hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-15 03:54:02 +02:00
Code Issues Packages Projects Releases Wiki Activity
83,181 Commits 1,736 Branches 164 Tags
fad49ffbfb62ed0d0b5b3f3bbd006b00a818da36
Commit Graph

132 Commits

Author SHA1 Message Date
github-actions[bot]
a7a4e43991 Post-release preparation for codeql-cli-2.23.2 2025-09-29 15:10:19 +00:00
github-actions[bot]
d2130a589b Release preparation for version 2.23.2 2025-09-29 10:28:45 +00:00
github-actions[bot]
4e8343664f Post-release preparation for codeql-cli-2.23.1 2025-09-17 10:13:40 +00:00
github-actions[bot]
02a1b1efcb Release preparation for version 2.23.1 2025-09-16 14:14:42 +00:00
Michael Nebel
a9baf34629 Merge pull request #20324 from michaelnebel/actions/ql4ql 
Actions: Fix some Ql4Ql violations.
 2025-09-03 12:29:06 +02:00
Arthur Baars
0bb7fdccf6 Merge pull request #20347 from github/post-release-prep/codeql-cli-2.23.0 
Post-release preparation for codeql-cli-2.23.0
 2025-09-02 14:14:03 +02:00
github-actions[bot]
e8a2600a0c Post-release preparation for codeql-cli-2.23.0 2025-09-02 11:46:23 +00:00
github-actions[bot]
0bfa93828b Release preparation for version 2.23.0 2025-09-02 11:09:32 +00:00
Michael Nebel
64f9758c29 Actions: Fix some Ql4Ql violations. 2025-09-01 14:45:00 +02:00
Anders Schack-Mulligen
144e34c669 Shared: Use shared SuccessorType in shared Cfg and BasicBlock libs. 2025-09-01 13:43:32 +02:00
Anders Schack-Mulligen
92fcda3cc7 Actions: Use shared SuccessorType. 2025-09-01 12:56:08 +02:00
github-actions[bot]
42e3d31c49 Post-release preparation for codeql-cli-2.22.4 2025-08-18 14:42:42 +00:00
github-actions[bot]
90d29994c8 Release preparation for version 2.22.4 2025-08-18 14:06:09 +00:00
Nora Dimitrijević
126d24a522 [DIFF-INFORMED] Actions: EnvVarInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql#L35
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql#L46
 2025-08-15 11:11:12 +02:00
Nora Dimitrijević
f1445eb52f [DIFF-INFORMED] Actions: EnvPathInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql#L30
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql#L37
 2025-08-15 11:11:07 +02:00
Nora Dimitrijević
f1b995a736 [DIFF-INFORMED] Actions: CommandInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql#L24
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql#L28
 2025-08-15 11:11:03 +02:00
Nora Dimitrijević
418e4b4a3a [DIFF-INFORMED] Actions: CodeInjection 
Query: https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql#L46
 2025-08-15 11:10:58 +02:00
Nora Dimitrijević
bbda2902be [DIFF-INFORMED] Actions: ArtifactPoisoning 
Queries:
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql#L23
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql#L26
 2025-08-15 11:10:42 +02:00
Nora Dimitrijević
896819fdf3 [DIFF-INFORMED] Actions: ArgumentInjection 
Query:
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql#L23
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql#L27
 2025-08-15 11:10:14 +02:00
github-actions[bot]
fb4b0aac53 Post-release preparation for codeql-cli-2.22.3 2025-08-04 17:18:08 +00:00
github-actions[bot]
fd82aeb1f8 Release preparation for version 2.22.3 2025-08-04 15:47:57 +00:00
github-actions[bot]
37cc78255a Post-release preparation for codeql-cli-2.22.2 2025-07-22 14:22:20 +00:00
Nick Rolfe
43d14c28c2 Tweak changenotes 2025-07-22 15:06:09 +01:00
github-actions[bot]
997547b8ef Release preparation for version 2.22.2 2025-07-22 14:04:14 +00:00
Nick Rolfe
825c813095 Revert "Release preparation for version 2.22.2" 2025-07-22 14:33:45 +01:00
Nick Rolfe
74cd982aca Tweak changenotes 2025-07-22 09:51:52 +01:00
github-actions[bot]
c8632b70b7 Release preparation for version 2.22.2 2025-07-21 16:45:45 +00:00
Nick Rolfe
ad9b637bec Revert "Merge pull request #19994 from github/post-release-prep/codeql-cli-2.22.2" 
This reverts commit e5b4a15e35, reversing
changes made to 33e63109bb.
 2025-07-21 15:18:59 +01:00
AdnaneKhan
6ac0f0e031 Fix change note filename. 2025-07-11 12:11:58 -04:00
Adnan Khan
7be938c6c3 Handle multiple whitespaces in runner temp regex. 
Co-authored-by: Napalys Klicius <napalys@github.com>
 2025-07-10 12:22:14 -04:00
Adnan Khan
db954d6d9f Merge branch 'main' into patch-1 2025-07-08 23:31:35 -07:00
Jaroslav Lobačevski
9393181c4e Add tests and path normalization fix to handle $ expansion 2025-07-08 16:18:12 +00:00
AdnaneKhan
5d6a5d5cbb Add change notes and test workflow file. 2025-07-08 10:35:39 -04:00
Adnan Khan
f4f919635a Correctly specify regex. 
Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
 2025-07-08 10:17:29 -04:00
github-actions[bot]
24a0ac1223 Post-release preparation for codeql-cli-2.22.2 2025-07-07 18:15:04 +00:00
github-actions[bot]
f12daefabe Release preparation for version 2.22.2 2025-07-07 14:00:26 +00:00
github-actions[bot]
6972c7a872 Post-release preparation for codeql-cli-2.22.1 2025-06-24 12:55:14 +00:00
github-actions[bot]
3e074b2425 Release preparation for version 2.22.1 2025-06-24 08:55:31 +00:00
Nora Dimitrijević
fc61910df1 Actions: mass-add none() location overrides 2025-06-17 17:00:19 +02:00
Nora Dimitrijević
f2bd454e99 Actions: mass enable diff-informed data flow 
An auto-generated patch that enables diff-informed data flow in the obvious cases.

Builds on https://github.com/github/codeql/pull/18346 and https://github.com/github/codeql-patch/pull/88
 2025-06-11 19:10:11 +02:00
Aditya Sharad
d659d40d58 Merge pull request #19701 from adityasharad/actions/bash-parsing-ranking-performance 
Actions: Improve Bash parsing performance on command and string interpolations
 2025-06-11 00:59:19 +05:30
github-actions[bot]
21463a9653 Post-release preparation for codeql-cli-2.22.0 2025-06-09 18:50:20 +00:00
github-actions[bot]
88ba02edf8 Release preparation for version 2.22.0 2025-06-09 18:14:51 +00:00
Aditya Sharad
e48a7da827 Actions: Add change note for Bash parsing fixes 2025-06-09 09:56:41 -07:00
Aditya Sharad
848064e95a Actions: Order quoted strings by their ID, not text 
In the Bash parser, we compute a mostly-unique ID for each
quoted string within a shell script block.
Quoted strings are then ranked and referred to individually.

Avoid a performance bottleneck by ranking quoted strings by their
ID, not by their source text.
I think this was the original intent of the code.

Ranking by their original text ends up evaluating multiple
possible orderings, which is slow on workflows that contain
multiple complex quoted strings, such as JSON payloads.
 2025-06-09 09:15:45 -07:00
Aditya Sharad
fbe11cfca6 Actions: Refactor logic for identifying quoted strings 
Add some doc comments and meaningful variable names.
 2025-06-09 09:15:45 -07:00
Aditya Sharad
321513c89b Actions: Order command substitutions by their ID, not text 
In the Bash parser, we compute a mostly-unique ID for each
command substitution within a shell script block.
Commands are then ranked and referred to individually.

Avoid a performance bottleneck by ranking commands by their
ID, not by their source text.
I think this was the original intent of the code.
Ranking by their original text ends up evaluating multiple
possible orderings, which is slow on workflows that contain
multiple complex command substitutions.
 2025-06-09 08:39:58 -07:00
Aditya Sharad
39e710e805 Actions: Refactor logic for identifying command substitution 
Extract helper predicates for `$(...)` command interpolation
and backtick-quoted commands.
Add some doc comments and meaningful variable names.
 2025-06-09 08:37:40 -07:00
Chuan-kai Lin
631502e129 Merge branch 'main' into cklin/rc-3.18-mergeback 2025-06-09 07:19:40 -07:00
Chris Smowton
338d3834c4 Actions: Make Env non-abstract 
`class Env` was previously abstract with no concrete descendants, so user queries like `any(Env e | ...)` would never produce results.

In the JS library the corresponding class derived from `YamlNode` and has concrete descendants representing workflow-, job- and step-level `env` nodes. However these are dubiously useful since you can always just use `any(Step s).getEnv()` to achieve the same result. Since `EnvImpl` already fully characterises an `env` node, I simply make the class concrete.
 2025-06-05 10:21:24 +01:00