Insights: github/codeql
Overview
41 Pull requests merged by 18 people
-
YEAST: Allow multiple output nodes and merge in no-children
#14975 merged
Dec 1, 2023 -
yeast: tree output
#14960 merged
Dec 1, 2023 -
yeast: Add a bare-bones binary
#14970 merged
Nov 30, 2023 -
Python: Add support for extraction filters
#14918 merged
Nov 30, 2023 -
Remove unwanted period from query name
#14969 merged
Nov 30, 2023 -
Update CodeQL model editor info for revised UI
#14898 merged
Nov 30, 2023 -
YEAST: Hookup query code
#14971 merged
Nov 30, 2023 -
Swift: move keypath dataflow writes to fix types
#14865 merged
Nov 30, 2023 -
YEAST: Add missing method
#14968 merged
Nov 30, 2023 -
Yeast: Implement matcher and tree builders
#14966 merged
Nov 30, 2023 -
YEAST: implement applyRules
#14967 merged
Nov 30, 2023 -
Java: Add support for Java 21 language features
#14671 merged
Nov 30, 2023 -
YEAST: implement `tryRule` and insert placeholders for `isMatch`, `applyRules`
#14964 merged
Nov 30, 2023 -
YEAST: update some interfaces ahead of merging actual implementations
#14963 merged
Nov 30, 2023 -
Add documentation note on not supporting Objective-C(++), C++/CLI, and C++/CX
#14958 merged
Nov 30, 2023 -
Java: Add test for empty argfile
#14950 merged
Nov 29, 2023 -
Docs: List Python 3.12 as supported
#14946 merged
Nov 29, 2023 -
yeast: update debug format to be more readable
#14949 merged
Nov 29, 2023 -
yeast: parse input into the AST
#14947 merged
Nov 29, 2023 -
C++: Add a new query for calling `c_str` on temporary objects
#14928 merged
Nov 29, 2023 -
JS: Add django template urls as "save urls"
#14943 merged
Nov 29, 2023 -
Mergeback post release changes from the `codeql-cli-2.15.3` branch to `main`
#14942 merged
Nov 28, 2023 -
C++: Expose whether a function was prototyped or not
#14921 merged
Nov 28, 2023 -
Swift: Heuristic sinks for swift/sql-injection
#14797 merged
Nov 28, 2023 -
C#: Prevent infinite recursion in `EqualsModuloTupleElementNames`
#14937 merged
Nov 28, 2023 -
Bump the extractor-dependencies group in /go/extractor with 1 update
#14932 merged
Nov 28, 2023 -
Python: Highlight missing post-update flow for `*args` and `**kwargs`
#14936 merged
Nov 28, 2023 -
C#: Pin integration tests to a specific .NET version.
#14878 merged
Nov 27, 2023 -
Kotlin 2: Accept some location changes in test-kotlin2/library-tests/stmts
#14906 merged
Nov 27, 2023 -
Swift: More sinks for swift/uncontrolled-format-string
#14807 merged
Nov 27, 2023 -
Java Automodel extraction: remove primitives in framework mode
#14849 merged
Nov 27, 2023 -
Swift: final 5.8/5.9 extractions
#14800 merged
Nov 27, 2023 -
C++: Don't exclude `ExprNode`s as sources
#14911 merged
Nov 24, 2023 -
Swift: Flow models for Set
#14908 merged
Nov 24, 2023 -
Swift: "contentsOf" sources
#14879 merged
Nov 24, 2023 -
C++: Remove workaround for negated conditions in `cpp/user-controlled-bypass`
#14907 merged
Nov 24, 2023 -
C++: Do not use `isReturnValue` in `getenv`, `gets`, and `fgets` models
#14903 merged
Nov 24, 2023 -
C++: Rewrite `cpp/user-controlled-bypass` away from `DefaultTaintTracking`
#14896 merged
Nov 24, 2023 -
C++: Add Taint through int -> bool casts
#14904 merged
Nov 24, 2023 -
Ruby: Add tests illustrating missing flow
#14859 merged
Nov 24, 2023 -
Ruby: Add test for missing block flow
#14874 merged
Nov 24, 2023
26 Pull requests opened by 17 people
-
C++: Remove `DefaultTaintTracking` library
#14909 opened
Nov 24, 2023 -
CPP: Add query for detecting incorrect error checking for scanf
#14910 opened
Nov 24, 2023 -
C++: Deprecate `isUserInput`, `userInputArgument`, and `userInputReturned`
#14912 opened
Nov 24, 2023 -
Java: add Spring models
#14913 opened
Nov 27, 2023 -
C++: Add field flow for addresses of fields and use in `cpp/double-free` and `cpp/use-after-free`
#14915 opened
Nov 27, 2023 -
Ruby: Add mysql2 model
#14916 opened
Nov 27, 2023 -
Java: openjdk model autogeneration
#14919 opened
Nov 27, 2023 -
Swift: Imprecise Taint Flows
#14925 opened
Nov 27, 2023 -
Java: Improve Gson parse, get, and stream models
#14926 opened
Nov 27, 2023 -
Fix sphinx.add_lexer.
#14934 opened
Nov 28, 2023 -
Go: improve test unhandled close writable handle
#14938 opened
Nov 28, 2023 -
Kotlin 2: Comment improvements
#14940 opened
Nov 28, 2023 -
Kotlin 2: Accept some location changes
#14941 opened
Nov 28, 2023 -
Python: Basic implementation of variable capture
#14944 opened
Nov 28, 2023 -
C#: Fix a URL redirection from remote source false positive
#14953 opened
Nov 29, 2023 -
32 cpp string concatenation library
#14954 opened
Nov 29, 2023 -
C#: Prefer framework assemblies over arbitrary nuget equivalents
#14957 opened
Nov 30, 2023 -
Kotlin: add support for ktor Framework
#14959 opened
Nov 30, 2023 -
C++: Replace a `strictcount(...)` with `unique(...)`
#14961 opened
Nov 30, 2023 -
Go: Improve tests for Incorrect Integer Conversion
#14962 opened
Nov 30, 2023 -
C# WIP: order conflicting assemblies by version and then .net core version
#14965 opened
Nov 30, 2023 -
C++: Experimental query for implementation of a cryptographic primitive
#14972 opened
Nov 30, 2023 -
Document threat models
#14976 opened
Nov 30, 2023 -
Fix rst code format.
#14977 opened
Dec 1, 2023 -
Prepare for the bazel 7 upgrade.
#14979 opened
Dec 1, 2023 -
YEAST: Disable trace macro expansion feature
#14980 opened
Dec 1, 2023
16 Issues closed by 15 people
-
codeql can't handle chromium dataflow
#14973 closed
Dec 1, 2023 -
VS 17.8.2 compiler not being recognized
#14978 closed
Dec 1, 2023 -
Seeking guidance on detecting null pointer dereferences
#14956 closed
Dec 1, 2023 -
codeql report "ERROR: 'funcName' is not bound to a value" when using `not exist` clause
#14974 closed
Dec 1, 2023 -
Slow performing checks on our repository from Code QL
#14905 closed
Nov 30, 2023 -
Null Pointer deref false positive
#14945 closed
Nov 29, 2023 -
Question: False positive in Path traversal - Java
#14922 closed
Nov 29, 2023 -
Failed to create database on Android
#14404 closed
Nov 29, 2023 -
codeql_cpp QL pack not found
#14917 closed
Nov 29, 2023 -
False positive: "Potentially unsafe external link" with Django template language
#12267 closed
Nov 29, 2023 -
codeql says current master is affected by code injection but shows past commits
#14935 closed
Nov 28, 2023 -
Query pack codeql/go-queries cannot be found
#14884 closed
Nov 28, 2023 -
Will Objective C and Objective C++ be supported in CodeQL?
#14923 closed
Nov 28, 2023 -
General issue:create java project database failed
#14933 closed
Nov 28, 2023 -
Documentation for model YML files
#14920 closed
Nov 27, 2023 -
codeql won't work with chromium special file
#13849 closed
Nov 27, 2023
6 Issues opened by 6 people
-
cpp/memory-may-not-be-freed is not in security-and-quality suite
#14955 opened
Nov 30, 2023 -
False positive: C# URL redirection from remote source
#14952 opened
Nov 29, 2023 -
CodeQL reporting 0 lines of c# code in a simple action
#14951 opened
Nov 29, 2023 -
Failure to create CodeQL database with latest Visual Studio (17.8.1)
#14927 opened
Nov 27, 2023 -
Missing methods and constructors in Java GSON model
#14924 opened
Nov 27, 2023 -
Wrong Pointer Size in Database for Chromium
#14914 opened
Nov 27, 2023
31 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Python: Add dataflow consistency query
#8457 commented on
Nov 28, 2023 • 13 new comments -
DataFlow: Add language-specific predicate for ignoring steps in flow-through calculation
#14799 commented on
Nov 28, 2023 • 9 new comments -
C++: Reduce duplication from crement operations
#14867 commented on
Nov 30, 2023 • 9 new comments -
Python: Decompression Bombs
#13557 commented on
Nov 27, 2023 • 6 new comments -
Go: fasthttp
#14123 commented on
Nov 27, 2023 • 6 new comments -
[CSharp] AWS Lambda Modelling
#13110 commented on
Nov 28, 2023 • 3 new comments -
Go: Decompression Bombs
#13553 commented on
Nov 30, 2023 • 3 new comments -
Swift: implement type pruning for dataflow
#14592 commented on
Nov 29, 2023 • 3 new comments -
C#: Strengthen call-back heuristics by considering body-less methods
#14832 commented on
Nov 28, 2023 • 3 new comments -
General issue Python:Unable to recognize calling a method through an instance member of a class
#14899 commented on
Nov 27, 2023 • 2 new comments -
C++ extractor fails to process code based on Unreal Engine
#13994 commented on
Nov 30, 2023 • 2 new comments -
JS: Add Permissive CORS query (CWE-942)
#14342 commented on
Nov 29, 2023 • 2 new comments -
Move `FlowSummaryImpl.qll` to `dataflow` pack
#14573 commented on
Nov 27, 2023 • 2 new comments -
Go: Switch from def-use flow to use-use flow
#14751 commented on
Nov 30, 2023 • 2 new comments -
Swift: More sinks for swift/cleartext-logging
#14853 commented on
Nov 28, 2023 • 2 new comments -
workflow yml file configuration
#14652 commented on
Nov 25, 2023 • 1 new comment -
A typedef defined with extern "C" prevents CodeQL from finding the TypdefType of a C++ member function's FunctionDeclarationEntry
#14869 commented on
Nov 27, 2023 • 1 new comment -
Few questions about semmle-extractor-options
#14826 commented on
Nov 30, 2023 • 1 new comment -
Add a way for C/C++ code compiled as a part of a CodeQL test to detect it is being tested
#9425 commented on
Nov 30, 2023 • 1 new comment -
Java: Decompression Bombs
#13555 commented on
Nov 29, 2023 • 1 new comment -
Java: Add Weak Randomness Query (CWE-330/338)
#13608 commented on
Nov 29, 2023 • 1 new comment -
C++: Relax the dbscheme for `link_targets/2`
#14897 commented on
Nov 30, 2023 • 1 new comment -
Python : Unable to follow taint through indirect calls
#14842 commented on
Nov 27, 2023 • 0 new comments -
JS: [WIP] Add `dot.js` support
#13624 commented on
Nov 30, 2023 • 0 new comments -
Temporarily run the standalone extractor instead of autobuilding
#14324 commented on
Nov 27, 2023 • 0 new comments -
Swift: extract types for patterns
#14570 commented on
Nov 30, 2023 • 0 new comments -
Ruby: Experimental model editor support
#14679 commented on
Nov 27, 2023 • 0 new comments -
Java: Insecure Loading of Class in Android App without Package Signature Checking
#14752 commented on
Nov 30, 2023 • 0 new comments -
Java: Promote Unsafe URL Forward query from experimental
#14854 commented on
Nov 30, 2023 • 0 new comments -
C#: Extract and use ambiguous type information for call target resolution
#14891 commented on
Dec 1, 2023 • 0 new comments -
C#: Update to .NET 8.
#14892 commented on
Nov 28, 2023 • 0 new comments