CodeQL documentation

CodeQL 2.13.0 (2023-04-20)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.13.0 runs a total of 388 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 124 queries (covering 30 more CWE). 2 security queries have been added with this release.

CodeQL CLI

Potentially Breaking Changes

  • In codeql pack add, the dependency that is added to the qlpack.yml file will now allow any version of the pack that is compatible with the specified version (^version) in the following cases:

    • When no version is specified (codeql pack add codeql/cpp-all).
    • When the version is specified as latest (codeql pack add codeql/cpp-all@latest).
    • When a single version is specified (codeql pack add codeql/cpp-all@1.0.0).

    The ^version dependency allows any version of that pack with no breaking changes since version. For example, ^1.2.3 would allow versions 1.2.3, 1.2.5, and 1.4.0, but not 2.0.0, because changing the major version number to 2 indicates a breaking change.

    Using ^version ensures that the added pack is not needlessly constrained to an exact version by default.

  • Upper-case variable names are no longer accepted by the QL compiler.

    Such variable names have produced a deprecation warning since release 2.9.2 (released 2022-05-16), so QL code that compiles without warnings with a recent release of the CLI should still work.
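As an added example that is not part of the CodeQL CLI or its documentation, the following Node script models the ^version rule that `codeql pack add` now writes into qlpack.yml, so a maintainer can see exactly which published versions of a pack a dependency line may resolve to. It assumes pack versions are plain MAJOR.MINOR.PATCH with no pre-release tag, takes the "latest" version as a caller-supplied argument (the CLI would get it from the registry), and uses a constructed list of published versions; the helper names are hypothetical.

```javascript
// Added example (not CodeQL's own code): a small model of the ^version rule
// that `codeql pack add` writes into qlpack.yml.
// Assumptions: versions are MAJOR.MINOR.PATCH without pre-release tags, and
// the "latest" version is supplied by the caller. Version lists are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Comparator: -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const part of ['major', 'minor', 'patch']) {
    if (pa[part] !== pb[part]) return pa[part] < pb[part] ? -1 : 1;
  }
  return 0;
}

// ^X.Y.Z accepts any version >= X.Y.Z whose major version is still X, i.e.
// "no breaking change since X.Y.Z". (The 0.x.y case, which npm-style semver
// treats specially, is not described in the changelog and is not special-cased.)
function satisfiesCaret(range, candidate) {
  if (!range.startsWith('^')) throw new Error(`expected a ^version range: ${range}`);
  const base = range.slice(1);
  return (
    parseVersion(candidate).major === parseVersion(base).major &&
    compareVersions(candidate, base) >= 0
  );
}

// Mirrors the three `codeql pack add` forms from the changelog:
//   codeql/cpp-all          -> ^<latest>
//   codeql/cpp-all@latest   -> ^<latest>
//   codeql/cpp-all@1.0.0    -> ^1.0.0
// and returns the dependency entry that would land in qlpack.yml.
function dependencyEntry(spec, latestVersion) {
  const at = spec.lastIndexOf('@');
  const name = at === -1 ? spec : spec.slice(0, at);
  const requested = at === -1 ? 'latest' : spec.slice(at + 1);
  const base = requested === 'latest' ? latestVersion : requested;
  parseVersion(base); // validate before writing anything
  return { name, range: `^${base}` };
}

// Which of the published versions a range would allow, oldest first.
function allowedVersions(range, published) {
  return published.filter((v) => satisfiesCaret(range, v)).sort(compareVersions);
}

// Constructed sample data: versions a registry might list for a pack.
const PUBLISHED = ['1.2.2', '1.2.3', '1.2.5', '1.4.0', '2.0.0', '2.1.0'];

function demo() {
  const entry = dependencyEntry('codeql/cpp-all@1.2.3', '2.1.0');
  return { entry, allowed: allowedVersions(entry.range, PUBLISHED) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows that `^1.2.3` admits 1.2.3, 1.2.5 and 1.4.0 but not 1.2.2 or 2.0.0; if a workflow must be reproducible down to the exact pack version, the range in qlpack.yml needs to be edited to a single version after `codeql pack add` has written it.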

Deprecations

  • The ability to omit override annotations on class member predicates that override a base class predicate has been deprecated. This avoids confusion with shadowing behaviour in the presence of final member predicates.

    class Foo extends Base {
      final predicate foo() { ... }
    
      predicate bar() { ... }
    
      predicate baz() { ... }
    }
    
    class Bar extends Foo {
      // This method shadows Foo::foo.
      predicate foo() { ... }
    
      // This used to override Foo::bar with only a warning; omitting `override` here is now deprecated.
      predicate bar() { ... }
    
      // This correctly overrides Foo::baz
      override predicate baz() { ... }
    }
    

New Features

  • codeql database analyze and related commands now export file coverage information by default. GHAS customers using CodeQL in third-party CI systems will now see file coverage information on the tool status page without needing to modify their CI workflows.

Known Issues

  • We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with codeql github upload-results. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1. For more information, see the “Known issues” section for CodeQL 2.12.6.

Query Packs

Bug Fixes

JavaScript/TypeScript

  • Fixed a bug where a destructuring pattern could not be parsed if it had a property named get or set with a default value.

Python

  • Nonlocal variables are excluded from alerts.

Minor Analysis Improvements

C/C++

  • The query cpp/tainted-arithmetic now also flags possible overflows in arithmetic assignment operations.

C#

  • The query cs/web/debug-binary now disregards the debug attribute in case there is a transformation that removes it.

Golang

  • The receiver arguments of net/http.Header.Set and .Del are no longer flagged by query go/untrusted-data-to-external-api.

JavaScript/TypeScript

  • The DisablingCertificateValidation.ql query has been updated to check createServer from https for disabled certificate validation.
  • Improved the model of jQuery to account for XSS sinks where the HTML string is provided via a callback. This may lead to more results for the js/xss query.
  • The js/weak-cryptographic-algorithm query now flags cryptographic operations using a weak block mode, such as AES-ECB.

New Queries

C/C++

  • The query cpp/redundant-null-check-simple has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.

Java/Kotlin

  • The query java/insecure-ldap-auth has been promoted from experimental to the main query pack. This query detects transmission of cleartext credentials in LDAP authentication. Insecure LDAP authentication causes sensitive information to be vulnerable to remote attackers. This query was originally submitted as an experimental query by @luchua-bc.

Ruby

  • Added a new experimental query, rb/server-side-template-injection, to detect cases where user input may be embedded into a template’s code in an unsafe manner.

Language Libraries

Bug Fixes

C/C++

  • Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, DataFlow::hasFlowPath, DataFlow::hasFlow, DataFlow::hasFlowTo, and DataFlow::hasFlowToExpr were accidentally exposed in a single version.

C#

  • Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, DataFlow::hasFlowPath, DataFlow::hasFlow, DataFlow::hasFlowTo, and DataFlow::hasFlowToExpr were accidentally exposed in a single version.

Golang

  • Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, DataFlow::hasFlowPath, DataFlow::hasFlow, DataFlow::hasFlowTo, and DataFlow::hasFlowToExpr were accidentally exposed in a single version.

Java/Kotlin

  • Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, DataFlow::hasFlowPath, DataFlow::hasFlow, DataFlow::hasFlowTo, and DataFlow::hasFlowToExpr were accidentally exposed in a single version.

Python

  • Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, DataFlow::hasFlowPath, DataFlow::hasFlow, DataFlow::hasFlowTo, and DataFlow::hasFlowToExpr were accidentally exposed in a single version.

Ruby

  • Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, DataFlow::hasFlowPath, DataFlow::hasFlow, DataFlow::hasFlowTo, and DataFlow::hasFlowToExpr were accidentally exposed in a single version.

Breaking Changes

C/C++

  • The internal SsaConsistency module has been moved from SSAConstruction to SSAConsitency, and the deprecated SSAConsistency module has been removed.

Major Analysis Improvements

JavaScript/TypeScript

  • Added support for TypeScript 5.0.

Minor Analysis Improvements

C/C++

  • The BufferAccess library (semmle.code.cpp.security.BufferAccess) no longer matches buffer accesses inside unevaluated contexts (such as inside sizeof or decltype expressions). As a result, queries using this library may see fewer false positives.

Java/Kotlin

  • Fixed a bug in the regular expression used to identify sensitive information in SensitiveActions::getCommonSensitiveInfoRegex. This may affect the results of the queries java/android/sensitive-communication, java/android/sensitive-keyboard-cache, and java/sensitive-log.
  • Added a summary model for the java.lang.UnsupportedOperationException(String) constructor.
  • The filenames embedded in Compilation.toString() now use / as the path separator on all platforms.
  • Added models for the following packages:
    • java.lang
    • java.net
    • java.nio.file
    • java.io
    • java.lang.module
    • org.apache.commons.httpclient.util
    • org.apache.commons.io
    • org.apache.http.client
    • org.eclipse.jetty.client
    • com.google.common.io
    • kotlin.io
  • Added the TaintedPathQuery.qll library to provide the TaintedPathFlow and TaintedPathLocalFlow taint-tracking modules to reason about tainted path vulnerabilities.
  • Added the ZipSlipQuery.qll library to provide the ZipSlipFlow taint-tracking module to reason about zip-slip vulnerabilities.
  • Added the InsecureBeanValidationQuery.qll library to provide the BeanValidationFlow taint-tracking module to reason about bean validation vulnerabilities.
  • Added the XssQuery.qll library to provide the XssFlow taint-tracking module to reason about cross site scripting vulnerabilities.
  • Added the LdapInjectionQuery.qll library to provide the LdapInjectionFlow taint-tracking module to reason about LDAP injection vulnerabilities.
  • Added the ResponseSplittingQuery.qll library to provide the ResponseSplittingFlow taint-tracking module to reason about response splitting vulnerabilities.
  • Added the ExternallyControlledFormatStringQuery.qll library to provide the ExternallyControlledFormatStringFlow taint-tracking module to reason about externally controlled format string vulnerabilities.
  • Improved the handling of addition in the range analysis. This can cause minor changes to the results produced by java/index-out-of-bounds and java/constant-comparison.
  • A new Models as Data sink kind, command-injection, has been added.
  • The queries java/command-line-injection and java/concatenated-command-line can now be extended using the command-injection Models as Data sink kind.
  • Added more sink and summary dataflow models for the following packages:
    • java.net
    • java.nio.file
    • javax.imageio.stream
    • javax.naming
    • javax.servlet
    • org.geogebra.web.full.main
    • hudson
    • hudson.cli
    • hudson.lifecycle
    • hudson.model
    • hudson.scm
    • hudson.util
    • hudson.util.io
  • Added the extensible abstract class JndiInjectionSanitizer. Now this class can be extended to add more sanitizers to the java/jndi-injection query.
  • Added a summary model for the nativeSQL method of the java.sql.Connection interface.
  • Added sink and summary dataflow models for the Jenkins and Netty frameworks.
  • The Models as Data syntax for selecting the qualifier has been changed from -1 to this (e.g. Argument[-1] is now written as Argument[this]).
  • Added sources and flow step models for the Netty framework up to version 4.1.
  • Added more dataflow models for frequently-used JDK APIs.

JavaScript/TypeScript

  • router.push and router.replace in Next.js are now considered XSS sinks.
  • The crypto-js module in CryptoLibraries.qll now supports progressive hashing with algo.update().

Python

  • Added modeling of SQL execution in the packages sqlite3.dbapi2, cassandra-driver, aiosqlite, and the functions sqlite3.Connection.executescript/sqlite3.Cursor.executescript and asyncpg.connection.connect().
  • Fixed module resolution so we allow imports of definitions that have had an attribute assigned to them, such as class Foo; Foo.bar = 42.

Ruby

  • Control flow graph: the evaluation order of scope expressions and receivers in multiple assignments has been adjusted to match the changes made in Ruby 3.1 and 3.2.
  • The clear-text storage (rb/clear-text-storage-sensitive-data) and logging (rb/clear-text-logging-sensitive-data) queries now use built-in flow through hashes, for improved precision. This may result in both new true positives and fewer false positives.
  • Accesses of params in Sinatra applications are now recognized as HTTP input accesses.
  • Data flow is tracked from Sinatra route handlers to ERB files.
  • Data flow is tracked between basic Sinatra filters (those without URL patterns) and their corresponding route handlers.

Deprecated APIs

C/C++

  • The single-parameter predicates ArrayOrVectorAggregateLiteral.getElementExpr and ClassAggregateLiteral.getFieldExpr have been deprecated in favor of ArrayOrVectorAggregateLiteral.getAnElementExpr and ClassAggregateLiteral.getAFieldExpr.
  • The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
  • The SslContextCallAbstractConfig, SslContextCallConfig, SslContextCallBannedProtocolConfig, SslContextCallTls12ProtocolConfig, SslContextCallTls13ProtocolConfig, SslContextCallTlsProtocolConfig, SslContextFlowsToSetOptionConfig, SslOptionConfig dataflow configurations from BoostorgAsio have been deprecated. Please use SslContextCallConfigSig, SslContextCallGlobal, SslContextCallFlow, SslContextCallBannedProtocolFlow, SslContextCallTls12ProtocolFlow, SslContextCallTls13ProtocolFlow, SslContextCallTlsProtocolFlow, SslContextFlowsToSetOptionFlow.

C#

  • The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.

Golang

  • The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.

Java/Kotlin

  • The execTainted predicate in CommandLineQuery.qll has been deprecated and replaced with the predicate execIsTainted.
  • The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
  • The WebViewDubuggingQuery library has been renamed to WebViewDebuggingQuery to fix the typo in the file name. WebViewDubuggingQuery is now deprecated.

Python

  • The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.

Ruby

  • The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.

New Features

C/C++

  • Added overridable predicates getSizeExpr and getSizeMult to the BufferAccess class (semmle.code.cpp.security.BufferAccess.qll). This makes it possible to model a larger class of buffer reads and writes using the library.

Java/Kotlin

  • Predicates Compilation.getExpandedArgument and Compilation.getAnExpandedArgument have been added.