Insights: github/codeql

56 Pull requests merged by 20 people

• Ruby: fix some more style-guide violations in the alert-messages

  #10731 merged Oct 11, 2022

• Ruby: Move `SummarizedCallableFromModel` into `ModelsAsData.qll`

  #10763 merged Oct 11, 2022

• Data flow: Improve `fastTC` bound in `PathNodeImpl::getANonHiddenSuccessor`

  #10754 merged Oct 11, 2022

• JS: Improve detection of XSS when JSON.stringify()

  #10670 merged Oct 10, 2022

• Kotlin: fix type variable erasure inside default function values

  #10737 merged Oct 10, 2022

• Kotlin: Recognize generated files

  #10723 merged Oct 10, 2022

• Koltin: Extract the corresponding classes of enum entries

  #10732 merged Oct 10, 2022

• CI: fix qhelp preview

  #10753 merged Oct 10, 2022

• Python: Fix typo in qldoc

  #10750 merged Oct 10, 2022

• RB: add some more meta queries for Ruby evaluations

  #10704 merged Oct 10, 2022

• C++: Tune cpp/unterminated-variadic-call

  #10706 merged Oct 10, 2022

• Data flow: Avoid call to `pathSuccPlus` in `Configuration::hasFlowTo(Expr)`

  #10744 merged Oct 10, 2022

• Ruby: Avoid computing full `fastTC` for `AstNode::getParent`

  #10741 merged Oct 10, 2022

• Kotlin: ignore properties in `java/internal-representation-exposure` check

  #10718 merged Oct 10, 2022

• Kotlin: Extract `override` modifier on SAM methods

  #10728 merged Oct 10, 2022

• Kotlin: Consider `::class` type check in `java/unchecked-cast-in-equals`

  #10720 merged Oct 10, 2022

• Ruby: Cache use of `DataFlowImplFor(Pathname|HttpClientLibraries)`

  #10745 merged Oct 10, 2022

• Python: Fix flask request modeling

  #10629 merged Oct 10, 2022

• Kotlin: allow building a single embeddable plugin version

  #10712 merged Oct 7, 2022

• Java: Android deeplink analysis

  #10368 merged Oct 7, 2022

• Post-release preparation for codeql-cli-2.11.1

  #10736 merged Oct 7, 2022

• Kotlin: keep method overloads together

  #10734 merged Oct 7, 2022

• Go: fix some more style-guide violations in the alert-messages

  #10726 merged Oct 7, 2022

• Ruby: fix use of deprecated class

  #10733 merged Oct 7, 2022

• C: fix some more style-guide violations in the alert-messages

  #10725 merged Oct 7, 2022

• C#: fix some more style-guide violations in the alert-messages

  #10724 merged Oct 7, 2022

• Ruby: Take overrides into account for singleton methods defined on modules

  #10705 merged Oct 7, 2022

• Release preparation for version 2.11.1

  #10716 merged Oct 7, 2022

• Kotlin: implement $default function synthesis

  #10683 merged Oct 7, 2022

• Ruby: Model flow through ActionController::Parameters

  #10538 merged Oct 7, 2022

• Update CSV framework coverage reports

  #10715 merged Oct 7, 2022

• Swift: Support MaD summaries

  #10699 merged Oct 6, 2022

• add BeegoInput.RequestBody source to Beego framework

  #10709 merged Oct 6, 2022

• Tag successfully extracted files queries

  #10698 merged Oct 6, 2022

• C++: prototype for off-by-one in array-typed field

  #10562 merged Oct 6, 2022

• Java: Promote `PathSanitizer.qll` from experimental

  #10177 merged Oct 6, 2022

• Java: Fixes bad magic in `Guard::guardControls_v3`

  #10693 merged Oct 6, 2022

• Data flow: Take conjunctive `With(out)Contents` into account in `prohibitsUseUseFlow`

  #10691 merged Oct 6, 2022

• Ruby: more type-tracking steps

  #10650 merged Oct 5, 2022

• Java Guidance: ExecTainted.ql (experimental version)

  #10665 merged Oct 5, 2022

• Kotlin: extract unary plus and minus operators

  #10672 merged Oct 5, 2022

• Ruby: fix CFG and toString for anonymous '*' and '**'

  #10692 merged Oct 5, 2022

• C++: Fix potentially bad join

  #10682 merged Oct 5, 2022

• Ruby: detect uses of LibXML with entity substitution enabled by default

  #10585 merged Oct 5, 2022

• Ruby: Remove `PairValueContent`

  #10686 merged Oct 5, 2022

• Kotlin: extract `implInterface`

  #10674 merged Oct 5, 2022

• Python: Rewrite `py/flask-debug` to use API graphs instead of type-trackers

  #10687 merged Oct 5, 2022

• Kotlin: Extract parameter modifiers (`noinline`, `crossinline`)

  #10677 merged Oct 4, 2022

• Kotlin: extract `isEnumConstant` relation

  #10675 merged Oct 4, 2022

• C#: Recognize options to `dotnet run` in tracer when injecting `-p:UseSharedCompilation=false`

  #10667 merged Oct 4, 2022

• Ruby: some improvements

  #10559 merged Oct 4, 2022

• Ruby: remove public abstract classes for Action{View,Controller}

  #10673 merged Oct 4, 2022

• Swift: Use ClassOrStructDecl

  #10681 merged Oct 4, 2022

• Swift: Add `ClassOrStructDecl` class

  #10595 merged Oct 4, 2022

• RB: add a link to the source in the alert-message for `rb/kernel-open`

  #10676 merged Oct 4, 2022

• Kotlin: Simplify `kotlinFunctionToJavaEquivalent`

  #10646 merged Oct 4, 2022

36 Pull requests opened by 20 people

• Kotlin: Extract type parameter modifiers (`reified`, `in`, `out`)

  #10678 opened Oct 4, 2022

• C#/Java: Limit telemetry results.

  #10679 opened Oct 4, 2022

• RB: add an unsafe-shell-command-construction query

  #10680 opened Oct 4, 2022

• Java: Add query for Sensitive Keyboard Cache

  #10684 opened Oct 4, 2022

• Ruby: summarize unary splat operators and add local field step

  #10685 opened Oct 4, 2022

• Swift: Query for CWE-312: Exposure of sensitive information using NSUserDefaults

  #10689 opened Oct 4, 2022

• C#: Count unsupported external library generics.

  #10694 opened Oct 5, 2022

• RB: change the summary for reject() to always flow to the first block parameter

  #10695 opened Oct 5, 2022

• Kotlin: Extract `lateinit` modifier

  #10696 opened Oct 5, 2022

• Ruby: Model some ActiveSupport methods

  #10700 opened Oct 6, 2022

• Java: Add line break sanitizers to java/log-injection

  #10707 opened Oct 6, 2022

• RB: add a query flagging uses of `Kernel.open()` that are not with a constant string

  #10708 opened Oct 6, 2022

• C++: Fix `getType` for experimental IR dataflow

  #10713 opened Oct 6, 2022

• Ruby: Model flow through `initialize` constructors

  #10714 opened Oct 6, 2022

• JS: fix some more style-guide violations in the alert-messages

  #10727 opened Oct 7, 2022

• Py: fix some more style-guide violations in the alert-messages

  #10729 opened Oct 7, 2022

• QL: fix some more style-guide violations in the alert-messages

  #10730 opened Oct 7, 2022

• Ruby: add `ActionMailer#params` as a `RemoteFlowSource`

  #10735 opened Oct 7, 2022

• Java: update framework list

  #10738 opened Oct 7, 2022

• Spelling

  #10743 opened Oct 9, 2022

• Ruby: Add `ActiveJob::Serializers.deserialize` as a code execution sink

  #10746 opened Oct 9, 2022

• Ruby: also treat included/prepended modules as subclasses

  #10747 opened Oct 10, 2022

• Ruby: TypeTracker: model instance variables as attributes

  #10748 opened Oct 10, 2022

• Ruby: treat Faraday#run_request as remote source

  #10749 opened Oct 10, 2022

• JS: Move mongodb model to a data-extension (experimental, do not merge)

  #10751 opened Oct 10, 2022

• Python: DB Modeling: Add `pymssql` and `executemany` in general

  #10752 opened Oct 10, 2022

• C#: Draft implementation of using extensible predicates for CSV rows.

  #10755 opened Oct 10, 2022

• Kotlin: extract `protected` modifier from java class files

  #10756 opened Oct 10, 2022

• Swift: Query for SQL injection

  #10757 opened Oct 10, 2022

• Type tracking: Split up `levelStep` into `levelStepCall` and `levelStepNoCall`

  #10758 opened Oct 10, 2022

• kotlin: Populate numlines

  #10759 opened Oct 10, 2022

• Ruby: Restrict regexp taint flow to `String` summaries

  #10760 opened Oct 10, 2022

• Java: Add query to detect insufficient key size (globalflow both)

  #10761 opened Oct 10, 2022

• Java: Add query to detect insufficient key size (globalflow keygen)

  #10762 opened Oct 11, 2022

• Consider other XSS unsafe content-types when reasoning about XSS vulnerabilities

  #10764 opened Oct 11, 2022

• Kotlin: adjust extracted property reference base class

  #10767 opened Oct 11, 2022

3 Issues closed by 3 people

• Problems encountered by codeql in building chromium QL library

  #10392 closed Oct 10, 2022

• Unable to create database (Android source)

  #10717 closed Oct 7, 2022

• Possible false positive in `cpp/unterminated-variadic-call`

  #10688 closed Oct 5, 2022

3 Issues opened by 3 people

• CodeQL False Positive? java/xxe with javax.xml.transform.Transformer

  #10766 opened Oct 11, 2022

• Java CodeQL hangs for hazelcast repository

  #10765 opened Oct 11, 2022

• General issue: getting error code 100 after increasing CodeQL space to 16 GB

  #10703 opened Oct 6, 2022

24 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Python: subscript def nodes

  #10608 commented on Oct 7, 2022 • 23 new comments

• CPP: Add query for CWE-758: Reliance on Implementation-Defined Behavior when using malloc with zero size

  #9088 commented on Oct 11, 2022 • 16 new comments

• Java: Add jump steps for summarized callables

  #10660 commented on Oct 4, 2022 • 11 new comments

• Android ContentProvider Incomplete Permissions

  #10637 commented on Oct 11, 2022 • 8 new comments

• Javascript: Improve Restify support

  #10663 commented on Oct 11, 2022 • 8 new comments

• Ruby: add `rb/sensitive-get-query` query

  #10369 commented on Oct 9, 2022 • 6 new comments

• CPP: Add query for CWE-369: Divide By Zero.

  #10431 commented on Oct 11, 2022 • 6 new comments

• Java: Type based summary models.

  #10628 commented on Oct 11, 2022 • 4 new comments

• CPP: Add query for CWE-297: Improper Validation of Certificate with Host Mismatch

  #9086 commented on Oct 10, 2022 • 3 new comments

• Partially remove mentions of lgtm.com from the CodeQL documentation

  #10647 commented on Oct 4, 2022 • 3 new comments

• LGTM.com - false positive (Python regex in verbose mode)

  #4707 commented on Oct 6, 2022 • 2 new comments

• C++ Function Call to Undefined Function

  #9799 commented on Oct 7, 2022 • 1 new comment

• CPP: Some guard questions about control

  #10568 commented on Oct 10, 2022 • 1 new comment

• CodeQL - false positive: Potentially uninitialized local variable after noreturn function.

  #10600 commented on Oct 10, 2022 • 1 new comment

• LGTM.com - false positive: size_t expression has no side effects

  #10601 commented on Oct 10, 2022 • 1 new comment

• Kotlin: implement default interface forwarding

  #9876 commented on Oct 10, 2022 • 1 new comment

• Add query for tainted `wordexp` calls.

  #10077 commented on Oct 7, 2022 • 1 new comment

• Java: New Android query to detect unsafe content URI resolution

  #10223 commented on Oct 6, 2022 • 1 new comment

• C++: New Query `cpp/comma-before-misleading-indentation`

  #10550 commented on Oct 10, 2022 • 1 new comment

• Ruby: update dependencies

  #10668 commented on Oct 4, 2022 • 1 new comment

• Java: Add Import.getATypeImport

  #4119 commented on Oct 5, 2022 • 0 new comments

• Ruby: Model ActionDispatch::Request

  #10602 commented on Oct 10, 2022 • 0 new comments

• Kotlin: Implement lockless TRAP writing

  #10648 commented on Oct 7, 2022 • 0 new comments

• QL: More alert-message fixing

  #10655 commented on Oct 6, 2022 • 0 new comments