35 Pull requests merged by 24 people

• Java: Promote Unsafe URL Forward query from experimental

  #14854 merged Mar 29, 2024

• Make customizing-library-models-for-javascript.rst visible to search and the docs TOC

  #16076 merged Mar 28, 2024

• Add C++ analysis in separate workflow

  #16071 merged Mar 28, 2024

• Go: Deal with incorrect toolchain versions

  #15979 merged Mar 28, 2024

• Ruby: Re-add MaD docs

  #16073 merged Mar 28, 2024

• Swift: upgrade to 5.10

  #15984 merged Mar 28, 2024

• Java: Limit the amount of results that MissingEnumInSwitch produces per switch

  #15961 merged Mar 28, 2024

• C++: Add value category column to the expr_reuse relation

  #16074 merged Mar 28, 2024

• C++: Divide CODEOWNERS responsibilities.

  #16065 merged Mar 27, 2024

• Add codeql-cli-2.16.6 updates to CodeQL changelog

  #16072 merged Mar 27, 2024

• Go: Improve QHelp for `go/unvalidated-url-redirection`.

  #16055 merged Mar 27, 2024

• Java: update expected output

  #15896 merged Mar 27, 2024

• C++: IR translation for destruction of temporaries with extended lifetimes

  #15964 merged Mar 27, 2024

• C++: Add `VariableTemplateInstantiation` class

  #16069 merged Mar 27, 2024

• Kotlin 2: Accept more location changes

  #16059 merged Mar 27, 2024

• Java: Add more neutrals and improve `java.net.URL` models

  #16062 merged Mar 27, 2024

• C++: Add `TaintInheritingContent`

  #16063 merged Mar 26, 2024

• Merge `rc/3.13` back to `main`

  #16058 merged Mar 26, 2024

• Go: Add changenote for `CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO` change

  #16056 merged Mar 26, 2024

• Post-release preparation for codeql-cli-2.16.6

  #16048 merged Mar 26, 2024

• C#: Add high level diagnostic messages for buildless extraction (star…

  #16021 merged Mar 26, 2024

• Remove unused data extension in test

  #16050 merged Mar 26, 2024

• Go: Improve QHelp for `go/unsafe-quoting`.

  #16038 merged Mar 25, 2024

• Use correct model pack name in qltest data extension

  #16040 merged Mar 25, 2024

• Update Java version supported to 22

  #16047 merged Mar 25, 2024

• Java: support Java 22 language features

  #16023 merged Mar 25, 2024

• Release preparation for version 2.16.6

  #16045 merged Mar 25, 2024

• C#: Sources for the `Dapper` database library

  #15930 merged Mar 25, 2024

• Python: test MaD syntax for keyword argument

  #15903 merged Mar 25, 2024

• Swift: prepare integration tests for internal running

  #16034 merged Mar 25, 2024

• Kotlin 2: Accept more location changes

  #16022 merged Mar 25, 2024

• Java: Update buildless test expectations

  #16030 merged Mar 25, 2024

• Go: Update query help for `go/path-injection` to include example fixes.

  #16020 merged Mar 25, 2024

• Java: whitelist variable name `tokenImage` for `java/sensitive-log` as it's used in code generated by JavaCC

  #16028 merged Mar 25, 2024

• C#: Limit extracted compilation and extraction messages

  #15957 merged Mar 25, 2024

16 Pull requests opened by 9 people

• Bump rayon from 1.9.0 to 1.10.0 in /ql

  #16032 opened Mar 25, 2024

• Bump regex from 1.10.3 to 1.10.4 in /ql

  #16033 opened Mar 25, 2024

• C#: Properly dispose diagnostic writer objects

  #16036 opened Mar 25, 2024

• JS: Support value access paths in MaD type columns

  #16037 opened Mar 25, 2024

• C#: Reword public mentions of C# buildless

  #16039 opened Mar 25, 2024

• Remove [potentially] untrue claims about models-as-data

  #16042 opened Mar 25, 2024

• JS: more implied receiver steps

  #16054 opened Mar 26, 2024

• JS: Account for ExtendCalls in localFieldStep

  #16057 opened Mar 26, 2024

• C++: qual fix

  #16060 opened Mar 26, 2024

• JS: More robust CommonJS/ES2015 detection logic for extractor

  #16061 opened Mar 26, 2024

• Automodel: Filter unexploitable types in application mode.

  #16064 opened Mar 26, 2024

• QL: Run diagnostics and summary metrics in code scanning

  #16066 opened Mar 26, 2024

• C++: Handle explicitly instantiated function and variable templates

  #16075 opened Mar 27, 2024

• Bump chrono from 0.4.35 to 0.4.37 in /ql

  #16077 opened Mar 28, 2024

• Kotlin 2: Accept more changes

  #16078 opened Mar 28, 2024

• Kotlin 2: Accept some more location changes

  #16079 opened Mar 28, 2024

1 Issue closed by 1 person

• General issuexsBNBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta

  #16067 closed Mar 26, 2024

7 Issues opened by 7 people

• How to solve "Referenced pack 'XXX' was found in multiple locations"?

  #16082 opened Mar 29, 2024

• How to create a mapping of key value pairs?

  #16080 opened Mar 28, 2024

• General issue

  #16070 opened Mar 27, 2024

• [C++] querying was stuck on Call.getArgument without detailed log

  #16068 opened Mar 27, 2024

• CodeQL fails to extract info of certain source files when compiling chromium v8

  #16053 opened Mar 26, 2024

• codeql stuck for 30+ minutes during FindHDF5.cmake execution

  #16051 opened Mar 26, 2024

• Python: open redirect protection example is still vulnerable

  #16041 opened Mar 25, 2024

19 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• C++: Implement models-as-data

  #15371 commented on Mar 28, 2024 • 52 new comments

• Ruby: Add query for insecure mass assignment

  #15987 commented on Mar 26, 2024 • 4 new comments

• Codeql database create fails when building mozilla

  #16001 commented on Mar 25, 2024 • 3 new comments

• Go: Add Rs Cors Support

  #14873 commented on Mar 28, 2024 • 2 new comments

• Properly shared `XML.qll` implementation

  #15923 commented on Mar 25, 2024 • 1 new comment

• [cpp-docs] Fix 404 link in guards library doc.

  #15890 commented on Mar 29, 2024 • 1 new comment

• Go: extractor: do not store intermediate values in long string concatenations

  #15865 commented on Mar 27, 2024 • 1 new comment

• Dataflow break when using a switch statement with type assertions in golang?

  #15350 commented on Mar 28, 2024 • 1 new comment

• [cpp] for C code, query variable does not extract all variables (mostly const variable and not ram variable)

  #16000 commented on Mar 26, 2024 • 1 new comment

• Support new React directives

  #13296 commented on Mar 25, 2024 • 1 new comment

• Java: add dataflow-generated models for JDK17

  #14919 commented on Mar 27, 2024 • 0 new comments

• Ruby: Add a query for CSRF protection not enabled

  #14308 commented on Mar 28, 2024 • 0 new comments

• JS: Move Directive subclasses into module and support "use client/server"

  #13303 commented on Mar 26, 2024 • 0 new comments

• Java: add models for some resource-related methods

  #15921 commented on Mar 28, 2024 • 0 new comments

• Java: Update tests for when we default integration tests to Java 21.

  #15956 commented on Mar 25, 2024 • 0 new comments

• C#: Remove support for legacy LGTM options in autobuilder

  #16016 commented on Mar 25, 2024 • 0 new comments

• Swift: fix ARM build and add it to CI

  #16025 commented on Mar 25, 2024 • 0 new comments

• RB: Add barrier guard for `.html_safe?` to the XSS queries

  #16026 commented on Mar 25, 2024 • 0 new comments

• Update CSV framework coverage reports

  #16027 commented on Mar 30, 2024 • 0 new comments