hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 14:23:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
937 Commits 1,684 Branches 159 Tags
d05657ddff0cbfd41c1cacd40eab3145079eb0bc
Commit Graph

937 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
d05657ddff Make the gofmt CI test actaully fatal 
Turns out gofmt doesn't actually return 1 when it finds problems, only when it finds source files which don't compile (all of which are now excluded).

This also fixes existing overlooked inconsistencies as a result of this mistake.
 2020-07-10 11:02:50 +01:00
Max Schaefer
302eb55d23 Merge pull request #245 from smowton/smowton/feature/missing-error-check-query-conservative 
Add query searching for missing error checks on functions that return a (pointer, error) pair
 2020-07-09 15:37:32 +01:00
Chris Smowton
429a385a20 Add query searching for missing error checks on functions that return a (pointer, error) pair 2020-07-09 13:06:31 +01:00
Max Schaefer
02920abc62 Merge pull request #249 from smowton/smowton/feature/comment-group-ast-node-parents 
Make CommentGroups AST-children of Files
 2020-07-08 19:58:13 +01:00
Chris Smowton
6bf3802b3f Make CommentGroups AST-children of Files 
Previously they were roots, with children hanging off them. Now they are children of Files, and both CommentGroups and Comments can be discovered using AstNode.getAChild.

The PrintAst pass is also adapted to account for their new position.
 2020-07-08 17:49:47 +01:00
Max Schaefer
650cb5e626 Merge pull request #253 from smowton/smowton/admin/gofmt-in-ci 
Add Go autoformatting to the 'autoformat' make target and to CI
 2020-07-08 17:37:17 +01:00
Chris Smowton
ce94c68e0a Add Go autoformatting to the 'autoformat' make target and to CI 
Existing gofmt complaints are fixed, and files that specifically test queries that relate to badly formatting code are tagged as such.
 2020-07-08 14:20:19 +01:00
Max Schaefer
26eeb3c658 Merge pull request #252 from gagliardetto/patch-3 
taint-tracking: String() must return a string type
 2020-07-08 12:01:20 +01:00
Slavomir
59071732a8 taint-tracking: String() must return a string type 
Make sure that the taint-tracking class for the `String()` method checks that the result type is a string.
 2020-07-08 12:34:13 +03:00
Max Schaefer
bc778b5899 Merge pull request #243 from max-schaefer/cve-2019-11250 
Improvements to clear-text logging query
 2020-07-07 16:03:40 +01:00
Max Schaefer
3a897a9dd0 Merge pull request #247 from shati-patel/docs 
Docs: Editorial changes to library modeling topic
 2020-07-07 13:37:51 +01:00
Max Schaefer
b4c56928c4 Merge pull request #248 from max-schaefer/location-doc 
Port Location qldoc update.
 2020-07-07 13:37:36 +01:00
Max Schaefer
47a858610d Merge pull request #239 from smowton/smowton/feature/find-noreturn-user-functions 
Switch from using mustPanic to mayReturnNormally to construct a call-expression's CFG
 2020-07-07 13:37:18 +01:00
Chris Smowton
6e5ee47ade Switch from using mustPanic to mayReturnNormally to construct a call-expression's CFG 
We also use this to note that user-defined functions can only return normally if their CFG normal exit node is reachable, and annotate some well-known functions as noreturn.

For example, this will by fiat declare os.Exit noreturn (never returns normally), and will also notice that a user function `func myExit() { os.Exit(1) }` is also noreturn, because it doesn't have any control-flow edges that reach the normal return node.
 2020-07-07 11:40:06 +01:00
Max Schaefer
842860d7ca Port Location qldoc update. 
cf https://github.com/github/codeql/pull/3907
 2020-07-07 10:58:00 +01:00
Shati Patel
5ddcf92859 Editorial changes to library modeling topic 2020-07-07 10:02:33 +01:00
Max Schaefer
d8ff2d1641 Merge pull request #246 from smowton/smowton/feature/nuisance-dead-code-warnings 
UnreachableStatement: tolerate more harmless unreachable return statements
 2020-07-07 09:26:48 +01:00
Chris Smowton
5b34c05916 UnreachableStatement: tolerate more harmless unreachable return statements 
The Golang compiler isn't particularly good at spotting paths that don't need a return statement due to a dominating noreturn statement (e.g. os.Exit(1)), so dead return statements are common. We already tried to tolerate some instances of this pattern; this additionally allows 'true' and 'false' literals, and anything of type 'error'.

The carte-blanche for error values aims to accommodate the pattern "abort(); return whateverErrorWouldOtherwiseBeAppropriate();", which is probably preferable to "return nil", a misleading no-error indication.
 2020-07-06 17:02:26 +01:00
Max Schaefer
61bc51c133 Merge pull request #242 from max-schaefer/remove-experimental-precision 
Remove `@precision` from experimental query.
 2020-07-03 10:53:18 +01:00
Max Schaefer
5343315ad0 Remove @precision from experimental query. 
We'll add it back when we take it out of experimental status.
 2020-07-03 09:51:24 +01:00
Max Schaefer
570b232836 Merge pull request #235 from gagliardetto/bad-unsafe 
Query to find wrong uses of package "unsafe"
 2020-07-03 09:36:10 +01:00
Slavomir
94c0bc361d Improve comments and alerts 2020-07-02 22:10:17 +03:00
Max Schaefer
534ab94067 Merge pull request #241 from max-schaefer/update-data-flow 
Update shared data-flow libraries
 2020-07-02 14:07:32 +01:00
Max Schaefer
b83076853f Add change note. 2020-07-02 12:03:43 +01:00
Max Schaefer
89e9c6c2da Teach clear-text logging query to ignore dummy passwords. 2020-07-02 12:02:56 +01:00
Max Schaefer
63187a0889 Make clear-text logging sources more precise. 2020-07-02 12:02:56 +01:00
Max Schaefer
7b903dd062 Teach CleartextLogging not to track through error.Error() and fmt.Stringer.String(). 
These two are very heavily overloaded and cause all sorts of false positives.
 2020-07-02 12:02:56 +01:00
Max Schaefer
f807aa8b5e Merge pull request #233 from owen-mc/library-modeling 
Create guide for modeling go libraries
 2020-07-02 12:01:45 +01:00
Max Schaefer
dc5813b159 Data flow: Remove big-step relation in flow-through code 
cf https://github.com/github/codeql/pull/3857
 2020-07-02 11:55:41 +01:00
Max Schaefer
09d2fe391e Data flow: Replace getErasedRepr() and Node::getTypeBound() with getNodeType(). 
cf https://github.com/github/codeql/pull/3854
 2020-07-02 11:55:41 +01:00
Max Schaefer
7925db7911 Merge pull request #240 from max-schaefer/fix-frontend-errors 
Fix frontend errors
 2020-07-02 10:14:39 +01:00
Max Schaefer
25c969d14c Model message components for Fprintf and friends more precisely. 2020-07-02 09:41:03 +01:00
Max Schaefer
c80314a3fb Treat non-sensitive header retrieval as a barrier. 2020-07-02 09:41:03 +01:00
Max Schaefer
29cbac429f Fix stub for crypto/ssh. 2020-07-02 07:51:29 +01:00
Max Schaefer
5ac8ba9cef Fix an error in Types test. 2020-07-02 07:51:16 +01:00
Max Schaefer
eeae713c2f Dataflow: Refactor dispatch with call context. 
cf https://github.com/github/codeql/pull/3804
 2020-07-01 20:02:40 +01:00
Slavomir
b919ee03bf Merge branch 'bad-unsafe' of https://github.com/gagliardetto/codeql-go into bad-unsafe 2020-07-01 17:36:50 +03:00
Slavomir
267057b4b2 Use Nodes instead of Expressions 2020-07-01 17:33:40 +03:00
Owen Mansel-Chan
4a002c3044 Address review comments and delete md file 2020-07-01 15:08:00 +01:00
Max Schaefer
f74a94e382 Merge pull request #170 from sauyon/tracing 
Extract more dependency ASTs
 2020-07-01 14:25:52 +01:00
Owen Mansel-Chan
3a2a33b956 Convert to reStructuredText 
Annoyingly rst won't easily let you make some text monospace inside the
text for a link. The only other things I've changed from pandoc's output
are changing "code::" to "code-block::" and adding whitespace to get the
lists to format correctly.
 2020-07-01 10:43:08 +01:00
Slavomir
62ccceb543 Apply suggestions from code review 
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2020-07-01 12:16:40 +03:00
Slavomir
87c2ac3caf Remove deprecated; plus aesthetic fix 2020-07-01 12:11:41 +03:00
Owen Mansel-Chan
126d214a2d Address review comments 2020-07-01 10:04:55 +01:00
Slavomir
37af579f27 Implement code review feedback 2020-07-01 12:02:12 +03:00
Max Schaefer
05da78d0f2 Merge pull request #238 from owen-mc/tfunctionoutput-receiver-separate-case 
Make receiver a separate case in TFunctionOutput
 2020-07-01 09:53:13 +01:00
Slavomir
7475170ced Fix getBaseType 2020-07-01 11:21:15 +03:00
Slavomir
7f65424556 Fix comments and tests 2020-07-01 10:40:34 +03:00
Slavomir
9421476bea Add IndexExpr logic and example 2020-07-01 10:21:16 +03:00
Slavomir
036a1faffa Remove redundancy 2020-06-30 23:00:19 +03:00