Overview

35 Pull requests merged by19 people

• Java: Improve several join-orders

  #20088 mergedJul 18, 2025

• Java: Prune PathGraph for CsrfUnprotectedRequestType.ql

  #20083 mergedJul 18, 2025

• Update CSV framework coverage reports

  #20087 mergedJul 18, 2025

• Java: Add AnnotatedExitNodes to the CFG.

  #19885 mergedJul 17, 2025

• Ql4ql: Quality query tagging.

  #19931 mergedJul 17, 2025

• fix qhelp files

  #19707 mergedJul 17, 2025

• Java: allow the definition ofjava/unsafe-deserialization sinks using data extensions

  #20067 mergedJul 17, 2025

• Overlay: Enable overlay compilation for Java

  #19872 mergedJul 17, 2025

• Make a proper shared library out of the concept related libraries

  #19984 mergedJul 17, 2025

• Go: Fix compilation of DataFlowImplConsistency.qll

  #20053 mergedJul 17, 2025

• C#: Improve some existing manual models.

  #19940 mergedJul 17, 2025

• C++: Support the spaceship operator in the IR

  #20069 mergedJul 16, 2025

• C++: Add test that shows that IR generation for<=> is broken

  #20068 mergedJul 16, 2025

• C++: Don't wrap calls through function pointers inFunctionWithWrappers

  #20066 mergedJul 16, 2025

• C++: Fix typeid IR translation

  #20060 mergedJul 16, 2025

• Make web.config match case insensitive

  #20061 mergedJul 16, 2025

• C#: Make web.config match case insensitive (with change note)

  #20065 mergedJul 16, 2025

• feat: add getASupertype() predicate in ValueOrRefType.

  #20008 mergedJul 16, 2025

• Rust: Make rust/summary/query-sinks less noisy

  #20042 mergedJul 16, 2025

• C++: Reduce duplication incpp/uncontrolled-process-operation

  #20059 mergedJul 15, 2025

• Golang: Mark filepath.IsLocal as a tainted-path sanitizer guard

  #20056 mergedJul 15, 2025

• C++: Add test showing that the IR translation fortypeid is broken

  #20058 mergedJul 15, 2025

• Overlay: Add XML and Java property discarding

  #20011 mergedJul 15, 2025

• Java: Restrict results to source literals.

  #20054 mergedJul 15, 2025

• Java: useoverlayChangedFiles in discard prediactes

  #20049 mergedJul 15, 2025

• C++: Fix global variable dataflow FP

  #20040 mergedJul 14, 2025

• #"2025-07-14T15:36:31Z">Jul 14, 2025

• Kotlin: tweak plugin test

  #20039 mergedJul 14, 2025

• Rust: Rename type inference test inline expectation tag

  #20037 mergedJul 14, 2025

• Ruby: enable overlay compilation

  #19731 mergedJul 14, 2025

• Rust: Update legacy MaD models 3

  #19946 mergedJul 14, 2025

• Kotlin: Update regex patterns to use raw string notation

  #20034 mergedJul 14, 2025

• Bump golang.org/x/tools from 0.34.0 to 0.35.0 in /go/extractor in the extractor-dependencies group

  #20035 mergedJul 14, 2025

• Actions: Fix Critical Artifact poisoning False Positive

  #19388 mergedJul 14, 2025

• C++: Fix C++20 concept related class extensions

  #20026 mergedJul 13, 2025

25 Pull requests opened by10 people

• Python: Modernize 3 quality queries for comparison methods

  #20038 openedJul 14, 2025

• Rust: Type inference for tuples

  #20041 openedJul 14, 2025

• Shared: Overhaul the AlertFiltering QLDoc

  #20047 openedJul 14, 2025

• JS: Exclude patched libraries from `xml-bomb` sink

  #20048 openedJul 15, 2025

• Rust: Do not let type info flow into a let statement identifier when …

  #20051 openedJul 15, 2025

• Python: Minor documantation updates to several quality queries

  #20052 openedJul 15, 2025

• Rust: upgrade to rust 1.88 and rust-analyzer 0.0.294

  #20055 openedJul 15, 2025

• Java: Accept new test result after extractor upgrade

  #20057 openedJul 15, 2025

• Update Go Path Injection Sanitizer and Sink

  #20064 openedJul 16, 2025

• Actions: Diff-informed queries: phase 3 (non-trivial locations)

  #20072 openedJul 17, 2025

• C++: Diff-informed queries: phase 3 (non-trivial locations)

  #20073 openedJul 17, 2025

• C#: Diff-informed queries: phase 3 (non-trivial locations)

  #20074 openedJul 17, 2025

• Go: Diff-informed queries: phase 3 (non-trivial locations)

  #20075 openedJul 17, 2025

• Rust: Type inference refactor and improve join orders

  #20076 openedJul 17, 2025

• Java: Diff-informed queries: phase 3 (non-trivial locations)

  #20077 openedJul 17, 2025

• JS: Diff-informed queries: phase 3 (non-trivial locations)

  #20078 openedJul 17, 2025

• Python: Diff-informed queries: phase 3 (non-trivial locations)

  #20079 openedJul 17, 2025

• Ruby: Diff-informed queries: phase 3 (non-trivial locations)

  #20080 openedJul 17, 2025

• Rust: Diff-informed queries: phase 3 (non-trivial locations)

  #20081 openedJul 17, 2025

• Swift: Diff-informed queries: phase 3 (non-trivial locations)

  #20082 openedJul 17, 2025

• Rust: Implement type inference for trait objects/`dyn` types

  #20084 openedJul 17, 2025

• Python: Modernise raise-not-implemented query

  #20086 openedJul 17, 2025

• C#: Allow implicit collection reads in sinks nodes.

  #20089 openedJul 18, 2025

• Java: Fix accidental CP in CFG for asserts.

  #20091 openedJul 18, 2025

• Java: Improve more join-orders

  #20092 openedJul 18, 2025

10 Issues closed by5 people

• [Java] Flag calls to jdk.internal.misc.Unsafe

  #20070 closedJul 18, 2025

• Error running codeql database analyze go

  #19890 closedJul 17, 2025

• Take a look! 📌

  #20063 closedJul 16, 2025

• General issue: How to make QL scripts support accepting command-line arguments

  #20050 closedJul 16, 2025

• CodeQL try to check unknown commit

  #20062 closedJul 16, 2025

• [removed]

  #20046 closedJul 15, 2025

• [removed]

  #20045 closedJul 15, 2025

• General issue [removed]

  #20044 closedJul 15, 2025

• C# ReturnStmt (and other statements) doesn't return any getExpr() nor any getAChild() since v2.21.1

  #20033 closedJul 14, 2025

• - Add rake task to verify <<next>> placeholders are replaced when VERSION changes

  #20036 closedJul 14, 2025

3 Issues opened by3 people

• False positive: Full server-side request forgery

  #20093 openedJul 18, 2025

• General issue - When using `--build-mode=none`, Windows builds produce `Extraction error: 'MsvcCompiler' object has no attribute 'clangpp'`

  #20071 openedJul 17, 2025

• False positive: go/zipslip when `filepath.IsLocal` is already used

  #20043 openedJul 14, 2025

12 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Promote Insecure Spring Boot Actuator Configuration query from experimental

  #20006 commented onJul 18, 2025 • 7 new comments

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 commented onJul 17, 2025 • 3 new comments

• Diff-informed queries: phase 3 (non-trivial locations)

  #19957 commented onJul 17, 2025 • 3 new comments

• Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 commented onJul 18, 2025 • 2 new comments

• Idea/Feature request: codeql as MCP Server

  #19150 commented onJul 14, 2025 • 0 new comments

• General issue: Find the annotated type of a C# base interface

  #20032 commented onJul 16, 2025 • 0 new comments

• False positive - Log entries created from user input (cs/log-forging)

  #15824 commented onJul 17, 2025 • 0 new comments

• Spread unidentified

  #19914 commented onJul 19, 2025 • 0 new comments

• C#: Insecure Certificate Validation.

  #17603 commented onJul 17, 2025 • 0 new comments

• Just: introduce common "verbs"

  #19978 commented onJul 18, 2025 • 0 new comments

• Java: Update qhelp: SnakeYaml is safe from version 2.0

  #20018 commented onJul 15, 2025 • 0 new comments

• Shared: Improve sensitive data heuristics

  #20024 commented onJul 17, 2025 • 0 new comments