Insights: github/codeql
Overview
61 Pull requests merged by 18 people
-
C++: New Query: missing return-value check for scanf-like functions
#10163 merged
Sep 1, 2022 -
C++: Fix join in sign analysis
#10261 merged
Sep 1, 2022 -
Kotlin: Refactor kotlinFunctionToJavaEquivalent
#10242 merged
Sep 1, 2022 -
Ruby: Exclude top-level `self` accesses from `trackModule`
#10245 merged
Sep 1, 2022 -
Java: Correct hasModifier documentation
#10257 merged
Sep 1, 2022 -
Merge `rc/3.7` into `main`
#10260 merged
Sep 1, 2022 -
JS: Bump version numbers of ML-powered packs after 0.3.2 release
#10258 merged
Sep 1, 2022 -
Kotlin: Fix array indexer extraction
#10255 merged
Sep 1, 2022 -
Swift: Use TypeDecl.getABaseTypeDecl().
#10256 merged
Sep 1, 2022 -
Kotlin: Removed a couple of casts from extractExpression
#10243 merged
Sep 1, 2022 -
Kotlin: Refactor extractConstructorCall
#10246 merged
Sep 1, 2022 -
Kotlin: Remove another cast
#10247 merged
Sep 1, 2022 -
Swift: Add `getBaseTypeDecl` to `TypeDecl`
#10254 merged
Sep 1, 2022 -
Swift: Queries for CWE-311 (originally CWE-200)
#10061 merged
Sep 1, 2022 -
SSA: Make shared library a parameterized module
#10203 merged
Sep 1, 2022 -
Update CSV framework coverage reports
#10248 merged
Sep 1, 2022 -
Post-release preparation for codeql-cli-2.10.4
#10186 merged
Aug 31, 2022 -
Swift: Clean up the URL.init model.
#10244 merged
Aug 31, 2022 -
Kotlin: Fix issues in comment extraction
#10224 merged
Aug 31, 2022 -
Kotlin: Refactor useSimpleType to avoid some casts
#10228 merged
Aug 31, 2022 -
Kotlin: Refactor extractStaticTypeAccessQualifier
#10227 merged
Aug 31, 2022 -
Kotlin: Implement and use singleOrNullSubType
#10229 merged
Aug 31, 2022 -
JS: Make API graph more sparse for escaping class instance members
#10234 merged
Aug 31, 2022 -
Swift: Add field flow
#10157 merged
Aug 31, 2022 -
Swift: add generic type parameters to AST children
#10237 merged
Aug 31, 2022 -
Java: Update models for commons-io and add negative models.
#10170 merged
Aug 31, 2022 -
Swift: add `PrintAst`
#10226 merged
Aug 31, 2022 -
Java: CWE-625 Query to detect regex dot bypass
#9873 merged
Aug 31, 2022 -
C#: CIL Extractor option.
#10086 merged
Aug 31, 2022 -
Update CSV framework coverage reports
#10232 merged
Aug 31, 2022 -
Support type variables in MaD typings
#10205 merged
Aug 30, 2022 -
Docs: Add CodeQL standard packs and bundle to CodeQL tools page
#10013 merged
Aug 30, 2022 -
print a correct range for ranges that doesn't contain any alpha-numeric chars
#10220 merged
Aug 30, 2022 -
Java: A couple of small virtual dispatch fixes
#10208 merged
Aug 30, 2022 -
C#: Narrow collection like types in model generation.
#10158 merged
Aug 30, 2022 -
JS: Some JS-specific MaD changes
#10206 merged
Aug 30, 2022 -
Kotlin: Small simplification
#10193 merged
Aug 30, 2022 -
Kotlin: Remove another cast
#10192 merged
Aug 30, 2022 -
Kotlin: Remove a cast from substituteTypeAndArguments
#10189 merged
Aug 30, 2022 -
Kotlin: Add AnyDbType
#10178 merged
Aug 30, 2022 -
Java: Add additional taint steps for java.lang.String methods
#10092 merged
Aug 30, 2022 -
Swift: fix integration tests
#10219 merged
Aug 30, 2022 -
Swift: make `ConstructorDecl`'s name include params
#10218 merged
Aug 30, 2022 -
Swift: add missing `qlgen.py` docstring
#10217 merged
Aug 30, 2022 -
Swift: generate indexed parent/child relationship
#10211 merged
Aug 30, 2022 -
put a limit on the length of the equivalent range
#10215 merged
Aug 30, 2022 -
fix performance issue in the ReDoS query
#10207 merged
Aug 30, 2022 -
JS: add call-edge for dynamic dispatch to unknown property from an object literal
#9751 merged
Aug 30, 2022 -
put a limit on the length of the equivalent range in overly-large-range
#10213 merged
Aug 30, 2022 -
Update CSV framework coverage reports
#10214 merged
Aug 30, 2022 -
Swift: fix double parent
#10210 merged
Aug 29, 2022 -
JavaScript: Update to TypeScript 4.8
#10184 merged
Aug 29, 2022 -
Java: Add data flow model for Spring's CrudRepository.save() method
#10173 merged
Aug 29, 2022 -
JS: Enable type extraction inside conditional types again
#10202 merged
Aug 29, 2022 -
Java: Improve virtual dispatch via better unification check and deduplicate code with parameterised module
#10097 merged
Aug 29, 2022 -
QL: remove consistency errors related to resolving multiple predicates from parameterized modules
#10181 merged
Aug 29, 2022 -
Ruby: port js/hardcoded-data-interpreted-as-code
#9896 merged
Aug 26, 2022 -
Swift: fix missing extractions
#10175 merged
Aug 26, 2022 -
Swift: port frontend-invocations test to linux
#10187 merged
Aug 26, 2022 -
more renamings of acronyms to camelCase
#10153 merged
Aug 26, 2022 -
Kotlin: fix array iterator extraction
#10169 merged
Aug 26, 2022
26 Pull requests opened by 13 people
-
C++: Switch to use-use flow in IR dataflow
#10190 opened
Aug 26, 2022 -
Java: Add test regarding the type of an implicit `this` expression
#10191 opened
Aug 26, 2022 -
QL: add query detecting consistent casing of names
#10209 opened
Aug 29, 2022 -
SSA: Create a new `shared` library pack and move implementation there
#10216 opened
Aug 30, 2022 -
Kotlin: Change `Modifiable::isPublic` to not cover Kotlin `internal` members
#10221 opened
Aug 30, 2022 -
Ruby: type-tracking and API edges through simple library callables
#10222 opened
Aug 30, 2022 -
Java: New Android query to detect unsafe content URI resolution
#10223 opened
Aug 30, 2022 -
Swift: show conversions in `PrintAst`
#10233 opened
Aug 31, 2022 -
C#: Remove legacy tracer support
#10235 opened
Aug 31, 2022 -
C++: Workaround for missing `DeclarationEntry` for `DeclStmt`
#10236 opened
Aug 31, 2022 -
C#: Theorems for Free - Model generation
#10238 opened
Aug 31, 2022 -
Kotlin: Fix declaration stack
#10239 opened
Aug 31, 2022 -
Java: Support SCCs in TypeFlow.
#10240 opened
Aug 31, 2022 -
Java: Add query for WebView debugging enabled
#10241 opened
Aug 31, 2022 -
Java: Documentation fixes in the "Permissive dot regex" experimental query
#10249 opened
Sep 1, 2022 -
QL: silence reported consistency errors that are fine
#10250 opened
Sep 1, 2022 -
Java: Add new AlarmManager sinks to Use of implicit PendingIntents
#10251 opened
Sep 1, 2022 -
PY: change alert messages of path queries to use the same template
#10252 opened
Sep 1, 2022 -
JS: Add generated typings to SQL models
#10253 opened
Sep 1, 2022 -
Ruby/restrict self flow
#10259 opened
Sep 1, 2022 -
Kotlin: Avoid unsafe casts in useArrayType
#10262 opened
Sep 1, 2022 -
Kotlin: Remove some casts in useSimpleType
#10263 opened
Sep 1, 2022 -
python: Port `RaisingTuple.ql` to not use `points-to`
#10264 opened
Sep 1, 2022 -
python: port UnguardedNextInIterator from `points-to` to API graph
#10265 opened
Sep 1, 2022 -
python: rewrite CatchingBaseException from `points-to` to API graph
#10266 opened
Sep 1, 2022 -
python: Rewrite EmptyExcept from `points-to` to API graph
#10267 opened
Sep 1, 2022
4 Issues closed by 3 people
-
Sarif Upload Does not work from docker container
#10188 closed
Aug 31, 2022 -
General issue: Excessive Comments (and General Poor Performance)
#10179 closed
Aug 30, 2022 -
Cpp CodeQL analysis fails (Exit code 99)
#10194 closed
Aug 29, 2022 -
Fatal error when specifying a default pack with an `apply` file
#10185 closed
Aug 26, 2022
2 Issues opened by 1 person
-
Library API Index documentation is incomplete
#10200 opened
Aug 28, 2022 -
Java: `getNumberOfCommentLines` and `getNumberOfLinesOfCode` should only exist for supported classes
#10199 opened
Aug 28, 2022
31 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Merge and update `about-ql-packs` with `about-codeql-packs`
#10105 commented on
Sep 1, 2022 • 25 new comments -
Add docs for codeql workspaces
#10182 commented on
Sep 1, 2022 • 24 new comments -
General issue (No source was seen and extracted)
#10132 commented on
Sep 1, 2022 • 23 new comments -
parameterised modules in the QL language reference
#10088 commented on
Aug 30, 2022 • 22 new comments -
Java: Promote `PathSanitizer.qll` from experimental
#10177 commented on
Sep 1, 2022 • 21 new comments -
Kotlin: Add MaD for stdlib
#9783 commented on
Aug 31, 2022 • 16 new comments -
Ruby: Model Activestorage
#10090 commented on
Sep 2, 2022 • 12 new comments -
Token validation
#9693 commented on
Sep 1, 2022 • 8 new comments -
Python: Timing attack
#9722 commented on
Aug 31, 2022 • 8 new comments -
C#: Replace clears content with CSV summaries.
#10127 commented on
Aug 31, 2022 • 8 new comments -
CPP: Add query for CWE-297: Improper Validation of Certificate with Host Mismatch
#9086 commented on
Aug 29, 2022 • 7 new comments -
Ruby: Model ActiveResource
#9974 commented on
Sep 2, 2022 • 4 new comments -
Remove upgrade database docs
#10146 commented on
Sep 1, 2022 • 4 new comments -
Add missing security tags
#10180 commented on
Aug 29, 2022 • 4 new comments -
CPP: Add query for CWE-758: Reliance on Implementation-Defined Behavior when using malloc with zero size
#9088 commented on
Aug 31, 2022 • 3 new comments -
database index-files doesn't work with --db-cluster database
#10183 commented on
Aug 26, 2022 • 1 new comment -
CPP: Nested Conditionals and BarrierGuards
#10101 commented on
Aug 31, 2022 • 1 new comment -
CodeQL - false positive - JPL Rule 24
#6522 commented on
Sep 1, 2022 • 1 new comment -
Java: Promote HashWithoutSalt query
#8541 commented on
Aug 28, 2022 • 1 new comment -
Add TCP and UDP socket client taint sources
#9415 commented on
Aug 30, 2022 • 1 new comment -
C++: Experimental product flow library
#9997 commented on
Sep 1, 2022 • 1 new comment -
RB: introduce the cached stages pattern for Ruby
#10104 commented on
Aug 29, 2022 • 1 new comment -
QL: detect unqueryable code
#8454 commented on
Aug 29, 2022 • 0 new comments -
Field-sensitive flow summary generation
#8667 commented on
Aug 31, 2022 • 0 new comments -
Java: Timing attack
#8686 commented on
Aug 30, 2022 • 0 new comments -
C++: Global value numbering for function calls
#9892 commented on
Aug 29, 2022 • 0 new comments -
Add a test file
#9967 commented on
Aug 30, 2022 • 0 new comments -
New atm features rebased
#10018 commented on
Sep 1, 2022 • 0 new comments -
Java: Query to detect Android backup allowed
#10106 commented on
Aug 30, 2022 • 0 new comments -
Python: New call-graph based on type-trackers [still WIP]
#10148 commented on
Aug 26, 2022 • 0 new comments -
Python: Fixes for variable access
#10171 commented on
Aug 26, 2022 • 0 new comments

