Insights: github/codeql
Overview
44 Pull requests merged by 27 people
- Go: Include versions in newer Go version needed diagnostic
  #15492 merged Feb 1, 2024
- Ruby: Add another dataflow test
  #15498 merged Feb 1, 2024
- Updated dotnet version to 8.0.101
  #15475 merged Feb 1, 2024
- C#: Fix extraction of qualified delegate calls
  #15484 merged Feb 1, 2024
- Ruby: Model constructors in endpoint query on new instead of initialize
  #15490 merged Feb 1, 2024
- C#: Disable msbuild node reuse in autobuild
  #15491 merged Feb 1, 2024
- Ruby: Add Insecure Randomness Query
  #14554 merged Jan 31, 2024
- Ruby: Model flow through `ViewComponent` render methods
  #15370 merged Jan 31, 2024
- Ruby: Only model relevant files for type models
  #15485 merged Jan 31, 2024
- C#: Extract expanded compiler arguments
  #15472 merged Jan 31, 2024
- False positive fix for cpp/uninitialized-local
  #15463 merged Jan 31, 2024
- Ruby: Only generate models for public methods
  #15473 merged Jan 31, 2024
- C++: Support function calls throwing exceptions in the IR
  #15461 merged Jan 31, 2024
- Ruby: Rework `mayBenefitFromCallContext`
  #15468 merged Jan 30, 2024
- Ruby: additional unsafe deserialization sinks for ox and one for oj
  #14544 merged Jan 30, 2024
- JS/TS/Python/Ruby: Renames diagnostic query files and tests
  #15465 merged Jan 30, 2024
- Python: Add `html.escape` as HTML sanitizer
  #15398 merged Jan 30, 2024
- Ruby: Correctly report supported status of summary and neutral models
  #15470 merged Jan 30, 2024
- Ruby: Block flow from LHS of && expressions
  #15467 merged Jan 30, 2024
- C# 12: Support for collection expressions.
  #15426 merged Jan 30, 2024
- cpp/incorrect-string-type-conversion false positive fixes
  #15448 merged Jan 30, 2024
- C++: Fix more `asExpr` duplication
  #15458 merged Jan 30, 2024
- C++: Fix another FP in `cpp/incorrectly-checked-scanf`
  #15460 merged Jan 30, 2024
- C++: Fix FP in `cpp/incorrectly-checked-scanf`
  #15456 merged Jan 29, 2024
- Python: Support `a` (ASCII) inline regex flag
  #15390 merged Jan 29, 2024
- C#: Change asp.net core view generation to be opt out
  #15454 merged Jan 29, 2024
- Kotlin: Catch/ignore a IllegalArgumentException exception
  #15428 merged Jan 29, 2024
- Kotlin 2: Comment improvements
  #14940 merged Jan 29, 2024
- Update CSV framework coverage reports
  #15449 merged Jan 29, 2024
- C++: Report any extracted file as successfully extracted
  #15381 merged Jan 26, 2024
- Java: Add `java.util.UUID` and `java.util.Date` to the `SimpleTypeSanitizer` class
  #15292 merged Jan 26, 2024
- Java: Add query for exposure of sensitive information to android notifications
  #15281 merged Jan 26, 2024
- Java: Add models for overloads of DatagramPacket constructor
  #15436 merged Jan 26, 2024
- Merge `codeql-cli-2.16.1` back to `main`
  #15446 merged Jan 26, 2024
- Merge `codeql-cli-2.16.0` back into `codeql-cli-2.16.1`
  #15447 merged Jan 26, 2024
- Generate changelog for 2.16.1
  #15438 merged Jan 26, 2024
- C#: Introduce log verbosity extractor option
  #15437 merged Jan 26, 2024
- Java: Update MaD Declarations after Triage
  #15420 merged Jan 26, 2024
- Bump chrono from 0.4.32 to 0.4.33 in /ql
  #15441 merged Jan 26, 2024
- C++: Add `asExpr` and `asIndirectExpr` library tests (and fix more duplication)
  #15427 merged Jan 25, 2024
- DataFlow: Fix join order
  #15434 merged Jan 25, 2024
- Java: Improve the QHelp for `java/path-injection`.
  #15409 merged Jan 25, 2024
- Swift: update formatting to `clang-format` 17.0.6
  #15433 merged Jan 25, 2024
- Post-release preparation for codeql-cli-2.16.1
  #15416 merged Jan 25, 2024
22 Pull requests opened by 17 people
- Dataflow perf investigations
  #15444 opened Jan 26, 2024
- Java: test changes for making buildless' classpath ordering deterministic
  #15445 opened Jan 26, 2024
- Java: Document which assignment type is covered by which class
  #15451 opened Jan 28, 2024
- Python: Model the `psycopg` package
  #15457 opened Jan 29, 2024
- C#: Add summaries for Span<T> and ReadOnlySpan<T>.
  #15459 opened Jan 29, 2024
- Check for large runners
  #15471 opened Jan 30, 2024
- C# 12: Primary constructors.
  #15474 opened Jan 30, 2024
- C++: Add PreprocBlock.qll library
  #15476 opened Jan 30, 2024
- Kotlin: Add path transformer support
  #15477 opened Jan 30, 2024
- Revert "Ruby: additional unsafe deserialization sinks for ox and one for oj"
  #15479 opened Jan 30, 2024
- False positive in SensitiveDataHeuristics - exclude certification from maybeCertificate() regex
  #15480 opened Jan 30, 2024
- [Draft] Java: Add query for insecure local authentication
  #15481 opened Jan 31, 2024
- Ruby: Block flow into flow sources
  #15483 opened Jan 31, 2024
- Java: Update MaD Declarations after Triage
  #15486 opened Jan 31, 2024
- Ruby: add docs for customizing library models with data extensions
  #15488 opened Jan 31, 2024
- C#: Additional tracking of lambdas through fields and properties
  #15489 opened Jan 31, 2024
- Declare permissions
  #15493 opened Jan 31, 2024
- Tree-sitter extractors: use fresh IDs for locations
  #15496 opened Jan 31, 2024
- Python: Support integer subscripts in the API graph
  #15497 opened Jan 31, 2024
- Automodel: Do not consider `@FunctionalInterface`-typed expressions as candidates.
  #15499 opened Feb 1, 2024
- Dataflow/Java: Support alert provenance
  #15501 opened Feb 1, 2024
4 Issues closed by 3 people
- How to show all the results from multiple queiries?
  #15482 closed Jan 31, 2024
- Failed to load semmle.go.controlflow: "Could not resolve module semmle.go.controlflow"
  #15469 closed Jan 31, 2024
- Issues Encountered While Analyzing C Control Flow with CodeQL
  #15455 closed Jan 30, 2024
- False positive and misleading diagnostic on scanf
  #15415 closed Jan 30, 2024
7 Issues opened by 6 people
- explicit java Function<X,Y> implementation is not tainted?
  #15494 opened Jan 31, 2024
- False positive: Certification should not match maybeCertificate()
  #15478 opened Jan 30, 2024
- Python codeql analysis hangs at `UnusedModuleVariable`
  #15466 opened Jan 29, 2024
- Workflows get stuck on forks
  #15464 opened Jan 29, 2024
- Workflows are missing permissions requests
  #15462 opened Jan 29, 2024
- cpp query does not stop
  #15442 opened Jan 26, 2024
- query keep waiting :An error occurred while evaluating _BasicBlocks
  #15440 opened Jan 26, 2024
30 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
- JS: Add library for naming endpoints
  #15380 commented on Jan 31, 2024 • 15 new comments
- Java: Add query for sensitive data exposed in text fields
  #15396 commented on Feb 1, 2024 • 11 new comments
- C#: Refactor C# queries to use `ThreatModelFlowSource` instead of `RemoteFlowSource`
  #15419 commented on Jan 31, 2024 • 8 new comments
- Go: Update autobuilder to deal with the upcoming deprecation of the legacy GOPATH mode
  #15361 commented on Feb 1, 2024 • 7 new comments
- Swift: Add Unsafe Unpacking Query (CWE-022)
  #14888 commented on Jan 26, 2024 • 6 new comments
- Java: Extend JAXB.qll to cover Jakarta XML Binding
  #4840 commented on Feb 1, 2024 • 3 new comments
- Unable to create database on windows 11 ARM machine
  #15417 commented on Jan 25, 2024 • 2 new comments
- Issues using published codeql pack
  #15400 commented on Jan 25, 2024 • 2 new comments
- Python: add models for `stdlib`
  #15306 commented on Jan 31, 2024 • 2 new comments
- JS: use the class hierarchy from TypeScript in the callgraph
  #5694 commented on Jan 27, 2024 • 1 new comment
- Kotlin Extractor does not respect SEMMLE_PATH_TRANSFORMER for Source Files
  #15382 commented on Jan 29, 2024 • 1 new comment
- Some CPP source files do not contain headers
  #15366 commented on Jan 29, 2024 • 1 new comment
- Java: Add sinks for `sun.misc.Unsafe`
  #15247 commented on Jan 28, 2024 • 1 new comment
- General issue Python:Unable to recognize calling a method through an instance member of a class
  #14899 commented on Jan 28, 2024 • 1 new comment
- The compilation process of "gradlew.bat" cannot be detected.
  #15431 commented on Jan 25, 2024 • 1 new comment
- Non dominating flow after free queries
  #15412 commented on Jan 25, 2024 • 0 new comments
- C#: Merge `cs/exposure-of-private-information` into `cs/cleartext-storage-of-sensitive-information`,
  #15379 commented on Jan 29, 2024 • 0 new comments
- Tree sitter extractor: Proper handling of `LGTM_INDEX_FILTERS`
  #15365 commented on Jan 30, 2024 • 0 new comments
- C++: Unique function fix
  #15421 commented on Jan 25, 2024 • 0 new comments
- [Python] Add Unicode DoS (qhelp, tests and the query)
  #15319 commented on Jan 29, 2024 • 0 new comments
- Python: add new Pandas sinks
  #15314 commented on Jan 29, 2024 • 0 new comments
- C# WIP: Change pre-finalize to run standalone extraction
  #15298 commented on Feb 1, 2024 • 0 new comments
- Python: remove assignments handled by capture library
  #15255 commented on Jan 28, 2024 • 0 new comments
- C++: Accept test changes after frontend upgrade
  #15213 commented on Jan 26, 2024 • 0 new comments
- Data flow: prune context-sensitivity relations
  #15140 commented on Jan 30, 2024 • 0 new comments
- Bump actions/upload-artifact from 3 to 4
  #15114 commented on Jan 25, 2024 • 0 new comments
- Bump actions/download-artifact from 3 to 4
  #15113 commented on Jan 25, 2024 • 0 new comments
- Java: Refactor path injection sinks
  #12886 commented on Jan 30, 2024 • 0 new comments
- False negative: NestJS TypeORM SQLInjection vulnerability not detected
  #15299 commented on Jan 29, 2024 • 0 new comments
- Python extractor failure when Python 3.6 is used
  #15337 commented on Jan 28, 2024 • 0 new comments