hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
12,746 Commits 1,741 Branches 165 Tags
c5c3ffaef083d545311b7e399cb4e3cbf23aa7df
Commit Graph

12746 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mathias Vorreiter Pedersen
c5c3ffaef0 C++: Add asPartialDefinition testcases 2020-05-26 13:14:11 +02:00
Tom Hvitved
e9839198f4 Merge pull request #3484 from calumgrant/cs/index-initializers 
C#: Extract indexed initializers correctly
 2020-05-20 09:22:47 +02:00
Tom Hvitved
97080731ad Merge pull request #3486 from h3ku/master 
CSHARP: Add experimental query for tainted WebClient
 2020-05-20 08:17:05 +02:00
Robert Marsh
28c2acabe5 Merge pull request #3505 from dbartol/github/codeql-c-analysis-team/69 
C++/C#: Remove `UnmodeledDefinition` instruction
 2020-05-19 17:17:53 -07:00
semmle-qlci
0a8b3adc25 Merge pull request #3518 from felicitymay/merge-124-master 
Approved by shati-patel
 2020-05-19 19:30:47 +01:00
Felicity Chapman
99d7a21425 Merge branch 'rc/1.24' into merge-124-master 2020-05-19 19:04:44 +01:00
Felicity Chapman
cca3922d00 Merge pull request #3517 from felicitymay/1.24/SD-54-update-contact 
CodeQL 1.24: Update information on support
 2020-05-19 18:57:34 +01:00
Tom Hvitved
f0f833b58f Merge pull request #3512 from jbj/mergeback-2020-05-19 
Mergeback rc/1.24 -> master
 2020-05-19 19:51:36 +02:00
Felicity Chapman
70d642a956 Update information on support 2020-05-19 18:17:17 +01:00
Jonas Jensen
d38700a87c Merge remote-tracking branch 'upstream/master' into mergeback-2020-05-19 
Conflicts:
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
 2020-05-19 17:44:15 +02:00
semmle-qlci
26dfca80f6 Merge pull request #3510 from max-schaefer/cull-boring-queries 
Approved by asgerf, esbena
 2020-05-19 15:41:53 +01:00
Hector Cuesta
66d77a43bd Fix typo in comment and TaintTrackingConfiguration name 2020-05-19 15:15:03 +01:00
Hector Cuesta
e18d8c5234 Remove duplicated CWE in security tag 2020-05-19 15:12:43 +01:00
Hector Cuesta
7d1ef92fbf Remove unnecessary CWE reference. 2020-05-19 15:09:17 +01:00
Mathias Vorreiter Pedersen
f0f7e531d7 Merge pull request #3511 from jbj/simplify-field-conflation-test 
C++: Simplify field conflation test
 2020-05-19 16:04:45 +02:00
yo-h
bfeaeccf60 Merge pull request #3507 from aschackmull/java/cleanup-deprecated-overrides 
Java: Clean up deprecated overrides.
 2020-05-19 09:47:57 -04:00
Max Schaefer
a803120414 Lower precision for a number of queries. 
These queries are currently run by default, but don't have their results displayed.

Looking through results on LGTM.com, they are either false positives (e.g., `BitwiseSignCheck` which flags many perfectly harmless operations and `CompareIdenticalValues` which mostly flags NaN checks) or harmless results that developers are unlikely to care about (e.g., `EmptyArrayInit` or `MisspelledIdentifier`).

With this PR, the only queries that are still run but not displayed are security queries, where different considerations may apply.
 2020-05-19 13:43:17 +01:00
Jonas Jensen
5318d42c4f Merge remote-tracking branch 'upstream/rc/1.24' into mergeback-2020-05-19 2020-05-19 14:42:58 +02:00
Jonas Jensen
486f06ab18 C++: Simplify field conflation test 
It turned out the `memcpy` step was not even necessary.
 2020-05-19 14:12:11 +02:00
Alexander Eyers-Taylor
57dbe5793f Merge pull request #3501 from jbj/dispatch-global-union 
C++: Fix struct field conflation in IR data flow
 2020-05-19 12:29:25 +01:00
Anders Schack-Mulligen
6f03a0bc39 Merge pull request #3487 from luchua-bc/java-sensitive-jboss-logging 
Add JBoss logging
 2020-05-19 11:04:18 +02:00
Anders Schack-Mulligen
c36e6213f1 Merge pull request #3288 from ggolawski/jndi-injection 
CodeQL query to detect JNDI injections
 2020-05-19 11:03:29 +02:00
Anders Schack-Mulligen
9d7329de30 Java: Clean up deprecated overrides. 2020-05-19 10:41:41 +02:00
semmle-qlci
0c081a8e87 Merge pull request #3497 from esbena/js/yield-and-local-objects 
Approved by asgerf, erik-krogh
 2020-05-19 09:02:22 +01:00
semmle-qlci
0d762066f5 Merge pull request #3504 from erik-krogh/unique 
Approved by esbena
 2020-05-19 08:35:08 +01:00
Dave Bartolomeo
d6ef94a4c7 C++: Remove dead comment 2020-05-18 23:05:19 -04:00
Dave Bartolomeo
3758f3c48d C++: Fix syntax-zoo test output 2020-05-18 18:07:52 -04:00
Dave Bartolomeo
01c2f0ce01 C++/C#: Fix formatting 2020-05-18 18:02:00 -04:00
Grzegorz Golawski
73e736b47a Enhanced comments according to the review comment 2020-05-18 23:37:48 +02:00
Grzegorz Goławski
0075d35346 Update java/ql/src/experimental/Security/CWE/CWE-074/JndiInjectionLib.qll 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-05-18 23:18:16 +02:00
Dave Bartolomeo
42c659b8f2 C++/C#: Remove UnmodeledDefinition instruction 2020-05-18 15:08:50 -04:00
semmle-qlci
192bf918c3 Merge pull request #3488 from asger-semmle/js/sql-type-tracking 
Approved by erik-krogh
 2020-05-18 19:57:32 +01:00
Erik Krogh Kristensen
202b8a56b7 apply the unique aggregate where trivially applicable 2020-05-18 20:37:38 +02:00
Asger F
96d6115452 Merge branch 'master' into js/sql-type-tracking 2020-05-18 15:58:42 +01:00
Dave Bartolomeo
35868d4e5b C++/C#: Change dump of unmodeled use to m? 
This is kind of inconsequential on its own, but will make the test diffs easier to understand once the next commit removes `UnmodeledDefinition`.
 2020-05-18 10:47:43 -04:00
Jonas Jensen
76e194c8be C++: Fix struct field conflation in IR data flow 
The virtual-dispatch code for globals was missing any relationship
between the union field access and the global variable, which meant it
propagated function-pointer flow between any two fields of a global
struct. This resulted in false positives from
`cpp/tainted-format-string` on projects using SDL, such as
WohlSoft/PGE-Project.

In addition to fixing that bug, this commit also brings the code up to
date with the new style of modeling flow through global variables:
`DataFlow::Node.asVariable()`.
 2020-05-18 16:24:22 +02:00
Bt2018
69f2525e62 Remove the ending blank lines for auto-format check 2020-05-18 10:02:37 -04:00
Jonas Jensen
f2402c5abb C++: Test virtual dispatch field conflation 
This test demonstrates that IR data flow conflates unrelated fields of a
global struct-typed variable and that this bug is not present in the old
AST-based implementation of `semmle.code.cpp.security.TaintTracking`.
 2020-05-18 15:37:22 +02:00
semmle-qlci
0da1e68462 Merge pull request #3498 from max-schaefer/js/remote-exec 
Approved by esbena
 2020-05-18 14:17:20 +01:00
Asger F
a9983fdb49 Update javascript/ql/src/semmle/javascript/frameworks/SQL.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-05-18 13:23:22 +01:00
Max Schaefer
bdd778f989 JavaScript: Add change note. 2020-05-18 12:08:36 +01:00
Max Schaefer
6797fec1a3 JavaScript: Add more models of packages that execute commands over SSH. 2020-05-18 12:08:14 +01:00
Esben Sparre Andreasen
a9ba6ac659 JS: make LocalObjects::isEscape aware of yield 2020-05-18 12:43:46 +02:00
semmle-qlci
14664be467 Merge pull request #3468 from p0/imp/nodejs-vm-sinks 
Approved by esbena
 2020-05-18 11:10:13 +01:00
James Fletcher
bd6d2d899d Merge pull request #3495 from jf205/java-article-fix 
CodeQL docs: remove stray GH variable
 2020-05-18 10:23:22 +01:00
james
06f465bae7 docs: remove gh variable 2020-05-18 10:12:40 +01:00
Jonas Jensen
cc00f0f584 C++: Move identical declarations to shared.h file 
This cleans up the test results, which were confusing because functions
like `sink` had multiple locations.

There are some additional results now involving casts to `const char *`
because previously it varied whether `sink` used `const`, and now it
always does.
 2020-05-18 10:42:52 +02:00
Asger Feldthaus
a18e0b37cf JS: simplify sequelize model 2020-05-18 09:34:17 +01:00
Asger F
f52c827966 Apply suggestions from code review 
Base type of EscapingSanitizer

Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-05-18 09:31:09 +01:00
Asger F
ffb22c061a Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-05-18 09:28:22 +01:00