151 Pull requests merged by 34 people

• Rust: make MacroStmts expressions

  #19335 merged May 3, 2025

• Swift: Support new Swift 6.1 AST elements

  #19420 merged May 2, 2025

• Rust: Remove visibility check in path resolution

  #19431 merged May 2, 2025

• Rust: extract declarations of builtin types

  #19421 merged May 2, 2025

• JS: Modeling of ShellJS functions

  #19422 merged May 2, 2025

• Shared: Re-factor summary, source and sink model generators into separate modules.

  #19382 merged May 2, 2025

• Add code quality suite selector and use that in the code quality suites

  #19413 merged May 2, 2025

• Python: modeling of hdbcli

  #19444 merged May 1, 2025

• Rust: Strengthen modeling of the Clone trait

  #19442 merged May 1, 2025

• C++: Limit flow through sinks and sources in cpp/upcast-array-pointer-arithmetic

  #19434 merged May 1, 2025

• python: model send_header from http.server

  #19432 merged May 1, 2025

• Misc: Add script for calculating totals for a MRVA run

  #18449 merged May 1, 2025

• Fix cwe tags to include leading zero

  #19429 merged May 1, 2025

• Merge back 2.21.2 release branch

  #19441 merged May 1, 2025

• JS: Modeling of fastify

  #19439 merged May 1, 2025

• Rust: Type inference for ? expressions

  #19367 merged May 1, 2025

• Docs: Fix escaping in 2.21.0 changelog

  #19437 merged May 1, 2025

• Actions: Retroactively add GA changenote

  #19436 merged May 1, 2025

• Rust: Use type inference to insert implicit borrows and derefs

  #19419 merged May 1, 2025

• C++: Turn header variant tests that use PCH files into integration tests

  #19410 merged Apr 30, 2025

• Rust: Add type inference debug predicates

  #19425 merged Apr 30, 2025

• Ruby: disable diff-informed mode on regex queries

  #19416 merged Apr 30, 2025

• Rust: Crate graph extraction workarounds

  #19362 merged Apr 30, 2025

• JS: Better type-tracking through Promise.all()

  #19412 merged Apr 30, 2025

• C++: Do not limit second level scopes to the top-level

  #19269 merged Apr 30, 2025

• Codegen: make missing codeql error clearer

  #19418 merged Apr 30, 2025

• Python: Improve performance of FileNotClosed query by using an explicit fastTC

  #19411 merged Apr 30, 2025

• Revert "Bazel: update rules_kotlin to 2.1.3"

  #19414 merged Apr 29, 2025

• Rust: Extract SelfParams from crate graph

  #19369 merged Apr 29, 2025

• JS: Added support for fastify.addHook

  #19300 merged Apr 29, 2025

• Bazel: update rules_kotlin to 2.1.3

  #19385 merged Apr 29, 2025

• C#/Java/Rust: Change the tag for the model generator debugging queries.

  #19408 merged Apr 29, 2025

• Python: Tweak LoopVariableCapture for performance

  #19325 merged Apr 29, 2025

• C#: Add cs/equality-on-floats to the Code Quality suite.

  #19396 merged Apr 29, 2025

• Shared: Use isSink/1 in PropagateFlowConfig

  #19404 merged Apr 29, 2025

• Fix spelling/wording in qhelp for rb/uninitialized-local-variable

  #19400 merged Apr 29, 2025

• Add query suite inclusion tests for cpp, python

  #19390 merged Apr 29, 2025

• JS: Tolerate trailing commas in JSON objects

  #19393 merged Apr 29, 2025

• C++: Add use-after-free FP tests

  #19397 merged Apr 29, 2025

• Post-release preparation for codeql-cli-2.21.2

  #19401 merged Apr 28, 2025

• Java: Remove erroneously-committed query

  #19398 merged Apr 28, 2025

• JS: Improved modeling of aws-sdk

  #19364 merged Apr 28, 2025

• Release preparation for version 2.21.2

  #19395 merged Apr 28, 2025

• C++: Fix missing summaries in MaD generation

  #19383 merged Apr 28, 2025

• Follow-up fixes to #19376

  #19394 merged Apr 28, 2025

• Shared: Model generator cleanup.

  #19311 merged Apr 28, 2025

• Swift: Clarify how the LFS artifacts should be updated

  #19381 merged Apr 28, 2025

• C#: Fix CFG for fall-through switch statements

  #19380 merged Apr 28, 2025

• Go: Support private registries via GOPROXY

  #19248 merged Apr 25, 2025

• Swift: add more debug logs

  #19384 merged Apr 25, 2025

• Actions: Exclude model-generator queries from query suites

  #19376 merged Apr 25, 2025

• Add query suite integration tests for swift, actions, csharp, go, javascript, ruby, rust

  #19355 merged Apr 25, 2025

• Python: disable diff-informed PolynomialReDoS.ql

  #19379 merged Apr 25, 2025

• Rust: Path resolution performance tweaks

  #19358 merged Apr 25, 2025

• Swift: make extractor compile again after 6.1 upgrade

  #19315 merged Apr 25, 2025

• C++: Add exception for build-mode-none in various queries

  #19368 merged Apr 24, 2025

• Update list of supported platforms

  #19363 merged Apr 24, 2025

• Go: remove invalid toolchain version diagnostics

  #19370 merged Apr 24, 2025

• Dataflow: Make default field flow branch limit configurable per language

  #19361 merged Apr 24, 2025

• C++: Claim beta support for C23 and C++23

  #19365 merged Apr 24, 2025

• C#: Join order fix

  #19327 merged Apr 24, 2025

• C++: Support C23 typeof and typeof_unqual

  #19290 merged Apr 24, 2025

• C#: Improve cs/invalid-string-formatting and add to the Code Quality suite.

  #19148 merged Apr 24, 2025

• Shared: Match line information on Alert and Sink locations.

  #19354 merged Apr 24, 2025

• Rust: Remove unnecessary predicate.

  #19353 merged Apr 23, 2025

• Rust: Take where clauses into account in path resolution

  #19193 merged Apr 23, 2025

• C++: Instantiate model generation library

  #19295 merged Apr 23, 2025

• QL4QL: Restrict ql/qlref-inline-expectations to (path-)problem queries

  #19272 merged Apr 23, 2025

• C#: Relax condition for authorize attributes on cs/web/missing-function-level-access-control.

  #19302 merged Apr 23, 2025

• Shared: Fix join in FileSystem.qll

  #19345 merged Apr 23, 2025

• changedocs from 2.21.1 release

  #19348 merged Apr 22, 2025

• Java: Add new quality query to detect finalize calls

  #19075 merged Apr 22, 2025

• Java: Add new quality query to detect missing @Nested annotation in JUnit5 tests

  #19094 merged Apr 22, 2025

• Swift: Make file checking in tests more strict

  #19347 merged Apr 22, 2025

• Swift: Make file checking in integration tests more strict

  #19346 merged Apr 22, 2025

• Swift: Make file checking in tests more strict

  #19344 merged Apr 22, 2025

• Ruby: Make module graph queries avoid relying on evalaution order.

  #19116 merged Apr 22, 2025

• Docs: Fix typo in code sample

  #19296 merged Apr 22, 2025

• JS: Fix missing flow into rest pattern lvalue

  #19283 merged Apr 22, 2025

• Rust: Remove the noisy models output from the dataflow/local test.

  #19305 merged Apr 17, 2025

• Rust: Make source kinds consistent with other languages

  #19333 merged Apr 17, 2025

• C++: add predicate to distinguish designator-based initializations

  #19329 merged Apr 17, 2025

• Rust: extract generic parameters, arguments and resolve bound type variables

  #19237 merged Apr 17, 2025

• Rust: Add model for str.trim

  #19310 merged Apr 17, 2025

• Rust: Model sources for std::io

  #19304 merged Apr 17, 2025

• Post-release preparation for codeql-cli-2.21.1

  #19317 merged Apr 16, 2025

• C++: add isVla predicated to ArrayType

  #19298 merged Apr 16, 2025

• C#: Adjust comments and remove compilation warnings.

  #19309 merged Apr 16, 2025

• Actions: Remove preview notice, minor help and metadata fixes

  #19307 merged Apr 16, 2025

• Release preparation for version 2.21.1

  #19301 merged Apr 15, 2025

• actions: Fix spelling error in UnmaskedSecretExposure.md

  #19312 merged Apr 15, 2025

• Rust: upgrade rust-analyzer to 0.0.273

  #19233 merged Apr 15, 2025

• Swift: extract still unextracted entities from the 6.0.2 upgrade

  #19299 merged Apr 15, 2025

• C#: Fix autobuild on macos without mono

  #19251 merged Apr 15, 2025

• Rust: allow shadowing of prelude items

  #19292 merged Apr 15, 2025

• Rust: add to CODEOWNERS

  #19282 merged Apr 15, 2025

• Rust: pick correct edition for the files

  #19291 merged Apr 14, 2025

• C#: Improve auto-builder to better detect SDK references.

  #19289 merged Apr 14, 2025

• Rust: fix workspace member aggregation when absolute path is a glob pattern

  #19293 merged Apr 14, 2025

• Rust: Query for uncontrolled allocation size

  #19171 merged Apr 14, 2025

• JS: Support for Request and NextRequest

  #19184 merged Apr 14, 2025

• ruby: refine rb/uninitialized-local-variable

  #19205 merged Apr 11, 2025

• Actions: Fix handling of paths-ignore in autobuild scripts, add integration tests for configured path filters

  #19278 merged Apr 11, 2025

• Shared: Prepare model generation for C++ adoption

  #19273 merged Apr 11, 2025

• C++: Prepare for model generation adoption

  #19274 merged Apr 11, 2025

• Rust: refine ql/test/setup.sh

  #19281 merged Apr 11, 2025

• Java: Add new quality query to detect String#replaceAll with non-regex first argument

  #19115 merged Apr 11, 2025

• JS: Taint propagation from low-level ArrayBuffer to Strings

  #19231 merged Apr 11, 2025

• JS: Refactor WebSocket to use API graphs

  #19218 merged Apr 11, 2025

• Rust: Cache tweaks

  #19246 merged Apr 10, 2025

• CodeQL docs: Fix ordering in side navigation bar for Query help

  #19270 merged Apr 10, 2025

• JS: Add support for make-dir package

  #19263 merged Apr 10, 2025

• JS: Add sinks for calls to 'new Response()'

  #19200 merged Apr 10, 2025

• Python: Modernize the Loop Variable Capture query

  #19165 merged Apr 10, 2025

• JS: Tolerate trailing commas in JSON arrays

  #19267 merged Apr 10, 2025

• Rust: Allow for crate self-references in crate graph paths

  #19265 merged Apr 9, 2025

• Ruby: Fix bad join in DeadStoreOfLocal.ql

  #19259 merged Apr 9, 2025

• Rust: Handle path attributes in path resolution

  #19216 merged Apr 9, 2025

• Update codeql-library-for-actions.rst

  #19264 merged Apr 9, 2025

• Actions: Fix invocation of autobuild PowerShell script

  #19257 merged Apr 9, 2025

• Java: Add EnumType to SimpleTypeSanitizer

  #19260 merged Apr 9, 2025

• Java: Update test expectation

  #19261 merged Apr 9, 2025

• JS: Modeling of mkdirp functions

  #19210 merged Apr 9, 2025

• Rust: Fix bad joins

  #19250 merged Apr 9, 2025

• Go: update files generated by depstubber

  #19076 merged Apr 9, 2025

• JS: Model as Data open package

  #19256 merged Apr 9, 2025

• Rust: add test setup script

  #19255 merged Apr 9, 2025

• Actions: Create initial integration test for default filters

  #19239 merged Apr 8, 2025

• Docs: Fix formatting of GitHub Actions content

  #19241 merged Apr 8, 2025

• Java: Add test to check queries not included in well-known query suites

  #19254 merged Apr 8, 2025

• Run test servers with sudo when running on macos-15

  #19252 merged Apr 8, 2025

• Java: Add explicit filtering for quality queries that should be included in security-and-quality

  #19245 merged Apr 8, 2025

• Java: add integration test for query suite contents

  #19229 merged Apr 8, 2025

• Bazel: update to 8.1.1

  #19244 merged Apr 8, 2025

• Go: Fix err instead of decErr in GetPkgsInfo

  #19249 merged Apr 8, 2025

• Rust: Associated types

  #19214 merged Apr 8, 2025

• Disable csharp tests that use nuget on macos-15

  #19234 merged Apr 8, 2025

• Rust: SSA inconsistency counts

  #19235 merged Apr 8, 2025

• Bump golang.org/x/tools from 0.31.0 to 0.32.0 in /go/extractor in the extractor-dependencies group

  #19243 merged Apr 8, 2025

• Update CSV framework coverage reports

  #19240 merged Apr 8, 2025

• Rust: Model futures::executor::block_on.

  #19095 merged Apr 7, 2025

• Java: add exclude-from-incremental tag to telemetry queries

  #19208 merged Apr 7, 2025

• Go: Add database source models for uptrace/bun and gogf/gf/database/gdb

  #19203 merged Apr 7, 2025

• ruby: add rb/useless-assignment-to-local to the code-quality suite

  #19230 merged Apr 7, 2025

• Rust: Resolve Self path in trait type of implementation

  #19227 merged Apr 7, 2025

• ruby: remove some FPs from rb/useless-assignment-to-local

  #19164 merged Apr 7, 2025

• Rust: Minor path resolution fix for ($)crate paths

  #19220 merged Apr 7, 2025

• Rust: Implement support for inference of type aliases

  #19146 merged Apr 7, 2025

• Add changelog entries for CodeQL CLI versions 2.20.7 and 2.21.0

  #19219 merged Apr 7, 2025

• Ruby: Synthesize implicit super arguments

  #19206 merged Apr 7, 2025

• Rust: Define queries more consistently and include all sinks in stats

  #19222 merged Apr 7, 2025

46 Pull requests opened by 26 people

• Misc: Add script creating DCA source suites from MRVA

  #19232 opened Apr 7, 2025

• ruby: test `rb/uninitialized-local-variable`

  #19247 opened Apr 8, 2025

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 opened Apr 10, 2025

• C#: Improve precision of `cs/uncontrolled-format-string`.

  #19271 opened Apr 10, 2025

• Bump crossbeam-channel from 0.5.14 to 0.5.15 in the cargo group across 1 directory

  #19275 opened Apr 10, 2025

• Fix typo in ReusableWorkflowsSinks.ql identifier

  #19277 opened Apr 10, 2025

• Rust: update supported languages and frameworks

  #19280 opened Apr 11, 2025

• [DO NOT MERGE] Prior: Test PR

  #19285 opened Apr 11, 2025

• JS: Add class harness to recover localFieldStep edges

  #19287 opened Apr 11, 2025

• force dummy change to trigger internal checks

  #19303 opened Apr 14, 2025

• Rust: upgrade `rust-analyzer` to 0.0.274

  #19314 opened Apr 15, 2025

• JS: Port `firebase` to data as models

  #19316 opened Apr 15, 2025

• Rust: expand attribute macros

  #19334 opened Apr 17, 2025

• Handling of axios in functions and making axios create function recur…

  #19337 opened Apr 19, 2025

• JS: Merge `ES6Class` to `FunctionStyleClass`

  #19356 opened Apr 23, 2025

• actions: Add some missing permissions

  #19357 opened Apr 23, 2025

• Change definition of `getFactoryNodeInternal`

  #19359 opened Apr 23, 2025

• Qlucie trigger

  #19366 opened Apr 24, 2025

• Rust: Support non-universal `impl` blocks

  #19372 opened Apr 24, 2025

• Go: promote `html-template-escaping-bypass-xss`

  #19386 opened Apr 25, 2025

• Actions: Fix Critical Artifact poisoning False Positive

  #19388 opened Apr 25, 2025

• JS: Overhaul import resolution

  #19391 opened Apr 28, 2025

• Add support for Kotlin 2.2.0; drop Kotlin 1.5.x

  #19402 opened Apr 28, 2025

• .qll Contribution for Sink Detection

  #19403 opened Apr 28, 2025

• python: make content sets an IPA type

  #19407 opened Apr 29, 2025

• Shared: Generate more value-preserving summaries

  #19409 opened Apr 29, 2025

• Bump chrono from 0.4.40 to 0.4.41 in /ql

  #19415 opened Apr 30, 2025

• Python: Extract files in hidden dirs by default

  #19424 opened Apr 30, 2025

• Adding comprehensive docs for customizing `actions/unpinned-tag` query

  #19427 opened Apr 30, 2025

• QL tests: run with --check-diff-informed

  #19428 opened Apr 30, 2025

• Shared: Generate more value-preserving flow summaries

  #19433 opened Apr 30, 2025

• Rust: Update generated models for core and std

  #19440 opened May 1, 2025

• Shared: Generate more value-preserving flow summaries

  #19443 opened May 1, 2025

• JS: Generate flow summaries from summaryModels; only generate steps as a fallback

  #19445 opened May 1, 2025

• Rust: Model std::net and tokio `fs`, `io`, `net`

  #19446 opened May 1, 2025

• Ruby printAst: fix order for synth children of real parents

  #19448 opened May 1, 2025

• Rust: Update query severities

  #19449 opened May 1, 2025

• Add Microsoft to trusted actions owner

  #19450 opened May 1, 2025

• Shared: Remove the language-specific model generator scripts

  #19452 opened May 2, 2025

• Redsun82/kotlin 2.2.0 support

  #19453 opened May 2, 2025

• Rust: Add Operation class

  #19454 opened May 2, 2025

• Rust: Use the new 'quality' tag.

  #19455 opened May 2, 2025

• Add new stubs definitions to System.Web and System.Net

  #19456 opened May 2, 2025

• Add Actix framework modeling and import to Frameworks.qll

  #19461 opened May 5, 2025

• Update changelogs for CodeQL CLI 2.21.2

  #19462 opened May 5, 2025

• Bump golang.org/x/tools from 0.32.0 to 0.33.0 in /go/extractor in the extractor-dependencies group

  #19463 opened May 6, 2025

15 Issues closed by 14 people

• False positive - 'Vulnerable package' is not the package version resolved

  #19435 closed May 1, 2025

• Missing C/C++ DataFlow/TaintTracking edges for fields accessed through pointers

  #19405 closed Apr 29, 2025

• False positive

  #19389 closed Apr 27, 2025

• Rust: Add tokio::fs sinks for path-injection

  #19373 closed Apr 24, 2025

• How to parse JSON file in code using CodeQL?

  #19351 closed Apr 24, 2025

• External predicate recording multiple values

  #19140 closed Apr 23, 2025

• False positive

  #19338 closed Apr 22, 2025

• What's the best way to check a node exists in a flow path?

  #19330 closed Apr 17, 2025

• `@kind` metadata property not recognized by cli `database analyze`

  #19328 closed Apr 17, 2025

• [C++] Extracting files failed when creating database for chrome

  #19238 closed Apr 16, 2025

• Weak Hashing findings vanished from 1.1.11 ruleset?

  #18518 closed Apr 15, 2025

• C# Autobuild misidentifies incompatible SDK-style projects

  #19258 closed Apr 14, 2025

• CodeQL fails to run on Apple M4 Pro with "Bad CPU type in executable" error

  #19286 closed Apr 11, 2025

• C/C++: Compilation failure with 2.21.0

  #19266 closed Apr 10, 2025

• After Change fopen-flow-from-getenv.ql the sarif results is None.How do I solve this?

  #19242 closed Apr 8, 2025

18 Issues opened by 17 people

• [Bug] Spurious `remote: error: GH013: Repository rule violations found for refs/heads/trunk.` `remote: - Code scanning is waiting for results from CodeQL for the commit`

  #19459 opened May 3, 2025

• [Java] Issue resolving dependences

  #19458 opened May 3, 2025

• C++: Multi-Level Member Function Calls Not Modeled as DataFlow::Node

  #19457 opened May 2, 2025

• Support alternate solution for bazel based C++ builds

  #19447 opened May 1, 2025

• Windows: AccessDeniedException during `codeql database create` TRAP finalization (`pools/0` move fails)

  #19438 opened May 1, 2025

• False positive in C/C++ dead code detection

  #19399 opened Apr 28, 2025

• False positives in cpp/user-after-free

  #19387 opened Apr 25, 2025

• [JAVA] [GRADLE] OOM Issue with GitHub Autobuilder for Kotlin

  #19374 opened Apr 24, 2025

• Support Kotlin 2.2.0-Beta

  #19349 opened Apr 22, 2025

• Java: Detecting flow through throw - catch statements

  #19336 opened Apr 19, 2025

• False positive for the rule `actions/pr-on-self-hosted-runner`

  #19331 opened Apr 17, 2025

• How to write a cross-function isAdditionalFlowStep while preserving context sensitive dataflow.

  #19308 opened Apr 15, 2025

• Python: Inconsistent behaviour of the getAMember and getMember predicates

  #19297 opened Apr 13, 2025

• Ruby NetHttpRequest improvements

  #19294 opened Apr 11, 2025

• Python: Call analysis fails in some scenarios

  #19288 opened Apr 11, 2025

• Swift: Xcode 16.2 - could not build module

  #19284 opened Apr 11, 2025

• False positive: missing-function-level-access-control with custom Authorize attribute

  #19279 opened Apr 10, 2025

• C++: Data flow and member templates

  #19236 opened Apr 7, 2025

13 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Python: Remove imprecise container steps

  #17493 commented on Apr 24, 2025 • 3 new comments

• ArrayIndexOutOfBoundsException in com.semmle.inmemory.pipeline.MetaPipelineInstance.wrapWithRaDump(MetaPipelineInstance.java:204)

  #19197 commented on Apr 9, 2025 • 0 new comments

• Started to see a message on each PR about a new CodeQL configuration

  #12754 commented on Apr 10, 2025 • 0 new comments

• Export of results in the form of Alerts, nodes, etc.

  #19086 commented on Apr 11, 2025 • 0 new comments

• CPP: Result Set size

  #18667 commented on Apr 17, 2025 • 0 new comments

• Unable to validate code scanning workflow: error: getWorkflow() failed

  #18279 commented on Apr 20, 2025 • 0 new comments

• Code scanning results should be visible to everyone, not only those with write permission on the repository

  #11021 commented on May 2, 2025 • 0 new comments

• Error downloading packs with corporate certificate in chain

  #13132 commented on May 5, 2025 • 0 new comments

• Ruby: Avoid a forced CP.

  #18927 commented on Apr 29, 2025 • 0 new comments

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 commented on May 1, 2025 • 0 new comments

• ruby: ad 'quality' tag to 'rb/unused-parameter'

  #19040 commented on Apr 9, 2025 • 0 new comments

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 commented on May 2, 2025 • 0 new comments

• Rust: Compute canonical paths in QL

  #19134 commented on Apr 7, 2025 • 0 new comments