hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-24 00:16:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,884 Commits 1,714 Branches 163 Tags
codeql-cli/v2.8.5
Commit Graph

33884 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
CodeQL CI
170a069657 Merge pull request #6403 from asgerf/js/handlebars-extraction 
Approved by erik-krogh
 2021-08-25 13:54:52 +01:00
Nick Rolfe
bc06817611 Add ERB comment as regression test for parsing bug 2021-08-25 12:43:33 +01:00
Nick Rolfe
289b59d3b0 Bump tree-sitter versions to pick up parsing fixes 
Particularly, in tree-siter-embedded-template
 2021-08-25 11:58:56 +01:00
Fosstars
f97c8bb049 Removed sanitizer in StaticInitializationVectorConfig 2021-08-25 12:40:48 +02:00
Fosstars
86b7b2b86d Updated qldoc for ArrayUpdate 2021-08-25 12:14:36 +02:00
Fosstars
c80a1da483 Don't consider copyOf() and clone() in ArrayUpdate 2021-08-25 12:11:34 +02:00
Tom Hvitved
ab2bc38789 C#: Use shared logic in NodeGraph.ql test 2021-08-25 11:35:12 +02:00
Tom Hvitved
d405284d36 C#: Make CFG library shared 2021-08-25 11:35:11 +02:00
Asger Feldthaus
87843a3794 JS: Autoformatttt 2021-08-25 10:37:37 +02:00
Tom Hvitved
01f7fdfea5 C#: Update call-context data-flow tests 2021-08-25 10:34:53 +02:00
Erik Krogh Kristensen
c664d7cfb3 add a getMaybePromisifiedCall method in API graphs, and use it to model child_process 2021-08-25 10:27:09 +02:00
Rasmus Wriedt Larsen
605bd19306 Python: Add CWE-328 to py/weak-sensitive-data-hashing 
Reading over the description at https://cwe.mitre.org/data/definitions/328.html:

> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

For the data that does not require computationally expensive hashing, that will be the exactly problems that this query finds 👍 (that is, MD5, SHA1)
 2021-08-25 10:19:22 +02:00
Jonas Jensen
abdf993e47 Merge pull request #6537 from andersfugmann/implicit_downcast_involving_references 
Implicit downcast involving references
 2021-08-25 09:45:32 +02:00
Anders Peter Fugmann
67a267d971 Update cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2021-08-25 08:58:44 +02:00
Andrew Eisenberg
e23df94748 Packaging: Fix identical files script 2021-08-24 16:12:43 -07:00
Andrew Eisenberg
8f73c6968a Merge pull request #6542 from github/aeisenberg/pack/move-external 
Java: Move the ExternalArtifact.qll module to the library pack
 2021-08-24 16:07:26 -07:00
yo-h
2b4635c4e0 Merge pull request #6539 from smowton/smowton/admin/downgrade-sql-unescaped 
Downgrade precision of java/concatenated-sql-query
 2021-08-24 17:22:01 -04:00
Andrew Eisenberg
3660c64328 Packaging: Rafactor Python core libraries 
Extract the external facing `qll` files into the codeql/python-all
query pack.
 2021-08-24 13:23:45 -07:00
Andrew Eisenberg
7f3066cd64 Java: Move the ExternalArtifact.qll module to the library pack 2021-08-24 13:01:02 -07:00
Chris Smowton
2689c13bde Merge pull request #6485 from Marcono1234/marcono1234/field-initializer-fix 
Java: Fix Field.getInitializer() matching non-initializer assignments
 2021-08-24 20:52:02 +01:00
Alex Ford
abc283ee8a remove ErbFile refs 2021-08-24 17:22:35 +01:00
Alex Ford
e403fc77d3 tests 2021-08-24 17:21:22 +01:00
Alex Ford
d628716c42 extend ActionController tests 2021-08-24 17:21:22 +01:00
Alex Ford
41ff10c908 extend modelling of ActionController, and start modelling ActionView 2021-08-24 17:21:22 +01:00
Geoffrey White
8f38ab0116 Merge pull request #6540 from jbj/ctime-weaken-claims 
C++:Lower potentially-dangerous-function precision
 2021-08-24 17:01:23 +01:00
Jonas Jensen
19ee64d9ad C++:Lower potentially-dangerous-function precision 
There have been multiple reports of false positives from this query over
time. Now that it has `@security-severity 10.0`, these false positives
look even worse.

The query looks purely for calls to functions with certain names, not
at whether the calls happen in a dangerous context. To justify a higher
precision, the query should only flag calls that happen in a thread or
another non-reentrant context.
 2021-08-24 17:14:42 +02:00
yoff
2f5ed03798 Merge pull request #6323 from RasmusWL/sec-test-layout 
Python: Restructure security tests to contain query name
 2021-08-24 16:50:08 +02:00
Rasmus Lerchedahl Petersen
e865a290de Python: straight port of query 
The old query uses `pointsTo` to limit the sinks
to methods on lists and dictionaries.
That constraint is omitted here which could hurt performance.
 2021-08-24 16:35:11 +02:00
Rasmus Lerchedahl Petersen
e3765ced78 Python: Add tests for modification of defaults 2021-08-24 16:35:11 +02:00
Nick Rolfe
5e783e4798 Implement getPrimaryQlClasses 2021-08-24 14:49:56 +01:00
Chris Smowton
5a2dfda09e Add test for field initializers 2021-08-24 14:04:45 +01:00
Marcono1234
c8d98ae649 Java: Fix Field.getInitializer() matching non-initializer assignments 2021-08-24 14:04:44 +01:00
Asger Feldthaus
8a564cc64b JS: Fix qldoc 2021-08-24 14:31:00 +02:00
Asger F
8f8a46848d Update javascript/ql/src/semmle/javascript/frameworks/Templating.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2021-08-24 14:16:41 +02:00
CodeQL CI
c66a34be9c Merge pull request #6533 from erik-krogh/cwdPath 
Approved by asgerf
 2021-08-24 13:10:38 +01:00
CodeQL CI
c0e8680c81 Merge pull request #6534 from erik-krogh/fallbackEntry 
Approved by asgerf
 2021-08-24 11:38:25 +01:00
Erik Krogh Kristensen
99d7e8b953 add change note 2021-08-24 12:35:20 +02:00
Chris Smowton
7f73efe3e1 Downgrade precision of java/concatenated-sql-query 2021-08-24 10:46:01 +01:00
Rasmus Wriedt Larsen
ca341bde08 Merge pull request #5612 from jty-team/jty/python/nosqlInjection 
Python: CWE-943 - Add NoSQL injection query
 2021-08-24 11:29:25 +02:00
Anders Fugmann
6b66f5dbb4 C++: Add change note for implicit downcasting involving references 2021-08-24 10:26:25 +02:00
Anders Fugmann
6d4b7c828c C++: Remove superfluous 'and any()' 2021-08-24 09:37:39 +02:00
Ian Lynagh
43355feaeb Merge pull request #6536 from github/igfoo/getPrimaryQlClasses 
All languages: Add getPrimaryQlClasses()
 2021-08-23 19:49:37 +01:00
Geoffrey White
bc9994774a Merge pull request #6515 from MathiasVP/clarify-initialization-vs-assignment-in-docs 
C++: Clarify difference between 'Initializer' and 'Assignment'.
 2021-08-23 18:00:36 +01:00
Ian Lynagh
1e06808105 Update cpp/change-notes/2021-08-23-getPrimaryQlClasses.md 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2021-08-23 16:52:07 +01:00
Chris Smowton
57d44b8a40 Merge pull request #6538 from atorralba/atorralba/fix-test-generator-qlpack 
Java: Adapt test generator to new qlpack name
 2021-08-23 15:57:38 +01:00
Ian Lynagh
a9db1c52e5 All languages: Add getPrimaryQlClasses() 
This is a non-overridable predicate that concatenates all the
getAPrimaryQlClass() results into a comma-separated string.
 2021-08-23 15:49:10 +01:00
Shati Patel
2a51abdee3 Merge pull request #6523 from shati-patel/vscode-docs 
Docs: Minor tweaks to VS Code docs (query history + viewing results)
 2021-08-23 15:06:09 +01:00
Tony Torralba
1ee2f6f207 Adapt test generator to new package name 2021-08-23 16:05:13 +02:00
Erik Krogh Kristensen
38477d7d2e Merge pull request #6462 from erik-krogh/repeat 
JS: support more regular expressions in js/incomplete-multi-character-sanitization
 2021-08-23 15:39:31 +02:00
Shati Patel
1dc18c4f9c Update docs/codeql/codeql-for-visual-studio-code/analyzing-your-projects.rst 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2021-08-23 14:37:51 +01:00