CodeQL 2.17.2 (2024-05-07)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.17.2 runs a total of 413 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 130 queries (covering 34 more CWE). 1 security query has been added with this release.
CodeQL CLI¶
Improvements¶
When uploading a SARIF file to GitHub using
codeql github upload-results, the CodeQL CLI now waits for the file to be processed by GitHub. If any errors occurred during processing of the analysis results, the command will log these and return a non-zero exit code. To disable this behaviour, pass the--no-wait-for-processingflag.By default, the command will wait for the SARIF file to be processed for a maximum of 2 minutes, however this is configurable with the
--wait-for-processing-timeoutoption.The build tracer is no longer enabled when using the
nonebuild mode to analyze a compiled language, thus improving performance.
Known Issues¶
The beta support for analyzing Swift in this release and all previous releases requires
g++-13when running on Linux. Users analyzing Swift using theubuntu-latest,ubuntu-22.04, orubuntu-20.04runner images for GitHub Actions should update their workflows to installg++-13. For more information, see the runner images announcement.
Query Packs¶
Minor Analysis Improvements¶
C/C++¶
The “Uncontrolled data used in path expression” query (
cpp/path-injection) query produces fewer near-duplicate results.The “Global variable may be used before initialization” query (
cpp/global-use-before-init) no longer raises an alert on global variables that are initialized when they are declared.The “Inconsistent null check of pointer” query (
cpp/inconsistent-nullness-testing) query no longer raises an alert when the guarded check is in a macro expansion.
Golang¶
The query
go/incomplete-hostname-regexpnow recognizes more sources involving concatenation of string literals and also follows flow through string concatenation. This may lead to more alerts.Added some more barriers to flow for
go/incorrect-integer-conversionto reduce false positives, especially around type switches.
JavaScript/TypeScript¶
The JavaScript extractor will on longer report syntax errors related to “strict mode”. Files containing such errors are now being fully analyzed along with other sources files. This improves our support for source files that technically break the “strict mode” rules, but where a build steps transforms the code such that it ends up working at runtime.
Language Libraries¶
Breaking Changes¶
C/C++¶
Deleted the deprecated
GlobalValueNumberingImpl.qllimplementation.
C#¶
Deleted the deprecated
getAssemblyNamepredicate from theOperatorclass. UsegetFunctionNameinstead.Deleted the deprecated
LShiftOperator,RShiftOperator,AssignLShiftExpr,AssignRShiftExpr,LShiftExpr, andRShiftExpraliases.Deleted the deprecated
getCallableDescriptionpredicate from theExternalApiDataNodeclass. UsehasQualifiedNameinstead.
Golang¶
Deleted the deprecated
CsvRemoteSourcealias. UseMaDRemoteSourceinstead.
Java/Kotlin¶
Deleted the deprecated
AssignLShiftExpr,AssignRShiftExpr,AssignURShiftExpr,LShiftExpr,RShiftExpr, andURShiftExpraliases.
JavaScript/TypeScript¶
Deleted the deprecated
getInputpredicate from theCryptographicOperationclass. UsegetAnInputinstead.Deleted the deprecated
RegExpPatternsmodule fromRegexp.qll.Deleted the deprecated
semmle/javascript/security/BadTagFilterQuery.qll,semmle/javascript/security/OverlyLargeRangeQuery.qll,semmle/javascript/security/regexp/RegexpMatching.qll, andSecurity/CWE-020/HostnameRegexpShared.qllfiles.
Python¶
Deleted the deprecated
RegExpPatternsmodule fromRegexp.qll.Deleted the deprecated
Security/CWE-020/HostnameRegexpShared.qllfile.
Ruby¶
Deleted the deprecated
RegExpPatternsmodule fromRegexp.qll.Deleted the deprecated
security/cwe-020/HostnameRegexpShared.qllfile.
Minor Analysis Improvements¶
C/C++¶
Source models have been added for the standard library function
getc(and variations).Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
Parameters of functions without definitions now have
ParameterNodes.The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
C#¶
Generated .NET Runtime models for properties with both getters and setters have been removed as this is now handled by the data flow library.
JavaScript/TypeScript¶
Improved detection of whether a file uses CommonJS module system.
Deprecated APIs¶
Golang¶
To make Go consistent with other language libraries, the
UntrustedFlowSourcename has been deprecated throughout. UseRemoteFlowSourceinstead, which replaces it.Where modules have classes named
UntrustedFlowAsSource, these are also deprecated and theSourceclass in the same module or theRemoteFlowSourceclass should be used instead.
Python¶
Renamed the
StrConstclass toStringLiteral, for greater consistency with other languages. TheStrConstandStrclasses are now deprecated and will be removed in a future release.
New Features¶
C/C++¶
Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See
dataflow/ExternalFlow.qllfor documentation and specification of the model format, andmodels/implementations/ZMQ.qllfor a simple example of models. Importing models from.ymlis not yet supported.