Insights: github/codeql
September 5, 2023 – September 12, 2023
Overview
31 Pull requests merged by 17 people
-
C++: Deduplicate dataflow query results
#14151 merged
Sep 12, 2023 -
C#: Exclude CIL arguments from `ArgumentNode` when they are compiled from source
#14170 merged
Sep 12, 2023 -
Kotlin: Give some more informative error messages
#14144 merged
Sep 12, 2023 -
Fix space handling in Golang configure-baseline scripts
#14179 merged
Sep 11, 2023 -
Swift: Additional dataflow test
#14036 merged
Sep 11, 2023 -
C#: Explicitly quote arguments in the LUA tracer on windows.
#14150 merged
Sep 11, 2023 -
C#: Poor man's quoting.
#14172 merged
Sep 11, 2023 -
CPP: Remove successors of non-returning IR calls transitively.
#14102 merged
Sep 9, 2023 -
JS: tolerate out of order requests in TypeScript extractor
#14167 merged
Sep 8, 2023 -
C++: Fix dataflow out of post update nodes
#14171 merged
Sep 8, 2023 -
Go: Add diagnostic for 1.21 `toolchain` error
#14161 merged
Sep 8, 2023 -
Java: Automodel App Mode Extraction: Source Candidates
#14162 merged
Sep 8, 2023 -
Revert "C#: Bump all dependencies"
#14169 merged
Sep 8, 2023 -
C#: Remove test explorer recommendations (superseded by C# dev kit)
#14168 merged
Sep 8, 2023 -
C#: Clear TRAP stack when calling `PopulateGenerics`
#14149 merged
Sep 8, 2023 -
Bump chrono from 0.4.29 to 0.4.30 in /ql
#14166 merged
Sep 8, 2023 -
Swift: collection/tuple content for dictionary flow
#13947 merged
Sep 7, 2023 -
C++: Fix off-by-one in `asDefiningArgument`
#14154 merged
Sep 7, 2023 -
Py: add new qhelp for clear-text-logging
#14160 merged
Sep 7, 2023 -
CPP: Make functions that reach the end return.
#14155 merged
Sep 7, 2023 -
C# Standalone: Install .NET SDK specified in `global.json`
#13999 merged
Sep 7, 2023 -
Python: Support for command injection sinks found in the `asyncio` module
#14145 merged
Sep 7, 2023 -
Python: Fix typo in SSRF example
#14158 merged
Sep 7, 2023 -
Revert "C#: Bump all dependencies"
#14153 merged
Sep 6, 2023 -
Swift: add queries for unresolved AST nodes
#14141 merged
Sep 6, 2023 -
C#: Update extractor_messages relation schema.
#14097 merged
Sep 6, 2023 -
Bump actions/checkout from 2 to 4
#14137 merged
Sep 6, 2023 -
C#: Fix logic for flow into property writes
#14132 merged
Sep 6, 2023 -
Bump chrono from 0.4.28 to 0.4.29 in /ql
#14148 merged
Sep 6, 2023 -
Release preparation for version 2.14.4
#14147 merged
Sep 5, 2023 -
CPP: Handle globals flowing into "UnreacheachedInstruction"
#14143 merged
Sep 5, 2023
15 Pull requests opened by 13 people
-
Bump actions/checkout from 3 to 4
#14157 opened
Sep 7, 2023 -
C#: Also execute dotnet test integration tests on windows.
#14163 opened
Sep 7, 2023 -
C++: Fix more FPs in `cpp/invalid-pointer-deref`
#14164 opened
Sep 7, 2023 -
Swift: flow through writeable keypaths
#14165 opened
Sep 7, 2023 -
Post-release preparation for codeql-cli-2.14.4
#14174 opened
Sep 8, 2023 -
Python: import all frameworks in SQL-injection query
#14178 opened
Sep 11, 2023 -
Ruby: Port `UrlConcatenation.qll` from JS
#14180 opened
Sep 11, 2023 -
Document assume_small_delta deprecation
#14182 opened
Sep 11, 2023 -
Java: Automodel, new candidates fix
#14184 opened
Sep 12, 2023 -
C#: Quoting hotfix.
#14185 opened
Sep 12, 2023 -
Kotlin: Regenerate expected test output
#14186 opened
Sep 12, 2023 -
Kotlin: Support 1.9.20
#14188 opened
Sep 12, 2023 -
Swift: Consistent additional taint steps between the cleartext-* queries
#14189 opened
Sep 12, 2023 -
Swift: fix CFG for identity expressions (await, dot_self, parent)
#14190 opened
Sep 12, 2023 -
C++ tests: fix output of bug-stricken test
#14191 opened
Sep 12, 2023
2 Issues closed by 2 people
-
CodeQL analysis successful but upload not showing up in GitHub
#14107 closed
Sep 12, 2023 -
The alarm statement caused by the failure of the qls file disappears.
#14175 closed
Sep 11, 2023
4 Issues opened by 4 people
-
Use Specific Python Virtual Environment Dependency
#14187 opened
Sep 12, 2023 -
Question about `isBarrier`
#14183 opened
Sep 11, 2023 -
False positive - when json.Marshal output is used - can't result in "Potentially unsafe quoting"
#14159 opened
Sep 7, 2023 -
Java: CodeQL does not detect SSL certificate validation vulnerabilities in Apache HttpComponents
#14156 opened
Sep 6, 2023
39 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Ruby: Use the new dataflow API for checked in queries
#14124 commented on
Sep 7, 2023 • 19 new comments -
SIGSEGV (code 134) during "Finalizing database" step
#14138 commented on
Sep 12, 2023 • 10 new comments -
Ruby: JWT Security Queries (CWE-347)
#14061 commented on
Sep 12, 2023 • 9 new comments -
JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.
#13771 commented on
Sep 11, 2023 • 5 new comments -
C++: Update for changes in frontend.
#14135 commented on
Sep 5, 2023 • 5 new comments -
go 1.21 support
#13992 commented on
Sep 8, 2023 • 4 new comments -
Ruby: Reimplement flow through captured variables using field flow
#11725 commented on
Sep 7, 2023 • 3 new comments -
Swift: Add path injection sinks for sqlite3 and SQLite.swift
#13276 commented on
Sep 12, 2023 • 3 new comments -
Swift: Improvements related to the swift/cleartext-logging query.
#13980 commented on
Sep 11, 2023 • 3 new comments -
Dataflow: Add type-based call-edge pruning.
#13982 commented on
Sep 12, 2023 • 3 new comments -
Python: promote nosql query
#14070 commented on
Sep 11, 2023 • 3 new comments -
C#: Avoid explicitly restoring projects in solution files.
#14111 commented on
Sep 11, 2023 • 3 new comments -
Swift: Flow through OpenExistentialExpr
#14113 commented on
Sep 11, 2023 • 3 new comments -
Go: Decompression Bombs
#13553 commented on
Sep 7, 2023 • 2 new comments -
Java: Understand multiple parse mode flags specified in a regular expression string
#13778 commented on
Sep 11, 2023 • 2 new comments -
Java: Add JDK17 df-generated summary models
#13962 commented on
Sep 6, 2023 • 2 new comments -
Swift: use shared capture flow library
#14078 commented on
Sep 12, 2023 • 2 new comments -
Go: Add JWT Algorithm Confusion and JWT decoding without Signature Verification
#14081 commented on
Sep 11, 2023 • 2 new comments -
Ruby: More splat flow (alternative)
#14090 commented on
Sep 8, 2023 • 2 new comments -
Download GitHub database: fix `gh` invocation
#10923 commented on
Sep 6, 2023 • 1 new comment -
Python: Add unsafe deserialization sinks (CWE-502)
#13781 commented on
Sep 11, 2023 • 1 new comment -
C#: Add query for Insecure Direct Object Reference
#13882 commented on
Sep 11, 2023 • 1 new comment -
Java: Convert `SensitiveApi.qll` to use Models-as-Data
#13978 commented on
Sep 5, 2023 • 1 new comment -
Java: Convert implementations of `LocalUserInput` to Models-as-Data
#14127 commented on
Sep 11, 2023 • 1 new comment -
Ruby: Allow for implicit array reads at all sinks during taint tracking
#12672 commented on
Sep 11, 2023 • 0 new comments -
Ruby: add separate additional steps between `YAML.parse*` methods and `to_ruby`
#13431 commented on
Sep 11, 2023 • 0 new comments -
Java: Decompression Bombs
#13555 commented on
Sep 5, 2023 • 0 new comments -
Ruby: Decompression Bombs
#13556 commented on
Sep 7, 2023 • 0 new comments -
Python: Decompression Bombs
#13557 commented on
Sep 7, 2023 • 0 new comments -
C#: Decompression Bombs
#13558 commented on
Sep 6, 2023 • 0 new comments -
Swift: dataflow for `for-in` loops
#13909 commented on
Sep 8, 2023 • 0 new comments -
Java: Add new Apache CXF models
#14029 commented on
Sep 12, 2023 • 0 new comments -
Update CSV framework coverage reports
#14063 commented on
Sep 12, 2023 • 0 new comments -
C#: Roslyn-based stub generation
#14095 commented on
Sep 8, 2023 • 0 new comments -
Data flow: Add another consistency check
#14108 commented on
Sep 12, 2023 • 0 new comments -
Python: Allow namespace packages
#14114 commented on
Sep 11, 2023 • 0 new comments -
Dynamic: add TypeModel.isTypeUsed
#14120 commented on
Sep 6, 2023 • 0 new comments -
Java: Fix alert message
#14126 commented on
Sep 12, 2023 • 0 new comments -
C++: Copy the Coding Standards' use-after-lifetime-ended query to Experimental
#14134 commented on
Sep 12, 2023 • 0 new comments