36 Pull requests merged by 19 people

• JS: tolerate out of order requests in TypeScript extractor

  #14167 merged Sep 8, 2023

• C++: Fix dataflow out of post update nodes

  #14171 merged Sep 8, 2023

• Go: Add diagnostic for 1.21 `toolchain` error

  #14161 merged Sep 8, 2023

• Java: Automodel App Mode Extraction: Source Candidates

  #14162 merged Sep 8, 2023

• Revert "C#: Bump all dependencies"

  #14169 merged Sep 8, 2023

• C#: Remove test explorer recommendations (superseded by C# dev kit)

  #14168 merged Sep 8, 2023

• C#: Clear TRAP stack when calling `PopulateGenerics`

  #14149 merged Sep 8, 2023

• Bump chrono from 0.4.29 to 0.4.30 in /ql

  #14166 merged Sep 8, 2023

• Swift: collection/tuple content for dictionary flow

  #13947 merged Sep 7, 2023

• C++: Fix off-by-one in `asDefiningArgument`

  #14154 merged Sep 7, 2023

• Py: add new qhelp for clear-text-logging

  #14160 merged Sep 7, 2023

• CPP: Make functions that reach the end return.

  #14155 merged Sep 7, 2023

• C# Standalone: Install .NET SDK specified in `global.json`

  #13999 merged Sep 7, 2023

• Python: Support for command injection sinks found in the `asyncio` module

  #14145 merged Sep 7, 2023

• Python: Fix typo in SSRF example

  #14158 merged Sep 7, 2023

• Revert "C#: Bump all dependencies"

  #14153 merged Sep 6, 2023

• Swift: add queries for unresolved AST nodes

  #14141 merged Sep 6, 2023

• C#: Update extractor_messages relation schema.

  #14097 merged Sep 6, 2023

• Bump actions/checkout from 2 to 4

  #14137 merged Sep 6, 2023

• C#: Fix logic for flow into property writes

  #14132 merged Sep 6, 2023

• Bump chrono from 0.4.28 to 0.4.29 in /ql

  #14148 merged Sep 6, 2023

• Release preparation for version 2.14.4

  #14147 merged Sep 5, 2023

• CPP: Handle globals flowing into "UnreacheachedInstruction"

  #14143 merged Sep 5, 2023

• C#: Exclude base type extraction of recursive generics

  #14101 merged Sep 5, 2023

• Ruby: Use proper `PathGraph` module in inline flow tests

  #14133 merged Sep 5, 2023

• Python: Use new dataflow API

  #14068 merged Sep 4, 2023

• Ruby: Hide desugared assignments from data flow path graph

  #14109 merged Sep 4, 2023

• Java: Delete java test query which fails to compile

  #14117 merged Sep 4, 2023

• Ruby: Add Unsafe HMAC Comparison Query.

  #13825 merged Sep 4, 2023

• Kotlin: Write usesK2 ("uses Kotlin 2") information to the database

  #14018 merged Sep 4, 2023

• Go: Add sanitizer to remove paths passing through http.Error

  #13872 merged Sep 4, 2023

• Kotlin: Make it possible to build with master

  #14118 merged Sep 4, 2023

• Swift: fix SequenceExpr extraction

  #14119 merged Sep 4, 2023

• Swift: rename autobuilder. NFC

  #14106 merged Sep 4, 2023

• Misc: Fixup for `accept-expected-changes-from-ci.py`

  #14130 merged Sep 4, 2023

• Bump regex from 1.9.3 to 1.9.5 in /ql

  #14129 merged Sep 4, 2023

18 Pull requests opened by 13 people

• Go: fasthttp

  #14123 opened Sep 2, 2023

• Ruby: Use the new dataflow API for checked in queries

  #14124 opened Sep 3, 2023

• Java: Fix alert message

  #14126 opened Sep 3, 2023

• Java: Convert implementations of `LocalUserInput` to Models-as-Data

  #14127 opened Sep 4, 2023

• Docs: fix minor typos

  #14131 opened Sep 4, 2023

• C++: Copy the Coding Standards' use-after-lifetime-ended query to Experimental

  #14134 opened Sep 4, 2023

• C++: Update for changes in frontend.

  #14135 opened Sep 4, 2023

• C#: Re-factor Dotnet.cs to enable unit testing.

  #14142 opened Sep 5, 2023

• Kotlin: Give some more informative errors messages

  #14144 opened Sep 5, 2023

• C#: Explicitly quote arguments in the LUA tracer on windows.

  #14150 opened Sep 6, 2023

• C++: Deduplicate dataflow query results

  #14151 opened Sep 6, 2023

• Bump actions/checkout from 3 to 4

  #14157 opened Sep 7, 2023

• C#: Also execute dotnet test integration tests on windows.

  #14163 opened Sep 7, 2023

• C++: Fix more FPs in `cpp/invalid-pointer-deref`

  #14164 opened Sep 7, 2023

• Swift: flow through writeable keypaths

  #14165 opened Sep 7, 2023

• C#: Exclude CIL arguments from `ArgumentNode` when they are compiled from source

  #14170 opened Sep 8, 2023

• C#: Poor mans quoting.

  #14172 opened Sep 8, 2023

• Post-release preparation for codeql-cli-2.14.4

  #14174 opened Sep 8, 2023

7 Issues opened by 7 people

• <!-- MODIFIED_CONTENT_LINKING_COMMENT -->

  #14176 opened Sep 9, 2023

• The alarm statement caused by the failure of the qls file disappears.

  #14175 opened Sep 9, 2023

• False positive - when json.Marshal output is used - cant result in "Potentially unsafe quoting"

  #14159 opened Sep 7, 2023

• CodeQL does not detect SSL certificate validation vulnerabilities in Apache HttpComponents

  #14156 opened Sep 6, 2023

• SIGSEGV (code 134) during "Finalizing database" step

  #14138 opened Sep 5, 2023

• Incorrect escaping of SARIF message.text

  #14128 opened Sep 4, 2023

• Size of CodeQL binary distribution has almost trippled since 2021

  #14125 opened Sep 3, 2023

32 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Convert `SensitiveApi.qll` to use Models-as-Data

  #13978 commented on Sep 5, 2023 • 13 new comments

• C#: Avoid explicitly restoring projects in solution files.

  #14111 commented on Sep 6, 2023 • 11 new comments

• Dataflow: Add type-based call-edge pruning.

  #13982 commented on Sep 8, 2023 • 5 new comments

• CPP: Remove sucessors of non-returning IR calls transitively.

  #14102 commented on Sep 8, 2023 • 5 new comments

• go 1.21 support

  #13992 commented on Sep 8, 2023 • 4 new comments

• Ruby: More splat flow (alternative)

  #14090 commented on Sep 8, 2023 • 4 new comments

• Ruby: Reimplement flow through captured variables using field flow

  #11725 commented on Sep 7, 2023 • 3 new comments

• Go: Decompression Bombs

  #13553 commented on Sep 7, 2023 • 2 new comments

• JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.

  #13771 commented on Sep 8, 2023 • 2 new comments

• Java: Add JDK17 df-generated summary models

  #13962 commented on Sep 6, 2023 • 2 new comments

• Go: Add JWT Algorithm Confusion and JWT decoding without Signature Verification

  #14081 commented on Sep 5, 2023 • 2 new comments

• Download GitHub database: fix `gh` invocation

  #10923 commented on Sep 6, 2023 • 1 new comment

• Ruby: add seperate additional steps between `YAML.parse*` methods and `to_ruby`

  #13431 commented on Sep 5, 2023 • 1 new comment

• Java: Understand multiple parse mode flags specified in a regular expression string

  #13778 commented on Sep 8, 2023 • 1 new comment

• Python: Add unsafe deserialization sinks (CWE-502)

  #13781 commented on Sep 6, 2023 • 1 new comment

• Python: promote nosql query

  #14070 commented on Sep 8, 2023 • 1 new comment

• Swift: use shared capture flow library

  #14078 commented on Sep 5, 2023 • 1 new comment

• Java: Add support for data flow through thrown exceptions.

  #9914 commented on Sep 5, 2023 • 0 new comments

• Ruby: Allow for implicit array reads at all sinks during taint tracking

  #12672 commented on Sep 6, 2023 • 0 new comments

• Java: Decompression Bombs

  #13555 commented on Sep 5, 2023 • 0 new comments

• Ruby: Decompression Bombs

  #13556 commented on Sep 7, 2023 • 0 new comments

• Python: Decompression Bombs

  #13557 commented on Sep 7, 2023 • 0 new comments

• C#: Decompression Bombs

  #13558 commented on Sep 6, 2023 • 0 new comments

• Swift: dataflow for `for-in` loops

  #13909 commented on Sep 8, 2023 • 0 new comments

• Ruby: JWT Security Queries (CWE-347)

  #14061 commented on Sep 4, 2023 • 0 new comments

• Update CSV framework coverage reports

  #14063 commented on Sep 9, 2023 • 0 new comments

• Go: New File System Access Sinks

  #14064 commented on Sep 4, 2023 • 0 new comments

• C#: Roslyn-based stub generation

  #14095 commented on Sep 8, 2023 • 0 new comments

• Data flow: Add another consistency check

  #14108 commented on Sep 8, 2023 • 0 new comments

• Py: add sanitizer guard for `url_has_allowed_host_and_scheme`

  #14112 commented on Sep 4, 2023 • 0 new comments

• Python: Allow namespace packages

  #14114 commented on Sep 8, 2023 • 0 new comments

• Dynamic: add TypeModel.isTypeUsed

  #14120 commented on Sep 6, 2023 • 0 new comments