Overview
33 Pull requests merged by 16 people
-
Java: Revert #8360, "Add CompileTimeConstantExpr.getStringified method"
#8402 merged
Mar 11, 2022 -
QL: add query detecting block comments in a position where a QLDoc should be
#8374 merged
Mar 11, 2022 -
[Java] Add CompileTimeConstantExpr.getStringified method
#8360 merged
Mar 11, 2022 -
remove all deprecations that are over a year old
#8347 merged
Mar 11, 2022 -
Release preparation for version 2.8.3
#8397 merged
Mar 11, 2022 -
JS: support that the base is not a method-call in getAChainedMethodCall
#8380 merged
Mar 10, 2022 -
Ruby: Add `OrmWriteAccess` concept to model writes to a DB using an ORM
#8271 merged
Mar 10, 2022 -
Ruby: Avoid multiple `RegExpEscape::getValue` results
#8389 merged
Mar 10, 2022 -
C++: Upgrade cpp/system-data-exposure to high precision
#8358 merged
Mar 10, 2022 -
Ruby: Cleanup flow through `self`
#7084 merged
Mar 10, 2022 -
C#: Remove legacy `odasa` support
#8322 merged
Mar 10, 2022 -
C++: Factor must-flow predicates out of two queries
#8368 merged
Mar 9, 2022 -
Python: Fix a bunch of QL warnings
#8336 merged
Mar 9, 2022 -
QL: add query detecting ordering by a constant
#8385 merged
Mar 9, 2022 -
C#: Refactor Structural Comparison for Control Flow Elements.
#8038 merged
Mar 9, 2022 -
Ruby: Fix incorrect parsing of ranges
#8373 merged
Mar 9, 2022 -
Ruby: Fix off-by-one error in `getGroupName`
#8370 merged
Mar 8, 2022 -
Ruby: Fix regex parsing of `/[|]/`
#8364 merged
Mar 8, 2022 -
C#: Refactoring - Move some of the standalone extractor code to the Standalone project.
#8203 merged
Mar 8, 2022 -
C++: Mark everything in CodeDuplication.qll as deprecated
#8366 merged
Mar 8, 2022 -
QL: field only used in charPred
#7598 merged
Mar 8, 2022 -
Python: Add Server-side Request Forgery sinks
#8275 merged
Mar 8, 2022 -
Ruby: TypeTracker: add smallstep for functions that return their arguments
#8302 merged
Mar 7, 2022 -
CPP: Add query for CWE-190: Integer Overflow or Wraparound when using transform after operation
#8247 merged
Mar 7, 2022 -
CPP: Add query for CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
#6950 merged
Mar 7, 2022 -
C#: Add change note about recursive `codeql test run` extraction
#8319 merged
Mar 7, 2022 -
Ruby/Python: Clear call contexts after jump steps in type tracking
#8317 merged
Mar 7, 2022 -
JS: Add query that maps queries to sink type
#8334 merged
Mar 7, 2022 -
C++: Update the DB scheme stats file
#8310 merged
Mar 7, 2022 -
[Java] Add CharacterLiteral to CompileTimeConstantExpr.getStringValue
#8325 merged
Mar 7, 2022 -
JS: Fix ATM timeout on NodeJS
#8297 merged
Mar 4, 2022 -
C++: new query for insufficient key strength
#8059 merged
Mar 4, 2022
29 Pull requests opened by 17 people
-
Ruby: Use taint tracking instead of type tracking to define `regExpSource`
#8332 opened
Mar 4, 2022 -
JS: Use `TypeTracker::continue` when doing taint steps
#8333 opened
Mar 4, 2022 -
python: minimal CSRF implementation
#8340 opened
Mar 4, 2022 -
Java: Add `MyBatis`' `Providers` sinks
#8345 opened
Mar 6, 2022 -
C#: ExternalAPI implementation for Telemetry.
#8348 opened
Mar 7, 2022 -
Ruby: Cache `TRegExpParent`
#8349 opened
Mar 7, 2022 -
QL: add query detecting inconsistent deprecations
#8351 opened
Mar 7, 2022 -
Incomplete url string sanitization
#8354 opened
Mar 7, 2022 -
Java: Add JDBC connection SSRF sinks
#8357 opened
Mar 7, 2022 -
CI: add QLdoc test
#8365 opened
Mar 8, 2022 -
Qldoc test test
#8367 opened
Mar 8, 2022 -
Bump ATM pack version numbers to 0.1.0
#8372 opened
Mar 8, 2022 -
Dataflow: Flow-state changing steps should always be in path explanations
#8381 opened
Mar 9, 2022 -
C++: Use a `TaintTracking::Configuration` in three more queries
#8382 opened
Mar 9, 2022 -
Development
#8388 opened
Mar 9, 2022 -
C++: Remove uniqueness constraint from uuid
#8390 opened
Mar 10, 2022 -
C#: Deprecate the StructuralComparisonConfiguration interface and use sameGvn instead.
#8391 opened
Mar 10, 2022 -
JS: Add StoredXss XssThroughDom CodeInjection to all QL required for endpoint pipeline
#8392 opened
Mar 10, 2022 -
Improve join order for RangeAnalysis::boundedPhi
#8393 opened
Mar 10, 2022 -
Ruby: add `rb/clear-text-storage-sensitive-data` query
#8395 opened
Mar 10, 2022 -
Ruby: resolve `ql/field-only-used-in-charpred` alerts
#8396 opened
Mar 10, 2022 -
Post-release preparation for codeql-cli-2.8.3
#8398 opened
Mar 11, 2022 -
Ruby: implement getComponent(n) for simple and hash-key symbols
#8399 opened
Mar 11, 2022 -
Extend taint tracking interface with flow states
#8401 opened
Mar 11, 2022 -
Rename all upper-case variables, and all lower-case modules
#8403 opened
Mar 11, 2022 -
JS: Bump version numbers of ML-powered packs after 0.1.0 release
#8404 opened
Mar 11, 2022 -
C#/Java: Range analysis: use ranked phi nodes
#8405 opened
Mar 11, 2022 -
C#: Refactor RelevantSummarized
#8406 opened
Mar 11, 2022 -
Java: Revert #8325, Add CharacterLiteral to CompileTimeConstantExpr.getStringValue
#8407 opened
Mar 11, 2022
5 Issues closed by 5 people
-
Support for Flow type-checking? :)
#6016 closed
Mar 9, 2022 -
CodeQL lost some class parsing when parsing the project and building the database
#8363 closed
Mar 8, 2022 -
LGTM.com - false positivenegativ
#8346 closed
Mar 7, 2022 -
(Java) Taint Tracking fail on Argument of MethodAccess without Caller
#8242 closed
Mar 6, 2022 -
About the language types supported by codeql
#8331 closed
Mar 5, 2022
8 Issues opened by 8 people
-
False Positive: md5(gravatar) marked as insecure
#8383 opened
Mar 9, 2022 -
How to make a call graph for a function in C/C++?
#8376 opened
Mar 8, 2022 -
Python codeql analysis hangs
#8353 opened
Mar 7, 2022 -
(Java) How to create database for Apache Dubbo project to include all source of its dependency?
#8344 opened
Mar 6, 2022 -
How to make a database of a very large codebase very quickly?
#8342 opened
Mar 5, 2022 -
Java: `hasSubtype` / `getASubtype` does not work correctly for generic types
#8339 opened
Mar 4, 2022 -
Add support for Java Project Reactor
#8338 opened
Mar 4, 2022
30 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Java: Add Guard Classes for checking OS & unify System Property Access
#8032 commented on
Mar 11, 2022 • 54 new comments -
C#: Capture Summary models.
#8329 commented on
Mar 10, 2022 • 15 new comments -
JS: Taint analysis for win paths
#7968 commented on
Mar 10, 2022 • 14 new comments -
Python: CWE-079 - Add Email injection query
#7127 commented on
Mar 10, 2022 • 13 new comments -
Enforcing consistent casing of acronyms
#8323 commented on
Mar 11, 2022 • 12 new comments -
Ruby: IncompleteHostnameRegExp.ql
#7917 commented on
Mar 11, 2022 • 10 new comments -
Python: Add data-flow through Django ORM models
#8061 commented on
Mar 9, 2022 • 10 new comments -
Ruby: initial prototype of models-as-data
#8254 commented on
Mar 10, 2022 • 9 new comments -
C++: New query cpp/potential-system-data-exposure
#8318 commented on
Mar 8, 2022 • 9 new comments -
Python: Add def nodes to API graphs
#7806 commented on
Mar 4, 2022 • 8 new comments -
Add query to detect ZipSlip
#8004 commented on
Mar 11, 2022 • 7 new comments -
Ruby: Add rb/tainted-format-string query
#8272 commented on
Mar 9, 2022 • 4 new comments -
JS: Refactor the XSS / Client-side-url queries
#8304 commented on
Mar 4, 2022 • 4 new comments -
Ruby: Add rb/http-to-file-access query
#8224 commented on
Mar 8, 2022 • 3 new comments -
Start sharing Concepts across dynamic languages
#8307 commented on
Mar 9, 2022 • 3 new comments -
C++: fix hasImplicitCopyConstructor for templates
#7884 commented on
Mar 10, 2022 • 2 new comments -
Java: Add query to detect clickjacking
#8308 commented on
Mar 4, 2022 • 2 new comments -
Python: Port and extend XXE modeling
#6112 commented on
Mar 9, 2022 • 1 new comment -
JS: make array taint-step better
#7010 commented on
Mar 10, 2022 • 1 new comment -
Java: Add ReDoS queries
#7723 commented on
Mar 10, 2022 • 1 new comment -
JS: add new query: js/unclosed-stream
#3682 commented on
Mar 10, 2022 • 0 new comments -
Java: CWE-378: Temp Directory Hijacking Race Condition Vulnerability
#4473 commented on
Mar 10, 2022 • 0 new comments -
Python: Cache more predicates and improve performance.
#7339 commented on
Mar 10, 2022 • 0 new comments -
QL: field unused in disjunct
#7669 commented on
Mar 9, 2022 • 0 new comments -
QL: Add should-be-non-member query
#7762 commented on
Mar 9, 2022 • 0 new comments -
QL: add unused-field query
#7763 commented on
Mar 9, 2022 • 0 new comments -
C++: Cache `getLocation` on `Instruction` and `Operand`
#8030 commented on
Mar 10, 2022 • 0 new comments -
Ruby: interpret string escape sequences in getConstantValue()
#8164 commented on
Mar 8, 2022 • 0 new comments -
Fix MaD workflows to be more resilient to missing files
#8294 commented on
Mar 10, 2022 • 0 new comments -
C++: Handle initialization of structured bindings via bitwise copy in extractor
#8320 commented on
Mar 9, 2022 • 0 new comments