hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
83,673 Commits 1,746 Branches 166 Tags
dc1dff98b0f2cefd93b53240575a42ab81bd71d9
Commit Graph

5902 Commits

Author SHA1 Message Date
REDMOND\brodes
3dedda4233 Merge branch 'santander-java-crypto-check' of https://github.com/bdrodes/codeql into santander-java-crypto-check 2025-10-09 08:18:04 -04:00
REDMOND\brodes
c6cc4fff51 Crypto: Minor fixes to WeakBlockModes, WeakHash to consider SHA3 ok, Added unknown hash. 2025-10-09 08:16:28 -04:00
Nicolas Will
fdba3acc4b Crypto: Fix QL-for-QL alert and auto-format 2025-10-09 13:59:51 +02:00
REDMOND\brodes
f524de4afc Crypto: Updating insecure iv/nonce to consider if an operation is known for it, and if so do not alert on non-secure random if it is tied to decryption 2025-10-08 16:27:18 -04:00
REDMOND\brodes
11e81395b5 Crypto: Updated default flows to use taint tracking (this is needed to fix false positives in the unknown IV/Nonce query). Add the unknown IV/Nonce query and associated test cases. Fix unknown IV/Nonce query to focus on cases where the oepration isn't known or the operation subtype is not encrypt or wrap. 2025-10-08 14:14:17 -04:00
REDMOND\brodes
8e10e1937d Crypto: Adding query for unknown IV initialization. 2025-10-08 12:49:54 -04:00
REDMOND\brodes
83ff70bcd8 Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals. 2025-10-08 12:47:58 -04:00
REDMOND\brodes
bd34b6ce02 Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce 2025-10-08 11:41:21 -04:00
REDMOND\brodes
143be8cc35 Crypto: Remove redundant queries. 2025-10-08 10:26:05 -04:00
REDMOND\brodes
1b1b333e8b Crypto: Modify suggested queries per misc. side conversations on standards. Remove redundant query. Fix QL-for-QL issues. 2025-10-08 10:21:06 -04:00
REDMOND\brodes
bba541c016 Merge remote-tracking branch 'upstream/java-crypto-check' into santander-java-crypto-check 2025-10-08 09:30:26 -04:00
Owen Mansel-Chan
0bcdb91639 Improve qhelp for broken crypto algo queries 
Previously it focussed too much on the risk of data being decrypted,
and didn't explain why using weak algorithms is a problem in other
contexts.
 2025-10-08 14:10:54 +01:00
Anders Schack-Mulligen
99f5dcaaa4 Java: Fix bug in ConstantExpAppearsNonConstant. 2025-10-08 10:32:51 +02:00
Mark C
f38ab45e94 removed all @security.severity ratings to keep the main impartial 2025-10-01 17:49:45 +01:00
Mark C
c5cf0ffa75 added java cryptographic check queries 2025-10-01 11:55:51 +01:00
Chris Smowton
f88daff45f Java: note that classes with entirely private constructors can't be subclassed 2025-09-30 13:57:44 +01:00
Idriss Riouak
fa8cbeeb44 Merge pull request #20546 from github/idrissrio/ql-constant 
Java: Fix false positives in evaluation-to-constant query for ErrorType
 2025-09-30 14:24:28 +02:00
idrissrio
63771110a5 Java: Address review comment 2025-09-30 11:46:37 +02:00
github-actions[bot]
a7a4e43991 Post-release preparation for codeql-cli-2.23.2 2025-09-29 15:10:19 +00:00
idrissrio
659afb5f30 Java: Fix false positives in evaluation-to-constant query for ErrorType 2025-09-29 13:37:25 +02:00
github-actions[bot]
d2130a589b Release preparation for version 2.23.2 2025-09-29 10:28:45 +00:00
Ian Lynagh
c653d939d9 Merge pull request #20451 from github/post-release-prep/codeql-cli-2.23.1 
Post-release preparation for codeql-cli-2.23.1
 2025-09-17 13:00:14 +01:00
Michael Nebel
7589d0a18a Merge pull request #20394 from michaelnebel/java/code-quality-extended 
Java: Add most `medium` precision queries to the `code-quality-extended` suite.
 2025-09-17 13:46:24 +02:00
github-actions[bot]
4e8343664f Post-release preparation for codeql-cli-2.23.1 2025-09-17 10:13:40 +00:00
github-actions[bot]
02a1b1efcb Release preparation for version 2.23.1 2025-09-16 14:14:42 +00:00
Anders Schack-Mulligen
b308c5438f Java: Add a change note, and a minor ql comment. 2025-09-15 10:14:26 +02:00
Michael Nebel
8e392cf8de Java: Remove java/undocumented-* queries from the code-quality-extended suite. 2025-09-10 16:13:24 +02:00
Michael Nebel
56802035df Java: Add some medium precision queries to the code-quality-extended suite. 2025-09-10 16:11:20 +02:00
Anders Schack-Mulligen
3815503314 Java: Consolidate Assertions.qll and Preconditions.qll. 2025-09-10 15:42:18 +02:00
Idriss Riouak
dc247e03e0 Merge pull request #20383 from aschackmull/java/fix-more-broken-perf 
Java: Fix more broken performance.
 2025-09-08 14:49:43 +02:00
Anders Schack-Mulligen
4c1fa58367 Java: Fix more broken performance. 2025-09-08 14:12:00 +02:00
Michael Nebel
3f4b2b7cc8 Java: Add change note. 2025-09-08 12:05:38 +02:00
Michael Nebel
b0ef0f06eb Java: Include metrics in the database quality diagnostics and lower threshold. 2025-09-08 12:05:37 +02:00
Anders Schack-Mulligen
c6adc51220 Java: Fix broken performance. 2025-09-08 08:30:07 +02:00
github-actions[bot]
e8a2600a0c Post-release preparation for codeql-cli-2.23.0 2025-09-02 11:46:23 +00:00
github-actions[bot]
0bfa93828b Release preparation for version 2.23.0 2025-09-02 11:09:32 +00:00
Michael Nebel
a732b36fa8 Update java/ql/src/experimental/quantum/Analysis/ArtifactReuse.qll 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2025-09-02 10:39:37 +02:00
Michael Nebel
77113b2e42 Java: Fix some Ql4Ql violations. 2025-09-01 15:04:08 +02:00
Napalys Klicius
b4d6cb6e5f Merge pull request #20178 from Napalys/java/visible-for-testing-abuse 
Java: Added new query `java/visible-for-testing-abuse`
 2025-08-29 08:38:04 +02:00
Napalys Klicius
6132900e12 Java: add full stops for ql docs 2025-08-29 08:09:03 +02:00
Napalys Klicius
c836104717 Update java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.md 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2025-08-28 15:01:53 +02:00
Napalys Klicius
d3be456c5c Update java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.ql 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2025-08-28 15:01:43 +02:00
Napalys Klicius
1949d9f8f3 Merge branch 'main' into java/mocking-all-non-private-methods-means-unit-test-is-too-big 2025-08-28 14:22:06 +02:00
Napalys Klicius
970167bc62 Java: moved java/mocking-all-non-private-methods-means-unit-test-is-too-big to a more appropriate location, namely Violation of Best Practice/Testing 2025-08-28 14:20:19 +02:00
Napalys Klicius
ad6ca51ef2 Update java/ql/src/Likely Bugs/Frameworks/JUnit/ExcessivePublicMethodMocking.ql 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2025-08-28 12:03:56 +02:00
Napalys Klicius
a3aacfb688 Merge pull request #20190 from Napalys/java/jvm-exit-query-promotion 
Java: Enhance `java/jvm-exit` query and add to quality
 2025-08-27 13:23:02 +02:00
Napalys Klicius
b3f90bbdfc Update java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToSystemExit.ql 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2025-08-26 13:23:24 +00:00
Napalys Klicius
6c51ba80c7 Update java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToSystemExit.ql 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2025-08-26 15:19:02 +02:00
Jami
3675e4bb4f Merge branch 'main' into jcogs33/java/insecure-spring-actuator-config-promotion 2025-08-26 08:02:17 -04:00
Napalys Klicius
8017fae297 Java: Simplify mock call location check using getEnclosingCallable 2025-08-26 09:44:00 +00:00