hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-24 00:16:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
53,770 Commits 1,714 Branches 163 Tags
aa216e653533f9d2aec9c0f59730fe57f027f40a
Commit Graph

53770 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
aa216e6535 Python: Update inline expectations 2023-04-27 12:04:05 +02:00
Rasmus Wriedt Larsen
d73289ac4e Python: Accept .expected changes 2023-04-27 11:54:39 +02:00
Rasmus Wriedt Larsen
d274fa16a1 Python: Hide ModuleVariableNode in data-flow paths 
They just add an extra step, and don't actually contribute any good
information for end-users.
 2023-04-26 16:04:16 +02:00
Rasmus Wriedt Larsen
0c4bcec39e Python: Fix ModuleVariableNode.toString 
In some cases mod.getName() does not have a result, so toString of
ModuleVariableNode would also not have a result, which would cause
data-flow paths that use these as an edge to not be valid :O
 2023-04-26 16:03:21 +02:00
Michael Nebel
bc08d67f19 Merge pull request #12925 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2023-04-26 10:11:15 +02:00
Paolo Tranquilli
9d80a43d6a Merge pull request #12500 from github/redsun82/swift-dispatcher-rework 
Swift: rework fetching and dispatching
 2023-04-26 09:58:19 +02:00
Erik Krogh Kristensen
6110b7aca5 Merge pull request #12926 from github/dependabot/cargo/ql/tracing-0.1.38 
Bump tracing from 0.1.37 to 0.1.38 in /ql
 2023-04-26 09:49:55 +02:00
dependabot[bot]
738e3857e7 Bump tracing from 0.1.37 to 0.1.38 in /ql 
Bumps [tracing](https://github.com/tokio-rs/tracing) from 0.1.37 to 0.1.38.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.38)

---
updated-dependencies:
- dependency-name: tracing
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-04-26 04:04:15 +00:00
github-actions[bot]
cb82bd62e7 Add changed framework coverage reports 2023-04-26 00:15:23 +00:00
Edward Minnix III
e50f56cc56 Merge pull request #12917 from egregius313/egregius313/java/dataflow/refactor-inline-flow-test 
Java: Refactor `InlineFlowTest` to remove usage of `DataFlow::Configuration` API
 2023-04-25 16:18:56 -04:00
Rasmus Wriedt Larsen
95b8a22529 Merge pull request #12889 from kaspersv/kaspersv/prevent-python-join-order-regression 
Prevent Python join order regression
 2023-04-25 18:02:13 +02:00
Ed Minnix
d98723c35a Fix naming of OkHttpFlowConfig in test 2023-04-25 10:31:27 -04:00
Jami
cff7f63193 Merge pull request #12838 from jcogs33/jcogs33/add-class-for-callables-interesting-for-modeling 
Java: add class that represents callables that are interesting for MaD models
 2023-04-25 09:28:56 -04:00
Alexandre Boulgakov
909f40b6ea Merge pull request #12918 from github/sashabu/absl 
Swift: Fix some TODOs with Abseil.
 2023-04-25 14:05:12 +01:00
Geoffrey White
84ddfe9c3f Merge pull request #12919 from geoffw0/precision2 
Swift: Upgrade two queries to precision high.
 2023-04-25 14:04:52 +01:00
Geoffrey White
b1712d33fe Merge pull request #12837 from geoffw0/flowsources 
Swift: widen swift/predicate-injection sources
 2023-04-25 14:03:58 +01:00
yoff
b35637e1c5 Merge pull request #12858 from RasmusWL/paramiko-modeling 
Python: Expand modeling of `paramiko`
 2023-04-25 14:04:50 +02:00
Tony Torralba
89ee2b9ace Merge pull request #12911 from atorralba/atorralba/java/filecopyutils-file-sinks 
Java: Fix FileCopyUtils.copy models
 2023-04-25 12:06:13 +02:00
Alex Denisov
125aab8107 Swift: rework fetching and dispatching 
* visiting now happens in a later stage than fetching labels. While
  fetching a list of entities to be visited is created, and then acted
  upon in actual extraction. This partially flattens the recursive
  nature of `fetchLabel` into a loop inside `SwiftVisitor::extract`.
  Recursion in `fetchLabel` will only happen on labels fetched while
  naming an entity (calling into `SwiftMangler`).
* The choice whether to name a declaration or type has been moved from
  the translators to `SwiftMangler`. Acting on this choice is contained
  in `SwiftDispatcher::createLabel`.
* The choice whether to emit a body of a declaration has been moved from
  `DeclTranslator` to the dispatcher. This choice is also contained in
  `SwiftDispatcher::createLabel`.
* The simple functionality of the `LabelStore` has been moved to the
  `SwiftDispatcher` as well.
 2023-04-25 11:15:27 +02:00
Joe Farebrother
a9d34458de Merge pull request #12658 from joefarebrother/csharp-sensitive-data 
C#: Add local filesystem writes as External Location sinks
 2023-04-25 10:14:48 +01:00
Geoffrey White
0ebb06e185 Merge branch 'main' into flowsources 2023-04-25 10:08:15 +01:00
Geoffrey White
2c28fae7e3 Merge pull request #12836 from geoffw0/precision 
Swift: Downgrade swift/unsafe-js-eval to precision medium.
 2023-04-25 09:58:11 +01:00
Geoffrey White
b0b2d6e05f Swift: Upgrade two queries to @precision high. 2023-04-25 09:42:49 +01:00
AlexDenisov
fcbd211783 Merge pull request #12910 from github/redsun82/swift-hash-lazy-trap-names 
Swift: use hashing for lazy decl trap file names
 2023-04-25 09:54:46 +02:00
Anders Schack-Mulligen
934a455908 Apply suggestions from code review 
Update qldoc.
 2023-04-25 09:35:26 +02:00
Tom Hvitved
65835cdb92 Merge pull request #12907 from hvitved/ruby/destructured-assign-join 
Ruby: Fix bad join in `DestructuredAssignDesugar`
 2023-04-25 08:50:27 +02:00
Alexandre Boulgakov
c88f9bf818 Swift: Use absl::StrJoin to dump arguments for logging. 
This also removes the TODO about using `absl::StrJoin` to dump the environment because we can't easily get a range from a null-terminated `envp`. It also doesn't suffer from the usual awkwardness around inserting a separator *between* elements but not after the last one, so a for loop is clear enough.
 2023-04-24 22:34:14 +01:00
Alexandre Boulgakov
621761b289 Swift: Use absl::bit_width to calculate TRAP label size. 
It's not much cleaner due to arithmetic to convert truncating division to a ceiling, but has two advantages:
 1. It doesn't suffer from rounding issues with large TRAP labels. This is largely theoretical, but does let us handle `undefined` uniformly.
 2. It should be much faster (using LZCNT/BSR instead of floating point arithmetic). This is probably not a performance bottleneck, so *shrug*.
 2023-04-24 22:31:11 +01:00
Ed Minnix
3af72fa28e Remove legacy code from InlineFlowTest 2023-04-24 17:10:32 -04:00
Ed Minnix
59e59125d6 Refactor tests 2023-04-24 17:10:32 -04:00
Alexandre Boulgakov
36d34f199b Bazel: Add Abseil C++ dependency. 2023-04-24 21:59:57 +01:00
Owen Mansel-Chan
b47c8e8c4c Merge pull request #12912 from owen-mc/go/fix-invalid-semver-version 
Go: Fix invalid SemVer version by adding "v" to the front
 2023-04-24 16:47:28 +01:00
Paolo Tranquilli
14706b42fa Swift: strip parameters from lazy function decl trap names 2023-04-24 17:04:41 +02:00
Joe Farebrother
0ebf529dc4 Add comment + use flowTo 2023-04-24 15:49:05 +01:00
Owen Mansel-Chan
1afe845ed3 Add missing "v" to semver version string 
Because it was missing, that function always returned +1,
so we were doing the wrong thing when the Go version
installed was lower than 1.16.
 2023-04-24 14:31:46 +01:00
Tony Torralba
e3d93c3581 Fix FileCopyUtils models 2023-04-24 15:07:19 +02:00
Paolo Tranquilli
e84bdf5bed Swift: use hashing for lazy decl trap file names 
It turns out mangled names can sometimes be too long. While this code
will eventually be replaced by our own mangling, we need to use hashing
to cut down the names.

Module and decl names are preserved in the trap file names for
debuggability.
 2023-04-24 14:36:36 +02:00
Paolo Tranquilli
feb31612f5 Merge pull request #12908 from github/revert-12760-redsun82/swift-logging-compiler 
Revert "Swift: route compiler diagnostics through our log"
 2023-04-24 14:31:18 +02:00
Paolo Tranquilli
95ef7fb3f1 Revert "Swift: route compiler diagnostics through our log" 2023-04-24 13:57:24 +02:00
Tom Hvitved
71cd973b42 Ruby: Fix bad join in DestructuredAssignDesugar 
```
Evaluated relational algebra for predicate Synthesis#d9ff06b1::DestructuredAssignDesugar::LhsWithReceiver::getSynthKind#0#dispred#ff@0c55fb0w on iteration 4 running pipeline order_500000 with tuple counts:
                 0   ~0%    {2} r1 = JOIN Synthesis#d9ff06b1::ConstantWriteAccessKind#ff#prev_delta WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getName#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
                 0   ~0%    {2} r2 = JOIN r1 WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getScopeExpr#0#dispred#ff#prev ON FIRST 1 OUTPUT Lhs.0, Lhs.1

                 0   ~0%    {4} r3 = JOIN Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev_delta WITH Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#prev ON FIRST 1 OUTPUT Lhs.1, false, Rhs.1, Lhs.0
                 0   ~0%    {2} r4 = JOIN r3 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#prev ON FIRST 3 OUTPUT Lhs.3, Rhs.3

                 0   ~0%    {2} r5 = r2 UNION r4

            336618   ~3%    {1} r6 = SCAN Constant#c70e4e0a::ScopeResolutionConstantAccess::getScopeExpr#0#dispred#ff#prev_delta OUTPUT In.0
            336618   ~0%    {2} r7 = JOIN r6 WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getName#0#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.0
                 0   ~0%    {2} r8 = JOIN r7 WITH Synthesis#d9ff06b1::ConstantWriteAccessKind#ff#prev ON FIRST 1 OUTPUT Lhs.1, Rhs.1

                 0   ~0%    {3} r9 = SCAN Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#prev_delta OUTPUT false, In.1, In.0
                 0   ~0%    {3} r10 = JOIN r9 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#reorder_1_2_0_3#prev ON FIRST 2 OUTPUT Lhs.2, Rhs.2, Rhs.3
                 0   ~0%    {2} r11 = JOIN r10 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev ON FIRST 2 OUTPUT Lhs.0, Lhs.2

              2119   ~2%    {3} r12 = JOIN Synthesis#d9ff06b1::MethodCallKind#ffff#reorder_1_2_0_3#prev_delta WITH const_false ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3
        2657005103   ~5%    {3} r13 = JOIN r12 WITH Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#reorder_1_0#prev ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2
           1184200   ~0%    {2} r14 = JOIN r13 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev ON FIRST 2 OUTPUT Lhs.0, Lhs.2

           1184200   ~0%    {2} r15 = r11 UNION r14
           1184200   ~0%    {2} r16 = r8 UNION r15
           1184200   ~0%    {2} r17 = r5 UNION r16
           1184200   ~0%    {2} r18 = r17 AND NOT Synthesis#d9ff06b1::DestructuredAssignDesugar::LhsWithReceiver::getSynthKind#0#dispred#ff#prev(Lhs.0, Lhs.1)
                            return r18
```
 2023-04-24 13:44:18 +02:00
Kasper Svendsen
361b15b2c7 Merge branch 'main' into kaspersv/prevent-python-join-order-regression 2023-04-24 13:35:07 +02:00
Kasper Svendsen
bfe5db20a3 Merge pull request #12891 from kaspersv/kaspersv/prevent-ruby-join-regression2 
Prevent Ruby join order regression
 2023-04-24 13:27:33 +02:00
Edward Minnix III
ba4d326768 Merge pull request #12902 from egregius313/egregius313/java/dataflow/refactor-integration-tests 
Java: Refactor Kotlin Integration tests to new DataFlow API
 2023-04-24 06:51:40 -04:00
Michael Nebel
8ade7247a1 Merge pull request #12885 from michaelnebel/mergepathgraph3 
Dataflow: Introduce param module for merging three path graphs.
 2023-04-24 12:49:28 +02:00
Rasmus Wriedt Larsen
bfbbb5277d Merge pull request #12888 from lcartey/mcafee-trojan-fp 
Update `SimpleXmlRpcServer.ql` to avoid incorrect detection as a trojan by Mcafee
 2023-04-24 11:17:52 +02:00
Erik Krogh Kristensen
b0efff0110 Merge pull request #12904 from github/dependabot/cargo/ql/tracing-subscriber-0.3.17 
Bump tracing-subscriber from 0.3.16 to 0.3.17 in /ql
 2023-04-24 11:05:36 +02:00
Erik Krogh Kristensen
b16444dd22 Merge pull request #12903 from github/dependabot/cargo/ql/regex-1.8.1 
Bump regex from 1.8.0 to 1.8.1 in /ql
 2023-04-24 11:05:13 +02:00
dependabot[bot]
5e274c9664 Bump tracing-subscriber from 0.3.16 to 0.3.17 in /ql 
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.16 to 0.3.17.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.16...tracing-subscriber-0.3.17)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-04-24 04:12:25 +00:00
dependabot[bot]
a5e919b6cb Bump regex from 1.8.0 to 1.8.1 in /ql 
Bumps [regex](https://github.com/rust-lang/regex) from 1.8.0 to 1.8.1.
- [Release notes](https://github.com/rust-lang/regex/releases)
- [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/regex/commits/1.8.1)

---
updated-dependencies:
- dependency-name: regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-04-24 04:12:06 +00:00
Ed Minnix
19e6a9a1d3 Fix version of PathGraph used 2023-04-21 19:08:56 -04:00