CodeQL 2.12.0 (2023-01-10)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.12.0 runs a total of 365 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 116 queries (covering 32 more CWE). 8 security queries have been added with this release.
CodeQL CLI¶
Breaking Changes¶
- The
--[no-]count-linesoption tocodeql database createand related commands that was deprecated in 2.11.1 has been removed. Users of this option should instead pass--[no-]calculate-baseline.
Bug Fixes¶
- Fixed a bug where the
codeql pack installcommand would fail if a CodeQL configuration file is used and the--additional-packsoption is specified.
New Features¶
Query packs created by
codeql pack create,codeql pack bundle, andcodeql pack releasenow contain precompiled queries in a new format that aims to be compatible with future (and, to a certain extent, past) releases of the CodeQL CLI. Previously the precompiled queries were in a format specific to each CLI release, and all other releases would need to re-compile queries.Published packs contain precompiled queries in files with a
.qlxextension located next to each query’s.qlsource file. In case of differences between the.qland.qlxfiles, the.qlxfile takes priority when evaluating queries from the command line, so if you need to modify a published pack, be sure to delete the.qlxfiles first.A new
--precompileflag tocodeql query compilecan be used to construct*.qlxfile explicitly, but in all usual cases it should be enough to rely oncodeql pack createdoing the right thing.The
codeql database initcommand now accepts a PAT that allows you to download queries from external, private repositories when using the--codescanning-config <config-file>option. For example, you can specify the following queries block in the config file, which will checkout the main branch of thecodeql-test/my-private-repositoryrepository and evaluate any queries found in that repository:queries: - codeql-test/my-private-repository@main
If the repository is private, you can add a
--external-repository-token-stdinoption and supply a PAT with appropriate permissions via standard input. For more information on queries and external repositories in Code Scanning, see Using queries in QL packs.The baseline information produced by
codeql database initandcodeql database createnow accounts forpathsandpaths-ignoreconfiguration.In the VS Code extension, recursive calls will be marked with inlay hints. These can be disabled with the global inlay hints setting (
editor.inlayHints.enabled). If you just want to disable them for codeql the settings can be scoped to just codeql files (language id isql). See Language Specific Editor Settings in the VS Code documentation for more information.The CLI now gives a more helpful error message when asked to run queries on a database that has not been finalized.
Query Packs¶
Bug Fixes¶
C#¶
- Fixes a bug where the Owin.qll framework library will look for “URI” instead of “Uri” in the OwinRequest class.
Minor Analysis Improvements¶
C/C++¶
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The
cpp/missing-check-scanfquery no longer reports the free’ing ofscanfoutput variables as potential reads.
C#¶
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The extensible predicates for Models as Data have been renamed (the
extprefix has been removed). As an example,extSummaryModelhas been renamed tosummaryModel.
Golang¶
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert.
Java¶
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The extensible predicates for Models as Data have been renamed (the
extprefix has been removed). As an example,extSummaryModelhas been renamed tosummaryModel. - The query
java/misnamed-typeis now enabled for Kotlin. - The query
java/non-serializable-fieldis now enabled for Kotlin. - Fixed an issue in the query
java/android/implicit-pendingintentsby which an implicit Pending Intent marked as immutable was not correctly recognized as such. - The query
java/maven/non-https-urlno longer alerts about disabled repositories.
JavaScript/TypeScript¶
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert.
Python¶
- The
analysis/AlertSuppression.qlquery has moved to the root folder. Users that refer to this query by path should update their configurations. The query has been updated to support the new# codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy# lgtmand# lgtm[query-id]comments can now also be placed on the line before an alert. - Bumped the minimum keysize we consider secure for elliptic curve cryptography from 224 to 256 bits, following current best practices. This might effect results from the Use of weak cryptographic key (
py/weak-crypto-key) query. - Added modeling of
getpass.getpassas a source of passwords, which will be an additional source forpy/clear-text-logging-sensitive-data,py/clear-text-storage-sensitive-data, andpy/weak-sensitive-data-hashing.
Ruby¶
- The
AlertSuppression.qlquery has been updated to support the new# codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy# lgtmand# lgtm[query-id]comments can now also be placed on the line before an alert. - Extended the
rb/kernel-openquery with following sinks:IO.write,IO.binread,IO.binwrite,IO.foreach,IO.readlines, andURI.open.
New Queries¶
C#¶
- Added a new query,
csharp/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase.
Java¶
- Added a new query,
java/summary/generated-vs-manual-coverage, to expose metrics for the number of API endpoints covered by generated versus manual MaD models. - Added a new query,
java/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase. - Added a new query,
java/android/missing-certificate-pinning, to find network calls where certificate pinning is not implemented. - Added a new query,
java/android-webview-addjavascriptinterface, to detect the use ofaddJavascriptInterface, which can lead to cross-site scripting. - Added a new query,
java/android-websettings-file-access, to detect configurations that enable file system access in Android WebViews. - Added a new query,
java/android-websettings-javascript-enabled, to detect if JavaScript execution is enabled in an Android WebView. - The query
java/regex-injectionhas been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @edvraa.
Ruby¶
- Added a new query,
rb/stack-trace-exposure, to detect exposure of stack-traces to users via HTTP responses.
Language Libraries¶
Bug Fixes¶
Golang¶
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Java¶
- We now correctly handle empty block comments, like
/**/. Previously these could be mistaken for Javadoc comments and led to attribution of Javadoc tags to the wrong declaration.
Python¶
except*is now supported.- The result of
Try.getAHandlerandTry.getHandler(<index>)is no longer of typeExceptStmt, as handlers may also beExceptGroupStmts (After Python 3.11 introduced PEP 654). Instead, it is of the new typeExceptionHandlerof whichExceptStmtandExceptGroupStmtare subtypes. To support selecting only one type of handler,Try.getANormalHandlerandTry.getAGroupHandlerhave been added. Existing uses ofTry.getAHandlerfor which it is important to select only normal handlers, will need to be updated toTry.getANormalHandler.
Breaking Changes¶
C/C++¶
- The predicates in the
MustFlow::Configurationclass used by theMustFlowlibrary (semmle.code.cpp.ir.dataflow.MustFlow) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
Golang¶
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
Major Analysis Improvements¶
Python¶
- The PAM authorization bypass due to incorrect usage (
py/pam-auth-bypass) query has been converted to a taint-tracking query, resulting in significantly fewer false positives.
Ruby¶
Flow through
initializeconstructors is now taken into account. For example, inclass C def initialize(x) @field = x end end C.new(y)
there will be flow from
yto the field@fieldon the constructedCobject.
Minor Analysis Improvements¶
C/C++¶
- The
ArgvSourceflow source now uses the second parameter ofmainas its source instead of the uses of this parameter. - The
ArgvSourceflow source has been generalized to handle cases where the argument vector ofmainis not namedargv. - The
getaddrinfofunction is now recognized as a flow source. - The
secure_getenvand_wgetenvfunctions are now recognized as local flow sources. - The
scanfandfscanffunctions and their variants are now recognized as flow sources. - Deleted the deprecated
getNameandgetShortNamepredicates from theFolderclass.
C#¶
- C# 11: Added support for list- and slice patterns in the extractor.
- Deleted the deprecated
getNameWithoutBracketspredicate from theValueOrRefTypeclass inType.qll. Element::hasQualifiedName/1has been deprecated. UsehasQualifiedName/2orhasQualifiedName/3instead.- Added TCP/UDP sockets as taint sources.
Golang¶
- The predicate
getNumParameteronFuncTypeExprhas been changed to actually give the number of parameters. It previously gave the number of parameter declarations.getNumParameterDeclhas been introduced to preserve this functionality. - The definition of
mayHaveSideEffectsforReturnStmtwas incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstancesglobalValueNumbermay have incorrectly treated two values as the same when they were in fact distinct. - Queries that care about SQL, such as
go/sql-injection, now recognise SQL-consuming functions belonging to thegorqliteandGoFramepackages. rsynchas been added to the list of commands which may evaluate its parameters as a shell command.
Java¶
- Added more dataflow models for frequently-used JDK APIs.
- The extraction of Kotlin extension methods has been improved when default parameter values are present. The dispatch and extension receiver parameters are extracted in the correct order. The
ExtensionMethod::getExtensionReceiverParameterIndexpredicate has been introduced to facilitate getting the correct extension parameter index. - The query
java/insecure-cookienow uses global dataflow to track secure cookies being set to the HTTP response object. - The library
PathSanitizer.qllhas been improved to detect more path validation patterns in Kotlin. - Models as Data models for Java are defined as data extensions instead of being inlined in the code. New models should be added in the
lib/extfolder. - Added a taint model for the method
java.nio.file.Path.getParent. - Fixed a problem in the taint model for the method
java.nio.file.Paths.get. - Deleted the deprecated
LocalClassDeclStmtNodeandLocalClassDeclStmtclasses fromPrintAst.qllandStatement.qllrespectively. - Deleted the deprecated
getLocalClasspredicate fromLocalTypeDeclStmt, and the deprecatedgetLocalClassDeclStmtpredicate fromLocalClassOrInterface. - Added support for Android Manifest
<activity-aliases>elements in data flow sources.
JavaScript/TypeScript¶
- Deleted the deprecated
Instanceclass from theVuemodule. - Deleted the deprecated
VHtmlSourceWriteclass fromDomBasedXssQuery.qll. - Deleted all the deprecated
[QueryName].qllfiles from thejavascript/ql/lib/semmle/javascript/security/dataflowfolder, use the corresponding[QueryName]Query.qllfiles instead. - The ReDoS libraries in
semmle.code.javascript.security.regexphas been moved to a shared pack inside theshared/folder, and the previous location has been deprecated.
Python¶
- Added
subprocess.getoutputandsubprocess.getoutputstatusas new command injection sinks for the StdLib. - The data-flow library has been rewritten to no longer rely on the points-to analysis in order to resolve references to modules. Improvements in the module resolution can lead to more results.
- Deleted the deprecated
importNodepredicate from theDataFlowUtil.qllfile. - Deleted the deprecated features from
PEP249.qllthat were not inside thePEP249module. - Deleted the deprecated
werkzeugfrom theWerkzeugmodule inWerkzeug.qll. - Deleted the deprecated
methodResultpredicate fromPEP249::Cursor.
Ruby¶
- Calls to
Kernel.load,Kernel.require,Kernel.autoloadare now modeled as sinks for path injection. - Calls to
mailandinbound_mailinActionMailboxcontrollers are now considered sources of remote input. - Calls to
GlobalID::Locator.locateand its variants are now recognized as instances ofOrmInstantiation. - Data flow through the
ActiveSupportextensionsEnumerable#index_with,Enumerable#pick,Enumerable#pluckandEnumerable#soleare now modeled. - When resolving a method call, the analysis now also searches in sub-classes of the receiver’s type.
- Taint flow is now tracked through many common JSON parsing and generation methods.
- The ReDoS libraries in
codeql.ruby.security.regexphas been moved to a shared pack inside theshared/folder, and the previous location has been deprecated. - String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.
Deprecated APIs¶
C/C++¶
- Deprecated
semmle.code.cpp.ir.dataflow.DefaultTaintTracking. Usesemmle.code.cpp.ir.dataflow.TaintTracking. - Deprecated
semmle.code.cpp.security.TaintTrackingImpl. Usesemmle.code.cpp.ir.dataflow.TaintTracking. - Deprecated
semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl. Usesemmle.code.cpp.valuenumbering.GlobalValueNumbering, which exposes the same API.
Golang¶
- The
BarrierGuardclass has been deprecated. Such barriers and sanitizers can now instead be created using the newBarrierGuardparameterized module.