41 Pull requests merged by 18 people

• C++: Add word missing from change note

  #18281 merged Dec 16, 2024

• C++: Fix some FPs in cpp/missing-check-scanf (third attempt!)

  #18207 merged Dec 16, 2024

• Rust: extract isRef for SelfParam

  #18294 merged Dec 16, 2024

• C#: Add html-injection sinks for Blazor MarkupString

  #18278 merged Dec 16, 2024

• C#: Add summary for Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelper::TypeCheck<T>

  #18280 merged Dec 16, 2024

• Swift: improve diagnostics for OS incompatibility

  #18289 merged Dec 16, 2024

• Bazel: add a test wrapper around installation scripts

  #18276 merged Dec 16, 2024

• Rust: Fix semantic merge conflicts

  #18297 merged Dec 16, 2024

• Fix failing tests on main.

  #18293 merged Dec 16, 2024

• Move test utilities to the query pack.

  #17968 merged Dec 16, 2024

• Rust: Flow through captured variables

  #18270 merged Dec 16, 2024

• Go: Make models-as-data source models for variadic parameters work

  #18275 merged Dec 15, 2024

• Swift: remove linux from standard pack

  #18282 merged Dec 13, 2024

• Misc: Look up remote name instead of using origin in misc/prepare-db-upgrade.sh

  #18266 merged Dec 13, 2024

• Go: Model os.Args as a commandargs source

  #18284 merged Dec 13, 2024

• KE2: Upgrade to Kotlin 2.1.0; restore basic type parameter and type argument extraction

  #18215 merged Dec 13, 2024

• Swift: make extractor compilable with Swift 6

  #17699 merged Dec 13, 2024

• C++: Fix small PrintAST and PrintIR issue

  #18277 merged Dec 12, 2024

• JS: Use TaintedUrlSuffix in ClientSideUrlRedirect

  #18203 merged Dec 12, 2024

• Data flow: Remove unused column from flowThroughOutOfCall

  #18263 merged Dec 12, 2024

• Rust: Weak encryption algorithm query.

  #18226 merged Dec 12, 2024

• C#: Fix some new compiler warnings

  #18246 merged Dec 12, 2024

• C#: Remove false-positive reflection calls in dataflow

  #18269 merged Dec 12, 2024

• Java: Make separate classes for different control flow node kinds

  #17996 merged Dec 12, 2024

• C#: Update global.json for cshtml_standalone_flowsteps.

  #18267 merged Dec 12, 2024

• Java: add SSRF sink model for the third parameter of RestTemplate.getForObject

  #18153 merged Dec 11, 2024

• Java: add File.getName as a path injection sanitizer

  #18214 merged Dec 11, 2024

• Dataflow: Simplify references to access paths from prior stage.

  #18258 merged Dec 11, 2024

• Go: Improve data flow out of variadic parameter

  #18235 merged Dec 11, 2024

• Rust: Models-as-data for flow summaries

  #18231 merged Dec 11, 2024

• JS: Migrate away from FlowLabel class in TaintedPath

  #18204 merged Dec 11, 2024

• Kotlin: git-ignore .testproj directories in tests

  #18268 merged Dec 11, 2024

• Upgrade bazel to 8.0.0.

  #18257 merged Dec 11, 2024

• Update codeql unified changelog

  #18209 merged Dec 11, 2024

• Make scripts executable

  #18247 merged Dec 11, 2024

• Java: IPA the CFG (second try)

  #17970 merged Dec 10, 2024

• C++: Consider writes to arrays as uncertain

  #18251 merged Dec 10, 2024

• C#: Enable Semmle.Util.Tests.

  #18248 merged Dec 10, 2024

• KE2: extractExpressionStmt can be used with null statements

  #18254 merged Dec 10, 2024

• Python: Promote Template Injection query from experimental

  #17922 merged Dec 10, 2024

• Update CSV framework coverage reports

  #18255 merged Dec 10, 2024

16 Pull requests opened by 13 people

• Brodes/seh flow phase3.2 add load store seh exceptions

  #18260 opened Dec 10, 2024

• C++: Add more MaD models for ATL string classes

  #18261 opened Dec 10, 2024

• C++: Use SEH exception edges in IR and generate SEH exception edges for calls in `__try`, `__except`, and `__finally` blocks

  #18262 opened Dec 10, 2024

• JS: Migrate all queries to proper flow states and deprecate FlowLabel

  #18265 opened Dec 11, 2024

• Just test PoC

  #18273 opened Dec 12, 2024

• Go: extract explicit alias types

  #18283 opened Dec 13, 2024

• Update CSV framework coverage reports

  #18285 opened Dec 14, 2024

• [DRAFT] Java: add CSRF query

  #18288 opened Dec 16, 2024

• Rust: Fix two bad joins

  #18290 opened Dec 16, 2024

• Rust: Data flow improvements to unlock flow in sqlx test

  #18291 opened Dec 16, 2024

• Rust: Never skip assignment LHS in data flow

  #18292 opened Dec 16, 2024

• Rust: update rust-analyzer

  #18295 opened Dec 16, 2024

• Experiment with merging PathGraph and GlobalFlowSig

  #18296 opened Dec 16, 2024

• Rust: Add support for MaD sources and sinks with access paths

  #18298 opened Dec 16, 2024

• Java: Deprecate experimental queries.

  #18299 opened Dec 16, 2024

• Rust: Query for access to a dangling pointer

  #18300 opened Dec 16, 2024

2 Issues closed by 2 people

• F

  #18286 closed Dec 14, 2024

• False positive

  #18272 closed Dec 12, 2024

2 Issues opened by 2 people

• Unable to validate code scanning workflow: error: getWorkflow() failed

  #18279 opened Dec 12, 2024

• codeql pack download microsoft/[email protected] fail

  #18264 opened Dec 11, 2024

15 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• C#: Add csharp cors query

  #18120 commented on Dec 17, 2024 • 31 new comments

• Shared: Add DataFlow::DeduplicatePathGraph

  #14350 commented on Dec 16, 2024 • 8 new comments

• Brodes/seh flow phas3.1 add basic seh edges

  #18253 commented on Dec 10, 2024 • 8 new comments

• Data flow: Rework reverse flow through parameters

  #18109 commented on Dec 13, 2024 • 6 new comments

• Rust: extract crate graph

  #18228 commented on Dec 16, 2024 • 6 new comments

• [JS]: Adding express-validator support

  #18252 commented on Dec 12, 2024 • 1 new comment

• [Java] - Limiting Flows Based on Patterns

  #18050 commented on Dec 10, 2024 • 0 new comments

• Swift: Xcode 16 - Library not loaded: @rpath/libSwiftSyntax.dylib

  #17819 commented on Dec 11, 2024 • 0 new comments

• C++ extraction aborted for compiler invocation when using std::format

  #18244 commented on Dec 16, 2024 • 0 new comments

• Python: Add type-tracking flow for class (instance) attributes

  #16670 commented on Dec 10, 2024 • 0 new comments

• Java: FileUpload Support MaD

  #17590 commented on Dec 10, 2024 • 0 new comments

• Go: `template/text.Template` execution methods: support reading arbitrary content

  #17701 commented on Dec 16, 2024 • 0 new comments

• Go: `database` local source models

  #17905 commented on Dec 13, 2024 • 0 new comments

• C#: Default subtypes to true.

  #18060 commented on Dec 10, 2024 • 0 new comments

• Python: Model additional flow steps for the lxml framework

  #18185 commented on Dec 12, 2024 • 0 new comments