github / codeql Public

20 Pull requests merged by 14 people

• JS: support more property writes in js/prototype-pollution-utility

  #8165 merged Feb 22, 2022

• JS: add lodash.{clone, cloneDeep} as a clone step

  #8157 merged Feb 22, 2022

• QL: add ql-for-ql query for detecting bad predicate qldoc

  #8143 merged Feb 22, 2022

• C++: Add table that identifies C++ structured bindings

  #7928 merged Feb 22, 2022

• C++: Fix Spelling Typos.

  #8170 merged Feb 22, 2022

• C++/C#: Fix spelling of 'postDominanceFrontier'

  #8169 merged Feb 22, 2022

• Docs: Add note about muslc incompatibility

  #8162 merged Feb 22, 2022

• JS: Separate the ML model for ML-powered queries into its own pack

  #8151 merged Feb 22, 2022

• JS: Add CWE tags for ML-powered queries

  #8153 merged Feb 21, 2022

• Update counting query to match end-to-end results

  #8148 merged Feb 21, 2022

• Shared: Switch to dot-separated access paths in summary specs

  #7878 merged Feb 21, 2022

• Ruby: Implement `FileSystemWriteAccess` concept

  #8138 merged Feb 21, 2022

• Ruby: Add `rb/clear-text-logging-sensitive-data` query

  #7713 merged Feb 21, 2022

• JS: Sharpen hardcoded credentials

  #8043 merged Feb 21, 2022

• JS: fix most ql-for-ql warnings

  #7984 merged Feb 21, 2022

• Ruby: split standard library models into multiple files

  #7886 merged Feb 21, 2022

• Spelling: Use "descendant" rather than "descendent" for consistency

  #8052 merged Feb 16, 2022

• Language-agnostic document on db up-/downgrades

  #8044 merged Feb 16, 2022

• Java: CWE-073 File path injection with the JFinal framework

  #7712 merged Feb 16, 2022

• Add version of `prepare-db-upgrade.sh` supporting multiple languages

  #8041 merged Feb 16, 2022

21 Pull requests opened by 18 people

• JS: split request forgery query into server-side and client-side variants

  #8054 opened Feb 16, 2022

• CWE-552: Switch to the shared PathSanitizer library

  #8055 opened Feb 16, 2022

• C++: new query for insufficient key strength

  #8059 opened Feb 16, 2022

• Python: Add data-flow through Django ORM models

  #8061 opened Feb 17, 2022

• Port Java sign analysis to semantic layer

  #8068 opened Feb 18, 2022

• Ruby: Add IncompleteMultiCharSanitization query

  #8142 opened Feb 21, 2022

• JS: cache RegExpCreationNode::getAReference

  #8147 opened Feb 21, 2022

• Shared: use shared access path syntax to parse arguments in CSV rows

  #8149 opened Feb 21, 2022

• JS: preparation for sharing MaD library based on API graphs

  #8150 opened Feb 21, 2022

• C# Exclude dynamic casts from useless casts check

  #8152 opened Feb 21, 2022

• Java: Exclude files with errors from modulus analysis

  #8155 opened Feb 21, 2022

• QLSpeciifcation: Add documentation for expression pragmas

  #8156 opened Feb 21, 2022

• Ruby: interpret string escape sequences in getConstantValue()

  #8164 opened Feb 22, 2022

• Ruby/Python: regex parser: group sequences of 'normal' characters

  #8166 opened Feb 22, 2022

• C# Extractor Option for specifying compression.

  #8167 opened Feb 22, 2022

• JS: model hapi handler returns as reflected-xss sinks

  #8168 opened Feb 22, 2022

• update ATM NosqlInjection and SqlInjection query docs

  #8171 opened Feb 22, 2022

• add pre-commit configuration

  #8172 opened Feb 22, 2022

• C++: Add another `CWE-825` query

  #8173 opened Feb 22, 2022

• C++: Simplify `cpp/declaration-hides-variable`

  #8174 opened Feb 22, 2022

• Demonstrate Java range/sign/modulus on semantic layer

  #8175 opened Feb 22, 2022

3 Issues closed by 3 people

• CS8858 - false positive

  #8132 closed Feb 22, 2022

• LGTM.com - false positive 'Useless conditional'

  #8064 closed Feb 21, 2022

• Merge conflicts on LGTM when merge conflicts don't exist in-code

  #2477 closed Feb 16, 2022

3 Issues opened by 3 people

• [JS] Modifying query predicates `nodes` based on sink node

  #8163 opened Feb 22, 2022

• Too many arguments for string format. - false positive

  #8070 opened Feb 19, 2022

• Useless upcast - false positive

  #8069 opened Feb 19, 2022

24 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• JS: Functionality from untrusted sources query (CWE-830)

  #8014 commented on Feb 22, 2022 • 52 new comments

• Java : Add SSTI query

  #5935 commented on Feb 22, 2022 • 17 new comments

• Ruby: Add String flow summaries

  #7920 commented on Feb 22, 2022 • 13 new comments

• Java: Add Guard Classes for checking OS

  #8032 commented on Feb 21, 2022 • 10 new comments

• Python: Add Python_JWT to JWT security query

  #7452 commented on Feb 22, 2022 • 7 new comments

• Python: Dataflow improvements

  #7807 commented on Feb 21, 2022 • 6 new comments

• Java: Timing attacks while comparing the headers value

  #7867 commented on Feb 22, 2022 • 5 new comments

• Infinite loop when executing DataFlow queries

  #7481 commented on Feb 22, 2022 • 4 new comments

• Java: Add ReDoS queries

  #7723 commented on Feb 22, 2022 • 4 new comments

• C#: Refactor Structural Comparison for Control Flow Elements.

  #8038 commented on Feb 17, 2022 • 4 new comments

• Python: Fix bad `fastTC` in `ASTNode::contains`

  #8028 commented on Feb 17, 2022 • 3 new comments

• Question - Variable initialization

  #7827 commented on Feb 21, 2022 • 2 new comments

• Python: promote log injection

  #7735 commented on Feb 21, 2022 • 2 new comments

• Missed opportunity to use Where - false positive

  #7936 commented on Feb 20, 2022 • 1 new comment

• Java: semmle-extractor-options setting classpath prevents usage on Windows

  #5346 commented on Feb 21, 2022 • 1 new comment

• LGTM alert beyond response limit!

  #7889 commented on Feb 23, 2022 • 1 new comment

• CPP: Add query for CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

  #6950 commented on Feb 21, 2022 • 1 new comment

• Java: IPA the CFG.

  #711 commented on Feb 16, 2022 • 0 new comments

• Added vim syntax highlighting for dbschemes

  #1461 commented on Feb 18, 2022 • 0 new comments

• CS: Adding DecryptWithoutHash and CertificateValidationDisabled queries

  #1622 commented on Feb 18, 2022 • 0 new comments

• Java: Add flow steps through methods of `java.nio.Buffer` and its subclasses

  #4743 commented on Feb 17, 2022 • 0 new comments

• Python: Port and extend XXE modeling

  #6112 commented on Feb 20, 2022 • 0 new comments

• Ruby: IncompleteHostnameRegExp.ql

  #7917 commented on Feb 17, 2022 • 0 new comments

• Introduce semantic layer to prepare to share range analysis

  #7986 commented on Feb 18, 2022 • 0 new comments