48 Pull requests merged by 18 people

• Rust: Handle more explicit type arguments in type inference

  #19847 merged Jul 4, 2025

• C++: Add glibc flow summaries

  #19973 merged Jul 4, 2025

• Overlay: Mark RefType.getAStrictAncestor overlay[caller?]

  #19968 merged Jul 4, 2025

• Add changelog entry for CodeQL CLI version 2.22.1

  #19893 merged Jul 3, 2025

• C++: Add test showing we miss the operands of postfix crement in dataflow

  #19970 merged Jul 3, 2025

• C++: Add glibc to the list of bulk generation targets

  #19969 merged Jul 3, 2025

• Rust: Update legacy MaD models 1

  #19934 merged Jul 3, 2025

• Overlay: Fix Java overlay compilation regressions

  #19962 merged Jul 3, 2025

• Rust: format

  #19967 merged Jul 3, 2025

• C++: Uncomment cases in the dbscheme

  #15233 merged Jul 3, 2025

• C++: Add glibc to bulk_generation_targets.yml

  #19960 merged Jul 3, 2025

• JS: Disable type extraction

  #19640 merged Jul 3, 2025

• Rust: Speed up use of Location.contains

  #19961 merged Jul 3, 2025

• Rust: refactor ast-generator to have all customization at the start

  #19861 merged Jul 3, 2025

• C++: Add flow summaries for CreateThread and friends

  #19955 merged Jul 2, 2025

• Rust: fix macro expansion in library code

  #19945 merged Jul 2, 2025

• Go: remove language tests from workflows

  #19781 merged Jul 2, 2025

• Java: disable failing maven fetches expectations for now

  #19956 merged Jul 2, 2025

• C++: Remove QLtest related comment from integration test

  #19952 merged Jul 2, 2025

• C++: Move builtin function identification to its own table

  #19947 merged Jul 2, 2025

• Rust: add trailing newline to rust-cwe.md

  #19951 merged Jul 2, 2025

• Rust: Disambiguate more method calls based on argument types

  #19927 merged Jul 2, 2025

• Fixes in cpp/global-use-before-init

  #19676 merged Jul 1, 2025

• C++: Remove unused external_package tables from the dbscheme

  #19938 merged Jul 1, 2025

• Rust: add to generate-code-scanning-query-list.py and shared-code-metrics.py scripts

  #19939 merged Jul 1, 2025

• Rust: Apply inherent method prioritization inside type inference loop

  #19903 merged Jul 1, 2025

• Rust: Assume prelude is always available in path resolution

  #19936 merged Jul 1, 2025

• Fix markdown query help formatting

  #19892 merged Jul 1, 2025

• Ruby: Do not compute StringlikeLiteralImpl.getStringValue for large strings

  #19926 merged Jul 1, 2025

• C++: synchronize dbscheme

  #19935 merged Jul 1, 2025

• Go/Ruby/Python: Freeze quality queries in security-and-quality.

  #19891 merged Jul 1, 2025

• Rust: make AssocItem and ExternItem subclasses of Item

  #19873 merged Jul 1, 2025

• C++: fix (no string representation) for ConstructorInit

  #19907 merged Jul 1, 2025

• C++: Add Arm64 change note

  #19933 merged Jun 30, 2025

• Python: Allow use of match as an identifier

  #19895 merged Jun 30, 2025

• Java: update java/call-to-thread-run

  #19175 merged Jun 30, 2025

• Codegen: improve implementation of generated parent/child relationship

  #19866 merged Jun 30, 2025

• Rust: Fix variable capture inconsistencies

  #19916 merged Jun 30, 2025

• C++: Sync the product-flow field flow branch limits with the default one

  #19904 merged Jun 30, 2025

• Overlay: Add manual Java overlay annotations & discard predicates

  #19813 merged Jun 30, 2025

• Improve NestJS sources and dependency injection

  #19769 merged Jun 30, 2025

• Improve TypeORM model

  #19762 merged Jun 30, 2025

• C++: Merge the location tables

  #17581 merged Jun 30, 2025

• Rust: New query rust/access-after-lifetime-ended

  #19702 merged Jun 30, 2025

• Create copilot-instructions.md

  #19899 merged Jun 30, 2025

• Update CSV framework coverage reports

  #19910 merged Jun 30, 2025

• Overlay: Add CI workflow to check overlay annotations

  #19780 merged Jun 30, 2025

• Crypto: Refactor OpenSSL operation step data-flow logic

  #19880 merged Jun 27, 2025

23 Pull requests opened by 14 people

• Quantum: Refactor OpenSSL padding modeling

  #19908 opened Jun 27, 2025

• Python: Update `tree-sitter` dependency

  #19929 opened Jun 30, 2025

• Rust: upgrade `rust-analyzer` to 0.0.289

  #19930 opened Jun 30, 2025

• Ql4ql: Quality query tagging.

  #19931 opened Jun 30, 2025

• [Draft] Python: Modernize 4 queries for missing/multiple calls to init/del methods

  #19932 opened Jun 30, 2025

• EXPERIMENT: Test overlay fixes

  #19937 opened Jul 1, 2025

• C#: Improve some existing manual models.

  #19940 opened Jul 1, 2025

• C++: accept new test results after extractor changes

  #19941 opened Jul 1, 2025

• Rust: Update legacy MaD models 2

  #19942 opened Jul 1, 2025

• Support approximate related locations

  #19943 opened Jul 1, 2025

• Signature model refactor

  #19944 opened Jul 1, 2025

• Rust: Update legacy MaD models 3

  #19946 opened Jul 1, 2025

• Rust: Update legacy MaD models 4

  #19948 opened Jul 1, 2025

• Java: Add 'Useless serialization member in record class' query

  #19950 opened Jul 2, 2025

• Rust: Rework type inference for impl Trait in return position

  #19954 opened Jul 2, 2025

• Diff-informed queries: phase 3 (non-trivial locations)

  #19957 opened Jul 2, 2025

• Ruby/QL: add discard predicates for locations

  #19963 opened Jul 3, 2025

• Experiment: Overlay: Mark RefType.getAStrictAncestor global

  #19964 opened Jul 3, 2025

• Experiment: Overlay: Mark RefType.getAStrictAncestor caller?

  #19965 opened Jul 3, 2025

• Rust: Improve type inference for `for` loops and range expressions

  #19971 opened Jul 3, 2025

• C++: Refine comment by removing outdate workaround reference

  #19974 opened Jul 4, 2025

• Rust: Fix SSA inconsistencies

  #19975 opened Jul 4, 2025

• C++: Output `CopyValue` in the IR when there is a non-transparent conversion

  #19976 opened Jul 4, 2025

5 Issues closed by 3 people

• Package content not clear

  #19958 closed Jul 4, 2025

• CodeQL CLI prints warning for valid config file

  #16147 closed Jul 3, 2025

• False positive

  #19949 closed Jul 2, 2025

• Extraction error with tsg-python

  #19736 closed Jun 30, 2025

• Gg

  #19913 closed Jun 30, 2025

6 Issues opened by 6 people

• Solidity code

  #19972 opened Jul 3, 2025

• [Rust] macro expansion failed warnings

  #19966 opened Jul 3, 2025

• CodeQL Python query runs extremely slow on medium-sized project using TaintTracking::Global

  #19928 opened Jun 30, 2025

• Spread unidentified

  #19914 opened Jun 30, 2025

• Feature request: overwrite existing database, but ask first

  #19909 opened Jun 27, 2025

• ShellEscape aint always escaping shells

  #19906 opened Jun 27, 2025

17 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Java: Add query to detect special characters in string literals

  #19875 commented on Jul 3, 2025 • 21 new comments

• Quantum: Initial support for C#

  #19905 commented on Jul 4, 2025 • 20 new comments

• Java/Ruby/Rust/QL: add `overlayChangedFiles` relation to dbscheme

  #19896 commented on Jul 4, 2025 • 3 new comments

• Overlay: Enable overlay compilation for Java

  #19872 commented on Jun 30, 2025 • 0 new comments

• fix qhelp files

  #19707 commented on Jul 3, 2025 • 0 new comments

• Rust: Fix type inference for library parameters

  #19658 commented on Jul 2, 2025 • 0 new comments

• Rust: Remove source vs library deduplication logic

  #19577 commented on Jul 4, 2025 • 0 new comments

• Quantum: Support for BouncyCastle signature algorithms and block cipher modes

  #19568 commented on Jul 4, 2025 • 0 new comments

• Better explain how to exclude paths for compiled languages

  #8689 commented on Jul 3, 2025 • 0 new comments

• General issue [Azure DevOps Pipeline]: pipeline is stuck at "Starting evaluation of codeql/csharp-queries/Telemetry/UnsupportedExternalAPIs.ql." step

  #15059 commented on Jul 3, 2025 • 0 new comments

• Why doesn't CodeQL support auditing PHP

  #12376 commented on Jul 2, 2025 • 0 new comments

• python false positive Clear-text logging of sensitive information

  #13538 commented on Jul 1, 2025 • 0 new comments

• [python] The tuple (*) argument of a call cannot step to function parameter for the CommandInjectionCustomizations flow

  #19900 commented on Jul 1, 2025 • 0 new comments

• False positive

  #19856 commented on Jul 1, 2025 • 0 new comments

• Code scanning is waiting for results from CodeQL; CodeQL is stuck

  #19671 commented on Jul 1, 2025 • 0 new comments

• C++: request for support more C++ features to avoid failures in CodeQL compile

  #16652 commented on Jun 30, 2025 • 0 new comments

• Flask ImmutableMultiDict type cannot be accurately determined when calling to_dict

  #19902 commented on Jun 27, 2025 • 0 new comments