Asger F
1516029cf5
JS: Avoid generating ArrayElement edges for extend-like patterns
2025-03-17 13:48:27 +01:00
Asger F
125e732c4c
JS: Fix bad join order
2025-03-17 13:44:33 +01:00
Geoffrey White
07011f7460
Rust: Fix more after merge.
2025-03-17 12:22:09 +00:00
Chris Smowton
0ac0dad49d
Merge pull request #19042 from github/release-prep/2.20.7
Release preparation for version 2.20.7
codeql-cli/v2.20.7
2025-03-17 12:21:27 +00:00
Simon Friis Vindum
81b28df089
Merge branch 'main' into rust-type-inference-tweaks
2025-03-17 13:18:45 +01:00
github-actions[bot]
2d64a618e6
Release preparation for version 2.20.7
2025-03-17 12:15:54 +00:00
Geoffrey White
f5daec9da0
Rust: Fix after merge.
2025-03-17 12:10:59 +00:00
Geoffrey White
81edb4780d
Merge branch 'main' into constcrypto
2025-03-17 12:05:51 +00:00
Napalys
77e1e171e1
Added test cases underscore.string with multiple sources.
2025-03-17 12:58:53 +01:00
Napalys
6b105b2f49
Added modeling underscore.string array to string functions.
2025-03-17 12:55:53 +01:00
Napalys
cd40b6f125
Added test cases underscore.string array to string.
2025-03-17 12:53:53 +01:00
Napalys
30623cd953
Added modeling of underscore.string for str to array.
2025-03-17 12:52:56 +01:00
Napalys
c256b9c336
Added underscore.string test cases for str to array.
2025-03-17 12:51:48 +01:00
Napalys
9bca863e38
Added modeling of underscore.string string to string functions.
2025-03-17 12:50:41 +01:00
Napalys
e8b233f086
Added test cases underscore.string string to string.
2025-03-17 12:48:41 +01:00
Simon Friis Vindum
e9ca43ae94
Merge pull request #19039 from paldepind/rust-cfg-uppercase
Rust: Assume in the CFG that lowercase identifiers are in fact identifiers
2025-03-17 12:40:56 +01:00
Óscar San José
258794a57e
Add python and npm to Dockerfile.codespaces
2025-03-17 12:37:47 +01:00
Geoffrey White
704b3850f4
Rust: Fix a mistake in the test.
2025-03-17 11:24:58 +00:00
Paolo Tranquilli
a2851f753c
Merge pull request #18968 from hvitved/rust/cache-to-string
Rust/Swift: Cache `Element.toString`
2025-03-17 12:08:27 +01:00
Tom Hvitved
0e3907b2a8
Merge pull request #19035 from hvitved/rust/type-inference-path-limit
Rust: Limit `TypePath`s to at most length 10
2025-03-17 12:01:31 +01:00
Jeroen Ketema
43a03de195
Merge pull request #19030 from MathiasVP/atl-namespace-fix
C++: Fix ATL models' namespace column
2025-03-17 11:28:16 +01:00
Napalys Klicius
749a0560b4
Merge pull request #19027 from Napalys/js/escape
JS: Add support for `escape`
2025-03-17 10:48:44 +01:00
Paolo Tranquilli
8ca33a907c
Merge branch 'main' into reddsun82/swift-ql-test-to-internal
2025-03-17 10:42:39 +01:00
Napalys Klicius
478e32cbe5
Update javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
Co-authored-by: Asger F <asgerf@github.com>
2025-03-17 10:17:39 +01:00
Napalys Klicius
9134f79fd2
Merge pull request #18984 from Napalys/js/extractor_error_handler
JS: Extractor handle error instead of exiting.
2025-03-17 10:11:26 +01:00
Simon Friis Vindum
17d6cb626d
Rust: Assume in the CFG that lowercase identifiers are in fact identifiers
2025-03-17 08:40:02 +01:00
Simon Friis Vindum
0bf826559c
Rust: Apply qhelp suggestions from review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2025-03-17 07:56:37 +01:00
Simon Friis Vindum
75355e9e53
Rust: Revert conjunct reorder
2025-03-17 07:46:54 +01:00
Simon Friis Vindum
1b7f4e4d4b
Rust: Add type inference tests and rename modules
2025-03-17 07:41:47 +01:00
Simon Friis Vindum
72346cc392
Merge pull request #19004 from paldepind/rust-data-flow-split
Rust: Extract data flow node and content into separate files
2025-03-17 07:02:35 +01:00
Tom Hvitved
dfc39272b4
Rust: Limit TypePaths to at most length 10
2025-03-16 20:35:16 +01:00
Simon Friis Vindum
4c3768f771
Rust: Add comments for type inference
2025-03-15 13:51:15 +01:00
Simon Friis Vindum
422d9e1f93
Rust: Minor refactoring of type inference
2025-03-15 13:47:08 +01:00
Simon Friis Vindum
210b4db908
Rust: Encapsulate type parameter decoding/encoding
2025-03-15 13:41:46 +01:00
Aditya Sharad
996bc47ae8
Merge pull request #19032 from adityasharad/docs/remove-semmle-training-slide-template
Docs: Remove old CodeQL training slide template
2025-03-15 06:17:42 +05:30
Aditya Sharad
9e8a3145ac
Docs: Remove old CodeQL training slide template
The slide contents (images and RST) remain.
Remove the HTML/JS/CSS templates since we're not maintaining them,
and this creates unnecessary burden keeping the JS libraries up to date
with security patches.
2025-03-14 15:16:59 -07:00
Asger F
cd3909245d
JS: Bugfix in Array constructor summary
2025-03-14 23:08:22 +01:00
Asger F
fe1bdf2468
JS: Update a test
2025-03-14 23:08:20 +01:00
Asger F
ab74898bbb
JS: Deprecate getUnknownMember() and replace its uses with getArrayElement()
Although they mean slightly different things, every single call site
of getUnknownMember() just used it as a way to get array elements.
Since there is no known use-case for the original meaning of
getUnknownMember() I am deprecating it for now.
2025-03-14 23:08:19 +01:00
Asger F
4c1c0b79a6
JS: Make API-graphs use Content internally, and use steps from flow summaries
2025-03-14 23:08:16 +01:00
Asger F
cc95c77cbc
JS: Add failing test
2025-03-14 23:04:10 +01:00
Owen Mansel-Chan
f0af5af015
Merge pull request #19015 from owen-mc/java/toctou-sync-methods
Java: Fix FP in "Time-of-check time-of-use race condition" (`java/toctou-race-condition`)
2025-03-14 21:35:51 +00:00
Mathias Vorreiter Pedersen
a035c9b4d1
C++: Also update source-sink tests.
2025-03-14 20:04:45 +00:00
Tom Hvitved
a56493cbbc
Merge pull request #19028 from hvitved/rust/crate-locatable
2025-03-14 20:27:33 +01:00
Mathias Vorreiter Pedersen
b7d1c56372
C++: Add change note.
2025-03-14 18:53:09 +00:00
Mathias Vorreiter Pedersen
636150ea4f
C++: Adjust tests and accept test changes.
2025-03-14 18:43:33 +00:00
Mathias Vorreiter Pedersen
78697903fc
C++: Move ATL models to ATL namespace.
2025-03-14 18:43:06 +00:00
Aditya Sharad
c5b35b0976
Merge pull request #19022 from adityasharad/actions/paths-ignore-test-dir
Code scanning config: Exclude actions test directory
2025-03-14 23:44:16 +05:30
Taus
ef9b229023
Python: Actually get rid of points-to
Also adds `quality` to the list of tags for the query.
2025-03-14 16:51:48 +00:00
Taus
c9e9deb41e
Python: Adapt to a points-to-less world
Technically we still depend on points-to in that we still mention
`PythonFunctionValue` and `ClassValue` in the query. However, we
immediately move to working with the corresponding `Function` and
`Class` AST nodes, and so we're not really using points-to. (The reason
for doing things this way is that otherwise the `.toString()` for all of
the alerts would change, which would make the diff hard to interpret.
This way, it should be fairly simple to see which changes are actually
relevant.)
We do lose some precision when moving away from points-to, and this is
reflected in the changes in the `.expected` file. In particular we no
longer do complicated tracking of values, but rather look at the
syntactic structure of the classes in question. This causes us to lose
out on some results where a special method is defined elsewhere, and
causes a single FP where a special method initially has the wrong
signature, but is subsequently overwritten with a function with the
correct signature.
We also lose out on results having to do with default values, as these
are now disabled.
Finally, it was necessary to add special handling of methods marked with
the `staticmethod` decorator, as these expect to receive fewer
arguments. This was motivated by a MRVA run, where e.g. sympy showed a
lot of examples along the lines of
```
@staticmethod
def __abs__():
    return ...
```
2025-03-14 16:49:33 +00:00