59 Pull requests merged by 20 people

• C++: Add Arm scalable vector type QL classes

  #19792 merged Jun 18, 2025

• Quantum: Add OpenSSL signature models

  #19705 merged Jun 18, 2025

• Python: Modernize the init-calls-subclass query

  #19709 merged Jun 18, 2025

• Kotlin: clean up alternate-version code now that v1.5.x support is dropped

  #19496 merged Jun 18, 2025

• Add code-quality-extended query suites

  #19808 merged Jun 18, 2025

• Rust: Add new MaD format based on QL-computed canonical paths

  #19790 merged Jun 18, 2025

• Rust: Extend jump-to-def query with method calls

  #19809 merged Jun 18, 2025

• Rust: add proc-macro capabilities to QL tests

  #19800 merged Jun 18, 2025

• C++: fix typedef resolution in ArrayType

  #19805 merged Jun 18, 2025

• C#: Mass add quality queries to the Code Quality suite.

  #19783 merged Jun 18, 2025

• Rust: Make SummarizedCallable extend Function instead of string

  #19268 merged Jun 18, 2025

• Rust: do not remove Cargo.lock file when running QL tests

  #19803 merged Jun 17, 2025

• Ruby: Update quality tags.

  #19793 merged Jun 17, 2025

• Swift: mass enable diff-informed data flow

  #19662 merged Jun 17, 2025

• Go: mass enable diff-informed data flow

  #19660 merged Jun 17, 2025

• C++: mass enable diff-informed data flow

  #19663 merged Jun 17, 2025

• C#: mass enable diff-informed data flow

  #19661 merged Jun 17, 2025

• Actions: mass enable diff-informed data flow

  #19659 merged Jun 17, 2025

• C++: Retrieve namespace attributes

  #19773 merged Jun 17, 2025

• C++: Add exception edges out of calls inside try statements

  #19787 merged Jun 17, 2025

• JS: Improve XSS detection for serialize-javascript with tainted objects

  #19771 merged Jun 17, 2025

• C#: Handle non-unique type arguments when computing generics strings

  #19782 merged Jun 17, 2025

• C#: Add cs/gethashcode-is-not-defined to the Code Quality suite.

  #19716 merged Jun 17, 2025

• Overlay: Add QL for QL query to warn about possible non-inlining across overlay frontier

  #19590 merged Jun 17, 2025

• Shared: Make sure getMadRepresentation is unique

  #19777 merged Jun 16, 2025

• C++: Generate SEH edges for pointer dereference loads/stores in __try blocks

  #19775 merged Jun 16, 2025

• Rust: add Cargo.lock files to all tests with cargo check

  #19772 merged Jun 16, 2025

• C++: Use SEH exception edges in IR and generate SEH exception edges for calls in __try blocks

  #19746 merged Jun 16, 2025

• Rust: Type inference uses defaults for type parameters

  #19756 merged Jun 16, 2025

• Rust: regenerate models

  #19748 merged Jun 16, 2025

• CI: fix python version

  #19765 merged Jun 16, 2025

• C++: Add more MaD summaries

  #19753 merged Jun 13, 2025

• C++: Add support to __leave

  #19734 merged Jun 13, 2025

• Rust: Disambiguate some method calls based on argument types

  #19749 merged Jun 13, 2025

• Rust: Temporarily disable type information to flow into operands

  #19755 merged Jun 13, 2025

• Rust: Type inference for macro expressions

  #19751 merged Jun 13, 2025

• Java: Update the CFG for assert statements to make them proper guards.

  #19733 merged Jun 13, 2025

• Python: Modernize iter not returning self query

  #19554 merged Jun 13, 2025

• JS: Promote js/template-syntax-in-string-literal to the Code Quality suite.

  #19726 merged Jun 13, 2025

• Rust: Model String -> str implicit conversion in type inference

  #19737 merged Jun 13, 2025

• Rust: Use hasImplementation in path resolution

  #19745 merged Jun 13, 2025

• Add black pre-commit hook

  #19712 merged Jun 12, 2025

• Rust: Use QL computed canonical paths in MaD Field tokens

  #19667 merged Jun 12, 2025

• Rust: extract hasImplementation on functions and consts

  #19649 merged Jun 12, 2025

• Rust: Data flow through overloaded operators

  #19685 merged Jun 12, 2025

• Shared: Add elaborate QL doc to TypeInference.qll

  #19727 merged Jun 12, 2025

• JS: Promote js/suspicious-method-name-declaration to the Code Quality suite.

  #19741 merged Jun 12, 2025

• Rust: fix typo in README.md

  #19742 merged Jun 12, 2025

• Rust: Also apply adjustedAccessType in RelevantAccess

  #19729 merged Jun 12, 2025

• Rust: Add another type inference debug predicate

  #19728 merged Jun 12, 2025

• Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages (#2)

  #19738 merged Jun 12, 2025

• Rust: Generate canonical paths for builtins

  #19732 merged Jun 12, 2025

• Rust: move body skipping logic to code generation

  #19559 merged Jun 12, 2025

• Rust: Simple type inference for index expressions

  #19657 merged Jun 12, 2025

• Update precision java concatenated command line

  #19723 merged Jun 12, 2025

• Rust: Update RegexInjectionExtensions to use getCanonicalPath.

  #19735 merged Jun 12, 2025

• Changedocs 2.22.0

  #19740 merged Jun 11, 2025

• C++: Add boolean for explicit lambda parameter lists

  #19686 merged Jun 11, 2025

• fixing some improperly escaped URLs

  #19739 merged Jun 11, 2025

37 Pull requests opened by 13 people

• JS: Promote `js/loop-iteration-skipped-due-to-shifting` to the Code Quality suite

  #19743 opened Jun 12, 2025

• MaD generator: use `--threads=0` and 2GB per thread for `--ram` by default

  #19744 opened Jun 12, 2025

• Add CI workflow to check overlay annotations

  #19747 opened Jun 13, 2025

• JS: remove `encodeURI` from sanitizer list of request forgery

  #19750 opened Jun 13, 2025

• Rust: Type inference for `for` loops and array expressions

  #19754 opened Jun 13, 2025

• Actions: mass-enable diff-informed queries phase 2 - `getASelected{Source,Sink}Location() { none() }`

  #19757 opened Jun 13, 2025

• C#: mass-enable diff-informed queries phase 2 - `getASelected{Source,Sink}Location() { none() }`

  #19758 opened Jun 13, 2025

• C++: mass-enable diff-informed queries phase 2 - `getASelected{Source,Sink}Location() { none() }`

  #19759 opened Jun 13, 2025

• Go: mass-enable diff-informed queries phase 2 - `getASelected{Source,Sink}Location() { none() }`

  #19760 opened Jun 13, 2025

• Swift: mass-enable diff-informed queries phase 2 - `getASelected{Source,Sink}Location() { none() }`

  #19761 opened Jun 13, 2025

• Improve TypeORM model

  #19762 opened Jun 13, 2025

• Go: Update tags for high precision quality queries

  #19763 opened Jun 13, 2025

• Add lodash GroupBy as taint step

  #19768 opened Jun 13, 2025

• Improve NestJS sources and dependency injection

  #19769 opened Jun 14, 2025

• Improve data flow in the `async` package

  #19770 opened Jun 15, 2025

• Rust: limit number of diagnostics to 100 per trap file

  #19774 opened Jun 16, 2025

• JS: Mass promotion of queries to `quality` status

  #19776 opened Jun 16, 2025

• Overlay: Add script to help maintain overlay annotations

  #19778 opened Jun 16, 2025

• Overlay: Add overlay annotations to Java & shared libraries

  #19779 opened Jun 16, 2025

• Overlay: Add CI workflow to check overlay annotations

  #19780 opened Jun 16, 2025

• Go: remove language tests from workflows

  #19781 opened Jun 16, 2025

• JS: Improve Express middleware taint tracking

  #19784 opened Jun 16, 2025

• Rust: expand attribute macros on `AssocItem`

  #19786 opened Jun 16, 2025

• Rust: Account for borrows in operators in type inference

  #19789 opened Jun 17, 2025

• Java: mass enable diff-informed data flow + `none()` overrides

  #19795 opened Jun 17, 2025

• Python: mass enable diff-informed data flow `none()` location overrides

  #19797 opened Jun 17, 2025

• Ruby: mass enable diff-informed data flow `none()` location overrides

  #19798 opened Jun 17, 2025

• Java: Tag quality queries with `quality` and sub-category

  #19799 opened Jun 17, 2025

• Rust: Update PoemHandlerParam to use getCanonicalPath

  #19801 opened Jun 17, 2025

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 opened Jun 17, 2025

• Rust: Update DotDotCheck to use getCanonicalPath

  #19804 opened Jun 17, 2025

• QL4QL: Add test for `ql/inline-overlay-caller` query

  #19810 opened Jun 18, 2025

• Python: Tag quality queries with `quality` and sub category.

  #19812 opened Jun 18, 2025

• Java: Add manual overlay annotations & discard predicates

  #19813 opened Jun 18, 2025

• Crypto: Fix cpp-specific code scanning alert failure

  #19814 opened Jun 18, 2025

• Update query-metadata-style-guide.md

  #19815 opened Jun 18, 2025

• Rust: Path resolution for `crate::{self as foo}`

  #19816 opened Jun 18, 2025

4 Issues closed by 4 people

• can i still use old api for codeql？

  #19668 closed Jun 17, 2025

• Use After Free: Tracking alias

  #18791 closed Jun 13, 2025

• False positive

  #19766 closed Jun 13, 2025

• C/C++: `Gotostmt` also matches `__leave` keyword

  #19666 closed Jun 13, 2025

5 Issues opened by 5 people

• CodeQL analysis does not detect expected command injection vulnerability

  #19811 opened Jun 18, 2025

• General issue Go. Why isn't the following code recognized as a source in a global data stream?

  #19807 opened Jun 18, 2025

• Support for `.slnx` Solution Format Not Yet Implemented

  #19767 opened Jun 13, 2025

• Add support for Oracle Call Interface (OCI) to C/C++ coverage

  #19764 opened Jun 13, 2025

• Taint step for the Gradio framework

  #19752 opened Jun 13, 2025

25 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Quantum: Support for BouncyCastle signature algorithms and block cipher modes

  #19568 commented on Jun 16, 2025 • 19 new comments

• Rust: update docs

  #19280 commented on Jun 18, 2025 • 17 new comments

• Rust: New query rust/access-after-lifetime-ended

  #19702 commented on Jun 18, 2025 • 14 new comments

• Ruby: generate overlay discard predicates

  #19719 commented on Jun 17, 2025 • 3 new comments

• Update qhelp style guide for markdown format

  #19730 commented on Jun 18, 2025 • 2 new comments

• Enhance `cpp/overflow-calculated` - detect out-of-bounds write caused by passing the buffer size in bytes (using sizeof) instead of the number of elements to wcsftime, allowing the function to overrun the allocated buffer.

  #19722 commented on Jun 13, 2025 • 1 new comment

• fix qhelp files

  #19707 commented on Jun 17, 2025 • 1 new comment

• Ruby: enable overlay compilation

  #19731 commented on Jun 17, 2025 • 0 new comments

• Ruby: add support for extracting overlay databases

  #19684 commented on Jun 12, 2025 • 0 new comments

• Fixes in cpp/global-use-before-init

  #19676 commented on Jun 16, 2025 • 0 new comments

• Rust: Fix type inference for library parameters

  #19658 commented on Jun 17, 2025 • 0 new comments

• Rust: emit `Const` bodies in library mode

  #19651 commented on Jun 12, 2025 • 0 new comments

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 commented on Jun 18, 2025 • 0 new comments

• JS: Deprecate type extraction

  #19640 commented on Jun 13, 2025 • 0 new comments

• Shared/Java: Add shared Guards library and switch Java to use it.

  #19573 commented on Jun 17, 2025 • 0 new comments

• Rust: upgrade `rust-analyzer` to 0.0.287

  #19524 commented on Jun 18, 2025 • 0 new comments

• C++: Handle explicitly instantiated templates

  #16075 commented on Jun 17, 2025 • 0 new comments

• CodeQL Docs: SnakeYaml is now secure by default

  #19664 commented on Jun 17, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented on Jun 17, 2025 • 0 new comments

• Kotlin language database create bug?

  #19670 commented on Jun 17, 2025 • 0 new comments

• Call chain analysis exception

  #19637 commented on Jun 17, 2025 • 0 new comments

• [Java] Dataflow through object

  #18680 commented on Jun 17, 2025 • 0 new comments

• Actions: imprecise action references in model data

  #19635 commented on Jun 16, 2025 • 0 new comments

• Extraction error with tsg-python

  #19736 commented on Jun 12, 2025 • 0 new comments

• CodeQL unable to find out sources of a chosen dataflow node in Javascript

  #19720 commented on Jun 12, 2025 • 0 new comments