hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,058 Commits 1,759 Branches 167 Tags
f912731cd4880aab09a3fb236ec7c558785f126e
Commit Graph

87058 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Anders Schack-Mulligen
f912731cd4 Merge pull request #21565 from aschackmull/csharp/cfg2 
C#: Replace CFG with the shared implementation
 2026-04-21 15:50:38 +02:00
Owen Mansel-Chan
6efb21314a Merge pull request #21523 from owen-mc/docs/mad/barriers 
Document models-as-data barriers and barrier guards and add change notes
 2026-04-21 13:49:19 +01:00
Owen Mansel-Chan
c91b5b3c2e Merge pull request #21650 from MarkLee131/fix/sensitive-log-fp-regex 
Java: reduce false positives in sensitive-log
 2026-04-21 13:48:32 +01:00
Anders Schack-Mulligen
67c0515d3c Cfg: Undo consistency check change. 2026-04-21 13:10:03 +02:00
Michael B. Gale
58e9bad0a0 Merge pull request #21737 from github/post-release-prep/codeql-cli-2.25.3 
Post-release preparation for codeql-cli-2.25.3
 2026-04-21 11:48:30 +02:00
Anders Schack-Mulligen
a2a4e8288e C#: Deprecate ControlFlowElement.getAControlFlowNode and remove some splitting quantification. 2026-04-21 11:14:05 +02:00
Anders Schack-Mulligen
9de02b7ae6 Cfg: Use consistent casing in additional node tags. 2026-04-21 10:56:10 +02:00
Jeroen Ketema
7f2a13bc7a Merge pull request #21728 from jketema/jketema/swift-6.3.1 
Swift: Update to Swift 6.3.1
 2026-04-20 19:33:08 +02:00
Jeroen Ketema
abd08440a1 Swift: Update to Swift 6.3.1 2026-04-20 16:30:29 +02:00
Jeroen Ketema
d5ded932d3 Merge pull request #21723 from jketema/swift-fixed-array 
Swift: Expose the generic arguments of `BuiltinFixedArrayType`s
 2026-04-20 16:17:41 +02:00
Taus
b108e173a5 Merge pull request #21695 from github/tausbn/python-add-support-for-pep-798 
Python: Add support for PEP-798
 2026-04-20 15:01:01 +02:00
Anders Schack-Mulligen
b6f50f5992 C#: Simplify. 2026-04-20 14:43:28 +02:00
Anders Schack-Mulligen
3ceb96a45f C#: Eliminate Completion.qll. 2026-04-20 14:43:28 +02:00
Anders Schack-Mulligen
e928c224ae C#/Cfg: Some simple review fixes. 2026-04-20 14:43:27 +02:00
github-actions[bot]
a0bab539bb Post-release preparation for codeql-cli-2.25.3 2026-04-20 12:40:34 +00:00
Owen Mansel-Chan
9f310c20f3 Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal 
Java: fix bug in partial path traversal
 2026-04-20 11:52:55 +01:00
Michael B. Gale
a73f7cb79d Merge pull request #21736 from github/release-prep/2.25.3 
Release preparation for version 2.25.3
 2026-04-20 12:29:07 +02:00
Michael B. Gale
abf374433b Merge changelog entries for cpp/implicit-function-declaration 2026-04-20 12:24:05 +02:00
Michael B. Gale
34b5dcfd5f Improve wording of actions note 2026-04-20 11:40:32 +02:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
MarkLee131
92d205d1a8 Use set literal for getCommonSensitiveInfoFPRegex 
Replace the five-way result = ... or result = ... disjunction with a
single equality on a set literal. Addresses the CodeQL style alert
"Use a set literal in place of or" reported by the self-scan on this
PR. Pure refactor, no semantic change.
 2026-04-19 23:29:07 -04:00
Owen Mansel-Chan
c6f641eac4 Add change note 
Co-authored-by: Copilot <copilot@github.com>
 2026-04-19 07:18:48 +01:00
Owen Mansel-Chan
6d4a3974ce Fix bug so += File.separator is recognized 2026-04-19 07:18:42 +01:00
Owen Mansel-Chan
6099c5d034 Add SPURIOUS test for += File.separator 2026-04-19 07:18:00 +01:00
Owen Mansel-Chan
63d20a54d4 Use inline expectations with second test 
Co-authored-by: Copilot <copilot@github.com>
 2026-04-19 07:17:05 +01:00
Owen Mansel-Chan
dca7046d8c Make inline expectation comments specify query 2026-04-18 10:35:15 +01:00
Owen Mansel-Chan
2764580cdf Merge pull request #21718 from chmodxxx/java/woodstox-xxe 
Java: Add XXE sink model for Woodstox WstxInputFactory
 2026-04-17 17:25:15 +01:00
Salah Baddou
fb2d53e72a Address review: inline Woodstox into XmlParsers, move changelog to lib 2026-04-17 18:46:51 +04:00
Salah Baddou
f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory 
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
 2026-04-17 18:46:51 +04:00
Taus
ac23e16786 Python: Move Python 3.15 data-flow tests to a separate file 
We won't be able to run these tests until Python 3.15 is actually out
(and our CI is using it), so it seemed easiest to just put them in their
own test directory.
 2026-04-17 13:16:46 +00:00
Owen Mansel-Chan
29b07d5d07 Merge pull request #21721 from owen-mc/go/remove-global-function-jump-step-from-local-flow 
Go: Remove global function step from local flow
 2026-04-17 14:09:16 +01:00
Tom Hvitved
14bdb62cf8 Merge pull request #21726 from hvitved/csharp/useless-to-string-fps 
C#: Fix FPs in `RedundantToStringCall.ql`
 2026-04-17 14:59:22 +02:00
Jeroen Ketema
3073c1c94c Merge pull request #21725 from github/jeongsoolee09/add-aligned-alloc-model 
Add models of various `aligned_alloc`s
 2026-04-17 14:31:25 +02:00
Owen Mansel-Chan
bc28e1726c Refactor to get rid of duplication 2026-04-17 13:24:16 +01:00
Taus
dc36609743 Python: Add data-flow tests 
Alas, all these demonstrate is that we already don't fully support the
desugared `yield from` form.
 2026-04-17 12:15:04 +00:00
Tom Hvitved
7bfdfbefa9 Add change note 2026-04-17 13:57:08 +02:00
Tom Hvitved
0235df8758 C#: Improve alert message for RedundantToStringCall.ql 2026-04-17 13:55:00 +02:00
Jeroen Ketema
e3b88cbad3 Swift: Fix change note 2026-04-17 13:29:24 +02:00
Jeroen Ketema
dd2440086f Swift: Add change note 2026-04-17 13:24:17 +02:00
Jeongsoo Lee
abec00cd34 Update cpp/ql/src/change-notes/2026-04-16-add-model-for-aligned-alloc.md 
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
 2026-04-17 07:08:38 -04:00
Owen Mansel-Chan
9f4fd7fab0 Remove a data flow consistency exclusion 
This is no longer needed.
 2026-04-17 11:27:36 +01:00
Paolo Tranquilli
5342cc79fb Merge pull request #21574 from github/redsun82/actions/remove-harden-runner-false-positive 
Remove false positive injection sink models for `docker/build-push-action` and `step-security/harden-runner`
 2026-04-17 09:43:45 +02:00
Tom Hvitved
426962e348 C#: Fix FPs in RedundantToStringCall.ql 2026-04-17 09:37:19 +02:00
Tom Hvitved
33e9c02079 C#: Add more tests for RedundantToStringCall.ql 2026-04-17 09:33:13 +02:00
jeongsoolee09
553ed103c3 Add a change note 2026-04-16 21:31:55 -04:00
jeongsoolee09
d2d594a8ff Add models of ::aligned_alloc, std::aligned_alloc, and bsl::aligned_alloc 2026-04-16 21:21:09 -04:00
Taus
6c675fcede Python: Consolidate duplicated code 2026-04-16 21:14:42 +00:00
Jeroen Ketema
efddfab564 Swift: Expose the generic arguments of BuiltinFixedArrays 2026-04-16 17:07:20 +02:00
Owen Mansel-Chan
73cc54c10d Use monospace instead of bold for quoted code 2026-04-16 12:35:38 +01:00
Owen Mansel-Chan
69c150d5f6 Use monospace instead of bold for predicate signatures 2026-04-16 12:34:47 +01:00