37 Pull requests merged by 23 people

• Ruby: Use API graphs asCallable() instead of Proc.new workaround

  #13746 merged Jul 14, 2023

• Ruby : XPath Injection Query (CWE-643)

  #13130 merged Jul 14, 2023

• Java: Limit the number of samples extracted in application mode

  #13730 merged Jul 14, 2023

• Ruby: Improve support for explicit proc-creation

  #13612 merged Jul 14, 2023

• Swift: Query for REDOS (Regular Expression Denial Of Service)

  #13548 merged Jul 14, 2023

• Dataflow: Fix forceHighPrecision for length-2 prefixes.

  #13735 merged Jul 14, 2023

• Update CSV framework coverage reports

  #13742 merged Jul 14, 2023

• JS: Replace barrier edges with barrier nodes

  #13719 merged Jul 13, 2023

• [Java] Add missing commons lang3 model for ToStringBuilder.reflectionToString

  #13714 merged Jul 13, 2023

• JavaScript: Improve query help for js/command-line-injection

  #13661 merged Jul 13, 2023

• C#/Java/Ruby: Remove superfluous module members.

  #13736 merged Jul 13, 2023

• C#: Fix test expectations in `RuntimeVersion` tests to handle platfor…

  #13733 merged Jul 13, 2023

• Java: Update MaD Declarations after Triage

  #13403 merged Jul 13, 2023

• C++/Swift: Remove `none()` dataflow configuration predicates

  #13732 merged Jul 13, 2023

• Go: minor cleanup to Twirp models

  #13728 merged Jul 12, 2023

• DataFlow: Add default implementations of isBarrier/2 and isAddiitonalFlowStep/4

  #13694 merged Jul 12, 2023

• [Go] GoMicro framework support

  #13625 merged Jul 12, 2023

• Update CONTRIBUTING.md

  #13724 merged Jul 12, 2023

• Kotlin: Improve file class support

  #13718 merged Jul 12, 2023

• Go: make `ParameterNode`s for unused parameters #2 (make a disjoint class for unused ones)

  #13672 merged Jul 12, 2023

• Kotlin: Run CI with 1.9.0

  #13723 merged Jul 12, 2023

• Java: Add support for Kotlin's `apply` to java/android/unsafe-android-wevbiew-fetch

  #13705 merged Jul 12, 2023

• Go: Add support for Bun library

  #13601 merged Jul 11, 2023

• Go: Deal better with a single go.mod file which is not in the project root

  #13589 merged Jul 11, 2023

• JS: Recognize 'fs/promises' alias and handle spread arguments in path.join()

  #13700 merged Jul 11, 2023

• Swift: Expand taint models for URL

  #13698 merged Jul 11, 2023

• Rework the remaining inline expectation tests to use the parameterized module

  #13643 merged Jul 11, 2023

• DataFlow: Speed up the big step relation

  #13679 merged Jul 11, 2023

• C++: exclude uninitialized uses inside pure expression statements

  #13647 merged Jul 11, 2023

• Update CSV framework coverage reports

  #13708 merged Jul 11, 2023

• C++: more constant array off-by-one tests

  #13701 merged Jul 10, 2023

• C++: Add assignment operation IR test where the result is being used

  #13704 merged Jul 10, 2023

• Kotlin: Support apply

  #13702 merged Jul 10, 2023

• Ruby: exclude Object class from API graph

  #13683 merged Jul 10, 2023

• Bump regex from 1.9.0 to 1.9.1 in /ql

  #13693 merged Jul 10, 2023

• Swift: 5.9 preparation

  #13678 merged Jul 10, 2023

• Post-release preparation for codeql-cli-2.14.0

  #13690 merged Jul 7, 2023

26 Pull requests opened by 18 people

• Mention needed imports at top of "Analyzing data flow in Java"

  #13692 opened Jul 8, 2023

• C++: Handle call-contexts mismatches in `cpp/invalid-pointer-deref`

  #13699 opened Jul 10, 2023

• Swift: Query for escaping parameters of unsafe closures

  #13706 opened Jul 10, 2023

• [Java] New models for Struts2 framework

  #13712 opened Jul 11, 2023

• [Java] Implement field taint inheritance for Struts2 unmarshalled objects

  #13713 opened Jul 11, 2023

• Swift: Recognize regular expression parse mode flags

  #13715 opened Jul 11, 2023

• C++: Updates for changes in frontend

  #13716 opened Jul 11, 2023

• Dataflow: Add support for not skipping configuration-specific nodes in big-step

  #13717 opened Jul 11, 2023

• WIP: C#: Generate source files from `cshtml` files in standalone

  #13722 opened Jul 11, 2023

• C++: Fix barriers in invalid pointer deref

  #13725 opened Jul 11, 2023

• WIP : Swift: Add Command Injection query

  #13726 opened Jul 12, 2023

• JS: Add 'vulnerableCallModel' extension point

  #13727 opened Jul 12, 2023

• Python/JavaScript: Shared module for serverless functions

  #13729 opened Jul 12, 2023

• Python: Aiohttp improvements

  #13731 opened Jul 12, 2023

• Dynamic: add Fuzzy token

  #13737 opened Jul 13, 2023

• Python: Include all assignments in data flow paths

  #13738 opened Jul 13, 2023

• Test using Origin() in Go extractor

  #13739 opened Jul 13, 2023

• C++: Uniquify `getEntryPoint` to prevent malformed IR

  #13740 opened Jul 13, 2023

• Swift: add DataFlow::Content for arrays

  #13741 opened Jul 13, 2023

• Docs: Update data flow documentation to the new API.

  #13743 opened Jul 14, 2023

• C#: Add integration test for standalone extraction

  #13744 opened Jul 14, 2023

• Python - Add Models as Data support for Reflected XSS Query

  #13745 opened Jul 14, 2023

• Java: Exclude qualifier argument for existing models

  #13747 opened Jul 14, 2023

• Failing test to demonstrate problem with detecting regex match calls in Ruby

  #13748 opened Jul 14, 2023

• Ruby: query to automatically extract type definitions from library code

  #13750 opened Jul 14, 2023

• Java: Improve the diagnostics consistency query

  #13751 opened Jul 14, 2023

1 Issue closed by 2 people

• Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the [contributing guidelines](https://github.com/github/docs/blob/main/CONTRIBUTING.md).ج

  #13734 closed Jul 14, 2023

6 Issues opened by 4 people

• False positive for IncompleteHostnameRegExp in Ruby

  #13749 opened Jul 14, 2023

• Why is it that when CodeQL generates a database, some source code is not analyzed?

  #13710 opened Jul 11, 2023

• C# False Positive Suggestion PathBase

  #13709 opened Jul 11, 2023

• FP in C# XSS Sink

  #13707 opened Jul 10, 2023

• Are there any alternative commands available to resolve the following situation?

  #13697 opened Jul 10, 2023

• [Question] How to eliminate cartesian product for negation

  #13691 opened Jul 7, 2023

28 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Go: Add support for the gqlgen library

  #13602 commented on Jul 14, 2023 • 11 new comments

• [Java] Add Unicode Bypass Validation query, test and help file

  #12995 commented on Jul 14, 2023 • 9 new comments

• Ruby: Add LDAP Injection query

  #13309 commented on Jul 14, 2023 • 7 new comments

• Java: Add metric queries for counting sinks coming from models

  #13636 commented on Jul 14, 2023 • 7 new comments

• Swift: Improve SensitiveExprs.qll Heuristics

  #13354 commented on Jul 14, 2023 • 6 new comments

• Python: Flask & Django Constant Secret Key initialization

  #13561 commented on Jul 14, 2023 • 6 new comments

• JS: Add Node.js File system Promises API

  #13593 commented on Jul 10, 2023 • 5 new comments

• C++: Add EmscriptenRunScriptTaint query

  #13493 commented on Jul 11, 2023 • 4 new comments

• Java: Add Weak Randomness Query (CWE-330/338)

  #13608 commented on Jul 12, 2023 • 4 new comments

• JS/RB: write qhelp for `incomplete-multi-character-sanitization`

  #13641 commented on Jul 13, 2023 • 4 new comments

• Python: Model parameter with default value as `DefinitionNode`

  #13685 commented on Jul 12, 2023 • 4 new comments

• Convert shared CFG construction library to a parameterized module

  #13509 commented on Jul 10, 2023 • 3 new comments

• Go: Improve go-pg support

  #13599 commented on Jul 12, 2023 • 3 new comments

• Swift: Risky or Broken Cryptographic Algorithm Query

  #13649 commented on Jul 12, 2023 • 3 new comments

• Swift: Add path injection sinks for sqlite3 and SQLite.swift

  #13276 commented on Jul 12, 2023 • 2 new comments

• Trust Boundary Violation Query

  #13413 commented on Jul 11, 2023 • 2 new comments

• Ruby: Decompression Bombs

  #13556 commented on Jul 11, 2023 • 2 new comments

• C++: Deprecate AST dataflow

  #13621 commented on Jul 11, 2023 • 2 new comments

• Swift: Query for regular expression injection

  #13660 commented on Jul 14, 2023 • 2 new comments

• When publishing a codeql query pack with the --allow-prerelease option, if the version already exists, it should be overwritten

  #13686 commented on Jul 10, 2023 • 1 new comment

• No code found during the build

  #13571 commented on Jul 13, 2023 • 1 new comment

• Ruby: add rack `env['QUERY_STRING']` as a remote flow input

  #13585 commented on Jul 14, 2023 • 1 new comment

• C#: Turn RuntimeVersion into a record type.

  #13688 commented on Jul 11, 2023 • 1 new comment

• Swift: Query for bad HTML filtering regexps

  #13549 commented on Jul 11, 2023 • 0 new comments

• Ruby: add `Rack::Request` params and cookies as remote input sources

  #13566 commented on Jul 14, 2023 • 0 new comments

• Ruby: align type-tracking visibility with JS/Python

  #13615 commented on Jul 13, 2023 • 0 new comments

• [Python] Configuration Injection query

  #13640 commented on Jul 14, 2023 • 0 new comments

• Swift: minimal 5.9 support

  #13668 commented on Jul 11, 2023 • 0 new comments