hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-08 14:42:30 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,608 Commits 1,776 Branches 169 Tags
codeql-cli/v2.25.6
Commit Graph

87608 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Taus
8d79248ea7 Python: Port ModificationOfLocals.ql 2026-04-07 23:46:03 +02:00
Taus
16683aee0e Merge pull request #21590 from github/tausbn/python-improve-bind-all-interfaces-query 
Python: Improve "bind all interfaces" query
 2026-04-07 17:59:48 +02:00
Jeroen Ketema
e7d3eedc80 Merge pull request #21661 from jketema/autoconf 
C++: Add heuristic for GNU autoconf config files
 2026-04-07 15:38:06 +02:00
Taus
4cb238f1af Merge pull request #21598 from github/tausbn/python-port-should-use-with 
Python: Port ShouldUseWithStatement.ql
 2026-04-07 14:16:41 +02:00
Geoffrey White
b21dba6131 C++: Update code scanning suite .expected. 2026-04-07 13:06:34 +01:00
Geoffrey White
201af3fffc C++: Update code scanning suite .expected. 2026-04-07 12:59:31 +01:00
Geoffrey White
f2292643a3 C++: Update code scanning suite .expected. 2026-04-07 12:53:53 +01:00
Geoffrey White
3769a8a482 C++: Update code scanning suite .expected. 2026-04-07 12:51:56 +01:00
Mathias Vorreiter Pedersen
5e145aa27d Merge pull request #21631 from MathiasVP/expose-fwd-stage-1 
Dataflow: Expose stage 1's `fwdFlow`
 2026-04-07 11:29:56 +01:00
Mathias Vorreiter Pedersen
e06294bcb4 Shared: Respond to review comments. 2026-04-07 11:11:04 +01:00
Idriss Riouak
39f92e992a Merge pull request #21494 from github/idrissrio/java/jdk26 
Java: Accept new test results after JDK 26 extractor upgrade
 2026-04-07 12:03:36 +02:00
Tom Hvitved
0d4524f8f3 Address review comments 2026-04-07 11:40:10 +02:00
Tom Hvitved
1e1a8732a3 Data flow: Add hook for preventing lambda dispatch in source call contexts 2026-04-07 11:40:08 +02:00
Tom Hvitved
eb64fcd208 C#: Add test that shows unintended flow summary generation 2026-04-07 11:40:07 +02:00
Jeroen Ketema
04cfd37f53 C++: Fix comments in tests 2026-04-07 10:52:12 +02:00
Jeroen Ketema
b19c648965 C++: Add heuristic for GNU autoconf config files 2026-04-07 10:43:15 +02:00
Michael Nebel
e259ebe258 Merge pull request #21627 from michaelnebel/csharp/cleanup 
C#: Deprecate get[L|R]Value predicates.
 2026-04-07 10:23:59 +02:00
idrissrio
6f199b90ba Java: Accept new test results for JDK 26 
Accept new ByteOrder.getEntries, List.ofLazy, and Map.ofLazy entries
in kotlin2 test expected files.
 2026-04-07 09:28:25 +02:00
idrissrio
3ccbd8032c Java: Accept new test results for JDK 26 
JDK 26 added ofLazy methods to List, Map, and Set collections.
Update expected test output to include these new methods.
 2026-04-07 09:28:23 +02:00
idrissrio
5a6eb79470 Java: Pin CWE-676 test to --release 25 
Thread.stop() was removed in JDK 26. Pin the test to --release 25.
 2026-04-07 09:28:22 +02:00
idrissrio
74b0e8c19a Java: Accept new test results after JDK 26 extractor upgrade 2026-04-07 09:28:20 +02:00
Tom Hvitved
7d184d0c7f Merge pull request #21206 from hvitved/rust/type-inference-closure-param-context-typed 
Rust: Infer argument types based on trait bounds on parameters
 2026-04-07 09:17:30 +02:00
github-actions[bot]
242090e0ac Post-release preparation for codeql-cli-2.25.2 2026-04-06 13:49:20 +00:00
Óscar San José
868ccfbb04 Merge pull request #21657 from github/release-prep/2.25.2 
Release preparation for version 2.25.2
codeql-cli/v2.25.2 		2026-04-06 12:50:52 +02:00
github-actions[bot]
4fe2f6d2b4 Release preparation for version 2.25.2 2026-04-06 10:30:38 +00:00
MarkLee131
b49c6dcbd4 Add @Pattern annotation test case and javax-validation-constraints stub 
Adds a dedicated test verifying that fields annotated with
@javax.validation.constraints.Pattern are recognized as sanitized
by RegexpCheckBarrier, in addition to the existing String.matches()
guard test.
 2026-04-04 22:04:05 +08:00
Kaixuan Li
258a53e146 Update java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-04-04 22:02:00 +08:00
MarkLee131
46ef0204ef Remove secretQuestion from FP exclusion list 
secretQuestion is ambiguous: it could be the question text (not
sensitive) or a security question answer. Worse, the regex
secrets?(question) also matches secretQuestionAnswer, which is
clearly sensitive. Drop it to avoid false negatives.
 2026-04-04 21:58:32 +08:00
MarkLee131
345b842edc Java: add RegexpCheckBarrier to trust-boundary-violation sanitizers 
The trust-boundary-violation query only recognized OWASP ESAPI validators
as sanitizers. ESAPI is rarely used in modern Java projects, while regex
validation via String.matches() and @javax.validation.constraints.Pattern
is the standard approach in Spring/Jakarta applications.

RegexpCheckBarrier already exists in Sanitizers.qll and is used by other
queries (e.g., RequestForgery). This wires it into TrustBoundaryConfig,
so patterns like input.matches("[a-zA-Z0-9]+") and @Pattern annotations
are recognized as sanitizers, consistent with the existing ESAPI treatment.
 2026-04-04 21:36:37 +08:00
MarkLee131
f338ded349 Java: treat hash/encrypt/digest methods as sensitive-log sanitizers 
The sensitive-log query (CWE-532) lacked sanitizers for hashed or
encrypted data, while the sibling cleartext-storage query (CWE-312)
already recognized methods with "encrypt", "hash", or "digest" in their
names as sanitizers (CleartextStorageQuery.qll:86).

This adds an EncryptionBarrier to SensitiveLoggingQuery that applies the
same name-based heuristic, making the two queries consistent. Calls like
DigestUtils.sha256Hex(password) or hashPassword(secret) are no longer
flagged when their results are logged.
 2026-04-04 21:35:36 +08:00
MarkLee131
20cfe29199 Java: reduce false positives in sensitive-log by expanding FP exclusion regex 
The getCommonSensitiveInfoFPRegex() only excluded "null", "tokenizer", and
"tokenImage", causing widespread false positives for common non-sensitive
variable names containing "token" or "secret".

This adds exclusions for three categories:
- Pagination/iteration tokens: nextToken (AWS SDK), pageToken (GCP),
  continuationToken (Azure), etc.
- Token metadata: tokenType (OAuth), tokenEndpoint (OIDC), tokenCount,
  tokenIndex, tokenLength, tokenUrl, etc.
- Secret metadata: secretName (K8s/AWS), secretId (Azure),
  secretVersion, secretArn, secretPath, etc.

All truly sensitive variable names (accessToken, clientSecret, secretKey,
refreshToken, etc.) remain correctly flagged.
 2026-04-04 21:33:35 +08:00
MarkLee131
9ff4ed286f Java: recognize Path.toRealPath() as path normalization sanitizer 
PathNormalizeSanitizer recognized Path.normalize() and
File.getCanonicalPath()/getCanonicalFile(), but not Path.toRealPath().

toRealPath() is strictly stronger than normalize() (resolves symlinks
and verifies file existence in addition to normalizing ".." components),
and is functionally equivalent to File.getCanonicalPath() for the NIO.2
API. CERT FIO16-J and OWASP both recommend it for path traversal defense.

This adds toRealPath to PathNormalizeSanitizer alongside normalize,
reducing false positives for code using idiomatic NIO.2 path handling.
 2026-04-04 20:59:45 +08:00
Mario Campos
fb8b5699f2 Merge pull request #21639 from github/mario-campos/test-go-registries 
Add tests for multiple Git sources and GoProxy servers in registry config parsing
 2026-04-02 11:12:51 -05:00
Kristen Newbury
41714656ec Adjust alert messages actions CWE-829 2026-04-02 11:58:58 -04:00
Kristen Newbury
e69e30aa84 Adjust alert messages CWE-829/ArtifactPoisoning[Critical|Medium] 2026-04-02 11:32:37 -04:00
Mario Campos
fb871cdfb8 Add tests for multiple Git sources and GoProxy servers in registry config parsing 2026-04-02 10:12:48 -05:00
Paolo Tranquilli
cedacc91db Merge pull request #21583 from github/redsun82/update-kotlin-2.3.20 
Kotlin: update to 2.3.20
 2026-04-02 15:58:22 +02:00
Jeroen Ketema
87f9b9581e Actions: Add change note 2026-04-02 15:48:45 +02:00
Jeroen Ketema
47409d1c59 Actions: Update expected test results 2026-04-02 15:43:49 +02:00
Jeroen Ketema
74e6d3474d Actions: Correctly check permissions in actions/missing-workflow-permissions 2026-04-02 15:42:45 +02:00
Jeroen Ketema
5866bcc881 Actions: Add FP test for actions/missing-workflow-permissions 2026-04-02 15:41:41 +02:00
Geoffrey White
cc89b6ea91 C++: Change note. 2026-04-02 11:52:37 +01:00
Geoffrey White
70b72f70e1 C++: Upgrade query precision. 2026-04-02 11:52:36 +01:00
Geoffrey White
56af9a84ab Update cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp 2026-04-02 11:40:51 +01:00
Geoffrey White
9eabfc5fdc Update cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql 
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
 2026-04-02 11:39:45 +01:00
Geoffrey White
e83658ed06 C++: Upgrade query precision. 2026-04-02 11:38:09 +01:00
Geoffrey White
2d02056e5c C++: Second change note. 2026-04-02 11:34:54 +01:00
Geoffrey White
9dbbdef4cb C++: Change note. 2026-04-02 11:30:52 +01:00
Geoffrey White
520e95d92c C++: Upgrade query precision. 2026-04-02 11:30:34 +01:00
Geoffrey White
909b55a40a C++: Change note. 2026-04-02 11:28:34 +01:00