codeql
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
**Description of the issue** There is a newer variation of GitHub Actions TOCTOU vulnerabilities known as "Workflow dispatch TOCTOU" - I wrote about a real-world example in a recent bug...
**Description of the false positive** The artifact poisoning CodeQL query creates a Critical false-positive under the following scenario: * Download Artifact with path set to start with `${{ runner.temp }}`...
https://codeql.github.com/codeql-query-help/java/java-unsafe-deserialization/ This query currently documents that SnakeYaml is currently insecure by default. As of 2.0, this is no longer the case. It's now secure by default. This should be updated...
Hi! I'm trying to write a query that checks whether function A can call (directly or transitively) function B. I've implemented it with recursive predicate that uses `Function.calls`. It works,...
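As an added example (not code from the question above or from the CodeQL project itself), here is how the "A can reach B, directly or transitively" check looks both as an explicit recursive predicate and with CodeQL's transitive-closure operator. It assumes the C/C++ library (`import cpp`), where `Function.calls(Function)` holds when the first function contains a call to the second; the function names `main` and `system` in the `from`/`where` part are placeholders chosen for illustration.

```ql
/**
 * Added example: does function A reach function B through the call graph?
 * Assumes the C/C++ library, where `Function.calls(Function)` holds when
 * the first function contains a direct call to the second.
 */

import cpp

/**
 * Reachability spelled out as an explicit recursive predicate.
 * QL evaluates recursion as a least fixpoint, so cycles in the call graph
 * (mutual recursion, self-calls) terminate without special handling.
 */
predicate reachesRecursive(Function caller, Function callee) {
  caller.calls(callee)
  or
  exists(Function mid | caller.calls(mid) and reachesRecursive(mid, callee))
}

/**
 * The same relation using the built-in transitive closure `+` on the
 * `calls` predicate: `caller.calls+(callee)` holds for one or more hops
 * and avoids the explicit `exists`. Use `calls*` instead if a function
 * should also be considered to reach itself in zero hops.
 */
predicate reachesClosure(Function caller, Function callee) {
  caller.calls+(callee)
}

from Function a, Function b
where
  // Placeholder names for the two endpoints; substitute the functions of interest.
  a.getName() = "main" and
  b.getName() = "system" and
  reachesClosure(a, b)
select a, b, a.getName() + " can reach " + b.getName() + " (directly or transitively)."
```

Both predicates compute the same relation; `calls+` is the idiomatic form and lets the evaluator apply its transitive-closure strategy rather than re-deriving the closure from a hand-written recursion.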
Fixes #19764 * Allow queries to be extended using a new `sql-injection` Models as Data (MaD) sink kind for C/C++. * Add `sql-injection` sink models for the Oracle Call Interface...
This PR adds an actions workflow to enforce usage of the [`add-overlay-annotations.py` script](https://github.com/github/codeql/pull/19778) to help maintain overlay annotations. This PR enables the script for Java. For https://github.com/github/codeql-core/issues/4951.
This PR adds overlay annotations for Java libraries and shared libraries to support experimentation with Java overlay analysis. Overlay annotations were added automatically using the [`add-overlay-annotations.py` script](https://github.com/github/codeql/pull/19778). The high-level intent...
This PR adds a script to automatically add sensible default annotations to files without existing overlay annotations. The script uses naming heuristics to determine which files to annotate. The script...
I tried to build the language database using CodeQL, but encountered an error. And now I have read this article: https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build. I didn't receive any help. However, I used the...