50 Pull requests merged by 27 people

• Go: Fix file info extraction for dummy files

  #15603 merged Feb 13, 2024

• C++: Update test results of `constexpr if` destructors

  #15597 merged Feb 13, 2024

• Swift: Add Unsafe Unpacking Query (CWE-022)

  #14888 merged Feb 13, 2024

• Bump the extractor-dependencies group in /go/extractor with 1 update

  #15590 merged Feb 13, 2024

• C++: Revert #15528

  #15601 merged Feb 13, 2024

• Kotlin 2: Accept more test changes

  #15561 merged Feb 13, 2024

• C++: Fix `memset` model

  #15587 merged Feb 13, 2024

• C++: Add additional IR tests for destructors

  #15594 merged Feb 13, 2024

• Use `!cancelled` in qhelp-pr-preview workflow

  #15589 merged Feb 13, 2024

• Python: Update BUILD.bazel files.

  #15586 merged Feb 13, 2024

• C#: Improve the `cs/path-injection` QHelp

  #15519 merged Feb 13, 2024

• C# - Add default nuget feed if there's none

  #15577 merged Feb 13, 2024

• Shared: fix a bug in stateful outbarriers

  #15507 merged Feb 12, 2024

• Python: Model the `psycopg` package

  #15457 merged Feb 12, 2024

• Ruby: Fix ActionController path regex

  #15566 merged Feb 12, 2024

• Ruby: Recognise more ActiveRecord connections

  #15521 merged Feb 12, 2024

• Reduce severity of `java/relative-path-command`

  #15533 merged Feb 12, 2024

• Java: Add query for insecure local authentication

  #15481 merged Feb 12, 2024

• Java: Add extension point and default sanitizer to Open Redirect query

  #15565 merged Feb 12, 2024

• Kotlin 2: Accept loc changes in library-tests/parameter-defaults/defaults.expected

  #15573 merged Feb 12, 2024

• Kotlin 2: Accept more location changes

  #15569 merged Feb 12, 2024

• JS: exclude tagged template literals from `js/superfluous-trailing-arguments`

  #15523 merged Feb 12, 2024

• Tree-sitter extractors: use fresh IDs for locations

  #15496 merged Feb 12, 2024

• Update CSV framework coverage reports

  #15578 merged Feb 12, 2024

• C#: Actually cache module `Cached`

  #15567 merged Feb 12, 2024

• C#: Additional tracking of lambdas through fields and properties

  #15489 merged Feb 12, 2024

• Bump chrono from 0.4.33 to 0.4.34 in /ql

  #15579 merged Feb 12, 2024

• Capture flow: Take overwrites in nested scopes into account

  #15540 merged Feb 10, 2024

• Dataflow: Add empty provenance column to PathGraph.

  #15549 merged Feb 9, 2024

• Java: Update MaD Declarations after Triage

  #15486 merged Feb 9, 2024

• C++: Don't strip specifiers in `Node.getType`

  #15559 merged Feb 9, 2024

• Java: Refactor path injection sinks

  #12886 merged Feb 9, 2024

• C#: Try resolve relative paths in line mappings

  #15542 merged Feb 9, 2024

• Post-release preparation for codeql-cli-2.16.2

  #15560 merged Feb 8, 2024

• Release preparation for version 2.16.2

  #15557 merged Feb 8, 2024

• Ruby: Remove `ReturnValue` as access path for constructors

  #15541 merged Feb 8, 2024

• Revert "Merge pull request #15522 from github/release-prep/2.16.2"

  #15556 merged Feb 8, 2024

• Post-release preparation for codeql-cli-2.16.2

  #15531 merged Feb 8, 2024

• Kotlin 2: Some test fixes

  #15544 merged Feb 8, 2024

• C#: Simplify, getASuccessor is pruned now.

  #15547 merged Feb 8, 2024

• Update CSV framework coverage reports

  #15545 merged Feb 8, 2024

• C# Add missing Windows Forms implicit usings

  #15535 merged Feb 8, 2024

• Add supported build modes to extractor metadata

  #15532 merged Feb 7, 2024

• Added model for gettext variants.

  #15513 merged Feb 7, 2024

• C++: Fix IR generation when `ConditionDeclExpr` does not have an immediate `VariableAccess`

  #15539 merged Feb 7, 2024

• C++: Also clear the `0`'th argument of `swap`

  #15537 merged Feb 7, 2024

• C++: Add an interface for models to block flow

  #15528 merged Feb 7, 2024

• Bump the extractor-dependencies group in /go/extractor with 1 update

  #15534 merged Feb 7, 2024

• C#: Add summaries for Span<T> and ReadOnlySpan<T>.

  #15459 merged Feb 7, 2024

• C#: Extract dependency restore telemetry data

  #15518 merged Feb 7, 2024

27 Pull requests opened by 20 people

• Bazel/CMake: auto detect all `cc_binary`/`cc_test` targets

  #15536 opened Feb 7, 2024

• Java: Add query for insecurely generated keys for local authentication.

  #15548 opened Feb 8, 2024

• python: remove a use of points-to

  #15550 opened Feb 8, 2024

• python: Remove `TaintStepFromSummary`

  #15551 opened Feb 8, 2024

• Automodel: Improve handling of varargs and overriding in extraction queries

  #15554 opened Feb 8, 2024

• Ruby: Support erb flow for ActionController

  #15555 opened Feb 8, 2024

• Jb1/zipslip performance fix upstream

  #15558 opened Feb 8, 2024

• Ruby: Fix formatting in changelog

  #15562 opened Feb 8, 2024

• C#: Models as Data Documentation

  #15563 opened Feb 9, 2024

• Autotune memory

  #15564 opened Feb 9, 2024

• Kotlin: Compile tests using the same jdk as the java tests.

  #15568 opened Feb 9, 2024

• Java: Cache interpretElement.

  #15570 opened Feb 9, 2024

• JS: False negative - unsafe postMessage handler not detected

  #15571 opened Feb 9, 2024

• Data flow: Cache `viableCallableExt`

  #15582 opened Feb 12, 2024

• Bazel: use bzlmod

  #15583 opened Feb 12, 2024

• Limit xl runner jobs to github org

  #15584 opened Feb 12, 2024

• Go: Promote `go/missing-jwt-signature-check` from experimental

  #15585 opened Feb 12, 2024

• Automodel: Make description of some negative characteristics more explicit.

  #15592 opened Feb 13, 2024

• Swift: update swift prebuilt package

  #15593 opened Feb 13, 2024

• C#: Add a few more sanitizers to `cs/web/unvalidated-url-redirection`

  #15596 opened Feb 13, 2024

• Dataflow: wip test of fieldflowbranchlimit adjustment

  #15599 opened Feb 13, 2024

• C# Change desktop dotnet assembly lookup to fall back to nuget reference assemblies

  #15600 opened Feb 13, 2024

• JS: Fix flow through &&

  #15602 opened Feb 13, 2024

• Ruby: add additional sources on the request object of Rails

  #15604 opened Feb 13, 2024

• C#: Add more `environment` and `commandargs` sources for the C# Standard Library

  #15605 opened Feb 13, 2024

• Kotlin: Fix build with latest 2.0.255 snapshots

  #15606 opened Feb 13, 2024

• Swift: Trivial changes to swift/unsafe-unpacking

  #15607 opened Feb 13, 2024

12 Issues closed by 7 people

• `.github/workflows/qhelp-pr-preview.yml` shouldn't upload-artifact if `cancelled()`

  #15588 closed Feb 13, 2024

• Workflows are missing permissions requests

  #15462 closed Feb 12, 2024

• PowerShell keeps open file handle to build-tracer.log when using indirect build tracing

  #15572 closed Feb 12, 2024

• [Java][UrlRedirect] False positive when doing string concat

  #15553 closed Feb 12, 2024

• False positive - "zx" npm package usage is mistakenly detected as jQuery usage

  #15286 closed Feb 12, 2024

• False positive

  #15581 closed Feb 12, 2024

• False positive

  #15580 closed Feb 12, 2024

• Python code QL reports (invalid?) parse error

  #14863 closed Feb 11, 2024

• 12.11

  #15576 closed Feb 9, 2024

• 1211

  #15575 closed Feb 9, 2024

• General issue [cpp] Bug when using Macro in query

  #15538 closed Feb 9, 2024

• eliminate GuardConditions that are part of Assertions in cpp

  #15512 closed Feb 7, 2024

3 Issues opened by 3 people

• Yaml scripts appear to be non-executable

  #15598 opened Feb 13, 2024

• False positive - LogInjection (CWE 117) is not mitigated via Log4j2 %{encodeCRLF) pattern

  #15574 opened Feb 9, 2024

• Advice in out-of-memory message can be misleading on Windows

  #15552 opened Feb 8, 2024

33 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Declare permissions

  #15493 commented on Feb 13, 2024 • 21 new comments

• C++: Add implicit destructors for named variables to the IR

  #15506 commented on Feb 13, 2024 • 21 new comments

• C# 12: Primary constructors.

  #15474 commented on Feb 13, 2024 • 20 new comments

• Dataflow perf investigations

  #15444 commented on Feb 8, 2024 • 9 new comments

• Ruby: add docs for customizing library models with data extensions

  #15488 commented on Feb 13, 2024 • 9 new comments

• Ruby: Recognise raw Erb output as XSS sink

  #15520 commented on Feb 13, 2024 • 8 new comments

• JS: Add library for naming endpoints

  #15380 commented on Feb 13, 2024 • 7 new comments

• Go: Promote `go/hardcoded-key` from experimental

  #15527 commented on Feb 13, 2024 • 7 new comments

• C++: Change sources in `NonConstantFormat.ql`

  #15516 commented on Feb 13, 2024 • 4 new comments

• Shadowing happens when overriding method

  #15525 commented on Feb 11, 2024 • 3 new comments

• cpp - compiler support

  #15530 commented on Feb 11, 2024 • 2 new comments

• Ruby: Block flow into flow sources

  #15483 commented on Feb 13, 2024 • 2 new comments

• CodeQL adds redundant slash to upload sarif file endpoint

  #15020 commented on Feb 8, 2024 • 2 new comments

• Java ExceptionInInitializerError - com.sun.tools.javac.code.TypeTags

  #7535 commented on Feb 8, 2024 • 2 new comments

• C++: Implement models-as-data

  #15371 commented on Feb 9, 2024 • 2 new comments

• Java: Document which assignment type is covered by which class

  #15451 commented on Feb 13, 2024 • 1 new comment

• C#: Refactor C# queries to use `ThreatModelFlowSource` instead of `RemoteFlowSource`

  #15419 commented on Feb 9, 2024 • 1 new comment

• Go: Update autobuilder to deal with the upcoming deprecation of the legacy GOPATH mode

  #15361 commented on Feb 13, 2024 • 1 new comment

• Java: QL Query to Detect Security Sensitive non-CSPRNG usage

  #2694 commented on Feb 6, 2024 • 1 new comment

• False negative: NestJS TypeORM SQLInjection vulnerability not detected

  #15299 commented on Feb 13, 2024 • 1 new comment

• Wrong Pointer Size in Database for Chromium

  #14914 commented on Feb 7, 2024 • 1 new comment

• [Python] Add Unicode DoS (qhelp, tests and the query)

  #15319 commented on Feb 13, 2024 • 0 new comments

• Python: add models for `stdlib`

  #15306 commented on Feb 9, 2024 • 0 new comments

• C#: Experiment with having no DB stats

  #15406 commented on Feb 12, 2024 • 0 new comments

• C++: Accept test changes after frontend upgrade

  #15213 commented on Feb 7, 2024 • 0 new comments

• Data flow: prune context-sensitivity relations

  #15140 commented on Feb 12, 2024 • 0 new comments

• C#: Decompression Bombs

  #13558 commented on Feb 9, 2024 • 0 new comments

• Python: Decompression Bombs

  #13557 commented on Feb 11, 2024 • 0 new comments

• JS: Decompression Bombs

  #13554 commented on Feb 11, 2024 • 0 new comments

• Dataflow: Support alert provenance

  #15501 commented on Feb 9, 2024 • 0 new comments

• Python codeql analysis hangs at `UnusedModuleVariable`

  #15466 commented on Feb 12, 2024 • 0 new comments

• SARIF produced in `csharp` scan contains `NaN` values

  #15508 commented on Feb 11, 2024 • 0 new comments

• Python : Unable to follow taint through indirect calls

  #14842 commented on Feb 11, 2024 • 0 new comments