hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-28 18:28:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
85,368 Commits 1,723 Branches 164 Tags
codeql-cli/v2.24.0
Commit Graph

85368 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andrew Eisenberg
42f6dbe0b1 Merge pull request #15288 from github/aeisenberg/problem.severity 
Update query-metadata-style-guide.md clarify problem.severity
 2024-01-11 12:53:13 -08:00
Asger F
59c9ac735a Merge pull request #15295 from asgerf/js/type-model-export 
JS: Include sink nodes as base-case when resolving types
 2024-01-11 20:47:32 +01:00
Tony Torralba
12c5b46a0a Reduce FPs 
* Restrict allowed types in the flow step

* Discard more non-crypto-related TLS APIs
 2024-01-11 16:20:46 +01:00
Michael Nebel
0fa2067c3f C#: Update expected test output. 2024-01-11 16:19:24 +01:00
Michael Nebel
b03eecb5ab C#: Add support for named arguments in getRuntimeArgumentForParameter. 2024-01-11 16:19:24 +01:00
Michael Nebel
85f0ad623b C#: Add testexample of using named arguments when calling a delegate. 2024-01-11 16:19:24 +01:00
Michael Nebel
8b464fbc4a Merge pull request #15249 from michaelnebel/csharp/lambdadefaultparams 
C# 12: Support for lambda `param` parameter and parameter defaults.
 2024-01-11 16:18:03 +01:00
Owen Mansel-Chan
5e9ddd8c63 Apply suggestions from code review on change notes 
Co-authored-by: Michael Nebel <michaelnebel@github.com>
 2024-01-11 15:15:21 +00:00
Michael Nebel
ef73fc3a6f C#: Add a test for type alias. 2024-01-11 16:13:35 +01:00
Owen Mansel-Chan
3c369f88bb Add change notes 2024-01-11 14:00:17 +00:00
Erik Krogh Kristensen
d782bd9b1f Merge pull request #13624 from jorgectf/seclab/dotjs 
JS: Add `dot.js` support
 2024-01-11 14:57:19 +01:00
Owen Mansel-Chan
def957e814 Accept review suggestion fixing a comment 
Co-authored-by: Michael Nebel <michaelnebel@github.com>
 2024-01-11 13:56:27 +00:00
Tom Hvitved
a1036c81ee Merge pull request #15273 from hvitved/ruby/captured-yield 
Ruby: Handle captured `yield` calls
 2024-01-11 14:34:34 +01:00
Owen Mansel-Chan
2f01688319 Merge pull request #15280 from owen-mc/java/add-manual-models-for-df-generation 
Java: improve models for some important JDK methods
 2024-01-11 12:47:37 +00:00
Asger F
82cee61999 JS: Include sink nodes as base-case when resolving types 2024-01-11 13:41:21 +01:00
Max Schaefer
6e9c90a6bb Properly distinguish negative source and sink characteristics. 
In particular, `IsSanitizerCharacteristic` is a negative _source_ characteristic (not a negative sink characteristic), while `NeutralModelCharacteristic` is both.

This eliminates the erroneous test results.
 2024-01-11 12:36:48 +00:00
Max Schaefer
ff4555ac5b Get rid of negative sink types. 
Instead of positively implying the negative sink type, negative sink characteristics now negatively imply all sink types (but not source types). This is simpler and sice we will never have a huge number of sink types it doesn't impact performance either.

Changes to test results:

- The call to `createDirectories` at `Test.java:87` is now correctly classified as a source candidate, having previously been erroneously excluded by a negative _sink_ characteristic.
- The call to `compareTo` at `Test.java:48` is now erroneously classified as a source candidate; it should be suppressed by `IsSanitizerCharacteristic`, which is a negative sink characteristic, but should really be a negative source characteristic.
- In framework mode, several endpoints are now erroneously classified as source candidates even though they have neutral models, because `NeutralModelCharacteristic` is currently only a negative sink characteristic and not a negative source characteristic.
 2024-01-11 12:19:53 +00:00
Max Schaefer
bcf4f4febd Drop a conjunct which is now spurious. 2024-01-11 11:56:59 +00:00
Max Schaefer
03ca244df2 Associate endpoints with their potential endpoint types and check these when determining candidates. 
This prevents us from associating a sink candidate with a source type and vice versa.

However, this does not fix the problem of negative characteristics for sink types excluding source candidates.
 2024-01-11 11:44:14 +00:00
Max Schaefer
a6d996b478 Add an example of a missed source candidate. 
`Files.list` has a taint step from its first argument to its result, so that first argument should not be considered a sink candidate (and it is not). However, due to a bug in `IsMaDTaintStepCharacteristic` it is also not considered a source candidate, which is wrong: as the example shows, if that argument is a call we do very much want to consider it as a source candidate.
 2024-01-11 11:27:34 +00:00
Max Schaefer
8e429bd399 Rename isSinkCandidate (and a related predicate) to isCandidate. 
This reflects the fact that these predicates also deal with source candidates.
 2024-01-11 11:20:51 +00:00
Tony Torralba
05b487e3a6 Go: Recognize unsafe candidate selection in go/insecure-randomness 2024-01-11 11:58:12 +01:00
Max Schaefer
dba2e06a1d Merge pull request #15283 from github/max-schaefer/release-automodel-query-pack 
Release automodel extraction queries v0.0.12.
 2024-01-11 10:28:55 +00:00
Tony Torralba
8ccacafb59 Merge pull request #15289 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2024-01-11 10:15:34 +01:00
Michael Nebel
1770beea25 C#: Update QL doc for getRuntimeArgumentForParameter. 2024-01-11 09:07:15 +01:00
Michael Nebel
4c1e84b992 C#: Address review comments. 2024-01-11 09:07:15 +01:00
Michael Nebel
4dedc454ae C#: Add change-note. 2024-01-11 09:07:15 +01:00
Michael Nebel
e18534e748 C#: Force population of compiler generated delegates used for lambdas. 2024-01-11 09:07:15 +01:00
Michael Nebel
9a64e2a9b0 C#: Add test for lambda default parameters. 2024-01-11 09:07:15 +01:00
Michael Nebel
71c996a0be C#: Update lambdaArgument expected output. 2024-01-11 09:07:14 +01:00
Michael Nebel
b2faf3618c C#: Add support for params parameters in getRuntimeArgumentForParameter. 2024-01-11 09:07:14 +01:00
Michael Nebel
f0852c89bc C#: Add test for lambda arguments. 2024-01-11 09:07:14 +01:00
Paolo Tranquilli
482b5f3b29 Merge pull request #15265 from github/redsun82/def-to-non-header-include-exceptions 
C++: add `.def` to exceptions to AV rule 32
 2024-01-11 08:34:43 +01:00
github-actions[bot]
7db46b6ab6 Add changed framework coverage reports 2024-01-11 00:16:44 +00:00
Andrew Eisenberg
2f190d6552 Update docs/query-metadata-style-guide.md 
Co-authored-by: Angela P Wen <angelapwen@github.com>
 2024-01-10 14:27:00 -08:00
Owen Mansel-Chan
3767348dec Update test expectations 2024-01-10 22:25:08 +00:00
Owen Mansel-Chan
7824e60acd Manual neutral summaries should block generated summaries 2024-01-10 22:25:06 +00:00
Owen Mansel-Chan
52563b01b7 Factor logic out into interpretNeutral 2024-01-10 22:25:04 +00:00
Owen Mansel-Chan
370a32da8b Test summary models and neutral models, manual and generated 2024-01-10 22:25:02 +00:00
Andrew Eisenberg
303272d0d4 Update query-metadata-style-guide.md clarify problem.severity 2024-01-10 13:47:35 -08:00
Erik Krogh Kristensen
51fe477ed1 Merge pull request #15271 from erik-krogh/fastTS 
JS: faster TypeScript extraction
 2024-01-10 21:02:34 +01:00
Owen Mansel-Chan
9e2e01ff89 Update Top JDK APIs test expectation 2024-01-10 17:07:33 +00:00
Ian Lynagh
5d3166cfef Kotlin: Tweak code formatting 2024-01-10 16:39:49 +00:00
Ian Lynagh
80163c5aac Kotlin 2: Just accept the remaining comment differences for now 2024-01-10 16:39:47 +00:00
Ian Lynagh
ce4253c17f Kotlin 2: Remove an expected diagnostic match 
It is only generated when using the PSI comment extractor.
 2024-01-10 16:39:04 +00:00
Ian Lynagh
20254fd71e Kotlin: Accept a location change 2024-01-10 16:39:04 +00:00
Ian Lynagh
b3f8167973 Kotlin: Don't warn if we can't find a label for a fake owner 
The fake owner probably just wasn't extracted
 2024-01-10 16:39:02 +00:00
Owen Mansel-Chan
33030417b4 Add change note 2024-01-10 15:48:28 +00:00
Tony Torralba
52d3e3da31 Merge pull request #15268 from atorralba/atorralba/go/cleartext-logging-src-and-sink-improvs 
Go: Adds sources and sinks to `go/clear-text-logging`
 2024-01-10 15:52:40 +01:00
Tom Hvitved
ad75562b55 CPP: Update expected test output 2024-01-10 15:27:22 +01:00