48 Pull requests merged by 23 people

• C#: Pin integration tests to a specific .NET version.

  #14878 merged Nov 27, 2023

• Kotlin 2: Accept some location changes in test-kotlin2/library-tests/stmts

  #14906 merged Nov 27, 2023

• Swift: More sinks for swift/uncontrolled-format-string

  #14807 merged Nov 27, 2023

• Java Automodel extraction: remove primitives in framework mode

  #14849 merged Nov 27, 2023

• Swift: final 5.8/5.9 extractions

  #14800 merged Nov 27, 2023

• C++: Don't exclude `ExprNode`s as sources

  #14911 merged Nov 24, 2023

• Swift: Flow models for Set

  #14908 merged Nov 24, 2023

• Swift: "contentsOf" sources

  #14879 merged Nov 24, 2023

• C++: Remove workaround for negated conditions in `cpp/user-controlled-bypass`

  #14907 merged Nov 24, 2023

• C++: Do not use `isReturnValue` in `getenv`, `gets`, and `fgets` models

  #14903 merged Nov 24, 2023

• C++: Rewrite `cpp/user-controlled-bypass` away from `DefaultTaintTracking`

  #14896 merged Nov 24, 2023

• C++: Add Taint through int -> bool casts

  #14904 merged Nov 24, 2023

• Ruby: Add tests illustrating missing flow

  #14859 merged Nov 24, 2023

• Ruby: Add test for missing block flow

  #14874 merged Nov 24, 2023

• Kotlin: Add LighterAST support to numlines extraction

  #14887 merged Nov 24, 2023

• C++: Don't short circuit logical negation in conditions

  #14894 merged Nov 24, 2023

• Go: improve CallNode documentation

  #14882 merged Nov 24, 2023

• JS: extend DatabaseAccess by `TypeORM` and `sqlite` and `better-sqlite3` packages

  #14302 merged Nov 24, 2023

• Codegen: allow marking properties as internal

  #14902 merged Nov 24, 2023

• Swift: extract `MacroDecl`

  #14796 merged Nov 24, 2023

• Codegen: fix bug where stub rewriting globbles too much code

  #14893 merged Nov 23, 2023

• C++: Rewrite `cpp/tainted-permissions-check` to not use `DefaultTaintTracking`

  #14886 merged Nov 23, 2023

• Fix changelog docs based on latest generator version

  #14889 merged Nov 23, 2023

• C++: Rewrite `cpp/user-controlled-null-termination-tainted` away from `DefaultTaintTracking`

  #14881 merged Nov 23, 2023

• Go: Change how we refer to a query in a change note

  #14890 merged Nov 23, 2023

• Golang: Web Cache Deception Vulnerability

  #14775 merged Nov 23, 2023

• C#: Add flow steps for View calls refering to Razor pages

  #14343 merged Nov 23, 2023

• Python: support `*args` and `**kwargs` in request handlers

  #14353 merged Nov 23, 2023

• Swift: generate more QLdocs

  #14864 merged Nov 23, 2023

• Python: Add taint-flow modeling for `re` module

  #14725 merged Nov 23, 2023

• JS: update the JS change notes to mention security severity instead of just severity

  #14885 merged Nov 23, 2023

• C++: Rewrite `cpp/tainted-format-string` away from `DefaultTaintTracking`

  #14801 merged Nov 22, 2023

• Update change note 0.3.3.md

  #14880 merged Nov 22, 2023

• Post-release preparation for codeql-cli-2.15.3

  #14877 merged Nov 22, 2023

• Add combined changelogs for 2.15.3 and backfill historic versions

  #14876 merged Nov 22, 2023

• Kotlin: Move tests from test/kotlin to test-kotlin1

  #14862 merged Nov 22, 2023

• SSA: Add locations to ease debugging

  #14868 merged Nov 22, 2023

• Kotlin 2: isFake is currently broken, so assume not fake for now

  #14860 merged Nov 22, 2023

• Python: test demonstrating the need for phi nodes

  #14861 merged Nov 22, 2023

• C#: Tolerate missing call targets in LogMessageSink

  #14855 merged Nov 22, 2023

• Python: Test demonstrating the need for phi-read-nodes

  #14858 merged Nov 21, 2023

• Update qhelp for js/path-injection.

  #14846 merged Nov 21, 2023

• Kotlin: Add more CODEOWNERS entries

  #14837 merged Nov 21, 2023

• Kotlin: Add a kotlin2 copy of the testsuite

  #14833 merged Nov 21, 2023

• Go: model value flow with array content through slice expressions

  #14798 merged Nov 21, 2023

• Kotlin: Add 2.0.0-Beta1

  #14831 merged Nov 21, 2023

• C#: Framework dependency detection.

  #14767 merged Nov 21, 2023

• Backport PR #14825

  #14852 merged Nov 21, 2023

26 Pull requests opened by 19 people

• Swift: move keypath dataflow writes to fix types

  #14865 opened Nov 21, 2023

• C++: Reduce duplication from crement operations

  #14867 opened Nov 21, 2023

• Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 in /go/ql/test/experimental/CWE-347

  #14870 opened Nov 21, 2023

• Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 in /go/ql/test/experimental/CWE-321-V2

  #14871 opened Nov 21, 2023

• Go: Add Rs Cors Support

  #14873 opened Nov 21, 2023

• Swift: Add Unsafe Unpacking Query (CWE-022)

  #14888 opened Nov 23, 2023

• C#: Add test case for ambiguous types in Standalone extraction

  #14891 opened Nov 23, 2023

• C#: Update to .NET 8.

  #14892 opened Nov 23, 2023

• Kotlin: Add a 2.0.255 snapshot

  #14895 opened Nov 23, 2023

• C++: Relax the dbscheme for `link_targets/2`

  #14897 opened Nov 23, 2023

• Update CodeQL model editor info for revised UI

  #14898 opened Nov 23, 2023

• C++: Remove `DefaultTaintTracking` library

  #14909 opened Nov 24, 2023

• CPP: Add query for detecteing incorrect error checking for scanf

  #14910 opened Nov 24, 2023

• C++: Deprecate `isUserInput`, `userInputArgument`, and `userInputReturned`

  #14912 opened Nov 24, 2023

• Java: add Spring models

  #14913 opened Nov 27, 2023

• C++: Add field flow for addresses of fields and use in `cpp/double-free` and `cpp/use-after-free`

  #14915 opened Nov 27, 2023

• Ruby: Add mysql2 model

  #14916 opened Nov 27, 2023

• Python: Add support for extraction filters

  #14918 opened Nov 27, 2023

• Java: openjdk model autogeneration

  #14919 opened Nov 27, 2023

• C++: Expose whether a function was prototyped or not

  #14921 opened Nov 27, 2023

• Swift: Imprecise Taint Flows

  #14925 opened Nov 27, 2023

• Java: Improve Gson parse, get, and stream models

  #14926 opened Nov 27, 2023

• C++: Add a new query for calling `c_str` on temporary objects

  #14928 opened Nov 27, 2023

• Bump org.eclipse.jetty:jetty-webapp from 9.3.3.v20150827 to 9.4.33.v20201020 in /java/ql/integration-tests/all-platforms/java/java-web-jsp

  #14929 opened Nov 27, 2023

• Bump the extractor-dependencies group in /go/extractor with 1 update

  #14932 opened Nov 28, 2023

• Fix sphinx.add_lexer.

  #14934 opened Nov 28, 2023

5 Issues closed by 5 people

• False positive

  #14931 closed Nov 28, 2023

• Documentation for model YML files

  #14920 closed Nov 27, 2023

• codeql won't work with chromium special file

  #13849 closed Nov 27, 2023

• Error running query: Internal error. (codeQL.runQueryContextEditor) Error: Error running query: Internal error.

  #14883 closed Nov 23, 2023

• Monorepo setup with different c# areas

  #14836 closed Nov 21, 2023

15 Issues opened by 15 people

• General issue:create java project database failed

  #14933 opened Nov 28, 2023

• I don't understand the definition of all the "Git Hub" terms?

  #14930 opened Nov 28, 2023

• Failure to create CodeQL database with latest Visual Studio (17.8.1)

  #14927 opened Nov 27, 2023

• Missing methods and constructors in Java GSON model

  #14924 opened Nov 27, 2023

• Will Objective C and Objective C++ be supported in CodeQL?

  #14923 opened Nov 27, 2023

• Question: False positive in Path traversal - Java

  #14922 opened Nov 27, 2023

• codeql_cpp QL pack not found

  #14917 opened Nov 27, 2023

• Wrong Pointer Size in Database for Chromium

  #14914 opened Nov 27, 2023

• Slow performing checks on our repository from Code QL

  #14905 opened Nov 24, 2023

• General issue Python:Unable to recognize calling a method through an instance member of a class

  #14899 opened Nov 23, 2023

• Query pack codeql/go-queries cannot be found

  #14884 opened Nov 23, 2023

• How can I use codeql cli without metadata?

  #14872 opened Nov 21, 2023

• A typedef defined with extern "C" prevents CodeQL from finding the TypdefType of a C++ member function's FunctionDeclarationEntry

  #14869 opened Nov 21, 2023

• General issue - CodeQL exiting with exit code 2

  #14866 opened Nov 21, 2023

• Python code QL reports (invalid?) parse error

  #14863 opened Nov 21, 2023

33 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Add support for Java 21 language features

  #14671 commented on Nov 28, 2023 • 61 new comments

• JS: Add Permissive CORS query (CWE-942)

  #14342 commented on Nov 27, 2023 • 21 new comments

• Go: fasthttp

  #14123 commented on Nov 27, 2023 • 18 new comments

• C#: Detect `TargetFramework`s and install them if there is no `global.json`

  #14821 commented on Nov 21, 2023 • 14 new comments

• Python: remove EssaNodes

  #14777 commented on Nov 22, 2023 • 11 new comments

• Python: Add dataflow consistency query

  #8457 commented on Nov 22, 2023 • 8 new comments

• Python: Decompression Bombs

  #13557 commented on Nov 27, 2023 • 7 new comments

• Go: Decompression Bombs

  #13553 commented on Nov 22, 2023 • 6 new comments

• [CSharp] AWS Lambda Modelling

  #13110 commented on Nov 28, 2023 • 4 new comments

• Python : Unable to follow taint through indirect calls

  #14842 commented on Nov 27, 2023 • 2 new comments

• JS: decoding JWT without signature verification

  #14088 commented on Nov 24, 2023 • 2 new comments

• [Feature branch] JS: Migrate to shared dataflow library

  #14412 commented on Nov 21, 2023 • 2 new comments

• Move `FlowSummaryImpl.qll` to `dataflow` pack

  #14573 commented on Nov 27, 2023 • 2 new comments

• False positive: Static field written by instance method by Interlocked API

  #14840 commented on Nov 23, 2023 • 1 new comment

• False positive: Missed 'readonly' opportunity for field used by Interlocked API

  #14839 commented on Nov 23, 2023 • 1 new comment

• Error downloading/installing codeql cpp-queries package

  #14492 commented on Nov 23, 2023 • 1 new comment

• LGTM.com - false positive "Statement has no effect" for Python await

  #11235 commented on Nov 23, 2023 • 1 new comment

• workflow yml file configuration

  #14652 commented on Nov 25, 2023 • 1 new comment

• Ruby: Decompression Bombs

  #13556 commented on Nov 22, 2023 • 1 new comment

• Java: JWT decoding without verification

  #14089 commented on Nov 22, 2023 • 1 new comment

• Ruby: Experimental model editor support

  #14679 commented on Nov 27, 2023 • 1 new comment

• Swift: More sinks for swift/cleartext-logging

  #14853 commented on Nov 24, 2023 • 1 new comment

• java: false positive: javax.validation.constraints are not identified as input validation

  #8705 commented on Nov 22, 2023 • 0 new comments

• [Go] Add Unicode Bypass Validation query, test and help file

  #12994 commented on Nov 24, 2023 • 0 new comments

• Java: Add Weak Randomness Query (CWE-330/338)

  #13608 commented on Nov 27, 2023 • 0 new comments

• Go: Fix missing flow through receiver for function variable (try 2)

  #13861 commented on Nov 22, 2023 • 0 new comments

• Temporarily run the standalone extractor instead of autobuilding

  #14324 commented on Nov 27, 2023 • 0 new comments

• Ruby: refine `ActiveRecord` `update_all` as an SQL sink

  #14627 commented on Nov 24, 2023 • 0 new comments

• Ruby: Adopt shared type tracking library

  #14709 commented on Nov 21, 2023 • 0 new comments

• Java: Environment variable injection query

  #14724 commented on Nov 21, 2023 • 0 new comments

• DataFlow: Add language-specific predicate for ignoring steps in flow-through calculation

  #14799 commented on Nov 21, 2023 • 0 new comments

• C#: Strengthen call-back heuristics by considering body-less methods

  #14832 commented on Nov 27, 2023 • 0 new comments

• Python: Adopt shared type tracking library

  #14848 commented on Nov 21, 2023 • 0 new comments