CodeQL documentation

CodeQL 2.13.1 (2023-05-03)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.13.1 runs a total of 389 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 125 queries (covering 32 more CWE). 2 security queries have been added with this release.


Bug Fixes

  • Fixed a bug in codeql database upload-results where the subcommand would fail with “A fatal error occurred: Invalid SARIF.”, reporting an InvalidDefinitionException. This issue occurred when the SARIF file contained certain kinds of diagnostic information.


  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.7.

Query Packs

Bug Fixes


  • Fixes an issue that would cause TypeScript extraction to hang in rare cases when extracting code containing recursive generic type aliases.

Minor Analysis Improvements


  • Additional sinks modelling writes to unencrypted local files have been added to ExternalLocationSink, used by the cs/cleartext-storage and cs/exposure-of-sensitive-information queries.


  • Improved the call graph to better handle the case where a function is stored on a plain object and subsequently copied to a new host object via an extend call.

New Queries


  • A new query cpp/double-free has been added. The query finds possible cases of deallocating the same pointer twice. The precision of the query has been set to “medium”.
  • The query cpp/use-after-free has been modernized and assigned the precision “medium”. The query finds cases of where a pointer is dereferenced after its memory has been deallocated.

Language Libraries

Major Analysis Improvements


  • The Yaml.qll library was moved into a shared library pack named codeql/yaml to make it possible for other languages to re-use it. This change should be backwards compatible for existing JavaScript queries.

Minor Analysis Improvements


  • Taking a slice is now considered a sanitizer for SafeUrlFlow.


  • Changed some models of Spring’s FileCopyUtils.copy to be path injection sinks instead of summaries.
  • Added models for the following packages:
    • java.nio.file
  • Added models for Apache HttpComponents versions 4 and 5.
  • Added sanitizers that recognize line breaks to the query java/log-injection.
  • Added new flow steps for java.util.StringJoiner.


  • Added support for querying the contents of YAML files.

Deprecated APIs


  • The sensitiveResultReceiver predicate in SensitiveResultReceiverQuery.qll has been deprecated and replaced with isSensitiveResultReceiver in order to use the new dataflow API.

Shared Libraries

Minor Analysis Improvements

YAML Data Analysis

  • Initial release. Extracted YAML related code into a library pack to share code between languages.
  • © GitHub, Inc.
  • Terms
  • Privacy