68 Pull requests merged by 23 people

• Ruby: generate overlay discard predicates

  #19719 merged Jun 25, 2025

• Ruby: add support for extracting overlay databases

  #19684 merged Jun 25, 2025

• JS: moved execa out of experimental

  #19858 merged Jun 25, 2025

• Use regex to match overlay annotations

  #19871 merged Jun 25, 2025

• JS: Remove legacy actions queries

  #19849 merged Jun 25, 2025

• JS: Model React 'use' and 'use server'

  #19852 merged Jun 25, 2025

• C++: Handle explicitly instantiated templates

  #16075 merged Jun 25, 2025

• pick-kotlin-version.py: tolerate warnings

  #19865 merged Jun 24, 2025

• QLDoc scripts: Fix overly permissive regex ranges

  #19867 merged Jun 24, 2025

• C++: Support more complex 16-bit float types

  #19862 merged Jun 24, 2025

• Convert remaining {go,swift,ruby}-code-scanning.qls query tests to .qlref

  #19817 merged Jun 24, 2025

• Post-release preparation for codeql-cli-2.22.1

  #19864 merged Jun 24, 2025

• Rust: Type inference for for loops and array expressions

  #19754 merged Jun 24, 2025

• QL4QL: Extend ql/inline-overlay-caller

  #19863 merged Jun 24, 2025

• Release preparation for version 2.22.1

  #19860 merged Jun 24, 2025

• Rust: enable change-note check

  #19853 merged Jun 24, 2025

• JS: Remote mention of Element MaD token

  #19859 merged Jun 24, 2025

• Rust: Add type inference for overloaded index expressions

  #19833 merged Jun 24, 2025

• JS: ClientRequests Axios Instance support

  #19655 merged Jun 24, 2025

• C++: Handle Arm SVE in the IR

  #19845 merged Jun 24, 2025

• JS: Explicitly Mark Sinon Package as Non RegExp

  #19854 merged Jun 24, 2025

• Overlay: Add script to help maintain overlay annotations

  #19778 merged Jun 24, 2025

• Rust: regenerate models after rust-analyzer update

  #19848 merged Jun 24, 2025

• Rust: upgrade rust-analyzer to 0.0.288

  #19524 merged Jun 23, 2025

• Rust: Add SatisfiesConstraintInput module in shared type inference

  #19829 merged Jun 23, 2025

• Rust: Take derive macros into account in is{In,From}MacroExpansion

  #19850 merged Jun 23, 2025

• Rust: Avoid overlapping path resolution consistency checks

  #19825 merged Jun 23, 2025

• Java: Remove java/deprecated-call from the Code Quality suite.

  #19843 merged Jun 23, 2025

• Rust: Update PoemHandlerParam to use getCanonicalPath

  #19801 merged Jun 23, 2025

• JS: Update Fastify tld

  #19822 merged Jun 23, 2025

• Rust: update docs for public preview

  #19280 merged Jun 23, 2025

• C#: Add another test for MissingAccessControl.ql

  #19826 merged Jun 23, 2025

• Rust: expand derive macros

  #19824 merged Jun 23, 2025

• MaD generator: use --threads=0 and 2GB per thread for --ram by default

  #19744 merged Jun 23, 2025

• Rust: adapt model generation to new format

  #19819 merged Jun 23, 2025

• C++: Update expected test results after extractor changes

  #19837 merged Jun 22, 2025

• Rust: expand attribute macros on AssocItem and ExternItem

  #19823 merged Jun 20, 2025

• Rust: limit number of diagnostics to 100 per trap file

  #19774 merged Jun 20, 2025

• Rust: yet another tentative fix to test flakiness

  #19836 merged Jun 20, 2025

• JavaScript: Don't extract obviously generated files

  #19680 merged Jun 20, 2025

• JS: Improve Express middleware taint tracking

  #19784 merged Jun 20, 2025

• Rust: Path resolution for crate::{self as foo}

  #19816 merged Jun 20, 2025

• Rust: fix nightly toolchain version for tests using it

  #19828 merged Jun 20, 2025

• Rust: Fix type inference for explicit dereference with * to the Deref trait

  #19820 merged Jun 20, 2025

• JS: Promote js/loop-iteration-skipped-due-to-shifting to the Code Quality suite

  #19743 merged Jun 20, 2025

• JS: Mass promotion of queries to quality status

  #19776 merged Jun 20, 2025

• Update qhelp style guide for markdown format

  #19730 merged Jun 20, 2025

• Java: Tag quality queries with quality and sub-category

  #19799 merged Jun 19, 2025

• Rust: backport Cargo.lock fixes for CI

  #19821 merged Jun 19, 2025

• Python: Tag quality queries with quality and sub category.

  #19812 merged Jun 19, 2025

• Update query-metadata-style-guide.md

  #19815 merged Jun 19, 2025

• Go: mass-enable diff-informed queries phase 2 - getASelected{Source,Sink}Location() { none() }

  #19760 merged Jun 19, 2025

• C++: mass-enable diff-informed queries phase 2 - getASelected{Source,Sink}Location() { none() }

  #19759 merged Jun 19, 2025

• Actions: mass-enable diff-informed queries phase 2 - getASelected{Source,Sink}Location() { none() }

  #19757 merged Jun 19, 2025

• Ruby: mass enable diff-informed data flow none() location overrides

  #19798 merged Jun 19, 2025

• JS: remove encodeURI from sanitizer list of request forgery

  #19750 merged Jun 19, 2025

• Python: Fix integration test

  #19818 merged Jun 19, 2025

• Java: mass enable diff-informed data flow + none() overrides

  #19795 merged Jun 19, 2025

• Go: Update tags for high precision quality queries

  #19763 merged Jun 19, 2025

• Rust: Account for borrows in operators in type inference

  #19789 merged Jun 19, 2025

• QL4QL: Add test for ql/inline-overlay-caller query

  #19810 merged Jun 19, 2025

• Python: mass enable diff-informed data flow none() location overrides

  #19797 merged Jun 19, 2025

• Swift: mass-enable diff-informed queries phase 2 - getASelected{Source,Sink}Location() { none() }

  #19761 merged Jun 19, 2025

• C#: mass-enable diff-informed queries phase 2 - getASelected{Source,Sink}Location() { none() }

  #19758 merged Jun 19, 2025

• C++: Add Arm scalable vector type QL classes

  #19792 merged Jun 18, 2025

• Quantum: Add OpenSSL signature models

  #19705 merged Jun 18, 2025

• Python: Modernize the init-calls-subclass query

  #19709 merged Jun 18, 2025

• Kotlin: clean up alternate-version code now that v1.5.x support is dropped

  #19496 merged Jun 18, 2025

18 Pull requests opened by 10 people

• Crypto: Fix cpp-specific code scanning alert failure

  #19814 opened Jun 18, 2025

• Update Go version in tests to `1.25.0-rc.1`

  #19827 opened Jun 20, 2025

• Bump `rules_go` to `0.55.1`

  #19831 opened Jun 20, 2025

• C++: Support SQL Injection sinks for Oracle Call Interface (OCI)

  #19832 opened Jun 20, 2025

• Java: convert remaining `java-code-scanning.qls` query tests to `.qlref`

  #19842 opened Jun 23, 2025

• Java: Add `java/javautilconcurrentscheduledthreadpoolexecutor` query for zero thread pool size

  #19844 opened Jun 23, 2025

• Java: Diff-informed CleartextStorageCookie.ql

  #19846 opened Jun 23, 2025

• Rust: Handle more explicit type arguments in type inference

  #19847 opened Jun 23, 2025

• Rust: refactor `pre_emit!` and `post_emit!` to a trait

  #19851 opened Jun 23, 2025

• DataFlow: Run overlay-informed if not diff-informed

  #19857 opened Jun 24, 2025

• Rust: refactor `ast-generator` to have all customization at the start

  #19861 opened Jun 24, 2025

• Codegen: improve implementation of generated parent/child relationship

  #19866 opened Jun 24, 2025

• C++: Update stats file after DCA and extractor changes

  #19870 opened Jun 25, 2025

• Overlay: Enable overlay compilation for Java

  #19872 opened Jun 25, 2025

• Rust: make `AssocItem` and `ExternItem` subclasses of `Item`

  #19873 opened Jun 25, 2025

• Codegen: use one generated test file per directory

  #19874 opened Jun 25, 2025

• Java: Add query to detect special characters in string literals

  #19875 opened Jun 25, 2025

• Rust: fix parallel execution of tests using the nightly toolchain

  #19876 opened Jun 25, 2025

2 Issues closed by 2 people

• Unique IDs for C++ Functions

  #15342 closed Jun 25, 2025

• Go: False positive when use sync.Map

  #18916 closed Jun 23, 2025

9 Issues opened by 8 people

• Error running query java.util.concurrent.CompletionException:

  #19869 opened Jun 25, 2025

• Variable shadows a function in python extractor telemetry code

  #19868 opened Jun 24, 2025

• False positive

  #19856 opened Jun 24, 2025

• Code QL not finding sql server injection attack

  #19855 opened Jun 23, 2025

• Ruby: Error parsing embedded multiline blocks

  #19841 opened Jun 23, 2025

• how to filter out this situation？

  #19838 opened Jun 21, 2025

• [actions] Add detection for workflow_dispatch TOCTOU

  #19835 opened Jun 20, 2025

• False positive: Critical Artifact poisoning

  #19834 opened Jun 20, 2025

• [cpp] Check whether path between function A and function B exists

  #19830 opened Jun 20, 2025

26 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Shared/Java: Add shared Guards library and switch Java to use it.

  #19573 commented on Jun 25, 2025 • 29 new comments

• Overlay: Add manual Java overlay annotations & discard predicates

  #19813 commented on Jun 25, 2025 • 9 new comments

• Rust: New query rust/access-after-lifetime-ended

  #19702 commented on Jun 24, 2025 • 5 new comments

• Overlay: Add overlay annotations to Java & shared libraries

  #19779 commented on Jun 25, 2025 • 4 new comments

• Improve data flow in the `async` package

  #19770 commented on Jun 25, 2025 • 2 new comments

• Improve NestJS sources and dependency injection

  #19769 commented on Jun 25, 2025 • 1 new comment

• Add lodash GroupBy as taint step

  #19768 commented on Jun 25, 2025 • 1 new comment

• Rust: Update DotDotCheck to use getCanonicalPath

  #19804 commented on Jun 25, 2025 • 0 new comments

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 commented on Jun 25, 2025 • 0 new comments

• Go: remove language tests from workflows

  #19781 commented on Jun 23, 2025 • 0 new comments

• Overlay: Add CI workflow to check overlay annotations

  #19780 commented on Jun 25, 2025 • 0 new comments

• Improve TypeORM model

  #19762 commented on Jun 25, 2025 • 0 new comments

• Ruby: enable overlay compilation

  #19731 commented on Jun 25, 2025 • 0 new comments

• Fixes in cpp/global-use-before-init

  #19676 commented on Jun 23, 2025 • 0 new comments

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 commented on Jun 23, 2025 • 0 new comments

• JS: Deprecate type extraction

  #19640 commented on Jun 25, 2025 • 0 new comments

• Quantum: Support for BouncyCastle signature algorithms and block cipher modes

  #19568 commented on Jun 19, 2025 • 0 new comments

• Handling of axios in functions and making axios create function recur…

  #19337 commented on Jun 20, 2025 • 0 new comments

• Rust: new query rust/hardcoded-crytographic-value

  #18943 commented on Jun 24, 2025 • 0 new comments

• General issue Go. Why isn't the following code recognized as a source in a global data stream?

  #19807 commented on Jun 25, 2025 • 0 new comments

• Kotlin language database create bug?

  #19670 commented on Jun 24, 2025 • 0 new comments

• Extraction error with tsg-python

  #19736 commented on Jun 24, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented on Jun 24, 2025 • 0 new comments

• Add support for Oracle Call Interface (OCI) to C/C++ coverage

  #19764 commented on Jun 24, 2025 • 0 new comments

• CodeQL Docs: SnakeYaml is now secure by default

  #19664 commented on Jun 20, 2025 • 0 new comments

• Code scanning doesn't run on pull request in organization repo

  #19698 commented on Jun 19, 2025 • 0 new comments