Stephan Brandauer
8ed773b240
Java: Framework mode extraction now uses a custom class for endpoints, so we can support both Argument[this] and interface-method parameters
2023-07-28 12:56:39 +02:00
Stephan Brandauer
09c64e8fee
Java: Support Argument[this] in framework mode metadata extraction
2023-07-28 12:55:26 +02:00
Ian Lynagh
499bd970d3
Merge pull request #13412 from igfoo/igfoo/json_escape
...
Kotlin: Tweak our JSON escaping
2023-07-28 11:13:51 +01:00
Alvaro Muñoz
c3a2ae2943
Account for public fields/setters
2023-07-28 12:12:07 +02:00
Tony Torralba
c239a4399c
Changed Struts2ActionSupportClassFieldReadSource to be a FieldValueNode instead of a field read
2023-07-27 10:39:06 +02:00
Alvaro Muñoz
97a4230d5d
add change note
2023-07-27 10:39:06 +02:00
Alvaro Muñoz
f3fc56294e
implement field taint inheritance for Struts2 unmarshalled objects
2023-07-27 10:39:06 +02:00
Tony Torralba
9d6bc76dc0
Merge pull request #13817 from atorralba/atorralba/java/non-static-fieldvaluenode-step
...
Java: Allow flow out of FieldValueNodes for non-static fields
2023-07-27 09:14:04 +02:00
Owen Mansel-Chan
9b2b58a823
Sync files
2023-07-26 21:48:10 +01:00
Chris Smowton
c69a9ea032
Merge pull request #13793 from github/post-release-prep/codeql-cli-2.14.1
...
Post-release preparation for codeql-cli-2.14.1
2023-07-26 17:22:05 +01:00
Tony Torralba
8685242c16
Add tests
2023-07-26 14:13:43 +02:00
Stephan Brandauer
24cdc962c2
Merge pull request #13818 from github/kaeluka/fix-erroneous-endpoints-that-are-sinks-and-summary-neutrals
...
Java: Automodel Fix, Prevent Some Erroneous Endpoints
2023-07-26 12:45:29 +02:00
Tony Torralba
602eb43109
Update partial flow test expectations
2023-07-26 09:32:13 +02:00
Ian Lynagh
532552a7ac
Merge pull request #13751 from igfoo/igfoo/getCompilationInfo
...
Java: Improve the diagnostics consistency query
2023-07-25 16:54:17 +01:00
Stephan Brandauer
08f5774d13
Java: Automodel extraction fix for application mode
2023-07-25 17:11:07 +02:00
Stephan Brandauer
698b8d3c5c
Java: Automodel extraction fix; previously, we treated endpoints that were marked as sinks, as well as summary-neutrals as 'erroneous'
2023-07-25 16:52:27 +02:00
Tony Torralba
b8b38e4bbe
Java: Allow flow out of FieldValueNodes for non-static fields
2023-07-25 15:37:41 +02:00
Tony Torralba
c9fc5a54c7
Remove generated sinks and sources
2023-07-25 14:42:32 +02:00
Stephan Brandauer
2582b084f6
Merge pull request #13747 from github/tausbn/exclude-qualifier-argument-for-existing-models
...
Java: Exclude qualifier argument for existing models
2023-07-24 16:26:33 +02:00
Stephan Brandauer
13027a1094
Java: review suggestions from @atorralba
2023-07-24 14:09:10 +02:00
Stephan Brandauer
2f2f507a5d
Java: drive-by change: remove obsolete custom queries from application mode characteristics
2023-07-24 13:55:53 +02:00
Tony Torralba
6c0d47f122
Update java/ql/lib/semmle/code/java/frameworks/InputStream.qll
...
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2023-07-24 08:49:37 +02:00
Tony Torralba
4e7438ac5c
Make sure that InputStreamWrapperCapturedLocalStep is indeed local
2023-07-24 08:49:37 +02:00
Tony Torralba
d3b3af8ae6
Re-adds jump step
...
Note that this causes FP flow in the call context test cases
2023-07-24 08:49:37 +02:00
Tony Torralba
36ff54b48b
Convert jump step into local step
...
Note that this has FNs in the test cases where the source is used locally in the nested classes' methods
2023-07-24 08:49:37 +02:00
Tony Torralba
cc5a404149
Add more test cases
2023-07-24 08:49:36 +02:00
Tony Torralba
226103b246
Add local class test
2023-07-24 08:49:36 +02:00
Tony Torralba
f054f73836
Apply suggestions from code review
...
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2023-07-24 08:49:36 +02:00
Tony Torralba
1de68457ae
Move steps to InputStream.qll
2023-07-24 08:49:36 +02:00
Tony Torralba
0156fcc381
Apply suggestions from code review
...
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2023-07-24 08:49:36 +02:00
Tony Torralba
3a6665b0ed
Add change note
2023-07-24 08:49:36 +02:00
Tony Torralba
5330ce12cc
Use new TypeInputStream
2023-07-24 08:49:34 +02:00
Tony Torralba
00e0e5a61a
Java: Add taint step for InputStream wrappers
2023-07-24 08:48:04 +02:00
github-actions[bot]
419bbbc9ac
Add changed framework coverage reports
2023-07-24 00:17:53 +00:00
github-actions[bot]
f91b7a9342
Post-release preparation for codeql-cli-2.14.1
2023-07-21 16:16:25 +00:00
Stephan Brandauer
79da723878
Java: only assume that _manual_ MaD sinks have been fully modeled
2023-07-21 10:43:07 +02:00
Tony Torralba
3d515b18df
Merge pull request #13769 from atorralba/atorralba/java/avoid-inputstream-low-confidence-dispatch
...
Java: Avoid low-confidence dispatch to InputStream methods
2023-07-21 10:42:34 +02:00
github-actions[bot]
c936a920b0
Release preparation for version 2.14.1
2023-07-20 16:32:27 +00:00
Tony Torralba
238cb26624
Add change note
2023-07-19 15:37:33 +02:00
Tony Torralba
29543f5726
Change InputStream.read from neutral to summary
2023-07-19 14:44:18 +02:00
Anders Schack-Mulligen
a9c76d4175
Merge pull request #13717 from aschackmull/dataflow/neverskipadditionalsteps
...
Dataflow: Add support for not skipping configuration-specific nodes in big-step
2023-07-19 14:06:54 +02:00
Stephan Brandauer
5575fc65aa
Merge pull request #13636 from github/tausbn/add-sink-alert-metrics-query
...
Java: Add metric queries for counting sinks coming from models
2023-07-19 13:12:32 +02:00
Anders Schack-Mulligen
e72a0b2f8c
Dataflow: Add change notes.
2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen
ae24d68b5d
C/C++/C#/Java/Python/Ruby/Swift: Adjust expected output.
2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen
95d17045c9
Dataflow: Sync.
2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen
fd83b6afdb
Dataflow: Add support for not skipping configuration-specific nodes in big-step.
2023-07-19 11:41:15 +02:00
Tony Torralba
2dbbcc2413
Java: Avoid low-confidence dispatch to InputStream methods
...
Also adds a neutral model for `InputStream.read`, which offers a high-confidence alternative for this method.
2023-07-19 11:30:53 +02:00
Paul Hodgkinson
c7084b6d8e
Merge branch 'main' into java/experimental/command-injection
2023-07-18 11:38:44 +01:00
Anders Schack-Mulligen
e72366194b
Merge pull request #13754 from aschackmull/java/remotesource-inbarrier
...
Java: Exclude source-to-source flow in 5 queries.
2023-07-18 10:33:44 +02:00
Ian Lynagh
8a0286ec34
Java: Improve the diagnostics consistency query
...
Diagnostics can be easier to read if you see them in the order in which
they were generated. By selecting the compilation and indexes, they get
sorted by the testsuite driver.
d.getCompilationInfo(c, f, i) would be a bit more natural as
d = c.getDiagnostic(f, i), but currently we don't import Diagnostic into
the default ('import java') namespace, and I don't think it's worth
changing that for this.
2023-07-17 15:37:05 +01:00