github / codeql Public

45 Pull requests merged by 21 people

• Dataflow: Flow-state changing steps should always be in path explanations

  #8474 merged Mar 18, 2022

• QL: expand redundant-inline-cast, and rename to redundant-cast

  #8473 merged Mar 17, 2022

• JS: Refactor the XSS / Client-side-url queries

  #8304 merged Mar 17, 2022

• Add flow state versions of isBarrierIn, isBarrierOut, and isBarrierGuard

  #8435 merged Mar 16, 2022

• C#: Fix bad join order in returnNodeAsOutput.

  #8462 merged Mar 16, 2022

• C++: Handle initialization of structured bindings via bitwise copy in extractor

  #8320 merged Mar 16, 2022

• Ruby: implement getComponent(n) for simple and hash-key symbols

  #8399 merged Mar 16, 2022

• JS: add missing @security-severity to JS queries

  #8459 merged Mar 16, 2022

• Ruby: interpret string escape sequences in getConstantValue()

  #8164 merged Mar 16, 2022

• disallow lowercase import-as aliases

  #8450 merged Mar 16, 2022

• C++: Handle C11 _Noreturn in DefaultOptions

  #8428 merged Mar 16, 2022

• Delete dead code

  #8431 merged Mar 15, 2022

• Detection reduction on request

  #8424 merged Mar 15, 2022

• C++: fix hasImplicitCopyConstructor for templates

  #7884 merged Mar 15, 2022

• Add docstring to `ExtractEndpointMapping.ql`

  #8448 merged Mar 15, 2022

• JS: merge hasDominatingWrite and hasDominatingAssignment

  #8253 merged Mar 15, 2022

• JS: add some API-nodes to js/disabling-certificate-validation

  #8438 merged Mar 15, 2022

• C++: Add missing `security-severity` tags

  #8447 merged Mar 15, 2022

• Java: Add security severity to sensitive logging query

  #8446 merged Mar 15, 2022

• C++: Use a `TaintTracking::Configuration` in three more queries

  #8382 merged Mar 15, 2022

• Added MissingSecurityMetadata query

  #8437 merged Mar 15, 2022

• JS: Remove `isEffectiveSinkWithOverridingScore` from ML-powered libraries

  #8433 merged Mar 15, 2022

• Update CSV framework coverage reports

  #8440 merged Mar 15, 2022

• Rename all upper-case variables, and all lower-case modules

  #8403 merged Mar 15, 2022

• CI: add QLdoc test

  #8365 merged Mar 14, 2022

• Post-release preparation for codeql-cli-2.8.3

  #8398 merged Mar 14, 2022

• C#: Avoid combinatorial explosion in structural comparison library

  #8425 merged Mar 14, 2022

• JS: Bump version numbers of ML-powered packs after 0.1.0 release

  #8404 merged Mar 14, 2022

• C#: Capture Summary models.

  #8329 merged Mar 14, 2022

• Java: Promote Sensitive Logging query

  #8410 merged Mar 14, 2022

• Java: Add JDBC connection SSRF sinks

  #8357 merged Mar 14, 2022

• C++: Fix join in `cpp/return-stack-allocated-memory`

  #8427 merged Mar 14, 2022

• JS: Address some code that weren't affecting any query result

  #8422 merged Mar 14, 2022

• C#/Java: Range analysis: use ranked phi nodes

  #8405 merged Mar 14, 2022

• Extend taint tracking interface with flow states

  #8401 merged Mar 14, 2022

• Python: Port and extend XXE modeling

  #6112 merged Mar 14, 2022

• Enforcing consistent casing of acronyms

  #8323 merged Mar 14, 2022

• C++: Remove uniqueness constraint from uuid

  #8390 merged Mar 11, 2022

• Ruby: resolve `ql/field-only-used-in-charpred` alerts

  #8396 merged Mar 11, 2022

• QL: make a query checking for `edges` relation in a path-problem query

  #8408 merged Mar 11, 2022

• Java: Revert #8325, Add CharacterLiteral to CompileTimeConstantExpr.getStringValue

  #8407 merged Mar 11, 2022

• CPP: Add query for CWE-754: Improper Check for Unusual or Exceptional Conditions when using functions scanf

  #8246 merged Mar 11, 2022

• Java: Revert #8360, "Add CompileTimeConstantExpr.getStringified method"

  #8402 merged Mar 11, 2022

• QL: add query detecting block comments in a position where a QLDoc should be

  #8374 merged Mar 11, 2022

• [Java] Add CompileTimeConstantExpr.getStringified method

  #8360 merged Mar 11, 2022

20 Pull requests opened by 14 people

• QL: add restrictive transitive closure query

  #8411 opened Mar 11, 2022

• Ruby: Add `rb/weak-cryptographic-algorithm` query

  #8421 opened Mar 13, 2022

• [CPP][Linux Kernel]Add ql to detect CVE-2017-5123

  #8423 opened Mar 14, 2022

• Java: Add missing security-severity scores

  #8426 opened Mar 14, 2022

• JS: add library input as tainted-path sources

  #8429 opened Mar 14, 2022

• JS: Add taint step for handlebars model

  #8430 opened Mar 14, 2022

• Python: Add CSV injection model

  #8443 opened Mar 15, 2022

• renaming more upper-case acronyms to PascalCase

  #8444 opened Mar 15, 2022

• Sign, Modulus, and Range analysis for C++ using sharable semantic layer

  #8445 opened Mar 15, 2022

• C#: Model generator improvements and more tests

  #8451 opened Mar 15, 2022

• QL: detect unqueryable code

  #8454 opened Mar 15, 2022

• Python: Add dataflow consistency query

  #8457 opened Mar 16, 2022

• Add query for double-fetch vulnerability

  #8461 opened Mar 16, 2022

• C#: Refactor asPartial to allow re-use.

  #8466 opened Mar 16, 2022

• [Java]: Best Practice InterruptedException handling

  #8469 opened Mar 16, 2022

• ATM: undo unsound performance optimizations

  #8470 opened Mar 16, 2022

• Python/JS/Ruby: Shared concepts scaffolding

  #8476 opened Mar 17, 2022

• JS: private import javascript in DataFlow

  #8477 opened Mar 17, 2022

• JS: fix context sensitivity bug in store-load matching

  #8478 opened Mar 17, 2022

• C++: Fix expensive getWideCharType().

  #8479 opened Mar 17, 2022

5 Issues closed by 4 people

• Error reporting using vscode ast viewer

  #8472 closed Mar 18, 2022

• Detecting C-style variadic function

  #8468 closed Mar 17, 2022

• `cpp/missing-return` incorrectly flags functions using C11 `_Noreturn/noreturn` macros

  #8409 closed Mar 16, 2022

• LGTM.com - false positive

  #8439 closed Mar 15, 2022

• The two `Cargo.toml` files have conflicts, could you resolve these please. In addition, the [Cargo.lock](https://github.com/github/codeql/blob/ef227a47219aef17c62bfe881b6459ef20ceb828/ruby/Cargo.lock) file needs to be updated to reflect the dependency changes.

  #8441 closed Mar 15, 2022

5 Issues opened by 5 people

• Can I define only sink and not source? I want to use this way to list the data flow diagram

  #8480 opened Mar 18, 2022

• new expression parsing failure

  #8467 opened Mar 16, 2022

• How to extract source files when using a special compiler (e.g. TMS320C2000 C/C++ Compiler)?

  #8453 opened Mar 15, 2022

• Ran with database overwriting enabled, but the directory does not appear to be a CodeQL database or database cluster

  #8413 opened Mar 12, 2022

• Compiled CodeQL packs cannot reference another pack from one of its query suites

  #8412 opened Mar 11, 2022

30 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Add `MyBatis`' `Providers` sinks

  #8345 commented on Mar 16, 2022 • 32 new comments

• Ruby: initial prototype of models-as-data

  #8254 commented on Mar 17, 2022 • 31 new comments

• en CPP: Add query for CWE-476: NULL Pointer Dereference when using exception handling blocks

  #8245 commented on Mar 16, 2022 • 21 new comments

• Ruby: IncompleteHostnameRegExp.ql

  #7917 commented on Mar 16, 2022 • 18 new comments

• Incomplete url string sanitization

  #8354 commented on Mar 16, 2022 • 14 new comments

• C++: New query cpp/potential-system-data-exposure

  #8318 commented on Mar 16, 2022 • 13 new comments

• Java: CWE-378: Temp Directory Hijacking Race Condition Vulnerability

  #4473 commented on Mar 16, 2022 • 11 new comments

• Java: Add Guard Classes for checking OS & unify System Property Access

  #8032 commented on Mar 17, 2022 • 10 new comments

• Start sharing Concepts across dynamic languages

  #8307 commented on Mar 17, 2022 • 10 new comments

• C#: Extensive use of stubs in testcases.

  #8279 commented on Mar 17, 2022 • 7 new comments

• Python: Add data-flow through Django ORM models

  #8061 commented on Mar 16, 2022 • 4 new comments

• Ruby: Use taint tracking instead of type tracking to define `regExpSource`

  #8332 commented on Mar 16, 2022 • 4 new comments

• Ruby: Add rb/tainted-format-string query

  #8272 commented on Mar 15, 2022 • 3 new comments

• Java: Add query to detect clickjacking

  #8308 commented on Mar 15, 2022 • 3 new comments

• C#: Deprecate the StructuralComparisonConfiguration interface and use sameGvn instead.

  #8391 commented on Mar 16, 2022 • 3 new comments

• Java: Add ReDoS queries

  #7723 commented on Mar 17, 2022 • 2 new comments

• Ruby: Add rb/http-to-file-access query

  #8224 commented on Mar 15, 2022 • 2 new comments

• Infinite loop when executing DataFlow queries

  #7481 commented on Mar 14, 2022 • 1 new comment

• LGTM alert beyond response limit!

  #7889 commented on Mar 16, 2022 • 1 new comment

• QL: add unused-field query

  #7763 commented on Mar 17, 2022 • 1 new comment

• Python: Add def nodes to API graphs

  #7806 commented on Mar 14, 2022 • 1 new comment

• Add query to detect ZipSlip

  #8004 commented on Mar 11, 2022 • 1 new comment

• Python: Fix bad `fastTC` in `ASTNode::contains`

  #8028 commented on Mar 17, 2022 • 1 new comment

• JS: Use `TypeTracker::continue` when doing taint steps

  #8333 commented on Mar 15, 2022 • 1 new comment

• Gelişme

  #8388 commented on Mar 15, 2022 • 1 new comment

• JS: Add StoredXss XssThroughDom CodeInjection to all QL required for endpoint pipeline

  #8392 commented on Mar 16, 2022 • 1 new comment

• Ruby: add `rb/clear-text-storage-sensitive-data` query

  #8395 commented on Mar 17, 2022 • 1 new comment

• QL: Add query detecting suspiciously missing parameters from the QLDoc of a predicate

  #7450 commented on Mar 16, 2022 • 0 new comments

• C#: ExternalAPI implementation for Telemetry.

  #8348 commented on Mar 18, 2022 • 0 new comments

• QL: add query detecting inconsistent deprecations

  #8351 commented on Mar 16, 2022 • 0 new comments