1313 Commits

Author	SHA1	Message	Date
Jami	3675e4bb4f	Merge branch 'main' into jcogs33/java/insecure-spring-actuator-config-promotion	2025-08-26 08:02:17 -04:00
Napalys Klicius	b271f1fcd0	Java: Renamed query java/mocking-all-non-private-methods-means-unit-test-is-too-big to java/excessive-public-method-mocking and changed wording from non-private to public	2025-08-26 08:37:57 +00:00
Napalys Klicius	38f517ecfa	Java: Add lambda-aware test detection to VisibleForTesting query	2025-08-24 10:02:43 +00:00
Napalys Klicius	4149968f33	Java: Remove the hardcoded path filter that excluded CodeQL's own unit tests from the java/visible-for-testing-abuse query.	2025-08-24 09:58:35 +00:00
Anders Schack-Mulligen	02452704b2	Java: Fix bug in nullness	2025-08-22 10:15:22 +02:00
Anders Schack-Mulligen	9fc0793d6a	Java: More nullness qltests, including highlight of FN bug.	2025-08-22 10:12:48 +02:00
Anders Schack-Mulligen	1c724372f2	Java: More nullness qltests.	2025-08-22 10:08:17 +02:00
Anders Schack-Mulligen	ba252cb5cf	Java: Add a couple of difficult condition correlation tests.	2025-08-22 10:08:00 +02:00
Napalys Klicius	4705ad2e32	Java: Added extra test cases for fields	2025-08-22 09:23:49 +02:00
Napalys Klicius	ea831a8352	Java: Fix VisibleForTestingAbuse false positives in annotations	2025-08-22 09:23:49 +02:00
Napalys Klicius	225723bfeb	Java: Exclude @VisibleForTesting-to-@VisibleForTesting access from VisibleForTestingAbuse alerts	2025-08-22 09:23:49 +02:00
Napalys Klicius	e4042402bc	Java: Resolve spurious VisibleForTestingAbuse alerts for inner class access patterns	2025-08-22 09:23:49 +02:00
Napalys Klicius	1e2e6eccd7	Java: Test @VisibleForTesting method accessing @VisibleForTesting members	2025-08-22 09:23:49 +02:00
Napalys Klicius	9dfb4d4301	Java: Enchanced isWithinType to also include lambdas, inner classes etc.	2025-08-22 09:23:49 +02:00
Napalys Klicius	fbf18af076	Java: enchanced check if it is within same package	2025-08-22 09:23:49 +02:00
Napalys Klicius	2a16f4829e	Java: Expanded test suite of java/visible-for-testing-abuse	2025-08-22 09:23:49 +02:00
Napalys Klicius	652e9cba3d	Java: Added inline test expectations for java/visible-for-testing-abuse	2025-08-22 09:23:49 +02:00
Napalys Klicius	0c14d93bc6	Java: Added new query java/visible-for-testing-abuse	2025-08-22 09:23:49 +02:00
Napalys Klicius	eb6e9b8fe6	Java: Fix java/jvm-exit false positives for local nested classes in test methods	2025-08-21 14:20:49 +00:00
Napalys Klicius	41a78a0c3d	Java: Added nested local class test case	2025-08-21 14:10:12 +00:00
Napalys Klicius	53ccc56959	Java: exclude single-method classes from mocking	2025-08-11 13:43:36 +02:00
Napalys Klicius	a9e9a62439	Java: add single-method class test case for mocking rule ... Classes with only one public method should be compliant when mocked.	2025-08-11 13:43:36 +02:00
Napalys Klicius	22caa584ad	Java: Add inline test expectations for MockingAllNonPrivateMethodsMeansUnitTestIsTooBig.qlref	2025-08-11 13:43:36 +02:00
Napalys Klicius	50c7160819	Java: port java/mocking-all-non-private-methods-means-unit-test-is-too-big query	2025-08-11 13:43:36 +02:00
Napalys Klicius	4df613ce37	Java: Improved java/jvm-exit query to remove FP's.	2025-08-11 09:24:01 +02:00
Napalys Klicius	d41a5e3a25	Java: Added basic test cases for java/jvm-exit	2025-08-11 09:24:01 +02:00
Anders Schack-Mulligen	d9cfe14729	Java: Accept qltest change.	2025-08-07 14:51:49 +02:00
Anders Schack-Mulligen	23aac0ac51	Java: document nullness false negative as qltest	2025-08-05 13:49:51 +02:00
Jami Cogswell	c9692a6d10	Java: fix test failures cause by alert msg change	2025-07-19 13:27:09 -04:00
Jami Cogswell	7250265c1f	Java: consider all endpoints except for health and info as sensitive to align with Spring docs	2025-07-18 17:50:18 -04:00
Jami Cogswell	685f68d9d3	Java: support 'management.endpoints.web.expose' property	2025-07-18 17:50:17 -04:00
Jami Cogswell	70d51504a7	Java: rename to align with 'java/spring-boot-exposed-actuators' query	2025-07-18 17:50:12 -04:00
Jami Cogswell	ea35fbbe3b	Java: support version 3.x	2025-07-18 17:50:07 -04:00
Jami Cogswell	0d2a4222fd	Java: add related location to alert message	2025-07-17 19:22:18 -04:00
Jami Cogswell	2bfc4b4ee2	Java: fix test case for version 1.4 ... Need the existence of an ApplicationProperties File, not an ApplicationProperties ConfigPair	2025-07-17 19:22:15 -04:00
Jami Cogswell	3823186dc6	Java: split tests by versions ... splitting is required to properly test each scenario	2025-07-17 19:22:13 -04:00
Jami Cogswell	ed8da5e151	Java: convert tests to inline expectations	2025-07-17 19:22:08 -04:00
Jami Cogswell	fc930d9184	Java: update tests for non-experimental directory	2025-07-17 19:22:06 -04:00
Jami Cogswell	a39cb40177	Java: copy out of experimental	2025-07-17 19:22:01 -04:00
Nora Dimitrijević	b33058c967	[TEST] Java: SensitiveCommunication: convert to qlref	2025-07-17 18:59:05 +02:00
Nora Dimitrijević	44bb5e7220	[TEST] Java: ConditionalBypass: convert to qlref	2025-07-17 18:59:03 +02:00
Nora Dimitrijević	6134518d60	[TEST] Java: SensitiveLogInfo: convert to qlref	2025-07-17 18:59:01 +02:00
Nora Dimitrijević	94386f0550	[TEST] Java: TrustBoundaryViolations: convert test to qlref	2025-07-17 18:58:59 +02:00
Nora Dimitrijević	49e03b4dfd	[TEST] Java: UnsafeCertTrust: convert test to qlref	2025-07-17 18:58:56 +02:00
Nora Dimitrijević	7aced48443	[TEST] Java: LogInjection: convert test to qlref	2025-07-17 18:58:54 +02:00
Nora Dimitrijević	5c2cf79785	[TEST] Java: CWE-020/ExternalAPI: new test based on qhelp	2025-07-17 18:58:52 +02:00
Owen Mansel-Chan	805e31fdb9	Update test expectations	2025-07-16 15:25:45 +01:00
Owen Mansel-Chan	fdd1e3fefe	Use MaD models for unsafe deserialization sinks when possible ... Many of the unsafe deserialization sinks have to stay defined in QL because they have custom logic that cannot be expressed in MaD models.	2025-07-16 14:42:07 +01:00
Owen Mansel-Chan	8e4bd1a102	Add sink for ObjectInput.readObject to make test pass	2025-07-11 11:05:38 +01:00
Owen Mansel-Chan	34fae324a0	Add test for ObjectInput.readObject	2025-07-11 11:03:47 +01:00