hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-18 16:03:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
36,554 Commits 1,692 Branches 160 Tags
codeql-cli/v2.9.2
Commit Graph

36554 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Erik Krogh Kristensen
60920c1ecc require that the URL refers to graphql in some way 2021-06-15 09:53:32 +02:00
Erik Krogh Kristensen
416c986cbc add support for graphql in @actions/github 2021-06-15 09:43:11 +02:00
Asger Feldthaus
53bef94b75 JS: Extractor version bump 2021-06-15 09:34:54 +02:00
Tom Hvitved
3a37e321d5 Merge pull request #205 from github/hvitved/taint-tracking 
Initial taint-tracking library
 2021-06-15 09:30:59 +02:00
Cornelius Riemenschneider
0ebf53b9df Merge pull request #6073 from geoffw0/loc 
C++: Add lines of user code query
 2021-06-15 09:18:46 +02:00
Tom Hvitved
5a9521372b Merge pull request #206 from github/tausbn/fix-identical-files 2021-06-15 07:31:07 +02:00
jorgectf
c948970181 resolve merge conflicts 2021-06-15 01:24:04 +02:00
jorgectf
1662c5d113 resolve merge conflict 2021-06-15 01:22:11 +02:00
Mathias Vorreiter Pedersen
14a04ee453 C++: Accept more test changes. These all arise because we now transitively pull in 'semmle.code.cpp.Print' when including 'cpp'. 2021-06-14 22:02:46 +02:00
Mathias Vorreiter Pedersen
cc6ae7f8b8 Merge branch 'main' into path-sensitive-stack-variable-reachability-analysis 2021-06-14 22:02:46 +02:00
Mathias Vorreiter Pedersen
714ad105fe C++: Accept test changes. 2021-06-14 22:02:38 +02:00
Mathias Vorreiter Pedersen
79926788d1 C++: Fix non-monotonic recursion problems in 'StackVariableReachabilityWithReassignment' by using the old StackVariableReachability predicates that don't care about paths. 2021-06-14 22:00:17 +02:00
Mathias Vorreiter Pedersen
c32f72063f C++: Add path sensitivity to StackVariableReachability. 2021-06-14 21:59:13 +02:00
Shati Patel
cce8eac0a7 Merge pull request #5946 from shati-patel/vscode-custom-logs 
Docs: Describe custom log directory setting in VS Code extension
 2021-06-14 20:30:54 +01:00
Taus
2bbcbb2200 Bump submodule pointer 2021-06-14 19:04:22 +00:00
Aditya Sharad
75ed7c0568 Merge pull request #6014 from github/docs-4179-legacy-tools 
Remove docs about legacy tools
 2021-06-14 11:50:18 -07:00
Tom Hvitved
302b485f4c Merge pull request #204 from github/hvitved/cfg-nodes-perf 
Improve performance of `ExprChildMapping::reachesBasicBlock()`
 2021-06-14 20:14:17 +02:00
Taus
068b980517 Update identical-files.json 
As of https://github.com/github/codeql/pull/6063 we have now started using the shared type tracking library in Python as well. 🎉
 2021-06-14 19:01:24 +02:00
Taus
c6c9a5110a Merge pull request #6063 from tausbn/python-promote-type-tracking-library 
Python: Promote shared type tracking library
 2021-06-14 18:56:03 +02:00
Geoffrey White
d7db18213d C++: Add a generated file to the test. 2021-06-14 16:21:30 +01:00
Geoffrey White
1e1ae27974 C++: Test the new query. 2021-06-14 16:06:20 +01:00
Geoffrey White
e71264d1d2 C++: Lines of user code query. 2021-06-14 16:03:16 +01:00
Tom Hvitved
6b63e032a9 C#: Populate labels earlier 2021-06-14 15:17:33 +02:00
Rasmus Wriedt Larsen
d19bc1252b Python: limit size of extraStepForCalls predicate 
On django/django, this reduced the number of results in
`extraStepForCalls` from 201,283 to 541
 2021-06-14 15:06:42 +02:00
shati-patel
17f9aecab8 Docs: Update setting in CodeQL for VS Code 2021-06-14 13:38:06 +01:00
Rasmus Wriedt Larsen
cc311ac4cd Python: Re-introduce syntactic handling of str/bytes/unicode (again) 
This reverts commit 870389addb.
 2021-06-14 14:23:12 +02:00
Rasmus Wriedt Larsen
870389addb Revert "Python: Re-introduce syntactic handling of str/bytes/unicode" 
This reverts commit c4987e94e0.

Hoping that our new handling of builtins would solve this problem... but
it did not :|
 2021-06-14 14:22:40 +02:00
Tom Hvitved
8aa337ab01 Initial taint-tracking library 2021-06-14 14:19:34 +02:00
Rasmus Wriedt Larsen
af13064f6a Merge branch 'main' into pr/RasmusWL/5926 2021-06-14 14:17:33 +02:00
Rasmus Wriedt Larsen
4eed94a262 Python: Fix CWE tag for py/use-of-input 
So it better matches what is in `py/code-injection`. I had my doubts
about CWE-95, but after reading
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection
I think it's fine to add CWE-95 as well 👍

Definitions are:

CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
Code ('Eval Injection')
 2021-06-14 14:08:34 +02:00
Asger Feldthaus
c58942092f JS: Add change note 2021-06-14 13:43:11 +02:00
Asger Feldthaus
bc375196d1 JS: Extract script tags with lang=tsx 2021-06-14 13:40:53 +02:00
Joe Farebrother
36cb207600 Increase precision of tests to test value flow 2021-06-14 11:20:07 +01:00
Tom Hvitved
b154c936c3 Improve performance of ExprChildMapping::reachesBasicBlock() 
Since all expressions are now post-order, the logic of `reachesBasicBlock` can
be simplified, and performance can be improved as well.
 2021-06-14 11:58:24 +02:00
Owen Mansel-Chan
5e89fce734 Avoid strange bug by commenting out two tests 2021-06-14 10:57:28 +01:00
CodeQL CI
02c017afec Merge pull request #6058 from RasmusWL/more-aiohttp 
Approved by yoff
 2021-06-14 02:56:59 -07:00
Owen Mansel-Chan
8cf47f12b4 Model constructors of classes implementing MultivaluedMap 2021-06-14 10:56:35 +01:00
Felicity Chapman
60b4669813 Remove sentence about legacy tools 2021-06-14 08:41:28 +01:00
luchua-bc
6a2c7d54cd Enhance the query to check more scenarios 2021-06-14 03:24:16 +00:00
Taus
6333752014 Python: Add getAMethodCall to LocalSourceNode 
This seems like something we have been missing for a while now, so I
figured it might be useful to add. It is roughly based on the JavaScript
equivalent, with one major difference: in the JavaScript libraries,
`getAMethodCall` is reserved for syntactic method calls (`obj.m(...)`)
whereas `getAMemberInvocation` is used for both this and the case where
the bound method `obj.m` is stored in a temporary variable and then
subsequently invoked in the same local scope.

It seems to me that the more general predicate is more useful, and hence
should have the simpler name. (And also we don't really work with a
notion of "invocation" in the Python libraries, so we would need a
better name for it anyway.)

I think as long as the documentation makes the behaviour clear, it
should be okay.
 2021-06-11 21:26:58 +00:00
Taus
8016715fb6 Python: Add missing QLDoc 2021-06-11 20:35:58 +00:00
Taus
3869ab76d1 Python: Promote shared type tracking library 
This was slightly messier than anticipated, as I hadn't accounted for
the dozen uses of `startInAttr` in our codebase. To circumvent this,
I decided to put the type tracking implementation in the `internal`
directory, and wrap it with a file that ensures the old interface still
works.
 2021-06-11 20:20:22 +00:00
Jonas Jensen
e23b88b7f1 Merge pull request #6052 from jsinglet/jsinglet/stdtypes 
Implementation of standard C/C++ fixed width, minimum width, and maximum width types
 2021-06-11 17:03:01 +02:00
Calum Grant
85467adc5e Merge pull request #5839 from github/security-severities5 
Add security-severity scores
 2021-06-11 15:56:20 +01:00
John L. Singleton
8c6c011be2 Formatting fixes, comment moving. 2021-06-11 10:17:05 -04:00
Joe Farebrother
678597f3f9 Update CSV rows for collection flow 2021-06-11 15:08:27 +01:00
John L. Singleton
9c946a79c7 Update cpp/change-notes/2021-06-10-std-types.md 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2021-06-11 09:49:44 -04:00
Rasmus Wriedt Larsen
53f7633662 Python: Model await request.post() as MultiDictProxy 
as highlight as being quite easy to do by @yoff 👍
 2021-06-11 14:53:30 +02:00
Chris Smowton
76838809bb Merge pull request #5818 from artem-smotrakov/rmi-deserialization 
Java: Unsafe RMI deserialization
 2021-06-11 13:43:07 +01:00
yoff
97486b448a Merge pull request #5999 from RasmusWL/aiohttp-modeling 
Python: Add aiohttp.web modeling
 2021-06-11 14:26:52 +02:00