Merged
541 commits
4543c66
Python: Prepare `LocalSourceNode` for locality
tausbn Jan 9, 2026
30ce406
Python: Remove global restriction on `ModuleVariableNode`
tausbn Jan 9, 2026
ac5a744
Python: Fix tests
tausbn Jan 12, 2026
7fccc23
Python: Make `ExtractedArgumentNode` local
tausbn Jan 26, 2026
6113d4b
Python: Fix test issues
tausbn Jan 26, 2026
3f71812
Python: Make capturing closure arguments synthetic and non-global
tausbn Jan 29, 2026
fb6175d
Python: Fix consistency test failures
tausbn Jan 29, 2026
958c798
Python: Accept dataflow test changes
tausbn Jan 29, 2026
1b5ed12
Log and emit diagnostic if incorrectly named files are found
mbg Jan 30, 2026
1aba0b2
Add integration test
mbg Jan 30, 2026
3e07196
Fix missing negation
mbg Jan 30, 2026
ad2aa6d
Accept expected diagnostic output
mbg Jan 30, 2026
1667051
Merge pull request #21239 from MathiasVP/logical-binary-fix-guards-cpp
MathiasVP Jan 30, 2026
454d13b
Remove element check
mbg Jan 30, 2026
0222159
Specify vulnerable args instead of safe ones
owen-mc Jan 30, 2026
5204255
Merge pull request #21234 from owen-mc/python/convert-sanitizers-to-mad
owen-mc Jan 30, 2026
8aa1bff
Add `AstNode.getEnclosingBlock()`
owen-mc Feb 1, 2026
9a00c75
Merge pull request #21236 from github/mbg/csharp/fix-registry-feeds
mbg Feb 2, 2026
fe06345
C#: Add more tests for `InsecureDirectObjectReference.ql`
hvitved Feb 2, 2026
1857683
Rust: Minor tweaks and improvements
paldepind Feb 2, 2026
0567864
Rust: Make module private
paldepind Feb 2, 2026
4a04f7b
Merge pull request #21243 from hvitved/csharp/insecure-object-tests
hvitved Feb 2, 2026
0db542e
Release preparation for version 2.24.1
invalid-email-address Feb 2, 2026
38fcc61
Fix formatting in Kotlin changelog
henrymercer Feb 2, 2026
6b78313
Merge pull request #21245 from github/release-prep/2.24.1
henrymercer Feb 2, 2026
5f1fd57
Fix formatting of Kotlin version ranges
henrymercer Feb 2, 2026
57c2208
Merge pull request #21246 from github/henrymercer/kotlin/version-rang…
henrymercer Feb 2, 2026
1a6b2b9
Fix capitalization of MySQL
henrymercer Feb 2, 2026
8b03608
Merge pull request #21188 from paldepind/rust/self-path-assoc
paldepind Feb 2, 2026
95afe61
Rust: Add path resolution tests
paldepind Feb 2, 2026
99b498b
Rust: Resolve `Self` paths in type definitions
paldepind Feb 2, 2026
fedb946
Merge pull request #21248 from github/henrymercer/fix-mysql-typo
henrymercer Feb 2, 2026
7ddfa80
Merge branch 'main' into azure_python_sdk_url_summary_upstream
bdrodes Feb 2, 2026
73d06f2
Post-release preparation for codeql-cli-2.24.1
invalid-email-address Feb 2, 2026
b16f1d3
Rust: Fix bad join
hvitved Feb 2, 2026
a57c6cd
Add `EmitPrivateRegistryUsed`
mbg Feb 2, 2026
29930fa
Track active proxy configurations
mbg Feb 2, 2026
6d67e41
Move private registry sources out of `util` package
mbg Feb 2, 2026
30b30d6
Emit the new diagnostic
mbg Feb 2, 2026
e712e62
Merge pull request #21250 from github/post-release-prep/codeql-cli-2.…
henrymercer Feb 2, 2026
8de37fe
Rust: Add tests with `as` paths
paldepind Feb 2, 2026
d0e30d1
Rust: Resolve `as` paths to trait
paldepind Feb 2, 2026
9fc2a54
Rust: Accept changes to expected files for consistency checks
paldepind Feb 2, 2026
cbbc057
Fix singular/plural wording and add test
mbg Feb 2, 2026
d079671
Align `testItems` with what `getEnvVars` does
mbg Feb 2, 2026
e00390d
Merge pull request #21224 from owen-mc/go/use-shared-basic-block-lib
owen-mc Feb 2, 2026
6fbf727
Merge pull request #21251 from hvitved/rust/fix-bad-join
hvitved Feb 2, 2026
d5c4a19
Apply suggestions from code review
mbg Feb 3, 2026
1791c1f
Rust: Add test with path resolution inconsistency
paldepind Feb 3, 2026
d72d8b6
Rust: Fix inconsistency by skipping `Self` in use globs
paldepind Feb 3, 2026
208cf71
C++: Add tests with tests for remote flow sources from the Win32 API …
MathiasVP Feb 3, 2026
cbc2dbc
C++: Add flow sources and summary models.
MathiasVP Feb 3, 2026
5531ef9
C++: Accept test changes.
MathiasVP Feb 3, 2026
7ef96e3
C++: Add taint-inheriting reads from the Winhttp structs.
MathiasVP Feb 3, 2026
40a5813
C++: Accept test changes.
MathiasVP Feb 3, 2026
32b86ec
C++: Add change note.
MathiasVP Feb 3, 2026
092d254
C++: Fix Copilot comments.
MathiasVP Feb 3, 2026
389cd5d
Cfg: Extract CFG pretty-printing code.
aschackmull Feb 3, 2026
8e39ed0
Merge pull request #21252 from github/mbg/go/private-registry-diagnostic
mbg Feb 3, 2026
2d61fc5
Java: Add support for "View CFG".
aschackmull Feb 3, 2026
571f21b
C#: Emit diagnostic if private registries are configured
mbg Feb 3, 2026
62fb38d
Python: Rename `otherArgs` to `implicitArgumentNode`
tausbn Feb 3, 2026
4973523
C#: Fix CSRF query to check antiforgery attributes on base classes
redsun82 Feb 4, 2026
5e6e64b
Java: Rename UnaryExpr.getExpr to getOperand.
aschackmull Feb 4, 2026
3f08ff8
Pretty print models in test
owen-mc Feb 4, 2026
dca10f8
C#: Add extended_type to the DB scheme.
michaelnebel Feb 4, 2026
c68cd58
C#: Add parameter marker interface, allow a type to a parent for para…
michaelnebel Feb 4, 2026
60bb9a9
C#: Move some populate methods and location writing methods.
michaelnebel Feb 4, 2026
36fa0a2
Java: Rename getTrueExpr/getFalseExpr on ConditionalExpr to getThen/g…
aschackmull Feb 4, 2026
55ea55a
Merge pull request #21247 from paldepind/rust/self-types
paldepind Feb 4, 2026
6f40ac1
Java: Rename ReturnStmt.getResult to getExpr.
aschackmull Feb 4, 2026
4fcf3fb
Java: Make loop classes extend LoopStmt and use getBody instead of ge…
aschackmull Feb 4, 2026
2d02908
Java: Add change note.
aschackmull Feb 4, 2026
544931f
Merge pull request #21266 from owen-mc/python/pretty-print-models-in-…
owen-mc Feb 4, 2026
52dc581
Merge branch 'main' into rust/as-path-trait
paldepind Feb 4, 2026
cd73dcf
Merge branch 'main' into azure_python_sdk_url_summary_upstream
bdrodes Feb 4, 2026
0a88425
Python: Altering SSRF MaD to use 'request-forgery' tag. Update to tes…
bdrodes Feb 4, 2026
83adf79
Cfg: Fix compilation.
aschackmull Feb 4, 2026
32fe12a
Java: Delay deprecation a bit.
aschackmull Feb 5, 2026
81977f1
Cfg: qldoc + overlay fixups.
aschackmull Feb 5, 2026
e4daeec
Merge pull request #21268 from aschackmull/java/view-cfg
aschackmull Feb 5, 2026
11003e6
Java: Fix qldoc
aschackmull Feb 5, 2026
29e0174
Merge pull request #21267 from aschackmull/java/rename-misc
aschackmull Feb 5, 2026
476df7d
Merge pull request #21260 from MathiasVP/add-windows-remote-flow-sources
MathiasVP Feb 5, 2026
f79bd3f
C#: accept location changes in test
redsun82 Feb 5, 2026
1203da1
Merge pull request #21253 from paldepind/rust/as-path-trait
hvitved Feb 5, 2026
e26c199
C/C++ overlay: use files table instead of `overlayChangedFiles` for o…
IdrissRio Feb 2, 2026
025f733
Rust: Move some overloading tests into a separate file
hvitved Jan 29, 2026
1df3adf
Merge pull request #21244 from github/idrissrio/cpp/overlay/changes-json
IdrissRio Feb 5, 2026
05bef12
Merge pull request #21265 from github/redsun82/csharp-csrf-inheritance
redsun82 Feb 5, 2026
c62d95a
Rust: More type inference tests
hvitved Jan 30, 2026
2764d69
Rust: Merge `Input1` and `Input2` modules
hvitved Jan 26, 2026
68c1a3d
Python: Fix syntax error when `=` is used as a format fill character
tausbn Feb 5, 2026
bac356c
Python: Regenerate parser files
tausbn Feb 5, 2026
12ee930
Python: Add tests
tausbn Feb 5, 2026
8c27437
Python: Bump extractor version and add change note
tausbn Feb 5, 2026
ab505e3
C#: Add class for making synthetic parameter entities.
michaelnebel Feb 4, 2026
edfdc98
C#: Extract extension types and members. Replacing invocations to sta…
michaelnebel Feb 4, 2026
9a4a6cf
C#: Add ExtensionType to the QL library.
michaelnebel Feb 4, 2026
b9f36f3
C#: Add extension callable and accessor classes.
michaelnebel Feb 4, 2026
5e02a86
C#: Add extension call classes.
michaelnebel Feb 4, 2026
e831c80
C#: Replace extension parameter access with the corresponding synthet…
michaelnebel Feb 4, 2026
849823e
C#: Add dispatch logic for calling extensions accessors as methods.
michaelnebel Feb 4, 2026
c040daa
C#: Add extensions test.
michaelnebel Feb 4, 2026
6cbe000
C#: Add PrintAst test for extensions.
michaelnebel Feb 4, 2026
4b6a53b
C#: Add extension data flow test.
michaelnebel Feb 4, 2026
bd3e4d3
C#: Add MaD tests for extensions.
michaelnebel Feb 4, 2026
02e4a8b
C#: Add change-note.
michaelnebel Feb 5, 2026
5adc9f8
Merge pull request #21274 from github/tausbn/python-fix-parsing-of-fo…
tausbn Feb 5, 2026
2dc7576
Rust: Rework call disambiguation logic
hvitved Jan 26, 2026
32aaac2
Rust: Add type inference regression test
hvitved Jan 26, 2026
d57a42a
C++: Make 'getChildCount' more robust by counting indexes instead of …
MathiasVP Feb 5, 2026
ac1987f
Update python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md
bdrodes Feb 5, 2026
2c05624
Merge pull request #21280 from MathiasVP/make-getChildCount-more-robust
MathiasVP Feb 6, 2026
62a6b59
C#: Add test cases for lambda parameter modifiers.
michaelnebel Feb 6, 2026
e550d49
C#: Update parameter modifiers test to include lambda expression from…
michaelnebel Feb 6, 2026
6c355a1
C#: Update test expected output.
michaelnebel Feb 6, 2026
d5827b5
Kotlin: Support Kotlin 2.3.10
andersfugmann Feb 2, 2026
38830dd
Bazel: fix Rust deps patching for semver build metadata
github-actions[bot] Feb 6, 2026
c5179e4
Kotlin: Add change note for supporting 2.3.10
andersfugmann Feb 6, 2026
8459eec
Moving the SsrfSink concept into Concepts.qll, and renaming to HttpCl…
bdrodes Feb 6, 2026
48db24d
Merge pull request #21287 from github/redsun82/fix-rust-deps-patching
redsun82 Feb 6, 2026
353cd31
update codeql documentation
invalid-email-address Feb 6, 2026
552976d
Update codeql-cli-2.19.1.rst
jonjanego Feb 6, 2026
79ad064
Fix formatting in Kotlin version support note
jonjanego Feb 6, 2026
bf6568b
Fix formatting for Kotlin version support note
jonjanego Feb 6, 2026
c40d784
Update codeql-cli-2.23.1.rst
jonjanego Feb 6, 2026
5bf2d94
Fix formatting in changelog for Go path injection query
jonjanego Feb 6, 2026
1c43cea
Merge branch 'main' into codeql-spark-run-21760759512
jonjanego Feb 6, 2026
d0bd845
Merge pull request #21291 from github/codeql-spark-run-21760759512
jonjanego Feb 6, 2026
90401b3
Merge pull request #21254 from owen-mc/go/astnode-get-enclosing-block
owen-mc Feb 6, 2026
fe94b3b
C#: Address review comments.
michaelnebel Feb 9, 2026
bcdbd6e
C#: Use the fully qualified name for the extension type when printing…
michaelnebel Feb 9, 2026
d9fea15
C#: Update MaD models for extension members.
michaelnebel Feb 9, 2026
eff9f99
C#: Update test expected output.
michaelnebel Feb 9, 2026
71e8730
Merge pull request #21263 from github/mbg/csharp/registry-diagnostic
mbg Feb 9, 2026
109d802
Rust: Fix bug in `inferMethodCallTypeSelf`
hvitved Feb 9, 2026
b5e3168
Merge pull request #21286 from github/andersfugmann/kotlin_2.3.10-no-…
igfoo Feb 9, 2026
42d2de8
C#: Add DB upgrade script.
michaelnebel Feb 9, 2026
3e914f7
C#: Add DB downgrade script.
michaelnebel Feb 9, 2026
bee1718
QL4QL: Allow Impl classes to implement getAPrimaryQLClass with non Im…
michaelnebel Feb 9, 2026
5ad42f8
Merge pull request #20563 from microsoft/azure_python_sdk_url_summary…
yoff Feb 9, 2026
c5f6820
C++ overlay: Add trap_filename, source_file_uses_trap, in_trap
igfoo Feb 5, 2026
9a5128f
C++: Add up/downgrade scripts
igfoo Feb 6, 2026
6235eda
C++: Update stats
igfoo Feb 6, 2026
16539b4
Address review comments
hvitved Feb 9, 2026
6611978
Update rust/ql/lib/codeql/rust/internal/typeinference/DerefChain.qll
hvitved Feb 9, 2026
ba3fc0a
update csharp MaD for System.Web.HttpUtility for tainted URIs
LWSimpkins Feb 9, 2026
fe10fb3
add changenote
LWSimpkins Feb 9, 2026
677949e
Fix typo in change note
LWSimpkins Feb 9, 2026
e172cb3
Bump the extractor-dependencies group in /go/extractor with 2 updates
dependabot[bot] Feb 10, 2026
c3ac202
Merge pull request #21217 from hvitved/rust/type-inference-perf
hvitved Feb 10, 2026
78c262c
Merge pull request #21297 from hvitved/rust/type-inference-fix-bug
paldepind Feb 10, 2026
0cd5366
Rust: Add type inference test for associated type access on a type par…
paldepind Feb 5, 2026
624ee18
Rust: Implement support for associated types accessed on type parameters
paldepind Feb 5, 2026
a033057
Rust: Fix a bad join
paldepind Feb 9, 2026
eee4014
Merge pull request #21300 from github/dependabot/go_modules/go/extrac…
mbg Feb 10, 2026
5634395
Rust: Speedup type inference for `Trait::function()` calls
hvitved Feb 10, 2026
518fb44
Go: Bump toolchain to `1.25.7`
mbg Feb 10, 2026
55e5bc4
Rust: Add `telemtry` tags to queries
hvitved Feb 10, 2026
f2d3bc0
Merge pull request #21302 from github/mbg/go/bump-to-1.25.7
owen-mc Feb 10, 2026
25b836b
C#: Apply suggestions from code review
michaelnebel Feb 10, 2026
5116b0c
Java: Add delayed deprecation annotation.
aschackmull Feb 10, 2026
c15ad31
Merge pull request #21220 from michaelnebel/csharp14/extension
michaelnebel Feb 10, 2026
ece8585
Merge pull request #21285 from michaelnebel/csharp14/implicittypedlam…
michaelnebel Feb 10, 2026
564a3bd
Rust: Simplify `inferMethodCallTypeSelf`
hvitved Feb 10, 2026
49f24ca
Rust: Avoid using `regexpCapture` with multiple capture groups
hvitved Feb 10, 2026
00acff2
Merge pull request #21281 from igfoo/igfoo/discarding
igfoo Feb 10, 2026
f60d759
Avoid non-trivially shadowing string.toString()
ginsbach Feb 10, 2026
8955fd0
Merge pull request #21303 from hvitved/rust/add-telemetry-tags
hvitved Feb 10, 2026
e00e3a8
Update Go version in tests to 1.26.0
jketema Jan 12, 2026
50ed0af
Go: Bump `maxGoVersion` to 1.26
jketema Jan 20, 2026
22e9b42
Go: Add change note
jketema Jan 20, 2026
700543b
Go: Update supported versions to include 1.26
jketema Jan 20, 2026
26ef332
Test builtins like standard library
owen-mc Jan 21, 2026
22e9c21
Add failing tests for newly added functions
owen-mc Jan 21, 2026
e1bddd9
Model newly added functions
owen-mc Jan 21, 2026
936c4cc
Fix edge case in MaD validation
owen-mc Jan 22, 2026
f01d584
Update to 1.26.0
owen-mc Feb 10, 2026
542d463
restore ~ in action.yml version
owen-mc Feb 10, 2026
766dc94
Merge pull request #21150 from github/jketema/go-1.26
owen-mc Feb 11, 2026
cfa62ae
Merge pull request #21304 from aschackmull/java/deprecation-followup
aschackmull Feb 11, 2026
0ac1bc4
Merge pull request #21299 from microsoft/lwsimpkins/csharp-mad-httput…
michaelnebel Feb 11, 2026
2b10c8a
Rust: Fix grammar in qldoc
paldepind Feb 11, 2026
2fa71f0
Rust: Add examples with associated type accessed on associated type
paldepind Feb 11, 2026
89e9a25
Rust: Distinguish path resolution expectations from type inference ex…
hvitved Feb 6, 2026
37af38e
Merge pull request #21282 from hvitved/rust/path-resolution/type-infe…
hvitved Feb 11, 2026
36c3084
Merge pull request #21305 from hvitved/rust/type-inference-speedup
hvitved Feb 11, 2026
9ed2261
Merge pull request #21306 from github/ginsbach/avoid-nontrivially-sha…
ginsbach Feb 11, 2026
287a871
Rust: Apply suggestions from code review
paldepind Feb 11, 2026
6c67475
Rust: Minor tweaks in type inference
paldepind Feb 11, 2026
bed1ec8
Enhance path validation recommendations
smowton Feb 11, 2026
522e4d6
Merge pull request #21273 from paldepind/rust/tp-assoc
paldepind Feb 11, 2026
e6dbd52
Add `RegexExecution` in `Concepts.qll`
owen-mc Feb 9, 2026
44eeee5
Add and improve classes for regex-related methods
owen-mc Feb 10, 2026
fa3fba4
Use new regex-related classes (no functional change)
owen-mc Feb 10, 2026
a22fd39
Use RegexExecution in sanitizer definitions (expands scope)
owen-mc Feb 10, 2026
1ee5728
Add missing QLDoc
owen-mc Feb 11, 2026
6a8204d
"dataflow" -> "data flow" in QLDoc
owen-mc Feb 11, 2026
b14ece7
C++: Add range analysis test demonstrating missing measuring bounds.
MathiasVP Feb 11, 2026
9596b7b
C++: No need to compute this TC.
MathiasVP Feb 11, 2026
fea07eb
Add changed framework coverage reports
github-actions[bot] Feb 12, 2026
76ed386
Merge pull request #21315 from github/workflow/coverage/update
michaelnebel Feb 12, 2026
a27d20d
Rust: Add test cases for binary operator at start of line
paldepind Feb 12, 2026
90a16cf
Merge pull request #21314 from MathiasVP/remove-tc
MathiasVP Feb 12, 2026
a4dd4f9
C++: Also compute type bounds for accesses of an enum type.
MathiasVP Feb 11, 2026
6dd6bdd
C++: Add more terms to make range analysis test timeout.
MathiasVP Feb 11, 2026
2dc91a5
C++: Lower the threshold for max number of bounds to 2^29.
MathiasVP Feb 11, 2026
5c53677
Java: Deprecate UnreachableBlocks.
aschackmull Feb 12, 2026
a945f15
Merge pull request #21317 from aschackmull/java/deprecate-unreachable…
aschackmull Feb 12, 2026
218585b
Ruby: Add additional tests with operators at the start of lines
paldepind Feb 12, 2026
5f970d9
Rewordings per copilot
smowton Feb 12, 2026
3e5c2dd
Merge pull request #21308 from github/smowton/admin/path-injection-us…
tausbn Feb 12, 2026
7d17454
Merge pull request #21138 from github/tausbn/python-prepare-for-overl…
tausbn Feb 12, 2026
bf02e47
Rust: Comment out tests with parse errors
paldepind Feb 12, 2026
d0999e3
Add failing test for @Pattern validation
owen-mc Feb 12, 2026
bfe26c1
Add @Pattern as RegexExecution => SSRF sanitizer
owen-mc Feb 12, 2026
c539c2f
Add change note
owen-mc Feb 12, 2026
5bdf550
Fix QLDocs
owen-mc Feb 12, 2026
106254b
Improve QLDocs
owen-mc Feb 13, 2026
953ff9f
PatternAnnotation.getString() should only be field reads
owen-mc Feb 13, 2026
1fefa98
Rename `RegexMatch` and only include expressions
owen-mc Feb 13, 2026
3c161f9
Make contract of RegexMatch clear
owen-mc Feb 13, 2026
c709958
Put imports implementing abstract classes in private module
owen-mc Feb 13, 2026
2e0f244
Improve QLDoc on `RegexMatch.getName()`
owen-mc Feb 13, 2026
ca4c988
Remove redundant variable
owen-mc Feb 13, 2026
90befa0
Add failing test for Matcher.matches() edge case
owen-mc Feb 14, 2026
8f8f4c2
Fix Matcher.matches edge case
owen-mc Feb 14, 2026
d6b71a3
Extend RegexMatch framework to allow for MatcherMatchesCall edge case
owen-mc Feb 15, 2026
16ddb56
Small refactor for stylistic consistency
owen-mc Feb 14, 2026
6f609a5
Merge pull request #21316 from paldepind/ruby/binary-of-at-start-of-line
paldepind Feb 16, 2026
47a9f87
Merge pull request #21310 from owen-mc/java/regex-execution
owen-mc Feb 16, 2026
149f3ed
Merge pull request #21301 from hvitved/rust/type-inference-trait-call…
hvitved Feb 16, 2026
84be851
Update cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
MathiasVP Feb 16, 2026
bfbb2ee
C++: Add a test showing that we infer a lower and upper bound for par…
MathiasVP Feb 16, 2026
5ccd61a
C++: Respond to review comments.
MathiasVP Feb 16, 2026
7d2b40c
Merge pull request #21313 from MathiasVP/range-analysis-lower-bound-a…
jketema Feb 16, 2026
146fc7a
Add failing log injection test for @Pattern validation
owen-mc Feb 14, 2026
6c0c1d5
Refactor logInjectionGuard part 1
owen-mc Feb 14, 2026
60e58f8
Refactor logInjectionGuard part 2
owen-mc Feb 14, 2026
924bb92
Expand log injection sanitizer guards to non-annotation regex matches
owen-mc Feb 14, 2026
9fc95f5
Expand log injection sanitizers to annotation regex matches
owen-mc Feb 14, 2026
94f1d94
Rename `MethodCall ma` to `mc`
owen-mc Feb 14, 2026
597be6a
Add change note
owen-mc Feb 14, 2026
cf73d96
Update test results (remove SPURIOUS annotations)
owen-mc Feb 16, 2026
7742a56
Merge pull request #21326 from owen-mc/java/log-injection-regex-match
owen-mc Feb 16, 2026
ef04f92
Release preparation for version 2.24.2
invalid-email-address Feb 16, 2026
fb67f93
Merge pull request #21330 from github/release-prep/2.24.2
mbg Feb 16, 2026
065ff29
manual merge
ropwareJB Feb 23, 2026
80deee8
PS: Fixup PowerShell after https://github.com/github/codeql/pull/21051.
MathiasVP Feb 23, 2026
1 change: 1 addition & 0 deletions .github/workflows/ql-for-ql-build.yml
Expand Up @@ -27,6 +27,7 @@ jobs:
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
tools: nightly
- uses: ./.github/actions/os-version
id: os_version
### Build the extractor ###
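Review bot: `tools: nightly` in the `init` step has no comment saying why the nightly CLI is required, and together with `uses: github/codeql-action/init@main` the job now depends on two unpinned inputs, so a failure here can come from either upstream rather than from the change under test. Add a short comment naming what needs nightly and when the override can be removed, so the job can return to the default bundle once a release carries it.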
2 changes: 2 additions & 0 deletions .github/workflows/ql-for-ql-tests.yml
Expand Up @@ -30,6 +30,7 @@ jobs:
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
tools: nightly
- uses: ./.github/actions/os-version
id: os_version
- uses: actions/cache@v3
Expand Down Expand Up @@ -75,6 +76,7 @@ jobs:
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
tools: nightly
- uses: ./.github/actions/os-version
id: os_version
- uses: actions/cache@v3
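Review bot: the `tools: nightly` line at `@@ -75,6 +76,7 @@` is the third copy of the same override (the hunk above and `ql-for-ql-build.yml` carry the other two), so all three have to be found and reverted together later. Put the same explanatory comment on each copy, or define the value once at workflow level and reference it from each `init` step.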
21 changes: 6 additions & 15 deletions MODULE.bazel
Expand Up @@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.8.1")
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
bazel_dep(name = "rules_kotlin", version = "2.2.0-codeql.1")
bazel_dep(name = "gazelle", version = "0.40.0")
bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
Expand Down Expand Up @@ -221,10 +221,6 @@ use_repo(
kotlin_extractor_deps,
"codeql_kotlin_defaults",
"codeql_kotlin_embeddable",
"kotlin-compiler-1.6.0",
"kotlin-compiler-1.6.20",
"kotlin-compiler-1.7.0",
"kotlin-compiler-1.7.20",
"kotlin-compiler-1.8.0",
"kotlin-compiler-1.9.0-Beta",
"kotlin-compiler-1.9.20-Beta",
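Review bot: the `use_repo` list loses `kotlin-compiler-1.6.0` through `kotlin-compiler-1.7.20` here (with the matching `-embeddable` and `kotlin-stdlib` entries in the following hunks), which makes 1.8.0 the oldest compiler the extractor is built against, and nothing in the changelog hunks shown on this page records that as a user-facing change. Confirm that a change note and the supported-versions documentation state the new minimum Kotlin version.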
Expand All @@ -234,10 +230,7 @@ use_repo(
"kotlin-compiler-2.1.20-Beta1",
"kotlin-compiler-2.2.0-Beta1",
"kotlin-compiler-2.2.20-Beta2",
"kotlin-compiler-embeddable-1.6.0",
"kotlin-compiler-embeddable-1.6.20",
"kotlin-compiler-embeddable-1.7.0",
"kotlin-compiler-embeddable-1.7.20",
"kotlin-compiler-2.3.0",
"kotlin-compiler-embeddable-1.8.0",
"kotlin-compiler-embeddable-1.9.0-Beta",
"kotlin-compiler-embeddable-1.9.20-Beta",
Expand All @@ -247,10 +240,7 @@ use_repo(
"kotlin-compiler-embeddable-2.1.20-Beta1",
"kotlin-compiler-embeddable-2.2.0-Beta1",
"kotlin-compiler-embeddable-2.2.20-Beta2",
"kotlin-stdlib-1.6.0",
"kotlin-stdlib-1.6.20",
"kotlin-stdlib-1.7.0",
"kotlin-stdlib-1.7.20",
"kotlin-compiler-embeddable-2.3.0",
"kotlin-stdlib-1.8.0",
"kotlin-stdlib-1.9.0-Beta",
"kotlin-stdlib-1.9.20-Beta",
Expand All @@ -260,14 +250,15 @@ use_repo(
"kotlin-stdlib-2.1.20-Beta1",
"kotlin-stdlib-2.2.0-Beta1",
"kotlin-stdlib-2.2.20-Beta2",
"kotlin-stdlib-2.3.0",
)

go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
go_sdk.download(version = "1.25.0")
go_sdk.download(version = "1.26.0")

go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
go_deps.from_file(go_mod = "//go/extractor:go.mod")
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
use_repo(go_deps, "com_github_stretchr_testify", "org_golang_x_mod", "org_golang_x_tools")

ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archive")
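Review bot: `go_sdk.download(version = "1.26.0")` pins the Bazel toolchain, while `go_deps.from_file(go_mod = "//go/extractor:go.mod")` reads the module file separately, so the two can drift; check that the Go version declared in `go/extractor/go.mod` was bumped in the same change. `com_github_stretchr_testify` is a testing library, so it is also worth confirming that only test targets reference the newly exposed repo.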

10 changes: 10 additions & 0 deletions actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
## 0.4.28

No user-facing changes.

## 0.4.27

### Bug Fixes

* Fixed a crash when analysing a `${{ ... }}` expression over around 300 characters in length.

## 0.4.26

### Major Analysis Improvements
5 changes: 5 additions & 0 deletions actions/ql/lib/change-notes/released/0.4.27.md
@@ -0,0 +1,5 @@
## 0.4.27

### Bug Fixes

* Fixed a crash when analysing a `${{ ... }}` expression over around 300 characters in length.
3 changes: 3 additions & 0 deletions actions/ql/lib/change-notes/released/0.4.28.md
@@ -0,0 +1,3 @@
## 0.4.28

No user-facing changes.
2 changes: 1 addition & 1 deletion actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.26
lastReleaseVersion: 0.4.28
4 changes: 2 additions & 2 deletions actions/ql/lib/codeql/actions/ast/internal/Ast.qll
Expand Up @@ -27,8 +27,8 @@ string getADelimitedExpression(YamlString s, int offset) {
// not just the last (greedy match) or first (reluctant match).
result =
s.getValue()
.regexpFind("\\$\\{\\{(?:[^}]|}(?!}))*\\}\\}", _, offset)
.regexpCapture("(\\$\\{\\{(?:[^}]|}(?!}))*\\}\\})", 1)
.regexpFind("\\$\\{\\{(?:[^}]|}(?!}))*+\\}\\}", _, offset)
.regexpCapture("(\\$\\{\\{(?:[^}]|}(?!}))*+\\}\\})", 1)
.trim()
}
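Review bot: the `*+` added to both patterns is not explained in the comment above `result =`, so a later edit could drop it and bring back the crash on long `${{ ... }}` expressions that the 0.4.27 change note describes. Add a line saying the quantifier is possessive to stop the regex engine backtracking, and that this is safe because the `}(?!})` branch already refuses to consume the first brace of a closing `}}`, so no match depends on giving characters back. The pattern literal is also duplicated between `regexpFind` and `regexpCapture`; binding it once would keep the two from diverging. No test with an expression over around 300 characters is visible in this part of the diff.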

2 changes: 1 addition & 1 deletion actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.26
version: 0.4.28
library: true
warnOnImplicitThis: true
dependencies:
8 changes: 8 additions & 0 deletions actions/ql/src/CHANGELOG.md
@@ -1,3 +1,11 @@
## 0.6.20

No user-facing changes.

## 0.6.19

No user-facing changes.

## 0.6.18

No user-facing changes.
3 changes: 3 additions & 0 deletions actions/ql/src/change-notes/released/0.6.19.md
@@ -0,0 +1,3 @@
## 0.6.19

No user-facing changes.
3 changes: 3 additions & 0 deletions actions/ql/src/change-notes/released/0.6.20.md
@@ -0,0 +1,3 @@
## 0.6.20

No user-facing changes.
2 changes: 1 addition & 1 deletion actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.18
lastReleaseVersion: 0.6.20
2 changes: 1 addition & 1 deletion actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.18
version: 0.6.20
library: false
warnOnImplicitThis: true
groups: [actions, queries]