44 Pull requests merged by 19 people

• C++: Un-nest the if-then-else sequence.

  #18634 merged Jan 30, 2025

• C++: Support mixed typedefs and usings

  #18606 merged Jan 30, 2025

• QL reference: more BigInt updates

  #18610 merged Jan 30, 2025

• Mergeback from codeql-cli-2.20.3

  #18617 merged Jan 29, 2025

• Go: Fix "Parameter" in models-as-data

  #18565 merged Jan 29, 2025

• Go: miscellaneous improvements rs cors models

  #18543 merged Jan 29, 2025

• Rust: add UseTree::is_star

  #18611 merged Jan 29, 2025

• C++: Fix FPs in cpp/overflow-buffer

  #18615 merged Jan 29, 2025

• C++: Don't infer lambda calls when there is a static dispatch

  #18618 merged Jan 29, 2025

• Shared: Generalize the number of columns in a generated MaD row

  #18612 merged Jan 29, 2025

• Java: Deprecate experimental queries.

  #18299 merged Jan 29, 2025

• Rust: Improve models for environment sources, expect and unwrap

  #18605 merged Jan 29, 2025

• JavaScript CodeQL library updates: new Angular sink(s)

  #18397 merged Jan 29, 2025

• C++: #18592 follow-up

  #18616 merged Jan 28, 2025

• Delete .github/pull_request_template.md

  #18614 merged Jan 28, 2025

• Mergeback from codeql-cli-2.20.2

  #18589 merged Jan 28, 2025

• C++: Don't generate dataflow nodes for functions with summaries

  #18592 merged Jan 28, 2025

• All: delete outdated deprecations

  #18601 merged Jan 28, 2025

• C++: Test and (perhaps) fix an issue with guards on floating point comparisons.

  #18586 merged Jan 28, 2025

• Actions: Improve bash support

  #18540 merged Jan 28, 2025

• Rust: Additional models for Reqwest

  #18602 merged Jan 28, 2025

• Ruby: Implement localMustFlowStep

  #14303 merged Jan 27, 2025

• JS: fix example in clear-text-logging qhelp to actually be bad

  #18595 merged Jan 27, 2025

• Rust: Query for cleartext logging of sensitive information

  #18582 merged Jan 27, 2025

• Go: 1.24 support - Tolerate type parameters on alias types

  #18585 merged Jan 27, 2025

• C#: Verify that downloaded .NET CLIs are executable

  #18570 merged Jan 27, 2025

• Rust: Add two additional control flow tests

  #18590 merged Jan 27, 2025

• C++: Fix join-order problem in UserType::getADeclarationEntry

  #18588 merged Jan 24, 2025

• Add changelog entries for CodeQL CLI versions 2.20.1 to 2.20.3

  #18591 merged Jan 24, 2025

• C# 13: Overload resolution priority.

  #18575 merged Jan 24, 2025

• Ruby: fix and improve diff-informed queries

  #18572 merged Jan 24, 2025

• JS: Add view-component-input threat model

  #18466 merged Jan 24, 2025

• JS: fix and improve diff-informed queries

  #18574 merged Jan 24, 2025

• Add shared basic block library

  #18497 merged Jan 24, 2025

• Actions: Fix version range for known vulnerable actions

  #18560 merged Jan 24, 2025

• Rust: Change array element content type into a general collection element content type

  #18568 merged Jan 24, 2025

• Rust: Take nested functions into account when resolving variables

  #18482 merged Jan 24, 2025

• C++: Fix join order problem in TaintedAllocationSize.

  #18578 merged Jan 23, 2025

• Java: Don't expect logged properties files in source archives

  #18573 merged Jan 23, 2025

• C++: Remove pointer/pointee conflation from models of "pure" functions

  #18556 merged Jan 23, 2025

• Rust: give more options for building in README.md

  #18468 merged Jan 23, 2025

• Rust: Translate more MaD IDs in tests

  #18576 merged Jan 23, 2025

• C++: Fix join-order problem found on IncorrectCheckScanf.ql

  #18561 merged Jan 23, 2025

• C# 13: [TEST ONLY] Implicit index usage in initializers.

  #18562 merged Jan 23, 2025

21 Pull requests opened by 13 people

• Rust: Add initial RuSQLite support

  #18577 opened Jan 23, 2025

• Rust: Implement path resolution in QL

  #18579 opened Jan 23, 2025

• C++: Remove potential FPs for cpp/wrong-type-format-argument in BMN

  #18581 opened Jan 23, 2025

• C#: Update stubs

  #18587 opened Jan 24, 2025

• [Draft] Python: Update NonSelf and NonCls quality queries to not depend on PointsTo

  #18599 opened Jan 27, 2025

• AlertFiltering: add restrictAlertsToExactLocation

  #18603 opened Jan 27, 2025

• Java: Add XSS Sanitizer for `HttpServletResponse.setContentType` with safe values

  #18607 opened Jan 28, 2025

• Rust: use tracing/tracing-subscriber for logging

  #18608 opened Jan 28, 2025

• Rust: Use `PathResolution` module in data flow

  #18609 opened Jan 28, 2025

• C++: Remove FPs in cpp/wrong-type-format-argument caused by no linker awareness

  #18613 opened Jan 28, 2025

• Use inline test expectations for query predicates

  #18620 opened Jan 29, 2025

• Rust: Improve models for environment sources, iterators

  #18621 opened Jan 29, 2025

• JS: Treat more file patterns as tsconfig-like files

  #18622 opened Jan 29, 2025

• JS: Add support for dependency injection in Nest

  #18623 opened Jan 29, 2025

• C#: Remove experimental queries

  #18625 opened Jan 29, 2025

• Java: Remove experimental queries.

  #18626 opened Jan 29, 2025

• Rust: Initial model generation setup

  #18628 opened Jan 29, 2025

• C++: Fix more FPs in `cpp/overflow-buffer`

  #18629 opened Jan 29, 2025

• Rust: Implement basic type inference in QL

  #18632 opened Jan 30, 2025

• Dataflow: Refactor FlowState to be paired with Node

  #18633 opened Jan 30, 2025

• Codegen: Improve return type of self-typed properties

  #18635 opened Jan 30, 2025

4 Issues closed by 3 people

• Kotlin: "CodeQL currently supports versions below 2.1.10"

  #18596 closed Jan 30, 2025

• Relax Version Restrictions for new Kotlin versions

  #18624 closed Jan 30, 2025

• General issue

  #18594 closed Jan 26, 2025

• Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the [contributing guidelines](https://docs.github.com/en/contributing).

  #18583 closed Jan 23, 2025

7 Issues opened by 6 people

• [Java] Detecting the flow into a file within a certain directory

  #18631 opened Jan 30, 2025

• Strange detection on ClientSideUrlRedirect.ql

  #18630 opened Jan 29, 2025

• Experimental CodeInjection query for JavaScript doesn't seem to work

  #18619 opened Jan 29, 2025

• `js/weak-cryptographic-algorithm`/`BrokenCryptoAlgorithm` got 25-30x slower

  #18604 opened Jan 28, 2025

• General issue: missing vulnerability in react application

  #18600 opened Jan 27, 2025

• Analysis on Maven projects failing due to certificate validation error against Maven Central artefacts

  #18598 opened Jan 27, 2025

• RegExpInjection takes 6 hours to scan the TypeScript repo after 2.20.2

  #18584 opened Jan 24, 2025

10 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Ruby/performance queries

  #18304 commented on Jan 29, 2025 • 3 new comments

• C# 13: Partial properties and indexers.

  #18533 commented on Jan 30, 2025 • 3 new comments

• C++ extraction aborted for compiler invocation when using std::format

  #18244 commented on Jan 24, 2025 • 0 new comments

• Swift: Xcode 16 - Library not loaded: @rpath/libSwiftSyntax.dylib

  #17819 commented on Jan 27, 2025 • 0 new comments

• CodeQL: Setting paths in Github Advanced Security for Azure Devops

  #18372 commented on Jan 27, 2025 • 0 new comments

• Better explain how to exclude paths for compiled languages

  #8689 commented on Jan 30, 2025 • 0 new comments

• Go: extract explicit alias types

  #18283 commented on Jan 27, 2025 • 0 new comments

• Java: add CSRF query

  #18288 commented on Jan 30, 2025 • 0 new comments

• Rust/Swift: add integration tests checking env dumping

  #18567 commented on Jan 23, 2025 • 0 new comments

• Ruby: remove some unneeded code from ConditionalBypass

  #18569 commented on Jan 29, 2025 • 0 new comments