Tom Hvitved
80ccdcc696
Inline test expectations: Rename tagIsOptional to tagIsIgnored
2026-05-04 11:21:33 +02:00
Josef Svenningsson
68be006a29
Merge pull request #21641 from github/josefs/promptInjectionImprovements
...
Improve prompt inject for Python
2026-04-29 11:23:52 +01:00
Michael Nebel
bfd3683b0b
Merge pull request #21372 from michaelnebel/csharp14/usercompoundassignment
...
C# 14: User defined compound assignment operators.
2026-04-29 11:22:35 +02:00
Asger F
c95083b176
Merge pull request #21697 from yearn/js/vercel-node-framework
...
JS: Add support for @vercel/node serverless functions
2026-04-29 10:58:53 +02:00
Jeroen Ketema
c2beef1900
Merge pull request #21765 from jketema/switch
...
C++: Fix join-order problem in `getNextSwitchCase`
2026-04-28 21:57:10 +02:00
Josef Svenningsson
25a8aa97b2
Fix openai prompt injection tests
2026-04-28 18:24:26 +01:00
Josef Svenningsson
691aeb0815
Remove the chat completion create logic.
2026-04-28 18:24:24 +01:00
Josef Svenningsson
a05e191518
Add tests for anthropic prompt injection models
2026-04-28 18:24:22 +01:00
Josef Svenningsson
e069c9c2ee
Fix tests
2026-04-28 18:24:19 +01:00
Josef Svenningsson
bb18bb084c
Improve prompt inject for Python
2026-04-28 18:24:16 +01:00
murderteeth
6f774470b3
Merge branch 'main' into js/vercel-node-framework
2026-04-28 12:30:27 -04:00
murderteeth
18b06f1cf4
Model res.json and res.jsonp as Vercel response sinks
...
Vercel API handlers more often return JSON than HTML, so res.send is
not the only response body sink that matters. Mirror Express's
ResponseJsonCall by also matching res.json(...) and res.jsonp(...) on
the response (direct and chained), and exercise the new behavior in
the library-test fixture.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 16:14:53 +00:00
murderteeth
1b87140ce7
Regenerate DatabaseAccesses.expected for new vercel.ts fixture
...
The CWE-089/untyped/vercel.ts fixture added in this PR introduces a
conn.query(...) call that DatabaseAccesses.ql reports, so its
.expected baseline needs the corresponding entry. Output produced by
`codeql test accept`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 15:57:06 +00:00
Jeroen Ketema
29dd56f83f
C++: Make formatting of switch statement examples more uniform
2026-04-28 16:36:54 +02:00
Jeroen Ketema
0bc23c3af1
C++: Match example with text
2026-04-28 16:33:17 +02:00
Jeroen Ketema
f634b328ee
C++: Fix join-order problem in getNextSwitchCase
...
Before on `neovim`:
```
[2026-04-28 14:54:20] Evaluated non-recursive predicate Stmt::SwitchCase.getNextSwitchCase/0#dispred#2d3cb6d3@ac8178o2 in 68ms (size: 20848).
Evaluated relational algebra for predicate Stmt::SwitchCase.getNextSwitchCase/0#dispred#2d3cb6d3@ac8178o2 with tuple counts:
21888 ~0% {2} r1 = SCAN switch_case OUTPUT In.2, In.0
21888 ~0% {4} | JOIN WITH #switch_caseMerge_21#join_rhs ON FIRST 1 OUTPUT Lhs.1, Lhs.0, _, Rhs.1
21888 ~4% {3} | REWRITE WITH Tmp.2 := 1, Out.2 := (In.3 - Tmp.2) KEEPING 3
24091916 ~0% {3} | JOIN WITH switch_case ON FIRST 1 OUTPUT Lhs.2, Rhs.2, Lhs.1
20848 ~2% {2} | JOIN WITH #switch_caseMerge_12#join_rhs ON FIRST 2 OUTPUT Lhs.1, Lhs.2
return r1
```
After:
```
[2026-04-28 15:30:53] Evaluated non-recursive predicate Stmt::SwitchCase.getNextSwitchCase/0#dispred#2d3cb6d3@bf9801oj in 0ms (size: 20848).
Evaluated relational algebra for predicate Stmt::SwitchCase.getNextSwitchCase/0#dispred#2d3cb6d3@bf9801oj with tuple counts:
21888 ~0% {4} r1 = SCAN switch_case OUTPUT In.0, _, In.2, In.1
21888 ~1% {3} | REWRITE WITH Tmp.1 := 1, Out.1 := (In.3 + Tmp.1) KEEPING 3
20848 ~2% {2} | JOIN WITH switch_case ON FIRST 2 OUTPUT Lhs.2, Rhs.2
return r1
```
2026-04-28 15:44:53 +02:00
Jeroen Ketema
fa8c1d6226
C++: Add a getSwitchCase predicate to SwitchStmt
2026-04-28 15:44:12 +02:00
Mathias Vorreiter Pedersen
1ba9601257
Merge pull request #21764 from github/add-strsafe.h-models
...
C++: Add `Strsafe.h` models
2026-04-28 12:10:26 +01:00
Owen Mansel-Chan
b07d2fb7d7
Merge pull request #21740 from owen-mc/go/overlay-correctness
...
Go: improve accuracy of overlay annotations
2026-04-28 11:35:14 +01:00
Mathias Vorreiter Pedersen
c59d6cb2a7
C++: Accept query test change.
2026-04-28 11:35:08 +01:00
Mathias Vorreiter Pedersen
f28d5d2f59
C++: Add change note.
2026-04-28 10:57:04 +01:00
Mathias Vorreiter Pedersen
86d8e362a1
C++: Accept test changes.
2026-04-28 10:50:50 +01:00
Mathias Vorreiter Pedersen
2805f788ee
C++: Add strsafe.h model.
2026-04-28 10:50:48 +01:00
Mathias Vorreiter Pedersen
e29efc7d2c
C++: Add tests with missing flow.
2026-04-28 10:50:39 +01:00
Jeroen Ketema
2886127535
Merge pull request #21409 from jketema/jketema/softfloat
...
C++: Update expected test results after extractor changes
2026-04-28 09:47:44 +02:00
Tom Hvitved
81a00134aa
Merge pull request #21753 from hvitved/go/most-recent-side-effect-multi-entry
...
Go: Avoid combinatorial explosion in `mostRecentSideEffect` when there are multiple entry points
2026-04-28 09:12:59 +02:00
Michael B. Gale
cafb73a7a0
Merge pull request #21761 from github/post-release-prep/codeql-cli-2.25.3
...
Post-release preparation for codeql-cli-2.25.3
2026-04-27 17:23:19 +01:00
Tom Hvitved
2e94b09e6f
Address review comments
2026-04-27 14:18:41 +02:00
github-actions[bot]
24edae5e74
Post-release preparation for codeql-cli-2.25.3
2026-04-27 10:27:45 +00:00
Henry Mercer
f1a9637d1f
Merge pull request #21571 from github/henrymercer/yaml-regression-test
...
JS: Add regression test for YAML extraction
2026-04-27 11:09:37 +01:00
Michael B. Gale
310c41ed3d
Merge pull request #21760 from github/release-prep/2.25.3
...
Release preparation for version 2.25.3
codeql-cli/v2.25.3
2026-04-27 11:05:42 +01:00
Michael B. Gale
f817bd4924
Merge changelog entries for cpp/implicit-function-declaration
2026-04-27 11:03:42 +01:00
Michael B. Gale
03c3b3f4c4
Improve wording of actions note
2026-04-27 11:03:29 +01:00
github-actions[bot]
019ec0caf7
Release preparation for version 2.25.3
2026-04-27 10:01:23 +00:00
Michael B. Gale
6787beb8e7
Merge pull request #21758 from github/revert-21736-release-prep/2.25.3
...
Revert "Release preparation for version 2.25.3"
2026-04-27 09:52:36 +01:00
Michael B. Gale
9f70f718e3
Revert "Release preparation for version 2.25.3"
2026-04-27 09:36:56 +01:00
murderteeth
a6dba9eb25
Merge branch 'main' into js/vercel-node-framework
2026-04-25 14:19:43 -04:00
murderteeth
f15d53f3b9
Update javascript/ql/lib/change-notes/2026-04-12-vercel-node.md
...
Co-authored-by: Asger F <asgerf@github.com>
2026-04-25 14:19:01 -04:00
Owen Mansel-Chan
0daefb778b
Merge pull request #21755 from github/workflow/coverage/update
...
Update CSV framework coverage reports
2026-04-25 07:42:44 +01:00
github-actions[bot]
be8c35ad8c
Add changed framework coverage reports
2026-04-25 00:39:28 +00:00
Owen Mansel-Chan
710c1ba050
Make getACallee overlay[global]
...
Co-authored-by: Copilot <copilot@github.com>
2026-04-24 12:35:11 +01:00
Tom Hvitved
8e26fa1c81
Go: Avoid combinatorial explosion in mostRecentSideEffect when there are multiple entry points
2026-04-24 13:24:58 +02:00
Tom Hvitved
cbc12324bb
Merge pull request #21703 from hvitved/rust/type-inference-sibling
...
Rust: Refine `implSiblings`
2026-04-24 12:36:51 +02:00
Owen Mansel-Chan
9fbe447428
Merge pull request #21749 from github/copilot/add-hibernate-sql-injection-tests
...
Add Hibernate SQL injection sink models and coverage
2026-04-24 09:36:46 +01:00
Michael Nebel
f3f3ee6e81
C#: Add cs/dereferenced-value-is-always-null test example for compound operators.
2026-04-24 08:57:14 +02:00
Michael Nebel
01baa6e3ae
C#: Add tests and update expected test output.
2026-04-24 08:57:11 +02:00
Michael Nebel
e2fcaeb46a
C#: Handle compound assignment operators in the dispatch logic (and assignable definition).
2026-04-24 08:57:09 +02:00
Michael Nebel
bdf0c8ff5a
C#: Add compound assignment operator call classes.
2026-04-24 08:57:06 +02:00
Michael Nebel
43ebcb68f0
C#: Add upgrade- and downgrade scripts.
2026-04-24 08:57:00 +02:00
Michael Nebel
44dd2f008b
C#: Update the DB scheme, such that compound assignment operator calls can be considered qualifiable expressions.
2026-04-24 08:56:57 +02:00