Overview
29 Pull requests merged by 16 people
-
C++: add some more range analysis tests
#7267 merged
Nov 30, 2021 -
Update CSV framework coverage reports
#7266 merged
Nov 30, 2021 -
C++: New query for SSL result conflation
#7242 merged
Nov 30, 2021 -
Java: Ratpack HTTP Framework Additional Modeling
#7007 merged
Nov 29, 2021 -
Python: Fix some query-ids
#7101 merged
Nov 29, 2021 -
Python/C#: Add CWE-1333 to redos queries
#7089 merged
Nov 29, 2021 -
Python: Add test with custom django json response (FP)
#7046 merged
Nov 29, 2021 -
JS/Py: Fix cleartext logging CWEs
#7233 merged
Nov 29, 2021 -
C#: Only include effectively public declarations in flow summaries
#7255 merged
Nov 29, 2021 -
C#: Update the Microsoft.NETCore.App stub
#7230 merged
Nov 29, 2021 -
C#: Initial implementation of csv printing in FlowSummaries test
#7178 merged
Nov 29, 2021 -
Data flow: Introduce `ConsistencyConfiguration` class
#7237 merged
Nov 26, 2021 -
Range analysis and useless-comparison query: don't treat all unicode surrogates as if they are U+FFFD
#7239 merged
Nov 26, 2021 -
Note that FEATURE_SECURE_PROCESSING isn't a sufficient defence against XXE
#7240 merged
Nov 25, 2021 -
JS: [Internal only] Add ML models specification to ATM query pack definition
#7244 merged
Nov 25, 2021 -
Data flow: Performance tuning
#7232 merged
Nov 25, 2021 -
C#: Enable SSA consistency queries
#7185 merged
Nov 25, 2021 -
Document XXE sanitisation policy
#7229 merged
Nov 25, 2021 -
JS: add explicit this to all member calls
#6873 merged
Nov 24, 2021 -
Java: CWE-400 - Query to detect uncontrolled thread resource consumption
#6717 merged
Nov 24, 2021 -
Ruby: fix CI jobs after removal of `.codeql-manifest.json`
#7222 merged
Nov 24, 2021 -
JS/PY/RB: get ReDoSUtil in sync for ruby
#7173 merged
Nov 24, 2021 -
Python: Model `wsgiref.simple_server` applications
#7131 merged
Nov 24, 2021 -
Python/Ruby: Remove owasp tags
#7145 merged
Nov 24, 2021 -
C++: Hide some IR dataflow nodes
#7226 merged
Nov 24, 2021 -
Python: Model `posixpath` and `os.stat`
#7143 merged
Nov 24, 2021 -
Java: Add diagnostic query for framework coverage
#7181 merged
Nov 24, 2021 -
C++: take IR Operand locations from definitions
#7188 merged
Nov 23, 2021 -
Ruby: add regex injection query
#6978 merged
Nov 23, 2021
15 Pull requests opened by 12 people
-
Python: FastAPI improvements
#7228 opened
Nov 24, 2021 -
C#: Enable data-flow consistency queries
#7231 opened
Nov 24, 2021 -
C++: New query for SSL certificates not checked
#7243 opened
Nov 25, 2021 -
All langs: apply the explicit-this patch to all remaining code
#7245 opened
Nov 26, 2021 -
Python: Support flow through `import *`
#7246 opened
Nov 26, 2021 -
Fix ruby incorrect version in documentation
#7249 opened
Nov 27, 2021 -
Python: add insecureRandomness
#7252 opened
Nov 28, 2021 -
C#: Use .NET Core Nuget package stub in test
#7257 opened
Nov 29, 2021 -
Java: Unsafe Hash Query
#7258 opened
Nov 29, 2021 -
Python: Add more path-injection sinks from `os` and `tempfile` modules
#7259 opened
Nov 29, 2021 -
Data flow: Introduce `ParameterPosition` and `ArgumentPosition`
#7260 opened
Nov 29, 2021 -
Release preparation for version 2.7.3
#7265 opened
Nov 29, 2021 -
Java: Produce diffs for model generator changes
#7268 opened
Nov 30, 2021 -
C#: Update the make_stubs_nuget script
#7269 opened
Nov 30, 2021 -
Dataflow: Stage 2 refactor
#7270 opened
Nov 30, 2021
1 Issue closed by 1 person
-
Java false positive: XXE via XMLInputFactory
#7199 closed
Nov 26, 2021
10 Issues opened by 8 people
-
[JavaScript] Repeated invocations leads to type tracking false negatives
#7261 opened
Nov 29, 2021 -
LGTM.com - false positive: py/unreachable-statement after context manager with while True loop
#7256 opened
Nov 29, 2021 -
LGTM.com - false positive
#7241 opened
Nov 25, 2021 -
LGTM.com - false positive
#7238 opened
Nov 25, 2021 -
LGTM.com - false positive
#7235 opened
Nov 24, 2021 -
LGTM.com - false positive
#7234 opened
Nov 24, 2021 -
CodeQL Cli - false positive - Missing Dispose call on local IDisposable on MemoryStream
#7227 opened
Nov 24, 2021 -
How to suppress "module import itself" in python
#7224 opened
Nov 24, 2021 -
[JavaScript] TaintTracking cannot track tainted values out of callback functions
#7221 opened
Nov 23, 2021
19 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
Ruby: pattern matching
#7154 commented on
Nov 30, 2021 • 57 new comments -
[Java] CWE-089 MyBatis Mapper Sql Injection
#6319 commented on
Nov 30, 2021 • 22 new comments -
Java: CWE-470 - Queries to detect Fragment Injection in Android applications
#6923 commented on
Nov 26, 2021 • 19 new comments -
C/C++: LGTM.com run failed on PR but CI succeeds after changes to CMakeLists.txt
#7055 commented on
Nov 29, 2021 • 2 new comments -
JS: Add routing trees library
#7049 commented on
Nov 24, 2021 • 2 new comments -
JS/PY/RB: support a limited number of ranges for ReDoS analysis
#7097 commented on
Nov 30, 2021 • 2 new comments -
fix request for cpp exceptions
#7177 commented on
Nov 24, 2021 • 2 new comments -
LGTM.com - false positive - undeclared functions from the Python C API
#7214 commented on
Nov 23, 2021 • 1 new comment -
[Javascript] CWE-348: Client supplied ip used in security check
#6864 commented on
Nov 29, 2021 • 1 new comment -
Ruby: Add support for GraphQL
#7126 commented on
Nov 28, 2021 • 1 new comment -
Move upgrades into standard library packs
#7166 commented on
Nov 25, 2021 • 1 new comment -
JS: Make the edges of API-graphs into IPA types
#7180 commented on
Nov 29, 2021 • 1 new comment -
[JavaScript] Another limited case for tainting objects with methods
#7106 commented on
Nov 29, 2021 • 0 new comments -
General issue - JavaScript data flow analysis
#5177 commented on
Nov 30, 2021 • 0 new comments -
Java: Promote Log Injection from experimental
#7054 commented on
Nov 26, 2021 • 0 new comments -
Ruby: Cache more predicates
#7090 commented on
Nov 23, 2021 • 0 new comments -
Multiple scopes for neighborhood feature
#7196 commented on
Nov 24, 2021 • 0 new comments -
Ruby: Flow through arrays/enumerables
#7198 commented on
Nov 29, 2021 • 0 new comments -
JS: Add support for TypeScript 4.5
#7216 commented on
Nov 29, 2021 • 0 new comments