github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
69 676 коммитов 1 534 Ветки 130 Теги 471 MiB
Граф коммитов

2426 Коммитов

Автор SHA1 Сообщение Дата
github-actions[bot] cc6d87c276 Post-release preparation for codeql-cli-2.18.2 2024-08-08 12:56:21 +00:00
Cornelius Riemenschneider 2310bd94a4 Simplify test. 2024-08-08 13:51:38 +02:00
Owen Mansel-Chan 55de3511b0
Fix frameworks.csv 2024-08-08 10:31:00 +01:00
dependabot[bot] c1e242ecda
Bump golang.org/x/tools 
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/tools` from 0.23.0 to 0.24.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.23.0...v0.24.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-08-08 03:50:32 +00:00
github-actions[bot] 019da8c287 Release preparation for version 2.18.2 2024-08-07 14:02:38 +00:00
Alexander Eyers-Taylor 46577b585e
Revert "Release preparation for version 2.18.2" 2024-08-07 14:24:37 +01:00
Cornelius Riemenschneider 46cf779062 Address review. 2024-08-06 18:08:25 +02:00
Cornelius Riemenschneider ffde68aaec Merge remote-tracking branch 'origin/main' into criemen/pytest-go 2024-08-06 17:03:16 +02:00
Owen Mansel-Chan f0d1740ff8
Update text expectations 2024-08-06 13:48:45 +01:00
github-actions[bot] c14ba0e4bd Release preparation for version 2.18.2 2024-08-06 12:46:15 +00:00
Owen Mansel-Chan 572c773345
Change provenance for MaD models that use package grouping 2024-08-06 13:13:39 +01:00
Paolo Tranquilli 79740ed72b
Merge pull request #17145 from github/redsun82/go 
Go/Bazel: fix gazelle invocation to use bundled bazel go
 2024-08-06 10:36:40 +02:00
Dave Bartolomeo 7e82986e7c Update Go test expectations 2024-08-05 13:20:12 -04:00
Paolo Tranquilli 841f317cbd
Merge branch 'main' into redsun82/go 2024-08-05 14:30:28 +02:00
Cornelius Riemenschneider 133a0914b5 Delete old go integration test library. 2024-08-05 13:31:33 +02:00
Cornelius Riemenschneider 6cb6aeffbb Rename build-environment.expected to build_environment.expected. 
This follows the convention of our other expected files.
 2024-08-05 13:30:23 +02:00
Cornelius Riemenschneider aec06c8100 Port go tests. 2024-08-05 13:22:03 +02:00
Paolo Tranquilli ccec347b0a Go/Bazel: fix gazelle invocation to use bundled bazel go 2024-08-05 10:13:14 +02:00
dependabot[bot] 74596ef000
Bump golang.org/x/mod 
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/mod](https://github.com/golang/mod).


Updates `golang.org/x/mod` from 0.19.0 to 0.20.0
- [Commits](https://github.com/golang/mod/compare/v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-08-05 03:18:38 +00:00
github-actions[bot] f5394c9ee9 Add changed framework coverage reports 2024-08-04 00:19:56 +00:00
Owen Mansel-Chan 4d75832c9a
Update go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected 2024-08-02 07:41:26 +01:00
Owen Mansel-Chan b95189d132
Merge branch 'main' into go/gokogiri/update-import-paths 2024-08-01 16:30:52 +01:00
Owen Mansel-Chan c23938d119
Merge pull request #17113 from owen-mc/go/xmlpath/add-more-package-paths 
Go: add more import paths for `xmlpath`
 2024-08-01 16:26:33 +01:00
Owen Mansel-Chan 9167057dfd
Update test expectations 2024-08-01 15:22:08 +01:00
Owen Mansel-Chan c75db669ed
Add import path for gokogiri 2024-08-01 15:21:24 +01:00
Owen Mansel-Chan 1a697fe993
Merge pull request #17115 from owen-mc/go/update-frameworks 
Go: add newly modeled packages to frameworks.csv
 2024-08-01 15:13:12 +01:00
Owen Mansel-Chan 3ccdce291a
Update test expectations 2024-08-01 15:12:08 +01:00
Owen Mansel-Chan 62adb31ca6
Add more import paths for xmlpath 2024-08-01 14:52:19 +01:00
Owen Mansel-Chan 9d866192a6
Add paths from QL models to MaD models 2024-08-01 14:52:18 +01:00
Owen Mansel-Chan 8325c4c69c
Updated .expected files 2024-08-01 13:12:21 +01:00
Owen Mansel-Chan cbe54717f6
Revert "Revert post-processing for 6 queries pending bug fix" 
This reverts commit a8236e1545.
 2024-08-01 13:10:06 +01:00
Owen Mansel-Chan d5dc95f1e6
Update frameworks.csv 2024-08-01 11:03:50 +01:00
Anders Schack-Mulligen 377301a55a
Merge pull request #17108 from aschackmull/dataflow/flowthrough-provenance 
Dataflow: Propagate provenance correctly for flow-through wrappers.
 2024-08-01 09:35:56 +02:00
Anders Schack-Mulligen 9724516c84 C#/Go/Java/Python/Ruby: Accept qltest .expected changes. 2024-07-31 14:45:10 +02:00
Owen Mansel-Chan 01c6dbaa27
Accept provenance numbering changes 2024-07-31 12:19:18 +01:00
Owen Mansel-Chan e4cd29efc6
Fix missing go-jose package path 2024-07-31 11:09:53 +01:00
Owen Mansel-Chan f8e8b362ab
Merge branch 'main' into workflow/coverage/update 2024-07-31 10:07:35 +01:00
github-actions[bot] d0c2b4a60f Add changed framework coverage reports 2024-07-31 00:15:22 +00:00
Owen Mansel-Chan a8236e1545
Revert post-processing for 6 queries pending bug fix 
This commit will be reverted when a bug is fixed which is currently
stopping these tests from working with post-processing.
 2024-07-30 12:58:01 +01:00
Owen Mansel-Chan ffeb86c1f5
Update `.expected` files 2024-07-30 12:54:42 +01:00
Owen Mansel-Chan 5c8f21d596
Use post-process provenance pretty-printing in ql tests 2024-07-30 11:35:10 +01:00
Owen Mansel-Chan 94f290411f
Use post-process provenance pretty-printing in qlref tests 2024-07-30 11:35:09 +01:00
Owen Mansel-Chan 9cb01d4573
Merge branch 'main' into go/mad/convert-sinks 2024-07-30 08:03:18 +01:00
Owen Mansel-Chan f307f272d5 Go: Use provenance pretty-printing as a qltest post-process step 2024-07-28 21:31:50 +01:00
Owen Mansel-Chan 6960c5232b Go: Add support for provenance pretty-printing as a qltest post-process step 2024-07-28 21:31:50 +01:00
Owen Mansel-Chan 1aa63c3f2e
Accept model numbering changes 2024-07-25 14:55:50 +01:00
Owen Mansel-Chan a6cb511ed7
Convert XPath injection sinks to MaD 2024-07-25 12:56:06 +01:00
Owen Mansel-Chan f3069c8fbb
Improve XPath injection test (incl extra sinks) 
Currently the extra sinks are not detected. This will be fixed in the
next commit.
 2024-07-25 12:55:05 +01:00
Owen Mansel-Chan 78b66abad3
Convert existing credentials sinks to MaD 
I checked that the tests failed when I removed the classes and passed
again when I add the MaD models.
 2024-07-25 12:53:16 +01:00
Owen Mansel-Chan 93c9910e6f
Convert go/request-forgery sinks to MaD 2024-07-25 12:53:15 +01:00
Owen Mansel-Chan f7d681516a
Allow MaD sinks for go/request-forgery 
Request forgery sinks which have `getRequest` different from the sink
itself cannot be modeled using models-as-data.
 2024-07-25 12:53:14 +01:00
Anders Schack-Mulligen 7a48fe1102 Dataflow: Replace ppReprType with DataFlowType.toString. 2024-07-25 13:08:47 +02:00
github-actions[bot] 49cc8f8ff8 Post-release preparation for codeql-cli-2.18.1 2024-07-22 22:00:48 +00:00
github-actions[bot] 368bcb684a Release preparation for version 2.18.1 2024-07-22 21:30:50 +00:00
Chuan-kai Lin 23320b6e5e
Revert "Release preparation for version 2.18.1" 2024-07-22 13:22:49 -07:00
github-actions[bot] 55935fc123 Release preparation for version 2.18.1 2024-07-22 14:56:15 +00:00
github-actions[bot] f83b70dbc2 Add changed framework coverage reports 2024-07-20 00:17:36 +00:00
Owen Mansel-Chan 24261b29d5
Merge pull request #17012 from owen-mc/go/mad/convert-sources-websockets 
Go: convert models for websocket readers as remote flow sources to models-as-data
 2024-07-19 10:04:27 +01:00
Michael Nebel 2796597d1a Code quality improvements. 2024-07-19 09:36:17 +02:00
Michael B. Gale 3a9ff64780
Go: Output stdout/stderr for `go version` if something goes wrong 2024-07-18 15:37:59 +01:00
Michael Nebel ca4bd0c606 C#/Java/Go: Neutrals are split into seperate classes. 2024-07-18 16:29:38 +02:00
Owen Mansel-Chan cb0589dfb7
Tests: accept model numbering changes 2024-07-18 11:35:52 +01:00
Owen Mansel-Chan fc17b905f0
Convert WebSocketReaderAsSource to MaD 2024-07-18 10:53:13 +01:00
Owen Mansel-Chan 0a2ed8302a
Add test for websocket remote flow sources 2024-07-18 07:45:03 +01:00
Owen Mansel-Chan 1e4aadfbfd
Trivial: improve variable name 2024-07-18 07:44:19 +01:00
Owen Mansel-Chan 8bc883274f
Minor improvement to jsoniter test 2024-07-18 07:38:23 +01:00
github-actions[bot] ca42eac589 Add changed framework coverage reports 2024-07-18 00:17:53 +00:00
Owen Mansel-Chan 433137ada6
Merge pull request #16960 from owen-mc/go/mad-sources-fasthttp 
Go: Convert fasthttp sources to MaD
 2024-07-17 21:31:49 +01:00
dependabot[bot] 3641dfebff
Bump the extractor-dependencies group across 1 directory with 2 updates 
Bumps the extractor-dependencies group with 2 updates in the /go/extractor directory: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/mod` from 0.15.0 to 0.19.0
- [Commits](https://github.com/golang/mod/compare/v0.15.0...v0.19.0)

Updates `golang.org/x/tools` from 0.18.0 to 0.23.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.18.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-07-17 11:46:01 +00:00
Paolo Tranquilli bf69c76829
Merge pull request #16987 from github/redsun82/go 
Go/Bazel: use gazelle `go_deps` instead of a vendor directory
 2024-07-17 13:44:23 +02:00
Owen Mansel-Chan d109b1e20d
Accept model numbering changes in tests 2024-07-17 12:37:23 +01:00
Owen Mansel-Chan 6b52cd4957
Do not use "request" threat model kind 
It is not supported yet.
 2024-07-17 12:12:00 +01:00
Owen Mansel-Chan cfdd48711b
Convert Fasthttp::RequestHeader::RemoteFlowSource to MaD 2024-07-17 12:11:59 +01:00
Owen Mansel-Chan abeca3d9f9
Convert Fasthttp::RequestCtx::RemoteFlowSource to MaD 2024-07-17 12:11:58 +01:00
Owen Mansel-Chan 729069e3d9
Convert Fasthttp::Request::RemoteFlowSource to MaD 2024-07-17 12:11:57 +01:00
Owen Mansel-Chan c3169d258f
Convert Fasthttp::Args::RemoteFlowSource to MaD 2024-07-17 12:11:57 +01:00
Owen Mansel-Chan 5a00b5ec96
Convert Fasthttp::URI::RemoteFlowSource to MaD 2024-07-17 12:11:56 +01:00
Owen Mansel-Chan f33927457f
Adapt test to work better for MaD 
In MaD, `Argument[n]` corresponds to the post-update node of the
argument, which in the old version of the test will be the definition of
`dstReader` for the tests for `ReadBody`, `ReadLimitBody`,
`ContinueReadBodyStream`, `ContinueReadBody`.
 2024-07-17 12:11:55 +01:00
Owen Mansel-Chan a8a4a201bd
Merge pull request #16992 from owen-mc/go/mad/use-package-grouping 
Go: use package grouping in existing models-as-data models
 2024-07-17 12:08:26 +01:00
Owen Mansel-Chan f67026f2ad
Accept model numbering changes in tests 2024-07-17 11:02:28 +01:00
Owen Mansel-Chan 4c3220ea9d
Use package grouping in models for gocb 2024-07-17 10:36:38 +01:00
Owen Mansel-Chan 4b2075bfb1
Split models for separate protobuf packages into separate files 2024-07-17 10:36:37 +01:00
Owen Mansel-Chan aa0749e4ba
Use package grouping for go-jose/jwt models 2024-07-17 10:36:37 +01:00
Owen Mansel-Chan 8a5a9418c7
Add frameworks to frameworks.csv 2024-07-17 10:20:44 +01:00
Owen Mansel-Chan e6c7e1a0bc
Merge pull request #16990 from owen-mc/go/change-string-prefix-check 
Go: Change string prefix check
 2024-07-17 09:57:45 +01:00
Owen Mansel-Chan fc6b17ad64
Test: accept model numbers changing 2024-07-16 21:36:12 +01:00
Owen Mansel-Chan 535b4ea986
Convert net/http UserControlledRequestField sources to MaD 2024-07-16 16:53:02 +01:00
Owen Mansel-Chan 873fd6646b
Convert Revel::UserControlledRequestMethod sources to MaD 2024-07-16 16:53:01 +01:00
Owen Mansel-Chan 034f2d4221
Convert Revel field read sources to MaD 2024-07-16 16:53:01 +01:00
Owen Mansel-Chan 2da1de7b13
Use `packageGrouping` in Revel models 2024-07-16 16:53:00 +01:00
Owen Mansel-Chan 8647f69720
Change string prefix check 
This avoids putting all the prefixes in the string pool.
 2024-07-16 15:56:28 +01:00
Owen Mansel-Chan ca06589386
Make comments clearer 2024-07-16 12:14:21 +01:00
Owen Mansel-Chan cafb1181a0
Tests: Accept model numbering changes 2024-07-16 12:14:09 +01:00
Paolo Tranquilli e469534b84 Go/Bazel: use gazelle `go_deps` instead of a vendor directory 2024-07-16 13:12:37 +02:00
Owen Mansel-Chan 124567caa4
Convert Mux::RequestVars to MaD 2024-07-16 11:18:19 +01:00
Owen Mansel-Chan b3744ef230
Sort Gin source models 2024-07-16 11:18:18 +01:00
Owen Mansel-Chan 061c187a8e
Convert GithubComGinGonicGinContextBindSource to MaD 2024-07-16 11:18:18 +01:00
Owen Mansel-Chan ef833de123
Convert GithubComGinGonicGinContextSource to MaD 2024-07-16 11:18:17 +01:00
Owen Mansel-Chan 06a2a40f50
Convert GoRestfulReadEntitySource to MaD 2024-07-16 11:18:16 +01:00
Owen Mansel-Chan 7bfa4c1947
Convert GoRestfulSource to MaD 2024-07-16 11:18:14 +01:00
Anders Schack-Mulligen 0fb27fb6fc
Merge pull request #16979 from aschackmull/dataflow/internsets 
Dataflow: Replace MakeSets with QlBuiltins::InternSets.
 2024-07-16 10:47:07 +02:00
Anders Schack-Mulligen da5abc8321 Dataflow: Replace MakeSets with QlBuiltins::InternSets. 2024-07-15 13:35:57 +02:00
Owen Mansel-Chan 3efbee0d81
Accept provenance numbering changes 2024-07-14 16:06:29 +01:00
Owen Mansel-Chan 99ed3c2ac1
Convert ElazarlGoproxy::UserControlledRequestData to MaD 2024-07-14 14:28:48 +01:00
Owen Mansel-Chan 2ec64a9ca8
Convert EchoContextBinder to MaD 2024-07-14 14:28:47 +01:00
Owen Mansel-Chan 3fc598dbe9
Convert EchoContextSource to MaD 2024-07-14 14:28:46 +01:00
Owen Mansel-Chan 5b38d51f62
Convert Chi::UserControlledMethod to MaD 2024-07-14 14:28:46 +01:00
Owen Mansel-Chan 3bd4a203bb
Convert Chi::UserControlledFunction to MaD 2024-07-14 14:28:44 +01:00
github-actions[bot] 5d657ba99a Add changed framework coverage reports 2024-07-13 00:18:24 +00:00
Owen Mansel-Chan 5bdef38dd9
Merge pull request #16941 from owen-mc/go/mad-package-alias 
Go: Allow grouping import paths for models-as-data
 2024-07-11 12:27:43 +01:00
Michael B. Gale 45b782554c
Merge pull request #16925 from github/mbg/go/add-vendor-env-var 
Go: Add environment variable to include `vendor` directories in extraction
 2024-07-11 11:06:31 +01:00
Owen Mansel-Chan 3417605b6d
Tests: update provenance numbering 2024-07-11 06:42:58 +01:00
Owen Mansel-Chan 2c7fbda2ec
Accept review suggestion for QLDoc 2024-07-10 16:48:11 +01:00
Owen Mansel-Chan 32acff76c2
Make `groupPrefix()` private 
This could be made public in future. But I expect that we will want to
use this logic for QL models as well then we will want to move it into a
different file, which will be much easier if it's all private at the
moment.
 2024-07-10 16:48:10 +01:00
Owen Mansel-Chan b64ef84393
Use `prefix()` method on string to check for group prefix 2024-07-10 16:48:10 +01:00
Owen Mansel-Chan 3e2ebf436c
Move logic for dealing with groups into a predicate 2024-07-10 16:48:09 +01:00
Owen Mansel-Chan f6b9195a61
Add validation of package groups 2024-07-10 16:48:08 +01:00
Owen Mansel-Chan ab991af2a5
Fix package validation errors 2024-07-10 16:48:07 +01:00
Owen Mansel-Chan f650e3f72b
Update MaD documentation explain "group:" in package column 2024-07-10 16:48:06 +01:00
Owen Mansel-Chan 01afa360d7
Tests: accept model numbering changes 2024-07-10 16:48:05 +01:00
Owen Mansel-Chan 1e448d547d
Rename Beego MaD files using path from current version 2024-07-10 16:48:04 +01:00
Owen Mansel-Chan fde7d7b969
Use `packageGrouping` for Beego models 2024-07-10 16:48:03 +01:00
Michael Nebel 4193b7e591
Allow grouping import paths for models-as-data 2024-07-10 16:48:02 +01:00
Owen Mansel-Chan 496e76c1c5
Merge pull request #16931 from owen-mc/go/fix/clear-sanitizer 
Go: fix `clear` sanitizer
 2024-07-08 16:52:37 +01:00
Owen Mansel-Chan a774aacfa8
Add change note 2024-07-08 16:09:17 +01:00
Owen Mansel-Chan 68929d1f73
Fix definition of `ClearSanitizer` 2024-07-08 16:05:17 +01:00
Owen Mansel-Chan eec2aa82a6
Add failing tests for `ClearSanitizer` 2024-07-08 16:05:04 +01:00
github-actions[bot] ae3aba061b Post-release preparation for codeql-cli-2.18.0 2024-07-08 13:30:13 +00:00
Michael B. Gale 7ca57e114f
Go: Add `CODEQL_EXTRACTOR_GO_EXTRACT_VENDOR_DIRS` env var 
If set to `true`, this allows `vendor` directories to be extracted
 2024-07-08 14:08:19 +01:00
Michael B. Gale bc61a58000
Go: Add integration test for extracting vendored dependencies 2024-07-08 14:05:06 +01:00
github-actions[bot] b0d6778652 Release preparation for version 2.18.0 2024-07-08 09:10:51 +00:00
github-actions[bot] 13bb93ea20 Add changed framework coverage reports 2024-07-03 00:17:59 +00:00
Owen Mansel-Chan 801edda9b2
Accept MaD edge provenance label changes/additions 2024-07-01 16:13:41 +01:00
Owen Mansel-Chan 247abf95ee
Convert BeegoContextSource to MaD 2024-07-01 16:13:40 +01:00
Owen Mansel-Chan 84bb8a400b
Convert BeegoInputRequestBodySource to MaD 2024-07-01 16:13:39 +01:00
Owen Mansel-Chan 194491f3fb
Convert BeegoControllerSource to MaD 2024-07-01 16:13:38 +01:00
Owen Mansel-Chan 6bc0ffe429
Convert BeegoInputSource to MaD 2024-07-01 16:13:37 +01:00
Owen Mansel-Chan 2bbd9ab4eb
Change definition of BeegoInputSafeUrlSource 2024-07-01 16:13:36 +01:00
Owen Mansel-Chan 8d8af320bf
Add in missing summary models for Beego 2024-07-01 16:13:34 +01:00
Arthur Baars c6d02e4909
Merge pull request #16878 from github/aibaars/merge-3.14 
Merge rc/3.14 into main
 2024-07-01 11:04:57 +02:00
github-actions[bot] 26194eb65f Add changed framework coverage reports 2024-06-30 00:19:16 +00:00
Arthur Baars b12b33c8f9 Merge remote-tracking branch 'upstream/main' into 'rc/3.14' 2024-06-28 19:50:35 +02:00
Owen Mansel-Chan 98b2d1f2d7
Add Go JOSE to library coverage frameworks 2024-06-27 14:52:08 +01:00
github-actions[bot] 0a8c9da0ac Add changed framework coverage reports 2024-06-27 00:17:25 +00:00
Owen Mansel-Chan a30b34c4bd Used "fixed-version:" prefix in a test 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan 418a56d385 Replace "$THISVERSION" suffix with "fixed-version:" prefix 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan 081f32141c Accept review suggestion fixing a comment 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan d4e8e4c943 Add QLDoc for `majorVersionSuffixRegex` 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan 46d0c6ff9c Use lookahead in regex to not match e.g. "/v2foo" 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan c8a3bedf44 Move major version suffix regex into one place 2024-06-26 05:01:09 +01:00