codeql
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
This PR is a proof of concept for how diff-informed queries could be made more high level, reducing hard-to-remember design patterns and simultaneously reducing reverse dependencies and the "module soup"...
This pull request drops items that are "obviously" private. Those are items that lack any visibility modifier. It also excludes items in `traits` and in `impl` blocks that implement a...
The introduction of `build-mode=none` has been very helpful for us. This allows us to create (partial) CodeQL databases, without being forced to fully resolve (maven) dependencies. Sometimes this is convenient...
`cpp-user-after-free` seems to have a number of false positives, particularly when a pointer is `free`d, re-allocated, and then reused correctly. Consider the following code snippet from [this part](https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-piv.c#L2939) of [OpenSC](https://github.com/OpenSC/OpenSC):...
Hi! I recently did a test with CodeQL on a new Kotlin project, and I included [CWE-1204](https://codeql.github.com/codeql-query-help/java/java-static-initialization-vector/) to get a detection. I copied the example from documentation and [test case](https://github.com/github/codeql/blob/60cc63f4d4f6827ec68584b8ec0763ed4043189e/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.java#L15)....
Cf. https://github.com/github/codeql/issues/19538 The test is failing for a couple of reasons. The most important is that `MethodCall.getMethod()` has no results for the call, i.e. the extractor has not populated `callableBinding`....