59 Pull requests merged by 22 people

• Swift: Add more path injection sinks

  #14748 merged Nov 13, 2023

• C++: Fix nonterminating test

  #14769 merged Nov 13, 2023

• Go: Add Cors Gin Support

  #14649 merged Nov 13, 2023

• Swift: Update the inline dataflow tests

  #14761 merged Nov 13, 2023

• Go: Add Improper LDAP Authentication query (CWE-287)

  #13366 merged Nov 13, 2023

• Rangeanalysis: Misc simplifications

  #14757 merged Nov 13, 2023

• Swift: mark BuiltinTuple as experimental

  #14759 merged Nov 13, 2023

• Java integration tests: More preparations to be executed on GH M1 machines

  #14719 merged Nov 13, 2023

• Swift: do not extract non-AST types, NFC

  #14756 merged Nov 13, 2023

• Java/C++/Rangeanalysis: Share more range analysis utility predicates.

  #14742 merged Nov 13, 2023

• Swift: extract parameter packs

  #14734 merged Nov 13, 2023

• Swift: update wordings in a downgrade script

  #14750 merged Nov 13, 2023

• C++: Move a couple of predicates to `Node0Impl`

  #14749 merged Nov 10, 2023

• Swift: parameter packs migration scripts

  #14745 merged Nov 10, 2023

• C++: Add models for `strlcpy` and `strlcat`

  #14735 merged Nov 10, 2023

• C++: Rewrite `cpp/unbounded-write` away from `DefaultTaintTracking`

  #14669 merged Nov 10, 2023

• C++: Fix indirect global-variable flow

  #14736 merged Nov 10, 2023

• C++: Fix `hasRemoteFlowSource` for `fgets`

  #14744 merged Nov 10, 2023

• C#: Adjust standalone integration test to not reference mono assemblies

  #14743 merged Nov 10, 2023

• C#: Use `C'X` fully-qualified-name format instead of `C<,...,>`

  #14589 merged Nov 10, 2023

• Update CSV framework coverage reports

  #14739 merged Nov 10, 2023

• Swift: add more doc strings to generated things

  #14715 merged Nov 10, 2023

• C++: 28 strsafe library updates2

  #14726 merged Nov 9, 2023

• Take our node, not the one that comes first on the PATH.

  #14738 merged Nov 9, 2023

• C#: Include all (legacy) nuget restored folders in standalone references

  #14723 merged Nov 9, 2023

• C#: Include type parameters in MaD format for generics

  #14662 merged Nov 9, 2023

• C++: Fix operand ssa variables for range analysis.

  #14732 merged Nov 9, 2023

• Java: model JDK21 SequencedCollection, Set and Map

  #14699 merged Nov 9, 2023

• Docs: document dataflow `neverSkip` (and expand section on hidden nodes)

  #14731 merged Nov 9, 2023

• C#: Disable CIL extraction by default.

  #14564 merged Nov 9, 2023

• Java/C++/RangeAnalysis: Move SsaReadPosition to shared qlpack.

  #14721 merged Nov 9, 2023

• JS: Move the language pack build and tests to Bazel

  #14677 merged Nov 9, 2023

• Bump the extractor-dependencies group in /go/extractor with 1 update

  #14729 merged Nov 9, 2023

• Swift: Fix defaultImplicitTaintRead on fields

  #14661 merged Nov 8, 2023

• Swift: Promote the command injection query out of experimental

  #14701 merged Nov 8, 2023

• Swift: upgrade to 5.9

  #14261 merged Nov 8, 2023

• Restructure go Makefile: Build the per-platform target.

  #14718 merged Nov 8, 2023

• Swlft: fix CFG for SingleValueStmtExpr

  #14717 merged Nov 8, 2023

• VS Code extension docs: Changes to database downloads

  #14668 merged Nov 8, 2023

• Python: Fix dataflow consistency error due to missing class scope

  #14590 merged Nov 8, 2023

• JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.

  #14603 merged Nov 8, 2023

• C#: Keep only one framework reference nuget package in standalone

  #14707 merged Nov 8, 2023

• C#: Fix compiler warning of possible null de-reference.

  #14693 merged Nov 8, 2023

• C#: Tracer improvement for `dotnet test`

  #14712 merged Nov 8, 2023

• C++: Don't use GVN as SSAVariable in new range analysis

  #14713 merged Nov 8, 2023

• Java: Add JMS sink to java/unsafe-deserialization

  #14610 merged Nov 8, 2023

• JS: catch when the main: path is invalid on Windows

  #14716 merged Nov 8, 2023

• Java/C++/RangeAnalysis: Move a couple of utility predicates to shared qlpack

  #14711 merged Nov 8, 2023

• C++: IR'ify `cpp/uninitialized-local` and fix FPs

  #14704 merged Nov 7, 2023

• Fix a dead ReDoS link in docs

  #14705 merged Nov 7, 2023

• C++: Add comment to testcase

  #14714 merged Nov 7, 2023

• C++: Add range analysis testcase

  #14708 merged Nov 7, 2023

• C++: Simplify the definition of `SemExpr` for range analysis

  #14697 merged Nov 7, 2023

• C#: Correctly parse operator names in MaD

  #14678 merged Nov 7, 2023

• Python: Misc: show that all tests passed in validTest

  #14694 merged Nov 7, 2023

• Java: Make integration test more robust wrt recent Java versions.

  #14702 merged Nov 7, 2023

• Swlft: force canonical type computation before using the type

  #14696 merged Nov 7, 2023

• C++: Allocate more `FunctionInput` and `FunctionOutput`s

  #14667 merged Nov 7, 2023

• Swift: Fix an issue with Realm sinks for swift/cleartext-storage-database

  #14698 merged Nov 7, 2023

25 Pull requests opened by 15 people

• Python: Add basic flow for class attributes

  #14706 opened Nov 7, 2023

• Ruby: Adopt shared type tracking library

  #14709 opened Nov 7, 2023

• Prepare shared type tracking library for adoption by Ruby

  #14710 opened Nov 7, 2023

• Java: Environment variable injection query

  #14724 opened Nov 8, 2023

• Python: Add taint-flow modeling for `re` module

  #14725 opened Nov 8, 2023

• Temporarily run the standalone extractor instead of autobuilding - beginning of the quarter

  #14741 opened Nov 10, 2023

• misc: add dbscheme diff generation

  #14746 opened Nov 10, 2023

• Go: Switch from def-use flow to use-use flow

  #14751 opened Nov 11, 2023

• Java: Insecure Loading of Class in Android App without Package Signature Checking

  #14752 opened Nov 12, 2023

• C# integration tests: Prepare for moving to GH-hosted ARM runner

  #14758 opened Nov 13, 2023

• C#: Change IsARM to Apple silicon check

  #14760 opened Nov 13, 2023

• Bump golang.org/x/net from 0.0.0-20210405180319-a5a99cb37ef4 to 0.17.0 in /go/ql/test/experimental/CWE-918

  #14763 opened Nov 13, 2023

• Bump golang.org/x/net from 0.10.0 to 0.17.0 in /go/ql/test/experimental/CWE-347

  #14764 opened Nov 13, 2023

• Bump golang.org/x/net from 0.10.0 to 0.17.0 in /go/ql/test/experimental/CWE-321-V2

  #14765 opened Nov 13, 2023

• Bump golang.org/x/net from 0.8.0 to 0.17.0 in /go/ql/test/experimental/CWE-321

  #14766 opened Nov 13, 2023

• C#: Framework dependency detection.

  #14767 opened Nov 13, 2023

• Swift: extract AST nodes related to move semantics

  #14768 opened Nov 13, 2023

• Bump golang.org/x/net from 0.10.0 to 0.17.0 in /go/ql/test/experimental/CWE-942

  #14770 opened Nov 13, 2023

• C++: Fix missing results in `cpp/unbounded-write`

  #14771 opened Nov 13, 2023

• Swift: Use TaintInheritingContent in WebView.qll

  #14772 opened Nov 13, 2023

• Swift: Fix odds and ends

  #14773 opened Nov 13, 2023

• Golang: Web Cache Deception Vulnerability

  #14775 opened Nov 13, 2023

• Add content for the queries panel and language selector

  #14776 opened Nov 13, 2023

• Python: remove EssaNodes

  #14777 opened Nov 13, 2023

• Go: improve value flow through arrays

  #14778 opened Nov 13, 2023

3 Issues closed by 3 people

• Unrelated change: I just spotted that this was out of date.

  #14755 closed Nov 13, 2023

• LICENSE

  #14754 closed Nov 13, 2023

• C++: Customization mechanism for the standard library

  #14722 closed Nov 10, 2023

6 Issues opened by 6 people

• Extractors/DIL source code

  #14762 opened Nov 13, 2023

• False positive - tuple unpacking bracket detected as variable

  #14753 opened Nov 12, 2023

• Issue with new Dataflow module

  #14740 opened Nov 10, 2023

• False positive: Go x, _ := strconv.ParseUint(,, strconv.IntSize-1); int(x)

  #14733 opened Nov 9, 2023

• False positive: cpp/non-constant-format

  #14727 opened Nov 8, 2023

• codeql fails with exit code 32 for c language analysis under the macOS environment

  #14703 opened Nov 7, 2023

19 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• JS: decoding JWT without signature verification

  #14088 commented on Nov 8, 2023 • 13 new comments

• Go: fasthttp

  #14123 commented on Nov 10, 2023 • 12 new comments

• Go: Decompression Bombs

  #13553 commented on Nov 7, 2023 • 5 new comments

• Java: Add support for Java 21 language features

  #14671 commented on Nov 13, 2023 • 5 new comments

• Java: JWT decoding without verification

  #14089 commented on Nov 7, 2023 • 4 new comments

• Python: Add support for Python 3.12 type syntax

  #14636 commented on Nov 13, 2023 • 4 new comments

• Java: Add Weak Randomness Query (CWE-330/338)

  #13608 commented on Nov 8, 2023 • 3 new comments

• JS: extend DatabaseAccess by `TypeORM` and `sqlite` and `better-sqlite3` packages

  #14302 commented on Nov 9, 2023 • 3 new comments

• Swift: implement type pruning for dataflow

  #14592 commented on Nov 10, 2023 • 3 new comments

• Does C++ extractor support to process code with unity build?

  #14479 commented on Nov 9, 2023 • 2 new comments

• How to extract source files when using a special compiler (e.g. TMS320C2000 C/C++ Compiler)?

  #8453 commented on Nov 13, 2023 • 2 new comments

• Ruby: Implement `mustFlow`

  #14303 commented on Nov 8, 2023 • 2 new comments

• JS: [WIP] Add `dot.js` support

  #13624 commented on Nov 9, 2023 • 1 new comment

• C#: Add flow steps for View calls refering to Razor pages

  #14343 commented on Nov 9, 2023 • 1 new comment

• 27 cppnon constant format bug

  #14700 commented on Nov 7, 2023 • 1 new comment

• workflow yml file configuration

  #14652 commented on Nov 11, 2023 • 0 new comments

• Java: Weak Hashing Algorithm specified in `.properties` files

  #14040 commented on Nov 8, 2023 • 0 new comments

• Temporarily run the standalone extractor instead of autobuilding

  #14324 commented on Nov 9, 2023 • 0 new comments

• Java: Add more sinks to the Weak Randomness query

  #14681 commented on Nov 8, 2023 • 0 new comments