58 Pull requests merged by 25 people

• C++: Add models for `GLib` allocation and deallocation

  #15900 merged Mar 13, 2024

• JS: allow more flow through .filter()

  #15893 merged Mar 13, 2024

• Merge in main

  #15904 merged Mar 13, 2024

• JS: Add support for TS 5.4

  #15510 merged Mar 13, 2024

• C++: Add IR tests for the destruction of temporaries

  #15899 merged Mar 13, 2024

• JS: Do not treat AMD pseudo-dependencies as imports

  #15768 merged Mar 13, 2024

• Kotlin 2: Accept more changes in the exprs test

  #15889 merged Mar 13, 2024

• Python: Add type-tracking consistency query

  #15776 merged Mar 13, 2024

• Ruby: Lower access path limit to 1 for `OrmTracking`

  #15866 merged Mar 13, 2024

• Ruby: Add some more command injection sinks

  #15524 merged Mar 13, 2024

• Update CSV framework coverage reports

  #15891 merged Mar 13, 2024

• C#: Add source models for values from the Windows registry

  #15877 merged Mar 12, 2024

• Java: Add path-injection sink for `ParcelFileDescriptor::open`

  #15869 merged Mar 12, 2024

• Java: More sanitizers for request-forgery

  #15731 merged Mar 12, 2024

• Java: Accept test changes

  #15876 merged Mar 12, 2024

• C#: Deduplicate not yet restored package names

  #15881 merged Mar 12, 2024

• Data flow: Add `ConfigSig::accessPathLimit`

  #15867 merged Mar 12, 2024

• C#: Delete the CIL extractor.

  #15794 merged Mar 12, 2024

• C++: Add a new query for detecting type confusion vulnerabilities

  #15820 merged Mar 12, 2024

• Add changelog for 2.16.4

  #15880 merged Mar 11, 2024

• Ruby: Model second argument of `ActiveRecord` `from`

  #15857 merged Mar 11, 2024

• Go: Promote `go/uncontrolled-allocation-size` from experimental

  #15843 merged Mar 11, 2024

• C#: Overall change note for C# 12 / .NET 8 support.

  #15868 merged Mar 11, 2024

• Python: Add example of missing use-use flow

  #15841 merged Mar 11, 2024

• python: Remove `TaintStepFromSummary`

  #15551 merged Mar 11, 2024

• Python: Add test for `ReturnValue.TupleElement[n]`

  #15855 merged Mar 11, 2024

• C++: Provide an initial SSA definition of the address of a variable

  #15835 merged Mar 11, 2024

• Bump chrono from 0.4.34 to 0.4.35 in /ql

  #15836 merged Mar 11, 2024

• C#: Change ID of buildless output assembly

  #15854 merged Mar 11, 2024

• Python: Add `.copy()` method call as copy step

  #15695 merged Mar 11, 2024

• Update CSV framework coverage reports

  #15859 merged Mar 11, 2024

• C#: Remove `AddLocalSource` classes from queries

  #15756 merged Mar 11, 2024

• C#: Remove `Stored` variants of queries

  #15629 merged Mar 11, 2024

• Go: Decompression Bombs

  #13553 merged Mar 10, 2024

• C#: Add more `environment` and `commandargs` sources for the C# Standard Library

  #15605 merged Mar 8, 2024

• C#: Add references to threat modeling to C# Models-as-Data documentation

  #15758 merged Mar 8, 2024

• Ruby: Exclude calls with arguments from `OrmFieldAsSource`

  #15847 merged Mar 8, 2024

• JS: Call graph improvements

  #15823 merged Mar 8, 2024

• JS: Summarise store steps for type tracking

  #15760 merged Mar 8, 2024

• Kotlin 2: Accept some more loc changes in exprs test

  #15848 merged Mar 8, 2024

• csharp update MaD for HttpRequestMessage

  #15851 merged Mar 8, 2024

• C#: Remove IR queries.

  #15838 merged Mar 8, 2024

• JS: Improve detection of classes with escaping instances

  #15763 merged Mar 8, 2024

• Data flow: Allow for direct stores into nodes with `clearsContent`

  #15821 merged Mar 8, 2024

• Java: Add tests for multi-release jars under Java 11 and 17

  #15778 merged Mar 7, 2024

• C#: Deprecate dotnet and CIL in QL.

  #15736 merged Mar 7, 2024

• C#: Improve `global.json` file parsing

  #15844 merged Mar 7, 2024

• C#: Change `System.IO.TextReader` models to transfer taint to out parameter

  #15798 merged Mar 7, 2024

• Java: Explicitly import Lock class

  #15839 merged Mar 7, 2024

• Python: Copy Python extractor to `codeql` repo

  #15754 merged Mar 7, 2024

• Shared: Fill some QLDoc holes

  #15705 merged Mar 7, 2024

• Kotlin 2: Accept more loc changes in exprs test

  #15829 merged Mar 7, 2024

• Kotlin: Docs: Give upper bound as 1.9.2x rather than 1.9.20

  #15799 merged Mar 7, 2024

• Dataflow: Misc performance fixes

  #15822 merged Mar 7, 2024

• C#: Improve buildless progress reporting

  #15827 merged Mar 7, 2024

• Post-release preparation for codeql-cli-2.16.4

  #15834 merged Mar 7, 2024

• Release preparation for version 2.16.4

  #15833 merged Mar 6, 2024

• Revert "Release preparation for version 2.16.4"

  #15832 merged Mar 6, 2024

23 Pull requests opened by 18 people

• Python: Build external extractor

  #15845 opened Mar 7, 2024

• Data flow: Replace `hasLocationInfo` with `getLocation`

  #15853 opened Mar 8, 2024

• C# [Experimental]: Api type-flow.

  #15856 opened Mar 8, 2024

• C++: IR translation of temporary destructors

  #15858 opened Mar 8, 2024

• Bump tree-sitter from 0.20.10 to 0.22.1 in /ql

  #15862 opened Mar 11, 2024

• Go: Allow `BuildScript`s to have multiple build commands and add `yarn build`

  #15864 opened Mar 11, 2024

• Go: extractor: do not store intermediate values in long string concatenations

  #15865 opened Mar 11, 2024

• Mark lines of code queries as telemetry queries

  #15874 opened Mar 11, 2024

• C++: Clean up `cpp/non-constant-format`

  #15875 opened Mar 11, 2024

• JS: Add `DataFlow::Node.getLocation`

  #15882 opened Mar 12, 2024

• JS: show test changes after #15823

  #15883 opened Mar 12, 2024

• C#: CIL and Dotnet cleanup (removal).

  #15884 opened Mar 12, 2024

• C#: Fully qualified name.

  #15887 opened Mar 12, 2024

• [cpp-docs] Fix 404 link in guards library doc.

  #15890 opened Mar 12, 2024

• Java: update the url-redirection in the same style as the C# qhelp

  #15895 opened Mar 13, 2024

• Java: update expected output

  #15896 opened Mar 13, 2024

• Java: add test for partial gradle wrapper without gradle on the path

  #15897 opened Mar 13, 2024

• C++: Introduce re-use expressions in the database scheme

  #15901 opened Mar 13, 2024

• C#: Remove hard-coded local sources from the uncontrolled-format-string query.

  #15902 opened Mar 13, 2024

• Python: test MaD syntax for keyword argument

  #15903 opened Mar 13, 2024

• Python: Start modelling the standard library using MaD

  #15905 opened Mar 13, 2024

• Java: Add more neutral JDK models

  #15906 opened Mar 13, 2024

• [Draft] Ruby: Model ActiveDispatch::Http::UploadedFile

  #15907 opened Mar 13, 2024

4 Issues closed by 4 people

• Support for langVersion 12 and Net 8

  #14803 closed Mar 11, 2024

• Create AOSP C/C++ database in a easy way ?

  #15860 closed Mar 9, 2024

• Linux arm64 Support

  #15831 closed Mar 7, 2024

• codeql unable to correctly parse a valid js file

  #15842 closed Mar 7, 2024

7 Issues opened by 7 people

• C++: extractor fails when compiling with custom clang build

  #15898 opened Mar 13, 2024

• False positive for `go/incomplete-hostname-regexp` and `\Q`

  #15894 opened Mar 13, 2024

• Mapping CWEs to a Codeql Query

  #15892 opened Mar 13, 2024

• Chromium build snapshot missing several functions

  #15888 opened Mar 12, 2024

• ERROR: Uncaught Windows exception (EXCEPTION_STACK_OVERFLOW)

  #15885 opened Mar 12, 2024

• Ruby: support HAML template files

  #15863 opened Mar 11, 2024

• General issue: CodeQL seems to hang after 44s and stops after 6h

  #15852 opened Mar 8, 2024

29 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• C++: Implement models-as-data

  #15371 commented on Mar 13, 2024 • 29 new comments

• [Python] Add Unicode DoS (qhelp, tests and the query)

  #15319 commented on Mar 13, 2024 • 25 new comments

• [Feature branch] JS: Migrate to shared dataflow library

  #14412 commented on Mar 13, 2024 • 19 new comments

• Go: Add and Modify Sanitizers For TaintedPath

  #11703 commented on Mar 12, 2024 • 5 new comments

• python: Rewrite `HardcodedCredentials` away from `PointsTo`

  #15729 commented on Mar 7, 2024 • 3 new comments

• C#: Add source models for `file` threat model/source kind for .NET standard library

  #15784 commented on Mar 13, 2024 • 2 new comments

• JS: Add Permissive CORS query (CWE-942)

  #14342 commented on Mar 13, 2024 • 2 new comments

• Java: Promote Unsafe URL Forward query from experimental

  #14854 commented on Mar 13, 2024 • 1 new comment

• Ruby: Add a query for CSRF protection not enabled

  #14308 commented on Mar 12, 2024 • 1 new comment

• Ruby: Decompression Bombs

  #13556 commented on Mar 10, 2024 • 1 new comment

• JS: Decompression Bombs

  #13554 commented on Mar 10, 2024 • 1 new comment

• Support new React directives

  #13296 commented on Mar 13, 2024 • 1 new comment

• CodeQL Package Manger and CodeQL Packs Beta Status

  #15287 commented on Mar 12, 2024 • 1 new comment

• CodeQL detected code written in Java but could not process any of it.General issue

  #14066 commented on Mar 11, 2024 • 1 new comment

• Path-problem result pattern

  #15744 commented on Mar 9, 2024 • 1 new comment

• Including All Query Results in .sarif File

  #15815 commented on Mar 7, 2024 • 1 new comment

• Python: New command execution sinks

  #15715 commented on Mar 6, 2024 • 0 new comments

• Python: Add type tracking for content

  #15711 commented on Mar 12, 2024 • 0 new comments

• Data flow: Account for hidden `subpath` wrappers

  #15734 commented on Mar 7, 2024 • 0 new comments

• C++: Output destructors of temporary objects

  #15770 commented on Mar 11, 2024 • 0 new comments

• Variable capture: Avoid overlapping and false-positive data flow paths

  #15802 commented on Mar 11, 2024 • 0 new comments

• C# WIP: Change pre-finalize to run standalone extraction - 2

  #15828 commented on Mar 12, 2024 • 0 new comments

• Dataflow: update fieldFlowBranchLimit semantics

  #15599 commented on Mar 7, 2024 • 0 new comments

• Python: remove assignments handled by capture library

  #15255 commented on Mar 11, 2024 • 0 new comments

• UAF not flagged

  #15806 commented on Mar 7, 2024 • 0 new comments

• [Java] Extract all unit test methods and the methods they call

  #15747 commented on Mar 7, 2024 • 0 new comments

• C# builds fails when invoking command from dotnet tools

  #15788 commented on Mar 7, 2024 • 0 new comments

• CodeQL failed to compile C# program based on Unity

  #15807 commented on Mar 7, 2024 • 0 new comments

• False positive - Log entries created from user input (cs/log-forging)

  #15824 commented on Mar 7, 2024 • 0 new comments