Commit graph

699 commits

Author SHA1 Message Date
Edward Minnix III e7852f520f
Merge pull request #15605 from egregius313/egregius313/csharp/dataflow/sources/commandargs-and-environment
C#: Add more `environment` and `commandargs` sources for the C# Standard Library
2024-03-08 14:10:09 -05:00
Tom Hvitved 63bb772ef9 Variable capture: Avoid overlapping and false-positive data flow paths 2024-03-08 10:00:42 +01:00
Tom Hvitved 2896bfbd9f
Merge pull request #15821 from hvitved/dataflow/clears-content-store
Data flow: Allow for direct stores into nodes with `clearsContent`
2024-03-08 09:59:29 +01:00
Ed Minnix b0eb0e1f1e Move common source kinds to "shared" 2024-03-07 12:20:45 -05:00
Tom Hvitved 76564edc93 Address review comment 2024-03-07 16:50:28 +01:00
Geoffrey White b71b43a2fb
Merge pull request #15705 from geoffw0/qldoc3
Shared: Fill some QLDoc holes
2024-03-07 14:12:51 +00:00
Tom Hvitved 22b168beee Data flow: Allow for direct stores into nodes with `clearsContent` 2024-03-07 12:47:12 +01:00
github-actions[bot] dc9092c9ec Post-release preparation for codeql-cli-2.16.4 2024-03-06 22:19:33 +00:00
github-actions[bot] 2f058ffb4d Release preparation for version 2.16.4 2024-03-06 20:56:51 +00:00
Angela P Wen ce31f8641a
Revert "Release preparation for version 2.16.4" 2024-03-06 12:07:33 -08:00
Geoffrey White 0edfafeb06 Shared: Correct and clarify doc for SemBound.getExpr. 2024-03-06 16:00:36 +00:00
Anders Schack-Mulligen caa45058ae Dataflow: Improve join-order.
Join with the functional getApprox before filtering with revFlow as this
is always better.
2024-03-06 11:29:08 +01:00
Anders Schack-Mulligen 55e6255e05 Dataflow: Extend the first join to also include argApa.
Improves from
2024-03-04 13:29:20] Evaluated non-recursive predicate DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::flowThroughIntoCall/6#b44155c7@6dd478n9 in 126ms (size: 398332).
Evaluated relational algebra for predicate DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::flowThroughIntoCall/6#b44155c7@6dd478n9 with tuple counts:
              1  ~0%    {2} r1 = SCAN `DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::TAccessPathApproxNone#dom#04382804` OUTPUT _, _
              1  ~0%    {0}    | REWRITE WITH Tmp.0 := true, Tmp.1 := false, TEST Tmp.0 != Tmp.1 KEEPING 0
          83798  ~0%    {4}    | JOIN WITH `project#DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::returnFlowsThrough/8#ffafcf14` CARTESIAN PRODUCT OUTPUT Rhs.0, Rhs.3, Rhs.1, Rhs.2
        4044102  ~3%    {7}    | JOIN WITH `project#DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::flowIntoCallApaTaken/6#d989a8d1#cpe#12346_2013#join_rhs` ON FIRST 1 OUTPUT Rhs.2, Lhs.2, Lhs.3, Rhs.3, Lhs.1, Lhs.0, Rhs.1
         398332  ~3%    {6}    | JOIN WITH `project#DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::fwdFlow/9#00ae2fc8#2` ON FIRST 4 OUTPUT Lhs.6, Lhs.0, Lhs.5, _, Lhs.2, Lhs.4
         398332  ~1%    {6}    | REWRITE WITH Out.3 := true
                        return r1
to
[2024-03-04 15:20:26] Evaluated non-recursive predicate DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::flowThroughIntoCall/6#b44155c7@97bd358u in 35ms (size: 398332).
Evaluated relational algebra for predicate DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::flowThroughIntoCall/6#b44155c7@97bd358u with tuple counts:
         83798   ~0%    {7} r1 = SCAN `project#DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::returnFlowsThrough/9#53894c55` OUTPUT In.0, In.1, In.2, In.3, In.4, _, _
                        {5}    | REWRITE WITH Tmp.5 := true, Tmp.6 := false, TEST Tmp.5 != Tmp.6 KEEPING 5
         83798   ~3%    {5}    | SCAN OUTPUT In.0, In.3, In.4, In.1, In.2
        416847   ~2%    {7}    | JOIN WITH `project#DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::flowIntoCallApaTaken/6#d989a8d1#cpe#12346_2301#join_rhs` ON FIRST 2 OUTPUT Rhs.3, Lhs.3, Lhs.4, Lhs.1, Lhs.2, Lhs.0, Rhs.2
        398332   ~3%    {6}    | JOIN WITH `project#DataFlowImpl::Impl<TaintedPath::TaintedPath::C>::Stage5::fwdFlow/9#00ae2fc8#2` ON FIRST 4 OUTPUT Lhs.6, Lhs.0, Lhs.5, _, Lhs.2, Lhs.4
        398332   ~1%    {6}    | REWRITE WITH Out.3 := true
                        return r1
2024-03-06 11:29:08 +01:00
github-actions[bot] 661e68dab5 Release preparation for version 2.16.4 2024-03-05 18:13:58 +00:00
Angela P Wen 967963a653
Revert "Release preparation for version 2.16.4" 2024-03-05 08:53:33 -08:00
Tom Hvitved d5c34264ad Data flow: Prune call-context sensitivity relations 2024-03-05 10:44:12 +01:00
github-actions[bot] a67218a027 Release preparation for version 2.16.4 2024-03-04 17:42:08 +00:00
Geoffrey White 50ad45944c
Update shared/dataflow/codeql/dataflow/DataFlow.qll
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2024-03-04 12:02:01 +00:00
Geoffrey White 5def2887e7 Shared: Add an example for SemBound.getExpr. 2024-03-04 11:59:52 +00:00
Geoffrey White cb1c68260e Shared: QLDoc for ContentApprox and getContentApprox. 2024-03-01 17:36:53 +00:00
Geoffrey White c663809cc7
Update shared/rangeanalysis/codeql/rangeanalysis/RangeAnalysis.qll
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2024-03-01 17:06:48 +00:00
Geoffrey White 0e24ed14da
Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2024-03-01 17:04:34 +00:00
Geoffrey White 1fece75f15
Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2024-03-01 11:10:26 +00:00
Geoffrey White a499919239 Shared: More helpful QLDoc for simpleLocalFlowStep. 2024-02-29 17:13:40 +00:00
Geoffrey White f834768720 Shared: Improve QLDoc for forceHighPrecision. 2024-02-29 17:09:31 +00:00
Geoffrey White 9d2dc7a3cc Shared: Format. 2024-02-29 17:09:16 +00:00
Geoffrey White 88e3bc6865
Update shared/dataflow/codeql/dataflow/DataFlow.qll
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2024-02-29 17:03:30 +00:00
Geoffrey White 445b82b4e1 Shared: Explain 'guard'. 2024-02-29 16:07:20 +00:00
Geoffrey White 70465b22c7 Shared: Remove @ annotations. 2024-02-29 16:00:43 +00:00
Geoffrey White 98289b52d6 Shared: Explain SsaPhiNode a bit more. 2024-02-29 15:45:43 +00:00
Geoffrey White 8151f3024d Shared: Pinch better doc for isEquality from a related Guards class in csharp. 2024-02-29 15:41:51 +00:00
Mathias Vorreiter Pedersen 2fd57f6ee7 Shared: Remove cached annotation. 2024-02-28 16:24:21 +00:00
Anders Schack-Mulligen 699dddcfbe
Merge pull request #15725 from aschackmull/dataflow/summary-join-fix
Dataflow: Prevent bad join in FlowSummaryImpl::Private::Steps::summaryLocalStep.
2024-02-27 10:32:38 +01:00
Tom Hvitved bbeee8f38d
Merge pull request #15717 from hvitved/csharp/view-cfg
Shared `View CFG` implementation
2024-02-27 09:13:18 +01:00
Mathias Vorreiter Pedersen 690fdc076d Shared: Add change note. 2024-02-26 17:13:32 +00:00
Mathias Vorreiter Pedersen 9ec17e6338 Shared: Pull out the shared parts of Java's type flow library into a shared module. 2024-02-26 17:13:27 +00:00
Anders Schack-Mulligen 20bb631456 Dataflow: Prevent bad join. 2024-02-26 13:45:19 +01:00
Tom Hvitved 5b6e76c030 Move `View CFG` implementation from Ruby/Swift into shared library 2024-02-26 11:23:49 +01:00
Rasmus Wriedt Larsen 07223031e8
Merge branch 'main' into lgtm_index_filter_handling 2024-02-26 09:56:02 +01:00
Tom Hvitved 2683e40038
Merge pull request #15708 from hvitved/share-ide-contextual
Share `getFileBySourceArchiveName` implementation
2024-02-23 19:56:33 +01:00
Erik Krogh Kristensen a0f91fbc15
Merge pull request #15706 from erik-krogh/pol-reg
ReDoS: Restrict some edges related to upper/lower-case when constructing possible attack strings for polynomial-redos.
2024-02-23 12:06:17 +01:00
Tom Hvitved 62b16c0fa3 Share `getFileBySourceArchiveName` implementation 2024-02-23 11:25:49 +01:00
Geoffrey White 573763a4b3 Shared: More revisions, manual and aided by further discussion with Copilot. 2024-02-22 18:59:35 +00:00
erik-krogh e74e5b3613
try to restrict the edges we follow (related to upper/lower-case) when constructing possible attack-strings for polynomial-redos 2024-02-22 13:15:17 +01:00
Tom Hvitved ebee35b385 Ruby: No `fieldFlowBranchLimit` for `SummarizedCallable`s 2024-02-22 10:27:25 +01:00
Geoffrey White 7b85bb4c95 Shared: Autoformat. 2024-02-21 17:54:00 +00:00
Geoffrey White 4367b7813c Shared: Use more standard QLDoc phrasing. 2024-02-21 17:54:00 +00:00
Geoffrey White d1c0294551 Shared: Delete hallucinated return values. 2024-02-21 17:54:00 +00:00
Geoffrey White 5e401abccb Shared: Undo changes to existing QLDoc. 2024-02-21 17:53:59 +00:00
Geoffrey White 2f1d4b923e Shared: Generate some QLDoc using the "GitHub Copilot: Generate Docs" command. 2024-02-21 17:53:59 +00:00
Anders Schack-Mulligen 71f8ccf45f
Merge pull request #15654 from aschackmull/java/static-init-vec-query-perf
Java: Switch helper flow from Global to SimpleGlobal in StaticInitializationVectorQuery.
2024-02-21 10:51:16 +01:00
github-actions[bot] 37f8fa3413 Post-release preparation for codeql-cli-2.16.3 2024-02-20 16:50:47 +00:00
github-actions[bot] 6d061fbc35 Release preparation for version 2.16.3 2024-02-20 14:26:23 +00:00
Anders Schack-Mulligen 5a348a5048 Dataflow: SimpleGlobal / Typetracker perf fix. 2024-02-20 14:40:28 +01:00
Tony Torralba 1704bfe2bf
Merge pull request #15585 from atorralba/atorralba/go/promote-jwt-unsafe-verification
Go: Promote `go/missing-jwt-signature-check` from experimental
2024-02-19 15:35:44 +01:00
Anders Schack-Mulligen 2fa8c2f992
Merge pull request #15634 from aschackmull/dataflow/simpleglobal-fixreads
Dataflow: Bugfix for field reads in SimpleGlobal.
2024-02-19 14:02:38 +01:00
Anders Schack-Mulligen 53801e8efb Dataflow: Bugfix for field reads in SimpleGlobal. 2024-02-16 14:00:04 +01:00
Anders Schack-Mulligen 03f7968dbf Dataflow: Fix flow-feature bug. 2024-02-16 11:38:30 +01:00
Tony Torralba 551875cb5a Add 'jwt' as valid sink kind 2024-02-14 17:25:08 +01:00
Anders Schack-Mulligen 393251dde6
Merge pull request #15582 from hvitved/dataflow/cache-viable-callable-ext
Data flow: Cache `viableCallableExt`
2024-02-14 10:31:43 +01:00
Tom Hvitved bc8761c51b Data flow: Cache `viableCallableExt` 2024-02-13 14:12:50 +01:00
Asger F faefa056eb
Merge pull request #15507 from asgerf/shared/outbarrier-bugfix
Shared: fix a bug in stateful outbarriers
2024-02-12 21:44:49 +01:00
Nick Rolfe b2ee5808f0
Merge pull request #15496 from github/nickrolfe/loc-fresh-ids
Tree-sitter extractors: use fresh IDs for locations
2024-02-12 09:54:09 +00:00
Tom Hvitved 1ea7717714 Capture flow: Take overwrites in nested scopes into account 2024-02-09 14:49:23 +01:00
Anders Schack-Mulligen 4fcb90298d Dataflow: Add change note. 2024-02-09 11:32:08 +01:00
Anders Schack-Mulligen b7d4a6926f Dataflow: Add empty provenance column to PathGraph. 2024-02-09 11:27:30 +01:00
github-actions[bot] b5139078d0 Post-release preparation for codeql-cli-2.16.2 2024-02-06 19:22:35 +00:00
github-actions[bot] c1b35fbf47 Release preparation for version 2.16.2 2024-02-05 17:58:57 +00:00
Nick Rolfe 514a92d5bd Tree-sitter extractors: use fresh IDs for locations
Since locations for any given source file are never referenced in any
TRAP files besides the one for that particular source file, it's not
necessary to use global IDs. Using fresh IDs will reduce the size of the
ID pool (both on disk and in memory) and the speed of multi-threaded
TRAP import.

The one exception is the empty location, which still uses a global ID.
2024-02-02 15:06:10 +00:00
Joe Farebrother 031bd8bd0c
Merge pull request #15281 from joefarebrother/android-sensitive-ui-notif
Java: Add query for exposure of sensitive information to android notifications
2024-01-26 16:42:55 +00:00
Asger F f15ead6130 Shared: check stateful outBarrier as part of pathStep SCC 2024-01-26 11:14:23 +01:00
Asger F d1310c74fc Shared: remove old stateful outBarrier check 2024-01-26 11:14:23 +01:00
Mathias Vorreiter Pedersen 2db76c7fad
Merge pull request #15434 from MathiasVP/fix-dataflow-join-order
DataFlow: Fix join order
2024-01-25 16:32:14 +00:00
Henry Mercer 10343dd822
Merge pull request #15416 from github/post-release-prep/codeql-cli-2.16.1
Post-release preparation for codeql-cli-2.16.1
2024-01-25 14:15:25 +00:00
erik-krogh 396da117bb
remove an FP in overly-large-range for [@-Z] 2024-01-25 14:15:06 +01:00
Mathias Vorreiter Pedersen db929ccf9b DataFlow: Fix join order. 2024-01-25 12:51:35 +00:00
github-actions[bot] d0b74c00fe Post-release preparation for codeql-cli-2.16.1 2024-01-23 23:02:29 +00:00
github-actions[bot] 7ef611e6dc Release preparation for version 2.16.1 2024-01-23 19:45:16 +00:00
Joe Farebrother 0acb647e7d Fix tests and add notification sink kind to model verification 2024-01-23 09:51:41 +00:00
erik-krogh 865df920f9
add change-notes 2024-01-22 19:30:57 +01:00
erik-krogh 8be7eadace
delete outdated deprecations 2024-01-22 09:11:35 +01:00
Rasmus Wriedt Larsen f20d4e22fe
Handle only `exclude` 2024-01-18 13:54:45 +01:00
Rasmus Wriedt Larsen 54c7c5e8be
Tree sitter extractor: Proper handling of `LGTM_INDEX_FILTERS`
If someone had used `LGTM_INDEX_FILTERS=exclude:**/*\ninclude:*.rb`
before, we would have mistakenly excluded all files :|
(LGTM_INDEX_FILTERS is a prioritized list where later matches take
priority over earlier ones)

This change is needed to support adding `exclude:**/*` as the first
filter if `paths` include a glob, which currently causes bad behavior in
the Python extractor. However, we can first introduce that change once
this PR has been merged.

I realize this change can cause more folders and files to be traversed
(since they are not just skipped with --exclude). We plan to make a
better long term fix which should bring back the previous performance.
2024-01-18 11:44:31 +01:00
Calum Grant 4660a25d44
Merge pull request #15354 from github/calumgrant/shared-diagnostics
C++/Swift: Create shared library and share Diagnostics
2024-01-17 15:40:12 +00:00
Calum Grant d57fc3d7db C++: Remove unneeded includes 2024-01-17 14:34:28 +00:00
Calum Grant 51c5afff8b Create shared/cpp library and move Diagnostics there 2024-01-17 14:23:18 +00:00
erik-krogh 1a8a70dc1b
mark the range [0-?] as good in the overly-large-range query 2024-01-17 13:11:57 +01:00
Alexander Eyers-Taylor 934474681d
Merge pull request #15254 from github/post-release-prep/codeql-cli-2.16.0
Post-release preparation for codeql-cli-2.16.0
2024-01-16 14:50:40 +00:00
github-actions[bot] 57df8b92df Post-release preparation for codeql-cli-2.16.0 2024-01-15 15:00:50 +00:00
Tom Hvitved 295198744b Ruby: Handle captured `yield` calls 2024-01-10 14:25:15 +01:00
Tom Hvitved c9cf2a899c
Merge pull request #15260 from hvitved/dataflow/may-benefit-from-cctx-simplify
Data flow: Remove column from `mayBenefitFromCallContext`
2024-01-10 11:43:15 +01:00
Tom Hvitved f90201eb56 Data flow: Remove column from `mayBenefitFromCallContext` 2024-01-09 11:34:43 +01:00
Ed Minnix 65d05bf3de Add environment-injection to Model Validation 2024-01-08 09:38:43 -05:00
github-actions[bot] a6c8cc9551 Release preparation for version 2.16.0 2024-01-08 13:11:26 +00:00
Tom Hvitved 25e2271b2f
Merge pull request #15157 from hvitved/dataflow/fwd-flow-in-non-linear-rec
Data flow: Avoid unnecessary non-linear recursion in `fwdFlowIn`
2024-01-08 10:31:51 +01:00
Aditya Sharad b1803d0ac2
Merge rc/3.12 into main 2023-12-21 16:40:51 -08:00
Tom Hvitved 5be4fe1887 Data flow: Avoid unnecessary non-linear recursion in `fwdFlowIn` 2023-12-19 21:03:03 +01:00
github-actions[bot] 8f72b0e4f7 Post-release preparation for codeql-cli-2.15.5 2023-12-19 10:32:57 +00:00
github-actions[bot] 19af35b29a Release preparation for version 2.15.5 2023-12-18 21:22:44 +00:00
yoff e0c027f13c
Merge pull request #14848 from hvitved/python/shared-type-tracking
Python: Adopt shared type tracking library
2023-12-18 21:14:42 +01:00
Anders Schack-Mulligen 07ad770437 Dataflow: Deprecate FlowStateString. 2023-12-14 15:05:33 +01:00
Tom Hvitved 84aa9f17a0 Python/Ruby: Use `SummaryTypeTracker` from `typetracking` pack 2023-12-14 13:25:18 +01:00
Tom Hvitved 1e24de7e83 Copy `SummaryTypeTracker.qll` to `typetracking` pack 2023-12-14 13:22:48 +01:00
Tom Hvitved 4776e9ccd2 Type tracking: Allow for a non-standard `flowsTo` predicate 2023-12-14 12:36:09 +01:00
Tom Hvitved c8b4a215bc
Merge pull request #14573 from hvitved/flow-summary-impl-param
Move `FlowSummaryImpl.qll` to `dataflow` pack
2023-12-14 12:24:15 +01:00
Tom Hvitved 8f0e0b6559
Merge pull request #15090 from hvitved/inline-flow-test-get-arg-string
InlineFlowTest: Allow for custom `getArgString`
2023-12-14 10:53:55 +01:00
Tom Hvitved 7da10e0013
Merge pull request #15095 from hvitved/dataflow/boolean-class
Data flow: Use `Boolean` class
2023-12-14 10:29:52 +01:00
Tom Hvitved 8fc6fb1ec0
Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2023-12-14 10:10:53 +01:00
Tom Hvitved 098afb935b Address more review comments 2023-12-14 09:48:45 +01:00
Tom Hvitved 5a426d1800 Data flow: Use `Boolean` class 2023-12-14 09:04:16 +01:00
Jeroen Ketema 99e65df6ce
Merge remote-tracking branch 'upstream/rc/3.12' into mb12 2023-12-13 15:43:39 +01:00
Tom Hvitved 28a2d05cf8 InlineFlowTest: Allow for custom `getArgString` 2023-12-13 13:58:44 +01:00
Tom Hvitved 3c2336e40b
Merge pull request #15074 from hvitved/dataflow/get-node-type-cached
Data flow: Use cached `nodeDataFlowType` instead of `getNodeType`
2023-12-12 14:49:41 +01:00
Tom Hvitved b3929e2375 Data flow: Use cached `nodeDataFlowType` instead of `getNodeType` 2023-12-12 13:46:39 +01:00
Anders Schack-Mulligen 3bf6c0fe02 Rangeanalysis: Focus pre-bound calculation. 2023-12-11 14:07:10 +01:00
Anders Schack-Mulligen c14d917a76 Rangeanalysis: Prune range calculation. 2023-12-11 14:07:10 +01:00
Anders Schack-Mulligen 58d463dd33 Rangeanalysis: Minor refactor for bound steps. 2023-12-11 14:07:10 +01:00
Anders Schack-Mulligen 73671b6da3 Rangeanalysis: Refactor base bounds. 2023-12-11 14:07:10 +01:00
Anders Schack-Mulligen 6b178fb64a Rangeanalysis: Preparatory refactor for bounds sharing. 2023-12-11 14:07:10 +01:00
Tom Hvitved cdf59e1e1d Ruby: Cache more predicates 2023-12-11 10:15:17 +01:00
Tom Hvitved adc4455f09 Parameterize `FlowSummaryImpl.qll` 2023-12-10 11:11:05 +01:00
Tom Hvitved 41fa39eb7c Parameterize `AccessPathSyntax.qll` 2023-12-10 11:11:05 +01:00
Tom Hvitved fd7e3454d6 Copy `FlowSummaryImpl.qll` to `dataflow` pack 2023-12-10 11:11:05 +01:00
Tom Hvitved 4fbd806d70 Copy `AccessPathSyntax.qll` to `dataflow` pack 2023-12-10 11:11:05 +01:00
Anders Schack-Mulligen 75d8da9007 Dataflow: Add change note about deprecation. 2023-12-08 14:25:20 +01:00
github-actions[bot] 92af5f5386 Post-release preparation for codeql-cli-2.15.4 2023-12-06 22:59:22 +00:00
github-actions[bot] c04457e9e7 Release preparation for version 2.15.4 2023-12-06 21:11:50 +00:00
Mathias Vorreiter Pedersen 911f1543e0 DataFlow: Adjust QLDoc. 2023-11-28 15:26:48 +00:00
Mathias Vorreiter Pedersen 339bf1363a DataFlow: s/flowThroughStepAllowed/validParameterAliasStep. 2023-11-28 14:32:23 +00:00
Mathias Vorreiter Pedersen 064f68fdca DataFlow: Add a predicate for modifying which dataflow steps participate in flow-through summaries. 2023-11-28 14:27:15 +00:00
Tom Hvitved 1a6886cf99 SSA: Add locations to ease debugging 2023-11-22 08:37:02 +01:00
Tom Hvitved fab6813a49
Merge pull request #14815 from hvitved/type-tracking/param-consistency-checks
Type tracking: Parameterize consistency checks
2023-11-20 11:05:06 +01:00
github-actions[bot] bad499e360 Post-release preparation for codeql-cli-2.15.3 2023-11-17 14:35:41 +00:00
Tom Hvitved 40a07de566 Type tracking: Parameterize consistency checks 2023-11-16 15:23:23 +01:00
github-actions[bot] 6ec9b95072 Release preparation for version 2.15.3 2023-11-16 13:07:16 +00:00
Tom Hvitved 57f6859ddc Shared: Update type tracking consistency checks 2023-11-15 17:08:05 +01:00
Tom Hvitved 5f087f0084 Shared: Port features from Ruby's type tracking library to the shared library
- Cache relevant predicates.
- Expose some predicates and classes (only exposed internally).
- Make some top-level `inline_late` predicates member predicates.
- Actually eliminate type check in `flowsTo`.
- Fix bug in `getACompatibleTypeTracker`.
- Adopt the `CallGraphConstruction` module.
2023-11-15 17:08:05 +01:00
Tom Hvitved f66f7ce8d7 Shared: Split up `TypeTracking.qll` into two files 2023-11-15 17:07:27 +01:00
Anders Schack-Mulligen bf6cfd3bef Rangeanalysis: Simplify api. 2023-11-13 10:35:44 +01:00
Anders Schack-Mulligen 30aefabb2a Rangeanalysis: Rename predicate. 2023-11-13 10:35:44 +01:00
Anders Schack-Mulligen f05b75e04f Rangeanalysis: RIP standard order. 2023-11-13 10:35:44 +01:00
Anders Schack-Mulligen c28f54a78b Rangeanalysis: Remove superfluous pragmas. These appear useless after the abolishment of the different delta orders. 2023-11-13 10:35:44 +01:00
Anders Schack-Mulligen 71e25521cf Rangeanalysis: Use SsaReadPositionBlock.getAnSsaRead. 2023-11-13 10:35:44 +01:00
Anders Schack-Mulligen 3a73faf061 Rangeanalysis: Remove unused getAlternateType predicates. 2023-11-13 10:35:43 +01:00
Anders Schack-Mulligen 657c29f409 Java/C++: Share valueFlowStep. 2023-11-09 20:24:28 +01:00
Anders Schack-Mulligen b8e7e1d15e Java/C++: Share ssaUpdateStep. 2023-11-09 16:02:44 +01:00
Anders Schack-Mulligen daffae020b Java/C++: Share eqFlowCond. 2023-11-09 16:00:46 +01:00
Anders Schack-Mulligen 1f4cd74a1c Java/C++: Move SsaReadPosition to shared qlpack. 2023-11-08 12:11:17 +01:00
Anders Schack-Mulligen 45ae4ed362
Merge pull request #14711 from aschackmull/shared/rangeutil-share2
Java/C++/RangeAnalysis: Move a couple of utility predicates to shared qlpack
2023-11-08 08:33:12 +01:00
Anders Schack-Mulligen 12cba7909b Java/C++: Move range util guard-controls predicates to shared pack. 2023-11-07 15:14:34 +01:00
Anders Schack-Mulligen f2ca52d951 Java/C++: Move range util backEdge predicate to shared pack. 2023-11-07 15:14:34 +01:00
Geoffrey White e8a466a02c Update dead link. 2023-11-07 09:26:07 +00:00
Anders Schack-Mulligen f2b52650d5 Rangeanalysis: Filter useless modulo results. 2023-11-02 15:29:56 +01:00
Anders Schack-Mulligen 7bf271fb6c RangeAnalysis: Improve bounds that rely on relative modulus. 2023-11-02 12:51:48 +01:00
Anders Schack-Mulligen 484d0fe4cd
Merge pull request #14659 from aschackmull/shared/modulus-analysis
Java/C++: Share modulus analysis
2023-11-02 12:45:35 +01:00
Geoffrey White 431d9d58f1
Merge pull request #14639 from geoffw0/anchorquery
Swift: New query for Missing Regular Expression Anchor
2023-11-02 09:20:19 +00:00
Anders Schack-Mulligen 7c3684dbb7 RangeAnalysis: Rename semExprModulus to exprModulus. 2023-11-02 08:19:23 +01:00
Anders Schack-Mulligen ac115e0a6f Rangeanalysis: Reshuffle perf fix. This should result in the same join-order, but with less materialisation. 2023-11-01 15:59:24 +01:00
Anders Schack-Mulligen bb2bbd2d4d Rangeanalysis: Remove useless pragma. 2023-11-01 15:59:24 +01:00
Anders Schack-Mulligen f6794fe859 Rangeanalysis: Adjust modulo analysis comment. 2023-11-01 15:59:24 +01:00
Anders Schack-Mulligen a7f3ef1a6c Rangeanalysis: Parameterise shared modulus analysis. 2023-11-01 15:59:24 +01:00
Anders Schack-Mulligen 8e2b17cd86 Rangeanalysis: Copy C++ ModulusAnalysis file verbatim. 2023-11-01 15:59:24 +01:00
Anders Schack-Mulligen 6d859daf3d
Merge pull request #14656 from aschackmull/shared/range-utils
Rangeanalysis: Share ssaRead predicate
2023-11-01 15:57:52 +01:00
Anders Schack-Mulligen 048a7c4e42 Rangeanalysis: Rename SsaBound.getAVariable to getVariable. 2023-11-01 11:58:06 +01:00
Anders Schack-Mulligen 48291dd32d Rangeanalysis: Remove superfluous ignoreZeroLowerBound. 2023-11-01 11:51:46 +01:00
Edward Minnix III 1ec1dd368d
Merge pull request #13978 from egregius313/egregius313/java/mad/convert-sensitive-api-to-mad
Java: Convert `SensitiveApi.qll` to use Models-as-Data
2023-10-31 15:25:42 -04:00
Anders Schack-Mulligen 34b9791e46 Rangeanalysis: Remove superfluous ignoreSsaReadCopy. 2023-10-31 15:32:25 +01:00
Anders Schack-Mulligen 322e6c91be Rangeanalysis: Remove superfluous specificSsaRead. 2023-10-31 15:30:36 +01:00
Anders Schack-Mulligen 8b6c940e76 Rangeanalysis: Remove superfluous ignoreSsaReadAssignment. 2023-10-31 15:28:37 +01:00
Anders Schack-Mulligen 6d6f89e71e Rangeanalysis: Remove superfluous ignoreSsaReadArithmeticExpr. 2023-10-31 15:25:28 +01:00
Anders Schack-Mulligen a39a94ca8e Rangeanalysis: Switch to shared ssaRead predicate. 2023-10-31 15:23:05 +01:00
Anders Schack-Mulligen 19644a8f07 Rangeanalysis: Implement shared ssaRead predicate 2023-10-31 15:07:11 +01:00
github-actions[bot] 2b939fdf08 Post-release preparation for codeql-cli-2.15.2 2023-10-30 16:06:51 +00:00
Geoffrey White 8f115bfd06 Swift: Implement 'isUsedAsReplace'. 2023-10-30 14:33:42 +00:00
github-actions[bot] 4641990021 Release preparation for version 2.15.2 2023-10-30 11:05:53 +00:00
Dave Bartolomeo b18a6d5e0b
Merge pull request #14582 from github/dbartol/threat-models-2
Java: Threat model implementation with priorities.
2023-10-27 09:33:53 -04:00
Anders Schack-Mulligen e9cb272396
Merge pull request #14615 from aschackmull/dataflow/stage-alias
Dataflow: simplify using stage aliases.
2023-10-27 14:17:30 +02:00
Anders Schack-Mulligen 10c657bc23 Dataflow: simplify using stage aliases. 2023-10-27 13:40:21 +02:00
Mathias Vorreiter Pedersen 9cae488ef4
Merge pull request #14612 from aschackmull/dataflow/type-doc
Dataflow: Improve qldoc on the type system.
2023-10-27 10:39:57 +01:00
Anders Schack-Mulligen 776e35279d Dataflow: Improve qldoc on the type system. 2023-10-27 10:43:54 +02:00
Michael Nebel e4276f7adb
Java: Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2023-10-27 10:34:20 +02:00
Anders Schack-Mulligen b106db6fda Dataflow: Add change note for partial flow api change. 2023-10-27 09:46:46 +02:00
Dave Bartolomeo d2afb20f3f Merge remote-tracking branch 'origin/main' into dbartol/threat-models-2 2023-10-26 14:05:40 -04:00
Dave Bartolomeo 9800458467
Update shared/threat-models/codeql/threatmodels/ThreatModels.qll
Co-authored-by: Michael Nebel <michaelnebel@github.com>
2023-10-26 13:46:55 -04:00
Dave Bartolomeo 927eb8424d
Update shared/threat-models/codeql/threatmodels/ThreatModels.qll
Co-authored-by: Michael Nebel <michaelnebel@github.com>
2023-10-26 13:46:37 -04:00
Dave Bartolomeo 8d9e4d391f
Update shared/threat-models/codeql/threatmodels/ThreatModels.qll
Co-authored-by: Michael Nebel <michaelnebel@github.com>
2023-10-26 13:46:28 -04:00
Mathias Vorreiter Pedersen 30ecb4b0c8
Merge pull request #14588 from aschackmull/shared/rangeanalysis
C++/Java: Share core range analysis
2023-10-26 16:32:46 +01:00
Anders Schack-Mulligen a2e3b37847 Dataflow: Fix accidental visibility. 2023-10-26 11:28:52 +02:00
Anders Schack-Mulligen 4dca4a7389 Dataflow: Restrict partial flow to either forward or reverse flow. 2023-10-26 10:33:03 +02:00
Ed Minnix 3b0b5e403c Replace crypto-parameter with credentials-key 2023-10-25 14:31:55 -04:00
Ed Minnix 24c809b3b5 Move `credentials-%` sink kinds to "shared" status 2023-10-25 14:31:54 -04:00
Ed Minnix c6641dfbf3 fix model validator to credentials-password 2023-10-25 14:31:54 -04:00
Ed Minnix a85df81b67 Rename sink kind to "credentials-username" to match naming convention 2023-10-25 14:31:54 -04:00
Ed Minnix 958c6ff289 Remove credential-other 2023-10-25 14:31:53 -04:00
Ed Minnix 4aec302fb7 Create new sink kinds 2023-10-25 14:31:53 -04:00
Anders Schack-Mulligen 283d6efdf8 Rangeanalysis/Java/C++: Address some ql4ql findings. 2023-10-25 14:06:35 +02:00
Anders Schack-Mulligen c1c4a5bfcf Rangeanalysis: Copy qldoc and simplification from Java. 2023-10-25 11:17:02 +02:00
Anders Schack-Mulligen cd44d67529 Rangeanalysis: Add temporary Java compatibility flag. 2023-10-25 11:17:02 +02:00
Anders Schack-Mulligen 06fe10bbe9 Rangeanalysis: Bugfix division with float representation. 2023-10-25 11:17:02 +02:00
Anders Schack-Mulligen 232c147f6b Rangeanalysis: Port join-order fix from Java version. 2023-10-25 11:17:02 +02:00