Insights: github/codeql

73 Pull requests merged by 24 people

• Java: Consider taint through bitwise operations on PendingIntent flags

  #11367 merged Nov 22, 2022

• Python: Add change note for module resolution

  #11347 merged Nov 22, 2022

• Python: Model `getpass.getpass` as source of passwords

  #11372 merged Nov 22, 2022

• Python: Test improvements in preparation for new call-graph PR

  #11208 merged Nov 22, 2022

• CI: use read-only-cache when running on a PR

  #11362 merged Nov 22, 2022

• JS: treat arrays that gets executed with shell:true as a sink for `js/shell-command-constructed-from-input`

  #11082 merged Nov 22, 2022

• QL: add redundant-assignment query

  #11343 merged Nov 22, 2022

• JS: poly-redos: don't sanitize calls through substring calls that just remove the start

  #11072 merged Nov 22, 2022

• C++: Fix typo flagged up by QL-for-QL

  #11369 merged Nov 22, 2022

• C++: Ignore more instructions in dataflow

  #11357 merged Nov 22, 2022

• C#: Add workflow for running QL tests

  #11329 merged Nov 22, 2022

• Swift: set @github/codeql-swift as owner

  #11338 merged Nov 22, 2022

• Ruby: delete the target/packs folder in the `compile-queries` job

  #11358 merged Nov 22, 2022

• Update CSV framework coverage reports

  #11359 merged Nov 22, 2022

• C++: Reduce `readStep` fan-in

  #11355 merged Nov 21, 2022

• Java: Promote regex injection query from experimental

  #11070 merged Nov 21, 2022

• C++: Repair `MustFlow` library for use-use flow

  #11311 merged Nov 21, 2022

• Merge `rc/3.8` into `main`

  #11349 merged Nov 21, 2022

• Ruby: cache the entire extractor

  #11348 merged Nov 21, 2022

• Java: Fix a couple of taint models for `java.nio.file.Path(s)`

  #11346 merged Nov 21, 2022

• Ruby: Use compilation cache for the qltest CI workflow

  #11344 merged Nov 21, 2022

• Ruby: use the shared regex pack

  #11245 merged Nov 21, 2022

• Java: Handle disabled Maven repositories

  #11340 merged Nov 21, 2022

• Python: Clean up import resolution

  #10861 merged Nov 21, 2022

• CFG: Workaround in test output for origin/target pairs with multiple edges

  #11341 merged Nov 21, 2022

• C++: deprecate AST-based GVN

  #11262 merged Nov 21, 2022

• Ruby: Add `--check-undefined-labels` to QL test job

  #11336 merged Nov 21, 2022

• Swift: skip QL code generation on untouched files

  #11331 merged Nov 21, 2022

• QL/RB: delete language specific codeql query compile checks

  #11328 merged Nov 21, 2022

• C++: Fix flow out of const member functions

  #11314 merged Nov 21, 2022

• C++: Reduce size of `edges` and `nodes` in `cpp/upcast-array-pointer-arithmetic`

  #11330 merged Nov 21, 2022

• delete old deprecations

  #11318 merged Nov 19, 2022

• Update analyzing-databases-with-the-codeql-cli.rst

  #11332 merged Nov 18, 2022

• QL: fix non-attached annotations for newtype branches

  #11132 merged Nov 18, 2022

• Post-release preparation for codeql-cli-2.11.4

  #11327 merged Nov 18, 2022

• C++: Fix join order in `cpp/upcast-array-pointer-arithmetic`

  #11325 merged Nov 18, 2022

• CI: Also compile the `examples` folder

  #11316 merged Nov 18, 2022

• Kotlin: format string literals like the Java annotaton extractor

  #11296 merged Nov 17, 2022

• Release preparation for version 2.11.4

  #11320 merged Nov 17, 2022

• Update go libraries to 55e052a

  #11002 merged Nov 17, 2022

• Java: Remove no-longer-needed expected diagnostics

  #11293 merged Nov 17, 2022

• C++: Update auto-builder nuget packages

  #11317 merged Nov 17, 2022

• C++: Accept test changes on the use-use flow branch

  #11315 merged Nov 17, 2022

• Kotlin: Add test case for confusing overloading query

  #11291 merged Nov 17, 2022

• Kotlin: Exclude .kt files from empty block query

  #11289 merged Nov 17, 2022

• Kotlin: Exclude .kt files from dead code queries

  #11310 merged Nov 17, 2022

• Kotlin: Exclude .kt files from non serializable field query

  #11308 merged Nov 17, 2022

• Kotlin: Exclude .kt files from missing `instanceof` in `equals` query

  #11306 merged Nov 17, 2022

• CI: clean up the cache when compiling on main

  #11272 merged Nov 17, 2022

• JS: Improved Hapi support

  #11146 merged Nov 17, 2022

• Ruby: Model various ActionController methods

  #11058 merged Nov 16, 2022

• C#: Update all nuget packages

  #11266 merged Nov 16, 2022

• Kotlin: Exclude .kt files from mutual dependency query

  #11304 merged Nov 16, 2022

• Kotlin: Exclude .kt files from one stmt in line query

  #11303 merged Nov 16, 2022

• Swift: remove synthesized classes from the dbscheme

  #11292 merged Nov 16, 2022

• Java: Add query for Sensitive Keyboard Cache

  #10684 merged Nov 16, 2022

• Kotlin: Exclude .kt files from ignored return value query

  #11302 merged Nov 16, 2022

• Kotlin: Exclude .kt files from misnamed reftype query

  #11301 merged Nov 16, 2022

• Kotlin: Exclude .kt files from useless parameter query

  #11300 merged Nov 16, 2022

• Kotlin: Exclude .kt files from serializable inner class query

  #11299 merged Nov 16, 2022

• C++: Remove some `IndirectOperand` and `IndirectInstruction` nodes

  #11218 merged Nov 16, 2022

• ql-style-guide: Remove use of `return`

  #11307 merged Nov 16, 2022

• SSA: Expose phi-read nodes

  #11198 merged Nov 16, 2022

• JS: add stats for @satisfies_expr

  #11297 merged Nov 16, 2022

• Kotlin: Exclude .kt files from autoboxing query

  #11290 merged Nov 16, 2022

• Kotlin: Exclude .kt files from `java/complex-boolean-expression`

  #11284 merged Nov 16, 2022

• Kotlin: Exclude .kt files from resource leak queries

  #11286 merged Nov 16, 2022

• CodeQL: add 'False positive' issue template

  #11276 merged Nov 16, 2022

• Remove issue template for LGTM.com false positive reports

  #11227 merged Nov 16, 2022

• Dataflow: Introduce support for src/sink grouping in path results.

  #11183 merged Nov 16, 2022

• Ruby: taint-steps for printf calls - and add a `AdditionalTaintStep` class

  #10855 merged Nov 16, 2022

• Java: Stub generator: Exclude invalid identifiers from generated stubs

  #11269 merged Nov 16, 2022

• Swift: fix path of generated C++ files artifact

  #11285 merged Nov 16, 2022

26 Pull requests opened by 18 people

• Golang: add `rsync` as a program capable of arbitrary shell command execution

  #11288 opened Nov 16, 2022

• QL: improve the "this block-comment should have been a QLDoc"-query

  #11294 opened Nov 16, 2022

• "CodeQL False positive" -> "CodeQL false positive"

  #11295 opened Nov 16, 2022

• ATM: Remove redundant code

  #11321 opened Nov 17, 2022

• ATM: Simplify query configurations

  #11323 opened Nov 18, 2022

• ATM: add XSSThroughDOM boosted query

  #11333 opened Nov 18, 2022

• Ruby: Model ActionMailbox

  #11337 opened Nov 21, 2022

• Ruby: Active support enumerable

  #11339 opened Nov 21, 2022

• Swift: Add taint models for the Data class

  #11345 opened Nov 21, 2022

• Add macOS 13 to supported platforms

  #11350 opened Nov 21, 2022

• Kotlin: bump default CI version to 1.7.20

  #11352 opened Nov 21, 2022

• Fix `QLLexer` instance as argument to `add_lexer`

  #11353 opened Nov 21, 2022

• C++: replace Guards with IRGuards

  #11356 opened Nov 21, 2022

• Swift: cache more aggressively in CI

  #11364 opened Nov 22, 2022

• Swift: fix extractor tests pack

  #11365 opened Nov 22, 2022

• Ruby: Add additional sinks to the `rb/kernel-open` query

  #11366 opened Nov 22, 2022

• Add binding between annotation and sink-param

  #11368 opened Nov 22, 2022

• Swift: upgrade to Swift 5.7.1

  #11370 opened Nov 22, 2022

• C++: Field flow through reference-returning functions

  #11374 opened Nov 22, 2022

• Python: New type-tracking based call-graph

  #11376 opened Nov 22, 2022

• Swift: Add models for NSData and NSMutableData

  #11378 opened Nov 22, 2022

• ATM: Kaeluka/endpoint filters modularity

  #11379 opened Nov 22, 2022

• Swift: fix remapping bug

  #11381 opened Nov 22, 2022

• Swift: do not abort if cannot archive a source file

  #11382 opened Nov 22, 2022

• C#: Also include extractor unit tests in `csharp-qltest.yml`

  #11383 opened Nov 22, 2022

• Adds Kotlin (beta) content

  #11384 opened Nov 22, 2022

7 Issues closed by 6 people

• Which edges are automatically added by taint analysis?

  #11360 closed Nov 23, 2022

• False positive for Failure to use HTTPS or SFTP URL in Maven artifact upload/download when repo is disabled

  #11326 closed Nov 21, 2022

• Migration from LGTM is missing support for .lgtm.yml

  #11319 closed Nov 18, 2022

• CPP - fields of classes inside namespaces are not parsed correctly in the AST

  #10972 closed Nov 18, 2022

• CodeQL - False positive for uninitialized variable in Python

  #11312 closed Nov 16, 2022

• [Java][Files] False positive in CreateFileSinkModels

  #11309 closed Nov 16, 2022

• CodeQL runs failing with link to experimental-atm-queries that are not configured

  #11305 closed Nov 16, 2022

5 Issues opened by 5 people

• Recursive monotonic aggregates related: example provided by official docu is reported as an error "Non-monotonic recursion"

  #11361 opened Nov 22, 2022

• False positive – "Statement has no effect" for Python type hint ellipsis

  #11351 opened Nov 21, 2022

• Example solution for "zip slip" contains a bug

  #11342 opened Nov 21, 2022

• go/ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.ql kind error

  #11324 opened Nov 18, 2022

• CodeQL: False positive for uninitialized variable (via import) in Python

  #11313 opened Nov 16, 2022

37 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• ATM: Implement the current endpoint filters as EndpointCharacteristics

  #11281 commented on Nov 22, 2022 • 65 new comments

• Python: support grouped exceptions

  #11244 commented on Nov 16, 2022 • 17 new comments

• C#: Deprecate hasQualifiedName/1 and prepare for deprecating getQualifiedName/0.

  #11144 commented on Nov 16, 2022 • 15 new comments

• C++: Fix spurious reference flow

  #11254 commented on Nov 22, 2022 • 15 new comments

• Ruby: Add case string comparison barrier guard

  #11114 commented on Nov 21, 2022 • 14 new comments

• Java: Use data extensions for MaD models.

  #11243 commented on Nov 22, 2022 • 14 new comments

• Swift: Unsafe JS Eval Query

  #11001 commented on Nov 21, 2022 • 9 new comments

• Ruby: Document flow summary syntax

  #10899 commented on Nov 21, 2022 • 6 new comments

• Share encryption key sizes across languages

  #11192 commented on Nov 22, 2022 • 5 new comments

• CPP: Add query for CWE-369: Divide By Zero.

  #10431 commented on Nov 22, 2022 • 4 new comments

• Swift: Add Alamofire model to swift/cleartext-transmission

  #11210 commented on Nov 22, 2022 • 4 new comments

• Java: Query for detecting addJavascriptInterface method calls

  #11282 commented on Nov 16, 2022 • 4 new comments

• JS: use the shared regex pack

  #11248 commented on Nov 22, 2022 • 3 new comments

• Java: Android WebView Content Access Query

  #11283 commented on Nov 16, 2022 • 3 new comments

• cpp/uncontrolled-allocation-size - false positive

  #11215 commented on Nov 16, 2022 • 2 new comments

• false positive - cpp/unused-static-function

  #11219 commented on Nov 16, 2022 • 2 new comments

• Java: `Type.getErasure()` erroneously has `Object` as result on some databases

  #11264 commented on Nov 22, 2022 • 2 new comments

• Java: Query to detect Android Webview file access

  #11241 commented on Nov 21, 2022 • 2 new comments

• Enable accelerated go-extractor opt-in using 'go list -deps'

  #11268 commented on Nov 21, 2022 • 2 new comments

• Python: Support more dictionary read/store steps

  #11280 commented on Nov 16, 2022 • 2 new comments

• Python : Improve the PAM authentication bypass query

  #10656 commented on Nov 21, 2022 • 1 new comment

• Java: Add line break sanitizers to java/log-injection

  #10707 commented on Nov 21, 2022 • 1 new comment

• Ruby: add library input as a source for `rb/polynomial-redos`

  #10782 commented on Nov 22, 2022 • 1 new comment

• DO NOT MERGE: Replace AST with IR use-use dataflow

  #10817 commented on Nov 22, 2022 • 1 new comment

• Data flow: Add summary/return context to pruning stages 2-4

  #11087 commented on Nov 20, 2022 • 1 new comment

• Swift: add `String` taint steps

  #11185 commented on Nov 16, 2022 • 1 new comment

• Java: Query for detecting enabling Javascript in Android WebSettings

  #11238 commented on Nov 21, 2022 • 1 new comment

• Issue templates should be made more relevant to people

  #11222 commented on Nov 16, 2022 • 0 new comments

• QL: detect unqueryable code

  #8454 commented on Nov 19, 2022 • 0 new comments

• Data flow: Add synthetic return nodes

  #10906 commented on Nov 16, 2022 • 0 new comments

• C#: Include "phi reads" in `DataFlow::Node`

  #10927 commented on Nov 17, 2022 • 0 new comments

• [Draft] Java: Add Android missing certificate pinning query (CWE-295)

  #10971 commented on Nov 16, 2022 • 0 new comments

• Swift: Add libxml2 sinks to the XXE query

  #11165 commented on Nov 21, 2022 • 0 new comments

• Ruby: add stack-trace exposure query

  #11250 commented on Nov 21, 2022 • 0 new comments

• Dynamic: Merge package and type columns

  #11253 commented on Nov 22, 2022 • 0 new comments

• Kotlin: extract annotations

  #11258 commented on Nov 16, 2022 • 0 new comments

• Swift: Dataflow through ?? and ? :

  #11270 commented on Nov 22, 2022 • 0 new comments