Insights: github/codeql
Overview
58 Pull requests merged by 21 people
-
C++: Move a couple of predicates to `Node0Impl`
#14749 merged
Nov 10, 2023 -
Swift: parameter packs migration scripts
#14745 merged
Nov 10, 2023 -
C++: Add models for `strlcpy` and `strlcat`
#14735 merged
Nov 10, 2023 -
C++: Rewrite `cpp/unbounded-write` away from `DefaultTaintTracking`
#14669 merged
Nov 10, 2023 -
C++: Fix indirect global-variable flow
#14736 merged
Nov 10, 2023 -
C++: Fix `hasRemoteFlowSource` for `fgets`
#14744 merged
Nov 10, 2023 -
C#: Adjust standalone integration test to not reference mono assemblies
#14743 merged
Nov 10, 2023 -
C#: Use `C'X` fully-qualified-name format instead of `C<,...,>`
#14589 merged
Nov 10, 2023 -
Update CSV framework coverage reports
#14739 merged
Nov 10, 2023 -
Swift: add more doc strings to generated things
#14715 merged
Nov 10, 2023 -
C++: 28 strsafe library updates2
#14726 merged
Nov 9, 2023 -
Take our node, not the one that comes first on the PATH.
#14738 merged
Nov 9, 2023 -
C#: Include all (legacy) nuget restored folders in standalone references
#14723 merged
Nov 9, 2023 -
C#: Include type parameters in MaD format for generics
#14662 merged
Nov 9, 2023 -
C++: Fix operand ssa variables for range analysis.
#14732 merged
Nov 9, 2023 -
Java: model JDK21 SequencedCollection, Set and Map
#14699 merged
Nov 9, 2023 -
Docs: document dataflow `neverSkip` (and expand section on hidden nodes)
#14731 merged
Nov 9, 2023 -
C#: Disable CIL extraction by default.
#14564 merged
Nov 9, 2023 -
Java/C++/RangeAnalysis: Move SsaReadPosition to shared qlpack.
#14721 merged
Nov 9, 2023 -
JS: Move the language pack build and tests to Bazel
#14677 merged
Nov 9, 2023 -
Bump the extractor-dependencies group in /go/extractor with 1 update
#14729 merged
Nov 9, 2023 -
Swift: Fix defaultImplicitTaintRead on fields
#14661 merged
Nov 8, 2023 -
Swift: Promote the command injection query out of experimental
#14701 merged
Nov 8, 2023 -
Swift: upgrade to 5.9
#14261 merged
Nov 8, 2023 -
Restructure go Makefile: Build the per-platform target.
#14718 merged
Nov 8, 2023 -
Swift: fix CFG for SingleValueStmtExpr
#14717 merged
Nov 8, 2023 -
VS Code extension docs: Changes to database downloads
#14668 merged
Nov 8, 2023 -
Python: Fix dataflow consistency error due to missing class scope
#14590 merged
Nov 8, 2023 -
JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.
#14603 merged
Nov 8, 2023 -
C#: Keep only one framework reference nuget package in standalone
#14707 merged
Nov 8, 2023 -
C#: Fix compiler warning of possible null de-reference.
#14693 merged
Nov 8, 2023 -
C#: Tracer improvement for `dotnet test`
#14712 merged
Nov 8, 2023 -
C++: Don't use GVN as SSAVariable in new range analysis
#14713 merged
Nov 8, 2023 -
Java: Add JMS sink to java/unsafe-deserialization
#14610 merged
Nov 8, 2023 -
JS: catch when the main: path is invalid on Windows
#14716 merged
Nov 8, 2023 -
Java/C++/RangeAnalysis: Move a couple of utility predicates to shared qlpack
#14711 merged
Nov 8, 2023 -
C++: IR'ify `cpp/uninitialized-local` and fix FPs
#14704 merged
Nov 7, 2023 -
Fix a dead ReDoS link in docs
#14705 merged
Nov 7, 2023 -
C++: Add comment to testcase
#14714 merged
Nov 7, 2023 -
C++: Add range analysis testcase
#14708 merged
Nov 7, 2023 -
C++: Simplify the definition of `SemExpr` for range analysis
#14697 merged
Nov 7, 2023 -
C#: Correctly parse operator names in MaD
#14678 merged
Nov 7, 2023 -
Python: Misc: show that all tests passed in validTest
#14694 merged
Nov 7, 2023 -
Java: Make integration test more robust wrt recent Java versions.
#14702 merged
Nov 7, 2023 -
Swift: force canonical type computation before using the type
#14696 merged
Nov 7, 2023 -
C++: Allocate more `FunctionInput` and `FunctionOutput`s
#14667 merged
Nov 7, 2023 -
Swift: Fix an issue with Realm sinks for swift/cleartext-storage-database
#14698 merged
Nov 7, 2023 -
Swift: Generalize flow through subscript writes / test and fix some closure methods of Data
#14680 merged
Nov 6, 2023 -
Swift: Correct a couple of FilePath models.
#14682 merged
Nov 6, 2023 -
Docs: Put lists in supported-frameworks.rst in more alphabetical order
#14695 merged
Nov 6, 2023 -
C#: Use `project.assets.json` for package dependencies.
#14655 merged
Nov 6, 2023 -
Swift: Model NSString.enumerate*
#14683 merged
Nov 6, 2023 -
C#: Add another data flow test
#14690 merged
Nov 6, 2023 -
C#: Deprecate `UnboundGenericType::getInstanceType/0`
#14688 merged
Nov 6, 2023 -
Python: Minor cleanup for string pool interaction
#14591 merged
Nov 6, 2023 -
Swift: Add a webview test case
#14691 merged
Nov 6, 2023 -
Bump the extractor-dependencies group in /go/extractor with 1 update
#14687 merged
Nov 6, 2023 -
Swift: Fix failing tests
#14684 merged
Nov 3, 2023
14 Pull requests opened by 9 people
-
Swift: Simplify AdoptsWkNavigationDelegate in WebView.qll.
#14692 opened
Nov 6, 2023 -
27 cppnon constant format bug
#14700 opened
Nov 6, 2023 -
Python: Add basic flow for class attributes
#14706 opened
Nov 7, 2023 -
Ruby: Adopt shared type tracking library
#14709 opened
Nov 7, 2023 -
Prepare shared type tracking library for adoption by Ruby
#14710 opened
Nov 7, 2023 -
Java integration tests: More preparations to be executed on GH M1 machines
#14719 opened
Nov 8, 2023 -
Java: Environment variable injection query
#14724 opened
Nov 8, 2023 -
Python: Add taint-flow modeling for `re` module
#14725 opened
Nov 8, 2023 -
Swift: extract parameter packs
#14734 opened
Nov 9, 2023 -
Temporarily run the standalone extractor instead of autobuilding - beginning of the quarter
#14741 opened
Nov 10, 2023 -
Java/C++/Rangeanalysis: Share more range analysis utility predicates.
#14742 opened
Nov 10, 2023 -
misc: add dbscheme diff generation
#14746 opened
Nov 10, 2023 -
Swift: Add more path injection sinks
#14748 opened
Nov 10, 2023 -
Swift: update wordings in a downgrade script
#14750 opened
Nov 10, 2023
2 Issues closed by 2 people
-
C++: Customization mechanism for the standard library
#14722 closed
Nov 10, 2023 -
Updated Kotlin version range 1.8.10
#12172 closed
Nov 6, 2023
5 Issues opened by 5 people
-
Issue with new Dataflow module
#14740 opened
Nov 10, 2023 -
False positive: Go x, _ := strconv.ParseUint(,, strconv.IntSize-1); int(x)
#14733 opened
Nov 9, 2023 -
False positive: cpp/non-constant-format
#14727 opened
Nov 8, 2023 -
codeql fails with exit code 32 for c language analysis under the macOS environment
#14703 opened
Nov 7, 2023 -
False positive: Python - Deserialization of user-controlled data
#14685 opened
Nov 5, 2023
25 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Go: fasthttp
#14123 commented on
Nov 10, 2023 • 20 new comments -
JS: decoding JWT without signature verification
#14088 commented on
Nov 8, 2023 • 16 new comments -
JS: extend DatabaseAccess by `TypeORM` and `sqlite` and `better-sqlite3` packages
#14302 commented on
Nov 9, 2023 • 10 new comments -
Python: New FileSystem Access
#14406 commented on
Nov 6, 2023 • 10 new comments -
Go: Decompression Bombs
#13553 commented on
Nov 7, 2023 • 8 new comments -
Go: Add Improper LDAP Authentication query (CWE-287)
#13366 commented on
Nov 10, 2023 • 7 new comments -
Java: JWT decoding without verification
#14089 commented on
Nov 7, 2023 • 7 new comments -
Java: Add Weak Randomness Query (CWE-330/338)
#13608 commented on
Nov 8, 2023 • 5 new comments -
C#: Inspect project.assets.json to find dependencies.
#14411 commented on
Nov 10, 2023 • 4 new comments -
Go: Add Cors Gin Support
#14649 commented on
Nov 7, 2023 • 4 new comments -
Swift: implement type pruning for dataflow
#14592 commented on
Nov 10, 2023 • 3 new comments -
Python: Add support for Python 3.12 type syntax
#14636 commented on
Nov 10, 2023 • 3 new comments -
Java: Add support for Java 21 language features
#14671 commented on
Nov 10, 2023 • 3 new comments -
Does C++ extractor support to process code with unity build?
#14479 commented on
Nov 9, 2023 • 2 new comments -
JS: [WIP] Add `dot.js` support
#13624 commented on
Nov 9, 2023 • 2 new comments -
Ruby: Implement `mustFlow`
#14303 commented on
Nov 8, 2023 • 2 new comments -
Java: Decompression Bombs
#13555 commented on
Nov 6, 2023 • 1 new comment -
Ruby: Decompression Bombs
#13556 commented on
Nov 6, 2023 • 1 new comment -
C#: Add flow steps for View calls referring to Razor pages
#14343 commented on
Nov 9, 2023 • 1 new comment -
Java: Weak Hashing Algorithm specified in `.properties` files
#14040 commented on
Nov 8, 2023 • 0 new comments -
Temporarily run the standalone extractor instead of autobuilding
#14324 commented on
Nov 9, 2023 • 0 new comments -
JS: Add Permissive CORS query (CWE-942)
#14342 commented on
Nov 6, 2023 • 0 new comments -
JS: update typescript extractor to use 5.3.
#14510 commented on
Nov 6, 2023 • 0 new comments -
Ruby: Add Insecure Randomness Query
#14554 commented on
Nov 6, 2023 • 0 new comments -
Java: Add more sinks to the Weak Randomness query
#14681 commented on
Nov 8, 2023 • 0 new comments