github · aibaars · Sep 5, 2025 · Sep 5, 2025
@@ -31,7 +31,7 @@ jobs:
       with:
         python-version: 3.8
     - name: Download CodeQL CLI
-      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
       uses: ./codeql/.github/actions/fetch-codeql
     - name: Build code scanning query list
       run: |

@@ -32,7 +32,7 @@ jobs:
 
       - uses: actions/setup-node@v1
       - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
           npm build
 
       - uses: completely/fakeaction@v2

@@ -32,7 +32,7 @@ jobs:
 
       - uses: actions/setup-node@v1
       - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
           npm build
 
       - uses: completely/fakeaction@v2

@@ -32,7 +32,7 @@ jobs:
 
       - uses: actions/setup-node@v1
       - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
           npm build
 
       - uses: completely/fakeaction@v2

@@ -625,7 +625,7 @@ Then the evaluation of the ``depth`` predicate proceeds as follows:
 +-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | **Stage** | **depth**                                  | **Comments**                                                                                                                                                             |
 +===========+============================================+==========================================================================================================================================================================+
-| 0         |                                            | We always begin with the empty set.                                                                                                                                      |
+| 0         |                                            | We always begin with the empty set.                                                                                                                                      |
 +-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 1         | ``(0, b), (0, d), (0, e)``                 | The nodes with no children have depth 0. The recursive step for **a** and **c** fails to produce a value, since some of their children do not have values for ``depth``. |
 +-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

@@ -1,2 +1,2 @@
 lgtm,codescanning
-* The extractor now only extracts go.mod files belonging to extracted packages. In particular, vendored go.mod files will no longer be extracted unless the vendored package is explicitly passed to the extractor. This will remove unexpected `GoModExpr` and similar expressions seen by queries.
+* The extractor now only extracts go.mod files belonging to extracted packages. In particular, vendored go.mod files will no longer be extracted unless the vendored package is explicitly passed to the extractor. This will remove unexpected `GoModExpr` and similar expressions seen by queries.
@@ -28,7 +28,7 @@ class Architecture extends string {
   }
 
   /**
-   * Gets the integer and pointer type width for this architecture.
+   * Gets the integer and pointer type width for this architecture.
    *
    * As of the time of writing, this appears to always be identical -- there aren't
    * Go architectures with 64-bit pointers but 32-bit ints, for example.

@@ -994,7 +994,7 @@ module Public {
   class ComponentReadNode extends ReadNode {
     override IR::ComponentReadInstruction insn;
 
-    /** Gets the data-flow node representing the base from which the field or element is read. */
+    /** Gets the data-flow node representing the base from which the field or element is read. */
     Node getBase() { result = DataFlow::instructionNode(insn.getBase()) }
   }
 

@@ -109,7 +109,7 @@ module Beego {
 
     override string getAContentType() {
       // Super-method provides content-types for `Body`, which requires us to search
-      // for `ContentType` and `Header` calls against the same `BeegoOutput` instance
+      // for `ContentType` and `Header` calls against the same `BeegoOutput` instance
       result = super.getAContentType()
       or
       // Specifically describe methods that set the content-type and body in one operation:

@@ -22,7 +22,7 @@ the returned pointer.</p>
 
 <sample src="MissingErrorCheck.go" />
 
-<p>The corrected version of <code>user</code> checks <code>err</code> before using <code>ptr</code>.</p>
+<p>The corrected version of <code>user</code> checks <code>err</code> before using <code>ptr</code>.</p>
 
 <sample src="MissingErrorCheckGood.go" />
 

@@ -22,7 +22,7 @@ predicate isNil(DataFlow::Node node) { node = Builtin::nil().getARead() }
 /**
  * Matches if `call` may return a nil pointer alongside an error value.
  *
- * This is both an over- and under-estimate: over in that we assume opaque functions may use this
+ * This is both an over- and under-estimate: over in that we assume opaque functions may use this
  * convention, and under in that functions with bodies are only recognized if they use a literal
  * `nil` for the pointer return value at some return site.
  */

@@ -211,7 +211,7 @@ module TlsInsecureCipherSuitesFlow = TaintTracking::Global<TlsInsecureCipherSuit
 
 /**
  * Holds if an insecure TLS cipher suite flows from `source` to `sink`, where `sink`
- * is written to the CipherSuites list of a `tls.Config` instance. `message` describes
+ * is written to the CipherSuites list of a `tls.Config` instance. `message` describes
  * the exact problem found.
  */
 predicate isInsecureTlsCipherFlow(

@@ -297,7 +297,7 @@ func testUtilsPropagators(c *beego.Controller) {
 	c.CustomAbort(500, utils.SlicePad(untainted, 10, genericFiles[0])[0].(*multipart.FileHeader).Filename)
 	c.CustomAbort(500, utils.SlicePad(genericFiles, 10, untainted[0])[0].(*multipart.FileHeader).Filename)
 	c.CustomAbort(500, utils.SliceRand(genericFiles).(*multipart.FileHeader).Filename)
-	// Note this is misnamed -- it's a map operation, not a reduce
+	// Note this is misnamed -- it's a map operation, not a reduce
 	c.CustomAbort(500, utils.SliceReduce(genericFiles, func(x interface{}) interface{} { return x })[0].(*multipart.FileHeader).Filename)
 	c.CustomAbort(500, utils.SliceShuffle(genericFiles)[0].(*multipart.FileHeader).Filename)
 	c.CustomAbort(500, utils.SliceUnique(genericFiles)[0].(*multipart.FileHeader).Filename)

@@ -26,19 +26,19 @@ type MyRoute struct {
 // Implement some request handlers on that Controller exhibiting some common problems:
 
 func (c MyRoute) Handler1() revel.Result {
-	// GOOD: the Render function is likely to properly escape the user-controlled parameter.
+	// GOOD: the Render function is likely to properly escape the user-controlled parameter.
 	return c.Render("someviewparam", c.Params.Form.Get("someField"))
 }
 
 func (c MyRoute) Handler2() revel.Result {
-	// BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
+	// BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
 	buf := &bytes.Buffer{}
 	buf.WriteString(c.Params.Form.Get("someField"))
 	return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf'
 }
 
 func (c MyRoute) Handler3() revel.Result {
-	// GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename
+	// GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename
 	// means it will be given a safe content-type.
 	buf := &bytes.Buffer{}
 	buf.WriteString(c.Params.Form.Get("someField"))

@@ -178,7 +178,7 @@ added by extending ``Dataflow::SourceNode::Range``. Some of its subclasses can s
 extended. For example, ``DataFlow::ModuleImportNode`` models module imports, and ``DataFlow::ClassNode`` models
 class definitions. The former provides default implementations covering CommonJS, AMD, and ECMAScript
 2015 modules, while the latter handles ECMAScript 2015 classes, as well as traditional function-based
-classes. You can extend their corresponding ``::Range`` classes to add support for other module or
+classes. You can extend their corresponding ``::Range`` classes to add support for other module or
 class systems.
 
 Type inference

@@ -1,7 +1,7 @@
 const axios = require('axios');
 
 export const handler = async (req, res, next) => {
-  const { target } = req.body;
+  const { target } = req.body;
 
   try {
     // BAD: `target` is controlled by the attacker

@@ -2,7 +2,7 @@ const axios = require('axios');
 const validator = require('validator');
 
 export const handler = async (req, res, next) => {
-  const { target } = req.body;
+  const { target } = req.body;
 
   if (!validator.isAlphanumeric(target)) {
     return next(new Error('Bad request'));

@@ -1,9 +1,9 @@
 type Mapped<MK extends string = ''> = {
-        [mk in MK]: string
+        [mk in MK]: string
     };
 
 export function fn(ev: Mapped) {
-    const props: Mapped = {
-        ...ev
-    };
+    const props: Mapped = {
+        ...ev
+    };
 }
@@ -1,9 +1,9 @@
 type Mapped<MK extends string = ';'> = {
-        [mk in MK]: string
+        [mk in MK]: string
     };
 
 export function fn(ev: Mapped) {
-    const props: Mapped = {
-        ...ev
-    };
+    const props: Mapped = {
+        ...ev
+    };
 }
diff --git a/misc/scripts/shared-code-metrics.py b/misc/scripts/shared-code-metrics.py
@@ -159,7 +159,7 @@ def link(self):
 
     def containsDirectory(self, dir):
         return self.path.parent.parts == dir.parts[:len(self.path.parent.parts)]
-        # dir.startsWith(self.path.parent)
+        # dir.startsWith(self.path.parent)
 
     # Constructs a list of transitive depedencies of this package.
     def calculateDependencies(self, packageNameMap):

@@ -174,7 +174,7 @@
 { let @unaryop.node = (ast-node @unaryop "UnaryOp") }
 
 (exec_statement) @exec
-{ let @exec.node = (ast-node @exec "Exec") }
+{ let @exec.node = (ast-node @exec "Exec") }
 
 (print_statement) @print
 { let @print.node = (ast-node @print "Print") }
@@ -3040,7 +3040,7 @@
     if some @is_kwarg {
         attr (@lambda.function -> @name.node) kwonlyargs = (named-child-index @param)
     }
-    else { 
+    else { 
         attr (@lambda.function -> @name.node) args = (named-child-index @param)
     }
 
@@ -3153,7 +3153,7 @@
     if some @is_kwarg {
         attr (@funcdef.function -> @name.node) kwonlyargs = (named-child-index @param)
     }
-    else { 
+    else { 
         attr (@funcdef.function -> @name.node) args = (named-child-index @param)
     }
 
@@ -3284,7 +3284,7 @@
     attr (@last.node) func = @exp.node
     edge @last.node -> @funcdef.funcexpr
     attr (@last.node -> @funcdef.funcexpr) positional_args = 0
-    attr (@last.node) _location_end = (location-end @exp)
+    attr (@last.node) _location_end = (location-end @exp)
 }
 
 (decorated_definition
@@ -3296,7 +3296,7 @@
     attr (@last.node) func = @exp.node
     edge @last.node -> @class.class_expr
     attr (@last.node -> @class.class_expr) positional_args = 0
-    attr (@last.node) _location_end = (location-end @exp)
+    attr (@last.node) _location_end = (location-end @exp)
 }
 
 ;;; Type parameters

@@ -1 +1 @@
-known_attr = [1000] #$ writes=known_attr
+known_attr = [1000] #$ writes=known_attr
@@ -35,7 +35,7 @@ def set_foo(some_class_instance): # $ tracked=foo
     some_class_instance.foo = tracked # $ tracked=foo tracked
 
 def test_set_x():
-    x = SomeClass() # $ MISSING: tracked=foo
+    x = SomeClass() # $ MISSING: tracked=foo
     set_foo(x) # $ MISSING: tracked=foo
     print(x.foo) # $ MISSING: tracked=foo tracked
 
@@ -51,7 +51,7 @@ def test_create_with_foo():
 
 def test_global_attribute_assignment():
     global global_var
-    global_var.foo = tracked # $ tracked tracked=foo
+    global_var.foo = tracked # $ tracked tracked=foo
 
 def test_global_attribute_read():
     x = global_var.foo # $ tracked tracked=foo
@@ -61,7 +61,7 @@ def test_local_attribute_assignment():
     # In this case, we don't want flow going to the `ModuleVariableNode` for `local_var` 
     # (which is referenced in `test_local_attribute_read`).
     local_var = object() # $ tracked=foo
-    local_var.foo = tracked # $ tracked tracked=foo
+    local_var.foo = tracked # $ tracked tracked=foo
 
 def test_local_attribute_read():
     x = local_var.foo
@@ -129,7 +129,7 @@ def dunder_dict_indirect_write():
     x = SomeClass() # $ MISSING: tracked=foo
     x.__dict__[attr] = tracked # $tracked MISSING: tracked=foo
     y = x.foo # $ MISSING: tracked tracked=foo
-    do_stuff(y) # $ MISSING: tracked
+    do_stuff(y) # $ MISSING: tracked
 
 def dunder_dict_indirect_read():
     attr = "foo"
@@ -153,7 +153,7 @@ def __init__(self): # $ tracked=foo
     def print_foo(self): # $ MISSING: tracked=foo
         print(self.foo) # $ MISSING: tracked=foo tracked
 
-    def possibly_uncalled_method(self): # $ MISSING: tracked=foo
+    def possibly_uncalled_method(self): # $ MISSING: tracked=foo
         print(self.foo) # $ MISSING: tracked=foo tracked
 
 instance = MyClass2()
@@ -170,7 +170,7 @@ def print_self(self): # $ tracked=foo
     def print_foo(self): # $ tracked=foo
         print(self.foo) # $ tracked=foo tracked
 
-    def possibly_uncalled_method(self): # $ MISSING: tracked=foo
+    def possibly_uncalled_method(self): # $ MISSING: tracked=foo
         print(self.foo) # $ MISSING: tracked=foo tracked
 
 instance = MyClass3() # $ tracked=foo

@@ -1,6 +1,6 @@
 def generate_password()
   chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
-  # BAD: rand is not cryptographically secure
+  # BAD: rand is not cryptographically secure
   password = (1..10).collect { chars[rand(chars.size)] }.join
 end
 

@@ -2,7 +2,7 @@
 
 def generate_password_1(length)
   chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
-  # BAD: rand is not cryptographically secure
+  # BAD: rand is not cryptographically secure
   password = (1..length).collect { chars[rand(chars.size)] }.join
 end
 

@@ -46,7 +46,7 @@ def user_params
     def create4
         x = params[:user]
         x.permit!
-        User.new(x) # BAD
+        User.new(x) # BAD
         User.new(x.permit(:name,:address)) # GOOD
         User.new(params.permit(user: {})) # BAD
         User.new(params.permit(user: [:name, :address, {friends:{}}])) # BAD
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		known_attr = [1000] #$ writes=known_attr
		known_attr = [1000] #$ writes=known_attr