118 Pull requests merged by 31 people

• Bulk MAD generator: Support databases from DCA runs

  #19627 merged May 30, 2025

• Rust: use all features by default

  #19551 merged May 29, 2025

• Rust: Type inference for operator overloading

  #19593 merged May 29, 2025

• Rust: re-enable attribute macro expansion in library mode

  #19588 merged May 29, 2025

• QL tests: run with --check-diff-informed

  #19428 merged May 28, 2025

• Rust: delete leftover log statement

  #19612 merged May 28, 2025

• Ruby, Rust: add zstd compression option (and fix compression in Rust)

  #19613 merged May 28, 2025

• Rust: add more macro expansion tests

  #19600 merged May 28, 2025

• C++: Specify GNU version on min/max test

  #19606 merged May 28, 2025

• Go: Make type param test independent of standard library version

  #19532 merged May 28, 2025

• Go: Check more things while running tests

  #19491 merged May 28, 2025

• Rust: Also include prelude path resolution in Core

  #19580 merged May 28, 2025

• Post-release preparation for codeql-cli-2.21.4

  #19602 merged May 27, 2025

• Release preparation for version 2.21.4

  #19601 merged May 27, 2025

• Rust: Recognize more sensitive data sources

  #19470 merged May 27, 2025

• C++: Address comments from earlier Windows MaD PRs

  #19599 merged May 27, 2025

• Go: Explicitly check whether proxy env vars are empty

  #19598 merged May 27, 2025

• C++: Add missing ReadFileEx flow summary

  #19595 merged May 27, 2025

• Rust: Model Pin

  #19529 merged May 27, 2025

• Rust: add option to extract dependencies as source files

  #19583 merged May 27, 2025

• C#: Improve cs/missed-readonly-modifier and to code-quality suite.

  #19520 merged May 27, 2025

• C++: Add more Win32 flow sources

  #19591 merged May 27, 2025

• Rust: Only include relevant AST nodes in TypeMention

  #19557 merged May 27, 2025

• C++: Add Windows command line and environment models

  #19563 merged May 27, 2025

• Swift: Update to Swift 6.1.1

  #19576 merged May 27, 2025

• JS: Explicitly Filter Quality Queries for Inclusion in Security-and-Quality

  #19578 merged May 27, 2025

• Swift: Fix type string representation

  #19582 merged May 27, 2025

• Rust: Add more Operation subclasses

  #19562 merged May 27, 2025

• Rust: Resolve function calls to traits methods

  #19575 merged May 27, 2025

• Rust: turn off macro expansion in code to be expanded by attribute macros

  #19572 merged May 27, 2025

• Rangeanalysis: Simplify Guards integration.

  #19571 merged May 26, 2025

• Type inference: Simplify internal representation of type paths

  #19570 merged May 26, 2025

• Rust: extract source files of dependencies

  #19506 merged May 24, 2025

• Shared/C++: Handle non-standard return values in MaD flow sources/sinks

  #19569 merged May 23, 2025

• SSA: Distinguish between has and controls branch edge.

  #19567 merged May 23, 2025

• actions: add some missing permissions

  #19494 merged May 23, 2025

• Update CSV framework coverage reports

  #19566 merged May 23, 2025

• Crypto: Improve literal filtering for OpenSSL for algorithms and generic sources

  #19553 merged May 22, 2025

• Rust: Models for log_err

  #19546 merged May 22, 2025

• Fix SpringRequestMappingMethod URL Extraction: Use getAStringArrayValue Instead of getValue

  #19512 merged May 22, 2025

• Java: Fix SpringRequestMappingMethod URL Extraction #2

  #19556 merged May 22, 2025

• Java: Add test showing correct usage

  #19560 merged May 22, 2025

• DevEx: add temporary files created by some checks to .gitignore

  #19550 merged May 22, 2025

• C#: Re-generate .NET 9 Runtime models.

  #19480 merged May 22, 2025

• Swift: Clarify the tag in the Swift updating doc

  #19558 merged May 22, 2025

• Rust: Add ComparisonOperation library.

  #19535 merged May 22, 2025

• Rust: Remove unused impl type

  #19555 merged May 22, 2025

• JS: More efficient nested package naming

  #19516 merged May 22, 2025

• Rust: Compute canonical paths in QL

  #19134 merged May 22, 2025

• Crypto: Misc. refactoring and code clean up.

  #19552 merged May 21, 2025

• Rust: Improve performance of type inference

  #19534 merged May 21, 2025

• Quantum: Model missing OpenSSL EVP digest consumers

  #19545 merged May 21, 2025

• Quantum: Add OpenSSL PKEY algorithm value consumers.

  #19547 merged May 21, 2025

• Rust: Type inference for non-overloadable operators

  #19549 merged May 21, 2025

• Quantum: Model OpenSSL EC key generation

  #19541 merged May 21, 2025

• Rust: Model std::net and tokio fs, io, net

  #19446 merged May 21, 2025

• Java: Use the shared BasicBlocks library.

  #19505 merged May 21, 2025

• Exclude some queries from query suites by lowering their precision.

  #19507 merged May 21, 2025

• Rust: ignore target in qltest

  #19542 merged May 21, 2025

• Rust: Bulk model generator

  #19499 merged May 20, 2025

• C#: Update SDK version in integration test

  #19536 merged May 20, 2025

• Go: move to standard windows runner

  #19525 merged May 20, 2025

• Rust: Support non-universal impl blocks

  #19372 merged May 20, 2025

• Changenotes for 2.21.3

  #19531 merged May 20, 2025

• Crypto: Add OpenSSL elliptic curve algorithm instances and consumers

  #19528 merged May 19, 2025

• Rust: Follow-up work to make path resolution and type inference tests pass again

  #19519 merged May 19, 2025

• Crypto: Model OpenSSL intermediate digest operations

  #19521 merged May 19, 2025

• Swift: Mention Swift 6.1 support in the supported compilers doc

  #19523 merged May 19, 2025

• C++/Swift: delete outdated deprecations

  #19518 merged May 19, 2025

• C++: Make node.asExpr() instanceof ArrayAggregateLiteral satisfiable

  #19511 merged May 19, 2025

• C++: Do not use deprecated hasLocationInfo in FlowTestCommon

  #19515 merged May 19, 2025

• C/CPP: Update FlowSources to add wmain

  #19510 merged May 19, 2025

• C++: Add summary models for openssl and sqlite

  #19492 merged May 16, 2025

• Quantum: Expand OpenSSL cipher modeling and fix JCA false reporting of intermediate calls

  #19509 merged May 16, 2025

• C++: Minor cleanup of qltest options

  #19508 merged May 16, 2025

• C++: Make node.asExpr() instanceof ClassAggregateLiteral satisfiable

  #19501 merged May 16, 2025

• Python: Extract files in hidden dirs by default

  #19424 merged May 16, 2025

• C++: Update static call target resolution semantics in dataflow

  #19500 merged May 16, 2025

• C++: Exclude tests in model generation

  #19498 merged May 16, 2025

• C#: Improve the query cs/gethashcode-is-not-defined.

  #19497 merged May 16, 2025

• JS: Merge ES6Class to FunctionStyleClass

  #19356 merged May 16, 2025

• Rust: Fix semantic merge conflict

  #19503 merged May 16, 2025

• Ruby printAst: fix order for synth children of real parents

  #19448 merged May 15, 2025

• Adding comprehensive docs for customizing actions/unpinned-tag query

  #19427 merged May 15, 2025

• Rust: Type inference and path resolution for builtins

  #19474 merged May 15, 2025

• C++: Fix IR edge case where there are no function calls taking an argument

  #19493 merged May 15, 2025

• Rust: expand attribute macros

  #19334 merged May 14, 2025

• Go: Remove redundant code in IR::ExtractTupleElementInstruction.getResultType() and expand tests

  #19484 merged May 14, 2025

• Swift: add new TypeValueExpr to CFG

  #19490 merged May 14, 2025

• C#: Add cs/call-to-gc to the code quality suite.

  #19482 merged May 14, 2025

• Ruby: More captured exit read nodes

  #19483 merged May 14, 2025

• C#: Improve precision of cs/uncontrolled-format-string.

  #19271 merged May 14, 2025

• Shared: Generate more value-preserving flow summaries

  #19433 merged May 14, 2025

• Shared: Generate more value-preserving flow summaries

  #19443 merged May 14, 2025

• Post-release preparation for codeql-cli-2.21.3

  #19489 merged May 13, 2025

• Release preparation for version 2.21.3

  #19488 merged May 13, 2025

• Add support for Kotlin 2.2.0; drop Kotlin 1.5.x

  #19402 merged May 13, 2025

• C++: Fix infinite range analysis loop on invalid SSA

  #19477 merged May 13, 2025

• Update changelogs for CodeQL CLI 2.21.2

  #19462 merged May 13, 2025

• Rust: Add LiteralExpr sub classes

  #19475 merged May 13, 2025

• JS: Overhaul import resolution

  #19391 merged May 13, 2025

• JS: Generate flow summaries from summaryModels; only generate steps as a fallback

  #19445 merged May 13, 2025

• Rust: Add Operation class

  #19454 merged May 13, 2025

• ruby: adjust precision of rb/useless-assignment-to-local

  #19476 merged May 13, 2025

• Shared: Remove the language-specific model generator scripts

  #19452 merged May 13, 2025

• Rust: Add tests for web frameworks as taint sources

  #19466 merged May 13, 2025

• Add new stubs definitions to System.Web

  #19456 merged May 13, 2025

• Add CodeQL Quantum models and queries (Java, C++) to experimental

  #19469 merged May 12, 2025

• Rust: Update query severities

  #19449 merged May 12, 2025

• Rust: Use the new 'quality' tag.

  #19455 merged May 12, 2025

• Rust: Update generated models for core and std

  #19440 merged May 12, 2025

• Go: fix database inconsistency when receiver has alias type

  #19464 merged May 6, 2025

• Bump golang.org/x/tools from 0.32.0 to 0.33.0 in /go/extractor in the extractor-dependencies group

  #19463 merged May 6, 2025

• Rust: make MacroStmts expressions

  #19335 merged May 3, 2025

• Swift: Support new Swift 6.1 AST elements

  #19420 merged May 2, 2025

• Rust: Remove visibility check in path resolution

  #19431 merged May 2, 2025

• Rust: extract declarations of builtin types

  #19421 merged May 2, 2025

• JS: Modeling of ShellJS functions

  #19422 merged May 2, 2025

45 Pull requests opened by 25 people

• Add Actix framework modeling and import to Frameworks.qll

  #19461 opened May 5, 2025

• Fix typo from `occured` to `occurred`

  #19485 opened May 13, 2025

• Kotlin: clean up alternate-version code now that v1.5.x support is dropped

  #19496 opened May 15, 2025

• Rust: Make current MaD predicates deprecated

  #19502 opened May 15, 2025

• JS: Refactor `Nest` test suite with inline expectations

  #19514 opened May 19, 2025

• Rust: upgrade `rust-analyzer` to 0.0.281

  #19524 opened May 19, 2025

• Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages

  #19530 opened May 19, 2025

• C++: accept new test results after changes

  #19533 opened May 20, 2025

• Java: Queries for thread-safe classes

  #19539 opened May 20, 2025

• Java: Add test showing missing dispatch for incomplete parameterised type

  #19543 opened May 20, 2025

• JS: new `Quality` query - Unhandled errors in `.pipe()` chain

  #19544 opened May 20, 2025

• Python: Modernize iter not returning self query

  #19554 opened May 22, 2025

• Rust: move body skipping logic to code generation

  #19559 opened May 22, 2025

• Go: Add BigQuery as a sink for SQLi queries #2

  #19561 opened May 22, 2025

• Quantum: Add initial qltests for OpenSSL modeling

  #19564 opened May 22, 2025

• Quantum: Initial support for BouncyCastle signature algorithms

  #19568 opened May 23, 2025

• Shared/Java: Add shared Guards library and switch Java to use it.

  #19573 opened May 23, 2025

• Rust: Remove source vs library deduplication logic

  #19577 opened May 26, 2025

• JS: Enhance `isDomProperty`

  #19579 opened May 26, 2025

• Rust: skip private items when extracting library files

  #19581 opened May 26, 2025

• Rust: Type inference for `.await` expressions

  #19584 opened May 26, 2025

• Rust: skip unexpanded stuff in library emission

  #19585 opened May 27, 2025

• Diff-informed queries via primary/secondary abstractions

  #19586 opened May 27, 2025

• JS: Mark AngularJS $location as client-side remote flow source

  #19587 opened May 27, 2025

• C#: Improve `cs/dereference-*` queries and add to the Code Quality suite.

  #19589 opened May 27, 2025

• Add QL for QL query to warn about possible non-inlining across overlay frontier

  #19590 opened May 27, 2025

• Python: Add Pandas SQLi sinks

  #19594 opened May 27, 2025

• C++: Generate flow summaries for `curl/curl`

  #19596 opened May 27, 2025

• C++: Add support for getting literals in using declarations

  #19603 opened May 28, 2025

• Rust: Extend jump-to-def to include paths and `mod file;` imports

  #19605 opened May 28, 2025

• Quantum: Add base classes for OpenSSL EVP methods

  #19607 opened May 28, 2025

• Experiment: Mark predicate inline to test QL-for-QL query

  #19609 opened May 28, 2025

• Experiment: Test QL-for-QL overlay[caller] query

  #19610 opened May 28, 2025

• Rust: Also take the `std` prelude into account when resolving paths

  #19611 opened May 28, 2025

• Rust: Path resolution for `extern crate`s

  #19614 opened May 28, 2025

• Rust: restrict line and file counts to include only extracted source files

  #19616 opened May 28, 2025

• Quantum: Added signature input nodes to signature verify operation nodes

  #19623 opened May 29, 2025

• Rust: Refactor type equality

  #19624 opened May 29, 2025

• Rust: Model futures-io, rustls, futures-rustls

  #19626 opened May 29, 2025

• Quantum: OpenSSL signatures

  #19628 opened May 29, 2025

• Rust: add documentation for AST nodes

  #19630 opened May 30, 2025

• Add script to add overlay annotations

  #19631 opened May 30, 2025

• Openssl key agreement instances and consumers

  #19632 opened May 30, 2025

• JS: Add URL constructor taint tracking for request forgery

  #19634 opened May 30, 2025

• Fix user-facing casing of NuGet

  #19638 opened Jun 2, 2025

16 Issues closed by 6 people

• General issue

  #18406 closed May 31, 2025

• JAVA:could not resolve type MethodAccess

  #19615 closed May 28, 2025

• General issue: Cannot upgrade database

  #4034 closed May 22, 2025

• Uninformative error message from qltest when there are no source files

  #3406 closed May 22, 2025

• General issue

  #3289 closed May 22, 2025

• How to open rel file in a CodeQL database？

  #3100 closed May 22, 2025

• Can vscode open the Path Explore?

  #3017 closed May 22, 2025

• Build error in C#8

  #2952 closed May 22, 2025

• CLI incompatible with dataset

  #2548 closed May 22, 2025

• False positive in C/C++ dead code detection

  #19399 closed May 21, 2025

• CodeQL detected code written in Java/Kotlin but could not process any of it

  #19527 closed May 20, 2025

• Unable to extract Java 23 project using CodeQL 2.17.3

  #19526 closed May 19, 2025

• Support Kotlin 2.2.0-Beta

  #19349 closed May 16, 2025

• v2.21.2rule error

  #19495 closed May 15, 2025

• Error downloading packages etc

  #19465 closed May 14, 2025

• C++: Data flow and member templates

  #19236 closed May 12, 2025

13 Issues opened by 11 people

• Call chain analysis exception

  #19637 opened Jun 1, 2025

• Actions: imprecise action references in model data

  #19635 opened May 30, 2025

• Actions: Identifying keywords like `with`, `shell`

  #19629 opened May 29, 2025

• Java: static field access of unknown class breaks dataflow (build-mode=none)

  #19597 opened May 27, 2025

• Java: Generic Class Methods not connected when type parameter is unknown (build-mode=none)

  #19538 opened May 20, 2025

• False positive: Go / MongoDB Find method

  #19537 opened May 20, 2025

• Add support for Swift 6.1 / Xcode 16.3 with Autobuild

  #19522 opened May 19, 2025

• CWE(s) in Kotlin not being detected by java-kotlin queries?

  #19517 opened May 19, 2025

• The strings were concatenated, making it impossible to match the path.

  #19479 opened May 13, 2025

• How to speed up the execution

  #19471 opened May 11, 2025

• [Bug] Spurious `remote: error: GH013: Repository rule violations found for refs/heads/trunk.` `remote: - Code scanning is waiting for results from CodeQL for the commit`

  #19459 opened May 3, 2025

• [Java] Issue resolving dependences

  #19458 opened May 3, 2025

• C++: Multi-Level Member Function Calls Not Modeled as DataFlow::Node

  #19457 opened May 2, 2025

20 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Go: promote `html-template-escaping-bypass-xss`

  #19386 commented on May 21, 2025 • 2 new comments

• Change definition of `getFactoryNodeInternal`

  #19359 commented on May 6, 2025 • 1 new comment

• Add Microsoft to trusted actions owner

  #19450 commented on May 16, 2025 • 0 new comments

• Actions: Fix Critical Artifact poisoning False Positive

  #19388 commented on May 19, 2025 • 0 new comments

• [DO NOT MERGE] Prior: Test PR

  #19285 commented on May 15, 2025 • 0 new comments

• Rust: update supported languages and frameworks

  #19280 commented on May 2, 2025 • 0 new comments

• Bump crossbeam-channel from 0.5.14 to 0.5.15 in the cargo group across 1 directory

  #19275 commented on May 20, 2025 • 0 new comments

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 commented on May 27, 2025 • 0 new comments

• Misc: Add script creating DCA source suites from MRVA

  #19232 commented on May 7, 2025 • 0 new comments

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 commented on May 22, 2025 • 0 new comments

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 commented on Jun 2, 2025 • 0 new comments

• CodeQL DB missing half the source C files, getting compiled with no errors.

  #19066 commented on May 27, 2025 • 0 new comments

• False positives in cpp/user-after-free

  #19387 commented on May 22, 2025 • 0 new comments

• [JAVA] [GRADLE] OOM Issue with GitHub Autobuilder for Kotlin

  #19374 commented on May 20, 2025 • 0 new comments

• Swift: Xcode 16.2 - could not build module

  #19284 commented on May 16, 2025 • 0 new comments

• `js/weak-cryptographic-algorithm`/`BrokenCryptoAlgorithm` got 25-30x slower

  #18604 commented on May 14, 2025 • 0 new comments

• CodeQL for php

  #14000 commented on May 13, 2025 • 0 new comments

• RegExpInjection takes 6 hours to scan the TypeScript repo after 2.20.2

  #18584 commented on May 12, 2025 • 0 new comments

• Error downloading packs with corporate certificate in chain

  #13132 commented on May 5, 2025 • 0 new comments

• Code scanning results should be visible to everyone, not only those with write permission on the repository

  #11021 commented on May 2, 2025 • 0 new comments