Overview
48 Pull requests merged by 23 people
-
JS: Only featurize endpoints that are part of a flow path
#7357 merged
Dec 17, 2021 -
Bump ATM pack version to 0.0.2
#7445 merged
Dec 17, 2021 -
QL for QL: add autobuilder that respects LGTM_INDEX_FILTERS
#7444 merged
Dec 17, 2021 -
C++: Fix join-order in `phi_node` predicate.
#7434 merged
Dec 17, 2021 -
Python: Add SSRF queries
#7420 merged
Dec 17, 2021 -
JS: extend syntax of handlebars tags
#7327 merged
Dec 17, 2021 -
JS: Add routing trees library
#7049 merged
Dec 17, 2021 -
Java: New sinks for Log4j CloseableThreadContext
#7435 merged
Dec 17, 2021 -
Add QL for QL
#7410 merged
Dec 17, 2021 -
C++: Fix join-order in `HttpStringLiteral` charpred
#7426 merged
Dec 17, 2021 -
Ruby: SimpleParameter should not be an Expr
#7393 merged
Dec 17, 2021 -
Update CSV framework coverage reports
#7433 merged
Dec 17, 2021 -
Add `kind` metadata to example query.
#7422 merged
Dec 16, 2021 -
Java: Cover CVE-2021-45046 in the Log4jJndiInjection query
#7423 merged
Dec 16, 2021 -
Update CSV framework coverage reports
#7402 merged
Dec 16, 2021 -
Ruby: Deprecate `Pattern` classes
#7390 merged
Dec 16, 2021 -
C#: Convert more flow summaries to CSV format.
#7406 merged
Dec 16, 2021 -
JS: track functions with methods
#7409 merged
Dec 16, 2021 -
JS: Use return value of trusted type policy callback as a sink
#7408 merged
Dec 16, 2021 -
C#: Fix broken `FlowSummariesFiltered` test
#7413 merged
Dec 16, 2021 -
Fix ruby incorrect version in documentation
#7249 merged
Dec 15, 2021 -
Ruby: Prevent infinite recursion in module resolution library
#7378 merged
Dec 15, 2021 -
Java: Preserve taint on field-read-steps on entrypoint types
#6098 merged
Dec 15, 2021 -
C++: Fix FP in `cpp/comparison-of-identical-expressions`
#7395 merged
Dec 15, 2021 -
C#: Convert XML related flow summaries to CSV and fix flow summaries test cases.
#7384 merged
Dec 15, 2021 -
Ruby: handle private module methods
#7340 merged
Dec 15, 2021 -
Release preparation for version 2.7.4
#7401 merged
Dec 14, 2021 -
C#: Introduce class `Overridable`
#7377 merged
Dec 14, 2021 -
Fix change notes
#7398 merged
Dec 14, 2021 -
Ruby: Add `getBlock` and `getNumberOfArguments` predicates to `DataFlow::CallNode`
#7391 merged
Dec 14, 2021 -
C#: Convert flow summaries to CSV for System.IO.*
#7389 merged
Dec 14, 2021 -
Clarify Log4jJndiInjection.ql query name and help
#7388 merged
Dec 14, 2021 -
Update creating-codeql-databases.rst
#7368 merged
Dec 14, 2021 -
Java: Experimental query for Log4j JNDI Injection
#7354 merged
Dec 14, 2021 -
C#: Update nuget packages
#6791 merged
Dec 14, 2021 -
C++: refactor buffer overwrite queries with estimate reasons
#7272 merged
Dec 14, 2021 -
ATM Endpoint filtering improvements
#7352 merged
Dec 14, 2021 -
Update CSV framework coverage reports
#7381 merged
Dec 14, 2021 -
JS: Improve inter-procedural type inference for FunctionExpr
#7344 merged
Dec 13, 2021 -
Ruby: update crate versions
#7375 merged
Dec 13, 2021 -
Fix semver for upgrades references
#7374 merged
Dec 13, 2021 -
JS: Performance improvements to libraries using regex matching
#7323 merged
Dec 13, 2021 -
C#: Flow summaries for virtual members in abstract classes should also apply to overrides.
#7370 merged
Dec 13, 2021 -
Ruby: use Ruby object instantiation syntax in a comment
#7371 merged
Dec 13, 2021 -
C#: Convert flow summaries for JSon.NET
#7348 merged
Dec 13, 2021 -
C#: More Flow summaries in CSV format.
#7342 merged
Dec 13, 2021 -
C#: Convert flow summaries to CSV format.
#7304 merged
Dec 13, 2021 -
Ruby: Don't count private methods as Rails actions
#7325 merged
Dec 13, 2021
25 Pull requests opened by 18 people
-
JS/Py/Ruby: Add more CWEs to bad-tag-filter queries
#7369 opened
Dec 13, 2021 -
Release preparation for version 2.7.5
#7372 opened
Dec 13, 2021 -
JS: Update featurization for absent features optimization
#7376 opened
Dec 13, 2021 -
Merge advanced security workshops into docs/codeql/codeql-workshops/
#7379 opened
Dec 13, 2021 -
C++: split `cpp/overrunning-write` into two
#7386 opened
Dec 14, 2021 -
C++: Fix join order in `isArgumentForParameter`
#7392 opened
Dec 14, 2021 -
Ruby: CFG: make all expressions "post-order" nodes
#7394 opened
Dec 14, 2021 -
C++: failing test for a weird range analysis
#7396 opened
Dec 14, 2021 -
Define the `sha` of `codeql` for ATM query pack `0.0.2`
#7397 opened
Dec 14, 2021 -
Ruby: Model what is written to the log from stdlib `Logger` methods
#7399 opened
Dec 14, 2021 -
Add instructions for creating change notes.
#7400 opened
Dec 14, 2021 -
Post-release preparation for codeql-cli-2.7.4
#7407 opened
Dec 15, 2021 -
C#: Delayed `files`/`folder` population
#7415 opened
Dec 15, 2021 -
Remove experimental tag from non-ATM queries
#7416 opened
Dec 15, 2021 -
Java: Start running telemetry queries on Code Scanning
#7417 opened
Dec 15, 2021 -
Ruby: Add Module#const_get as a code execution
#7419 opened
Dec 16, 2021 -
C#: Flow summaries in CSV format.
#7424 opened
Dec 16, 2021 -
Solorigate: Extract to separate qlpack
#7431 opened
Dec 16, 2021 -
Ruby: Include StringComponents in the CFG
#7440 opened
Dec 17, 2021 -
QL-for-QL: Followup changes
#7441 opened
Dec 17, 2021 -
Ruby: Data flow for keyword arguments/parameters
#7442 opened
Dec 17, 2021 -
QL4QL: catch behaviour/behavior in ql/non-us-spelling
#7443 opened
Dec 17, 2021 -
[Ruby] Bugfix: ConstantWriteAccess::getQualifiedName() returns wrong value in some cases
#7446 opened
Dec 18, 2021 -
Ruby: demonstrate data flow not working with instance variables
#7447 opened
Dec 18, 2021 -
QL: Add query detecting suspiciously missing parameters from the QLDoc of a predicate
#7450 opened
Dec 18, 2021
5 Issues closed by 4 people
-
LGTM.com - false positive
#7439 closed
Dec 17, 2021 -
LGTM.com - false positive
#7438 closed
Dec 17, 2021 -
Understanding the difference between DataFlow::Node and DataFlow::PathNode while selecting nodes
#7387 closed
Dec 17, 2021 -
[JavaScript] Another limited case for tainting objects with methods
#7106 closed
Dec 16, 2021 -
LGTM.com - false positive `cpp/comparison-of-identical-expressions`
#7385 closed
Dec 15, 2021
8 Issues opened by 8 people
-
strange duplicate query result and missing some of it
#7449 opened
Dec 18, 2021 -
codeql not tracking certain object literals
#7421 opened
Dec 16, 2021 -
Invalid Checksum Error
#7418 opened
Dec 15, 2021 -
log4jJndiInjection UserInput instead of RemoteFlowSource
#7411 opened
Dec 15, 2021 -
DataFlow can't pass taint flow for functions not found defined in Node.js?
#7405 opened
Dec 15, 2021 -
General issue C/C++: help of understanding the division of a predicate
#7404 opened
Dec 15, 2021 -
How to build a database that adds additional code based on lgtm's database
#7382 opened
Dec 14, 2021 -
"No code found during the build." after successful compilation for C++ in Visual Studio 2019
#7365 opened
Dec 12, 2021
22 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
C++: Improvements to cpp/cleartext-transmission
#7338 commented on
Dec 15, 2021 • 16 new comments -
Dataflow: Add support for flow state
#7349 commented on
Dec 15, 2021 • 14 new comments -
Ruby: Flow through arrays/enumerables
#7198 commented on
Dec 17, 2021 • 11 new comments -
Ruby: Rails route resolution
#7061 commented on
Dec 16, 2021 • 10 new comments -
C#: Enable data-flow consistency queries
#7231 commented on
Dec 17, 2021 • 8 new comments -
Dataflow: order step side-conditions ahead of mapping Node <-> NodeEx and cartesian product with Configuration
#7350 commented on
Dec 15, 2021 • 8 new comments -
Ruby: Add `rb/weak-cookie-configuration` query
#7313 commented on
Dec 16, 2021 • 7 new comments -
Java : Add SSTI query
#5935 commented on
Dec 15, 2021 • 6 new comments -
Ruby: query to find user-controlled bypass of sensitive actions
#7305 commented on
Dec 16, 2021 • 6 new comments -
JS: Initial models-as-data implementation
#7171 commented on
Dec 14, 2021 • 5 new comments -
Ruby: add CryptoAlgorithms library
#7273 commented on
Dec 17, 2021 • 3 new comments -
CPP: Add query for CWE-266 Incorrect Privilege Assignment
#6949 commented on
Dec 13, 2021 • 2 new comments -
Ruby: Resolve simple string interpolations
#7334 commented on
Dec 17, 2021 • 2 new comments -
[Feature Request] Support Trusted Types in JavaScript queries
#7336 commented on
Dec 15, 2021 • 1 new comment -
Java: CWE-470 - Queries to detect Fragment Injection in Android applications
#6923 commented on
Dec 15, 2021 • 1 new comment -
Java: Promote Log Injection from experimental
#7054 commented on
Dec 12, 2021 • 1 new comment -
Ruby: Add support for GraphQL
#7126 commented on
Dec 18, 2021 • 0 new comments -
Multiple scopes for neighborhood feature
#7196 commented on
Dec 14, 2021 • 0 new comments -
Java: CWE-552 Query to detect unsafe request dispatcher usage
#7286 commented on
Dec 15, 2021 • 0 new comments -
Python: Cache more predicates and improve performance.
#7339 commented on
Dec 17, 2021 • 0 new comments -
Move upgrades into standard library packs
#7355 commented on
Dec 14, 2021 • 0 new comments -
Python: Basic support for match statement
#7356 commented on
Dec 13, 2021 • 0 new comments