Insights: github/codeql

42 Pull requests merged by 20 people

• CPP: delete the deprecated Container::getURL predicates

  #13460 merged Jun 19, 2023

• Release preparation for Swift

  #13500 merged Jun 19, 2023

• Update inline flow tests to use parameterized module

  #13426 merged Jun 19, 2023

• Swift: Bare-bones extractor pack for Windows.

  #13447 merged Jun 19, 2023

• Swift: remove `std::result_of` from swift headers

  #13497 merged Jun 19, 2023

• Java: clean up mad kinds use

  #13480 merged Jun 19, 2023

• Java: Model the Stapler framework

  #13256 merged Jun 19, 2023

• C#/Go/Java/JS/Python/Ruby: Update the description and qhelp of the Zipslip query

  #13475 merged Jun 19, 2023

• Kotlin: Avoid another cause of ConcurrentModificationException with 1.9

  #13482 merged Jun 19, 2023

• Kotlin: Handle IrSyntheticBodyKind.ENUM_ENTRIES

  #13479 merged Jun 19, 2023

• Ruby: update grammar

  #13423 merged Jun 19, 2023

• ReDoS: stop spuriously matching everything when encountering an unsupported charclass

  #13469 merged Jun 19, 2023

• Ruby : Naming error

  #13494 merged Jun 19, 2023

• C#: Use stubs in the Security feature related tests.

  #13472 merged Jun 19, 2023

• C++: Add FP test cases for `cpp/invalid-pointer-deref`

  #13466 merged Jun 17, 2023

• Exclude `cpp/overrun-write` from `cpp-security-extended.qls`

  #13485 merged Jun 16, 2023

• Kotlin: Remove diags.ql from classes test

  #13477 merged Jun 16, 2023

• rc3.10 mergeback: getting Swift changes back to main

  #13476 merged Jun 16, 2023

• Swift: upgrade extractor to support Swift 5.8.1

  #13458 merged Jun 16, 2023

• C#: Remove jump step

  #13150 merged Jun 15, 2023

• Kotlin: Remove use of AccessControlException

  #13463 merged Jun 15, 2023

• Update CSV framework coverage reports

  #13465 merged Jun 15, 2023

• JS: Restrict length of state path in vuex model

  #13456 merged Jun 14, 2023

• Swift: reorganize `VarDecl` instances within `BraceStmt`

  #13240 merged Jun 14, 2023

• Python: container summaries, part 3

  #13395 merged Jun 14, 2023

• Swift: Don't use `std::hash<fs::path>`.

  #13459 merged Jun 14, 2023

• Java: Add autogenerated models for frameworks related to Jenkins

  #13227 merged Jun 14, 2023

• C#: Use synthetic global in the EntityFramework code instead of jump steps.

  #13147 merged Jun 14, 2023

• JS: Fix invalid source kind in test

  #13380 merged Jun 14, 2023

• Java: Add Hudson models

  #13235 merged Jun 14, 2023

• Kotlin: Avoid using deprecated APIs

  #13427 merged Jun 14, 2023

• Java: Add QL support for automodel application mode

  #13239 merged Jun 14, 2023

• Dataflow: Refactor FlowSummaryImpl to synthesize nodes independently from DataFlow::Node.

  #13273 merged Jun 14, 2023

• python: Container summaries, part 2

  #13209 merged Jun 13, 2023

• Swift: Fix some C++20 todos.

  #13336 merged Jun 13, 2023

• Build: Bump build mode to C++20.

  #13335 merged Jun 13, 2023

• Python: Add modeling of `flask.render_template_string`

  #13438 merged Jun 13, 2023

• JS: remove the second argument of findByIdAndUpdate as a NoSQL sink

  #13381 merged Jun 13, 2023

• Go: Remove commented out code from test

  #13439 merged Jun 13, 2023

• Update inline expectation tests to use parameterized module

  #13346 merged Jun 13, 2023

• Ruby: fix bug in filter_map summary

  #13422 merged Jun 13, 2023

• C#: Make sure System.Private.CoreLib is added only once as a reference in standalone extraction

  #13420 merged Jun 13, 2023

23 Pull requests opened by 17 people

• Shared: support quoted operands in access path components

  #13441 opened Jun 13, 2023

• add QL specification section on module instantiations

  #13443 opened Jun 13, 2023

• Java: Update MaD Declarations after Triage

  #13444 opened Jun 13, 2023

• C++: ignore iterators that are their own value type

  #13445 opened Jun 13, 2023

• Kotlin: Add a test for parcelize, and improve tryReplaceFunctionInSyntheticClass

  #13450 opened Jun 14, 2023

• C#: Re-factor printing of summary component stacks.

  #13452 opened Jun 14, 2023

• Go: Add failing tests for MaD with pointer content

  #13453 opened Jun 14, 2023

• Go: Add models-as-data content for pointer content

  #13454 opened Jun 14, 2023

• Dataflow: add language-specific hook for breaking up big step relation

  #13455 opened Jun 14, 2023

• Go: show FunctionModel steps in path summaries

  #13461 opened Jun 14, 2023

• ReDoS: stop spuriously matching everything when encountering an unsupported charclass

  #13468 opened Jun 15, 2023

• Swift: Regular expressions library.

  #13470 opened Jun 15, 2023

• Go: improve path summary by changing post update nodes

  #13473 opened Jun 15, 2023

• Java: Add proper support for variable capture flow.

  #13478 opened Jun 16, 2023

• Ruby: rack - model more responses and app types

  #13483 opened Jun 16, 2023

• Java: Experimental version of Java Command Injection query

  #13484 opened Jun 16, 2023

• Shared: use final class aliases to use `extends` instead of `instanceof` in the shared libraries

  #13488 opened Jun 17, 2023

• C++: Add EmscriptenRunScriptTaint query

  #13493 opened Jun 18, 2023

• Ruby: overhaul API graphs

  #13496 opened Jun 19, 2023

• Rework more inline expectation tests to use the parameterized module

  #13498 opened Jun 19, 2023

• Add another example the Hardcoded credential help

  #13501 opened Jun 19, 2023

• C++: Account for the signedness of the lesser operand in `cpp/comparison-with-wider-type`

  #13502 opened Jun 20, 2023

• Update CSV framework coverage reports

  #13503 opened Jun 20, 2023

5 Issues opened by 5 people

• Create AOSP C/C++ database failed with the error tip that "Brotli stream decoding failed"

  #13495 opened Jun 19, 2023

• Java: `ReflectiveMethodAccess::inferAccessedMethod()` ignores parameters

  #13490 opened Jun 17, 2023

• Problems encountered by codeql in building chromium QL library 2

  #13489 opened Jun 17, 2023

• Query id java/improper-intent-verification does not follow convention

  #13474 opened Jun 15, 2023

• False positive

  #13464 opened Jun 14, 2023

22 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• ruby/python: Shared module for typetracking through flow summaries

  #13178 commented on Jun 16, 2023 • 36 new comments

• C#: Add query for missing function level access control

  #13094 commented on Jun 19, 2023 • 14 new comments

• Java: Convert all command injection sinks to MaD format

  #12879 commented on Jun 13, 2023 • 13 new comments

• Java: Update MaD Declarations after Triage

  #13403 commented on Jun 15, 2023 • 11 new comments

• Ruby: add seperate additional steps between `YAML.parse*` methods and `to_ruby`

  #13431 commented on Jun 16, 2023 • 11 new comments

• [Go] Add Unicode Bypass Validation query, test and help file

  #12994 commented on Jun 14, 2023 • 7 new comments

• C++: Fix more conflation in dataflow

  #13425 commented on Jun 19, 2023 • 6 new comments

• Ruby: rack - model redirect responses and `Rack::Mime::mime_type`

  #13289 commented on Jun 13, 2023 • 4 new comments

• Swift: Add path injection sinks for sqlite3 and SQLite.swift

  #13276 commented on Jun 19, 2023 • 2 new comments

• Shared: share MaD kind validation across languages

  #13324 commented on Jun 19, 2023 • 2 new comments

• Trust Boundary Violation Query

  #13413 commented on Jun 15, 2023 • 2 new comments

• Ruby : XPath Injection Query (CWE-643)

  #13130 commented on Jun 14, 2023 • 1 new comment

• Swift: Improve SensitiveExprs.qll Heuristics

  #13354 commented on Jun 19, 2023 • 1 new comment

• Java: mark MaD step sources as uninteresting to model in framework mode

  #13372 commented on Jun 14, 2023 • 1 new comment

• Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.

  #13432 commented on Jun 16, 2023 • 1 new comment

• C#: Add static call graph tests

  #12262 commented on Jun 14, 2023 • 0 new comments

• python: enable summaries from model

  #12581 commented on Jun 18, 2023 • 0 new comments

• [Java] Add Unicode Bypass Validation query, test and help file

  #12995 commented on Jun 13, 2023 • 0 new comments

• [CSharp] Additional data extensions for sink models

  #13093 commented on Jun 19, 2023 • 0 new comments

• Py: delete more old deprecations

  #13342 commented on Jun 14, 2023 • 0 new comments

• Go: Add Improper LDAP Authentication query (CWE-287)

  #13366 commented on Jun 18, 2023 • 0 new comments

• Post-release preparation for codeql-cli-2.13.4

  #13421 commented on Jun 19, 2023 • 0 new comments