hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 19:29:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,993 Commits 1,758 Branches 167 Tags
c91b5b3c2e9443aa892dddbe3056adee79ba3eb1
Commit Graph

824 Commits

Author SHA1 Message Date
Owen Mansel-Chan
c91b5b3c2e Merge pull request #21650 from MarkLee131/fix/sensitive-log-fp-regex 
Java: reduce false positives in sensitive-log
 2026-04-21 13:48:32 +01:00
Michael B. Gale
58e9bad0a0 Merge pull request #21737 from github/post-release-prep/codeql-cli-2.25.3 
Post-release preparation for codeql-cli-2.25.3
 2026-04-21 11:48:30 +02:00
Owen Mansel-Chan
9f310c20f3 Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal 
Java: fix bug in partial path traversal
 2026-04-20 11:52:55 +01:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
Owen Mansel-Chan
c6f641eac4 Add change note 
Co-authored-by: Copilot <copilot@github.com>
 2026-04-19 07:18:48 +01:00
Salah Baddou
fb2d53e72a Address review: inline Woodstox into XmlParsers, move changelog to lib 2026-04-17 18:46:51 +04:00
github-actions[bot]
4fe2f6d2b4 Release preparation for version 2.25.2 2026-04-06 10:30:38 +00:00
MarkLee131
20cfe29199 Java: reduce false positives in sensitive-log by expanding FP exclusion regex 
The getCommonSensitiveInfoFPRegex() only excluded "null", "tokenizer", and
"tokenImage", causing widespread false positives for common non-sensitive
variable names containing "token" or "secret".

This adds exclusions for three categories:
- Pagination/iteration tokens: nextToken (AWS SDK), pageToken (GCP),
  continuationToken (Azure), etc.
- Token metadata: tokenType (OAuth), tokenEndpoint (OIDC), tokenCount,
  tokenIndex, tokenLength, tokenUrl, etc.
- Secret metadata: secretName (K8s/AWS), secretId (Azure),
  secretVersion, secretArn, secretPath, etc.

All truly sensitive variable names (accessToken, clientSecret, secretKey,
refreshToken, etc.) remain correctly flagged.
 2026-04-04 21:33:35 +08:00
Paolo Tranquilli
106d6b91f3 Merge remote-tracking branch 'origin/main' into wild-crest-ql 2026-03-30 14:21:28 +02:00
Paolo Tranquilli
1d028382da Merge branch 'main' into wild-crest-ql 2026-03-30 12:04:16 +02:00
Óscar San José
59eec7ffa2 Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1 2026-03-30 10:51:12 +02:00
Kaixuan Li
b595a70384 Update java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-03-29 11:45:27 +08:00
Kaixuan Li
938039d82c Merge branch 'main' into fix/tainted-arithmetic-bounds-check-barrier 2026-03-29 10:25:39 +08:00
Owen Mansel-Chan
2b8558706f Add sentence to change note. 2026-03-28 16:39:16 +00:00
Owen Mansel-Chan
ea9b99f67c Rephrase change note 2026-03-28 16:36:39 +00:00
MarkLee131
0c5e89a68e Exclude bounds-check arithmetic from tainted-arithmetic sinks 
The java/tainted-arithmetic query now recognizes when an arithmetic
expression appears directly as an operand of a comparison (e.g.,
`if (off + len > array.length)`). Such expressions are bounds checks,
not vulnerable computations, and are excluded via the existing
overflowIrrelevant predicate.

Add test cases for bounds-checking patterns that should not be flagged.
 2026-03-28 17:39:40 +08:00
MarkLee131
da4a2238bc Address PR review: add Signature.getInstance sink, HMAC/PBKDF2 whitelist, fix test APIs 
- Model Signature.getInstance() as CryptoAlgoSpec sink (previously only
  Signature constructor was modeled)
- Add HMAC-based algorithms (HMACSHA1/256/384/512, HmacSHA1/256/384/512)
  and PBKDF2 to the secure algorithm whitelist
- Fix XDH/X25519/X448 tests to use KeyAgreement.getInstance() instead of
  KeyPairGenerator.getInstance() to match their key agreement semantics
- Add test cases for SHA384withECDSA, HMACSHA*, and PBKDF2WithHmacSHA1
  from user-reported false positives
- Update change note to document all additions
 2026-03-28 16:53:46 +08:00
MarkLee131
a9449cc991 Add EC to secure algorithm whitelist for Java CWE-327 query 2026-03-28 16:48:58 +08:00
Paolo Tranquilli
ded6968558 Kotlin: update to 2.3.20 2026-03-26 11:43:37 +01:00
github-actions[bot]
fb011842c9 Release preparation for version 2.25.1 2026-03-25 23:43:06 +00:00
github-actions[bot]
8cf0954796 Release preparation for version 2.25.1 2026-03-25 08:28:30 +00:00
github-actions[bot]
d6055754b6 Release preparation for version 2.25.0 2026-03-16 12:15:34 +00:00
Óscar San José
3b9eba2afc Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21 2026-03-06 16:20:36 +01:00
Anders Schack-Mulligen
8ef4be49aa Merge pull request #21412 from aschackmull/java/binary-assignment 
Java: Make Assignment extend BinaryExpr.
 2026-03-05 13:19:45 +01:00
Owen Mansel-Chan
c82f75604a Add change notes 2026-03-05 10:34:30 +00:00
Anders Schack-Mulligen
ea77c0d86c Java: Add change note. 2026-03-05 11:32:00 +01:00
github-actions[bot]
7795badd18 Release preparation for version 2.24.3 2026-03-02 13:23:40 +00:00
Anders Schack-Mulligen
0d0711f2a7 Java: Add change note. 2026-02-23 15:10:02 +01:00
Owen Mansel-Chan
94e3d86f6a Merge pull request #21319 from owen-mc/java/javax-jakarta 
Java: Always use both "javax" and "jakarta" at the beginning of Jave EE packages
 2026-02-17 08:31:52 +00:00
github-actions[bot]
ef04f927fb Release preparation for version 2.24.2 2026-02-16 13:29:25 +00:00
Owen Mansel-Chan
597be6a1c0 Add change note 2026-02-16 12:01:15 +00:00
Owen Mansel-Chan
6da3a4557e Add change note 2026-02-16 11:02:17 +00:00
Owen Mansel-Chan
47a9f87d9b Merge pull request #21310 from owen-mc/java/regex-execution 
Java: Add RegexMatch concept and recognise `@Pattern` annotation as sanitizer
 2026-02-16 09:11:47 +00:00
Owen Mansel-Chan
c539c2f4fd Add change note 2026-02-12 16:57:12 +00:00
Anders Schack-Mulligen
5c53677051 Java: Deprecate UnreachableBlocks. 2026-02-12 11:06:34 +01:00
Anders Fugmann
c5179e40c6 Kotlin: Add change note for supporting 2.3.10 2026-02-06 14:59:34 +01:00
Anders Schack-Mulligen
2d02908e7f Java: Add change note. 2026-02-04 14:43:32 +01:00
Henry Mercer
5f1fd57f84 Fix formatting of Kotlin version ranges 2026-02-02 12:22:50 +00:00
Henry Mercer
38fcc61817 Fix formatting in Kotlin changelog 2026-02-02 12:10:15 +00:00
github-actions[bot]
0db542e9f0 Release preparation for version 2.24.1 2026-02-02 12:09:09 +00:00
Anders Peter Fugmann
78495035a6 Merge pull request #20965 from github/andersfugmann/kotlin_2.3.0-beta2 
Kotlin: Support Kotlin 2.3.0
 2026-01-30 11:37:19 +01:00
Owen Mansel-Chan
a35e7b27af Merge pull request #21226 from owen-mc/java/update-qhelp-unrelease-lock 
Java: Improve qhelp for `java/unreleased-lock` and add lock type exclusion
 2026-01-28 09:46:31 +00:00
Anders Fugmann
6d60595d73 Kotlin: Add changenotes for Kotlin 2.3 support and removal of support for Kotlin 1.6 and 1.7 2026-01-28 09:30:21 +01:00
Anders Peter Fugmann
f4edff9452 Merge pull request #21216 from github/andersfugmann/kotlin_extractor_load_last 
Kotlin: Load kotlin extractor last
 2026-01-28 09:22:46 +01:00
Owen Mansel-Chan
a0c35516bd Add change note 2026-01-27 15:48:04 +00:00
Mads Navntoft
b7125a009e Merge pull request #21221 from github/navntoft/struts 
Java: Add support for Struts 7.x package names
 2026-01-27 15:53:26 +01:00
Mads Navntoft
ede05b54ea Java: Add change note for Struts 7.x package name support 2026-01-27 13:00:16 +01:00
Anders Fugmann
73850f1b56 Kotlin: Add changenote 2026-01-26 13:27:34 +01:00
Tom Hvitved
0f6bae0ae1 Add change notes 2026-01-26 12:40:22 +01:00
Michael B. Gale
f76211c64a Merge pull request #21136 from github/mbg/java/maven-plugin-repo-changenote 
Java: Add change note for plugin repo support
 2026-01-26 10:44:51 +00:00