hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-24 16:17:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,520 Commits 1,758 Branches 168 Tags
0f3c9ab483ac58f437a7329544d8a06d9ca346ba
Commit Graph

14443 Commits

Author SHA1 Message Date
copilot-swe-agent[bot]
0f3c9ab483 Fix remaining macOS bash 3.2 portability issues in update script (step 5) 2026-05-21 12:07:45 +00:00
copilot-swe-agent[bot]
8170c207bd Fix macOS bash 3.2 heredoc-in-$() portability issue in update script 2026-05-21 09:57:10 +00:00
copilot-swe-agent[bot]
38a2101e11 update-ferstl-depgraph-dependencies.sh: address review feedback 
- Use BUILD_REPO/DIST_REPO split so zip contains only runtime deps
  (build-lifecycle plugins, test jars, etc. stay in throwaway BUILD_REPO)
- Minimal inline stub pom.xml (no deps) instead of archetype:generate
  to avoid polluting DIST_REPO with stub project's own dependencies
- Replace grep -oP (PCRE, unavailable on macOS BSD grep) with Python re
- Use version-aware Python version_key() for max POM version selection
  (lexicographic sort fails for e.g. 2.18.10 vs 2.18.6; release > snapshot)
- Write zip to caller's working directory; keep cleanup trap active;
  remove `trap - EXIT` which was leaving WORK_DIR behind
 2026-05-21 09:41:57 +00:00
Óscar San José
b9bf81e463 Merge branch 'main' into copilot/bump-jackson-core-to-2150 2026-05-20 13:09:04 +02:00
Jack Nørskov Jørgensen
aa136a3282 Add change note entry 2026-05-19 16:09:05 +02:00
Óscar San José
8b799f84ed Do not remove zip file if the process succeeds 2026-05-19 14:30:50 +02:00
copilot-swe-agent[bot]
b1615312b8 Bump jackson-core to 2.18.6 in ferstl-depgraph-dependencies (CVE-2025-52999) 
- Update 3 maven-fetches.expected files: jackson 2.14.1→2.18.6,
  jackson-parent 2.14→2.18.4, oss-parent 48→69,
  plugin version 4.0.3-CodeQL→4.0.3-CodeQL-2
- Update 2 diagnostics.expected files: plugin version reference
  4.0.3-CodeQL→4.0.3-CodeQL-2
- Add update-ferstl-depgraph-dependencies.sh auto-update script
 2026-05-19 11:52:46 +00:00
Jack Nørskov Jørgensen
3119ef6c1a Add MaDs for Apache Avro 2026-05-19 09:27:32 +02:00
github-actions[bot]
b0e23a73d2 Add changed framework coverage reports 2026-05-13 00:50:12 +00:00
Owen Mansel-Chan
0b808e1170 Merge pull request #21807 from owen-mc/java/improve-qhelp-unsafe-deserialization 
Shared: improve qhelp for unsafe deserialization queries
 2026-05-12 22:22:49 +01:00
Owen Mansel-Chan
ec8ff6ff68 Use all path injection sinks when generating docs 2026-05-11 09:56:02 +01:00
Owen Mansel-Chan
a5ef036465 Note that common standard library types can be vulnerable to gadget-chain attacks 2026-05-08 14:18:54 +01:00
Owen Mansel-Chan
36554d160c Merge pull request #21741 from MarkLee131/fix/path-injection-read-subkind 
Fix/path injection read subkind
 2026-05-08 12:38:16 +01:00
Anders Schack-Mulligen
81e1ab7aab Merge pull request #21808 from aschackmull/cfg/switch-pattern-eval 
Cfg: Rework CFG for switch case patterns.
 2026-05-08 12:48:44 +02:00
MarkLee131
26af52897d Merge branch 'main' into fix/path-injection-read-subkind 2026-05-07 23:48:42 +08:00
Owen Mansel-Chan
f9240e7058 Fix QL formatting 2026-05-07 15:57:33 +01:00
Anders Schack-Mulligen
6b6df374fa C#/Java: Accept test changes. 2026-05-07 15:07:31 +02:00
Anders Schack-Mulligen
072166ba88 C#/Java: Adjust Guards instantiations. 2026-05-07 13:46:52 +02:00
Anders Schack-Mulligen
48785a0a76 Cfg: Rework CFG for switch case patterns. 2026-05-07 13:07:07 +02:00
Owen Mansel-Chan
33035dbfc8 Fix yaml formatting 2026-05-07 11:06:43 +01:00
Owen Mansel-Chan
f2ea3b98d8 Do not make such a strong security claim 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
 2026-05-07 10:58:35 +01:00
Owen Mansel-Chan
427b73ec9d Clarify that deserialization that follows a schema is safe 2026-05-07 10:51:20 +01:00
Owen Mansel-Chan
7aa3fd859a Remove double spaces from qhelp 2026-05-07 10:42:50 +01:00
github-actions[bot]
7610277199 Post-release preparation for codeql-cli-2.25.4 2026-05-05 10:10:06 +00:00
github-actions[bot]
88e1d86c27 Release preparation for version 2.25.4 2026-05-05 09:34:30 +00:00
MarkLee131
467394123c Merge branch 'main' into fix/path-injection-read-subkind 2026-05-04 18:56:12 +08:00
Anders Schack-Mulligen
f663eccf66 Merge pull request #21781 from aschackmull/java/rm-deprecated 
Java: Delete old deprecated code.
 2026-05-04 11:35:09 +02:00
Anders Schack-Mulligen
c7904b12c8 Java: Fix reference in deprecated code. 2026-05-04 10:52:27 +02:00
Anders Schack-Mulligen
17fded4aa5 Java: Delete old deprecated code. 2026-05-04 10:52:27 +02:00
MarkLee131
49e5886a06 Update java/ql/lib/ext/org.apache.commons.io.model.yml 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-05-04 12:56:11 +08:00
MarkLee131
c10a05f26a Update java/ql/lib/ext/org.apache.commons.io.model.yml 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-05-03 14:14:48 +08:00
MarkLee131
8710e63011 Update java/ql/lib/ext/javax.servlet.model.yml 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-05-03 14:14:15 +08:00
MarkLee131
dbc9d0de4a Update java/ql/lib/ext/org.apache.commons.io.model.yml 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-05-03 14:14:07 +08:00
MarkLee131
9194cdad9c Update java/ql/lib/ext/java.nio.file.model.yml 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-05-03 14:08:31 +08:00
MarkLee131
7050241a54 Update java/ql/lib/ext/java.nio.file.model.yml 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-05-03 14:08:21 +08:00
MarkLee131
62a0a3e384 Update java/ql/lib/ext/java.nio.file.model.yml 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-05-03 14:08:12 +08:00
MarkLee131
3ad2d8ca3d Update java/ql/lib/ext/java.nio.file.model.yml 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-05-03 14:04:35 +08:00
MarkLee131
bafa892116 Merge branch 'main' into fix/path-injection-read-subkind 2026-05-01 16:06:35 +08:00
MarkLee131
119994b59f Java: move File inspection methods to path-injection[read] 
Per review feedback on #21741: File.canRead/canWrite/canExecute,
exists/isDirectory/isFile/isHidden only inspect a path, so move them
under the path-injection[read] sub-kind. Update TaintedPath.expected
and the experimental CWE-073 expected to match.
 2026-05-01 16:04:29 +08:00
Owen Mansel-Chan
87c35e6401 Merge pull request #21654 from MarkLee131/fix/sensitive-log-hash-sanitizer 
Java: treat hash/encrypt/digest methods as sensitive-log sanitizers
 2026-04-30 13:21:03 +01:00
MarkLee131
936f0c650c Address review comments on path-injection[read] sub-kind 
- shared/mad/codeql/mad/ModelValidation.qll: shorten the comment
  for `path-injection[%]` to `// Java-only currently`, matching the
  style of other language-scoped entries and dropping API examples
  and the java/zipslip reference.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: replace
  the `File.exists` example in the QLDoc with `FileReader`, since
  `File.exists` is still labelled plain `path-injection`, not
  `path-injection[read]`.
 2026-04-30 19:06:04 +08:00
MarkLee131
90741b15e2 Merge branch 'main' into fix/path-injection-read-subkind 2026-04-30 18:37:12 +08:00
Tom Hvitved
a473fdb709 Merge pull request #21759 from hvitved/csharp/cfg-params 
C#: Include parameters and their defaults in the CFG
 2026-04-30 11:31:06 +02:00
MarkLee131
28a6ff208c Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer 
# Conflicts:
#	java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
#	java/ql/test/query-tests/security/CWE-532/Test.java
 2026-04-29 20:59:59 +08:00
MarkLee131
51e2a5418b Java: move EncryptedSensitiveMethodCall into Sanitizers.qll 
Address review feedback by moving the shared method-name-based encryption/hash/digest
check into Sanitizers.qll, and reference it from both CleartextStorageQuery.qll and
SensitiveLoggingQuery.qll instead of duplicating the definition.
 2026-04-29 20:56:36 +08:00
MarkLee131
75162bb9eb Update java/ql/test/query-tests/security/CWE-532/Test.java 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-04-29 20:53:58 +08:00
MarkLee131
49d014cbac Merge branch 'main' into fix/trust-boundary-regexp-barrier 2026-04-29 20:48:22 +08:00
MarkLee131
d27ee86242 Java: refactor trust-boundary sanitizers into TrustBoundaryValidationSanitizer subclasses 
Address review feedback by introducing dedicated subclasses of
TrustBoundaryValidationSanitizer for SimpleTypeSanitizer, RegexpCheckBarrier,
and the HttpServletSession type check, so isBarrier only references the
abstract class.
 2026-04-29 20:46:11 +08:00
Jack Nørskov Jørgensen
0192ffab07 Merge pull request #21751 from github/jacknojo/move_java_generated_mads 
Move generated MaDs into modelgenerator/
 2026-04-29 14:33:58 +02:00
Tom Hvitved
99b5cecb18 Java: Adapt to changes in shared CFG library 2026-04-29 14:03:06 +02:00