github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
69 461 коммит 1 534 Ветки 130 Теги 471 MiB
Граф коммитов

69461 Коммитов

Автор SHA1 Сообщение Дата
Ed Minnix 704cd8aee3 Update change note 2024-08-19 12:28:55 -04:00
Edward Minnix III fc38476e42 Fix models 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2024-08-19 12:25:55 -04:00
Ed Minnix f89174a6f3 CI changes (provenance) 2024-08-19 12:25:52 -04:00
Ed Minnix 0f7ad98a23 Change note 2024-08-19 12:25:48 -04:00
Ed Minnix eb8c785c6b Fix formatting 2024-08-19 12:25:43 -04:00
Ed Minnix 3f640a99d3 Tests for `file` models 2024-08-19 12:25:37 -04:00
Ed Minnix 383e27c2bd Add file sources 2024-08-19 12:25:27 -04:00
Asger F 3be219c79d
Merge pull request #17243 from asgerf/js/post-message-source-client-side 
JS: Classify post-message events as client side taint sources
 2024-08-19 11:09:26 +02:00
Geoffrey White a25d9c7397
Merge pull request #17220 from paldepind/reuse-unbounded-in-tainted-allocation-size 
C++: Reuse bounded predicate in TaintedAllocationSize query
 2024-08-19 09:37:55 +01:00
Cornelius Riemenschneider 2933a3be9c
Merge pull request #17088 from github/criemen/modext-isolation 
`crate_universe`: Enable modext isolation.
 2024-08-19 10:22:55 +02:00
Cornelius Riemenschneider 675e920667 Fix formatting. 2024-08-19 09:00:08 +02:00
Cornelius Riemenschneider 1faad979ad Address review. 2024-08-19 08:54:56 +02:00
Michael Nebel ec9f533325
Merge pull request #17248 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2024-08-19 08:26:47 +02:00
Simon Friis Vindum 1665badc83 C++: Add change note for cpp/uncontrolled-allocation-size 2024-08-19 08:23:40 +02:00
Simon Friis Vindum 1959e1929e C++: Reuse bounded predicate in TaintedAllocationSize query 2024-08-19 08:23:32 +02:00
github-actions[bot] 9279bebf07 Add changed framework coverage reports 2024-08-19 00:19:04 +00:00
Cornelius Riemenschneider f9bc97b2a1 `crate_universe`: Enable modext isolation. 
This should allow us to build our python and ruby
code independently - in particular, we can now do shallow
checkouts of one without the other.
Previously, the modext introduced cross-dependency.
This also reduces the amount of work we do in the
crate universe processing for the other language, even
though it's unused.

This does need renaming the module, as otherwise
the generated paths from rules_rust get too long
for Windows :(
 2024-08-18 21:00:30 +02:00
Geoffrey White b001f47c17
Merge pull request #17211 from paldepind/uncontrolled-allocation-size-docs 
C++: Update documentation for cpp/uncontrolled-allocation-size to clarify its scope
 2024-08-16 16:36:22 +01:00
Geoffrey White e3b9b0a9bd
Merge pull request #17210 from geoffw0/mailto 
Swift: Fix false positives in the swift/cleartext-transmission query
 2024-08-16 16:23:09 +01:00
Simon Friis Vindum 5504799d44
Merge branch 'main' into uncontrolled-allocation-size-docs 2024-08-16 16:15:14 +02:00
Anders Schack-Mulligen 3a9610795b
Merge pull request #16808 from JLLeitschuh/patch-8 
Align Java CommandInjectionRuntimeExec.ql Severity
 2024-08-16 15:14:48 +02:00
Asger F 7a7ab457a9 JS: Delete unneeded test code (and shift line numbers) 2024-08-16 14:38:54 +02:00
Asger F 9ee7599aeb JS: Move AngularJSTemplateUrlSink to ClientSideUrlRedirection query 
This is not perfect but at least we can be consistent about keeping URLs-that-lead-to-xss in the same query
 2024-08-16 14:37:13 +02:00
Asger F 699d3a0a0a JS: Update a RegExp injection test 
RegExpInjection does not use client-side sources, but one of its tests was using postMessage events
as the taint source. Updating the test to use a different taint source.
 2024-08-16 14:20:34 +02:00
Simon Friis Vindum 07800ea7ef
Merge branch 'main' into uncontrolled-allocation-size-docs 2024-08-16 13:10:08 +02:00
Simon Friis Vindum 5548304432 C++: Grammar improvements to query help text 2024-08-16 13:08:34 +02:00
Chris Smowton f7d8c210e5
Merge pull request #17239 from smowton/smowton/admin/camel-test 
Java: add test for Apache Camel dead-code analysis
 2024-08-16 11:00:30 +01:00
Rasmus Wriedt Larsen d6af999c2d
Merge pull request #17234 from github/felicitymay-patch-1 
Update CookieInjection.ql to remove period from @name
 2024-08-16 11:26:16 +02:00
Asger F 467256d465 JS: Add change note 2024-08-16 11:06:59 +02:00
Asger F 2d264052b3 JS: Treat browser message events as client-side sources 2024-08-16 11:02:12 +02:00
Rasmus Wriedt Larsen 25fc5f3803
Merge pull request #17209 from RasmusWL/threat-models-stdin 
ThreatModels: Add `stdin` kind
 2024-08-16 11:01:33 +02:00
Rasmus Wriedt Larsen c3d8efc43d
Merge branch 'main' into stdin3 2024-08-16 09:54:45 +02:00
Anders Schack-Mulligen ae013ba01a
Merge pull request #17235 from aschackmull/dataflow/fix-missing-subpaths 
Dataflow: Fix missing subpaths due to type strengthening.
 2024-08-16 08:41:35 +02:00
Anders Schack-Mulligen 51c43a7440 Java: Accept expected changes. 2024-08-16 07:01:35 +02:00
Anders Schack-Mulligen 86708c9ff8 Dataflow: Fix missing subpaths due to type strengthening. 2024-08-15 18:57:10 +02:00
Chris Smowton 0b56bf98f3 Java: add test for Apache Camel dead-code analysis 
This exercises code that detects Camel entry-points and marks them as live.
 2024-08-15 17:26:38 +01:00
Tom Hvitved fb7b89f309
Merge pull request #17237 from aschackmull/java/fix-merge-conflict 
Java: Fix expected files following semantic merge conflict.
 2024-08-15 17:25:03 +02:00
Rasmus Wriedt Larsen 7a446231b6
C#: Accept benign test changes 2024-08-15 16:20:00 +02:00
Anders Schack-Mulligen e77c3dfda1 Java: Fix expected files following https://github.com/github/codeql/pull/17233 and https://github.com/github/codeql/pull/17224. 2024-08-15 15:45:37 +02:00
Rasmus Wriedt Larsen 78770bcd1b
Docs: Mention new `stdin` threat-model 2024-08-15 15:45:21 +02:00
Rasmus Wriedt Larsen 1e7eae58f4
Java: Add change-note 2024-08-15 15:45:20 +02:00
Rasmus Wriedt Larsen ebafe65ac2
C#: Fixup test expectations from using `stdin` 2024-08-15 15:45:20 +02:00
Rasmus Wriedt Larsen 43b61dd2aa
C#: Support `stdin` in LocalFlowSource 2024-08-15 15:45:20 +02:00
Rasmus Wriedt Larsen fee38b3781
Java: Fixup test 2024-08-15 15:37:35 +02:00
Rasmus Wriedt Larsen 1e12c11adc
Java: Model `System.in` as `stdin` threat-model 2024-08-15 15:37:35 +02:00
Rasmus Wriedt Larsen 7395223410
C#: Model `System.Console` reads as `stdin` threat-model 2024-08-15 15:36:28 +02:00
Rasmus Wriedt Larsen 157d0b7f37
ThreatModels: Add `stdin` kind 
None of the current local subgroups precisely captures stdin, so
although it's much like both commandargs and file, a separate kind seems
better.
 2024-08-15 15:36:28 +02:00
Anders Schack-Mulligen 7d61d9282c
Merge pull request #17233 from aschackmull/dataflow/match-summarylabel 
Dataflow: Fix missing join on summaryLabel.
 2024-08-15 14:55:38 +02:00
Felicity Chapman fcb2b5730f
Update CookieInjection.ql to remove period 2024-08-15 13:17:13 +01:00
Anders Schack-Mulligen 6f23e8dcf3
Merge pull request #17224 from aschackmull/java/inlineflow-pathgraph 
Java: Add PathGraph to test output for default inline flow tests.
 2024-08-15 13:35:24 +02:00