Insights: github/codeql
Overview
65 Pull requests merged by 26 people
-
Update CodeQL CLI to version 2.16.5
#16024 merged
Mar 22, 2024 -
JS: change the precision of the `js/unsafe-external-link` query to `low`
#16002 merged
Mar 22, 2024 -
C#: Add source models for `file` threat model/source kind for .NET standard library
#15784 merged
Mar 22, 2024 -
C#: add hint regarding ECB to weak encryption QHelp
#16019 merged
Mar 22, 2024 -
Java/Kotlin: Remove references to legacy ODASA_SNAPSHOT env var
#16011 merged
Mar 22, 2024 -
Python: Two small join-order fixes
#16010 merged
Mar 22, 2024 -
C++: Add destructor test cases for AV Rule 114
#16017 merged
Mar 22, 2024 -
C++: Handle destructors of range-based for-loop, if, and switch initializer statements
#16014 merged
Mar 21, 2024 -
Merge rc/3.13 into main
#16013 merged
Mar 21, 2024 -
Swift genrule: Replace local with no-sandbox.
#16012 merged
Mar 21, 2024 -
C#: Simplify the output of `cs/wrong-compareto-signature` to remove e…
#16004 merged
Mar 21, 2024 -
Show lines of code data in debug mode only
#15874 merged
Mar 21, 2024 -
C++: Handle `getInitializingExpr` in PrintAST
#16008 merged
Mar 21, 2024 -
C++: Add tests showing missing destructors for initialization statements
#16003 merged
Mar 21, 2024 -
C++: Fix `cpp/boost/tls-settings-misconfiguration` FPs
#16007 merged
Mar 21, 2024 -
C++: Simplify use of guard conditions in `cpp/missing-check-scanf`
#15997 merged
Mar 21, 2024 -
Swift: add `-headerpad_max_install_names` to link options
#15967 merged
Mar 21, 2024 -
C#: Avoid using TRAP stack in buildless mode
#15994 merged
Mar 21, 2024 -
C++: Simplify use of guard conditions in `cpp/incorrectly-checked-scanf`
#15998 merged
Mar 21, 2024 -
C#: Source- and sink tests.
#15940 merged
Mar 21, 2024 -
C++: Handle destruction of temporaries in expressions with a `throw` at the root
#15991 merged
Mar 21, 2024 -
Tree-sitter: Split up `ast_node_info` table into two tables
#15966 merged
Mar 20, 2024 -
Make `cpp/missing-check-scanf` a `path-problem` query
#15996 merged
Mar 20, 2024 -
C++: Rewrite 'cpp/missing-check-scanf' to use standard dataflow configs
#15988 merged
Mar 20, 2024 -
Go: Make `CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO` on by default
#15935 merged
Mar 20, 2024 -
Python: Build external extractor
#15845 merged
Mar 20, 2024 -
Docs: Add Go 1.22 to supported versions range
#15989 merged
Mar 20, 2024 -
C++: Handle destructors at temporary object lifetime expressions
#15978 merged
Mar 20, 2024 -
Kotlin 2: Accept more test changes
#15973 merged
Mar 20, 2024 -
Upgrade to bazel 7.1
#15971 merged
Mar 20, 2024 -
C++: Support `<` reasoning for `switch` statements in Guards library
#15980 merged
Mar 20, 2024 -
C++: Disable _some_ constant folding in IR
#15969 merged
Mar 20, 2024 -
Mergeback from `rc/3.13`
#15974 merged
Mar 20, 2024 -
Update CSV framework coverage reports
#15983 merged
Mar 20, 2024 -
C++: Fix interface for `GuardCondition.comparesEq` and `GuardCondition.ensuresEq`
#15976 merged
Mar 19, 2024 -
Python: No `fieldFlowBranchLimit` for `SummarizedCallable`s
#15936 merged
Mar 19, 2024 -
C++: Fabricate destructors for temporaries that occur in dynamic initializations
#15968 merged
Mar 19, 2024 -
Java: more manual models
#15946 merged
Mar 19, 2024 -
Ruby: Track flow into ActiveRecord scopes
#14426 merged
Mar 19, 2024 -
JDK22 upgrade test changes
#15959 merged
Mar 19, 2024 -
C++: Implement guards logic for switch statements
#15958 merged
Mar 19, 2024 -
Ruby: remove isString from TSymbol
#15965 merged
Mar 19, 2024 -
C++: Handle destructors of temporaries with extended lifetimes
#15937 merged
Mar 19, 2024 -
[Python] Add Unicode DoS (qhelp, tests and the query)
#15319 merged
Mar 19, 2024 -
JS: show test changes after #15823
#15883 merged
Mar 19, 2024 -
JS: Add `DataFlow::Node.getLocation`
#15882 merged
Mar 19, 2024 -
C++: Convert `cpp/uninitialized-local` to a `path-problem` query
#15960 merged
Mar 18, 2024 -
Java: update the url-redirection in the same style as the C# qhelp
#15895 merged
Mar 18, 2024 -
python: Rewrite `HardcodedCredentials` away from `PointsTo`
#15729 merged
Mar 18, 2024 -
Data flow: Replace `hasLocationInfo` with `getLocation`
#15853 merged
Mar 18, 2024 -
Data flow: Account for hidden `subpath` wrappers
#15734 merged
Mar 18, 2024 -
Java: add test for partial gradle wrapper without gradle on the path
#15897 merged
Mar 18, 2024 -
Fix model provenance to df-manual
#15947 merged
Mar 18, 2024 -
C++: Add an experimental query for surprising lifetimes from range-based for loops
#15939 merged
Mar 18, 2024 -
Post-release preparation for codeql-cli-2.16.5
#15955 merged
Mar 18, 2024 -
Ruby: Model ActiveDispatch::Http::UploadedFile
#15907 merged
Mar 18, 2024 -
Fix minor formatting issues in changenotes
#15951 merged
Mar 18, 2024 -
C#: Add logging for source file parsing
#15952 merged
Mar 18, 2024 -
C#: Iterate text files only once
#15953 merged
Mar 18, 2024 -
Kotlin 2: Accept more location changes
#15943 merged
Mar 18, 2024 -
C++: Handle `switch` statements in the guards library
#15941 merged
Mar 18, 2024 -
C++: Add alias and side-effect models to `begin` and `end` functions
#15934 merged
Mar 18, 2024 -
Release preparation for version 2.16.5
#15954 merged
Mar 18, 2024 -
Variable capture: Avoid overlapping and false-positive data flow paths
#15802 merged
Mar 18, 2024
24 Pull requests opened by 19 people
-
Bump tree-sitter from 0.20.10 to 0.22.2 in /ql
#15948 opened
Mar 18, 2024 -
Java: Update tests for when we default integration tests to Java 21.
#15956 opened
Mar 18, 2024 -
C#: Limit extracted compilation and extraction messages
#15957 opened
Mar 18, 2024 -
Java: Limit the amount of results that MissingEnumInSwitch produces per switch
#15961 opened
Mar 18, 2024 -
C++: IR translation for destruction of temporaries with extended lifetimes
#15964 opened
Mar 18, 2024 -
JS: Expose whether an endpoint name is synthetic
#15975 opened
Mar 19, 2024 -
Shared: Permit '*' in access path tokens.
#15977 opened
Mar 19, 2024 -
Go: Deal with incorrect toolchain versions
#15979 opened
Mar 19, 2024 -
C++: IR translation for destruction of temporaries in dynamic initializers
#15981 opened
Mar 19, 2024 -
Swift: upgrade to 5.10
#15984 opened
Mar 20, 2024 -
Ruby: Extend barrier guards to handle phi inputs
#15985 opened
Mar 20, 2024 -
Ruby: Add query for insecure mass assignment
#15987 opened
Mar 20, 2024 -
Ruby: Recognise Grape params
#15990 opened
Mar 20, 2024 -
C#: Introduce AssemblyPath and re-factor AssemblyCache to use this in…
#15993 opened
Mar 20, 2024 -
C#: Reduce chatty query output sizes
#16005 opened
Mar 21, 2024 -
C#: Remove support for legacy LGTM options in autobuilder
#16016 opened
Mar 22, 2024 -
Go: Update query help for `go/path-injection` to include example fixes.
#16020 opened
Mar 22, 2024 -
C#: Add high level diagnostic messages for buildless extraction (star…
#16021 opened
Mar 22, 2024 -
Kotlin 2: Accept more location changes
#16022 opened
Mar 22, 2024 -
Java: support Java 22 language features
#16023 opened
Mar 22, 2024 -
Swift: fix ARM build and add it to CI
#16025 opened
Mar 22, 2024 -
RB: Add barrier guard for `.html_safe?` to the XSS queries
#16026 opened
Mar 22, 2024 -
Update CSV framework coverage reports
#16027 opened
Mar 23, 2024 -
Java: whitelist variable name `tokenImage` for `java/sensitive-log` as it's used in code generated by JavaCC
#16028 opened
Mar 23, 2024
9 Issues closed by 7 people
-
Mapping CWEs to a Codeql Query
#15892 closed
Mar 22, 2024 -
Disable js/unsafe-external-link by default
#15995 closed
Mar 22, 2024 -
"Could not start Node.js" issue when building database with cluster-db option
#15970 closed
Mar 22, 2024 -
Java - Taint propagation across visitor pattern + lambdas
#15992 closed
Mar 22, 2024 -
Advice in out-of-memory message can be misleading on Windows
#15552 closed
Mar 20, 2024 -
Is default setup of Codeql blocking the (SARIF file) results from my external CI?
#15950 closed
Mar 18, 2024 -
codeql fails when using a go.work file
#14235 closed
Mar 18, 2024 -
go 1.21 support
#13992 closed
Mar 18, 2024 -
support Go 1.22.0
#15647 closed
Mar 18, 2024
6 Issues opened by 6 people
-
Ruby: ERB parse failure with trailing implicit keyword argument
#16006 opened
Mar 21, 2024 -
Codeql database create fails when building mozilla
#16001 opened
Mar 21, 2024 -
[cpp] for C code, query variable does not extract all variables (mostly const variable and not ram variable)
#16000 opened
Mar 20, 2024 -
JS MaD: the `Instance` access path component does not match subclasses of the selected class
#15999 opened
Mar 20, 2024 -
can't find taint flow in a LocalVariable statement
#15972 opened
Mar 19, 2024 -
Codeql using open-api generator does not take into consideration .openapi-generator-ignore
#15949 opened
Mar 18, 2024
16 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Python: Add type tracking for content
#15711 commented on
Mar 21, 2024 • 15 new comments -
Java/Shared: Refactor `TypeFlow.qll` into a shared library
#15728 commented on
Mar 20, 2024 • 8 new comments -
C#: Sources for the `Dapper` database library
#15930 commented on
Mar 22, 2024 • 8 new comments -
Dataflow: Support alert provenance
#15501 commented on
Mar 22, 2024 • 6 new comments -
Why doesn't CodeQL support auditing PHP
#12376 commented on
Mar 21, 2024 • 1 new comment -
JS: Add Permissive CORS query (CWE-942)
#14342 commented on
Mar 21, 2024 • 1 new comment -
Java: Promote Unsafe URL Forward query from experimental
#14854 commented on
Mar 18, 2024 • 1 new comment -
Java: openjdk model autogeneration
#14919 commented on
Mar 20, 2024 • 1 new comment -
Go: extractor: do not store intermediate values in long string concatenations
#15865 commented on
Mar 21, 2024 • 1 new comment -
Python: test MaD syntax for keyword argument
#15903 commented on
Mar 22, 2024 • 1 new comment -
Ruby: support sprintf formatted string with modulo operator
#15945 commented on
Mar 18, 2024 • 0 new comments -
Ruby: Add a query for CSRF protection not enabled
#14308 commented on
Mar 19, 2024 • 0 new comments -
Python: add models for `stdlib`
#15306 commented on
Mar 22, 2024 • 0 new comments -
C# [Experimental]: Api type-flow.
#15856 commented on
Mar 18, 2024 • 0 new comments -
Java: update expected output
#15896 commented on
Mar 18, 2024 • 0 new comments -
Properly shared `XML.qll` implementation
#15923 commented on
Mar 22, 2024 • 0 new comments