Insights: github/codeql

56 Pull requests merged by 21 people

• C++/Swift: Rewrite inline expectation tests to use the parameterized module

  #13269 merged May 24, 2023

• C++: Add `cpp/invalid-pointer-deref` FP test case

  #13271 merged May 24, 2023

• Docs: Late inlining now supported for member predicates

  #13274 merged May 24, 2023

• Swift: make only certain elements hideable in the AST

  #13249 merged May 24, 2023

• Ruby: Include both `self` parameters and SSA definitions in call graph construction

  #13251 merged May 24, 2023

• Ruby: fix some name clashes between summarized callables

  #13265 merged May 24, 2023

• Fix "Introducing the JavaScript libraries" query12.qll and add test case

  #13176 merged May 24, 2023

• Java: Tweak java.nio.file.Files.copy models

  #13248 merged May 24, 2023

• C++: Modernize `PrintIR` for local dataflow

  #13266 merged May 24, 2023

• C#: Entity framework. Convert DbSet summaries to MaD models.

  #13085 merged May 24, 2023

• Ruby: Include underlying SSA parameter definition in `localFlowSsaParamCaptureInput`

  #13255 merged May 24, 2023

• Add forgotten classes related to the legacy `InlineExpectationsTest`class

  #13261 merged May 24, 2023

• C++: Promote the product-dataflow library out of experimental

  #13244 merged May 23, 2023

• C++: Fix more pointer/pointee conflation

  #13246 merged May 23, 2023

• JS/Ruby/QL/Python: sync dbscheme fragments

  #13154 merged May 23, 2023

• C++: Rewrite flow test common to use inline expectation test module

  #13260 merged May 23, 2023

• move section on signatures in the QL specification

  #13264 merged May 23, 2023

• update QL specification on annotations for parameterised modules

  #13263 merged May 23, 2023

• Java: Add constraint to `HostnameSanitizingPrefix` to prevent false negatives in SSRF queries

  #13097 merged May 23, 2023

• Hotfix: Go: exclude method receivers from dead-store-of-field query

  #13257 merged May 23, 2023

• Swift: remove unneeded properties from `InterpolatedStringLiteralExpr`

  #13238 merged May 23, 2023

• Swift: Make the cleartext logging query consistent with other cleartext-* queries.

  #13163 merged May 23, 2023

• Turn inline expectation test into a parameterized module

  #12789 merged May 23, 2023

• Swift: Add EnumDecl.getEnumElement(_)

  #13213 merged May 23, 2023

• Java: Make inputStreamWrapper consider supertypes transitively

  #13091 merged May 23, 2023

• C#: System.DateTime defaults.

  #13202 merged May 23, 2023

• Hotfix: Go: count passing to a vararg function as escaping

  #13250 merged May 23, 2023

• Swift: trigger workflow on `codeql-cli-*`

  #13252 merged May 23, 2023

• Release preparation for version 2.13.3

  #13243 merged May 23, 2023

• [Python] Add Unicode Bypass Validation query tests and help

  #12991 merged May 23, 2023

• Update CSV framework coverage reports

  #13245 merged May 23, 2023

• ReDoS: add another example to the qhelp in poly-redos, showing how to just limit the length of the input

  #13164 merged May 23, 2023

• JS: Support sub modules

  #12975 merged May 23, 2023

• Bump regex from 1.8.1 to 1.8.2 in /ql

  #13247 merged May 23, 2023

• C++: Include inline namespaces in `StdNamespace`

  #13234 merged May 22, 2023

• Ruby: Allow for flow out of callbacks passed to summarized methods in type tracking

  #13233 merged May 22, 2023

• C++: Add `cpp/invalid-pointer-deref` false positives

  #13237 merged May 22, 2023

• repair and update the Identifier section of the QL specification

  #13236 merged May 22, 2023

• C++: Add FP testcase for `cpp/overrun-write`

  #13229 merged May 22, 2023

• Swift: fix hidden AST getters

  #13232 merged May 22, 2023

• JS: require arguments to be shell interpreted to be flagged by indirect-command-injection

  #13196 merged May 22, 2023

• Java: Add TemplateEngine.createTemplate as a Groovy injection sink

  #13230 merged May 22, 2023

• Ruby: Allow for flow through callbacks to summarized methods in type tracking

  #13231 merged May 22, 2023

• Swift: Use asNominalTypeDecl more.

  #13223 merged May 19, 2023

• add syntax for signature definitions to QL specification

  #13222 merged May 19, 2023

• Swift: Drop support for plaintext diagnostics (and `helpLinks`).

  #13224 merged May 19, 2023

• Swift: reword TSP diagnostics after doc team review

  #13186 merged May 19, 2023

• Swift: Taint model for FilePath

  #13221 merged May 19, 2023

• Update CSV framework coverage reports

  #13220 merged May 19, 2023

• Swift: Emit diagnostics on assertion/expectation violations.

  #13170 merged May 18, 2023

• C++: Replace `C18` with `C17` in documentation

  #13218 merged May 18, 2023

• C++: Small cleanup of `cpp/overrun-write`

  #13217 merged May 18, 2023

• Java: Add SQLi sinks for Spring JDBC

  #13140 merged May 18, 2023

• C++: Fix pointer/pointee conflation

  #13191 merged May 18, 2023

• C++: Update documentation for `TypeMention`

  #13215 merged May 18, 2023

• C++: Use range analysis-based `hasSize` predicate in `cpp/invalid-pointer-deref`

  #13203 merged May 18, 2023

19 Pull requests opened by 13 people

• C++: Quotient dataflow nodes by an equivalence relation

  #13219 opened May 18, 2023

• Java: Migrate path injection sinks to models-as-data (simplified)

  #13225 opened May 19, 2023

• C++: fix equality refinement in new range analysis

  #13226 opened May 19, 2023

• Java: Add autogenerated models for frameworks related to Jenkins

  #13227 opened May 19, 2023

• Java: add error message for deprecated sink kinds in `getInvalidModelKind`

  #13228 opened May 19, 2023

• Java: Add Hudson models

  #13235 opened May 22, 2023

• Java: Add QL support for automodel application mode

  #13239 opened May 22, 2023

• Swift: reorganize `VarDecl` instances within `BraceStmt`

  #13240 opened May 22, 2023

• Java: Model the Stapler framework

  #13256 opened May 23, 2023

• Codegen: allow `synth` properties of non-`synth` classes

  #13258 opened May 23, 2023

• Ruby: Refactor and slightly expand `ActionDispatch` modelling

  #13259 opened May 23, 2023

• C#: Re-factor getComponent.

  #13262 opened May 23, 2023

• C++: Promote `cpp/overrun-write` out of experimental

  #13267 opened May 23, 2023

• Swift: add CFG and PrintAst consistency queries, enabling them in CI

  #13270 opened May 24, 2023

• Post-release preparation for codeql-cli-2.13.3

  #13272 opened May 24, 2023

• Dataflow: Refactor FlowSummaryImpl to synthesize nodes independently from DataFlow::Node.

  #13273 opened May 24, 2023

• Kotlin 1.9 support

  #13275 opened May 24, 2023

• Swift: Add path injection sinks for sqlite3 and SQLite.swift

  #13276 opened May 24, 2023

• Swift: add consistency check and accept results for the moment

  #13277 opened May 24, 2023

5 Issues closed by 4 people

• [Java]: False positive CodeQL searches result is less according to the rules than the java code actually has🥺🥺

  #12715 closed May 24, 2023

• Go: RangeStmt declaring variables with := does not contain a DefineStmt

  #13241 closed May 23, 2023

• Issue with decoding bqrs file to a human readable format

  #13047 closed May 19, 2023

• CPP: TypeMention only covers mentions of user-defined types

  #13214 closed May 18, 2023

• Kind error in /go/ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.ql

  #13171 closed May 18, 2023

1 Issue opened by 1 person

• "Finding definitions" in non-ql files

  #13254 opened May 23, 2023

25 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• [Ruby] Add Unicode Bypass Validation query, test and help file

  #12992 commented on May 24, 2023 • 21 new comments

• Shared: Add stubs for `identify-environment` scripts

  #13211 commented on May 23, 2023 • 14 new comments

• C/C++: how to optimize function pointer tracing?

  #13198 commented on May 23, 2023 • 12 new comments

• C++: stitch paths and ignore cast arrays in constant off-by-one query

  #13045 commented on May 22, 2023 • 5 new comments

• CPP: Add query for CVE-2022-37454: Integer addition may overflow inside if statement

  #12036 commented on May 19, 2023 • 3 new comments

• Ruby: Add SQL Injection Sinks

  #12832 commented on May 24, 2023 • 3 new comments

• C#: Use synthetic global in the EntityFramework code instead of jump steps.

  #13147 commented on May 24, 2023 • 3 new comments

• Kotlin: Refactor extractTypeAccessRecursive

  #13210 commented on May 23, 2023 • 2 new comments

• [CPP][Questions]No effective API to qeury macro used in function parameter declaration

  #8497 commented on May 17, 2023 • 1 new comment

• CodeQL for unity

  #11791 commented on May 24, 2023 • 1 new comment

• Java: Refactor path injection sinks

  #12886 commented on May 19, 2023 • 1 new comment

• JS: update MaD sink kinds

  #13157 commented on May 19, 2023 • 1 new comment

• C#: update MaD sink kinds

  #13158 commented on May 22, 2023 • 1 new comment

• [Java] Add basic support for Google's Gson library

  #13179 commented on May 18, 2023 • 1 new comment

• cpp: Add basic GSSAPI memory leak query

  #13189 commented on May 17, 2023 • 1 new comment

• Java: add some neutral models discovered with heuristics

  #12249 commented on May 22, 2023 • 0 new comments

• Swift: Model Sequence.withContiguousStorageIfAvailable

  #12416 commented on May 23, 2023 • 0 new comments

• Swift: mangle types

  #12433 commented on May 24, 2023 • 0 new comments

• JS: Add support for TS 5.1

  #12874 commented on May 22, 2023 • 0 new comments

• Ruby: Remove canonical return nodes

  #12964 commented on May 24, 2023 • 0 new comments

• [Draft] [C#] Add query for missing function level access control

  #13094 commented on May 23, 2023 • 0 new comments

• ReDoS: revert new superlinear algorithm.

  #13127 commented on May 24, 2023 • 0 new comments

• ruby/python: Shared module for typetracking through flow summaries

  #13178 commented on May 22, 2023 • 0 new comments

• Swift: Adopt the shared sensitive data library

  #13190 commented on May 23, 2023 • 0 new comments

• python: Container summaries, part 2

  #13209 commented on May 24, 2023 • 0 new comments