40 Pull requests merged by 20 people

• Post-release preparation for codeql-cli-2.21.2

  #19401 merged Apr 28, 2025

• Java: Remove erroneously-committed query

  #19398 merged Apr 28, 2025

• JS: Improved modeling of aws-sdk

  #19364 merged Apr 28, 2025

• Release preparation for version 2.21.2

  #19395 merged Apr 28, 2025

• C++: Fix missing summaries in MaD generation

  #19383 merged Apr 28, 2025

• Follow-up fixes to #19376

  #19394 merged Apr 28, 2025

• Shared: Model generator cleanup.

  #19311 merged Apr 28, 2025

• Swift: Clarify how the LFS artifacts should be updated

  #19381 merged Apr 28, 2025

• C#: Fix CFG for fall-through switch statements

  #19380 merged Apr 28, 2025

• Go: Support private registries via GOPROXY

  #19248 merged Apr 25, 2025

• Swift: add more debug logs

  #19384 merged Apr 25, 2025

• Actions: Exclude model-generator queries from query suites

  #19376 merged Apr 25, 2025

• Add query suite integration tests for swift, actions, csharp, go, javascript, ruby, rust

  #19355 merged Apr 25, 2025

• Python: disable diff-informed PolynomialReDoS.ql

  #19379 merged Apr 25, 2025

• Rust: Path resolution performance tweaks

  #19358 merged Apr 25, 2025

• Swift: make extractor compile again after 6.1 upgrade

  #19315 merged Apr 25, 2025

• C++: Add exception for build-mode-none in various queries

  #19368 merged Apr 24, 2025

• Update list of supported platforms

  #19363 merged Apr 24, 2025

• Go: remove invalid toolchain version diagnostics

  #19370 merged Apr 24, 2025

• Dataflow: Make default field flow branch limit configurable per language

  #19361 merged Apr 24, 2025

• C++: Claim beta support for C23 and C++23

  #19365 merged Apr 24, 2025

• C#: Join order fix

  #19327 merged Apr 24, 2025

• C++: Support C23 typeof and typeof_unqual

  #19290 merged Apr 24, 2025

• C#: Improve cs/invalid-string-formatting and add to the Code Quality suite.

  #19148 merged Apr 24, 2025

• Shared: Match line information on Alert and Sink locations.

  #19354 merged Apr 24, 2025

• Rust: Remove unnecessary predicate.

  #19353 merged Apr 23, 2025

• Rust: Take where clauses into account in path resolution

  #19193 merged Apr 23, 2025

• C++: Instantiate model generation library

  #19295 merged Apr 23, 2025

• QL4QL: Restrict ql/qlref-inline-expectations to (path-)problem queries

  #19272 merged Apr 23, 2025

• C#: Relax condition for authorize attributes on cs/web/missing-function-level-access-control.

  #19302 merged Apr 23, 2025

• Shared: Fix join in FileSystem.qll

  #19345 merged Apr 23, 2025

• changedocs from 2.21.1 release

  #19348 merged Apr 22, 2025

• Java: Add new quality query to detect finalize calls

  #19075 merged Apr 22, 2025

• Java: Add new quality query to detect missing @Nested annotation in JUnit5 tests

  #19094 merged Apr 22, 2025

• Swift: Make file checking in tests more strict

  #19347 merged Apr 22, 2025

• Swift: Make file checking in integration tests more strict

  #19346 merged Apr 22, 2025

• Swift: Make file checking in tests more strict

  #19344 merged Apr 22, 2025

• Ruby: Make module graph queries avoid relying on evalaution order.

  #19116 merged Apr 22, 2025

• Docs: Fix typo in code sample

  #19296 merged Apr 22, 2025

• JS: Fix missing flow into rest pattern lvalue

  #19283 merged Apr 22, 2025

21 Pull requests opened by 16 people

• JS: Merge `ES6Class` to `FunctionStyleClass`

  #19356 opened Apr 23, 2025

• actions: Add some missing permissions

  #19357 opened Apr 23, 2025

• Change definition of `getFactoryNodeInternal`

  #19359 opened Apr 23, 2025

• Rust: Crate graph extraction workarounds

  #19362 opened Apr 24, 2025

• Qlucie trigger

  #19366 opened Apr 24, 2025

• Rust: Type inference for `?` expressions

  #19367 opened Apr 24, 2025

• Rust: Extract `SelfParam`s from crate graph

  #19369 opened Apr 24, 2025

• Rust: Support non-universal `impl` blocks

  #19372 opened Apr 24, 2025

• Shared: Re-factor summary, source and sink model generators into separate modules.

  #19382 opened Apr 25, 2025

• Bazel: update `rules_kotlin` to 2.1.3

  #19385 opened Apr 25, 2025

• Go: promote `html-template-escaping-bypass-xss`

  #19386 opened Apr 25, 2025

• Actions: Fix Critical Artifact poisoning False Positive

  #19388 opened Apr 25, 2025

• Add query suite inclusion tests for cpp, python

  #19390 opened Apr 28, 2025

• JS: Update import resolution

  #19391 opened Apr 28, 2025

• Rust: Model `impl` shadowing

  #19392 opened Apr 28, 2025

• JS: Tolerate trailing commas in JSON objects

  #19393 opened Apr 28, 2025

• C#: Add `cs/equality-on-floats` to the Code Quality suite.

  #19396 opened Apr 28, 2025

• C++: Add use-after-free FP tests

  #19397 opened Apr 28, 2025

• Fix spelling/wording in qhelp for `rb/uninitialized-local-variable`

  #19400 opened Apr 28, 2025

• Add support for Kotlin 2.2.0

  #19402 opened Apr 28, 2025

• .qll Contribution for Sink Detection

  #19403 opened Apr 28, 2025

5 Issues closed by 5 people

• False positive

  #19389 closed Apr 27, 2025

• Rust: Add tokio::fs sinks for path-injection

  #19373 closed Apr 24, 2025

• How to parse JSON file in code using CodeQL?

  #19351 closed Apr 24, 2025

• External predicate recording multiple values

  #19140 closed Apr 23, 2025

• False positive

  #19338 closed Apr 22, 2025

4 Issues opened by 4 people

• False positive in C/C++ dead code detection

  #19399 opened Apr 28, 2025

• False positives in cpp/user-after-free

  #19387 opened Apr 25, 2025

• [JAVA] [GRADLE] OOM Issue with GitHub Autobuilder for Kotlin

  #19374 opened Apr 24, 2025

• Support Kotlin 2.2.0-Beta

  #19349 opened Apr 22, 2025

19 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Rust: expand attribute macros

  #19334 commented on Apr 28, 2025 • 7 new comments

• Python: Remove imprecise container steps

  #17493 commented on Apr 24, 2025 • 3 new comments

• Python: Tweak LoopVariableCapture for performance

  #19325 commented on Apr 28, 2025 • 2 new comments

• Rust: make MacroStmts expressions

  #19335 commented on Apr 22, 2025 • 1 new comment

• Handling of axios in functions and making axios create function recur…

  #19337 commented on Apr 22, 2025 • 0 new comments

• JS: Port `firebase` to data as models

  #19316 commented on Apr 24, 2025 • 0 new comments

• JS: Added support for `fastify.addHook`

  #19300 commented on Apr 28, 2025 • 0 new comments

• JS: Add class harness to recover localFieldStep edges

  #19287 commented on Apr 28, 2025 • 0 new comments

• C#: Improve precision of `cs/uncontrolled-format-string`.

  #19271 commented on Apr 24, 2025 • 0 new comments

• C++: Do not limit second level scopes to the top-level

  #19269 commented on Apr 28, 2025 • 0 new comments

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 commented on Apr 22, 2025 • 0 new comments

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 commented on Apr 24, 2025 • 0 new comments

• Misc: Add script for calculating totals for a MRVA run

  #18449 commented on Apr 22, 2025 • 0 new comments

• Swift: Xcode 16.2 - could not build module

  #19284 commented on Apr 28, 2025 • 0 new comments

• Java: Detecting flow through throw - catch statements

  #19336 commented on Apr 28, 2025 • 0 new comments

• How to write a cross-function isAdditionalFlowStep while preserving context sensitive dataflow.

  #19308 commented on Apr 28, 2025 • 0 new comments

• Python: Inconsistent behaviour of the getAMember and getMember predicates

  #19297 commented on Apr 24, 2025 • 0 new comments

• False positive: missing-function-level-access-control with custom Authorize attribute

  #19279 commented on Apr 23, 2025 • 0 new comments

• False positive for the rule `actions/pr-on-self-hosted-runner`

  #19331 commented on Apr 22, 2025 • 0 new comments