6312 Commits

Author	SHA1	Message	Date
Napalys Klicius	5bb29b6e33	Now flags only .pipe calls which have an error somewhere down the stream, but not on the source stream.	2025-05-28 17:17:43 +02:00
github-actions[bot]	d2c6875eac	Post-release preparation for codeql-cli-2.21.4	2025-05-27 18:16:21 +00:00
github-actions[bot]	bfb91e95e3	Release preparation for version 2.21.4	2025-05-27 17:22:05 +00:00
Napalys Klicius	5214cc0407	Excluded ngrx, datorama, angular, react and langchain from stream pipe query.	2025-05-27 09:45:37 +02:00
Napalys Klicius	1f6b3ad929	Update javascript/ql/src/codeql-suites/javascript-security-and-quality.qls ... Co-authored-by: Michael Nebel <michaelnebel@github.com>	2025-05-27 09:38:24 +02:00
Napalys Klicius	e964b175e6	Added maintainability and error-handling tags	2025-05-26 14:23:20 +02:00
Napalys Klicius	37024ade85	JS: Move query suite selector logic to javascript-security-and-quality.qls	2025-05-26 11:00:48 +02:00
Napalys Klicius	000e69fd48	Replaced fuzzy NonNodeStream MaD to a ql predicate to deal easier with submodules	2025-05-23 13:55:40 +02:00
Napalys Klicius	248f83c4db	Added qhelp for UnhandledStreamPipe query	2025-05-23 13:35:36 +02:00
Napalys Klicius	b10a9481f3	Fixed false positives from strapi and rxjs/testing as well as when one passes function as second arg to pipe	2025-05-22 18:50:02 +02:00
Napalys Klicius	ac24fdd348	Add predicate to detect non-stream-like usage in sources of pipe calls	2025-05-22 18:49:59 +02:00
Napalys Klicius	5b1af0c0bd	Added detection of custom gulp-plumber sanitizer, thus one would not flag such instances.	2025-05-22 18:49:53 +02:00
Asger F	9202a1b084	Merge pull request #19516 from asgerf/js/npm-package-name-join ... JS: More efficient nested package naming	2025-05-22 12:46:43 +02:00
Napalys Klicius	09220fce84	Fixed issue where pipe calls from rxjs package would been identified as pipe calls on streams	2025-05-22 12:33:36 +02:00
Napalys Klicius	d7f86db76c	Enhance PipeCall to exclude non-function and non-object arguments in pipe method detection	2025-05-22 12:31:27 +02:00
Napalys Klicius	4332de464a	Eliminate false positives by detecting non-stream objects returned from pipe() calls based on accessed properties	2025-05-22 12:31:26 +02:00
Napalys Klicius	03d1f9a7d3	Restrict pipe detection to calls with 1-2 arguments	2025-05-21 11:41:22 +02:00
Napalys Klicius	30f2815503	Fixed issue where a custom pipe method which returns non stream would be flagged by the query	2025-05-21 11:41:19 +02:00
Napalys Klicius	ef1bde554a	Fixed issue where streams would not be tracked via chainable methods	2025-05-21 11:40:35 +02:00
Napalys Klicius	c27157f021	Add UnhandledStreamPipee Quality query and tests to detect missing error handlers in Node.js streams	2025-05-21 11:38:57 +02:00
Asger F	d644f80921	JS: Remove obsolete meta query	2025-05-20 16:20:49 +02:00
Asger F	6ac35f1c66	JS: Use in MissingAwait	2025-05-20 13:20:13 +02:00
Asger F	5064cd5d94	JS: Exclude externs from CallGraph meta-query	2025-05-20 13:19:48 +02:00
Asger F	317e61d370	JS: Update UnresolvableImports to handle nested packages	2025-05-19 12:53:19 +02:00
Michael Nebel	dabeddb62d	Add change-notes.	2025-05-19 09:26:49 +02:00
Michael Nebel	03ecd24469	Lower the precision of a range of harcoded password queries to remove them from query suites.	2025-05-19 09:26:45 +02:00
github-actions[bot]	5f9dd75d7d	Post-release preparation for codeql-cli-2.21.3	2025-05-13 21:49:43 +00:00
github-actions[bot]	2de4a01c86	Release preparation for version 2.21.3	2025-05-13 21:14:27 +00:00
Asger F	169ae19015	Merge pull request #19391 from asgerf/js/typescript-path-resolution ... JS: Overhaul import resolution	2025-05-13 15:46:38 +02:00
Napalys Klicius	d1e769ba54	Merge pull request #19422 from Napalys/js/shelljs ... JS: Modeling of `ShellJS` functions	2025-05-02 14:18:44 +02:00
Tamás Vajk	cb1c3736fe	Merge pull request #19413 from tamasvajk/quality/query-suite-selector ... Add code quality suite selector and use that in the code quality suites	2025-05-02 08:18:48 +02:00
Owen Mansel-Chan	0863c87572	Add change notes	2025-05-01 10:33:24 +01:00
Napalys Klicius	d4b5ef6a66	Refactor process.env handling in CleartextLogging and IndirectCommandInjection modules to use ThreatModelSource	2025-05-01 11:14:15 +02:00
Owen Mansel-Chan	cf614a596d	Fix cwe tags to include leading zero	2025-04-30 16:43:03 +01:00
Asger F	8ebbfb198e	Merge pull request #19412 from asgerf/js/promise-all ... JS: Better type-tracking through Promise.all()	2025-04-30 14:19:12 +02:00
Asger F	da5d799152	JS: Change note	2025-04-30 11:59:47 +02:00
Tamas Vajk	d56c5225f6	Use code-quality-selectors in JS suite	2025-04-29 16:23:08 +02:00
Asger F	ed2a832a55	JS: Deprecate PathExpr and related classes	2025-04-29 13:23:47 +02:00
github-actions[bot]	2e0699ab2b	Post-release preparation for codeql-cli-2.21.2	2025-04-28 14:03:28 +00:00
github-actions[bot]	625354c46e	Release preparation for version 2.21.2	2025-04-28 10:55:22 +00:00
github-actions[bot]	d78736b1bf	Post-release preparation for codeql-cli-2.21.1	2025-04-15 16:33:15 +00:00
github-actions[bot]	b961c5961d	Release preparation for version 2.21.1	2025-04-14 09:53:06 +00:00
Napalys Klicius	d17d29a387	Merge pull request #19218 from Napalys/js/upgrade_websocket ... JS: Refactor `WebSocket` to use `API` graphs	2025-04-11 10:05:54 +02:00
Asger F	eac14b9837	Merge pull request #19200 from asgerf/js/web-response ... JS: Add sinks for calls to 'new Response()'	2025-04-10 14:41:32 +02:00
Asger F	3da1f261f7	JS: Change note	2025-04-10 07:21:48 +02:00
Asger F	da7d6d3346	JS: Change note	2025-04-09 11:28:21 +02:00
Napalys	e16a20e69f	Updated SocketClass to use API Graphs.	2025-04-04 08:47:27 +02:00
Asger F	bb15f30ef6	Merge pull request #19192 from asgerf/js/name-resolution-independent-fixes ... JS: Some preliminary fixes from name resolution branch	2025-04-03 09:36:02 +02:00
Jon Janego	d8ef4fc25d	Update javascript/ql/src/Expressions/ExprHasNoEffect.ql ... Co-authored-by: Napalys Klicius <napalys@github.com>	2025-04-02 10:22:27 -05:00
Asger F	6c3bc941c5	Merge branch 'main' into js/name-resolution-independent-fixes	2025-04-02 14:15:44 +02:00