Overview
51 Pull requests merged by 26 people
-
Data flow: Speedup `subpaths` predicate
#9017 merged
May 4, 2022 -
JS: track flow through string replace calls that just replace single chars for js/polynomial-redos
#6736 merged
May 4, 2022 -
JS: fix bad join in js/unreachable-method-overloads
#8549 merged
May 4, 2022 -
JS: cache RegExpCreationNode::getAReference
#8147 merged
May 4, 2022 -
Ruby: fix some flow summary join orders
#8975 merged
May 4, 2022 -
Swift: set @github/codeql-c as owner
#9029 merged
May 4, 2022 -
Java: CWE-552 Add sources and sinks to detect unsafe getResource calls in Java EE applications
#8706 merged
May 4, 2022 -
C++: Support libxml2 in the XXE query
#9018 merged
May 3, 2022 -
Java: Add CWE-377 tag to java/predictable-seed
#9020 merged
May 3, 2022 -
Java: Make more ExternalFlow imports private
#9013 merged
May 3, 2022 -
Java: Add Editable.toString flow step
#8872 merged
May 3, 2022 -
Python: Flask: Improve `request.files` modeling
#9001 merged
May 3, 2022 -
Fix syntax errors in QL comments
#8952 merged
May 3, 2022 -
C++: Remove import order workarounds
#8943 merged
May 3, 2022 -
Fix broken link in analyzing-databases-with-the-codeql-cli.rst
#8860 merged
May 3, 2022 -
C++: Add support for SAXParser to the CWE-611 XXE query.
#8948 merged
May 3, 2022 -
JS/RB: have `ApiGraphModelsSpecific.qll` mention all the required predicates
#8989 merged
May 3, 2022 -
Update CSV framework coverage reports
#9010 merged
May 3, 2022 -
Java: Add additional `File` taint value flow models
#8884 merged
May 2, 2022 -
Python: Don't re-export `python` under `DataFlow::`
#8732 merged
May 2, 2022 -
Python: Add support for global attribute writes
#8890 merged
May 2, 2022 -
C#: Add FP test for `cs/useless-cast-to-self`
#8955 merged
May 2, 2022 -
Java: Add `MyBatis`' `Providers` sinks
#8345 merged
May 2, 2022 -
Use codeql-action/upload-sarif@main in CSV coverage metrics workflow
#8957 merged
Apr 29, 2022 -
CPP: PAM Authorization Bypass
#8775 merged
Apr 29, 2022 -
Swift: teach bazel to install python dependencies
#8959 merged
Apr 29, 2022 -
Swift: cc wrapper rules
#8960 merged
Apr 29, 2022 -
Python: Fix bad join in `import_star_read`
#8581 merged
Apr 29, 2022 -
JS: Nit: Fix typo in QLDoc
#8949 merged
Apr 29, 2022 -
JS: recognize more module exports from the factory pattern
#8221 merged
Apr 29, 2022 -
JS: fix a FN for prototype polluting function query
#8946 merged
Apr 29, 2022 -
JS: don't initialize sanitizer-guards in the standard library
#8783 merged
Apr 29, 2022 -
Update CSV framework coverage reports
#8954 merged
Apr 29, 2022 -
Swift: tracer integration
#8939 merged
Apr 28, 2022 -
Ruby: Add type tracker tests for flow through keyword/positional parameters
#8935 merged
Apr 28, 2022 -
Swift: use `#pragma once`
#8947 merged
Apr 28, 2022 -
Swift: added trapgen
#8934 merged
Apr 28, 2022 -
Release preparation for version 2.9.1
#8941 merged
Apr 28, 2022 -
Java: Fix join-order.
#8878 merged
Apr 28, 2022 -
Ruby: Generalize `ArrayElementContent` to `ElementContent`
#7914 merged
Apr 28, 2022 -
C#: Add auto generated comment to generated models as data files.
#8905 merged
Apr 28, 2022 -
C#: Port the java FrameworkCoverage query.
#8869 merged
Apr 28, 2022 -
QL: Improve camel case query
#8936 merged
Apr 28, 2022 -
Python: Fix bad join in `MethodCallsiteRefinement`
#8897 merged
Apr 28, 2022 -
Java: Improve Spring models
#8639 merged
Apr 28, 2022 -
Bump actions/setup-python from 2 to 3
#8921 merged
Apr 28, 2022 -
Bump actions/download-artifact from 2 to 3
#8922 merged
Apr 28, 2022 -
C++: Revert #8515
#8933 merged
Apr 28, 2022 -
Bump actions/setup-dotnet from 1 to 2
#8920 merged
Apr 28, 2022 -
JS: Add flow step to `...rest` parameters
#8886 merged
Apr 28, 2022 -
Update CSV framework coverage reports
#8913 merged
Apr 28, 2022
25 Pull requests opened by 16 people
-
QL language reference: variables must be lowerId
#8930 opened
Apr 28, 2022 -
QL: more precise alert locations
#8937 opened
Apr 28, 2022 -
Ruby: Introduce `With(out)Element` MaD input tokens
#8938 opened
Apr 28, 2022 -
Ruby: Initial data-flow through hashes
#8942 opened
Apr 28, 2022 -
Add examples to copy from (experimental contributions)
#8951 opened
Apr 28, 2022 -
Java: Fix Intent Redirection sanitizer
#8956 opened
Apr 29, 2022 -
Ruby: add safe navigation operator
#8971 opened
Apr 29, 2022 -
JS: Selection API DOM text source
#8990 opened
Apr 30, 2022 -
C++: Update stats file
#8993 opened
May 1, 2022 -
C/C++ : Wrong Uint access
#8994 opened
May 1, 2022 -
Java: Add OkHttp and Retrofit models
#9002 opened
May 2, 2022 -
C#: Dataflow callable refactoring.
#9014 opened
May 3, 2022 -
Swift: enable dynamic mode
#9015 opened
May 3, 2022 -
C++: More XXE Tests
#9019 opened
May 3, 2022 -
JS: promote `js/actions/injection` out of experimental
#9021 opened
May 3, 2022 -
Ruby: Fix `isLocalSourceNode` implementation
#9022 opened
May 3, 2022 -
Python: Clarify `getArg` is about positional arguments
#9023 opened
May 3, 2022 -
Data flow: Introduce `ContentDataFlow.qll`
#9024 opened
May 3, 2022 -
C#: Introduce provenance column in CSV format for Models as data summ…
#9025 opened
May 3, 2022 -
Swift: add `trapgen` unit tests
#9028 opened
May 3, 2022 -
Ruby: Model various bits of ActiveSupport
#9030 opened
May 4, 2022 -
JS: exclude ATM folder from labeler
#9033 opened
May 4, 2022 -
Swift: add structured C++ generated classes
#9034 opened
May 4, 2022 -
C++: Phi instruction toString based on memory locs
#9035 opened
May 4, 2022 -
Java: CWE-321 Query to detect hardcoded JWT secret keys
#9036 opened
May 4, 2022
4 Issues closed by 2 people
-
Failed to Generate Test Queries
#8795 closed
May 3, 2022 -
Add support for jdk18
#8673 closed
May 3, 2022 -
[INVALID_RESULT_PATTERNS] for loop elements
#8988 closed
May 2, 2022 -
No alerts generated
#8940 closed
Apr 29, 2022
10 Issues opened by 9 people
-
Codeql database analyze on CLI is stuck
#9037 opened
May 4, 2022 -
How to describe "The class name of source, node, and sink is the same"?
#9032 opened
May 4, 2022 -
Codeql failed to create the database. I tried it on Linux and windows. It's the same error
#9031 opened
May 4, 2022 -
False positive in `go/log-injection`
#9016 opened
May 3, 2022 -
CatastrophicError does not include context information
#9000 opened
May 1, 2022 -
new M1
#8992 opened
May 1, 2022 -
False Positive - Mismatch in multiple assignment
#8991 opened
May 1, 2022 -
LGTM.com - Missing Vulnerability Path Steps in LGTM render
#8976 opened
Apr 29, 2022 -
`ql/dead-code` False Positive
#8953 opened
Apr 28, 2022
44 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
ReDoS refactorizations
#8522 commented on
May 4, 2022 • 146 new comments -
Java: Add query for Improper Verification of Intent by Broadcast Receiver (CWE-925)
#8669 commented on
May 3, 2022 • 23 new comments -
Java: Add ReDoS queries
#7723 commented on
May 4, 2022 • 20 new comments -
Python: add MaD implementation
#8883 commented on
May 4, 2022 • 18 new comments -
C++: Fix IR variable reuse for global var inits
#8912 commented on
May 3, 2022 • 14 new comments -
Python dataflow: flow summaries restart
#8781 commented on
May 4, 2022 • 12 new comments -
Java: Improvements to UnsafeAndroidAccess
#8537 commented on
May 4, 2022 • 7 new comments -
C#: Dotnet Runtime models.
#8600 commented on
May 4, 2022 • 6 new comments -
Add auto-remediation to InsecureDependencyResolution.qhelp
#8790 commented on
Apr 28, 2022 • 6 new comments -
Ruby: Add partial support for working with RBI (Ruby Interface) files
#8845 commented on
May 4, 2022 • 6 new comments -
QL: add unused-field query
#7763 commented on
Apr 29, 2022 • 4 new comments -
Data flow: Introduce `expectsContent`
#8870 commented on
May 4, 2022 • 4 new comments -
Spawned process exited abnormally
#7711 commented on
May 3, 2022 • 3 new comments -
JS: refactor most library models away from AST nodes
#8604 commented on
May 2, 2022 • 3 new comments -
cs/useless-cast-to-self - false positive
#8627 commented on
May 2, 2022 • 2 new comments -
CPP: Add query for CWE-476: NULL Pointer Dereference when using exception handling blocks
#8245 commented on
May 4, 2022 • 2 new comments -
Java: Add `StmtExpr`
#8571 commented on
May 2, 2022 • 2 new comments -
False Negatives - Prototype Pollution
#8846 commented on
Apr 28, 2022 • 1 new comment -
False Negative with https://github.com/robmoffat/codeql-vuln-blog
#8880 commented on
Apr 28, 2022 • 1 new comment -
PHPStorm extension
#4168 commented on
May 1, 2022 • 1 new comment -
Ruby: Add 'Print CFG' query
#7820 commented on
May 3, 2022 • 1 new comment -
Use flow to collection `Element` in MaD generator
#8877 commented on
May 3, 2022 • 1 new comment -
Tree sitter update
#8909 commented on
May 3, 2022 • 1 new comment -
Java: CWE-378: Temp Directory Hijacking Race Condition Vulnerability
#4473 commented on
May 3, 2022 • 0 new comments -
QL: Add query detecting suspiciously missing parameters from the QLDoc of a predicate
#7450 commented on
May 4, 2022 • 0 new comments -
JS: add query for detecting insecure temporary files
#7626 commented on
Apr 29, 2022 • 0 new comments -
JS: Add StoredXss and XssThroughDom to ATM QL extraction code
#8557 commented on
Apr 28, 2022 • 0 new comments -
ATM: Refactors EndpointFeatures.qll and add two new features
#8586 commented on
Apr 29, 2022 • 0 new comments -
C++: IR data flow through global variables
#8596 commented on
Apr 29, 2022 • 0 new comments -
Python: Promote XXE and XML-bomb queries
#8634 commented on
May 2, 2022 • 0 new comments -
Ruby: Model IO.popen
#8635 commented on
May 2, 2022 • 0 new comments -
C++: add range analysis diff test
#8665 commented on
May 4, 2022 • 0 new comments -
C#: Field-sensitive flow summary generation
#8667 commented on
May 3, 2022 • 0 new comments -
Python: Improve experimental modeling for `pymongo`
#8696 commented on
May 2, 2022 • 0 new comments -
C++: Precise flow through dereferences in IR dataflow
#8715 commented on
Apr 28, 2022 • 0 new comments -
JS: promote the `js/missing-origin-verification` query
#8724 commented on
May 3, 2022 • 0 new comments -
JS: ATM: New features for imports and for function parameters related to an endpoint
#8740 commented on
May 3, 2022 • 0 new comments -
ML: extract Unknown endpoints in training data
#8752 commented on
Apr 29, 2022 • 0 new comments -
C#: Only allow two read and two store steps in model capturing.
#8855 commented on
May 4, 2022 • 0 new comments -
C#: Include models for higher order methods (needed for DCA test).
#8856 commented on
May 3, 2022 • 0 new comments -
Java: Add flow step from startActivity to getIntent
#8873 commented on
May 3, 2022 • 0 new comments -
QL: point the dataset measure workflow to a merge_stats.py file that exists
#8891 commented on
Apr 29, 2022 • 0 new comments -
C#: Upgrade dotnet to 6.0.202.
#8894 commented on
May 4, 2022 • 0 new comments -
Data flow: Introduce 'with/without content' summary components
#8898 commented on
Apr 29, 2022 • 0 new comments