CodeQL documentation

CodeQL 2.11.3 (2022-11-11)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.11.3 runs a total of 358 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 111 queries (covering 31 more CWE). 1 security query has been added with this release.


Breaking Changes

  • The codeql pack ls --format json deep plumbing command now returns only the name and version properties for each found pack.

Potentially Breaking Changes

  • codeql pack download, codeql pack install, and codeql pack add will ignore CodeQL packs with pre-release versions, unless the --allow-prerelease option is passed to the command. This brings these commands into alignment with codeql pack publish that will avoid publishing CodeQL packs with pre-release versions unless the --allow-prerelease option is specified. Pre-release versions have the following format: X.Y.Z-qualifier where X, Y, and Z are respectively the major, minor, and patch number. qualifier is the pre-release version. For more information about pre-releases, see the Semantic Versioning specification.


  • The --[no-]fast-compilation option to codeql query compile is now deprecated.

New Features

  • codeql resolve files and codeql database index-files have a new --find-any option, which finds at most one match.


  • The build of Apache Commons Text that is bundled with the CodeQL CLI has been updated to version 1.10.0. While previous releases shipped with version 1.6 of the library, no part of the CodeQL CLI references the StringSubstitutor class that the recently disclosed CVE-2022-42889 vulnerability applies to. We therefore do not believe that running previous releases of CodeQL exposes users to this vulnerability.
  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.5.

Query Packs

Minor Analysis Improvements


  • Fixed a bug in cpp/jsf/av-rule-76 that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.


  • Query go/clear-text-logging now excludes GetX methods of protobuf Message structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.


  • Added sources for user defined path and query parameters in Next.js.
  • The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.


  • The rb/weak-cryptographic-algorithm has been updated to no longer report uses of hash functions such as MD5 and SHA1 even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.

New Queries


  • Added a new query, js/second-order-command-line-injection, to detect shell commands that may execute arbitrary code when the user has control over the arguments to a command-line program. This currently flags up unsafe invocations of git and hg.

Language Libraries

Minor Analysis Improvements


  • Fixed bugs in the FormatLiteral class that were causing getMaxConvertedLength and related predicates to return no results when the format literal was %e, %f or %g and an explicit precision was specified.


  • There was a bug in TaintTracking::localTaint and TaintTracking::localTaintStep such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.
  • Instantiations using are now recognized as part of FaradayHttpRequests, meaning they will be considered as sinks for queries such as rb/request-forgery.
  • Taint flow is now tracked through extension methods on Hash, String and Object provided by ActiveSupport.
  • © GitHub, Inc.
  • Terms
  • Privacy