51 Pull requests merged by 26 people

• Kotlin: Track taint through Array.get/set

  #15008 merged Dec 5, 2023

• Release preparation for version 2.15.4

  #15013 merged Dec 5, 2023

• Python: remove EssaNodes

  #14777 merged Dec 5, 2023

• Bump actions/setup-dotnet from 3 to 4

  #15002 merged Dec 5, 2023

• Bump actions/labeler from 4 to 5

  #15003 merged Dec 5, 2023

• C++: Fix IRGuards ternary behaviour

  #15005 merged Dec 5, 2023

• C#: Fix a URL redirection from remote source false positive

  #14953 merged Dec 5, 2023

• C++: Reduce duplication from crement operations

  #14867 merged Dec 5, 2023

• Kotlin: Accept some location changes in test-kotlin2/library-tests/vararg

  #14997 merged Dec 5, 2023

• C#: Add a few more `is (not) null` tests

  #14990 merged Dec 5, 2023

• Update CSV framework coverage reports

  #15000 merged Dec 5, 2023

• C#: Prefer assembly version over netcore version in conflict resolution

  #14991 merged Dec 5, 2023

• C++: Fix `chmod` prototype in toctou test and additional test

  #14996 merged Dec 4, 2023

• Go: improve test unhandled close writable handle

  #14938 merged Dec 4, 2023

• Java: add Spring models

  #14913 merged Dec 4, 2023

• Document threat models

  #14976 merged Dec 4, 2023

• Update inconsistent CWE tags

  #14993 merged Dec 4, 2023

• Ruby: refine `ActiveRecord` `update_all` as an SQL sink

  #14627 merged Dec 4, 2023

• Java: report any extracted file as successfully extracted

  #14988 merged Dec 4, 2023

• Python: Add dataflow consistency query

  #8457 merged Dec 4, 2023

• C#: Strengthen call-back heuristics by considering body-less methods

  #14832 merged Dec 4, 2023

• C#: Fix problem with logging unused packages.

  #14982 merged Dec 4, 2023

• C#: Prefer framework assemblies over arbitrary nuget equivalents

  #14957 merged Dec 4, 2023

• Prepare for the bazel 7 upgrade.

  #14979 merged Dec 4, 2023

• C++: Replace a `strictcount(...)` with `unique(...)`

  #14961 merged Dec 4, 2023

• C++: Remove unneeded dataflow imports

  #14987 merged Dec 4, 2023

• YEAST: Make some more fixes to rules.

  #14986 merged Dec 1, 2023

• Hackathinfixes

  #14985 merged Dec 1, 2023

• YEAST: Disable trace macro expandtion feature

  #14980 merged Dec 1, 2023

• YEAST: Allow multiple output nodes and merge in no-children

  #14975 merged Dec 1, 2023

• yeast: tree output

  #14960 merged Dec 1, 2023

• yeast: Add a bare-bones binary

  #14970 merged Nov 30, 2023

• Python: Add support for extraction filters

  #14918 merged Nov 30, 2023

• Remove unwanted period from query name

  #14969 merged Nov 30, 2023

• Update CodeQL model editor info for revised UI

  #14898 merged Nov 30, 2023

• YEAST: Hookup query code

  #14971 merged Nov 30, 2023

• Swift: move keypath dataflow writes to fix types

  #14865 merged Nov 30, 2023

• YEAST: Add missing method

  #14968 merged Nov 30, 2023

• Yeast: Implement matcher and tree builders

  #14966 merged Nov 30, 2023

• YEAST: implement applyRules

  #14967 merged Nov 30, 2023

• Java: Add support for Java 21 language features

  #14671 merged Nov 30, 2023

• YEAST: implement `tryRule` and insert placeholders for `isMatch`, `applyRules`

  #14964 merged Nov 30, 2023

• YEAST: update some interfaces ahead of merging actual implementations

  #14963 merged Nov 30, 2023

• Add documentation note on not supporting Objective-C(++), C++/CLI, and C++/CX

  #14958 merged Nov 30, 2023

• Java: Add test for empty argfile

  #14950 merged Nov 29, 2023

• Docs: List Python 3.12 as supported

  #14946 merged Nov 29, 2023

• yeast: update debug format to be more readable

  #14949 merged Nov 29, 2023

• yeast: parse input into the AST

  #14947 merged Nov 29, 2023

• C++: Add a new query for calling `c_str` on temporary objects

  #14928 merged Nov 29, 2023

• JS: Add django template urls as "save urls"

  #14943 merged Nov 29, 2023

• Mergeback post release changes from the `codeql-cli-2.15.3` branch to `main`

  #14942 merged Nov 28, 2023

17 Pull requests opened by 14 people

• Python: Basic implementation of variable capture

  #14944 opened Nov 28, 2023

• 32 cpp string concatenation library

  #14954 opened Nov 29, 2023

• Kotlin: add support for ktor Framework

  #14959 opened Nov 30, 2023

• Go: Improve tests for Incorrect Integer Conversion

  #14962 opened Nov 30, 2023

• C++: Experimental query for implementation of a cryptographic primitive

  #14972 opened Nov 30, 2023

• Fix rst code format.

  #14977 opened Dec 1, 2023

• Data Flow: Deprecate old data flow api.

  #14983 opened Dec 1, 2023

• Java: Just make the implementation slightly clearer for threat models.

  #14984 opened Dec 1, 2023

• python-package-conda.yml

  #14989 opened Dec 2, 2023

• C++: replace Guards with IRGuards

  #14992 opened Dec 4, 2023

• C#: Only consider latest version of dotnet framework flavors

  #14994 opened Dec 4, 2023

• Swift: fix autobuilder bug when Xcode failure breaks the whole autobuild process

  #15004 opened Dec 5, 2023

• Swift: Add some tests and model SecKeyCopyExternalRepresentation

  #15007 opened Dec 5, 2023

• Docs: DataFlow: Add a missing qualifier

  #15009 opened Dec 5, 2023

• C#: WIP: Support interpolated strings in `StringBuilder.Append`

  #15010 opened Dec 5, 2023

• C#: UIntPtr and IntPtr defaults in assemblies.

  #15011 opened Dec 5, 2023

• Java: Fix FPs in Missing certificate pinning

  #15012 opened Dec 5, 2023

13 Issues closed by 14 people

• False positive: C# URL redirection from remote source

  #14952 closed Dec 5, 2023

• workflow yml file configuration

  #14652 closed Dec 3, 2023

• codeql can't handle chromium dataflow

  #14973 closed Dec 1, 2023

• VS 17.8.2 compiler not being recognized

  #14978 closed Dec 1, 2023

• Seeking guidance on detecting null pointer dereferences

  #14956 closed Dec 1, 2023

• codeql report "ERROR: 'funcName' is not bound to a value" when using `not exist` clause

  #14974 closed Dec 1, 2023

• Slow performing checks on our repository from Code QL

  #14905 closed Nov 30, 2023

• Null Pointer deref false positive

  #14945 closed Nov 29, 2023

• Question: False positive in Path traversal - Java

  #14922 closed Nov 29, 2023

• Failed to create database on Android

  #14404 closed Nov 29, 2023

• codeql_cpp QL pack not found

  #14917 closed Nov 29, 2023

• False positive: "Potentially unsafe external link" with Django template language

  #12267 closed Nov 29, 2023

• codeql says current master is affected by code injection but shows past commits

  #14935 closed Nov 28, 2023

5 Issues opened by 5 people

• Getting error while creating codeQL Database for C# language

  #15006 opened Dec 5, 2023

• C++: Return statement inside Guard Block

  #15001 opened Dec 5, 2023

• C# Dataflow limited heavily by lack of support for ServiceProvider and Dependency Injection tracking

  #14998 opened Dec 4, 2023

• cpp/memory-may-not-be-freed is not in security-and-quality suite

  #14955 opened Nov 30, 2023

• CodeQL reporting 0 lines of c# code in a simple action

  #14951 opened Nov 29, 2023

34 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Ruby: Adopt shared type tracking library

  #14709 commented on Dec 5, 2023 • 9 new comments

• C#: Extract and use ambiguous type information for call target resolution

  #14891 commented on Dec 5, 2023 • 8 new comments

• Java: Environment variable injection query

  #14724 commented on Dec 5, 2023 • 7 new comments

• CPP: Add query for detecteing incorrect error checking for scanf

  #14910 commented on Dec 5, 2023 • 7 new comments

• JS: Add Permissive CORS query (CWE-942)

  #14342 commented on Dec 5, 2023 • 6 new comments

• Ruby: Experimental model editor support

  #14679 commented on Dec 5, 2023 • 5 new comments

• Swift: Imprecise Taint Flows

  #14925 commented on Dec 5, 2023 • 4 new comments

• Go: Decompression Bombs

  #13553 commented on Nov 30, 2023 • 3 new comments

• JS: provide command execution sinks for execa package

  #14294 commented on Dec 5, 2023 • 3 new comments

• Swift: implement type pruning for dataflow

  #14592 commented on Nov 29, 2023 • 3 new comments

• Go: Switch from def-use flow to use-use flow

  #14751 commented on Dec 5, 2023 • 3 new comments

• C++ extractor fails to process code based on Unreal Engine

  #13994 commented on Nov 30, 2023 • 2 new comments

• Few questions about semmle-extractor-options

  #14826 commented on Nov 30, 2023 • 1 new comment

• Add a way for C/C++ code compiled as a part of a CodeQL test to detect it is being tested

  #9425 commented on Nov 30, 2023 • 1 new comment

• A typedef defined with extern "C" prevents CodeQL from finding the TypdefType of a C++ member function's FunctionDeclarationEntry

  #14869 commented on Dec 5, 2023 • 1 new comment

• Java: Decompression Bombs

  #13555 commented on Nov 29, 2023 • 1 new comment

• Java: Add Weak Randomness Query (CWE-330/338)

  #13608 commented on Dec 4, 2023 • 1 new comment

• JS: [WIP] Add `dot.js` support

  #13624 commented on Dec 4, 2023 • 1 new comment

• Swift: extract types for patterns

  #14570 commented on Dec 5, 2023 • 1 new comment

• C++: Relax the dbscheme for `link_targets/2`

  #14897 commented on Nov 30, 2023 • 1 new comment

• Java: Add support for algorithm names specified in `.properties` files to `java/potentially-weak-cryptographic-algorithm`

  #14040 commented on Dec 4, 2023 • 0 new comments

• Temporarily run the standalone extractor instead of autobuilding

  #14324 commented on Dec 5, 2023 • 0 new comments

• [Feature branch] JS: Migrate to shared dataflow library

  #14412 commented on Dec 5, 2023 • 0 new comments

• Ruby: Add Insecure Randomness Query

  #14554 commented on Dec 4, 2023 • 0 new comments

• Swift: Simplify AdoptsWkNavigationDelegate in WebView.qll.

  #14692 commented on Dec 5, 2023 • 0 new comments

• Java: Insecure Loading of Class in Android App without Package Signature Checking

  #14752 commented on Nov 30, 2023 • 0 new comments

• DataFlow: Add language-specific predicate for ignoring steps in flow-through calculation

  #14799 commented on Dec 5, 2023 • 0 new comments

• Java: Add `.properties` file references in integration tests

  #14802 commented on Dec 4, 2023 • 0 new comments

• Swift: More sinks for swift/cleartext-logging

  #14853 commented on Dec 5, 2023 • 0 new comments

• Java: Promote Unsafe URL Forward query from experimental

  #14854 commented on Dec 1, 2023 • 0 new comments

• C#: Update to .NET 8.

  #14892 commented on Dec 5, 2023 • 0 new comments

• C++: Add field flow for addresses of fields and use in `cpp/double-free` and `cpp/use-after-free`

  #14915 commented on Dec 5, 2023 • 0 new comments

• Ruby: Add mysql2 model

  #14916 commented on Dec 4, 2023 • 0 new comments

• Fix sphinx.add_lexer.

  #14934 commented on Nov 30, 2023 • 0 new comments