CodeQL 2.15.3 (2023-11-22)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.15.3 runs a total of 401 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 2 security queries have been added with this release.
CodeQL CLI¶
Bug Fixes¶
Fixed an internal error in the compiler when arguments to the
codePointCountstring primitive were not bound.Fixed a bug where
codeql database finalizewould fail if a database under construction was moved between machines betweencodeql database initandcodeql database finalize. This should now work, as long as both commands are run by the same release of the CodeQL CLI and the extractors used are the ones bundled with the CLI.Fixed a bug where
codeql database run-querieswould fail in some circumstances when the database path included an@.
New Features¶
codeql database analyzenow defaults to include markdown query help for all custom queries with help files available. To change the default behaviour you can pass the new flag--sarif-include-query-help, which provides the optionsalways(which includes query help for all queries),custom_queries_only(the default) andnever(which does not include query help for any query). The existing flag--sarif-add-query-helphas been deprecated and will be removed in a future release.The new (advanced) command-line option
--[no-]linkage-aware-importdisables the linkage-awareness phase ofcodeql dataset import, as a quick fix (at the expense of database completeness) for C++ projects where this part of database creation consumes too much memory. This option is available in the commandsdatabase create,database finalize,database import,dataset import,test extract, andtest run.The CodeQL language server now provides basic support for Rename, and you can now use the Rename Symbol functionality in Visual Studio Code for CodeQL. The current Rename support is less a refactoring tool and more a labor-saving device. You may have to perform some manual edits after using Rename, but it should still be faster and less work than renaming a symbol manually.
Improvements¶
The Find References feature in the CodeQL language server now supports all CodeQL identifiers and offers improved performance compared to CodeQL CLI 2.14 releases.
The compiler generates shorter human-readable DIL and RA relation names. Due to use of an extended character set, full VS Code support for short relation names requires VS Code extension 1.9.4 or newer.
codeql database createandcodeql database finalizenow log more diagnostic information during database finalization, including the size of each relation, their total size, and the rate at which they were written to disk.
Query Packs¶
Minor Analysis Improvements¶
C/C++¶
The
cpp/uninitialized-localquery has been improved to produce fewer false positives.
C#¶
CIL extraction is now disabled by default. It is still possible to turn on CIL extraction by setting the
cilextractor option totrueor by setting the environment variable$CODEQL_EXTRACTOR_CSHARP_OPTION_CILtotrue. This is the first step towards sun-setting the CIL extractor entirely.
Java/Kotlin¶
The query
java/unsafe-deserializationhas been improved to detect insecure calls toObjectMessage.getObjectin JMS.
Python¶
Added modeling of more
FileSystemAccessin packagescherrypy,aiofile,aiofiles,anyio,sanic,starlette,baize, andio. This will mainly affect the Uncontrolled data used in path expression (py/path-injection) query.
Swift¶
Added additional sinks for the “Uncontrolled data used in path expression” (
swift/path-injection) query. Some of these sinks are heuristic (imprecise) in nature.Fixed an issue where some Realm database sinks were not being recognized for the
swift/cleartext-storage-databasequery.
New Queries¶
Swift¶
Added new query “System command built from user-controlled sources” (
swift/command-line-injection) for Swift. This query detects system commands built from user-controlled sources without sufficient validation. The query was previously contributed to the ‘experimental’ directory by @maikypedia but will now run by default for all code scanning users.Added a new query “Missing regular expression anchor” (
swift/missing-regexp-anchor) for Swift. This query detects regular expressions without anchors that can be vulnerable to bypassing.
Query Metadata Changes¶
JavaScript/TypeScript¶
Lower the security severity of log-injection to medium.
Increase the security severity of XSS to high.
Language Libraries¶
Bug Fixes¶
Golang¶
A bug has been fixed that meant that value flow through an array was not tracked correctly in some circumstances. Taint flow was tracked correctly.
Breaking Changes¶
C/C++¶
The expressions
AssignPointerAddExprandAssignPointerSubExprare no longer subtypes ofAssignBitwiseOperation.
Major Analysis Improvements¶
Swift¶
Added Swift 5.9.1 support
New AST node is extracted:
SingleValueStmtExpr
Minor Analysis Improvements¶
C/C++¶
The “Returning stack-allocated memory” (
cpp/return-stack-allocated-memory) query now also detects returning stack-allocated memory allocated by calls toalloca,strdupa, andstrndupa.Added models for
strlcpyandstrlcat.Added models for the
sprintfvariants from theStrSafe.hheader.Added SQL API models for
ODBC.Added taint models for
reallocand related functions.
C#¶
The predicate
UnboundGeneric::getNamenow prints the number of type parameters as a`Nsuffix, instead of a<,...,>suffix. For example, the unbound generic typeSystem.Collections.Generic.IList<T>is printed asIList`1instead ofIList<>.The predicates
hasQualifiedName,getQualifiedName, andgetQualifiedNameWithTypeshave been deprecated, and are instead replaced byhasFullyQualifiedName,getFullyQualifiedName, andgetFullyQualifiedNameWithTypes, respectively. The new predicates use the same format for unbound generic types as mentioned above.These changes also affect models-as-data rows that refer to a field or a property belonging to a generic type. For example, instead of writing
extensions: - addsTo: pack: codeql/csharp-all extensible: summaryModel data: - ["System.Collections.Generic", "Dictionary<TKey,TValue>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]
one now writes
extensions: - addsTo: pack: codeql/csharp-all extensible: summaryModel data: - ["System.Collections.Generic", "Dictionary<TKey,TValue>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair`2.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair`2.Key]", "value", "manual"]
The models-as-data format for types and methods with type parameters has been changed to include the names of the type parameters. For example, instead of writing
extensions: - addsTo: pack: codeql/csharp-all extensible: summaryModel data: - ["System.Collections.Generic", "IList<>", True, "Insert", "(System.Int32,T)", "", "Argument[1]", "Argument[this].Element", "value", "manual"] - ["System.Linq", "Enumerable", False, "Select<,>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Int32,TResult>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
one now writes
extensions: - addsTo: pack: codeql/csharp-all extensible: summaryModel data: - ["System.Collections.Generic", "IList<T>", True, "Insert", "(System.Int32,T)", "", "Argument[1]", "Argument[this].Element", "value", "manual"] - ["System.Linq", "Enumerable", False, "Select<TSource,TResult>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Int32,TResult>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
Golang¶
Added the gin-contrib/cors library to the experimental query “CORS misconfiguration” (
go/cors-misconfiguration).
Java/Kotlin¶
The types
java.util.SequencedCollection,SequencedSetandSequencedMap, as well as the relatedCollections.unmodifiableSequenced*methods are now modelled. This means alerts may be raised relating to data flow through these types and methods.
Python¶
Added basic flow for attributes defined on classes, when the attribute lookup is on a direct reference to that class (so not instance, cls parameter, or self parameter). Example: class definition
class Foo: my_tuples = (dangerous, safe)and usageSINK(Foo.my_tuples[0]).
Swift¶
AST and types related to parameter packs are now extracted
Added taint flow models for the
NSString.enumerate*methods.Generalized the data flow model for subscript writes (
a[index] = b) so that it applies to subscripts on all kinds of objects, not just arrays.Fixed a bug where some flow sinks at field accesses were not being correctly identified.
Added indexed
getVariabletoCaptureListExpr, improving its AST printing and data flow.Added flow models for
Stringmethods involving closures such asString.withUTF8(_:).AST and types related to move semantics (
copy,consume,_borrow) are now extracted
Deprecated APIs¶
Java/Kotlin¶
In
SensitiveApi.qll,javaApiCallablePasswordParam,javaApiCallableUsernameParam,javaApiCallableCryptoKeyParam, andotherApiCallableCredentialParampredicates have been deprecated. They have been replaced with a new classCredentialsSinkNodeand its child classesPasswordSink,UsernameSink, andCryptoKeySink. The predicates have been changed to using the new classes, so there may be minor changes in results relying on these predicates.