44 Pull requests merged by 19 people

• Java: Add support to ModuleImportDeclaration

  #20097 merged Sep 6, 2025

• Java: Update tests results with disabled annotation processing when lombok is not used.

  #20355 merged Sep 5, 2025

• Go: Set log level based on CODEQL_VERBOSITY

  #20376 merged Sep 5, 2025

• Remove non-breaking spaces from code

  #20373 merged Sep 5, 2025

• Java: Add support to Compact Source Files

  #20116 merged Sep 5, 2025

• Java: Add test for flexible constructor support

  #20136 merged Sep 4, 2025

• Java: accept new test results after extractor update

  #20247 merged Sep 4, 2025

• C++: Fix some Ql4Ql violations (crypto).

  #20350 merged Sep 4, 2025

• C++: Fix some Ql4Ql violations.

  #20325 merged Sep 4, 2025

• JS: Fix some Ql4Ql violations.

  #20329 merged Sep 4, 2025

• Overlay: Add discarding for Java classes, interfaces & fields

  #20294 merged Sep 4, 2025

• Update Go Path Injection Sanitizer and Sink

  #20064 merged Sep 3, 2025

• JS: Detect property injection via object enumeration patterns

  #20296 merged Sep 3, 2025

• Actions: Fix some Ql4Ql violations.

  #20324 merged Sep 3, 2025

• Rust: Assign locations to all DataFlowCallables

  #20351 merged Sep 3, 2025

• Update CSV framework coverage reports

  #20349 merged Sep 3, 2025

• JS: Remove totalorder()

  #20323 merged Sep 2, 2025

• C++: Support sizeof VLAs in the IR

  #20319 merged Sep 2, 2025

• Rust: Change inline expectation annotation for inferred certain types

  #20343 merged Sep 2, 2025

• Shared and Sync: Fix some Ql4Ql violations.

  #20335 merged Sep 2, 2025

• Post-release preparation for codeql-cli-2.23.0

  #20347 merged Sep 2, 2025

• Shared: Add a shared SuccessorType implementation

  #20300 merged Sep 2, 2025

• Python: Fix some Ql4Ql violations.

  #20330 merged Sep 2, 2025

• Rust: Fix some Ql4Ql violations.

  #20333 merged Sep 2, 2025

• Release preparation for version 2.23.0

  #20346 merged Sep 2, 2025

• Ruby: Fix some Ql4Ql violations.

  #20332 merged Sep 2, 2025

• Ql: Fix some Ql4Ql violations.

  #20331 merged Sep 2, 2025

• Java: Fix some Ql4Ql violations.

  #20328 merged Sep 2, 2025

• Shared: Fix changenote

  #20344 merged Sep 2, 2025

• Go: Fix some Ql4Ql violations.

  #20327 merged Sep 2, 2025

• C#: Fix some Ql4Ql violations.

  #20326 merged Sep 2, 2025

• Swift: Fix a Ql4Ql violation.

  #20334 merged Sep 2, 2025

• JS: Add overlay support to extractor

  #20307 merged Sep 2, 2025

• Rust: Remove extractor path resolution.

  #20295 merged Sep 2, 2025

• Rust: Take trait visibility into account when resolving paths and methods

  #20321 merged Sep 2, 2025

• Rust: Deref as taint step

  #20340 merged Sep 2, 2025

• C#: Add manual models for more some XML related classes.

  #20290 merged Sep 2, 2025

• Specify default queries in codeql-extractor.yml

  #20320 merged Sep 1, 2025

• Shared: Add and use a signature for basic blocks

  #20253 merged Sep 1, 2025

• Bump actions/checkout from 4 to 5

  #20313 merged Sep 1, 2025

• C++: Update dbscheme stats file

  #20316 merged Sep 1, 2025

• Shared: Add Option types with location

  #20280 merged Sep 1, 2025

• JS: Remove synthetic locations

  #20302 merged Sep 1, 2025

• C#: Fix context-sensitive dispatch when using base qualifier

  #20305 merged Sep 1, 2025

27 Pull requests opened by 13 people

• JS: Do not override AST methods in React model

  #20322 opened Sep 1, 2025

• Python: enable overlay compilation

  #20336 opened Sep 1, 2025

• Python: enable overlay compilation + extractor overlay support

  #20337 opened Sep 1, 2025

• Java: Add MaDs for `java.lang.ScopedValue`

  #20339 opened Sep 1, 2025

• Java: Add MaDs for `java.crypto.KDF`

  #20345 opened Sep 2, 2025

• Rust: Infer certain type for shorthand `self`

  #20348 opened Sep 2, 2025

• C#: Update to .NET SDK 9.0.300 and .NET Runtime 9.0.5.

  #20352 opened Sep 3, 2025

• Add missing doc strings

  #20354 opened Sep 3, 2025

• Java: Make Virtual Dispatch Global, but keep SSA local.

  #20357 opened Sep 3, 2025

• Shared: Make some generalizations in type inference library

  #20358 opened Sep 3, 2025

• JS: Remove special treatment of strings in AngularJS code

  #20360 opened Sep 4, 2025

• Bump actions/setup-dotnet from 4 to 5

  #20361 opened Sep 4, 2025

• Rust: Use `doublyBoundedFastTC` in `TraitIsVisible`

  #20362 opened Sep 4, 2025

• JS: Remove unused getFallbackTypeAnnotation()

  #20363 opened Sep 4, 2025

• JS: Refactor default import interop

  #20364 opened Sep 4, 2025

• Rust: Regenerate generated models

  #20365 opened Sep 4, 2025

• C#: Improve database quality diagnostics query.

  #20366 opened Sep 4, 2025

• Shared/Java: Introduce a shared control flow reachability library and replace the Java Nullness implementation.

  #20367 opened Sep 4, 2025

• Go: Support `git_source`

  #20368 opened Sep 4, 2025

• C++: Protect the value numbering library from instructions with multiple enclosing functions

  #20369 opened Sep 4, 2025

• Shared: Use `sourceBoundedFastTC` in TypeTracking

  #20370 opened Sep 4, 2025

• Actions: Add file coverage information for status page

  #20371 opened Sep 4, 2025

• Bump actions/labeler from 4 to 6

  #20372 opened Sep 5, 2025

• JS: Support TypeScript 5.9 and support 'import defer' syntax

  #20374 opened Sep 5, 2025

• JS: Add support for Promise.try

  #20375 opened Sep 5, 2025

• Java: Consolidate Assertions.qll and Preconditions.qll.

  #20377 opened Sep 5, 2025

• Jave: Use force local to make parsing local after global regex finding.

  #20378 opened Sep 5, 2025

4 Issues closed by 3 people

• Convent

  #20359 closed Sep 4, 2025

• General issue - When using `--build-mode=none`, Windows builds produce `Extraction error: 'MsvcCompiler' object has no attribute 'clangpp'`

  #20071 closed Sep 2, 2025

• 032_solver_1065112364 <script>console.table('666')</script>

  #20342 closed Sep 1, 2025

• There's an unnecessary trailing backslash and space at the end of the line. The backslash should be removed.

  #20338 closed Sep 1, 2025

1 Issue opened by 1 person

• [C#] General issue: CodeQL scanner encounters issues without reporting them

  #20353 opened Sep 3, 2025

18 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Rust: Rework type inference for method calls

  #20282 commented on Sep 4, 2025 • 50 new comments

• JS: Move cors-misconfiguration query from experimental to Security

  #20146 commented on Sep 5, 2025 • 9 new comments

• JS: Modeling of `aws-sdk` clients*

  #20135 commented on Sep 4, 2025 • 6 new comments

• Python: Modernize the Signature Mismatch query

  #20217 commented on Sep 5, 2025 • 5 new comments

• Python: Update `tree-sitter` dependency

  #19929 commented on Sep 3, 2025 • 2 new comments

• Python extractor: overlay support

  #20206 commented on Sep 5, 2025 • 2 new comments

• REMOVE AGAIN: Introduce some mistakes that should be caught by QL4QL.

  #20308 commented on Sep 4, 2025 • 1 new comment

• Python: Refine the location of `flask.request` flow sources

  #20281 commented on Sep 2, 2025 • 1 new comment

• JS: Avoid overriding Expr predicates in xUnit.qll

  #20317 commented on Sep 1, 2025 • 0 new comments

• C#: Add all medium precision quality queries to code-quality-extended.

  #20292 commented on Sep 5, 2025 • 0 new comments

• C# SSRF Improvements

  #20284 commented on Sep 2, 2025 • 0 new comments

• Python: Modernize the Unreachable Except Block query

  #20263 commented on Sep 5, 2025 • 0 new comments

• Bump actions/download-artifact from 4 to 5

  #20175 commented on Sep 5, 2025 • 0 new comments

• Rust: Support blanket implementations

  #20133 commented on Sep 2, 2025 • 0 new comments

• Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 commented on Sep 5, 2025 • 0 new comments

• Go: Switch from def-use flow to use-use flow

  #14751 commented on Sep 5, 2025 • 0 new comments

• How to extract source files when using a special compiler (e.g. TMS320C2000 C/C++ Compiler)?

  #8453 commented on Sep 5, 2025 • 0 new comments

• C#: Azure Function HttpTrigger SQL Injection is not being detected

  #15102 commented on Sep 1, 2025 • 0 new comments