Overview
37 Pull requests merged by 18 people
-
Python: Support `flask.blueprints.Blueprint`
#6991 merged
Oct 29, 2021 -
Python: Model `asyncpg`
#6776 merged
Oct 29, 2021 -
Dataflow: Refactor public references to DataFlowCallable
#7000 merged
Oct 29, 2021 -
Fix LGTM version number in language reference
#6965 merged
Oct 29, 2021 -
JS: Move cookie queries out of experimental.
#6855 merged
Oct 29, 2021 -
C++: Fix the two null termination queries and re-enable them.
#6915 merged
Oct 29, 2021 -
Docs: Fix one-word typo
#6856 merged
Oct 28, 2021 -
Java: instanceof pattern matching is no longer a preview feature
#6992 merged
Oct 28, 2021 -
Python: Small fixup for `flask.send_from_directory`
#6989 merged
Oct 28, 2021 -
Ruby: clean up docs
#6987 merged
Oct 28, 2021 -
C++: Remove old and unused qhelp files
#6980 merged
Oct 28, 2021 -
Python : Add Flask sinks for path injection query
#6330 merged
Oct 28, 2021 -
Python: Model `ruamel.yaml` PyPI package
#6967 merged
Oct 28, 2021 -
Update CSV framework coverage reports
#6983 merged
Oct 28, 2021 -
Ruby: also revert Cargo.lock
#6982 merged
Oct 27, 2021 -
Ruby: update lgtm.com query console links
#6981 merged
Oct 27, 2021 -
Ruby: revert crate updates
#6979 merged
Oct 27, 2021 -
Ruby: update Cargo.lock
#6974 merged
Oct 27, 2021 -
Java: Simple support for Ratpack HTTP Framework
#4991 merged
Oct 27, 2021 -
Java: Promote android sensitive broadcast query
#6599 merged
Oct 26, 2021 -
JS: Avoid using non-existent attribute as parent
#6962 merged
Oct 26, 2021 -
Fix version number in language reference
#6939 merged
Oct 26, 2021 -
use set literal instead of big disjunction of literals
#6960 merged
Oct 26, 2021 -
JS: skip pipes and other special files when determining which files to extract
#6857 merged
Oct 26, 2021 -
C#: Fix join order in `inDefDominanceFrontier`
#6961 merged
Oct 26, 2021 -
Add Ruby to generate-code-scanning-query-list.py and make the script faster
#6952 merged
Oct 26, 2021 -
Java: Make a test output a bit more readable
#6959 merged
Oct 26, 2021 -
JS: [Internal only] Rename ATM query pack for consistency with other packs
#6958 merged
Oct 25, 2021 -
Automatically label Ruby PRs
#6954 merged
Oct 25, 2021 -
Python: Add missing `pragma[noinline]`
#6941 merged
Oct 25, 2021 -
JS: Skip files with unsupported file encoding
#6924 merged
Oct 25, 2021 -
Ruby: remove VS Code workspace
#6951 merged
Oct 25, 2021 -
Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/extractor
#6944 merged
Oct 25, 2021 -
Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/generator
#6943 merged
Oct 25, 2021 -
Update CSV framework coverage reports
#6938 merged
Oct 25, 2021 -
Java: Replace @type with more specific types
#6921 merged
Oct 25, 2021 -
Merge codeql-ruby into codeql
#6942 merged
Oct 25, 2021
25 Pull requests opened by 16 people
-
CPP: Add query for CWE-377 Insecure Temporary File
#6947 opened
Oct 25, 2021 -
CPP: Add query for CWE-243 Creation of chroot Jail Without Changing Working Directory
#6948 opened
Oct 25, 2021 -
CPP: Add query for CWE-266 Incorrect Privilege Assignment
#6949 opened
Oct 25, 2021 -
CPP: Add query for CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
#6950 opened
Oct 25, 2021 -
RC 3.3: merge codeql-ruby repository into github/codeql
#6955 opened
Oct 25, 2021 -
Android: Add the Intent parameter of the `onActivityResult` method as a source
#6963 opened
Oct 26, 2021 -
Android: Add ExplicitIntentSanitizer and allowIntentExtrasImplicitRead
#6966 opened
Oct 26, 2021 -
Python: Promote ReDoS queries
#6972 opened
Oct 27, 2021 -
Java: CWE-266 - Query to detect Intent URI Permission Manipulation in Android applications
#6975 opened
Oct 27, 2021 -
Ruby: add regex injection query
#6978 opened
Oct 27, 2021 -
Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/extractor
#6985 opened
Oct 28, 2021 -
Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/generator
#6986 opened
Oct 28, 2021 -
Java: Expand `org.apache.commons.codec` model
#6988 opened
Oct 28, 2021 -
JS: Recognize regexp-based '..' check in tainted path
#6993 opened
Oct 28, 2021 -
remove redundant inline casts
#6994 opened
Oct 28, 2021 -
Rewrite qhelp-pr-preview.yml
#6995 opened
Oct 28, 2021 -
Java: Add FieldValueNode to break up cartesian step relation.
#7002 opened
Oct 29, 2021 -
JS: Fix FP in mixed-this static access
#7003 opened
Oct 29, 2021 -
Java: Deprecate `StringLiteral.getRepresentedString()`
#7004 opened
Oct 29, 2021 -
Java: Ratpack HTTP Framework Additional Modeling
#7007 opened
Oct 29, 2021 -
Java: Model java.util.Optional lambda methods
#7008 opened
Oct 29, 2021 -
Python : Add sanitizers for Path Injection Query
#7009 opened
Oct 29, 2021 -
JS: make array taint-step better
#7010 opened
Oct 31, 2021 -
Dbartol/rc/merge
#7011 opened
Oct 31, 2021 -
Fixed a typo. ( Minor PR)
#7012 opened
Oct 31, 2021
9 Issues closed by 8 people
-
No source code was seen during the build.
#6996 closed
Oct 28, 2021 -
Some .qhelp files appear to be unused
#5274 closed
Oct 28, 2021 -
General issue - Maximum call stack size exceeded
#6190 closed
Oct 26, 2021 -
the tracing always stops early
#5906 closed
Oct 26, 2021 -
LGTM.com - false positive - Python import confusing two modules with the same name
#5912 closed
Oct 26, 2021 -
Does CodeQL support dotNet 5.0?
#6957 closed
Oct 26, 2021 -
How to compile this repository?
#6391 closed
Oct 26, 2021 -
Error when trying to analyze Go db
#6956 closed
Oct 25, 2021 -
LGTM.com - false positive
#6940 closed
Oct 25, 2021
6 Issues opened by 6 people
-
CodeQL Language Feature: Trailing comma at end of List
#7006 opened
Oct 29, 2021 -
Ruby parse error on valid Ruby code
#7005 opened
Oct 29, 2021 -
Incorrect message when using `\G` in CodeQL beta support for Ruby
#7001 opened
Oct 29, 2021 -
False Positive in Javascript ZipSlip
#6990 opened
Oct 28, 2021 -
Horrible performance of Python PrintAst query on large databases
#6964 opened
Oct 26, 2021 -
LGTM.com - false positive - Unnecessary deletion of local variable
#6953 opened
Oct 25, 2021
41 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
C++: Redesign IR dataflow using the shared SSA library
#6825 commented on
Oct 30, 2021 • 45 new comments -
Python: Add JWT security-related queries
#5588 commented on
Oct 28, 2021 • 30 new comments -
Java: Initial CSV model generator
#6664 commented on
Oct 29, 2021 • 28 new comments -
[Javascript] CWE-348: Client supplied ip used in security check
#6864 commented on
Oct 29, 2021 • 13 new comments -
Java: CWE-347 Query for detecting Signature Exclusion Attack with SAML assertion
#6935 commented on
Oct 29, 2021 • 12 new comments -
Python: Model FastAPI
#6782 commented on
Oct 29, 2021 • 6 new comments -
JS/Py/Ruby: add a bad-tag-filter query
#6561 commented on
Oct 27, 2021 • 4 new comments -
JS: Move LDAP injection out of experimental
#6781 commented on
Oct 27, 2021 • 4 new comments -
JS: Add library input as source to js/prototype-polluting-assignment
#5908 commented on
Oct 28, 2021 • 2 new comments -
Python: Port and extend XXE modeling
#6112 commented on
Oct 28, 2021 • 2 new comments -
Java: Add `CharacterLiteral.getCodePointValue()`
#6614 commented on
Oct 29, 2021 • 2 new comments -
Yet another SSRF query for Javascript
#6714 commented on
Oct 29, 2021 • 2 new comments -
C# : Add query to detect SSRF
#5110 commented on
Oct 29, 2021 • 1 new comment -
JS: Add query for unsafe construction of code from library input
#5841 commented on
Oct 28, 2021 • 1 new comment -
JS: extract regexp literals for string concatenations
#6756 commented on
Oct 28, 2021 • 1 new comment -
JS: add explicit this to all member calls
#6873 commented on
Oct 27, 2021 • 1 new comment -
JS: add pragma[noinline] to predicates where the qldoc mentions join-order
#6881 commented on
Oct 27, 2021 • 1 new comment -
LGTM.com - false positive
#5872 commented on
Oct 26, 2021 • 0 new comments -
[Python] LGTM.com - false positive
#5777 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive - unused import in Python
#5546 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive - TypedDict is not callable
#5470 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive with torch.nn.Sequential
#5789 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive
#5787 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive
#5813 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive
#5910 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - Python: Call to a non-callable of class - false positive
#6226 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - Python: An assert statement has a side-effect - false positive
#6243 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive: null-check in LINQ Query Syntax causes inference of possible null value
#6512 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive - float is numbers.Number
#6519 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive - unnecessary null check C#
#6554 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive - @classmethod not seen
#6527 commented on
Oct 26, 2021 • 0 new comments -
Java: `PrimitiveType.getADefaultValue()` is misleading and might not work correctly
#6615 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive (captured variable)
#6457 commented on
Oct 26, 2021 • 0 new comments -
LGTM.com - false positive - Use of the return value of a procedure
#6827 commented on
Oct 26, 2021 • 0 new comments -
Java:ecj is disabled for create a java database
#6933 commented on
Oct 28, 2021 • 0 new comments -
LGTM.com - false positive - typescript access to static methods
#6853 commented on
Oct 29, 2021 • 0 new comments -
Java : Add SSTI query
#5935 commented on
Oct 29, 2021 • 0 new comments -
Python: Add cookie security-related queries
#6360 commented on
Oct 28, 2021 • 0 new comments -
Python: Type tracker changes
#6858 commented on
Oct 31, 2021 • 0 new comments -
Dataflow: Add support for call context restrictions on sources/sinks.
#6932 commented on
Oct 27, 2021 • 0 new comments -
Use the new instanceof syntax everywhere
#6934 commented on
Oct 29, 2021 • 0 new comments