hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
23,207 Commits 1,673 Branches 157 Tags
dee93783a290b0067500e15bc768d9536073f526
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Rasmus Wriedt Larsen dee93783a2 Python: Update .expected for py/weak-sensitive-data-hashing 
Now there is a path from the _imports_ of the functions that would
return sensitive data, so we produce more alerts.

I'm not entirely happy about this "double reporting", but I'm not sure
how to get around it without either:

1. disabling the extra taint-step for calls. Not ideal since we would
   loose good sources.
2. disabling the extra sources based on function name. Not ideal since
   we would loose good sources.
3. disabling the extra sources based on function name, for those calls
   that would be handled with the extra taint-step for calls. Not ideal
   since that would require running the data-flow query initially to
   prune these out :|

So for now, I think the best approach is to accept some risk on this,
and ship to learn :)
2021-06-11 13:56:55 +02:00
.devcontainer
Update devcontainer memory settings
2020-09-02 12:04:34 -07:00
.github
Temporarily disable CSV coverage PR file comparison step
2021-06-03 08:17:28 +02:00
.vscode
Apply suggestions from code review
2021-03-11 15:57:44 +01:00
change-notes
Python: Update change notes for 1.26
2020-12-02 14:01:46 +01:00
config
Merge pull request #5854 from dbartol/dbartol/smart-pointers/side-effects
2021-06-01 16:57:05 +02:00
cpp
C++: Match the join order from before #5522.
2021-06-09 15:02:31 +02:00
csharp
C++: Match the join order from before #5522.
2021-06-09 15:02:31 +02:00
docs
Update wording
2021-06-09 15:54:57 +01:00
java
Merge pull request #5823 from atorralba/promote-jexl-injection
2021-06-07 10:03:12 +02:00
javascript
Merge pull request #6035 from erik-krogh/joi
2021-06-09 04:42:54 -07:00
misc
Improve error reporting in CI check for CSV coverage report comparison
2021-05-31 09:52:14 +02:00
python
Python: Update .expected for py/weak-sensitive-data-hashing
2021-06-11 13:56:55 +02:00
.codeqlmanifest.json
Replace an odd queries.xml with qlpack.yml
2021-06-06 09:04:18 -04:00
.editorconfig
Normalize all text files to LF
2018-09-23 16:24:31 -07:00
.gitattributes
.gitattributes: PDB files are binary
2019-03-13 10:42:28 +00:00
.gitignore
add .venv/ to .gitignore
2021-01-22 14:44:18 +01:00
.lgtm.yml
JS: Exclude test cases from extraction
2019-05-07 14:36:35 +01:00
CODE_OF_CONDUCT.md
Update code of conduct in line with GH
2020-04-23 10:19:13 +01:00
CODEOWNERS
Add @codeql-go as code owners for the shared data-flow library files
2021-03-02 10:39:47 +00:00
CONTRIBUTING.md
Fix dead link in CONTRIBUTING.md
2021-03-11 13:36:19 +01:00
LICENSE
Relicense under MIT
2020-04-07 12:03:26 +01:00
README.md
Docs: Rename default branch
2020-08-14 12:03:00 +01:00

README.md

CodeQL

This open source repository contains the standard CodeQL libraries and queries that power LGTM and the other CodeQL products that GitHub makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the CodeQL for Go repository.

How do I learn CodeQL and run queries?

There is extensive documentation on getting started with writing CodeQL. You can use the interactive query console on LGTM.com or the CodeQL for Visual Studio Code extension to try out your queries on any open source project that's currently being analyzed.

Contributing

We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our contributing guidelines. You can also consult our style guides to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.

License

The code in this repository is licensed under the MIT License by GitHub.

Visual Studio Code integration

If you use Visual Studio Code to work in this repository, there are a few integration features to make development easier.

CodeQL for Visual Studio Code

You can install the CodeQL for Visual Studio Code extension to get syntax highlighting, IntelliSense, and code navigation for the QL language, as well as unit test support for testing CodeQL libraries and queries.

Tasks

The .vscode/tasks.json file defines custom tasks specific to working in this repository. To invoke one of these tasks, select the Terminal | Run Task... menu option, and then select the desired task from the dropdown. You can also invoke the Tasks: Run Task command from the command palette.

Description
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
codeqlgithub-advanced-securitygithub-security-labsemmle-qlworks-with-codespaces
Readme MIT 15 GiB
Languages
CodeQL 31.7%
Kotlin 27.1%
C# 16.4%
Java 7.5%
Python 4.5%
Other 12.6%