Pulse · github/codeql · GitHub

May 19, 2023 – May 26, 2023

Overview

79 Active pull requests

9 Active issues

55 Pull requests merged by 22 people

Bump regex from 1.8.2 to 1.8.3 in /ql
#13295 merged May 26, 2023
C++: Fix result duplication on `DefaultTaintTracking`
#13293 merged May 25, 2023
Swift: Promote some Data models to DataProtocol
#13291 merged May 25, 2023
Swift: add consistency check and accept results for the moment
#13277 merged May 25, 2023
Swift: turn change note check on
#13282 merged May 25, 2023
Update CSV framework coverage reports
#13280 merged May 25, 2023
C++: fix equality refinement in new range analysis
#13226 merged May 24, 2023
C++/Swift: Rewrite inline expectation tests to use the parameterized module
#13269 merged May 24, 2023
C++: Add `cpp/invalid-pointer-deref` FP test case
#13271 merged May 24, 2023
Docs: Late inlining now supported for member predicates
#13274 merged May 24, 2023
Swift: make only certain elements hideable in the AST
#13249 merged May 24, 2023
Ruby: Include both `self` parameters and SSA definitions in call graph construction
#13251 merged May 24, 2023
Ruby: fix some name clashes between summarized callables
#13265 merged May 24, 2023
Fix "Introducing the JavaScript libraries" query12.qll and add test case
#13176 merged May 24, 2023
Java: Tweak java.nio.file.Files.copy models
#13248 merged May 24, 2023
C++: Modernize `PrintIR` for local dataflow
#13266 merged May 24, 2023
C#: Entity framework. Convert DbSet summaries to MaD models.
#13085 merged May 24, 2023
Ruby: Include underlying SSA parameter definition in `localFlowSsaParamCaptureInput`
#13255 merged May 24, 2023
Add forgotten classes related to the legacy `InlineExpectationsTest`class
#13261 merged May 24, 2023
C++: Promote the product-dataflow library out of experimental
#13244 merged May 23, 2023
C++: Fix more pointer/pointee conflation
#13246 merged May 23, 2023
JS/Ruby/QL/Python: sync dbscheme fragments
#13154 merged May 23, 2023
C++: Rewrite flow test common to use inline expectation test module
#13260 merged May 23, 2023
move section on signatures in the QL specification
#13264 merged May 23, 2023
update QL specification on annotations for parameterised modules
#13263 merged May 23, 2023
Java: Add constraint to `HostnameSanitizingPrefix` to prevent false negatives in SSRF queries
#13097 merged May 23, 2023
Hotfix: Go: exclude method receivers from dead-store-of-field query
#13257 merged May 23, 2023
Swift: remove unneeded properties from `InterpolatedStringLiteralExpr`
#13238 merged May 23, 2023
Swift: Make the cleartext logging query consistent with other cleartext-* queries.
#13163 merged May 23, 2023
Turn inline expectation test into a parameterized module
#12789 merged May 23, 2023
Swift: Add EnumDecl.getEnumElement(_)
#13213 merged May 23, 2023
Java: Make inputStreamWrapper consider supertypes transitively
#13091 merged May 23, 2023
C#: System.DateTime defaults.
#13202 merged May 23, 2023
Hotfix: Go: count passing to a vararg function as escaping
#13250 merged May 23, 2023
Swift: trigger workflow on `codeql-cli-*`
#13252 merged May 23, 2023
Release preparation for version 2.13.3
#13243 merged May 23, 2023
[Python] Add Unicode Bypass Validation query tests and help
#12991 merged May 23, 2023
Update CSV framework coverage reports
#13245 merged May 23, 2023
ReDoS: add another example to the qhelp in poly-redos, showing how to just limit the length of the input
#13164 merged May 23, 2023
JS: Support sub modules
#12975 merged May 23, 2023
Bump regex from 1.8.1 to 1.8.2 in /ql
#13247 merged May 23, 2023
C++: Include inline namespaces in `StdNamespace`
#13234 merged May 22, 2023
Ruby: Allow for flow out of callbacks passed to summarized methods in type tracking
#13233 merged May 22, 2023
C++: Add `cpp/invalid-pointer-deref` false positives
#13237 merged May 22, 2023
repair and update the Identifier section of the QL specification
#13236 merged May 22, 2023
C++: Add FP testcase for `cpp/overrun-write`
#13229 merged May 22, 2023
Swift: fix hidden AST getters
#13232 merged May 22, 2023
JS: require arguments to be shell interpreted to be flagged by indirect-command-injection
#13196 merged May 22, 2023
Java: Add TemplateEngine.createTemplate as a Groovy injection sink
#13230 merged May 22, 2023
Ruby: Allow for flow through callbacks to summarized methods in type tracking
#13231 merged May 22, 2023
Swift: Use asNominalTypeDecl more.
#13223 merged May 19, 2023
add syntax for signature definitions to QL specification
#13222 merged May 19, 2023
Swift: Drop support for plaintext diagnostics (and `helpLinks`).
#13224 merged May 19, 2023
Swift: reword TSP diagnostics after doc team review
#13186 merged May 19, 2023
Swift: Taint model for FilePath
#13221 merged May 19, 2023

24 Pull requests opened by 16 people

Java: Migrate path injection sinks to models-as-data (simplified)
#13225 opened May 19, 2023
Java: Add autogenerated models for frameworks related to Jenkins
#13227 opened May 19, 2023
Java: add error message for deprecated sink kinds in `getInvalidModelKind`
#13228 opened May 19, 2023
Java: Add Hudson models
#13235 opened May 22, 2023
Java: Add QL support for automodel application mode
#13239 opened May 22, 2023
Swift: reorganize `VarDecl` instances within `BraceStmt`
#13240 opened May 22, 2023
Java: Model the Stapler framework
#13256 opened May 23, 2023
Codegen: allow `synth` properties of non-`synth` classes
#13258 opened May 23, 2023
Ruby: Refactor and slightly expand `ActionDispatch` modelling
#13259 opened May 23, 2023
C#: Re-factor getComponent.
#13262 opened May 23, 2023
C++: Promote `cpp/overrun-write` out of experimental
#13267 opened May 23, 2023
Post-release preparation for codeql-cli-2.13.3
#13272 opened May 24, 2023
Dataflow: Refactor FlowSummaryImpl to synthesize nodes independently from DataFlow::Node.
#13273 opened May 24, 2023
Swift: Add path injection sinks for sqlite3 and SQLite.swift
#13276 opened May 24, 2023
C# Zipslip improvements
#13281 opened May 25, 2023
JS: Be more conservative about flagging "search" call arguments as regex
#13283 opened May 25, 2023
Swift: remove some AST and CFG inconsistencies
#13284 opened May 25, 2023
ReDoS: fix whitespace in the samples in ReDoS.qhelp
#13285 opened May 25, 2023
Kotlin: Support 1.9.0
#13286 opened May 25, 2023
Swift: Fix some string length conflation false positives
#13287 opened May 25, 2023
Ruby: two bug fixes
#13288 opened May 25, 2023
Ruby: rack - model redirect responses and `Rack::Mime::mime_type`
#13289 opened May 25, 2023
WIP: Extracted source files generated by source generators
#13290 opened May 25, 2023
C++: Change range-analysis test to not use `getAst`
#13294 opened May 25, 2023

4 Issues closed by 4 people

Java: xml extractor ... does not provide file-indexing capabilities
#11115 closed May 25, 2023
[Java]: False positive CodeQL searches result is less according to the rules than the java code actually has🥺🥺
#12715 closed May 24, 2023
Go: RangeStmt declaring variables with := does not contain a DefineStmt
#13241 closed May 23, 2023
Issue with decoding bqrs file to a human readable format
#13047 closed May 19, 2023

5 Issues opened by 5 people

Support new React directives
#13296 opened May 26, 2023
Question: Java taint analysis through "factory pattern"
#13292 opened May 25, 2023
False positive - regex injection in Angular $location.search
#13279 opened May 24, 2023
[CLI] [Enhancement] Include checksums for codeql-cli-binaries releases
#13278 opened May 24, 2023
"Finding definitions" in non-ql files
#13254 opened May 23, 2023

24 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

[Ruby] Add Unicode Bypass Validation query, test and help file
#12992 commented on May 25, 2023 • 27 new comments
Shared: Add stubs for `identify-environment` scripts
#13211 commented on May 23, 2023 • 13 new comments
ReDoS: revert new superlinear algorithm.
#13127 commented on May 25, 2023 • 8 new comments
C++: stitch paths and ignore cast arrays in constant off-by-one query
#13045 commented on May 25, 2023 • 7 new comments
C/C++: how to optimize function pointer tracing?
#13198 commented on May 23, 2023 • 5 new comments
Ruby: Add SQL Injection Sinks
#12832 commented on May 25, 2023 • 3 new comments
C#: Use synthetic global in the EntityFramework code instead of jump steps.
#13147 commented on May 24, 2023 • 3 new comments
CPP: Add query for CVE-2022-37454: Integer addition may overflow inside if statement
#12036 commented on May 19, 2023 • 2 new comments
C#: update MaD sink kinds
#13158 commented on May 25, 2023 • 2 new comments
C++: Reduce memory pressure from `getInstruction`
#13207 commented on May 25, 2023 • 2 new comments
CodeQL for unity
#11791 commented on May 24, 2023 • 1 new comment
Java: Convert all command injection sinks to MaD format
#12879 commented on May 25, 2023 • 1 new comment
Java: Refactor path injection sinks
#12886 commented on May 19, 2023 • 1 new comment
JS: update MaD sink kinds
#13157 commented on May 19, 2023 • 1 new comment
Java: add some neutral models discovered with heuristics
#12249 commented on May 22, 2023 • 0 new comments
Swift: Model Sequence.withContiguousStorageIfAvailable
#12416 commented on May 23, 2023 • 0 new comments
Swift: mangle types
#12433 commented on May 26, 2023 • 0 new comments
JS: Add support for TS 5.1
#12874 commented on May 22, 2023 • 0 new comments
Ruby: Remove canonical return nodes
#12964 commented on May 25, 2023 • 0 new comments
[Draft] [C#] Add query for missing function level access control
#13094 commented on May 25, 2023 • 0 new comments
ruby/python: Shared module for typetracking through flow summaries
#13178 commented on May 22, 2023 • 0 new comments
Swift: Adopt the shared sensitive data library
#13190 commented on May 23, 2023 • 0 new comments
python: Container summaries, part 2
#13209 commented on May 25, 2023 • 0 new comments
C++: Quotient dataflow nodes by an equivalence relation
#13219 commented on May 23, 2023 • 0 new comments