CodeQL 2.11.4 (2022-11-24)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.11.4 runs a total of 361 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 112 queries (covering 32 more CWE). 4 security queries have been added with this release.
CodeQL CLI¶
Potentially Breaking Changes¶
- CodeQL 2.11.1 to 2.11.3 contained a bug in indirect build tracing on Windows when using
codeql database initwith the--trace-process-levelflag. In these versions, when--trace-process-levelwas set to a value greater than zero, (or left at the default value of 1), CodeQL attempted to inject its build tracer at a higher level in the process tree than the requested process level. This could lead to errors of the form “No source code found” or “Process tree ended before reaching required level”. From 2.11.4 onwards, the CodeQL build tracer is injected at the requested process level.
Deprecations¶
- The
--[no-]fast-compilationoption tocodeql test runis now deprecated.
New Features¶
- Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLINtotruein the environment.
Query Packs¶
Bug Fixes¶
JavaScript/TypeScript¶
- Fixed a bug that would cause the extractor to crash when an
importtype is used in theextendsclause of aninterface. - Fixed an issue with multi-line strings in YAML files being associated with an invalid location, causing alerts related to such strings to appear at the top of the YAML file.
Minor Analysis Improvements¶
JavaScript/TypeScript¶
- Added support for
@hapi/glueand Hapi plugins to theframeworks/Hapi.qlllibrary.
Ruby¶
- The
rb/sql-injectionquery now considers consider SQL constructions, such as calls toArel.sql, as sinks.
New Queries¶
Java¶
- The query
java/insufficient-key-sizehas been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc. - Added a new query,
java/android/sensitive-keyboard-cache, to detect instances of sensitive information possibly being saved to the Android keyboard cache.
Ruby¶
- Added a new query,
rb/shell-command-constructed-from-input, to detect libraries that unsafely construct shell commands from their inputs.
Language Libraries¶
Minor Analysis Improvements¶
C#¶
- The
[Summary|Sink|Source]ModelCsvclasses have been deprecated and Models as Data models are defined as data extensions instead.
Java¶
- The ReDoS libraries in
semmle.code.java.security.regexphas been moved to a shared pack inside theshared/folder, and the previous location has been deprecated. - Added data flow summaries for tainted Android intents sent to activities via
Activity.startActivities.
Python¶
- The ReDoS libraries in
semmle.code.python.security.regexphave been moved to a shared pack inside theshared/folder, and the previous location has been deprecated.
Ruby¶
- Data flow through the
ActiveSupportextensionEnumerable#index_byis now modeled. - The
codeql.ruby.Conceptslibrary now has aSqlConstructionclass, in addition to the existingSqlExecutionclass. - Calls to
Arel.sqlare now modeled as instances of the newSqlConstructionconcept. - Arguments to RPC endpoints (public methods) on subclasses of
ActionCable::Channel::Baseare now recognized as sources of remote user input. - Taint flow through the
ActiveSupportextensionsHash#reverse_mergeandHash:reverse_merge!, and their aliases, is now modeled more generally, where previously it was only modeled in the context ofActionControllerparameters. - Calls to
loggerinActiveSupportactions are now recognised as logger instances. - Calls to
send_datainActiveSupportactions are recognised as HTTP responses. - Calls to
body_streaminActiveSupportactions are recognised as HTTP request accesses. - The
ActiveSupportextensionsObject#tryandObject#try!are now recognised as code executions.
New Features¶
Java¶
- Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLINtotruein the environment. - The new
string Compilation.getInfo(string)predicate provides access to some information about compilations.