109 Pull requests merged by 25 people

• Rust: update README to remove experimental warning

  #20251 merged Aug 20, 2025

• Update CSV framework coverage reports

  #20244 merged Aug 20, 2025

• Rust: Update StreamCipherInit to use getCanonicalPath.

  #20238 merged Aug 19, 2025

• C++: Mark the write to fprintf's 0'th argument as partial

  #20242 merged Aug 19, 2025

• Rust: Distinguish internal/external items in path resolution

  #20191 merged Aug 19, 2025

• Guards: Cache nullGuard predicate.

  #20237 merged Aug 19, 2025

• Rust: Take transitive dependencies into account when computing canonical paths

  #20243 merged Aug 19, 2025

• Post-release preparation for codeql-cli-2.22.4

  #20241 merged Aug 18, 2025

• Release preparation for version 2.22.4

  #20240 merged Aug 18, 2025

• Rust: Remove TC from ImplTraitTypeRepr.isInReturnPos

  #20233 merged Aug 18, 2025

• C++: SloppyGlobal: Don't alert on template instantiations, only the template

  #20232 merged Aug 18, 2025

• Shared: Skip non-CFG children in StandardTree

  #20230 merged Aug 18, 2025

• Rust: Add a type inference test case resembling PathBuf.canonicalize.

  #20222 merged Aug 18, 2025

• Add data extensions for remote tainted sources

  #20228 merged Aug 18, 2025

• C++: Diff-informed queries: phase 3 (non-trivial locations)

  #20073 merged Aug 18, 2025

• Python: Diff-informed queries: phase 3 (non-trivial locations)

  #20079 merged Aug 18, 2025

• JS: Enhance command injection detection for CLI argument parsing libraries

  #20151 merged Aug 18, 2025

• JS: Exclude environment variables from js/regex-injection query by default

  #20148 merged Aug 18, 2025

• Actions: Diff-informed queries: phase 3 (non-trivial locations)

  #20072 merged Aug 15, 2025

• Go: Mention Go 1.25 as supported

  #20223 merged Aug 15, 2025

• Go: Diff-informed queries: phase 3 (non-trivial locations)

  #20075 merged Aug 15, 2025

• C#: Diff-informed queries: phase 3 (non-trivial locations)

  #20074 merged Aug 15, 2025

• C#: Replace input interpolation with environment variable

  #20229 merged Aug 15, 2025

• Rust: Handle chained let expressions

  #20203 merged Aug 14, 2025

• Java: Enable BarrierGuard wrappers

  #20183 merged Aug 14, 2025

• Rust: Remove references to getResolvedPath and getExtendedCanonicalPath

  #20224 merged Aug 14, 2025

• Rust: Update StartswithCall to use getCanonicalPath

  #20226 merged Aug 14, 2025

• C++: Improvements to IRGuards

  #20218 merged Aug 14, 2025

• Sitedocs for 2.22.3

  #20219 merged Aug 13, 2025

• Go: Update Go version to 1.25.0

  #20210 merged Aug 13, 2025

• Shared: Overhaul the AlertFiltering QLDoc

  #20047 merged Aug 13, 2025

• Bazel: regenerate cargo vendored files

  #20216 merged Aug 13, 2025

• Rust: Unify type inference for tuple indexing expressions

  #20182 merged Aug 13, 2025

• Rust: regenerate bazel files

  #20215 merged Aug 13, 2025

• Rust: Fill some gaps in our database models.

  #20208 merged Aug 13, 2025

• Fix #19294, Ruby NetHttpRequest improvements

  #20101 merged Aug 12, 2025

• Cargo: align rust toolchain version with internal repository

  #20207 merged Aug 12, 2025

• Rust: Generalize certain type inference logic

  #20179 merged Aug 12, 2025

• Fix indentation in the "Supported languages and frameworks" page

  #20196 merged Aug 11, 2025

• Actions: clarify doc for untrusted checkout

  #20204 merged Aug 11, 2025

• Rust: Remove source/library deduplication in path resolution

  #20192 merged Aug 11, 2025

• Rust: New Query rust/cleartext-storage-database

  #20137 merged Aug 11, 2025

• C++: Fix missing global variable flow

  #20126 merged Aug 11, 2025

• C++: Fix FP in cpp/overflow-buffer

  #20193 merged Aug 11, 2025

• Rust: Add rust/diagnostics/type-inference-consistency-counts.

  #20185 merged Aug 11, 2025

• Rust: Update BadCtorInitialization.ql to use getCanonicalPath.

  #20150 merged Aug 11, 2025

• C++: Value numbering for casts that only modify specifiers

  #20156 merged Aug 11, 2025

• C++: Fix missing bool -> int conversions in C code

  #20145 merged Aug 11, 2025

• Shared: Use final aliases in ConcentsShared.qll

  #20172 merged Aug 11, 2025

• Java: use java 17 in no-wrapper tests

  #20194 merged Aug 8, 2025

• Java: use java 17 in no-wrapper tests

  #20189 merged Aug 8, 2025

• Ruby: Diff-informed queries: phase 3 (non-trivial locations)

  #20080 merged Aug 7, 2025

• Guards: Improve support for wrapped guards

  #20121 merged Aug 7, 2025

• JS: Generate legacy flow steps for all flow summaries

  #20169 merged Aug 6, 2025

• Rust: Improve handling of where clauses in type inference and path resolution

  #20177 merged Aug 6, 2025

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 merged Aug 6, 2025

• Rust: Add predicate for certain type information

  #20155 merged Aug 6, 2025

• Rust: Remove restriction in PathTypeMention

  #20173 merged Aug 6, 2025

• Rust: Clean up some odds and ends

  #20167 merged Aug 5, 2025

• Java: document nullness false negative as qltest

  #20171 merged Aug 5, 2025

• Java: Improve a couple of join-orders

  #20127 merged Aug 5, 2025

• Java: Assume normal termination in post-dominance.

  #20163 merged Aug 5, 2025

• C#: Include constructors in ValueOrRefType.hasCallable

  #20158 merged Aug 5, 2025

• Rust: Fix bad join

  #20164 merged Aug 5, 2025

• Post-release preparation for codeql-cli-2.22.3

  #20166 merged Aug 4, 2025

• Release preparation for version 2.22.3

  #20165 merged Aug 4, 2025

• Rust: Fix two bad joins introduced by magic

  #20161 merged Aug 4, 2025

• Rust: Add type inference test cases resembling missing call targets in SQLx.

  #20160 merged Aug 4, 2025

• C++: Static variables are initialized to zero or null by compiler

  #20129 merged Aug 4, 2025

• Rust: Add metric for DCA and debug predicates for type that reach the length limit

  #20147 merged Aug 4, 2025

• C++: Expose SSA definitions from dataflow

  #20149 merged Aug 1, 2025

• Kotlin: Support 2.2.20-beta2

  #20141 merged Jul 31, 2025

• Rust: Implement type inference for closures and calls to closures

  #20130 merged Jul 30, 2025

• SSA: Update data flow integration and BarrierGuard interface to use GuardValue.

  #20132 merged Jul 30, 2025

• Java: Move extractorInformationSkipKey predicate to library pack

  #20134 merged Jul 29, 2025

• Rust: Type inference for impl trait types with type parameters

  #20119 merged Jul 28, 2025

• Copilot: Remove the formatting instructions, as they're confusing CCR.

  #20128 merged Jul 28, 2025

• Rust: Fix type inference for trait objects for traits with associated types

  #20122 merged Jul 26, 2025

• Rust: Update DotDotCheck to use getCanonicalPath

  #19804 merged Jul 25, 2025

• Rust: Replace QL model for Clone with MaD

  #20124 merged Jul 25, 2025

• Python: Modernise raise-not-implemented query

  #20086 merged Jul 24, 2025

• Kotlin: Add Kotlin 2.2.20 support

  #20114 merged Jul 24, 2025

• Python: Minor documantation updates to several quality queries

  #20052 merged Jul 24, 2025

• Rust: Implement type inference for trait objects/dyn types

  #20084 merged Jul 24, 2025

• C++: Add some more Windows specific memory copy models

  #20115 merged Jul 23, 2025

• Shared: Improve sensitive data heuristics

  #20024 merged Jul 23, 2025

• Rust: Diff-informed queries: phase 3 (non-trivial locations)

  #20081 merged Jul 23, 2025

• Rust: Remove sourceModelDeprecated, summaryModelDeprecated and sinkModelDeprecated

  #20109 merged Jul 23, 2025

• C++: Add more barriers to cpp/overrun-write

  #20107 merged Jul 23, 2025

• Rust: Type inference refactor and improve join orders

  #20076 merged Jul 23, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20113 merged Jul 23, 2025

• Swift: Diff-informed queries: phase 3 (non-trivial locations)

  #20082 merged Jul 23, 2025

• Release preparation for version 2.22.2

  #20112 merged Jul 23, 2025

• Revert "Release preparation for version 2.22.2"

  #20110 merged Jul 23, 2025

• Rust: Type inference for tuples

  #20041 merged Jul 23, 2025

• Kotlin: Run the tests with 2.2.0

  #20031 merged Jul 22, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20106 merged Jul 22, 2025

• Release preparation for version 2.22.2

  #20105 merged Jul 22, 2025

• Revert "Release preparation for version 2.22.2"

  #20104 merged Jul 22, 2025

• Rust: new query rust/hardcoded-crytographic-value

  #18943 merged Jul 22, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20103 merged Jul 22, 2025

• Release preparation for version 2.22.2

  #20100 merged Jul 22, 2025

• Rust: Path resolution associated type fix

  #20096 merged Jul 22, 2025

• Revert post-release preparation for codeql-cli-2.22.2

  #20099 merged Jul 21, 2025

• Rust: Refactor PathTypeMention

  #20094 merged Jul 21, 2025

• Java: Update qhelp: SnakeYaml is safe from version 2.0

  #20018 merged Jul 21, 2025

• Java: Improve more join-orders

  #20092 merged Jul 21, 2025

• Java: Diff-informed queries: phase 3 (non-trivial locations)

  #20077 merged Jul 21, 2025

• Java: Fix accidental CP in CFG for asserts.

  #20091 merged Jul 21, 2025

30 Pull requests opened by 14 people

• Java: Add support to `ModuleImportDeclaration`

  #20097 opened Jul 21, 2025

• Java: Add support to Compact Source Files

  #20116 opened Jul 23, 2025

• Python: Modernize Unexpected Raise In Special Method query

  #20120 opened Jul 24, 2025

• Rust: Support blanket implementations

  #20133 opened Jul 28, 2025

• JS: Modeling of `aws-sdk` clients*

  #20135 opened Jul 28, 2025

• Java: Add test for flexible constructor support

  #20136 opened Jul 29, 2025

• Python: Modernise Superclass attribute shadows subclass method query

  #20142 opened Jul 30, 2025

• Rust: Don't use constraint implementations for type parameters

  #20143 opened Jul 30, 2025

• JS: Move cors-misconfiguration query from experimental to Security

  #20146 opened Jul 31, 2025

• Python: Add jump steps for global variable nested field access

  #20162 opened Aug 4, 2025

• Bump actions/download-artifact from 4 to 5

  #20175 opened Aug 6, 2025

• Java: Added new query `java/visible-for-testing-abuse`

  #20178 opened Aug 6, 2025

• Doc: Fix link to `warnOnImplicitThis` GitHub docs

  #20184 opened Aug 7, 2025

• Bump the extractor-dependencies group in /go/extractor with 2 updates

  #20188 opened Aug 8, 2025

• Java: Enhance `java/jvm-exit` query and add to quality

  #20190 opened Aug 8, 2025

• Java: port quality query `java/mocking-all-non-private-methods-means-unit-test-is-too-big`

  #20205 opened Aug 11, 2025

• Python extractor: overlay support

  #20206 opened Aug 11, 2025

• Bump rayon from 1.10.0 to 1.11.0 in /ql

  #20212 opened Aug 13, 2025

• Python: Modernize the Signature Mismatch query

  #20217 opened Aug 13, 2025

• Rust: Implement a new query for Log Injection

  #20221 opened Aug 13, 2025

• Rust: Fallback crate resolution

  #20225 opened Aug 14, 2025

• Type inference: Rename some variables

  #20234 opened Aug 15, 2025

• Rust: Model `async` return types as `dyn Future`

  #20236 opened Aug 17, 2025

• C#: Streamline MaD summaries for Byte- and Char arrays and pointers

  #20239 opened Aug 18, 2025

• Java: accept new test results after extractor update

  #20247 opened Aug 19, 2025

• Rust: Adjust jump-to-def for paths with generic arguments

  #20248 opened Aug 19, 2025

• C++: Use the shared type-tracking library for virtual dispatch resolution

  #20249 opened Aug 19, 2025

• Bazel: do not force `lld` and fix `platforms` warning

  #20250 opened Aug 19, 2025

• Add extra Customizations files

  #20252 opened Aug 19, 2025

• Shared: Add and use a signature for basic blocks

  #20253 opened Aug 20, 2025

13 Issues closed by 9 people

• "No code found during the build." after successful compilation for C++ in Visual Studio 2019

  #7365 closed Aug 18, 2025

• Superflous paths-ignore warning?

  #6845 closed Aug 18, 2025

• Default java database creation with gradle does not include all source sets

  #20227 closed Aug 14, 2025

• The “--buildmode none” not work for cpp in version 2.22.3

  #20214 closed Aug 13, 2025

• [JS] js qlpacks are not segregated and it creates a bit of an issue during rebundling/customization

  #20209 closed Aug 12, 2025

• Ruby NetHttpRequest improvements

  #19294 closed Aug 12, 2025

• Unable to generate graph with prinAst.ql and CodeQL CLI

  #20202 closed Aug 12, 2025

• C++: request for support more C++ features to avoid failures in CodeQL compile

  #16652 closed Aug 11, 2025

• CodeQL cannot parse HTTP annotations in decompiled C# code.

  #20170 closed Aug 6, 2025

• github-recovery-codes.txt.

  #20157 closed Aug 4, 2025

• Spread unidentified

  #19914 closed Jul 26, 2025

• Python: Aiopg.qll misses some SQL injection sinks in aiopg

  #20111 closed Jul 24, 2025

• Rust: Remove sourceModelDeprecated, summaryModelDeprecated and sinkModelDeprecated.

  #20108 closed Jul 23, 2025

15 Issues opened by 13 people

• Codeql pack create warning - is not an extension target of xxx

  #20211 opened Aug 12, 2025

• [Rust] Unused variable false positive in compound conditional statements

  #20201 opened Aug 10, 2025

• [Docs] Consistently refer to either `codeql-pack.yml` or `qlpack.yml`

  #20187 opened Aug 7, 2025

• Should `qlpack.yml` `compileForOverlayEval` be documented?

  #20186 opened Aug 7, 2025

• Query: increase size of code-snippet context exported in SARIF?

  #20176 opened Aug 6, 2025

• False positive in python/ql/src/Security/CWE-312/CleartextLogging.ql

  #20168 opened Aug 4, 2025

• How to write CodeQL rules?

  #20159 opened Aug 4, 2025

• False positive "use of implicit PendingIntents" alert

  #20153 opened Aug 1, 2025

• False positives for py/file-not-closed even when using `with` statements

  #20152 opened Aug 1, 2025

• Java SSRF Findings

  #20144 opened Jul 30, 2025

• CWE 134

  #20131 opened Jul 28, 2025

• For an abstract class in the CodeQL source code, how can I quickly find all the classes that extend this abstract class from the CodeQL library?

  #20125 opened Jul 25, 2025

• CWE-918 (SSRF) - Java - False Positive Justification

  #20117 opened Jul 23, 2025

• CodeQL detected code written in `some language`, but not any written in GitHub Actions. Confirm that there is some source code for GitHub Actions in the project.

  #20102 opened Jul 21, 2025

• UnvalidatedDynamicMethodCall query does not detect flow inside try/catch

  #20098 opened Jul 21, 2025

21 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Rust: upgrade to rust-analyzer 0.0.300

  #20055 commented on Aug 19, 2025 • 26 new comments

• C#: Allow implicit collection reads in sink nodes.

  #20089 commented on Aug 20, 2025 • 3 new comments

• Update Go Path Injection Sanitizer and Sink

  #20064 commented on Jul 21, 2025 • 3 new comments

• Java: Add `previous-id` and adjust tags for `java/garbage-collection` and `java/run-finalizers-on-exit`

  #20095 commented on Aug 12, 2025 • 2 new comments

• Experiment: Make all data flow incremental

  #20028 commented on Aug 7, 2025 • 2 new comments

• Just: introduce common "verbs"

  #19978 commented on Aug 14, 2025 • 0 new comments

• Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 commented on Jul 24, 2025 • 0 new comments

• CodeQL for php

  #14000 commented on Aug 14, 2025 • 0 new comments

• Why doesn't CodeQL support auditing PHP

  #12376 commented on Aug 14, 2025 • 0 new comments

• [Rust] macro expansion failed warnings

  #19966 commented on Aug 12, 2025 • 0 new comments

• General issue - CodeQL exiting with exit code 2

  #14866 commented on Aug 7, 2025 • 0 new comments

• python false positive Clear-text logging of sensitive information

  #13538 commented on Aug 5, 2025 • 0 new comments

• Idea/Feature request: codeql as MCP Server

  #19150 commented on Jul 29, 2025 • 0 new comments

• Question: C# analysis without building the code, on Azure DevOps

  #16070 commented on Jul 29, 2025 • 0 new comments

• General issue - When using `--build-mode=none`, Windows builds produce `Extraction error: 'MsvcCompiler' object has no attribute 'clangpp'`

  #20071 commented on Jul 28, 2025 • 0 new comments

• Better explain how to exclude paths for compiled languages

  #8689 commented on Jul 28, 2025 • 0 new comments

• [python] The tuple (*) argument of a call cannot step to function parameter for the CommandInjectionCustomizations flow

  #19900 commented on Jul 25, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented on Jul 23, 2025 • 0 new comments

• False positive - Log entries created from user input (cs/log-forging)

  #15824 commented on Jul 21, 2025 • 0 new comments

• False positive: Full server-side request forgery

  #20093 commented on Jul 21, 2025 • 0 new comments

• CodeQL Python query runs extremely slow on medium-sized project using TaintTracking::Global

  #19928 commented on Jul 21, 2025 • 0 new comments