hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-31 12:48:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,684 Commits 1,723 Branches 164 Tags
b595a70384d4e118dd5fdb94afbb73e27474fb40
Commit Graph

4882 Commits

Author SHA1 Message Date
Kaixuan Li
b595a70384 Update java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-03-29 11:45:27 +08:00
Kaixuan Li
938039d82c Merge branch 'main' into fix/tainted-arithmetic-bounds-check-barrier 2026-03-29 10:25:39 +08:00
Owen Mansel-Chan
2b8558706f Add sentence to change note. 2026-03-28 16:39:16 +00:00
Owen Mansel-Chan
ea9b99f67c Rephrase change note 2026-03-28 16:36:39 +00:00
MarkLee131
0c5e89a68e Exclude bounds-check arithmetic from tainted-arithmetic sinks 
The java/tainted-arithmetic query now recognizes when an arithmetic
expression appears directly as an operand of a comparison (e.g.,
`if (off + len > array.length)`). Such expressions are bounds checks,
not vulnerable computations, and are excluded via the existing
overflowIrrelevant predicate.

Add test cases for bounds-checking patterns that should not be flagged.
 2026-03-28 17:39:40 +08:00
MarkLee131
da4a2238bc Address PR review: add Signature.getInstance sink, HMAC/PBKDF2 whitelist, fix test APIs 
- Model Signature.getInstance() as CryptoAlgoSpec sink (previously only
  Signature constructor was modeled)
- Add HMAC-based algorithms (HMACSHA1/256/384/512, HmacSHA1/256/384/512)
  and PBKDF2 to the secure algorithm whitelist
- Fix XDH/X25519/X448 tests to use KeyAgreement.getInstance() instead of
  KeyPairGenerator.getInstance() to match their key agreement semantics
- Add test cases for SHA384withECDSA, HMACSHA*, and PBKDF2WithHmacSHA1
  from user-reported false positives
- Update change note to document all additions
 2026-03-28 16:53:46 +08:00
MarkLee131
a9449cc991 Add EC to secure algorithm whitelist for Java CWE-327 query 2026-03-28 16:48:58 +08:00
github-actions[bot]
e3dbf5b022 Post-release preparation for codeql-cli-2.25.0 2026-03-16 16:03:22 +00:00
github-actions[bot]
d6055754b6 Release preparation for version 2.25.0 2026-03-16 12:15:34 +00:00
Anders Schack-Mulligen
6a6bb5ebf9 Merge pull request #21441 from aschackmull/cfg/switch-sharing 
Cfg: Share more code for switch statements.
 2026-03-10 13:50:21 +01:00
Anders Schack-Mulligen
77d4f5a2dc Cfg: Update fallsThrough default. 2026-03-10 11:10:24 +01:00
Anders Schack-Mulligen
edf88b34da Cfg: Move Case.getBodyElement to shared code. 2026-03-10 11:02:58 +01:00
Anders Schack-Mulligen
35ac66d3aa Cfg: Move getCaseControlFlowOrder to shared code. 2026-03-10 10:39:32 +01:00
Owen Mansel-Chan
d8007a85e6 Java: Make corresponding predicate private 2026-03-09 13:44:50 +00:00
Óscar San José
3b9eba2afc Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21 2026-03-06 16:20:36 +01:00
Owen Mansel-Chan
e96ba4806b Merge pull request #21415 from owen-mc/java/validate-constructor-summary-models 
Java: validate constructor summary models
 2026-03-06 09:09:18 +00:00
Anders Schack-Mulligen
8ef4be49aa Merge pull request #21412 from aschackmull/java/binary-assignment 
Java: Make Assignment extend BinaryExpr.
 2026-03-05 13:19:45 +01:00
Owen Mansel-Chan
579c871b69 Fix incorrect constructor summary models 2026-03-05 12:03:21 +00:00
Owen Mansel-Chan
63c71b418c Add model validation for constructor summary models 2026-03-05 12:02:37 +00:00
Owen Mansel-Chan
c82f75604a Add change notes 2026-03-05 10:34:30 +00:00
Anders Schack-Mulligen
ea77c0d86c Java: Add change note. 2026-03-05 11:32:00 +01:00
Anders Schack-Mulligen
ec1d034ee0 Java: Make Assignment extend BinaryExpr. 2026-03-05 11:31:59 +01:00
Anders Schack-Mulligen
3c129fcd23 Java: Align BinaryExpr.getOp() with AssignOp.getOp(). 2026-03-04 13:46:04 +01:00
Anders Schack-Mulligen
fe032a5834 Java: Update dbscheme to make @assignment a @binaryexpr. 2026-03-03 15:15:35 +01:00
github-actions[bot]
e152f08468 Post-release preparation for codeql-cli-2.24.3 2026-03-02 22:51:27 +00:00
github-actions[bot]
7795badd18 Release preparation for version 2.24.3 2026-03-02 13:23:40 +00:00
Anders Schack-Mulligen
ab94524328 Cfg: Address review comments. 2026-02-27 16:35:25 +01:00
Anders Schack-Mulligen
bdbbd45909 Java: Handle missing throws clauses. 2026-02-23 15:10:02 +01:00
Anders Schack-Mulligen
0d0711f2a7 Java: Add change note. 2026-02-23 15:10:02 +01:00
Anders Schack-Mulligen
eb37c413f2 Java: Accept revised CFG. 2026-02-23 15:10:00 +01:00
Anders Schack-Mulligen
b798bc2c8f Java: Fix enhancedForEarlyExit implementation. 2026-02-23 15:09:58 +01:00
Anders Schack-Mulligen
fc8b7c04cf Java: Exclude ExprStmt consistent with SwitchCase.getRuleExpression(). 2026-02-23 15:09:55 +01:00
Anders Schack-Mulligen
ccd28ff66a Java: Fix instanceof-disjunction. 2026-02-23 15:09:55 +01:00
Anders Schack-Mulligen
12b9999289 Java: Adjust BasicBlock-based qltests. 2026-02-23 15:09:52 +01:00
Anders Schack-Mulligen
7871cd74f6 Java: Fix switchcase guards. 2026-02-23 15:09:52 +01:00
Anders Schack-Mulligen
1e9dcea88b Java: Fix RangeAnalysis/ModulusAnalysis. 2026-02-23 15:09:51 +01:00
Anders Schack-Mulligen
6fbdb2c52b Java: Fix Cyclomatic complexity calculation. 2026-02-23 15:09:51 +01:00
Anders Schack-Mulligen
48e3724299 Java/Cfg: Introduce new shared CFG library and replace the Java CFG. 2026-02-23 15:09:50 +01:00
Anders Schack-Mulligen
4a97a449fc Java: Replace ControlFlowNode.asCall with Call.getControlFlowNode. 2026-02-23 15:09:49 +01:00
Anders Schack-Mulligen
2e987343dd Java: Preparatory tweaks. 2026-02-23 15:09:48 +01:00
Owen Mansel-Chan
94e3d86f6a Merge pull request #21319 from owen-mc/java/javax-jakarta 
Java: Always use both "javax" and "jakarta" at the beginning of Jave EE packages
 2026-02-17 08:31:52 +00:00
github-actions[bot]
b5898c5a30 Post-release preparation for codeql-cli-2.24.2 2026-02-16 17:07:45 +00:00
github-actions[bot]
ef04f927fb Release preparation for version 2.24.2 2026-02-16 13:29:25 +00:00
Owen Mansel-Chan
597be6a1c0 Add change note 2026-02-16 12:01:15 +00:00
Owen Mansel-Chan
94f1d94a2b Rename MethodCall ma to mc 2026-02-16 12:01:14 +00:00
Owen Mansel-Chan
9fc95f5171 Expand log injection sanitizers to annotation regex matches 2026-02-16 12:01:13 +00:00
Owen Mansel-Chan
924bb92d91 Expand log injection sanitizer guards to non-annotation regex matches 2026-02-16 12:01:11 +00:00
Owen Mansel-Chan
60e58f8219 Refactor logInjectionGuard part 2 2026-02-16 12:01:10 +00:00
Owen Mansel-Chan
6c0c1d558e Refactor logInjectionGuard part 1 2026-02-16 12:01:08 +00:00
Owen Mansel-Chan
91c731f68d Fix new usage that was introduced 2026-02-16 11:03:27 +00:00