CodeQL 2.12.2 (2023-02-07)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.12.2 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 121 queries (covering 31 more CWE). 2 security queries have been added with this release.
CodeQL CLI¶
Bug Fixes¶
- Fixed a QL evaluator bug introduced in release 2.12.1 which could in certain rare cases lead to wrong analysis results.
- Fixed handling of
-Xclang <arg>arguments passed to theclangcompiler which could cause missing extractions for C++ code bases. - Fixed a bug where the
--overwriteoption was failing for database clusters.
Miscellaneous¶
- The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.6.
Query Packs¶
Language Libraries¶
Major Analysis Improvements¶
C#¶
- Add extractor and library support for UTF-8 encoded strings.
- The
StringLiteralclass includes UTF-8 encoded strings. - In the DB Scheme
@string_literal_expris renamed to@utf16_string_literal_expr.
Minor Analysis Improvements¶
C#¶
- C# 11: Added extractor support for
reffields inref structdeclarations.
Java/Kotlin¶
- Added sink models for the
createQuery,createNativeQuery, andcreateSQLQuerymethods of theorg.hibernate.query.QueryProducerinterface.
Ruby¶
- Data flowing from the
localsargument of a Railsrendercall is now tracked to uses of that data in an associated view. - Access to headers stored in the
envof Rack requests is now recognized as a source of remote input. - Ruby 3.2: anonymous rest and keyword rest arguments can now be passed as arguments, instead of just used in method parameters.