CodeQL documentation

CodeQL 2.10.3 (2022-08-15)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.10.3 runs a total of 342 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.

CodeQL CLI

New Features

  • When called with --start-tracing, the codeql database init command now accepts extractor options for the indirect tracing environment via --extractor-option. Users should continue to specify extractor options for direct tracing environments by passing them to codeql database trace-command invocations.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.

Query Packs

Major Analysis Improvements

Java/Kotlin

  • The query java/sensitive-log has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.

Minor Analysis Improvements

C/C++

  • The query cpp/bad-strncpy-size now covers more strncpy-like functions than before, including strxfrm(_l), wcsxfrm(_l), and stpncpy. Users of this query may see an increase in results.
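The pattern this query looks for is a size argument derived from the source string rather than from the destination buffer, which says nothing about how much room the destination actually has. The following C program is an added illustration (not code from the CodeQL project or its test suite): it places the flagged shape next to a hardened form for strncpy, and shows the same destination-bounded discipline for stpncpy and strxfrm, the two functions the query newly covers. Buffer sizes and the sample strings are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for stpncpy */
#include <stdio.h>
#include <string.h>

/* The shape cpp/bad-strncpy-size reports: the bound comes from src, so a
 * src longer than dst writes past the end of dst. Kept here only to show
 * the pattern; it is never called with a src that would not fit. */
static void copy_bounded_by_src(char *dst, const char *src) {
    strncpy(dst, src, strlen(src) + 1);   /* size derived from source: wrong */
}

/* Hardened form: the bound is the destination's capacity, and the result is
 * explicitly NUL-terminated because strncpy does not guarantee termination
 * when src is at least n characters long. Returns the length stored. */
static size_t copy_bounded_by_dst(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 0;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(dst);
}

/* stpncpy has the same contract as strncpy (no guaranteed NUL), so it gets
 * the same treatment. Returns the number of characters copied. */
static size_t stpncpy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 0;
    char *end = stpncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return (size_t)(end - dst);
}

/* strxfrm writes at most n bytes (including the NUL) and returns the length
 * the full transformed string would need. Passing the destination size and
 * comparing against the return value detects truncation. Returns 1 if it fit. */
static int strxfrm_bounded(char *dst, size_t dst_size, const char *src) {
    size_t needed = strxfrm(dst, src, dst_size);
    return needed < dst_size;
}

/* Constructed sample input: 25 characters, far longer than the 8-byte
 * destinations used below. */
static const char SAMPLE_LONG[] = "this-string-is-too-long!!";

size_t demo_strncpy_truncates(void) {
    char buf[8];
    return copy_bounded_by_dst(buf, sizeof buf, SAMPLE_LONG);   /* 7 */
}

size_t demo_stpncpy_truncates(void) {
    char buf[8];
    return stpncpy_bounded(buf, sizeof buf, SAMPLE_LONG);       /* 7 */
}

int demo_strxfrm_fits(void) {
    char buf[8];
    return strxfrm_bounded(buf, sizeof buf, "short");           /* 1 */
}

int demo_strxfrm_too_long(void) {
    char buf[8];
    return strxfrm_bounded(buf, sizeof buf, SAMPLE_LONG);       /* 0 */
}

int main(void) {
    char small[8];
    copy_bounded_by_src(small, "ok");   /* fits; the shape is still what the query reports */
    printf("strncpy kept %zu chars, stpncpy kept %zu chars\n",
           demo_strncpy_truncates(), demo_stpncpy_truncates());
    printf("strxfrm fit: %d, strxfrm too long: %d\n",
           demo_strxfrm_fits(), demo_strxfrm_too_long());
    return 0;
}
```

Bounding by the destination is what makes the truncation observable rather than an overflow: the caller can compare the returned length with the source length, or check the strxfrm return value, and decide whether a truncated copy is acceptable.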

Golang

  • The query go/path-injection no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.

Java/Kotlin

  • The query java/path-injection now recognises vulnerable APIs defined using the SinkModelCsv class with the create-file type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.

New Queries

Java/Kotlin

  • A new query “Android WebView that accepts all certificates” (java/improper-webview-certificate-validation) has been added. This query finds implementations of WebViewClients that accept all certificates in the case of an SSL error.

Language Libraries

Major Analysis Improvements

C/C++

  • The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.

Minor Analysis Improvements

Java/Kotlin

  • Improved analysis of the Android class AsyncTask so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
  • Added a data-flow model for the setProperty method of java.util.Properties. Additional results may be found where relevant data is stored in and then retrieved from a Properties instance.

Python

  • Changed .getASubclass() on API::Node so that it follows subclasses even when the class has a class decorator.

Ruby

  • Calls to methods generated by ActiveRecord associations are now recognised as instantiations of ActiveRecord objects. This increases the sensitivity of queries such as rb/sql-injection and rb/stored-xss.
  • Calls to ActiveRecord::Base.create and ActiveRecord::Base.update are now recognised as write accesses.
  • Arguments to Mime::Type#match? and Mime::Type#=~ are now recognised as regular expression sources.

New Features

C/C++

  • Added a predicate getValueConstant to AttributeArgument that yields the argument value as an Expr when the value is a constant expression.
  • A new class predicate MustFlowConfiguration::allowInterproceduralFlow has been added to the semmle.code.cpp.ir.dataflow.MustFlow library. The new predicate can be overridden to disable interprocedural flow.
  • Added subclasses of BuiltInOperations for __builtin_bit_cast, __builtin_shuffle, __has_unique_object_representations, __is_aggregate, and __is_assignable.