35 Pull requests merged by 15 people

• C++: Add some more Windows specific memory copy models

  #20115 merged Jul 23, 2025

• Shared: Improve sensitive data heuristics

  #20024 merged Jul 23, 2025

• Rust: Diff-informed queries: phase 3 (non-trivial locations)

  #20081 merged Jul 23, 2025

• Rust: Remove sourceModelDeprecated, summaryModelDeprecated and sinkModelDeprecated

  #20109 merged Jul 23, 2025

• C++: Add more barriers to cpp/overrun-write

  #20107 merged Jul 23, 2025

• Rust: Type inference refactor and improve join orders

  #20076 merged Jul 23, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20113 merged Jul 23, 2025

• Swift: Diff-informed queries: phase 3 (non-trivial locations)

  #20082 merged Jul 23, 2025

• Release preparation for version 2.22.2

  #20112 merged Jul 23, 2025

• Revert "Release preparation for version 2.22.2"

  #20110 merged Jul 23, 2025

• Rust: Type inference for tuples

  #20041 merged Jul 23, 2025

• Kotlin: Run the tests with 2.2.0

  #20031 merged Jul 22, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20106 merged Jul 22, 2025

• Release preparation for version 2.22.2

  #20105 merged Jul 22, 2025

• Revert "Release preparation for version 2.22.2"

  #20104 merged Jul 22, 2025

• Rust: new query rust/hardcoded-crytographic-value

  #18943 merged Jul 22, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20103 merged Jul 22, 2025

• Release preparation for version 2.22.2

  #20100 merged Jul 22, 2025

• Rust: Path resolution associated type fix

  #20096 merged Jul 22, 2025

• Revert post-release preparation for codeql-cli-2.22.2

  #20099 merged Jul 21, 2025

• Rust: Refactor PathTypeMention

  #20094 merged Jul 21, 2025

• Java: Update qhelp: SnakeYaml is safe from version 2.0

  #20018 merged Jul 21, 2025

• Java: Improve more join-orders

  #20092 merged Jul 21, 2025

• Java: Diff-informed queries: phase 3 (non-trivial locations)

  #20077 merged Jul 21, 2025

• Java: Fix accidental CP in CFG for asserts.

  #20091 merged Jul 21, 2025

• Java: Improve several join-orders

  #20088 merged Jul 18, 2025

• Java: Prune PathGraph for CsrfUnprotectedRequestType.ql

  #20083 merged Jul 18, 2025

• Update CSV framework coverage reports

  #20087 merged Jul 18, 2025

• Java: Add AnnotatedExitNodes to the CFG.

  #19885 merged Jul 17, 2025

• Ql4ql: Quality query tagging.

  #19931 merged Jul 17, 2025

• fix qhelp files

  #19707 merged Jul 17, 2025

• Java: allow the definition of java/unsafe-deserialization sinks using data extensions

  #20067 merged Jul 17, 2025

• Overlay: Enable overlay compilation for Java

  #19872 merged Jul 17, 2025

• Make a proper shared library out of the concept related libraries

  #19984 merged Jul 17, 2025

• Go: Fix compilation of DataFlowImplConsistency.qll

  #20053 merged Jul 17, 2025

15 Pull requests opened by 8 people

• Actions: Diff-informed queries: phase 3 (non-trivial locations)

  #20072 opened Jul 17, 2025

• C++: Diff-informed queries: phase 3 (non-trivial locations)

  #20073 opened Jul 17, 2025

• C#: Diff-informed queries: phase 3 (non-trivial locations)

  #20074 opened Jul 17, 2025

• Go: Diff-informed queries: phase 3 (non-trivial locations)

  #20075 opened Jul 17, 2025

• JS: Diff-informed queries: phase 3 (non-trivial locations)

  #20078 opened Jul 17, 2025

• Python: Diff-informed queries: phase 3 (non-trivial locations)

  #20079 opened Jul 17, 2025

• Ruby: Diff-informed queries: phase 3 (non-trivial locations)

  #20080 opened Jul 17, 2025

• Rust: Implement type inference for trait objects/`dyn` types

  #20084 opened Jul 17, 2025

• Python: Modernise raise-not-implemented query

  #20086 opened Jul 17, 2025

• C#: Allow implicit collection reads in sinks nodes.

  #20089 opened Jul 18, 2025

• Java: Add `previous-id` and adjust tags for `java/garbage-collection` and `java/run-finalizers-on-exit`

  #20095 opened Jul 19, 2025

• Java: Add support to `ModuleImportDeclaration`

  #20097 opened Jul 21, 2025

• Fix #19294, Ruby NetHttpRequest improvements

  #20101 opened Jul 21, 2025

• Kotlin: Add Kotlin 2.2.20 support

  #20114 opened Jul 23, 2025

• Java: Add support to Compact Source Files

  #20116 opened Jul 23, 2025

4 Issues closed by 4 people

• Python: Aiopg.qll misses some SQL injection sinks in aiopg

  #20111 closed Jul 24, 2025

• Rust: Remove sourceModelDeprecated, summaryModelDeprecated and sinkModelDeprecated.

  #20108 closed Jul 23, 2025

• [Java] Flag calls to jdk.internal.misc.Unsafe

  #20070 closed Jul 18, 2025

• Error running codeql database analyze go

  #19890 closed Jul 17, 2025

5 Issues opened by 5 people

• CWE-918 (SSRF) - Java - False Positive Justification

  #20117 opened Jul 23, 2025

• CodeQL detected code written in `some language`, but not any written in GitHub Actions. Confirm that there is some source code for GitHub Actions in the project.

  #20102 opened Jul 21, 2025

• UnvalidatedDynamicMethodCall query does not detect flow inside try/catch

  #20098 opened Jul 21, 2025

• False positive: Full server-side request forgery

  #20093 opened Jul 18, 2025

• General issue - When using `--build-mode=none`, Windows builds produce `Extraction error: 'MsvcCompiler' object has no attribute 'clangpp'`

  #20071 opened Jul 17, 2025

12 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Promote Insecure Spring Boot Actuator Configuration query from experimental

  #20006 commented on Jul 19, 2025 • 4 new comments

• Update Go Path Injection Sanitizer and Sink

  #20064 commented on Jul 21, 2025 • 4 new comments

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 commented on Jul 17, 2025 • 2 new comments

• Diff-informed queries: phase 3 (non-trivial locations)

  #19957 commented on Jul 17, 2025 • 1 new comment

• Spread unidentified

  #19914 commented on Jul 19, 2025 • 0 new comments

• CodeQL Python query runs extremely slow on medium-sized project using TaintTracking::Global

  #19928 commented on Jul 21, 2025 • 0 new comments

• False positive - Log entries created from user input (cs/log-forging)

  #15824 commented on Jul 21, 2025 • 0 new comments

• Question: C# analysis without building the code, on Azure DevOps

  #16070 commented on Jul 22, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented on Jul 23, 2025 • 0 new comments

• Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 commented on Jul 21, 2025 • 0 new comments

• Just: introduce common "verbs"

  #19978 commented on Jul 18, 2025 • 0 new comments

• Python: Minor documantation updates to several quality queries

  #20052 commented on Jul 23, 2025 • 0 new comments