Commit graph

1343 Commits

Author SHA1 Message Date
Owen Mansel-Chan da68153a96
Fix change note name and location 2023-10-20 11:24:25 +01:00
Owen Mansel-Chan e19ebf9ca8
Add external file scope 2023-10-19 16:48:38 +01:00
Owen Mansel-Chan 563805ff0c
Fix nodeGetEnclosingCallable
It wasn't updated when MkImplicitVarargsSlice was added as a branch of
TNode. This meant that it gave no result for `ImplicitVarargsSlice`s
in function calls used to initialise variables declared at file level.
2023-10-19 16:48:37 +01:00
Owen Mansel-Chan a3cecd178f
Add consistency query
This can be run on an existing database to check for any assumptions
of the data flow library which do not hold.
2023-10-19 16:47:56 +01:00
Owen Mansel-Chan 67601b5312
Add DataFlowImplConsistency.qll for Go library 2023-10-19 11:43:00 +01:00
Jaroslav Lobačevski 2b541b78ac
fix CWE number 2023-10-19 09:36:25 +02:00
Owen Mansel-Chan bddd448fdf
Add Go frameworks for automated coverage reports
Note that the space at the beginning of the package patterns for the
standard library is deliberate, because builtin functions use the empty
string as their package and we want to attribute them to the standard
library.
2023-10-18 12:49:31 +01:00
github-actions[bot] 8dcd8b9e5b Post-release preparation for codeql-cli-2.15.1 2023-10-17 20:24:00 +00:00
github-actions[bot] 3b3c036626 Release preparation for version 2.15.1 2023-10-16 17:49:39 +00:00
Owen Mansel-Chan 53561008a1
Merge pull request #14445 from owen-mc/go/automated-mad-coverage-report
Go: automated mad coverage report
2023-10-15 21:49:47 +01:00
Maiky 20bf3c7f67
Apply suggestions from code review
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2023-10-15 15:47:19 +02:00
BD 0ef83b3c74
Merge branch 'main' into enable-gokit-by-default 2023-10-15 10:22:27 +05:30
Michael B. Gale f6570710e7
Merge pull request #14441 from github/dependabot/go_modules/go/extractor/golang.org/x/tools-0.14.0
Bump golang.org/x/tools from 0.13.0 to 0.14.0 in /go/extractor
2023-10-12 10:19:34 +01:00
Owen Mansel-Chan 5fcdb9e112
Merge pull request #14442 from owen-mc/go/test-qldoc-coverage
Fix module name
2023-10-11 23:45:53 +01:00
Owen Mansel-Chan 286271340e
Merge branch 'main' into go/automated-mad-coverage-report 2023-10-11 21:31:25 +01:00
Owen Mansel-Chan e300440a8b
Delete redundant import 2023-10-11 21:28:31 +01:00
Owen Mansel-Chan e5e9c33005
Generated reports 2023-10-11 21:09:55 +01:00
Owen Mansel-Chan 06a600c7fb
Set up automated coverage reports for Go
Copied from https://github.com/github/codeql/pull/6148
2023-10-11 21:09:54 +01:00
Henry Mercer 1a370bfbbe
Merge pull request #14443 from github/post-release-prep/codeql-cli-2.15.0
Post-release preparation for codeql-cli-2.15.0
2023-10-11 17:39:04 +01:00
github-actions[bot] ae6af17c74 Post-release preparation for codeql-cli-2.15.0 2023-10-11 14:19:20 +00:00
Owen Mansel-Chan b6bf4d04ff
Fix module name 2023-10-11 14:47:46 +01:00
dependabot[bot] 442a4fe9cf
Bump golang.org/x/tools from 0.13.0 to 0.14.0 in /go/extractor
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 13:12:49 +00:00
Michael B. Gale 7a98afe6ec
Merge pull request #14439 from github/mbg/go/workspace-experiments
Go: Move `go.mod` into `extractor` subdirectory
2023-10-11 14:11:07 +01:00
Michael B. Gale 7d7d90e7e0
Update expected test output 2023-10-11 13:18:27 +01:00
Michael B. Gale 94b0bc1e35
Move `go.mod` into `extractor` directory 2023-10-11 13:10:20 +01:00
Owen Mansel-Chan 477d8f8b9a
Merge pull request #14064 from amammad/amammad-go-NewFileSystemAccess
Go: New File System Access Sinks
2023-10-11 12:58:38 +01:00
Owen Mansel-Chan 96543b8337
Merge pull request #14075 from amammad/amammad-go-JWT
Go: Improved JWT query, JWT decoding without verification
2023-10-11 12:31:43 +01:00
Owen Mansel-Chan 8a3aa2c767
Fix formatting 2023-10-11 11:46:31 +01:00
amammad 5e273238ca fix qldoc 2023-10-11 10:33:44 +02:00
amammad 4499048d8e better query quality thanks to owen 2023-10-10 23:41:45 +02:00
amammad 877605d31b change c to C for fixing the qhelp error :) 2023-10-10 23:35:05 +02:00
amammad b6968d9260 fix beego tests 2023-10-10 23:30:26 +02:00
amammad 8d6f985aea fix afero additional step and tests 2023-10-10 23:24:04 +02:00
amammad db9f74bc78 fix tests 2023-10-10 23:15:07 +02:00
amammad 82483a206e fix tests 2023-10-10 23:14:11 +02:00
amammad 38b0ed8176 fix issues according to code review 2023-10-10 23:12:30 +02:00
Owen Mansel-Chan fd9c1d30f9
Remove argument that is always one value 2023-10-10 10:35:04 +01:00
Owen Mansel-Chan cf0411e7e2
Change MaxValueState API to get architecture bit size
This fixes a performance regression, though it is not clear why.
2023-10-10 10:35:02 +01:00
Erik Krogh Kristensen 4489e2bf28
Merge pull request #14403 from erik-krogh/dDEps
All: delete outdated deprecations
2023-10-09 21:04:55 +02:00
amammad 2579791f51 fix examples 2023-10-09 19:00:55 +02:00
erik-krogh a7ab9fd93b
add change-notes 2023-10-09 09:43:06 +02:00
erik-krogh 4bc4e0845d
delete the deprecated `isBarrierGuard` predicate from the shared dataflow library, and its uses 2023-10-07 21:48:49 +02:00
amammad 7d36c23d59 fix qhelp and PascalCase issues 2023-10-06 16:14:10 +02:00
amammad 7d73808d60 fix a test mistake, add comments for JWT extension points 2023-10-06 13:31:09 +02:00
amammad aa127b1662 do review improvements 2023-10-06 13:22:43 +02:00
Michael B. Gale 0b13da35eb
Go: Update `newer-go-version-needed` test
- Use a version that is accepted by Go tooling
- Run is no longer successful with Go 1.21
2023-10-06 11:57:47 +01:00
Michael B. Gale 01a1d814f4
Do not call `EmitNewerGoVersionNeeded` for v1.21+ 2023-10-06 11:57:37 +01:00
Michael B. Gale c63f6807c4
Go: Run `go version` with `GOTOOLCHAIN=local` 2023-10-06 11:57:26 +01:00
Michael B. Gale 76781e5d75
Go: Add `GoVersionInfo` type
Refactors `tryReadGoDirective` to return this instead of a pair.
This will make it easier to return multiple versions.
2023-10-06 11:57:08 +01:00
Owen Mansel-Chan 602bb4083c
Merge pull request #13949 from owen-mc/go/change-flowstate-for-incorrect-integer-conversion
Go: Improve incorrect integer conversion
2023-10-05 09:59:36 +01:00
Owen Mansel-Chan 11b92608c7
Add ".md" to the change note filename 2023-10-04 15:49:10 +01:00
Owen Mansel-Chan ab07a38c25
Use ternary type for architecture bit size 2023-10-04 15:43:51 +01:00
Owen Mansel-Chan 015519e9e0
Combine `isBoundFor` and `isBoundFor2` 2023-10-04 15:31:00 +01:00
Owen Mansel-Chan cd40663ca4
Address lots of review comments 2023-10-04 15:24:56 +01:00
github-actions[bot] 9fe993bec3 Release preparation for version 2.15.0 2023-10-04 14:15:27 +00:00
Owen Mansel-Chan 4122fd881f
Move UpperBoundCheckGuard 2023-10-04 14:17:00 +01:00
amammad 0f5dd40ff1 fix beego tests 2023-10-04 13:41:26 +02:00
amammad 0c2275ddb1 fix Gin tests 2023-10-04 12:57:15 +02:00
Owen Mansel-Chan 3703c5626f
Merge pull request #14364 from owen-mc/go/improve-output-of-check-formatting-in-makefile
Go: improve output of check formatting in makefile
2023-10-04 11:54:40 +01:00
amammad c3a21daf83 fix Echo tests 2023-10-04 12:54:34 +02:00
amammad 06ec3bbbb5 fix beego tests 2023-10-04 12:52:59 +02:00
Owen Mansel-Chan bd2c49fcf0
Improve message 2023-10-04 11:07:19 +01:00
Owen Mansel-Chan 567052f35e
Keep line breaks in list of files formatting 2023-10-04 10:23:29 +01:00
amammad 22c4b5113d do gofmt 2023-10-03 18:29:34 +02:00
Henry Mercer da92da2204 Bump minor versions of packs we regularly release 2023-10-03 16:31:23 +01:00
Henry Mercer f3847b3f51 Merge branch 'main' into henrymercer/rc-3.11-mergeback 2023-10-03 16:30:23 +01:00
Owen Mansel-Chan 7c8233aade
Add change note 2023-10-03 13:35:26 +01:00
Owen Mansel-Chan 5433636d49
Fix formatting errors in files included in qhelp 2023-10-03 12:48:03 +01:00
Owen Mansel-Chan 2a52455619
Improve output of check-formatting in Makefile
The list of files that would change when reformatted is now printed.
Also, parsing errors now make the check fail.
2023-10-03 12:48:01 +01:00
Bharadwaj Machiraju 53a291aeae Remove GoKit from untrusted flow sources test 2023-10-03 15:39:52 +05:30
Bharadwaj Machiraju 6c8ae55a68 Enable GoKit module into the default list 2023-10-03 15:39:52 +05:30
amammad 95363455af fix tests, and review suggestions. 2023-09-30 22:50:08 +10:00
amammad f0f60c3b7d move JWT.qll to experimental 2023-09-30 22:30:30 +10:00
Owen Mansel-Chan 832e78c518
Unify approach to architecture bit size in isSink2 2023-09-28 11:24:48 +01:00
Owen Mansel-Chan cf5d1e36fe
Add QLDoc 2023-09-28 11:02:04 +01:00
Owen Mansel-Chan e0b61b2d68
Reduce the number of `UpperBoundCheck`s
No need to have a separate class for each state
being blocked.
2023-09-28 11:00:43 +01:00
Owen Mansel-Chan c0b579c49f
Improve tests 2023-09-28 11:00:41 +01:00
Owen Mansel-Chan 7d34ce4dea
Rewrite with different flow state 2023-09-28 11:00:34 +01:00
Asger F 0d96ed8aee
Merge pull request #14305 from asgerf/shared/flow-state-inout-barriers
Shared: add in/out barriers with flow state
2023-09-28 11:07:23 +02:00
Anders Schack-Mulligen a08fe5b8b1 Go: Use shared FileSystem library. 2023-09-28 08:58:55 +02:00
Owen Mansel-Chan 84c0c09673
Always use getters for FlowState 2023-09-27 17:13:58 +01:00
Owen Mansel-Chan 72ca6b8c5f
Add `isSigned` to `IntegerParser`s 2023-09-27 17:13:56 +01:00
Owen Mansel-Chan c796cba02f
Improve `UpperBoundCheckGuard.isBoundFor` 2023-09-27 17:13:55 +01:00
amammad 7d5bbc3b1e put each new sink in its own framework 2023-09-28 01:02:05 +10:00
amammad 9598bb5a68 stash 2023-09-27 23:22:29 +10:00
amammad c6ad358751 fix package FPs, fix additional step issue 2023-09-27 21:11:07 +10:00
amammad c78f390128 add go generate support, upgrade JWT.qll 2023-09-27 20:17:31 +10:00
amammad 73803eaac9 fix tests
add missed afero sinks
2023-09-27 06:27:05 +10:00
amammad cea44e2bee added the go generate commands for depstubber 2023-09-27 05:22:52 +10:00
amammad 3febbec64e fix qldoc and review suggestions 2023-09-27 05:16:35 +10:00
Tai Groot 013452c52d
fix vendor 2023-09-25 18:45:37 -07:00
Tai Groot 79dcb9e814
update go tools version from v0.11.1 to v0.13.0 2023-09-25 18:38:24 -07:00
amammad fd0d194a8a add changenote 2023-09-26 05:26:00 +10:00
amammad b7f874d1f1 fix tests, better afero support! 2023-09-26 05:04:25 +10:00
amammad c5faddc2a4 remove fasthttp in favor of fasthttp framework 2023-09-26 03:01:51 +10:00
amammad 9f9c9e0e5e fix issues according to code review 2023-09-26 02:06:57 +10:00
amammad e239d763dc
Merge branch 'main' into amammad-go-NewFileSystemAccess 2023-09-26 02:04:59 +10:00
Asger F d501856519 Update DataFlowImpl.qll copies 2023-09-25 10:05:29 +02:00
Anders Schack-Mulligen 6316f61af9 Go: Fix import conflict. 2023-09-22 15:09:25 +02:00
Anders Schack-Mulligen 66da997b7b Dataflow: Make use of defaults for language-specific hooks. 2023-09-22 14:54:22 +02:00
Anders Schack-Mulligen 13f7daf71e
Merge pull request #13982 from aschackmull/dataflow/typeflow-calledge-pruning
Dataflow: Add type-based call-edge pruning.
2023-09-21 13:33:08 +02:00
github-actions[bot] 3acf5244b0 Post-release preparation for codeql-cli-2.14.6 2023-09-20 10:25:10 +00:00
Chris Smowton a8afa05b1d
Correct ReplaceAll params
ReplaceAll doesn't take a count argument
2023-09-20 10:00:53 +01:00
Phill MV 11218f79c6
s/Replace/ReplaceAll/ in LogInjectionGood.go 2023-09-19 14:43:54 -04:00
amammad da864bf7f7 fix QLDoc 2023-09-19 22:19:18 +10:00
amammad a96b0011f0 clean tests 2023-09-19 22:12:10 +10:00
amammad 1e12a86781 Merge branch 'main' into amammad-go-JWT 2023-09-19 22:01:50 +10:00
amammad 2136929164 clean tests 2023-09-19 22:01:40 +10:00
github-actions[bot] 0a3670727f Release preparation for version 2.14.6 2023-09-19 11:40:30 +00:00
amammad bc6a0fc776 move to CWE-347 2023-09-19 07:15:46 +10:00
Maiky 52007fb9a2 Change v3 to v2 2023-09-17 21:42:18 +02:00
Michael B. Gale d7278be064
Go: Update `versionRe` to include patch version
This is optional
2023-09-15 16:50:24 +01:00
amammad 52d1e45b05 add comments for better quality 2023-09-15 23:25:25 +10:00
Chris Smowton a63bb1bbed
Tidy 2023-09-15 12:58:44 +01:00
Anders Schack-Mulligen f5a4b792bd C++/Go/Python/Ruby/Swift: Add dummy localMustFlowStep. 2023-09-13 15:43:46 +02:00
Kevin Stubbings f9fe86a1ca Added change-notes 2023-09-12 21:34:30 -07:00
Kevin Stubbings 7d213d5bb9 Add Integer/Boolean Sanitizer 2023-09-12 21:10:11 -07:00
Chris Smowton d13f4210eb
Fix space handling in Golang configure-baseline scripts 2023-09-11 10:51:35 +01:00
github-actions[bot] d699880c86 Post-release preparation for codeql-cli-2.14.4 2023-09-08 21:17:52 +00:00
Michael B. Gale 3b708993c7
Go: Add diagnostic for 1.21 `toolchain` error 2023-09-07 11:51:20 +01:00
github-actions[bot] abf2b12b1c Release preparation for version 2.14.4 2023-09-05 16:56:14 +00:00
Michael B. Gale 77369a09a4
Merge pull request #13872 from Kwstubbs/Kevin_error_sanitizer
Go: Add sanitizer to remove paths passing through http.Error
2023-09-04 13:25:55 +01:00
amammad f3ea72c234 proper tests with depstubber, remove Duplicates :( 2023-09-03 04:51:05 +10:00
Kevin Stubbings 84d52b94a3 Forgot delete 2023-08-29 08:38:18 -07:00
Kevin Stubbings ffa3bdc8bb Change note changes 2023-08-29 08:37:15 -07:00
amammad 40ff16bdaf
Merge branch 'main' into amammad-go-JWT 2023-08-29 20:02:57 +10:00
Jeroen Ketema 0d1fd88729
Merge pull request #14050 from jketema/inline-6
Consolidate all `InlineFlowTest` libraries in the dataflow qlpack
2023-08-29 09:30:35 +02:00
Kevin Stubbings 29e14f7d8d Feedback, Format, Add Change Notes 2023-08-28 14:15:21 -07:00
Dave Bartolomeo 3343b78015
Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3
Post-release preparation for codeql-cli-2.14.3
2023-08-28 13:34:10 -04:00
github-actions[bot] 3eba77421a Post-release preparation for codeql-cli-2.14.3 2023-08-28 15:53:49 +00:00
amammad 68392e7ae7 V1 2023-08-28 22:23:51 +10:00
amammad 25c60c455e v1 2023-08-27 23:53:45 +10:00
Jeroen Ketema 9d573e5544
Consolidate all `InlineFlowTest` libraries in the dataflow qlpack 2023-08-24 21:38:46 +02:00
Michael Nebel ce6fd8ac5f
Merge pull request #13432 from michaelnebel/updateissupported
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
2023-08-22 08:39:38 +02:00
Jeroen Ketema 2d0f73d7c2
Merge pull request #13881 from jketema/shared-taint-tracking
Introduce shared taint tracking library
2023-08-21 12:45:49 +02:00
Michael Nebel 106ba11e10 Address review comments. 2023-08-21 09:59:02 +02:00
Michael Nebel d66fe08661 Add QLDoc for the getKind predicate. 2023-08-21 09:59:02 +02:00
Michael Nebel 25cc561e50 Go: Sync files and make manual adjustments. 2023-08-21 09:59:01 +02:00
github-actions[bot] 098dfb4242 Release preparation for version 2.14.3 2023-08-18 14:48:15 +00:00
Michael B. Gale a1c9deea61
Merge pull request #13867 from github/mbg/go/1.21-support
Go: Basic Go 1.21 support
2023-08-18 14:37:11 +01:00
Michael B. Gale 9082fd218e
Add taint flow tests for `clear` 2023-08-17 18:39:32 +01:00
Michael B. Gale 109b96f038
Add comment explaining `TaintStep` test 2023-08-17 17:50:41 +01:00
Michael B. Gale e65269be69
Add `DefaultTaintSanitizer` for `clear` 2023-08-17 17:49:46 +01:00
Jeroen Ketema 33e8310625
Merge branch 'main' into shared-taint-tracking 2023-08-17 00:14:25 +02:00
Michael B. Gale 1bd536dd9e
Rename `getLocation` to `hasLocation` 2023-08-16 11:21:35 +01:00
Michael B. Gale c981fd714e
Exclude `String` from `TaintSteps`
For `os.dirEntry` and `os.unixDirent` which are only available
on unix and Windows respectively.
2023-08-15 20:32:41 +01:00
Michael B. Gale ee58dbc6f7
Add new built-ins to `builtinFunction` predicate
- `clear` isn't pure because it modifies a data structure in place
- `clear` may not be used correctly, but this is determined statically
2023-08-15 20:16:42 +01:00
Chris Smowton 3bcfbcdf68
Don't warn when Go version exactly matches go.mod
We had only previously tested this with e.g. installed go 1.20.5 >= go.mod request `go 1.20`; now we have go 1.21.0 which shouldn't elicit a warning because 1.21.0 is equal to the go.mod request `go 1.21`.
2023-08-15 16:49:42 +01:00
Henry Mercer 1213eba630
Merge branch 'main' into post-release-prep/codeql-cli-2.14.2 2023-08-11 13:54:55 +01:00
Michael B. Gale 513da82510
Model data flow for `min` and `max` 2023-08-11 11:51:07 +01:00