Insights: github/codeql
Overview
31 Pull requests merged by 20 people
-
Swift: add DataFlow::Content for arrays
#13741 merged
Aug 2, 2023 -
Go: Avoid using getTarget() as it may not exist
#13785 merged
Aug 2, 2023 -
Dataflow: Move the shared library to a properly shared qlpack.
#13863 merged
Aug 2, 2023 -
Swift: SubExpr may yield unresolved nodes in certain cases while MatchedExpr is always resolved
#13857 merged
Aug 2, 2023 -
Update supported frameworks
#13840 merged
Aug 1, 2023 -
Java: Tests for Automodel Extraction Queries
#13788 merged
Aug 1, 2023 -
Java: Make the barrier in java/potentially-weak-cryptographic-algorithm less restrictive
#13856 merged
Aug 1, 2023 -
JS: Add support for log injection in MaD
#13841 merged
Aug 1, 2023 -
Ruby: Add LDAP Injection query
#13309 merged
Aug 1, 2023 -
Update bazel to 6.3.1
#13858 merged
Aug 1, 2023 -
C++: Add IR test that shows dataflow regression after frontend update
#13862 merged
Aug 1, 2023 -
Update CSV framework coverage reports
#13859 merged
Aug 1, 2023 -
Go: Add language-specific baseline configuration
#13846 merged
Aug 1, 2023 -
Go : Improvements to Timing Attacks query
#13645 merged
Aug 1, 2023 -
CodeQL library update to use modular API interface - Add note and include in articles
#13854 merged
Jul 31, 2023 -
Swift: CustomUrlSchemes test enhancements and minor model improvement
#13756 merged
Jul 31, 2023 -
Swift: Autoformat experimental query.
#13853 merged
Jul 31, 2023 -
Java: Remove superfluous generated models
#13850 merged
Jul 31, 2023 -
Java: Add taint steps for InputStream wrappers
#13772 merged
Jul 31, 2023 -
Swift: Add Command Injection query (CWE-078)
#13726 merged
Jul 31, 2023 -
C++: Add forgotten parentheses in ternary IR test
#13844 merged
Jul 31, 2023 -
C++: Revert #13792
#13843 merged
Jul 29, 2023 -
Backport: Compiler error messages changed in Go 1.20.6
#13834 merged
Jul 29, 2023 -
[Java] Implement field taint inheritance for Struts2 unmarshalled objects
#13713 merged
Jul 28, 2023 -
Dataflow: MergePathGraph3 signature fix
#13822 merged
Jul 28, 2023 -
Docs: Fix indentation in tutorial examples
#13832 merged
Jul 28, 2023 -
[Java] New models for Struts2 framework
#13712 merged
Jul 28, 2023 -
Kotlin: Tweak our JSON escaping
#13412 merged
Jul 28, 2023 -
Remove last updated information and sorting from MRVA views
#13821 merged
Jul 27, 2023 -
Java: Allow flow out of FieldValueNodes for non-static fields
#13817 merged
Jul 27, 2023
16 Pull requests opened by 13 people
-
Swift: Model withUnsafeBytes and similar closure methods
#13827 opened
Jul 27, 2023 -
Swift: Correct the behaviour of Type.getName
#13829 opened
Jul 27, 2023 -
Java: Update Encryption.qll in line with NIST.SP.800-131Ar2
#13830 opened
Jul 27, 2023 -
Don't treat logrus' WithContext method as a logging function
#13835 opened
Jul 28, 2023 -
Swift: 'ParsedSequence' lacks proper types and yields 'Unresolved' AST nodes
#13836 opened
Jul 28, 2023 -
Kotlin: Pass on a parentId and remove some redundant braces
#13837 opened
Jul 28, 2023 -
Swift: add SetContent for data flow
#13838 opened
Jul 28, 2023 -
DataFlow: Support stateless `isSink` in `StateConfigSig`s
#13851 opened
Jul 31, 2023 -
Add option to filter automodel queries
#13852 opened
Jul 31, 2023 -
Go: Fix missing flow through receiver for function variable (try 2)
#13861 opened
Aug 1, 2023 -
Java: Expose the MaD documentation in the TOC for CodeQL Java
#13864 opened
Aug 1, 2023 -
Go: Support Go 1.21
#13867 opened
Aug 2, 2023 -
Swift: Route compiler diagnostics through our log.
#13869 opened
Aug 2, 2023 -
Swift: CommonCrypto test cases for the BrokenCryptoAlgorithm query
#13870 opened
Aug 2, 2023 -
Merge `rc/3.10` into `main`
#13871 opened
Aug 2, 2023 -
Add sanitizer to remove paths passing through http.Error
#13872 opened
Aug 3, 2023
2 Issues closed by 2 people
-
General issue codeql github upload-results
#13860 closed
Aug 1, 2023 -
question about "and not" keyword
#13809 closed
Jul 31, 2023
7 Issues opened by 6 people
-
Release preparation commits show "invalid-email-address" on GitHub
#13868 opened
Aug 2, 2023 -
False positive: Cyclic import in Python
#13866 opened
Aug 2, 2023 -
How to make the codeql aware a function called between the path.
#13865 opened
Aug 1, 2023 -
codeql won't work with chromium special file
#13849 opened
Jul 31, 2023 -
Go: support remote package analysis
#13833 opened
Jul 28, 2023 -
False positive: passing context with credentials to logrus
#13828 opened
Jul 27, 2023 -
False positive 'User-controlled bypass of sensitive method' for C# API endpoint that requires authorization
#13826 opened
Jul 27, 2023
33 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Go: Make flow configurations use new data flow API
#13820 commented on
Aug 2, 2023 • 41 new comments -
Java: Add Weak Randomness Query (CWE-330/338)
#13608 commented on
Aug 2, 2023 • 19 new comments -
Java: Trust Boundary Violation Query
#13413 commented on
Aug 2, 2023 • 17 new comments -
Java: Experimental version of Java Command Injection query
#13484 commented on
Aug 1, 2023 • 17 new comments -
Ruby: Add Unsafe HMAC Comparison Query.
#13825 commented on
Jul 28, 2023 • 7 new comments -
Java: Add proper support for variable capture flow.
#13478 commented on
Aug 2, 2023 • 6 new comments -
Ruby: Add Improper LDAP Authentication query (CWE-287)
#13313 commented on
Aug 2, 2023 • 4 new comments -
Java: Support for With[out]Element for MaD.
#13546 commented on
Aug 2, 2023 • 4 new comments -
Create database failed with "diagnostic.trap.gz, 22593: java.io.EOFException: Unexpected end of ZLIB input stream"
#11829 commented on
Aug 1, 2023 • 3 new comments -
Dynamic: add Fuzzy token
#13737 commented on
Aug 2, 2023 • 3 new comments -
C++: Constant type-bounds in the new range analysis
#13783 commented on
Aug 2, 2023 • 3 new comments -
JS: [WIP] Add `dot.js` support
#13624 commented on
Aug 1, 2023 • 2 new comments -
JavaScript: Improve qhelp for js/server-crash.
#13755 commented on
Aug 3, 2023 • 2 new comments -
Swift: properly identify types and declarations in trap files via mangling
#12433 commented on
Aug 2, 2023 • 1 new comment -
Go: Decompression Bombs
#13553 commented on
Jul 31, 2023 • 1 new comment -
Swift: Risky or Broken Cryptographic Algorithm Query
#13649 commented on
Aug 2, 2023 • 1 new comment -
C#: Turn RuntimeVersion into a record type.
#13688 commented on
Aug 1, 2023 • 1 new comment -
Python/JavaScript: Shared module for serverless functions
#13729 commented on
Jul 31, 2023 • 1 new comment -
Ruby: query to automatically extract type definitions from library code
#13750 commented on
Aug 1, 2023 • 1 new comment -
Java: Add XXE sinks for MDHT
#13773 commented on
Jul 31, 2023 • 1 new comment -
C# Zipslip improvements
#13281 commented on
Aug 1, 2023 • 0 new comments -
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
#13432 commented on
Aug 1, 2023 • 0 new comments -
Java: Threat Models
#13506 commented on
Aug 1, 2023 • 0 new comments -
C#: Use stubs for query tests.
#13522 commented on
Aug 1, 2023 • 0 new comments -
JS: Decompression Bombs
#13554 commented on
Jul 31, 2023 • 0 new comments -
Java: Decompression Bombs
#13555 commented on
Jul 31, 2023 • 0 new comments -
Ruby: Decompression Bombs
#13556 commented on
Jul 31, 2023 • 0 new comments -
Python: Decompression Bombs
#13557 commented on
Jul 31, 2023 • 0 new comments -
C#: Decompression Bombs
#13558 commented on
Jul 31, 2023 • 0 new comments -
C++: Decompression Bombs
#13560 commented on
Jul 31, 2023 • 0 new comments -
[Python] Configuration Injection query
#13640 commented on
Jul 27, 2023 • 0 new comments -
C++: Updates for changes in frontend
#13716 commented on
Aug 2, 2023 • 0 new comments -
Python: Add unsafe deserialization sinks (CWE-502)
#13781 commented on
Jul 28, 2023 • 0 new comments