56 Pull requests merged by 26 people

• Post-release preparation for codeql-cli-2.15.4

  #15032 merged Dec 7, 2023

• C#: Parameter defaults for `nint` and `nuint` in compiled code.

  #15036 merged Dec 7, 2023

• C#: Support interpolated strings in `StringBuilder.Append`

  #15010 merged Dec 7, 2023

• Swift: Add some tests and model SecKeyCopyExternalRepresentation

  #15007 merged Dec 7, 2023

• C#: Change `StringBuilder` flow models to not use `Element` access path

  #15025 merged Dec 7, 2023

• C#: Add interpolated string handler attributes to generated stubs

  #15024 merged Dec 7, 2023

• C++: Also support the `__noreturn__` attribute in `exits`

  #15027 merged Dec 6, 2023

• Release preparation for version 2.15.4

  #15031 merged Dec 6, 2023

• docs: update supported Swift version

  #15029 merged Dec 6, 2023

• Swift: extract types for patterns

  #14570 merged Dec 6, 2023

• C++: replace Guards with IRGuards

  #14992 merged Dec 6, 2023

• Kotlin: Fix dataflow with Array.set wrappers

  #15023 merged Dec 6, 2023

• C#: Only consider latest version of dotnet framework flavors

  #14994 merged Dec 6, 2023

• Docs: DataFlow: Add a missing qualifier

  #15009 merged Dec 6, 2023

• C++: Fix handling of unreached instructions in IRGuards

  #15021 merged Dec 6, 2023

• Swift: fix autobuilder bug when Xcode failure breaks the whole autobuild process

  #15004 merged Dec 6, 2023

• DataFlow: Add language-specific predicate for ignoring steps in flow-through calculation

  #14799 merged Dec 6, 2023

• Swift: Simplify AdoptsWkNavigationDelegate in WebView.qll.

  #14692 merged Dec 6, 2023

• C++: Add `_Exit` to the list of exiting (non-returning) functions

  #15015 merged Dec 6, 2023

• Swift: More sinks for swift/cleartext-logging

  #14853 merged Dec 6, 2023

• Go: Improve tests for Incorrect Integer Conversion

  #14962 merged Dec 6, 2023

• C++: Relax the dbscheme for `link_targets/2`

  #14897 merged Dec 5, 2023

• Post-release preparation for codeql-cli-2.15.4

  #15014 merged Dec 5, 2023

• Revert "Bump actions/labeler from 4 to 5"

  #15016 merged Dec 5, 2023

• Ruby: Adopt shared type tracking library

  #14709 merged Dec 5, 2023

• Kotlin: Track taint through Array.get/set

  #15008 merged Dec 5, 2023

• Release preparation for version 2.15.4

  #15013 merged Dec 5, 2023

• Python: remove EssaNodes

  #14777 merged Dec 5, 2023

• Bump actions/setup-dotnet from 3 to 4

  #15002 merged Dec 5, 2023

• Bump actions/labeler from 4 to 5

  #15003 merged Dec 5, 2023

• C++: Fix IRGuards ternary behaviour

  #15005 merged Dec 5, 2023

• C#: Fix a URL redirection from remote source false positive

  #14953 merged Dec 5, 2023

• C++: Reduce duplication from crement operations

  #14867 merged Dec 5, 2023

• Kotlin: Accept some location changes in test-kotlin2/library-tests/vararg

  #14997 merged Dec 5, 2023

• C#: Add a few more `is (not) null` tests

  #14990 merged Dec 5, 2023

• Update CSV framework coverage reports

  #15000 merged Dec 5, 2023

• C#: Prefer assembly version over netcore version in conflict resolution

  #14991 merged Dec 5, 2023

• C++: Fix `chmod` prototype in toctou test and additional test

  #14996 merged Dec 4, 2023

• Go: improve test unhandled close writable handle

  #14938 merged Dec 4, 2023

• Java: add Spring models

  #14913 merged Dec 4, 2023

• Document threat models

  #14976 merged Dec 4, 2023

• Update inconsistent CWE tags

  #14993 merged Dec 4, 2023

• Ruby: refine `ActiveRecord` `update_all` as an SQL sink

  #14627 merged Dec 4, 2023

• Java: report any extracted file as successfully extracted

  #14988 merged Dec 4, 2023

• Python: Add dataflow consistency query

  #8457 merged Dec 4, 2023

• C#: Strengthen call-back heuristics by considering body-less methods

  #14832 merged Dec 4, 2023

• C#: Fix problem with logging unused packages.

  #14982 merged Dec 4, 2023

• C#: Prefer framework assemblies over arbitrary nuget equivalents

  #14957 merged Dec 4, 2023

• Prepare for the bazel 7 upgrade.

  #14979 merged Dec 4, 2023

• C++: Replace a `strictcount(...)` with `unique(...)`

  #14961 merged Dec 4, 2023

• C++: Remove unneeded dataflow imports

  #14987 merged Dec 4, 2023

• YEAST: Make some more fixes to rules.

  #14986 merged Dec 1, 2023

• Hackathinfixes

  #14985 merged Dec 1, 2023

• YEAST: Disable trace macro expandtion feature

  #14980 merged Dec 1, 2023

• YEAST: Allow multiple output nodes and merge in no-children

  #14975 merged Dec 1, 2023

• yeast: tree output

  #14960 merged Dec 1, 2023

14 Pull requests opened by 11 people

• Fix rst code format.

  #14977 opened Dec 1, 2023

• Data Flow: Deprecate old data flow api.

  #14983 opened Dec 1, 2023

• Java: Just make the implementation slightly clearer for threat models.

  #14984 opened Dec 1, 2023

• python-package-conda.yml

  #14989 opened Dec 2, 2023

• Java: Fix FPs in Missing certificate pinning

  #15012 opened Dec 5, 2023

• Bump actions/labeler from 4 to 5

  #15017 opened Dec 6, 2023

• Java: Deprecate or remove imports of dataflow library copies

  #15026 opened Dec 6, 2023

• Python: Remove control flow nodes for module entry definitions from the dataflow graph.

  #15030 opened Dec 6, 2023

• Bump actions/setup-python from 4 to 5

  #15033 opened Dec 7, 2023

• Bump actions/setup-go from 4 to 5

  #15034 opened Dec 7, 2023

• Ruby: Include ancestors in type generation

  #15035 opened Dec 7, 2023

• Rangeanalysis: Prune range calculation.

  #15037 opened Dec 7, 2023

• Swift: Model Manual Memory Management closure functions and withMemoryRebound variants

  #15038 opened Dec 7, 2023

• C#: Add flow steps from a PageModel to cshtml page.

  #15039 opened Dec 7, 2023

9 Issues closed by 9 people

• File name too long

  #15018 closed Dec 7, 2023

• C++: Return statement inside Guard Block

  #15001 closed Dec 7, 2023

• CodeQL reporting 0 lines of c# code in a simple action

  #14951 closed Dec 6, 2023

• False positive: C# URL redirection from remote source

  #14952 closed Dec 5, 2023

• workflow yml file configuration

  #14652 closed Dec 3, 2023

• codeql can't handle chromium dataflow

  #14973 closed Dec 1, 2023

• VS 17.8.2 compiler not being recognized

  #14978 closed Dec 1, 2023

• Seeking guidance on detecting null pointer dereferences

  #14956 closed Dec 1, 2023

• codeql report "ERROR: 'funcName' is not bound to a value" when using `not exist` clause

  #14974 closed Dec 1, 2023

3 Issues opened by 3 people

• Improve `cpp/wrong-type-format-argument` by adding correct formatting specifier

  #15028 opened Dec 6, 2023

• CodeQL adds redundant slash to upload sarif file endpoint

  #15020 opened Dec 6, 2023

• C# Dataflow limited heavily by lack of support for ServiceProvider and Dependency Injection tracking

  #14998 opened Dec 4, 2023

31 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Go: fasthttp

  #14123 commented on Dec 7, 2023 • 17 new comments

• 32 cpp string concatenation library

  #14954 commented on Dec 4, 2023 • 15 new comments

• Ruby: Experimental model editor support

  #14679 commented on Dec 7, 2023 • 9 new comments

• C#: Extract and use ambiguous type information for call target resolution

  #14891 commented on Dec 5, 2023 • 8 new comments

• Java: Environment variable injection query

  #14724 commented on Dec 5, 2023 • 7 new comments

• CPP: Add query for detecteing incorrect error checking for scanf

  #14910 commented on Dec 5, 2023 • 7 new comments

• JS: Add Permissive CORS query (CWE-942)

  #14342 commented on Dec 7, 2023 • 6 new comments

• Java: Add Weak Randomness Query (CWE-330/338)

  #13608 commented on Dec 7, 2023 • 5 new comments

• C++: Experimental query for implementation of a cryptographic primitive

  #14972 commented on Dec 6, 2023 • 5 new comments

• JS: provide command execution sinks for execa package

  #14294 commented on Dec 6, 2023 • 4 new comments

• Swift: Imprecise Taint Flows

  #14925 commented on Dec 5, 2023 • 4 new comments

• Failure to create CodeQL database with latest Visual Studio (17.8.1)

  #14927 commented on Dec 7, 2023 • 3 new comments

• Python: Decompression Bombs

  #13557 commented on Dec 7, 2023 • 2 new comments

• A typedef defined with extern "C" prevents CodeQL from finding the TypdefType of a C++ member function's FunctionDeclarationEntry

  #14869 commented on Dec 5, 2023 • 1 new comment

• JS: [WIP] Add `dot.js` support

  #13624 commented on Dec 4, 2023 • 1 new comment

• Move `FlowSummaryImpl.qll` to `dataflow` pack

  #14573 commented on Dec 7, 2023 • 1 new comment

• Go: Switch from def-use flow to use-use flow

  #14751 commented on Dec 6, 2023 • 1 new comment

• Fix sphinx.add_lexer.

  #14934 commented on Dec 6, 2023 • 1 new comment

• Kotlin: add support for ktor Framework

  #14959 commented on Dec 1, 2023 • 1 new comment

• Java: Add support for algorithm names specified in `.properties` files to `java/potentially-weak-cryptographic-algorithm`

  #14040 commented on Dec 4, 2023 • 0 new comments

• Temporarily run the standalone extractor instead of autobuilding

  #14324 commented on Dec 7, 2023 • 0 new comments

• [Feature branch] JS: Migrate to shared dataflow library

  #14412 commented on Dec 6, 2023 • 0 new comments

• Ruby: Add Insecure Randomness Query

  #14554 commented on Dec 4, 2023 • 0 new comments

• Java: Add `.properties` file references in integration tests

  #14802 commented on Dec 7, 2023 • 0 new comments

• Python: Adopt shared type tracking library

  #14848 commented on Dec 7, 2023 • 0 new comments

• Java: Promote Unsafe URL Forward query from experimental

  #14854 commented on Dec 1, 2023 • 0 new comments

• C#: Update to .NET 8.

  #14892 commented on Dec 7, 2023 • 0 new comments

• C++: Remove `DefaultTaintTracking` library

  #14909 commented on Dec 7, 2023 • 0 new comments

• C++: Add field flow for addresses of fields and use in `cpp/double-free` and `cpp/use-after-free`

  #14915 commented on Dec 7, 2023 • 0 new comments

• Ruby: Add mysql2 model

  #14916 commented on Dec 7, 2023 • 0 new comments

• Python: Basic implementation of variable capture

  #14944 commented on Dec 6, 2023 • 0 new comments