hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-14 19:44:03 +02:00
Code Issues Packages Projects Releases Wiki Activity
31,634 Commits 1,736 Branches 164 Tags
aee9eb5203c87359bcd72fa17c6674201cfab452
Commit Graph

31634 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andrew Eisenberg
aee9eb5203 Apply docs fixes 
Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
 2022-01-21 11:35:15 -08:00
Andrew Eisenberg
534f8999b6 Update docs/codeql/codeql-cli/getting-started-with-the-codeql-cli.rst 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-01-20 07:09:34 -08:00
Andrew Eisenberg
95355b5854 Docs: Add back removed section on getting started 
Adds a second getting started, specifically for checking out the
codeql repo as a way to get the core queries.

This ensures that people wanting to work in the traditional way still
have the old docs available.
 2022-01-19 13:36:57 -08:00
Andrew Eisenberg
01b5881de6 Docs: Remove reference to checking out main branch 
We are no longer including information about how to check out
github/codeql, so this paragraph doesn't fit any more.
 2022-01-18 15:48:33 -08:00
Andrew Eisenberg
0cd6556964 Docs: Update analyzing databases docs 
Add more information about running packs. Include the `--download` flag.
 2022-01-18 15:03:08 -08:00
Andrew Eisenberg
7fcf567eda Docs: Simplify getting started docs 
It is no longer necessary to check out a version of `github/codeql` as
a sibling directory to the distribution. Instead, users can download
the required packs as needed. using the `pack download` command or
the `--download` option for `codeql database analyze`.
 2022-01-18 15:03:08 -08:00
Chris Smowton
84097468cc Merge pull request #7286 from luchua-bc/java/unsafe-url-forward-dispatch 
Java: CWE-552 Query to detect unsafe request dispatcher usage
 2022-01-18 18:19:20 +00:00
Henry Mercer
63672ca394 Merge pull request #7616 from github/henrymercer/js-atm-add-query-help 
JS: Add query help for ML-powered queries
 2022-01-18 18:11:53 +00:00
Chris Smowton
1e32514600 Avoid using this for a non-extending supertype, and remove needless casts 2022-01-18 17:20:40 +00:00
Chris Smowton
d744cf9053 Clean up guard logic: 
* Always sanitize after the second guard, not the first
* Only check basic-block dominance in one place
* One BarrierGuard extension per final guard
 2022-01-18 17:10:06 +00:00
Chris Smowton
748008ad51 Remove dangling reference to UnsafeRequestPath.java 2022-01-18 17:08:38 +00:00
luchua-bc
a3d65a8ed0 Update recommendation in qldoc and make examples more comprehendible 2022-01-18 17:01:26 +00:00
Robert Marsh
024bd27485 Merge pull request #7578 from MathiasVP/store-dest-should-not-be-use 
C++: Store destinations should not be uses for dataflow SSA
 2022-01-18 11:36:15 -05:00
CodeQL CI
1912c56f82 Merge pull request #7631 from RasmusWL/sqlalchemy-scoped-session 
Approved by tausbn
 2022-01-18 14:31:49 +00:00
Rasmus Wriedt Larsen
95e935e9c1 Python: Support SQLAlchemy scoped_session 2022-01-18 14:34:31 +01:00
Henry Mercer
be0c26f83d Merge pull request #7617 from github/henrymercer/js-atm-update-alert-messages 
JS: Update alert messages for ML-powered queries
 2022-01-18 11:37:02 +00:00
Mathias Vorreiter Pedersen
cb0cc8d859 Merge pull request #7625 from geoffw0/nullterm4 
C++: Fix some code duplication.
 2022-01-18 11:18:06 +00:00
Tony Torralba
b16b0270d2 Merge pull request #6779 from atorralba/atorralba/android-implicit-pending-intents 
Java: CWE-927 - Query to detect the use of implicit PendingIntents
 2022-01-18 12:14:47 +01:00
Chris Smowton
9819752bdd Merge pull request #7526 from smowton/smowton/fix/restore-nodes-edges-consistency 
Don't include arg -> param edges in PathGraph::edges where arg is not reachable
 2022-01-18 11:05:47 +00:00
Benjamin Muskalla
7e215a5193 Merge pull request #7599 from bmuskalla/modelWriter 
Java: Model Appenable and Writer
 2022-01-18 11:55:27 +01:00
Henry Mercer
1893b9f7a9 Merge pull request #7376 from github/henrymercer/js-atm-absent-features-optimization 
JS: Update featurization for absent features optimization
 2022-01-18 10:15:53 +00:00
Tony Torralba
f103d45340 Merge branch 'main' into atorralba/android-implicit-pending-intents 2022-01-18 10:50:49 +01:00
Mathias Vorreiter Pedersen
e1598aba5e C++: Fix spelling. 2022-01-18 09:44:36 +00:00
Tony Torralba
3ff7710a18 Improve ExplicitIntent's QLDoc 2022-01-18 10:43:52 +01:00
Tony Torralba
fe2755c4a0 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-01-18 10:41:19 +01:00
Benjamin Muskalla
365a8d9bbd Fix flow for fluent appendable api 2022-01-18 10:41:00 +01:00
Benjamin Muskalla
8e6a15640f Model basic channel APIs 2022-01-18 10:40:39 +01:00
Anders Schack-Mulligen
fff3b5c5b4 Dataflow: Add qldoc. 2022-01-18 10:39:55 +01:00
Anders Schack-Mulligen
9479301485 Ruby: Accept qltest expected changes. 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
5cfa3c7927 C++: Accept qltest expected changes. 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
7b98ca9b0a C#: Adjust qltest expected output. 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
aa9912a699 Java: Fix expected output 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
71e39353ca Dataflow: Sync. 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
b22c4e3c56 Dataflow: Bugfix: include subpaths ending at a sink. 2022-01-18 10:34:14 +01:00
Chris Smowton
f7d3892320 Update test expectations 2022-01-18 10:30:09 +01:00
Anders Schack-Mulligen
dfa79f6119 Dataflow: Sync. 2022-01-18 10:30:09 +01:00
Anders Schack-Mulligen
46736a137c Dataflow: Don't include subpaths that can't reach a sink. 2022-01-18 10:30:09 +01:00
Chris Smowton
2c37885f6e Sync dataflow 2022-01-18 10:30:09 +01:00
Chris Smowton
7c9b44b4cb Don't include arg -> param edges in PathGraph::edges whose arg is not reachable 
This avoids lots of missing-node warnings from `codeql bqrs interpret` as it discards the nodes that occur in the `edges` relation but not `nodes`. The problem arises because subpaths introduced two variants of `reach`, one of which is more restrictive than simply `reach(succ) and succ = pred.getASuccessor()`, so it no longer suffices to just check that the successor is reachable.
 2022-01-18 10:30:09 +01:00
Anders Schack-Mulligen
c41ec1f8ec Merge pull request #7619 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2022-01-18 09:17:40 +01:00
github-actions[bot]
b8959f7bdb Add changed framework coverage reports 2022-01-18 00:10:52 +00:00
Erik Krogh Kristensen
d63f4bfd94 Merge pull request #7615 from erik-krogh/super-charpred 
QL: support this.method() calls in the charpred that references non-extending supertypes
 2022-01-17 18:32:10 +01:00
Henry Mercer
ffa4135cbe JS: Update alert messages for ML-powered queries 2022-01-17 17:19:49 +00:00
Erik Krogh Kristensen
a4cfb80b81 QL: update comment 2022-01-17 17:19:15 +00:00
Erik Krogh Kristensen
85c273a413 QL: support this.method() calls in the charpred that references non-extending supertypes 2022-01-17 17:42:35 +01:00
Henry Mercer
e9128466d4 JS: Add query help for ML-powered queries 
Query help is identical to the original query, except for a new
paragraph prepended to the overview explaining that the queries are
experimental.

We add Markdown query help since only Markdown query help is embedded in
SARIF via `--sarif-add-query-help`.
 2022-01-17 16:34:50 +00:00
Henry Mercer
568d37e9b9 JS: Update definition of ATM query suite 
It's simpler to just run all the queries in the pack instead of
specifying the IDs.
 2022-01-17 16:34:50 +00:00
Geoffrey White
d475101286 C++: Fix some code duplication. 2022-01-17 16:26:22 +00:00
Owen Mansel-Chan
065043b311 Merge pull request #7588 from owen-mc/add-specific-needs-reference-predicates 
Dataflow: Add language-specific NeedsReference predicates
 2022-01-17 15:51:34 +00:00
Tony Torralba
e967b8a9be Merge pull request #6576 from atorralba/atorralba/android-cleartext-storage-filesystem 
Java: Create new query Cleartext storage of sensitive information in Android filesystem
 2022-01-17 14:02:38 +01:00