github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
69 657 коммитов 1 531 ветка 130 Теги 460 MiB
Граф коммитов

69657 Коммитов

Автор SHA1 Сообщение Дата
Cornelius Riemenschneider c4bf1c0594 Fix ripunzip installation. 
Otherwise, the install script fails when being run from the main repo,
inside the ripunzip fixture.
 2024-08-26 18:08:08 +02:00
Michael Nebel e81fdc951a
Merge pull request #17246 from michaelnebel/modelgendebug 
C#/Java: Add some model generator summary debugging queries.
 2024-08-26 16:13:03 +02:00
Michael Nebel 34d83a6b0d C#/Java: Address review comments. 2024-08-26 15:02:27 +02:00
Asger F 4e3440aad0
Merge pull request #17275 from asgerf/cpp/taint-test-case-false-negative 
C++: Reveal false negative in test case
 2024-08-26 12:36:03 +02:00
Asger F 16c2cf24b3 C++: use inline annotation for missing flow 2024-08-26 11:53:31 +02:00
Asger F 592e2eafb6
Merge pull request #17262 from asgerf/shared/implicit-read 
Shared: restrict flow after using implicit read
 2024-08-26 11:48:50 +02:00
Paolo Tranquilli c4c8c9ddc1
Merge pull request #17291 from github/criemen/ripunzip 
Make ripunzip installer accessible from outside this repo.
 2024-08-23 20:14:44 +02:00
Cornelius Riemenschneider 3ac8108c4a Address review. 2024-08-23 17:26:05 +02:00
Tamás Vajk d710c1e89d
Merge pull request #17287 from tamasvajk/message-count-telemetry 
C#: Add aggregated compiler and extractor message counts to extractio…
 2024-08-23 14:41:27 +02:00
Cornelius Riemenschneider d84e745ce9 Make ripunzip installer accessible from outside this repo. 
* The relative path to misc doesn't work when running from another repo
* The buildifier dependency is not available from other repos,
  therefore we can't pull in //misc/bazel without further refactoring.

Therefore, inline the runfiles snippet here.
 2024-08-23 14:24:51 +02:00
Asger F 8df7fbf6d6 Swift: update test output 
The 'first' field is seen as a TaintInheritingContent, which means any read step for 'first' becomes a taint step too.
This type of taint step does not permit an implicit read before it, because it wasn't contributed by a configuration.
So there is no way for the taint to get out of the collection content before the taint step through '.first'.
The test previously passed because an implicit read at once of the earlier sinks could follow use-use flow down to the receiver of .first,
allowing it to escape the collection content.
 2024-08-23 11:30:50 +02:00
Asger F d27b28d371 C++: update test output 
This reveals that some tests were passing for the wrong reasons.
See https://github.com/github/codeql/pull/17275
 2024-08-23 11:29:24 +02:00
Asger F 9703f67794 Test output updates that only affect nodes/edges 2024-08-23 11:03:26 +02:00
Asger F 6bc8407bd6 Java: Update test output 2024-08-23 11:02:29 +02:00
Asger F c3b36325b2 Shared: prevent use-use flow through implicit reads (part 1) 2024-08-23 11:02:28 +02:00
Michael Nebel 20d9fd11ac
Merge pull request #17288 from michaelnebel/shared/contentflow 
Shared: ContentFlow.
 2024-08-23 09:52:27 +02:00
Michael Nebel 19c2eb17c4 C#: Remove redundant imports. 2024-08-23 09:04:13 +02:00
Chris Smowton 67d94376e8
Merge pull request #17227 from smowton/smowton/fix/baseline-vs-nonroot-vendor-dirs 
Go / configure-baseline: account for multiple vendor directories and the `CODEQL_EXTRACTOR_GO_EXTRACT_VENDOR_DIRS` setting
 2024-08-22 15:00:51 +01:00
Michael Nebel d935c47231 C#: Use the shared content flow implementation. 2024-08-22 15:46:01 +02:00
Michael Nebel e6424f0f45 Shared: Make ContentDataFlow reusable. 2024-08-22 15:45:58 +02:00
Owen Mansel-Chan 18b99ffecc
Merge pull request #17284 from owen-mc/go/fix-frameworks-coverage 
Go: Try to fix packages in frameworks coverage
 2024-08-22 14:43:52 +01:00
Tamas Vajk 6827bedaa7 C#: Add aggregated compiler and extractor message counts to extraction telemetry query 2024-08-22 15:14:33 +02:00
Tamás Vajk 3dce56b0b1
Merge pull request #17276 from tamasvajk/impr/change-partial-method-location 
C#: Change reporting location of partial methods
 2024-08-22 15:10:21 +02:00
Michael Nebel 4cd34531c6 Shared: Add a copy of the existing C# Content Dataflow implementation. 2024-08-22 15:07:45 +02:00
Owen Mansel-Chan 2edadbf423
Try to fix packages in frameworks coverage 2024-08-22 11:44:34 +01:00
Asger F a1688f6a1a
Merge pull request #17240 from knewbury01/knewbury01/fix-helmetrequiredsetting-model 
Update JS helmet model structure
 2024-08-22 11:59:28 +02:00
Asger F 81239dcd95 Java: add test case 2024-08-22 11:26:05 +02:00
Michael Nebel bd69b96752
Merge pull request #17273 from michaelnebel/csharp/sqlinject 
C#: ASP.NET Controller is allowed to be abstract.
 2024-08-22 11:18:48 +02:00
Asger F 43f54db4db
Merge pull request #17274 from asgerf/java/implicit-pending-intents-implicit-read 
Java: Reveal false negative in test
 2024-08-22 11:00:07 +02:00
Tom Hvitved d41d7c8246
Merge pull request #17207 from hvitved/csharp/content-set 
C#: Implement `ContentSet`
 2024-08-22 10:55:11 +02:00
Tom Hvitved a213982b48
Merge pull request #17222 from hvitved/ruby/hash-splat-param-arg-matching 
Ruby: Rework (hash) splat argument/parameter matching
 2024-08-22 10:54:52 +02:00
Asger F 09aca6b47e
Merge pull request #17212 from mbaluda/main 
Add support for importing NPM modules in XSJS sources
 2024-08-22 10:54:33 +02:00
Anders Schack-Mulligen d97a301fef
Merge pull request #17105 from aschackmull/dataflow/stage6 
Dataflow: Refactor stage 6 to use shared stage code.
 2024-08-22 09:46:49 +02:00
Tom Hvitved e94fabcc19 Address review comment 2024-08-22 08:27:15 +02:00
Tom Hvitved cb1b1da422 Ruby: Add another array flow test 2024-08-21 19:06:53 +02:00
Tom Hvitved b0003c0453 Ruby: Remove two redundant checks 2024-08-21 19:06:29 +02:00
Edward Minnix III 2f3ebfb81f
Merge pull request #17205 from egregius313/egregius313/go/dataflow/models/environment 
Go: Add models for environment variables
 2024-08-21 12:27:33 -04:00
Tamas Vajk f7bf5e89be Add change note 2024-08-21 15:58:05 +02:00
Ed Minnix c2fa721966 Fix stub 2024-08-21 09:56:42 -04:00
Ed Minnix 6fdff977e5 Fix test cases 2024-08-21 09:47:46 -04:00
Edward Minnix III 2aa3e1f7a2
Alphabetize models 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2024-08-21 09:44:20 -04:00
Edward Minnix III 210ea5be79
Add model from older versions of caarlos0/env 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2024-08-21 09:43:58 -04:00
Edward Minnix III 7ae52425ce
Update package list in change note 2024-08-21 09:43:24 -04:00
Edward Minnix III 318a376a78
Remove ProcAttr models 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2024-08-21 09:43:04 -04:00
Chris Smowton 15989ce213
Merge pull request #14089 from am0o0/amammad-java-JWT 
Java: JWT decoding without verification
 2024-08-21 14:14:08 +01:00
Tamas Vajk 7c4733e88f C#: Change reporting location of partial methods 2024-08-21 15:13:14 +02:00
Michael Nebel 7049499e95 C#: Add change-note. 2024-08-21 14:38:55 +02:00
Asger F 3aa32e4aff Java: use MISSING inline annotation 2024-08-21 13:40:40 +02:00
Asger F f7ea8a1563 Java: trivial result set re-order 2024-08-21 13:37:38 +02:00
Asger F 5751fc2d3a Java: Reveal false negative in test 
One of the sinks was flagged for the wrong reason in the test case.

The flow into the 'startActivities' sink isn't working properly, but this was not revealed by the test since an alternate, spurious path exists. The spurious path goes through the implicit read at the prior sink and takes a use-use step to the 'startActivities' sink. Swapping the order of the two sinks reveals the false negative.
 2024-08-21 13:36:47 +02:00