Insights: github/codeql
Overview
36 Pull requests merged by 20 people
-
Java: Add proper support for variable capture flow.
#13478 merged
Aug 8, 2023 -
Add option to filter automodel queries
#13852 merged
Aug 8, 2023 -
Revert "Swift: Route compiler diagnostics through our log."
#13917 merged
Aug 8, 2023 -
Release preparation for version 2.14.2
#13912 merged
Aug 7, 2023 -
Swift: add SetContent for data flow
#13838 merged
Aug 7, 2023 -
C++: Small cleanup of `SsaInternals`
#13907 merged
Aug 7, 2023 -
C++: Constant type-bounds in the new range analysis
#13783 merged
Aug 7, 2023 -
C#: Turn RuntimeVersion into a record type.
#13688 merged
Aug 7, 2023 -
Java: remove duplicate models
#13889 merged
Aug 7, 2023 -
C++: Remove support for `_Float128x` which is not actually supported by gcc
#13887 merged
Aug 7, 2023 -
Java: Fix typo in `StdlibRandomSource::getOutput`
#13899 merged
Aug 7, 2023 -
Data flow: Refactor shared library
#13901 merged
Aug 7, 2023 -
Kotlin: Pass on a parentId and remove some redundant braces
#13837 merged
Aug 7, 2023 -
Java: Threat Models
#13506 merged
Aug 7, 2023 -
Revert "Swift: Pragmatic fix for CustomUrlSchemes.qll."
#13888 merged
Aug 7, 2023 -
Bump regex from 1.9.1 to 1.9.3 in /ql
#13898 merged
Aug 7, 2023 -
DataFlow: Support stateless `isSink` in `StateConfigSig`s
#13851 merged
Aug 4, 2023 -
Swift: Route compiler diagnostics through our log.
#13869 merged
Aug 4, 2023 -
Java: Experimental version of Java Command Injection query
#13484 merged
Aug 4, 2023 -
C#: Use stubs for query tests.
#13522 merged
Aug 4, 2023 -
C++: Add a type-based `SemReason`.
#13880 merged
Aug 4, 2023 -
C++: Add test for `__declspec` attribute on a global variable
#13884 merged
Aug 4, 2023 -
Convert shared CFG construction library to a parameterized module
#13509 merged
Aug 3, 2023 -
C++: Improve the QL doc of `isConstant`
#13877 merged
Aug 3, 2023 -
Swift: properly identify types and declarations in trap files via mangling
#12433 merged
Aug 3, 2023 -
C++: Improve use-after-free example code
#13874 merged
Aug 3, 2023 -
Merge `rc/3.10` into `main`
#13871 merged
Aug 3, 2023 -
C++: Add semantic range analysis test as IR test
#13873 merged
Aug 3, 2023 -
Don't treat logrus' WithContext method as a logging function
#13835 merged
Aug 3, 2023 -
JavaScript: Improve qhelp for js/server-crash.
#13755 merged
Aug 3, 2023 -
Dynamic: add Fuzzy token
#13737 merged
Aug 3, 2023 -
Swift: add DataFlow::Content for arrays
#13741 merged
Aug 2, 2023 -
Go: Avoid using getTarget() as it may not exist
#13785 merged
Aug 2, 2023 -
Dataflow: Move the shared library to a properly shared qlpack.
#13863 merged
Aug 2, 2023 -
Swift: SubExpr may yield unresolved nodes in certain cases while MatchedExpr is always resolved
#13857 merged
Aug 2, 2023 -
Update supported frameworks
#13840 merged
Aug 1, 2023
26 Pull requests opened by 18 people
-
Go: Support Go 1.21
#13867 opened
Aug 2, 2023 -
Swift: CommonCrypto test cases for the BrokenCryptoAlgorithm query
#13870 opened
Aug 2, 2023 -
Go: Add sanitizer to remove paths passing through http.Error
#13872 opened
Aug 3, 2023 -
C#: Include ASP.NET assemblies in the standalone extraction.
#13876 opened
Aug 3, 2023 -
Ruby: Track flow from splat arguments to positional parameters
#13878 opened
Aug 3, 2023 -
Create separate automodel pack
#13879 opened
Aug 3, 2023 -
Introduce shared taint tracking library
#13881 opened
Aug 3, 2023 -
[Draft] [C#] Add query for Insecure Direct Object Reference
#13882 opened
Aug 3, 2023 -
C#: LINQ recommendation queries.
#13885 opened
Aug 4, 2023 -
Java: automodel application mode: use endpoint class like in framework mode
#13886 opened
Aug 4, 2023 -
C++: Add a predicate for getting dataflow nodes whose value has been constant folded
#13895 opened
Aug 6, 2023 -
Java: Improve `JaxWsEndpoint::getARemoteMethod`
#13900 opened
Aug 7, 2023 -
Java: New models for JAX-RS
#13903 opened
Aug 7, 2023 -
JS: Fix a bug caused by capture nodes not being SourceNodes
#13904 opened
Aug 7, 2023 -
Swift: Flow through ForceValueExpr on LHS of assignment
#13905 opened
Aug 7, 2023 -
Swift: Add tests and develop command injection query
#13906 opened
Aug 7, 2023 -
Swift: dataflow for `for-in` loops
#13909 opened
Aug 7, 2023 -
Swift: CFG test for for-try-await
#13910 opened
Aug 7, 2023 -
C++: Fix taint-flow in preparation for frontend upgrade
#13911 opened
Aug 7, 2023 -
ReDoS: escape unicode chars in the output for the ReDoS queries
#13914 opened
Aug 7, 2023 -
Update CSV framework coverage reports
#13915 opened
Aug 8, 2023 -
Java: limit field flow when tracking regex strings
#13916 opened
Aug 8, 2023 -
Post-release preparation for codeql-cli-2.14.2
#13918 opened
Aug 8, 2023 -
Kotlin: useFunction might return null
#13919 opened
Aug 8, 2023 -
C++: Remove unnecessary predicates
#13920 opened
Aug 8, 2023
2 Issues closed by 2 people
-
UseAfterFree.ql miss case 00
#13896 closed
Aug 7, 2023 -
False positive: passing context with credentials to logrus
#13828 closed
Aug 3, 2023
7 Issues opened by 6 people
-
strange behavior when I use asParameter.
#13921 opened
Aug 8, 2023 -
False positive, cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
#13913 opened
Aug 7, 2023 -
UseAfterFree.ql miss case 01
#13897 opened
Aug 7, 2023 -
preload tracer sets errno
#13894 opened
Aug 5, 2023 -
Database does not contain all the source files
#13875 opened
Aug 3, 2023 -
Release preparation commits show "invalid-email-address" on GitHub
#13868 opened
Aug 2, 2023 -
False positive: Cyclic import in Python
#13866 opened
Aug 2, 2023
31 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Java: Add Weak Randomness Query (CWE-330/338)
#13608 commented on
Aug 7, 2023 • 23 new comments -
Java: Support for With[out]Element for MaD.
#13546 commented on
Aug 8, 2023 • 18 new comments -
Go: Make flow configurations use new data flow API
#13820 commented on
Aug 7, 2023 • 14 new comments -
Ruby: Add Improper LDAP Authentication query (CWE-287)
#13313 commented on
Aug 4, 2023 • 12 new comments -
Java: Trust Boundary Violation Query
#13413 commented on
Aug 7, 2023 • 10 new comments -
Swift: Correct the behaviour of Type.getName
#13829 commented on
Aug 7, 2023 • 8 new comments -
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
#13432 commented on
Aug 8, 2023 • 6 new comments -
Swift: Risky or Broken Cryptographic Algorithm Query
#13649 commented on
Aug 7, 2023 • 6 new comments -
JS: [WIP] Add `dot.js` support
#13624 commented on
Aug 4, 2023 • 5 new comments -
C++: Fix barriers in invalid pointer deref
#13725 commented on
Aug 7, 2023 • 5 new comments -
Error downloading packs with corporate certificate in chain
#13132 commented on
Aug 4, 2023 • 2 new comments -
Ruby: Reimplement flow through captured variables using field flow
#11725 commented on
Aug 4, 2023 • 1 new comment -
Ruby: add separate additional steps between `YAML.parse*` methods and `to_ruby`
#13431 commented on
Aug 7, 2023 • 1 new comment -
Go: Decompression Bombs
#13553 commented on
Aug 5, 2023 • 1 new comment -
Java: Understand multiple parse mode flags specified in a regular expression string
#13778 commented on
Aug 7, 2023 • 1 new comment -
Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer
#13782 commented on
Aug 8, 2023 • 1 new comment -
Swift: Model withUnsafeBytes and similar closure methods
#13827 commented on
Aug 8, 2023 • 1 new comment -
Java: Update Encryption.qll in line with NIST.SP.800-131Ar2
#13830 commented on
Aug 3, 2023 • 1 new comment -
DO NOT MERGE: C++: Replace simple range analysis uses by semantic range analysis uses
#12505 commented on
Aug 6, 2023 • 0 new comments -
add security-severity score to code scanning query list
#12557 commented on
Aug 8, 2023 • 0 new comments -
Ruby: printCfg: only show graph for selected CfgScope
#13334 commented on
Aug 3, 2023 • 0 new comments -
C#: Adopt shared CFG construction library from shared `controlflow` pack
#13595 commented on
Aug 4, 2023 • 0 new comments -
JS/RB: write qhelp for `incomplete-multi-character-sanitization`
#13641 commented on
Aug 7, 2023 • 0 new comments -
C++: Updates for changes in frontend
#13716 commented on
Aug 8, 2023 • 0 new comments -
Python/JavaScript: Shared module for serverless functions
#13729 commented on
Aug 7, 2023 • 0 new comments -
Python: Aiohttp improvements
#13731 commented on
Aug 8, 2023 • 0 new comments -
Python: Add unsafe deserialization sinks (CWE-502)
#13781 commented on
Aug 8, 2023 • 0 new comments -
Python: Relax module resolution
#13819 commented on
Aug 8, 2023 • 0 new comments -
Swift: 'ParsedSequence' lacks proper types and yields 'Unresolved' AST nodes
#13836 commented on
Aug 8, 2023 • 0 new comments -
Go: Fix missing flow through receiver for function variable (try 2)
#13861 commented on
Aug 2, 2023 • 0 new comments -
Java: Expose the MaD documentation in the TOC for CodeQL Java
#13864 commented on
Aug 2, 2023 • 0 new comments