CodeQL documentation

CodeQL 2.12.1 (2023-01-23)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.12.1 runs a total of 384 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 120 queries (covering 31 more CWE). 23 security queries have been added with this release.


New Features

  • Added a new command-line flag --expect-discarded-cache, which gives a hint to the evaluator that the evaluation cache will be discarded after analysis completes. This allows it to avoid some unnecessary writes to the cache, for predicates that aren’t needed by the query/suite being evaluated.

Query Packs

Minor Analysis Improvements


  • The cpp/no-space-for-terminator and cpp/uncontrolled-allocation-size queries have been enhanced with heuristic detection of allocations. These queries now find more results.


  • Replacing “r” or “n” using the functions strings.ReplaceAll, strings.Replace, strings.Replacer.Replace and strings.Replacer.WriteString has been added as a sanitizer for the queries “Log entries created from user input”.
  • The functions strings.Replacer.Replace and strings.Replacer.WriteString have been added as sanitizers for the query “Potentially unsafe quoting”.


  • The name, description and alert message for the query java/concatenated-sql-query have been altered to emphasize that the query flags the use of string concatenation to construct SQL queries, not the lack of appropriate escaping. The query’s files have been renamed from SqlUnescaped.ql and SqlUnescapedLib.qll to SqlConcatenated.ql and SqlConcatenatedLib.qll respectively; in the unlikely event your custom configuration or queries refer to either of these files by name, those references will need to be adjusted. The query id remains java/concatenated-sql-query, so alerts should not be re-raised as a result of this change.


  • The rb/unsafe-deserialization query now recognizes input from STDIN as a source.

New Queries


  • Added a new query java/android/websettings-allow-content-access to detect Android WebViews which do not disable access to content:// urls.


  • Added a new query, rb/unsafe-code-construction, to detect libraries that unsafely construct code from their inputs.

Language Libraries

Major Analysis Improvements


  • Added library support for generic attributes (also for CIL extracted attributes).
  • cil.ConstructedType::getName was changed to include printing of the type arguments.

Minor Analysis Improvements


  • Attributes on methods in CIL are now extracted (Bugfix).
  • Support for static virtual and static abstract interface members.
  • Support for operators in interface definitions.
  • C# 11: Added support for the unsigned right shift >>> and unsigned right shift assignment >>>= operators.
  • Query id’s have been aligned such that they are prefixed with cs instead of csharp.


  • Added sink models for the constructors of org.springframework.jdbc.object.MappingSqlQuery and org.springframework.jdbc.object.MappingSqlQueryWithParameters.
  • Added more dataflow models for frequently-used JDK APIs.
  • Removed summary model for java.lang.String#endsWith(String) and added neutral model for this API.
  • Added additional taint step for java.lang.String#endsWith(String) to ConditionalBypassFlowConfig.
  • Added AllowContentAccessMethod to represent the setAllowContentAccess method of the android.webkit.WebSettings class.
  • Added an external flow source for the parameters of methods annotated with android.webkit.JavascriptInterface.
  • © GitHub, Inc.
  • Terms
  • Privacy