Insights: github/codeql
Overview
23 Pull requests merged by 14 people
-
C++: Refactor `ProductFlow` to have a `DataFlow::ConfigSig`-like interface
#12615 merged
Apr 6, 2023 -
Actions: Add workflow to fast-forward tracking branch for latest CodeQL release
#12771 merged
Apr 6, 2023 -
C++: Fix number of join order problems in memory corruption queries
#12777 merged
Apr 6, 2023 -
Java: test GeneratedVsManualCoverage query on top 500 JDK APIs
#12680 merged
Apr 6, 2023 -
Java: Update MaD Declarations after Triage
#12727 merged
Apr 6, 2023 -
Bump tree-sitter from 0.20.9 to 0.20.10 in /ql
#12775 merged
Apr 6, 2023 -
Swift: Modernize the encryption queries
#12764 merged
Apr 6, 2023 -
C++: Fix FN in `cpp/tainted-arithmetic`
#12779 merged
Apr 6, 2023 -
Ruby/QL: Bump clap to 4.0
#12774 merged
Apr 6, 2023 -
Ruby: update tree-sitter to 0.20.10
#12776 merged
Apr 6, 2023 -
Update CSV framework coverage reports
#12773 merged
Apr 6, 2023 -
Ruby/QL: Share dbscheme generation code
#12765 merged
Apr 5, 2023 -
Post-release preparation for codeql-cli-2.12.6
#12762 merged
Apr 5, 2023 -
Java: Update MaD Declarations after Triage
#12691 merged
Apr 5, 2023 -
Swift: Convert dataflow / taint tests to DataFlow::ConfigSig.
#12769 merged
Apr 5, 2023 -
Swift: Update final two queries to use `DataFlow::ConfigSig`
#12763 merged
Apr 5, 2023 -
C++: Deprecate single-parameter `getFieldExpr` and `getElementExpr`
#12758 merged
Apr 4, 2023 -
Swift: Rewrite more queries to use `DataFlow::ConfigSig`
#12749 merged
Apr 4, 2023 -
C++: IR generation for repeated initializers
#12755 merged
Apr 4, 2023 -
Go: Add more JWT sinks
#12396 merged
Apr 4, 2023 -
C++: Promote IR-based range-analysis library out of experimental
#12747 merged
Apr 4, 2023 -
Fix miscellaneous errors highlighted by QL-for-QL
#12246 merged
Apr 4, 2023 -
Ruby: Minor fix in NetHttpRequest
#12730 merged
Apr 4, 2023
15 Pull requests opened by 15 people
-
C++: Consider ArrayExpr with non-constant size expressions as a BufferAccess
#12752 opened
Apr 4, 2023 -
JS: Fix parsing of 'get' or 'set' pattern with a default value
#12759 opened
Apr 4, 2023 -
Swift: route compiler diagnostics through our log
#12760 opened
Apr 4, 2023 -
Merge `rc/3.9` back to `main`
#12768 opened
Apr 5, 2023 -
JS: Rename InsufficientPasswordHash_CryptoJS_fixed to InsufficientPasswor…
#12772 opened
Apr 5, 2023 -
Shared yaml lib
#12780 opened
Apr 6, 2023 -
Javascript: Add new queries for Javascript actions
#12781 opened
Apr 6, 2023 -
Ruby: port `py/weak-sensitive-data-hashing`
#12782 opened
Apr 6, 2023 -
Go: hide summary nodes from path explanations
#12783 opened
Apr 6, 2023 -
Swift: Extract structured keypath components.
#12784 opened
Apr 6, 2023 -
Update CSV framework coverage reports
#12785 opened
Apr 7, 2023 -
Ruby/QL: Merge extractor binaries
#12786 opened
Apr 7, 2023 -
JS: Add New XSS sink - Next.js router.push/replace
#12787 opened
Apr 8, 2023 -
Create Mine
#12788 opened
Apr 8, 2023 -
Turn inline expectation test into a parameterized module
#12789 opened
Apr 8, 2023
2 Issues closed by 1 person
-
False negatives: arithmetic tainted for c++
#12770 closed
Apr 6, 2023 -
False positive: CWE-78 OS Command Injection
#12753 closed
Apr 4, 2023
2 Issues opened by 2 people
-
Broken Links for FlowExploration
#12761 opened
Apr 4, 2023 -
Started to see a message on each PR about a new CodeQL configuration
#12754 opened
Apr 4, 2023
18 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Swift: introduce usage of binlog
#12745 commented on
Apr 6, 2023 • 23 new comments -
JS: Add more sources, more unit tests, fixes to the GitHub Actions injection query
#12748 commented on
Apr 7, 2023 • 12 new comments -
C++: add overflow detection to new range analysis
#12599 commented on
Apr 10, 2023 • 7 new comments -
Java: Update MaD Declarations after Triage
#12726 commented on
Apr 6, 2023 • 5 new comments -
Java: Finish dataflow refactor
#12751 commented on
Apr 10, 2023 • 5 new comments -
Partial URLs should not sanitize against SSRF
#10026 commented on
Apr 5, 2023 • 3 new comments -
Java: Move more dataflow configurations to `*Query.qll` files
#12721 commented on
Apr 10, 2023 • 3 new comments -
MSBuild doesn't respect MvcBuildViews-setting in .csproj -file when run through CodeQL-cli or through codeql github action
#11890 commented on
Apr 5, 2023 • 2 new comments -
C++: Implement use-after-free and double-free queries using the new IR use-use dataflow
#12569 commented on
Apr 6, 2023 • 2 new comments -
Ruby scanning job hangs forever and doesn't complete on Ubuntu-latest
#12349 commented on
Apr 5, 2023 • 1 new comment -
Java: add ssrf models discovered with heuristics
#12155 commented on
Apr 7, 2023 • 1 new comment -
Go: add memoryAllocationDos query
#12663 commented on
Apr 4, 2023 • 1 new comment -
Java: add summary model for `UnsupportedOperationException(String)` constructor
#12739 commented on
Apr 6, 2023 • 1 new comment -
C++: Fix global flow without an SSA definition
#12740 commented on
Apr 5, 2023 • 1 new comment -
DO NOT MERGE: C++: Replace simple range analysis uses by semantic range analysis uses
#12505 commented on
Apr 6, 2023 • 0 new comments -
C#: Add local filesystem writes as External Location sinks
#12658 commented on
Apr 5, 2023 • 0 new comments -
Swift: turn extractor into a `swift-frontend` plugin
#12713 commented on
Apr 5, 2023 • 0 new comments -
Swift: Closure Capture Flow
#12736 commented on
Apr 4, 2023 • 0 new comments