hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-31 20:58:16 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,684 Commits 1,723 Branches 164 Tags
b595a70384d4e118dd5fdb94afbb73e27474fb40
Commit Graph

4437 Commits

Author SHA1 Message Date
Kaixuan Li
938039d82c Merge branch 'main' into fix/tainted-arithmetic-bounds-check-barrier 2026-03-29 10:25:39 +08:00
Kaixuan Li
f5cfc5e282 Update java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-03-29 10:25:10 +08:00
MarkLee131
0c5e89a68e Exclude bounds-check arithmetic from tainted-arithmetic sinks 
The java/tainted-arithmetic query now recognizes when an arithmetic
expression appears directly as an operand of a comparison (e.g.,
`if (off + len > array.length)`). Such expressions are bounds checks,
not vulnerable computations, and are excluded via the existing
overflowIrrelevant predicate.

Add test cases for bounds-checking patterns that should not be flagged.
 2026-03-28 17:39:40 +08:00
MarkLee131
da4a2238bc Address PR review: add Signature.getInstance sink, HMAC/PBKDF2 whitelist, fix test APIs 
- Model Signature.getInstance() as CryptoAlgoSpec sink (previously only
  Signature constructor was modeled)
- Add HMAC-based algorithms (HMACSHA1/256/384/512, HmacSHA1/256/384/512)
  and PBKDF2 to the secure algorithm whitelist
- Fix XDH/X25519/X448 tests to use KeyAgreement.getInstance() instead of
  KeyPairGenerator.getInstance() to match their key agreement semantics
- Add test cases for SHA384withECDSA, HMACSHA*, and PBKDF2WithHmacSHA1
  from user-reported false positives
- Update change note to document all additions
 2026-03-28 16:53:46 +08:00
MarkLee131
a9449cc991 Add EC to secure algorithm whitelist for Java CWE-327 query 2026-03-28 16:48:58 +08:00
Owen Mansel-Chan
e96ba4806b Merge pull request #21415 from owen-mc/java/validate-constructor-summary-models 
Java: validate constructor summary models
 2026-03-06 09:09:18 +00:00
Owen Mansel-Chan
92a719092a Update models in test output 2026-03-05 13:32:52 +00:00
Anders Schack-Mulligen
8ef4be49aa Merge pull request #21412 from aschackmull/java/binary-assignment 
Java: Make Assignment extend BinaryExpr.
 2026-03-05 13:19:45 +01:00
Owen Mansel-Chan
579c871b69 Fix incorrect constructor summary models 2026-03-05 12:03:21 +00:00
Owen Mansel-Chan
63c71b418c Add model validation for constructor summary models 2026-03-05 12:02:37 +00:00
Anders Schack-Mulligen
ec1d034ee0 Java: Make Assignment extend BinaryExpr. 2026-03-05 11:31:59 +01:00
Owen Mansel-Chan
2b3111441d Add space before $ in xml test file 2026-03-04 15:03:24 +00:00
Owen Mansel-Chan
aa28c94562 Remove double space after $ in inline expectations tests 2026-03-04 14:12:42 +00:00
Owen Mansel-Chan
f41c30e335 java: Inline expectation should have space before $ 2026-03-04 13:11:33 +00:00
Anders Schack-Mulligen
3c129fcd23 Java: Align BinaryExpr.getOp() with AssignOp.getOp(). 2026-03-04 13:46:04 +01:00
Owen Mansel-Chan
05a77a2005 Java: Update test expectations 2026-03-04 12:44:56 +00:00
Owen Mansel-Chan
ef345a3279 Java: Inline expectation should have space after $ 
This was a regex-find-replace from `// \$(?! )` (using a negative lookahead) to `// $ `.
 2026-03-04 12:44:54 +00:00
Anders Schack-Mulligen
daefd5988e Java: Accept CFG diff. 2026-03-03 14:18:10 +01:00
Anders Schack-Mulligen
2b8e719034 Java: Add nullness test covering known FP. 2026-02-23 15:10:03 +01:00
Anders Schack-Mulligen
d4873dd35e Java: Adjust switch case guards test. 2026-02-23 15:10:01 +01:00
Anders Schack-Mulligen
352b3711f6 Java: Remove obsolete tests - false successors are no longer special. 2026-02-23 15:10:00 +01:00
Anders Schack-Mulligen
eb37c413f2 Java: Accept revised CFG. 2026-02-23 15:10:00 +01:00
Anders Schack-Mulligen
d84e0e262d Java: Accept removal of spurious reason (the alert stays). 2026-02-23 15:09:59 +01:00
Anders Schack-Mulligen
8b0dd7b866 Java: Accept new TP in NullMaybe. 2026-02-23 15:09:58 +01:00
Anders Schack-Mulligen
a72cf56a05 Java: Accept dispatch precision improvement. 2026-02-23 15:09:57 +01:00
Anders Schack-Mulligen
4d9c0e0c26 Java: Accept new locations for SSA definitions. 2026-02-23 15:09:57 +01:00
Anders Schack-Mulligen
a6ee1df567 Java: Remove test. Flexible constructors need AST-based tests, which are already in place, not CFG tests. 2026-02-23 15:09:56 +01:00
Anders Schack-Mulligen
581679d27d Java: Fix reference to entry node. 2026-02-23 15:09:56 +01:00
Anders Schack-Mulligen
a844d60174 Java: Accept new CFG nodes. 2026-02-23 15:09:54 +01:00
Anders Schack-Mulligen
6ac8c4f544 Java: Accept test changes due to pruned CFG, after-nodes, and reduced exception precision. 2026-02-23 15:09:54 +01:00
Anders Schack-Mulligen
e0eb653dcc Java: Accept guards test changes for revised switch CFG. 2026-02-23 15:09:53 +01:00
Anders Schack-Mulligen
fb2799bd47 Java: Adjust idominance tests. 2026-02-23 15:09:53 +01:00
Anders Schack-Mulligen
12b9999289 Java: Adjust BasicBlock-based qltests. 2026-02-23 15:09:52 +01:00
Anders Schack-Mulligen
48e3724299 Java/Cfg: Introduce new shared CFG library and replace the Java CFG. 2026-02-23 15:09:50 +01:00
Anders Schack-Mulligen
0c9931ff8a Java: Replace idominance tests. 2026-02-23 15:09:50 +01:00
Owen Mansel-Chan
cf73d96c9d Update test results (remove SPURIOUS annotations) 2026-02-16 12:03:02 +00:00
Owen Mansel-Chan
9fc95f5171 Expand log injection sanitizers to annotation regex matches 2026-02-16 12:01:13 +00:00
Owen Mansel-Chan
146fc7a8c0 Add failing log injection test for @Pattern validation 2026-02-16 12:01:07 +00:00
Owen Mansel-Chan
47a9f87d9b Merge pull request #21310 from owen-mc/java/regex-execution 
Java: Add RegexMatch concept and recognise `@Pattern` annotation as sanitizer
 2026-02-16 09:11:47 +00:00
Owen Mansel-Chan
8f8f4c2d52 Fix Matcher.matches edge case 2026-02-14 00:28:37 +00:00
Owen Mansel-Chan
90befa0c00 Add failing test for Matcher.matches() edge case 2026-02-14 00:28:34 +00:00
Owen Mansel-Chan
bfe26c1989 Add @Pattern as RegexExecution => SSRF sanitizer 2026-02-12 16:57:11 +00:00
Owen Mansel-Chan
d0999e3abd Add failing test for @Pattern validation 2026-02-12 16:57:04 +00:00
Anders Schack-Mulligen
5c53677051 Java: Deprecate UnreachableBlocks. 2026-02-12 11:06:34 +01:00
Anders Schack-Mulligen
6f40ac15b4 Java: Rename ReturnStmt.getResult to getExpr. 2026-02-04 14:43:31 +01:00
Anders Schack-Mulligen
5e6e64b2b7 Java: Rename UnaryExpr.getExpr to getOperand. 2026-02-04 10:50:49 +01:00
Owen Mansel-Chan
516b84b59a Add test for *Pool exclusion 2026-01-27 15:38:29 +00:00
Tom Hvitved
7024b07dd2 Java: Adapt to changes in FlowSummaryImpl 
Missing manual models were added using the following code added to `FlowSummaryImpl.qll`:

```ql
    private predicate testsummaryElement(
      Input::SummarizedCallableBase c, string namespace, string type, boolean subtypes, string name,
      string signature, string ext, string originalInput, string originalOutput, string kind,
      string provenance, string model, boolean isExact
    ) {
      exists(string input, string output, Callable baseCallable |
        summaryModel(namespace, type, subtypes, name, signature, ext, originalInput, originalOutput,
          kind, provenance, model) and
        baseCallable = interpretElement(namespace, type, subtypes, name, signature, ext, isExact) and
        (
          c.asCallable() = baseCallable and input = originalInput and output = originalOutput
          or
          correspondingKotlinParameterDefaultsArgSpec(baseCallable, c.asCallable(), originalInput,
            input) and
          correspondingKotlinParameterDefaultsArgSpec(baseCallable, c.asCallable(), originalOutput,
            output)
        )
      )
    }

    private predicate testsummaryElement2(
      string namespace, string type, boolean subtypes, string name, string signature, string ext,
      string originalInput, string originalOutput, string kind, string provenance, string model,
      string namespace2, string type2
    ) {
      exists(Input::SummarizedCallableBase c |
        testsummaryElement(c, namespace2, type2, _, _, _, ext, originalInput, originalOutput, kind,
          provenance, model, false) and
        testsummaryElement(c, namespace, type, subtypes, name, _, _, _, _, _, provenance, _, true) and
        signature = paramsString(c.asCallable()) and
        not testsummaryElement(c, _, _, _, _, _, _, originalInput, originalOutput, kind, provenance,
          _, true)
      )
    }

    private string getAMissingManualModel(string namespace2, string type2) {
      exists(
        string namespace, string type, boolean subtypes, string name, string signature, string ext,
        string originalInput, string originalOutput, string kind, string provenance, string model
      |
        testsummaryElement2(namespace, type, subtypes, name, signature, ext, originalInput,
          originalOutput, kind, provenance, model, namespace2, type2) and
        result =
          "- [\"" + namespace + "\", \"" + type + "\", True, \"" + name + "\", \"" + signature +
            "\", \"\", \"" + originalInput + "\", \"" + originalOutput + "\", \"" + kind + "\", \"" +
            provenance + "\"]"
      )
    }
```
 2026-01-26 12:40:15 +01:00
Owen Mansel-Chan
a5d9cb179a Merge pull request #20930 from owen-mc/java/spring-rest-template-request-forgery-sinks 
Java: add more Spring RestTemplate request forgery sinks
 2026-01-15 14:23:15 +00:00
Mauro Baluda
5cef0376a9 Update java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-01-14 11:50:52 +01:00