Insights: github/codeql
Overview
46 Pull requests merged by 23 people
-
Java: Use nested names in MaD signatures.
#14032 merged
Aug 24, 2023 -
Java: Improve `JaxWsEndpoint::getARemoteMethod`
#13900 merged
Aug 24, 2023 -
ReDoS: limit concretize to strings of at most length 100
#14027 merged
Aug 24, 2023 -
Data flow: Use call contexts in stage 3
#14026 merged
Aug 24, 2023 -
Java: New models for JAX-RS
#13903 merged
Aug 24, 2023 -
C++: Add IR test case that shows regression after frontend update
#14043 merged
Aug 24, 2023 -
Swift: teach autobuilder about SPM, CocoaPods, and Carthage
#13979 merged
Aug 24, 2023 -
Shared extractor: support file path globs
#13969 merged
Aug 23, 2023 -
CPP: Convert SQL tainted away from DefaultTaintTracking.
#13985 merged
Aug 23, 2023 -
Python: Fix tests
#14037 merged
Aug 23, 2023 -
JS: Follow immediate predecessors in path resolution
#14007 merged
Aug 23, 2023 -
Ruby: Fix bug in excon model
#14033 merged
Aug 23, 2023 -
JS: Ignore files larger than 10 MB during extraction
#13928 merged
Aug 23, 2023 -
JS: fix crash in case of cyclic alias
#13926 merged
Aug 23, 2023 -
C#: Exclude dll files when getting files in the dependency manager.
#14019 merged
Aug 23, 2023 -
Java: Add XXE sinks for MDHT
#13773 merged
Aug 23, 2023 -
Ruby: Update test fixture
#14031 merged
Aug 23, 2023 -
Ruby: Remove isSplatAll
#13967 merged
Aug 23, 2023 -
C#: Fix lazy evaluation of not yet downloaded packages
#14020 merged
Aug 23, 2023 -
C++: Add `cpp/non-constant-format` test
#14021 merged
Aug 22, 2023 -
Swift: flow through keypath optional components
#14014 merged
Aug 22, 2023 -
C#: Generate source files from cshtml files in standalone
#13957 merged
Aug 22, 2023 -
C#: Update of VS Code settings.
#14015 merged
Aug 22, 2023 -
C#: Respect `$CODEQL_THREADS` environment variable
#14016 merged
Aug 22, 2023 -
Python: Include all assignments in data flow paths
#13738 merged
Aug 22, 2023 -
C#: Re-factor order of usings.
#13995 merged
Aug 22, 2023 -
Ruby: Include more (hash) splat flow in type tracking
#13997 merged
Aug 22, 2023 -
Java: add sanitizer to command injection query
#14012 merged
Aug 22, 2023 -
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
#13432 merged
Aug 22, 2023 -
Clarify system requirements for TypeScript extraction
#14001 merged
Aug 22, 2023 -
C#: Add "c#" alias to language pack
#14010 merged
Aug 21, 2023 -
Revert "Swift: use C++20 constraints and concepts to simplify code"
#14011 merged
Aug 21, 2023 -
Swift: use C++20 constraints and concepts to simplify code
#13991 merged
Aug 21, 2023 -
Data flow: Earlier call-context based dispatch filtering
#13983 merged
Aug 21, 2023 -
Introduce shared taint tracking library
#13881 merged
Aug 21, 2023 -
Python: Flask & Django Constant Secret Key initialization
#13561 merged
Aug 21, 2023 -
Update CSV framework coverage reports
#14003 merged
Aug 21, 2023 -
C#: Re-factor dependency fetching into a separate project.
#13986 merged
Aug 21, 2023 -
Release preparation for version 2.14.3
#13998 merged
Aug 18, 2023 -
Java: Trust Boundary Violation Query
#13413 merged
Aug 18, 2023 -
Go: Basic Go 1.21 support
#13867 merged
Aug 18, 2023 -
C++: Accept regression in test after evaluator fix
#13996 merged
Aug 18, 2023 -
Ruby: More precise flow into splat parameters
#13938 merged
Aug 18, 2023 -
Java: limit field flow when tracking regex strings
#13916 merged
Aug 18, 2023 -
Java: Add dashes to SHA algorithm names in `Encryption.qll`
#13934 merged
Aug 17, 2023 -
Swift: fix version check macro to be lexicographic
#13988 merged
Aug 17, 2023
23 Pull requests opened by 15 people
-
Python: Port old experimental points-to based queries
#13990 opened
Aug 17, 2023 -
C# Standalone: Install .NET SDK specified in `global.json`
#13999 opened
Aug 18, 2023 -
C++: Promote `cpp/invalid-pointer-deref` out of experimental
#14006 opened
Aug 21, 2023 -
C++: Reuse even more `DataFlow::Node`s
#14008 opened
Aug 21, 2023 -
python: allow namespace packages as packages
#14009 opened
Aug 21, 2023 -
CPP: Only taint argv indirections
#14013 opened
Aug 21, 2023 -
TEST do not merge
#14017 opened
Aug 22, 2023 -
Kotlin: Write usesK2 information to the database
#14018 opened
Aug 22, 2023 -
Swift: extract `nextCall` from `ForEachStmt`
#14023 opened
Aug 22, 2023 -
C#: Fetch FileInfo fewer times and make file info dependencies more transparent in the code.
#14028 opened
Aug 23, 2023 -
Java: Add new Apache CXF models
#14029 opened
Aug 23, 2023 -
Java: Add new Apache CXF generated models
#14030 opened
Aug 23, 2023 -
Swift: New query: Incomplete regular expression for hostnames
#14034 opened
Aug 23, 2023 -
Variable capture: synchronize with aliases in nested scopes
#14035 opened
Aug 23, 2023 -
Swift: Additional dataflow test
#14036 opened
Aug 23, 2023 -
CPP: Add Delete[] calls to the IR.
#14038 opened
Aug 23, 2023 -
C++: Omit assign case from `cpp/non-constant-format`
#14039 opened
Aug 23, 2023 -
Java: Weak Cryptographic Algorithm from `.properties` files
#14040 opened
Aug 23, 2023 -
Swift: Use shared control flow graph library
#14044 opened
Aug 24, 2023 -
C#: Favor DLLs with most recent .NET Core target framework when resolving dependencies in standalone
#14045 opened
Aug 24, 2023 -
Data flow: Fix a bad join order
#14047 opened
Aug 24, 2023 -
Variable capture: allow arbitrary data-flow nodes to be the source of a write
#14048 opened
Aug 24, 2023 -
Kotlin: We now support 1.9.10
#14049 opened
Aug 24, 2023
5 Issues closed by 4 people
-
Tree-Sitter Shared Extractor doesn't support extension-less files
#13964 closed
Aug 23, 2023 -
Could `CallInstruction` get virtual function target?
#14005 closed
Aug 23, 2023 -
Question about connecting taint flows
#13765 closed
Aug 21, 2023 -
`codeql query run` and `codeql database analyze` produce different results
#14002 closed
Aug 21, 2023 -
Incorrect value of string literals
#13993 closed
Aug 21, 2023
8 Issues opened by 7 people
-
Extend Kotlin support to version 1.9.10
#14046 opened
Aug 24, 2023 -
How to Reason about Merged Taints?
#14042 opened
Aug 23, 2023 -
Predicate to catch a load in C/C++?
#14025 opened
Aug 22, 2023 -
False positive for blank space characters
#14022 opened
Aug 22, 2023 -
Question: Extending Query (UnsafeDeserialization.ql) for CWE-502
#14004 opened
Aug 19, 2023 -
CodeQL for php
#14000 opened
Aug 18, 2023 -
C++ extractor fails to process code based on Unreal Engine
#13994 opened
Aug 18, 2023 -
go 1.21 support
#13992 opened
Aug 17, 2023
25 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
C#: Add query for Insecure Direct Object Reference
#13882 commented on
Aug 24, 2023 • 22 new comments -
Java: Convert `SensitiveApi.qll` to use Models-as-Data
#13978 commented on
Aug 24, 2023 • 10 new comments -
JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.
#13771 commented on
Aug 23, 2023 • 9 new comments -
Java: Understand multiple parse mode flags specified in a regular expression string
#13778 commented on
Aug 24, 2023 • 6 new comments -
codeql won't work with chromium special file
#13849 commented on
Aug 23, 2023 • 3 new comments -
Python: Add dataflow consistency query
#8457 commented on
Aug 24, 2023 • 3 new comments -
Ruby: add separate additional steps between `YAML.parse*` methods and `to_ruby`
#13431 commented on
Aug 24, 2023 • 3 new comments -
Swift: Model withUnsafeBytes and similar closure methods
#13827 commented on
Aug 22, 2023 • 3 new comments -
Swift: collection/tuple content for dictionary flow
#13947 commented on
Aug 22, 2023 • 3 new comments -
Support new React directives
#13296 commented on
Aug 23, 2023 • 2 new comments -
Ruby: Add Improper LDAP Authentication query (CWE-287)
#13313 commented on
Aug 22, 2023 • 2 new comments -
Create separate automodel pack
#13879 commented on
Aug 22, 2023 • 2 new comments -
Java: Automodel Application Mode: Add Candidates for Regression Testing
#13954 commented on
Aug 23, 2023 • 2 new comments -
False positive, cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
#13913 commented on
Aug 18, 2023 • 1 new comment -
Query help files should be identified and processed when executing codeql pack create
#13609 commented on
Aug 18, 2023 • 1 new comment -
Python: Understand multiple parse mode flags specified in a regular expression string
#13779 commented on
Aug 24, 2023 • 1 new comment -
Swift: dataflow for `for-in` loops
#13909 commented on
Aug 17, 2023 • 1 new comment -
Swift: Update the weak sensitive data hashing examples and qhelp
#13943 commented on
Aug 21, 2023 • 1 new comment -
Python: parse mode chars should not be considered chars
#13975 commented on
Aug 24, 2023 • 1 new comment -
Ruby: Reimplement flow through captured variables using field flow
#11725 commented on
Aug 24, 2023 • 0 new comments -
JS: Move Directive subclasses into module and support "use client/server"
#13303 commented on
Aug 23, 2023 • 0 new comments -
[Python] Configuration Injection query
#13640 commented on
Aug 21, 2023 • 0 new comments -
C++: Updates for changes in frontend
#13716 commented on
Aug 23, 2023 • 0 new comments -
Ruby: query to automatically extract type definitions from library code
#13750 commented on
Aug 21, 2023 • 0 new comments -
Ruby: Model more flow from splat arguments
#13974 commented on
Aug 24, 2023 • 0 new comments