Insights: github/codeql
Overview
36 Pull requests merged by 20 people
-
Swift: Add CryptoSwift sinks in swift/weak-sensitive-data-hashing
#12824 merged
Apr 14, 2023 -
Java: Finish dataflow refactor
#12751 merged
Apr 14, 2023 -
C++: Consider ArrayExpr with non-constant size expressions as a BufferAccess
#12752 merged
Apr 14, 2023 -
C#: Re-factor dataflow queries to use the new API.
#12803 merged
Apr 14, 2023 -
Release preparation for version 2.13.0
#12831 merged
Apr 14, 2023 -
Go: Partial URLs should not sanitize against SSRF
#10026 merged
Apr 14, 2023 -
JS: add browser history as XSS sink
#12802 merged
Apr 14, 2023 -
Bump all qlpacks major versions
#12823 merged
Apr 14, 2023 -
C++: Promote `cpp/redundant-null-check-simple` to Code Scanning
#12822 merged
Apr 13, 2023 -
Swift: Add CSV extension points to the encryption queries.
#12794 merged
Apr 13, 2023 -
Java: update provenance of `Connection#nativeSQL` sink to "hq-manual"
#12820 merged
Apr 13, 2023 -
Release preparation for version 2.13.0
#12819 merged
Apr 13, 2023 -
Java: Refactor experimental queries to new DataFlow API
#12808 merged
Apr 13, 2023 -
Java/C# : Enhance provenance.
#12595 merged
Apr 13, 2023 -
Merge `rc/3.9` into `main`
#12816 merged
Apr 13, 2023 -
Java: Add tests for SensitiveActions and fix getCommonSensitiveInfoRegex
#12813 merged
Apr 13, 2023 -
Python: Clarify version data
#12796 merged
Apr 13, 2023 -
C#: Re-factor queries to use the new API.
#12723 merged
Apr 13, 2023 -
Java: Add command-injection sink kind and refactor command injection queries
#12685 merged
Apr 13, 2023 -
C#: Re-factor data flow unit tests to use the new API.
#12732 merged
Apr 13, 2023 -
ATM: Remove legacy model integration PR checks
#12814 merged
Apr 13, 2023 -
QL: Don't warn about cached predicates possibly being inlined
#12810 merged
Apr 13, 2023 -
Go: mass-convert taint-flow models to models-as-data format (with `viableParamArgSpecific` hook)
#12750 merged
Apr 12, 2023 -
C++: Fix joins in `cpp/constant-array-overflow`
#12800 merged
Apr 12, 2023 -
JS: use 1-based column locations for diagnostics
#12799 merged
Apr 12, 2023 -
Swift: Extract structured keypath components.
#12784 merged
Apr 12, 2023 -
JS: add getForwardingFunction and use to sharpen useSelector model
#12792 merged
Apr 12, 2023 -
JS: Add New XSS sink - Next.js router.push/replace
#12787 merged
Apr 12, 2023 -
C#: Re-factor CleartextStorage to use the new API.
#12731 merged
Apr 12, 2023 -
Update CSV framework coverage reports
#12798 merged
Apr 12, 2023 -
Java: add summary model for `UnsupportedOperationException(String)` constructor
#12739 merged
Apr 11, 2023 -
JS: Fix parsing of 'get' or 'set' pattern with a default value
#12759 merged
Apr 11, 2023 -
Go: hide summary nodes from path explanations
#12783 merged
Apr 11, 2023 -
Merge `rc/3.9` back to `main`
#12768 merged
Apr 11, 2023 -
Update CSV framework coverage reports
#12785 merged
Apr 11, 2023 -
Java: Update MaD Declarations after Triage
#12726 merged
Apr 11, 2023
22 Pull requests opened by 16 people
-
Turn inline expectation test into a parameterized module
#12789 opened
Apr 8, 2023 -
JavaScript: switch to shared YamlPopulator
#12793 opened
Apr 11, 2023 -
Python: type track through flow summaries
#12795 opened
Apr 11, 2023 -
Ruby: restrict join order of API graph predicates
#12804 opened
Apr 12, 2023 -
Remove all `queries.xml` files
#12805 opened
Apr 12, 2023 -
Java: Add missing write-file models for Java IO / NIO
#12806 opened
Apr 12, 2023 -
Swift: Dataflow for keypaths
#12807 opened
Apr 12, 2023 -
Java: Refactor Test DataFlow configurations to new API
#12812 opened
Apr 13, 2023 -
C++: Update test expectations after extractor changes
#12815 opened
Apr 13, 2023 -
Dataflow: Refactor the shared library into a qlpack.
#12817 opened
Apr 13, 2023 -
C++: Use the new dataflow library in `cpp/missing-check-scanf`
#12818 opened
Apr 13, 2023 -
Ruby: Add Rails `render inline:` as Template Injection Sink
#12821 opened
Apr 13, 2023 -
JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr…
#12825 opened
Apr 14, 2023 -
JS: Improvements to type-tracking through 'extend' and 'this'
#12826 opened
Apr 14, 2023 -
C#: Re-factor tainttracking and dataflow configurations to use the new API.
#12829 opened
Apr 14, 2023 -
Java: ExtractAutomodelCandidates.ql query
#12830 opened
Apr 14, 2023 -
Ruby: Add SQL Injection Sinks
#12832 opened
Apr 14, 2023 -
Swift: Add some sink models
#12833 opened
Apr 14, 2023 -
Refactor autobuilder
#12834 opened
Apr 14, 2023 -
Go: Refactor to use new module API for DataFlow configurations
#12835 opened
Apr 14, 2023 -
Swift: Downgrade swift/unsafe-js-eval to precision medium.
#12836 opened
Apr 14, 2023 -
Swift: widen swift/predicate-injection sources
#12837 opened
Apr 14, 2023
9 Issues closed by 6 people
-
False positive: go/incorrect-integer-conversion
#12241 closed
Apr 14, 2023 -
csharp Attribute.getNamedArgument doesn't work for parameters
#12809 closed
Apr 13, 2023 -
[question] typescript and alias imports
#11839 closed
Apr 13, 2023 -
Java: `getCommonSensitiveInfoRegex()` pattern might be incorrect
#7636 closed
Apr 13, 2023 -
How to scan Android project?
#12801 closed
Apr 13, 2023 -
Docs: Metadata guides do not mention new `@kind` and `@tag` values
#5827 closed
Apr 12, 2023 -
CONTRIBUTING.md should mention change note creation
#5904 closed
Apr 12, 2023 -
Java: Extractor does not properly report type conversion compilation errors for `codeql test run`
#10118 closed
Apr 12, 2023 -
Java: `Type.getErasure()` erroneously has `Object` as result on some databases
#11264 closed
Apr 12, 2023
3 Issues opened by 3 people
-
Parse errors, no idea how to find the files
#12828 opened
Apr 14, 2023 -
Missing code file generated database using codeql
#12827 opened
Apr 14, 2023 -
Excluding filepaths from CodeQL CLI at analysis
#12811 opened
Apr 12, 2023
20 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
C++: Implement use-after-free and double-free queries using the new IR use-use dataflow
#12569 commented on
Apr 14, 2023 • 46 new comments -
JS: Add more sources, more unit tests, fixes to the GitHub Actions injection query
#12748 commented on
Apr 14, 2023 • 14 new comments -
C++: add overflow detection to new range analysis
#12599 commented on
Apr 13, 2023 • 10 new comments -
Go: add memoryAllocationDos query
#12663 commented on
Apr 11, 2023 • 5 new comments -
Shared yaml lib
#12780 commented on
Apr 13, 2023 • 4 new comments -
Ruby: port `py/weak-sensitive-data-hashing`
#12782 commented on
Apr 14, 2023 • 4 new comments -
C#: Add local filesystem writes as External Location sinks
#12658 commented on
Apr 14, 2023 • 2 new comments -
Ruby/QL: Merge extractor binaries
#12786 commented on
Apr 12, 2023 • 2 new comments -
rejecting SARIF, as there are more threadflow steps per result than allowed (26287 > 10000)
#12717 commented on
Apr 11, 2023 • 1 new comment -
General issue
#12702 commented on
Apr 14, 2023 • 1 new comment -
Java: Add line break sanitizers to java/log-injection
#10707 commented on
Apr 14, 2023 • 1 new comment -
JS: Rename InsufficientPasswordHash_CryptoJS_fixed to InsufficientPasswor…
#12772 commented on
Apr 11, 2023 • 1 new comment -
Javascript: Add new queries for Javascript actions
#12781 commented on
Apr 11, 2023 • 1 new comment -
Go: Allow data flow through varargs parameters
#11732 commented on
Apr 14, 2023 • 0 new comments -
Java: add ssrf models discovered with heuristics
#12155 commented on
Apr 13, 2023 • 0 new comments -
C#: Add static call graph tests
#12262 commented on
Apr 12, 2023 • 0 new comments -
DO NOT MERGE: C++: Replace simple range analysis uses by semantic range analysis uses
#12505 commented on
Apr 13, 2023 • 0 new comments -
Python: Captured variables for type tracking and the API graph
#12537 commented on
Apr 11, 2023 • 0 new comments -
Java: Move more dataflow configurations to `*Query.qll` files
#12721 commented on
Apr 14, 2023 • 0 new comments -
Swift: Closure Capture Flow
#12736 commented on
Apr 11, 2023 • 0 new comments