CodeQL 2.23.1 adds support for Java 25, TypeScript 5.9 and Swift 6.1.3
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.23.1, which includes the following:
- Added support for Java 25, TypeScript 5.9, and Swift 6.1.3
- Introduced a new server-side request forgery (SSRF) query for Rust
- Modernized several Python quality queries
- Improved Java null dereference analysis and JavaScript data flow and framework modeling
Language and framework support
- Java / Kotlin: Added support for Java 25, including compact source files (JEP 512) and module import declarations.
- JavaScript / TypeScript: Added support for TypeScript 5.9.
- Swift: Added support for analyzing projects using Swift 6.1.3.
Query changes
We have also made improvements and additions to queries across several languages:
- Rust: Added a new security query `rust/request-forgery` to detect server-side request forgery (SSRF) vulnerabilities.
- Java: Reimplemented `java/dereferenced-value-may-be-null`, reducing false positives.
- JavaScript / TypeScript: Promoted the query `js/cors-permissive-configuration` from experimental status into the default security suite. This query detects misconfigured CORS HTTP headers that can leak secret credentials.
- Python: Modernized the queries `py/missing-call-to-init`, `py/missing-calls-to-del`, `py/multiple-calls-to-init`, and `py/multiple-calls-to-del`, resulting in more precise results, clearer messages, and updated documentation.
- Go:
  - The `go/path-injection` query now detects sanitization patterns that prepend `\` to paths, improving accuracy.
  - Adjusted the path injection query so that the second argument to `os.CreateTemp` is no longer treated as a sink, because Go itself sanitizes that argument.
- C/C++: Reduced the precision of `cpp/wrong-type-format-argument`, `cpp/comparison-with-wider-type`, `cpp/integer-multiplication-cast-to-long`, `cpp/implicit-function-declaration`, and `cpp/suspicious-add-sizeof` from high to medium and moved them to the security-extended query suite. This will close all alerts identified by these queries if the default query suite is used. The alerts can be brought back by enabling the security-extended query suite.
- C#: Improved `cs/call-to-object-tostring` to suppress false positives for enum types.
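The two Go items above describe behaviour rather than show it, so here is an added example (not code from the release notes or from the CodeQL project) that demonstrates both: a user-controlled path joined directly into a base directory versus the sanitization pattern of prepending a root separator before cleaning, and `os.CreateTemp` refusing a pattern that contains a path separator, which is why that argument is not a useful path-injection sink. The example prepends `filepath.Separator` (`\` on Windows, `/` elsewhere); the base directory, the sample input and the function names (`unsafeJoin`, `safeJoin`, `staysUnderBase`, `createTempRejectsSeparator`) are constructed for the example, and whether a particular variant of the pattern is recognized by the query is not something the code checks.

```go
package main

// Added example, not part of the CodeQL release notes or the CodeQL project.
// It demonstrates the two Go behaviours mentioned in the release notes:
//  1. the sanitization pattern of prepending a root separator and cleaning a
//     user-controlled path, so ".." segments cannot escape a base directory;
//  2. os.CreateTemp rejecting a pattern that contains a path separator.
// All function names and sample values below are constructed for illustration.

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// unsafeJoin is the vulnerable shape: user input is joined straight into the
// base directory, so "../" segments walk out of base.
func unsafeJoin(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// safeJoin prepends the platform separator (`\` on Windows, `/` elsewhere) and
// cleans the result, so ".." segments are resolved against the root and cannot
// climb above it; the rooted path is then placed under base.
func safeJoin(base, userPath string) string {
	rooted := filepath.Clean(string(filepath.Separator) + userPath)
	return filepath.Join(base, rooted)
}

// staysUnderBase reports whether p is base itself or lies beneath it.
func staysUnderBase(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// createTempRejectsSeparator calls os.CreateTemp with the given pattern and
// reports whether Go refused it at the pattern check (PathError with
// Op "createtemp"), which is what happens when the pattern contains a
// path separator. A file that does get created is removed again.
func createTempRejectsSeparator(pattern string) bool {
	f, err := os.CreateTemp("", pattern)
	if err != nil {
		var pe *os.PathError
		return errors.As(err, &pe) && pe.Op == "createtemp"
	}
	f.Close()
	os.Remove(f.Name())
	return false
}

func main() {
	// Constructed sample values: a base directory and a traversal attempt.
	base := filepath.Join(string(filepath.Separator), "srv", "files")
	in := filepath.Join("..", "..", "etc", "passwd")

	u := unsafeJoin(base, in)
	s := safeJoin(base, in)
	fmt.Printf("unsafe join: %s (under base: %v)\n", u, staysUnderBase(base, u))
	fmt.Printf("safe join:   %s (under base: %v)\n", s, staysUnderBase(base, s))

	pattern := in + "-*"
	fmt.Printf("os.CreateTemp rejects %q: %v\n", pattern, createTempRejectsSeparator(pattern))
}
```

Run it on a POSIX host and the unsafe join resolves to `/etc/passwd` while the safe join stays at `/srv/files/etc/passwd`; the traversal pattern handed to `os.CreateTemp` is refused before any file is created, while a plain `name-*` pattern succeeds.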
For GitHub Actions, file coverage information is now surfaced on the code scanning tool status page, improving observability of analysis completeness.
For a full list of changes, please refer to the complete changelog for version 2.23.1. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.23.1 will also be included in a GitHub Enterprise Server (GHES) 3.20 release. If you use an older version of GHES, you can manually upgrade your CodeQL version.