Insights: github/codeql

80 Pull requests merged by 24 people

• Post-release preparation for codeql-cli-2.11.0

  #10565 merged Sep 23, 2022

• Swift: fix regression.

  #10564 merged Sep 23, 2022

• Minor updates to reflect recommendations for Python support

  #10553 merged Sep 23, 2022

• C++: Fix missing bounds in range analysis

  #10555 merged Sep 23, 2022

• C++: Further work on buffer-overflow queries

  #10398 merged Sep 23, 2022

• Kotlin: Simplify trapFilePathForDecl

  #10556 merged Sep 23, 2022

• Release preparation for version 2.11.0

  #10543 merged Sep 23, 2022

• New atm features rebased

  #10018 merged Sep 23, 2022

• Swift: Add full stop at the end of alert-messages

  #10551 merged Sep 23, 2022

• Kotlin: Fix non-nested local class extraction

  #10549 merged Sep 23, 2022

• C#: Fix join order in InterpretedCallable characteristic predicate.

  #10433 merged Sep 23, 2022

• C# Integration test validations for `dotnet run`.

  #10540 merged Sep 23, 2022

• Python: Model `flask.jsonify`

  #10535 merged Sep 23, 2022

• JS: Add generated typings to SQL models

  #10253 merged Sep 23, 2022

• Data flow: Guard against `viableImplInCallContext` not being a subset of `viableCallable`

  #10505 merged Sep 23, 2022

• Final mergeback from `rc/3.7`

  #10532 merged Sep 22, 2022

• Update qlpack properties descriptions

  #10458 merged Sep 22, 2022

• QL: A few more improvements to `ql/alert-message-style-violation`

  #10529 merged Sep 22, 2022

• JS: Remove old Portal-based flow summary implementation

  #10490 merged Sep 22, 2022

• JS: Try to parse files without using our parser extensions before enabling the extensions

  #10470 merged Sep 22, 2022

• Ruby: RBI library changes to support models-as-data model generation

  #9932 merged Sep 22, 2022

• Java: Delete some unused code

  #10486 merged Sep 22, 2022

• Ruby: Add post-update nodes for compound arguments

  #10444 merged Sep 22, 2022

• Ruby: use consistent capitalization with `import ... as`

  #10531 merged Sep 22, 2022

• C#: Prepend `-p:UseSharedCompilation=false` instead of append for `dotnet run`

  #10469 merged Sep 22, 2022

• Kotlin: Tolerate kotlinc versions like 1.7.20-Beta

  #10530 merged Sep 22, 2022

• Ruby: add Hash.from_trusted_xml as an unsafe deserialization sink

  #10512 merged Sep 22, 2022

• Ruby: Two fixes for `private` methods

  #10504 merged Sep 22, 2022

• Swift: update Swift frontend to 5.7

  #10522 merged Sep 22, 2022

• Ruby: Add query for debugging regexp flow

  #10517 merged Sep 22, 2022

• Bump actions/stale from 5 to 6

  #10527 merged Sep 22, 2022

• Swift: express the schema in Python

  #10516 merged Sep 22, 2022

• Update section on query specifiers

  #10500 merged Sep 21, 2022

• QL: improve the `ql/alert-message-style-violation` query.

  #10513 merged Sep 21, 2022

• Aeisenberg/merge rc3.7 into main

  #10496 merged Sep 21, 2022

• Kotlin: Extract `suspend` functions

  #10473 merged Sep 21, 2022

• Swift: fix `IfConfigDecl` in QL libraries

  #10511 merged Sep 21, 2022

• Kotlin: Tidy up TrapLocker

  #10495 merged Sep 21, 2022

• Kotlin: Catch exception thrown by kotlinc

  #10353 merged Sep 21, 2022

• Swift: skip one more unsupported CLI arg

  #10488 merged Sep 21, 2022

• Ruby: Do not expose AST layer through `ruby.qll`

  #10376 merged Sep 21, 2022

• C#: Integration test(s)

  #10465 merged Sep 21, 2022

• Swift: move toposort in `schema.py`

  #10508 merged Sep 21, 2022

• C++: Multiple minor improvements to the cpp/cleartext-* queries

  #10300 merged Sep 21, 2022

• Ruby: Fix bad join-order

  #10491 merged Sep 21, 2022

• GO: make the alert messages of taint-tracking queries more consistent

  #10413 merged Sep 21, 2022

• Update CSV framework coverage reports

  #10501 merged Sep 21, 2022

• RB: make the alert messages of taint-tracking queries more consistent

  #10304 merged Sep 20, 2022

• Python: Fix imports for tarslip tests

  #10494 merged Sep 20, 2022

• Python: `getStarArg` gives first `*args` argument

  #10387 merged Sep 20, 2022

• Swift: do not extract unresolved things from `IfConfigDecl`

  #10386 merged Sep 20, 2022

• Bazel: add some bazel files to `CODEOWNERS`

  #10492 merged Sep 20, 2022

• C++: Add shared files in `experimental` to `identical-files.json`.

  #10487 merged Sep 20, 2022

• JS: change alert messages of path queries to use the same template

  #10286 merged Sep 20, 2022

• Java: Promote Server-side template injection from experimental

  #10352 merged Sep 20, 2022

• Swift: remove (dead) VFS related code

  #10452 merged Sep 20, 2022

• Swift: trigger workflows on bazel changes

  #10482 merged Sep 20, 2022

• Ruby: Rework call graph implementation

  #10336 merged Sep 20, 2022

• Swift: Fix missing results in swift/cleartext-storage-database

  #10430 merged Sep 20, 2022

• Ruby: model ActionView::FileSystemResolver as a FileSystemAccess

  #10450 merged Sep 20, 2022

• Python dataflow: flow summaries restart

  #8781 merged Sep 20, 2022

• Swift: fix version in integration tests

  #10485 merged Sep 20, 2022

• JS: filter out "file read after existence check" from js/file-system-race

  #10471 merged Sep 20, 2022

• ruby: remove unused predicate from NfaUtilsSpecific

  #10476 merged Sep 20, 2022

• Java: Improve and add predicates and classes for annotations

  #6246 merged Sep 20, 2022

• update the style guide on alert-messages

  #10405 merged Sep 20, 2022

• Go: Fix source/sanitizer class that were never used

  #10475 merged Sep 20, 2022

• JS: don't mention classes that don't exist in TaintTracking.qll

  #10472 merged Sep 20, 2022

• Java: really return a unique location for non-source entities

  #10457 merged Sep 20, 2022

• C++: Add a `cpp/invalid-pointer-deref` query to experimental

  #10438 merged Sep 20, 2022

• Swift: open(2) interception

  #10447 merged Sep 20, 2022

• C#: Theorems for Free - Model generation

  #10238 merged Sep 20, 2022

• Add redirect for removed 'About QL packs' article

  #10468 merged Sep 19, 2022

• C#: Remove `dotnet run` support in LUA tracer.

  #10464 merged Sep 19, 2022

• Python: Allow `CallNode.getArgByName` for keyword args after `**kwargs`

  #10384 merged Sep 19, 2022

• ensure consistent casing of names

  #10312 merged Sep 19, 2022

• python: Port `RaisingTuple.ql` to not use `points-to`

  #10264 merged Sep 19, 2022

• python: port UnguardedNextInIterator from `points-to` to API graph

  #10265 merged Sep 19, 2022

• python: rewrite CatchingBaseException from `points-to` to API graph

  #10266 merged Sep 19, 2022

• JS: Fix FP in js/regexp/always-matches

  #10396 merged Sep 19, 2022

30 Pull requests opened by 22 people

• Kotlin: Add test cases for argument-parameter mismatch

  #10477 opened Sep 19, 2022

• Java: add Android service sources

  #10479 opened Sep 19, 2022

• Update supported language codes

  #10480 opened Sep 19, 2022

• Update bazel to v5.3.1

  #10481 opened Sep 19, 2022

• Java: Improve `ImportStaticTypeMember` and `ImportStaticOnDemand`

  #10497 opened Sep 20, 2022

• Java: Add `CompilationUnit.getATypeAvailableBySimpleName()`

  #10498 opened Sep 20, 2022

• Java: Add `getJavadoc` predicate for `JavadocParent` and `JavadocElement`

  #10499 opened Sep 20, 2022

• Kotlin: Fix type access expressions in enum constructor calls

  #10506 opened Sep 21, 2022

• CPP: Make more alert-messages follow the style guide

  #10507 opened Sep 21, 2022

• C#: Add test case for `JsonConvert.DeserializeObject` in interpolated string

  #10509 opened Sep 21, 2022

• C++: Fix FPs for cpp/unused-static-function in files that were not extracted completely

  #10510 opened Sep 21, 2022

• Run tests

  #10515 opened Sep 21, 2022

• Kotlin: Fix comment extraction for anonymous objects

  #10520 opened Sep 21, 2022

• Java: Disable Kotlin element of test re: database inconsistency exposed by JDK18 extractor upgrade

  #10523 opened Sep 21, 2022

• Java: Update the alert messages to better follow the style guide

  #10528 opened Sep 22, 2022

• Java: Add support for java.util.StringJoiner

  #10533 opened Sep 22, 2022

• Swift: check for using ECB encryption mode

  #10536 opened Sep 22, 2022

• Ruby: Model flow through ActionController::Parameters

  #10538 opened Sep 22, 2022

• Python: add subscript to API graphs

  #10539 opened Sep 22, 2022

• Kotlin unit tests: use best plugin version compatible with environment kotlinc

  #10542 opened Sep 22, 2022

• Bump actions/upload-artifact from 2 to 3

  #10545 opened Sep 23, 2022

• Ruby: Add call graph tests for unsupported constructs

  #10548 opened Sep 23, 2022

• C++: New Query `cpp/comma-before-misleading-indentation`

  #10550 opened Sep 23, 2022

• C#: Consider DateTime as simple type sanitizer.

  #10554 opened Sep 23, 2022

• C#: Update the alert messages to better follow the style guide #10528

  #10557 opened Sep 23, 2022

• Java: Improve performance of StaticInitializationVector.

  #10558 opened Sep 23, 2022

• Ruby: some improvements

  #10559 opened Sep 23, 2022

• Ruby: add YAML.load_file as an unsafe deserialization sink

  #10560 opened Sep 23, 2022

• Go: Use a consistent query identifier for successfully extracted files

  #10561 opened Sep 23, 2022

• C++: prototype for off-by-one in array-typed field

  #10562 opened Sep 23, 2022

8 Issues closed by 5 people

• LGTM.com - false positive: `js/prototype-polluting-assignment`

  #10552 closed Sep 23, 2022

• LGTM.com - false positivehe alert on the project page on LGTM.com

  #10547 closed Sep 23, 2022

• LGTM.com - false positive

  #10546 closed Sep 23, 2022

• Expected exactly one pattern. [INVALID_RESULT_PATTERNS]

  #10484 closed Sep 20, 2022

• LGTM.com - false positive

  #10462 closed Sep 20, 2022

• Query evaluation ran out of Java heap

  #10432 closed Sep 19, 2022

• C:FunctionCall has different name from its in source code

  #10467 closed Sep 19, 2022

• General issue

  #10463 closed Sep 17, 2022

5 Issues opened by 4 people

• Javascript GetAChainedMethodCall

  #10544 opened Sep 22, 2022

• C: Question aboutDataFlow Analyse

  #10534 opened Sep 22, 2022

• codeql resolve qlpacks hangs

  #10526 opened Sep 22, 2022

• How to customize the results of @kind: path-problem ?

  #10493 opened Sep 20, 2022

• CPP: Missing code in database

  #10466 opened Sep 17, 2022

25 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Ruby: type-tracking and API edges through simple library callables

  #10375 commented on Sep 23, 2022 • 21 new comments

• Update the analyze databases article

  #10459 commented on Sep 22, 2022 • 17 new comments

• Java: CWE-552 Query to detect unsafe resource loading in Java Spring applications

  #9199 commented on Sep 23, 2022 • 13 new comments

• Java: Android deeplink analysis

  #10368 commented on Sep 23, 2022 • 7 new comments

• Kotlin: Implement JvmOverloads annotation

  #9811 commented on Sep 23, 2022 • 6 new comments

• Ruby: Context sensitive instance method resolution

  #10358 commented on Sep 23, 2022 • 5 new comments

• Ruby: add `rb/sensitive-get-query` query

  #10369 commented on Sep 23, 2022 • 5 new comments

• General issue (No source was seen and extracted)

  #10132 commented on Sep 21, 2022 • 4 new comments

• Java: Promote `PathSanitizer.qll` from experimental

  #10177 commented on Sep 21, 2022 • 4 new comments

• Java: New Android query to detect unsafe content URI resolution

  #10223 commented on Sep 21, 2022 • 4 new comments

• Java: Add query for WebView debugging enabled

  #10241 commented on Sep 23, 2022 • 2 new comments

• JS: expand localFieldStep to use access-paths, and build access-paths in more cases

  #10378 commented on Sep 22, 2022 • 2 new comments

• CPP：Some questions about Control flow analyse and query time

  #10411 commented on Sep 20, 2022 • 1 new comment

• Scala Compatibility

  #4365 commented on Sep 22, 2022 • 1 new comment

• Python: Add dataflow consistency query

  #8457 commented on Sep 23, 2022 • 1 new comment

• Bump actions/setup-python from 3 to 4

  #10346 commented on Sep 23, 2022 • 1 new comment

• C#: Dynamically create type based summaries

  #10436 commented on Sep 22, 2022 • 1 new comment

• Java: JavadocTag does not contain multi-line JavadocText children

  #3825 commented on Sep 19, 2022 • 0 new comments

• Java: Add Import.getATypeImport

  #4119 commented on Sep 20, 2022 • 0 new comments

• QL: detect unqueryable code

  #8454 commented on Sep 20, 2022 • 0 new comments

• Add a test file

  #9967 commented on Sep 23, 2022 • 0 new comments

• Ruby: Model Activestorage

  #10090 commented on Sep 20, 2022 • 0 new comments

• Python: New call-graph based on type-trackers [still WIP]

  #10148 commented on Sep 23, 2022 • 0 new comments

• Ruby: Model ActionView

  #10316 commented on Sep 20, 2022 • 0 new comments

• Ruby: Treat ActiveRecord::Base.create as a model instantiation

  #10338 commented on Sep 20, 2022 • 0 new comments