tiferet
f5109be2ac
Bug fixes
2023-03-14 12:49:27 -07:00
tiferet
c14a4c4d93
Add an implementation of TaintedPathATM.qll and corresponding positive EndpointCharacteristic in Java
2023-03-14 12:49:27 -07:00
tiferet
4546dbe51b
Subsample negative examples to 1% to prevent huge numbers.
2023-03-14 12:49:26 -07:00
tiferet
5d62dc3d2e
Add a Java NotASinkCharacteristic safe external API method
2023-03-14 12:49:26 -07:00
tiferet
0acd06a6d3
Add queries to surface high-confidence Java sinks and non-sinks to use as examples in the codex prompt.
2023-03-14 12:49:26 -07:00
tiferet
04abb87fef
Rewrite ExtractSinkCandidatesWithFlow.ql as a problem query so we can run it with codeql database analyze to output SARIF results.
2023-03-14 12:49:26 -07:00
tiferet
5dc5c3fb3f
Add a couple of endpoint filters for Java
2023-03-14 12:49:26 -07:00
tiferet
653b0128f5
Try implementing SqlInjectionATM.qll in Java
2023-03-14 12:49:26 -07:00
tiferet
c0f58371b4
Start making the additions needed to surface candidate Java sinks for codex classification outside the evaluator.
2023-03-14 12:49:26 -07:00
tiferet
cf289d57e9
Go back to the prompt of https://github.com/github/codeql-dca-main/issues/9475
2023-03-14 12:49:26 -07:00
tiferet
459050151a
Give more explicit instructions in the codex prompt, but don't solicit rare sink types.
2023-03-14 12:49:26 -07:00
tiferet
01979aeb62
Give more explicit instructions in the codex prompt.
2023-03-14 12:49:26 -07:00
tiferet
ef95f4c419
Minor prompt improvements:
- Tell codex explicitly that this is JavaScript code
- Replace "Dataflow node" with "Code snippet"
2023-03-14 12:49:26 -07:00
tiferet
ac5434b3f3
Minor prompt improvements:
Remove spaces that break the code syntax or make for strange code styling.
2023-03-14 12:49:26 -07:00
tiferet
ce17d94f80
In-line predicates that are costing a lot of compute time
2023-03-14 12:49:26 -07:00
tiferet
bcc4cdd376
Add a test that can be used to determine the alerts codex will surface for each query.
2023-03-14 12:49:25 -07:00
tiferet
9aba7a0bca
Bug fixes for things that interfere with using the codex model
2023-03-14 12:49:25 -07:00
tiferet
9a21539fca
Add a test that can be used to determine how well codex reproduces the manual modeling for each sink type.
2023-03-14 12:49:25 -07:00
tiferet
d76d11bd27
Fix endpointScores
2023-03-14 12:49:25 -07:00
tiferet
4603a66411
Bug fix in selecting a node's location:
Locations only exist where there are locatable structures in the DB. Thus, select the largest location that contains the node and at most `neighborhoodSize` lines before and after the node.
2023-03-14 12:49:25 -07:00
tiferet
b130b2e82f
Give endpoint types more intuitive names and then use those names directly in composing the codex prompt.
2023-03-14 12:49:25 -07:00
tiferet
94676ed713
Further improve the structure of endpoint scoring
2023-03-14 12:49:25 -07:00
tiferet
4ed57e71db
Remove tokens from the prompt that the Java side can't handle
2023-03-14 12:49:25 -07:00
tiferet
12def779e6
Change the prompt to use sink names defined in EndpointType
2023-03-14 12:49:25 -07:00
tiferet
a6c01042eb
Improve the structure of endpoint scoring
2023-03-14 12:49:25 -07:00
tiferet
fa36fc838b
Pull in the prompt work from branch tiferet/codex-prompt
2023-03-14 12:49:25 -07:00
tiferet
09bf2218d4
Merge in aeisenberg/atm-codex
2023-03-14 12:49:24 -07:00
Harry Maclean
aaeb8a0aa0
Merge pull request #12493 from hmac/ar-sinks
2023-03-15 07:59:07 +13:00
Geoffrey White
959f93a766
Merge pull request #12520 from geoffw0/basetypefix
Swift: Fix result type of NominalType.getABaseType.
2023-03-14 18:23:54 +00:00
Geoffrey White
a391c01d36
Swift: Fix result type of NominalType.getABaseType.
2023-03-14 17:36:30 +00:00
Anders Schack-Mulligen
30163e4f60
Merge pull request #12515 from aschackmull/java/neutral-dispatch
Java: Remove low-confidence dispatch to known neutrals.
2023-03-14 15:35:05 +01:00
Tom Hvitved
c132891669
Merge pull request #12513 from hvitved/dataflow/lambda-flow-no-expects-content
Data flow: Exclude `expectsContent` nodes from lambda flow
2023-03-14 15:28:35 +01:00
Asger F
feb7c49006
Merge pull request #12382 from asgerf/js/import-assertion
JS: Support import assertions
2023-03-14 14:56:32 +01:00
Ian Lynagh
32e8b130ad
Merge pull request #12501 from tamasvajk/java/javadoc_printast
Java: Fix printAST to handle javadoc belonging to multiple elements
2023-03-14 13:42:22 +00:00
Anders Schack-Mulligen
a9d2b936af
Java: Add qldoc.
2023-03-14 14:15:15 +01:00
Asger F
d953ad63fe
Merge pull request #12445 from asgerf/js/react-forward-ref
JS: Handle forwardRef in React
2023-03-14 13:21:16 +01:00
Asger F
d74da30fc7
JS: Include trap test for trailing commas
2023-03-14 13:15:12 +01:00
Asger F
8ab3f39b5e
Merge pull request #12423 from asgerf/js/trusted-types-global-flow
JS: Track trusted types policy callbacks
2023-03-14 13:09:50 +01:00
Paolo Tranquilli
5ff7a898a6
Merge pull request #12516 from github/redsun82/swift-specialize-generic-decl
Swift: make `AnyGenericType::getDecl`'s type more specific
2023-03-14 12:23:02 +01:00
AlexDenisov
decd5c1ae7
Merge pull request #12508 from github/redsun82/swift-deduplication-test
Swift: add an initial draft for a deduplication test
2023-03-14 11:56:23 +01:00
Paolo Tranquilli
54b6c6f8f7
Swift: make AnyGenericType::getDecl's type more specific
As shown by the extractor's code not needing any change, the DB values
already had that more specific type, which is why the upgrade/downgrade
scripts are actually no-ops.
2023-03-14 11:49:07 +01:00
Anders Schack-Mulligen
dbfc256f40
Java: Remove low-confidence dispatch to known neutrals.
2023-03-14 11:34:07 +01:00
Paolo Tranquilli
91ce88e2d9
Swift: make deduplication test cross-platform
2023-03-14 11:24:03 +01:00
Edward Minnix III
de1ecf943e
Merge pull request #11915 from egregius313/egregius313/arbitrary-apk-installation
Java: Arbitrary APK installation
2023-03-14 06:23:51 -04:00
Paolo Tranquilli
cc608f764d
Swift: add missing include
2023-03-14 11:23:33 +01:00
Tony Torralba
dd0723c36b
Merge pull request #12511 from github/workflow/coverage/update
Update CSV framework coverage reports
2023-03-14 10:05:32 +01:00
Tom Hvitved
bdd56f1b6e
Data flow: Sync files
2023-03-14 10:01:56 +01:00
Tom Hvitved
8dd99b951b
Data flow: Exclude expectsContent nodes from lambda flow
2023-03-14 10:01:11 +01:00
Tom Hvitved
08557974ae
Merge pull request #12499 from hvitved/ruby/more-constructor-flow
Ruby: Add missing flow through `self.new` constructor calls
2023-03-14 09:14:42 +01:00
Erik Krogh Kristensen
04f422ea5d
Merge pull request #12047 from erik-krogh/py-shell
Py: add unsafe-shell-command-construction
2023-03-14 07:48:38 +01:00