Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java: Deprecate experimental queries. #18299

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Java: Deprecate experimental queries. #18299

wants to merge 5 commits into from

Conversation

michaelnebel
Copy link
Contributor

@michaelnebel michaelnebel commented Dec 16, 2024
edited
Loading

In this PR we deprecate all the Java experimental queries as they have been moved to the Code QL Community packs repo: https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/

DCA looks good.

@github-actions github-actions bot added the Java label Dec 16, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 16, 2024
View reviewed changes
java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql Fixed Show fixed Hide fixed
java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql Dismissed Show dismissed Hide dismissed
@michaelnebel michaelnebel force-pushed the java/deprecateexperimental branch 2 times, most recently from fe1a2a1 to 3fa6d32 Compare December 17, 2024 08:16
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 17, 2024
View reviewed changes
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
sink0 = sink and
message1 =
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
message2 = sourceCmd.toString() and

Check warning

Code scanning / CodeQL

Using 'toString' in query logic Warning

Query logic depends on implementation of 'toString'.
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
message2 = sourceCmd.toString() and
sourceNode = source.getNode() and
message3 = source.toString()

Check warning

Code scanning / CodeQL

Using 'toString' in query logic Warning

Query logic depends on implementation of 'toString'.
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
sink0 = sink and
message1 =
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
message2 = sourceCmd.toString() and

Check warning

Code scanning / CodeQL

Using 'toString' in query logic Warning

Query logic depends on implementation of 'toString'.
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
message2 = sourceCmd.toString() and
sourceNode = source.getNode() and
message3 = source.toString()

Check warning

Code scanning / CodeQL

Using 'toString' in query logic Warning

Query logic depends on implementation of 'toString'.
@michaelnebel michaelnebel force-pushed the java/deprecateexperimental branch from 3fa6d32 to a861f2f Compare December 17, 2024 09:46
@michaelnebel michaelnebel force-pushed the java/deprecateexperimental branch from a861f2f to de27511 Compare December 17, 2024 10:47
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 17, 2024
View reviewed changes
java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
import semmle.code.xml.MyBatisMapperXML
deprecated import MyBatisCommonLib
deprecated import MyBatisMapperXmlSqlInjectionLib
deprecated import semmle.code.xml.MyBatisMapperXML

Check warning

Code scanning / CodeQL

Redundant import Warning

Redundant import, the module is already imported inside
MyBatisCommonLib
Loading
.
Redundant import, the module is already imported inside
MyBatisMapperXmlSqlInjectionLib
Loading
.
@michaelnebel michaelnebel marked this pull request as ready for review December 18, 2024 10:39
@michaelnebel michaelnebel requested a review from a team as a code owner December 18, 2024 10:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@michaelnebel