Insights: github/codeql
Overview
26 Pull requests merged by 15 people
-
[Java] Implement field taint inheritance for Struts2 unmarshalled objects
#13713 merged
Jul 28, 2023 -
Dataflow: MergePathGraph3 signature fix
#13822 merged
Jul 28, 2023 -
Docs: Fix indentation in tutorial examples
#13832 merged
Jul 28, 2023 -
[Java] New models for Struts2 framework
#13712 merged
Jul 28, 2023 -
Kotlin: Tweak our JSON escaping
#13412 merged
Jul 28, 2023 -
Remove last updated information and sorting from MRVA views
#13821 merged
Jul 27, 2023 -
Java: Allow flow out of FieldValueNodes for non-static fields
#13817 merged
Jul 27, 2023 -
Go: Compiler error messages changed in Go 1.20.6
#13824 merged
Jul 26, 2023 -
Post-release preparation for codeql-cli-2.14.1
#13793 merged
Jul 26, 2023 -
Java: Automodel Fix, Prevent Some Erroneous Endpoints
#13818 merged
Jul 26, 2023 -
C++: Support printing of global and namespace variables in `PrintAST`
#13775 merged
Jul 26, 2023 -
C#: Limit detection of sub-command names in tracer configuration
#13794 merged
Jul 25, 2023 -
Java: Improve the diagnostics consistency query
#13751 merged
Jul 25, 2023 -
Swift: Use enum content in withContiguousStorageIfAvailable model.
#13816 merged
Jul 25, 2023 -
Swift: Model Sequence.withContiguousStorageIfAvailable
#12416 merged
Jul 25, 2023 -
Swift: Support EnumContent in models-as-data
#13795 merged
Jul 25, 2023 -
C++: Add `cpp/invalid-pointer-deref` false negative
#13815 merged
Jul 25, 2023 -
C++: Add more documentation to the `cpp/invalid-pointer-deref` query
#13774 merged
Jul 25, 2023 -
Swift: improve print-cfg query
#13763 merged
Jul 25, 2023 -
Swift: Query for bad HTML filtering regexps
#13549 merged
Jul 24, 2023 -
Java: Exclude qualifier argument for existing models
#13747 merged
Jul 24, 2023 -
C++: Add more IR tests for the ternary operator
#13811 merged
Jul 24, 2023 -
C++: Swap argument order in `cpp/invalid-pointer-deref`
#13792 merged
Jul 24, 2023 -
C++: Improve names of identifiers in `cpp/invalid-pointer-deref`
#13789 merged
Jul 24, 2023 -
Update CSV framework coverage reports
#13797 merged
Jul 24, 2023
13 Pull requests opened by 11 people
-
Python: Relax module resolution
#13819 opened
Jul 25, 2023 -
Go: Make flow configurations use new data flow API
#13820 opened
Jul 26, 2023 -
Ruby: Add Unsafe HMAC Comparison Query.
#13825 opened
Jul 26, 2023 -
Swift: Model withUnsafeBytes and similar closure methods
#13827 opened
Jul 27, 2023 -
Swift: Correct the behaviour of Type.getName
#13829 opened
Jul 27, 2023 -
Java: Update Encryption.qll in line with NIST.SP.800-131Ar2
#13830 opened
Jul 27, 2023 -
Backport: Compiler error messages changed in Go 1.20.6
#13834 opened
Jul 28, 2023 -
Don't treat logrus' WithContext method as a logging function
#13835 opened
Jul 28, 2023 -
Swift: 'ParsedSequence' lacks proper types and yields 'Unresolved' AST nodes
#13836 opened
Jul 28, 2023 -
Kotlin: Pass on a parentId and remove some redundant braces
#13837 opened
Jul 28, 2023 -
Swift: add SetContent for data flow
#13838 opened
Jul 28, 2023 -
Update supported frameworks
#13840 opened
Jul 28, 2023 -
Add support for log injection in MaD
#13841 opened
Jul 28, 2023
1 Issue closed by 1 person
-
questioin about variablecall
#13766 closed
Jul 23, 2023
4 Issues opened by 4 people
-
Go: support remote package analysis
#13833 opened
Jul 28, 2023 -
False positive: passing context with credentials to logrus
#13828 opened
Jul 27, 2023 -
False positive 'User-controlled bypass of sensitive method' for C# API endpoint that requires authorization
#13826 opened
Jul 27, 2023 -
question about "and not" keyword
#13809 opened
Jul 23, 2023
29 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Trust Boundary Violation Query
#13413 commented on
Jul 28, 2023 • 29 new comments -
Java: Tests for Automodel Extraction Queries
#13788 commented on
Jul 28, 2023 • 19 new comments -
Python: Flask & Django Constant Secret Key initialization
#13561 commented on
Jul 26, 2023 • 18 new comments -
Java: Experimental version of Java Command Injection query
#13484 commented on
Jul 24, 2023 • 17 new comments -
C++: Constant type-bounds in the new range analysis
#13783 commented on
Jul 25, 2023 • 17 new comments -
Python/JavaScript: Shared module for serverless functions
#13729 commented on
Jul 26, 2023 • 9 new comments -
Swift: add DataFlow::Content for arrays
#13741 commented on
Jul 28, 2023 • 7 new comments -
Swift: CustomUrlSchemes test enhancements and minor model improvement
#13756 commented on
Jul 28, 2023 • 7 new comments -
Swift: Add Command Injection query (CWE-078)
#13726 commented on
Jul 28, 2023 • 5 new comments -
Java: Add proper support for variable capture flow.
#13478 commented on
Jul 28, 2023 • 4 new comments -
[Python] Configuration Injection query
#13640 commented on
Jul 27, 2023 • 3 new comments -
Go : Improvements to Timing Attacks query
#13645 commented on
Jul 27, 2023 • 3 new comments -
Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer
#13782 commented on
Jul 25, 2023 • 3 new comments -
Ruby: Add LDAP Injection query
#13309 commented on
Jul 27, 2023 • 2 new comments -
Ruby: add seperate additional steps between `YAML.parse*` methods and `to_ruby`
#13431 commented on
Jul 24, 2023 • 2 new comments -
Go: Avoid using getTarget() as it may not exist
#13785 commented on
Jul 28, 2023 • 2 new comments -
mvnw issue
#13435 commented on
Jul 25, 2023 • 1 new comment -
C#: Decompression Bombs
#13558 commented on
Jul 24, 2023 • 1 new comment -
Java: Add Weak Randomness Query (CWE-330/338)
#13608 commented on
Jul 28, 2023 • 1 new comment -
Dynamic: add Fuzzy token
#13737 commented on
Jul 27, 2023 • 1 new comment -
Java: Add taint steps for InputStream wrappers
#13772 commented on
Jul 26, 2023 • 1 new comment -
Python: Understand multiple parse mode flags specified in a regular expression string
#13779 commented on
Jul 24, 2023 • 1 new comment -
Swift: properly identify types and declarations in trap files via mangling
#12433 commented on
Jul 28, 2023 • 0 new comments -
C# Zipslip improvements
#13281 commented on
Jul 26, 2023 • 0 new comments -
Ruby: printCfg: only show graph for selected CfgScope
#13334 commented on
Jul 24, 2023 • 0 new comments -
C++: Updates for changes in frontend
#13716 commented on
Jul 28, 2023 • 0 new comments -
C++: Fix barriers in invalid pointer deref
#13725 commented on
Jul 25, 2023 • 0 new comments -
Ruby: query to automatically extract type definitions from library code
#13750 commented on
Jul 28, 2023 • 0 new comments -
Python: Add unsafe deserialization sinks (CWE-502)
#13781 commented on
Jul 28, 2023 • 0 new comments