Overview
74 Pull requests merged by 28 people
-
C#: Update expected test output after passing in `--qltest` in `codeql test run`
#7751 merged
Jan 26, 2022 -
Java: Add models for java.util.regex.Pattern and Matcher
#7733 merged
Jan 26, 2022 -
C#: Remove some unused legacy relations from the DB scheme
#7746 merged
Jan 26, 2022 -
Ruby: taint steps for pattern matches
#7568 merged
Jan 26, 2022 -
js: add support for the 'node:' prefix for importing internal modules
#7734 merged
Jan 26, 2022 -
Ruby: Fix bad join in `ActionControllerHelperMethod`
#7738 merged
Jan 26, 2022 -
Ruby: Introduce `TAnyArrayElementContent`
#7726 merged
Jan 26, 2022 -
Ruby extractor: bump clap
#7729 merged
Jan 26, 2022 -
JS: Move experimental notice to the bottom of the ML-powered query help
#7744 merged
Jan 25, 2022 -
Merge `rc/3.4` into `main`
#7739 merged
Jan 25, 2022 -
Docs: Mention packaging commands in CodeQL extension
#7661 merged
Jan 25, 2022 -
Docs: Simplify getting started docs
#7618 merged
Jan 25, 2022 -
CodeQL documentation fixes
#7743 merged
Jan 25, 2022 -
C#: Exclude extractor arguments from `compilation_args` relation
#7741 merged
Jan 25, 2022 -
C++: Upgrade cpp/cleartext-storage-file
#7737 merged
Jan 25, 2022 -
JS: add a js/samesite-none-cookie cookie
#7721 merged
Jan 25, 2022 -
C#: Add change notes for the already implemented C# 10 features.
#7730 merged
Jan 25, 2022 -
C++: Add security-severity to `cpp/return-stack-allocated-memory`
#7732 merged
Jan 25, 2022 -
Ruby: Replace `getValueText` with `getConstantValue`
#7677 merged
Jan 25, 2022 -
Update CSV framework coverage reports
#7728 merged
Jan 25, 2022 -
JS: add a predicate to recognize path arguments in calls to the fs-extra lib
#7715 merged
Jan 25, 2022 -
C#: Query to detect hash without salt
#4949 merged
Jan 25, 2022 -
C#: Get rid of negative parameter/argument data-flow positions
#7658 merged
Jan 25, 2022 -
JS: add a js/empty-password-in-configuration-file query
#7632 merged
Jan 24, 2022 -
Update supported Go version
#7725 merged
Jan 24, 2022 -
C++: Add `security` tag to `cpp/return-stack-allocated-memory`
#7718 merged
Jan 24, 2022 -
Python: Add shutil module sinks for path injection query
#7455 merged
Jan 24, 2022 -
Update docs on the output of `resolve qlpacks`
#7571 merged
Jan 24, 2022 -
JS: add CWE-219 to js/exposure-of-private-files
#7719 merged
Jan 24, 2022 -
Data flow: Restructure `RequiredSummaryComponentStack`
#7688 merged
Jan 24, 2022 -
Java: Promote Insecure TrustManager from experimental
#7136 merged
Jan 24, 2022 -
JS: add CWE-80 to queries that detect bad HTML sanitizers
#7717 merged
Jan 24, 2022 -
Post-release preparation for codeql-cli-2.7.6
#7673 merged
Jan 24, 2022 -
C++: Remove FPs from `cpp/return-stack-allocated-memory`
#7701 merged
Jan 24, 2022 -
C++: Another improvement to cpp/cleartext-transmission
#7704 merged
Jan 24, 2022 -
Java: Remove some JNDI Injection sinks
#7702 merged
Jan 24, 2022 -
Update CSV framework coverage reports
#7705 merged
Jan 24, 2022 -
Java: Add support for bitwise compound assignments in Guards.
#7698 merged
Jan 24, 2022 -
Merge rc/3.3 into rc/3.4
#7685 merged
Jan 21, 2022 -
Ruby: Add Module#const_get as a code execution
#7419 merged
Jan 21, 2022 -
Ruby: Update `StringConstArrayInclusionCall` barrier guard
#7665 merged
Jan 21, 2022 -
JS: Fix copy/paste error in XSS ML-powered queries results patterns
#7700 merged
Jan 21, 2022 -
C++: Use the IR for `cpp/return-stack-allocated-memory`.
#7682 merged
Jan 21, 2022 -
small refactorizations across CodeQL
#7684 merged
Jan 21, 2022 -
C#: Struct (and to a minor extent anonymous types) improvements
#7643 merged
Jan 21, 2022 -
Java: Improvements to the Android query Use of implicit PendingIntents
#7681 merged
Jan 21, 2022 -
Java: Replace Commons IO model
#7603 merged
Jan 21, 2022 -
Python: Move regex injection configuration files
#7659 merged
Jan 21, 2022 -
Java: Fix recursion in `entrypointFieldStep`
#7691 merged
Jan 21, 2022 -
Python: Remove usernames as sensitive source for cleartext queries
#7652 merged
Jan 21, 2022 -
JS: fix most issues found by ql/class-doc-style
#7679 merged
Jan 21, 2022 -
JS: move electron sink to the customizations file
#7675 merged
Jan 21, 2022 -
JS: use more set literals
#7678 merged
Jan 20, 2022 -
Java: Add data flow node encapsulating instance accesses.
#7676 merged
Jan 20, 2022 -
simplify expressions that could be type-casts
#7668 merged
Jan 20, 2022 -
Ruby: flag up `protect_from_forgery` calls without an exception strategy
#7611 merged
Jan 20, 2022 -
Android: Add the Intent parameter of the `onActivityResult` method as a source
#6963 merged
Jan 20, 2022 -
Java: CWE-266 - Query to detect Intent URI Permission Manipulation in Android applications
#6975 merged
Jan 20, 2022 -
C++: Improve cpp/cleartext-transmission
#7650 merged
Jan 20, 2022 -
Java: Promote Unsafe certificate trust query from experimental
#6171 merged
Jan 20, 2022 -
Port changes from main to rc/3.3 to avoid regression
#7653 merged
Jan 20, 2022 -
Fix typo in FileWritable
#7662 merged
Jan 20, 2022 -
Refactor Apache Commons Lang model
#7634 merged
Jan 20, 2022 -
JS: add CWE-471 to the prototype-pollution queries
#7651 merged
Jan 20, 2022 -
Release preparation for version 2.7.6
#7667 merged
Jan 20, 2022 -
Java: Exclude irrelevant rows from models
#7656 merged
Jan 20, 2022 -
C#: Make support for Line span pragma
#7577 merged
Jan 20, 2022 -
C#: Workaround Roslyn bug in `INamedTypeSymbol.TupleElements`
#7646 merged
Jan 19, 2022 -
QL-for-QL: Add a could-be-cast query
#7472 merged
Jan 19, 2022 -
JS: Bump ML-powered query packs to v0.0.6
#7655 merged
Jan 19, 2022 -
C#: Introduce extractor mode to identify DBs created with `codeql test run`
#7515 merged
Jan 19, 2022 -
Remove security-severity tag to java/random-used-once
#7613 merged
Jan 19, 2022 -
Ruby: Resolve simple string interpolations
#7334 merged
Jan 19, 2022 -
C++: Fix branch related FPs in cpp/improper-null-termination.
#7627 merged
Jan 19, 2022
26 Pull requests opened by 16 people
-
Python: Cleanup: Remove old points-to versions of queries
#7654 opened
Jan 19, 2022 -
Java: Add model for Apache Commons Beanutil
#7657 opened
Jan 19, 2022 -
Python: Deprecate old points-to based modeling
#7660 opened
Jan 19, 2022 -
Ruby: Add basic subclassing support to API Graphs
#7663 opened
Jan 19, 2022 -
Ruby: Add File.open as a FileSystemAccess
#7666 opened
Jan 20, 2022 -
QL: field unused in disjunct
#7669 opened
Jan 20, 2022 -
Python: Adding initial LocalFlowSources
#7670 opened
Jan 20, 2022 -
QL: Use of db-type outside language core.
#7674 opened
Jan 20, 2022 -
VSCode: Autosave when running query
#7680 opened
Jan 20, 2022 -
Ruby: Use multiple threads in QL test CI job
#7683 opened
Jan 20, 2022 -
python: Rewrite path injection query to use flow state
#7687 opened
Jan 21, 2022 -
C++: Split 'gets' model.
#7703 opened
Jan 21, 2022 -
Java: CWE-073 File path injection with the JFinal framework
#7712 opened
Jan 23, 2022 -
Ruby: Add `rb/clear-text-logging-sensitive-data` query [WIP]
#7713 opened
Jan 23, 2022 -
C#: Desugar property patterns that uses member access syntax.
#7720 opened
Jan 24, 2022 -
Java: Regenerate framework models automatically
#7722 opened
Jan 24, 2022 -
Java: Add ReDoS queries
#7723 opened
Jan 24, 2022 -
Add new groups for examples packs
#7724 opened
Jan 24, 2022 -
Python: promote log injection
#7735 opened
Jan 25, 2022 -
JS: promote the js/jwt-missing-verification query out of experimental
#7740 opened
Jan 25, 2022 -
C++: Upgrade cpp/cleartext-storage-buffer
#7742 opened
Jan 25, 2022 -
C# 10 - Lambda improvements.
#7749 opened
Jan 26, 2022 -
Ruby: Desugar hash literals
#7750 opened
Jan 26, 2022 -
Fix issues with downgrade pack releases
#7752 opened
Jan 26, 2022 -
Ruby 3.1 features
#7753 opened
Jan 26, 2022 -
C#: Restrict stub logic to QL test DBs
#7755 opened
Jan 26, 2022
9 Issues closed by 9 people
-
[C/C++] How to sanitize a class object after its member function change its value?
#7714 closed
Jan 26, 2022 -
VariableCall as a sink
#7716 closed
Jan 25, 2022 -
several source files are included in src.zip, but not in the database
#7582 closed
Jan 24, 2022 -
JNDI Injection - false positive
#7699 closed
Jan 24, 2022 -
LGTM.com - false positive
#7709 closed
Jan 22, 2022 -
Why won't codeql compiler throw an error here?
#7690 closed
Jan 21, 2022 -
LGTM.com - false positive Sensitive data (id)
#6363 closed
Jan 21, 2022 -
[JS][question] How can I set js file as module if I don't add "import ..." line in the origin js file?
#7664 closed
Jan 21, 2022 -
java.lang.NegativeArraySizeException with CodeQL CLI 2.7.5
#7642 closed
Jan 20, 2022
7 Issues opened by 7 people
-
A symbol in CodeQL Query Results
#7745 opened
Jan 26, 2022 -
Creating too many QL classes generates an internal error when compiled
#7754 opened
Jan 25, 2022 -
Java: Record components (and their annotations) are not extracted
#7727 opened
Jan 24, 2022 -
Spawned process exited abnormally
#7711 opened
Jan 23, 2022 -
LGTM.com - false positive: Syntax error detected in async function detection
#7710 opened
Jan 22, 2022 -
Generate beautiful HTML page similar to LGTM
#7686 opened
Jan 21, 2022 -
Feature - Control the Disable button based on the administrative rights
#7672 opened
Jan 20, 2022
21 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Python/support match
#7635 commented on
Jan 26, 2022 • 15 new comments -
JS: add js/http-dependency query
#7633 commented on
Jan 26, 2022 • 14 new comments -
Java: Create new query Cleartext storage of sensitive information in Android databases
#6492 commented on
Jan 24, 2022 • 8 new comments -
Need help on JNDI injection query, does not work for log4j test project
#7621 commented on
Jan 21, 2022 • 7 new comments -
Ruby: Rails route resolution
#7061 commented on
Jan 26, 2022 • 7 new comments -
Java: CWE-200: Temp directory local information disclosure vulnerability
#4388 commented on
Jan 21, 2022 • 5 new comments -
"Failed with bad exit code during 'Checkout'" when not using "main" branch
#7640 commented on
Jan 19, 2022 • 4 new comments -
QL: field only used in charPred
#7598 commented on
Jan 20, 2022 • 4 new comments -
how can i analysis two project with "database import" command?
#7644 commented on
Jan 24, 2022 • 3 new comments -
Java: CWE-378: Temp Directory Hijacking Race Condition Vulnerability
#4473 commented on
Jan 24, 2022 • 3 new comments -
Python: Add cookie security-related queries
#6360 commented on
Jan 24, 2022 • 2 new comments -
Python: Add Python_JWT to JWT security query
#7452 commented on
Jan 24, 2022 • 2 new comments -
assignment is unnecessary under suppress()
#7638 commented on
Jan 19, 2022 • 1 new comment -
LGTM.com - false positive - Python: Module is imported with 'import' and 'import from'
#7639 commented on
Jan 19, 2022 • 1 new comment -
[Feature Request] support add constraint on typeVariable while perform virtual dispatch in java query
#7486 commented on
Jan 20, 2022 • 1 new comment -
LGTM.com - false positive go-path-injection despite using `path.Clean`
#7540 commented on
Jan 24, 2022 • 1 new comment -
Java: An experimental query for ignored hostname verification
#6443 commented on
Jan 19, 2022 • 1 new comment -
Fix order of IR call side effects
#6601 commented on
Jan 25, 2022 • 1 new comment -
Python: Port and extend XXE modeling
#6112 commented on
Jan 24, 2022 • 0 new comments -
C#: Shared extraction
#7456 commented on
Jan 19, 2022 • 0 new comments -
Ruby: add more Array/Enumerable flow summaries
#7614 commented on
Jan 25, 2022 • 0 new comments