19 Pull requests merged by 12 people

• Java: Improve several join-orders

  #20088 merged Jul 18, 2025

• Java: Prune PathGraph for CsrfUnprotectedRequestType.ql

  #20083 merged Jul 18, 2025

• Update CSV framework coverage reports

  #20087 merged Jul 18, 2025

• Java: Add AnnotatedExitNodes to the CFG.

  #19885 merged Jul 17, 2025

• Ql4ql: Quality query tagging.

  #19931 merged Jul 17, 2025

• fix qhelp files

  #19707 merged Jul 17, 2025

• Java: allow the definition of java/unsafe-deserialization sinks using data extensions

  #20067 merged Jul 17, 2025

• Overlay: Enable overlay compilation for Java

  #19872 merged Jul 17, 2025

• Make a proper shared library out of the concept related libraries

  #19984 merged Jul 17, 2025

• Go: Fix compilation of DataFlowImplConsistency.qll

  #20053 merged Jul 17, 2025

• C#: Improve some existing manual models.

  #19940 merged Jul 17, 2025

• C++: Support the spaceship operator in the IR

  #20069 merged Jul 16, 2025

• C++: Add test that shows that IR generation for <=> is broken

  #20068 merged Jul 16, 2025

• C++: Don't wrap calls through function pointers in FunctionWithWrappers

  #20066 merged Jul 16, 2025

• C++: Fix typeid IR translation

  #20060 merged Jul 16, 2025

• Make web.config match case insensitive

  #20061 merged Jul 16, 2025

• C#: Make web.config match case insensitive (with change note)

  #20065 merged Jul 16, 2025

• feat: add getASupertype() predicate in ValueOrRefType.

  #20008 merged Jul 16, 2025

• Rust: Make rust/summary/query-sinks less noisy

  #20042 merged Jul 16, 2025

17 Pull requests opened by 6 people

• Update Go Path Injection Sanitizer and Sink

  #20064 opened Jul 16, 2025

• Actions: Diff-informed queries: phase 3 (non-trivial locations)

  #20072 opened Jul 17, 2025

• C++: Diff-informed queries: phase 3 (non-trivial locations)

  #20073 opened Jul 17, 2025

• C#: Diff-informed queries: phase 3 (non-trivial locations)

  #20074 opened Jul 17, 2025

• Go: Diff-informed queries: phase 3 (non-trivial locations)

  #20075 opened Jul 17, 2025

• Rust: Type inference refactor and improve join orders

  #20076 opened Jul 17, 2025

• Java: Diff-informed queries: phase 3 (non-trivial locations)

  #20077 opened Jul 17, 2025

• JS: Diff-informed queries: phase 3 (non-trivial locations)

  #20078 opened Jul 17, 2025

• Python: Diff-informed queries: phase 3 (non-trivial locations)

  #20079 opened Jul 17, 2025

• Ruby: Diff-informed queries: phase 3 (non-trivial locations)

  #20080 opened Jul 17, 2025

• Rust: Diff-informed queries: phase 3 (non-trivial locations)

  #20081 opened Jul 17, 2025

• Swift: Diff-informed queries: phase 3 (non-trivial locations)

  #20082 opened Jul 17, 2025

• Rust: Implement type inference for trait objects/`dyn` types

  #20084 opened Jul 17, 2025

• Python: Modernise raise-not-implemented query

  #20086 opened Jul 17, 2025

• C#: Allow implicit collection reads in sinks nodes.

  #20089 opened Jul 18, 2025

• Java: Fix accidental CP in CFG for asserts.

  #20091 opened Jul 18, 2025

• Java: Improve more join-orders

  #20092 opened Jul 18, 2025

5 Issues closed by 3 people

• [Java] Flag calls to jdk.internal.misc.Unsafe

  #20070 closed Jul 18, 2025

• Error running codeql database analyze go

  #19890 closed Jul 17, 2025

• Take a look! 📌

  #20063 closed Jul 16, 2025

• General issue: How to make QL scripts support accepting command-line arguments

  #20050 closed Jul 16, 2025

• CodeQL try to check unknown commit

  #20062 closed Jul 16, 2025

2 Issues opened by 2 people

• False positive: Full server-side request forgery

  #20093 opened Jul 18, 2025

• General issue - When using `--build-mode=none`, Windows builds produce `Extraction error: 'MsvcCompiler' object has no attribute 'clangpp'`

  #20071 opened Jul 17, 2025

12 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Rust: Type inference for tuples

  #20041 commented on Jul 18, 2025 • 17 new comments

• Java: Promote Insecure Spring Boot Actuator Configuration query from experimental

  #20006 commented on Jul 18, 2025 • 6 new comments

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 commented on Jul 17, 2025 • 3 new comments

• Diff-informed queries: phase 3 (non-trivial locations)

  #19957 commented on Jul 17, 2025 • 3 new comments

• General issue: Find the annotated type of a C# base interface

  #20032 commented on Jul 16, 2025 • 0 new comments

• False positive - Log entries created from user input (cs/log-forging)

  #15824 commented on Jul 17, 2025 • 0 new comments

• C#: Insecure Certificate Validation.

  #17603 commented on Jul 17, 2025 • 0 new comments

• Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 commented on Jul 18, 2025 • 0 new comments

• Just: introduce common "verbs"

  #19978 commented on Jul 18, 2025 • 0 new comments

• Shared: Improve sensitive data heuristics

  #20024 commented on Jul 17, 2025 • 0 new comments

• JS: Exclude patched libraries from `xml-bomb` sink

  #20048 commented on Jul 16, 2025 • 0 new comments

• Java: Accept new test result after extractor upgrade

  #20057 commented on Jul 18, 2025 • 0 new comments