10 Pull requests merged by 9 people

• Go: promote html-template-escaping-bypass-xss

  #19386 merged Jun 6, 2025

• Bump the extractor-dependencies group in /go/extractor with 2 updates

  #19683 merged Jun 6, 2025

• Update CSV framework coverage reports

  #19673 merged Jun 5, 2025

• Actions: Make Env non-abstract

  #19675 merged Jun 5, 2025

• C++: accept new test results after changes

  #19533 merged Jun 5, 2025

• Rust: Remove external locations in tests using post-processing

  #19669 merged Jun 4, 2025

• Rust: add documentation for AST nodes

  #19630 merged Jun 4, 2025

• JS: new Quality query - Unhandled errors in .pipe() chain

  #19544 merged Jun 4, 2025

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 merged Jun 4, 2025

• Go: Add BigQuery as a sink for SQLi queries #2

  #19561 merged Jun 4, 2025

12 Pull requests opened by 8 people

• Rust: Use QL computed canonical paths in MaD `Field` tokens

  #19667 opened Jun 4, 2025

• Python: Support type annotations in call graph

  #19672 opened Jun 4, 2025

• Rust: regenerate MaD files using DCA

  #19674 opened Jun 5, 2025

• Fixes in cpp/global-use-before-init

  #19676 opened Jun 5, 2025

• Go: Improve two class names and add some helper predicates

  #19677 opened Jun 5, 2025

• Swift: Update to Swift 6.1.2

  #19678 opened Jun 5, 2025

• C++: Update stats file after changes to DCA source suite

  #19679 opened Jun 5, 2025

• JavaScript: Don't extract obviously generated files

  #19680 opened Jun 5, 2025

• Ruby: add support for extracting overlay databases

  #19684 opened Jun 6, 2025

• Rust: Data flow through overloaded operators

  #19685 opened Jun 6, 2025

• C++: Add boolean for explicit lambda parameter lists

  #19686 opened Jun 6, 2025

• C++: Support the `__mfp8` floating point type

  #19688 opened Jun 6, 2025

6 Issues closed by 4 people

• [Java] Issue resolving dependences

  #19458 closed Jun 6, 2025

• BDD node limit of 2^^25 reached on Type erasure

  #19648 closed Jun 5, 2025

• Actions: Identifying keywords like `with`, `shell`

  #19629 closed Jun 5, 2025

• Vulnerable Python code is not detected by CWE-094 rule

  #14347 closed Jun 5, 2025

• C++: Multi-Level Member Function Calls Not Modeled as DataFlow::Node

  #19457 closed Jun 4, 2025

• How to speed up the execution

  #19471 closed Jun 4, 2025

7 Issues opened by 7 people

• False Positive: "Statement has no effect" on Airflow task chaining with >> operator

  #19687 opened Jun 6, 2025

• False positive: Env var is from config, not vault, and contains the name of another env var

  #19681 opened Jun 5, 2025

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 opened Jun 4, 2025

• Kotlin language database create bug?

  #19670 opened Jun 4, 2025

• can i still use old api for codeql？

  #19668 opened Jun 4, 2025

• C/C++: `Gotostmt` also matches `__leave` keyword

  #19666 opened Jun 4, 2025

• CodeQL Docs: SnakeYaml is now secure by default

  #19664 opened Jun 3, 2025

27 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Quantum: Initial support for BouncyCastle signature algorithms

  #19568 commented on Jun 5, 2025 • 23 new comments

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 commented on Jun 4, 2025 • 10 new comments

• Go: mass enable diff-informed data flow

  #19660 commented on Jun 5, 2025 • 10 new comments

• Swift: mass enable diff-informed data flow

  #19662 commented on Jun 6, 2025 • 5 new comments

• Rust: update supported languages and frameworks

  #19280 commented on Jun 6, 2025 • 3 new comments

• Rust: upgrade `rust-analyzer` to 0.0.285

  #19524 commented on Jun 5, 2025 • 2 new comments

• Rust: Fix type inference for library parameters

  #19658 commented on Jun 4, 2025 • 2 new comments

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 commented on Jun 4, 2025 • 2 new comments

• JS: Deprecate type extraction

  #19640 commented on Jun 4, 2025 • 2 new comments

• Quantum: OpenSSL signatures

  #19628 commented on Jun 5, 2025 • 2 new comments

• C++: mass enable diff-informed data flow

  #19663 commented on Jun 5, 2025 • 1 new comment

• C#: mass enable diff-informed data flow

  #19661 commented on Jun 6, 2025 • 1 new comment

• Actions: mass enable diff-informed data flow

  #19659 commented on Jun 5, 2025 • 1 new comment

• Rust: Simple type inference for index expressions

  #19657 commented on Jun 4, 2025 • 1 new comment

• Add script to add overlay annotations

  #19631 commented on Jun 6, 2025 • 1 new comment

• Rust: Path resolution for `extern crate`s

  #19614 commented on Jun 4, 2025 • 0 new comments

• C#: Improve `cs/dereference-*` queries and add to the Code Quality suite.

  #19589 commented on Jun 4, 2025 • 0 new comments

• Go: fix `DefinedType.getBaseType`

  #19654 commented on Jun 5, 2025 • 0 new comments

• JS: ClientRequests Axios Instance support

  #19655 commented on Jun 5, 2025 • 0 new comments

• Add `client-response` Threat Model and update JS ClientsRequests

  #19656 commented on Jun 5, 2025 • 0 new comments

• Rust: Type inference for `.await` expressions

  #19584 commented on Jun 4, 2025 • 0 new comments

• Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages

  #19530 commented on Jun 6, 2025 • 0 new comments

• Add Microsoft to trusted actions owner

  #19450 commented on Jun 5, 2025 • 0 new comments

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 commented on Jun 4, 2025 • 0 new comments

• C++: request for support more C++ features to avoid failures in CodeQL compile

  #16652 commented on Jun 4, 2025 • 0 new comments

• False positive: Go / MongoDB Find method

  #19537 commented on Jun 4, 2025 • 0 new comments

• Java: static field access of unknown class breaks dataflow (build-mode=none)

  #19597 commented on Jun 4, 2025 • 0 new comments