Insights: github/codeql
Overview
52 Pull requests merged by 24 people
-
Python/Ruby/JS Crypto: Add a few algorithms + block modes
#12165 merged
Feb 15, 2023 -
Java: merge the @class and @interface database types and tables
#12111 merged
Feb 15, 2023 -
Go: Upgrade extractor compiler and dependency versions
#12188 merged
Feb 15, 2023 -
Swift: some restructuring of codegen
#12180 merged
Feb 15, 2023 -
Update CSV framework coverage reports
#12191 merged
Feb 15, 2023 -
Ruby: Refactor test directories
#12056 merged
Feb 15, 2023 -
C++: Better discrimination for union `Content`s
#12184 merged
Feb 14, 2023 -
Java: update `createTempDirectory` and `copy` "create-file" sinks
#12081 merged
Feb 14, 2023 -
Python: Clean up version handling
#12029 merged
Feb 14, 2023 -
C++: Update test annotations for use-use dataflow
#12185 merged
Feb 14, 2023 -
C++: Fix node types
#12181 merged
Feb 14, 2023 -
JS: dont recognize regexps that match dot as sanitizers
#12171 merged
Feb 14, 2023 -
JS: add `HtmlSanitizer` as a sanitizer DOMBasedXss
#12166 merged
Feb 14, 2023 -
C++: Use `Content` approximation
#12182 merged
Feb 14, 2023 -
JS: add encodeURIComponent as a sanitizer for request-forgery
#11959 merged
Feb 14, 2023 -
JS: More library inputs
#12170 merged
Feb 14, 2023 -
JS: add express-ws as a source
#12159 merged
Feb 14, 2023 -
Java: Stub generator: Use fully qualified names to avoid conflicts
#12174 merged
Feb 14, 2023 -
Java: Improve performance of GeneratedFileMarker.
#12138 merged
Feb 14, 2023 -
Java: Add local version of the XXE query
#12139 merged
Feb 14, 2023 -
Java: Exclude interface members from model generation.
#11634 merged
Feb 14, 2023 -
Move `NumberUtils.qll` from Ruby into shared `util` pack
#12169 merged
Feb 13, 2023 -
Go: port integration tests
#12130 merged
Feb 13, 2023 -
QLDocs: Document inline_late pragma
#12162 merged
Feb 13, 2023 -
Data flow: Call context virtual dispatch pruning in stage 1
#12124 merged
Feb 13, 2023 -
C# 11: Test of relaxed shift operator requirements.
#12147 merged
Feb 13, 2023 -
Ruby: add support for one-line pattern matches
#12093 merged
Feb 13, 2023 -
C++: Add `semmle.code.cpp.dataflow.new`
#12163 merged
Feb 13, 2023 -
Add `hasLocationInfo` for `Type`s
#12131 merged
Feb 13, 2023 -
Ruby: add library input as a source for `rb/polynomial-redos`
#10782 merged
Feb 13, 2023 -
RB: add query detecting validators that use badly anchored regular expressions on library/remote input
#11824 merged
Feb 13, 2023 -
Swift: make `codegen` run also outside `bazel`
#12164 merged
Feb 13, 2023 -
Swift: control flow for #available
#12150 merged
Feb 13, 2023 -
Swift: add documentation for generated documentation
#12137 merged
Feb 13, 2023 -
C++: Fix spurious flow-through
#12149 merged
Feb 10, 2023 -
C++: Remove experimental copy of the use-use IR dataflow library
#12151 merged
Feb 10, 2023 -
C++: Revert `semmle.code.cpp.dataflow` to its old state
#12148 merged
Feb 10, 2023 -
Rename Query History Actions
#12000 merged
Feb 10, 2023 -
C++: Do not mark global indirect flow as spurious in dataflow tests
#12146 merged
Feb 10, 2023 -
C# 11: Scoped parameters and local variables.
#12103 merged
Feb 10, 2023 -
C++: Deduplicate `OutNode`s
#12141 merged
Feb 10, 2023 -
Swift: remove query predicates in upgrade/downgrade scripts
#12140 merged
Feb 10, 2023 -
C#: Delete dead assembly load code.
#12067 merged
Feb 9, 2023 -
C++: Map operand nodes that are only used once onto the related instruction node
#12004 merged
Feb 9, 2023 -
Kotlin: 1.8.10 and 1.8.20 are supported, and use 1.8.10 for CI
#12090 merged
Feb 9, 2023 -
build(deps): bump serde_json from 1.0.91 to 1.0.93 in /ruby
#12134 merged
Feb 9, 2023 -
Go: Downgrade `go/log-injection` precision to medium
#12132 merged
Feb 9, 2023 -
Swift: Move some models into collections
#12126 merged
Feb 9, 2023 -
C# 11: Check that we get AST for structs that doesn't initialise all fields.
#12058 merged
Feb 9, 2023 -
C#/Java: Materialize sink/source/summary predicates to avoid bad join order.
#12118 merged
Feb 9, 2023 -
build(deps): bump serde_json from 1.0.92 to 1.0.93 in /ql
#12135 merged
Feb 9, 2023 -
[GoLang] Add support for Twirp framework
#12059 merged
Feb 8, 2023
19 Pull requests opened by 12 people
-
Swift: `case let` dataflow
#12133 opened
Feb 8, 2023 -
Python: Shared SSA analysis
#12152 opened
Feb 10, 2023 -
C#: Improve C# autobuilder compatibility with Arm-based Macs
#12153 opened
Feb 10, 2023 -
Swift: More path injection sinks
#12154 opened
Feb 10, 2023 -
Java: add ssrf models discovered with heuristics
#12155 opened
Feb 10, 2023 -
C#: Checked operator support.
#12167 opened
Feb 13, 2023 -
Python: Add modeling of `hmac`
#12168 opened
Feb 13, 2023 -
JS: add process.env and process.argv etc. as source for `js/regex-injection`
#12175 opened
Feb 13, 2023 -
C++: use explicit models for reverse flow
#12176 opened
Feb 13, 2023 -
JS: Add more alias steps to unsafe-html-construction
#12177 opened
Feb 13, 2023 -
Java - Adding support for com.microsoft.sqlserver.jdbc.SQLServerDataSource to CWE-798
#12178 opened
Feb 14, 2023 -
Python: Update a few examples so queries work on them
#12183 opened
Feb 14, 2023 -
Data flow: Refactor configuration
#12186 opened
Feb 14, 2023 -
JS: also consider relative exports when finding library inputs
#12189 opened
Feb 14, 2023 -
JS: Actually extract `.html.erb` files.
#12190 opened
Feb 14, 2023 -
Python: Fix `from <pkg> import *` import resolution
#12193 opened
Feb 15, 2023 -
PY: delete the cached-stages-pattern from Python
#12194 opened
Feb 15, 2023 -
Java: Test generator improvements
#12195 opened
Feb 15, 2023 -
C#: Add an integration test which uses MSBuild
#12196 opened
Feb 15, 2023
5 Issues closed by 3 people
-
General issue - Broken DataFlow in javascript
#12115 closed
Feb 13, 2023 -
task_assigned_email.html - Crowdin - Crowdin translation
#12160 closed
Feb 13, 2023 -
LGTM.com - false positive
#8847 closed
Feb 13, 2023 -
LGTM.com - false positive [Node.JS Express]
#8807 closed
Feb 13, 2023 -
JavaExtractorArgs#parse method parameter parsing takes too long
#12136 closed
Feb 9, 2023
2 Issues opened by 2 people
-
Updated Kotlin version range 1.8.10
#12172 opened
Feb 13, 2023 -
General issue - python default query suite not giving any results
#12156 opened
Feb 11, 2023
24 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
[Ruby] Add support for Twirp framework
#12083 commented on
Feb 15, 2023 • 18 new comments -
Python: Unsafe unpacking using `shutil.unpack_archive()` query and tests
#11570 commented on
Feb 12, 2023 • 15 new comments -
Py: add unsafe-shell-command-construction
#12047 commented on
Feb 15, 2023 • 13 new comments -
JS: Use shared `CryptographicOperation` concept
#12080 commented on
Feb 15, 2023 • 10 new comments -
JS: Implement diagnostics
#12113 commented on
Feb 14, 2023 • 7 new comments -
Ruby: flow steps for ActionController filters
#12051 commented on
Feb 14, 2023 • 6 new comments -
Go: go/log-injection produces false positives for logrus when sanitising formatters are used
#11657 commented on
Feb 9, 2023 • 4 new comments -
DO NOT MERGE: Replace AST with IR use-use dataflow
#10817 commented on
Feb 15, 2023 • 4 new comments -
Swift: Extract typealias relations
#12001 commented on
Feb 13, 2023 • 4 new comments -
Rb: more taint-steps for shell-command-construction
#11478 commented on
Feb 15, 2023 • 3 new comments -
JS: Sanitizer for `sanitizer(x) === true`
#11769 commented on
Feb 14, 2023 • 3 new comments -
Python: New type-tracking based call-graph
#11376 commented on
Feb 10, 2023 • 2 new comments -
Script to generate shared code metrics
#12091 commented on
Feb 14, 2023 • 2 new comments -
CPP: Add query for CWE-369: Divide By Zero.
#10431 commented on
Feb 12, 2023 • 1 new comment -
MSBuild doesn't respect MvcBuildViews-setting in .csproj -file when run through CodeQL-cli or through codeql github action
#11890 commented on
Feb 8, 2023 • 0 new comments -
False positive - Uncontrolled data used in path expression
#10948 commented on
Feb 12, 2023 • 0 new comments -
JS: use the class hierarchy from TypeScript in the callgraph
#5694 commented on
Feb 15, 2023 • 0 new comments -
Add a test file
#9967 commented on
Feb 15, 2023 • 0 new comments -
Python: Support more dictionary read/store steps
#11280 commented on
Feb 13, 2023 • 0 new comments -
Go: Allow data flow through varargs parameters
#11732 commented on
Feb 13, 2023 • 0 new comments -
[WIP] Add ATM support for Java
#11898 commented on
Feb 15, 2023 • 0 new comments -
Java: Promote Hardcoded JWT credential query
#12032 commented on
Feb 15, 2023 • 0 new comments -
[Draft] Java: Model the Netty framework
#12049 commented on
Feb 14, 2023 • 0 new comments -
Ruby: Model ApplicationController.renderer
#12053 commented on
Feb 14, 2023 • 0 new comments