September 26, 2021 – October 3, 2021
Overview
31 Pull requests merged by 18 people
-
Let 'ql/lib' folders trigger the CSV workflow
#6792 merged
Oct 1, 2021 -
Python/JS: Recognize SHA-3 hash functions
#6761 merged
Oct 1, 2021 -
Java: Fix more performance issues with future versions of codeql.
#6755 merged
Oct 1, 2021 -
C++: New query for 'Cleartext transmission of sensitive information'
#6713 merged
Oct 1, 2021 -
Update CSV framework coverage reports
#6784 merged
Oct 1, 2021 -
Java: CWE-798: Query to detect hard-coded SHIRO key
#5907 merged
Sep 30, 2021 -
Java: CWE-798 Query to detect hard-coded Azure credentials
#5852 merged
Sep 30, 2021 -
Python: Add QLDoc to `Function.getArgByName`
#6738 merged
Sep 30, 2021 -
C++: Refactor ExecTainted.ql to only report results after string concatenation
#6184 merged
Sep 29, 2021 -
Fix `hasLocationInfo` URL reference
#6775 merged
Sep 29, 2021 -
C#: Handle invalid code gracefully: global statements in library
#6773 merged
Sep 29, 2021 -
Increase precision to high for cpp/static-buffer-overflow
#6760 merged
Sep 29, 2021 -
Java: Avoid stubbing methods with private parameter types
#6748 merged
Sep 29, 2021 -
Update CSV framework coverage reports
#6772 merged
Sep 29, 2021 -
Merge 3.2 into main
#6771 merged
Sep 28, 2021 -
C++: Refactor code to use predicate isGuardPhi/4
#6678 merged
Sep 28, 2021 -
Docs: Fix a few links in the training slides
#6764 merged
Sep 28, 2021 -
Fix dead links in README.md
#6769 merged
Sep 28, 2021 -
QL Language Spec: Trailing comma in set literal
#6505 merged
Sep 28, 2021 -
Java: model remaining subpackages of Apache Commons Collections
#6684 merged
Sep 28, 2021 -
Java: Add sources for content providers in Android
#6724 merged
Sep 28, 2021 -
Java: Add callback dispatch to more anonymous classes.
#6740 merged
Sep 28, 2021 -
Update CSV framework coverage reports
#6766 merged
Sep 28, 2021 -
Docs: Fix inconsistencies in sphinx config files
#6765 merged
Sep 28, 2021 -
Update links to match those on the staging site
#6762 merged
Sep 27, 2021 -
Java: Promote XSLT Injection from experimental
#6097 merged
Sep 27, 2021 -
Java: Promote SpEL Injection query from experimental
#6037 merged
Sep 27, 2021 -
Java: Add StringLiteral.isTextBlock().
#6749 merged
Sep 27, 2021 -
C++: Small improvement to cpp/improper-null-termination
#6757 merged
Sep 27, 2021 -
C++: Handle overflow for upperbound
#6745 merged
Sep 27, 2021 -
Update one more link in the QL training content
#6754 merged
Sep 27, 2021
16 Pull requests opened by 11 people
-
Dataflow: Support side-effects for callbacks in summaries.
#6767 opened
Sep 28, 2021 -
Java: Add models for java.util.stream.
#6770 opened
Sep 28, 2021 -
Python: Model `asyncpg`
#6776 opened
Sep 29, 2021 -
Data flow: Rework `SummarizedCallable::clearsContent/2`
#6777 opened
Sep 29, 2021 -
Java: CWE-927 - Query to detect the use of implicit PendingIntents
#6779 opened
Sep 30, 2021 -
Data flow: Prevent "fluent summary flow" when it will result in a flow loop
#6780 opened
Sep 30, 2021 -
JS: Move LDAP injection out of experimental
#6781 opened
Sep 30, 2021 -
Python: Model FastAPI
#6782 opened
Sep 30, 2021 -
JS: Restrict what PackageExports considers to be public
#6789 opened
Oct 1, 2021 -
Dataflow: Force high precision of certain Contents.
#6790 opened
Oct 1, 2021 -
C#: Update nuget packages
#6791 opened
Oct 1, 2021 -
C++: Handle return value dereferences in `ModelUtil.qll`
#6793 opened
Oct 1, 2021 -
C++: Improvements to cpp/improper-null-termination
#6794 opened
Oct 1, 2021 -
Change class name in InlineExpectationTest to avoid clash
#6795 opened
Oct 2, 2021 -
Java: Deprecate `PrimitiveType.getADefaultValue()`
#6796 opened
Oct 2, 2021 -
Java: Remove overwritten `NestedType.isStatic()` QLDoc
#6797 opened
Oct 2, 2021
3 Issues closed by 3 people
-
LGTM.com - false positive - Comparison is always false because denom >= 1.
#6752 closed
Oct 1, 2021 -
could not resolve XXX
#6768 closed
Sep 29, 2021 -
Java: Add CodeQL class (or predicate) for Text Blocks
#6619 closed
Sep 27, 2021
6 Issues opened by 3 people
-
is not compatible with the QL library (General issue)
#6798 opened
Oct 3, 2021 -
LGTM.com - false positive This assignment to _ is useless, since its value is never read.
#6788 opened
Oct 1, 2021 -
LGTM.com - false positive This assignment to X is useless, since its value is never read.
#6787 opened
Oct 1, 2021 -
LGTM.com - false positive Pattern always matches.
#6786 opened
Oct 1, 2021 -
LGTM.com - false positive This assignment to is useless, since its value is never read.
#6785 opened
Oct 1, 2021 -
General issue - CodeQL Unit Test at Windows - Path not found: C
#6759 opened
Sep 27, 2021
23 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
[Java] CWE-552: Unsafe url forward
#6240 commented on
Sep 28, 2021 • 12 new comments -
JS/Python: add a bad-tag-filter query for Python and JavaScript
#6561 commented on
Oct 1, 2021 • 12 new comments -
Java: CWE-400 - Query to detect uncontrolled thread resource consumption
#6717 commented on
Sep 28, 2021 • 8 new comments -
Java: Promote Insecure JavaMail SSL Configuration from experimental
#6103 commented on
Oct 1, 2021 • 6 new comments -
Java: Draft of CSV model generator
#6664 commented on
Sep 30, 2021 • 6 new comments -
Python: Port and extend XXE modeling
#6112 commented on
Sep 28, 2021 • 5 new comments -
C# : Add query to detect SSRF
#5110 commented on
Oct 1, 2021 • 3 new comments -
Python: Add Header Injection query
#5463 commented on
Sep 27, 2021 • 2 new comments -
C++: Exclusion rules for system macros
#6723 commented on
Sep 30, 2021 • 2 new comments -
CodeQL - false positive - JPL Rule 24
#6522 commented on
Sep 27, 2021 • 1 new comment -
Can someone explain what isAdditionalTaintStep means?
#6729 commented on
Sep 30, 2021 • 1 new comment -
JS: Add query for unsafe construction of code from library input
#5841 commented on
Oct 1, 2021 • 1 new comment -
JS: Add library input as source to js/prototype-polluting-assignment
#5908 commented on
Oct 1, 2021 • 1 new comment -
Python: CWE-117 Log injection
#6182 commented on
Sep 30, 2021 • 1 new comment -
[Python] CWE-348: Client supplied ip used in security check
#6214 commented on
Sep 30, 2021 • 1 new comment -
Java: Split literals tests
#6613 commented on
Oct 1, 2021 • 1 new comment -
Python: Promote `py/regex-injection`
#6693 commented on
Oct 1, 2021 • 1 new comment -
Java: Model Android Bundle and Intent extras methods
#6739 commented on
Oct 1, 2021 • 1 new comment -
Python: model os path file accesses
#6741 commented on
Sep 30, 2021 • 1 new comment -
C#: Add consistency queries
#6535 commented on
Sep 28, 2021 • 0 new comments -
CPP: Add query for CWE-1041 Use of Redundant Code
#6710 commented on
Sep 29, 2021 • 0 new comments -
Yet another SSRF query for Javascript
#6714 commented on
Sep 27, 2021 • 0 new comments -
JS: extract regexp literals for string concatenations
#6756 commented on
Sep 27, 2021 • 0 new comments