CodeQL documentation

CodeQL 2.11.1 (2022-10-11)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.11.1 runs a total of 354 security queries when configured with the Default suite (covering 148 CWE). The Extended suite enables an additional 109 queries (covering 30 more CWE). 1 security query has been added with this release.


Breaking Changes

  • Pack installation using the CodeQL Packaging beta will now fail if a compatible version cannot be found. This replaces the previous behavior where codeql pack download and related commands would instead install the latest version of the pack in this situation.

Bug Fixes

  • It is no longer an error to call codeql pack create <path> with a <path> option pointing to a file name. The CLI will walk up the directory tree and run the command in the first directory containing the qlpack.yml or codeql-pack.yml file.
  • Fixed a concurrency error observed when using codeql database import or codeql database finalize with multiple threads and multiple additional databases on a C++ codebase.


  • The --[no-]count-lines option to codeql database create and related commands is now deprecated and will be removed in a future release of the CodeQL CLI (earliest 2.12.0). It is replaced by --[no-]calculate-baseline to reflect the additional baseline information that is now captured as of this release.

New Features

  • Subcommands that compile QL accept a new --no-release-compatibility option. It does nothing for now, but in the future it will be used to control a trade-off between query performance and compatibility with older/newer releases of the QL evaluator.

  • codeql database analyze and related commands now support absolute paths containing the @ or : characters when specifying which queries to run. To reference a query file, directory, or suite whose path contains a literal @ or :, prefix the query specifier with path:, for example:

    codeql database analyze --format=sarif-latest --output=results <db> path:C:/Users/ci/workspace@2/security/query.ql

Query Packs

Minor Analysis Improvements


  • The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.


  • The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.


  • The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
  • PathSanitizer.qll has been promoted from experimental to the main query pack. This sanitizer was originally submitted as part of an experimental query by @luchua-bc.
  • The queries java/path-injection, java/path-injection-local and java/zipslip now use the sanitizers provided by PathSanitizer.qll.


  • The rb/xxe query has been updated to add the following sinks for XML external entity expansion:
    1. Calls to parse XML using LibXML when its default_substitute_entities option is enabled.
    2. Uses of the Rails methods ActiveSupport::XmlMini.parse, Hash.from_xml, and Hash.from_trusted_xml when ActiveSupport::XmlMini is configured to use LibXML as its backend, and its default_substitute_entities option is enabled.

New Queries


  • Added a new query, java/android/webview-debugging-enabled, to detect instances of WebView debugging being enabled in production builds.

Language Libraries

Minor Analysis Improvements


  • DateTime expressions are now considered simple type sanitizers. This affects a wide range of security queries.
  • ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.


  • Added support for BeegoInput.RequestBody as a source of untrusted data.


  • Added external flow sources for the intents received in exported Android services.


  • Several of the SQL and NoSQL library models have improved, leading to more results for the js/sql-injection query, and in some cases the js/missing-rate-limiting query.


  • Added the ability to refer to subscript operations in the API graph. It is now possible to write response().getMember("cookies").getASubscript() to find code like resp.cookies["key"] (assuming response returns an API node for response objects).
  • Added modeling of creating Flask responses with flask.jsonify.


  • The following classes have been moved from codeql.ruby.frameworks.ActionController to codeql.ruby.frameworks.Rails:
    • ParamsCall, now accessed as Rails::ParamsCall.
    • CookieCall, now accessed as Rails::CookieCall.
  • The following classes have been moved from codeql.ruby.frameworks.ActionView to codeql.ruby.frameworks.Rails:
    • HtmlSafeCall, now accessed as Rails::HtmlSafeCall.
    • HtmlEscapeCall, now accessed as Rails::HtmlEscapeCall.
    • RenderCall, now accessed as Rails::RenderCall.
    • RenderToCall, now accessed as Rails::RenderToCall.
  • Subclasses of ActionController::Metal are now recognised as controllers.
  • ActionController::DataStreaming::send_file is now recognized as a FileSystemAccess.
  • Various XSS sinks in the ActionView library are now recognized.
  • Calls to ActiveRecord::Base.create are now recognized as model instantiations.
  • Various code executions, command executions and HTTP requests in the ActiveStorage library are now recognized.
  • MethodBase now has two new predicates related to visibility: isPublic and isProtected. These hold, respectively, if the method is public or protected.
  • © GitHub, Inc.
  • Terms
  • Privacy