hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-01 13:23:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,600 Commits 1,697 Branches 161 Tags
e7bd435bee47533ffae33913a812667a018f53f7
Commit Graph

4600 Commits

Author SHA1 Message Date
Tom Hvitved
32f21d6d49 Merge pull request #20688 from hvitved/java/request-forgery-matches-sanitizer 
Java: Treat `x.matches(regexp)` as a sanitizer for request forgery
 2025-10-24 14:34:32 +02:00
Tom Hvitved
7a9cb64e2e Java: Treat x.matches(regexp) as a sanitizer for request forgery 2025-10-24 09:06:57 +02:00
Anders Schack-Mulligen
72d83cc966 ControlFlowReachability: Align the SSA signature with the one from shared SSA. 2025-10-23 10:57:21 +02:00
Anders Schack-Mulligen
f257c7a570 Guards: Align the SSA signature with the one from shared SSA. 2025-10-23 10:23:22 +02:00
Anders Schack-Mulligen
20147cdd2b Shared/Java: Rename ControlFlowReachability library. 2025-10-23 09:07:34 +02:00
Anders Schack-Mulligen
8a3f62b9b6 Merge pull request #20558 from aschackmull/csharp/guards3 
C#: Instantiate shared Guards and shared ControlFlowReachability and replace nullness
 2025-10-23 08:43:14 +02:00
REDMOND\brodes
b374ba3d0c Crypto: Updating java 'location' information to be just a location's toString to be more verbose/precise. 2025-10-21 11:48:37 -04:00
REDMOND\brodes
cc436e897d Merge branch 'santander-java-crypto-check' of https://github.com/bdrodes/codeql into santander-java-crypto-check 2025-10-20 15:24:40 -04:00
REDMOND\brodes
354effe829 Crypto: Missing hash algorithms for HMAC operations in jca. 2025-10-20 15:24:18 -04:00
Ben Rodes
2b683c210f Merge branch 'main' into santander-java-crypto-check 2025-10-18 17:56:43 -04:00
REDMOND\brodes
c01c060476 Crypto: more ID renaming to include "examples", fix singleton issues with ql-for-ql, use formatted test for WeakAsymmetricKeyGenSize (add post processing in the qlref), misc expected files updated (test passed locally but on rerun vscode reports failures, known bug with vscode unit tests). 2025-10-17 14:13:53 -04:00
REDMOND\brodes
b4ecb91c83 Crypto: Add missing cipher algorithms to JCA. Update node tests to account for missing cipher algorithms. 2025-10-17 13:38:47 -04:00
REDMOND\brodes
f480d90a68 Crypto: Add missing block mode JCA Models, add block mode unit tests 2025-10-17 13:13:14 -04:00
REDMOND\brodes
b9b0037e07 Crypto: Comment todo for observed missing modeled case. Tests for weak and unknown KDF iteration count. 2025-10-16 14:07:45 -04:00
REDMOND\brodes
a64a24d25d Crypto: Comment in Language.qll 2025-10-16 11:03:49 -04:00
REDMOND\brodes
25599e9b4b crypto: Update JCA model macs to take into consideration update calls (use prior pattern for signatures). Misc. bug fixes. 2025-10-15 16:25:36 -04:00
REDMOND\brodes
9a6aac1300 Crypto: To get unreferenced parameters as general sources for Java, I've included the caveat that if a function is called, all the calls appear to be in test files. 2025-10-15 14:20:16 -04:00
REDMOND\brodes
ee08385e31 Crytpo: Update JCA keyagreement to type conversion, XDH is a type of ECDH. 2025-10-15 08:06:19 -04:00
github-actions[bot]
6dd07790ac Post-release preparation for codeql-cli-2.23.3 2025-10-14 11:16:33 +00:00
github-actions[bot]
33542f7d40 Release preparation for version 2.23.3 2025-10-14 09:30:24 +00:00
REDMOND\brodes
76128ed8dc Crypto: Update InsecureIVorNonce to be a path problem. 2025-10-13 15:29:57 -04:00
REDMOND\brodes
08abdb8c85 Crypto: Adding a "javaConstant" concept to handle config files. 2025-10-13 12:03:41 -04:00
REDMOND\brodes
36673659ad Crypto: Weak asymmetric key gen size fixes and test. 2025-10-10 14:49:35 -04:00
Nicolas Will
fdba3acc4b Crypto: Fix QL-for-QL alert and auto-format 2025-10-09 13:59:51 +02:00
REDMOND\brodes
11e81395b5 Crypto: Updated default flows to use taint tracking (this is needed to fix false positives in the unknown IV/Nonce query). Add the unknown IV/Nonce query and associated test cases. Fix unknown IV/Nonce query to focus on cases where the oepration isn't known or the operation subtype is not encrypt or wrap. 2025-10-08 14:14:17 -04:00
REDMOND\brodes
83ff70bcd8 Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals. 2025-10-08 12:47:58 -04:00
REDMOND\brodes
bd34b6ce02 Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce 2025-10-08 11:41:21 -04:00
REDMOND\brodes
cf88e3f52d Crypto: Standardize naming where use of "family" and "type" have been used. Prefer 'type'. 2025-10-08 09:54:53 -04:00
Alex Eyers-Taylor
542bdf0792 Java: Use Overlay dataflow in java. 2025-10-07 17:52:12 +01:00
Alex Eyers-Taylor
c49e2ab2da DataFlow: Add code to do overlay informed dataflow. 2025-10-07 17:52:12 +01:00
Anders Schack-Mulligen
18e33b193e Merge pull request #20589 from aschackmull/java/array-entrypoint-read-taint 
Java: Allow taint-read-steps for array sources.
 2025-10-07 15:04:03 +02:00
Anders Schack-Mulligen
7dadbc43fb Java: Add change note. 2025-10-07 13:51:49 +02:00
Anders Schack-Mulligen
11665bea0a Java: Allow taint-read-steps for array sources. 2025-10-07 10:10:02 +02:00
Ben Rodes
b32a6407b9 Update java/ql/lib/experimental/quantum/JCA.qll 
Co-authored-by: Nicolas Will <nicolaswill@github.com>
 2025-10-06 09:04:19 -04:00
Nicolas Will
579da1dbd6 Fix QL-for-QL alerts 2025-10-06 14:45:45 +02:00
REDMOND\brodes
9fa30a3884 Crypto: Updating algorithm string literals and key generation algorithm literal sources to include signatures. 2025-10-03 18:09:27 -04:00
REDMOND\brodes
9c5765a48c Crypto: Add missing string constants for signature algorithms. 2025-10-03 17:17:07 -04:00
REDMOND\brodes
f1eb6511a7 Crypto: Add modeling for JCA signatures. Make consistent use of "unknown" or "other" for unrecognized types. 2025-10-03 12:07:37 -04:00
Anders Schack-Mulligen
ca7d56023a ControlFlow: Rename getAPhiInput to getAnInput. 2025-10-03 15:29:31 +02:00
REDMOND\brodes
a46bd4c4ca Crypto: JCA random number generation model. 2025-10-02 15:21:28 -04:00
Nicolas Will
4901cdf929 Crypto: Refactor and change casts to super 2025-10-02 18:43:38 +02:00
REDMOND\brodes
9673b81677 Crypto: Update JCA 'wihHmac" raw name to be the entire raw string, not just "Hmac" 2025-10-02 11:49:23 -04:00
REDMOND\brodes
704a06e1fa Crypto: Update JCA PBKDF2 modeling: 1) add further inheritance structures to make the inheritance decomposition and caveats clearer, and 2) use getConsumer to establish the hash and hmac consumer. Update the Model to expect hash node types specifically for HMAC getHashALgorithmOrUnknown. 2025-10-02 11:45:13 -04:00
REDMOND\brodes
850c1ec12d Crypto: Fix use of a member where a singleton set literal exists 2025-10-02 09:20:40 -04:00
REDMOND\brodes
b08533b322 Crypto: Fix missing output variable 2025-10-02 09:10:50 -04:00
REDMOND\brodes
c37b7c1389 Merge branch 'signature_model_refactor' of https://github.com/bdrodes/codeql into signature_model_refactor 2025-10-02 09:05:09 -04:00
REDMOND\brodes
38421cec94 Crypto: Missing casing fix for JCA classes 2025-10-02 09:04:23 -04:00
Ben Rodes
d251b3f9f7 Merge branch 'main' into signature_model_refactor 2025-10-02 09:02:34 -04:00
REDMOND\brodes
329a7dee1c Crypto: Fixing JCA class naming casing for PBKDF2 classes. 2025-10-02 09:02:17 -04:00
REDMOND\brodes
d49efefefa Crypto: Fix for non-monotonic recursion in JCA 2025-10-01 14:36:26 -04:00