github-actions[bot]
33ee947f8d
Add changed framework coverage reports
2021-10-06 00:08:24 +00:00
Andrew Eisenberg
57ef989a89
Fixes compile errors by moving files
...
The two files moved in this commit are referenced from the
javascript/lib qlpack, but they are located in the
javascript/src qlpack. This causes compile errors when running
compile-ish commands for javascript queries. Moving the
files fixes it.
2021-10-05 14:00:02 -07:00
Andrew Eisenberg
0590e2a5fb
Ignore .codeql folder
2021-10-05 13:42:36 -07:00
Chris Smowton
5b13232a9d
Merge pull request #6739 from joefarebrother/android-intent-extra
...
Java: Model Android Bundle and Intent extras methods
2021-10-05 15:39:42 +01:00
Tom Hvitved
1d1215923c
Merge pull request #323 from github/hvitved/get-value-text
...
Introduce `Expr::getValueText`
2021-10-05 14:26:25 +02:00
Harry Maclean
7bf818fdf5
Refactor KernelMethodCall modelling
...
By extending `DataFlow::CallNode` instead of `MethodCall`, we get rid of
a lot of `.asExpr().getExpr()` calls.
2021-10-05 12:26:59 +01:00
Anders Schack-Mulligen
9133adac30
Java: Adjust csv validation.
2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
04892df45a
Java: Include stream method overrides.
2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
af7d633f2f
Java: Add Stream::mapMulti* and Stream::toList.
2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
ef80263106
Java: Add models for java.util.stream.
2021-10-05 13:13:27 +02:00
Anders Schack-Mulligen
5d63a76e25
Merge pull request #6797 from Marcono1234/marcono1234/remove-overwritten-NestedType-isStatic-qldoc
...
Java: Remove overwritten `NestedType.isStatic()` QLDoc
2021-10-05 13:05:53 +02:00
Joe Farebrother
b956238efa
Fill in gen/get methods for tests
2021-10-05 12:01:25 +01:00
Harry Maclean
232fb9ad5b
Add cwe-073 tag to KernelOpen query
...
CWE-073 is External Control of File Name or Path, which applies here.
2021-10-05 11:13:58 +01:00
Harry Maclean
6f293c7a5e
Add a query for uses of Kernel.open and IO.read
2021-10-05 11:13:58 +01:00
Harry Maclean
0fcb079ba7
Merge pull request #326 from github/hmac/eval-fixes
...
Make Code execution query more specific
2021-10-05 10:57:54 +01:00
Calum Grant
a95b87dfcb
Update CONTRIBUTING guidelines
2021-10-05 10:48:34 +01:00
Calum Grant
d8a19ecd6e
Initial version of CONTRIBUTING from codeql-go
2021-10-05 10:30:22 +01:00
Calum Grant
d8209719e1
Moved developer information into its own doc
2021-10-05 10:28:40 +01:00
Harry Maclean
e419fc9599
Make Code execution query more specific
...
Only the first argument to eval, instance_eval, send, class_send and
module_send is interpreted as Ruby code.
2021-10-05 10:28:34 +01:00
haby0
a17b0d4e5c
Modify Sanitizer
2021-10-05 17:12:04 +08:00
Mathias Vorreiter Pedersen
b089e6d84e
C++/C#: Fix QLDoc of 'CopyInstruction'.
2021-10-05 09:14:20 +01:00
Asger Feldthaus
3a20ca96c4
JS: Update CWE tags and severity score of code injection query
...
The derived security-severity score of the JS code injection query
was much lower than for other languages (6.1 versus 9.3), possibly due to
some differences in CWE tags, such as the inclusion of CWE-079.
We also add the more specific CWE-095 ("eval injection") for consistency
with other languages. It is a child of CWE-094 ("code injection") which
was already tagged.
2021-10-05 10:12:19 +02:00
Asger Feldthaus
c4e8af983a
JS: Update score and add CWE-730 to LoopBoundInjection
...
This is a denial-of-service query, but was missing the CWE-730 tag
("denial of service") and consequently had a lower score than the
other DoS queries.
2021-10-05 10:10:01 +02:00
Asger Feldthaus
682a71176d
JS: Make TaintedFormatString have same severity as LogInjection
...
The CWE number for this query is associated with buffer overflows
from printf/scanf-style functions in C++, which has likely determined
its derived security score.
But in JavaScript, a tainted format string is unlikely to lead to
anything worse than log injection so we're manually updating its score
to reflect this.
2021-10-05 10:10:01 +02:00
Asger Feldthaus
83ca4ef6d9
JS: Lower security-severity of queries with speculative threat model
...
In the CVSS calculator we model this by setting 'Attack Complexity' to
High and 'User Interaction' to Low (as opposed to None).
CVSS vector:
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
2021-10-05 10:10:01 +02:00
Tony Torralba
a86cbd884e
Apply suggestions from code review
...
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-10-05 09:40:22 +02:00
Tony Torralba
3323f7ab1a
Fix qhelp
2021-10-05 09:18:50 +02:00
Tony Torralba
9f54b1065a
Apply suggestions from code review
...
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2021-10-05 09:18:49 +02:00
Tony Torralba
9c1021134a
Add some links to qhelp
2021-10-05 09:18:49 +02:00
Tony Torralba
2d1278ece5
Consider setStartTLSRequired for Apache SimpleEmail
2021-10-05 09:18:48 +02:00
Tony Torralba
baffb0ed89
Consider Jakarta Mail
2021-10-05 09:18:47 +02:00
Tony Torralba
a2e9c2f4ab
Apply suggestions from code review
...
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-10-05 09:18:47 +02:00
Tony Torralba
c13bf2a2a1
Add change note
2021-10-05 09:18:46 +02:00
Tony Torralba
73653f77aa
Use InlineExpectationsTest
2021-10-05 09:18:45 +02:00
Tony Torralba
8c6d58e6d8
Refactored into libraries
2021-10-05 09:18:44 +02:00
Tony Torralba
0e149f0523
Move from experimental
2021-10-05 09:18:44 +02:00
CodeQL CI
40d98ad678
Merge pull request #6789 from asgerf/js/restrict-package-exports
...
Approved by erik-krogh
2021-10-05 06:20:23 +01:00
Aditya Sharad
9913221010
CLI docs: Add example for creating a database using a Bazel build command
...
We have internal material on this subject, so it makes sense to have a reference example.
Bazel builds could be in any compiled language, so follow the pattern
of the generic build script example.
Include the build flags that we recommend to customers,
which turn off Bazel's caching and distributed behaviour
so that CodeQL can observe the entire build.
2021-10-04 11:08:43 -07:00
yoff
f230a37004
Merge pull request #6804 from tausbn/python-fix-bad-magic-in-conditionblock-controls
...
Python: Fix bad magic in `controls/2`
2021-10-04 19:16:06 +02:00
Geoffrey White
11b8d4191f
C++: Repair .expected following merge.
2021-10-04 16:53:33 +01:00
Geoffrey White
2c64fa50d2
Merge branch 'main' into impropnullfp
2021-10-04 16:51:21 +01:00
Mathias Vorreiter Pedersen
7f7f90681f
Merge pull request #6808 from MathiasVP/add-cwes-to-incorrect-allocation-handling
...
C++: Add more CWEs to 'cpp/incorrect-allocation-error-handling'.
2021-10-04 17:02:08 +02:00
Marcono1234
0bce8234d8
Java: Remove overwritten NestedType.isStatic() QLDoc
...
Did not mention nested non-member interfaces and record classes.
The documentation of the overridden `isStatic()` predicate already mentions
that this predicate holds for explicitly and implicitly static elements, so
overwriting it is not necessary and only adds more maintenance work.
2021-10-04 16:30:57 +02:00
Anders Schack-Mulligen
745ece6e6d
Merge pull request #6613 from Marcono1234/marcono1234/literals-test-split
...
Java: Split literals tests
2021-10-04 16:20:08 +02:00
Mathias Vorreiter Pedersen
eac0222f2c
C++: Add more CWEs to 'cpp/incorrect-allocation-error-handling'.
2021-10-04 15:15:40 +01:00
Tom Hvitved
70e41b180e
Merge pull request #6800 from hvitved/csharp/constant-cond-tuple-discard
...
C#: Filter discards in tuples in `ConstantCondition.ql`
2021-10-04 14:38:45 +02:00
Tom Hvitved
9762ce706b
Merge pull request #6799 from hvitved/csharp/dead-store-using-discard
...
C#: Filter using `var _ = ... results` from `DeadStoreOfLocal.ql`
2021-10-04 14:38:15 +02:00
Chris Smowton
041aff6bfd
Merge pull request #6802 from atorralba/atorralba/fix-flowtestcasegenerator-folder
...
Java: Fix flow test case generator's folder name
2021-10-04 13:36:01 +01:00
Nick Rolfe
b955fdb58d
Merge pull request #324 from github/clippy_fixes
...
clippy fixes
2021-10-04 13:35:26 +01:00
Nick Rolfe
2a44cd8c98
Merge pull request #6803 from nickrolfe/cpp_upgrade_script
...
C++: add upgrade script for dbscheme comment changes
2021-10-04 13:31:13 +01:00