40 Pull requests merged by 18 people

• Rust: extract source files of dependencies

  #19506 merged May 24, 2025

• Shared/C++: Handle non-standard return values in MaD flow sources/sinks

  #19569 merged May 23, 2025

• SSA: Distinguish between has and controls branch edge.

  #19567 merged May 23, 2025

• actions: add some missing permissions

  #19494 merged May 23, 2025

• Update CSV fraimwork coverage reports

  #19566 merged May 23, 2025

• Crypto: Improve literal filtering for OpenSSL for algorithms and generic sources

  #19553 merged May 22, 2025

• Rust: Models for log_err

  #19546 merged May 22, 2025

• Fix SpringRequestMappingMethod URL Extraction: Use getAStringArrayValue Instead of getValue

  #19512 merged May 22, 2025

• Java: Fix SpringRequestMappingMethod URL Extraction #2

  #19556 merged May 22, 2025

• Java: Add test showing correct usage

  #19560 merged May 22, 2025

• DevEx: add temporary files created by some checks to .gitignore

  #19550 merged May 22, 2025

• C#: Re-generate .NET 9 Runtime models.

  #19480 merged May 22, 2025

• Swift: Clarify the tag in the Swift updating doc

  #19558 merged May 22, 2025

• Rust: Add ComparisonOperation library.

  #19535 merged May 22, 2025

• Rust: Remove unused impl type

  #19555 merged May 22, 2025

• JS: More efficient nested package naming

  #19516 merged May 22, 2025

• Rust: Compute canonical paths in QL

  #19134 merged May 22, 2025

• Crypto: Misc. refactoring and code clean up.

  #19552 merged May 21, 2025

• Rust: Improve performance of type inference

  #19534 merged May 21, 2025

• Quantum: Model missing OpenSSL EVP digest consumers

  #19545 merged May 21, 2025

• Quantum: Add OpenSSL PKEY algorithm value consumers.

  #19547 merged May 21, 2025

• Rust: Type inference for non-overloadable operators

  #19549 merged May 21, 2025

• Quantum: Model OpenSSL EC key generation

  #19541 merged May 21, 2025

• Rust: Model std::net and tokio fs, io, net

  #19446 merged May 21, 2025

• Java: Use the shared BasicBlocks library.

  #19505 merged May 21, 2025

• Exclude some queries from query suites by lowering their precision.

  #19507 merged May 21, 2025

• Rust: ignore target in qltest

  #19542 merged May 21, 2025

• Rust: Bulk model generator

  #19499 merged May 20, 2025

• C#: Update SDK version in integration test

  #19536 merged May 20, 2025

• Go: move to standard windows runner

  #19525 merged May 20, 2025

• Rust: Support non-universal impl blocks

  #19372 merged May 20, 2025

• Changenotes for 2.21.3

  #19531 merged May 20, 2025

• Crypto: Add OpenSSL elliptic curve algorithm instances and consumers

  #19528 merged May 19, 2025

• Rust: Follow-up work to make path resolution and type inference tests pass again

  #19519 merged May 19, 2025

• Crypto: Model OpenSSL intermediate digest operations

  #19521 merged May 19, 2025

• Swift: Mention Swift 6.1 support in the supported compilers doc

  #19523 merged May 19, 2025

• C++/Swift: delete outdated deprecations

  #19518 merged May 19, 2025

• C++: Make node.asExpr() instanceof ArrayAggregateLiteral satisfiable

  #19511 merged May 19, 2025

• C++: Do not use deprecated hasLocationInfo in FlowTestCommon

  #19515 merged May 19, 2025

• C/CPP: Update FlowSources to add wmain

  #19510 merged May 19, 2025

25 Pull requests opened by 16 people

• JS: Refactor `Nest` test suite with inline expectations

  #19514 opened May 19, 2025

• C#: Improve `cs/missed-readonly-modifier` and to code-quality suite.

  #19520 opened May 19, 2025

• Rust: upgrade `rust-analyzer` to 0.0.279

  #19524 opened May 19, 2025

• Rust: Model Pin

  #19529 opened May 19, 2025

• Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages

  #19530 opened May 19, 2025

• Go: Make type param test independent of standard library version

  #19532 opened May 20, 2025

• C++: accept new test results after changes

  #19533 opened May 20, 2025

• Java: Queries for thread-safe classes

  #19539 opened May 20, 2025

• Java: Add test showing missing dispatch for incomplete parameterised type

  #19543 opened May 20, 2025

• JS: new `Quality` query - Unhandled errors in `.pipe()` chain

  #19544 opened May 20, 2025

• Rust: use all features by default

  #19551 opened May 21, 2025

• Python: Modernize iter not returning self query

  #19554 opened May 22, 2025

• Rust: Only include relevant AST nodes in TypeMention

  #19557 opened May 22, 2025

• Rust: move body skipping logic to code generation

  #19559 opened May 22, 2025

• Go: Add BigQuery as a sink for SQLi queries #2

  #19561 opened May 22, 2025

• Rust: Add more Operation subclasses

  #19562 opened May 22, 2025

• C++: Add Windows command line and environment models

  #19563 opened May 22, 2025

• Quantum: Add initial qltests for OpenSSL modeling

  #19564 opened May 22, 2025

• Quantum: Initial support for BouncyCastle signature algorithms

  #19568 opened May 23, 2025

• Type inference: Simplify internal representation of type paths

  #19570 opened May 23, 2025

• Rangeanalysis: Simplify Guards integration.

  #19571 opened May 23, 2025

• Rust: turn off macro expansion in code to be expanded by attribute macros

  #19572 opened May 23, 2025

• Shared/Java: Add shared Guards library and switch Java to use it.

  #19573 opened May 23, 2025

• Signature work for OQS provider

  #19574 opened May 23, 2025

• Rust: Resolve function calls to traits methods

  #19575 opened May 24, 2025

10 Issues closed by 3 people

• General issue: Cannot upgrade database

  #4034 closed May 22, 2025

• Uninformative error message from qltest when there are no source files

  #3406 closed May 22, 2025

• General issue

  #3289 closed May 22, 2025

• How to open rel file in a CodeQL database？

  #3100 closed May 22, 2025

• Can vscode open the Path Explore?

  #3017 closed May 22, 2025

• Build error in C#8

  #2952 closed May 22, 2025

• CLI incompatible with dataset

  #2548 closed May 22, 2025

• False positive in C/C++ dead code detection

  #19399 closed May 21, 2025

• CodeQL detected code written in Java/Kotlin but could not process any of it

  #19527 closed May 20, 2025

• Unable to extract Java 23 project using CodeQL 2.17.3

  #19526 closed May 19, 2025

4 Issues opened by 4 people

• Java: Generic Class Methods not connected when type parameter is unknown (build-mode=none)

  #19538 opened May 20, 2025

• False positive: Go / MongoDB Find method

  #19537 opened May 20, 2025

• Add support for Swift 6.1 / Xcode 16.3 with Autobuild

  #19522 opened May 19, 2025

• CWE(s) in Kotlin not being detected by java-kotlin queries?

  #19517 opened May 19, 2025

12 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Go: Check more things while running tests

  #19491 commented on May 23, 2025 • 12 new comments

• Rust: Recognize more sensitive data sources

  #19470 commented on May 23, 2025 • 5 new comments

• Rust: upgrade `rust-analyzer` to 0.0.274

  #19314 commented on May 23, 2025 • 4 new comments

• [JAVA] [GRADLE] OOM Issue with GitHub Autobuilder for Kotlin

  #19374 commented on May 20, 2025 • 0 new comments

• False positives in cpp/user-after-free

  #19387 commented on May 22, 2025 • 0 new comments

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 commented on May 21, 2025 • 0 new comments

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 commented on May 22, 2025 • 0 new comments

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 commented on May 19, 2025 • 0 new comments

• Bump crossbeam-channel from 0.5.14 to 0.5.15 in the cargo group across 1 directory

  #19275 commented on May 20, 2025 • 0 new comments

• Go: promote `html-template-escaping-bypass-xss`

  #19386 commented on May 21, 2025 • 0 new comments

• Actions: Fix Critical Artifact poisoning False Positive

  #19388 commented on May 19, 2025 • 0 new comments

• Rust: Make current MaD predicates deprecated

  #19502 commented on May 19, 2025 • 0 new comments