49 Pull requests merged by 19 people

• Java: Update the CFG for assert statements to make them proper guards.

  #19733 merged Jun 13, 2025

• Python: Modernize iter not returning self query

  #19554 merged Jun 13, 2025

• JS: Promote js/template-syntax-in-string-literal to the Code Quality suite.

  #19726 merged Jun 13, 2025

• Rust: Model String -> str implicit conversion in type inference

  #19737 merged Jun 13, 2025

• Rust: Use hasImplementation in path resolution

  #19745 merged Jun 13, 2025

• Add black pre-commit hook

  #19712 merged Jun 12, 2025

• Rust: Use QL computed canonical paths in MaD Field tokens

  #19667 merged Jun 12, 2025

• Rust: extract hasImplementation on functions and consts

  #19649 merged Jun 12, 2025

• Rust: Data flow through overloaded operators

  #19685 merged Jun 12, 2025

• Shared: Add elaborate QL doc to TypeInference.qll

  #19727 merged Jun 12, 2025

• JS: Promote js/suspicious-method-name-declaration to the Code Quality suite.

  #19741 merged Jun 12, 2025

• Rust: fix typo in README.md

  #19742 merged Jun 12, 2025

• Rust: Also apply adjustedAccessType in RelevantAccess

  #19729 merged Jun 12, 2025

• Rust: Add another type inference debug predicate

  #19728 merged Jun 12, 2025

• Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages (#2)

  #19738 merged Jun 12, 2025

• Rust: Generate canonical paths for builtins

  #19732 merged Jun 12, 2025

• Rust: move body skipping logic to code generation

  #19559 merged Jun 12, 2025

• Rust: Simple type inference for index expressions

  #19657 merged Jun 12, 2025

• Update precision java concatenated command line

  #19723 merged Jun 12, 2025

• Rust: Update RegexInjectionExtensions to use getCanonicalPath.

  #19735 merged Jun 12, 2025

• Changedocs 2.22.0

  #19740 merged Jun 11, 2025

• C++: Add boolean for explicit lambda parameter lists

  #19686 merged Jun 11, 2025

• fixing some improperly escaped URLs

  #19739 merged Jun 11, 2025

• Rust: Adjust the taint reach metric for better stability.

  #19718 merged Jun 11, 2025

• Rust: Fix various bad joins

  #19725 merged Jun 11, 2025

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 merged Jun 11, 2025

• C#: Improve cs/dereference-* queries and add to the Code Quality suite.

  #19589 merged Jun 11, 2025

• Rust: Implement type inference for ref expression as type equality

  #19724 merged Jun 11, 2025

• Rust: regenerate MaD files using DCA

  #19674 merged Jun 11, 2025

• JS: Promote js/regex/duplicate-in-character-class to quality

  #19711 merged Jun 11, 2025

• Rust: Fix bad join

  #19714 merged Jun 11, 2025

• Actions: Improve Bash parsing performance on command and string interpolations

  #19701 merged Jun 10, 2025

• Rust: Use get(An){Arg,Param} helper predicates

  #19717 merged Jun 10, 2025

• C++: Add basic Aarch64 Neon IR test

  #19715 merged Jun 10, 2025

• Rust: Model futures-io, rustls, futures-rustls

  #19626 merged Jun 10, 2025

• C#: Freeze quality queries in the security-and-quality suite.

  #19713 merged Jun 10, 2025

• Rust: add Callable::getParam and CallExprBase::getArg shortcuts

  #19708 merged Jun 10, 2025

• JS: Improve useless-expression query to avoid duplicate alerts on compound expressions

  #19579 merged Jun 10, 2025

• Rust: Type inference for .await expressions

  #19584 merged Jun 10, 2025

• Rust: fix crate graph test

  #19710 merged Jun 10, 2025

• Rust: Path resolution for extern crates

  #19614 merged Jun 10, 2025

• C++: Support the __mfp8 floating point type

  #19688 merged Jun 10, 2025

• Add cs/string-concatenation-in-loop to the quality suite

  #19650 merged Jun 10, 2025

• Post-release preparation for codeql-cli-2.22.0

  #19704 merged Jun 9, 2025

• Release preparation for version 2.22.0

  #19703 merged Jun 9, 2025

• CI: Expand list of packs/languages for change note validation

  #19700 merged Jun 9, 2025

• Swift: Update to Swift 6.1.2

  #19678 merged Jun 9, 2025

• Merge rc/3.18 back to main

  #19699 merged Jun 9, 2025

• C++: Update stats file after changes to DCA source suite

  #19679 merged Jun 9, 2025

24 Pull requests opened by 17 people

• Rust: New query rust/access-after-lifetime-ended

  #19702 opened Jun 9, 2025

• Quantum: Add OpenSSL signature models (Pawel Platek)

  #19705 opened Jun 9, 2025

• fix qhelp files

  #19707 opened Jun 9, 2025

• Python: Modernize the init-calls-subclass query

  #19709 opened Jun 10, 2025

• C#: Add `cs/gethashcode-is-not-defined` to the Code Quality suite.

  #19716 opened Jun 10, 2025

• Ruby: generate overlay discard predicates

  #19719 opened Jun 10, 2025

• Enhance `cpp/overflow-calculated` - detect out-of-bounds write caused by passing the buffer size in bytes (using sizeof) instead of the number of elements to wcsftime, allowing the function to overrun the allocated buffer.

  #19722 opened Jun 10, 2025

• Update qhelp style guide for markdown format

  #19730 opened Jun 11, 2025

• Ruby: enable overlay compilation

  #19731 opened Jun 11, 2025

• C++: Add support to `__leave`

  #19734 opened Jun 11, 2025

• JS: Promote `js/loop-iteration-skipped-due-to-shifting` to the Code Quality suite

  #19743 opened Jun 12, 2025

• MaD generator: use `--threads=0` and 2GB per thread for `--ram` by default

  #19744 opened Jun 12, 2025

• C++: Use SEH exception edges in IR and generate SEH exception edges for calls in `__try`, `__except`, and `__finally` blocks

  #19746 opened Jun 12, 2025

• Add CI workflow to check overlay annotations

  #19747 opened Jun 13, 2025

• Rust: regenerate models

  #19748 opened Jun 13, 2025

• Rust: Disambiguate some method calls based on argument types

  #19749 opened Jun 13, 2025

• JS: remove `encodeURI` from sanitizer list of request forgery

  #19750 opened Jun 13, 2025

• Rust: Type inference for macro expressions

  #19751 opened Jun 13, 2025

• C++: Add more MaD summaries

  #19753 opened Jun 13, 2025

• Rust: Type inference for `for` loops and array expressions

  #19754 opened Jun 13, 2025

• Rust: Temporarily disable type information to flow into operands

  #19755 opened Jun 13, 2025

• Rust: Type inference uses defaults for type parameters

  #19756 opened Jun 13, 2025

• Actions: mass-enable diff-informed queries phase 2 - `getASelected{Source,Sink}Location() { none() }`

  #19757 opened Jun 13, 2025

• C#: mass-enable diff-informed queries phase 2 - `getASelected{Source,Sink}Location() { none() }`

  #19758 opened Jun 13, 2025

6 Issues opened by 6 people

• Taint step for the Gradio framework

  #19752 opened Jun 13, 2025

• Extraction error with tsg-python

  #19736 opened Jun 11, 2025

• CodeQL unable to find out sources of a chosen dataflow node in Javascript

  #19720 opened Jun 10, 2025

• Add new state: Unicode compatibility normalization

  #19706 opened Jun 9, 2025

• Code scanning doesn't run on pull request in organization repo

  #19698 opened Jun 8, 2025

• False Positive: "Statement has no effect" on Airflow task chaining with >> operator

  #19687 opened Jun 6, 2025

25 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Quantum: Support for BouncyCastle signature algorithms and block cipher modes

  #19568 commented on Jun 12, 2025 • 19 new comments

• C#: mass enable diff-informed data flow

  #19661 commented on Jun 12, 2025 • 7 new comments

• Add QL for QL query to warn about possible non-inlining across overlay frontier

  #19590 commented on Jun 11, 2025 • 6 new comments

• Swift: mass enable diff-informed data flow

  #19662 commented on Jun 12, 2025 • 4 new comments

• Add `client-response` Threat Model and update JS ClientsRequests

  #19656 commented on Jun 10, 2025 • 4 new comments

• Rust: update docs

  #19280 commented on Jun 13, 2025 • 3 new comments

• Ruby: add support for extracting overlay databases

  #19684 commented on Jun 12, 2025 • 2 new comments

• JavaScript: Don't extract obviously generated files

  #19680 commented on Jun 10, 2025 • 2 new comments

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 commented on Jun 13, 2025 • 2 new comments

• JS: ClientRequests Axios Instance support

  #19655 commented on Jun 11, 2025 • 1 new comment

• Java: Queries for thread-safe classes

  #19539 commented on Jun 10, 2025 • 0 new comments

• Add script to add overlay annotations

  #19631 commented on Jun 11, 2025 • 0 new comments

• JS: Deprecate type extraction

  #19640 commented on Jun 13, 2025 • 0 new comments

• Rust: upgrade `rust-analyzer` to 0.0.285

  #19524 commented on Jun 12, 2025 • 0 new comments

• Rust: emit `Const` bodies in library mode

  #19651 commented on Jun 12, 2025 • 0 new comments

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 commented on Jun 12, 2025 • 0 new comments

• Rust: Fix type inference for library parameters

  #19658 commented on Jun 13, 2025 • 0 new comments

• Actions: mass enable diff-informed data flow

  #19659 commented on Jun 11, 2025 • 0 new comments

• Go: mass enable diff-informed data flow

  #19660 commented on Jun 11, 2025 • 0 new comments

• Ruby NetHttpRequest improvements

  #19294 commented on Jun 10, 2025 • 0 new comments

• [Java] Dataflow through object

  #18680 commented on Jun 10, 2025 • 0 new comments

• C++: mass enable diff-informed data flow

  #19663 commented on Jun 11, 2025 • 0 new comments

• Fixes in cpp/global-use-before-init

  #19676 commented on Jun 12, 2025 • 0 new comments

• Kotlin language database create bug?

  #19670 commented on Jun 7, 2025 • 0 new comments

• C/C++: `Gotostmt` also matches `__leave` keyword

  #19666 commented on Jun 7, 2025 • 0 new comments