30 Pull requests merged by 13 people

• Rust: Remove the noisy models output from the dataflow/local test.

  #19305 merged Apr 17, 2025

• Rust: Make source kinds consistent with other languages

  #19333 merged Apr 17, 2025

• C++: add predicate to distinguish designator-based initializations

  #19329 merged Apr 17, 2025

• Rust: extract generic parameters, arguments and resolve bound type variables

  #19237 merged Apr 17, 2025

• Rust: Add model for str.trim

  #19310 merged Apr 17, 2025

• Rust: Model sources for std::io

  #19304 merged Apr 17, 2025

• Post-release preparation for codeql-cli-2.21.1

  #19317 merged Apr 16, 2025

• C++: add isVla predicated to ArrayType

  #19298 merged Apr 16, 2025

• C#: Adjust comments and remove compilation warnings.

  #19309 merged Apr 16, 2025

• Actions: Remove preview notice, minor help and metadata fixes

  #19307 merged Apr 16, 2025

• Release preparation for version 2.21.1

  #19301 merged Apr 15, 2025

• actions: Fix spelling error in UnmaskedSecretExposure.md

  #19312 merged Apr 15, 2025

• Rust: upgrade rust-analyzer to 0.0.273

  #19233 merged Apr 15, 2025

• Swift: extract still unextracted entities from the 6.0.2 upgrade

  #19299 merged Apr 15, 2025

• C#: Fix autobuild on macos without mono

  #19251 merged Apr 15, 2025

• Rust: allow shadowing of prelude items

  #19292 merged Apr 15, 2025

• Rust: add to CODEOWNERS

  #19282 merged Apr 15, 2025

• Rust: pick correct edition for the files

  #19291 merged Apr 14, 2025

• C#: Improve auto-builder to better detect SDK references.

  #19289 merged Apr 14, 2025

• Rust: fix workspace member aggregation when absolute path is a glob pattern

  #19293 merged Apr 14, 2025

• Rust: Query for uncontrolled allocation size

  #19171 merged Apr 14, 2025

• JS: Support for Request and NextRequest

  #19184 merged Apr 14, 2025

• ruby: refine rb/uninitialized-local-variable

  #19205 merged Apr 11, 2025

• Actions: Fix handling of paths-ignore in autobuild scripts, add integration tests for configured path filters

  #19278 merged Apr 11, 2025

• Shared: Prepare model generation for C++ adoption

  #19273 merged Apr 11, 2025

• C++: Prepare for model generation adoption

  #19274 merged Apr 11, 2025

• Rust: refine ql/test/setup.sh

  #19281 merged Apr 11, 2025

• Java: Add new quality query to detect String#replaceAll with non-regex first argument

  #19115 merged Apr 11, 2025

• JS: Taint propagation from low-level ArrayBuffer to Strings

  #19231 merged Apr 11, 2025

• JS: Refactor WebSocket to use API graphs

  #19218 merged Apr 11, 2025

18 Pull requests opened by 12 people

• Rust: update supported languages and frameworks

  #19280 opened Apr 11, 2025

• JS: Fix missing flow into rest pattern lvalue

  #19283 opened Apr 11, 2025

• [DO NOT MERGE] Prior: Test PR

  #19285 opened Apr 11, 2025

• JS: Add class harness to recover localFieldStep edges

  #19287 opened Apr 11, 2025

• C++: Support C23 `typeof` and `typeof_unqual`

  #19290 opened Apr 11, 2025

• C++: Instantiate model generation library

  #19295 opened Apr 11, 2025

• Docs: Fix typo in code sample

  #19296 opened Apr 12, 2025

• JS: Added support for `fastify.addHook`

  #19300 opened Apr 14, 2025

• C#: Relax condition for authorize attributes on `cs/web/missing-function-level-access-control`.

  #19302 opened Apr 14, 2025

• force dummy change to trigger internal checks

  #19303 opened Apr 14, 2025

• Shared: Model generator cleanup.

  #19311 opened Apr 15, 2025

• Rust: upgrade `rust-analyzer` to 0.0.274

  #19314 opened Apr 15, 2025

• Swift: make extractor compile again after 6.1 upgrade

  #19315 opened Apr 15, 2025

• JS: Port `firebase` to data as models

  #19316 opened Apr 15, 2025

• Python: Tweak LoopVariableCapture for performance

  #19325 opened Apr 16, 2025

• C#: Join order fix

  #19327 opened Apr 16, 2025

• Rust: extract `getExpended` on `Item`s

  #19334 opened Apr 17, 2025

• Rust: make MacroStmts expressions

  #19335 opened Apr 17, 2025

6 Issues closed by 6 people

• What's the best way to check a node exists in a flow path?

  #19330 closed Apr 17, 2025

• `@kind` metadata property not recognized by cli `database analyze`

  #19328 closed Apr 17, 2025

• [C++] Extracting files failed when creating database for chrome

  #19238 closed Apr 16, 2025

• Weak Hashing findings vanished from 1.1.11 ruleset?

  #18518 closed Apr 15, 2025

• C# Autobuild misidentifies incompatible SDK-style projects

  #19258 closed Apr 14, 2025

• CodeQL fails to run on Apple M4 Pro with "Bad CPU type in executable" error

  #19286 closed Apr 11, 2025

6 Issues opened by 6 people

• False positive for the rule `actions/pr-on-self-hosted-runner`

  #19331 opened Apr 17, 2025

• How to write a cross-function isAdditionalFlowStep while preserving context sensitive dataflow.

  #19308 opened Apr 15, 2025

• Python: Inconsistent behaviour of the getAMember predicate

  #19297 opened Apr 13, 2025

• Ruby NetHttpRequest improvements

  #19294 opened Apr 11, 2025

• Python: Call analysis fails in some scenarios

  #19288 opened Apr 11, 2025

• Swift: Xcode 16.2 - could not build module

  #19284 opened Apr 11, 2025

13 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Go: Support private registries via `GOPROXY`

  #19248 commented on Apr 11, 2025 • 6 new comments

• Rust: Take `where` clauses into account in path resolution

  #19193 commented on Apr 11, 2025 • 1 new comment

• QL4QL: Restrict `ql/qlref-inline-expectations` to `(path-)problem` queries

  #19272 commented on Apr 11, 2025 • 1 new comment

• Export of results in the form of Alerts, nodes, etc.

  #19086 commented on Apr 11, 2025 • 0 new comments

• False positive: missing-function-level-access-control with custom Authorize attribute

  #19279 commented on Apr 14, 2025 • 0 new comments

• External predicate recording multiple values

  #19140 commented on Apr 15, 2025 • 0 new comments

• CPP: Result Set size

  #18667 commented on Apr 17, 2025 • 0 new comments

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 commented on Apr 14, 2025 • 0 new comments

• Ruby: Make module graph queries avoid relying on evalaution order.

  #19116 commented on Apr 17, 2025 • 0 new comments

• C#: Improve `cs/invalid-string-formatting` and add to the Code Quality suite.

  #19148 commented on Apr 11, 2025 • 0 new comments

• C++: Do not limit second level scopes to the top-level

  #19269 commented on Apr 15, 2025 • 0 new comments

• C#: Improve precision of `cs/uncontrolled-format-string`.

  #19271 commented on Apr 11, 2025 • 0 new comments

• Bump crossbeam-channel from 0.5.14 to 0.5.15 in the cargo group across 1 directory

  #19275 commented on Apr 15, 2025 • 0 new comments