CodeQL documentation

CodeQL 2.12.2 (2023-02-07)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.12.2 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 121 queries (covering 31 more CWE). 2 security queries have been added with this release.


Bug Fixes

  • Fixed a QL evaluator bug introduced in release 2.12.1 which could in certain rare cases lead to wrong analysis results.
  • Fixed handling of -Xclang <arg> arguments passed to the clang compiler which could cause missing extractions for C++ code bases.
  • Fixed a bug where the --overwrite option was failing for database clusters.


  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.6.

Query Packs

New Queries


  • Added a new query, java/android/sensitive-result-receiver, to find instances of sensitive data being leaked to an untrusted ResultReceiver.


  • Added a new query, rb/html-constructed-from-input, to detect libraries that unsafely construct HTML from their inputs.

Language Libraries

Major Analysis Improvements


  • Add extractor and library support for UTF-8 encoded strings.
  • The StringLiteral class includes UTF-8 encoded strings.
  • In the DB Scheme @string_literal_expr is renamed to @utf16_string_literal_expr.

Minor Analysis Improvements


  • C# 11: Added extractor support for ref fields in ref struct declarations.


  • Added sink models for the createQuery, createNativeQuery, and createSQLQuery methods of the org.hibernate.query.QueryProducer interface.


  • Added sinks from the node-pty library to the js/code-injection query.


  • Data flowing from the locals argument of a Rails render call is now tracked to uses of that data in an associated view.
  • Access to headers stored in the env of Rack requests is now recognized as a source of remote input.
  • Ruby 3.2: anonymous rest and keyword rest arguments can now be passed as arguments, instead of just used in method parameters.
  • © GitHub, Inc.
  • Terms
  • Privacy