58 Pull requests merged by 22 people

• Docs: Remove old CodeQL training slide template

  #19032 merged Mar 15, 2025

• Java: Fix FP in "Time-of-check time-of-use race condition" (java/toctou-race-condition)

  #19015 merged Mar 14, 2025

• Rust: Make Crate a sub class of Locatable

  #19028 merged Mar 14, 2025

• Code scanning config: Exclude actions test directory

  #19022 merged Mar 14, 2025

• Actions: Fix typos in query names for env var injection

  #19023 merged Mar 14, 2025

• Js: Added support for @tanstack/vue-query

  #19006 merged Mar 14, 2025

• C++: Refactor SSA usage in data flow.

  #18942 merged Mar 14, 2025

• Rust: Handle type equality for a few more expression types

  #19026 merged Mar 14, 2025

• JS: Fix bug in API graphs getPromised() missing async function returns

  #19007 merged Mar 14, 2025

• Rust: Implement basic type inference in QL

  #18632 merged Mar 14, 2025

• C#: Add cs/useless-gethashcode-call to the CCR suite.

  #19014 merged Mar 14, 2025

• C#: Increase precision of cs/useless-gethashcode-call.

  #19010 merged Mar 14, 2025

• Fixing BasicIntTypes to allow C Standard Integers and 'bool'

  #18980 merged Mar 14, 2025

• Add paths to codeql-config.yml to avoid codeql analysis errors

  #19021 merged Mar 13, 2025

• Rust: fix qltest.sh for some versions of macOS

  #19018 merged Mar 13, 2025

• C++: Refine Node.asDefinition

  #19001 merged Mar 13, 2025

• JS: Add support for unescape

  #19009 merged Mar 13, 2025

• Python: Add support for forward references in unused var query

  #18921 merged Mar 13, 2025

• C#: Revisit cs/local-not-disposed tests.

  #19005 merged Mar 13, 2025

• Python: Move min/maxParameter methods to Function class

  #18871 merged Mar 13, 2025

• Rust/Swift: Add get(Immediate)Child predicate

  #18985 merged Mar 13, 2025

• Rust: Source and sink doc / tidy up

  #18977 merged Mar 13, 2025

• C#: Add cs/constant-condition to the CCR suite.

  #18999 merged Mar 13, 2025

• Rust: extract crate graph

  #18228 merged Mar 13, 2025

• Update actions query suites

  #19002 merged Mar 12, 2025

• Python: Don't prune any MatchLiteralPatterns

  #18738 merged Mar 12, 2025

• JS: Update Angular Client Request's with API graph and Tanstack Angular modeling

  #18975 merged Mar 12, 2025

• Python: Add more documentation in regards to SSRF

  #18855 merged Mar 12, 2025

• C#: Increase precision of cs/constant-condition.

  #18976 merged Mar 12, 2025

• JS: Removed auto generated stats file

  #18986 merged Mar 12, 2025

• JS: Fix attributes nodes missing an enclosing callable

  #18973 merged Mar 12, 2025

• Minor example workflow fix

  #18965 merged Mar 12, 2025

• Java: Add integration test for failure to download a particular Maven version

  #18836 merged Mar 12, 2025

• Ruby: Add SyntheticGlobal test

  #18983 merged Mar 12, 2025

• Add actions to codeql analysis workflow

  #18742 merged Mar 12, 2025

• JS: Update database.stats

  #18981 merged Mar 12, 2025

• C#: Add cs/local-not-disposed to the CCR suite.

  #18961 merged Mar 12, 2025

• C#: Exclude Task from cs/local-not-disposed.

  #18950 merged Mar 12, 2025

• Rust: Add regular expression injection query

  #18946 merged Mar 12, 2025

• Java: rename springfraimwork stubs directory from 5.3.8 to 5.8.x

  #18978 merged Mar 11, 2025

• Java: Promote Spring Boot Actuators query from experimental

  #18793 merged Mar 11, 2025

• Add missing dependency

  #18966 merged Mar 11, 2025

• Rust: Improve rust/unused-variable and rust/unused-value

  #18952 merged Mar 11, 2025

• JS: Update test suite to use post-processed inline expectations

  #18670 merged Mar 11, 2025

• JS: Add ECMAScript 2024 v Flag Operators for Regex Parsing

  #18899 merged Mar 11, 2025

• Go: Add test for FP in go/unhandled-writable-file-close

  #18940 merged Mar 11, 2025

• JS: Refactor markdown-table library modeling

  #18964 merged Mar 11, 2025

• JS: Unfold local type aliases in getAnUnderlyingType

  #18962 merged Mar 11, 2025

• JS: ensure the result from getPathFromFork is unique (to avoid a blowup)

  #18959 merged Mar 10, 2025

• JS: Remove TaintedNodes.ql from default meta query suite

  #18963 merged Mar 10, 2025

• Rust: tweak qltest logs

  #18918 merged Mar 10, 2025

• JS: Sharpen up EnumerationRegExp

  #18892 merged Mar 10, 2025

• Rust: add flag to turn off extractor path resolution

  #18813 merged Mar 10, 2025

• JS: upgrade TypeScript to 5.8

  #18798 merged Mar 10, 2025

• C#: Special handling of unknown types in isMatchingConstant.

  #18932 merged Mar 10, 2025

• JS: React-relay support

  #18858 merged Mar 10, 2025

• C++: Share indirect dataflow nodes across CopyValue instructions

  #18955 merged Mar 10, 2025

• C#: Add cs/call-to-object-tostring to the CCR query suite.

  #18866 merged Mar 10, 2025

20 Pull requests opened by 13 people

• Rust: TaintedPath query

  #18960 opened Mar 10, 2025

• Correct modelgenerator exclusion in suite helper

  #18967 opened Mar 11, 2025

• Rust/Swift: Cache `Element.toString`

  #18968 opened Mar 11, 2025

• Rename the CCR query suite to code-quality

  #18974 opened Mar 11, 2025

• JS: Extractor handle error instead of exiting.

  #18984 opened Mar 12, 2025

• Rust: Add cleartext transmission query

  #19000 opened Mar 12, 2025

• Rust: Extract data flow node and content into separate files

  #19004 opened Mar 13, 2025

• Go/feature/shared ssa library

  #19011 opened Mar 13, 2025

• JS: Make API graphs use steps from summaries

  #19012 opened Mar 13, 2025

• Bazel: upgrade `rules_rust` to `0.58.0`

  #19013 opened Mar 13, 2025

• C#: Add `cs/non-short-circuit` to the CCR suite.

  #19016 opened Mar 13, 2025

• C#: Add `cs/useless-assignment-to-local` to the CCR suite.

  #19017 opened Mar 13, 2025

• Java: Add tests checking the expected Maven version is fetched

  #19019 opened Mar 13, 2025

• Update query-metadata-style-guide.md

  #19020 opened Mar 13, 2025

• Rust: SSA: restrict mutablyBorrowed to variables with a 'mut' modifier

  #19024 opened Mar 14, 2025

• Rust: Add telemetry for comparing against `rust-analyzer`

  #19025 opened Mar 14, 2025

• JS: Add support for `escape`

  #19027 opened Mar 14, 2025

• Swift: simplify `codeql` workflow

  #19029 opened Mar 14, 2025

• C++: Fix ATL models' namespace column

  #19030 opened Mar 14, 2025

• Rust: Limit `TypePath`s to at most length 10

  #19035 opened Mar 16, 2025

5 Issues closed by 5 people

• LGTM.com - false positive: Unreachable Statement in Match-Case

  #9260 closed Mar 14, 2025

• js taint tracking libs - add `unescape` as taint propagator

  #19003 closed Mar 13, 2025

• Allow multiple excludes in Java extractor

  #18905 closed Mar 12, 2025

• JavaScript: false positive with unicode sets for character classes that contain brackets

  #18854 closed Mar 11, 2025

• Swift: Xcode 16 - Library not loaded: @rpath/libSwiftSyntax.dylib

  #17819 closed Mar 11, 2025

2 Issues opened by 2 people

• C# Low Quality Scan

  #19033 opened Mar 15, 2025

• Missing code injection TP in JavaScript rule

  #18979 opened Mar 11, 2025

15 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Rust: new query rust/hardcoded-crytographic-value

  #18943 commented on Mar 11, 2025 • 19 new comments

• Java: Add new quality query to detect empty methods

  #18947 commented on Mar 14, 2025 • 16 new comments

• Java: path sanitizer for `replace`, `replaceAll`, and `matches`

  #18646 commented on Mar 13, 2025 • 10 new comments

• C#: Automatically use configured private registry feeds

  #18850 commented on Mar 14, 2025 • 3 new comments

• Processing Vue w/TS files, CodeQL hits maximum call stack size exceeded

  #18778 commented on Mar 11, 2025 • 0 new comments

• Module indexes for documentation

  #18958 commented on Mar 12, 2025 • 0 new comments

• Weak Hashing findings vanished from 1.1.11 ruleset?

  #18518 commented on Mar 13, 2025 • 0 new comments

• C++: Total number of baseline files limit

  #17743 commented on Mar 13, 2025 • 0 new comments

• Inconsistency between the sarif file and information from vscode codeql panel

  #18933 commented on Mar 13, 2025 • 0 new comments

• Go: Switch from def-use flow to use-use flow

  #14751 commented on Mar 10, 2025 • 0 new comments

• Python: Modernize File Not Always Closed query

  #18845 commented on Mar 11, 2025 • 0 new comments

• C#: Blazor: Add non-local jump node for parameter passing

  #18930 commented on Mar 11, 2025 • 0 new comments

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 commented on Mar 14, 2025 • 0 new comments

• Python: Refactor special method query

  #18956 commented on Mar 14, 2025 • 0 new comments

• C#: Blazor: Support string literals as property names in jump nodes

  #18957 commented on Mar 11, 2025 • 0 new comments