
Owen Mansel-Chan
cf6d94cf8a
Merge pull request #21324 from github/copilot/automate-go-version-updates-again
...
Automate Go version updates via scheduled workflow
2026-06-06 03:03:03 +01:00
Owen Mansel-Chan
292fc8b777
Fix detection of failed text replacement
...
I checked and the comment seems to be correct.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-06 02:52:21 +01:00
Owen Mansel-Chan
a1759d9834
Use --force-with-lease for slightly improved safety
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-06 02:51:36 +01:00
Owen Mansel-Chan
6b74874372
Minor improvement to PR text
2026-06-06 02:32:43 +01:00
copilot-swe-agent[bot]
ef29d22c75
Update Go version workflow to include patch numbers in messages
2026-06-06 01:03:44 +00:00
Owen Mansel-Chan
1f91f915c7
Merge pull request #21888 from owen-mc/py/remove-imprecise-container-steps
...
Python: Remove imprecise container steps #2
2026-06-04 22:16:24 +01:00
Jon Janego
ba8eebe2b5
Merge pull request #21948 from github/codeql-spark-run-26974832191
...
Update changelog documentation site for codeql-cli-2.25.6
2026-06-04 14:55:17 -05:00