Owen Mansel-Chan
bc9fa6ba13
Fix bug in inline expectations test implementation
...
This was stopping trailing comments, as in `// $ Alert // some comment`, from working.
2026-06-15 21:08:08 +01:00
Owen Mansel-Chan
14c72def96
Merge pull request #21983 from owen-mc/java/convert-to-inline-expectation-tests
...
Java: Improve inline expectations test comments
2026-06-15 10:31:56 +01:00
Anders Schack-Mulligen
6934aa0e39
Merge pull request #21980 from aschackmull/cfg/unless-until
...
Cfg: Add support for unless and until statements
2026-06-15 09:58:03 +02:00
Owen Mansel-Chan
359e272577
Merge pull request #21979 from owen-mc/code-owners-rasmuswl
...
Remove @RasmusWL from CODEOWNERS
2026-06-14 23:50:05 +01:00
Owen Mansel-Chan
daefaff969
Merge pull request #21975 from github/dependabot/go_modules/go/extractor/extractor-dependencies-563a210b6d
...
Bump golang.org/x/tools from 0.45.0 to 0.46.0 in /go/extractor in the extractor-dependencies group
2026-06-12 22:04:57 +01:00
Owen Mansel-Chan
4bc083fd7f
Remove confusing comments
2026-06-12 21:51:52 +01:00
Owen Mansel-Chan
89c1d66f90
Add SPURIOUS and MISSING alerts based on existing comments
2026-06-12 21:51:50 +01:00
Owen Mansel-Chan
b9670ef831
Merge pull request #21966 from owen-mc/java/convert-to-inline-expectation-tests
...
Java: convert all qlref tests to inline expectation tests using postprocessing
2026-06-12 21:48:49 +01:00
Anders Schack-Mulligen
ff61344afa
Cfg: Add support for until-statements.
2026-06-12 13:55:05 +02:00
Anders Schack-Mulligen
fe8c029ac7
Cfg: Add support for unless-statements.
2026-06-12 13:50:41 +02:00
Anders Schack-Mulligen
912dc9c0bd
Merge pull request #21955 from aschackmull/cfg/try-body-index
...
Cfg: Fold getTryInit into indexed getBody.
2026-06-12 11:36:25 +02:00
Owen Mansel-Chan
eea406f622
Remove @RasmusWL from CODEOWNERS
...
He hasn't worked on CodeQL for a few years now. He
told me that he doesn't remember how these scripts
work.
2026-06-12 10:33:37 +02:00
Owen Mansel-Chan
de7afcaec3
Merge pull request #21976 from JarLob/patch-1
...
Update regex for GitHub hosted runner matching
2026-06-12 09:09:40 +01:00
Anders Schack-Mulligen
f3ec7087e3
Cfg: Fix type.
2026-06-12 10:02:48 +02:00
Jaroslav Lobačevski
bea5522473
rename change note
2026-06-12 07:52:34 +00:00
Jaroslav Lobačevski
eedef515f7
Updated regex. Added test and change note.
2026-06-12 07:50:02 +00:00
Jaroslav Lobačevski
9078b511c6
Update regex for GitHub hosted runner matching
...
Fixes false positives (of critical severity). New label naming conventions were introduced since the query was initially written.
2026-06-12 09:37:18 +03:00
dependabot[bot]
1ac079d066
Bump golang.org/x/tools
...
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/tools](https://github.com/golang/tools).
Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.45.0...v0.46.0)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-12 03:03:31 +00:00
Owen Mansel-Chan
29b0c286a7
Fix 3 more tests
2026-06-11 23:40:14 +02:00
Asger F
ad18659373
Merge pull request #21796 from mattcosta7/patch-1
...
Add UseMemoDirective and UseNoMemoDirective classes
2026-06-11 23:01:29 +02:00
Owen Mansel-Chan
a4bf2b8f58
Fix 3 tests
2026-06-11 22:59:39 +02:00
Owen Mansel-Chan
a375e186ed
Third pass
2026-06-11 21:53:22 +02:00
Matthew Costabile
923fe2dcb9
Merge branch 'main' into patch-1
2026-06-11 15:19:58 -04:00
Jeroen Ketema
642259cd51
Merge pull request #21968 from jketema/jketema/namequalifiers
...
C++: Fix `NameQualifyingElement` db inconsistency
2026-06-11 15:11:51 +02:00
Owen Mansel-Chan
0d984588f9
Merge pull request #21965 from owen-mc/go/convert-to-inline-expectation-tests
...
Go: convert all qlref tests to inline expectation tests using postprocessing
2026-06-11 13:27:06 +01:00
Owen Mansel-Chan
b4a9689341
Convert .qlref test to inline expectations
2026-06-11 07:15:54 +02:00
Owen Mansel-Chan
6a8e20a0c8
Fix pre-existing whitespace issues in go test files
2026-06-11 07:15:09 +02:00
Owen Mansel-Chan
4c411bbcb5
Convert hand-rolled inline expectations test
2026-06-11 07:13:48 +02:00
Asger F
b60bf8c79f
Merge pull request #21950 from tonghuaroot/experimental-ssrf-ipv6-transition-js
...
Add experimental query: SSRF host guard missing IPv6-transition unwrap (CWE-918/CWE-1389)
2026-06-10 21:42:54 +02:00
Jeroen Ketema
ef00aa2567
C++: Add upgrade and downgrade scripts
2026-06-10 14:38:15 +02:00
Jeroen Ketema
6d0968744b
C++: Fix NameQualifyingElement db inconsistency
2026-06-10 14:35:36 +02:00
Jeroen Ketema
98f147556a
C++: Add namequalifier test with inconsistency
...
While where the remove the file restriction in QL.
2026-06-10 14:27:56 +02:00
Owen Mansel-Chan
3693185b6b
Second pass
2026-06-10 09:14:47 +02:00
Owen Mansel-Chan
1c1d26453d
First pass converting qlref tests to inline expectation with postprocess
2026-06-10 07:46:42 +02:00
tonghuaroot (童话)
4c1a0058bf
Add SsrfIpv6TransitionIncompleteGuard.ql to not_included_in_qls.expected
...
Fix the JS integration test failure flagged in review by listing the new
experimental CWE-918 query in the expected not-included-in-qls suite, in
sorted order.
2026-06-10 08:42:42 +08:00
Tom Hvitved
f5919875b7
Merge pull request #21941 from hvitved/python/content-approx
...
Python: Implement `ContentApprox`
2026-06-09 15:46:04 +02:00
Owen Mansel-Chan
8d456df26f
Merge pull request #21960 from github/dependabot/go_modules/go/extractor/extractor-dependencies-28a04969f3
...
Bump golang.org/x/mod from 0.36.0 to 0.37.0 in /go/extractor in the extractor-dependencies group
2026-06-09 05:30:45 +01:00
dependabot[bot]
72fcf27d1a
Bump golang.org/x/mod
...
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/mod](https://github.com/golang/mod).
Updates `golang.org/x/mod` from 0.36.0 to 0.37.0
- [Commits](https://github.com/golang/mod/compare/v0.36.0...v0.37.0)
---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-09 03:03:37 +00:00
yoff
0cea01c22f
Merge pull request #21926 from github/yoff/python-simplify-decorator-predicates
...
Python: simplify decorator-detection predicates to pure AST match
2026-06-08 22:04:33 +02:00
Anders Schack-Mulligen
a473565256
Merge pull request #21954 from aschackmull/cfg/consistency-child-idx
...
Cfg: Add consistency check for relevant child indices.
2026-06-08 14:44:20 +02:00
Anders Schack-Mulligen
01173bf383
Cfg: Fold getTryInit into indexed getBody.
2026-06-08 14:03:12 +02:00
Anders Schack-Mulligen
c47135a40b
Cfg: Add consistency check for relevant child indices.
2026-06-08 13:40:33 +02:00
Owen Mansel-Chan
3cbc8f0262
Merge pull request #21951 from github/workflow/go-version-update
...
Go: Update to 1.26.4
2026-06-08 11:47:47 +01:00
Tom Hvitved
cc1ea25856
Python: Implement ContentApprox
2026-06-08 08:41:28 +02:00
github-actions[bot]
5a38cbd5d5
Go: Update to 1.26.4
2026-06-08 04:30:10 +00:00
tonghuaroot
e93bc11f6f
Add experimental JS query for SSRF guards missing IPv6-transition unwrap
...
Add javascript/ssrf-ipv6-transition-incomplete-guard, an experimental
@kind problem query that flags hand-rolled SSRF host guards which reject
private/loopback IPv4 ranges but never unwrap IPv6-transition forms
(IPv4-mapped ::ffff:, NAT64 64:ff9b::, 6to4 2002::). Such guards can be
bypassed by wrapping an internal IPv4 address in a transition literal.
Includes a .qhelp with good/bad examples, a change note, and a test pack
with two true-positive fixtures (private-ip package guard and a
hand-written RFC 1918 denylist) and two negative-control fixtures
(ipaddr.js range classifier and an explicit ::ffff: unwrap).
Signed-off-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>
2026-06-06 21:47:24 +08:00
Owen Mansel-Chan
cf6d94cf8a
Merge pull request #21324 from github/copilot/automate-go-version-updates-again
...
Automate Go version updates via scheduled workflow
2026-06-06 03:03:03 +01:00
Owen Mansel-Chan
292fc8b777
Fix detection of failed text replacement
...
I checked and the comment seems to be correct.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-06 02:52:21 +01:00
Owen Mansel-Chan
a1759d9834
Use --force-with-lease for slightly improved safety
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-06 02:51:36 +01:00
Owen Mansel-Chan
6b74874372
Minor improvement to PR text
2026-06-06 02:32:43 +01:00