Overview

59 Pull requests merged by24 people

• Fixes in cpp/global-use-before-init

  #19676 mergedJul 1, 2025

• C++: Remove unusedexternal_package tables from the dbscheme

  #19938 mergedJul 1, 2025

• Rust: add togenerate-code-scanning-query-list.py andshared-code-metrics.py scripts

  #19939 mergedJul 1, 2025

• Rust: Apply inherent method prioritization inside type inference loop

  #19903 mergedJul 1, 2025

• Rust: Assume prelude is always available in path resolution

  #19936 mergedJul 1, 2025

• Fix markdown query help formatting

  #19892 mergedJul 1, 2025

• Ruby: Do not computeStringlikeLiteralImpl.getStringValue for large strings

  #19926 mergedJul 1, 2025

• C++: synchronize dbscheme

  #19935 mergedJul 1, 2025

• Go/Ruby/Python: Freeze quality queries insecurity-and-quality.

  #19891 mergedJul 1, 2025

• Rust: makeAssocItem andExternItem subclasses ofItem

  #19873 mergedJul 1, 2025

• C++: fix(no string representation) forConstructorInit

  #19907 mergedJul 1, 2025

• C++: Add Arm64 change note

  #19933 mergedJun 30, 2025

• Python: Allow use ofmatch as an identifier

  #19895 mergedJun 30, 2025

• Java: updatejava/call-to-thread-run

  #19175 mergedJun 30, 2025

• Codegen: improve implementation of generated parent/child relationship

  #19866 mergedJun 30, 2025

• Rust: Fix variable capture inconsistencies

  #19916 mergedJun 30, 2025

• C++: Sync the product-flow field flow branch limits with the default one

  #19904 mergedJun 30, 2025

• Overlay: Add manual Java overlay annotations & discard predicates

  #19813 mergedJun 30, 2025

• Improve NestJS sources and dependency injection

  #19769 mergedJun 30, 2025

• Improve TypeORM model

  #19762 mergedJun 30, 2025

• C++: Merge the location tables

  #17581 mergedJun 30, 2025

• Rust: New query rust/access-after-lifetime-ended

  #19702 mergedJun 30, 2025

• Create copilot-instructions.md

  #19899 mergedJun 30, 2025

• Update CSV framework coverage reports

  #19910 mergedJun 30, 2025

• Overlay: Add CI workflow to check overlay annotations

  #19780 mergedJun 30, 2025

• Crypto: Refactor OpenSSL operation step data-flow logic

  #19880 mergedJun 27, 2025

• Overlay: Add missingoverlay[caller?] annotation

  #19901 mergedJun 27, 2025

• Overlay: Add overlay annotation to shared lib

  #19898 mergedJun 27, 2025

• C++: Pretty print MaD ids in test output

  #19894 mergedJun 27, 2025

• Rust: CacheDataFlow::Node.{toString,getLocation}

  #19886 mergedJun 27, 2025

• C#: Models for Microsoft.Data.SqlClient.

  #19877 mergedJun 27, 2025

• Java, Ruby: add missing .qlref tests

  #19888 mergedJun 27, 2025

• Rust: Data flow through trait methods

  #19881 mergedJun 27, 2025

• Java: Diff-informed CleartextStorageCookie.ql

  #19846 mergedJun 27, 2025

• Kaspersv/overlay java annotations

  #19887 mergedJun 27, 2025

• Overlay: Add overlay annotations to Java & shared libraries

  #19779 mergedJun 27, 2025

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 mergedJun 26, 2025

• C++: Support SQL Injection sinks for Oracle Call Interface (OCI)

  #19832 mergedJun 26, 2025

• Crypto: Fix QL-for-QL alerts and refactor type standardization

  #19814 mergedJun 26, 2025

• Ruby/Rust/QL: simplify generation of overlay-related tables/predicates

  #19878 mergedJun 26, 2025

• Java: Addjava/javautilconcurrentscheduledthreadpoolexecutor query for zero thread pool size

  #19844 mergedJun 26, 2025

• Codegen: use one generated test file per directory

  #19874 mergedJun 26, 2025

• Java: Fix assert CFG by properly tagging the false successor.

  #19883 mergedJun 26, 2025

• Guards: Refactor EqualityTest interface.

  #19884 mergedJun 26, 2025

• C++: Update stats file after DCA and extractor changes

  #19870 mergedJun 26, 2025

• Shared/Java: Add shared Guards library and switch Java to use it.

  #19573 mergedJun 26, 2025

• Go: Avoid using deprecated class

  #19882 mergedJun 26, 2025

• Go: fixDefinedType.getBaseType

  #19654 mergedJun 25, 2025

• Go: Improve two class names and add some helper predicates

  #19677 mergedJun 25, 2025

• Rust: refactorpre_emit! andpost_emit! to a trait

  #19851 mergedJun 25, 2025

• Java: convert remainingjava-code-scanning.qls query tests to.qlref

  #19842 mergedJun 25, 2025

• Rust: fix parallel execution of tests using the nightly toolchain

  #19876 mergedJun 25, 2025

• Ruby: generate overlay discard predicates

  #19719 mergedJun 25, 2025

• Ruby: add support for extracting overlay databases

  #19684 mergedJun 25, 2025

• JS: movedexeca out of experimental

  #19858 mergedJun 25, 2025

• Use regex to match overlay annotations

  #19871 mergedJun 25, 2025

• JS: Remove legacy actions queries

  #19849 mergedJun 25, 2025

• JS: Model React 'use' and 'use server'

  #19852 mergedJun 25, 2025

• C++: Handle explicitly instantiated templates

  #16075 mergedJun 25, 2025

23 Pull requests opened by16 people

• Overlay: Enable overlay compilation for Java

  #19872 openedJun 25, 2025

• Java: Add query to detect special characters in string literals

  #19875 openedJun 25, 2025

• Java: Add AnnotatedExitNodes to the CFG.

  #19885 openedJun 26, 2025

• Add changelog entry for CodeQL CLI version 2.22.1

  #19893 openedJun 26, 2025

• Java/Ruby/Rust/QL: add `overlayChangedFiles` relation to dbscheme

  #19896 openedJun 26, 2025

• Quantum: Initial support for C#

  #19905 openedJun 27, 2025

• Quantum: Refactor OpenSSL padding modeling

  #19908 openedJun 27, 2025

• Rust: Disambiguate more method calls based on argument types

  #19927 openedJun 30, 2025

• Python: Update `tree-sitter` dependency

  #19929 openedJun 30, 2025

• Rust: upgrade `rust-analyzer` to 0.0.289

  #19930 openedJun 30, 2025

• Ql4ql: Quality query tagging.

  #19931 openedJun 30, 2025

• [Draft] Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 openedJun 30, 2025

• Rust: Update legacy MaD models 1

  #19934 openedJun 30, 2025

• EXPERIMENT: Test overlay fixes

  #19937 openedJul 1, 2025

• C#: Improve some existing manual models.

  #19940 openedJul 1, 2025

• C++: accept new test results after extractor changes

  #19941 openedJul 1, 2025

• Rust: Update legacy MaD models 2

  #19942 openedJul 1, 2025

• Support approximate related locations

  #19943 openedJul 1, 2025

• Signature model refactor

  #19944 openedJul 1, 2025

• Rust: fix macro expansion in library code

  #19945 openedJul 1, 2025

• Rust: Update legacy MaD models 3

  #19946 openedJul 1, 2025

• C++: Move builtin function identification to its own table

  #19947 openedJul 1, 2025

• Rust: Update legacy MaD models 4

  #19948 openedJul 1, 2025

4 Issues closed by3 people

• Extraction error with tsg-python

  #19736 closedJun 30, 2025

• Gg

  #19913 closedJun 30, 2025

• Add support for Oracle Call Interface (OCI) to C/C++ coverage

  #19764 closedJun 26, 2025

• Unique IDs for C++ Functions

  #15342 closedJun 25, 2025

8 Issues opened by7 people

• False positive

  #19949 openedJul 1, 2025

• CodeQL Python query runs extremely slow on medium-sized project using TaintTracking::Global

  #19928 openedJun 30, 2025

• Spread unidentified

  #19914 openedJun 30, 2025

• Feature request: overwrite existing database, but ask first

  #19909 openedJun 27, 2025

• ShellEscape aint always escaping shells

  #19906 openedJun 27, 2025

• Flask ImmutableMultiDict type cannot be accurately determined when calling to_dict

  #19902 openedJun 27, 2025

• [python] The tuple (*) argument of a call cannot step to function parameter for the CommandInjectionCustomizations flow

  #19900 openedJun 27, 2025

• Error running codeql database analyze go

  #19890 openedJun 26, 2025

20 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Rust: Handle more explicit type arguments in type inference

  #19847 commented onJul 1, 2025 • 5 new comments

• Add lodash GroupBy as taint step

  #19768 commented onJun 26, 2025 • 1 new comment

• JS: Disable type extraction

  #19640 commented onJul 1, 2025 • 1 new comment

• Rust: refactor `ast-generator` to have all customization at the start

  #19861 commented onJun 30, 2025 • 0 new comments

• Rust: Update DotDotCheck to use getCanonicalPath

  #19804 commented onJun 25, 2025 • 0 new comments

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 commented onJun 25, 2025 • 0 new comments

• Go: remove language tests from workflows

  #19781 commented onJun 30, 2025 • 0 new comments

• Improve data flow in the `async` package

  #19770 commented onJun 26, 2025 • 0 new comments

• Ruby: enable overlay compilation

  #19731 commented onJun 25, 2025 • 0 new comments

• Quantum: Support for BouncyCastle signature algorithms and block cipher modes

  #19568 commented onJun 27, 2025 • 0 new comments

• C++: Uncomment `@function.kind` in the dbscheme

  #15233 commented onJul 1, 2025 • 0 new comments

• Why doesn't CodeQL support auditing PHP

  #12376 commented onJul 1, 2025 • 0 new comments

• python false positive Clear-text logging of sensitive information

  #13538 commented onJul 1, 2025 • 0 new comments

• False positive

  #19856 commented onJul 1, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented onJul 1, 2025 • 0 new comments

• C++: request for support more C++ features to avoid failures in CodeQL compile

  #16652 commented onJun 30, 2025 • 0 new comments

• Code QL not finding sql server injection attack

  #19855 commented onJun 27, 2025 • 0 new comments

• [actions] Add detection for workflow_dispatch TOCTOU

  #19835 commented onJun 25, 2025 • 0 new comments

• General issue Go. Why isn't the following code recognized as a source in a global data stream?

  #19807 commented onJun 25, 2025 • 0 new comments

• Error running query java.util.concurrent.CompletionException:

  #19869 commented onJun 25, 2025 • 0 new comments