Insights: github/codeql
Overview
41 Pull requests merged by 21 people
-
Java: Add test for empty argfile
#14950 merged
Nov 29, 2023 -
Docs: List Python 3.12 as supported
#14946 merged
Nov 29, 2023 -
yeast: update debug format to be more readable
#14949 merged
Nov 29, 2023 -
yeast: parse input into the AST
#14947 merged
Nov 29, 2023 -
C++: Add a new query for calling `c_str` on temporary objects
#14928 merged
Nov 29, 2023 -
JS: Add django template urls as "save urls"
#14943 merged
Nov 29, 2023 -
Mergeback post release changes from the `codeql-cli-2.15.3` branch to `main`
#14942 merged
Nov 28, 2023 -
C++: Expose whether a function was prototyped or not
#14921 merged
Nov 28, 2023 -
Swift: Heuristic sinks for swift/sql-injection
#14797 merged
Nov 28, 2023 -
C#: Prevent infinite recursion in `EqualsModuloTupleElementNames`
#14937 merged
Nov 28, 2023 -
Bump the extractor-dependencies group in /go/extractor with 1 update
#14932 merged
Nov 28, 2023 -
Python: Highlight missing post-update flow for `*args` and `**kwargs`
#14936 merged
Nov 28, 2023 -
C#: Pin integration tests to a specific .NET version.
#14878 merged
Nov 27, 2023 -
Kotlin 2: Accept some location changes in test-kotlin2/library-tests/stmts
#14906 merged
Nov 27, 2023 -
Swift: More sinks for swift/uncontrolled-format-string
#14807 merged
Nov 27, 2023 -
Java Automodel extraction: remove primitives in framework mode
#14849 merged
Nov 27, 2023 -
Swift: final 5.8/5.9 extractions
#14800 merged
Nov 27, 2023 -
C++: Don't exclude `ExprNode`s as sources
#14911 merged
Nov 24, 2023 -
Swift: Flow models for Set
#14908 merged
Nov 24, 2023 -
Swift: "contentsOf" sources
#14879 merged
Nov 24, 2023 -
C++: Remove workaround for negated conditions in `cpp/user-controlled-bypass`
#14907 merged
Nov 24, 2023 -
C++: Do not use `isReturnValue` in `getenv`, `gets`, and `fgets` models
#14903 merged
Nov 24, 2023 -
C++: Rewrite `cpp/user-controlled-bypass` away from `DefaultTaintTracking`
#14896 merged
Nov 24, 2023 -
C++: Add Taint through int -> bool casts
#14904 merged
Nov 24, 2023 -
Ruby: Add tests illustrating missing flow
#14859 merged
Nov 24, 2023 -
Ruby: Add test for missing block flow
#14874 merged
Nov 24, 2023 -
Kotlin: Add LighterAST support to numlines extraction
#14887 merged
Nov 24, 2023 -
C++: Don't short circuit logical negation in conditions
#14894 merged
Nov 24, 2023 -
Go: improve CallNode documentation
#14882 merged
Nov 24, 2023 -
JS: extend DatabaseAccess by `TypeORM` and `sqlite` and `better-sqlite3` packages
#14302 merged
Nov 24, 2023 -
Codegen: allow marking properties as internal
#14902 merged
Nov 24, 2023 -
Swift: extract `MacroDecl`
#14796 merged
Nov 24, 2023 -
Codegen: fix bug where stub rewriting globbles too much code
#14893 merged
Nov 23, 2023 -
C++: Rewrite `cpp/tainted-permissions-check` to not use `DefaultTaintTracking`
#14886 merged
Nov 23, 2023 -
Fix changelog docs based on latest generator version
#14889 merged
Nov 23, 2023 -
C++: Rewrite `cpp/user-controlled-null-termination-tainted` away from `DefaultTaintTracking`
#14881 merged
Nov 23, 2023 -
Go: Change how we refer to a query in a change note
#14890 merged
Nov 23, 2023 -
Golang: Web Cache Deception Vulnerability
#14775 merged
Nov 23, 2023 -
C#: Add flow steps for View calls referring to Razor pages
#14343 merged
Nov 23, 2023 -
Python: support `*args` and `**kwargs` in request handlers
#14353 merged
Nov 23, 2023 -
Swift: generate more QLdocs
#14864 merged
Nov 23, 2023
29 Pull requests opened by 21 people
-
Swift: Add Unsafe Unpacking Query (CWE-022)
#14888 opened
Nov 23, 2023 -
C#: Add test case for ambiguous types in Standalone extraction
#14891 opened
Nov 23, 2023 -
C#: Update to .NET 8.
#14892 opened
Nov 23, 2023 -
Kotlin: Add a 2.0.255 snapshot
#14895 opened
Nov 23, 2023 -
C++: Relax the dbscheme for `link_targets/2`
#14897 opened
Nov 23, 2023 -
Update CodeQL model editor info for revised UI
#14898 opened
Nov 23, 2023 -
C++: Remove `DefaultTaintTracking` library
#14909 opened
Nov 24, 2023 -
CPP: Add query for detecting incorrect error checking for scanf
#14910 opened
Nov 24, 2023 -
C++: Deprecate `isUserInput`, `userInputArgument`, and `userInputReturned`
#14912 opened
Nov 24, 2023 -
Java: add Spring models
#14913 opened
Nov 27, 2023 -
C++: Add field flow for addresses of fields and use in `cpp/double-free` and `cpp/use-after-free`
#14915 opened
Nov 27, 2023 -
Ruby: Add mysql2 model
#14916 opened
Nov 27, 2023 -
Python: Add support for extraction filters
#14918 opened
Nov 27, 2023 -
Java: openjdk model autogeneration
#14919 opened
Nov 27, 2023 -
Swift: Imprecise Taint Flows
#14925 opened
Nov 27, 2023 -
Java: Improve Gson parse, get, and stream models
#14926 opened
Nov 27, 2023 -
Fix sphinx.add_lexer.
#14934 opened
Nov 28, 2023 -
Go: improve test unhandled close writable handle
#14938 opened
Nov 28, 2023 -
Kotlin 2: Comment improvements
#14940 opened
Nov 28, 2023 -
Kotlin 2: Accept some location changes
#14941 opened
Nov 28, 2023 -
Python: Basic implementation of variable capture
#14944 opened
Nov 28, 2023 -
draft implement rudimentary queries
#14948 opened
Nov 29, 2023 -
C#: Fix a URL redirection from remote source false positive
#14953 opened
Nov 29, 2023 -
32 cpp string concatenation library
#14954 opened
Nov 29, 2023 -
C#: Prefer framework assemblies over arbitrary nuget equivalents
#14957 opened
Nov 30, 2023 -
Add documentation note on not supporting Objective-C(++), C++/CLI, and C++/CX
#14958 opened
Nov 30, 2023 -
Kotlin: add support for ktor Framework
#14959 opened
Nov 30, 2023 -
yeast: tree output
#14960 opened
Nov 30, 2023 -
C++: Replace a `strictcount(...)` with `unique(...)`
#14961 opened
Nov 30, 2023
12 Issues closed by 12 people
-
Null Pointer deref false positive
#14945 closed
Nov 29, 2023 -
Question: False positive in Path traversal - Java
#14922 closed
Nov 29, 2023 -
Failed to create database on Android
#14404 closed
Nov 29, 2023 -
codeql_cpp QL pack not found
#14917 closed
Nov 29, 2023 -
False positive: "Potentially unsafe external link" with Django template language
#12267 closed
Nov 29, 2023 -
codeql says current master is affected by code injection but shows past commits
#14935 closed
Nov 28, 2023 -
Query pack codeql/go-queries cannot be found
#14884 closed
Nov 28, 2023 -
Will Objective C and Objective C++ be supported in CodeQL?
#14923 closed
Nov 28, 2023 -
General issue:create java project database failed
#14933 closed
Nov 28, 2023 -
Documentation for model YML files
#14920 closed
Nov 27, 2023 -
codeql won't work with chromium special file
#13849 closed
Nov 27, 2023
9 Issues opened by 9 people
-
Seeking guidance on detecting null pointer dereferences
#14956 opened
Nov 30, 2023 -
cpp/memory-may-not-be-freed is not in security-and-quality suite
#14955 opened
Nov 30, 2023 -
False positive: C# URL redirection from remote source
#14952 opened
Nov 29, 2023 -
CodeQL reporting 0 lines of c# code in a simple action
#14951 opened
Nov 29, 2023 -
Failure to create CodeQL database with latest Visual Studio (17.8.1)
#14927 opened
Nov 27, 2023 -
Missing methods and constructors in Java GSON model
#14924 opened
Nov 27, 2023 -
Wrong Pointer Size in Database for Chromium
#14914 opened
Nov 27, 2023 -
Slow performing checks on our repository from Code QL
#14905 opened
Nov 24, 2023 -
General issue Python:Unable to recognize calling a method through an instance member of a class
#14899 opened
Nov 23, 2023
29 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
JS: Add Permissive CORS query (CWE-942)
#14342 commented on
Nov 29, 2023 • 19 new comments -
Go: fasthttp
#14123 commented on
Nov 27, 2023 • 17 new comments -
Java: Add support for Java 21 language features
#14671 commented on
Nov 28, 2023 • 16 new comments -
Python: Add dataflow consistency query
#8457 commented on
Nov 28, 2023 • 13 new comments -
DataFlow: Add language-specific predicate for ignoring steps in flow-through calculation
#14799 commented on
Nov 28, 2023 • 9 new comments -
Go: Add Rs Cors Support
#14873 commented on
Nov 23, 2023 • 9 new comments -
Python: Decompression Bombs
#13557 commented on
Nov 27, 2023 • 6 new comments -
[CSharp] AWS Lambda Modelling
#13110 commented on
Nov 28, 2023 • 4 new comments -
Swift: implement type pruning for dataflow
#14592 commented on
Nov 29, 2023 • 3 new comments -
C#: Strengthen call-back heuristics by considering body-less methods
#14832 commented on
Nov 28, 2023 • 3 new comments -
C++ extractor fails to process code based on Unreal Engine
#13994 commented on
Nov 30, 2023 • 2 new comments -
Move `FlowSummaryImpl.qll` to `dataflow` pack
#14573 commented on
Nov 27, 2023 • 2 new comments -
Swift: More sinks for swift/cleartext-logging
#14853 commented on
Nov 28, 2023 • 2 new comments -
LGTM.com - false positive "Statement has no effect" for Python await
#11235 commented on
Nov 23, 2023 • 1 new comment -
workflow yml file configuration
#14652 commented on
Nov 25, 2023 • 1 new comment -
A typedef defined with extern "C" prevents CodeQL from finding the TypdefType of a C++ member function's FunctionDeclarationEntry
#14869 commented on
Nov 27, 2023 • 1 new comment -
Few questions about semmle-extractor-options
#14826 commented on
Nov 30, 2023 • 1 new comment -
Java: Decompression Bombs
#13555 commented on
Nov 29, 2023 • 1 new comment -
Java: Add Weak Randomness Query (CWE-330/338)
#13608 commented on
Nov 29, 2023 • 1 new comment -
JS: decoding JWT without signature verification
#14088 commented on
Nov 24, 2023 • 1 new comment -
Python : Unable to follow taint through indirect calls
#14842 commented on
Nov 27, 2023 • 0 new comments -
[Go] Add Unicode Bypass Validation query, test and help file
#12994 commented on
Nov 24, 2023 • 0 new comments -
Temporarily run the standalone extractor instead of autobuilding
#14324 commented on
Nov 27, 2023 • 0 new comments -
Swift: extract types for patterns
#14570 commented on
Nov 29, 2023 • 0 new comments -
Ruby: refine `ActiveRecord` `update_all` as an SQL sink
#14627 commented on
Nov 24, 2023 • 0 new comments -
Ruby: Experimental model editor support
#14679 commented on
Nov 27, 2023 • 0 new comments -
Go: Switch from def-use flow to use-use flow
#14751 commented on
Nov 28, 2023 • 0 new comments -
Java: Insecure Loading of Class in Android App without Package Signature Checking
#14752 commented on
Nov 30, 2023 • 0 new comments -
Swift: move keypath dataflow writes to fix types
#14865 commented on
Nov 29, 2023 • 0 new comments