Insights: github/codeql
Overview
79 Pull requests merged by 28 people
-
Kotlin: format string literals like the Java annotation extractor
#11296 merged
Nov 17, 2022 -
Release preparation for version 2.11.4
#11320 merged
Nov 17, 2022 -
Update go libraries to 55e052a
#11002 merged
Nov 17, 2022 -
Java: Remove no-longer-needed expected diagnostics
#11293 merged
Nov 17, 2022 -
C++: Update auto-builder nuget packages
#11317 merged
Nov 17, 2022 -
C++: Accept test changes on the use-use flow branch
#11315 merged
Nov 17, 2022 -
Kotlin: Add test case for confusing overloading query
#11291 merged
Nov 17, 2022 -
Kotlin: Exclude .kt files from empty block query
#11289 merged
Nov 17, 2022 -
Kotlin: Exclude .kt files from dead code queries
#11310 merged
Nov 17, 2022 -
Kotlin: Exclude .kt files from non serializable field query
#11308 merged
Nov 17, 2022 -
Kotlin: Exclude .kt files from missing `instanceof` in `equals` query
#11306 merged
Nov 17, 2022 -
CI: clean up the cache when compiling on main
#11272 merged
Nov 17, 2022 -
JS: Improved Hapi support
#11146 merged
Nov 17, 2022 -
Ruby: Model various ActionController methods
#11058 merged
Nov 16, 2022 -
C#: Update all nuget packages
#11266 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from mutual dependency query
#11304 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from one stmt in line query
#11303 merged
Nov 16, 2022 -
Swift: remove synthesized classes from the dbscheme
#11292 merged
Nov 16, 2022 -
Java: Add query for Sensitive Keyboard Cache
#10684 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from ignored return value query
#11302 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from misnamed reftype query
#11301 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from useless parameter query
#11300 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from serializable inner class query
#11299 merged
Nov 16, 2022 -
C++: Remove some `IndirectOperand` and `IndirectInstruction` nodes
#11218 merged
Nov 16, 2022 -
ql-style-guide: Remove use of `return`
#11307 merged
Nov 16, 2022 -
SSA: Expose phi-read nodes
#11198 merged
Nov 16, 2022 -
JS: add stats for @satisfies_expr
#11297 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from autoboxing query
#11290 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from `java/complex-boolean-expression`
#11284 merged
Nov 16, 2022 -
Kotlin: Exclude .kt files from resource leak queries
#11286 merged
Nov 16, 2022 -
CodeQL: add 'False positive' issue template
#11276 merged
Nov 16, 2022 -
Remove issue template for LGTM.com false positive reports
#11227 merged
Nov 16, 2022 -
Dataflow: Introduce support for src/sink grouping in path results.
#11183 merged
Nov 16, 2022 -
Ruby: taint-steps for printf calls - and add a `AdditionalTaintStep` class
#10855 merged
Nov 16, 2022 -
Java: Stub generator: Exclude invalid identifiers from generated stubs
#11269 merged
Nov 16, 2022 -
Swift: fix path of generated C++ files artifact
#11285 merged
Nov 16, 2022 -
JS: Add support for TypeScript 4.9
#11256 merged
Nov 16, 2022 -
ATM: Extract training data
#11263 merged
Nov 15, 2022 -
Add more information about ATM queries for external users
#11279 merged
Nov 15, 2022 -
Swift: remove IPA classes from `cppgen`
#11277 merged
Nov 15, 2022 -
Swift: remove double newlines in schema
#11274 merged
Nov 15, 2022 -
JS: extract .erb files as html
#11175 merged
Nov 15, 2022 -
C++: Fix typo in dataflow test comment
#11278 merged
Nov 15, 2022 -
Java: use the shared regex pack
#11246 merged
Nov 15, 2022 -
Swift: Add `AdditionalTaintStep`
#11273 merged
Nov 15, 2022 -
Swift: Add AEXML sinks to XXE query
#11138 merged
Nov 15, 2022 -
C#: update cs/assembly-path-injection cs/hardcoded-key to path-problems
#11203 merged
Nov 15, 2022 -
C++: Reintroduce the AST testing configuration for the smart pointer test too
#11271 merged
Nov 15, 2022 -
JS: Handle DynamicImport in the context of a type
#11255 merged
Nov 15, 2022 -
ATM: remove superfluous class in EndpointCharacteristics hierarchy
#11267 merged
Nov 15, 2022 -
C++: Reduce path duplication
#11257 merged
Nov 15, 2022 -
Ruby: add flow summary for Enumerable#index_by
#11252 merged
Nov 15, 2022 -
Python: use the shared regex pack
#11247 merged
Nov 14, 2022 -
Non-sink endpoint characteristics
#11174 merged
Nov 14, 2022 -
Kotlin: Add total number of diagnostics to telemetry
#11251 merged
Nov 14, 2022 -
Swift: Adds XMLDocument sinks to the XXE query
#11120 merged
Nov 14, 2022 -
Go: Optimize trap.Writer by buffering gzip writes
#11232 merged
Nov 14, 2022 -
Java/Kotlin: Add compilation info to telemetry
#11249 merged
Nov 14, 2022 -
Revert "Revert "SSA: Turn consistency predicates into `query` predicates""
#11080 merged
Nov 14, 2022 -
Swift: Add new query for XML External Entities (XML) vulnerabilities
#11086 merged
Nov 14, 2022 -
Java/Kotlin: Write Kotlin version information to the database
#11217 merged
Nov 14, 2022 -
Ruby: add `SqlConstruction` concept, and implement it for calls to `Arel.sql`
#11207 merged
Nov 14, 2022 -
ReDoS: add a shared regex pack
#11061 merged
Nov 14, 2022 -
Swift: db up/downgrade scripts
#11205 merged
Nov 14, 2022 -
C++: Recognize `basic_string::iterator` as an iterator
#11234 merged
Nov 11, 2022 -
Swift: create common `ErrorElement` superclass and tests
#11196 merged
Nov 11, 2022 -
Swift: Content flow through tuples
#11111 merged
Nov 11, 2022 -
JS: Bump version numbers of ML-powered packs after 0.4.1 release
#11233 merged
Nov 11, 2022 -
QL: Query for detecting unused parameter in override methods
#9827 merged
Nov 11, 2022 -
DataFlow: Add read/store stepIsLocal consistency checks
#11160 merged
Nov 11, 2022 -
Swift: extract or ignore last remaining types
#11213 merged
Nov 11, 2022 -
Swift: fix synthesized wrapper decls
#11231 merged
Nov 11, 2022 -
CI: use `find` in the format check to fix it
#11226 merged
Nov 11, 2022 -
Ruby: add ActionCable channel RPC params as remote flow sources
#11187 merged
Nov 11, 2022 -
Update CSV framework coverage reports
#11223 merged
Nov 11, 2022 -
C++: Improve handling of `std::string::insert` with iterator return type and do some cleanup
#11212 merged
Nov 11, 2022 -
C#: Telemetry query updates.
#11083 merged
Nov 11, 2022 -
CI: remove language specific format checks
#11214 merged
Nov 11, 2022 -
Swift: fix printing of unextracted entities
#11211 merged
Nov 11, 2022
31 Pull requests opened by 18 people
-
RB: add second-order-command-injection
#11236 opened
Nov 11, 2022 -
Java: Query for detecting enabling Javascript in Android WebSettings
#11238 opened
Nov 12, 2022 -
Java: Query to detect Android Webview file access
#11241 opened
Nov 12, 2022 -
Java: Use data extensions for MaD models.
#11243 opened
Nov 14, 2022 -
Python: support grouped exceptions
#11244 opened
Nov 14, 2022 -
Ruby: use the shared regex pack
#11245 opened
Nov 14, 2022 -
JS: use the shared regex pack
#11248 opened
Nov 14, 2022 -
Ruby: add stack-trace exposure query
#11250 opened
Nov 14, 2022 -
Dynamic: Merge package and type columns
#11253 opened
Nov 14, 2022 -
C++: Fix spurious reference flow
#11254 opened
Nov 14, 2022 -
Kotlin: extract annotations
#11258 opened
Nov 14, 2022 -
Docs: Add note about old/unsupported VS versions
#11261 opened
Nov 14, 2022 -
C++: deprecate AST-based GVN
#11262 opened
Nov 14, 2022 -
Enable accelerated go-extractor opt-in using 'go list -deps'
#11268 opened
Nov 15, 2022 -
Swift: Dataflow through ?? and ? :
#11270 opened
Nov 15, 2022 -
Java: Add generated JDK sinks
#11275 opened
Nov 15, 2022 -
Python: Support more dictionary read/store steps
#11280 opened
Nov 15, 2022 -
ATM: Implement the current endpoint filters as EndpointCharacteristics
#11281 opened
Nov 16, 2022 -
Java: Query for detecting addJavascriptInterface method calls
#11282 opened
Nov 16, 2022 -
Java: Android WebView Content Access Query
#11283 opened
Nov 16, 2022 -
Golang: add `rsync` as a program capable of arbitrary shell command execution
#11288 opened
Nov 16, 2022 -
QL: improve the "this block-comment should have been a QLDoc"-query
#11294 opened
Nov 16, 2022 -
"CodeQL False positive" -> "CodeQL false positive"
#11295 opened
Nov 16, 2022 -
Swift: update prebuilt binary names
#11298 opened
Nov 16, 2022 -
C++: Repair `MustFlow` library for use-use flow
#11311 opened
Nov 16, 2022 -
C++: Fix flow out of const member functions
#11314 opened
Nov 16, 2022 -
CI: Also compile the `examples` folder
#11316 opened
Nov 17, 2022 -
delete old deprecations
#11318 opened
Nov 17, 2022 -
Remove redundant code
#11321 opened
Nov 17, 2022 -
Post-release preparation for codeql-cli-2.11.4
#11322 opened
Nov 17, 2022 -
Simplify query configurations
#11323 opened
Nov 18, 2022
6 Issues closed by 5 people
-
CodeQL - False positive for uninitialized variable in Python
#11312 closed
Nov 16, 2022 -
[Java][Files] False positive in CreateFileSinkModels
#11309 closed
Nov 16, 2022 -
CodeQL runs failing with link to experimental-atm-queries that are not configured
#11305 closed
Nov 16, 2022 -
https://github.com/github/codeql/issues/11237#issuecomment-1312366460General issue
#11239 closed
Nov 12, 2022 -
LGTM.com - false positive
#11237 closed
Nov 12, 2022 -
Autobuild support for .NET 7.0
#11224 closed
Nov 12, 2022
8 Issues opened by 7 people
-
Migration from LGTM is missing support for .lgtm.yml
#11319 opened
Nov 17, 2022 -
CodeQL: False positive for uninitialized variable (via import) in Python
#11313 opened
Nov 16, 2022 -
Java: For some projects JDK classes have location under `sourceLocationPrefix`
#11265 opened
Nov 15, 2022 -
Java: `Type.getErasure()` erroneously has `Object` as result on some databases
#11264 opened
Nov 15, 2022 -
LGTM.com - false positive - contextlib.suppress not seen as thrown exception
#11242 opened
Nov 13, 2022 -
cpp/uninitialized-local - false positive
#11240 opened
Nov 12, 2022 -
LGTM.com - false positive "Statement has no effect" for Python await
#11235 opened
Nov 11, 2022 -
Indent about codeql vscode extension
#11225 opened
Nov 11, 2022
30 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Swift: Unsafe JS Eval Query
#11001 commented on
Nov 17, 2022 • 15 new comments -
C#: Deprecate hasQualifiedName/1 and prepare for deprecating getQualifiedName/0.
#11144 commented on
Nov 16, 2022 • 15 new comments -
Python: Test improvements in preparation for new call-graph PR
#11208 commented on
Nov 15, 2022 • 10 new comments -
Ruby: Add case string comparison barrier guard
#11114 commented on
Nov 17, 2022 • 8 new comments -
Python: Clean up import resolution
#10861 commented on
Nov 17, 2022 • 7 new comments -
Ruby: Document flow summary syntax
#10899 commented on
Nov 16, 2022 • 7 new comments -
Share encryption key sizes across languages
#11192 commented on
Nov 17, 2022 • 7 new comments -
false positive - cpp/unused-static-function
#11219 commented on
Nov 16, 2022 • 6 new comments -
Swift: add `String` taint steps
#11185 commented on
Nov 16, 2022 • 5 new comments -
cpp/uncontrolled-allocation-size - false positive
#11215 commented on
Nov 16, 2022 • 3 new comments -
Swift: Add Alamofire model to swift/cleartext-transmission
#11210 commented on
Nov 16, 2022 • 2 new comments -
General issue - cpp/uninitialized-local should provide at least 1 path that leaves variable uninitialized (preferably all if possible)
#11216 commented on
Nov 11, 2022 • 1 new comment -
C++ view AST / printAST.ql performance analysis
#11221 commented on
Nov 11, 2022 • 1 new comment -
Potential false positives - cs/dereferenced-value-may-be-null - when working with C# 8 nullability feature
#2774 commented on
Nov 15, 2022 • 1 new comment -
Issue templates should be made more relevant to people
#11222 commented on
Nov 16, 2022 • 1 new comment -
CPP: Add query for CWE-369: Divide By Zero.
#10431 commented on
Nov 11, 2022 • 1 new comment -
Python : Improve the PAM authentication bypass query
#10656 commented on
Nov 17, 2022 • 1 new comment -
Swift: Simplify the API for Decl members
#11046 commented on
Nov 15, 2022 • 1 new comment -
Data flow: Add summary/return context to pruning stages 2-4
#11087 commented on
Nov 17, 2022 • 1 new comment -
Python: Inline query tests
#11088 commented on
Nov 11, 2022 • 1 new comment -
Java: Timing attack
#8686 commented on
Nov 13, 2022 • 0 new comments -
Java: Add support for data flow through thrown exceptions.
#9914 commented on
Nov 11, 2022 • 0 new comments -
Ruby: also treat included/prepended modules as subclasses
#10747 commented on
Nov 14, 2022 • 0 new comments -
Ruby: add library input as a source for `rb/polynomial-redos`
#10782 commented on
Nov 14, 2022 • 0 new comments -
DO NOT MERGE: Replace AST with IR use-use dataflow
#10817 commented on
Nov 17, 2022 • 0 new comments -
Data flow: Add synthetic return nodes
#10906 commented on
Nov 16, 2022 • 0 new comments -
C#: Include "phi reads" in `DataFlow::Node`
#10927 commented on
Nov 17, 2022 • 0 new comments -
Swift: extract `RegexLiteralExpr`
#10950 commented on
Nov 11, 2022 • 0 new comments -
[Draft] Java: Add Android missing certificate pinning query (CWE-295)
#10971 commented on
Nov 16, 2022 • 0 new comments -
Java: Promote regex injection query from experimental
#11070 commented on
Nov 14, 2022 • 0 new comments