Insights: github/codeql
Overview
73 Pull requests merged by 27 people
-
GO: get the Go CI to go fast!
#11430 merged
Nov 26, 2022 -
Kotlin: bump default CI version to 1.7.20
#11352 merged
Nov 25, 2022 -
C++: Add more tests that exercise the default taint barrier implementation
#11428 merged
Nov 25, 2022 -
Ruby: model ActiveSupport `json_escape` flow
#11417 merged
Nov 25, 2022 -
Java: Add new Mockito runner class location.
#11418 merged
Nov 24, 2022 -
JS: Bump version numbers of ML-powered packs after 0.4.2 release
#11414 merged
Nov 24, 2022 -
Merge `rc/3.8` into `main`
#11416 merged
Nov 24, 2022 -
ReDoS: add missing additional keywords
#11403 merged
Nov 24, 2022 -
Merge `codeql-cli-2.11.4` into `rc/3.8`
#11415 merged
Nov 24, 2022 -
C++: Fix upper bound detection in default taint flow
#11413 merged
Nov 24, 2022 -
Java: Add binding between annotation and sink-param in MyBatis SQL Injection query
#11368 merged
Nov 24, 2022 -
Swift: Add taint models for the Data class
#11345 merged
Nov 24, 2022 -
Swift: Dataflow through ?? and ? :
#11270 merged
Nov 24, 2022 -
Kotlin: Remove an unused argument
#11401 merged
Nov 24, 2022 -
Kotlin build system: Refactor jar-finder
#11404 merged
Nov 24, 2022 -
Java: Adjust the prioritisation between MaD and source dispatch.
#11392 merged
Nov 24, 2022 -
Ruby: cache the compiled extractor in the build tests
#11409 merged
Nov 24, 2022 -
Swift: Fix expectation in NSData tests
#11411 merged
Nov 24, 2022 -
Adds Kotlin (beta) content
#11384 merged
Nov 24, 2022 -
Swift: Add models for NSData and NSMutableData
#11378 merged
Nov 24, 2022 -
Swift: Unsafe JS Eval Query
#11001 merged
Nov 24, 2022 -
C#: ExternalFlow.qll cleanup.
#11395 merged
Nov 24, 2022 -
C++: Fix CWE-611 XXE query to work with use-use dataflow - take 2
#11405 merged
Nov 24, 2022 -
QL: improve the "this block-comment should have been a QLDoc"-query
#11294 merged
Nov 23, 2022 -
Rb: use `instanceof` instead of `extends` on `DataFlow::CallNode` in some case
#11397 merged
Nov 23, 2022 -
JS: fix two typos
#11396 merged
Nov 23, 2022 -
C#: Split `AutobuildOptions` into C#/C++ specific classes
#11387 merged
Nov 23, 2022 -
Swift: Add Alamofire model to swift/cleartext-transmission
#11210 merged
Nov 23, 2022 -
ATM: Add descriptions to ML-powered packs
#11390 merged
Nov 23, 2022 -
C++: Fix CWE-611 XXE query to work with use-use dataflow
#11400 merged
Nov 23, 2022 -
Fix typo in `codeql-workspace.yml`
#11388 merged
Nov 23, 2022 -
Java/Kotlin: Make the basic query in docs work for both languages
#11399 merged
Nov 23, 2022 -
Java: Fix typo: ceritificate
#11393 merged
Nov 23, 2022 -
Swift: reject uppercase acronyms in schema
#11394 merged
Nov 23, 2022 -
C#: Include "phi reads" in `DataFlow::Node`
#10927 merged
Nov 23, 2022 -
Ruby/QL: only create dbscheme case-splits for columns on defining tables
#11386 merged
Nov 23, 2022 -
Swift: add downgrades script to extractor pack
#11391 merged
Nov 23, 2022 -
Swift: Add libxml2 sinks to the XXE query
#11165 merged
Nov 23, 2022 -
C#: Also include extractor unit tests in `csharp-qltest.yml`
#11383 merged
Nov 23, 2022 -
C++: Fix spurious reference flow
#11254 merged
Nov 23, 2022 -
Swift: do not abort if cannot archive a source file
#11382 merged
Nov 23, 2022 -
Swift: fix remapping bug
#11381 merged
Nov 23, 2022 -
Java: Consider taint through bitwise operations on PendingIntent flags
#11367 merged
Nov 22, 2022 -
Python: Add change note for module resolution
#11347 merged
Nov 22, 2022 -
Python: Model `getpass.getpass` as source of passwords
#11372 merged
Nov 22, 2022 -
Python: Test improvements in preparation for new call-graph PR
#11208 merged
Nov 22, 2022 -
CI: use read-only-cache when running on a PR
#11362 merged
Nov 22, 2022 -
JS: treat arrays that gets executed with shell:true as a sink for `js/shell-command-constructed-from-input`
#11082 merged
Nov 22, 2022 -
QL: add redundant-assignment query
#11343 merged
Nov 22, 2022 -
JS: poly-redos: don't sanitize calls through substring calls that just remove the start
#11072 merged
Nov 22, 2022 -
C++: Fix typo flagged up by QL-for-QL
#11369 merged
Nov 22, 2022 -
C++: Ignore more instructions in dataflow
#11357 merged
Nov 22, 2022 -
C#: Add workflow for running QL tests
#11329 merged
Nov 22, 2022 -
Swift: set @github/codeql-swift as owner
#11338 merged
Nov 22, 2022 -
Ruby: delete the target/packs folder in the `compile-queries` job
#11358 merged
Nov 22, 2022 -
Update CSV framework coverage reports
#11359 merged
Nov 22, 2022 -
C++: Reduce `readStep` fan-in
#11355 merged
Nov 21, 2022 -
Java: Promote regex injection query from experimental
#11070 merged
Nov 21, 2022 -
C++: Repair `MustFlow` library for use-use flow
#11311 merged
Nov 21, 2022 -
Merge `rc/3.8` into `main`
#11349 merged
Nov 21, 2022 -
Ruby: cache the entire extractor
#11348 merged
Nov 21, 2022 -
Java: Fix a couple of taint models for `java.nio.file.Path(s)`
#11346 merged
Nov 21, 2022 -
Ruby: Use compilation cache for the qltest CI workflow
#11344 merged
Nov 21, 2022 -
Ruby: use the shared regex pack
#11245 merged
Nov 21, 2022 -
Java: Handle disabled Maven repositories
#11340 merged
Nov 21, 2022 -
Python: Clean up import resolution
#10861 merged
Nov 21, 2022 -
CFG: Workaround in test output for origin/target pairs with multiple edges
#11341 merged
Nov 21, 2022 -
C++: deprecate AST-based GVN
#11262 merged
Nov 21, 2022 -
Ruby: Add `--check-undefined-labels` to QL test job
#11336 merged
Nov 21, 2022 -
Swift: skip QL code generation on untouched files
#11331 merged
Nov 21, 2022 -
QL/RB: delete language specific codeql query compile checks
#11328 merged
Nov 21, 2022 -
C++: Fix flow out of const member functions
#11314 merged
Nov 21, 2022 -
C++: Reduce size of `edges` and `nodes` in `cpp/upcast-array-pointer-arithmetic`
#11330 merged
Nov 21, 2022
29 Pull requests opened by 18 people
-
Ruby: Active support enumerable
#11339 opened
Nov 21, 2022 -
Add macOS 13 to supported platforms
#11350 opened
Nov 21, 2022 -
Fix `QLLexer` instance as argument to `add_lexer`
#11353 opened
Nov 21, 2022 -
C++: replace Guards with IRGuards
#11356 opened
Nov 21, 2022 -
Swift: cache more aggressively in CI
#11364 opened
Nov 22, 2022 -
Swift: fix extractor tests pack
#11365 opened
Nov 22, 2022 -
Ruby: Add additional sinks to the `rb/kernel-open` query
#11366 opened
Nov 22, 2022 -
Swift: upgrade to Swift 5.7.1
#11370 opened
Nov 22, 2022 -
C++: Field flow through reference-returning functions
#11374 opened
Nov 22, 2022 -
Python: New type-tracking based call-graph
#11376 opened
Nov 22, 2022 -
Java: Add JDK sinks
#11389 opened
Nov 23, 2022 -
Rb: add some more flow through splat parameters
#11398 opened
Nov 23, 2022 -
Python: port `py/super-not-enclosing-class`
#11402 opened
Nov 23, 2022 -
Go: Add query to check for deferred calls to functions which may return errors
#11410 opened
Nov 24, 2022 -
LGTM deprecation: updates to CodeQL for JavaScript articles
#11419 opened
Nov 24, 2022 -
LGTM deprecation: updates to CodeQL for Java articles
#11420 opened
Nov 24, 2022 -
LGTM deprecation: updates to CodeQL for C/C++ articles
#11421 opened
Nov 24, 2022 -
LGTM deprecation: updates to CodeQL for Python articles
#11422 opened
Nov 24, 2022 -
LGTM deprecation: Update basic queries to use VS Code
#11423 opened
Nov 24, 2022 -
Swift: Alamofire taint sources
#11424 opened
Nov 25, 2022 -
Ruby: Model ApplicationController.renderer
#11426 opened
Nov 25, 2022 -
Swift: make mapping from swift types to tags explicit
#11429 opened
Nov 25, 2022 -
Make qldoc clearer about behaviour of override
#11431 opened
Nov 25, 2022 -
Java: Flow test case generator
#11432 opened
Nov 25, 2022 -
LGTM deprecation: miscellaneous changes
#11433 opened
Nov 25, 2022 -
C++: Deprecate `DefaultTaintTracking` and `TaintTrackingImpl`
#11434 opened
Nov 25, 2022 -
C++: Rewrite `cpp/path-injection` to not use `DefaultTaintTracking`
#11435 opened
Nov 25, 2022 -
Kotlin: Enable java/misnamed-type query
#11436 opened
Nov 25, 2022 -
Kotlin: Enable java/non-serializable-field for Kotlin
#11437 opened
Nov 25, 2022
4 Issues closed by 3 people
-
/db-python does not exists ?
#11412 closed
Nov 24, 2022 -
CodeQL can't resolve interface invoke when I analysis apache commons text
#11385 closed
Nov 24, 2022 -
Which edges are automatically added by taint analysis?
#11360 closed
Nov 23, 2022 -
False positive for Failure to use HTTPS or SFTP URL in Maven artifact upload/download when repo is disabled
#11326 closed
Nov 21, 2022
10 Issues opened by 9 people
-
Java: Some expressions have `<any>` as type
#11442 opened
Nov 27, 2022 -
Can Codeql be used to extract backward slice for Java?
#11440 opened
Nov 26, 2022 -
CodeQl analysis log could not be generated when platform=arm64
#11438 opened
Nov 25, 2022 -
CodeQL is missing an inline mechanism to suppress warnings
#11427 opened
Nov 25, 2022 -
Autobuild C#: environment variables availability in dotnet / msbuild
#11425 opened
Nov 25, 2022 -
[False positive] `py/call-to-non-callable` on _decorated_ `__call__` magic methods
#11408 opened
Nov 24, 2022 -
[False positive] `py/unused-local-variable` on SQLAlchemy model definition classes
#11407 opened
Nov 24, 2022 -
False positive – "Statement has no effect" for Python type hint ellipsis
#11351 opened
Nov 21, 2022 -
Example solution for "zip slip" contains a bug
#11342 opened
Nov 21, 2022
32 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
ATM: Implement the current endpoint filters as EndpointCharacteristics
#11281 commented on
Nov 24, 2022 • 34 new comments -
Ruby: Add case string comparison barrier guard
#11114 commented on
Nov 28, 2022 • 13 new comments -
Ruby: add stack-trace exposure query
#11250 commented on
Nov 24, 2022 • 9 new comments -
Dynamic: Merge package and type columns
#11253 commented on
Nov 25, 2022 • 8 new comments -
Data flow: Add summary/return context to pruning stages 2-4
#11087 commented on
Nov 24, 2022 • 6 new comments -
Ruby: JSON flow summaries
#11136 commented on
Nov 25, 2022 • 6 new comments -
Java: Use data extensions for MaD models.
#11243 commented on
Nov 23, 2022 • 6 new comments -
CPP: Add query for CWE-369: Divide By Zero.
#10431 commented on
Nov 24, 2022 • 3 new comments -
JS: use the shared regex pack
#11248 commented on
Nov 22, 2022 • 3 new comments -
ATM: Remove redundant code
#11321 commented on
Nov 22, 2022 • 3 new comments -
Java: `Type.getErasure()` erroneously has `Object` as result on some databases
#11264 commented on
Nov 22, 2022 • 2 new comments -
Java: Add line break sanitizers to java/log-injection
#10707 commented on
Nov 23, 2022 • 2 new comments -
Ruby: Document flow summary syntax
#10899 commented on
Nov 25, 2022 • 2 new comments -
C#: Deprecate hasQualifiedName/1 and prepare for deprecating getQualifiedName/0.
#11144 commented on
Nov 28, 2022 • 2 new comments -
Swift: add `String` taint steps
#11185 commented on
Nov 23, 2022 • 2 new comments -
RB: add second-order-command-injection
#11236 commented on
Nov 28, 2022 • 2 new comments -
Enable accelerated go-extractor opt-in using 'go list -deps'
#11268 commented on
Nov 21, 2022 • 2 new comments -
ATM: Simplify query configurations
#11323 commented on
Nov 24, 2022 • 2 new comments -
Ruby: add library input as a source for `rb/polynomial-redos`
#10782 commented on
Nov 22, 2022 • 1 new comment -
DO NOT MERGE: Replace AST with IR use-use dataflow
#10817 commented on
Nov 24, 2022 • 1 new comment -
Rb: Add an `unsafe-code-construction` query
#10862 commented on
Nov 25, 2022 • 1 new comment -
[Draft] Java: Add Android missing certificate pinning query (CWE-295)
#10971 commented on
Nov 25, 2022 • 1 new comment -
Share encryption key sizes across languages
#11192 commented on
Nov 22, 2022 • 1 new comment -
Java: Query for detecting enabling Javascript in Android WebSettings
#11238 commented on
Nov 21, 2022 • 1 new comment -
Java: Query to detect Android Webview file access
#11241 commented on
Nov 21, 2022 • 1 new comment -
Python: support grouped exceptions
#11244 commented on
Nov 24, 2022 • 1 new comment -
ATM: add XSSThroughDOM boosted query
#11333 commented on
Nov 21, 2022 • 1 new comment -
Python: Timing attack
#9722 commented on
Nov 24, 2022 • 0 new comments -
Python : Improve the PAM authentication bypass query
#10656 commented on
Nov 24, 2022 • 0 new comments -
build(deps): bump actions/setup-dotnet from 2 to 3.0.2
#10826 commented on
Nov 23, 2022 • 0 new comments -
Kotlin: extract annotations
#11258 commented on
Nov 25, 2022 • 0 new comments -
Ruby: Model ActionMailbox
#11337 commented on
Nov 25, 2022 • 0 new comments

