Commit Graph

993 Commits

Author SHA1 Message Date
Max Schaefer
2134757ebf Merge pull request #261 from smowton/smowton/admin/cleanup-cwe-322
Polish CWE-322: detect and exclude cases where host-checking is optional
2020-07-30 10:38:57 +01:00
Chris Smowton
d7c0671ea1 Add test using SSH host-key checker factory knownhosts.New
This produces a secure host-key checker; we assume by default that an opaque function not otherwise specified returns an acceptable checker, but we need to particularly cope with its multiple return values to handle this factory function.
2020-07-29 16:30:51 +01:00
Chris Smowton
d0e86f787d SSH host checking: Expand definition of a host-key checking function to include calls with multiple return types
For example, https://godoc.org/golang.org/x/crypto/ssh/knownhosts#New returns a host-key checker and an error value, and we previously didn't consider the first return value a candidate checker function.
2020-07-29 16:06:38 +01:00
Chris Smowton
f162a5be94 Promote CWE-322 out of experimental status 2020-07-29 14:43:47 +01:00
Chris Smowton
99f08750f3 Polish CWE-322: detect and exclude cases where host-checking is optional 2020-07-29 14:43:47 +01:00
Max Schaefer
2831ffdad0 Merge pull request #270 from smowton/smowton/cleanup/ricterz-libraries
Add support for Gorm, Gorestful, Sqlx and Json-iterator
2020-07-29 14:21:41 +01:00
Max Schaefer
f8b8af5ac5 Merge pull request #269 from aibaars/lgtm-suites
CodeQL: complete LGTM suites
2020-07-29 07:19:41 +01:00
Arthur Baars
0db8ba881b CodeQL: complete LGTM suites 2020-07-28 20:36:53 +02:00
Chris Smowton
026dc5c97f Add changelog notes regarding added library support 2020-07-28 14:57:14 +01:00
Chris Smowton
0e6feb923c Add test for json-iterator package, and support more of its API
Specifically, the top-level functions Unmarshal and UnmarshalFromString are just convenience wrappers around the type API, which is the usual documented way to use the library.
2020-07-28 14:52:10 +01:00
Chris Smowton
e19f476341 Add test for Sqlx 2020-07-28 14:52:10 +01:00
Chris Smowton
f5caf7e9e2 Add test for Gorm 2020-07-28 14:52:10 +01:00
Chris Smowton
a813607a76 go-restful model: Add support for ReadEntity method 2020-07-28 14:52:10 +01:00
Chris Smowton
3c4a1b90fe Add test for Go-restful 2020-07-28 14:52:10 +01:00
Chris Smowton
b96546b0f8 Improve style of library models 2020-07-28 14:40:48 +01:00
Max Schaefer
e9ae697d0d Merge pull request #251 from gagliardetto/standard-lib-pt-1
Add taint-tracking for archive/tar and archive/zip
2020-07-28 14:27:02 +01:00
Chris Smowton
75d69efb15 Merge pull request #267 from smowton/smowton/feature/print-ast-label-package-node
PrintAst: Label File nodes' package-name children, and ensure that child comes before all declarations
2020-07-24 13:30:12 +01:00
Chris Smowton
b4e15fb17a Merge pull request #268 from smowton/smowton/admin/downgrade-checkout-action
Downgrade to checkout@v1 to work around https://github.com/actions/checkout/issues/237
2020-07-24 13:28:06 +01:00
Chris Smowton
8aaa7c8925 Downgrade to checkout@v1 to work around https://github.com/actions/checkout/issues/237 2020-07-24 11:24:51 +01:00
Chris Smowton
454993fe64 PrintAst: Label File nodes' package-name children, and ensure that child comes before all declarations 2020-07-24 11:08:57 +01:00
Ricter Z
bb2d5ea6b5 add some sinks in commonly-used SQL libraries 2020-07-23 16:19:42 +01:00
Chris Smowton
b9e61115f3 Merge pull request #266 from sauyon/query-tags
Add correctness tag to MistypedExponentiation
2020-07-22 15:27:46 +01:00
Chris Smowton
6c4a1d0a34 Merge pull request #264 from smowton/smowton/feature/printast-restrict-files
PrintAst: improve support for restricting subsets of the AST to print
2020-07-22 15:20:14 +01:00
Chris Smowton
f8d141f7ff PrintAst: Sort root File nodes by relative path.
This should make graphtext output deterministic, rather than depending on the order the results interpretation step happens to see the nodes.
2020-07-22 13:43:34 +01:00
Sauyon Lee
c9df4d81b4 Add correctness tag to MistypedExponentiation 2020-07-22 04:26:56 -07:00
Chris Smowton
c30d198f3d Switch to using top-level function declarations to filter PrintAst
This means it's no longer possible to ask for the AST of a function literal, but this is hopefully a niche use-case that we can add if and when there is demand.
2020-07-22 10:40:41 +01:00
Owen Mansel-Chan
3018874f69 Merge pull request #259 from gagliardetto/oauth2-fixed-state
CWE-352: Use of constant `state` in OAuth2 flow
2020-07-21 17:11:46 +01:00
Chris Smowton
09990f9764 Configure plugin AST printer to ignore comments and only print one file 2020-07-21 17:01:07 +01:00
Chris Smowton
b8c4004c59 PrintAst: support excluding comments 2020-07-21 17:01:07 +01:00
Chris Smowton
e0aa59ced1 PrintAst: improve support for restricting subsets of the AST to print
* Exclude function definitions, not just their children, when excluded by configuration
* Allow excluding files
* Test both features
2020-07-21 17:00:28 +01:00
Chris Smowton
a625a4c7d5 Merge pull request #263 from smowton/smowton/feature/order-functypeexpr-children
PrintAst: order parameter and result declarations
2020-07-21 15:47:26 +01:00
Andrew Eisenberg
f35343e618 Merge pull request #262 from aeisenberg/aeisenberg/print-ast
Add the printAst contextual query
2020-07-20 11:11:42 -07:00
Slavomir
02b5fce67e Add go.mod to CWE-352 test folder 2020-07-20 17:46:12 +03:00
Chris Smowton
ce0cc31b03 PrintAst: order parameter and result declarations
This adds support for generally overriding the default AstNode child ordering, and uses it to sort parameter and result declarations in the context of a FuncTypeExpr in left-to-right textual order.
2020-07-20 14:32:42 +01:00
Andrew Eisenberg
0ae1330c02 Add the printAst contextual query
This is similar to the cpp query for printing the AST in the
context of VS Code.

This PR also includes a small refactoring to extract the
`getEncodedFile` predicate to a new `qll` file.
2020-07-17 10:12:48 -07:00
Slavomir
27f62b0b3a Fix examples 2020-07-17 13:12:18 +03:00
Slavomir
ee2804dfb1 Improve comments 2020-07-17 11:01:25 +03:00
Slavomir
ee4356501a Apply suggestions from code review
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2020-07-16 18:36:40 +03:00
Slavomir
fb78818db7 Fix .expected 2020-07-16 18:33:35 +03:00
Slavomir
ef7198c0cb Improve query scenarios 2020-07-16 18:29:15 +03:00
Slavomir
282f7af6d9 Improve comments, naming, docs 2020-07-16 12:52:41 +03:00
Slavomir
8cc8b8ef47 Add CWE-352: CSRF because of constant oauth2 state value 2020-07-16 12:38:08 +03:00
Slavomir
437f4b7eab Fix go autoformat 2020-07-15 19:12:33 +03:00
Slavomir
9cd86f9be8 Generated Go files: add what they were generated with 2020-07-15 19:05:12 +03:00
Slavomir
f7a03c0862 Update main.go 2020-07-15 19:05:12 +03:00
Slavomir
19348d2773 Simplify tests 2020-07-15 19:05:12 +03:00
Slavomir
1591ed3440 Implement code review feedback 2020-07-15 19:05:12 +03:00
Slavomir
5b63228690 Add StdlibTaintFlow.expected 2020-07-15 19:05:12 +03:00
Slavomir
19287fb5ff Add taint-tracking for archive/tar and archive/zip 2020-07-15 19:05:12 +03:00
Chris Smowton
830f83f21a Merge pull request #257 from smowton/smowton/fix/go-mod-comment-group-indices
Extractor: assign unique indices to comment-groups in go.mod files
2020-07-13 15:40:14 +01:00