Esben Sparre Andreasen
If you modify the codeql search path appropriately, you can use your own extractor in the action. We do not document how though. (See https://github.com/github/codeql-ql/blob/main/.github/workflows/nightly-changes.yml#L82)
> I know this can be seen as a controversial addition

I would like to rein this in as much as possible. Perhaps some of our [unpromoted route handlers](https://github.com/github/codeql-javascript-team/issues?q=is%3Aissue+is%3Aopen+label%3A%22Topic%3Aroute+handlers%22+) can inspire...
Taking one step back: I think it is preferable to avoid having queries that surface our misparses to end-users. Suggestions: - wait with merging the Ruby/Java versions of the query,...
We would love to have benchmark entries for your CVEs (this is highly related to #67, #68, by the way), and your example looks reasonably close to being useful (see...
> The data is indeed coming from the Android Security Bulletins.

Oh wow, and you have the commit information for most/all of them? Do you have a ballpark estimate of...
> I see your point here.

Another option would be to have a fast/complete set of CVEs for quick experiments where all information is present while a bigger dataset with...
> Actually, I started a small PoC for it but there are some repositories missing in the mirror.

Any chance you may know who is in charge of this...
> How do we pinpoint a specific line of code which should be flagged by a static analysis tool for this CVE?

Oh, this is a problem. I thought...
I like the suggestion. This would make it much easier to get started.

---

Here are my thoughts on the design (I am not pointing my finger at anyone specific...
I have some additional thoughts on this:
- I think `install` is better than `auto-install` naming wise
- I would prefer to support arbitrary installers (still implemented as JavaScript)
- ...