CodeQL documentation

CodeQL 2.10.2 (2022-08-02)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.10.2 runs a total of 341 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.


Breaking Changes

  • The option --compiler-spec to codeql database create (and codeql database trace-command) no longer works. It is replaced by --extra-tracing-config, which accepts a tracer configuration file in the new, Lua-based tracer configuration format instead. See tools/tracer/base.lua for the precise API available. If you need help porting your existing compiler specification files, please file a public issue in, or open a private ticket with GitHub support and request an escalation to engineering.

Potentially Breaking Changes

  • Versions of the CodeQL extension for Visual Studio Code released before February 2021 may not work correctly with this CLI, in particular if database upgrades are necessary. We recommend keeping your VS Code extension up-to-date.


  • The experimental codeql resolve ml-models command has been deprecated. Advanced users calling this command should use the new codeql resolve extensions command instead.

New Features

  • The codeql github upload-results command now supports a --merge option. If this option is provided, the command will accept the paths to multiple SARIF files, and will merge those files before uploading them as a single analysis. This option is recommended only for backwards compatibility with old analyses produced by the CodeQL Runner, which combined the results for multiple languages into a single analysis.

Query Packs

Breaking Changes


  • Contextual queries and the query libraries they depend on have been moved to the codeql/python-all package.

New Queries


  • A new query “Case-sensitive middleware path” (js/case-sensitive-middleware-path) has been added. It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path.
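
The pattern this query reports, as an added example (not code from CodeQL or its query help). It uses a small dependency-free stand-in for an Express-style router and assumes string route paths match case-insensitively while regular-expression paths match exactly as written; requireAuth, buildApp and the token are hypothetical names and constructed values.

```javascript
// Added example: dependency-free stand-in for an Express-style router.
// Assumption: string paths match case-insensitively (Express's default),
// while RegExp paths match exactly as written.
function pathMatcher(path) {
  if (path instanceof RegExp) return (url) => path.test(url);
  const wanted = path.toLowerCase();
  return (url) => url.toLowerCase() === wanted;
}

function createApp() {
  const stack = [];
  const add = (path, fn) => stack.push({ match: pathMatcher(path), fn });
  // Run matching layers in registration order and return the response.
  function handle(url, headers = {}) {
    const req = { url, headers };
    const res = { status: 404, body: "not found" };
    let i = 0;
    const next = () => {
      while (i < stack.length) {
        const layer = stack[i++];
        if (layer.match(url)) return layer.fn(req, res, next);
      }
    };
    next();
    return res;
  }
  return { use: add, get: add, handle };
}

// Hypothetical auth guard; the token is a constructed sample value.
function requireAuth(req, res, next) {
  if (req.headers.authorization === "Bearer constructed-token") return next();
  res.status = 401;
  res.body = "unauthorized";
}

function buildApp(guardPath) {
  const app = createApp();
  app.use(guardPath, requireAuth);
  app.get("/admin/users", (req, res) => { res.status = 200; res.body = "user list"; });
  return app;
}

const flagged = buildApp(/^\/admin\/.*/);  // case-sensitive guard path
const fixed = buildApp(/^\/admin\/.*/i);   // same guard with the `i` flag
const statusFor = (app, url, headers) => app.handle(url, headers).status;

console.log(statusFor(flagged, "/ADMIN/users")); // guard skipped
console.log(statusFor(fixed, "/ADMIN/users"));   // guard applied
```

Adding the `i` flag to the middleware's regular expression, or registering the guard with a string path, keeps the guard and the endpoint matching the same set of URLs.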


  • Added a new experimental query, rb/manually-checking-http-verb, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.
  • Added a new experimental query, rb/weak-params, to detect cases when the Rails strong parameters pattern isn’t followed and values flow into persistent store writes.

Language Libraries

Bug Fixes


  • Under certain circumstances a variable declaration that is not also a definition could be associated with a Variable that did not have the definition as a VariableDeclarationEntry. This is now fixed, and a unique Variable will exist that has both the declaration and the definition as a VariableDeclarationEntry.

Minor Analysis Improvements


  • The JUnit5 version of AssertNotNull is now recognized, which removes related false positives in the nullness queries.
  • Added data flow models for java.util.Scanner.


  • Calls to Arel.sql are now recognised as propagating taint from their argument.
  • Calls to ActiveRecord::Relation#annotate are now recognized as SqlExecutions so that they will be considered as sinks for queries like rb/sql-injection.

New Features


  • The QL predicate Expr::getUnderlyingExpr has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.