The Wayback Machine - http://web.archive.org/web/20251227092312/https://github.com/github/codeql/pull/3992
github / codeql (Public)
Draft: rvermeulen wants to merge 6 commits into github:main from rvermeulen:java-importable-cwe-798
Conversation (10) · Commits (6) · Checks (0) · Files changed

Conversation
rvermeulen (Contributor):

This PR needs some scrutinizing.

In this change we:
● Move the module HardcodedCredentials to an importable location
● Rename the module SensitiveApi to CredentialReceivingApi and move it to an importable location
● Extend the CredentialSink from DataFlow::Expr instead of Expr
● Generalize UsernameVariable and PasswordVariable
rvermeulen added 4 commits July 30, 2020 13:06

Move HardcodedCredentials and SensitiveApi libs … 431e231
    The SensitiveApi library is renamed to CredentialReceivingApi to specify
    its usage, because without context sensitive api is too general.

Extend credential sink from data flow expr d1b383e

Add top-level qldoc describing the modules 6be583e

Generalize the UsernameVariable and PasswordVariable … 2c76c01
    This enables customizations to extend the notion of a username or
    password variable.

rvermeulen requested a review from a team as a code owner July 30, 2020 11:11

Change predicate qldocs style 2a1f73c
intrigus-lgtm reviewed Jul 31, 2020

View reviewed changes:
java/ql/src/semmle/code/java/security/CredentialReceivingApi.qll (outdated; comment not loaded in this capture)
java/ql/src/semmle/code/java/security/HardcodedCredentials.qll (outdated; four comments, none loaded in this capture)
Fix punctuation and typo … d52c070
    Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
aschackmull reviewed Aug 6, 2020

View reviewed changes: java/ql/src/semmle/code/java/security/HardcodedCredentials.qll
*/
abstract class CredentialsSink extends Expr {
/** An argument to a sensitive call, expected to contain credentials. */
abstract class CredentialsSink extends DataFlow:: Expr {
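Review bot: the supertype change in `abstract class CredentialsSink extends DataFlow:: Expr {` should be reverted to `extends Expr`. `DataFlow` does not deliberately export an `Expr` type; the name only resolves because of the `import java` statements inside that module, so the class still ranges over the same Java AST expressions as before while now depending on an accidental re-export that can disappear without notice. The reflow of the qldoc into the single line `/** An argument to a sensitive call, expected to contain credentials. */` is fine and can stay.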
Contributor:

Suggested change:
abstract class CredentialsSink extends DataFlow :: Expr {
abstract class CredentialsSink extends Expr {
The type Expr is not intentionally exposed through the DataFlow module (though with all the import java statements it's no surprise that it slipped in).
Contributor:

What is the use case for this PR? Which of the queries need support for extension and in which ways? And which parts of the moved library are expected to be re-usable in other contexts outside the CWE-798 queries?

Without reasonable use cases, I think we should leave the library where it is.
rvermeulen (Contributor, Author):

For this case there is no immediate use case. I'm making all possible extension points (e.g. sources, sinks, ...) in the Security/CWE/* available to customization via Customizations.qll to prevent query duplication if we need to extend a CWE query. This should help if there are cases where closed source CredentialSink instances need to be modeled, for example.
Contributor:

> I'm making all possible extension points

In general, queries have an infinite number of possible extension points, although I agree that for most cases it comes down to source and sink extensions.

The way these queries are made means that there's an implicit assumption that CredentialsSink consists of just two cases: sinks defined in the source (CredentialsSourceSink) and sinks defined outside the source (CredentialsApiSink). So CredentialsSink shouldn't really be exposed as an abstract class, as this suggests an extension point, which would invalidate this assumption. If a closed-source credential sink needs to be added, then it is the CredentialsApiSink that should be extended.
rvermeulen (Contributor, Author):

> > I'm making all possible extension points
>
> In general, queries have an infinite number of possible extension points, although I agree that for most cases it comes down to source and sink extensions.

True, I indeed mean the more common cases.

> The way these queries are made means that there's an implicit assumption that CredentialsSink consists of just two cases: sinks defined in the source (CredentialsSourceSink) and sinks defined outside the source (CredentialsApiSink). So CredentialsSink shouldn't really be exposed as an abstract class, as this suggests an extension point, which would invalidate this assumption. If a closed-source credential sink needs to be added, then it is the CredentialsApiSink that should be extended.

Clear, I agree that CredentialsApiSink should be the only exposed point of extension. Given how it is now structured I need to give this some more thought, since both the abstract CredentialsSink and its subclasses are directly referenced.
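The extension-point design argued for in the exchange above, as an added QL sketch. This is not code from github/codeql or from this PR, and it is not the shape of the real HardcodedCredentials or CredentialReceivingApi libraries: the class names CredentialsSink, CredentialsSourceSink and CredentialsApiSink are taken from the discussion, but their definitions here are invented, as are CredentialReceivingCallable, credentialArg, PasswordAuthenticationCtor, AcmeVaultLogin and the com.acme.vault.VaultClient.login API. The sketch assumes that the API case is populated from an abstract callable model; that model, not the sink class, is what a Customizations.qll subclasses.

```ql
/*
 * Added illustration (hypothetical; not github/codeql code). It shows why a
 * concrete CredentialsSink with exactly two cases, plus one abstract API model
 * as the sole extension point, keeps the "two cases" assumption intact while
 * still letting a closed-source API be modelled.
 */

import java
import semmle.code.java.dataflow.DataFlow

/**
 * Hypothetical extension point: a callable whose parameter `credentialArg()`
 * receives a credential. This is the one class a customization subclasses.
 */
abstract class CredentialReceivingCallable extends Callable {
  /** Gets the zero-based index of the parameter that receives the credential. */
  abstract int credentialArg();
}

/** Hypothetical built-in model: `new java.net.PasswordAuthentication(user, password)`. */
class PasswordAuthenticationCtor extends CredentialReceivingCallable {
  PasswordAuthenticationCtor() {
    this instanceof Constructor and
    this.getDeclaringType().hasQualifiedName("java.net", "PasswordAuthentication")
  }

  override int credentialArg() { result = 1 }
}

/**
 * Hypothetical customization for a closed-source API (invented vendor class):
 * a new subclass of the abstract model. This grows CredentialsApiSink, and so
 * CredentialsSink, without touching either of them.
 */
class AcmeVaultLogin extends CredentialReceivingCallable {
  AcmeVaultLogin() {
    this.getDeclaringType().hasQualifiedName("com.acme.vault", "VaultClient") and
    this.hasName("login")
  }

  override int credentialArg() { result = 1 }
}

/** Sinks defined outside the source: arguments passed to a modelled callable. */
class CredentialsApiSink extends Expr {
  CredentialsApiSink() {
    exists(Call c, CredentialReceivingCallable m |
      c.getCallee() = m and this = c.getArgument(m.credentialArg())
    )
  }
}

/**
 * Hypothetical in-source sink: an argument bound to a parameter of a callable
 * in the analysed program whose name mentions a password.
 */
class CredentialsSourceSink extends Expr {
  CredentialsSourceSink() {
    exists(Call c, int i |
      this = c.getArgument(i) and
      c.getCallee().fromSource() and
      c.getCallee().getParameter(i).getName().toLowerCase().matches("%password%")
    )
  }
}

/**
 * The complete sink set, deliberately concrete rather than abstract: the union
 * of the two cases and nothing else. A subclass of a concrete QL class only
 * narrows it (its characteristic predicate is conjoined with the parent's), it
 * can never add members, so neither this class nor CredentialsApiSink is an
 * extension point. `Expr` is the Java AST class from `import java`;
 * `DataFlow::Expr` is not a deliberately exported name and is not used.
 */
class CredentialsSink extends Expr {
  CredentialsSink() {
    this instanceof CredentialsSourceSink or this instanceof CredentialsApiSink
  }
}

// Raw-result query: non-empty string constants that reach a sink by local data flow.
from CompileTimeConstantExpr secret, CredentialsSink sink
where secret.getStringValue().length() > 0 and DataFlow::localExprFlow(secret, sink)
select sink, "Hard-coded credential passed to " + sink.getEnclosingCallable().getName()
```

Run as a query against a Java database to see the effect of the customization: adding the `AcmeVaultLogin` subclass produces new results for `VaultClient.login(...)` call sites, while a hypothetical `class AcmeLoginSink extends CredentialsApiSink { AcmeLoginSink() { ... } }` would add none, because a subclass of a concrete class can only filter the members its parent already has.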
rvermeulen marked this pull request as draft August 6, 2020 12:17

adityasharad changed the base branch from master to main August 14, 2020 18:33
Reviewers: aschackmull (left review comments); Copilot (awaiting requested review; Copilot will automatically review once the pull request is marked ready for review)