Insights: github/codeql
Overview
35 Pull requests merged by 19 people
-
Python: fix nice locations for import aliases
#13941 merged
Aug 14, 2023 -
Ruby: Improve desugaring of `for` loops
#13937 merged
Aug 14, 2023 -
Ruby: printCfg: only show graph for selected CfgScope
#13334 merged
Aug 14, 2023 -
C++: Fix barriers in invalid pointer deref
#13725 merged
Aug 14, 2023 -
Swift: Correct the behaviour of Type.getName
#13829 merged
Aug 14, 2023 -
C#: Include ASP.NET assemblies in the standalone extraction.
#13876 merged
Aug 14, 2023 -
C#: .NET Runtime path detection (bugfix).
#13952 merged
Aug 14, 2023 -
Post-release preparation for codeql-cli-2.14.2
#13918 merged
Aug 11, 2023 -
Ruby: Add test for documenting missing flow through destructured parameters
#13945 merged
Aug 11, 2023 -
Kotlin: Handle null parent IDs in getFunctionLabel correctly
#13944 merged
Aug 11, 2023 -
Ruby: Fix another bug in `isCapturedAccess`
#13939 merged
Aug 11, 2023 -
Make `CompareIdenticalValues` test work on arm64
#13948 merged
Aug 11, 2023 -
Go: Make flow configurations use new data flow API
#13820 merged
Aug 11, 2023 -
Swift: Models-as-data support for tuple content
#13933 merged
Aug 10, 2023 -
JS: change the defaults in the qhelp for missing-rate-limit to something more reasonable
#13940 merged
Aug 10, 2023 -
Data flow: Fix `localWriteStep` consistency query
#13942 merged
Aug 10, 2023 -
C#: LINQ recommendation queries.
#13885 merged
Aug 10, 2023 -
Swift: Flow sources for UITextInput
#13930 merged
Aug 10, 2023 -
Kotlin: useFunction might return null
#13919 merged
Aug 10, 2023 -
Ruby: Fix bug in `isCapturedAccess`
#13936 merged
Aug 10, 2023 -
C#: Fix bad join order
#13927 merged
Aug 10, 2023 -
Ruby: Track flow from splat arguments to positional parameters
#13878 merged
Aug 10, 2023 -
C++: Only consider the maximum buffer size for badly bounded write
#13929 merged
Aug 10, 2023 -
Python: Aiohttp improvements
#13731 merged
Aug 9, 2023 -
C++: Revert constant bounds for new range analysis
#13931 merged
Aug 9, 2023 -
Go: Bump extractor dependencies
#13923 merged
Aug 9, 2023 -
C++: Fix taint-flow in preparation for frontend upgrade
#13911 merged
Aug 9, 2023 -
Misc: Fixup `accept-expected-changes-from-ci.py`
#13925 merged
Aug 9, 2023 -
Revert "Swift: Route compiler diagnostics through our log."
#13924 merged
Aug 9, 2023 -
C++: Remove unnecessary predicates
#13920 merged
Aug 8, 2023 -
Swift: Flow through ForceValueExpr on LHS of assignment
#13905 merged
Aug 8, 2023 -
Java: Add proper support for variable capture flow.
#13478 merged
Aug 8, 2023 -
Add option to filter automodel queries
#13852 merged
Aug 8, 2023 -
Revert "Swift: Route compiler diagnostics through our log."
#13917 merged
Aug 8, 2023
18 Pull requests opened by 15 people
-
Update CSV framework coverage reports
#13915 opened
Aug 8, 2023 -
Java: limit field flow when tracking regex strings
#13916 opened
Aug 8, 2023 -
Swift: Initial data flow content for dictionaries
#13922 opened
Aug 8, 2023 -
JS: fix crash in case of cyclic alias
#13926 opened
Aug 9, 2023 -
JS: Ignore files larger than 10 MB during extraction
#13928 opened
Aug 9, 2023 -
Java: Add dashes to SHA algorithm names in `Encryption.qll`
#13934 opened
Aug 9, 2023 -
Python: MaD on externals
#13935 opened
Aug 9, 2023 -
More precise flow into splat parameters
#13938 opened
Aug 10, 2023 -
Swift: Update the weak sensitive data hashing examples and qhelp
#13943 opened
Aug 10, 2023 -
Swift: Models and tests for numeric conversions
#13946 opened
Aug 10, 2023 -
Swift: collection/tuple content for dictionary flow
#13947 opened
Aug 10, 2023 -
Go: Improve incorrect integer conversion
#13949 opened
Aug 11, 2023 -
Java: Automodel Application Mode: Add Candidates for Regression Testing
#13954 opened
Aug 14, 2023 -
Ruby: Make type tracking flow-insensitive for captured variables
#13955 opened
Aug 14, 2023 -
C#: Generate source files from cshtml files in standalone
#13957 opened
Aug 14, 2023 -
C++: make cmake generation work with internal rule `cc_binary_add_features`
#13959 opened
Aug 14, 2023 -
Kotlin: Handle Kotlin 2 parents better
#13960 opened
Aug 14, 2023 -
Java: Add JDK17 df-generated summary models
#13962 opened
Aug 14, 2023
6 Issues closed by 6 people
-
Can't skip CodeQL if the status check is set required
#13932 closed
Aug 10, 2023 -
False positive, cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
#13913 closed
Aug 10, 2023 -
Java data flow: Identify side effects on captured variable in lambda callback.
#6906 closed
Aug 9, 2023 -
strange behavior when I use asParameter.
#13921 closed
Aug 9, 2023 -
LGTM.com - false positive in py/reflective-xss
#5129 closed
Aug 9, 2023
2 Issues opened by 2 people
-
Codeql usage under arm architecture
#13953 opened
Aug 14, 2023 -
Customizing CMAKE_CXX_FLAGS is not possible with codeql-cli auto-build
#13950 opened
Aug 12, 2023
35 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Java: automodel application mode: use endpoint class like in framework mode
#13886 commented on
Aug 14, 2023 • 12 new comments -
Swift: Add tests and develop command injection query
#13906 commented on
Aug 14, 2023 • 9 new comments -
ReDoS: escape unicode chars in the output for the ReDoS queries
#13914 commented on
Aug 14, 2023 • 8 new comments -
Ruby: Reimplement flow through captured variables using field flow
#11725 commented on
Aug 14, 2023 • 7 new comments -
Go: Basic Go 1.21 support
#13867 commented on
Aug 11, 2023 • 6 new comments -
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
#13432 commented on
Aug 14, 2023 • 5 new comments -
Python: Flask & Django Constant Secret Key initialization
#13561 commented on
Aug 14, 2023 • 5 new comments -
Python/JavaScript: Shared module for serverless functions
#13729 commented on
Aug 11, 2023 • 5 new comments -
C#: Add integration test for standalone extraction
#13744 commented on
Aug 14, 2023 • 5 new comments -
Ruby: Add Unsafe HMAC Comparison Query.
#13825 commented on
Aug 11, 2023 • 5 new comments -
Swift: Model withUnsafeBytes and similar closure methods
#13827 commented on
Aug 14, 2023 • 5 new comments -
Ruby: Add Improper LDAP Authentication query (CWE-287)
#13313 commented on
Aug 11, 2023 • 4 new comments -
Create separate automodel pack
#13879 commented on
Aug 14, 2023 • 4 new comments -
Python: Include all assignments in data flow paths
#13738 commented on
Aug 11, 2023 • 3 new comments -
Java: Understand multiple parse mode flags specified in a regular expression string
#13778 commented on
Aug 14, 2023 • 3 new comments -
Python: Relax module resolution
#13819 commented on
Aug 14, 2023 • 3 new comments -
Swift: dataflow for `for-in` loops
#13909 commented on
Aug 11, 2023 • 3 new comments -
Swift: Risky or Broken Cryptographic Algorithm Query
#13649 commented on
Aug 10, 2023 • 2 new comments -
Python: Understand multiple parse mode flags specified in a regular expression string
#13779 commented on
Aug 14, 2023 • 2 new comments -
preload tracer sets errno
#13894 commented on
Aug 9, 2023 • 1 new comment -
CodeQL is missing an inline mechanism to suppress warnings
#11427 commented on
Aug 9, 2023 • 1 new comment -
Java: Support for With[out]Element for MaD.
#13546 commented on
Aug 14, 2023 • 1 new comment -
C++: Decompression Bombs
#13560 commented on
Aug 10, 2023 • 1 new comment -
Java: Add Weak Randomness Query (CWE-330/338)
#13608 commented on
Aug 11, 2023 • 1 new comment -
Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer
#13782 commented on
Aug 8, 2023 • 1 new comment -
Go: Fix missing flow through receiver for function variable (try 2)
#13861 commented on
Aug 9, 2023 • 1 new comment -
Database does not contain all the source files
#13875 commented on
Aug 10, 2023 • 0 new comments -
add security-severity score to code scanning query list
#12557 commented on
Aug 9, 2023 • 0 new comments -
Ruby: add seperate additional steps between `YAML.parse*` methods and `to_ruby`
#13431 commented on
Aug 8, 2023 • 0 new comments -
C++: Updates for changes in frontend
#13716 commented on
Aug 9, 2023 • 0 new comments -
Ruby: query to automatically extract type definitions from library code
#13750 commented on
Aug 14, 2023 • 0 new comments -
Python: Add unsafe deserialization sinks (CWE-502)
#13781 commented on
Aug 8, 2023 • 0 new comments -
Swift: 'ParsedSequence' lacks proper types and yields 'Unresolved' AST nodes
#13836 commented on
Aug 14, 2023 • 0 new comments -
Go: Add sanitizer to remove paths passing through http.Error
#13872 commented on
Aug 8, 2023 • 0 new comments -
Swift: CFG test for for-try-await
#13910 commented on
Aug 14, 2023 • 0 new comments