122 Pull requests merged by 30 people

• Release preparation for version 2.22.3

  #20165 merged Aug 4, 2025

• Rust: Fix two bad joins introduced by magic

  #20161 merged Aug 4, 2025

• Rust: Add type inference test cases resembling missing call targets in SQLx.

  #20160 merged Aug 4, 2025

• C++: Static variables are initialized to zero or null by compiler

  #20129 merged Aug 4, 2025

• Rust: Add metric for DCA and debug predicates for type that reach the length limit

  #20147 merged Aug 4, 2025

• C++: Expose SSA definitions from dataflow

  #20149 merged Aug 1, 2025

• Kotlin: Support 2.2.20-beta2

  #20141 merged Jul 31, 2025

• Rust: Implement type inference for closures and calls to closures

  #20130 merged Jul 30, 2025

• SSA: Update data flow integration and BarrierGuard interface to use GuardValue.

  #20132 merged Jul 30, 2025

• Java: Move extractorInformationSkipKey predicate to library pack

  #20134 merged Jul 29, 2025

• Rust: Type inference for impl trait types with type parameters

  #20119 merged Jul 28, 2025

• Copilot: Remove the formatting instructions, as they're confusing CCR.

  #20128 merged Jul 28, 2025

• Rust: Fix type inference for trait objects for traits with associated types

  #20122 merged Jul 26, 2025

• Rust: Update DotDotCheck to use getCanonicalPath

  #19804 merged Jul 25, 2025

• Rust: Replace QL model for Clone with MaD

  #20124 merged Jul 25, 2025

• Python: Modernise raise-not-implemented query

  #20086 merged Jul 24, 2025

• Kotlin: Add Kotlin 2.2.20 support

  #20114 merged Jul 24, 2025

• Python: Minor documantation updates to several quality queries

  #20052 merged Jul 24, 2025

• Rust: Implement type inference for trait objects/dyn types

  #20084 merged Jul 24, 2025

• C++: Add some more Windows specific memory copy models

  #20115 merged Jul 23, 2025

• Shared: Improve sensitive data heuristics

  #20024 merged Jul 23, 2025

• Rust: Diff-informed queries: phase 3 (non-trivial locations)

  #20081 merged Jul 23, 2025

• Rust: Remove sourceModelDeprecated, summaryModelDeprecated and sinkModelDeprecated

  #20109 merged Jul 23, 2025

• C++: Add more barriers to cpp/overrun-write

  #20107 merged Jul 23, 2025

• Rust: Type inference refactor and improve join orders

  #20076 merged Jul 23, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20113 merged Jul 23, 2025

• Swift: Diff-informed queries: phase 3 (non-trivial locations)

  #20082 merged Jul 23, 2025

• Release preparation for version 2.22.2

  #20112 merged Jul 23, 2025

• Revert "Release preparation for version 2.22.2"

  #20110 merged Jul 23, 2025

• Rust: Type inference for tuples

  #20041 merged Jul 23, 2025

• Kotlin: Run the tests with 2.2.0

  #20031 merged Jul 22, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20106 merged Jul 22, 2025

• Release preparation for version 2.22.2

  #20105 merged Jul 22, 2025

• Revert "Release preparation for version 2.22.2"

  #20104 merged Jul 22, 2025

• Rust: new query rust/hardcoded-crytographic-value

  #18943 merged Jul 22, 2025

• Post-release preparation for codeql-cli-2.22.2

  #20103 merged Jul 22, 2025

• Release preparation for version 2.22.2

  #20100 merged Jul 22, 2025

• Rust: Path resolution associated type fix

  #20096 merged Jul 22, 2025

• Revert post-release preparation for codeql-cli-2.22.2

  #20099 merged Jul 21, 2025

• Rust: Refactor PathTypeMention

  #20094 merged Jul 21, 2025

• Java: Update qhelp: SnakeYaml is safe from version 2.0

  #20018 merged Jul 21, 2025

• Java: Improve more join-orders

  #20092 merged Jul 21, 2025

• Java: Diff-informed queries: phase 3 (non-trivial locations)

  #20077 merged Jul 21, 2025

• Java: Fix accidental CP in CFG for asserts.

  #20091 merged Jul 21, 2025

• Java: Improve several join-orders

  #20088 merged Jul 18, 2025

• Java: Prune PathGraph for CsrfUnprotectedRequestType.ql

  #20083 merged Jul 18, 2025

• Update CSV framework coverage reports

  #20087 merged Jul 18, 2025

• Java: Add AnnotatedExitNodes to the CFG.

  #19885 merged Jul 17, 2025

• Ql4ql: Quality query tagging.

  #19931 merged Jul 17, 2025

• fix qhelp files

  #19707 merged Jul 17, 2025

• Java: allow the definition of java/unsafe-deserialization sinks using data extensions

  #20067 merged Jul 17, 2025

• Overlay: Enable overlay compilation for Java

  #19872 merged Jul 17, 2025

• Make a proper shared library out of the concept related libraries

  #19984 merged Jul 17, 2025

• Go: Fix compilation of DataFlowImplConsistency.qll

  #20053 merged Jul 17, 2025

• C#: Improve some existing manual models.

  #19940 merged Jul 17, 2025

• C++: Support the spaceship operator in the IR

  #20069 merged Jul 16, 2025

• C++: Add test that shows that IR generation for <=> is broken

  #20068 merged Jul 16, 2025

• C++: Don't wrap calls through function pointers in FunctionWithWrappers

  #20066 merged Jul 16, 2025

• C++: Fix typeid IR translation

  #20060 merged Jul 16, 2025

• Make web.config match case insensitive

  #20061 merged Jul 16, 2025

• C#: Make web.config match case insensitive (with change note)

  #20065 merged Jul 16, 2025

• feat: add getASupertype() predicate in ValueOrRefType.

  #20008 merged Jul 16, 2025

• Rust: Make rust/summary/query-sinks less noisy

  #20042 merged Jul 16, 2025

• C++: Reduce duplication in cpp/uncontrolled-process-operation

  #20059 merged Jul 15, 2025

• Golang: Mark filepath.IsLocal as a tainted-path sanitizer guard

  #20056 merged Jul 15, 2025

• C++: Add test showing that the IR translation for typeid is broken

  #20058 merged Jul 15, 2025

• Overlay: Add XML and Java property discarding

  #20011 merged Jul 15, 2025

• Java: Restrict results to source literals.

  #20054 merged Jul 15, 2025

• Java: use overlayChangedFiles in discard prediactes

  #20049 merged Jul 15, 2025

• C++: Fix global variable dataflow FP

  #20040 merged Jul 14, 2025

• JavaScript: Ignore outDirs that would exclude everything

  #20030 merged Jul 14, 2025

• Kotlin: tweak plugin test

  #20039 merged Jul 14, 2025

• Rust: Rename type inference test inline expectation tag

  #20037 merged Jul 14, 2025

• Ruby: enable overlay compilation

  #19731 merged Jul 14, 2025

• Rust: Update legacy MaD models 3

  #19946 merged Jul 14, 2025

• Kotlin: Update regex patterns to use raw string notation

  #20034 merged Jul 14, 2025

• Bump golang.org/x/tools from 0.34.0 to 0.35.0 in /go/extractor in the extractor-dependencies group

  #20035 merged Jul 14, 2025

• Actions: Fix Critical Artifact poisoning False Positive

  #19388 merged Jul 14, 2025

• C++: Fix C++20 concept related class extensions

  #20026 merged Jul 13, 2025

• Go: Add Head and Client.Head from net/http as request forgery sinks

  #20000 merged Jul 11, 2025

• Java: add extra sink for java/unsafe-deserialization

  #20025 merged Jul 11, 2025

• Rust: add more type inference tests for patterns and a simple one for a closure call

  #20029 merged Jul 11, 2025

• Python: Support type annotations in call graph

  #19672 merged Jul 11, 2025

• Rust: Remove Resolvable.resolvesAsItem

  #20027 merged Jul 11, 2025

• C++: Better dataflow for function objects

  #20023 merged Jul 11, 2025

• C++: Do not alert on unreachable code in cpp/incorrect-string-type-conversion

  #20014 merged Jul 11, 2025

• Rust: Type inference for pattern matching

  #20020 merged Jul 11, 2025

• Support approximate related locations

  #19943 merged Jul 11, 2025

• Rust: Fix type inference for library parameters

  #19658 merged Jul 11, 2025

• Rust: Disambiguate associated function calls

  #19995 merged Jul 10, 2025

• C++: Add dataflow predicate for checking if a node is the final value of a parameter

  #20017 merged Jul 10, 2025

• Ruby: add overlay annotations to AST/CFG/SSA layers

  #19989 merged Jul 10, 2025

• C++: Add more thread creation models

  #20016 merged Jul 10, 2025

• Rust: Update legacy MaD models 2

  #19942 merged Jul 10, 2025

• Rust: Add more test cases for sensitive data

  #20002 merged Jul 10, 2025

• Rust: Update legacy MaD models 4

  #19948 merged Jul 10, 2025

• Java: Add query to detect non-case labels in switch statements

  #19998 merged Jul 10, 2025

• Rust: Fix bad join

  #20015 merged Jul 10, 2025

• Bump golang.org/x/mod from 0.25.0 to 0.26.0 in /go/extractor in the extractor-dependencies group

  #20009 merged Jul 10, 2025

• Rust: add test cases for basic unwrapping and pattern matching

  #20003 merged Jul 10, 2025

• QL4QL: Discard predicates are always alive

  #20013 merged Jul 10, 2025

• Download GitHub database: fix gh invocation

  #10923 merged Jul 10, 2025

• Rust: fix missing canonical paths for trait impls on builtin numeric types

  #20001 merged Jul 10, 2025

• C++: Fix some typos in recent change notes

  #20010 merged Jul 10, 2025

• Rust: Add type inference test cases for tuples.

  #20004 merged Jul 10, 2025

• Rust: set SHA256s in MODULE.bazel

  #19999 merged Jul 9, 2025

• Rust: Adjust the inferred type of string literals

  #19996 merged Jul 8, 2025

• Java: Add query to detect special characters in string literals

  #19875 merged Jul 8, 2025

• Java: Add 'Useless serialization member in record class' query

  #19950 merged Jul 8, 2025

• Rust: Improve type inference for for loops and range expressions

  #19971 merged Jul 8, 2025

• Java: Use MaD in log injection test

  #19997 merged Jul 8, 2025

• Post-release preparation for codeql-cli-2.22.2

  #19994 merged Jul 7, 2025

• Rust: Add type inference inline expectations for all function calls

  #19993 merged Jul 7, 2025

• Rust: path resolution: handle items in extern blocks

  #19988 merged Jul 7, 2025

• Release preparation for version 2.22.2

  #19992 merged Jul 7, 2025

• Merge pull request #19956 from github/redsun82/java-fix-tests

  #19987 merged Jul 7, 2025

• Improve query docs for java/java-util-concurrent-scheduledthreadpoolexecutor

  #19991 merged Jul 7, 2025

• C++: Output CopyValue in the IR when there is a non-transparent conversion

  #19976 merged Jul 7, 2025

• C++: Rename a changenote file

  #19990 merged Jul 7, 2025

• Ruby/QL: add discard predicates for locations

  #19963 merged Jul 7, 2025

• Rust: Remove source vs library deduplication logic

  #19577 merged Jul 7, 2025

• Rust: Fix SSA inconsistencies

  #19975 merged Jul 7, 2025

43 Pull requests opened by 16 people

• Java: Promote Insecure Spring Boot Actuator Configuration query from experimental

  #20006 opened Jul 9, 2025

• Experiment: Make all data flow incremental

  #20028 opened Jul 11, 2025

• Python: Modernize 3 quality queries for comparison methods

  #20038 opened Jul 14, 2025

• Shared: Overhaul the AlertFiltering QLDoc

  #20047 opened Jul 14, 2025

• JS: Exclude patched libraries from `xml-bomb` sink

  #20048 opened Jul 15, 2025

• Rust: upgrade to rust 1.88 and rust-analyzer 0.0.294

  #20055 opened Jul 15, 2025

• Update Go Path Injection Sanitizer and Sink

  #20064 opened Jul 16, 2025

• Actions: Diff-informed queries: phase 3 (non-trivial locations)

  #20072 opened Jul 17, 2025

• C++: Diff-informed queries: phase 3 (non-trivial locations)

  #20073 opened Jul 17, 2025

• C#: Diff-informed queries: phase 3 (non-trivial locations)

  #20074 opened Jul 17, 2025

• Go: Diff-informed queries: phase 3 (non-trivial locations)

  #20075 opened Jul 17, 2025

• JS: Diff-informed queries: phase 3 (non-trivial locations)

  #20078 opened Jul 17, 2025

• Python: Diff-informed queries: phase 3 (non-trivial locations)

  #20079 opened Jul 17, 2025

• Ruby: Diff-informed queries: phase 3 (non-trivial locations)

  #20080 opened Jul 17, 2025

• C#: Allow implicit collection reads in sinks nodes.

  #20089 opened Jul 18, 2025

• Java: Add `previous-id` and adjust tags for `java/garbage-collection` and `java/run-finalizers-on-exit`

  #20095 opened Jul 19, 2025

• Java: Add support to `ModuleImportDeclaration`

  #20097 opened Jul 21, 2025

• Fix #19294, Ruby NetHttpRequest improvements

  #20101 opened Jul 21, 2025

• Java: Add support to Compact Source Files

  #20116 opened Jul 23, 2025

• Python: Modernize Unexpected Raise In Special Method query

  #20120 opened Jul 24, 2025

• Guards: Improve support for wrapped guards

  #20121 opened Jul 24, 2025

• C++: Fix missing global variable flow

  #20126 opened Jul 25, 2025

• Java: Improve a couple of join-orders

  #20127 opened Jul 25, 2025

• Rust: Support blanket implementations

  #20133 opened Jul 28, 2025

• JS: Modeling of `aws-sdk` clients*

  #20135 opened Jul 28, 2025

• Java: Add test for flexible constructor support

  #20136 opened Jul 29, 2025

• Rust: New Query rust/cleartext-storage-database

  #20137 opened Jul 29, 2025

• C++: Fix missing guard conditions for C++ code

  #20138 opened Jul 29, 2025

• Rust: Improve handling of where clauses in type inference and path resolution

  #20140 opened Jul 30, 2025

• Python: Modernise Superclass attribute shadows subclass method query

  #20142 opened Jul 30, 2025

• Rust: Don't use constraint implementations for type parameters

  #20143 opened Jul 30, 2025

• C++: Fix missing `bool` -> `int` conversions in C code

  #20145 opened Jul 30, 2025

• JS: Move cors-misconfiguration query from experimental to Security

  #20146 opened Jul 31, 2025

• JS: Exclude environment variables from `js/regex-injection` query by default

  #20148 opened Jul 31, 2025

• Rust: Update BadCtorInitialization.ql to use getCanonicalPath.

  #20150 opened Jul 31, 2025

• JS: Enhance command injection detection for CLI argument parsing libraries

  #20151 opened Aug 1, 2025

• C++: Remove redundants casts from IR

  #20154 opened Aug 1, 2025

• Rust: Add predicate for certain type information

  #20155 opened Aug 2, 2025

• C++: Value numbering for casts that only modify specifiers

  #20156 opened Aug 2, 2025

• C#: Include constructors in `ValueOrRefType.hasCallable`

  #20158 opened Aug 4, 2025

• Python: Add jump steps for global variable nested field access

  #20162 opened Aug 4, 2025

• Java: Assume normal termination in post-dominance.

  #20163 opened Aug 4, 2025

• Rust: Fix bad join

  #20164 opened Aug 4, 2025

18 Issues closed by 9 people

• github-recovery-codes.txt.

  #20157 closed Aug 4, 2025

• Spread unidentified

  #19914 closed Jul 26, 2025

• Python: Aiopg.qll misses some SQL injection sinks in aiopg

  #20111 closed Jul 24, 2025

• Rust: Remove sourceModelDeprecated, summaryModelDeprecated and sinkModelDeprecated.

  #20108 closed Jul 23, 2025

• [Java] Flag calls to jdk.internal.misc.Unsafe

  #20070 closed Jul 18, 2025

• Error running codeql database analyze go

  #19890 closed Jul 17, 2025

• Take a look! 📌

  #20063 closed Jul 16, 2025

• General issue: How to make QL scripts support accepting command-line arguments

  #20050 closed Jul 16, 2025

• CodeQL try to check unknown commit

  #20062 closed Jul 16, 2025

• [removed]

  #20046 closed Jul 15, 2025

• [removed]

  #20045 closed Jul 15, 2025

• General issue [removed]

  #20044 closed Jul 15, 2025

• C# ReturnStmt (and other statements) doesn't return any getExpr() nor any getAChild() since v2.21.1

  #20033 closed Jul 14, 2025

• - Add rake task to verify <<next>> placeholders are replaced when VERSION changes

  #20036 closed Jul 14, 2025

• False positive

  #20022 closed Jul 11, 2025

• Rust: Learn from other security products

  #20007 closed Jul 10, 2025

• False positive

  #19986 closed Jul 7, 2025

• Thanks! Already integrated, will see...

  #19980 closed Jul 5, 2025

16 Issues opened by 14 people

• How to write CodeQL rules?

  #20159 opened Aug 4, 2025

• False positive "use of implicit PendingIntents" alert

  #20153 opened Aug 1, 2025

• False positives for py/file-not-closed even when using `with` statements

  #20152 opened Aug 1, 2025

• Java SSRF Findings

  #20144 opened Jul 30, 2025

• CWE 134

  #20131 opened Jul 28, 2025

• For an abstract class in the CodeQL source code, how can I quickly find all the classes that extend this abstract class from the CodeQL library?

  #20125 opened Jul 25, 2025

• CWE-918 (SSRF) - Java - False Positive Justification

  #20117 opened Jul 23, 2025

• CodeQL detected code written in `some language`, but not any written in GitHub Actions. Confirm that there is some source code for GitHub Actions in the project.

  #20102 opened Jul 21, 2025

• UnvalidatedDynamicMethodCall query does not detect flow inside try/catch

  #20098 opened Jul 21, 2025

• False positive: Full server-side request forgery

  #20093 opened Jul 18, 2025

• General issue - When using `--build-mode=none`, Windows builds produce `Extraction error: 'MsvcCompiler' object has no attribute 'clangpp'`

  #20071 opened Jul 17, 2025

• False positive: go/zipslip when `filepath.IsLocal` is already used

  #20043 opened Jul 14, 2025

• General issue: Find the annotated type of a C# base interface

  #20032 opened Jul 11, 2025

• [Rust] weird behavior in dataflow when trying to select a specific node

  #19983 opened Jul 5, 2025

• [Rust] macro expansion failed warnings 2

  #19982 opened Jul 5, 2025

• Problem installing local package

  #19979 opened Jul 4, 2025

19 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 commented on Jul 24, 2025 • 10 new comments

• Diff-informed queries: phase 3 (non-trivial locations)

  #19957 commented on Jul 17, 2025 • 9 new comments

• Rust: Update SqlxQuery, SqlxExecute to use getCanonicalPath

  #19802 commented on Jul 31, 2025 • 6 new comments

• Just: introduce common "verbs"

  #19978 commented on Jul 18, 2025 • 0 new comments

• Rust: Rework type inference for impl Trait in return position

  #19954 commented on Jul 11, 2025 • 0 new comments

• Rust: upgrade `rust-analyzer` to 0.0.289

  #19930 commented on Jul 7, 2025 • 0 new comments

• C#: Insecure Certificate Validation.

  #17603 commented on Jul 17, 2025 • 0 new comments

• Idea/Feature request: codeql as MCP Server

  #19150 commented on Jul 29, 2025 • 0 new comments

• Question: C# analysis without building the code, on Azure DevOps

  #16070 commented on Jul 29, 2025 • 0 new comments

• Better explain how to exclude paths for compiled languages

  #8689 commented on Jul 28, 2025 • 0 new comments

• [python] The tuple (*) argument of a call cannot step to function parameter for the CommandInjectionCustomizations flow

  #19900 commented on Jul 25, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented on Jul 23, 2025 • 0 new comments

• False positive - Log entries created from user input (cs/log-forging)

  #15824 commented on Jul 21, 2025 • 0 new comments

• CodeQL Python query runs extremely slow on medium-sized project using TaintTracking::Global

  #19928 commented on Jul 21, 2025 • 0 new comments

• ShellEscape aint always escaping shells

  #19906 commented on Jul 10, 2025 • 0 new comments

• CodeQL Docs: SnakeYaml is now secure by default

  #19664 commented on Jul 10, 2025 • 0 new comments

• [Rust] macro expansion failed warnings

  #19966 commented on Jul 7, 2025 • 0 new comments

• C++: request for support more C++ features to avoid failures in CodeQL compile

  #16652 commented on Jul 7, 2025 • 0 new comments

• Solidity code

  #19972 commented on Jul 4, 2025 • 0 new comments