47 Pull requests merged by 26 people

• JS: faster TypeScript extraction

  #15271 merged Jan 10, 2024

• Go: Adds sources and sinks to `go/clear-text-logging`

  #15268 merged Jan 10, 2024

• Support dry-run of publishing script

  #15251 merged Jan 10, 2024

• document weak aliases in the language reference

  #15261 merged Jan 10, 2024

• Kotlin: Reformat code

  #15269 merged Jan 10, 2024

• Swift: fix upgrade and downgrade scripts

  #15277 merged Jan 10, 2024

• Go: Migrate AppenderOrSprinter model to models-as-data

  #15267 merged Jan 10, 2024

• Bazel/CMake: drop confusing `_INTERNAL_TRANSITION` suffix

  #15276 merged Jan 10, 2024

• Data flow: Remove column from `mayBenefitFromCallContext`

  #15260 merged Jan 10, 2024

• Automodel: Do not generate features for compiler-generated program elements.

  #15264 merged Jan 10, 2024

• JS: promote `PropsTaintStep` to a `PreCallGraphStep`

  #15221 merged Jan 10, 2024

• Java: Improve Gson parse, get, and stream models

  #14926 merged Jan 10, 2024

• Java: Bring the Model Diff workflow back into a working state.

  #15225 merged Jan 10, 2024

• Kotlin 2: Accept some location changes

  #14941 merged Jan 9, 2024

• Kotlin: Remove 1.4 compatibility

  #14393 merged Jan 9, 2024

• C++: Fix QLDoc on `cmpWithLinearBound`

  #15262 merged Jan 9, 2024

• Update CSV framework coverage reports

  #15257 merged Jan 9, 2024

• C++: Remove test that is no longer relevant

  #15252 merged Jan 8, 2024

• Java: Environment variable injection query

  #14724 merged Jan 8, 2024

• 32 cpp string concatenation library

  #14954 merged Jan 8, 2024

• Swift: Add dataflow tests for property wrappers and SwiftUI

  #15230 merged Jan 8, 2024

• Release preparation for version 2.16.0

  #15250 merged Jan 8, 2024

• Bazel: Bump dependant rules versions.

  #15232 merged Jan 8, 2024

• Kotlin: Add a 2.0.255 snapshot

  #14895 merged Jan 8, 2024

• Ruby: Update Kernel.qll to include `Object.send` aliases

  #15203 merged Jan 8, 2024

• Ruby: Fix upgrade delete directives

  #15243 merged Jan 8, 2024

• C#: Fix upgrade delete directives

  #15242 merged Jan 8, 2024

• C++: Fix upgrade delete directives

  #15241 merged Jan 8, 2024

• Note Java 21 support

  #15231 merged Jan 8, 2024

• Java: Add more sinks to the Insecure Randomness query

  #14681 merged Jan 8, 2024

• Swift: Query for Use of an inappropriate cryptographic hashing algorithm on passwords

  #15122 merged Jan 8, 2024

• Ruby: update tree-sitter-ruby

  #15224 merged Jan 8, 2024

• C#: Improve arg-param mapping logic to better handle arguments passed to `params` parameters

  #15175 merged Jan 8, 2024

• Data flow: Avoid unnecessary non-linear recursion in `fwdFlowIn`

  #15157 merged Jan 8, 2024

• Merge `codeql-cli-2.15.5` back to `main`

  #15236 merged Jan 5, 2024

• Ruby: Add `[]` to the methods returning an `ActionController::Parameters"

  #15234 merged Jan 5, 2024

• Python: Fix typo in upgrade script

  #15237 merged Jan 5, 2024

• Merge `codeql-cli-2.15.4` into `codeql-cli-2.15.5`

  #15229 merged Jan 5, 2024

• Python: Automated subclass models

  #15044 merged Jan 5, 2024

• Java/C#: Make it possible to specify subfolder location of generated model files.

  #15228 merged Jan 5, 2024

• C#: Update DB stats.

  #15222 merged Jan 5, 2024

• Add test for Java buildless vs Maven multimodule projects

  #15227 merged Jan 4, 2024

• 0.0.11 release of `automodel` extraction queries

  #15226 merged Jan 4, 2024

• Go: Stratify `CFG::succ` to avoid recursion

  #15162 merged Jan 4, 2024

• C#: Fix Log forging false positive.

  #15212 merged Jan 4, 2024

• ensure `publish.sh` uses the latest `automodel` release

  #15165 merged Jan 4, 2024

• Update CSV framework coverage reports

  #15220 merged Jan 4, 2024

21 Pull requests opened by 18 people

• Add test for erb flow

  #15223 opened Jan 4, 2024

• C++: Uncomment `@function.kind` in the dbscheme

  #15233 opened Jan 5, 2024

• Replace blog link with link to GitHub user docs

  #15235 opened Jan 5, 2024

• Java: Improve Regex flag parsing

  #15244 opened Jan 6, 2024

• C#/Java: Manual neutral summaries should block generated summaries

  #15246 opened Jan 6, 2024

• C# 12: Support for lambda `param` parameter and parameter defaults.

  #15249 opened Jan 8, 2024

• Post-release preparation for codeql-cli-2.16.0

  #15254 opened Jan 8, 2024

• Python: remove assignments handled by capture library

  #15255 opened Jan 8, 2024

• Js/Py/Rb: Report any extracted file as successfully extracted

  #15256 opened Jan 8, 2024

• Swift: upgrade to 5.9.2

  #15259 opened Jan 9, 2024

• C++: add `.def` to exceptions to AV rule 32

  #15265 opened Jan 9, 2024

• Update supported-versions-compilers.rst on release candidate branch

  #15266 opened Jan 9, 2024

• C++: PrintAST support for destructor calls

  #15270 opened Jan 9, 2024

• Ruby: Handle captured `yield` calls

  #15273 opened Jan 10, 2024

• Generate Changelogs for 2.15.5

  #15279 opened Jan 10, 2024

• Java: improve models for some important JDK methods

  #15280 opened Jan 10, 2024

• [Draft] Java: Add query for exposure of sensitive information to android notifiactions

  #15281 opened Jan 10, 2024

• C++: Fix duplicate "final global value" nodes

  #15282 opened Jan 10, 2024

• Release automodel extraction queries v0.0.12.

  #15283 opened Jan 10, 2024

• Update query-metadata-style-guide.md clarify problem.severity

  #15288 opened Jan 10, 2024

• Update CSV framework coverage reports

  #15289 opened Jan 11, 2024

5 Issues closed by 5 people

• CodeQL not detecting YAML workflow vulnerabilities using on.push & on.pull_request

  #15239 closed Jan 10, 2024

• Taint Tracking of Function Passed Through JSX Attributes

  #15207 closed Jan 10, 2024

• Missing methods and constructors in Java GSON model

  #14924 closed Jan 10, 2024

• C++: Documentation clarification for `cmpWithLinearBound`

  #15248 closed Jan 9, 2024

• False positive CWE-117 C#

  #15195 closed Jan 4, 2024

9 Issues opened by 8 people

• CodeQL Package Manger and CodeQL Packs Beta Status

  #15287 opened Jan 10, 2024

• False positive - "zx" npm package usage is mistakenly detected as jQuery usage

  #15286 opened Jan 10, 2024

• False positive - cs/unused-reftype - C#

  #15278 opened Jan 10, 2024

• The QL query should not have multiple results?

  #15274 opened Jan 10, 2024

• The CODEQL query result cannot be redirected

  #15258 opened Jan 9, 2024

• C#: False positive

  #15253 opened Jan 8, 2024

• Java: Add sinks for `sun.misc.Unsafe`

  #15247 opened Jan 7, 2024

• SARIF: Backslash in query message is not escaped

  #15245 opened Jan 6, 2024

• General issue with setup

  #15240 opened Jan 5, 2024

26 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Data flow: prune context-sensitivity relations

  #15140 commented on Jan 10, 2024 • 13 new comments

• Swift: switch to shared, parameterized CFG library

  #15219 commented on Jan 9, 2024 • 7 new comments

• Ruby: Add Insecure Randomness Query

  #14554 commented on Jan 9, 2024 • 7 new comments

• JS: Web Cache Deception Express

  #15180 commented on Jan 4, 2024 • 3 new comments

• C#: Extract and use ambiguous type information for call target resolution

  #14891 commented on Jan 10, 2024 • 3 new comments

• Go: Decompression Bombs

  #13553 commented on Jan 4, 2024 • 3 new comments

• Kotlin 2: Comment improvements

  #14940 commented on Jan 10, 2024 • 2 new comments

• Swift: implement type pruning for dataflow

  #14592 commented on Jan 5, 2024 • 2 new comments

• Create database failed with "diagnostic.trap.gz, 22593: java.io.EOFException: Unexpected end of ZLIB input stream"

  #11829 commented on Jan 5, 2024 • 2 new comments

• C++: Global variable flow without explicit SSA definitions

  #15194 commented on Jan 10, 2024 • 1 new comment

• False positive – "Statement has no effect" for Python type hint ellipsis

  #11351 commented on Jan 5, 2024 • 1 new comment

• C#/Java: Increase precision of model generation.

  #15179 commented on Jan 10, 2024 • 1 new comment

• C#: Add flow steps from a PageModel to cshtml page.

  #15039 commented on Jan 4, 2024 • 1 new comment

• Sound static analysis needed to complement CodeQL

  #13092 commented on Jan 6, 2024 • 1 new comment

• CodeQL is missing an inline mechanism to suppress warnings

  #11427 commented on Jan 10, 2024 • 1 new comment

• Go: fasthttp

  #14123 commented on Jan 4, 2024 • 1 new comment

• JS: Add Permissive CORS query (CWE-942)

  #14342 commented on Jan 10, 2024 • 1 new comment

• Bump actions/labeler from 4 to 5

  #15017 commented on Jan 10, 2024 • 0 new comments

• Bump actions/setup-python from 4 to 5

  #15033 commented on Jan 10, 2024 • 0 new comments

• Java: openjdk model autogeneration

  #14919 commented on Jan 4, 2024 • 0 new comments

• Upgrade to bazel 7.

  #15068 commented on Jan 8, 2024 • 0 new comments

• Bump actions/upload-artifact from 3 to 4

  #15114 commented on Jan 10, 2024 • 0 new comments

• Ruby: Track types in data flow

  #15118 commented on Jan 8, 2024 • 0 new comments

• Create java database error：[ERROR] dataset import> diagnostic.trap.gz, 35344: java.io.EOFException: Unexpected end of ZLIB input stream.

  #15217 commented on Jan 6, 2024 • 0 new comments

• add security-severity score to code scanning query list

  #12557 commented on Jan 8, 2024 • 0 new comments

• C++: Accept test changes after frontend upgrade

  #15213 commented on Jan 10, 2024 • 0 new comments