CodeQL documentation
CodeQL resources

CodeQL 2.15.2 (2023-11-13)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.15.2 runs a total of 399 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 1 security query has been added with this release.

CodeQL CLI

Breaking Changes

  • C++ extraction has been updated to output more accurate C++ value categories. This may cause unexpected alerts on databases extracted with an up-to-date CodeQL when the queries are part of a query pack that was compiled with an earlier CodeQL. To resolve this, please recompile the query pack with the latest CodeQL.

Bug Fixes

  • Fixed a bug where codeql github upload-results would report a 403 error when attempting to upload to a GitHub Enterprise Server instance.

  • Fixed a bug in Python extraction where UTF-8 characters would cause logging to fail on systems with non-UTF-8 default system encoding (for example, Windows systems).

  • The resolve qlpacks --kind extension command no longer resolves extensions packs from the search path. This matches the behavior of resolve extensions-by-pack and will ensure that extensions which are resolved by resolve qlpacks --kind extension can also be resolved by resolve extensions-by-pack.

New Features

  • codeql database analyze and codeql database interpret-results can now output human-readable analysis summaries in a new format. This format provides file coverage information and improves the way that diagnostic messages are displayed. The new format also includes a link to the tool status page when the GITHUB_SERVER_URL and GITHUB_REPOSITORY environment variables are set. Note that that page only exists on GitHub.com, or in GitHub Enterprise Server version 3.9.0 or later. To enable this new format, pass the --analysis-summary-v2 flag.

  • CodeQL now supports distinguishing file coverage information between related languages C and C++, Java and Kotlin, and JavaScript and TypeScript. By default, file coverage information for each of these pairs of languages is grouped together. To enable specific file coverage information for these languages, pass the --sublanguage-file-coverage flag when initializing the database (with codeql database create or codeql database init) and when analyzing the database (with codeql database analyze or codeql database interpret-results). If you are uploading results to a GitHub instance, this flag requires GitHub.com or GitHub Enterprise Server version 3.12 or later.

  • All CLI commands now support --common-caches, which controls the location of the cached data that is persisted between several runs of the CLI, such as downloaded QL packs and compiled query plans.

Improvements

  • Model packs that are used in an analysis will now be included in an output SARIF results file. All model packs now include the isCodeQLModelPack: true property in their tool component property bag.

  • The default formatting of DIL now more closely resembles equivalent QL code.

Query Packs

Minor Analysis Improvements

Golang

  • The query go/incorrect-integer-conversion now correctly recognizes more guards of the form if val <= x to protect a conversion uintX(val).

Java/Kotlin

  • java/summary/lines-of-code now gives the total number of lines of Java and Kotlin code, and is the only query tagged lines-of-code. java/summary/lines-of-code-java and java/summary/lines-of-code-kotlin give the per-language counts.

  • The query java/spring-disabled-csrf-protection has been improved to detect more ways of disabling CSRF in Spring.

JavaScript/TypeScript

  • Added modeling for importing express-rate-limit using a named import.

Language Libraries

Bug Fixes

Golang

  • Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing Callable. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results.

Breaking Changes

C/C++

  • The Container and Folder classes now derive from ElementBase instead of Locatable, and no longer expose the getLocation predicate. Use getURL instead.

Minor Analysis Improvements

C/C++

  • More field accesses are identified as ImplicitThisFieldAccess.

  • Added support for new floating-point types in C23 and C++23.

Golang

Java/Kotlin

  • Java classes MethodAccess, LValue and RValue were renamed to MethodCall, VarWrite and VarRead respectively, along with related predicates and class names. The old names remain usable for the time being but are deprecated and should be replaced.

  • New class NewClassExpr was added to represent specifically an explicit new ClassName(...) invocation, in contrast to ClassInstanceExpr which also includes expressions that implicitly instantiate classes, such as defining a lambda or taking a method reference.

  • Added up to date models related to Spring Framework 6’s org.springframework.http.ResponseEntity.

  • Added models for the following packages:

    • com.alibaba.fastjson2

    • javax.management

    • org.apache.http.client.utils

Python

  • Added support for functions decorated with contextlib.contextmanager.

  • Namespace packages in the form of regular packages with missing __init__.py-files are now allowed. This enables the analysis to resolve modules and functions inside such packages.

Swift

  • Improved support for flow through captured variables that properly adheres to inter-procedural control flow.

  • Added children of UnspecifiedElement, which will be present only in certain downgraded databases.

  • Collection content is now automatically read at taint flow sinks. This removes the need to define an allowImplicitRead predicate on data flow configurations where the sink might be an array, set or similar type with tainted contents. Where that step had not been defined, taint may find additional results now.

  • Added taint models for StringProtocol.appendingFormat and String.decodeCString.

  • Added taint flow models for members of Substring.

  • Added taint flow models for RawRepresentable.

  • The contents of autoclosure function parameters are now included in the control flow graph and data flow libraries.

  • Added models of StringProtocol and NSString methods that evaluate regular expressions.

  • Flow through ‘open existential expressions’, implicit expressions created by the compiler when a method is called on a protocol. This may apply, for example, when the method is a modelled taint source.

New Features

C/C++

  • Added a new class AdditionalCallTarget for specifying additional call targets.

Shared Libraries

Bug Fixes

Dataflow Analysis

  • The API for debugging flow using partial flow has changed slightly. Instead of using module Partial = FlowExploration<limit/0> and choosing between Partial::partialFlow and Partial::partialFlowRev, you now choose between module Partial = FlowExplorationFwd<limit/0> and module Partial = FlowExplorationRev<limit/0>, and then always use Partial::partialFlow.

Minor Analysis Improvements

Range Analysis

  • Initial release. Moves the range analysis library into its own qlpack.

New Features

Utility Classes

  • Added FilePath API for normalizing filepaths.

  • © GitHub, Inc.
  • Terms
  • Privacy