hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 03:09:26 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,969 Commits 1,759 Branches 167 Tags
310c41ed3de8488d018ff37fbd9efe3326c775b1
Commit Graph

86969 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Michael B. Gale
310c41ed3d Merge pull request #21760 from github/release-prep/2.25.3 
Release preparation for version 2.25.3
codeql-cli/v2.25.3 		2026-04-27 11:05:42 +01:00
Michael B. Gale
f817bd4924 Merge changelog entries for cpp/implicit-function-declaration 2026-04-27 11:03:42 +01:00
Michael B. Gale
03c3b3f4c4 Improve wording of actions note 2026-04-27 11:03:29 +01:00
github-actions[bot]
019ec0caf7 Release preparation for version 2.25.3 2026-04-27 10:01:23 +00:00
Michael B. Gale
6787beb8e7 Merge pull request #21758 from github/revert-21736-release-prep/2.25.3 
Revert "Release preparation for version 2.25.3"
 2026-04-27 09:52:36 +01:00
Michael B. Gale
9f70f718e3 Revert "Release preparation for version 2.25.3" 2026-04-27 09:36:56 +01:00
Michael B. Gale
a73f7cb79d Merge pull request #21736 from github/release-prep/2.25.3 
Release preparation for version 2.25.3
 2026-04-20 12:29:07 +02:00
Michael B. Gale
abf374433b Merge changelog entries for cpp/implicit-function-declaration 2026-04-20 12:24:05 +02:00
Michael B. Gale
34b5dcfd5f Improve wording of actions note 2026-04-20 11:40:32 +02:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
Owen Mansel-Chan
2764580cdf Merge pull request #21718 from chmodxxx/java/woodstox-xxe 
Java: Add XXE sink model for Woodstox WstxInputFactory
 2026-04-17 17:25:15 +01:00
Salah Baddou
fb2d53e72a Address review: inline Woodstox into XmlParsers, move changelog to lib 2026-04-17 18:46:51 +04:00
Salah Baddou
f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory 
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
 2026-04-17 18:46:51 +04:00
Owen Mansel-Chan
29b07d5d07 Merge pull request #21721 from owen-mc/go/remove-global-function-jump-step-from-local-flow 
Go: Remove global function step from local flow
 2026-04-17 14:09:16 +01:00
Tom Hvitved
14bdb62cf8 Merge pull request #21726 from hvitved/csharp/useless-to-string-fps 
C#: Fix FPs in `RedundantToStringCall.ql`
 2026-04-17 14:59:22 +02:00
Jeroen Ketema
3073c1c94c Merge pull request #21725 from github/jeongsoolee09/add-aligned-alloc-model 
Add models of various `aligned_alloc`s
 2026-04-17 14:31:25 +02:00
Owen Mansel-Chan
bc28e1726c Refactor to get rid of duplication 2026-04-17 13:24:16 +01:00
Tom Hvitved
7bfdfbefa9 Add change note 2026-04-17 13:57:08 +02:00
Tom Hvitved
0235df8758 C#: Improve alert message for RedundantToStringCall.ql 2026-04-17 13:55:00 +02:00
Jeongsoo Lee
abec00cd34 Update cpp/ql/src/change-notes/2026-04-16-add-model-for-aligned-alloc.md 
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
 2026-04-17 07:08:38 -04:00
Owen Mansel-Chan
9f4fd7fab0 Remove a data flow consistency exclusion 
This is no longer needed.
 2026-04-17 11:27:36 +01:00
Paolo Tranquilli
5342cc79fb Merge pull request #21574 from github/redsun82/actions/remove-harden-runner-false-positive 
Remove false positive injection sink models for `docker/build-push-action` and `step-security/harden-runner`
 2026-04-17 09:43:45 +02:00
Tom Hvitved
426962e348 C#: Fix FPs in RedundantToStringCall.ql 2026-04-17 09:37:19 +02:00
Tom Hvitved
33e9c02079 C#: Add more tests for RedundantToStringCall.ql 2026-04-17 09:33:13 +02:00
jeongsoolee09
553ed103c3 Add a change note 2026-04-16 21:31:55 -04:00
jeongsoolee09
d2d594a8ff Add models of ::aligned_alloc, std::aligned_alloc, and bsl::aligned_alloc 2026-04-16 21:21:09 -04:00
Owen Mansel-Chan
f6135b70ea Remove global function step from local flow 2026-04-16 11:15:01 +01:00
Tom Hvitved
ee34e3353d Merge pull request #21698 from hvitved/rust/type-inference-index-expr 
Rust: Replace special handling of index expressions in type inference
 2026-04-16 09:03:06 +02:00
Jon Janego
f95ee129df Merge pull request #21713 from github/codeql-spark-run-24459914636 
Update changelog documentation site for codeql-cli-2.25.2
 2026-04-15 09:55:53 -05:00
github-actions[bot]
d24fb29ff4 update codeql documentation 2026-04-15 14:23:47 +00:00
Jeroen Ketema
97d8993fc5 Merge pull request #21667 from jketema/jketema/swift-6.3 
Swift: Update to Swift 6.3
 2026-04-15 14:07:23 +02:00
Jeroen Ketema
7d1c62daa6 Swift: Address review comment 2026-04-15 13:37:15 +02:00
Tom Hvitved
597d81038a Merge pull request #21708 from github/copilot/fix-missed-opportunity-to-use-select 
Fix false positive in `MissedSelectOpportunity` when foreach body uses `await`
 2026-04-15 11:32:02 +02:00
Tom Hvitved
069431941e Merge pull request #21596 from hvitved/rust/data-flow-closure-type 
Rust: Track closure types in data flow
 2026-04-15 10:32:05 +02:00
Tom Hvitved
609621f638 Merge pull request #21679 from hvitved/rust/type-inference-forall-checks 
Rust: Replace recursion through `forall` with ranked recursion
 2026-04-15 09:43:37 +02:00
Jeroen Ketema
ae2226345e Merge pull request #21709 from jketema/depr 
C++: Remove deprecated code deprecated more than a year ago
 2026-04-14 17:04:48 +02:00
Owen Mansel-Chan
6e0bee7471 Merge pull request #21691 from github/dependabot/go_modules/go/extractor/extractor-dependencies-2d1b0e128d 
Bump the extractor-dependencies group across 1 directory with 2 updates
 2026-04-14 15:26:00 +01:00
Henry Mercer
cb1fd76a4c Merge pull request #21658 from github/post-release-prep/codeql-cli-2.25.2 
Post-release preparation for codeql-cli-2.25.2
 2026-04-14 15:24:13 +01:00
Tom Hvitved
467933bbb1 Rust: Also add specialized IndexMut implementations 2026-04-14 15:45:14 +02:00
Henry Mercer
43c9b95e6f Merge branch 'main' into post-release-prep/codeql-cli-2.25.2 2026-04-14 13:56:52 +01:00
Tom Hvitved
878cfd720c C#: Use inline test expectations 2026-04-14 14:41:28 +02:00
Geoffrey White
666c8bf87a Merge pull request #21635 from geoffw0/suspicioussizeof2 
C++: Upgrade cpp/suspicious-add-sizeof to high precision
 2026-04-14 13:04:24 +01:00
Jeroen Ketema
07b02942db Merge remote-tracking branch 'upstream/main' into jketema/swift-6.3 2026-04-14 13:54:16 +02:00
Jeroen Ketema
9ef088d423 C++: Add change note 2026-04-14 13:46:43 +02:00
Taus
c748fdf8ee Merge pull request #21694 from github/tausbn/python-add-support-for-pep-810 
Python: Add support for PEP 810
 2026-04-14 13:27:08 +02:00
Tom Hvitved
b749ad645a Merge pull request #21706 from hvitved/rust/type-inference-perf-fixes 
Rust: Improve performance of two type inference predicates
 2026-04-14 13:06:26 +02:00
Jeroen Ketema
12868e5140 C++: Remove deprecated code added more than a year ago 2026-04-14 13:03:10 +02:00
Geoffrey White
fe7e8480b2 Merge branch 'main' into suspicioussizeof2 2026-04-14 10:52:00 +01:00
Anders Schack-Mulligen
e0952948ba Merge pull request #21701 from aschackmull/csharp/intvalue 
C#: Introduce Expr.getIntValue.
 2026-04-14 11:23:29 +02:00
Owen Mansel-Chan
7458674470 Merge pull request #21584 from owen-mc/shared/update-mad-comments 
Shared: update code comments explaining models-as-data format to include barriers and barrier guards
 2026-04-14 09:30:28 +01:00