hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
50,611 Commits 1,673 Branches 157 Tags
ea4c2e432100cb15e4ad5448d02c36153a6f9f95
Commit Graph

116 Commits

Author SHA1 Message Date
Owen Mansel-Chan
71aeeee7c8 Accept trivial change to test output 
In the `subpaths` section, the last node is now printed without its type
if it is the sink of the path.

This comes from the commit "Dataflow: Bugfix: include subpaths ending at
a sink. " in https://github.com/github/codeql/pull/7526
 2022-11-17 14:27:06 +00:00
Owen Mansel-Chan
f2e2c02db6 Rename predicates to avoid clashes 2022-11-17 14:27:06 +00:00
Owen Mansel-Chan
83a3af2fff Go: Summarized Callable 
Corresponds to https://github.com/github/codeql/pull/9270
 2022-11-17 14:27:04 +00:00
Owen Mansel-Chan
10ed4ad3df Go: Split summaryThroughStep into two predicates 
Cf. https://github.com/github/codeql/pull/9195
 2022-11-17 14:27:04 +00:00
Dave Bartolomeo
9d5e5e3ee7 ${workspace} all the things 2022-11-01 13:29:05 -04:00
Arthur Baars
aba87a139d Merge pull request #10668 from aibaars/ruby-deps 
Ruby: update dependencies
 2022-11-01 13:55:42 +01:00
erik-krogh
84a7fddd95 remove explicit versions in lock files, as the dependencies are all installed locally 2022-11-01 09:09:26 +01:00
Chris Smowton
3573e211cc Correct test expectations 2022-10-29 11:40:58 +01:00
Chris Smowton
5c66d87ed6 gofmt 2022-10-29 11:40:57 +01:00
Chris Smowton
0c6c135967 Go: exclude protobuf read steps from cleartext-logging query 
This query already treats structs differently to usual: it includes field -> whole struct taint steps, but explicitly excludes struct -> field steps. This means that a logging framework sinking an entire struct with a tainted field yields an alert, but we don't get FPs caused by writing field `x` but then reading field `y`.

However, protobuf messages have a special treatment, with taint usually associated with the whole struct and getter methods propagating that taint out. Suppressing these getter method steps specifically for the cleartext-logging query mirrors its treatment of structs in general and avoids this sort of field-mismatch FP.

On the downside we will miss same-field propagation like `m.field = password; Log(m.GetField())` if we don't have source code for the implementation of `m`. However this is hopefully unusual since the typical use of protobufs is to serialize and deserialize, rather than using the struct as a general-purpose datastructure.
 2022-10-29 11:40:57 +01:00
Rasmus Wriedt Larsen
8628ff5e52 Merge pull request #10999 from RasmusWL/inline-fail-tag 
InlineExpectationsTest: Fail if missing `getARelevantTag`
 2022-10-28 10:35:49 +02:00
Rasmus Wriedt Larsen
fc7eb5b4fc InlineExpectationsTest: sync 2022-10-27 09:02:28 +02:00
Henry Mercer
c1984ea35f Go: Update expected output 2022-10-26 19:11:21 +01:00
Rasmus Wriedt Larsen
5e9897d150 InlineExpectationsTest: sync 2022-10-26 18:21:13 +02:00
Josh Soref
b1052992fe spelling: against 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:35 -04:00
erik-krogh
d5c45056bd fix some more style-guide violations in the alert-messages 2022-10-07 11:21:01 +02:00
Chris Smowton
812a5e5c74 Autoformat test.go 2022-10-06 14:08:56 +01:00
gregxsunday
9960d11042 added RequestBody source to Beego framework 2022-10-06 13:23:56 +02:00
erik-krogh
175d3acf4d reword alert-message go/user-controlled-bypass to avoid using "here" 2022-09-20 22:51:35 +02:00
erik-krogh
83bedc0320 be more specific about what the source is in go/suspicious-character-in-regex, which also avoids using "here" in the alert-message 2022-09-20 22:51:35 +02:00
erik-krogh
1be14962a0 use "depends to" for a taint-tracking query 2022-09-20 22:51:35 +02:00
erik-krogh
c241185c21 avoid more instances of "this location" and "here" in alert-messages 2022-09-20 22:51:35 +02:00
erik-krogh
2602a38d94 update expected test output 2022-09-20 22:51:35 +02:00
erik-krogh
26d8553f6e ensure consistent casing of names 2022-09-09 10:34:14 +02:00
Erik Krogh Kristensen
06afe9c0f4 Merge pull request #9816 from erik-krogh/msgConsis 
Make alert messages consistent across languages
 2022-08-25 15:20:01 +02:00
Ian Lynagh
b9a4b5ab9a Make *.qlref non-executable 2022-08-24 16:53:16 +01:00
erik-krogh
1c0f2251e2 Merge branch 'main' into msgConsis 2022-08-24 14:38:57 +02:00
Michael Nebel
2e273f2273 C#: Re-arange the import order, such that CsvValidation follows ExternalFlow directly. 2022-08-24 09:58:54 +02:00
Michael Nebel
37976d56bc C#/Java/Go/Swift: Move CsvValidation back into ExternalFlow. 2022-08-24 09:58:53 +02:00
Michael Nebel
37f01fe10e Go: Re-factor CSV validation into separate file. 2022-08-24 09:58:52 +02:00
erik-krogh
7e0bd5bde4 update expected output of tests 2022-08-22 21:41:47 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00
Chris Smowton
25195bb0ba Merge pull request #10103 from smowton/smowton/feature/golang-1.19-support 
Go: support go 1.19
 2022-08-22 16:49:11 +01:00
Chris Smowton
f3ef8510d3 Merge pull request #10093 from smowton/smowton/feature/java-singular-locations 
Java: pick an arbitrary representative location when an entity has many candidate locations.
 2022-08-22 09:32:43 +01:00
Chris Smowton
259b942fac Indent blocks that gofmt would mistake for markdown 
As of go 1.19 it will try to format markdown nicely, but in both these cases the formatting isn't supposed to be interpreted this way, so indent it to make it a preformatted block.
 2022-08-19 19:06:21 +01:00
Chris Smowton
8d20b9cf52 Use hasLocationInfo to match several Location fields at once 2022-08-19 19:03:17 +01:00
Chris Smowton
1ea7caf559 Fix join ordering in inline-expectations test 2022-08-19 18:17:22 +01:00
Chris Smowton
e2afc80aff Autoformat go 2022-08-19 10:29:45 +01:00
Chris Smowton
45f922b3f2 Add models for Go 1.19's new url.JoinPath and URL.JoinPath functions 2022-08-19 10:29:45 +01:00
Chris Smowton
6068f63e9e Add taint models for go 1.19's new fmt.Append functions 2022-08-19 10:29:45 +01:00
Chris Smowton
d2055283de Add models for go 1.19's new atomic pointer typex 2022-08-18 17:47:13 +01:00
Erik Krogh Kristensen
4f93f2b9ba Merge pull request #10076 from erik-krogh/ql-for-ql-fixes 
various QL-for-QL fixes
 2022-08-18 15:46:48 +02:00
Chris Smowton
3802deab70 Adjust test expectations re: reformatting 2022-08-17 17:31:27 +01:00
Chris Smowton
e33ddbdcfd Format go 2022-08-17 16:42:06 +01:00
Chris Smowton
077bae55fe Go: don't use WriteNode for channel writes 
I overlooked the fact that this has a WriteInstruction, which wasn't bound in the channel-write case, but somehow the evaluator discarded the implied cartesian product until last night's performance evaluation.

Rather than try to cram channel writes into WriteInstruction, just handle them as their own beast.
 2022-08-17 14:27:16 +01:00
erik-krogh
8066e39d07 delete some redundant imports 2022-08-17 13:50:04 +02:00
Chris Smowton
bf24d7886a Accept test changes 2022-08-10 18:10:02 +01:00
Anders Schack-Mulligen
df6d68b215 Merge pull request #9618 from aschackmull/dataflow/deprecate-barrierguard-class 
Dataflow: Deprecate BarrierGuard class
 2022-06-22 10:44:08 +02:00
Anders Schack-Mulligen
406f5b525b Go: Deprecate and replace BarrierGuard class 2022-06-20 15:46:27 +02:00
Rasmus Wriedt Larsen
b65a10d1ef Inline Expectation Tests: sync 2022-06-17 17:38:19 +02:00