50 Pull requests merged by 24 people

• Kotlin: Regenerate expected test output

  #14186 merged Sep 22, 2023

• Swift: Improve getABaseType implementions

  #14252 merged Sep 22, 2023

• Swift: Models and tests for numeric conversions

  #13946 merged Sep 22, 2023

• Java: Consider AssignOps in ArithExpr

  #14254 merged Sep 22, 2023

• Python: Improve source-location information for RegExpTerms.

  #14292 merged Sep 22, 2023

• Update CSV framework coverage reports

  #14290 merged Sep 22, 2023

• C#: Roslyn-based stub generation

  #14095 merged Sep 22, 2023

• Ruby: Collapse DIL stages

  #14283 merged Sep 22, 2023

• Swift: Fix bug in taint flow through string interpolation

  #14286 merged Sep 22, 2023

• Java: Add test re: buildless mode interaction with snapshot repositories

  #14288 merged Sep 21, 2023

• Java: standalone: add basic integration tests

  #14281 merged Sep 21, 2023

• Java: Test module definition in a file not named module-info.java in a buildless extraction

  #14285 merged Sep 21, 2023

• Ruby: Minor fixes for dataflow queries

  #14274 merged Sep 21, 2023

• Revert "Revert "Swift: use C++20 constraints and concepts to simplify code""

  #14280 merged Sep 21, 2023

• Swift: Improve taint models for NSString

  #14266 merged Sep 21, 2023

• Java/Dataflow: Add new light-weight data flow api and use it in XmlParsers

  #14268 merged Sep 21, 2023

• Dataflow: Add type-based call-edge pruning.

  #13982 merged Sep 21, 2023

• C++: Lift `getParameter` to `ParameterNode`

  #14269 merged Sep 21, 2023

• C#: Remove platform-specific runtime nuget packages from the reference list in Standalone

  #14273 merged Sep 21, 2023

• Bump rayon from 1.7.0 to 1.8.0 in /ql

  #14278 merged Sep 21, 2023

• C#: Parallelize restore logic of missing packages

  #14243 merged Sep 21, 2023

• Ruby: Fix bad join

  #14267 merged Sep 20, 2023

• s/Replace/ReplaceAll/ in LogInjectionGood.go

  #14265 merged Sep 20, 2023

• Misc: Update auto labeler for shared dataflow pack

  #14262 merged Sep 20, 2023

• CPP / Swift: Typos

  #14263 merged Sep 19, 2023

• Release preparation for version 2.14.6

  #14256 merged Sep 19, 2023

• Docs: fix minor typos

  #14131 merged Sep 19, 2023

• C++: Use `size_t` explicitly in CWE-193 tests

  #14258 merged Sep 19, 2023

• Data flow: Fix two consistency checks

  #14247 merged Sep 19, 2023

• C++: Fix the declaration of `malloc` in test

  #14249 merged Sep 19, 2023

• Lua: Tracing of `dotnet dotnet`.

  #14218 merged Sep 19, 2023

• C#: Re-factor Dotnet.cs to enable unit testing.

  #14142 merged Sep 19, 2023

• Update codeql-library-for-go.rst

  #14057 merged Sep 19, 2023

• C++: Reduce dataflow duplication for allocations

  #14250 merged Sep 19, 2023

• CPP: Simplify some code in IRGuards.

  #14242 merged Sep 19, 2023

• Python: Add debug queries

  #14248 merged Sep 19, 2023

• Java: Fix alert message

  #14126 merged Sep 19, 2023

• Update CSV framework coverage reports

  #14253 merged Sep 19, 2023

• Updates to the Java and VS Code docs

  #14207 merged Sep 18, 2023

• Python: Modernize modeling of `BaseHTTPRequestHandler`

  #14245 merged Sep 18, 2023

• C++: Remove unnecessary `size_t` cast from allocations

  #14244 merged Sep 18, 2023

• Shared: use final class aliases to use `extends` instead of `instanceof` in the shared libraries

  #13488 merged Sep 18, 2023

• Java: Understand multiple parse mode flags specified in a regular expression string

  #13778 merged Sep 18, 2023

• Swift: rename `base_types` in `TypeDecl` to `inherited_types`

  #14208 merged Sep 18, 2023

• C#: Generate source file with implicit usings in Standalone

  #14228 merged Sep 18, 2023

• Update CSV framework coverage reports

  #14063 merged Sep 18, 2023

• Swift: Improvements related to the swift/cleartext-logging query.

  #13980 merged Sep 18, 2023

• C++: Fix order of non-linear join in range analysis

  #14237 merged Sep 18, 2023

• Java: Add new Apache CXF models

  #14029 merged Sep 18, 2023

• Bump chrono from 0.4.30 to 0.4.31 in /ql

  #14241 merged Sep 18, 2023

21 Pull requests opened by 13 people

• Release automodel queries version 0.0.3

  #14246 opened Sep 18, 2023

• Data flow: Performance improvements

  #14255 opened Sep 19, 2023

• Java: Introduce a class of dataflow nodes for the threat modeling.

  #14257 opened Sep 19, 2023

• Swift: upgrade to 5.9

  #14261 opened Sep 19, 2023

• Go CI: test multiple Go versions

  #14270 opened Sep 20, 2023

• Post-release preparation for codeql-cli-2.14.6

  #14271 opened Sep 20, 2023

• C#: Minor improvements to the ExternalApi implementation.

  #14272 opened Sep 20, 2023

• CPP: Fix some use after free FPs.

  #14275 opened Sep 20, 2023

• Enable GoKit module into the default list

  #14276 opened Sep 20, 2023

• Update language display names

  #14282 opened Sep 21, 2023

• Bump junit:junit from 4.11 to 4.13.1 in /java/ql/integration-tests/all-platforms/java/buildless-maven

  #14287 opened Sep 21, 2023

• 16 cryptography models libraries and queries migration

  #14289 opened Sep 21, 2023

• JS: Shelljs improvement

  #14291 opened Sep 22, 2023

• JS: Dynamic import as code injection sink

  #14293 opened Sep 22, 2023

• JS: provide command execution sinks for execa package

  #14294 opened Sep 22, 2023

• C#: Improve lambda dispatch using type flow

  #14295 opened Sep 22, 2023

• Java: Add support for additional nodes, read steps, and store steps for QL models and model ThreadLocal.initialValue

  #14297 opened Sep 22, 2023

• Lua: Use --property for specifying properties to dotnet.

  #14298 opened Sep 22, 2023

• Dataflow: Make use of defaults for language-specific hooks.

  #14299 opened Sep 22, 2023

• JS: extend DatabaseAccess by `TypeORM` and `sqlite` packages

  #14302 opened Sep 23, 2023

• Ruby: Implement `mustFlow`

  #14303 opened Sep 23, 2023

3 Issues closed by 3 people

• CodeQL fails to detect C++ code under a standard compiler

  #14264 closed Sep 21, 2023

• Why does CodeQL output many duplicate paths in alerts?

  #14227 closed Sep 20, 2023

• How Can I use SinkNodeCsv

  #14240 closed Sep 18, 2023

3 Issues opened by 3 people

• Extraction is broken with Swift 5.9 toolchain

  #14300 opened Sep 22, 2023

• Certain syntaxes in ruby cause extraction errors

  #14279 opened Sep 21, 2023

• Java: Should `FunctionalExpr` be a non-extending subtype of `ClassInstanceExpr`?

  #14277 opened Sep 20, 2023

25 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• C#: Add VS Code model editor queries

  #14200 commented on Sep 22, 2023 • 44 new comments

• Go: New File System Access Sinks

  #14064 commented on Sep 22, 2023 • 21 new comments

• Go: Improved JWT query, JWT decoding without verification

  #14075 commented on Sep 19, 2023 • 15 new comments

• Go: fasthttp

  #14123 commented on Sep 19, 2023 • 10 new comments

• Ruby: Port `UrlConcatenation.qll` from JS

  #14180 commented on Sep 22, 2023 • 9 new comments

• Ruby: Restrict GraphQL remote flow sources

  #14216 commented on Sep 22, 2023 • 9 new comments

• C#: Add query for Insecure Direct Object Reference

  #13882 commented on Sep 22, 2023 • 7 new comments

• Go: Add JWT Algorithm Confusion and JWT decoding without Signature Verification

  #14081 commented on Sep 22, 2023 • 7 new comments

• Swift: dataflow for `for-in` loops

  #13909 commented on Sep 22, 2023 • 6 new comments

• Go: Better determine Go versions in Go 1.21+

  #14194 commented on Sep 22, 2023 • 6 new comments

• Java: Framework mode source candidates

  #14197 commented on Sep 20, 2023 • 6 new comments

• Python: promote nosql query

  #14070 commented on Sep 22, 2023 • 4 new comments

• Java: Add VS Code model editor queries

  #14199 commented on Sep 22, 2023 • 4 new comments

• Ruby: Improve performance of flow through (hash) splats

  #14229 commented on Sep 20, 2023 • 3 new comments

• Kotlin: Extract LighterAST comments as well as PSI comments

  #14220 commented on Sep 22, 2023 • 2 new comments

• CodeQL is missing an inline mechanism to suppress warnings

  #11427 commented on Sep 18, 2023 • 1 new comment

• Preserving taint through arithmetic operations in Java

  #14233 commented on Sep 19, 2023 • 1 new comment

• codeql won't work with chromium special file

  #13849 commented on Sep 22, 2023 • 1 new comment

• Ruby: add seperate additional steps between `YAML.parse*` methods and `to_ruby`

  #13431 commented on Sep 20, 2023 • 1 new comment

• Swift: Port regex mode flag fix from Python to Swift

  #14209 commented on Sep 19, 2023 • 1 new comment

• Swift: CFG and data flow for nil coalescing operator

  #14224 commented on Sep 18, 2023 • 1 new comment

• DataFlow::PathGraph Module not Found in codeql

  #13540 commented on Sep 19, 2023 • 0 new comments

• Swift: use shared capture flow library

  #14078 commented on Sep 18, 2023 • 0 new comments

• C++: Fix more FPs in `cpp/invalid-pointer-deref`

  #14164 commented on Sep 18, 2023 • 0 new comments

• CPP: No longer constant fold (most) IR.

  #14210 commented on Sep 19, 2023 • 0 new comments