43 Pull requests merged by 20 people

• Rust: fix typo in README.md

  #19742 merged Jun 12, 2025

• Rust: Also apply adjustedAccessType in RelevantAccess

  #19729 merged Jun 12, 2025

• Rust: Add another type inference debug predicate

  #19728 merged Jun 12, 2025

• Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages (#2)

  #19738 merged Jun 12, 2025

• Rust: Generate canonical paths for builtins

  #19732 merged Jun 12, 2025

• Rust: move body skipping logic to code generation

  #19559 merged Jun 12, 2025

• Rust: Simple type inference for index expressions

  #19657 merged Jun 12, 2025

• Update precision java concatenated command line

  #19723 merged Jun 12, 2025

• Rust: Update RegexInjectionExtensions to use getCanonicalPath.

  #19735 merged Jun 12, 2025

• Changedocs 2.22.0

  #19740 merged Jun 11, 2025

• C++: Add boolean for explicit lambda parameter lists

  #19686 merged Jun 11, 2025

• fixing some improperly escaped URLs

  #19739 merged Jun 11, 2025

• Rust: Adjust the taint reach metric for better stability.

  #19718 merged Jun 11, 2025

• Rust: Fix various bad joins

  #19725 merged Jun 11, 2025

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 merged Jun 11, 2025

• C#: Improve cs/dereference-* queries and add to the Code Quality suite.

  #19589 merged Jun 11, 2025

• Rust: Implement type inference for ref expression as type equality

  #19724 merged Jun 11, 2025

• Rust: regenerate MaD files using DCA

  #19674 merged Jun 11, 2025

• JS: Promote js/regex/duplicate-in-character-class to quality

  #19711 merged Jun 11, 2025

• Rust: Fix bad join

  #19714 merged Jun 11, 2025

• Actions: Improve Bash parsing performance on command and string interpolations

  #19701 merged Jun 10, 2025

• Rust: Use get(An){Arg,Param} helper predicates

  #19717 merged Jun 10, 2025

• C++: Add basic Aarch64 Neon IR test

  #19715 merged Jun 10, 2025

• Rust: Model futures-io, rustls, futures-rustls

  #19626 merged Jun 10, 2025

• C#: Freeze quality queries in the security-and-quality suite.

  #19713 merged Jun 10, 2025

• Rust: add Callable::getParam and CallExprBase::getArg shortcuts

  #19708 merged Jun 10, 2025

• JS: Improve useless-expression query to avoid duplicate alerts on compound expressions

  #19579 merged Jun 10, 2025

• Rust: Type inference for .await expressions

  #19584 merged Jun 10, 2025

• Rust: fix crate graph test

  #19710 merged Jun 10, 2025

• Rust: Path resolution for extern crates

  #19614 merged Jun 10, 2025

• C++: Support the __mfp8 floating point type

  #19688 merged Jun 10, 2025

• Add cs/string-concatenation-in-loop to the quality suite

  #19650 merged Jun 10, 2025

• Post-release preparation for codeql-cli-2.22.0

  #19704 merged Jun 9, 2025

• Release preparation for version 2.22.0

  #19703 merged Jun 9, 2025

• CI: Expand list of packs/languages for change note validation

  #19700 merged Jun 9, 2025

• Swift: Update to Swift 6.1.2

  #19678 merged Jun 9, 2025

• Merge rc/3.18 back to main

  #19699 merged Jun 9, 2025

• C++: Update stats file after changes to DCA source suite

  #19679 merged Jun 9, 2025

• Go: promote html-template-escaping-bypass-xss

  #19386 merged Jun 6, 2025

• Bump the extractor-dependencies group in /go/extractor with 2 updates

  #19683 merged Jun 6, 2025

• Update CSV framework coverage reports

  #19673 merged Jun 5, 2025

• Actions: Make Env non-abstract

  #19675 merged Jun 5, 2025

• C++: accept new test results after changes

  #19533 merged Jun 5, 2025

19 Pull requests opened by 15 people

• JavaScript: Don't extract obviously generated files

  #19680 opened Jun 5, 2025

• Ruby: add support for extracting overlay databases

  #19684 opened Jun 6, 2025

• Rust: Data flow through overloaded operators

  #19685 opened Jun 6, 2025

• Rust: New query rust/access-after-lifetime-ended

  #19702 opened Jun 9, 2025

• Quantum: Add OpenSSL signature models (Pawel Platek)

  #19705 opened Jun 9, 2025

• fix qhelp files

  #19707 opened Jun 9, 2025

• [Draft] Python: Modernize the init-calls-subclass query

  #19709 opened Jun 10, 2025

• Add `black` pre-commit hook

  #19712 opened Jun 10, 2025

• C#: Add `cs/gethashcode-is-not-defined` to the Code Quality suite.

  #19716 opened Jun 10, 2025

• Ruby: generate overlay discard predicates

  #19719 opened Jun 10, 2025

• Enhance `cpp/overflow-calculated` - detect out-of-bounds write caused by passing the buffer size in bytes (using sizeof) instead of the number of elements to wcsftime, allowing the function to overrun the allocated buffer.

  #19722 opened Jun 10, 2025

• JS: Promote `js/template-syntax-in-string-literal` to the Code Quality suite.

  #19726 opened Jun 11, 2025

• Shared: Add elaborate QL doc to `TypeInference.qll`

  #19727 opened Jun 11, 2025

• Update qhelp style guide for markdown format

  #19730 opened Jun 11, 2025

• Ruby: enable overlay compilation

  #19731 opened Jun 11, 2025

• Java: Update the CFG for assert statements to make them proper guards.

  #19733 opened Jun 11, 2025

• C++: Add support to `__leave`

  #19734 opened Jun 11, 2025

• Rust: Model `String` -> `str` implicit conversion in type inference

  #19737 opened Jun 11, 2025

• JS: Promote `js/suspicious-method-name-declaration` to the Code Quality suite.

  #19741 opened Jun 12, 2025

4 Issues closed by 4 people

• [Java] Issue resolving dependences

  #19458 closed Jun 6, 2025

• BDD node limit of 2^^25 reached on Type erasure

  #19648 closed Jun 5, 2025

• Actions: Identifying keywords like `with`, `shell`

  #19629 closed Jun 5, 2025

• Vulnerable Python code is not detected by CWE-094 rule

  #14347 closed Jun 5, 2025

6 Issues opened by 6 people

• Extraction error with tsg-python

  #19736 opened Jun 11, 2025

• CodeQL unable to find out sources of a chosen dataflow node in Javascript

  #19720 opened Jun 10, 2025

• Add new state: Unicode compatibility normalization

  #19706 opened Jun 9, 2025

• Code scanning doesn't run on pull request in organization repo

  #19698 opened Jun 8, 2025

• False Positive: "Statement has no effect" on Airflow task chaining with >> operator

  #19687 opened Jun 6, 2025

• False positive: Env var is from config, not vault, and contains the name of another env var

  #19681 opened Jun 5, 2025

24 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• C#: mass enable diff-informed data flow

  #19661 commented on Jun 12, 2025 • 7 new comments

• Add QL for QL query to warn about possible non-inlining across overlay frontier

  #19590 commented on Jun 11, 2025 • 6 new comments

• Rust: Use QL computed canonical paths in MaD `Field` tokens

  #19667 commented on Jun 12, 2025 • 5 new comments

• Swift: mass enable diff-informed data flow

  #19662 commented on Jun 12, 2025 • 5 new comments

• Add `client-response` Threat Model and update JS ClientsRequests

  #19656 commented on Jun 10, 2025 • 4 new comments

• Rust: update docs

  #19280 commented on Jun 10, 2025 • 3 new comments

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 commented on Jun 10, 2025 • 2 new comments

• Go: mass enable diff-informed data flow

  #19660 commented on Jun 11, 2025 • 1 new comment

• Add script to add overlay annotations

  #19631 commented on Jun 11, 2025 • 1 new comment

• JS: ClientRequests Axios Instance support

  #19655 commented on Jun 11, 2025 • 1 new comment

• Fixes in cpp/global-use-before-init

  #19676 commented on Jun 12, 2025 • 0 new comments

• C++: mass enable diff-informed data flow

  #19663 commented on Jun 11, 2025 • 0 new comments

• Actions: mass enable diff-informed data flow

  #19659 commented on Jun 11, 2025 • 0 new comments

• Rust: Fix type inference for library parameters

  #19658 commented on Jun 11, 2025 • 0 new comments

• Rust: extract `hasImplementation` on functions and consts

  #19649 commented on Jun 12, 2025 • 0 new comments

• JS: Deprecate type extraction

  #19640 commented on Jun 11, 2025 • 0 new comments

• Quantum: Support for BouncyCastle signature algorithms and block cipher modes

  #19568 commented on Jun 12, 2025 • 0 new comments

• Java: Queries for thread-safe classes

  #19539 commented on Jun 10, 2025 • 0 new comments

• Add Microsoft to trusted actions owner

  #19450 commented on Jun 5, 2025 • 0 new comments

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 commented on Jun 12, 2025 • 0 new comments

• Ruby NetHttpRequest improvements

  #19294 commented on Jun 10, 2025 • 0 new comments

• [Java] Dataflow through object

  #18680 commented on Jun 10, 2025 • 0 new comments

• Kotlin language database create bug?

  #19670 commented on Jun 7, 2025 • 0 new comments

• C/C++: `Gotostmt` also matches `__leave` keyword

  #19666 commented on Jun 7, 2025 • 0 new comments