42 Pull requests merged by 23 people

• Kotlin 2: Accept some location changes

  #14941 merged Jan 9, 2024

• Kotlin: Remove 1.4 compatibility

  #14393 merged Jan 9, 2024

• C++: Fix QLDoc on `cmpWithLinearBound`

  #15262 merged Jan 9, 2024

• Update CSV framework coverage reports

  #15257 merged Jan 9, 2024

• C++: Remove test that is no longer relevant

  #15252 merged Jan 8, 2024

• Java: Environment variable injection query

  #14724 merged Jan 8, 2024

• 32 cpp string concatenation library

  #14954 merged Jan 8, 2024

• Swift: Add dataflow tests for property wrappers and SwiftUI

  #15230 merged Jan 8, 2024

• Release preparation for version 2.16.0

  #15250 merged Jan 8, 2024

• Bazel: Bump dependant rules versions.

  #15232 merged Jan 8, 2024

• Kotlin: Add a 2.0.255 snapshot

  #14895 merged Jan 8, 2024

• Ruby: Update Kernel.qll to include `Object.send` aliases

  #15203 merged Jan 8, 2024

• Ruby: Fix upgrade delete directives

  #15243 merged Jan 8, 2024

• C#: Fix upgrade delete directives

  #15242 merged Jan 8, 2024

• C++: Fix upgrade delete directives

  #15241 merged Jan 8, 2024

• Note Java 21 support

  #15231 merged Jan 8, 2024

• Java: Add more sinks to the Insecure Randomness query

  #14681 merged Jan 8, 2024

• Swift: Query for Use of an inappropriate cryptographic hashing algorithm on passwords

  #15122 merged Jan 8, 2024

• Ruby: update tree-sitter-ruby

  #15224 merged Jan 8, 2024

• C#: Improve arg-param mapping logic to better handle arguments passed to `params` parameters

  #15175 merged Jan 8, 2024

• Data flow: Avoid unnecessary non-linear recursion in `fwdFlowIn`

  #15157 merged Jan 8, 2024

• Merge `codeql-cli-2.15.5` back to `main`

  #15236 merged Jan 5, 2024

• Ruby: Add `[]` to the methods returning an `ActionController::Parameters"

  #15234 merged Jan 5, 2024

• Python: Fix typo in upgrade script

  #15237 merged Jan 5, 2024

• Merge `codeql-cli-2.15.4` into `codeql-cli-2.15.5`

  #15229 merged Jan 5, 2024

• Python: Automated subclass models

  #15044 merged Jan 5, 2024

• Java/C#: Make it possible to specify subfolder location of generated model files.

  #15228 merged Jan 5, 2024

• C#: Update DB stats.

  #15222 merged Jan 5, 2024

• Add test for Java buildless vs Maven multimodule projects

  #15227 merged Jan 4, 2024

• 0.0.11 release of `automodel` extraction queries

  #15226 merged Jan 4, 2024

• Go: Stratify `CFG::succ` to avoid recursion

  #15162 merged Jan 4, 2024

• C#: Fix Log forging false positive.

  #15212 merged Jan 4, 2024

• ensure `publish.sh` uses the latest `automodel` release

  #15165 merged Jan 4, 2024

• Update CSV framework coverage reports

  #15220 merged Jan 4, 2024

• Go: report any extracted file as successfully extracted

  #15211 merged Jan 3, 2024

• Go: fix FP in incorrect integer conversion query relating to strict comparisons with MaxInt and MaxUint

  #15128 merged Jan 3, 2024

• C++: Improve special members test by printing more function details

  #15214 merged Jan 3, 2024

• Add missing `override`.

  #15190 merged Jan 3, 2024

• Kotlin 2: Accept changes in query-tests/UnderscoreIdentifier

  #15049 merged Jan 3, 2024

• Ruby: Model editor improvements

  #15048 merged Jan 3, 2024

• C#: .NET 8 Runtime models.

  #15174 merged Jan 3, 2024

• C++: Support more function types

  #15210 merged Jan 3, 2024

26 Pull requests opened by 20 people

• C++: Accept test changes after frontend upgrade

  #15213 opened Jan 3, 2024

• Go: extract entities for type parameters

  #15216 opened Jan 3, 2024

• Swift: switch to shared, parameterized CFG library

  #15219 opened Jan 3, 2024

• JS: promote `PropsTaintStep` to a `PreCallGraphStep`

  #15221 opened Jan 4, 2024

• Add test for erb flow

  #15223 opened Jan 4, 2024

• Java: Bring the Model Diff workflow back into a working state.

  #15225 opened Jan 4, 2024

• C++: Uncomment `@function.kind` in the dbscheme

  #15233 opened Jan 5, 2024

• Replace blog link with link to GitHub user docs

  #15235 opened Jan 5, 2024

• Java: Improve Regex flag parsing

  #15244 opened Jan 6, 2024

• C#/Java: Manual neutral summaries should block generated summaries

  #15246 opened Jan 6, 2024

• C# 12: Support for lambda `param` arguments and default arguments.

  #15249 opened Jan 8, 2024

• Support dry-run of publishing script

  #15251 opened Jan 8, 2024

• Post-release preparation for codeql-cli-2.16.0

  #15254 opened Jan 8, 2024

• Python: remove assignments handled by capture library

  #15255 opened Jan 8, 2024

• Js/Py/Rb: Report any extracted file as successfully extracted

  #15256 opened Jan 8, 2024

• Swift: upgrade to 5.9.2

  #15259 opened Jan 9, 2024

• Data flow: Remove column from `mayBenefitFromCallContext`

  #15260 opened Jan 9, 2024

• document weak aliases in the language reference

  #15261 opened Jan 9, 2024

• Automodel: Do not generate features for compiler-generated program elements.

  #15264 opened Jan 9, 2024

• C++: add `.def` to exceptions to AV rule 32

  #15265 opened Jan 9, 2024

• Update supported-versions-compilers.rst on release candidate branch

  #15266 opened Jan 9, 2024

• Go: Migrate AppenderOrSprinter model to models-as-data

  #15267 opened Jan 9, 2024

• Go: Adds sources and sinks to `go/clear-text-logging`

  #15268 opened Jan 9, 2024

• Kotlin: Reformat code

  #15269 opened Jan 9, 2024

• C++: PrintAST support for destructor calls

  #15270 opened Jan 9, 2024

• JS: faster TypeScript extraction

  #15271 opened Jan 9, 2024

4 Issues closed by 4 people

• C++: Documentation clarification for `cmpWithLinearBound`

  #15248 closed Jan 9, 2024

• False positive CWE-117 C#

  #15195 closed Jan 4, 2024

• CodeQL Rediscovering Alerts Marked As "False Positive"

  #15218 closed Jan 3, 2024

• github upload-results fails when uploading large SARIF with incorrect error message

  #15209 closed Jan 3, 2024

7 Issues opened by 6 people

• The CODEQL query result cannot be redirected

  #15258 opened Jan 9, 2024

• C#: False positive

  #15253 opened Jan 8, 2024

• Java: Add sinks for `sun.misc.Unsafe`

  #15247 opened Jan 7, 2024

• SARIF: Backslash in query message is not escaped

  #15245 opened Jan 6, 2024

• General issue with setup

  #15240 opened Jan 5, 2024

• CodeQL not detecting YAML workflow vulnerabilities using on.push & on.pull_request

  #15239 opened Jan 5, 2024

• Create java database error：[ERROR] dataset import> diagnostic.trap.gz, 35344: java.io.EOFException: Unexpected end of ZLIB input stream.

  #15217 opened Jan 3, 2024

24 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Data flow: prune context-sensitivity relations

  #15140 commented on Jan 8, 2024 • 13 new comments

• Ruby: Add Insecure Randomness Query

  #14554 commented on Jan 9, 2024 • 7 new comments

• JS: Web Cache Deception Express

  #15180 commented on Jan 4, 2024 • 3 new comments

• C#: Extract and use ambiguous type information for call target resolution

  #14891 commented on Jan 9, 2024 • 3 new comments

• Go: Decompression Bombs

  #13553 commented on Jan 4, 2024 • 3 new comments

• Go: Support Go 1.22

  #15202 commented on Jan 3, 2024 • 2 new comments

• Kotlin 2: Comment improvements

  #14940 commented on Jan 9, 2024 • 2 new comments

• Swift: implement type pruning for dataflow

  #14592 commented on Jan 5, 2024 • 2 new comments

• Create database failed with "diagnostic.trap.gz, 22593: java.io.EOFException: Unexpected end of ZLIB input stream"

  #11829 commented on Jan 5, 2024 • 2 new comments

• Encountering a Problem with CodeQL-ruby Query during the Execution Phase of the epsilonStar Function

  #15199 commented on Jan 3, 2024 • 2 new comments

• Go: fasthttp

  #14123 commented on Jan 4, 2024 • 1 new comment

• Java: Improve Gson parse, get, and stream models

  #14926 commented on Jan 9, 2024 • 1 new comment

• Sound static analysis needed to complement CodeQL

  #13092 commented on Jan 6, 2024 • 1 new comment

• C#: Add flow steps from a PageModel to cshtml page.

  #15039 commented on Jan 4, 2024 • 1 new comment

• False positive – "Statement has no effect" for Python type hint ellipsis

  #11351 commented on Jan 5, 2024 • 1 new comment

• JS: Add Permissive CORS query (CWE-942)

  #14342 commented on Jan 9, 2024 • 0 new comments

• add security-severity score to code scanning query list

  #12557 commented on Jan 8, 2024 • 0 new comments

• Java: openjdk model autogeneration

  #14919 commented on Jan 4, 2024 • 0 new comments

• Upgrade to bazel 7.

  #15068 commented on Jan 8, 2024 • 0 new comments

• Ruby: Track types in data flow

  #15118 commented on Jan 8, 2024 • 0 new comments

• Python: Mention more sanitisation options in py/url-redirection qhelp.

  #15176 commented on Jan 3, 2024 • 0 new comments

• C#/Java: Increase precision of model generation.

  #15179 commented on Jan 5, 2024 • 0 new comments

• Python: Add support for more URL redirect sanitisers.

  #15187 commented on Jan 3, 2024 • 0 new comments

• C++: Global variable flow without explicit SSA definitions

  #15194 commented on Jan 8, 2024 • 0 new comments