Insights: github/codeql
Overview
49 Pull requests merged by 24 people
-
C#: Bump all dependencies
#14082 merged
Aug 29, 2023 -
Java: Automodel: Add Candidates for Regression Testing
#13954 merged
Aug 29, 2023 -
Python: parse mode chars should not be considered chars
#13975 merged
Aug 29, 2023 -
Delete thin space from documentation
#14079 merged
Aug 29, 2023 -
C++: Promote `cpp/invalid-pointer-deref` out of experimental
#14006 merged
Aug 29, 2023 -
C++: Fix FP in `cpp/compare-where-assign-meant`
#14060 merged
Aug 29, 2023 -
CPP: Add parent class for delete and delete[]
#14058 merged
Aug 29, 2023 -
C#: Download `nuget.exe` in the dependency manager (if not present).
#14069 merged
Aug 29, 2023 -
Consolidate all `InlineFlowTest` libraries in the dataflow qlpack
#14050 merged
Aug 29, 2023 -
Post-release preparation for codeql-cli-2.14.3
#14074 merged
Aug 28, 2023 -
Python: Fix stdlib sinks in LogInjection query
#14059 merged
Aug 28, 2023 -
Python: MaD on externals
#13935 merged
Aug 28, 2023 -
Python: Adopt tests to new `DataflowQueryTest`
#14067 merged
Aug 28, 2023 -
C#: Improve GetFiles in the Dependency Manager.
#14028 merged
Aug 28, 2023 -
Python: Port old experimental points-to based queries
#13990 merged
Aug 28, 2023 -
Ruby: Add Improper LDAP Authentication query (CWE-287)
#13313 merged
Aug 25, 2023 -
Docs: Update screenshots of variant analysis results view
#14051 merged
Aug 25, 2023 -
CPP: Only taint argv indirections
#14013 merged
Aug 25, 2023 -
Swift: Route compiler diagnostics through our log.
#14052 merged
Aug 25, 2023 -
Java: Re-generate Jenkins and Stapler models
#14056 merged
Aug 25, 2023 -
Data flow: Fix a bad join order
#14047 merged
Aug 25, 2023 -
Kotlin: We now support 1.9.10
#14049 merged
Aug 25, 2023 -
Swift: Model withUnsafeBytes and similar closure methods
#13827 merged
Aug 25, 2023 -
Update CSV framework coverage reports
#14055 merged
Aug 25, 2023 -
Python: Understand multiple parse mode flags specified in a regular expression string
#13779 merged
Aug 24, 2023 -
C#: Favor DLLs with most recent .NET Core target framework when resolving dependencies in standalone
#14045 merged
Aug 24, 2023 -
C++: Omit assign case from `cpp/non-constant-format`
#14039 merged
Aug 24, 2023 -
Variable capture: synchronize with aliases in nested scopes
#14035 merged
Aug 24, 2023 -
Java: Use nested names in MaD signatures.
#14032 merged
Aug 24, 2023 -
Java: Improve `JaxWsEndpoint::getARemoteMethod`
#13900 merged
Aug 24, 2023 -
ReDoS: limit concretize to strings of at most length 100
#14027 merged
Aug 24, 2023 -
Data flow: Use call contexts in stage 3
#14026 merged
Aug 24, 2023 -
Java: New models for JAX-RS
#13903 merged
Aug 24, 2023 -
C++: Add IR test case that shows regression after frontend update
#14043 merged
Aug 24, 2023 -
Swift: teach autobuilder about SPM, CocoaPods, and Carthage
#13979 merged
Aug 24, 2023 -
Shared extractor: support file path globs
#13969 merged
Aug 23, 2023 -
CPP: Convert SQL tainted away from DefaultTaintTracking.
#13985 merged
Aug 23, 2023 -
Python: Fix tests
#14037 merged
Aug 23, 2023 -
JS: Follow immediate predecessors in path resolution
#14007 merged
Aug 23, 2023 -
Ruby: Fix bug in excon model
#14033 merged
Aug 23, 2023 -
JS: Ignore files larger than 10 MB during extraction
#13928 merged
Aug 23, 2023 -
JS: fix crash in case of cyclic alias
#13926 merged
Aug 23, 2023 -
C#: Exclude dll files when getting files in the dependency manager.
#14019 merged
Aug 23, 2023 -
Java: Add XXE sinks for MDHT
#13773 merged
Aug 23, 2023 -
Ruby: Update test fixture
#14031 merged
Aug 23, 2023 -
Ruby: Remove isSplatAll
#13967 merged
Aug 23, 2023 -
C#: Fix lazy evaluation of not yet downloaded packages
#14020 merged
Aug 23, 2023 -
C++: Add `cpp/non-constant-format` test
#14021 merged
Aug 22, 2023 -
Swift: flow through keypath optional components
#14014 merged
Aug 22, 2023
26 Pull requests opened by 18 people
-
Swift: extract `nextCall` from `ForEachStmt`
#14023 opened
Aug 22, 2023 -
Java: Add new Apache CXF models
#14029 opened
Aug 23, 2023 -
Java: Add new Apache CXF generated models
#14030 opened
Aug 23, 2023 -
Swift: New query: Incomplete regular expression for hostnames
#14034 opened
Aug 23, 2023 -
Swift: Additional dataflow test
#14036 opened
Aug 23, 2023 -
CPP: Add delete/delete[] calls to the IR.
#14038 opened
Aug 23, 2023 -
Java: Weak Cryptographic Algorithm from `.properties` files
#14040 opened
Aug 23, 2023 -
Swift: Use shared control flow graph library
#14044 opened
Aug 24, 2023 -
Variable capture: allow arbitrary data-flow nodes to be the source of a write
#14048 opened
Aug 24, 2023 -
JS: Add support for TypeScript 5.2
#14053 opened
Aug 24, 2023 -
Update codeql-library-for-go.rst
#14057 opened
Aug 25, 2023 -
Ruby: JWT Security Queries (CWE-347)
#14061 opened
Aug 25, 2023 -
Update CSV framework coverage reports
#14063 opened
Aug 26, 2023 -
Go: New File System Access Sinks
#14064 opened
Aug 27, 2023 -
Bump regex from 1.9.3 to 1.9.4 in /ql
#14065 opened
Aug 28, 2023 -
Python: Use new dataflow API
#14068 opened
Aug 28, 2023 -
Python: promote nosql query
#14070 opened
Aug 28, 2023 -
Go: Improved JWT query, JWT decoding without verification
#14075 opened
Aug 28, 2023 -
Swift: use shared capture flow library
#14078 opened
Aug 28, 2023 -
Go: Add JWT Algorithm Confusion and JWT decoding without Signature Verification
#14081 opened
Aug 29, 2023 -
C#: Re-factor using statements order in autobuilder.
#14083 opened
Aug 29, 2023 -
Python: Remove XSS FP from use of `flask.jsonify`
#14084 opened
Aug 29, 2023 -
C#: Use stubs in unit tests.
#14085 opened
Aug 29, 2023 -
C#: Various performance fixes
#14086 opened
Aug 29, 2023 -
JS: JWT constant key, no Verification issues
#14088 opened
Aug 29, 2023 -
Java: JWT decoding without verification
#14089 opened
Aug 29, 2023
3 Issues closed by 3 people
-
False positive, cpp/compare-where-assign-meant
#14054 closed
Aug 29, 2023 -
Tree-Sitter Shared Extractor doesn't support extension-less files
#13964 closed
Aug 23, 2023 -
Could `CallInstruction` get virtual function target?
#14005 closed
Aug 23, 2023
9 Issues opened by 6 people
-
Question 01: How to identify TempleClass
#14077 opened
Aug 28, 2023 -
Question 00: How to identify a function call path.
#14076 opened
Aug 28, 2023 -
CodeQL detected code written in Java but could not process any of it. General issue
#14066 opened
Aug 28, 2023 -
cs/unused-collection false positive?
#14073 opened
Aug 26, 2023 -
Propagating Taint from a Pointer to a Field Access
#14062 opened
Aug 25, 2023 -
Extend Kotlin support to version 1.9.10
#14046 opened
Aug 24, 2023 -
How to Reason about Merged Taints?
#14042 opened
Aug 23, 2023 -
Predicate to catch a load in C/C++?
#14025 opened
Aug 22, 2023 -
Python: False positive for blank space characters
#14022 opened
Aug 22, 2023
22 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
C#: Add query for Insecure Direct Object Reference
#13882 commented on
Aug 25, 2023 • 30 new comments -
C# Standalone: Install .NET SDK specified in `global.json`
#13999 commented on
Aug 29, 2023 • 13 new comments -
Java: Convert `SensitiveApi.qll` to use Models-as-Data
#13978 commented on
Aug 28, 2023 • 10 new comments -
Java: Understand multiple parse mode flags specified in a regular expression string
#13778 commented on
Aug 24, 2023 • 6 new comments -
Swift: Update the weak sensitive data hashing examples and qhelp
#13943 commented on
Aug 29, 2023 • 6 new comments -
Go: Add sanitizer to remove paths passing through http.Error
#13872 commented on
Aug 29, 2023 • 4 new comments -
Python: Add dataflow consistency query
#8457 commented on
Aug 24, 2023 • 3 new comments -
Ruby: Reimplement flow through captured variables using field flow
#11725 commented on
Aug 29, 2023 • 3 new comments -
Ruby: add separate additional steps between `YAML.parse*` methods and `to_ruby`
#13431 commented on
Aug 24, 2023 • 3 new comments -
JS: Add 'vulnerableCallModel' extension point
#13727 commented on
Aug 27, 2023 • 3 new comments -
codeql won't work with chromium special file
#13849 commented on
Aug 23, 2023 • 2 new comments -
Support new React directives
#13296 commented on
Aug 23, 2023 • 2 new comments -
Go: Add Improper LDAP Authentication query (CWE-287)
#13366 commented on
Aug 27, 2023 • 2 new comments -
DataFlow::PathGraph Module not Found in codeql
#13540 commented on
Aug 28, 2023 • 1 new comment -
JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.
#13771 commented on
Aug 23, 2023 • 1 new comment -
JS: Move Directive subclasses into module and support "use client/server"
#13303 commented on
Aug 23, 2023 • 0 new comments -
C++: Updates for changes in frontend
#13716 commented on
Aug 28, 2023 • 0 new comments -
Create separate automodel pack
#13879 commented on
Aug 22, 2023 • 0 new comments -
Ruby: Model more flow from splat arguments
#13974 commented on
Aug 24, 2023 • 0 new comments -
C++: Reuse even more `DataFlow::Node`s
#14008 commented on
Aug 29, 2023 • 0 new comments -
python: allow namespace packages as packages
#14009 commented on
Aug 28, 2023 • 0 new comments -
Kotlin: Write usesK2 information to the database
#14018 commented on
Aug 23, 2023 • 0 new comments