Overview
56 Pull requests merged by 22 people
-
Java: Move `NumericType` to `Type.qll`
#9201 merged
May 18, 2022 -
Update CSV framework coverage reports
#9202 merged
May 18, 2022 -
Ruby: Force cached taint tracking predicates to be evaluated in data flow stage
#9191 merged
May 18, 2022 -
Data flow: Do not materialize `summaryArgParam`
#9190 merged
May 18, 2022 -
QL: add unused-field query
#7763 merged
May 18, 2022 -
Update Lua tracing configs.
#9187 merged
May 17, 2022 -
QL: Allow class + `Base` in `ql/primary-ql-class-consistency`
#9188 merged
May 17, 2022 -
QL: add query warning about `count(...) = 0`.
#9082 merged
May 17, 2022 -
Kotlin: Add support for InlineExpectationsTest
#9186 merged
May 17, 2022 -
C++: Clean up the XXE query QL.
#9176 merged
May 17, 2022 -
Ruby: update tree-sitter-ruby
#9178 merged
May 17, 2022 -
Post-release preparation for codeql-cli-2.9.2
#9141 merged
May 17, 2022 -
Kotlin: Fix parent class lookup from field initializers in `isUnspecialised`
#9174 merged
May 17, 2022 -
JS: change @id from js/actions/injection to js/actions/command-injection
#9184 merged
May 17, 2022 -
Java: Rename `FloatingPointLiteral` to `FloatLiteral`
#9181 merged
May 17, 2022 -
C#: Add missing EntityFramework SQL sinks
#9180 merged
May 17, 2022 -
Kotlin: Respect `override` modifier in useless parameter query
#9145 merged
May 17, 2022 -
Kotlin: exclude Kotlin source from 'inner class could be static' check
#9146 merged
May 17, 2022 -
Kotlin: Exclude operands of `NotNullExpr` from NullMaybe query
#9149 merged
May 17, 2022 -
Kotlin: Add more type check casts to MissingInstanceofInEquals query
#9150 merged
May 17, 2022 -
QL for QL: generalise non-US spelling query
#9132 merged
May 16, 2022 -
Swift: replace `getCanonicalPointer` with `std::variant`
#9172 merged
May 16, 2022 -
JS: add query for detecting insecure temporary files
#7626 merged
May 16, 2022 -
Ruby: add safe navigation operator
#8971 merged
May 16, 2022 -
C++: Fixes some typos and increases the XXE query precision.
#9142 merged
May 16, 2022 -
Dataflow: Improve standard order through easier type check elimination.
#9134 merged
May 16, 2022 -
Kotlin: Handle variables as comment owners
#9151 merged
May 16, 2022 -
Java: Fix Intent Redirection sanitizer
#8956 merged
May 16, 2022 -
Update CSV framework coverage reports
#9164 merged
May 14, 2022 -
Kotlin: Fix initializer field flow by extracting field finality
#9155 merged
May 13, 2022 -
Swift: Introduce visitors
#9144 merged
May 13, 2022 -
Kotlin: Don't use capture_output or text
#9131 merged
May 13, 2022 -
Java: Sensitive Info Log query improvements
#9127 merged
May 13, 2022 -
Swift: introduce dispatcher
#9112 merged
May 13, 2022 -
Swift: publish C++ generated code as artifacts
#9147 merged
May 13, 2022 -
Kotlin: QLDoc tweaks from intrigus
#9136 merged
May 13, 2022 -
Kotlin: Apply changes since https://github.com/github/codeql/pull/9109 branched away from kotlin-main
#9122 merged
May 13, 2022 -
Claim Go 1.18 support
#9113 merged
May 13, 2022 -
Update CSV framework coverage reports
#9143 merged
May 13, 2022 -
C++: Repair support for createLSParser in the CWE-611 XXE query.
#9114 merged
May 12, 2022 -
C++: Handle C++17 if and switch initializers
#9130 merged
May 12, 2022 -
Data flow: Add `Configuration::includeHiddenNodes()`
#9101 merged
May 12, 2022 -
JS: resolve main module when there is a folder with the same name as the main file
#9115 merged
May 12, 2022 -
Devcontainer: Install test dependencies
#9133 merged
May 12, 2022 -
Java: Add ReDoS queries
#7723 merged
May 12, 2022 -
JS: promote `js/actions/injection` out of experimental
#9021 merged
May 12, 2022 -
Python: Fully disallow `API::moduleImport` of module with dots
#9126 merged
May 12, 2022 -
Swift: `TrapOutput`
#9107 merged
May 12, 2022 -
Release preparation for version 2.9.2
#9128 merged
May 12, 2022 -
Fix non-US spellings and the corresponding query
#9119 merged
May 12, 2022 -
Ruby: Introduce `With(out)Element` MaD input tokens
#8938 merged
May 12, 2022 -
Ruby: Model IO.popen
#8635 merged
May 12, 2022 -
Update CSV framework coverage reports
#9124 merged
May 12, 2022 -
Kotlin: Fix some alerts
#9120 merged
May 12, 2022 -
JS: add support for typed NextJS route-handlers
#9103 merged
May 12, 2022 -
Java: tolerate `cookie.setSecure(request.isSecure())`
#9116 merged
May 11, 2022
29 Pull requests opened by 16 people
-
Kotlin: fix cases where type variables were used out of scope
#9123 opened
May 11, 2022 -
JS: recognize functions that return object of methods as library input
#9125 opened
May 12, 2022 -
Java: Add Expr::getUnderlyingExpr predicate
#9129 opened
May 12, 2022 -
Python: Modernise py/jinja2/autoescape-false
#9135 opened
May 12, 2022 -
Ruby: Add getAPrimaryQlClass to CfgNodes classes
#9137 opened
May 12, 2022 -
Ruby: Make StringArrayInclusion more sensitive
#9138 opened
May 12, 2022 -
ATM: make training data selection also select sinks that are NOT constants
#9140 opened
May 12, 2022 -
Kotlin: Fix extraction of reflective call generated by Parcelize
#9152 opened
May 13, 2022 -
Kotlin: Unify loop `break`/`continue` statement handling between java and kotlin
#9153 opened
May 13, 2022 -
Kotlin: Adjust diagnostic message severity
#9154 opened
May 13, 2022 -
ATM: sample negative examples down to 10%
#9156 opened
May 13, 2022 -
Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`
#9157 opened
May 13, 2022 -
Ruby: tweak join order in `API::Impl::edge`
#9159 opened
May 13, 2022 -
Ruby: stop considering post-update nodes to be local source nodes
#9175 opened
May 16, 2022 -
use string equality instead of regexps to compare constant strings
#9182 opened
May 16, 2022 -
Swift: move TBD code to ql
#9185 opened
May 17, 2022 -
Swift: declaration visitor
#9189 opened
May 17, 2022 -
Swift: statement visitor
#9192 opened
May 17, 2022 -
JS: Add individual per-security-query counting queries
#9193 opened
May 17, 2022 -
Swift: pattern visitor
#9194 opened
May 17, 2022 -
Java: Performance fixes for local flow relation
#9195 opened
May 17, 2022 -
Swift: expression visitor
#9196 opened
May 17, 2022 -
Swift: type visitor
#9197 opened
May 17, 2022 -
Swift: make C++ code generation more self-contained
#9198 opened
May 17, 2022 -
Java: CWE-552 Query to detect unsafe resource loading in Java Spring applications
#9199 opened
May 17, 2022 -
Python: Modernise weak file permissions query
#9200 opened
May 17, 2022 -
Data flow: Track state when computing cons candidates
#9204 opened
May 18, 2022 -
Ruby: flow through instance variables
#9206 opened
May 18, 2022 -
Java: Add sources for Android external storage
#9207 opened
May 18, 2022
3 Issues closed by 3 people
-
Is it possible to re-use databases for custom tools?
#9179 closed
May 17, 2022 -
Java: Rename `FloatingPointLiteral` to `FloatLiteral`
#9170 closed
May 17, 2022 -
LGTM.com - false positive in java/insecure-cookie rule
#9106 closed
May 11, 2022
3 Issues opened by 3 people
-
LGTM.com - false positive - Zip Slip when guard `FileNameUtils#normalize` is used
#9205 opened
May 18, 2022 -
taint tracking misses some results
#9177 opened
May 16, 2022 -
How to get the same security scans of CodeQL with Jenkins?
#9162 opened
May 13, 2022
23 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Python: add MaD implementation
#8883 commented on
May 17, 2022 • 25 new comments -
CPP: Add query for CWE-552 Files Accessible to External Parties when using rename
#9090 commented on
May 18, 2022 • 24 new comments -
CPP: Add query for CWE-670: Always-Incorrect Control Flow Implementation when use SSL_shutdown
#9087 commented on
May 17, 2022 • 20 new comments -
JS: ATM: New features for imports and for function parameters related to an endpoint
#8740 commented on
May 18, 2022 • 19 new comments -
C: refactor code to solve false positive
#8739 commented on
May 14, 2022 • 7 new comments -
Python: Promote `py/pam-auth-bypass`
#9108 commented on
May 18, 2022 • 7 new comments -
C/C++ : memory may not be freed on loop
#9053 commented on
May 17, 2022 • 5 new comments -
C#: Dotnet Runtime models.
#8600 commented on
May 12, 2022 • 3 new comments -
C#: Support suppression comments in XML files
#4948 commented on
May 17, 2022 • 2 new comments -
JS/Python/Ruby: Document how API graphs should be interpreted
#8606 commented on
May 18, 2022 • 2 new comments -
Simply query cannot find function even though it should be in the database
#9084 commented on
May 12, 2022 • 1 new comment -
False Negative with https://github.com/robmoffat/codeql-vuln-blog
#8880 commented on
May 13, 2022 • 1 new comment -
Python: Broaden noqa regex to allow comments
#6570 commented on
May 18, 2022 • 1 new comment -
Python dataflow: flow summaries restart
#8781 commented on
May 16, 2022 • 1 new comment -
C/C++ : Wrong Uint access
#8994 commented on
May 15, 2022 • 1 new comment -
ReDoS refactorizations
#8522 commented on
May 12, 2022 • 0 new comments -
Java: Add query for Improper Verification of Intent by Broadcast Receiver (CWE-925)
#8669 commented on
May 16, 2022 • 0 new comments -
Ruby: Data-flow through hashes
#8942 commented on
May 18, 2022 • 0 new comments -
C++: Update stats file
#8993 commented on
May 17, 2022 • 0 new comments -
C#: Dataflow callable refactoring.
#9014 commented on
May 18, 2022 • 0 new comments -
Data flow: Introduce `ContentDataFlow.qll`
#9024 commented on
May 18, 2022 • 0 new comments -
CPP: Add query for CWE-758: Reliance on Implementation-Defined Behavior when using malloc with zero size
#9088 commented on
May 13, 2022 • 0 new comments -
Kotlin: Write the log file as Line-delimited JSON
#9121 commented on
May 13, 2022 • 0 new comments