Java: Propagate taint through field reads
Currently Go and JavaScript have this behaviour without any problems, but we have to check that it doesn't lead to FPs (or at least that they're balanced out by enough TPs) or any performance problems.
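To make the TP/FP trade-off in the description concrete, here is an added toy model (written for this page, not CodeQL's data-flow library or any code from the PR) of a forward taint analysis over a tiny straight-line IR. The `taint_through_field_reads` flag models the behaviour under discussion: a read of any field of a tainted qualifier object yields a tainted value, on top of the field-precise content flow that is always on. The three constructed programs show (1) precise field flow that both modes catch, (2) the true positive the new step buys when an object arrives tainted as a whole and its fields were never written in analysed code, and (3) the false positive it risks when a tainted object has a field that provably holds a constant. The IR, statement names and the `Call` taint-through rule are assumptions of the model.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple, Union


# A minimal straight-line IR, constructed for this example only.
@dataclass(frozen=True)
class Source:      # dst = source()      whole value/object is tainted
    dst: str

@dataclass(frozen=True)
class Const:       # dst = <literal>     untainted
    dst: str

@dataclass(frozen=True)
class Call:        # dst = f(args...)    assumed taint-through: tainted if any arg is
    dst: str
    args: Tuple[str, ...]

@dataclass(frozen=True)
class FieldWrite:  # obj.fld = src       field-precise content flow
    obj: str
    fld: str
    src: str

@dataclass(frozen=True)
class FieldRead:   # dst = obj.fld
    dst: str
    obj: str
    fld: str

@dataclass(frozen=True)
class Sink:        # sink(arg)
    arg: str

Stmt = Union[Source, Const, Call, FieldWrite, FieldRead, Sink]


def analyze(program: List[Stmt], taint_through_field_reads: bool) -> List[int]:
    """Forward taint propagation; returns indices of sink() calls reached by taint."""
    tainted: Set[str] = set()                      # variables holding tainted values
    tainted_fields: Set[Tuple[str, str]] = set()   # (obj, fld) whose content is tainted
    hits: List[int] = []

    def set_taint(var: str, is_tainted: bool) -> None:
        # Strong update: an untainted assignment clears any earlier taint on var.
        (tainted.add if is_tainted else tainted.discard)(var)

    for i, st in enumerate(program):
        if isinstance(st, Source):
            set_taint(st.dst, True)
        elif isinstance(st, Const):
            set_taint(st.dst, False)
        elif isinstance(st, Call):
            set_taint(st.dst, any(a in tainted for a in st.args))
        elif isinstance(st, FieldWrite):
            key = (st.obj, st.fld)
            (tainted_fields.add if st.src in tainted else tainted_fields.discard)(key)
        elif isinstance(st, FieldRead):
            precise = (st.obj, st.fld) in tainted_fields          # always modelled
            coarse = taint_through_field_reads and st.obj in tainted  # the new step
            set_taint(st.dst, precise or coarse)
        elif isinstance(st, Sink):
            if st.arg in tainted:
                hits.append(i)
    return hits


def compare(program: List[Stmt]) -> Tuple[List[int], List[int]]:
    """Sink hits without and with the field-read taint step."""
    return analyze(program, False), analyze(program, True)


# (1) Tainted data stored into a field and read back: found either way.
PRECISE = [Source("s"), Call("o", ()), FieldWrite("o", "name", "s"),
           FieldRead("n", "o", "name"), Sink("n")]

# (2) TP: the object itself is the source (e.g. a parsed request); its fields were
#     populated outside analysed code, so only the new step reaches the sink.
TP = [Source("req"), FieldRead("body", "req", "body"), Sink("body")]

# (3) FP: a wrapper built from tainted input is tainted as a whole, but the field
#     read here was last written with a constant; the new step still flags it.
FP = [Source("user"), Call("w", ("user",)), Const("one"),
      FieldWrite("w", "version", "one"), FieldRead("v", "w", "version"), Sink("v")]


if __name__ == "__main__":
    for name, prog in (("precise", PRECISE), ("tp", TP), ("fp", FP)):
        print(name, "without/with field-read step:", compare(prog))
```

Only the field-precise path is shared by both modes; the flag adds exactly one result per program here, one of which is a true positive and one a false positive, which is the balance the description says needs checking on real code.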
DCA shows an increase in analysis time of 13%-320%, plus one workflow failure:
[255/255 eval 230m25s] Query failed: codeql/java-queries/Security/CWE/CWE-532/SensitiveInfoLog.ql (Query evaluation ran out of Java heap (Java heap maximum: 3441 MiB). The evaluator previously allocated beyond the heap limit.
(eventual cause: OutOfMemoryError "Java heap space")).
CodeQL is out of memory. Try running CodeQL on a larger runner (hosted or self-hosted). If you continue to encounter this issue, contact GitHub Support.
This might be fixable, with some investigation.