30 Pull requests merged by 20 people

• Update CSV framework coverage reports

  #15545 merged Feb 8, 2024

• C# Add missing Windows Forms implicit usings

  #15535 merged Feb 8, 2024

• Add supported build modes to extractor metadata

  #15532 merged Feb 7, 2024

• Added model for gettext variants.

  #15513 merged Feb 7, 2024

• C++: Fix IR generation when `ConditionDeclExpr` does not have an immediate `VariableAccess`

  #15539 merged Feb 7, 2024

• C++: Also clear the `0`'th argument of `swap`

  #15537 merged Feb 7, 2024

• C++: Add an interface for models to block flow

  #15528 merged Feb 7, 2024

• Bump the extractor-dependencies group in /go/extractor with 1 update

  #15534 merged Feb 7, 2024

• C#: Add summaries for Span<T> and ReadOnlySpan<T>.

  #15459 merged Feb 7, 2024

• C#: Extract dependency restore telemetry data

  #15518 merged Feb 7, 2024

• C++: Delete unused IR predicate

  #15529 merged Feb 6, 2024

• Java: fix typo in JndiInjection.qhelp

  #15526 merged Feb 6, 2024

• Release preparation for version 2.16.2

  #15522 merged Feb 6, 2024

• Ruby: Add query for access paths in model editor

  #15503 merged Feb 6, 2024

• False positive in SensitiveDataHeuristics - exclude certification from maybeCertificate() regex

  #15480 merged Feb 6, 2024

• Java: Add query for sensitive data exposed in text fields

  #15396 merged Feb 5, 2024

• Update CSV framework coverage reports

  #15517 merged Feb 5, 2024

• Kotlin: Add path transformer support

  #15477 merged Feb 2, 2024

• C++: Add PreprocBlock.qll library

  #15476 merged Feb 2, 2024

• Automodel: Do not consider `@FunctionalInterface`-typed expressions as candidates.

  #15499 merged Feb 2, 2024

• C++: Block summary flow through `strdup` and friends

  #15504 merged Feb 2, 2024

• Java: Remove two redundant models implied by CharSequence models.

  #15511 merged Feb 2, 2024

• C#: Inter-procedural dataflow for `ref` structs when used as arguments.

  #15502 merged Feb 2, 2024

• C#: Disable msbuild node reuse in dependency fetcher

  #15509 merged Feb 2, 2024

• C++: Ensure that only one Function exists for every function - take 2

  #15421 merged Feb 2, 2024

• C#: Improve messages in buildless extraction logs

  #15505 merged Feb 2, 2024

• Go: Include versions in newer Go version needed diagnostic

  #15492 merged Feb 1, 2024

• Ruby: Add another dataflow test

  #15498 merged Feb 1, 2024

• Updated dotnet version to 8.0.101

  #15475 merged Feb 1, 2024

• C#: Fix extraction of qualified delegate calls

  #15484 merged Feb 1, 2024

20 Pull requests opened by 16 people

• DO NOT MERGE. Bump automodel query pack version for release kaspersv/automodel-pack-publisher-7739955510-dryrun

  #15500 opened Feb 1, 2024

• Dataflow: Support alert provenance

  #15501 opened Feb 1, 2024

• C++: Add implicit destructors for named variables to the IR

  #15506 opened Feb 1, 2024

• Shared: fix a bug in stateful outbarriers

  #15507 opened Feb 1, 2024

• JS: Add support for TS 5.4-beta

  #15510 opened Feb 2, 2024

• Bump org.springframework:spring-context from 5.3.18 to 5.3.19 in /java/ql/test/utils/flowtestcasegenerator

  #15515 opened Feb 2, 2024

• C++: Change sources in `NonConstantFormat.ql`

  #15516 opened Feb 2, 2024

• C#: Improve the `cs/path-injection` QHelp

  #15519 opened Feb 5, 2024

• Ruby: Recognise raw Erb output as XSS sink

  #15520 opened Feb 5, 2024

• Ruby: Recognise more ActiveRecord connections

  #15521 opened Feb 5, 2024

• JS: exclude tagged template literals from `js/superfluous-trailing-arguments`

  #15523 opened Feb 6, 2024

• Ruby: Add some more command injection sinks

  #15524 opened Feb 6, 2024

• Go: Promote `go/hardcoded-key` from experimental

  #15527 opened Feb 6, 2024

• Post-release preparation for codeql-cli-2.16.2

  #15531 opened Feb 6, 2024

• Reduce severity of `java/relative-path-command`

  #15533 opened Feb 6, 2024

• Bazel/CMake: auto detect all `cc_binary`/`cc_test` targets

  #15536 opened Feb 7, 2024

• Capture flow: Take overwrites in nested scopes into account

  #15540 opened Feb 7, 2024

• Ruby: Remove `ReturnValue` as access path for constructors

  #15541 opened Feb 7, 2024

• C#: Try resolve relative paths in line mappings

  #15542 opened Feb 7, 2024

• Kotlin 2: Some test fixes

  #15544 opened Feb 7, 2024

8 Issues closed by 7 people

• eliminate GuardConditions that are part of Assertions in cpp

  #15512 closed Feb 7, 2024

• When I run database analyse for cpp, the exported sarif is empty while bqrs contains many warnings

  #15514 closed Feb 6, 2024

• Test extraction for maven project fails

  #15422 closed Feb 6, 2024

• False positive: Certification should not match maybeCertificate()

  #15478 closed Feb 6, 2024

• Python extractor failure when Python 3.6 is used

  #15337 closed Feb 5, 2024

• cpp query does not stop

  #15442 closed Feb 2, 2024

• Kotlin Extractor does not respect SEMMLE_PATH_TRANSFORMER for Source Files

  #15382 closed Feb 2, 2024

• C++ Function Call to Undefined Function

  #9799 closed Feb 2, 2024

4 Issues opened by 4 people

• General issue [cpp] Bug when using Macro in query

  #15538 opened Feb 7, 2024

• cpp - compiler support

  #15530 opened Feb 6, 2024

• Shadowing happens when overriding method

  #15525 opened Feb 6, 2024

• SARIF produced in `csharp` scan contains `NaN` values

  #15508 opened Feb 2, 2024

31 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Update MaD Declarations after Triage

  #15486 commented on Feb 7, 2024 • 31 new comments

• Declare permissions

  #15493 commented on Feb 8, 2024 • 22 new comments

• Tree-sitter extractors: use fresh IDs for locations

  #15496 commented on Feb 2, 2024 • 7 new comments

• Ruby: add docs for customizing library models with data extensions

  #15488 commented on Feb 7, 2024 • 7 new comments

• C++: Implement models-as-data

  #15371 commented on Feb 7, 2024 • 7 new comments

• Go: Update autobuilder to deal with the upcoming deprecation of the legacy GOPATH mode

  #15361 commented on Feb 2, 2024 • 5 new comments

• False positive - "zx" npm package usage is mistakenly detected as jQuery usage

  #15286 commented on Feb 6, 2024 • 4 new comments

• Python: add models for `stdlib`

  #15306 commented on Feb 6, 2024 • 3 new comments

• Swift: Add Unsafe Unpacking Query (CWE-022)

  #14888 commented on Feb 7, 2024 • 2 new comments

• Java: Extend JAXB.qll to cover Jakarta XML Binding

  #4840 commented on Feb 1, 2024 • 2 new comments

• explicit java Function<X,Y> implementation is not tainted?

  #15494 commented on Feb 1, 2024 • 1 new comment

• Java: Add query for insecure local authentication

  #15481 commented on Feb 2, 2024 • 1 new comment

• C#: Refactor C# queries to use `ThreatModelFlowSource` instead of `RemoteFlowSource`

  #15419 commented on Feb 5, 2024 • 1 new comment

• General issue - CodeQL exiting with exit code 2

  #14866 commented on Feb 6, 2024 • 1 new comment

• Wrong Pointer Size in Database for Chromium

  #14914 commented on Feb 7, 2024 • 1 new comment

• Java ExceptionInInitializerError - com.sun.tools.javac.code.TypeTags

  #7535 commented on Feb 8, 2024 • 1 new comment

• Java: QL Query to Detect Security Sensitive non-CSPRNG usage

  #2694 commented on Feb 6, 2024 • 1 new comment

• JS: Web Cache Deception Express

  #15180 commented on Feb 1, 2024 • 0 new comments

• C++: Accept test changes after frontend upgrade

  #15213 commented on Feb 7, 2024 • 0 new comments

• C# WIP: Change pre-finalize to run standalone extraction

  #15298 commented on Feb 1, 2024 • 0 new comments

• Javascript: Regex Global Flag in Test Function

  #15163 commented on Feb 1, 2024 • 0 new comments

• Ruby: Add type row for extends calls

  #15311 commented on Feb 5, 2024 • 0 new comments

• Ruby: Add mysql2 model

  #14916 commented on Feb 5, 2024 • 0 new comments

• Dataflow break when using a switch statement with type assertions in golang?

  #15350 commented on Feb 1, 2024 • 0 new comments

• Check for large runners

  #15471 commented on Feb 7, 2024 • 0 new comments

• C# 12: Primary constructors.

  #15474 commented on Feb 6, 2024 • 0 new comments

• JS: Add Permissive CORS query (CWE-942)

  #14342 commented on Feb 1, 2024 • 0 new comments

• Unique IDs for C++ Functions

  #15342 commented on Feb 1, 2024 • 0 new comments

• Python codeql analysis hangs at `UnusedModuleVariable`

  #15466 commented on Feb 1, 2024 • 0 new comments

• C#: Additional tracking of lambdas through fields and properties

  #15489 commented on Feb 1, 2024 • 0 new comments

• Ruby: Decompression Bombs

  #13556 commented on Feb 1, 2024 • 0 new comments