hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-21 10:24:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
49,367 Commits 1,684 Branches 158 Tags
codeql-cli/v2.12.1
Commit Graph

49367 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nora Dimitrijević
6eac4f52d9 C++: Accept Test Output 
Some tricky FPs are preserved in there.
 2022-09-30 00:13:23 +02:00
Nora Dimitrijević
a124dcf436 C++: Update QLDoc 
Arguably warning, not just recommendation; it may be a logic error.

TODO: What CWE/CVEs should I tag this with?
 2022-09-30 00:06:53 +02:00
Nora Dimitrijević
981a9798b8 C++: Update .qhelp with precision disclaimer. 2022-09-29 23:59:22 +02:00
Nora Dimitrijević
68b473377a C++: Fix QL-on-QL Redundant Cast warning 2022-09-29 23:19:49 +02:00
Nora Dimitrijević
2a046352ce C++: Simplify 2022-09-29 23:06:17 +02:00
erik-krogh
9f2d7dfb29 update expected output 2022-09-29 22:48:41 +02:00
Ed Minnix
2a2878fc7b Move text into paragraph tag 2022-09-29 16:33:22 -04:00
Ed Minnix
e3c0e6f52a Remove location link from alert message 
Follow the style suggestion from the github-code-scanning bot and remove
provider element from alert link
 2022-09-29 16:20:48 -04:00
Ed Minnix
90590429e3 Added change note for ContentProvider query 2022-09-29 16:17:52 -04:00
Robert Marsh
f17b563692 C++: handle interprocedural flows 
This currently copy-pastes some predicates from InvalidPointerDeref.ql.
Those should be moved to a library file in a followup
 2022-09-29 16:09:48 -04:00
Ed Minnix
29e34ac970 ContentProvider Incomplete Permissions Test Cases 2022-09-29 16:07:54 -04:00
erik-krogh
0a5ff1b79a recognize another kind of dummy passwords to fix an FP in hardcoded-credentials 2022-09-29 21:25:40 +02:00
yoff
8ab5617b51 Merge pull request #10539 from yoff/python/improve-API-graphs 
Python: add subscript to API graphs
 2022-09-29 21:05:22 +02:00
Mathias Vorreiter Pedersen
2a514d60d4 C++: Add 'isBarrierIn' to prevent path duplication. 2022-09-29 19:55:58 +01:00
Mathias Vorreiter Pedersen
d12a76559a C++: Use the new class in 'cpp/invalid-pointer-deref'. 2022-09-29 19:54:03 +01:00
Mathias Vorreiter Pedersen
a9710453f4 C++: Add class with heuristics to detect allocations. 2022-09-29 19:54:03 +01:00
Ed Minnix
f2bda1525a Revert "Android ContentProvider.openFile does not check mode initital commit" 
This reverts commit e37f62bb5e.

The MisconfiguedContentProviderUse.ql file provided a sample query which
will be useful in future checks for CVE-2021-41166, but is not needed
for the current manifest-focused check
 2022-09-29 14:43:18 -04:00
Rasmus Lerchedahl Petersen
84ab860600 python: rewrite type tracker for ldap operations 
There are several other clean ups I would like to do in this file,
but this can wait until we promote the query.
 2022-09-29 20:32:19 +02:00
Rasmus Lerchedahl Petersen
0654e39e72 python: rewrite type tracker for compiled regexes 
we have the option to use `regex.getAValueReachingSink`
rather than `regex.asSink`, but it will likely be used as a
sink for data flow.
 2022-09-29 20:30:29 +02:00
James Fletcher
7ffbc738fb Merge pull request #10632 from jf205/lgtm-updates 
Remove a mentions of LGTM.com from the README and style guides
 2022-09-29 19:29:32 +01:00
Ed Minnix
e72963986f Moved Android manifest incomplete permission logic into library 2022-09-29 14:06:18 -04:00
Ed Minnix
dedd29e1b3 Incomplete Android content provider permissions documentation 2022-09-29 14:05:18 -04:00
Robert Marsh
99d7512881 C++: tests for constant-size off-by-one query 2022-09-29 13:33:13 -04:00
Ian Lynagh
f1f205555a Kotlin: Add a ministdlib test 
This should make it easier to diagnose certain kinds of problems.
 2022-09-29 18:19:50 +01:00
Henry Mercer
35e9e7d233 Merge pull request #10613 from github/henrymercer/atm-update-expected-output 
ATM: Update expected test output
 2022-09-29 17:57:51 +01:00
Nora Dimitrijević
891bc342be C++: Fix another implicit/explicit this FP 2022-09-29 18:42:23 +02:00
James Fletcher
8f6de12785 Merge branch 'main' into lgtm-updates 2022-09-29 17:37:54 +01:00
james
d75b1e399d remove a few mentions of LGTM.com 2022-09-29 17:29:03 +01:00
Rasmus Wriedt Larsen
ea27f4e20f Python: Remove last -p ../lib/ in options files 
These were only needed for points-to.

If they only contained `--max-import-depth`, I've removed the `options`
file entirely.
 2022-09-29 18:05:51 +02:00
Ian Lynagh
66a8bc5a96 Kotlin: Make newerThan symmetric 
"0.0 last-modified 0" and "0.0 last-modified 123" were giving
different comparisons depending on which way round they were.
 2022-09-29 16:55:03 +01:00
Rasmus Wriedt Larsen
0cb8e121e9 Python: Fix flask request modeling 
This takes us part of the way. We still get multiple paths for the same
alert, but that will be fixed in a different PR.
 2022-09-29 17:41:21 +02:00
Nora Dimitrijević
28bd591107 C++: Fix explicit this-> FP. 2022-09-29 17:04:11 +02:00
Robert Marsh
447c11cd07 C++: move ConstantSizeArrayOffByOne.ql to CWE-193 2022-09-29 10:56:29 -04:00
Robert Marsh
e46b215c9d C++: fix metadata and result format 2022-09-29 10:53:29 -04:00
Nora Dimitrijević
29d7c0e21b C++: Exclude commas in if-conditions. 2022-09-29 16:29:57 +02:00
Robert Marsh
9b03e1c0b1 Merge pull request #10609 from MathiasVP/overrun-write-only-flag-overrunning-write 
C++: Make `OverrunWriteProductFlow` raise alerts on overflows
 2022-09-29 10:03:05 -04:00
Tom Hvitved
a5fbe751f1 Ruby: Reduce size of input predicate for non-linear recursion 
Before, we would be recursive in all of `MethodCall::getMethodName`:

```
Evaluated named local Synthesis#d9ff06b1::AssignOperationDesugar::SetterAssignOperation::getCallKind#ffff#shared#3@Synthesi in 9803ms on iteration 14 (size: 31006941).
Evaluated relational algebra for predicate Synthesis#d9ff06b1::AssignOperationDesugar::SetterAssignOperation::getCallKind#ffff#shared#3@Synthesi on iteration 14 running pipeline main with tuple counts:
          256419  ~1%    {2} r1 = SCAN Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev_delta OUTPUT In.1, In.0
        31006941  ~8%    {4} r2 = JOIN r1 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#prev ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Rhs.2, Rhs.3
                         return r2
```

Now, we have restricted that to only the relevant method names.
 2022-09-29 15:59:11 +02:00
Asger F
ed36f1983b Python: sync TypeTracker.qll 2022-09-29 15:57:09 +02:00
Asger F
ae60b0ae6d Ruby: ensure pruning works with startInContent 2022-09-29 15:54:51 +02:00
Nora Dimitrijević
64903336f7 C++: Exclude all parenthesized CommaExprs. 2022-09-29 15:49:29 +02:00
Henti Smith
700eaf5e41 Added JobRunson 2022-09-29 14:19:02 +01:00
Mathias Vorreiter Pedersen
4e3b445515 C++: Accept test changes. 2022-09-29 13:35:23 +01:00
Mathias Vorreiter Pedersen
70837dbd93 C++: Use range analysis to properly deduce the initial 'state2' instead of traversing the AST. Also fix state-passing related to negative states. 2022-09-29 13:32:39 +01:00
Mathias Vorreiter Pedersen
6537c817ef C++: Add more CWE-199 tests that allocates memory based on the result of a SubExpr. 2022-09-29 13:31:34 +01:00
Tamas Vajk
b79c10c419 Kotlin: find java-kotlin equivalent functions by erased parameter types 2022-09-29 14:29:22 +02:00
Tamas Vajk
64c953bee0 Kotlin: add test for not found equivalent of MutableList.remove 2022-09-29 14:24:09 +02:00
Michael Nebel
dd0f19d0b0 Ruby: Update expected test output. 2022-09-29 14:12:20 +02:00
Michael Nebel
999eb19c3d Ruby: Support postupdate notes for assignment expressions. 2022-09-29 14:12:20 +02:00
Asger F
f1de5a2ffd Ruby: Restrict summaries and type trackers to relevant contents 2022-09-29 14:10:09 +02:00
Tom Hvitved
1fcd22b0f6 Merge pull request #10621 from hvitved/ruby/fix-bad-join 
Ruby: Fix bad join-order
 2022-09-29 13:56:18 +02:00