hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-27 14:16:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
65,198 Commits 1,673 Branches 157 Tags
a698684fecb4f52e1fc2e57cf3461460eb46c19e
Commit Graph

490 Commits

Author SHA1 Message Date
Owen Mansel-Chan
b8608a1b1c Merge pull request #15946 from owen-mc/java/more-manual-models 
Java: more manual models
 2024-03-19 15:00:27 +00:00
Owen Mansel-Chan
7371f5e508 Provenance should be "df-manual" 2024-03-19 13:33:49 +00:00
Owen Mansel-Chan
764e99bda7 Fix model for java.util.Scanner#findall(String) 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2024-03-18 16:56:20 +00:00
Owen Mansel-Chan
7fb05f4a76 Fix duplicate "df-" in "df-df-manual" 2024-03-18 11:17:55 +00:00
Owen Mansel-Chan
754d4cd959 Fix model provenance to df-manual 2024-03-17 14:36:47 +00:00
Owen Mansel-Chan
23a58a0835 Add df-manual models related to existing df-manual models 2024-03-17 14:21:05 +00:00
Owen Mansel-Chan
fc367042ef Fix df-manual model with wrong parameter type 2024-03-17 14:21:01 +00:00
Owen Mansel-Chan
8e52483beb Add df-manual models in manually modeled classes 2024-03-15 10:10:23 +00:00
Owen Mansel-Chan
2bd08838d4 Add manual neutral models for java.lang.ClassLoader 2024-03-14 11:40:06 +00:00
Owen Mansel-Chan
5b734c76b6 Add manual neutral models for java.util.Locale and its subclasses 2024-03-14 11:39:59 +00:00
Tony Torralba
eecab9122a Recognize the model generator involvement in the models' provenances 2024-03-14 08:56:23 +01:00
Tony Torralba
5b88b8a3ed A few more neutrals 2024-03-14 08:53:58 +01:00
Tony Torralba
36f6a6fb10 Model more EnumSet methods as neutrals 2024-03-14 08:46:43 +01:00
Tony Torralba
039bea1625 Java: Add more neutral JDK models 
This is similar to https://github.com/github/codeql/pull/15766, in the sense that it adds neutral models to prevent the model generator from generating summaries for them. These models were spotted while evaluating https://github.com/github/codeql/pull/14919.
 2024-03-13 16:59:38 +01:00
Ed Minnix
61dbe26858 Add sinks for android.os.ParcelFileDescriptor 2024-03-11 10:31:51 -04:00
Max Schaefer
52a36ce41c Java: Fix sink type in hudson.model.yml 2024-03-04 11:53:37 +00:00
Owen Mansel-Chan
bf22c6dae0 Merge pull request #15766 from owen-mc/java/add-neutral-models 
Java: add neutral models
 2024-03-02 06:00:33 +00:00
Owen Mansel-Chan
0a8dfbafe4 Accept suggestion to put models under the right heading 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2024-03-01 16:05:28 +00:00
Owen Mansel-Chan
df64e0bc5f Add neutral summary models for java.security.MessageDigest#digest 2024-03-01 14:08:31 +00:00
Owen Mansel-Chan
f89fedcbaf Add some neutral models for java.util 2024-03-01 14:07:45 +00:00
Owen Mansel-Chan
10f6329b3e Add manual neutral models for java.util.stream 
See comment in java/ql/src/Metrics/Summaries/TopJdkApis.qll

   * Note: the following top JDK APIs are not modeled with MaD:
   * `java.util.stream.Collectors#joining(CharSequence)`: cannot be modeled completely without a model for `java.util.stream.Stream#collect(Collector)` as well
   * `java.util.stream.Collectors#toMap(Function,Function)`: specialized collectors flow
   * `java.util.stream.Stream#collect(Collector)`: handled separately on a case-by-case basis as it is too complex for MaD
 2024-03-01 12:32:04 +00:00
Owen Mansel-Chan
f907fd21ad Add manual neutral models for java.text.Format and java.text.MessageFormat 
See comment in java/ql/src/Metrics/Summaries/TopJdkApis.qll

   * Note: the following top JDK APIs are not modeled with MaD:
   * `java.text.Format#format(Object)`: similar issue as `Object.toString`; depends on the object being passed as the argument
   * `java.text.MessageFormat#format(String,Object[])`: similar issue as `Object.toString`; depends on the object being passed as the argument
 2024-03-01 12:31:59 +00:00
Owen Mansel-Chan
0e95f41900 Add manual neutral models for java.lang 
See comment in java/ql/src/Metrics/Summaries/TopJdkApis.qll

   * Note: the following top JDK APIs are not modeled with MaD:
   * `java.lang.System#getProperty(String)`: needs to be modeled by regular CodeQL matching the get and set keys to reduce FPs
   * `java.lang.System#setProperty(String,String)`: needs to be modeled by regular CodeQL matching the get and set keys to reduce FPs
 2024-03-01 12:31:49 +00:00
Tony Torralba
dd1dbdf4ec Java: Fix provenance of Map.Entry.copyOf models 2024-03-01 09:00:13 +01:00
Owen Mansel-Chan
7b5f51b1e2 Change summary models to neutral models for javax.crypto.Cipher 2024-02-29 16:22:27 +00:00
Owen Mansel-Chan
939d6f973f Add summary models for javax.crypto.Cipher 2024-02-29 12:20:47 +00:00
Owen Mansel-Chan
65bc62c10a Add summary model for Map$Entry#copyOf 2024-02-29 12:20:43 +00:00
Max Schaefer
93990ec9df Merge pull request #15486 from github/java/update-mad-decls-after-triage-2024-01-31T11-16-45 
Java: Update MaD Declarations after Triage
 2024-02-09 11:18:17 +00:00
Tony Torralba
4c0d535cc2 Merge pull request #12886 from atorralba/atorralba/java/path-injection-mad-sinks 
Java: Refactor path injection sinks
 2024-02-09 10:48:49 +01:00
Max Schaefer
fb109672b3 Address more review feedback. 2024-02-09 09:21:30 +00:00
Max Schaefer
082754a3d8 Remove problematic Kotlin model. 2024-02-07 13:21:59 +00:00
Max Schaefer
705a377060 Address review comments. 2024-02-06 12:54:29 +00:00
Anders Schack-Mulligen
49b00f3842 Java: Remove two redundant models implied by CharSequence models. 2024-02-02 13:17:26 +01:00
Max Schaefer
ab6cea14c8 Fix missing quotes. 2024-01-31 11:49:25 +00:00
Max Schaefer
6c6f402fa5 Merge branch 'main' into java/update-mad-decls-after-triage-2024-01-31T11-16-45 2024-01-31 11:29:33 +00:00
Max Schaefer
ad8038bade Update MaD Declarations after Triage 2024-01-31 11:28:10 +00:00
Tony Torralba
e2bf9ea2eb Consider File.exists() et al a path-injection sink 2024-01-30 14:51:36 +01:00
Joe Farebrother
031bd8bd0c Merge pull request #15281 from joefarebrother/android-sensitive-ui-notif 
Java: Add query for exposure of sensitive information to android notifiactions
 2024-01-26 16:42:55 +00:00
Max Schaefer
73130ec665 Merge pull request #15436 from github/max-schaefer-patch-1 
Java: Add models for overloads of DatagramPacket constructor
 2024-01-26 16:13:11 +00:00
Tony Torralba
19cb7adb6d Migrate path injection sinks to MaD 
Deprecate and stop using PathCreation

Path creation sinks are now summaries
 2024-01-26 12:19:54 +01:00
Tony Torralba
d299971086 Fix code review mistake 2024-01-25 17:42:11 +01:00
Max Schaefer
13f0df3588 Add two more models. 2024-01-25 15:00:22 +00:00
Max Schaefer
5235291919 Add models for overloads of DatagramPacket constructor 2024-01-25 14:49:05 +00:00
Stephan Brandauer
1f9a968774 Java: PR discussion 2024-01-25 13:59:47 +01:00
Stephan Brandauer
5d6ee9c0cb Update java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2024-01-25 10:00:56 +01:00
Stephan Brandauer
4e63cbc993 Merge branch 'main' into java/update-mad-decls-after-triage-2024-01-24T10-05-04 2024-01-24 14:55:20 +01:00
Stephan Brandauer
d5bcbcddab Update MaD Declarations after Triage 2024-01-24 11:05:07 +01:00
Joe Farebrother
dedba1fc54 Address review comments - add barrierIn and fix a model for a PendingIntent sink 2024-01-23 09:51:42 +00:00
Joe Farebrother
b23bbf93d4 Reorder sink models 2024-01-23 09:51:41 +00:00
Joe Farebrother
d806fcae3d Remove sink models involving PendingIntent; as they do not carry sensitive data (including from the original intent they were created with) 2024-01-23 09:51:39 +00:00