CodeQL 2.11.3 (2022-11-11)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.11.3 runs a total of 358 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 111 queries (covering 31 more CWE). 1 security query has been added with this release.
CodeQL CLI¶
Breaking Changes¶
- The
codeql pack ls --format jsondeep plumbing command now returns only thenameandversionproperties for each found pack.
Potentially Breaking Changes¶
codeql pack download,codeql pack install, andcodeql pack addwill ignore CodeQL packs with pre-release versions, unless the--allow-prereleaseoption is passed to the command. This brings these commands into alignment withcodeql pack publishthat will avoid publishing CodeQL packs with pre-release versions unless the--allow-prereleaseoption is specified. Pre-release versions have the following format:X.Y.Z-qualifierwhereX,Y, andZare respectively the major, minor, and patch number.qualifieris the pre-release version. For more information about pre-releases, see the Semantic Versioning specification.
Deprecations¶
- The
--[no-]fast-compilationoption tocodeql query compileis now deprecated.
New Features¶
codeql resolve filesandcodeql database index-fileshave a new--find-anyoption, which finds at most one match.
Miscellaneous¶
- The build of Apache Commons Text that is bundled with the CodeQL CLI has been updated to version 1.10.0. While previous releases shipped with version 1.6 of the library, no part of the CodeQL CLI references the
StringSubstitutorclass that the recently disclosed CVE-2022-42889 vulnerability applies to. We therefore do not believe that running previous releases of CodeQL exposes users to this vulnerability. - The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.5.
Query Packs¶
Minor Analysis Improvements¶
C/C++¶
- Fixed a bug in
cpp/jsf/av-rule-76that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
Golang¶
- Query
go/clear-text-loggingnow excludesGetXmethods of protobufMessagestructs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.
JavaScript/TypeScript¶
- Added sources for user defined path and query parameters in
Next.js. - The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
Ruby¶
- The
rb/weak-cryptographic-algorithmhas been updated to no longer report uses of hash functions such asMD5andSHA1even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.
Language Libraries¶
Minor Analysis Improvements¶
C/C++¶
- Fixed bugs in the
FormatLiteralclass that were causinggetMaxConvertedLengthand related predicates to return no results when the format literal was%e,%for%gand an explicit precision was specified.
Ruby¶
- There was a bug in
TaintTracking::localTaintandTaintTracking::localTaintStepsuch that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps. - Instantiations using
Faraday::Connection.neware now recognized as part ofFaradayHttpRequests, meaning they will be considered as sinks for queries such asrb/request-forgery. - Taint flow is now tracked through extension methods on
Hash,StringandObjectprovided byActiveSupport.