Insights: github/codeql
Overview
50 Pull requests merged by 20 people
-
C++: Include inline namespaces in `StdNamespace`
#13234 merged
May 22, 2023 -
Ruby: Allow for flow out of callbacks passed to summarized methods in type tracking
#13233 merged
May 22, 2023 -
C++: Add `cpp/invalid-pointer-deref` false positives
#13237 merged
May 22, 2023 -
repair and update the Identifier section of the QL specification
#13236 merged
May 22, 2023 -
C++: Add FP testcase for `cpp/overrun-write`
#13229 merged
May 22, 2023 -
Swift: fix hidden AST getters
#13232 merged
May 22, 2023 -
JS: require arguments to be shell interpreted to be flagged by indirect-command-injection
#13196 merged
May 22, 2023 -
Java: Add TemplateEngine.createTemplate as a Groovy injection sink
#13230 merged
May 22, 2023 -
Ruby: Allow for flow through callbacks to summarized methods in type tracking
#13231 merged
May 22, 2023 -
Swift: Use asNominalTypeDecl more.
#13223 merged
May 19, 2023 -
add syntax for signature definitions to QL specification
#13222 merged
May 19, 2023 -
Swift: Drop support for plaintext diagnostics (and `helpLinks`).
#13224 merged
May 19, 2023 -
Swift: reword TSP diagnostics after doc team review
#13186 merged
May 19, 2023 -
Swift: Taint model for FilePath
#13221 merged
May 19, 2023 -
Update CSV framework coverage reports
#13220 merged
May 19, 2023 -
Swift: Emit diagnostics on assertion/expectation violations.
#13170 merged
May 18, 2023 -
C++: Replace `C18` with `C17` in documentation
#13218 merged
May 18, 2023 -
C++: Small cleanup of `cpp/overrun-write`
#13217 merged
May 18, 2023 -
Java: Add SQLi sinks for Spring JDBC
#13140 merged
May 18, 2023 -
C++: Fix pointer/pointee conflation
#13191 merged
May 18, 2023 -
C++: Update documentation for `TypeMention`
#13215 merged
May 18, 2023 -
C++: Use range analysis-based `hasSize` predicate in `cpp/invalid-pointer-deref`
#13203 merged
May 18, 2023 -
Java: Promote experimental XXE sinks
#12932 merged
May 17, 2023 -
Change regexp to include released change-notes pattern
#13192 merged
May 17, 2023 -
C++: Implement the `subpaths` query predicate for `cpp/invalid-pointer-deref`
#13200 merged
May 17, 2023 -
C#: Add extension method testcase for Models as Data.
#13204 merged
May 17, 2023 -
Misc: Add script to accept `.expected` changes from CI
#12977 merged
May 17, 2023 -
Python: Container summaries, part 1
#13146 merged
May 17, 2023 -
C++: Speedup product dataflow
#13139 merged
May 17, 2023 -
JS: remove mention of TrackedNode from docs
#13194 merged
May 17, 2023 -
Swift: bump all versions to 0.1.0
#13201 merged
May 17, 2023 -
C++: Add forgotten `private` specifiers in product flow
#13199 merged
May 17, 2023 -
C++: Add forgotten test annotation for `cpp/invalid-pointer-deref` test
#13197 merged
May 17, 2023 -
Java: Automodel Extraction Parameter Name Fix
#13185 merged
May 17, 2023 -
Ruby: Include `self` parameters in type tracking flow-through logic
#13068 merged
May 17, 2023 -
C#: Include arguments to `ILogger` extension method calls in `LogMessageSink`
#13183 merged
May 17, 2023 -
C++: Restrict flow-state space of `cpp/overrun-write`
#13142 merged
May 16, 2023 -
Java: Use empty toolchains.xml for java-version-too-old
#13187 merged
May 16, 2023 -
Swift: Recommend a proper source of randomness in `swift/hardcoded-key`
#13177 merged
May 16, 2023 -
Swift: Mirror changes made in the tutorial docs.
#13184 merged
May 16, 2023 -
Swift: Fix some FPs from the sensitive data library
#13167 merged
May 16, 2023 -
C++: Add example with conflation in dataflow
#13182 merged
May 16, 2023 -
Swift: turn internal error into a TSP warning
#13181 merged
May 16, 2023 -
Java: Hide GHA variables in `java-version-too-old` test
#13180 merged
May 16, 2023 -
Swift: Use `...` to find and run all Bazel tests instead of having list them.
#13169 merged
May 16, 2023 -
C++: Block flow through back-edges in `cpp/overrun-write`
#13149 merged
May 16, 2023 -
Enable implicit this warnings for shared packs
#13173 merged
May 16, 2023 -
Java: Add `XPath.evaluate` as XXE sink
#13166 merged
May 16, 2023 -
JS: fixup in the qhelp for `js/prototype-polluting-assignment`
#13165 merged
May 16, 2023 -
Go: fix unit test
#13135 merged
May 16, 2023
28 Pull requests opened by 21 people
-
Fix "Introducing the JavaScript libraries" query12.qll and add test case
#13176 opened
May 16, 2023 -
ruby/python: Shared module for typetracking through flow summaries
#13178 opened
May 16, 2023 -
[Java] Add basic support for Google's Gson library
#13179 opened
May 16, 2023 -
cpp: Add basic GSSAPI memory leak query
#13189 opened
May 16, 2023 -
Swift: Adopt the shared sensitive data library
#13190 opened
May 16, 2023 -
JS: Avoid using global vars in documentation examples
#13195 opened
May 17, 2023 -
C#: System.DateTime defaults.
#13202 opened
May 17, 2023 -
Remove GITHUB_TOKEN permissions note since it's no longer required
#13206 opened
May 17, 2023 -
C++: Reduce memory pressure from `getInstruction`
#13207 opened
May 17, 2023 -
python: Container summaries, part 2
#13209 opened
May 17, 2023 -
Kotlin: Refactor extractTypeAccessRecursive
#13210 opened
May 17, 2023 -
Shared: Add stubs for `identify-environment` scripts
#13211 opened
May 17, 2023 -
Swift: Add EnumDecl.getEnumElement(_)
#13213 opened
May 17, 2023 -
C++: Quotient dataflow nodes by an equivalence relation
#13219 opened
May 18, 2023 -
Java: Migrate path injection sinks to models-as-data (simplified)
#13225 opened
May 19, 2023 -
C++: fix equality refinement in new range analysis
#13226 opened
May 19, 2023 -
Java: Add autogenerated models for frameworks related to Jenkins
#13227 opened
May 19, 2023 -
Java: add error message for deprecated sink kinds in `getInvalidModelKind`
#13228 opened
May 19, 2023 -
Java: Add Hudson models
#13235 opened
May 22, 2023 -
Swift: remove unneeded properties from `InterpolatedStringLiteralExpr`
#13238 opened
May 22, 2023 -
Java: Add QL support for automodel application mode
#13239 opened
May 22, 2023 -
Swift: reorganize `VarDecl` instances within `BraceStmt`
#13240 opened
May 22, 2023 -
Ruby: Exclude block parameters from flow-through in type tracking
#13242 opened
May 22, 2023 -
Release preparation for version 2.13.3
#13243 opened
May 22, 2023 -
C++: Promote the product-dataflow library out of experimental
#13244 opened
May 22, 2023 -
Update CSV framework coverage reports
#13245 opened
May 23, 2023 -
C++: Fix more pointer/pointee conflation
#13246 opened
May 23, 2023 -
Bump regex from 1.8.1 to 1.8.2 in /ql
#13247 opened
May 23, 2023
5 Issues closed by 4 people
-
Issue with decoding bqrs file to a human readable format
#13047 closed
May 19, 2023 -
CPP: TypeMention only covers mentions of user-defined types
#13214 closed
May 18, 2023 -
Kind error in /go/ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
#13171 closed
May 18, 2023 -
Using flow labels JavaScript tutorial example queries don't work
#13175 closed
May 17, 2023 -
Use of TrackedNode in JavaScript tutorial
#13174 closed
May 17, 2023
4 Issues opened by 4 people
-
Go: RangeStmt declaring variables with := does not contain a DefineStmt
#13241 opened
May 22, 2023 -
CodeQL CLI may be slow to run when the codeql.zip is extracted at $HOME
#13208 opened
May 17, 2023 -
C/C++: how to optimize function pointer tracing?
#13198 opened
May 17, 2023 -
General issue
#13193 opened
May 17, 2023
22 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
[Python] Add Unicode Bypass Validation query tests and help
#12991 commented on
May 22, 2023 • 13 new comments -
[Ruby] Add Unicode Bypass Validation query, test and help file
#12992 commented on
May 21, 2023 • 12 new comments -
C#: Entity framework. Convert DbSet summaries to MaD models.
#13085 commented on
May 17, 2023 • 9 new comments -
C#: update MaD sink kinds
#13158 commented on
May 22, 2023 • 7 new comments -
ReDoS: add another example to the qhelp in poly-redos, showing how to just limit the length of the input
#13164 commented on
May 22, 2023 • 7 new comments -
C++: stitch paths and ignore cast arrays in constant off-by-one query
#13045 commented on
May 22, 2023 • 5 new comments -
JS: Support sub modules
#12975 commented on
May 22, 2023 • 4 new comments -
CPP: Add query for CVE-2022-37454: Integer addition may overflow inside if statement
#12036 commented on
May 19, 2023 • 3 new comments -
Swift: Make the cleartext logging query consistent with other cleartext-* queries.
#13163 commented on
May 16, 2023 • 3 new comments -
Post-release preparation for codeql-cli-2.13.2
#13168 commented on
May 22, 2023 • 3 new comments -
JS/Ruby/QL/Python: sync dbscheme fragments
#13154 commented on
May 22, 2023 • 2 new comments -
[CPP][Questions]No effective API to qeury macro used in function parameter declaration
#8497 commented on
May 17, 2023 • 1 new comment -
[Java]: False positive CodeQL searches result is less according to the rules than the java code actually has🥺🥺
#12715 commented on
May 23, 2023 • 1 new comment -
Swift: minimal 5.8 compatibility
#12872 commented on
May 17, 2023 • 1 new comment -
Java: Refactor path injection sinks
#12886 commented on
May 19, 2023 • 1 new comment -
Java: Make inputStreamWrapper consider supertypes transitively
#13091 commented on
May 22, 2023 • 1 new comment -
Java: Add constraint to `HostnameSanitizingPrefix` to prevent false negatives in SSRF queries
#13097 commented on
May 22, 2023 • 1 new comment -
JS: update MaD sink kinds
#13157 commented on
May 19, 2023 • 1 new comment -
Java: add some neutral models discovered with heuristics
#12249 commented on
May 22, 2023 • 0 new comments -
JS: Add support for TS 5.1
#12874 commented on
May 22, 2023 • 0 new comments -
Ruby: Remove canonical return nodes
#12964 commented on
May 17, 2023 • 0 new comments -
[Draft] [C#] Add query for missing function level access control
#13094 commented on
May 16, 2023 • 0 new comments