hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-21 14:47:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
51,324 Commits 1,758 Branches 167 Tags
ec5425d952cfdb41b39875a014d242cefc3ee3ab
Commit Graph

8914 Commits

Author SHA1 Message Date
tiferet
ec5425d952 When extracting positive and negative examples for the Java prompt, extract the data used in the MaD extensible predicate. 
This will enable the codex prompt to optionally use this data in additional columns.
 2023-03-14 12:49:28 -07:00
tiferet
7666843316 Resolve two TODO items 2023-03-14 12:49:28 -07:00
tiferet
e06bcc3112 Exclude negative examples that are type access nodes. 
These will never be on a flow path so they're not useful negative examples.
 2023-03-14 12:49:28 -07:00
tiferet
3229b37436 Increase diversity of negative prompt examples by creating finer sub-types 2023-03-14 12:49:28 -07:00
tiferet
559570419d If a node satisfies the logic for both isSink and isSanitizer, don't include it as a positive or negative example in the prompt, because it's too ambiguous and will confuse the model. 2023-03-14 12:49:28 -07:00
tiferet
844171a28e Simplify the definition of ExtractPositiveExamples.ql 2023-03-14 12:49:28 -07:00
tiferet
ecf4d4dc02 Avoid accidentally extracting positive prompt examples when there is a codex-generated data extension file in java/ql/lib/ext 2023-03-14 12:49:28 -07:00
tiferet
0d4e85ff93 Add a predicate that finds endpoints with logically-inconsistent characteristics, and exclude such endpoints from both positive and negative examples extracted for the codex prompt. 2023-03-14 12:49:28 -07:00
tiferet
1211197914 Fix codeql-pack.lock.yml so it's not looking for an ML model 2023-03-14 12:49:28 -07:00
tiferet
41df8df182 Typo fix 2023-03-14 12:49:28 -07:00
tiferet
125245aa62 Delete TODO items that are done 2023-03-14 12:49:28 -07:00
tiferet
8bb2b2eaea Have each EndpointType keep track of the sink/source kind for this endpoint type as used in Models as Data 2023-03-14 12:49:28 -07:00
tiferet
27efe524da Fix the extraction of data for the data extension YML file. 2023-03-14 12:49:28 -07:00
tiferet
ae4668c488 Add data needed for the data extension YML file to ExtractSinkCandidatesWithFlow.ql: first pass. 2023-03-14 12:49:28 -07:00
tiferet
3987d8d374 Small update to SafeExternalApiMethodCharacteristic 2023-03-14 12:49:28 -07:00
tiferet
fd75952c1e Improvements to ExtractSinkCandidatesWithFlow.ql 2023-03-14 12:49:28 -07:00
tiferet
4db0dec82e Minor improvement 2023-03-14 12:49:28 -07:00
tiferet
a73b52adef Improvements to ExtractSinkCandidatesWithFlow.ql 2023-03-14 12:49:28 -07:00
tiferet
39a4513fcc Delete the queries the Java team isn't currently interested in boosting 2023-03-14 12:49:28 -07:00
tiferet
3c44332f17 Move isFlowLikelyInBaseQuery to the ATMConfig and delete AdaptiveThreatModeling.qll 2023-03-14 12:49:27 -07:00
tiferet
06c7f1012c Rename request forgery sink to server-side request forgery sink 2023-03-14 12:49:27 -07:00
tiferet
9421ba5303 Add and implementation of request forgery sinks and corresponding positive EndpointCharacteristic in Java 2023-03-14 12:49:27 -07:00
tiferet
f5109be2ac Bug fixes 2023-03-14 12:49:27 -07:00
tiferet
c14a4c4d93 Add an implementation of TaintedPathATM.qll and corresponding positive EndpointCharacteristic in Java 2023-03-14 12:49:27 -07:00
tiferet
4546dbe51b Subsample negative examples to 1% to prevent huge numbers. 2023-03-14 12:49:26 -07:00
tiferet
5d62dc3d2e Add a Java NotASinkCharacteristic safe external API method 2023-03-14 12:49:26 -07:00
tiferet
0acd06a6d3 Add queries to surface high-confidence Java sinks and non-sinks to use as examples in the codex prompt. 2023-03-14 12:49:26 -07:00
tiferet
04abb87fef Rewrite ExtractSinkCandidatesWithFlow.ql as a problem query so we can run it with codeql database analyze to output SARIF results. 2023-03-14 12:49:26 -07:00
tiferet
5dc5c3fb3f Add a couple of endpoint filters for Java 2023-03-14 12:49:26 -07:00
tiferet
653b0128f5 Try implementing SqlInjectionATM.qll in Java 2023-03-14 12:49:26 -07:00
tiferet
c0f58371b4 Start making the additions needed to surface candidate Java sinks for codex classification outside the evaluator. 2023-03-14 12:49:26 -07:00
Anders Schack-Mulligen
30163e4f60 Merge pull request #12515 from aschackmull/java/neutral-dispatch 
Java: Remove low-confidence dispatch to known neutrals.
 2023-03-14 15:35:05 +01:00
Tom Hvitved
c132891669 Merge pull request #12513 from hvitved/dataflow/lambda-flow-no-expects-content 
Data flow: Exclude `expectsContent` nodes from lambda flow
 2023-03-14 15:28:35 +01:00
Ian Lynagh
32e8b130ad Merge pull request #12501 from tamasvajk/java/javadoc_printast 
Java: Fix printAST to handle javadoc belonging to multiple elements
 2023-03-14 13:42:22 +00:00
Anders Schack-Mulligen
a9d2b936af Java: Add qldoc. 2023-03-14 14:15:15 +01:00
Anders Schack-Mulligen
dbfc256f40 Java: Remove low-confidence dispatch to known neutrals. 2023-03-14 11:34:07 +01:00
Edward Minnix III
de1ecf943e Merge pull request #11915 from egregius313/egregius313/arbitrary-apk-installation 
Java: Arbitrary APK installation
 2023-03-14 06:23:51 -04:00
Tom Hvitved
bdd56f1b6e Data flow: Sync files 2023-03-14 10:01:56 +01:00
github-actions[bot]
2c93ab99d8 Add changed framework coverage reports 2023-03-14 00:15:57 +00:00
Anders Schack-Mulligen
5792b4d363 Merge pull request #12503 from aschackmull/java/qltest-callback-instance-sideeffect 
Java: Add a qltest demonstrating side-effect on a callback instance.
 2023-03-13 17:26:12 +01:00
Ian Lynagh
70b85a3e00 Merge pull request #12431 from igfoo/igfoo/double_interception 
Kotlin: Test double interceptions
 2023-03-13 14:30:49 +00:00
Tamas Vajk
c57fcfb8fb Java: Fix printAST to handle javadoc belonging to multiple elements 2023-03-13 14:26:33 +01:00
Tony Torralba
705691b096 Merge pull request #12446 from github/java/update-mad-decls-after-triage-2023-03-08T14-51-59 
Java: Update MaD Declarations after Triage
 2023-03-13 14:07:59 +01:00
Anders Schack-Mulligen
f54b02edb3 Java: Add a qltest demonstrating side-effect on a callback instance. 2023-03-13 13:22:18 +01:00
Anders Schack-Mulligen
0c95ab2cdc Merge pull request #12474 from hvitved/dataflow/call-back-post-update 
Data flow: Synthesize post-update nodes for callback arguments inside summarized callables
 2023-03-13 13:21:52 +01:00
Ian Lynagh
4fbc747f93 Kotlin: Move kotlin_double_interception test to posix_only 
It's failing on Windows
 2023-03-13 11:57:57 +00:00
Ian Lynagh
fd8f7e071b Kotlin: Tweak double_interception test 2023-03-13 11:57:57 +00:00
Ian Lynagh
fae4a8f37b Kotlin: double interception test: Fix for old python versions 2023-03-13 11:57:57 +00:00
Ian Lynagh
8b6047dfd1 Kotlin: Handle double-interceptions without failing 2023-03-13 11:57:57 +00:00
Ian Lynagh
81e71c4669 Kotlin: Add a test for double niterception 2023-03-13 11:57:57 +00:00