github / codeql Public

51 Pull requests merged by 21 people

• Ruby: add configuration for 'cross'

  #7883 merged Feb 11, 2022

• Python: Fix setStoreStep to use `SetElementContent`

  #7874 merged Feb 11, 2022

• Docs: remove mention of 'filter queries'

  #7969 merged Feb 11, 2022

• QL: Use of db-type outside language core.

  #7674 merged Feb 11, 2022

• JS: convert more type-trackers to API-graphs

  #7912 merged Feb 11, 2022

• C#: Remove FPs from `cs/dereferenced-value-may-be-null`

  #2513 merged Feb 11, 2022

• Release preparation for version 2.8.1

  #7948 merged Feb 11, 2022

• JS: Add a `isNaN` sanitizer, and use it in queries that already had a typeof check

  #7892 merged Feb 11, 2022

• JS: add model for the snapdragon library

  #7921 merged Feb 11, 2022

• C#: Use Brotli instead of Gzip

  #7926 merged Feb 11, 2022

• Ruby: recognise additional form for OpenURI

  #7919 merged Feb 11, 2022

• C++: move change note

  #7943 merged Feb 10, 2022

• Javascript: move change note

  #7940 merged Feb 10, 2022

• Add C# 10 and .NET 6 to `versions-compilers.rst`

  #7927 merged Feb 10, 2022

• Python: Normalise string prefixes

  #7894 merged Feb 10, 2022

• Fix and improve Extractor options documentation formatting

  #7885 merged Feb 10, 2022

• JS: Recognize "sql" option as a query string in MySQL

  #7591 merged Feb 10, 2022

• Ruby: add def-nodes and separate method/return steps to API graphs

  #7819 merged Feb 10, 2022

• JS: Add query for unsafe construction of code from library input

  #5841 merged Feb 10, 2022

• C++: Update C++ variable hiding test

  #7841 merged Feb 10, 2022

• JS: add a getFlowLabel method to the PathNode class

  #7911 merged Feb 10, 2022

• Ruby: Rails route resolution

  #7061 merged Feb 9, 2022

• Post-release preparation for codeql-cli-2.8.0

  #7865 merged Feb 9, 2022

• Ruby: Hide more SSA nodes from data-flow path explanations

  #7891 merged Feb 9, 2022

• QL: Streamline qlpacks

  #7913 merged Feb 9, 2022

• Misc: Streamline `consistency-queries/qlpack.yml`

  #7842 merged Feb 9, 2022

• Ruby: add more Array/Enumerable flow summaries

  #7614 merged Feb 9, 2022

• C# 10: Tuple deconstruction.

  #7846 merged Feb 9, 2022

• CPP: Fix performance for cpp/cleartext-transmission

  #7881 merged Feb 9, 2022

• Ruby: Model calls to `constantize` as code executions

  #7824 merged Feb 8, 2022

• Ruby: Cache more predicates

  #7090 merged Feb 8, 2022

• Docs: Note codeql-go needs an install step before use

  #7879 merged Feb 8, 2022

• JS: recognize more startswith sanitizers for path-injection queries

  #7876 merged Feb 8, 2022

• Ruby/QL: add `unique` annotation on `node` column

  #7890 merged Feb 8, 2022

• C# 10 - Lambda improvements.

  #7749 merged Feb 8, 2022

• Collect framework coverage on demand

  #7872 merged Feb 8, 2022

• Java: Start running telemetry queries on Code Scanning

  #7417 merged Feb 8, 2022

• QL for QL: sync changes from Ruby

  #7880 merged Feb 8, 2022

• JS: recognize a nodejs re-exports in a loop

  #7870 merged Feb 8, 2022

• Python: CWE-338 insecureRandomness

  #7252 merged Feb 7, 2022

• Ruby: put AST node locations in a single table

  #7875 merged Feb 7, 2022

• C#: Add flow test cases for undetected value flow, when making variable bindings in pattern matching.

  #7809 merged Feb 7, 2022

• C/C++: Useless Test : verification of "Fully converted" Type

  #7849 merged Feb 7, 2022

• C++: Add query for missing mode argument in `open`/`openat` calls

  #7798 merged Feb 7, 2022

• Ruby 3.1 features

  #7753 merged Feb 6, 2022

• JS: Adding model for `.get` function of `Map` in Unvalidated Dynamic Method Call

  #7828 merged Feb 4, 2022

• JS: add file sources from `jszip` to `js/zip-slip`

  #7843 merged Feb 4, 2022

• Restrict AST nodes according to string length

  #7785 merged Feb 4, 2022

• JS: Add codeowners for ML-powered queries

  #7848 merged Feb 4, 2022

• Python: Fix performance issue in `charSet`

  #7838 merged Feb 4, 2022

• C#: Attribute kind and return value attributes.

  #7792 merged Feb 4, 2022

19 Pull requests opened by 16 people

• Python: Update `.expected` to support Python 3.10

  #7844 opened Feb 4, 2022

• Java: Timing attacks while comparing the headers value

  #7867 opened Feb 6, 2022

• Python: Fix attribute taint

  #7873 opened Feb 7, 2022

• Shared: Switch to dot-separated access paths in summary specs

  #7878 opened Feb 7, 2022

• C++: fix hasImplicitCopyConstructor for templates

  #7884 opened Feb 7, 2022

• Ruby: split standard library models into multiple files

  #7886 opened Feb 8, 2022

• C#: Include all binding expr in data flow analysis.

  #7893 opened Feb 8, 2022

• Upgrade scripts testing: set initial dbschemes

  #7895 opened Feb 8, 2022

• C#: Gvn based structural equality.

  #7910 opened Feb 9, 2022

• Ruby: Generalize `ArrayElementContent` to `ElementContent`

  #7914 opened Feb 9, 2022

• Python: promote xpath injection query

  #7915 opened Feb 9, 2022

• Ruby: IncompleteHostnameRegExp.ql

  #7917 opened Feb 9, 2022

• Ruby: Add String flow summaries

  #7920 opened Feb 10, 2022

• C++: Add table that identifies C++ structured bindings

  #7928 opened Feb 10, 2022

• RB: convert the ruby ApiGraphs to use IPA labels

  #7930 opened Feb 10, 2022

• C++: Improve cpp/system-data-exposure

  #7933 opened Feb 10, 2022

• Workflows: Augment workflow to ensure failure with invalid change notes

  #7946 opened Feb 10, 2022

• JS: Taint analysis for win paths [DRAFT]

  #7968 opened Feb 11, 2022

• Post-release preparation for codeql-cli-2.8.1

  #7975 opened Feb 11, 2022

10 Issues closed by 10 people

• LGTM.com - false positive - (C#) Dereferenced variable may be null

  #2485 closed Feb 11, 2022

• False Negative in JavaScript SQL Injection for MySQL library

  #7586 closed Feb 10, 2022

• LGTM.com - false positive "Declaration hides variable" for structured bindings

  #4026 closed Feb 10, 2022

• Internal error. (codeQL.runQueries)

  #7620 closed Feb 9, 2022

• Unexpected C# extractor error: Unhandled top-level syntax node

  #7882 closed Feb 7, 2022

• Got error while analyzing a Go db

  #4815 closed Feb 7, 2022

• sdfsdfsdf

  #7850 closed Feb 7, 2022

• Does CodeQL understand C# file-scoped namespaces?

  #7544 closed Feb 7, 2022

• LGTM.com - false positive

  #4239 closed Feb 6, 2022

• js/trivial-conditional - false positive

  #7847 closed Feb 4, 2022

10 Issues opened by 7 people

• How to enforce only a single language for lgtm.io?

  #7976 opened Feb 11, 2022

• Is there (or should there be) a mapping between the `@security-severity` and `@problem.severity` metadata properties?

  #7941 opened Feb 10, 2022

• Java: Promote `java/abnormal-finally-completion` to standard query

  #7939 opened Feb 10, 2022

• Provide API for merging/stitching two paths together in the standard library

  #7938 opened Feb 10, 2022

• How to disable particular rule by its ID from GitHub workflow?

  #7937 opened Feb 10, 2022

• Missed opportunity to use Where - false positive

  #7936 opened Feb 10, 2022

• Redundant ToString() call - false positive

  #7935 opened Feb 10, 2022

• INVALID_RESULT_PATTERNS

  #7922 opened Feb 10, 2022

• LGTM.com - false positive - c# top-level statements

  #7916 opened Feb 9, 2022

• LGTM alert beyond response limit!

  #7889 opened Feb 8, 2022

28 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Add ReDoS queries

  #7723 commented on Feb 10, 2022 • 111 new comments

• Java: CWE-073 File path injection with the JFinal framework

  #7712 commented on Feb 11, 2022 • 37 new comments

• Java: CWE-200: Temp directory local information disclosure vulnerability

  #4388 commented on Feb 10, 2022 • 24 new comments

• Java: Add HTTP Request Splitting to Netty Query

  #7823 commented on Feb 9, 2022 • 16 new comments

• Ruby: Add `rb/clear-text-logging-sensitive-data` query

  #7713 commented on Feb 10, 2022 • 11 new comments

• Java: An experimental query for ignored hostname verification

  #6443 commented on Feb 10, 2022 • 8 new comments

• Java: Simplify model generator query using flow state.

  #7832 commented on Feb 9, 2022 • 8 new comments

• Python: Port and extend XXE modeling

  #6112 commented on Feb 10, 2022 • 7 new comments

• JS: add query for detecting insecure temporary files

  #7626 commented on Feb 7, 2022 • 5 new comments

• Infinite loop when executing DataFlow queries

  #7481 commented on Feb 8, 2022 • 4 new comments

• Java: CWE-378: Temp Directory Hijacking Race Condition Vulnerability

  #4473 commented on Feb 7, 2022 • 4 new comments

• [Javascript] CWE-348: Client supplied ip used in security check

  #6864 commented on Feb 11, 2022 • 4 new comments

• Python: promote LDAP injection query

  #7783 commented on Feb 8, 2022 • 3 new comments

• FastAPI Request: possible false positive

  #7786 commented on Feb 7, 2022 • 2 new comments

• how can i analysis two project with "database import" command?

  #7644 commented on Feb 8, 2022 • 2 new comments

• Ruby: Cleanup flow through `self`

  #7084 commented on Feb 11, 2022 • 2 new comments

• Python: Add Python_JWT to JWT security query

  #7452 commented on Feb 11, 2022 • 2 new comments

• Python: promote log injection

  #7735 commented on Feb 9, 2022 • 2 new comments

• [Update Request] support `dotnet 6` for C#

  #7086 commented on Feb 4, 2022 • 1 new comment

• Question - Variable initialization

  #7827 commented on Feb 5, 2022 • 1 new comment

• LGTM.com - false positive This assignment to is useless, since its value is never read.

  #6785 commented on Feb 6, 2022 • 1 new comment

• Java: Expand `org.apache.commons.codec` model

  #6988 commented on Feb 7, 2022 • 1 new comment

• Adding a codeql script to find PendingIntent Vulnerbilies to new_branch

  #7471 commented on Feb 10, 2022 • 1 new comment

• Python: Deprecate old points-to based modeling

  #7660 commented on Feb 11, 2022 • 1 new comment

• Sign analysis for C++

  #7794 commented on Feb 4, 2022 • 1 new comment

• Python: Dataflow improvements

  #7807 commented on Feb 8, 2022 • 1 new comment

• Java : Add SSTI query

  #5935 commented on Feb 5, 2022 • 0 new comments

• Python: Points-to performance improvements

  #7549 commented on Feb 10, 2022 • 0 new comments