63 Pull requests merged by 24 people

• Rust: Query for dereferencing an invalid pointer

  #19080 merged Apr 4, 2025

• Rust: Reduce CI noise from the SummaryStats query

  #19180 merged Apr 4, 2025

• Rust: Use macro call location as fall back in macro expansions

  #19217 merged Apr 4, 2025

• Rust: Take prelude into account when resolving paths

  #19157 merged Apr 4, 2025

• C#: Add cs/useless-assignment-to-local to the code quality suite.

  #19061 merged Apr 4, 2025

• Rust: Add another disjunct to postWithInFlowExclude

  #19195 merged Apr 4, 2025

• Ruby: Make getPreUpdateNode Unique Again

  #19121 merged Apr 4, 2025

• C#: Accept file sync mismatch for C# testfiles.

  #19199 merged Apr 4, 2025

• Ssa: Deprecate the public DefinitionExt and PhiReadNode

  #19160 merged Apr 4, 2025

• Support post-procesed inline expectations for query predicates in unit tests

  #19211 merged Apr 3, 2025

• Rust: Add inline expectations test for type inference

  #19198 merged Apr 3, 2025

• Misc: Add stage overlap script

  #19156 merged Apr 3, 2025

• C#: Extend simple type sanitizers with enums and System.DateTimeOffset.

  #19194 merged Apr 3, 2025

• C#: Blazor: Support string literals as property names in jump nodes

  #19145 merged Apr 3, 2025

• JS: Modeling of rimraf functions

  #19196 merged Apr 3, 2025

• Swift: Update SSA to reference the new use-use predicates.

  #19177 merged Apr 3, 2025

• JS: Some preliminary fixes from name resolution branch

  #19192 merged Apr 3, 2025

• Rust: Make trait a base type mention of the self type parameter

  #19149 merged Apr 3, 2025

• Docs: Add GitHub Actions as a supported language

  #19190 merged Apr 2, 2025

• Add @ps-codeql to CODEOWNERS for experimental cryptography

  #19201 merged Apr 2, 2025

• actions: add MaD model for permissions needed by actions

  #19166 merged Apr 2, 2025

• Update tags for js/useless-expression

  #19189 merged Apr 2, 2025

• Rust: Fix capturedCallRead

  #19185 merged Apr 2, 2025

• C++: update expected test results after extractor changes

  #19202 merged Apr 2, 2025

• Run pytest server with sudo and higher nice value

  #19204 merged Apr 2, 2025

• Java: generalise javax.persistence models to also recognise jakarta.persistence.

  #19187 merged Apr 2, 2025

• Actions: Fix bad performance in getTargetPath

  #19186 merged Apr 2, 2025

• C#: Update PreSSA to reference the new use-use predicates.

  #19178 merged Apr 2, 2025

• Ssa: Replace phi-read references in VariableCapture with default use-use flow

  #19154 merged Apr 2, 2025

• Update CSV framework coverage reports

  #19191 merged Apr 2, 2025

• Update query-metadata-style-guide.md

  #19020 merged Apr 1, 2025

• JS: Handle spread/rest in API graphs

  #19108 merged Apr 1, 2025

• Python: Modernize py/mixed-tuple-returns

  #19136 merged Apr 1, 2025

• Rust: Make Element.toString non-recursive

  #19162 merged Apr 1, 2025

• Post-release preparation for codeql-cli-2.21.0

  #19182 merged Apr 1, 2025

• Update UntrustedCheckoutCritical.ql

  #19183 merged Apr 1, 2025

• Rust: QLTest: delete Cargo.lock files

  #19181 merged Apr 1, 2025

• C#: Extract string interpolation alignment and format.

  #19089 merged Apr 1, 2025

• Python: Add file-not-closed and special-method-wrong-signature to python code-quality suite

  #19179 merged Apr 1, 2025

• Release preparation for version 2.21.0

  #19172 merged Apr 1, 2025

• Rust: introduce upgrades/downgrades infrastructure

  #19167 merged Apr 1, 2025

• Update UseOfKnownVulnerableAction.ql

  #19126 merged Apr 1, 2025

• Rust: More path resolution improvements

  #19133 merged Apr 1, 2025

• UntrustedCheckout: Try and differentiate between two versions of the query

  #19127 merged Apr 1, 2025

• C++: Add class representing calling conventions

  #19159 merged Apr 1, 2025

• C#: Update generated .NET 9 Runtime models.

  #19125 merged Apr 1, 2025

• C++: Refactor Iterator SSA flow to use the data flow integration module.

  #19155 merged Apr 1, 2025

• Update CSV framework coverage reports

  #19173 merged Apr 1, 2025

• Javascript, add missing * to changenote

  #19169 merged Mar 31, 2025

• Actions: rename changenote file

  #19168 merged Mar 31, 2025

• Merge rc/3.17 into main

  #19161 merged Mar 31, 2025

• Java: add test exercising Gradle download pruning

  #19135 merged Mar 31, 2025

• Rust: rename several entities to their more natural names

  #19137 merged Mar 31, 2025

• Misc: Add another path prefix to accept-expected-changes-from-ci.py

  #19158 merged Mar 31, 2025

• Java buildless: add buildless-maven variant with a wildcard mirrorOf spec

  #19152 merged Mar 31, 2025

• Codegen: add ql.db_table_name property pragma

  #19063 merged Mar 31, 2025

• Java: Adjust caching of BasicBlocks, BaseSSA, and CompileTimeConstants

  #19093 merged Mar 31, 2025

• JS: Modeling of fs-extra functions

  #19143 merged Mar 31, 2025

• JS: support hana db client

  #19118 merged Mar 31, 2025

• JavaScript: Add support for indexing additional SAP related JSON files

  #19117 merged Mar 31, 2025

• Ssa: Refactor data flow integration to make the input signature simpler

  #19147 merged Mar 31, 2025

• csharp update MaD for System.Uri

  #19142 merged Mar 31, 2025

• Rust: crate_graph: generate 'use' statements for re-exported items

  #19113 merged Mar 30, 2025

19 Pull requests opened by 12 people

• ruby: remove some FPs from `rb/useless-assignment-to-local`

  #19164 opened Mar 31, 2025

• Python: Modernize the Loop Variable Capture query

  #19165 opened Mar 31, 2025

• Rust: Query for uncontrolled allocation size

  #19171 opened Mar 31, 2025

• Java: Add new quality query to detect calls to `Thread.run()`

  #19175 opened Apr 1, 2025

• JS: Support for `Request` and `NextRequest`

  #19184 opened Apr 1, 2025

• Rust: Take `where` clauses into account in path resolution

  #19193 opened Apr 2, 2025

• JS: Add sinks for calls to 'new Response()'

  #19200 opened Apr 2, 2025

• Go: Add database source models for `uptrace/bun` and `gogf/gf/database/gdb`

  #19203 opened Apr 2, 2025

• ruby: refine `rb/uninitialized-local-variable`

  #19205 opened Apr 2, 2025

• Ruby: Synthesize implicit super arguments

  #19206 opened Apr 2, 2025

• Java: add exclude-from-incremental tag to telemetry queries

  #19208 opened Apr 2, 2025

• JS: Modeling of `mkdirp` functions

  #19210 opened Apr 3, 2025

• Rust: Associated types

  #19214 opened Apr 4, 2025

• Rust: Handle path attributes in path resolution

  #19216 opened Apr 4, 2025

• JS: Refactor `WebSocket` to use `API` graphs

  #19218 opened Apr 4, 2025

• Add changelog entries for CodeQL CLI versions 2.20.7 and 2.21.0

  #19219 opened Apr 4, 2025

• Rust: Minor path resolution fix for `($)crate` paths

  #19220 opened Apr 4, 2025

• C++: Parameters can have a static specifier but are not static

  #19221 opened Apr 4, 2025

• Rust: Define queries more consistently and include all sinks in stats

  #19222 opened Apr 4, 2025

7 Issues closed by 4 people

• Request textDocument/definition failed - CodeQL 2.21.0 seems to break Language Server integration

  #19213 closed Apr 4, 2025

• Change IntegerOverflowTainted.ql @kind to path-problem.Execution error：“These should include at least an 'edges' result set”

  #19209 closed Apr 3, 2025

• C++: Model indirect data flow through external functions

  #19151 closed Apr 1, 2025

• The self-implemented taintloop rule has an empty detection result. Is there a good debugging method?

  #19163 closed Apr 1, 2025

• CodeQL Analysis error for Swift 6 on ubuntu

  #19176 closed Apr 1, 2025

• General issue

  #19174 closed Apr 1, 2025

• Why TaintedAllocationSize can't detect the following problems.

  #19109 closed Apr 1, 2025

3 Issues opened by 3 people

• SQL file support for Liquibase code

  #19207 opened Apr 2, 2025

• ArrayIndexOutOfBoundsException in com.semmle.inmemory.pipeline.MetaPipelineInstance.wrapWithRaDump(MetaPipelineInstance.java:204)

  #19197 opened Apr 2, 2025

• Missing taint flow

  #19153 opened Mar 30, 2025

15 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Add new quality query to detect `finalize` calls

  #19075 commented on Apr 4, 2025 • 13 new comments

• Java: Add new quality query to detect `String#replaceAll` with non-regex first argument

  #19115 commented on Apr 1, 2025 • 9 new comments

• Rust: Compute canonical paths in QL

  #19134 commented on Apr 4, 2025 • 4 new comments

• Java: Add new quality query to detect missing `@Nested` annotation in JUnit5 tests

  #19094 commented on Apr 4, 2025 • 2 new comments

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 commented on Apr 3, 2025 • 1 new comment

• Python: Initial version of the Model Generator Lib and Queries

  #19131 commented on Mar 31, 2025 • 1 new comment

• External predicate recording multiple values

  #19140 commented on Mar 31, 2025 • 0 new comments

• Inconsistency between the sarif file and information from vscode codeql panel

  #18933 commented on Apr 1, 2025 • 0 new comments

• Rust: extract sources of crates

  #18523 commented on Apr 2, 2025 • 0 new comments

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 commented on Apr 1, 2025 • 0 new comments

• ruby: ad 'quality' tag to 'rb/unused-parameter'

  #19040 commented on Mar 31, 2025 • 0 new comments

• Rust: Model futures::executor::block_on.

  #19095 commented on Apr 4, 2025 • 0 new comments

• Ruby: Make module graph queries avoid relying on evalaution order.

  #19116 commented on Apr 1, 2025 • 0 new comments

• Rust: Implement support for inference of type aliases

  #19146 commented on Apr 3, 2025 • 0 new comments

• C#: Add cs/invalid-string-formatting to the codeql quality suite.

  #19148 commented on Apr 4, 2025 • 0 new comments