76 Pull requests merged by 27 people

• ATM: add `workflow_dispatch` to ATM JS tests

  #9338 merged May 26, 2022

• Swift: Fixups for #9291

  #9329 merged May 26, 2022

• Ruby: Data flow for hash-splat expressions in hash literals

  #9334 merged May 26, 2022

• Swift: local dataflow

  #9333 merged May 25, 2022

• Ruby: Flow through hash-splat parameters

  #9320 merged May 25, 2022

• Ruby: fix spelling errors

  #9330 merged May 25, 2022

• Swift: CFG for property reads and writes

  #9291 merged May 25, 2022

• JS: add CWE-940 to js/missing-origin-check

  #9325 merged May 25, 2022

• Ruby: tweak join order in `API::Impl::edge`

  #9159 merged May 25, 2022

• JS: Remove Buffer.from sink from js/resource-exhaustion

  #9288 merged May 25, 2022

• Data flow: Fix bad join in `prohibitsUseUseFlow`

  #9324 merged May 25, 2022

• Release preparation for version 2.9.3

  #9317 merged May 25, 2022

• JS: Add individual per-security-query counting queries

  #9193 merged May 25, 2022

• C#: Dotnet Runtime models.

  #8600 merged May 25, 2022

• Swift: add integration tests

  #9283 merged May 25, 2022

• Swift: Sync changes to DataFlowImplCommon from PR #9024.

  #9315 merged May 25, 2022

• Swift: Add shared dataflow library

  #9275 merged May 24, 2022

• Swift: CFG for `TypeExpr`, `MemberRefExpr`, `DefaultArgumentExpr` and `ForceValueExpr`

  #9284 merged May 24, 2022

• Kotlin: fix implementation of SAM classes that inherit their abstract method

  #9213 merged May 24, 2022

• Kotlin: Add support for the 1.7 RC

  #9290 merged May 24, 2022

• Ruby: rename CfgScope::Range_ to CfgScopeImpl

  #9292 merged May 24, 2022

• C#: Summarized callable

  #9270 merged May 24, 2022

• C++: Fix missing closing quote in `cpp/potential-buffer-overflow` qldoc

  #9293 merged May 24, 2022

• Kotlin: Add support for versions 1.5.0, 1.5.10, and 1.5.21

  #9263 merged May 24, 2022

• Data flow: Introduce `ContentDataFlow.qll`

  #9024 merged May 24, 2022

• Ruby: Data-flow through hashes

  #8942 merged May 24, 2022

• Ruby: flow through instance variables

  #9206 merged May 24, 2022

• Kotlin: Fix missing kotlin to java property mapping

  #9280 merged May 24, 2022

• Change owner of Go-related workflows

  #9282 merged May 24, 2022

• JS: various QL-for-QL fixes

  #9281 merged May 24, 2022

• Kotlin: Fix CFG

  #9269 merged May 24, 2022

• Bump actions/setup-go from 1 to 3

  #9278 merged May 24, 2022

• Swift: Extract semantics and accessor kinds

  #9274 merged May 24, 2022

• C++: Better join order for reachesWithoutAssignment.

  #8730 merged May 24, 2022

• Support Go and Swift in the `prepare-db-upgrade` script

  #9276 merged May 24, 2022

• Go: trigger CI jobs on Go related changes only

  #9277 merged May 23, 2022

• Docs: Update references to github/codeql-go

  #9243 merged May 23, 2022

• JS: recognize functions that return object of methods as library input

  #9125 merged May 23, 2022

• JS: remove support for passport in the session-fixation query

  #9261 merged May 23, 2022

• Merge codeql-go repository into codeql

  #8631 merged May 23, 2022

• Swift: Extend AST classes and add control-flow library

  #9268 merged May 23, 2022

• Ruby: Add getAPrimaryQlClass to CfgNodes classes

  #9137 merged May 23, 2022

• C/C++ : Wrong Uint access

  #8994 merged May 23, 2022

• Python: Promote `py/pam-auth-bypass`

  #9108 merged May 23, 2022

• JS: API graph support for accessors (and classes members)

  #9234 merged May 23, 2022

• Ruby: Eliminate bad `isLocalSourceNode` antijoin

  #9262 merged May 23, 2022

• Python: Modernise py/jinja2/autoescape-false

  #9135 merged May 23, 2022

• Kotlin: extract non-private members of class supertypes

  #9229 merged May 23, 2022

• Swift: make C++ code generation more self-contained

  #9198 merged May 23, 2022

• Swift: remove `.codeqlmanifest`

  #9265 merged May 23, 2022

• Swift: fix extractor built with `NDEBUG`

  #9264 merged May 23, 2022

• C#: Remove default clears content.

  #9255 merged May 23, 2022

• C#: Rank summaries and source code in dataflow callables.

  #9256 merged May 23, 2022

• Data flow: Do not discard call context when computing reverse lambda flow through jumps

  #9214 merged May 23, 2022

• Java: Remove org.dom4j.DocumentHelper:parseText as XXE sink

  #9238 merged May 21, 2022

• QL: point the dataset measure workflow to a merge_stats.py file that exists

  #8891 merged May 20, 2022

• Kotlin changes

  #9241 merged May 20, 2022

• Swift: transfer all visitors

  #9239 merged May 20, 2022

• Kotlin: Adjust diagnostic message severity

  #9154 merged May 20, 2022

• Swift: move TBD code to ql

  #9185 merged May 20, 2022

• Kotlin: Use 'which' to find kotlinc

  #9236 merged May 20, 2022

• Kotlin: Write the log file as Line-delimited JSON

  #9121 merged May 20, 2022

• Kotlin: Fix test to correctly highlight lack of flow from field init

  #9233 merged May 20, 2022

• Kotlin: Handle missing kotlinc gracefully

  #9221 merged May 20, 2022

• Kotlin: Avoid "generic specialisation" label collisions

  #9218 merged May 20, 2022

• Improve LiveLiterals

  #9219 merged May 20, 2022

• Java: Performance fixes for local flow relation

  #9195 merged May 20, 2022

• Swift: type visitor

  #9197 merged May 20, 2022

• Swift: expression visitor

  #9196 merged May 20, 2022

• Swift: pattern visitor

  #9194 merged May 20, 2022

• Swift: statement visitor

  #9192 merged May 20, 2022

• Swift: declaration visitor

  #9189 merged May 20, 2022

• DataFlow - SummarizedCallable refactor

  #9210 merged May 20, 2022

• Kotlin: Fix extraction of reflective call generated by Parcelize

  #9152 merged May 20, 2022

• Kotlin: Tweak logging

  #9217 merged May 19, 2022

• Kotlin: fix cases where type variables were used out of scope

  #9123 merged May 19, 2022

29 Pull requests opened by 21 people

• python: avoid some unnecessary uses of points-to

  #9216 opened May 19, 2022

• Associate certain companion object fields with the parent class

  #9220 opened May 19, 2022

• Swift: use structured generated C++ classes in `DeclVisitor`

  #9230 opened May 20, 2022

• JS: Update the extractor to use TypeScript 4.7

  #9235 opened May 20, 2022

• CPP: Add query for CWE-805: Buffer Access with Incorrect Length Value using some functions

  #9245 opened May 21, 2022

• Java: Update commons-io SHA for model regeneration and update models.

  #9257 opened May 22, 2022

• JS: Some fixes to support proper analysis of d.ts files

  #9266 opened May 23, 2022

• Ruby: Add Improper Memoization query

  #9267 opened May 23, 2022

• Fix typo in recent docs update

  #9279 opened May 24, 2022

• JS: Bump version numbers of ML-powered packs after 0.3.0 release

  #9285 opened May 24, 2022

• Java: Improve customNullGuard performance.

  #9286 opened May 24, 2022

• Ruby: flow through getters/setters

  #9287 opened May 24, 2022

• JS: Support the remaining of the finished ES2022 proposals

  #9289 opened May 24, 2022

• Java: Add support for BarrierGuards as parameterised modules.

  #9294 opened May 24, 2022

• Update codeqlmanifest file

  #9314 opened May 24, 2022

• Data flow: Make `PathGraph::edges/2` and `PathNode::getASuccessor/1` consistent

  #9316 opened May 25, 2022

• JS: Fix FP in js/type-confusion-through-parameter-tampering

  #9318 opened May 25, 2022

• Kotlin: Add taint step for String.valueOf(Editable)

  #9319 opened May 25, 2022

• Swift: do not duplicate 'external' declarations

  #9321 opened May 25, 2022

• QL/RB: fix the QL-for-QL and ruby autobuilders

  #9322 opened May 25, 2022

• Java: CaptureModels Path versions.

  #9326 opened May 25, 2022

• C#: Re-create summary models and include source and sink models as well.

  #9327 opened May 25, 2022

• Swift: Improve `toString` implementations for Ast classes

  #9328 opened May 25, 2022

• Kotlin: use the same mtimes as Java

  #9331 opened May 25, 2022

• Post-release preparation for codeql-cli-2.9.3

  #9332 opened May 25, 2022

• Update CSV framework coverage reports

  #9335 opened May 26, 2022

• Swift: CFG for local declarations

  #9336 opened May 26, 2022

• [C#] CWE-348: Using a client-supplied IP address in a security check

  #9339 opened May 26, 2022

• C++: Improve cpp/linux-kernel-no-check-before-unsafe-put-user

  #9340 opened May 26, 2022

9 Issues closed by 4 people

• usage of syscall/js causes codeql analysis to fail

  #9311 closed May 25, 2022

• How to get the root definition of the node?

  #9302 closed May 25, 2022

• Suppress warnings from Github

  #9298 closed May 25, 2022

• go-extractor happened `undeclared name: any` error

  #9297 closed May 25, 2022

• A fatal error occurred: Extractors for 'go' are found in several same-priority locations

  #9307 closed May 24, 2022

• Use a lot of disk space

  #9305 closed May 24, 2022

• General issue

  #9258 closed May 24, 2022

• LGTM.com - false positive in `cas-bigdatalab/piflow-web`

  #9246 closed May 22, 2022

• Remove `org.dom4j.DocumentHelper:parseText` from `java/xxe-with-experimental-sinks`

  #9237 closed May 21, 2022

8 Issues opened by 8 people

• Linking function definition with its declaration

  #9337 opened May 26, 2022

• General issue

  #9323 opened May 25, 2022

• Ruby parser errors on certain lambdas

  #9313 opened May 24, 2022

• LGTM.com - false positive - Python: unreachable statement in a test following with pytest.raises()

  #9273 opened May 23, 2022

• LGTM.com - false positive: Unreachable Statement in Match-Case

  #9260 opened May 23, 2022

• LGTM.com - false positive: "Unused index variable" when using array to set order of execution

  #9242 opened May 20, 2022

• CodeQL for Ruby: false alert for `URI.parse`

  #9232 opened May 20, 2022

• Is it possible to support custom built-in functions.

  #9228 opened May 20, 2022

45 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`

  #9157 commented on May 23, 2022 • 16 new comments

• CPP: Add query for CWE-125 Out-of-bounds Read with different interpretation of the string when use mbtowc

  #9089 commented on May 26, 2022 • 14 new comments

• Ruby: Fixes for `Argument[any,any-named]` in MaD

  #9215 commented on May 25, 2022 • 14 new comments

• CPP: Add query for CWE-758: Reliance on Implementation-Defined Behavior when using malloc with zero size

  #9088 commented on May 25, 2022 • 13 new comments

• Java: Add sources for Android external storage

  #9207 commented on May 26, 2022 • 12 new comments

• CPP: Add query for CWE-552 Files Accessible to External Parties when using rename

  #9090 commented on May 25, 2022 • 10 new comments

• Ruby: Model the posix-spawn gem

  #8737 commented on May 26, 2022 • 9 new comments

• JS/Python/Ruby: Document how API graphs should be interpreted

  #8606 commented on May 24, 2022 • 5 new comments

• Python dataflow: flow summaries restart

  #8781 commented on May 24, 2022 • 5 new comments

• CPP: Add query for CWE-297: Improper Validation of Certificate with Host Mismatch

  #9086 commented on May 25, 2022 • 4 new comments

• LGTM.com - false positive - Zip Slip when guard `FileNameUtils#normalize` is used

  #9205 commented on May 23, 2022 • 3 new comments

• Python: add MaD implementation

  #8883 commented on May 23, 2022 • 3 new comments

• Ruby: stop considering post-update nodes to be local source nodes

  #9175 commented on May 26, 2022 • 3 new comments

• False Negative with https://github.com/robmoffat/codeql-vuln-blog

  #8880 commented on May 25, 2022 • 2 new comments

• Dataflow: order step side-conditions ahead of mapping Node <-> NodeEx and cartesian product with Configuration

  #7350 commented on May 25, 2022 • 2 new comments

• Python: Add CSV injection model

  #8443 commented on May 25, 2022 • 2 new comments

• Java: Promote HashWithoutSalt query

  #8541 commented on May 26, 2022 • 2 new comments

• Ruby: Model various bits of ActiveSupport

  #9030 commented on May 24, 2022 • 2 new comments

• Ruby: Make StringArrayInclusion more sensitive

  #9138 commented on May 23, 2022 • 2 new comments

• CatastrophicError for `query compile --fast-compilation`: Primitive directionalBind has more than one unbound field

  #8999 commented on May 23, 2022 • 1 new comment

• Simply query cannot find function even though it should be in the database

  #9084 commented on May 24, 2022 • 1 new comment

• Incorrect Integer Conversion Query appears to fail to capture integer parsing

  #9295 commented on May 24, 2022 • 1 new comment

• Codeql to detect CORS misconfiguration in go webapp

  #9303 commented on May 25, 2022 • 1 new comment

• Python: CWE-079 - Add Email injection query

  #7127 commented on May 20, 2022 • 1 new comment

• JS: add `js/path-injection-from-library-input` query

  #8429 commented on May 24, 2022 • 1 new comment

• ATM: undo unsound performance optimizations

  #8470 commented on May 23, 2022 • 1 new comment

• CPP: Add query for CWE-670: Always-Incorrect Control Flow Implementation when use SSL_shutdown

  #9087 commented on May 23, 2022 • 1 new comment

• Flow with non-trivial access path through receiver of method assigned to a variable is missed

  #9296 commented on May 24, 2022 • 0 new comments

• Reintroduce `Fprintf` as a log sink

  #9299 commented on May 24, 2022 • 0 new comments

• False positive for go/index-out-of-bounds

  #9300 commented on May 24, 2022 • 0 new comments

• Missing Source - net.Listen

  #9301 commented on May 24, 2022 • 0 new comments

• Newly-broken builds

  #9304 commented on May 24, 2022 • 0 new comments

• False positive: CWE-918

  #9306 commented on May 24, 2022 • 0 new comments

• TaintTracking: copy inside range on map produces multiple (incomplete) path variants if struct or field are a pointer

  #9308 commented on May 24, 2022 • 0 new comments

• Tracing test code

  #9309 commented on May 24, 2022 • 0 new comments

• Investigate running generic code generation commands in addition to build steps

  #9310 commented on May 24, 2022 • 0 new comments

• LGTM.com - false positive from go/hardcoded-credentials

  #9312 commented on May 24, 2022 • 0 new comments

• ReDoS refactorizations

  #8522 commented on May 25, 2022 • 0 new comments

• JS: refactor most library models away from AST nodes

  #8604 commented on May 23, 2022 • 0 new comments

• Field-sensitive flow summary generation

  #8667 commented on May 24, 2022 • 0 new comments

• Java: Timing attack

  #8686 commented on May 26, 2022 • 0 new comments

• C++: Fix IR variable reuse for global var inits

  #8912 commented on May 20, 2022 • 0 new comments

• Java: Add Expr::getUnderlyingExpr predicate

  #9129 commented on May 25, 2022 • 0 new comments

• Kotlin: Unify loop `break`/`continue` statement handling between java and kotlin

  #9153 commented on May 20, 2022 • 0 new comments

• Python: Modernise weak file permissions query

  #9200 commented on May 23, 2022 • 0 new comments