codeql

mirror of https://github.com/github/codeql.git synced 2026-03-31 20:58:16 +02:00

Author	SHA1	Message	Date
Taus	434b3973eb	Python: Add change note	2026-03-20 13:30:29 +00:00
Taus	3584ad1905	Python: Port DeprecatedSliceMethod.ql Only trivial test changes.	2026-03-20 13:30:29 +00:00
Taus	50b3b7ee1f	Python: Add `DuckTyping::hasUnreliableMro` Primarily used to filter out false positives in cases where our MRO approximation may be wrong.	2026-03-20 13:30:29 +00:00
Taus	fa8e4f7314	Python: Port DocStrings.ql	2026-03-20 13:28:45 +00:00
Taus	c04b615a07	Python: Extend DuckTyping module Adds `overridesMethod` and `isPropertyAccessor`.	2026-03-20 13:28:45 +00:00
Taus	283231bdbc	Python: Port ShouldBeContextManager.ql Only trivial test changes.	2026-03-20 13:28:45 +00:00
Taus	025a7d0cca	Python: Port UselessClass.ql No test changes.	2026-03-20 13:28:45 +00:00
Taus	8cfdea2001	Python: Port PropertyInOldStyleClass.ql Only trivial test changes.	2026-03-20 13:28:45 +00:00
Taus	e860d706c9	Python: Port SuperInOldStyleClass.ql	2026-03-20 13:28:45 +00:00
Taus	3d20050c0a	Python: Port SlotsInOldStyleClass.ql Only trivial test changes.	2026-03-20 13:28:45 +00:00
Taus	b57e92164c	Python: Add declares/getAttribute API These could arguably be moved to `Class` itself, but for now I'm choosing to limit the changes to the `DuckTyping` module (until we decide on a proper API).	2026-03-20 13:28:45 +00:00
Taus	cd92162920	Python: Add `DuckTyping::isNewStyle` Approximates the behaviour of `Types::isNewStyle` but without depending on points-to	2026-03-20 13:28:45 +00:00
Taus	33ed6034f6	Python: Introduce `DuckTyping` module This module (which for convenience currently resides inside `DataFlowDispatch`, but this may change later) contains convenience predicates for bridging the gap between the data-flow layer and the old points-to analysis.	2026-03-20 13:28:44 +00:00
Taus	1dcc76996d	Python: Port `py/print-during-import` Uses a (perhaps) slightly coarser approximation of what modules are imported, but it's probably fine.	2026-03-20 13:28:44 +00:00
Taus	f4841e1f39	Python: Use API graphs instead of points-to for simple built-ins Also extends the list of known built-ins slightly, to add some that were missing.	2026-03-20 13:28:44 +00:00
Owen Mansel-Chan	5b17d8cf76	Merge pull request #21472 from owen-mc/adjust-severity/xss-log-injection Adjust `@security-severity` metadata for XSS and log injection queries	2026-03-18 16:51:14 +00:00
Taus	a99b3f2c3b	Merge pull request #21459 from github/tausbn/python-fix-missing-relative-imports Python: Fix resolution of relative imports from namespace packages	2026-03-16 14:59:44 +01:00
Taus	92718a98d0	Python: Add test for package inside namespace package	2026-03-16 12:41:09 +00:00
Taus	e70727524a	Python: Rename `prints` tag to `flow` The former was a remnant of copying the setup over from `ql/test/experimental/import-resolution/importflow.ql`.	2026-03-16 12:37:00 +00:00
Owen Mansel-Chan	52809133f5	Add change notes	2026-03-13 11:10:43 +00:00
Owen Mansel-Chan	056aa342fe	Change @security-severity for log injection queries from 7.8 to 6.1	2026-03-13 10:02:01 +00:00
Owen Mansel-Chan	f58a6e5d3a	Change @security-severity for XSS queries from 6.1 to 7.8	2026-03-13 10:01:02 +00:00
Taus	3ee369b710	Python: Add change note	2026-03-12 13:29:24 +00:00
Taus	e16bb226c0	Python: Fix resolution of relative imports from namespace packages The fix may look a bit obscure, so here's what's going on. When we see `from . import helper`, we create an `ImportExpr` with level equal to 1 (corresponding to the number of dots). To resolve such imports, we compute the name of the enclosing package, as part of `ImportExpr.qualifiedTopName()`. For this form of import expression, it is equivalent to `this.getEnclosingModule().getPackageName()`. But `qualifiedTopName` requires that `valid_module_name` holds for its result, and this was _not_ the case for namespace packages. To fix this, we extend `valid_module_name` to include the module names of _any_ folder, not just regular package (which are the ones where there's a `__init__.py` in the folder). Note that this doesn't simply include all folders -- only the ones that result in valid module names in Python.	2026-03-12 13:29:23 +00:00
Taus	48bf4fd82a	Python: Add test for missing relative import in namespace packages	2026-03-12 13:29:19 +00:00
Taus	5a65282241	Merge pull request #21429 from github/tausbn/fix-bad-join-in-method-call-order Python: Fix bad join in method call order computation	2026-03-10 18:17:35 +01:00
Taus	5d74ad5bc6	Merge pull request #21419 from github/tausbn/python-improve-overloaded-method-resolution Python: Improve modelling of overloaded methods	2026-03-09 16:25:05 +01:00
Taus	f2bad1e6e1	Python: Improve docstring and make predicate private	2026-03-09 13:41:38 +00:00
Taus	c5360ba46c	Python: Fix bad join in method call order computation This join had badness 1127 on the project FiacreT/M-moire, producing ~31 million tuples in order to end up with only ~27k tuples later in the pipeline. With the fix, we reduce this by roughly the full 31 million (the new materialised helper predicate accounting for roughly 130k tuples on its own). Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>	2026-03-09 13:09:29 +00:00
Óscar San José	3b9eba2afc	Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21	2026-03-06 16:20:36 +01:00
Taus	66ca10c338	Python: Add change note	2026-03-05 22:20:03 +00:00
Taus	fa61f6f3df	Python: Model `@typing.overload` in method resolution Adds `hasOverloadDecorator` as a predicate on functions. It looks for decorators called `overload` or `something.overload` (usually `typing.overload` or `t.overload`). These are then filtered out in the predicates that (approximate) resolving methods according to the MRO. As the test introduced in the previous commit shows, this removes the spurious resolutions we had before.	2026-03-05 22:20:03 +00:00
Taus	0561a63003	Python: Add test for overloaded `__init__` resolution Adds a test showing that `@typing.overload` stubs are spuriously resolved as call targets alongside the actual `__init__` implementation.	2026-03-05 22:20:03 +00:00
Owen Mansel-Chan	c82f75604a	Add change notes	2026-03-05 10:34:30 +00:00
Owen Mansel-Chan	99a4fe4828	Update expected test output column numbers	2026-03-04 15:02:53 +00:00
Owen Mansel-Chan	aa28c94562	Remove double space after $ in inline expectations tests	2026-03-04 14:12:42 +00:00
Owen Mansel-Chan	91b6801db1	py: Inline expectation should have space before $	2026-03-04 13:11:38 +00:00
Owen Mansel-Chan	5a97348e78	python: Inline expectation should have space after $ This was a regex-find-replace from `# \$(?! )` (using a negative lookahead) to `# $ `.	2026-03-04 12:45:05 +00:00
github-actions[bot]	e152f08468	Post-release preparation for codeql-cli-2.24.3	2026-03-02 22:51:27 +00:00
github-actions[bot]	7795badd18	Release preparation for version 2.24.3	2026-03-02 13:23:40 +00:00
yoff	600f585a31	Merge pull request #21296 from yoff/python/bool-comparison-guards Python: Handle guards being compared to boolean literals	2026-02-26 21:13:51 +01:00
yoff	89e5a9bd72	Update python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll Co-authored-by: Taus <tausbn@github.com>	2026-02-26 13:14:26 +01:00
yoff	cfbae50845	Python: convert barrier guard to MaD	2026-02-26 13:12:34 +01:00
yoff	9b9c9304c7	Python: simplify logic, suggested in review	2026-02-25 18:16:38 +01:00
yoff	c4f8748a42	Python: simplify barrier guard	2026-02-25 18:03:40 +01:00
Taus	6bfb1e1fae	Merge pull request #21344 from github/tausbn/python-remove-points-to-from-metrics-libraries Python: Remove points-to from metrics library	2026-02-24 15:55:16 +01:00
Taus	f107235db2	Update change note	2026-02-24 15:08:36 +01:00
yoff	7df44f9418	python: add change note	2026-02-24 10:00:22 +01:00
yoff	7351e82c92	python: handle guards compared to boolean literals	2026-02-24 10:00:22 +01:00
yoff	8488039fb9	python: add tests for guards compared to booleans	2026-02-24 10:00:21 +01:00

1 2 3 4 5 ...

9529 Commits