hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-09 19:51:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,689 Branches 160 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Sebastian Bauersfeld
f651bc3668 Adjust locations of results in JSP files. This is necessary due to known limitations in VSCode which cause locations with zero character indices to be mapped to invalid ranges. This is hopefully a temporary workaround until this problem has been properly addressed. 2021-10-07 12:45:21 +07:00
Dave Bartolomeo
d8d9073bc2 Merge pull request #6826 from github/aeisenberg/add-library 2021-10-06 20:18:39 -04:00
Andrew Eisenberg
e2b1f6ac50 Packaging: Add library flag to upgrades packs 
This flag was missing. It should be there. Otherwise, this
pack cannot be built.
 2021-10-06 14:29:55 -07:00
Nick Rolfe
ffda527da9 Tidy up 2021-10-06 18:07:29 +01:00
Dave Bartolomeo
0452512de2 Merge pull request #6820 from github/aeisenberg/gitignore 
Ignore .codeql folder
 2021-10-06 12:59:45 -04:00
Chris Smowton
f88c8a64a1 Copyedit 2021-10-06 17:37:21 +01:00
Chris Smowton
b33daa3d3a Update Intent model tests, and fix models where required 2021-10-06 17:09:47 +01:00
Chris Smowton
4be2347a30 Adapt to use the new shared Intent models 2021-10-06 16:15:18 +01:00
Henry Mercer
83cbc86f50 JS: Move ClassifyFiles.qll to library pack 
This allows us to use this library in packs that depend on the
`codeql/javascript-all` library pack.
 2021-10-06 16:08:06 +01:00
Andrew Eisenberg
c9c45808b4 Merge pull request #6819 from github/aeisenberg/javascript/fix-compile-errors 
Fixes compile errors by moving files
 2021-10-06 07:59:50 -07:00
Tom Hvitved
953821c443 Avoid potential tuple explosion in reverse type tracking 2021-10-06 15:21:43 +02:00
Tom Hvitved
fdf1cd38fd Data flow: Add a synthetic return node 2021-10-06 15:21:43 +02:00
Nick Rolfe
1ce458fa33 Add query to find HTTP requests that disable SSL validation 2021-10-06 14:06:09 +01:00
Chris Smowton
91d8b3da23 Sort Intent models 2021-10-06 12:30:40 +01:00
Chris Smowton
f24e310ace Update test expectation details 2021-10-06 12:25:23 +01:00
Chris Smowton
ffdfc0549a Update comment 2021-10-06 12:17:49 +01:00
luchua-bc
987bfa6ca7 Update condition check and qldoc 2021-10-06 12:17:49 +01:00
luchua-bc
8c2fddb297 Update the condition check and use DataFlow in the ql file 2021-10-06 12:17:49 +01:00
Chris Smowton
b0e652a3af Remove AsyncTask models 2021-10-06 12:17:49 +01:00
Chris Smowton
9e0cf5a2fd Update test expectations to include subpaths 2021-10-06 12:17:49 +01:00
Chris Smowton
3607d50994 Update remote flow source locations 2021-10-06 12:17:46 +01:00
luchua-bc
02bfa1ca57 Optimize the query 2021-10-06 12:16:04 +01:00
luchua-bc
0621e65827 Query to detect exposure of sensitive information from android file intent 2021-10-06 12:16:04 +01:00
Dave Bartolomeo
91b2ee2f10 Merge pull request #6822 from github/lgtm.com 
Make sure the lgtm.com branch is an ancestor of rc/3.3
 2021-10-06 06:58:13 -04:00
Geoffrey White
4c6f4ef14b Revert "C++: change note" and "C++: Exclusion rules for system macros" 
This reverts commit a055c86c4f.
This reverts commit 237a7d34b8.
 2021-10-06 10:21:19 +01:00
Harry Maclean
c50a6c180f Merge pull request #318 from github/hmac-open-query 
Add a query for uses of `Kernel.open` and `IO.read`
 2021-10-06 10:05:43 +01:00
Anders Schack-Mulligen
d0b307ecfb Merge pull request #6103 from atorralba/atorralba/promote-insecure-javamail 
Java: Promote Insecure JavaMail SSL Configuration from experimental
 2021-10-06 09:24:11 +02:00
Anders Schack-Mulligen
9505846088 Merge pull request #6821 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2021-10-06 09:06:14 +02:00
github-actions[bot]
33ee947f8d Add changed framework coverage reports 2021-10-06 00:08:24 +00:00
Andrew Eisenberg
57ef989a89 Fixes compile errors by moving files 
The two files moved in this commit are referenced from the
javascript/lib qlpack, but they are located in the
javascript/src qlpack. This causes compile errors when running
compile-ish commands for javascript queries. Moving the
files fixes it.
 2021-10-05 14:00:02 -07:00
Andrew Eisenberg
0590e2a5fb Ignore .codeql folder 2021-10-05 13:42:36 -07:00
Chris Smowton
5b13232a9d Merge pull request #6739 from joefarebrother/android-intent-extra 
Java: Model Android Bundle and Intent extras methods
 2021-10-05 15:39:42 +01:00
Tom Hvitved
1d1215923c Merge pull request #323 from github/hvitved/get-value-text 
Introduce `Expr::getValueText`
 2021-10-05 14:26:25 +02:00
Harry Maclean
7bf818fdf5 Refactor KernelMethodCall modelling 
By extending `DataFlow::CallNode` instead of `MethodCall`, we get rid of
a lot of `.asExpr().getExpr()` calls.
 2021-10-05 12:26:59 +01:00
Anders Schack-Mulligen
9133adac30 Java: Adjust csv validation. 2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
04892df45a Java: Include stream method overrides. 2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
af7d633f2f Java: Add Stream::mapMulti* and Stream::toList. 2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
ef80263106 Java: Add models for java.util.stream. 2021-10-05 13:13:27 +02:00
Anders Schack-Mulligen
5d63a76e25 Merge pull request #6797 from Marcono1234/marcono1234/remove-overwritten-NestedType-isStatic-qldoc 
Java: Remove overwritten `NestedType.isStatic()` QLDoc
 2021-10-05 13:05:53 +02:00
Joe Farebrother
b956238efa Fill in gen/get methods for tests 2021-10-05 12:01:25 +01:00
Harry Maclean
232fb9ad5b Add cwe-073 tag to KernelOpen query 
CWE-073 is External Control of File Name or Path, which applies here.
 2021-10-05 11:13:58 +01:00
Harry Maclean
6f293c7a5e Add a query for uses of Kernel.open and IO.read 2021-10-05 11:13:58 +01:00
Harry Maclean
0fcb079ba7 Merge pull request #326 from github/hmac/eval-fixes 
Make Code execution query more specific
 2021-10-05 10:57:54 +01:00
Calum Grant
a95b87dfcb Update CONTRIBUTING guidelines 2021-10-05 10:48:34 +01:00
Calum Grant
d8a19ecd6e Initial version of CONTRIBUTING from codeql-go 2021-10-05 10:30:22 +01:00
Calum Grant
d8209719e1 Moved developer information into its own doc 2021-10-05 10:28:40 +01:00
Harry Maclean
e419fc9599 Make Code execution query more specific 
Only the first argument to eval, instance_eval, send, class_send and
module_send is interpreted as Ruby code.
 2021-10-05 10:28:34 +01:00
haby0
a17b0d4e5c Modify Sanitizer 2021-10-05 17:12:04 +08:00
Mathias Vorreiter Pedersen
b089e6d84e C++/C#: Fix QLDoc of 'CopyInstruction'. 2021-10-05 09:14:20 +01:00
Asger Feldthaus
3a20ca96c4 JS: Update CWE tags and severity score of code injection query 
The derived security-severity score of the JS code injection query
was much lower than for other languages (6.1 versus 9.3), possibly due
some differences in CWE tags, such as the inclusion of CWE-079.

We also add the more specific CWE-095 ("eval injection") for consistency
with other languages. It is a child of CWE-094 ("code injection") which
was already tagged.
 2021-10-05 10:12:19 +02:00