53 Pull requests merged by 22 people

• C++: Rewrite `cpp/tainted-format-string` away from `DefaultTaintTracking`

  #14801 merged Nov 22, 2023

• Update change note 0.3.3.md

  #14880 merged Nov 22, 2023

• Post-release preparation for codeql-cli-2.15.3

  #14877 merged Nov 22, 2023

• Add combined changelogs for 2.15.3 and backfill historic versions

  #14876 merged Nov 22, 2023

• Kotlin: Move tests from test/kotlin to test-kotlin1

  #14862 merged Nov 22, 2023

• SSA: Add locations to ease debugging

  #14868 merged Nov 22, 2023

• Kotlin 2: isFake is currently broken, so assume not fake for now

  #14860 merged Nov 22, 2023

• Python: test demonstrating the need for phi nodes

  #14861 merged Nov 22, 2023

• C#: Tolerate missing call targets in LogMessageSink

  #14855 merged Nov 22, 2023

• Python: Test demonstrating the need for phi-read-nodes

  #14858 merged Nov 21, 2023

• Update qhelp for js/path-injection.

  #14846 merged Nov 21, 2023

• Kotlin: Add more CODEOWNERS entries

  #14837 merged Nov 21, 2023

• Kotlin: Add a kotlin2 copy of the testsuite

  #14833 merged Nov 21, 2023

• Go: model value flow with array content through slice expressions

  #14798 merged Nov 21, 2023

• Kotlin: Add 2.0.0-Beta1

  #14831 merged Nov 21, 2023

• C#: Framework dependency detection.

  #14767 merged Nov 21, 2023

• Backport PR #14825

  #14852 merged Nov 21, 2023

• JS: update typescript extractor to use 5.3 .

  #14510 merged Nov 21, 2023

• C++: Convert `cpp/arithmetic-with-extreme-values` away from `DefaultTaintTracking`

  #14838 merged Nov 20, 2023

• Python: Add test for variable reference in list comprehension

  #14851 merged Nov 20, 2023

• Automodel: Fix a few nits.

  #14845 merged Nov 20, 2023

• Ruby: Prune irrelevant data flow nodes and edges

  #14787 merged Nov 20, 2023

• Python: Add support for Python 3.12 type syntax

  #14636 merged Nov 20, 2023

• C++: Fix global-variable flow for array types

  #14822 merged Nov 20, 2023

• Update cryptography bill of materials queries

  #14847 merged Nov 20, 2023

• Kotlin: Fix findTopLevelFunctionOrWarn for Kotlin 2

  #14835 merged Nov 20, 2023

• Type tracking: Parameterize consistency checks

  #14815 merged Nov 20, 2023

• C#: In Assets parser let TryReadAllText return null on read error.

  #14843 merged Nov 20, 2023

• C#: Make assets file reading more robust.

  #14834 merged Nov 20, 2023

• Post-release preparation for codeql-cli-2.15.3

  #14823 merged Nov 19, 2023

• C#: Update insecure randomness query description to match implementation

  #14828 merged Nov 17, 2023

• C# fix integration tests

  #14830 merged Nov 17, 2023

• Kotlin: Build: Refactor version handling

  #14814 merged Nov 17, 2023

• C#: Fix integration test failures after dotnet upgrade on runners.

  #14825 merged Nov 17, 2023

• Release preparation for version 2.15.3

  #14813 merged Nov 16, 2023

• Post-release preparation for codeql-cli-2.15.3

  #14816 merged Nov 16, 2023

• Bazel/CMake: small compatibility fix

  #14820 merged Nov 16, 2023

• Doc: Fix name of VS Code settings property to use extension packs

  #14819 merged Nov 16, 2023

• Java Automodel extraction: fix extracted meta information by using Object for the type of generic parameters

  #14818 merged Nov 16, 2023

• Bazel/CMake: support new internal transition rules

  #14805 merged Nov 16, 2023

• C++: Fix dataflow duplication from `ReferenceDereference` expressions

  #14810 merged Nov 16, 2023

• C++: Convert `cpp/integer-overflow-tainted` away from DefaultTaintTracking

  #14812 merged Nov 16, 2023

• Java: Improve QHelp for `java/path-injection` to mention less disruptive fixes.

  #14793 merged Nov 16, 2023

• Java: Automodel Extraction: Remove Qualifier Endpoints of Constructors

  #14795 merged Nov 16, 2023

• C++: Delete `cpp/tainted-format-string-through-global`

  #14808 merged Nov 16, 2023

• Ruby: Include more nodes in `{Hash,Array}LiteralCfgNode`

  #14783 merged Nov 16, 2023

• Remove LoC metrics from the analysis summary

  #14811 merged Nov 16, 2023

• Python: Accept new ordering of query predicates in `.expected`

  #14790 merged Nov 16, 2023

• Java: Publish Automodel query pack 0.0.7

  #14642 merged Nov 16, 2023

• C++: Move change note

  #14809 merged Nov 16, 2023

• Python: Update `.expected` to support Python 3.12

  #14791 merged Nov 16, 2023

• Prepare shared type tracking library for adoption by Ruby

  #14710 merged Nov 16, 2023

• Python: New FileSystem Access

  #14406 merged Nov 16, 2023

21 Pull requests opened by 15 people

• Swift: More sinks for swift/uncontrolled-format-string

  #14807 opened Nov 16, 2023

• C#: Detect `TargetFramework`s and install them if there is no `global.json`

  #14821 opened Nov 16, 2023

• Java: add a new query cover some instance of CWE-209

  #14827 opened Nov 17, 2023

• C#: Strengthen call-back heuristics by considering body-less methods

  #14832 opened Nov 17, 2023

• Python: Adopt shared type tracking library

  #14848 opened Nov 20, 2023

• Java Automodel extraction: remove primitives in framework mode

  #14849 opened Nov 20, 2023

• C#: WIP Strengthen call-back heuristics by considering body-less methods and autobuild

  #14850 opened Nov 20, 2023

• Swift: More sinks for swift/cleartext-logging

  #14853 opened Nov 20, 2023

• Java: Promote Unsafe URL Forward query from experimental

  #14854 opened Nov 20, 2023

• Ruby: Add tests illustrating missing flow

  #14859 opened Nov 21, 2023

• Swift: generate more QLdocs

  #14864 opened Nov 21, 2023

• Swift: move keypath dataflow writes to fix types

  #14865 opened Nov 21, 2023

• C++: Reduce duplication from crement operations

  #14867 opened Nov 21, 2023

• Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 in /go/ql/test/experimental/CWE-347

  #14870 opened Nov 21, 2023

• Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 in /go/ql/test/experimental/CWE-321-V2

  #14871 opened Nov 21, 2023

• Go: Add Rs Cors Support

  #14873 opened Nov 21, 2023

• Ruby: Add test for missing block flow

  #14874 opened Nov 22, 2023

• C#: Pin integration tests to a specific .NET version.

  #14878 opened Nov 22, 2023

• Swift: "contentsOf" sources

  #14879 opened Nov 22, 2023

• C++: Rewrite `cpp/user-controlled-null-termination-tainted` away from `DefaultTaintTracking`

  #14881 opened Nov 22, 2023

• Go: avoid getTarget() and improve CallNode documentation

  #14882 opened Nov 22, 2023

1 Issue closed by 1 person

• Monorepo setup with different c# areas

  #14836 closed Nov 21, 2023

11 Issues opened by 10 people

• Query pack codeql/go-queries cannot be found

  #14884 opened Nov 23, 2023

• Error running query: Internal error. (codeQL.runQueryContextEditor) Error: Error running query: Internal error.

  #14883 opened Nov 23, 2023

• How can I use codeql cli without metadata?

  #14872 opened Nov 21, 2023

• A typedef defined with extern "C" prevents CodeQL from finding the TypdefType of a C++ member function's FunctionDeclarationEntry

  #14869 opened Nov 21, 2023

• General issue - CodeQL exiting with exit code 2

  #14866 opened Nov 21, 2023

• Python code QL reports (invalid?) parse error

  #14863 opened Nov 21, 2023

• Python : Unable to follow taint through indirect calls

  #14842 opened Nov 20, 2023

• zero files scanned results in green build

  #14841 opened Nov 18, 2023

• False positive: Static field written by instance method by Interlocked API

  #14840 opened Nov 18, 2023

• False positive: Missed 'readonly' opportunity for field used by Interlocked API

  #14839 opened Nov 18, 2023

• Few questions about semmle-extractor-options

  #14826 opened Nov 16, 2023

36 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Add support for Java 21 language features

  #14671 commented on Nov 22, 2023 • 56 new comments

• Golang: Web Cache Deception Vulnerability

  #14775 commented on Nov 22, 2023 • 15 new comments

• Python: remove EssaNodes

  #14777 commented on Nov 22, 2023 • 11 new comments

• Python: Add dataflow consistency query

  #8457 commented on Nov 22, 2023 • 8 new comments

• Swift: extract `MacroDecl`

  #14796 commented on Nov 21, 2023 • 7 new comments

• Go: Decompression Bombs

  #13553 commented on Nov 22, 2023 • 6 new comments

• Support for langVersion 12 and Net 8

  #14803 commented on Nov 17, 2023 • 5 new comments

• Python: Add taint-flow modeling for `re` module

  #14725 commented on Nov 21, 2023 • 5 new comments

• Does C++ extractor support to process code with unity build?

  #14479 commented on Nov 16, 2023 • 3 new comments

• How to extract source files when using a special compiler (e.g. TMS320C2000 C/C++ Compiler)?

  #8453 commented on Nov 19, 2023 • 3 new comments

• C#: Add flow steps for View calls refering to Razor pages

  #14343 commented on Nov 22, 2023 • 3 new comments

• C++ extractor fails to process code based on Unreal Engine

  #13994 commented on Nov 19, 2023 • 2 new comments

• JS: extend DatabaseAccess by `TypeORM` and `sqlite` and `better-sqlite3` packages

  #14302 commented on Nov 22, 2023 • 2 new comments

• Python: support `*args` and `**kwargs` in request handlers

  #14353 commented on Nov 22, 2023 • 2 new comments

• [Feature branch] JS: Migrate to shared dataflow library

  #14412 commented on Nov 21, 2023 • 2 new comments

• Ruby: Decompression Bombs

  #13556 commented on Nov 22, 2023 • 1 new comment

• Python: Decompression Bombs

  #13557 commented on Nov 22, 2023 • 1 new comment

• Java: Add Weak Randomness Query (CWE-330/338)

  #13608 commented on Nov 16, 2023 • 1 new comment

• JS: decoding JWT without signature verification

  #14088 commented on Nov 22, 2023 • 1 new comment

• Java: JWT decoding without verification

  #14089 commented on Nov 22, 2023 • 1 new comment

• Go: fasthttp

  #14123 commented on Nov 21, 2023 • 1 new comment

• JS: Add Permissive CORS query (CWE-942)

  #14342 commented on Nov 22, 2023 • 1 new comment

• Ruby: Experimental model editor support

  #14679 commented on Nov 22, 2023 • 1 new comment

• Swift: Heuristic sinks for swift/sql-injection

  #14797 commented on Nov 16, 2023 • 1 new comment

• java: false positive: javax.validation.constraints are not identified as input validation

  #8705 commented on Nov 22, 2023 • 0 new comments

• Ruby: add seperate additional steps between `YAML.parse*` methods and `to_ruby`

  #13431 commented on Nov 20, 2023 • 0 new comments

• Go: Fix missing flow through receiver for function variable (try 2)

  #13861 commented on Nov 22, 2023 • 0 new comments

• Java: Weak Hashing Algorithm specified in `.properties` files

  #14040 commented on Nov 16, 2023 • 0 new comments

• Temporarily run the standalone extractor instead of autobuilding

  #14324 commented on Nov 23, 2023 • 0 new comments

• Ruby: refine `ActiveRecord` `update_all` as an SQL sink

  #14627 commented on Nov 20, 2023 • 0 new comments

• Ruby: Adopt shared type tracking library

  #14709 commented on Nov 21, 2023 • 0 new comments

• Java: Environment variable injection query

  #14724 commented on Nov 21, 2023 • 0 new comments

• Temporarily run the standalone extractor instead of autobuilding - beginning of the quarter

  #14741 commented on Nov 20, 2023 • 0 new comments

• Java: Insecure Loading of Class in Android App without Package Signature Checking

  #14752 commented on Nov 18, 2023 • 0 new comments

• DataFlow: Add language-specific predicate for ignoring steps in flow-through calculation

  #14799 commented on Nov 21, 2023 • 0 new comments

• Swift: final 5.8/5.9 extractions

  #14800 commented on Nov 16, 2023 • 0 new comments