Overview
78 Pull requests merged by 27 people
-
Use codeql-action/upload-sarif@main in CSV coverage metrics workflow
#8957 merged
Apr 29, 2022 -
CPP: PAM Authorization Bypass
#8775 merged
Apr 29, 2022 -
Swift: teach bazel to install python dependencies
#8959 merged
Apr 29, 2022 -
Swift: cc wrapper rules
#8960 merged
Apr 29, 2022 -
Python: Fix bad join in `import_star_read`
#8581 merged
Apr 29, 2022 -
JS: Nit: Fix typo in QLDoc
#8949 merged
Apr 29, 2022 -
JS: recognize more module exports from the factory pattern
#8221 merged
Apr 29, 2022 -
JS: fix a FN for prototype polluting function query
#8946 merged
Apr 29, 2022 -
JS: don't initialize sanitizer-guards in the standard library
#8783 merged
Apr 29, 2022 -
Update CSV framework coverage reports
#8954 merged
Apr 29, 2022 -
Swift: tracer integration
#8939 merged
Apr 28, 2022 -
Ruby: Add type tracker tests for flow through keyword/positional parameters
#8935 merged
Apr 28, 2022 -
Swift: use `#pragma once`
#8947 merged
Apr 28, 2022 -
Swift: added trapgen
#8934 merged
Apr 28, 2022 -
Release preparation for version 2.9.1
#8941 merged
Apr 28, 2022 -
Java: Fix join-order.
#8878 merged
Apr 28, 2022 -
Ruby: Generalize `ArrayElementContent` to `ElementContent`
#7914 merged
Apr 28, 2022 -
C#: Add auto generated comment to generated models as data files.
#8905 merged
Apr 28, 2022 -
C#: Port the java FrameworkCoverage query.
#8869 merged
Apr 28, 2022 -
QL: Improve camel case query
#8936 merged
Apr 28, 2022 -
Python: Fix bad join in `MethodCallsiteRefinement`
#8897 merged
Apr 28, 2022 -
Java: Improve Spring models
#8639 merged
Apr 28, 2022 -
Bump actions/setup-python from 2 to 3
#8921 merged
Apr 28, 2022 -
Bump actions/download-artifact from 2 to 3
#8922 merged
Apr 28, 2022 -
C++: Revert #8515
#8933 merged
Apr 28, 2022 -
Bump actions/setup-dotnet from 1 to 2
#8920 merged
Apr 28, 2022 -
JS: Add flow step to `...rest` parameters
#8886 merged
Apr 28, 2022 -
Update CSV framework coverage reports
#8913 merged
Apr 28, 2022 -
Ruby: Add InsecureDownload query
#8658 merged
Apr 27, 2022 -
Ruby: Add MissingRegExpAnchor query
#8573 merged
Apr 27, 2022 -
Java: Add flow sources and steps for RabbitMQ and JMS
#8765 merged
Apr 27, 2022 -
Swift: file extraction
#8788 merged
Apr 27, 2022 -
C++: Add support for createLSParser to the CWE-611 XXE query.
#8888 merged
Apr 27, 2022 -
ATM: Update `TaintedPathInjection` -> `TaintedPath`
#8895 merged
Apr 27, 2022 -
Swift: Sync schema after extractor changes
#8904 merged
Apr 27, 2022 -
Add CODEOWNERS for Actions workflows
#8906 merged
Apr 27, 2022 -
Bump actions/checkout from 2 to 3
#8901 merged
Apr 27, 2022 -
Bump actions/stale from 3 to 5
#8903 merged
Apr 27, 2022 -
Bump actions/cache from 2 to 3
#8902 merged
Apr 27, 2022 -
Bump actions/labeler from 2 to 4
#8900 merged
Apr 27, 2022 -
Bump actions/upload-artifact from 2 to 3
#8899 merged
Apr 27, 2022 -
Swift: add unit tests to code generation
#8889 merged
Apr 27, 2022 -
Java: Make all imports of ExternalFlow private
#8876 merged
Apr 27, 2022 -
Enable Dependabot updates for Actions
#8896 merged
Apr 27, 2022 -
PY: more API-graphs refactorings
#8693 merged
Apr 27, 2022 -
Remove redundant imports
#8796 merged
Apr 27, 2022 -
Python: Fix a bunch of bad joins
#8859 merged
Apr 27, 2022 -
Ruby: Simplify flow summary for `fetch`
#8893 merged
Apr 27, 2022 -
Replace `git.io` link with the actual URL
#8885 merged
Apr 26, 2022 -
C++: generate IR for global variables with initializers
#8515 merged
Apr 26, 2022 -
C++: New query for CWE-611 / XML External Entity Expansion (XXE)
#8736 merged
Apr 26, 2022 -
Ruby: port of `js/incomplete-sanitization`
#8607 merged
Apr 26, 2022 -
Experimental (ATM): update query label mappings
#8605 merged
Apr 26, 2022 -
Ruby: fix typo in edge key for graph query
#8881 merged
Apr 26, 2022 -
Ruby: fix graph query tests by defining total ordering
#8879 merged
Apr 26, 2022 -
PY: move the polynomialbacktracking-test to the test folder
#8560 merged
Apr 26, 2022 -
Java: Remove some useless imports.
#8875 merged
Apr 26, 2022 -
Java insecure cookies query: look through named constants
#8874 merged
Apr 26, 2022 -
Claim Java 18 support
#8865 merged
Apr 26, 2022 -
QL: delete old copy of the identical files scripts
#8871 merged
Apr 26, 2022 -
JS: step through parentheses in barrier functions
#8229 merged
Apr 26, 2022 -
Dataflow: Fix join-on-config producing a CP.
#8853 merged
Apr 26, 2022 -
Fix test regressions due to C++ frontend update
#8852 merged
Apr 26, 2022 -
Swift: Update `schema.yml` and regenerate files
#8861 merged
Apr 26, 2022 -
Update CSV framework coverage reports
#8868 merged
Apr 26, 2022 -
Post-release preparation for codeql-cli-2.9.0
#8802 merged
Apr 25, 2022 -
Include Swift in `labeler.yml`
#8862 merged
Apr 25, 2022 -
ML: add .gitkeep to resources dir in which ML models are to be found
#8751 merged
Apr 25, 2022 -
QL: add swift to QL-for-QL
#8858 merged
Apr 25, 2022 -
Java: Add value-preserving flow steps for Android's SharedPreferences
#8817 merged
Apr 25, 2022 -
Swift: QL generation script
#8854 merged
Apr 25, 2022 -
Minor clean-up in AccessPathSyntax.qll
#8851 merged
Apr 25, 2022 -
C++: add new Windows pool allocation functions in `Allocation.qll`
#8849 merged
Apr 25, 2022 -
Java: Make `JumpStmt` a proper superclass
#8582 merged
Apr 25, 2022 -
Clarify `min`, `max` and `rank` documentation
#8760 merged
Apr 25, 2022 -
Data flow: Introduce `ContentSet`
#8641 merged
Apr 25, 2022 -
Replace `help.semmle.com` links by `codeql.github.com` links
#8818 merged
Apr 25, 2022 -
C++: Cover variable sized member arrays without a size in `Buffer.qll`
#8813 merged
Apr 25, 2022
29 Pull requests opened by 17 people
-
Ruby: Add partial support for working with RBI (Ruby Interface) files
#8845 opened
Apr 24, 2022 -
C#: Only allow single read/write steps.
#8855 opened
Apr 25, 2022 -
C#: Include models for higher order methods (needed for DCA test).
#8856 opened
Apr 25, 2022 -
Fix broken link in analyzing-databases-with-the-codeql-cli.rst
#8860 opened
Apr 25, 2022 -
Data flow: Introduce `expectsContent`
#8870 opened
Apr 26, 2022 -
Java: Add Editable.toString flow step
#8872 opened
Apr 26, 2022 -
Java: Add flow step from startActivity to getIntent
#8873 opened
Apr 26, 2022 -
Use flow to collection `Element` in MaD generator
#8877 opened
Apr 26, 2022 -
C++: Fix join order in `bbSuccessorEntryReaches`
#8882 opened
Apr 26, 2022 -
Python: add MaD implementation
#8883 opened
Apr 26, 2022 -
Java: Add additional `File` taint value flow models
#8884 opened
Apr 26, 2022 -
Python: Add support for global attribute writes
#8890 opened
Apr 26, 2022 -
QL: point the dataset measure workflow to a merge_stats.py file that exists
#8891 opened
Apr 26, 2022 -
C#: Upgrade dotnet to 6.0.202.
#8894 opened
Apr 27, 2022 -
Data flow: Introduce 'with/without content' summary components
#8898 opened
Apr 27, 2022 -
Tree sitter update
#8909 opened
Apr 27, 2022 -
C++: Fix IR variable reuse for global var inits
#8912 opened
Apr 27, 2022 -
QL language reference: variables must be lowerId
#8930 opened
Apr 28, 2022 -
QL: more precise alert locations
#8937 opened
Apr 28, 2022 -
Ruby: Introduce `With(out)Element` MaD input tokens
#8938 opened
Apr 28, 2022 -
Ruby: Initial data-flow through hashes
#8942 opened
Apr 28, 2022 -
C++: Remove import order workarounds
#8943 opened
Apr 28, 2022 -
C++: Add support for SAXParser to the CWE-611 XXE query.
#8948 opened
Apr 28, 2022 -
Add examples to copy from (experimental contributions)
#8951 opened
Apr 28, 2022 -
Fix syntax errors in QL comments
#8952 opened
Apr 28, 2022 -
C#: Add FP test for `cs/useless-cast-to-self`
#8955 opened
Apr 29, 2022 -
Java: Fix Intent Redirection sanitizer
#8956 opened
Apr 29, 2022 -
Ruby: add safe navigation operator
#8971 opened
Apr 29, 2022 -
Ruby: fix some flow summary join orders
#8975 opened
Apr 29, 2022
5 Issues closed by 5 people
-
No alerts generated
#8940 closed
Apr 29, 2022 -
No code found during the build for a small C# project.
#8867 closed
Apr 26, 2022 -
General issue
#8850 closed
Apr 25, 2022 -
Java: Make `JumpStmt` a proper superclass
#8569 closed
Apr 25, 2022
7 Issues opened by 7 people
-
LGTM.com - Missing Vulnerability Path Steps in LGTM render
#8976 opened
Apr 29, 2022 -
`ql/dead-code` False Positive
#8953 opened
Apr 28, 2022 -
False Negative with https://github.com/robmoffat/codeql-vuln-blog
#8880 opened
Apr 26, 2022 -
C++: Missing associating between `DeclarationEntry` and `DeclStmt` in template instantiation
#8866 opened
Apr 25, 2022 -
LGTM.com - false positive
#8847 opened
Apr 25, 2022 -
False Negatives - Prototype Pollution
#8846 opened
Apr 24, 2022 -
Resource not accessible by integration
#8843 opened
Apr 24, 2022
32 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
ReDoS refactorizations
#8522 commented on
Apr 29, 2022 • 146 new comments -
JS: refactor most library models away from AST nodes
#8604 commented on
Apr 29, 2022 • 60 new comments -
Java: CWE-552 Add sources and sinks to to detect unsafe getResource calls in Java EE applications
#8706 commented on
Apr 29, 2022 • 35 new comments -
Merge codeql-go repository into codeql
#8631 commented on
Apr 26, 2022 • 34 new comments -
Java: Add `MyBatis`' `Providers` sinks
#8345 commented on
Apr 29, 2022 • 27 new comments -
Java: Add query for Improper Verification of Intent by Broadcast Receiver (CWE-925)
#8669 commented on
Apr 28, 2022 • 23 new comments -
JS: Add StoredXss and XssThroughDom to ATM QL extraction code
#8557 commented on
Apr 28, 2022 • 14 new comments -
Add auto-remediation to InsecureDependencyResolution.qhelp
#8790 commented on
Apr 28, 2022 • 9 new comments -
JS: ATM: New features for imports and for function parameters related to an endpoint
#8740 commented on
Apr 29, 2022 • 8 new comments -
Python dataflow: flow summaries restart
#8781 commented on
Apr 29, 2022 • 8 new comments -
Java: CWE-378: Temp Directory Hijacking Race Condition Vulnerability
#4473 commented on
Apr 28, 2022 • 7 new comments -
ATM: Refactors EndpointFeatures.qll and add two new features
#8586 commented on
Apr 29, 2022 • 7 new comments -
Java: Improve and add predicates and classes for annotations
#6246 commented on
Apr 25, 2022 • 4 new comments -
QL: add unused-field query
#7763 commented on
Apr 29, 2022 • 4 new comments -
Ruby: Model IO.popen
#8635 commented on
Apr 28, 2022 • 4 new comments -
java: false positive with insecure cookie
#4103 commented on
Apr 26, 2022 • 3 new comments -
Java: Add `StmtExpr`
#8571 commented on
Apr 26, 2022 • 3 new comments -
C#: Dotnet Runtime models.
#8600 commented on
Apr 27, 2022 • 3 new comments -
JS: drag and drop API Xss sources
#8710 commented on
Apr 25, 2022 • 2 new comments -
JS: promote the `js/missing-origin-verification` query
#8724 commented on
Apr 29, 2022 • 2 new comments -
codeql analyze multiple wrong paths in cpp project
#8697 commented on
Apr 24, 2022 • 1 new comment -
Chromium database much smaller than it should be
#8755 commented on
Apr 24, 2022 • 1 new comment -
[C++] Adding marking field access as tainted when qualifier is tainted in additionalTaintStep results in duplicate paths
#8567 commented on
Apr 26, 2022 • 1 new comment -
cs/useless-cast-to-self - false positive
#8627 commented on
Apr 29, 2022 • 1 new comment -
Add support for jdk18
#8673 commented on
Apr 30, 2022 • 1 new comment -
JS: add `js/path-injection-from-library-input` query
#8429 commented on
Apr 25, 2022 • 1 new comment -
C: refactor code to solve false positive
#8739 commented on
Apr 25, 2022 • 1 new comment -
JS: add query for detecting insecure temporary files
#7626 commented on
Apr 29, 2022 • 0 new comments -
C++: IR data flow through global variables
#8596 commented on
Apr 29, 2022 • 0 new comments -
C#: Field-sensitive flow summary generation
#8667 commented on
Apr 29, 2022 • 0 new comments -
C++: Precise flow through dereferences in IR dataflow
#8715 commented on
Apr 28, 2022 • 0 new comments -
ML: extract Unknown endpoints in training data
#8752 commented on
Apr 29, 2022 • 0 new comments