213 Pull requests merged by 41 people

• Java: Improve several join-orders

  #20088 merged Jul 18, 2025

• Java: Prune PathGraph for CsrfUnprotectedRequestType.ql

  #20083 merged Jul 18, 2025

• Update CSV framework coverage reports

  #20087 merged Jul 18, 2025

• Java: Add AnnotatedExitNodes to the CFG.

  #19885 merged Jul 17, 2025

• Ql4ql: Quality query tagging.

  #19931 merged Jul 17, 2025

• fix qhelp files

  #19707 merged Jul 17, 2025

• Java: allow the definition of java/unsafe-deserialization sinks using data extensions

  #20067 merged Jul 17, 2025

• Overlay: Enable overlay compilation for Java

  #19872 merged Jul 17, 2025

• Make a proper shared library out of the concept related libraries

  #19984 merged Jul 17, 2025

• Go: Fix compilation of DataFlowImplConsistency.qll

  #20053 merged Jul 17, 2025

• C#: Improve some existing manual models.

  #19940 merged Jul 17, 2025

• C++: Support the spaceship operator in the IR

  #20069 merged Jul 16, 2025

• C++: Add test that shows that IR generation for <=> is broken

  #20068 merged Jul 16, 2025

• C++: Don't wrap calls through function pointers in FunctionWithWrappers

  #20066 merged Jul 16, 2025

• C++: Fix typeid IR translation

  #20060 merged Jul 16, 2025

• Make web.config match case insensitive

  #20061 merged Jul 16, 2025

• C#: Make web.config match case insensitive (with change note)

  #20065 merged Jul 16, 2025

• feat: add getASupertype() predicate in ValueOrRefType.

  #20008 merged Jul 16, 2025

• Rust: Make rust/summary/query-sinks less noisy

  #20042 merged Jul 16, 2025

• C++: Reduce duplication in cpp/uncontrolled-process-operation

  #20059 merged Jul 15, 2025

• Golang: Mark filepath.IsLocal as a tainted-path sanitizer guard

  #20056 merged Jul 15, 2025

• C++: Add test showing that the IR translation for typeid is broken

  #20058 merged Jul 15, 2025

• Overlay: Add XML and Java property discarding

  #20011 merged Jul 15, 2025

• Java: Restrict results to source literals.

  #20054 merged Jul 15, 2025

• Java: use overlayChangedFiles in discard prediactes

  #20049 merged Jul 15, 2025

• C++: Fix global variable dataflow FP

  #20040 merged Jul 14, 2025

• JavaScript: Ignore outDirs that would exclude everything

  #20030 merged Jul 14, 2025

• Kotlin: tweak plugin test

  #20039 merged Jul 14, 2025

• Rust: Rename type inference test inline expectation tag

  #20037 merged Jul 14, 2025

• Ruby: enable overlay compilation

  #19731 merged Jul 14, 2025

• Rust: Update legacy MaD models 3

  #19946 merged Jul 14, 2025

• Kotlin: Update regex patterns to use raw string notation

  #20034 merged Jul 14, 2025

• Bump golang.org/x/tools from 0.34.0 to 0.35.0 in /go/extractor in the extractor-dependencies group

  #20035 merged Jul 14, 2025

• Actions: Fix Critical Artifact poisoning False Positive

  #19388 merged Jul 14, 2025

• C++: Fix C++20 concept related class extensions

  #20026 merged Jul 13, 2025

• Go: Add Head and Client.Head from net/http as request forgery sinks

  #20000 merged Jul 11, 2025

• Java: add extra sink for java/unsafe-deserialization

  #20025 merged Jul 11, 2025

• Rust: add more type inference tests for patterns and a simple one for a closure call

  #20029 merged Jul 11, 2025

• Python: Support type annotations in call graph

  #19672 merged Jul 11, 2025

• Rust: Remove Resolvable.resolvesAsItem

  #20027 merged Jul 11, 2025

• C++: Better dataflow for function objects

  #20023 merged Jul 11, 2025

• C++: Do not alert on unreachable code in cpp/incorrect-string-type-conversion

  #20014 merged Jul 11, 2025

• Rust: Type inference for pattern matching

  #20020 merged Jul 11, 2025

• Support approximate related locations

  #19943 merged Jul 11, 2025

• Rust: Fix type inference for library parameters

  #19658 merged Jul 11, 2025

• Rust: Disambiguate associated function calls

  #19995 merged Jul 10, 2025

• C++: Add dataflow predicate for checking if a node is the final value of a parameter

  #20017 merged Jul 10, 2025

• Ruby: add overlay annotations to AST/CFG/SSA layers

  #19989 merged Jul 10, 2025

• C++: Add more thread creation models

  #20016 merged Jul 10, 2025

• Rust: Update legacy MaD models 2

  #19942 merged Jul 10, 2025

• Rust: Add more test cases for sensitive data

  #20002 merged Jul 10, 2025

• Rust: Update legacy MaD models 4

  #19948 merged Jul 10, 2025

• Java: Add query to detect non-case labels in switch statements

  #19998 merged Jul 10, 2025

• Rust: Fix bad join

  #20015 merged Jul 10, 2025

• Bump golang.org/x/mod from 0.25.0 to 0.26.0 in /go/extractor in the extractor-dependencies group

  #20009 merged Jul 10, 2025

• Rust: add test cases for basic unwrapping and pattern matching

  #20003 merged Jul 10, 2025

• QL4QL: Discard predicates are always alive

  #20013 merged Jul 10, 2025

• Download GitHub database: fix gh invocation

  #10923 merged Jul 10, 2025

• Rust: fix missing canonical paths for trait impls on builtin numeric types

  #20001 merged Jul 10, 2025

• C++: Fix some typos in recent change notes

  #20010 merged Jul 10, 2025

• Rust: Add type inference test cases for tuples.

  #20004 merged Jul 10, 2025

• Rust: set SHA256s in MODULE.bazel

  #19999 merged Jul 9, 2025

• Rust: Adjust the inferred type of string literals

  #19996 merged Jul 8, 2025

• Java: Add query to detect special characters in string literals

  #19875 merged Jul 8, 2025

• Java: Add 'Useless serialization member in record class' query

  #19950 merged Jul 8, 2025

• Rust: Improve type inference for for loops and range expressions

  #19971 merged Jul 8, 2025

• Java: Use MaD in log injection test

  #19997 merged Jul 8, 2025

• Post-release preparation for codeql-cli-2.22.2

  #19994 merged Jul 7, 2025

• Rust: Add type inference inline expectations for all function calls

  #19993 merged Jul 7, 2025

• Rust: path resolution: handle items in extern blocks

  #19988 merged Jul 7, 2025

• Release preparation for version 2.22.2

  #19992 merged Jul 7, 2025

• Merge pull request #19956 from github/redsun82/java-fix-tests

  #19987 merged Jul 7, 2025

• Improve query docs for java/java-util-concurrent-scheduledthreadpoolexecutor

  #19991 merged Jul 7, 2025

• C++: Output CopyValue in the IR when there is a non-transparent conversion

  #19976 merged Jul 7, 2025

• C++: Rename a changenote file

  #19990 merged Jul 7, 2025

• Ruby/QL: add discard predicates for locations

  #19963 merged Jul 7, 2025

• Rust: Remove source vs library deduplication logic

  #19577 merged Jul 7, 2025

• Rust: Fix SSA inconsistencies

  #19975 merged Jul 7, 2025

• Java/Ruby/Rust/QL: add overlayChangedFiles relation to dbscheme

  #19896 merged Jul 4, 2025

• Ruby: Fix typo in query message

  #19977 merged Jul 4, 2025

• Rust: Handle more explicit type arguments in type inference

  #19847 merged Jul 4, 2025

• C++: Add glibc flow summaries

  #19973 merged Jul 4, 2025

• Overlay: Mark RefType.getAStrictAncestor overlay[caller?]

  #19968 merged Jul 4, 2025

• Add changelog entry for CodeQL CLI version 2.22.1

  #19893 merged Jul 3, 2025

• C++: Add test showing we miss the operands of postfix crement in dataflow

  #19970 merged Jul 3, 2025

• C++: Add glibc to the list of bulk generation targets

  #19969 merged Jul 3, 2025

• Rust: Update legacy MaD models 1

  #19934 merged Jul 3, 2025

• Overlay: Fix Java overlay compilation regressions

  #19962 merged Jul 3, 2025

• Rust: format

  #19967 merged Jul 3, 2025

• C++: Uncomment cases in the dbscheme

  #15233 merged Jul 3, 2025

• C++: Add glibc to bulk_generation_targets.yml

  #19960 merged Jul 3, 2025

• JS: Disable type extraction

  #19640 merged Jul 3, 2025

• Rust: Speed up use of Location.contains

  #19961 merged Jul 3, 2025

• Rust: refactor ast-generator to have all customization at the start

  #19861 merged Jul 3, 2025

• C++: Add flow summaries for CreateThread and friends

  #19955 merged Jul 2, 2025

• Rust: fix macro expansion in library code

  #19945 merged Jul 2, 2025

• Go: remove language tests from workflows

  #19781 merged Jul 2, 2025

• Java: disable failing maven fetches expectations for now

  #19956 merged Jul 2, 2025

• C++: Remove QLtest related comment from integration test

  #19952 merged Jul 2, 2025

• C++: Move builtin function identification to its own table

  #19947 merged Jul 2, 2025

• Rust: add trailing newline to rust-cwe.md

  #19951 merged Jul 2, 2025

• Rust: Disambiguate more method calls based on argument types

  #19927 merged Jul 2, 2025

• Fixes in cpp/global-use-before-init

  #19676 merged Jul 1, 2025

• C++: Remove unused external_package tables from the dbscheme

  #19938 merged Jul 1, 2025

• Rust: add to generate-code-scanning-query-list.py and shared-code-metrics.py scripts

  #19939 merged Jul 1, 2025

• Rust: Apply inherent method prioritization inside type inference loop

  #19903 merged Jul 1, 2025

• Rust: Assume prelude is always available in path resolution

  #19936 merged Jul 1, 2025

• Fix markdown query help formatting

  #19892 merged Jul 1, 2025

• Ruby: Do not compute StringlikeLiteralImpl.getStringValue for large strings

  #19926 merged Jul 1, 2025

• C++: synchronize dbscheme

  #19935 merged Jul 1, 2025

• Go/Ruby/Python: Freeze quality queries in security-and-quality.

  #19891 merged Jul 1, 2025

• Rust: make AssocItem and ExternItem subclasses of Item

  #19873 merged Jul 1, 2025

• C++: fix (no string representation) for ConstructorInit

  #19907 merged Jul 1, 2025

• C++: Add Arm64 change note

  #19933 merged Jun 30, 2025

• Python: Allow use of match as an identifier

  #19895 merged Jun 30, 2025

• Java: update java/call-to-thread-run

  #19175 merged Jun 30, 2025

• Codegen: improve implementation of generated parent/child relationship

  #19866 merged Jun 30, 2025

• Rust: Fix variable capture inconsistencies

  #19916 merged Jun 30, 2025

• C++: Sync the product-flow field flow branch limits with the default one

  #19904 merged Jun 30, 2025

• Overlay: Add manual Java overlay annotations & discard predicates

  #19813 merged Jun 30, 2025

• Improve NestJS sources and dependency injection

  #19769 merged Jun 30, 2025

• Improve TypeORM model

  #19762 merged Jun 30, 2025

• C++: Merge the location tables

  #17581 merged Jun 30, 2025

• Rust: New query rust/access-after-lifetime-ended

  #19702 merged Jun 30, 2025

• Create copilot-instructions.md

  #19899 merged Jun 30, 2025

• Update CSV framework coverage reports

  #19910 merged Jun 30, 2025

• Overlay: Add CI workflow to check overlay annotations

  #19780 merged Jun 30, 2025

• Crypto: Refactor OpenSSL operation step data-flow logic

  #19880 merged Jun 27, 2025

• Overlay: Add missing overlay[caller?] annotation

  #19901 merged Jun 27, 2025

• Overlay: Add overlay annotation to shared lib

  #19898 merged Jun 27, 2025

• C++: Pretty print MaD ids in test output

  #19894 merged Jun 27, 2025

• Rust: Cache DataFlow::Node.{toString,getLocation}

  #19886 merged Jun 27, 2025

• C#: Models for Microsoft.Data.SqlClient.

  #19877 merged Jun 27, 2025

• Java, Ruby: add missing .qlref tests

  #19888 merged Jun 27, 2025

• Rust: Data flow through trait methods

  #19881 merged Jun 27, 2025

• Java: Diff-informed CleartextStorageCookie.ql

  #19846 merged Jun 27, 2025

• Kaspersv/overlay java annotations

  #19887 merged Jun 27, 2025

• Overlay: Add overlay annotations to Java & shared libraries

  #19779 merged Jun 27, 2025

• Python: Improve performance of FileNotClosed query by using basic block reachability

  #19641 merged Jun 26, 2025

• C++: Support SQL Injection sinks for Oracle Call Interface (OCI)

  #19832 merged Jun 26, 2025

• Crypto: Fix QL-for-QL alerts and refactor type standardization

  #19814 merged Jun 26, 2025

• Ruby/Rust/QL: simplify generation of overlay-related tables/predicates

  #19878 merged Jun 26, 2025

• Java: Add java/javautilconcurrentscheduledthreadpoolexecutor query for zero thread pool size

  #19844 merged Jun 26, 2025

• Codegen: use one generated test file per directory

  #19874 merged Jun 26, 2025

• Java: Fix assert CFG by properly tagging the false successor.

  #19883 merged Jun 26, 2025

• Guards: Refactor EqualityTest interface.

  #19884 merged Jun 26, 2025

• C++: Update stats file after DCA and extractor changes

  #19870 merged Jun 26, 2025

• Shared/Java: Add shared Guards library and switch Java to use it.

  #19573 merged Jun 26, 2025

• Go: Avoid using deprecated class

  #19882 merged Jun 26, 2025

• Go: fix DefinedType.getBaseType

  #19654 merged Jun 25, 2025

• Go: Improve two class names and add some helper predicates

  #19677 merged Jun 25, 2025

• Rust: refactor pre_emit! and post_emit! to a trait

  #19851 merged Jun 25, 2025

• Java: convert remaining java-code-scanning.qls query tests to .qlref

  #19842 merged Jun 25, 2025

• Rust: fix parallel execution of tests using the nightly toolchain

  #19876 merged Jun 25, 2025

• Ruby: generate overlay discard predicates

  #19719 merged Jun 25, 2025

• Ruby: add support for extracting overlay databases

  #19684 merged Jun 25, 2025

• JS: moved execa out of experimental

  #19858 merged Jun 25, 2025

• Use regex to match overlay annotations

  #19871 merged Jun 25, 2025

• JS: Remove legacy actions queries

  #19849 merged Jun 25, 2025

• JS: Model React 'use' and 'use server'

  #19852 merged Jun 25, 2025

• C++: Handle explicitly instantiated templates

  #16075 merged Jun 25, 2025

• pick-kotlin-version.py: tolerate warnings

  #19865 merged Jun 24, 2025

• QLDoc scripts: Fix overly permissive regex ranges

  #19867 merged Jun 24, 2025

• C++: Support more complex 16-bit float types

  #19862 merged Jun 24, 2025

• Convert remaining {go,swift,ruby}-code-scanning.qls query tests to .qlref

  #19817 merged Jun 24, 2025

• Post-release preparation for codeql-cli-2.22.1

  #19864 merged Jun 24, 2025

• Rust: Type inference for for loops and array expressions

  #19754 merged Jun 24, 2025

• QL4QL: Extend ql/inline-overlay-caller

  #19863 merged Jun 24, 2025

• Release preparation for version 2.22.1

  #19860 merged Jun 24, 2025

• Rust: enable change-note check

  #19853 merged Jun 24, 2025

• JS: Remote mention of Element MaD token

  #19859 merged Jun 24, 2025

• Rust: Add type inference for overloaded index expressions

  #19833 merged Jun 24, 2025

• JS: ClientRequests Axios Instance support

  #19655 merged Jun 24, 2025

• C++: Handle Arm SVE in the IR

  #19845 merged Jun 24, 2025

• JS: Explicitly Mark Sinon Package as Non RegExp

  #19854 merged Jun 24, 2025

• Overlay: Add script to help maintain overlay annotations

  #19778 merged Jun 24, 2025

• Rust: regenerate models after rust-analyzer update

  #19848 merged Jun 24, 2025

• Rust: upgrade rust-analyzer to 0.0.288

  #19524 merged Jun 23, 2025

• Rust: Add SatisfiesConstraintInput module in shared type inference

  #19829 merged Jun 23, 2025

• Rust: Take derive macros into account in is{In,From}MacroExpansion

  #19850 merged Jun 23, 2025

• Rust: Avoid overlapping path resolution consistency checks

  #19825 merged Jun 23, 2025

• Java: Remove java/deprecated-call from the Code Quality suite.

  #19843 merged Jun 23, 2025

• Rust: Update PoemHandlerParam to use getCanonicalPath

  #19801 merged Jun 23, 2025

• JS: Update Fastify tld

  #19822 merged Jun 23, 2025

• Rust: update docs for public preview

  #19280 merged Jun 23, 2025

• C#: Add another test for MissingAccessControl.ql

  #19826 merged Jun 23, 2025

• Rust: expand derive macros

  #19824 merged Jun 23, 2025

• MaD generator: use --threads=0 and 2GB per thread for --ram by default

  #19744 merged Jun 23, 2025

• Rust: adapt model generation to new format

  #19819 merged Jun 23, 2025

• C++: Update expected test results after extractor changes

  #19837 merged Jun 22, 2025

• Rust: expand attribute macros on AssocItem and ExternItem

  #19823 merged Jun 20, 2025

• Rust: limit number of diagnostics to 100 per trap file

  #19774 merged Jun 20, 2025

• Rust: yet another tentative fix to test flakiness

  #19836 merged Jun 20, 2025

• JavaScript: Don't extract obviously generated files

  #19680 merged Jun 20, 2025

• JS: Improve Express middleware taint tracking

  #19784 merged Jun 20, 2025

• Rust: Path resolution for crate::{self as foo}

  #19816 merged Jun 20, 2025

• Rust: fix nightly toolchain version for tests using it

  #19828 merged Jun 20, 2025

• Rust: Fix type inference for explicit dereference with * to the Deref trait

  #19820 merged Jun 20, 2025

• JS: Promote js/loop-iteration-skipped-due-to-shifting to the Code Quality suite

  #19743 merged Jun 20, 2025

• JS: Mass promotion of queries to quality status

  #19776 merged Jun 20, 2025

• Update qhelp style guide for markdown format

  #19730 merged Jun 20, 2025

• Java: Tag quality queries with quality and sub-category

  #19799 merged Jun 19, 2025

• Rust: backport Cargo.lock fixes for CI

  #19821 merged Jun 19, 2025

• Python: Tag quality queries with quality and sub category.

  #19812 merged Jun 19, 2025

• Update query-metadata-style-guide.md

  #19815 merged Jun 19, 2025

• Go: mass-enable diff-informed queries phase 2 - getASelected{Source,Sink}Location() { none() }

  #19760 merged Jun 19, 2025

• C++: mass-enable diff-informed queries phase 2 - getASelected{Source,Sink}Location() { none() }

  #19759 merged Jun 19, 2025

• Actions: mass-enable diff-informed queries phase 2 - getASelected{Source,Sink}Location() { none() }

  #19757 merged Jun 19, 2025

• Ruby: mass enable diff-informed data flow none() location overrides

  #19798 merged Jun 19, 2025

• JS: remove encodeURI from sanitizer list of request forgery

  #19750 merged Jun 19, 2025

• Python: Fix integration test

  #19818 merged Jun 19, 2025

• Java: mass enable diff-informed data flow + none() overrides

  #19795 merged Jun 19, 2025

• Go: Update tags for high precision quality queries

  #19763 merged Jun 19, 2025

41 Pull requests opened by 20 people

• Update Go version in tests to `1.25.0-rc.1`

  #19827 opened Jun 20, 2025

• Bump `rules_go` to `0.55.1`

  #19831 opened Jun 20, 2025

• Quantum: Initial support for C#

  #19905 opened Jun 27, 2025

• Quantum: Refactor OpenSSL padding modeling

  #19908 opened Jun 27, 2025

• Python: Update `tree-sitter` dependency

  #19929 opened Jun 30, 2025

• Rust: upgrade `rust-analyzer` to 0.0.289

  #19930 opened Jun 30, 2025

• Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 opened Jun 30, 2025

• Signature model refactor

  #19944 opened Jul 1, 2025

• Rust: Rework type inference for impl Trait in return position

  #19954 opened Jul 2, 2025

• Diff-informed queries: phase 3 (non-trivial locations)

  #19957 opened Jul 2, 2025

• Just: introduce common "verbs"

  #19978 opened Jul 4, 2025

• Java: Promote Insecure Spring Boot Actuator Configuration query from experimental

  #20006 opened Jul 9, 2025

• Java: Update qhelp: SnakeYaml is safe from version 2.0

  #20018 opened Jul 10, 2025

• Shared: Improve sensitive data heuristics

  #20024 opened Jul 11, 2025

• Experiment: Make all data flow incremental

  #20028 opened Jul 11, 2025

• Kotlin: Run the tests with 2.2.0

  #20031 opened Jul 11, 2025

• Python: Modernize 3 quality queries for comparison methods

  #20038 opened Jul 14, 2025

• Rust: Type inference for tuples

  #20041 opened Jul 14, 2025

• Shared: Overhaul the AlertFiltering QLDoc

  #20047 opened Jul 14, 2025

• JS: Exclude patched libraries from `xml-bomb` sink

  #20048 opened Jul 15, 2025

• Rust: Do not let type info flow into a let statement identifier when …

  #20051 opened Jul 15, 2025

• Python: Minor documantation updates to several quality queries

  #20052 opened Jul 15, 2025

• Rust: upgrade to rust 1.88 and rust-analyzer 0.0.294

  #20055 opened Jul 15, 2025

• Java: Accept new test result after extractor upgrade

  #20057 opened Jul 15, 2025

• Update Go Path Injection Sanitizer and Sink

  #20064 opened Jul 16, 2025

• Actions: Diff-informed queries: phase 3 (non-trivial locations)

  #20072 opened Jul 17, 2025

• C++: Diff-informed queries: phase 3 (non-trivial locations)

  #20073 opened Jul 17, 2025

• C#: Diff-informed queries: phase 3 (non-trivial locations)

  #20074 opened Jul 17, 2025

• Go: Diff-informed queries: phase 3 (non-trivial locations)

  #20075 opened Jul 17, 2025

• Rust: Type inference refactor and improve join orders

  #20076 opened Jul 17, 2025

• Java: Diff-informed queries: phase 3 (non-trivial locations)

  #20077 opened Jul 17, 2025

• JS: Diff-informed queries: phase 3 (non-trivial locations)

  #20078 opened Jul 17, 2025

• Python: Diff-informed queries: phase 3 (non-trivial locations)

  #20079 opened Jul 17, 2025

• Ruby: Diff-informed queries: phase 3 (non-trivial locations)

  #20080 opened Jul 17, 2025

• Rust: Diff-informed queries: phase 3 (non-trivial locations)

  #20081 opened Jul 17, 2025

• Swift: Diff-informed queries: phase 3 (non-trivial locations)

  #20082 opened Jul 17, 2025

• Rust: Implement type inference for trait objects/`dyn` types

  #20084 opened Jul 17, 2025

• Python: Modernise raise-not-implemented query

  #20086 opened Jul 17, 2025

• C#: Allow implicit collection reads in sinks nodes.

  #20089 opened Jul 18, 2025

• Java: Fix accidental CP in CFG for asserts.

  #20091 opened Jul 18, 2025

• Java: Improve more join-orders

  #20092 opened Jul 18, 2025

22 Issues closed by 10 people

• [Java] Flag calls to jdk.internal.misc.Unsafe

  #20070 closed Jul 18, 2025

• Error running codeql database analyze go

  #19890 closed Jul 17, 2025

• Take a look! 📌

  #20063 closed Jul 16, 2025

• General issue: How to make QL scripts support accepting command-line arguments

  #20050 closed Jul 16, 2025

• CodeQL try to check unknown commit

  #20062 closed Jul 16, 2025

• [removed]

  #20046 closed Jul 15, 2025

• [removed]

  #20045 closed Jul 15, 2025

• General issue [removed]

  #20044 closed Jul 15, 2025

• C# ReturnStmt (and other statements) doesn't return any getExpr() nor any getAChild() since v2.21.1

  #20033 closed Jul 14, 2025

• - Add rake task to verify <<next>> placeholders are replaced when VERSION changes

  #20036 closed Jul 14, 2025

• False positive

  #20022 closed Jul 11, 2025

• Rust: Learn from other security products

  #20007 closed Jul 10, 2025

• False positive

  #19986 closed Jul 7, 2025

• Thanks! Already integrated, will see...

  #19980 closed Jul 5, 2025

• Package content not clear

  #19958 closed Jul 4, 2025

• CodeQL CLI prints warning for valid config file

  #16147 closed Jul 3, 2025

• False positive

  #19949 closed Jul 2, 2025

• Extraction error with tsg-python

  #19736 closed Jun 30, 2025

• Gg

  #19913 closed Jun 30, 2025

• Add support for Oracle Call Interface (OCI) to C/C++ coverage

  #19764 closed Jun 26, 2025

• Unique IDs for C++ Functions

  #15342 closed Jun 25, 2025

• Go: False positive when use sync.Map

  #18916 closed Jun 23, 2025

23 Issues opened by 20 people

• False positive: Full server-side request forgery

  #20093 opened Jul 18, 2025

• General issue - When using `--build-mode=none`, Windows builds produce `Extraction error: 'MsvcCompiler' object has no attribute 'clangpp'`

  #20071 opened Jul 17, 2025

• False positive: go/zipslip when `filepath.IsLocal` is already used

  #20043 opened Jul 14, 2025

• General issue: Find the annotated type of a C# base interface

  #20032 opened Jul 11, 2025

• [Rust] weird behavior in dataflow when trying to select a specific node

  #19983 opened Jul 5, 2025

• [Rust] macro expansion failed warnings 2

  #19982 opened Jul 5, 2025

• Problem installing local package

  #19979 opened Jul 4, 2025

• Solidity code

  #19972 opened Jul 3, 2025

• [Rust] macro expansion failed warnings

  #19966 opened Jul 3, 2025

• CodeQL Python query runs extremely slow on medium-sized project using TaintTracking::Global

  #19928 opened Jun 30, 2025

• Spread unidentified

  #19914 opened Jun 30, 2025

• Feature request: overwrite existing database, but ask first

  #19909 opened Jun 27, 2025

• ShellEscape aint always escaping shells

  #19906 opened Jun 27, 2025

• Flask ImmutableMultiDict type cannot be accurately determined when calling to_dict

  #19902 opened Jun 27, 2025

• [python] The tuple (*) argument of a call cannot step to function parameter for the CommandInjectionCustomizations flow

  #19900 opened Jun 27, 2025

• Error running query java.util.concurrent.CompletionException:

  #19869 opened Jun 25, 2025

• False positive

  #19856 opened Jun 24, 2025

• Code QL not finding sql server injection attack

  #19855 opened Jun 23, 2025

• Ruby: Error parsing embedded multiline blocks

  #19841 opened Jun 23, 2025

• how to filter out this situation？

  #19838 opened Jun 21, 2025

• [actions] Add detection for workflow_dispatch TOCTOU

  #19835 opened Jun 20, 2025

• False positive: Critical Artifact poisoning

  #19834 opened Jun 20, 2025

• [cpp] Check whether path between function A and function B exists

  #19830 opened Jun 20, 2025

19 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 commented on Jul 17, 2025 • 6 new comments

• Improve data flow in the `async` package

  #19770 commented on Jun 26, 2025 • 2 new comments

• Add lodash GroupBy as taint step

  #19768 commented on Jun 26, 2025 • 2 new comments

• Rust: Update DotDotCheck to use getCanonicalPath

  #19804 commented on Jun 25, 2025 • 0 new comments

• Quantum: Support for BouncyCastle signature algorithms and block cipher modes

  #19568 commented on Jul 4, 2025 • 0 new comments

• Handling of axios in functions and making axios create function recur…

  #19337 commented on Jun 20, 2025 • 0 new comments

• Rust: new query rust/hardcoded-crytographic-value

  #18943 commented on Jun 24, 2025 • 0 new comments

• C#: Insecure Certificate Validation.

  #17603 commented on Jul 17, 2025 • 0 new comments

• False positive - Log entries created from user input (cs/log-forging)

  #15824 commented on Jul 17, 2025 • 0 new comments

• Idea/Feature request: codeql as MCP Server

  #19150 commented on Jul 14, 2025 • 0 new comments

• CodeQL Docs: SnakeYaml is now secure by default

  #19664 commented on Jul 10, 2025 • 0 new comments

• C++: request for support more C++ features to avoid failures in CodeQL compile

  #16652 commented on Jul 7, 2025 • 0 new comments

• Better explain how to exclude paths for compiled languages

  #8689 commented on Jul 3, 2025 • 0 new comments

• General issue [Azure DevOps Pipeline]: pipeline is stuck at "Starting evaluation of codeql/csharp-queries/Telemetry/UnsupportedExternalAPIs.ql." step

  #15059 commented on Jul 3, 2025 • 0 new comments

• Why doesn't CodeQL support auditing PHP

  #12376 commented on Jul 2, 2025 • 0 new comments

• python false positive Clear-text logging of sensitive information

  #13538 commented on Jul 1, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented on Jul 1, 2025 • 0 new comments

• General issue Go. Why isn't the following code recognized as a source in a global data stream?

  #19807 commented on Jun 25, 2025 • 0 new comments

• Kotlin language database create bug?

  #19670 commented on Jun 24, 2025 • 0 new comments