Insights: github/codeql

58 Pull requests merged by 24 people

• Release preparation for version 2.12.4

  #12386 merged Mar 3, 2023

• Swift: Fill some gaps in arithmetic / bitwise operations modelling

  #12368 merged Mar 3, 2023

• Swift: Update swift/string-length-conflation to taint tracking

  #12307 merged Mar 3, 2023

• Java TSP: test changes re: formatting improvements

  #12384 merged Mar 3, 2023

• C++: Properly deprecate `hasQualifiedName` by using the `deprecated` keyword

  #12387 merged Mar 3, 2023

• Swift: extract lazy declarations

  #12335 merged Mar 3, 2023

• ActionController: Prevent bad join

  #12360 merged Mar 3, 2023

• Revert "C#: Tool status page support"

  #12379 merged Mar 3, 2023

• JS: add the html argument to the jQuery functions as an XSS sink

  #12377 merged Mar 3, 2023

• C++: Silence some more bogus consistency errors in syntax zoo

  #12381 merged Mar 3, 2023

• ATM: Update model pack to version 0.3.1-2023-03-01-12h42m43s.strong-turtle-1xp3dqvv.ecb17d40286d14132b481c065a43459a7f0ba9059015b7a49c909c9f9ce5fec5

  #12374 merged Mar 3, 2023

• C++: Include "phi reads" in `DataFlow::Node`

  #12356 merged Mar 3, 2023

• C++: Silence a number of bogus consistency errors in syntax zoo

  #12378 merged Mar 3, 2023

• CPP: Add query for CWE-369: Divide By Zero.

  #10431 merged Mar 3, 2023

• Swift: turn on QLdoc check

  #12373 merged Mar 3, 2023

• Swift: Additional NSString taint test cases

  #12367 merged Mar 2, 2023

• Swift: Split the taint flow test.

  #12355 merged Mar 2, 2023

• C#: Tool status page support

  #12217 merged Mar 2, 2023

• C++: Disable a bad standard order

  #12350 merged Mar 2, 2023

• Ruby: improve diagnostic messages

  #12216 merged Mar 2, 2023

• Update CSV framework coverage reports

  #12357 merged Mar 2, 2023

• Python: Document `API::CallNode`

  #12320 merged Mar 1, 2023

• Swift: Taint models for NSString

  #12225 merged Mar 1, 2023

• Java: Update MaD sink decls after triage

  #12228 merged Mar 1, 2023

• Swift: move decision making out of dispatcher. NFC

  #12348 merged Mar 1, 2023

• Swift: move location extraction logic into a separate class. NFC

  #12347 merged Mar 1, 2023

• C# 11: Support for explicit interface implementations of operators.

  #12322 merged Mar 1, 2023

• ReflectedXss: Prevent bad join order

  #12333 merged Mar 1, 2023

• C++: Speedup `cpp/command-line-injection`

  #12338 merged Mar 1, 2023

• Swift: extract mangler into a separate class. NFC

  #12337 merged Mar 1, 2023

• Ruby: flow steps for ActionController filters

  #12051 merged Mar 1, 2023

• C# 11: Support for `file` scoped types.

  #12234 merged Mar 1, 2023

• Swift: Model assignment operators (+= etc)

  #12308 merged Mar 1, 2023

• Mergeback: codeql-cli-2.12.3 into main

  #12342 merged Feb 28, 2023

• C++: Remove dead code

  #12340 merged Feb 28, 2023

• JS: Actually extract `.html.erb` files.

  #12190 merged Feb 28, 2023

• CodeQL extension for VS Code docs update

  #12321 merged Feb 28, 2023

• C++: Add tests for all dataflow examples that occur in our docs

  #12336 merged Feb 28, 2023

• C++: Remove indirect -> direct taint-flow

  #12316 merged Feb 28, 2023

• C#: Update query to handle static field writes from properties.

  #12334 merged Feb 28, 2023

• Swift: Modernize the cleartext-* queries

  #12329 merged Feb 28, 2023

• Update CSV framework coverage reports

  #12330 merged Feb 28, 2023

• C++: Make `gets` indirect output a LocalFlowSource

  #12325 merged Feb 27, 2023

• C++: Use correct DataFlow import in new TaintTracking.qll

  #12324 merged Feb 27, 2023

• Python: Fix expected of call-graph after merge

  #12326 merged Feb 27, 2023

• C++: Fix missing enclosing callables

  #12323 merged Feb 27, 2023

• JS: More precise type-test sanitizer guards in unsafe-html-construction

  #12177 merged Feb 27, 2023

• Java: Promote Hardcoded JWT credential query

  #12032 merged Feb 27, 2023

• JS: Sanitizer for `sanitizer(x) === true`

  #11769 merged Feb 27, 2023

• Make "Detecting a potential buffer overflow" example more uniform

  #12275 merged Feb 27, 2023

• Query and tests for sum without domain

  #12292 merged Feb 27, 2023

• Python: New type-tracking based call-graph

  #11376 merged Feb 27, 2023

• Codegen: make Swift codegen language agnostic

  #12319 merged Feb 27, 2023

• JS: Use shared `CryptographicOperation` concept

  #12080 merged Feb 27, 2023

• Java: Add new java.net.URL taintsteps

  #12305 merged Feb 27, 2023

• Swift: update to 5.7.3

  #12227 merged Feb 27, 2023

• JS: add process.env and process.argv etc. as source for `js/regex-injection`

  #12175 merged Feb 27, 2023

• JS: also consider relative exports when finding library inputs

  #12189 merged Feb 27, 2023

20 Pull requests opened by 14 people

• Ruby: Add Server Side Template Injection query

  #12311 opened Feb 25, 2023

• Python: Port `SensitiveActions.qll`

  #12314 opened Feb 26, 2023

• C++: Add copy of dataflow docs for new use-use dataflow library

  #12339 opened Feb 28, 2023

• Go: tools status page support

  #12341 opened Feb 28, 2023

• C++: Implement `clearsContent`

  #12344 opened Feb 28, 2023

• delete old deprecations

  #12345 opened Mar 1, 2023

• Java: Create SpelInjectionMongoDB.ql

  #12354 opened Mar 1, 2023

• Java: Update MaD Declarations after Triage

  #12366 opened Mar 2, 2023

• C#: .NET 7 Runtime and ASP.NET 7 stubs.

  #12369 opened Mar 2, 2023

• C#: Improve the `unsafe` predicate on Modifiable.

  #12370 opened Mar 2, 2023

• C#: Make diagnostics visible everywhere

  #12371 opened Mar 2, 2023

• C#: Add diagnostic checks to all remaining integration tests

  #12372 opened Mar 2, 2023

• JS: Support import assertions

  #12382 opened Mar 3, 2023

• C#: Append process id to diagnostics filename

  #12383 opened Mar 3, 2023

• C#: Add support for the tool status page

  #12385 opened Mar 3, 2023

• Swift: introduce type mangling

  #12388 opened Mar 3, 2023

• C++: Add `deprecated` to predicates that are deprecated according to the QLDoc

  #12389 opened Mar 3, 2023

• Swift: Permit data flow out through pointer arguments

  #12391 opened Mar 3, 2023

• Swift: mangle builtin types

  #12392 opened Mar 3, 2023

• Go: Add more JWT sinks

  #12396 opened Mar 3, 2023

6 Issues closed by 6 people

• codeql query compile error

  #12361 closed Mar 3, 2023

• General issue : There was no upgrade path to the target dbscheme

  #12331 closed Mar 1, 2023

• cs/static-field-written-by-instance false positive

  #12328 closed Feb 28, 2023

• False positive: About Javascript TaintBarriers

  #11667 closed Feb 27, 2023

• A missing import statement in the document

  #12274 closed Feb 27, 2023

• General issue - python default query suite not giving any results

  #12156 closed Feb 27, 2023

9 Issues opened by 9 people

• C++: getACanonicalMemberFunction does not return some unused members

  #12397 opened Mar 3, 2023

• Secure Java RSA Crypto Not Recognized By CodeQL

  #12390 opened Mar 3, 2023

• C/C++: Running query stopped generating logs

  #12380 opened Mar 3, 2023

• Why doesn't CodeQL support auditing PHP

  #12376 opened Mar 3, 2023

• CodeQL throws non-relevant error messages due to colon : in filepath, fails to query.

  #12358 opened Mar 2, 2023

• CodeQL C check for potential memset() removal by compiler dead store elimination is desired

  #12352 opened Mar 1, 2023

• The generated java database resource (XML file) is duplicate

  #12351 opened Mar 1, 2023

• Ruby scanning job hangs forever and doesn't complete on Ubuntu-latest

  #12349 opened Mar 1, 2023

• C/C++: Kalimba C Compiler not recognised

  #12346 opened Mar 1, 2023

22 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: model remaining top-500 JDK APIs

  #11968 commented on Mar 3, 2023 • 17 new comments

• Dataflow: Add a language specific term to `join` and `branch`

  #12236 commented on Mar 3, 2023 • 17 new comments

• add Ruby YAML unsafe_* methods as sink

  #12301 commented on Mar 1, 2023 • 12 new comments

• Java: Arbitrary APK installation

  #11915 commented on Mar 3, 2023 • 10 new comments

• Data flow: Refactor configuration

  #12186 commented on Mar 3, 2023 • 7 new comments

• Mass autoformat with class and module declarations format fix

  #12230 commented on Mar 3, 2023 • 7 new comments

• Rb: more taint-steps for shell-command-construction

  #11478 commented on Mar 1, 2023 • 6 new comments

• JS: docs for customizing library models with data extensions

  #11615 commented on Mar 3, 2023 • 5 new comments

• Java: add some neutral models discovered with heuristics

  #12249 commented on Mar 1, 2023 • 5 new comments

• JS: Implement diagnostics

  #12113 commented on Mar 2, 2023 • 4 new comments

• DO NOT MERGE: Replace AST with IR use-use dataflow

  #10817 commented on Mar 3, 2023 • 1 new comment

• Add ZipSlip and TarSlip query to ruby

  #12208 commented on Mar 1, 2023 • 1 new comment

• Python: Fix import of refined variable

  #12244 commented on Feb 27, 2023 • 1 new comment

• Python: Timing attack

  #9722 commented on Feb 27, 2023 • 0 new comments

• [WIP] Add ATM support for Java

  #11898 commented on Mar 1, 2023 • 0 new comments

• JS: Add support for TypeScript 5.0

  #12011 commented on Mar 2, 2023 • 0 new comments

• Java: Model the Netty framework

  #12049 commented on Feb 28, 2023 • 0 new comments

• Java: add ssrf models discovered with heuristics

  #12155 commented on Mar 3, 2023 • 0 new comments

• Ruby: Model ActiveModel#serializable_hash

  #12253 commented on Feb 27, 2023 • 0 new comments

• C#: Add static call graph tests

  #12262 commented on Mar 1, 2023 • 0 new comments

• C#: Stub generator improvements.

  #12264 commented on Mar 3, 2023 • 0 new comments

• Ruby: ensure that all Ast `Expr`s have a dataflow node type more precise than `ExprNode`

  #12306 commented on Feb 27, 2023 • 0 new comments