hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-12 13:11:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,751 Commits 1,689 Branches 160 Tags
fe6b4330de779cc151d9170747544836e130cd0a
Commit Graph

4628 Commits

Author SHA1 Message Date
Owen Mansel-Chan
74dbafa553 Merge branch 'main' into java-mad-test 2025-10-28 13:28:35 +00:00
Nora Dimitrijević
a0975e7e19 Constrain location overrides to actual sources/sinks 2025-10-28 09:42:20 +01:00
Nora Dimitrijević
f24a6f64ab Java/WebviewDebugEnabledQuery 
java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
 2025-10-28 09:40:06 +01:00
Nora Dimitrijević
518c0818a4 Java/UnsafeDeserializationQuery 
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
 2025-10-28 09:40:03 +01:00
Nora Dimitrijević
4439322e88 Java/TempDirLocalInformationDisclosureQuery 
java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
 2025-10-28 09:40:01 +01:00
Nora Dimitrijević
2a889f4f98 Java/TaintedPermissionsCheckQuery 
java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
 2025-10-28 09:39:58 +01:00
Nora Dimitrijević
697f428eae Java/TaintedEnvironmentVariableQuery 
java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql
 2025-10-28 09:39:55 +01:00
Nora Dimitrijević
72a97773b1 Java/NumericCastTaintedQuery 
java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
 2025-10-28 09:39:52 +01:00
Nora Dimitrijević
247ae1d23c Java/MaybeBrokenCryptoAlgorithmQuery 
java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
 2025-10-28 09:39:50 +01:00
Nora Dimitrijević
eebff9c282 Java/ImproperValidationOfArrayConstructionFlow 
java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
 2025-10-28 09:39:47 +01:00
Nora Dimitrijević
9eeeec336e Java/ImproperValidationOfArrayConstructionCodeSpecifiedQuery 
java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
 2025-10-28 09:39:45 +01:00
Nora Dimitrijević
dc1dff98b0 Java/ConditionalBypass 
java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
 2025-10-28 09:39:42 +01:00
Nora Dimitrijević
4482e831d7 Java/CommandLineQuery 
85a4dd0325/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql

857b51be58/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

b6e56f26c7/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
 2025-10-28 09:39:39 +01:00
Nora Dimitrijević
b023880a0a Java/BrokenCryptoAlgorithmQuery 
java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
 2025-10-28 09:39:37 +01:00
Nora Dimitrijević
1129230e10 Java/ArithmeticUncontrolledQuery 
java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
 2025-10-28 09:39:34 +01:00
Nora Dimitrijević
a228936c63 Java/ArithmeticTainted 
java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
 2025-10-28 09:39:31 +01:00
Nora Dimitrijević
913550f408 Java/ArbitraryApkInstallationQuery 
java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
 2025-10-28 09:39:29 +01:00
Alexander Eyers-Taylor
227e1fcbde Merge pull request #20598 from github/alexet/overlay-query-libraries 
Java: Make some query libraries local.
 2025-10-27 17:52:27 +00:00
Tom Hvitved
32f21d6d49 Merge pull request #20688 from hvitved/java/request-forgery-matches-sanitizer 
Java: Treat `x.matches(regexp)` as a sanitizer for request forgery
 2025-10-24 14:34:32 +02:00
Tom Hvitved
7a9cb64e2e Java: Treat x.matches(regexp) as a sanitizer for request forgery 2025-10-24 09:06:57 +02:00
Anders Schack-Mulligen
72d83cc966 ControlFlowReachability: Align the SSA signature with the one from shared SSA. 2025-10-23 10:57:21 +02:00
Anders Schack-Mulligen
f257c7a570 Guards: Align the SSA signature with the one from shared SSA. 2025-10-23 10:23:22 +02:00
Anders Schack-Mulligen
20147cdd2b Shared/Java: Rename ControlFlowReachability library. 2025-10-23 09:07:34 +02:00
Anders Schack-Mulligen
8a3f62b9b6 Merge pull request #20558 from aschackmull/csharp/guards3 
C#: Instantiate shared Guards and shared ControlFlowReachability and replace nullness
 2025-10-23 08:43:14 +02:00
REDMOND\brodes
b374ba3d0c Crypto: Updating java 'location' information to be just a location's toString to be more verbose/precise. 2025-10-21 11:48:37 -04:00
REDMOND\brodes
cc436e897d Merge branch 'santander-java-crypto-check' of https://github.com/bdrodes/codeql into santander-java-crypto-check 2025-10-20 15:24:40 -04:00
REDMOND\brodes
354effe829 Crypto: Missing hash algorithms for HMAC operations in jca. 2025-10-20 15:24:18 -04:00
Ben Rodes
2b683c210f Merge branch 'main' into santander-java-crypto-check 2025-10-18 17:56:43 -04:00
REDMOND\brodes
c01c060476 Crypto: more ID renaming to include "examples", fix singleton issues with ql-for-ql, use formatted test for WeakAsymmetricKeyGenSize (add post processing in the qlref), misc expected files updated (test passed locally but on rerun vscode reports failures, known bug with vscode unit tests). 2025-10-17 14:13:53 -04:00
REDMOND\brodes
b4ecb91c83 Crypto: Add missing cipher algorithms to JCA. Update node tests to account for missing cipher algorithms. 2025-10-17 13:38:47 -04:00
REDMOND\brodes
f480d90a68 Crypto: Add missing block mode JCA Models, add block mode unit tests 2025-10-17 13:13:14 -04:00
REDMOND\brodes
b9b0037e07 Crypto: Comment todo for observed missing modeled case. Tests for weak and unknown KDF iteration count. 2025-10-16 14:07:45 -04:00
REDMOND\brodes
a64a24d25d Crypto: Comment in Language.qll 2025-10-16 11:03:49 -04:00
REDMOND\brodes
25599e9b4b crypto: Update JCA model macs to take into consideration update calls (use prior pattern for signatures). Misc. bug fixes. 2025-10-15 16:25:36 -04:00
REDMOND\brodes
9a6aac1300 Crypto: To get unreferenced parameters as general sources for Java, I've included the caveat that if a function is called, all the calls appear to be in test files. 2025-10-15 14:20:16 -04:00
REDMOND\brodes
ee08385e31 Crytpo: Update JCA keyagreement to type conversion, XDH is a type of ECDH. 2025-10-15 08:06:19 -04:00
github-actions[bot]
6dd07790ac Post-release preparation for codeql-cli-2.23.3 2025-10-14 11:16:33 +00:00
github-actions[bot]
33542f7d40 Release preparation for version 2.23.3 2025-10-14 09:30:24 +00:00
REDMOND\brodes
76128ed8dc Crypto: Update InsecureIVorNonce to be a path problem. 2025-10-13 15:29:57 -04:00
REDMOND\brodes
08abdb8c85 Crypto: Adding a "javaConstant" concept to handle config files. 2025-10-13 12:03:41 -04:00
REDMOND\brodes
36673659ad Crypto: Weak asymmetric key gen size fixes and test. 2025-10-10 14:49:35 -04:00
Nicolas Will
fdba3acc4b Crypto: Fix QL-for-QL alert and auto-format 2025-10-09 13:59:51 +02:00
REDMOND\brodes
11e81395b5 Crypto: Updated default flows to use taint tracking (this is needed to fix false positives in the unknown IV/Nonce query). Add the unknown IV/Nonce query and associated test cases. Fix unknown IV/Nonce query to focus on cases where the oepration isn't known or the operation subtype is not encrypt or wrap. 2025-10-08 14:14:17 -04:00
REDMOND\brodes
83ff70bcd8 Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals. 2025-10-08 12:47:58 -04:00
REDMOND\brodes
bd34b6ce02 Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce 2025-10-08 11:41:21 -04:00
REDMOND\brodes
cf88e3f52d Crypto: Standardize naming where use of "family" and "type" have been used. Prefer 'type'. 2025-10-08 09:54:53 -04:00
Alex Eyers-Taylor
77d4af153d Java: Make some query libraries local. 2025-10-07 18:24:37 +01:00
Alex Eyers-Taylor
542bdf0792 Java: Use Overlay dataflow in java. 2025-10-07 17:52:12 +01:00
Alex Eyers-Taylor
c49e2ab2da DataFlow: Add code to do overlay informed dataflow. 2025-10-07 17:52:12 +01:00
Anders Schack-Mulligen
18e33b193e Merge pull request #20589 from aschackmull/java/array-entrypoint-read-taint 
Java: Allow taint-read-steps for array sources.
 2025-10-07 15:04:03 +02:00