github
/
codeql-go
зеркало из https://github.com/github/codeql-go.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
1 040 коммитов 92 Ветки 49 Теги 23 MiB
Граф коммитов

1040 Коммитов

Автор SHA1 Сообщение Дата
Sauyon Lee 0b97e486a2
Fix one use of master in README 2020-08-07 08:49:57 -07:00
Max Schaefer 97291e4c41
Merge pull request #279 from github/rc/1.25 
Merge rc/1.25 into master
 2020-08-06 11:18:11 +01:00
Max Schaefer 90bab34e88
Merge pull request #277 from sauyon/file-url-fix 
autobuilder: Don't try to determine import paths for file URLs
 2020-08-06 09:46:10 +01:00
Sauyon Lee 8e6c1835dd
autobuilder: Don't try to determine import paths for file URLs 
Also improve logging
 2020-08-05 23:21:34 -07:00
Max Schaefer 4e409aa9fa
Merge pull request #274 from gagliardetto/standard-lib-pt-2 
Add taint tracking for bufio and bytes packages
 2020-08-05 17:10:08 +01:00
Slavomir df71f0bf8b Remove ReadByte, WriteByte, ReadRune, WriteRune 2020-08-04 17:53:50 +03:00
Slavomir ff81ad622f Fix back ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected 2020-08-04 17:22:40 +03:00
Slavomir c1f2e77488 Fix generated codeql 2020-08-04 17:11:55 +03:00
Slavomir 6b1bbf16aa Remove taint-tracking for objects that implement io.Reader 2020-08-04 16:01:30 +03:00
Slavomir 72254b7682 Fix ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected 2020-08-04 15:36:34 +03:00
Slavomir 3fd6062b3d Add taint-tracking for package "bytes" 2020-08-04 14:15:26 +03:00
Slavomir dd8e1243a2 Add bufio taint-tracking 2020-08-04 14:11:00 +03:00
Max Schaefer b057cbee7b
Merge pull request #256 from smowton/smowton/admin/cwe-327-cleanup 
Polish CWE-327 (weak TLS config) query
 2020-08-03 10:28:53 +01:00
Sauyon Lee 5de55d02d7
Merge pull request #273 from max-schaefer/unresolved-reference 
Speed up `unresolvedReference`.
 2020-08-02 22:31:13 -07:00
Max Schaefer f6da34b546 Speed up `unresolvedReference`. 2020-07-31 14:13:05 +01:00
Chris Smowton 7e65575e95
Merge pull request #272 from smowton/smowton/admin/fix-makefile-escaping 
Escape go-fmt file filter
 2020-07-30 20:05:04 +01:00
Chris Smowton 2a7754af59 Factor ErrorType out of two duplicate tests 2020-07-30 17:25:53 +01:00
Chris Smowton 4b6810eefc InsecureFeatureFlag: make getAFlag a member of FlagKind 2020-07-30 17:23:01 +01:00
Chris Smowton 7dd20107fe Insecure-TLS query: trivial style and typo fixes 2020-07-30 17:18:54 +01:00
Chris Smowton 3c1daf08f8 Escape go-fmt file filter 
This should have been looking for \.go$, but I forgot to escape the dollar sign in a Makefile
 2020-07-30 17:06:01 +01:00
Max Schaefer 2134757ebf
Merge pull request #261 from smowton/smowton/admin/cleanup-cwe-322 
Polish CWE-322: detect and exclude cases where host-checking is optional
 2020-07-30 10:38:57 +01:00
Chris Smowton cce3a70412 Insecure-TLS: restrict sources to potentially interesting integers. 2020-07-29 16:46:36 +01:00
Chris Smowton d7c0671ea1 Add test using SSH host-key checker factory knownhosts.New 
This produces a secure host-key checker; we assume by default that an opaque function not otherwise specified returns an acceptable checker, but we need to particularly cope with its multiple return values to handle this factory function.
 2020-07-29 16:30:51 +01:00
Chris Smowton d0e86f787d SSH host checking: Expand definition of a host-key checking function to include calls with multiple return types 
For example, https://godoc.org/golang.org/x/crypto/ssh/knownhosts#New returns a host-key checker and an error value, and we previously didn't consider the first return value a candidate checker function.
 2020-07-29 16:06:38 +01:00
Chris Smowton e89cd16cb1 Move query-specific flag definitions into their respective .ql files 2020-07-29 15:21:49 +01:00
Chris Smowton f31ed52943 Clean up InsecureFeatureFlag 
Move the flag regexes inline, use `any` instead of a constructor function to select a particular flag kind, and remove explicit limitation on the common superclass FlagKind.
 2020-07-29 15:15:50 +01:00
Chris Smowton f162a5be94 Promote CWE-322 out of experimental status 2020-07-29 14:43:47 +01:00
Chris Smowton 99f08750f3 Polish CWE-322: detect and exclude cases where host-checking is optional 2020-07-29 14:43:47 +01:00
Max Schaefer 2831ffdad0
Merge pull request #270 from smowton/smowton/cleanup/ricterz-libraries 
Add support for Gorm, Gorestful, Sqlx and Json-iterator
 2020-07-29 14:21:41 +01:00
Max Schaefer f8b8af5ac5
Merge pull request #269 from aibaars/lgtm-suites 
CodeQL: complete LGTM suites
 2020-07-29 07:19:41 +01:00
Arthur Baars 0db8ba881b CodeQL: complete LGTM suites 2020-07-28 20:36:53 +02:00
Chris Smowton abfae4365f Move CWE-327 out of experimental 2020-07-28 15:47:44 +01:00
Chris Smowton 026dc5c97f Add changelog notes regarding added library support 2020-07-28 14:57:14 +01:00
Chris Smowton 0e6feb923c Add test for json-iterator package, and support more of its API 
Specifically the top-level functions Unmarshal and UnmarshalFromString are just convenience wrappers around the type API, which is the usual documented way to use the library.
 2020-07-28 14:52:10 +01:00
Chris Smowton e19f476341 Add test for Sqlx 2020-07-28 14:52:10 +01:00
Chris Smowton f5caf7e9e2 Add test for Gorm 2020-07-28 14:52:10 +01:00
Chris Smowton a813607a76 go-restful model: Add support for ReadEntity method 2020-07-28 14:52:10 +01:00
Chris Smowton 3c4a1b90fe Add test for Go-restful 2020-07-28 14:52:10 +01:00
Chris Smowton b96546b0f8 Improve style of library models 2020-07-28 14:40:48 +01:00
Max Schaefer e9ae697d0d
Merge pull request #251 from gagliardetto/standard-lib-pt-1 
Add taint-tracking for archive/tar and archive/zip
 2020-07-28 14:27:02 +01:00
Chris Smowton 88cb435843 Split security flags into more distinct categories 
There are now three categories: general security or option flags, those related to TLS version selection, and those related to certificate configuration. The TLS and disabled-certificate-check queries use two categories each.
 2020-07-28 13:54:37 +01:00
Chris Smowton 3c244e2235 Insecure-TLS: remove obsolete TODO 
The case noted works fine.
 2020-07-28 13:04:16 +01:00
Chris Smowton 9b4e189374 Insecure-TLS: Use DataFlow::Node::getRoot, and factor getEnclosingFunction 2020-07-28 11:55:58 +01:00
Chris Smowton 2751552cbe Insecure-TLS: Reintroduce tests for InsecureCipherSuites() 
These stopped producing an alert because they used a variable name that acknowledges an insecure setup
 2020-07-28 11:55:58 +01:00
Chris Smowton db9760082d Insecure-TLS: simplify warning message 2020-07-28 11:55:58 +01:00
Chris Smowton 2a0642b67b Insecure-TLS: remove is-test-file filter 2020-07-28 11:55:58 +01:00
Chris Smowton 5c8534f56e EXCUSED -> OK 2020-07-28 11:55:58 +01:00
Chris Smowton d0c76187da Fix comment 2020-07-28 11:55:58 +01:00
Chris Smowton a10db25b7d Remove redundant constraint 2020-07-28 11:55:58 +01:00
Chris Smowton 779901cdbd Reference Mozilla's TLS advice in qhelp 2020-07-28 11:55:58 +01:00