hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-04 01:01:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
32,002 Commits 1,689 Branches 159 Tags
b93c04bb79220f4a3ce3a642e80abb18375dc91c
Commit Graph

32002 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Lerchedahl Petersen
b93c04bb79 python: Add reverse flow in some patterns 
Particularly in value and literal patterns.
This is getting a little bit into the guards aspect of matching.
We could similarly add reverse flow in terms of
sub-patterns storing to a sequence pattern,
a flow step from alternatives to an-or-pattern, etc..
It does not seem too likely that sources are embedded in patterns
to begin with, but for secrets perhaps?

It is illustrated by the literal test. The value test still fails.
I believe we miss flow in general from the static attribute.
 2022-01-27 15:20:23 +01:00
Rasmus Lerchedahl Petersen
cb52ab669e python: address review comments 
The comment about `py_scopes` was simply removed
 2022-01-27 11:17:00 +01:00
yoff
e28669e487 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2022-01-27 10:31:43 +01:00
Rasmus Lerchedahl Petersen
47af3a69a5 Merge branch 'main' of github.com:github/codeql into python/support-match 2022-01-26 11:39:46 +01:00
Tom Hvitved
477f83cf9e Merge pull request #7746 from hvitved/csharp/remove-legacy-relations 
C#: Remove some unused legacy relations from the DB scheme
 2022-01-26 10:40:55 +01:00
Arthur Baars
948ebe4b4c Merge pull request #7568 from aibaars/ruby-pattern-matching-taint 
Ruby: taint steps for pattern matches
 2022-01-26 10:27:47 +01:00
Stephan Brandauer
b7690e5e6b Merge pull request #7734 from kaeluka/js-add-node-prefix-to-module-import 
js: add support for the 'node:' prefix for importing internal modules
 2022-01-26 10:15:08 +01:00
Tom Hvitved
28e03a8aae Merge pull request #7738 from hvitved/ruby/action-controller-perf 
Ruby: Fix bad join in `ActionControllerHelperMethod`
 2022-01-26 09:48:21 +01:00
Tom Hvitved
2c27a07ead Merge pull request #7726 from hvitved/ruby/any-array-element-content 
Ruby: Introduce `TAnyArrayElementContent`
 2022-01-26 09:48:01 +01:00
Tom Hvitved
51205d6ce5 C#: Add DB downgrade script 2022-01-26 08:44:37 +01:00
Tom Hvitved
83fb822115 C#: Add DB upgrade script 2022-01-26 08:43:24 +01:00
Tom Hvitved
4c16320e28 C#: Remove some unused legacy relations from the DB scheme 2022-01-26 08:35:08 +01:00
Arthur Baars
941f230c94 Merge pull request #7729 from github/hmac/bump-clap 
Ruby extractor: bump clap
 2022-01-26 08:12:47 +01:00
Henry Mercer
15aa09fb7a Merge pull request #7744 from github/henrymercer/js-atm-tweak-query-help 
JS: Move experimental notice to the bottom of the ML-powered query help
 2022-01-25 17:44:27 +00:00
Edoardo Pirovano
662675ebf0 Merge pull request #7739 from github/edoardo/3.4-mergeback 
Merge `rc/3.4` into `main`
 2022-01-25 17:44:13 +00:00
Shati Patel
1c711e05be Merge pull request #7661 from shati-patel/vscode-pack-commands 
Docs: Mention packaging commands in CodeQL extension
 2022-01-25 16:55:37 +00:00
Andrew Eisenberg
e722121be8 Merge pull request #7618 from github/aeisenberg/getting-started-docs 
Docs: Simplify getting started docs
 2022-01-25 08:30:06 -08:00
Edoardo Pirovano
1b539eb4dc Merge branch rc/3.4 into main 2022-01-25 16:22:01 +00:00
Mathias Vorreiter Pedersen
5d0f7efe84 Merge pull request #7743 from jketema/doc-fixes 
CodeQL documentation fixes
 2022-01-25 16:11:08 +00:00
Henry Mercer
70f7535988 JS: Move experimental notice to the bottom of the ML-powered query help 
The Code Scanning UI shows just the first paragraph of the query help
as a summary, until a user chooses to expand the help.
We decided it was more useful to display the standard query help in this
summary compared to the experimental query notice, since there is
already a notice about experimental queries on the alert show page.
 2022-01-25 15:52:09 +00:00
Tom Hvitved
afd6f58fe8 Merge pull request #7741 from hvitved/csharp/compilation-args-exclude-extractor-args 
C#: Exclude extractor arguments from `compilation_args` relation
 2022-01-25 16:31:46 +01:00
Geoffrey White
63ff17b3c1 Merge pull request #7737 from geoffw0/clrtxt5 
C++: Upgrade cpp/cleartext-storage-file
 2022-01-25 15:09:13 +00:00
Jeroen Ketema
082c712843 Replace Block by BlockStmt in basic C/C++ query documentation 
`Block` has be deprecated in favor of `BlockStmt`.
 2022-01-25 15:21:34 +01:00
Jeroen Ketema
1cfd222770 Remove redundant can 2022-01-25 15:21:06 +01:00
Tom Hvitved
d7a91fdbe6 C#: Exclude extractor arguments from compilation_args relation 2022-01-25 15:09:29 +01:00
Stephan Brandauer
4ee290acd3 update test for 'node:' prefix 2022-01-25 14:25:44 +01:00
Stephan Brandauer
20ea825e4a test for 'node:' prefix for importing node modules 2022-01-25 13:43:16 +01:00
shati-patel
1462565810 Clarify "download packs" usage 2022-01-25 12:37:17 +00:00
Erik Krogh Kristensen
cc527bdecd Merge pull request #7721 from erik-krogh/CWE-1275 
JS: add a js/samesite-none-cookie cookie
 2022-01-25 13:28:08 +01:00
Shati Patel
9e1e2ba442 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-01-25 12:27:00 +00:00
Tom Hvitved
49488fa0a0 Ruby: Fix bad join in ActionControllerHelperMethod 
```
[2022-01-25 12:35:14] (234s) Tuple counts for ActionController::ActionControllerHelperMethod#class#ff/2@ef816fil after 1.5s:
                      7685     ~0%     {3} r1 = JOIN ActionController::ActionControllerContextCall#ff#shared WITH Method::Method::getName_dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'controllerClass', Lhs.0 'this'
                      13198    ~0%     {3} r2 = JOIN r1 WITH Constant::ConstantValue::getStringOrSymbol_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'controllerClass', Lhs.2 'this', Rhs.1
                      15835365 ~4%     {5} r3 = JOIN r2 WITH AST::AstNode::getEnclosingModule_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, "helper_method", Lhs.0 'controllerClass', Lhs.1 'this', Lhs.2
                      12943    ~1%     {4} r4 = JOIN r3 WITH Call::MethodCall::getMethodName_dispred#ff ON FIRST 2 OUTPUT Lhs.4, Lhs.2 'controllerClass', Lhs.3 'this', Lhs.0
                      1146184  ~0%     {4} r5 = JOIN r4 WITH Expr::Expr::getConstantValue_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.3, Rhs.1, Lhs.1 'controllerClass', Lhs.2 'this'
                      212      ~0%     {2} r6 = JOIN r5 WITH project#Call::Call::getArgument_dispred#fff ON FIRST 2 OUTPUT Lhs.3 'this', Lhs.2 'controllerClass'
                                       return r6
```

Joining on enclosing module and name simultaneously yields a much better join.
 2022-01-25 13:00:13 +01:00
Erik Krogh Kristensen
caaee5e4e5 make a utility predicate for extracting sameSite values 2022-01-25 12:32:04 +01:00
Erik Krogh Kristensen
9f9dee5d18 apply documentation suggestions 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-01-25 12:14:16 +01:00
Tom Hvitved
67962cb93d Ruby: Fix bad join in access predicate 
Joining on variable name alone is a bad thing:

```
[2022-01-25 11:13:20] (228s) Tuple counts for Variable::Cached::access#ff#shared/3@868b54tu after 3m37s:
                      112554    ~0%     {3} r1 = JOIN Variable::VariableReal::getNameImpl_dispred#ff WITH Variable::VariableReal::getDeclaringScopeImpl_dispred#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.0 'arg2', Rhs.1 'arg1'
                      561015756 ~1%     {3} r2 = JOIN r1 WITH Variable::variableName#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'arg0', Lhs.2 'arg1', Lhs.1 'arg2'
                                        return r2
```

This change ensures that we join on name and scope simultaneously.
 2022-01-25 11:37:38 +01:00
Michael Nebel
26d9848fca Merge pull request #7730 from michaelnebel/csharp/csharp10-release-notes 
C#: Add change notes for the already implemented C# 10 features.
 2022-01-25 11:31:02 +01:00
Geoffrey White
d70b813949 Merge pull request #7732 from MathiasVP/security-severity-for-return-stack-allocated-memory 
C++: Add security-severity to `cpp/return-stack-allocated-memory`
 2022-01-25 10:13:49 +00:00
Stephan Brandauer
9825136e58 add support for the 'node:' prefix for importing internal modules 2022-01-25 10:55:34 +01:00
Tom Hvitved
0299b4603f Merge pull request #7677 from hvitved/ruby/constant-value 
Ruby: Replace `getValueText` with `getConstantValue`
 2022-01-25 10:31:02 +01:00
Harry Maclean
962d0213b5 Ruby extractor: stop using deprecated function 2022-01-25 22:04:24 +13:00
Tony Torralba
82ad79f55f Merge pull request #7728 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2022-01-25 09:53:12 +01:00
Mathias Vorreiter Pedersen
72241886bf C++: Add security-severity to 'cpp/return-stack-allocated-memory'. 2022-01-25 08:49:00 +00:00
Michael Nebel
f6a8d50593 C#: Add change notes for the already implemented C# 10 features. 2022-01-25 09:46:57 +01:00
Stephan Brandauer
35cc5ff0e2 Merge pull request #7715 from kaeluka/recognize-fs-extra-path-args 
JS: add a predicate to recognize path arguments in calls to the fs-extra lib
 2022-01-25 09:36:59 +01:00
Tom Hvitved
06776d19ee Merge pull request #4949 from luchua-bc/cs/hash-without-salt 
C#: Query to detect hash without salt
 2022-01-25 09:04:23 +01:00
Tom Hvitved
fdd787b89c Merge pull request #7658 from hvitved/csharp/dataflow/no-negative-positions 
C#: Get rid of negative parameter/argument data-flow positions
 2022-01-25 09:01:44 +01:00
dependabot[bot]
6543b1a3a9 Update clap requirement from 2.33 to 3.0 
Updates the requirements on [clap](https://github.com/clap-rs/clap) to permit the latest version.

Apply this update in both the generator and extractor.
 2022-01-25 16:53:39 +13:00
github-actions[bot]
1c2f4e79ff Add changed framework coverage reports 2022-01-25 00:10:23 +00:00
CodeQL CI
8d1e22bc38 Merge pull request #7632 from erik-krogh/CWE-862 
Approved by esbena, felicitymay
 2022-01-24 12:47:16 -08:00
Erik Krogh Kristensen
d4bac887cf add a js/samesite-none-cookie cookie 2022-01-24 21:39:41 +01:00
yo-h
364f07e3c5 Merge pull request #7725 from github/turbo-go-117-update 
Update supported Go version
 2022-01-24 15:23:00 -05:00