
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security

Results 758 codeql issues

When an AMD `define()` call declares `exports`, `module`, or `require` as a dependency, it does not import a module with that name, but we accidentally treated them as imports. Also...

JS
no-change-note-required

A class was erroneously considered to escape into client code if it escaped into an upstream library: ```js class A {} module.exports = new A(); // Correct: escapes downstream class...

JS
no-change-note-required

This PR pulls out the shareable parts of Java's type-flow library into a new shared qlpack. In a subsequent PR, I plan to make use of this library for C/C++...

documentation
Java

This PR adds the same sanitizers as https://github.com/github/codeql/pull/15596 did for C#. I mostly used AI to translate the tests from C# to Java. [An evaluation](https://github.com/github/codeql-dca-main/issues/19423) looks fine. One less result...

Java

When I try to analyze the AOSP database with this query script: ``` /** * @id 1 * @kind path-problem */ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking module SensitiveLoggerConfig implements DataFlow::ConfigSig...

question

- `urllib.parse.urljoin`
- `fnmatch.filter`
- `optparse.parse_args`

This brings the number of results for `py/shell-command-constructed-from-input` on a database for `tanghaibao/jvci` extracted without the standard lib up from 5978 to 17055. With...

Python
no-change-note-required

In preparation for a future where models are generated from the ModelEditor and via AI (as well as the bespoke internal tools we are already building...). I would like to...

JS
Python
Ruby

**Description of the false positive** C# CWE-117 is incorrectly applied to user input sanitized with {string}.ReplaceLineEndings() instead of {string}.Replace(Environment.NewLine, string.Empty) **Code sample** ``` var username = authInfo.Username.ReplaceLineEndings(); _logger.LogError("Invalid login attempt:...

C#
false-positive

When running the `database analyze` command, CodeQL seems to check if you have enough memory available. E.g., if I run this command on a machine that has less than 16...

enhancement
acknowledged
CLI