35 Pull requests merged by 16 people

• Ruby: generate overlay discard predicates

  #19719 merged Jun 25, 2025

• Ruby: add support for extracting overlay databases

  #19684 merged Jun 25, 2025

• JS: moved execa out of experimental

  #19858 merged Jun 25, 2025

• Use regex to match overlay annotations

  #19871 merged Jun 25, 2025

• JS: Remove legacy actions queries

  #19849 merged Jun 25, 2025

• JS: Model React 'use' and 'use server'

  #19852 merged Jun 25, 2025

• C++: Handle explicitly instantiated templates

  #16075 merged Jun 25, 2025

• pick-kotlin-version.py: tolerate warnings

  #19865 merged Jun 24, 2025

• QLDoc scripts: Fix overly permissive regex ranges

  #19867 merged Jun 24, 2025

• C++: Support more complex 16-bit float types

  #19862 merged Jun 24, 2025

• Convert remaining {go,swift,ruby}-code-scanning.qls query tests to .qlref

  #19817 merged Jun 24, 2025

• Post-release preparation for codeql-cli-2.22.1

  #19864 merged Jun 24, 2025

• Rust: Type inference for for loops and array expressions

  #19754 merged Jun 24, 2025

• QL4QL: Extend ql/inline-overlay-caller

  #19863 merged Jun 24, 2025

• Release preparation for version 2.22.1

  #19860 merged Jun 24, 2025

• Rust: enable change-note check

  #19853 merged Jun 24, 2025

• JS: Remote mention of Element MaD token

  #19859 merged Jun 24, 2025

• Rust: Add type inference for overloaded index expressions

  #19833 merged Jun 24, 2025

• JS: ClientRequests Axios Instance support

  #19655 merged Jun 24, 2025

• C++: Handle Arm SVE in the IR

  #19845 merged Jun 24, 2025

• JS: Explicitly Mark Sinon Package as Non RegExp

  #19854 merged Jun 24, 2025

• Overlay: Add script to help maintain overlay annotations

  #19778 merged Jun 24, 2025

• Rust: regenerate models after rust-analyzer update

  #19848 merged Jun 24, 2025

• Rust: upgrade rust-analyzer to 0.0.288

  #19524 merged Jun 23, 2025

• Rust: Add SatisfiesConstraintInput module in shared type inference

  #19829 merged Jun 23, 2025

• Rust: Take derive macros into account in is{In,From}MacroExpansion

  #19850 merged Jun 23, 2025

• Rust: Avoid overlapping path resolution consistency checks

  #19825 merged Jun 23, 2025

• Java: Remove java/deprecated-call from the Code Quality suite.

  #19843 merged Jun 23, 2025

• Rust: Update PoemHandlerParam to use getCanonicalPath

  #19801 merged Jun 23, 2025

• JS: Update Fastify tld

  #19822 merged Jun 23, 2025

• Rust: update docs for public preview

  #19280 merged Jun 23, 2025

• C#: Add another test for MissingAccessControl.ql

  #19826 merged Jun 23, 2025

• Rust: expand derive macros

  #19824 merged Jun 23, 2025

• MaD generator: use --threads=0 and 2GB per thread for --ram by default

  #19744 merged Jun 23, 2025

• Rust: adapt model generation to new format

  #19819 merged Jun 23, 2025

14 Pull requests opened by 7 people

• Java: convert remaining `java-code-scanning.qls` query tests to `.qlref`

  #19842 opened Jun 23, 2025

• Java: Add `java/javautilconcurrentscheduledthreadpoolexecutor` query for zero thread pool size

  #19844 opened Jun 23, 2025

• Java: Diff-informed CleartextStorageCookie.ql

  #19846 opened Jun 23, 2025

• Rust: Handle more explicit type arguments in type inference

  #19847 opened Jun 23, 2025

• Rust: refactor `pre_emit!` and `post_emit!` to a trait

  #19851 opened Jun 23, 2025

• DataFlow: Run overlay-informed if not diff-informed

  #19857 opened Jun 24, 2025

• Rust: refactor `ast-generator` to have all customization at the start

  #19861 opened Jun 24, 2025

• Codegen: improve implementation of generated parent/child relationship

  #19866 opened Jun 24, 2025

• C++: Update stats file after DCA and extractor changes

  #19870 opened Jun 25, 2025

• Overlay: Enable overlay compilation for Java

  #19872 opened Jun 25, 2025

• Rust: make `AssocItem` and `ExternItem` subclasses of `Item`

  #19873 opened Jun 25, 2025

• Codegen: use one generated test file per directory

  #19874 opened Jun 25, 2025

• Java: Add query to detect special characters in string literals

  #19875 opened Jun 25, 2025

• Rust: fix parallel execution of tests using the nightly toolchain

  #19876 opened Jun 25, 2025

2 Issues closed by 2 people

• Unique IDs for C++ Functions

  #15342 closed Jun 25, 2025

• Go: False positive when use sync.Map

  #18916 closed Jun 23, 2025

5 Issues opened by 5 people

• Error running query java.util.concurrent.CompletionException:

  #19869 opened Jun 25, 2025

• Variable shadows a function in python extractor telemetry code

  #19868 opened Jun 24, 2025

• False positive

  #19856 opened Jun 24, 2025

• Code QL not finding sql server injection attack

  #19855 opened Jun 23, 2025

• Ruby: Error parsing embedded multiline blocks

  #19841 opened Jun 23, 2025

26 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Shared/Java: Add shared Guards library and switch Java to use it.

  #19573 commented on Jun 25, 2025 • 29 new comments

• Overlay: Add manual Java overlay annotations & discard predicates

  #19813 commented on Jun 25, 2025 • 5 new comments

• Overlay: Add overlay annotations to Java & shared libraries

  #19779 commented on Jun 25, 2025 • 4 new comments

• Improve data flow in the `async` package

  #19770 commented on Jun 25, 2025 • 2 new comments

• Improve NestJS sources and dependency injection

  #19769 commented on Jun 25, 2025 • 1 new comment

• Add lodash GroupBy as taint step

  #19768 commented on Jun 25, 2025 • 1 new comment

• Rust: New query rust/access-after-lifetime-ended

  #19702 commented on Jun 24, 2025 • 1 new comment

• C++: Support SQL Injection sinks for Oracle Call Interface (OCI)

  #19832 commented on Jun 24, 2025 • 0 new comments

• Update Go version in tests to `1.25.0-rc.1`

  #19827 commented on Jun 23, 2025 • 0 new comments

• Rust: Update DotDotCheck to use getCanonicalPath

  #19804 commented on Jun 25, 2025 • 0 new comments

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 commented on Jun 25, 2025 • 0 new comments

• Go: remove language tests from workflows

  #19781 commented on Jun 23, 2025 • 0 new comments

• Overlay: Add CI workflow to check overlay annotations

  #19780 commented on Jun 25, 2025 • 0 new comments

• Improve TypeORM model

  #19762 commented on Jun 25, 2025 • 0 new comments

• Ruby: enable overlay compilation

  #19731 commented on Jun 25, 2025 • 0 new comments

• Fixes in cpp/global-use-before-init

  #19676 commented on Jun 23, 2025 • 0 new comments

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 commented on Jun 23, 2025 • 0 new comments

• JS: Deprecate type extraction

  #19640 commented on Jun 25, 2025 • 0 new comments

• Rust: new query rust/hardcoded-crytographic-value

  #18943 commented on Jun 24, 2025 • 0 new comments

• [actions] Add detection for workflow_dispatch TOCTOU

  #19835 commented on Jun 25, 2025 • 0 new comments

• General issue Go. Why isn't the following code recognized as a source in a global data stream?

  #19807 commented on Jun 25, 2025 • 0 new comments

• Kotlin language database create bug?

  #19670 commented on Jun 24, 2025 • 0 new comments

• how to filter out this situation？

  #19838 commented on Jun 24, 2025 • 0 new comments

• Extraction error with tsg-python

  #19736 commented on Jun 24, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented on Jun 24, 2025 • 0 new comments

• Add support for Oracle Call Interface (OCI) to C/C++ coverage

  #19764 commented on Jun 24, 2025 • 0 new comments