hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-05 17:51:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
54,887 Commits 1,689 Branches 160 Tags
codeql-cli/v2.13.3
Commit Graph

54887 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
github-actions[bot]
fe4d27e8cc Release preparation for version 2.12.5 2023-03-16 12:58:50 +00:00
Geoffrey White
170fde5bc0 Swift: Add some more test cases. 2023-03-16 12:53:06 +00:00
Michael Nebel
a9e5b34ad6 Merge pull request #12200 from michaelnebel/csharp/viablestatic 
C#: Support for virtual dispatch for operators.
 2023-03-16 13:36:00 +01:00
erik-krogh
f718d78a9a avoid redundant sources 2023-03-16 13:34:01 +01:00
Mathias Vorreiter Pedersen
d02a50a504 Merge pull request #10817 from github/mathiasvp/replace-ast-with-ir-use-usedataflow 
C++: Replace AST with IR use-use dataflow
 2023-03-16 12:31:01 +00:00
Rasmus Lerchedahl Petersen
f9bffb5454 python: add change note 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
4713ba1e12 python: more results no longer missing 
Adjusted `tracked.ql`
- no need to annotate results on line 0
  this could happen for global SSA variables
- no need to annotate scope entry definitons
  they look a bit weird, as the annotation goes on the
  line of the function definition.
 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
2318752c14 python: add reads of captured variables to 
type tracking and the API graph.

- In `TypeTrackerSpecific.qll` we add a jump step
  - to every scope entry definition
  - from the value of any defining `DefinitionNode`
    (In our example, the definition is the class name, `Users`,
     while the assigned value is the class definition, and it is
     the latter which receives flow in this case.)
- In `LocalSources.qll` we allow scope entry definitions as local sources.
  - This feels natural enough, as they are a local source for the value, they represent.
    It is perhaps a bit funne to see an Ssa variable here,
    rather than a control flow node.
 - This is necessary in order for type tracking to see the local flow
    from the scope entry definition.
- In `ApiGraphs.qll` we no longer restrict the result of `trackUseNode`
  to be an `ExprNode`. To keep the positive formulation, we do not
  prohibit module variable nodes. Instead we restrict to the new
  `LocalSourceNodeNotModule` which avoids those cases.
 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
7e003f63b9 python: add test for flask example 
This is a condensed versio of the user reported example
found [here](eb377d5918/app.py (L278))
The `MISSING` annotation indicates where our API graph falls short.
 2023-03-16 12:53:40 +01:00
erik-krogh
b208988675 Py: add test for problematic regex 2023-03-16 12:21:00 +01:00
erik-krogh
54ec047433 ReDoS: put an artificial limitation on the analysis in polynomial-redos for large regular expressions 2023-03-16 12:20:53 +01:00
Tom Hvitved
1d0b3d4112 Ruby: Ssa::WriteDefinition::getWriteAccess should return a CFG node 2023-03-16 11:28:24 +01:00
Chris Smowton
3ff60e076c Merge pull request #12548 from github/dependabot/github_actions/actions/setup-go-4 
Bump actions/setup-go from 3 to 4
 2023-03-16 10:21:51 +00:00
erik-krogh
8bc8342c7c Py:don't parse regular expressions in system-code 2023-03-16 10:41:30 +01:00
Erik Krogh Kristensen
be8f04a997 Merge pull request #12525 from github/dependabot/cargo/ql/serde-1.0.156 
Bump serde from 1.0.155 to 1.0.156 in /ql
 2023-03-16 10:36:11 +01:00
Erik Krogh Kristensen
48f889b055 Merge pull request #12496 from github/dependabot/cargo/ql/chrono-0.4.24 
Bump chrono from 0.4.23 to 0.4.24 in /ql
 2023-03-16 10:35:59 +01:00
Jeroen Ketema
8aa9207281 Merge remote-tracking branch 'upstream/main' into mathiasvp/replace-ast-with-ir-use-usedataflow 2023-03-16 10:28:44 +01:00
Tom Hvitved
a13b6ed230 Merge pull request #12536 from hvitved/dataflow/call-enclosing-callable-consistency-check 
Data flow: Add consistency check for `DataFlowCall::getEnclosingCallable`
 2023-03-16 10:19:42 +01:00
Geoffrey White
7feab09ea9 Swift: Specialize the additional taint step a bit more. 2023-03-16 08:57:31 +00:00
Rasmus Wriedt Larsen
b3a49ab143 Merge pull request #12467 from RasmusWL/kwargs-parameter-position-fixup 
Python/Ruby: Use new parameter position for synthetic hash-splat instead
 2023-03-16 09:52:46 +01:00
Mathias Vorreiter Pedersen
eec1e9ffcd C++: Fix change note. 2023-03-16 08:01:07 +00:00
Mathias Vorreiter Pedersen
7585a3862f Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow 2023-03-16 07:57:20 +00:00
Mathias Vorreiter Pedersen
58602927bd C++: Add change note. 2023-03-16 07:57:03 +00:00
Tom Hvitved
404ead8a18 Python: Update expected test output 2023-03-16 08:40:53 +01:00
Tom Hvitved
b3ef1e9372 C++: Update expected test output 2023-03-16 08:40:53 +01:00
Tom Hvitved
64f13fa08f C#: Exclude call inside static field initializers from consistency check 2023-03-16 08:40:53 +01:00
Tom Hvitved
9f798902bd Data flow: Add consistency check for DataFlowCall::getEnclosingCallable 2023-03-16 08:40:53 +01:00
dependabot[bot]
e999d33332 Bump actions/setup-go from 3 to 4 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-03-16 04:00:39 +00:00
Harry Maclean
0eb0c26b72 Ruby: Add some documentation 
This is primarily to bust the build cache.
 2023-03-16 12:24:47 +13:00
Harry Maclean
7b81fe3109 Ruby: fix conditional use of cross in build 2023-03-16 12:11:12 +13:00
Harry Maclean
e7ead76fe9 Ruby: Build extractor via cargo-cross on linux 2023-03-16 12:04:33 +13:00
Harry Maclean
907fbeaae8 Ruby: Update build instructions for new extractor 2023-03-16 11:54:47 +13:00
Harry Maclean
01a85164ee Ruby: Bump rust toolchain to 1.68 2023-03-16 11:54:47 +13:00
Henry Mercer
720eed398b Merge pull request #12523 from github/henrymercer/polish-diagnostics 
Polish diagnostic messages
 2023-03-15 15:06:52 +00:00
Robert Marsh
45fdf69461 C++: add SemLocation so SemBound is copy-shareable 2023-03-15 10:38:47 -04:00
Mathias Vorreiter Pedersen
3376d2aa12 Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow 2023-03-15 14:12:01 +00:00
Mathias Vorreiter Pedersen
dffde8f8b8 Merge pull request #12532 from MathiasVP/local-flow-for-getAdditionalFlowIntoCallNodeTerm 
C++: Use local flow instead of GVN in `getAdditionalFlowIntoCallNodeTerm`
 2023-03-15 14:10:49 +00:00
Mathias Vorreiter Pedersen
08419b77af C++: Respond to PR reviews. 2023-03-15 14:07:04 +00:00
Anders Schack-Mulligen
bc9942eb75 Merge pull request #12530 from aschackmull/java/refactor-dataflow-queries-3 
Java: Refactor more dataflow queries to the new API (take 3)
 2023-03-15 14:57:29 +01:00
Tony Torralba
5bc606753e org.openjdk.jmh.runner.options tests 2023-03-15 14:47:27 +01:00
Tony Torralba
3b4980ba2f org.kohsuke.stapler.model tests 2023-03-15 14:36:45 +01:00
Tom Hvitved
a6e9d111a5 Merge pull request #12534 from hvitved/swift/summary-call-encl-callable 
Swift: Fix `SummaryCall::getEnclosingCallable`
 2023-03-15 14:35:00 +01:00
Tom Hvitved
96639c594f Swift: Fix SummaryCall::getEnclosingCallable 2023-03-15 13:58:12 +01:00
Arthur Baars
fe34ec1378 Ruby: fix formatting errors 2023-03-15 13:45:06 +01:00
Henry Mercer
5de0eae992 Ruby: Update diagnostic source names for consistency 2023-03-15 12:05:09 +00:00
Henry Mercer
a90f4915a7 C#: Add new lines before call to action 2023-03-15 12:00:47 +00:00
Henry Mercer
0de4259bff Revert "Ruby: Use rb prefix in diagnostic IDs for consistency with queries" 
This reverts commit a6509c7a37.
 2023-03-15 12:00:47 +00:00
Tony Torralba
c5a1905302 Fix stubs 2023-03-15 12:43:45 +01:00
Anders Schack-Mulligen
ecf5591bc6 Merge pull request #12527 from aschackmull/java/remove-dataflow-for-serializability 
Java: Delete `DataFlowForSerializability` and `DataFlowForOnActivityResult`
 2023-03-15 12:37:17 +01:00
Mathias Vorreiter Pedersen
913ff201f1 Merge branch 'mathiasvp/replace-ast-with-ir-use-usedataflow' into local-flow-for-getAdditionalFlowIntoCallNodeTerm 2023-03-15 11:15:16 +00:00