Insights: github/codeql

99 Pull requests merged by 26 people

• JS/RB/PY: Recognize `passcode` as sensitive

  #11178 merged Nov 10, 2022

• Ruby: Fix SSA entry definitions for `self` in top-level

  #11206 merged Nov 10, 2022

• C++: Fix the `accept` prototype in the dataflow taint tests

  #11202 merged Nov 10, 2022

• Swift: drop impossible nodes from schema

  #11209 merged Nov 10, 2022

• Java: Type based summary models.

  #10628 merged Nov 10, 2022

• Kotlin: Update docs and tests

  #11199 merged Nov 10, 2022

• Swift: detect the use of constant passwords for password-based encryption

  #11063 merged Nov 10, 2022

• Swift: detect the use of static initialization vectors

  #11084 merged Nov 10, 2022

• Java/Kotlin: Add ExtractorInformation query

  #11200 merged Nov 10, 2022

• Swift: extract some more `Expr`

  #11190 merged Nov 10, 2022

• RB: add join(" ") calls as a sink for rb/shell-command-constructed-from-input

  #11191 merged Nov 10, 2022

• QL-for-QL: don't use the deprecated set-output feature in github-actions

  #11201 merged Nov 10, 2022

• Kotlin: Run java-interface-redeclares-tostring on all platforms

  #11053 merged Nov 10, 2022

• C#: Generate data extension files

  #10777 merged Nov 10, 2022

• C++: Re-introduce the `ast` annotations in the taint tests and related test infrastructure

  #11184 merged Nov 10, 2022

• C++: Simplify dataflow taint test query

  #11197 merged Nov 10, 2022

• Post-release preparation for codeql-cli-2.11.3

  #11194 merged Nov 10, 2022

• Ruby: generalise summaries for ActiveSupport Hash extensions

  #11166 merged Nov 10, 2022

• Java: Improve sink model generation precision by excluding variable capture.

  #11188 merged Nov 10, 2022

• Swift: avoid wrongly using `doc` instead of `desc` for properties

  #11193 merged Nov 10, 2022

• CI: compile-queries: use cache when running on main, and support more base-branches

  #11180 merged Nov 9, 2022

• JS: fix issue with zero-column yaml locations

  #11157 merged Nov 9, 2022

• Add documentation about the `codeQL.queryHistory.ttl` setting

  #11073 merged Nov 9, 2022

• Java/C#: Split active configurations for model generator

  #11182 merged Nov 9, 2022

• Ruby: expand DataFlow API

  #11024 merged Nov 9, 2022

• Swift: extract `PoundDiagnosticDecl` and `MissingMemberDecl`

  #11177 merged Nov 9, 2022

• C++: Fix imports and module names in old dataflow/taint tracking library

  #11179 merged Nov 9, 2022

• Swift: add an internal query-suite for listing all the compiler errors

  #11181 merged Nov 9, 2022

• JS: recognize more re-exported values as exported

  #11095 merged Nov 9, 2022

• Swift: extract diagnostics

  #11101 merged Nov 9, 2022

• Swift: extract opaque types and their decls

  #11176 merged Nov 9, 2022

• Ruby: handle knownOrUnkown in default taint step

  #11170 merged Nov 9, 2022

• Java: Promote insufficient key size query from experimental

  #10785 merged Nov 8, 2022

• Swift: extract remaining `Stmt`s

  #11169 merged Nov 8, 2022

• Swift: extract `PostfixUnaryExpr`

  #11168 merged Nov 8, 2022

• C++: Clearer messages for the format args queries

  #11149 merged Nov 8, 2022

• CI: try only to fill the compilation cache from main in the compile-queries workflow

  #11162 merged Nov 8, 2022

• Swift: Add LocalFlowSource class and a few sources.

  #11161 merged Nov 8, 2022

• Swift: print unextracted entities

  #11164 merged Nov 8, 2022

• C++: Add dataflow test that deliberately omits the return of a non-void function

  #11163 merged Nov 8, 2022

• C++: Also taint the return value dereference in the `strcat` model

  #11159 merged Nov 8, 2022

• JS: expand localFieldStep to use access-paths, and build access-paths in more cases

  #10378 merged Nov 8, 2022

• Swift: deal with incomplete ASTs

  #11131 merged Nov 8, 2022

• Ruby: Avoid stage recomputation

  #11155 merged Nov 8, 2022

• Ruby: Split basic blocks around constant conditionals

  #11153 merged Nov 8, 2022

• Swift: Add `BitwiseOperation.qll`

  #11156 merged Nov 8, 2022

• C++: Fix wrong return types and missing statement in dataflow test

  #11154 merged Nov 8, 2022

• Swift: add bitwise ops to `PrintAst` test

  #11152 merged Nov 8, 2022

• Kotlin: Excluded compiler generated methods from `java/confusing-method-signature`

  #11045 merged Nov 8, 2022

• RB: add an unsafe-shell-command-construction query

  #10680 merged Nov 8, 2022

• Ruby: Cosmetic change

  #11150 merged Nov 7, 2022

• Ruby: try/try! as code execution

  #11022 merged Nov 7, 2022

• Java: Add flow summaries for startActivities

  #10890 merged Nov 7, 2022

• C++: Fix the use-use dataflow configuration in `dataflow/dataflow-tests`

  #11147 merged Nov 7, 2022

• QL Spec: Add instanceof in classes

  #11068 merged Nov 7, 2022

• Ruby: add a couple of missing links to a new article

  #11145 merged Nov 7, 2022

• Merge documentation changes of 2.11.2 into 2.11.3

  #11140 merged Nov 7, 2022

• Kotlin: exclude loop variables on ranges from 'unused locals' check

  #11032 merged Nov 7, 2022

• Swift: detect the use of constant salts

  #10993 merged Nov 7, 2022

• JS: Bump version numbers of ML-powered packs after 0.4.0 release

  #11143 merged Nov 7, 2022

• ReDoS: fix canonicalization in NfaUtils

  #11071 merged Nov 7, 2022

• Ruby: expand explanation of desugaring

  #11141 merged Nov 7, 2022

• Java: Add test for multiply-bounded wildcards

  #11079 merged Nov 7, 2022

• Kotlin: Extract missing arguments of enum constructor calls

  #11089 merged Nov 7, 2022

• Swift: extract `AwaitExpr`

  #11124 merged Nov 7, 2022

• Ruby: docs add missing entry

  #11139 merged Nov 7, 2022

• Swift: refactor visitors to use translations

  #11094 merged Nov 7, 2022

• Ruby: add an AST reference guide

  #11056 merged Nov 7, 2022

• Swift: detect hash functions with low # of iterations

  #10947 merged Nov 7, 2022

• Kotlin: fix extraction of Java nested wildcards; wildcards in return types

  #11121 merged Nov 7, 2022

• Kotlin: always populate the `files` table

  #11130 merged Nov 7, 2022

• C++: Small fixes for the dataflow tests

  #11137 merged Nov 7, 2022

• Dataflow: Fix a couple of join-orders.

  #10886 merged Nov 7, 2022

• Kotlin: use `$default` functions to implement `@JvmOverloads`

  #11105 merged Nov 7, 2022

• Post-release preparation for codeql-cli-2.11.3

  #11134 merged Nov 5, 2022

• Release preparation for version 2.11.3

  #11133 merged Nov 5, 2022

• Swift: Add and use ApplyExpr.getArgumentByParamName.

  #11036 merged Nov 5, 2022

• Sink endpoint characteristics

  #11055 merged Nov 4, 2022

• ATM: Miscellaneous improvements for the check queries workflow

  #11118 merged Nov 4, 2022

• Ruby: data flow docs

  #10932 merged Nov 4, 2022

• ATM: Use `${workspace}` for CodeQL pack workspace references

  #11127 merged Nov 4, 2022

• C++: Do not use the old dataflow library in `additional-flow-to-parameter`

  #11128 merged Nov 4, 2022

• Ruby: document API graphs

  #10957 merged Nov 4, 2022

• Ruby: Improve weak crypto query

  #11129 merged Nov 4, 2022

• fix typo in compile-queries workflow

  #11123 merged Nov 4, 2022

• Swift: make sed on macos happy

  #11122 merged Nov 4, 2022

• Swift: rework workflows

  #11008 merged Nov 4, 2022

• C++: Let `(Indirect|Direct)Position` be sub classes of `Position`

  #11126 merged Nov 4, 2022

• Ruby: Improve weak crypto query

  #11119 merged Nov 4, 2022

• fix merge-base compilation when running directly on main

  #11117 merged Nov 4, 2022

• Kotlin: Extract extension binary operators

  #11106 merged Nov 4, 2022

• Swift: add possibility to run the extractor under an env-specified tool

  #11029 merged Nov 4, 2022

• C++: Improve `Buffer.qll` performance

  #11112 merged Nov 4, 2022

• add workflow that checks compilation of all queries with the latest stable release

  #11078 merged Nov 4, 2022

• JS: second-order-command-injection

  #11013 merged Nov 4, 2022

• Swift: allow expecting failure in qltest.sh

  #11116 merged Nov 4, 2022

• C#: Fix flow steps into phi/uncertain def nodes

  #10933 merged Nov 4, 2022

• Data flow: Restrict public `PathNode`s to those that may reach a sink

  #11060 merged Nov 4, 2022

• Java: Fix some join-orders.

  #10904 merged Nov 4, 2022

35 Pull requests opened by 22 people

• Ruby: Add case string comparison barrier guard

  #11114 opened Nov 3, 2022

• Swift: Adds XMLDocument sinks to the XXE query

  #11120 opened Nov 4, 2022

• Use `any()` to stub getCallbackParameter/ReturnType

  #11125 opened Nov 4, 2022

• QL: fix non-attached annotations for newtype branches

  #11132 opened Nov 4, 2022

• Ruby: JSON flow summaries

  #11136 opened Nov 6, 2022

• Swift: Add AEXML sinks to XXE query

  #11138 opened Nov 7, 2022

• C#: Extend `Constant Condition` query with `String.IsNullOrEmpty`.

  #11142 opened Nov 7, 2022

• C#: Qualifiedname

  #11144 opened Nov 7, 2022

• JS: Improved Hapi support

  #11146 opened Nov 7, 2022

• RB: add a step directly from a store of an instance field to a read

  #11158 opened Nov 8, 2022

• DataFlow: Add read/store stepIsLocal consistency checks

  #11160 opened Nov 8, 2022

• Swift: Add libxml2 sinks to the XXE query

  #11165 opened Nov 8, 2022

• C++: Use-use flow through global variables

  #11171 opened Nov 8, 2022

• QL: improve the dead-code query

  #11173 opened Nov 8, 2022

• Non-sink endpoint characteristics

  #11174 opened Nov 8, 2022

• JS: extract .erb files as html

  #11175 opened Nov 8, 2022

• Dataflow: Introduce support for src/sink grouping in path results.

  #11183 opened Nov 9, 2022

• Swift: add `String` taint steps

  #11185 opened Nov 9, 2022

• Ruby: add ActionCable channel RPC params as remote flow sources

  #11187 opened Nov 9, 2022

• Ruby: un-deprecate ActionControllerControllerClass

  #11189 opened Nov 9, 2022

• Share encryption key sizes across languages

  #11192 opened Nov 9, 2022

• Swift: create common `ErrorElement` superclass and tests

  #11196 opened Nov 10, 2022

• SSA: Expose phi-read nodes

  #11198 opened Nov 10, 2022

• C#: update cs/assembly-path-injection cs/hardcoded-key to path-problems

  #11203 opened Nov 10, 2022

• ATM: add XSSThroughDOM boosted query

  #11204 opened Nov 10, 2022

• Swift: db up/downgrade scripts

  #11205 opened Nov 10, 2022

• Ruby: add `SqlConstruction` concept, and implement it for calls to `Arel.sql`

  #11207 opened Nov 10, 2022

• Python: Test improvements in preparation for new call-graph PR

  #11208 opened Nov 10, 2022

• Swift: Add Alamofire model to swift/cleartext-transmission

  #11210 opened Nov 10, 2022

• Swift: fix printing of unextracted entities

  #11211 opened Nov 10, 2022

• C++: Split `std::string::insert` off in a separate class and do some cleanup

  #11212 opened Nov 10, 2022

• Swift: extract or ignore last remaining types

  #11213 opened Nov 10, 2022

• CI: remove langauge specific format checks

  #11214 opened Nov 10, 2022

• Java/Kotlin: Write Kotlin version information to the database

  #11217 opened Nov 10, 2022

• C++: Remove some `IndirectOperand` and `IndirectInstruction` nodes

  #11218 opened Nov 10, 2022

6 Issues closed by 6 people

• [Question] How to override RemoteFlowSource for custom frameworks

  #11186 closed Nov 10, 2022

• LGTM.com - false negative

  #11148 closed Nov 10, 2022

• https://github.com/github/codeql/issues/11195#issue-1443524166LGTM.com - false positive

  #11195 closed Nov 10, 2022

• Library API Index documentation is incomplete

  #10200 closed Nov 8, 2022

• About SARIF output: originalUriBaseIds property in run object is not generated?

  #10900 closed Nov 8, 2022

• Ruby: Noisiness of rb/weak-cryptographic-algorithm / MD5 detection

  #11107 closed Nov 4, 2022

6 Issues opened by 3 people

• Issue templates should be made more relevant to people

  #11222 opened Nov 10, 2022

• C++ view AST / printAST.ql performance analysis

  #11221 opened Nov 10, 2022

• false positive - cpp/unused-static-function

  #11219 opened Nov 10, 2022

• General issue - cpp/uninitialized-local should provide at least 1 path that leaves variable uninitialized (preferably all if possible)

  #11216 opened Nov 10, 2022

• cpp/uncontrolled-allocation-size - false positive

  #11215 opened Nov 10, 2022

• Java: xml extractor ... does not provide file-indexing capabilities

  #11115 opened Nov 4, 2022

37 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Swift: Unsafe JS Eval Query

  #11001 commented on Nov 10, 2022 • 17 new comments

• Java: Promote regex injection query from experimental

  #11070 commented on Nov 8, 2022 • 11 new comments

• Swift: Content flow through tuples

  #11111 commented on Nov 9, 2022 • 11 new comments

• Ruby: Document flow summary syntax

  #10899 commented on Nov 6, 2022 • 10 new comments

• QL: Query for detecting unused parameter in override methods

  #9827 commented on Nov 8, 2022 • 8 new comments

• Update go libraries to 55e052a

  #11002 commented on Nov 10, 2022 • 7 new comments

• ReDoS: add a shared regex pack

  #11061 commented on Nov 8, 2022 • 7 new comments

• Java: Add query for Sensitive Keyboard Cache

  #10684 commented on Nov 9, 2022 • 6 new comments

• Swift: Add new query for XML External Entities (XML) vulnerabilities

  #11086 commented on Nov 8, 2022 • 6 new comments

• C#: Include "phi reads" in `DataFlow::Node`

  #10927 commented on Nov 10, 2022 • 5 new comments

• Failed to create database from node module

  #11102 commented on Nov 8, 2022 • 4 new comments

• CPP: Add query for CWE-369: Divide By Zero.

  #10431 commented on Nov 9, 2022 • 4 new comments

• Ruby: also treat included/prepended modules as subclasses

  #10747 commented on Nov 9, 2022 • 2 new comments

• [Draft] Java: Add Android missing certificate pinning query (CWE-295)

  #10971 commented on Nov 9, 2022 • 2 new comments

• CPP - fields of classes inside namespaces are not parsed correctly in the AST

  #10972 commented on Nov 10, 2022 • 1 new comment

• Java: Add line break sanitizers to java/log-injection

  #10707 commented on Nov 9, 2022 • 1 new comment

• Ruby: Model various ActionController methods

  #11058 commented on Nov 7, 2022 • 1 new comment

• Data flow: Add summary/return context to pruning stages 2-4

  #11087 commented on Nov 8, 2022 • 1 new comment

• How to filter the result of hasFlowPath API

  #10659 commented on Nov 6, 2022 • 0 new comments

• C/C++ question: taintTracking can not identify indirect use of Array pointer in a structure

  #11093 commented on Nov 7, 2022 • 0 new comments

• C++ Function Call to Undefined Function

  #9799 commented on Nov 7, 2022 • 0 new comments

• QL: detect unqueryable code

  #8454 commented on Nov 7, 2022 • 0 new comments

• JS: recognize "-->" as a bad tag filter

  #9807 commented on Nov 10, 2022 • 0 new comments

• Wip: test changes to fieldflowbranchlimit semantics

  #10025 commented on Nov 10, 2022 • 0 new comments

• Python: New call-graph based on type-trackers [still WIP]

  #10148 commented on Nov 4, 2022 • 0 new comments

• ReDoS: testing a parameterised ReDoS module

  #10604 commented on Nov 7, 2022 • 0 new comments

• JS: Move mongodb model to a data-extension (experimental, do not merge)

  #10751 commented on Nov 8, 2022 • 0 new comments

• Ruby: add library input as a source for `rb/polynomial-redos`

  #10782 commented on Nov 9, 2022 • 0 new comments

• DO NOT MERGE: Replace AST with IR use-use dataflow

  #10817 commented on Nov 10, 2022 • 0 new comments

• Ruby: add dataflow for getters/setters defined using `alias_attribute`

  #10820 commented on Nov 8, 2022 • 0 new comments

• Ruby: taint-steps for printf calls - and add a `AdditionalTaintStep` class

  #10855 commented on Nov 7, 2022 • 0 new comments

• Rb: Add an `unsafe-code-construction` query

  #10862 commented on Nov 8, 2022 • 0 new comments

• Java: Add library support for activity-alias elements in AndroidManifest.qll

  #10865 commented on Nov 8, 2022 • 0 new comments

• Data flow: Add synthetic return nodes

  #10906 commented on Nov 7, 2022 • 0 new comments

• JS: treat arrays that gets executed with shell:true as a sink for `js/shell-command-constructed-from-input`

  #11082 commented on Nov 7, 2022 • 0 new comments

• C#: Telemetry query updates.

  #11083 commented on Nov 10, 2022 • 0 new comments

• Python: Inline query tests

  #11088 commented on Nov 10, 2022 • 0 new comments