39 Pull requests merged by 17 people

• Rust: make MacroStmts expressions

  #19335 merged May 3, 2025

• Swift: Support new Swift 6.1 AST elements

  #19420 merged May 2, 2025

• Rust: Remove visibility check in path resolution

  #19431 merged May 2, 2025

• Rust: extract declarations of builtin types

  #19421 merged May 2, 2025

• JS: Modeling of ShellJS functions

  #19422 merged May 2, 2025

• Shared: Re-factor summary, source and sink model generators into separate modules.

  #19382 merged May 2, 2025

• Add code quality suite selector and use that in the code quality suites

  #19413 merged May 2, 2025

• Python: modeling of hdbcli

  #19444 merged May 1, 2025

• Rust: Strengthen modeling of the Clone trait

  #19442 merged May 1, 2025

• C++: Limit flow through sinks and sources in cpp/upcast-array-pointer-arithmetic

  #19434 merged May 1, 2025

• python: model send_header from http.server

  #19432 merged May 1, 2025

• Misc: Add script for calculating totals for a MRVA run

  #18449 merged May 1, 2025

• Fix cwe tags to include leading zero

  #19429 merged May 1, 2025

• Merge back 2.21.2 release branch

  #19441 merged May 1, 2025

• JS: Modeling of fastify

  #19439 merged May 1, 2025

• Rust: Type inference for ? expressions

  #19367 merged May 1, 2025

• Docs: Fix escaping in 2.21.0 changelog

  #19437 merged May 1, 2025

• Actions: Retroactively add GA changenote

  #19436 merged May 1, 2025

• Rust: Use type inference to insert implicit borrows and derefs

  #19419 merged May 1, 2025

• C++: Turn header variant tests that use PCH files into integration tests

  #19410 merged Apr 30, 2025

• Rust: Add type inference debug predicates

  #19425 merged Apr 30, 2025

• Ruby: disable diff-informed mode on regex queries

  #19416 merged Apr 30, 2025

• Rust: Crate graph extraction workarounds

  #19362 merged Apr 30, 2025

• JS: Better type-tracking through Promise.all()

  #19412 merged Apr 30, 2025

• C++: Do not limit second level scopes to the top-level

  #19269 merged Apr 30, 2025

• Codegen: make missing codeql error clearer

  #19418 merged Apr 30, 2025

• Python: Improve performance of FileNotClosed query by using an explicit fastTC

  #19411 merged Apr 30, 2025

• Revert "Bazel: update rules_kotlin to 2.1.3"

  #19414 merged Apr 29, 2025

• Rust: Extract SelfParams from crate graph

  #19369 merged Apr 29, 2025

• JS: Added support for fastify.addHook

  #19300 merged Apr 29, 2025

• Bazel: update rules_kotlin to 2.1.3

  #19385 merged Apr 29, 2025

• C#/Java/Rust: Change the tag for the model generator debugging queries.

  #19408 merged Apr 29, 2025

• Python: Tweak LoopVariableCapture for performance

  #19325 merged Apr 29, 2025

• C#: Add cs/equality-on-floats to the Code Quality suite.

  #19396 merged Apr 29, 2025

• Shared: Use isSink/1 in PropagateFlowConfig

  #19404 merged Apr 29, 2025

• Fix spelling/wording in qhelp for rb/uninitialized-local-variable

  #19400 merged Apr 29, 2025

• Add query suite inclusion tests for cpp, python

  #19390 merged Apr 29, 2025

• JS: Tolerate trailing commas in JSON objects

  #19393 merged Apr 29, 2025

• C++: Add use-after-free FP tests

  #19397 merged Apr 29, 2025

22 Pull requests opened by 13 people

• python: make content sets an IPA type

  #19407 opened Apr 29, 2025

• Shared: Generate more value-preserving summaries

  #19409 opened Apr 29, 2025

• Bump chrono from 0.4.40 to 0.4.41 in /ql

  #19415 opened Apr 30, 2025

• Python: Extract files in hidden dirs by default

  #19424 opened Apr 30, 2025

• Adding comprehensive docs for customizing `actions/unpinned-tag` query

  #19427 opened Apr 30, 2025

• QL tests: run with --check-diff-informed

  #19428 opened Apr 30, 2025

• Shared: Generate more value-preserving flow summaries

  #19433 opened Apr 30, 2025

• Rust: Update generated models for core and std

  #19440 opened May 1, 2025

• Shared: Generate more value-preserving flow summaries

  #19443 opened May 1, 2025

• JS: Generate flow summaries from summaryModels; only generate steps as a fallback

  #19445 opened May 1, 2025

• Rust: Model std::net and tokio `fs`, `io`, `net`

  #19446 opened May 1, 2025

• Ruby printAst: fix order for synth children of real parents

  #19448 opened May 1, 2025

• Rust: Update query severities

  #19449 opened May 1, 2025

• Add Microsoft to trusted actions owner

  #19450 opened May 1, 2025

• Shared: Remove the language-specific model generator scripts

  #19452 opened May 2, 2025

• Redsun82/kotlin 2.2.0 support

  #19453 opened May 2, 2025

• Rust: Add Operation class

  #19454 opened May 2, 2025

• Rust: Use the new 'quality' tag.

  #19455 opened May 2, 2025

• Add new stubs definitions to System.Web and System.Net

  #19456 opened May 2, 2025

• Add Actix framework modeling and import to Frameworks.qll

  #19461 opened May 5, 2025

• Update changelogs for CodeQL CLI 2.21.2

  #19462 opened May 5, 2025

• Bump golang.org/x/tools from 0.32.0 to 0.33.0 in /go/extractor in the extractor-dependencies group

  #19463 opened May 6, 2025

2 Issues closed by 2 people

• False positive - 'Vulnerable package' is not the package version resolved

  #19435 closed May 1, 2025

• Missing C/C++ DataFlow/TaintTracking edges for fields accessed through pointers

  #19405 closed Apr 29, 2025

5 Issues opened by 5 people

• [Bug] Spurious `remote: error: GH013: Repository rule violations found for refs/heads/trunk.` `remote: - Code scanning is waiting for results from CodeQL for the commit`

  #19459 opened May 3, 2025

• [Java] Issue resolving dependences

  #19458 opened May 3, 2025

• C++: Multi-Level Member Function Calls Not Modeled as DataFlow::Node

  #19457 opened May 2, 2025

• Support alternate solution for bazel based C++ builds

  #19447 opened May 1, 2025

• Windows: AccessDeniedException during `codeql database create` TRAP finalization (`pools/0` move fails)

  #19438 opened May 1, 2025

22 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• JS: Overhaul import resolution

  #19391 commented on May 2, 2025 • 15 new comments

• Rust: Support non-universal `impl` blocks

  #19372 commented on May 5, 2025 • 14 new comments

• Rust: expand attribute macros

  #19334 commented on May 2, 2025 • 10 new comments

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 commented on May 2, 2025 • 7 new comments

• C#: Improve precision of `cs/uncontrolled-format-string`.

  #19271 commented on Apr 30, 2025 • 4 new comments

• Misc: Add script creating DCA source suites from MRVA

  #19232 commented on May 1, 2025 • 3 new comments

• Add support for Kotlin 2.2.0; drop Kotlin 1.5.x

  #19402 commented on May 2, 2025 • 1 new comment

• Change definition of `getFactoryNodeInternal`

  #19359 commented on May 5, 2025 • 1 new comment

• Rust: update supported languages and frameworks

  #19280 commented on May 2, 2025 • 1 new comment

• .qll Contribution for Sink Detection

  #19403 commented on May 4, 2025 • 0 new comments

• Go: promote `html-template-escaping-bypass-xss`

  #19386 commented on May 1, 2025 • 0 new comments

• JS: Merge `ES6Class` to `FunctionStyleClass`

  #19356 commented on May 2, 2025 • 0 new comments

• Handling of axios in functions and making axios create function recur…

  #19337 commented on May 1, 2025 • 0 new comments

• JS: Port `firebase` to data as models

  #19316 commented on May 1, 2025 • 0 new comments

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 commented on May 2, 2025 • 0 new comments

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 commented on May 1, 2025 • 0 new comments

• Ruby: Avoid a forced CP.

  #18927 commented on Apr 29, 2025 • 0 new comments

• Error downloading packs with corporate certificate in chain

  #13132 commented on May 5, 2025 • 0 new comments

• Code scanning results should be visible to everyone, not only those with write permission on the repository

  #11021 commented on May 2, 2025 • 0 new comments

• False positives in cpp/user-after-free

  #19387 commented on May 1, 2025 • 0 new comments

• Swift: Xcode 16.2 - could not build module

  #19284 commented on Apr 29, 2025 • 0 new comments

• False positive in C/C++ dead code detection

  #19399 commented on Apr 29, 2025 • 0 new comments