Insights: github/codeql
Overview
73 Pull requests merged by 22 people
-
qlpacks: libraryPathDependencies -> dependencies
#10964 merged
Oct 28, 2022 -
C++: Don't create `DataFlow::Node`s for `void`-typed instructions
#11033 merged
Oct 28, 2022 -
Kotlin: fix wildcard suppression where the annotation applies to a parent type/argument.
#11017 merged
Oct 28, 2022 -
Kotlin: specialise extension receivers the same as other function parameters
#11018 merged
Oct 28, 2022 -
Kotlin: Get some integration tests running on Windows
#11019 merged
Oct 28, 2022 -
C++: repair Adding365DaysPerYear.ql
#11020 merged
Oct 28, 2022 -
Kotlin: Remove `javaEquivalent` consistency query
#11026 merged
Oct 28, 2022 -
Swift: Simplify queries using MethodDecl.hasQualifiedName
#11031 merged
Oct 28, 2022 -
C++: Fix QL-for-QL in #10817
#11030 merged
Oct 28, 2022 -
Swift: Fix flow out of summarized callables
#10967 merged
Oct 28, 2022 -
Swift: fix remapping
#11028 merged
Oct 28, 2022 -
Kotlin: Fix external location in integration test
#11025 merged
Oct 28, 2022 -
C++: Fix `asExpr` and `asIndirectExpr` in IR dataflow
#10995 merged
Oct 28, 2022 -
InlineExpectationsTest: Fail if missing `getARelevantTag`
#10999 merged
Oct 28, 2022 -
C++: Fix printf.qll bug
#10938 merged
Oct 28, 2022 -
Misc: Add automatic `DataFlow Library` label
#11009 merged
Oct 28, 2022 -
RB: fix rb/code-injection
#10968 merged
Oct 28, 2022 -
C++: repair the ReturnCstr query
#10994 merged
Oct 27, 2022 -
Swift: Add MethodDecl.hasQualifiedName
#10996 merged
Oct 27, 2022 -
Go: Extract locations of successfully extracted files
#10997 merged
Oct 27, 2022 -
Kotlin: reintroduce pointless wildcards when a Java declaration explicitly uses them
#11003 merged
Oct 27, 2022 -
Kotlin: Ignore tags when comparing versions
#10976 merged
Oct 27, 2022 -
Kotlin: Fix integration tests on Mac
#11012 merged
Oct 27, 2022 -
JS: fix some more style-guide violations in the alert-messages
#10727 merged
Oct 27, 2022 -
Kotlin: Handle /modules/... paths specially too
#11011 merged
Oct 27, 2022 -
Swift: use `std::filesystem` and `picoSHA2`
#10987 merged
Oct 27, 2022 -
Javascript/Python: Tokens built from predictable UUIDs
#10943 merged
Oct 27, 2022 -
Kotlin: Handle /!unknown-binary-location/... paths specially on Windows
#11000 merged
Oct 27, 2022 -
Spelling code scanning product
#10905 merged
Oct 27, 2022 -
JS: Add Next.js parameters as source
#10984 merged
Oct 27, 2022 -
JS: remove some FPs in `js/password-in-configuration-file`
#10988 merged
Oct 27, 2022 -
Kotlin: fix test to expect diagnostic
#11006 merged
Oct 27, 2022 -
Swift: fix cmake generator on Linux
#11007 merged
Oct 27, 2022 -
Kotlin: do not report on unused `object` extension parameters
#10992 merged
Oct 27, 2022 -
Ruby: Add Faraday::Connection.new as sink for SSRF query
#10913 merged
Oct 26, 2022 -
C++: repair InconsistentLoopDirection
#10975 merged
Oct 26, 2022 -
C++: Prepare `Buffer.qll` for IR-based use-use dataflow
#10833 merged
Oct 26, 2022 -
Kotlin: don't try to call nonexistent `j.l.Number.toChar`
#10974 merged
Oct 26, 2022 -
Docs: Mention new navigation commands
#10925 merged
Oct 26, 2022 -
Java/Kotlin: Add a diagnostics consistency query
#10959 merged
Oct 26, 2022 -
C++: Prepare `cpp/cleartext-transmission` for IR-based use-use dataflow
#10838 merged
Oct 26, 2022 -
JS: Do not track returned values out of the enclosing function
#10985 merged
Oct 26, 2022 -
Update CSV framework coverage reports
#10977 merged
Oct 26, 2022 -
Swift: move libraries from `tools` to `third_party`
#10983 merged
Oct 26, 2022 -
C++: Fix performance issue on cpp/comma-before-misleading-indentation
#10958 merged
Oct 26, 2022 -
Swift: Fix UrlRemoteFlowSource name clash
#10973 merged
Oct 25, 2022 -
Swift: Add some summary queries.
#10903 merged
Oct 25, 2022 -
Java: update framework list
#10738 merged
Oct 25, 2022 -
C++: Fix `getType` in IR dataflow
#10965 merged
Oct 25, 2022 -
Kotlin: Exclude .kt files from `java/unreachable-catch-clause`
#10962 merged
Oct 25, 2022 -
Kotlin: Exclude constructs in serialization constructors from `java/evaluation-to-constant`
#10881 merged
Oct 25, 2022 -
C++: Spelling fixes and documentation clarification
#10966 merged
Oct 25, 2022 -
C++: additional comments for modulus analysis
#10939 merged
Oct 25, 2022 -
Kotlin: Improve `java/abstract-to-concrete-cast` to handle `when` branches
#10961 merged
Oct 25, 2022 -
JS: Bump version numbers of ML-powered packs after 0.3.6 release
#10963 merged
Oct 25, 2022 -
Python: Add TarSlip Improv query
#10887 merged
Oct 25, 2022 -
Java models-as-data: infer Kotlin $default models from that of its parent function
#10876 merged
Oct 25, 2022 -
Bazel/CMake: make cmake runnable from outside the workspace
#10953 merged
Oct 25, 2022 -
Kotlin: extract interface redeclarations of `Object` methods
#10952 merged
Oct 25, 2022 -
documentation for type signature members
#10929 merged
Oct 24, 2022 -
Kotlin: ignore enhanced nullability when extracting primitive types
#10921 merged
Oct 24, 2022 -
Swift: fix missing extraction of function bodies in SPM builds
#10955 merged
Oct 24, 2022 -
RB: don't flag code-injection for dynamic loading where an attacker only controls a substring
#10883 merged
Oct 24, 2022 -
Swift: Add a new Custom URL Scheme source
#10892 merged
Oct 24, 2022 -
Ruby: add model for Dir.glob and other Dir methods
#10888 merged
Oct 24, 2022 -
Ruby: handle compound constant-assignment
#10918 merged
Oct 24, 2022 -
Ruby: assume some global constants are defined
#10928 merged
Oct 24, 2022 -
C++: Update test result after extractor changes
#10912 merged
Oct 24, 2022 -
Kotlin: exclude Kotlin files from `java/underscore-identifier`
#10949 merged
Oct 24, 2022 -
Kotlin: give external extension properties with matching name and file distinct trap filenames
#10930 merged
Oct 24, 2022 -
Kotlin: make internal constructors' trap labels consistent with the Java extractor
#10936 merged
Oct 24, 2022 -
Swift: add infrastructure for documenting generated code
#10875 merged
Oct 24, 2022 -
Swift: add qltest tests and fix its failure reporting
#10924 merged
Oct 24, 2022
30 Pull requests opened by 19 people
-
Swift: detect hash functions with low # of iterations
#10947 opened
Oct 23, 2022 -
Swift: extract `RegexLiteralExpr`
#10950 opened
Oct 24, 2022 -
Kotlin: Fix location (start position) of method calls
#10951 opened
Oct 24, 2022 -
Swift: failing test for linkage awareness
#10956 opened
Oct 24, 2022 -
Ruby: document API graphs
#10957 opened
Oct 24, 2022 -
CI: Add Internal CI Checks workflow
#10969 opened
Oct 25, 2022 -
[Draft] Java: Add Android missing certificate pinning query (CWE-295)
#10971 opened
Oct 25, 2022 -
Ruby: Case barrier guards
#10981 opened
Oct 26, 2022 -
JS: push more context into load/store steps from the exploratory flow-analysis
#10986 opened
Oct 26, 2022 -
C#: Just for test execution.
#10991 opened
Oct 26, 2022 -
Swift: detect the use of constant salts
#10993 opened
Oct 26, 2022 -
Python: Add failing ESSA use-use test
#10998 opened
Oct 26, 2022 -
Swift: Unsafe JS Eval Query
#11001 opened
Oct 26, 2022 -
Update go libraries to 55e052a
#11002 opened
Oct 26, 2022 -
Use `${workspace}` for intra-workspace dependencies
#11004 opened
Oct 26, 2022 -
Swift: rework workflows
#11008 opened
Oct 27, 2022 -
Ruby: use flow-insensitive capture flow in flowsTo and type tracking
#11010 opened
Oct 27, 2022 -
JS: second-order-command-injection
#11013 opened
Oct 27, 2022 -
Kotlin: Resugar `for` loops
#11014 opened
Oct 27, 2022 -
Go: exclude protobuf read steps from cleartext-logging query
#11015 opened
Oct 27, 2022 -
Java: Check whether there are internal files in the App that can be read and written by any other App
#11016 opened
Oct 27, 2022 -
Ruby: try/try! as code execution
#11022 opened
Oct 27, 2022 -
Tests
#11024 opened
Oct 28, 2022 -
Swift: WebView JS-native bridge sources
#11027 opened
Oct 28, 2022 -
Swift: add possibility to run the extractor under an env-specified tool
#11029 opened
Oct 28, 2022 -
Kotlin: exclude loop variables on ranges from 'unused locals' check
#11032 opened
Oct 28, 2022 -
Swift: Add and use AbstractFunctionDecl.hasGlobalName predicate.
#11034 opened
Oct 28, 2022 -
Swift: Simplify some more QL
#11035 opened
Oct 28, 2022 -
Swift: Add and use ApplyExpr.getArgumentByParamName.
#11036 opened
Oct 28, 2022 -
Kotlin: Integration tests: Allow \ as a path separator in logs test
#11037 opened
Oct 28, 2022
5 Issues closed by 5 people
-
Analysis of module-ified TypeScript compiler repo takes >6 hours, normally 6 minutes
#10937 closed
Oct 26, 2022 -
False positive from cpp/wrong-number-format-arguments
#10941 closed
Oct 25, 2022 -
Questions about CPP BufferWrite module
#10926 closed
Oct 25, 2022 -
LGTM.com - false positive
#10945 closed
Oct 24, 2022 -
How can I query the receiver object of a call in java
#10946 closed
Oct 23, 2022
11 Issues opened by 10 people
-
General issue
#11039 opened
Oct 28, 2022 -
Code scanning results should be visible to everyone, not only those with write permission on the repository
#11021 opened
Oct 27, 2022 -
CodeQL ships vulnerable version of commons-text (1.6)
#10990 opened
Oct 26, 2022 -
(java,bug)SpringRequestMappingMethod::getValue does not return when a constant in jar is used
#10989 opened
Oct 26, 2022 -
Platform support request: FreeBSD
#10982 opened
Oct 26, 2022 -
Missing data flow
#10980 opened
Oct 26, 2022 -
go SqlInjection ... Ellipsis
#10979 opened
Oct 26, 2022 -
CPP - fields of classes inside namespaces are not parsed correctly in the AST
#10972 opened
Oct 25, 2022 -
False positive - Uncontrolled data used in path expression
#10948 opened
Oct 23, 2022 -
codeql database analyze ERROR: Could not resolve predicate ref_returns/1 General issue
#10944 opened
Oct 22, 2022 -
Forks of this repository spam contributors with failing CI jobs
#10942 opened
Oct 22, 2022
28 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Javascript: Improve Restify support and add new Spife support
#10663 commented on
Oct 25, 2022 • 40 new comments -
Java: Promote insufficient key size query from experimental
#10785 commented on
Oct 27, 2022 • 31 new comments -
C#: Generate data extension files
#10777 commented on
Oct 28, 2022 • 16 new comments -
Run some tests
#10858 commented on
Oct 26, 2022 • 10 new comments -
ReDoS: testing a parameterised ReDoS module
#10604 commented on
Oct 28, 2022 • 6 new comments -
DO NOT MERGE: Replace AST with IR use-use dataflow
#10817 commented on
Oct 28, 2022 • 4 new comments -
Ruby: Document flow summary syntax
#10899 commented on
Oct 28, 2022 • 3 new comments -
CodeQL False Positive? java/xxe with javax.xml.transform.Transformer
#10766 commented on
Oct 23, 2022 • 2 new comments -
Ruby: Model some ActiveSupport methods
#10700 commented on
Oct 28, 2022 • 2 new comments -
Ruby: taint-steps for printf calls - and add a `AdditionalTaintStep` class
#10855 commented on
Oct 24, 2022 • 2 new comments -
Java: Add library support for activity-alias elements in AndroidManifest.qll
#10865 commented on
Oct 28, 2022 • 2 new comments -
False positive - Log entries created from user input
#10922 commented on
Oct 24, 2022 • 1 new comment -
CodeQL analysis hangs up on UnsupportedExternalAPIs.ql
#10866 commented on
Oct 27, 2022 • 1 new comment -
Update bazel to v5.3.1
#10481 commented on
Oct 26, 2022 • 1 new comment -
Python: Clean up import resolution
#10861 commented on
Oct 27, 2022 • 1 new comment -
Ruby: Fix flow steps into phi nodes
#10931 commented on
Oct 24, 2022 • 1 new comment -
Ruby: first draft of data flow docs
#10932 commented on
Oct 27, 2022 • 1 new comment -
CPP: Add query for CWE-297: Improper Validation of Certificate with Host Mismatch
#9086 commented on
Oct 28, 2022 • 0 new comments -
Python: New call-graph based on type-trackers [still WIP]
#10148 commented on
Oct 27, 2022 • 0 new comments -
Create a shared implementation for Locations and Files
#10592 commented on
Oct 28, 2022 • 0 new comments -
RB: add an unsafe-shell-command-construction query
#10680 commented on
Oct 24, 2022 • 0 new comments -
Ruby: also treat included/prepended modules as subclasses
#10747 commented on
Oct 28, 2022 • 0 new comments -
JS: Move mongodb model to a data-extension (experimental, do not merge)
#10751 commented on
Oct 26, 2022 • 0 new comments -
ATM/refactor endpoint filters to labels 1
#10834 commented on
Oct 24, 2022 • 0 new comments -
Rb: Add an `unsafe-code-construction` query
#10862 commented on
Oct 24, 2022 • 0 new comments -
Ruby: drop beta notice
#10873 commented on
Oct 27, 2022 • 0 new comments -
Ruby: Call-context sensitivity for singleton method calls
#10917 commented on
Oct 24, 2022 • 0 new comments -
C#: Include "phi reads" in `DataFlow::Node`
#10927 commented on
Oct 22, 2022 • 0 new comments