Insights: github/codeql
Overview
53 Pull requests merged by 26 people
-
C#: Update insecure randomness query description to match implementation
#14828 merged
Nov 17, 2023 -
C# fix integration tests
#14830 merged
Nov 17, 2023 -
Kotlin: Build: Refactor version handling
#14814 merged
Nov 17, 2023 -
C#: Fix integration test failures after dotnet upgrade on runners.
#14825 merged
Nov 17, 2023 -
Release preparation for version 2.15.3
#14813 merged
Nov 16, 2023 -
Post-release preparation for codeql-cli-2.15.3
#14816 merged
Nov 16, 2023 -
Bazel/CMake: small compatibility fix
#14820 merged
Nov 16, 2023 -
Doc: Fix name of VS Code settings property to use extension packs
#14819 merged
Nov 16, 2023 -
Java Automodel extraction: fix extracted meta information by using Object for the type of generic parameters
#14818 merged
Nov 16, 2023 -
Bazel/CMake: support new internal transition rules
#14805 merged
Nov 16, 2023 -
C++: Fix dataflow duplication from `ReferenceDereference` expressions
#14810 merged
Nov 16, 2023 -
C++: Convert `cpp/integer-overflow-tainted` away from DefaultTaintTracking
#14812 merged
Nov 16, 2023 -
Java: Improve QHelp for `java/path-injection` to mention less disruptive fixes.
#14793 merged
Nov 16, 2023 -
Java: Automodel Extraction: Remove Qualifier Endpoints of Constructors
#14795 merged
Nov 16, 2023 -
C++: Delete `cpp/tainted-format-string-through-global`
#14808 merged
Nov 16, 2023 -
Ruby: Include more nodes in `{Hash,Array}LiteralCfgNode`
#14783 merged
Nov 16, 2023 -
Remove LoC metrics from the analysis summary
#14811 merged
Nov 16, 2023 -
Python: Accept new ordering of query predicates in `.expected`
#14790 merged
Nov 16, 2023 -
Java: Publish Automodel query pack 0.0.7
#14642 merged
Nov 16, 2023 -
C++: Move change note
#14809 merged
Nov 16, 2023 -
Python: Update `.expected` to support Python 3.12
#14791 merged
Nov 16, 2023 -
Prepare shared type tracking library for adoption by Ruby
#14710 merged
Nov 16, 2023 -
Python: New FileSystem Access
#14406 merged
Nov 16, 2023 -
C#: Fix assembly attribute extraction in standalone mode
#14792 merged
Nov 16, 2023 -
Add content for the queries panel and language selector
#14776 merged
Nov 15, 2023 -
C++: Catch more returns of stack-allocated memory
#14794 merged
Nov 15, 2023 -
C++: Rewrite `cpp/uncontrolled-process-operation` to not use `DefaultTaintTracking`
#14561 merged
Nov 15, 2023 -
Go: improve value flow through arrays
#14778 merged
Nov 15, 2023 -
C++: Rewrite `cpp/tainted-arithmetic` away from `DefaultTaintTracking`
#14784 merged
Nov 15, 2023 -
Python: Add basic flow for class attributes
#14706 merged
Nov 15, 2023 -
JavaScript: Adjust XSS and log injection query severities
#14419 merged
Nov 14, 2023 -
Swift: extract AST nodes related to move semantics
#14768 merged
Nov 14, 2023 -
Swift: Use TaintInheritingContent in WebView.qll
#14772 merged
Nov 14, 2023 -
Swift: Fix odds and ends
#14773 merged
Nov 14, 2023 -
C#: Do not call nuget.exe on Apple Silicon
#14789 merged
Nov 14, 2023 -
Update metadata-for-codeql-queries.rst
#14785 merged
Nov 14, 2023 -
Ruby: Include name of variable in `UninitializedDefinition.toString`
#14781 merged
Nov 14, 2023 -
C++: Fix missing results in `cpp/unbounded-write`
#14771 merged
Nov 14, 2023 -
Disable the nuget standalone dependencies test on ARM-osx.
#14782 merged
Nov 14, 2023 -
C#: Change IsARM to Apple silicon check
#14760 merged
Nov 14, 2023 -
Bump tracing-subscriber from 0.3.17 to 0.3.18 in /ql
#14779 merged
Nov 14, 2023 -
Swift: Add more path injection sinks
#14748 merged
Nov 13, 2023 -
C++: Fix nonterminating test
#14769 merged
Nov 13, 2023 -
Go: Add Cors Gin Support
#14649 merged
Nov 13, 2023 -
Swift: Update the inline dataflow tests
#14761 merged
Nov 13, 2023 -
Go: Add Improper LDAP Authentication query (CWE-287)
#13366 merged
Nov 13, 2023 -
Rangeanalysis: Misc simplifications
#14757 merged
Nov 13, 2023 -
Swift: mark BuiltinTuple as experimental
#14759 merged
Nov 13, 2023 -
Java integration tests: More preparations to be executed on GH M1 machines
#14719 merged
Nov 13, 2023 -
Swift: do not extract non-AST types, NFC
#14756 merged
Nov 13, 2023 -
Java/C++/Rangeanalysis: Share more range analysis utility predicates.
#14742 merged
Nov 13, 2023 -
Swift: extract parameter packs
#14734 merged
Nov 13, 2023 -
Swift: update wordings in a downgrade script
#14750 merged
Nov 13, 2023
27 Pull requests opened by 17 people
-
Java: Insecure Loading of Class in Android App without Package Signature Checking
#14752 opened
Nov 12, 2023 -
C#: Framework dependency detection.
#14767 opened
Nov 13, 2023 -
Golang: Web Cache Deception Vulnerability
#14775 opened
Nov 13, 2023 -
Python: remove EssaNodes
#14777 opened
Nov 13, 2023 -
Ruby: Prune irrelevant data flow nodes and edges
#14787 opened
Nov 14, 2023 -
Swift: extract `MacroDecl`
#14796 opened
Nov 15, 2023 -
Swift: Heuristic sinks for swift/sql-injection
#14797 opened
Nov 15, 2023 -
Go: model value flow with array content through slice expressions
#14798 opened
Nov 15, 2023 -
DataFlow: Add language-specific predicate for ignoring steps in flow-through calculation
#14799 opened
Nov 15, 2023 -
Swift: final 5.8/5.9 extractions
#14800 opened
Nov 15, 2023 -
C++: Rewrite `cpp/tainted-format-string` away from `DefaultTaintTracking`
#14801 opened
Nov 15, 2023 -
Java: Add `.properties` file references in integration tests
#14802 opened
Nov 15, 2023 -
Swift: More sinks for swift/uncontrolled-format-string
#14807 opened
Nov 16, 2023 -
Type tracking: Parameterize consistency checks
#14815 opened
Nov 16, 2023 -
C#: Detect highest `TargetFramework` and install it if there is no `global.json`
#14821 opened
Nov 16, 2023 -
C++: Fix global-variable flow for array types
#14822 opened
Nov 16, 2023 -
Post-release preparation for codeql-cli-2.15.3
#14823 opened
Nov 16, 2023 -
Add skeleton files for changelog.
#14824 opened
Nov 16, 2023 -
Java: add a new query cover some instance of CWE-209
#14827 opened
Nov 17, 2023 -
Kotlin: Add 2.0.0-Beta1
#14831 opened
Nov 17, 2023 -
C#: Strengthen call-back heuristics by considering body-less methods
#14832 opened
Nov 17, 2023 -
Kotlin: Add a kotlin2 copy of the testsuite
#14833 opened
Nov 17, 2023 -
C#: Make assets file reading more robust.
#14834 opened
Nov 17, 2023 -
Kotlin: Fix findTopLevelFunctionOrWarn for Kotlin 2
#14835 opened
Nov 17, 2023 -
Kotlin: Add more CODEOWNERS entries
#14837 opened
Nov 17, 2023 -
C++: Convert `cpp/arithmetic-with-extreme-values` away from `DefaultTaintTracking`
#14838 opened
Nov 17, 2023
2 Issues closed by 2 people
-
Unable to resolve java qlpacks after v2.15.2
#14788 closed
Nov 14, 2023 -
Issue with new Dataflow module
#14740 closed
Nov 14, 2023
8 Issues opened by 7 people
-
zero files scanned results in green build
#14841 opened
Nov 18, 2023 -
False positive: Static field written by instance method by Interlocked API
#14840 opened
Nov 18, 2023 -
False positive: Missed 'readonly' opportunity for field used by Interlocked API
#14839 opened
Nov 18, 2023 -
Monorepo setup with different c# areas
#14836 opened
Nov 17, 2023 -
Few questions about semmle-extractor-options
#14826 opened
Nov 16, 2023 -
Support for langVersion 12 and Net 8
#14803 opened
Nov 15, 2023 -
Extractors/DIL source code
#14762 opened
Nov 13, 2023 -
False positive - tuple unpacking bracket detected as variable
#14753 opened
Nov 12, 2023
14 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Java: Add support for Java 21 language features
#14671 commented on
Nov 17, 2023 • 51 new comments -
How to extract source files when using a special compiler (e.g. TMS320C2000 C/C++ Compiler)?
#8453 commented on
Nov 16, 2023 • 10 new comments -
Java: Add Weak Randomness Query (CWE-330/338)
#13608 commented on
Nov 16, 2023 • 8 new comments -
Does C++ extractor support to process code with unity build?
#14479 commented on
Nov 16, 2023 • 7 new comments -
C#: Add flow steps for View calls referring to Razor pages
#14343 commented on
Nov 16, 2023 • 6 new comments -
C++ extractor fails to process code based on Unreal Engine
#13994 commented on
Nov 16, 2023 • 3 new comments -
Python: Add support for Python 3.12 type syntax
#14636 commented on
Nov 16, 2023 • 3 new comments -
Python: Add taint-flow modeling for `re` module
#14725 commented on
Nov 14, 2023 • 2 new comments -
CodeQL detected code written in Java but could not process any of it.General issue
#14066 commented on
Nov 16, 2023 • 1 new comment -
Java: Environment variable injection query
#14724 commented on
Nov 16, 2023 • 1 new comment -
Go: Switch from def-use flow to use-use flow
#14751 commented on
Nov 13, 2023 • 1 new comment -
Java: Weak Hashing Algorithm specified in `.properties` files
#14040 commented on
Nov 16, 2023 • 0 new comments -
[Feature branch] JS: Migrate to shared dataflow library
#14412 commented on
Nov 15, 2023 • 0 new comments -
Ruby: Adopt shared type tracking library
#14709 commented on
Nov 16, 2023 • 0 new comments