codeql

mirror of https://github.com/github/codeql.git synced 2026-02-23 18:33:42 +01:00

Author	SHA1	Message	Date
Owen Mansel-Chan	cf73d96c9d	Update test results (remove SPURIOUS annotations)	2026-02-16 12:03:02 +00:00
Owen Mansel-Chan	9fc95f5171	Expand log injection sanitizers to annotation regex matches	2026-02-16 12:01:13 +00:00
Owen Mansel-Chan	146fc7a8c0	Add failing log injection test for @Pattern validation	2026-02-16 12:01:07 +00:00
Owen Mansel-Chan	8f8f4c2d52	Fix Matcher.matches edge case	2026-02-14 00:28:37 +00:00
Owen Mansel-Chan	90befa0c00	Add failing test for Matcher.matches() edge case	2026-02-14 00:28:34 +00:00
Owen Mansel-Chan	bfe26c1989	Add @Pattern as RegexExecution => SSRF sanitizer	2026-02-12 16:57:11 +00:00
Owen Mansel-Chan	d0999e3abd	Add failing test for @Pattern validation	2026-02-12 16:57:04 +00:00
Anders Schack-Mulligen	6f40ac15b4	Java: Rename ReturnStmt.getResult to getExpr.	2026-02-04 14:43:31 +01:00
Owen Mansel-Chan	516b84b59a	Add test for *Pool exclusion	2026-01-27 15:38:29 +00:00
Owen Mansel-Chan	a5d9cb179a	Merge pull request #20930 from owen-mc/java/spring-rest-template-request-forgery-sinks Java: add more Spring RestTemplate request forgery sinks	2026-01-15 14:23:15 +00:00
Mauro Baluda	5cef0376a9	Update java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>	2026-01-14 11:50:52 +01:00
Mauro Baluda	9efefa6120	Fix test expectations	2026-01-13 22:46:42 +01:00
Mauro Baluda	d335f039ef	Improve model for CWE-089	2026-01-13 21:48:43 +01:00
Mauro Baluda	89f0e79ea1	Fix `SqlTainted` test	2026-01-13 13:55:14 +01:00
Mauro Baluda	dda042f7df	rename change notes	2026-01-13 13:07:14 +01:00
Mauro Baluda	4c8058d97b	Merge branch 'github:main' into couchdb	2026-01-09 17:20:40 +01:00
Mauro Baluda	15ee88ee24	SQLi test case	2025-12-24 20:30:21 +01:00
Mauro Baluda	b22077c371	Hardcoded credentials in CouchBase	2025-12-22 20:22:20 +01:00
yoff	c6240e5a99	java: understand more initializers Whne a fiels is assigned a safe type in a constructor, that field is not exposed.	2025-12-16 10:11:05 +01:00
yoff	a65d385297	java: add tests for thread safe initialisation Co-authored-by: Raúl Pardo <raul.pardo@protonmail.com>	2025-12-16 10:11:05 +01:00
Owen Mansel-Chan	a85d0ea8a3	Make tests pass	2025-12-02 17:08:16 +00:00
Owen Mansel-Chan	8fd8fc07b7	Add failing tests for more regex match methods	2025-12-02 17:06:34 +00:00
Owen Mansel-Chan	969b0cf439	Add SSRF sinks for `uriVariables` arguments of more methods on Spring RestTemplate	2025-11-27 23:44:35 +00:00
Owen Mansel-Chan	1a59839f3c	Range library recognises long literals now	2025-11-24 14:10:54 +00:00
Owen Mansel-Chan	ec381e4ec5	Use range analysis and improve tests	2025-11-21 10:31:50 +00:00
aegilops	e904520779	Fixed formatting	2025-11-20 17:34:42 +00:00
aegilops	1e67907516	Merge commit	2025-11-20 12:22:39 +00:00
aegilops	62ee6d3a33	Made changes requested by reviewers - bounded() for range checking, style and better comments	2025-11-20 11:46:42 +00:00
Paul Hodgkinson	7b25e22a37	Merge branch 'main' into java-kotlin-sensitive-logging-substring-barriers	2025-11-17 11:03:39 +00:00
aegilops	fa703e3e60	Test cases for sensitive logging sanitizer	2025-11-14 16:53:46 +00:00
Anders Schack-Mulligen	d6800394fa	Guards: Support disjunctive implications.	2025-11-12 14:14:32 +01:00
Anders Schack-Mulligen	2192d75286	Java: Add test for a known FP.	2025-11-12 14:08:18 +01:00
yoff	4461be180a	Merge pull request #19539 from yoff/java/conflicting-access	2025-10-28 20:37:44 +01:00
yoff	406e48b3bb	java: fix aliasing FP reorganise code, adding `LockField`	2025-10-27 14:30:25 +01:00
yoff	531b994819	java: add test for aliasing found by triage	2025-10-27 14:27:32 +01:00
Tom Hvitved	a4eab484ce	Address review comments	2025-10-24 13:32:39 +02:00
Tom Hvitved	7a9cb64e2e	Java: Treat `x.matches(regexp)` as a sanitizer for request forgery	2025-10-24 09:06:57 +02:00
yoff	9e77e5b046	java: add test with deeper paths also format test files	2025-10-21 14:02:36 +02:00
yoff	f183a7223f	java: add test for `notFullyMonitored`	2025-10-21 13:40:29 +02:00
yoff	de05bfbce3	java: address review comments - do not use `getQualifiedName` - use camelCase - rework alert predicates	2025-10-21 13:25:26 +02:00
yoff	61a3e9630f	java: rewrite conflict detection - favour unary predicates over binary ones (the natural "conflicting access" is binary) - switch to a dual solution to trade recursion through forall for simple existentials. Co-authored-by: Anders Schack-Mulligen <aschackmull@github.com>	2025-10-17 01:43:04 +02:00
Joe Farebrother	d8b37d0cde	Review suggestions - update comments and description	2025-10-14 16:03:40 +01:00
Joe Farebrother	9cb593b020	Update tests	2025-10-13 14:51:37 +01:00
Joe Farebrother	c799f93811	Update tests and add inline expectations	2025-10-13 14:51:04 +01:00
yoff	830f02af1f	java: fixes from the CI bots	2025-10-09 09:37:31 +02:00
yoff	096d5f2a56	java: implement SCC contraction of the call graph Our monitor analysis would be fooled by cycles in the call graph, since it required all edges on a path to a conflicting access to be either - targetting a method where the access is monitored (recursively) or - monitored locally, that is the call is monitored in the calling method For access to be monitored (first case) all outgoing edges (towards an access) need to satisfy this property. For a loop, that is too strong, only edges out of the loop actually need to be protected. This led to FPs.	2025-10-09 09:14:16 +02:00
yoff	5b30153113	java: add Escaping query (P1)	2025-10-09 09:14:16 +02:00
yoff	328b53576a	java: add SafePublication query (P2)	2025-10-09 09:14:16 +02:00
yoff	fe487e8bf0	java: add ThreadSafe query (P3) Co-authored-by: Raúl Pardo <raul.pardo@protonmail.com> Co-authored-by: SimonJorgensenMancofi <simon.jorgensen@mancofi.dk> Co-authored-by: Bjørnar Haugstad Jåtten <bjornjaat@hotmail.com>	2025-10-09 09:14:16 +02:00
Chris Smowton	f88daff45f	Java: note that classes with entirely private constructors can't be subclassed	2025-09-30 13:57:44 +01:00

1 2 3 4 5 ...

1320 Commits