48 Pull requests merged by 18 people

• Post-release preparation for codeql-cli-2.19.1

  #17631 merged Sep 30, 2024

• Release preparation for version 2.19.1

  #17629 merged Sep 30, 2024

• Rust: extract comments

  #17624 merged Sep 30, 2024

• Java: Minor model tweak and comment fix.

  #17625 merged Sep 30, 2024

• Rust: Accept CFG inconsistencies

  #17627 merged Sep 30, 2024

• Rust: Add more CFG tests

  #17626 merged Sep 30, 2024

• Rust: Add labelled block example

  #17623 merged Sep 30, 2024

• C#: reduce extraction message severity for missing text files

  #17619 merged Sep 30, 2024

• C#/Java: Content based model generation improvements.

  #17521 merged Sep 30, 2024

• Rust: Add extraction error consistency query

  #17617 merged Sep 30, 2024

• Java: Add more type-based sanitizers.

  #17579 merged Sep 30, 2024

• Rust: Prune CFG for obviously impossible true/false edges

  #17602 merged Sep 30, 2024

• Java: Add a couple of neutrals

  #17605 merged Sep 30, 2024

• Go: Add comments noting methods from embedded interfaces are already included

  #17607 merged Sep 28, 2024

• Kotlin: Fix the return type for lambda constructors

  #17599 merged Sep 27, 2024

• KE2: Add bugfix from KE1's #17599

  #17600 merged Sep 27, 2024

• KE2: Add CODEOWNERS

  #17601 merged Sep 27, 2024

• Codegen: Do not cache injectors/projectors in Synth module

  #17560 merged Sep 27, 2024

• Go: Add tests for model inheritance and fix bug in promoted methods

  #17505 merged Sep 26, 2024

• KE2: Remove the declaration stack for now

  #17594 merged Sep 26, 2024

• C++: Remove FPs in cpp/wrong-number-format-arguments due to BMN

  #17553 merged Sep 26, 2024

• Shared: Add CFG consistency check for scopes with missing entry points

  #17585 merged Sep 26, 2024

• KE2: Format code in IDEA

  #17507 merged Sep 26, 2024

• WIP: KE2: Change function and class extraction to be based on KaSymbol

  #17550 merged Sep 26, 2024

• Python: Add support for threat models

  #17203 merged Sep 26, 2024

• Go/Java/C#: Rename ThreatModelFlowSource to ActiveThreatModelSource

  #17424 merged Sep 26, 2024

• Rust: run cargo fmt

  #17592 merged Sep 26, 2024

• Rust: Repair rust/diagnostics/unextracted-elements

  #17589 merged Sep 26, 2024

• Add change note for Java 23 support

  #17591 merged Sep 26, 2024

• C#/Java: Re-factor the model generator to be a parameterized module.

  #17509 merged Sep 26, 2024

• C#: AttributeCollection is no longer considered a HTML sink.

  #17582 merged Sep 26, 2024

• Add support for Kotlin 2.1.0-Beta1

  #17555 merged Sep 25, 2024

• Resolve id conflict with XssWithAdditionalSources.ql

  #17587 merged Sep 25, 2024

• C++: Remove inline pragma from sink

  #17583 merged Sep 25, 2024

• Fix link to change logs on landing page

  #17586 merged Sep 25, 2024

• C++: Do not wrap quoted text to the next line

  #17576 merged Sep 25, 2024

• Revert changes that made the links in the drop-down on CodeQL docs site relative

  #17580 merged Sep 25, 2024

• Rust: Enable CFG consistency checks

  #17558 merged Sep 25, 2024

• Cpp: Replace sink inlining with a forward scan from source.

  #17578 merged Sep 25, 2024

• Rust: extract parse errors as diagnostics

  #17552 merged Sep 25, 2024

• Downgrade IncorrectIntegerConversionQuery precision to high

  #17571 merged Sep 25, 2024

• Rust: CFG improvements

  #17557 merged Sep 25, 2024

• Go: Expose whether functions are variadic in their pp() output

  #17360 merged Sep 24, 2024

• Java/Kotlin: Deprecate Field.getSourceDeclaration(), Field.isSourceDeclaration()

  #17503 merged Sep 24, 2024

• Python: Add Support for CORS Middlewares

  #17305 merged Sep 24, 2024

• Rust: generate the extractor

  #17543 merged Sep 24, 2024

• Data flow: Cache TNodeEx

  #17300 merged Sep 24, 2024

• Update CSV framework coverage reports

  #17529 merged Sep 24, 2024

23 Pull requests opened by 15 people

• BigInt Documentation

  #17556 opened Sep 24, 2024

• Add setVariable models for JellyContext

  #17563 opened Sep 24, 2024

• Python: model `urllib.parse.parse_qs`

  #17565 opened Sep 24, 2024

• Python: All dict constructor args are relevant

  #17566 opened Sep 24, 2024

• python: capture flow through comprehensions

  #17577 opened Sep 25, 2024

• C++: Merge the location tables

  #17581 opened Sep 25, 2024

• Dataflow: Deduplicate results when sinks accept multiple FlowStates.

  #17584 opened Sep 25, 2024

• Rust: Improve lines-of-code counts.

  #17588 opened Sep 25, 2024

• Java: FileUpload Support MaD

  #17590 opened Sep 25, 2024

• Java: Add model for CharArrayWriter.toString().

  #17597 opened Sep 27, 2024

• Shared: cache getBasicBlock() as it is needed from BarrierGuards

  #17598 opened Sep 27, 2024

• C#: Insecure Certificate Validation.

  #17603 opened Sep 27, 2024

• Java: Add overrides to the interpretation of neutral MaD models.

  #17604 opened Sep 27, 2024

• Rust: AST support for variables

  #17606 opened Sep 27, 2024

• C++: Add more macro expansion tests

  #17608 opened Sep 27, 2024

• Brodes/wcharcharconversion false positives upstream5

  #17611 opened Sep 27, 2024

• Bump regex from 1.10.6 to 1.11.0 in /ql

  #17616 opened Sep 30, 2024

• Go: Make the models-as-data subtypes column do something more sensible for promoted methods

  #17618 opened Sep 30, 2024

• C#: Interpolated string expressions.

  #17620 opened Sep 30, 2024

• C#: Make Nullable type a ConstructedType and VoidType a ValueType.

  #17621 opened Sep 30, 2024

• Java/Kotlin: Add some dbscheme comments

  #17622 opened Sep 30, 2024

• Go: add extractor option for vendor-directory extraction

  #17628 opened Sep 30, 2024

• Go: deduplicate integration tests

  #17630 opened Sep 30, 2024

8 Issues closed by 9 people

• [cpp] extractor crashed when creating database

  #16449 closed Sep 30, 2024

• Java: control-flow dependency query

  #17572 closed Sep 29, 2024

• Java 23 support

  #17564 closed Sep 27, 2024

• Cannot find a template function definition in rapidxml

  #17569 closed Sep 26, 2024

• C# False positive: XSS via AttributeCollection

  #17567 closed Sep 26, 2024

• [Java][QL] Need help improving the logic of this Java query

  #17559 closed Sep 25, 2024

• False positive

  #17575 closed Sep 25, 2024

• How to check CWE-404 when throw exception

  #17319 closed Sep 25, 2024

4 Issues opened by 2 people

• The number of paths different from codeql-cli and vscode

  #17615 opened Sep 29, 2024

• CleartextLogging.qhelp needs more help

  #17574 opened Sep 25, 2024

• Go: zip-slip FP / missed a zip-slip guard in argoproj/argo-cd

  #17573 opened Sep 25, 2024

• IncorrectIntegerConversionQuery precision is overly ambitious and its help should warn about false positives

  #17570 opened Sep 25, 2024

19 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Rust: Unreachable code query

  #17525 commented on Sep 27, 2024 • 2 new comments

• C++: Remove FPs from cpp/uninitialized-local when encountered extraction errors

  #17481 commented on Sep 30, 2024 • 2 new comments

• Python: Bottle Framework Support

  #17370 commented on Sep 23, 2024 • 2 new comments

• C++: Improve AliasedSSA performance

  #17225 commented on Sep 24, 2024 • 1 new comment

• Java: Update Java JDK 17 models.

  #17547 commented on Sep 30, 2024 • 0 new comments

• Adapt to `sourceLocationPrefix` change in `qltest`

  #17536 commented on Sep 26, 2024 • 0 new comments

• JS: Follow use-use flow after a post-update

  #17535 commented on Sep 30, 2024 • 0 new comments

• WIP: KE2: Split extractor to self contained entity classes

  #17517 commented on Sep 26, 2024 • 0 new comments

• Python: Several standard library models

  #17454 commented on Sep 24, 2024 • 0 new comments

• Go: extract and expose struct tags, interface method IDs

  #17357 commented on Sep 30, 2024 • 0 new comments

• C#: Add query for insecure certificate validation

  #16824 commented on Sep 30, 2024 • 0 new comments

• WIP: Go: CORS Bypass due to incorrect checks

  #16813 commented on Sep 24, 2024 • 0 new comments

• C#: Relax dotnet rule.

  #16792 commented on Sep 30, 2024 • 0 new comments

• isSanitizerGuard works incorrectly when the function name startwith "isValid"

  #17393 commented on Sep 27, 2024 • 0 new comments

• CodeQL detected code written in Java but could not process any of it.General issue

  #14066 commented on Sep 27, 2024 • 0 new comments

• Update from Go 1.20 to 1.22 causes CodeQL to no longer detect that we built Go code

  #17526 commented on Sep 26, 2024 • 0 new comments

• CodeQL version 2.18.2 doubles the amount of time spent compiling CodeQL databases

  #17489 commented on Sep 26, 2024 • 0 new comments

• CodeQL is missing an inline mechanism to suppress warnings

  #11427 commented on Sep 25, 2024 • 0 new comments

• Java: Call Graph

  #17457 commented on Sep 24, 2024 • 0 new comments