hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-15 06:23:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,550 Commits 1,690 Branches 160 Tags
codeql-cli/v2.23.9
Commit Graph

84550 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
yoff
1ad239459f java: move shared code into Concurrency.qll 2025-10-09 13:36:35 +02:00
Owen Mansel-Chan
37151791b4 Add change notes 2025-10-09 12:26:32 +01:00
Owen Mansel-Chan
3cbce80d0b Add SimpleTypeSanitizer to go/request-forgery 2025-10-09 12:17:21 +01:00
Owen Mansel-Chan
7599fdd8fa Add request forgery test for numeric type 2025-10-09 12:17:19 +01:00
Owen Mansel-Chan
0c9cd09140 Make NumericOrBooleanSanitizer easier to access and rename it 2025-10-09 12:17:17 +01:00
yoff
f90e9dbb5e java: favour inline_late over inline 
This gives much greater control over the join-order
 2025-10-09 13:01:25 +02:00
yoff
26c1b2f143 java: adjust test expectations; new queries are enabled in extended 2025-10-09 12:29:42 +02:00
Idriss Riouak
f52e3dcb7f Merge pull request #20601 from github/idrissrio/java-localhost 
Java integration test: wait for test servers to come up before running test
 2025-10-09 10:57:11 +02:00
Geoffrey White
a7c166d161 Merge pull request #20599 from geoffw0/rust-ga-change-note 
Rust: Add change note for Rust GA.
 2025-10-09 08:51:44 +01:00
yoff
830f02af1f java: fixes from the CI bots 2025-10-09 09:37:31 +02:00
yoff
93fc287ef1 java: add auto-generated overlay annotations 2025-10-09 09:25:57 +02:00
yoff
a1671ea8af java: small cleanups 
- add missing qldoc
- remove use of `getErasure`
- remove use of `getTypeDescriptor`
- define `ExposedField`
 2025-10-09 09:16:25 +02:00
yoff
821b1de5b3 java: inline char pred 2025-10-09 09:16:25 +02:00
yoff
01ddc11fa7 java: address some review comments 2025-10-09 09:16:25 +02:00
yoff
77734f83d5 java: better detection of thread safe fields. 
Identified by triage of DCA results.
Previously, we did not use the erased type, so would not recgnize `CompletableFuture<R>`.
We now also recognize safe initializers.
 2025-10-09 09:16:25 +02:00
yoff
bf138693a3 java: update expectations for java-code-quality suite 2025-10-09 09:16:07 +02:00
yoff
096d5f2a56 java: implement SCC contraction of the call graph 
Our monitor analysis would be fooled by cycles in the call graph,
since it required all edges on a path to a conflicting access to be either
 - targetting a method where the access is monitored (recursively) or
 - monitored locally, that is the call is monitored in the calling method
For access to be monitored (first case) all outgoing edges (towards an access) need
to satisfy this property. For a loop, that is too strong, only edges out of the loop
actually need to be protected. This led to FPs.
 2025-10-09 09:14:16 +02:00
yoff
5b30153113 java: add Escaping query (P1) 2025-10-09 09:14:16 +02:00
yoff
328b53576a java: add SafePublication query (P2) 2025-10-09 09:14:16 +02:00
yoff
fe487e8bf0 java: add ThreadSafe query (P3) 
Co-authored-by: Raúl Pardo <raul.pardo@protonmail.com>
Co-authored-by: SimonJorgensenMancofi <simon.jorgensen@mancofi.dk>
Co-authored-by: Bjørnar Haugstad Jåtten <bjornjaat@hotmail.com>
 2025-10-09 09:14:16 +02:00
idrissrio
546d59ff9d Java: Wait for test HTTP servers to be ready before running buildless test 2025-10-09 08:37:54 +02:00
REDMOND\brodes
f524de4afc Crypto: Updating insecure iv/nonce to consider if an operation is known for it, and if so do not alert on non-secure random if it is tied to decryption 2025-10-08 16:27:18 -04:00
REDMOND\brodes
7a57496c54 Crypto: Missing test update. 2025-10-08 14:16:47 -04:00
REDMOND\brodes
11e81395b5 Crypto: Updated default flows to use taint tracking (this is needed to fix false positives in the unknown IV/Nonce query). Add the unknown IV/Nonce query and associated test cases. Fix unknown IV/Nonce query to focus on cases where the oepration isn't known or the operation subtype is not encrypt or wrap. 2025-10-08 14:14:17 -04:00
REDMOND\brodes
75b5a9fda8 Crypto: Update general regression test results to account for removal of JCA random source. 2025-10-08 12:55:11 -04:00
REDMOND\brodes
8e10e1937d Crypto: Adding query for unknown IV initialization. 2025-10-08 12:49:54 -04:00
REDMOND\brodes
83ff70bcd8 Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals. 2025-10-08 12:47:58 -04:00
Jon Janego
83519a9fcc Merge pull request #20606 from github/changedocs-2.23.2 
changedocs for 2.23.2
 2025-10-08 11:07:58 -05:00
Jon Janego
4534d67107 Merge branch 'main' into changedocs-2.23.2 2025-10-08 11:00:45 -05:00
Jon Janego
9c610e8bab Update links in CodeQL CLI changelog 2025-10-08 10:57:17 -05:00
Owen Mansel-Chan
2f22acdd06 Remove hashing example when not covered by query 2025-10-08 16:48:57 +01:00
Jon Janego
f8626cd417 changedocs for 2.23.2 2025-10-08 10:42:10 -05:00
REDMOND\brodes
bd34b6ce02 Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce 2025-10-08 11:41:21 -04:00
REDMOND\brodes
143be8cc35 Crypto: Remove redundant queries. 2025-10-08 10:26:05 -04:00
REDMOND\brodes
1b1b333e8b Crypto: Modify suggested queries per misc. side conversations on standards. Remove redundant query. Fix QL-for-QL issues. 2025-10-08 10:21:06 -04:00
REDMOND\brodes
cf88e3f52d Crypto: Standardize naming where use of "family" and "type" have been used. Prefer 'type'. 2025-10-08 09:54:53 -04:00
REDMOND\brodes
bba541c016 Merge remote-tracking branch 'upstream/java-crypto-check' into santander-java-crypto-check 2025-10-08 09:30:26 -04:00
Owen Mansel-Chan
0bcdb91639 Improve qhelp for broken crypto algo queries 
Previously it focussed too much on the risk of data being decrypted,
and didn't explain why using weak algorithms is a problem in other
contexts.
 2025-10-08 14:10:54 +01:00
Owen Mansel-Chan
2a1c9d8ec1 Remove erroneous comma 2025-10-08 14:08:36 +01:00
Owen Mansel-Chan
90db349f4b State that ruby broken crypto algo doesn't deal with hashing 2025-10-08 14:05:00 +01:00
Geoffrey White
d39c8d155c Merge pull request #20574 from geoffw0/rustga3 
Rust: Docs updates
 2025-10-08 11:04:29 +01:00
Anders Schack-Mulligen
2d9b249367 Merge pull request #20600 from aschackmull/java/constant-exp-fix 
Java: Fix bug in ConstantExpAppearsNonConstant.
 2025-10-08 11:40:50 +02:00
Michael Nebel
4cc6a07620 Merge pull request #20593 from michaelnebel/csharp/reducetypeparameterandtuplelocations 
C#: Reduce Type Parameter- and Tuple type location extraction.
 2025-10-08 11:36:32 +02:00
Anders Schack-Mulligen
99f5dcaaa4 Java: Fix bug in ConstantExpAppearsNonConstant. 2025-10-08 10:32:51 +02:00
Michael Nebel
cdfa58645a C#: Add change-note. 2025-10-08 10:14:51 +02:00
Idriss Riouak
28fe20e3e4 Merge pull request #20595 from github/idrissrio/java-lambda 
Java: Add integration test for buildless lambda recovery
 2025-10-08 09:53:29 +02:00
Paolo Tranquilli
75a7507017 Merge pull request #20590 from github/redsun82/rust-test-compatibility 
Rust: test with the 1.90 toolchain
 2025-10-08 09:00:30 +02:00
Asger F
10c9b747a5 Merge pull request #20586 from asgerf/js/api-graphs-block-this 
JS: Restrict receiver-flow in API graphs
 2025-10-08 08:41:56 +02:00
Geoffrey White
8a2be0910c Rust: Add change note for Rust GA. 2025-10-07 23:10:31 +01:00
Ian Lynagh
2918d30697 Merge pull request #20597 from github/igfoo/bmn-ga 
C++: Add a changenote for C/C++ BMN GA
 2025-10-07 22:57:32 +01:00