Insights: github/codeql
September 14, 2022 – September 21, 2022
Overview
72 Pull requests merged by 24 people
-
Update section on query specifiers
#10500 merged
Sep 21, 2022 -
QL: improve the `ql/alert-message-style-violation` query.
#10513 merged
Sep 21, 2022 -
Aeisenberg/merge rc3.7 into main
#10496 merged
Sep 21, 2022 -
Kotlin: Extract `suspend` functions
#10473 merged
Sep 21, 2022 -
Swift: fix `IfConfigDecl` in QL libraries
#10511 merged
Sep 21, 2022 -
Kotlin: Tidy up TrapLocker
#10495 merged
Sep 21, 2022 -
Kotlin: Catch exception thrown by kotlinc
#10353 merged
Sep 21, 2022 -
Swift: skip one more unsupported CLI arg
#10488 merged
Sep 21, 2022 -
Ruby: Do not expose AST layer through `ruby.qll`
#10376 merged
Sep 21, 2022 -
C#: Integration test(s)
#10465 merged
Sep 21, 2022 -
Swift: move toposort in `schema.py`
#10508 merged
Sep 21, 2022 -
C++: Multiple minor improvements to the cpp/cleartext-* queries
#10300 merged
Sep 21, 2022 -
Ruby: Fix bad join-order
#10491 merged
Sep 21, 2022 -
GO: make the alert messages of taint-tracking queries more consistent
#10413 merged
Sep 21, 2022 -
Update CSV framework coverage reports
#10501 merged
Sep 21, 2022 -
RB: make the alert messages of taint-tracking queries more consistent
#10304 merged
Sep 20, 2022 -
Python: Fix imports for tarslip tests
#10494 merged
Sep 20, 2022 -
Python: `getStarArg` gives first `*args` argument
#10387 merged
Sep 20, 2022 -
Swift: do not extract unresolved things from `IfConfigDecl`
#10386 merged
Sep 20, 2022 -
Bazel: add some bazel files to `CODEOWNERS`
#10492 merged
Sep 20, 2022 -
C++: Add shared files in `experimental` to `identical-files.json`.
#10487 merged
Sep 20, 2022 -
JS: change alert messages of path queries to use the same template
#10286 merged
Sep 20, 2022 -
Java: Promote Server-side template injection from experimental
#10352 merged
Sep 20, 2022 -
Swift: remove (dead) VFS related code
#10452 merged
Sep 20, 2022 -
Swift: trigger workflows on bazel changes
#10482 merged
Sep 20, 2022 -
Ruby: Rework call graph implementation
#10336 merged
Sep 20, 2022 -
Swift: Fix missing results in swift/cleartext-storage-database
#10430 merged
Sep 20, 2022 -
Ruby: model ActionView::FileSystemResolver as a FileSystemAccess
#10450 merged
Sep 20, 2022 -
Python dataflow: flow summaries restart
#8781 merged
Sep 20, 2022 -
Swift: fix version in integration tests
#10485 merged
Sep 20, 2022 -
JS: filter out "file read after existence check" from js/file-system-race
#10471 merged
Sep 20, 2022 -
ruby: remove unused predicate from NfaUtilsSpecific
#10476 merged
Sep 20, 2022 -
Java: Improve and add predicates and classes for annotations
#6246 merged
Sep 20, 2022 -
update the style guide on alert-messages
#10405 merged
Sep 20, 2022 -
Go: Fix source/sanitizer class that were never used
#10475 merged
Sep 20, 2022 -
JS: don't mention classes that don't exist in TaintTracking.qll
#10472 merged
Sep 20, 2022 -
Java: really return a unique location for non-source entities
#10457 merged
Sep 20, 2022 -
C++: Add a `cpp/invalid-pointer-deref` query to experimental
#10438 merged
Sep 20, 2022 -
Swift: open(2) interception
#10447 merged
Sep 20, 2022 -
C#: Theorems for Free - Model generation
#10238 merged
Sep 20, 2022 -
Add redirect for removed 'About QL packs' article
#10468 merged
Sep 19, 2022 -
C#: Remove `dotnet run` support in LUA tracer.
#10464 merged
Sep 19, 2022 -
Python: Allow `CallNode.getArgByName` for keyword args after `**kwargs`
#10384 merged
Sep 19, 2022 -
ensure consistent casing of names
#10312 merged
Sep 19, 2022 -
python: Port `RaisingTuple.ql` to not use `points-to`
#10264 merged
Sep 19, 2022 -
python: port UnguardedNextInIterator from `points-to` to API graph
#10265 merged
Sep 19, 2022 -
python: rewrite CatchingBaseException from `points-to` to API graph
#10266 merged
Sep 19, 2022 -
JS: Fix FP in js/regexp/always-matches
#10396 merged
Sep 19, 2022 -
Updates the library path section of the CodeQL spec
#10460 merged
Sep 16, 2022 -
Post-release preparation for codeql-cli-2.10.5
#10456 merged
Sep 16, 2022 -
Java: Add test for annotations with annotation-array-typed fields
#10445 merged
Sep 16, 2022 -
Swift: Update test for swift/cleartext-transmission
#10455 merged
Sep 16, 2022 -
Docs: Use `instanceof` in `::Range` pattern description
#10404 merged
Sep 16, 2022 -
Java: Model taint flow for java.net.URI constructors in tainted path queries
#10393 merged
Sep 16, 2022 -
Java: Remove low confidence dispatch for which we have a manual summary.
#10416 merged
Sep 16, 2022 -
Correct link to API docs for 'Get a CodeQL database for a repository'
#10449 merged
Sep 16, 2022 -
Java: Add test regarding the type of an implicit `this` expression
#10191 merged
Sep 16, 2022 -
Swift: skip more unsupported CLI args (new in Xcode 14)
#10448 merged
Sep 16, 2022 -
Update CSV framework coverage reports
#10446 merged
Sep 16, 2022 -
QL: recognize the names from all VarDefs
#10443 merged
Sep 15, 2022 -
JavaScript: remove upper-case variable names
#10439 merged
Sep 15, 2022 -
Token validation
#9693 merged
Sep 15, 2022 -
Java: Fix wrong packages in minor analysis change note
#10437 merged
Sep 15, 2022 -
Java: remove upper-case variable name
#10440 merged
Sep 15, 2022 -
C++: remove more upper-case variable names
#10435 merged
Sep 15, 2022 -
Java: Add Implicit PendingIntents sinks for Compat classes
#10330 merged
Sep 15, 2022 -
Java: Add summaries for NotificationCompat and its inner classes
#10318 merged
Sep 15, 2022 -
Bazel: only pass `-std=c++17` for C++ compilation
#10434 merged
Sep 15, 2022 -
Ruby: Fix bad join-order in DB upgrade script
#10425 merged
Sep 15, 2022 -
Kotlin: Remove an unused method
#10419 merged
Sep 15, 2022 -
Kotlin: Compile with -Werror, and fix warnings
#10427 merged
Sep 15, 2022 -
C++: remove several upper-case `NamedExpression` variable names
#10420 merged
Sep 15, 2022
34 Pull requests opened by 19 people
-
CPP: Add query for CWE-369: Divide By Zero.
#10431 opened
Sep 15, 2022 -
C#: Fix join order in InterpretedCallable characteristic predicate.
#10433 opened
Sep 15, 2022 -
C#: Dynamically create type based summaries
#10436 opened
Sep 15, 2022 -
Ruby: Add post-update nodes for compound arguments
#10444 opened
Sep 15, 2022 -
Ruby: bazel
#10451 opened
Sep 16, 2022 -
Update qlpack properties descriptions
#10458 opened
Sep 16, 2022 -
Update the analyze databases article
#10459 opened
Sep 16, 2022 -
C#: Prepend `-p:UseSharedCompilation=false` instead of append for `dotnet run`
#10469 opened
Sep 19, 2022 -
JS: Try to parse files without using our parser extensions before enabling the extensions
#10470 opened
Sep 19, 2022 -
Kotlin: Add test cases for argument-parameter mismatch
#10477 opened
Sep 19, 2022 -
Java: add Android service sources
#10479 opened
Sep 19, 2022 -
Update supported language codes
#10480 opened
Sep 19, 2022 -
Update bazel to v5.3.1
#10481 opened
Sep 19, 2022 -
Java: Delete some unused code
#10486 opened
Sep 20, 2022 -
JS: Remove old Portal-based flow summary implementation
#10490 opened
Sep 20, 2022 -
Java: Improve `ImportStaticTypeMember` and `ImportStaticOnDemand`
#10497 opened
Sep 20, 2022 -
Java: Add `CompilationUnit.getATypeAvailableBySimpleName()`
#10498 opened
Sep 20, 2022 -
Java: Add `getJavadoc` predicate for `JavadocParent` and `JavadocElement`
#10499 opened
Sep 20, 2022 -
Ruby: Two fixes for `private` methods
#10504 opened
Sep 21, 2022 -
Data flow: Guard against `viableImplInCallContext` not being a subset of `viableCallable`
#10505 opened
Sep 21, 2022 -
Kotlin: Fix type access expressions in enum constructor calls
#10506 opened
Sep 21, 2022 -
CPP: Make more alert-messages follow the style guide
#10507 opened
Sep 21, 2022 -
C#: Add test case for `JsonConvert.DeserializeObject` in interpolated string
#10509 opened
Sep 21, 2022 -
C++: Fix FPs for cpp/unused-static-function in files that were not extracted completely
#10510 opened
Sep 21, 2022 -
Ruby: add Hash.from_trusted_xml as an unsafe deserialization sink
#10512 opened
Sep 21, 2022 -
Ruby/call graph nested methods test
#10514 opened
Sep 21, 2022 -
Run tests
#10515 opened
Sep 21, 2022 -
Swift: express the schema in Python
#10516 opened
Sep 21, 2022 -
Ruby: Add query for debugging regexp flow
#10517 opened
Sep 21, 2022 -
Fixing wrong example
#10518 opened
Sep 21, 2022 -
Kotlin: Fix comment extraction for anonymous objects
#10520 opened
Sep 21, 2022 -
Swift: update Swift package to 5.7
#10522 opened
Sep 21, 2022 -
Java: Disable Kotlin element of test re: database inconsistency exposed by JDK18 extractor upgrade
#10523 opened
Sep 21, 2022 -
Bump actions/stale from 5 to 6
#10527 opened
Sep 22, 2022
7 Issues closed by 6 people
-
Expected exactly one pattern. [INVALID_RESULT_PATTERNS]
#10484 closed
Sep 20, 2022 -
LGTM.com - false positive
#10462 closed
Sep 20, 2022 -
Query evaluation ran out of Java heap
#10432 closed
Sep 19, 2022 -
C:FunctionCall has different name from its in source code
#10467 closed
Sep 19, 2022 -
General issue
#10463 closed
Sep 17, 2022 -
BUGS report
#9864 closed
Sep 16, 2022 -
XSS Java not detected in a simple example
#10395 closed
Sep 15, 2022
4 Issues opened by 4 people
-
codeql resolve qlpacks hangs
#10526 opened
Sep 22, 2022 -
How to customize the results of @kind: path-problem ?
#10493 opened
Sep 20, 2022 -
CPP: Missing code in database
#10466 opened
Sep 17, 2022 -
LGTM.com - false positive - unused static function
#10442 opened
Sep 15, 2022
24 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Java: Android deeplink analysis
#10368 commented on
Sep 21, 2022 • 7 new comments -
Ruby: RBI library changes to support models-as-data model generation
#9932 commented on
Sep 21, 2022 • 6 new comments -
CPP:Some questions about Control flow analyse and query time
#10411 commented on
Sep 20, 2022 • 4 new comments -
General issue (No source was seen and extracted)
#10132 commented on
Sep 21, 2022 • 4 new comments -
Java: Promote `PathSanitizer.qll` from experimental
#10177 commented on
Sep 21, 2022 • 4 new comments -
Java: New Android query to detect unsafe content URI resolution
#10223 commented on
Sep 21, 2022 • 4 new comments -
false positive: Data flow doesn't restrict while variable reassigned
#9935 commented on
Sep 15, 2022 • 2 new comments -
JS: expand localFieldStep to use access-paths, and build access-paths in more cases
#10378 commented on
Sep 19, 2022 • 2 new comments -
Java: Add query for WebView debugging enabled
#10241 commented on
Sep 21, 2022 • 1 new comment -
Ruby: Call sensitive instance method resolution
#10358 commented on
Sep 21, 2022 • 1 new comment -
Java: JavadocTag does not contain multi-line JavadocText children
#3825 commented on
Sep 19, 2022 • 0 new comments -
Java: Add Import.getATypeImport
#4119 commented on
Sep 20, 2022 • 0 new comments -
QL: detect unqueryable code
#8454 commented on
Sep 20, 2022 • 0 new comments -
Kotlin: Implement JvmOverloads annotation
#9811 commented on
Sep 21, 2022 • 0 new comments -
Java: Add support for data flow through thrown exceptions.
#9914 commented on
Sep 16, 2022 • 0 new comments -
New atm features rebased
#10018 commented on
Sep 21, 2022 • 0 new comments -
Wip: test changes to fieldflowbranchlimit semantics
#10025 commented on
Sep 16, 2022 • 0 new comments -
Ruby: Model Activestorage
#10090 commented on
Sep 20, 2022 • 0 new comments -
JS: Add generated typings to SQL models
#10253 commented on
Sep 20, 2022 • 0 new comments -
Ruby: Model ActionView
#10316 commented on
Sep 20, 2022 • 0 new comments -
Ruby: Treat ActiveRecord::Base.create as a model instantiation
#10338 commented on
Sep 20, 2022 • 0 new comments -
Ruby: add `rb/sensitive-get-query` query
#10369 commented on
Sep 20, 2022 • 0 new comments -
Ruby: type-tracking and API edges through simple library callables
#10375 commented on
Sep 20, 2022 • 0 new comments -
C++: Further work on buffer-overflow queries
#10398 commented on
Sep 21, 2022 • 0 new comments