28 Pull requests merged by 18 people

• Go: promote html-template-escaping-bypass-xss

  #19386 merged Jun 6, 2025

• Bump the extractor-dependencies group in /go/extractor with 2 updates

  #19683 merged Jun 6, 2025

• Update CSV framework coverage reports

  #19673 merged Jun 5, 2025

• Actions: Make Env non-abstract

  #19675 merged Jun 5, 2025

• C++: accept new test results after changes

  #19533 merged Jun 5, 2025

• Rust: Remove external locations in tests using post-processing

  #19669 merged Jun 4, 2025

• Rust: add documentation for AST nodes

  #19630 merged Jun 4, 2025

• JS: new Quality query - Unhandled errors in .pipe() chain

  #19544 merged Jun 4, 2025

• C++: Update expected test results and compiler version documentation after frontend update

  #18931 merged Jun 4, 2025

• Go: Add BigQuery as a sink for SQLi queries #2

  #19561 merged Jun 4, 2025

• Quantum: Add base classes for OpenSSL EVP methods

  #19607 merged Jun 3, 2025

• C++: Add support for getting literals in using declarations

  #19603 merged Jun 3, 2025

• Docs: Add changelog entry for CodeQL 2.21.4 release

  #19643 merged Jun 3, 2025

• Ripunzip: update to 2.0.2

  #19644 merged Jun 3, 2025

• JS: Mark AngularJS $location as client-side remote flow source

  #19587 merged Jun 3, 2025

• C++: Fix typo in downgrade script

  #19652 merged Jun 3, 2025

• Rust: restrict line and file counts to include only extracted source files

  #19616 merged Jun 3, 2025

• Rust: Extend jump-to-def to include paths and mod file; imports

  #19605 merged Jun 3, 2025

• Quantum: Add OpenSSL key agreement instances and consumers

  #19632 merged Jun 2, 2025

• Rust: Refactor type equality

  #19624 merged Jun 2, 2025

• Quantum: Added signature input nodes to signature verify operation nodes

  #19623 merged Jun 2, 2025

• CI: remove deprecated windows-2019 usage

  #19642 merged Jun 2, 2025

• JS: Add URL constructor taint tracking for request forgery

  #19634 merged Jun 2, 2025

• Quantum: Add initial qltests for OpenSSL modeling

  #19564 merged Jun 2, 2025

• Fix user-facing casing of NuGet

  #19638 merged Jun 2, 2025

• Python: Add Pandas SQLi sinks

  #19594 merged Jun 2, 2025

• Rust: Also take the std prelude into account when resolving paths

  #19611 merged Jun 2, 2025

• Rust: skip unexpanded stuff in library emission

  #19585 merged Jun 2, 2025

28 Pull requests opened by 14 people

• JS: Deprecate type extraction

  #19640 opened Jun 2, 2025

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 opened Jun 2, 2025

• Rust: extract `hasImplementation` on functions and consts

  #19649 opened Jun 3, 2025

• Add `cs/string-concatenation-in-loop` to the quality suite

  #19650 opened Jun 3, 2025

• Rust: emit `Const` bodies in library mode

  #19651 opened Jun 3, 2025

• Go: fix models through redefined types

  #19653 opened Jun 3, 2025

• Go: fix `DefinedType.getBaseType`

  #19654 opened Jun 3, 2025

• JS: ClientRequests Axios Instance support

  #19655 opened Jun 3, 2025

• Add `client-response` Threat Model and update JS ClientsRequests

  #19656 opened Jun 3, 2025

• Rust: Simple type inference for index expressions

  #19657 opened Jun 3, 2025

• Rust: Fix type inference for library parameters

  #19658 opened Jun 3, 2025

• Actions: mass enable diff-informed data flow

  #19659 opened Jun 3, 2025

• Go: mass enable diff-informed data flow

  #19660 opened Jun 3, 2025

• C#: mass enable diff-informed data flow

  #19661 opened Jun 3, 2025

• Swift: mass enable diff-informed data flow

  #19662 opened Jun 3, 2025

• C++: mass enable diff-informed data flow

  #19663 opened Jun 3, 2025

• Rust: Use QL computed canonical paths in MaD `Field` tokens

  #19667 opened Jun 4, 2025

• Python: Support type annotations in call graph

  #19672 opened Jun 4, 2025

• Rust: regenerate MaD files using DCA

  #19674 opened Jun 5, 2025

• Fixes in cpp/global-use-before-init

  #19676 opened Jun 5, 2025

• Go: Improve two class names and add some helper predicates

  #19677 opened Jun 5, 2025

• Swift: Update to Swift 6.1.2

  #19678 opened Jun 5, 2025

• C++: Update stats file after changes to DCA source suite

  #19679 opened Jun 5, 2025

• JavaScript: Don't extract obviously generated files

  #19680 opened Jun 5, 2025

• Ruby: add support for extracting overlay databases

  #19684 opened Jun 6, 2025

• Rust: Data flow through overloaded operators

  #19685 opened Jun 6, 2025

• C++: Add boolean for explicit lambda parameter lists

  #19686 opened Jun 6, 2025

• C++: Support the `__mfp8` floating point type

  #19688 opened Jun 6, 2025

10 Issues closed by 5 people

• General issue

  #19697 closed Jun 7, 2025

• +62 878-4125-6375

  #19696 closed Jun 7, 2025

• +62 878-4125-6375

  #19695 closed Jun 7, 2025

• [Java] Issue resolving dependences

  #19458 closed Jun 6, 2025

• BDD node limit of 2^^25 reached on Type erasure

  #19648 closed Jun 5, 2025

• Actions: Identifying keywords like `with`, `shell`

  #19629 closed Jun 5, 2025

• Vulnerable Python code is not detected by CWE-094 rule

  #14347 closed Jun 5, 2025

• C++: Multi-Level Member Function Calls Not Modeled as DataFlow::Node

  #19457 closed Jun 4, 2025

• How to speed up the execution

  #19471 closed Jun 4, 2025

• CodeQL DB missing half the source C files, getting compiled with no errors.

  #19066 closed Jun 3, 2025

8 Issues opened by 8 people

• Code scanning doesn't run on pull request in organization repo

  #19698 opened Jun 8, 2025

• False Positive: "Statement has no effect" on Airflow task chaining with >> operator

  #19687 opened Jun 6, 2025

• False positive: Env var is from config, not vault, and contains the name of another env var

  #19681 opened Jun 5, 2025

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 opened Jun 4, 2025

• Kotlin language database create bug?

  #19670 opened Jun 4, 2025

• can i still use old api for codeql？

  #19668 opened Jun 4, 2025

• C/C++: `Gotostmt` also matches `__leave` keyword

  #19666 opened Jun 4, 2025

• CodeQL Docs: SnakeYaml is now secure by default

  #19664 opened Jun 3, 2025

23 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Quantum: Initial support for BouncyCastle signature algorithms

  #19568 commented on Jun 5, 2025 • 24 new comments

• JS: QL-side type/name resolution for TypeScript and JSDoc

  #19078 commented on Jun 4, 2025 • 12 new comments

• JS: Improve `useless-expression` query to avoid duplicate alerts on compound expressions

  #19579 commented on Jun 3, 2025 • 4 new comments

• Rust: Make `SummarizedCallable` extend `Function` instead of `string`

  #19268 commented on Jun 4, 2025 • 3 new comments

• Rust: update supported languages and frameworks

  #19280 commented on Jun 6, 2025 • 3 new comments

• Quantum: OpenSSL signatures

  #19628 commented on Jun 5, 2025 • 2 new comments

• Rust: Type inference for `.await` expressions

  #19584 commented on Jun 4, 2025 • 2 new comments

• Rust: upgrade `rust-analyzer` to 0.0.285

  #19524 commented on Jun 5, 2025 • 2 new comments

• Add script to add overlay annotations

  #19631 commented on Jun 6, 2025 • 1 new comment

• Rust: Path resolution for `extern crate`s

  #19614 commented on Jun 4, 2025 • 0 new comments

• C++: Generate flow summaries for `curl/curl`

  #19596 commented on Jun 2, 2025 • 0 new comments

• C#: Improve `cs/dereference-*` queries and add to the Code Quality suite.

  #19589 commented on Jun 4, 2025 • 0 new comments

• Diff-informed queries via primary/secondary abstractions

  #19586 commented on Jun 2, 2025 • 0 new comments

• Rust: Remove source vs library deduplication logic

  #19577 commented on Jun 2, 2025 • 0 new comments

• Rust: move body skipping logic to code generation

  #19559 commented on Jun 3, 2025 • 0 new comments

• Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages

  #19530 commented on Jun 6, 2025 • 0 new comments

• Add Microsoft to trusted actions owner

  #19450 commented on Jun 5, 2025 • 0 new comments

• temp

  #18230 commented on Jun 2, 2025 • 0 new comments

• C++: request for support more C++ features to avoid failures in CodeQL compile

  #16652 commented on Jun 4, 2025 • 0 new comments

• False positive: Go / MongoDB Find method

  #19537 commented on Jun 4, 2025 • 0 new comments

• Java: static field access of unknown class breaks dataflow (build-mode=none)

  #19597 commented on Jun 4, 2025 • 0 new comments

• [Bug] Spurious `remote: error: GH013: Repository rule violations found for refs/heads/trunk.` `remote: - Code scanning is waiting for results from CodeQL for the commit`

  #19459 commented on Jun 3, 2025 • 0 new comments

• Add support for Swift 6.1 / Xcode 16.3 with Autobuild

  #19522 commented on Jun 2, 2025 • 0 new comments