hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-06 07:36:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,783 Commits 1,703 Branches 162 Tags
25adcc8f4abe65ef57efafe0b9bf896894260f9d
Commit Graph

11455 Commits

Author SHA1 Message Date
Napalys Klicius
1f6b3ad929 Update javascript/ql/src/codeql-suites/javascript-security-and-quality.qls 
Co-authored-by: Michael Nebel <michaelnebel@github.com>
 2025-05-27 09:38:24 +02:00
Napalys Klicius
e964b175e6 Added maintainability and error-handling tags 2025-05-26 14:23:20 +02:00
Napalys Klicius
37024ade85 JS: Move query suite selector logic to javascript-security-and-quality.qls 2025-05-26 11:00:48 +02:00
Napalys Klicius
000e69fd48 Replaced fuzzy NonNodeStream MaD to a ql predicate to deal easier with submodules 2025-05-23 13:55:40 +02:00
Napalys Klicius
248f83c4db Added qhelp for UnhandledStreamPipe query 2025-05-23 13:35:36 +02:00
Napalys Klicius
c6db32ed73 Add exceptions for arktype, execa, and highland to prevent them from being flagged by unhandled pipe error query 2025-05-23 12:34:11 +02:00
Napalys Klicius
15ff7cb41a Added more test cases which common js libraries uses .pipe() 2025-05-23 12:30:49 +02:00
Anders Schack-Mulligen
1d30103559 SSA: Distinguish between has and controls branch edge. 2025-05-23 09:56:22 +02:00
Napalys Klicius
b10a9481f3 Fixed false positives from strapi and rxjs/testing as well as when one passes function as second arg to pipe 2025-05-22 18:50:02 +02:00
Napalys Klicius
e6ae8bbde4 Added test cases where second parameter passed to pipe is a function and some popular library ones 2025-05-22 18:50:01 +02:00
Napalys Klicius
ac24fdd348 Add predicate to detect non-stream-like usage in sources of pipe calls 2025-05-22 18:49:59 +02:00
Napalys Klicius
5b1af0c0bd Added detection of custom gulp-plumber sanitizer, thus one would not flag such instances. 2025-05-22 18:49:53 +02:00
Asger F
9202a1b084 Merge pull request #19516 from asgerf/js/npm-package-name-join 
JS: More efficient nested package naming
 2025-05-22 12:46:43 +02:00
Napalys Klicius
b1048719aa Added UnhandledStreamPipe to javascript-security-and-quality.qls and javascript-code-quality.qls 2025-05-22 12:42:56 +02:00
Napalys Klicius
09220fce84 Fixed issue where pipe calls from rxjs package would been identified as pipe calls on streams 2025-05-22 12:33:36 +02:00
Napalys Klicius
d7f86db76c Enhance PipeCall to exclude non-function and non-object arguments in pipe method detection 2025-05-22 12:31:27 +02:00
Napalys Klicius
4332de464a Eliminate false positives by detecting non-stream objects returned from pipe() calls based on accessed properties 2025-05-22 12:31:26 +02:00
Napalys Klicius
5710f0cf51 Add test cases for non-stream field accesses and methods before and after pipe operations 2025-05-22 12:31:19 +02:00
Napalys Klicius
03d1f9a7d3 Restrict pipe detection to calls with 1-2 arguments 2025-05-21 11:41:22 +02:00
Napalys Klicius
30f2815503 Fixed issue where a custom pipe method which returns non stream would be flagged by the query 2025-05-21 11:41:19 +02:00
Napalys Klicius
ef1bde554a Fixed issue where streams would not be tracked via chainable methods 2025-05-21 11:40:35 +02:00
Napalys Klicius
f39bf62fc6 test: Add edge cases for stream pipe error handling 
Add tests for chained stream methods and non-stream pipe objects
 2025-05-21 11:39:03 +02:00
Napalys Klicius
c27157f021 Add UnhandledStreamPipee Quality query and tests to detect missing error handlers in Node.js streams 2025-05-21 11:38:57 +02:00
Asger F
317e61d370 JS: Update UnresolvableImports to handle nested packages 2025-05-19 12:53:19 +02:00
Asger F
1e8a49f311 JS: More efficient nested package naming 2025-05-19 12:53:18 +02:00
Michael Nebel
dabeddb62d Add change-notes. 2025-05-19 09:26:49 +02:00
Michael Nebel
530025b7ae Update integration tests expected output. 2025-05-19 09:26:47 +02:00
Michael Nebel
03ecd24469 Lower the precision of a range of harcoded password queries to remove them from query suites. 2025-05-19 09:26:45 +02:00
Napalys Klicius
f6a8909bfe Merge pull request #19356 from Napalys/js/merge_classes 
JS: Merge `ES6Class` to `FunctionStyleClass`
 2025-05-16 10:31:33 +02:00
github-actions[bot]
5f9dd75d7d Post-release preparation for codeql-cli-2.21.3 2025-05-13 21:49:43 +00:00
github-actions[bot]
2de4a01c86 Release preparation for version 2.21.3 2025-05-13 21:14:27 +00:00
Asger F
169ae19015 Merge pull request #19391 from asgerf/js/typescript-path-resolution 
JS: Overhaul import resolution
 2025-05-13 15:46:38 +02:00
Asger F
aea676df3c Merge pull request #19445 from asgerf/js/summaries-with-fallback 
JS: Generate flow summaries from summaryModels; only generate steps as a fallback
 2025-05-13 14:49:38 +02:00
Napalys Klicius
d1e769ba54 Merge pull request #19422 from Napalys/js/shelljs 
JS: Modeling of `ShellJS` functions
 2025-05-02 14:18:44 +02:00
Napalys Klicius
30694c11d6 Removed code duplication 2025-05-02 13:44:07 +02:00
Asger F
b8be1bcee8 JS: Avoid duplication with constructor body 2025-05-02 13:44:03 +02:00
Napalys Klicius
871e93d9fe Update javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2025-05-02 13:39:46 +02:00
Asger F
1f308ee47a JS: Explain use of monotonicAggregates 2025-05-02 13:22:27 +02:00
Asger F
5c9218fe5a JS: Add comment about 'path' heuristic 2025-05-02 13:22:25 +02:00
Asger F
f3e0cfd947 Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2025-05-02 12:41:29 +02:00
Asger F
16fc8c3d9e JS: Benign test updates 2025-05-02 11:09:19 +02:00
Tamás Vajk
cb1c3736fe Merge pull request #19413 from tamasvajk/quality/query-suite-selector 
Add code quality suite selector and use that in the code quality suites
 2025-05-02 08:18:48 +02:00
Napalys Klicius
c430a36b4c Refactored merge StandardClassNode into ClassNode 2025-05-01 19:12:12 +02:00
Asger F
a44bdf3be2 JS: Generate summaries from summaryModel, and only generate steps as a fallback 2025-05-01 15:22:47 +02:00
Asger F
ca5f8b0c1d JS: Move some code into ModelsAsData.qll 2025-05-01 15:17:07 +02:00
Owen Mansel-Chan
e0549483fd Merge pull request #19429 from owen-mc/fix-cwe-tags-missing-leading-zero 
Fix cwe tags to include leading zero
 2025-05-01 14:09:54 +01:00
Owen Mansel-Chan
0863c87572 Add change notes 2025-05-01 10:33:24 +01:00
Napalys Klicius
68a9dd9f9e Address comments 2025-05-01 11:19:41 +02:00
Napalys Klicius
c7d764f666 Brought back FunctionStyleClass marked as deprecated 2025-05-01 11:16:04 +02:00
Napalys Klicius
d4b5ef6a66 Refactor process.env handling in CleartextLogging and IndirectCommandInjection modules to use ThreatModelSource 2025-05-01 11:14:15 +02:00