Skip to content

codeql: use extended query pack #9559

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 14, 2023
Merged

codeql: use extended query pack #9559

merged 1 commit into from
Nov 14, 2023

Conversation

mdtro
Copy link
Member

@mdtro mdtro commented Nov 14, 2023

This expands CodeQL to cover more potentially vulnerable code paths.

In addition to the current detections, this will add detections for:

> github/codeql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
> github/codeql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
> github/codeql/javascript/ql/src/Security/CWE-117/LogInjection.ql
> github/codeql/javascript/ql/src/Security/CWE-384/SessionFixation.ql
> github/codeql/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
> github/codeql/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
> github/codeql/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
> github/codeql/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql
> github/codeql/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
> github/codeql/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
> github/codeql/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
> github/codeql/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
> github/codeql/javascript/ql/src/Security/CWE-094/UnsafeCodeConstruction.ql
> github/codeql/javascript/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
> github/codeql/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.ql
> github/codeql/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
> github/codeql/javascript/ql/src/Security/CWE-862/EmptyPasswordInConfigurationFile.ql
> github/codeql/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
> github/codeql/javascript/ql/src/Security/CWE-367/FileSystemRace.ql

The query logic can be found here: https://github.com/github/codeql/tree/codeql-cli/v2.15.2/javascript/ql/src/Security

@mdtro mdtro force-pushed the mdtro/codeql-extended branch from b6a571e to 04a41ee Compare November 14, 2023 17:19
@mdtro mdtro enabled auto-merge November 14, 2023 17:21
@mdtro mdtro merged commit ad4f2d1 into develop Nov 14, 2023
@mdtro mdtro deleted the mdtro/codeql-extended branch November 14, 2023 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oioki oioki oioki approved these changes

@Lms24 Lms24 Lms24 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mdtro @oioki @Lms24