26 Pull requests merged by 15 people

• Java: Add comments about use of sink kind regex-use

  #17053 merged Jul 24, 2024

• C++: Avoid expensive negation

  #17057 merged Jul 24, 2024

• Java: Update Annotation predicate examples in language guide

  #17026 merged Jul 24, 2024

• C++: Fix false positives in cpp/incorrectly-checked-scanf

  #17054 merged Jul 24, 2024

• C++: More tests for cpp/use-after-free

  #17055 merged Jul 24, 2024

• C++: Support destroying deletes

  #17050 merged Jul 24, 2024

• Java: Move SensitiveLoggerConfig source to extensible format

  #17036 merged Jul 23, 2024

• Post-release preparation for codeql-cli-2.18.1

  #17041 merged Jul 23, 2024

• C++: Fix issue with cpp/suspicious-allocation-size

  #17037 merged Jul 23, 2024

• C++: Fix issue with cpp/incorrect-allocation-error-handling

  #17035 merged Jul 23, 2024

• C++: Add UsingEnumDeclarationEntry changenote.

  #17047 merged Jul 23, 2024

• Docs: Document preference for American English in change notes.

  #17048 merged Jul 23, 2024

• Java: make a separate threat model kind for reverse DNS sources

  #16760 merged Jul 23, 2024

• C++: Support using enum declarations.

  #17006 merged Jul 23, 2024

• Release preparation for version 2.18.1

  #17040 merged Jul 22, 2024

• Revert "Release preparation for version 2.18.1"

  #17039 merged Jul 22, 2024

• Add models for the lastaflute framework

  #16993 merged Jul 22, 2024

• Release preparation for version 2.18.1

  #17032 merged Jul 22, 2024

• Update CSV framework coverage reports

  #17024 merged Jul 20, 2024

• Swift: Use shared library for sensitive private information heuristics

  #16570 merged Jul 19, 2024

• Integration tests: port to pytest.

  #17015 merged Jul 19, 2024

• Go: convert models for websocket readers as remote flow sources to models-as-data

  #17012 merged Jul 19, 2024

• Go: Output stdout/stderr for go version if something goes wrong

  #17016 merged Jul 18, 2024

• pkg.bzl: Disable remote caching of zipmerge steps.

  #17010 merged Jul 18, 2024

• Java: Add test for autobuild with maven-enforcer

  #17013 merged Jul 18, 2024

• Java: Tag java/non-https-url with CWE-345 ("Insufficient Verification of Data Authenticity")

  #16958 merged Jul 18, 2024

20 Pull requests opened by 13 people

• Shared: Add support for provenance pretty-printing as a qltest postprocess step.

  #17011 opened Jul 18, 2024

• Go: Add support for provenance pretty-printing as a qltest postprocess step

  #17014 opened Jul 18, 2024

• Add autofix reminder

  #17017 opened Jul 18, 2024

• Java: JWT decoding without verification [smowton fork]

  #17020 opened Jul 19, 2024

• Java: add apache-ant `Property` path injection sinks

  #17023 opened Jul 19, 2024

• Java: add TaintInheritingContent for URL synthetic fields

  #17025 opened Jul 21, 2024

• C++: Improve query doc advice for using encryption

  #17028 opened Jul 22, 2024

• Dataflow: Add provenance to StagePathGraph.

  #17029 opened Jul 22, 2024

• Python: remove the imprecise container taint steps

  #17030 opened Jul 22, 2024

• C++: Add more alias and side effect models

  #17034 opened Jul 22, 2024

• Update CSV framework coverage reports

  #17042 opened Jul 23, 2024

• Dataflow: Fix bug causing spurious flow for FeatureHasSinkCallContext

  #17049 opened Jul 23, 2024

• Java: sanitize values which are checked against an allowlist (currently only calling `List.contains` on a list constructed locally with `List.of`)

  #17051 opened Jul 23, 2024

• C++: Speed up alias analysis

  #17056 opened Jul 23, 2024

• Go: Support Go 1.23

  #17058 opened Jul 24, 2024

• Update unified changelog for 2.17.6 and 2.18.0

  #17060 opened Jul 24, 2024

• C++: Speed up alias analysis

  #17062 opened Jul 24, 2024

• Swift: Minor fixes

  #17064 opened Jul 24, 2024

• Java: integration tests with proxy server

  #17065 opened Jul 24, 2024

• Java: 17052 do not expose error message

  #17066 opened Jul 24, 2024

9 Issues closed by 6 people

• Help setting up the local repo so I can make and test changes to the open source shared queries

  #17061 closed Jul 24, 2024

• Migrating to new dataflow API causes missing results for my query

  #17044 closed Jul 24, 2024

• Including the external files in database create

  #17027 closed Jul 23, 2024

• Issue while running scan on Java project

  #17046 closed Jul 23, 2024

• Error running query: Webview is disposed in CodeQL with Java Extension Pack

  #16889 closed Jul 22, 2024

• Catastrophic error ("internal error: assertion failed at: "decls.c", line 21165 in mark_decl_after_first_in_comma_list") when compiling a CodeQL database from Chromium

  #16783 closed Jul 22, 2024

• Caching related doubts

  #17004 closed Jul 19, 2024

• General issue

  #17018 closed Jul 19, 2024

• Warning: "constexpr" is not valid here

  #16995 closed Jul 18, 2024

7 Issues opened by 5 people

• VSCode extension AST viewer tab not showing AST for some files.

  #17068 opened Jul 25, 2024

• `codeql resolve qlpacks` is reporting errors for duplicated packs from different languages even though it is not a problem

  #17059 opened Jul 24, 2024

• False positive: Java: stack-trace-exposure

  #17052 opened Jul 23, 2024

• taint tracking didn't connect

  #17045 opened Jul 23, 2024

• Confused about the query time

  #17022 opened Jul 19, 2024

• Python: Local/Global dataflow analysis not tracing class field?

  #17021 opened Jul 19, 2024

• Python: Why global dataflow not tracking `endpoints` in function `Service.start()`?

  #17019 opened Jul 19, 2024

28 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Python: Promote the insecure cookie query from experimental

  #16933 commented on Jul 24, 2024 • 7 new comments

• Python: Modelling of the Standard Library

  #16840 commented on Jul 23, 2024 • 6 new comments

• C++: Alias analysis follow-up to #16907

  #16981 commented on Jul 24, 2024 • 4 new comments

• C#/Java/Go: Neutrals are split into separate classes.

  #17007 commented on Jul 20, 2024 • 1 new comment

• C#: Adopt shared SSA data-flow integration

  #16936 commented on Jul 19, 2024 • 1 new comment

• Java: Decompression Bombs

  #13555 commented on Jul 19, 2024 • 1 new comment

• Javascript: Add environment variables to allow specifying memory sizes

  #16803 commented on Jul 24, 2024 • 1 new comment

• Ruby: Add get_response for Net::HTTP

  #17002 commented on Jul 23, 2024 • 0 new comments

• C++: Update attributes test output

  #16947 commented on Jul 24, 2024 • 0 new comments

• Ruby: Adopt shared SSA data-flow integration

  #16937 commented on Jul 19, 2024 • 0 new comments

• Python: Promote cookie injection query from experimental

  #16893 commented on Jul 24, 2024 • 0 new comments

• C#: Update .NET 8 Runtime models.

  #16872 commented on Jul 19, 2024 • 0 new comments

• C++/Java/C# Shared Range Analysis: BigInt rewrite experiment

  #16864 commented on Jul 19, 2024 • 0 new comments

• C#: Add query for insecure certificate validation

  #16824 commented on Jul 25, 2024 • 0 new comments

• C#: Restrict multi-body dataflow dispatch based on file-system distance

  #16817 commented on Jul 19, 2024 • 0 new comments

• WIP: Python: CORS Bypass

  #16814 commented on Jul 23, 2024 • 0 new comments

• WIP: Go: CORS Bypass due to incorrect checks

  #16813 commented on Jul 18, 2024 • 0 new comments

• Align Ruby NonConstantKernelOpen.ql Severity

  #16807 commented on Jul 23, 2024 • 0 new comments

• Add `rb/weak-sensitive-data-hashing` query port

  #16781 commented on Jul 23, 2024 • 0 new comments

• Java: JWT decoding without verification

  #14089 commented on Jul 19, 2024 • 0 new comments

• Secure Java RSA Crypto Not Recognized By CodeQL

  #12390 commented on Jul 24, 2024 • 0 new comments

• C++ extractor giving multiple compilation errors when trying to compile the linux kernel

  #16908 commented on Jul 23, 2024 • 0 new comments

• In sa_make_variable_label: Parameter has no associated parameter type.

  #16997 commented on Jul 19, 2024 • 0 new comments

• No entity set found for seq 0

  #16996 commented on Jul 19, 2024 • 0 new comments

• Parameterized codeql queries

  #17005 commented on Jul 19, 2024 • 0 new comments

• CodeQL configuration steps for Windows driver testing is giving an error

  #16837 commented on Jul 19, 2024 • 0 new comments

• False positive "Uncontrolled data used in path expression" in C code

  #16983 commented on Jul 18, 2024 • 0 new comments

• error: expression preceding parentheses of apparent call must have (pointer-to-) function type

  #17009 commented on Jul 18, 2024 • 0 new comments