CodeQL documentation

CodeQL 2.12.5 (2023-03-21)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.12.5 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 124 queries (covering 31 more CWE). 2 security queries have been added with this release.

CodeQL CLI

Bug Fixes

  • Fixed a bug in codeql query run where queries whose paths contain colons could not be run.

New Features

  • The codeql pack install command now accepts a --additional-packs option. This option takes a list of directories to search for locally available packs when resolving which packs to install. Any pack that is found locally through --additional-packs will override any other version of a pack found in the package registry. Locally resolved packs are not added to the lock file.

    Because the use of --additional-packs when running codeql pack install makes running queries dependent on the local state of the machine initially invoking codeql pack install, a warning is emitted if any pack is found outside of the package registry. This warning can be suppressed by using the --no-strict-mode option.

Query Packs

Minor Analysis Improvements

JavaScript/TypeScript

  • The following queries now recognize HTML sanitizers as propagating taint: js/sql-injection, js/path-injection, js/server-side-unvalidated-url-redirection, js/client-side-unvalidated-url-redirection, and js/request-forgery.

Deprecated Queries

C/C++

  • The NetworkToBufferSizeConfiguration and UntrustedDataToExternalApiConfig dataflow configurations have been deprecated. Please use NetworkToBufferSizeFlow and UntrustedDataToExternalApiFlow.
  • The LeapYearCheckConfiguration, FiletimeYearArithmeticOperationCheckConfiguration, and PossibleYearArithmeticOperationCheckConfiguration dataflow configurations have been deprecated. Please use LeapYearCheckFlow, FiletimeYearArithmeticOperationCheckFlow and PossibleYearArithmeticOperationCheckFlow.

New Queries

Java/Kotlin

  • Added a new query, java/android/arbitrary-apk-installation, to detect installation of APKs from untrusted sources.

Python

  • Added a new query, py/shell-command-constructed-from-input, to detect libraries that unsafely construct shell commands from their inputs.
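
An illustration of the kind of pattern this query is concerned with, as an added example (not taken from the CodeQL query or its documentation): a library function that concatenates its argument into a shell string, beside two hardened forms. The function names and the sample input are constructed for illustration, a POSIX sh and echo are assumed, and the exact patterns the query matches are defined by the query itself.

```python
import shlex
import subprocess

# All function names here are hypothetical library entry points, made up for this example.

def list_unsafe(name: str) -> str:
    """Library input is concatenated into a string that a shell then parses."""
    result = subprocess.run("echo listing " + name, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout

def list_argv(name: str) -> str:
    """Hardened: no shell involved, so name is always exactly one argv element."""
    result = subprocess.run(["echo", "listing", name],
                            capture_output=True, text=True, check=True)
    return result.stdout

def list_quoted(name: str) -> str:
    """Hardened for cases where a shell is unavoidable: quote the argument."""
    result = subprocess.run("echo listing " + shlex.quote(name), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout

# Constructed input: a caller-supplied "file name" containing a shell metacharacter.
SAMPLE = "report.txt; echo SECOND-COMMAND-RAN"

def demo() -> dict:
    """Run the same input through all three variants and return their output lines."""
    return {
        "unsafe": list_unsafe(SAMPLE).splitlines(),
        "argv": list_argv(SAMPLE).splitlines(),
        "quoted": list_quoted(SAMPLE).splitlines(),
    }

if __name__ == "__main__":
    for variant, lines in demo().items():
        # The unsafe variant yields two lines because the shell split the input
        # at ';' and ran the remainder as a second command.
        print(f"{variant:7} -> {lines}")
```

A caller of the library cannot tell from the function signature that its argument reaches a shell, which is why the fix belongs inside the library rather than in each caller.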

Ruby

  • Added a new query, rb/zip-slip, to detect arbitrary file writes during extraction of zip/tar archives.

Language Libraries

Breaking Changes

C/C++

  • The semmle.code.cpp.commons.Buffer and semmle.code.cpp.commons.NullTermination libraries no longer expose semmle.code.cpp.dataflow.DataFlow. Please import semmle.code.cpp.dataflow.DataFlow directly.

Major Analysis Improvements

C/C++

  • A new C/C++ dataflow library (semmle.code.cpp.dataflow.new.DataFlow) has been added. The new library behaves much more like the dataflow library of other CodeQL supported languages by following use-use dataflow paths instead of def-use dataflow paths. The new library also better supports dataflow through indirections, and new predicates such as Node::asIndirectExpr have been added to facilitate working with indirections.

    The semmle.code.cpp.ir.dataflow.DataFlow library is now identical to the new semmle.code.cpp.dataflow.new.DataFlow library.

  • The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.

C#

  • The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.

Golang

  • The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.

Java/Kotlin

  • Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom List.contains implementations when the best inferrable type at the call site is simply List.
  • Added more sink and summary dataflow models for the following packages:
    • java.io
    • java.lang
    • java.sql
    • javafx.scene.web
    • org.apache.commons.compress.archivers.tar
    • org.apache.http.client.utils
    • org.codehaus.cargo.container.installer
  • The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.

Python

  • The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.

Ruby

  • The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.

Minor Analysis Improvements

C/C++

  • Deleted the deprecated hasGeneratedCopyConstructor and hasGeneratedCopyAssignmentOperator predicates from the Folder class.
  • Deleted the deprecated getPath and getFolder predicates from the XmlFile class.
  • Deleted the deprecated getMustlockFunction, getTrylockFunction, getLockFunction, and getUnlockFunction predicates from the MutexType class.
  • Deleted the deprecated getPosInBasicBlock predicate from the SubBasicBlock class.
  • Deleted the deprecated getExpr predicate from the PointerDereferenceExpr class.
  • Deleted the deprecated getUseInstruction and getDefinitionInstruction predicates from the Operand class.
  • Deleted the deprecated isInParameter, isInParameterPointer, and isInQualifier predicates from the FunctionInput class.
  • Deleted the deprecated isOutParameterPointer, isOutQualifier, isOutReturnValue, and isOutReturnPointer predicates from the FunctionOutput class.
  • Deleted the deprecated 3-argument isGuardPhi predicate from the RangeSsaDefinition class.

C#

  • Deleted the deprecated getPath and getFolder predicates from the XmlFile class.
  • Deleted the deprecated getAssertionIndex and getAssertedParameter predicates from the AssertMethod class.
  • Deleted the deprecated OverridableMethod and OverridableAccessor classes.
  • The unsafe predicate for Modifiable has been extended to cover delegate return types and identify pointer-like types at any nest level. This is relevant for unsafe declarations extracted from assemblies.

Java/Kotlin

  • Deleted the deprecated getPath and getFolder predicates from the XmlFile class.
  • Deleted the deprecated getRepresentedString predicate from the StringLiteral class.
  • Deleted the deprecated ServletWriterSource class.
  • Deleted the deprecated getGroupID, getArtefactID, and artefactMatches predicates from the MavenRepoJar class.

JavaScript/TypeScript

  • Deleted the deprecated getPath and getFolder predicates from the XmlFile class.
  • Deleted the deprecated getId predicate from the Function, NamespaceDefinition, and ImportEqualsDeclaration classes.
  • Deleted the deprecated flowsTo predicate from the HTTP::Servers::RequestSource and HTTP::Servers::ResponseSource classes.
  • Deleted the deprecated getEventName predicate from the SocketIO::ReceiveNode, SocketIO::SendNode, and SocketIOClient::SendNode classes.
  • Deleted the deprecated RateLimitedRouteHandlerExpr and RouteHandlerExpressionWithRateLimiter classes.
  • Import assertions are now supported. Previously this feature was only supported in TypeScript code, but is now supported for plain JavaScript as well and is also accessible in the AST.

Python

  • Deleted the deprecated getPath and getFolder predicates from the XmlFile class.

Ruby

  • Data flow through initialize methods is now taken into account also when the receiver of a new call is an (implicit or explicit) self.
  • The Active Record query methods reorder and count_by_sql are now recognized as SQL executions.
  • Calls to ActiveRecord::Connection#execute, including those via subclasses, are now recognized as SQL executions.
  • Data flow through ActionController::Parameters#require is now tracked properly.
  • The severity of parse errors was reduced to warning (previously error).
  • Deleted the deprecated getQualifiedName predicate from the ConstantWriteAccess class.
  • Deleted the deprecated getWhenBranch and getAWhenBranch predicates from the CaseExpr class.
  • Deleted the deprecated Self, PatternParameter, Pattern, VariablePattern, TuplePattern, and TuplePatternParameter classes.

Deprecated APIs

C/C++

  • The WriteConfig taint tracking configuration has been deprecated. Please use WriteFlow.

New Features

C/C++

  • Added support for merging two PathGraphs via disjoint union to allow results from multiple data flow computations in a single path-problem query.

C#

  • Added support for merging two PathGraphs via disjoint union to allow results from multiple data flow computations in a single path-problem query.

Golang

  • Added support for merging two PathGraphs via disjoint union to allow results from multiple data flow computations in a single path-problem query.

Java/Kotlin

  • Added support for merging two PathGraphs via disjoint union to allow results from multiple data flow computations in a single path-problem query.

Python

  • Added support for merging two PathGraphs via disjoint union to allow results from multiple data flow computations in a single path-problem query.

Ruby

  • Added support for merging two PathGraphs via disjoint union to allow results from multiple data flow computations in a single path-problem query.