CodeQL documentation

CodeQL 2.13.3 (2023-05-31)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.13.3 runs a total of 389 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 125 queries (covering 32 more CWE).

CodeQL CLI

Bug Fixes

  • Fixed a bug that could cause the compiler to infer incorrect binding sets for non-direct calls to overriding member predicates that have stronger binding sets than their root definitions.
  • Fixed a bug that could have caused the compiler to incorrectly infer that a class matched a type signature. The bug only affected classes with overriding member predicates that had stronger binding sets than their root definitions.
  • Fixed a bug where a query could not be run from VS Code when there were packs nested within sibling directories of the query.

New Features

  • This release enhances our preliminary Swift support, setting the stage for the upcoming public beta.
  • The codeql database bundle command now supports the --[no]-include-temp option. When enabled, this option will include the temp folder of the database directory in the zip file of the bundled database. This folder includes generated packages and queries, and query suites.
  • The structured log produced by codeql generate log-summary now includes a Boolean isCached field for predicate events, where a true value indicates the predicate is a wrapper implementing the cached annotation on another predicate. The wrapper depends on the underlying predicate that the annotation was found on, and will usually have the same name, but it has a separate raHash.

Query Packs

Bug Fixes

JavaScript/TypeScript

  • Fixed a spurious diagnostic warning about comments in JSON files being illegal. Comments in JSON files are in fact fully supported, and the diagnostic message was misleading.

Major Analysis Improvements

JavaScript/TypeScript

  • Added taint sources from the @actions/core and @actions/github packages.
  • Added command-injection sinks from the @actions/exec package.

Minor Analysis Improvements

Java

  • The query java/groovy-injection now recognizes groovy.text.TemplateEngine.createTemplate as a sink.
  • The queries java/xxe and java/xxe-local now recognize the second argument of calls to XPath.evaluate as a sink.
  • Experimental sinks for the query “Resolving XML external entity in user-controlled data” (java/xxe) have been promoted to the main query pack. These sinks were originally submitted as part of an experimental query by @haby0.

JavaScript/TypeScript

  • The js/indirect-command-line-injection query no longer flags command arguments that cannot be interpreted as a shell string.
  • The js/unsafe-deserialization query no longer flags deserialization through the js-yaml library, except when it is used with an unsafe schema.
  • The Forge module in CryptoLibraries.qll now correctly classifies SHA-512/224, SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.

Language Libraries

Major Analysis Improvements

C/C++

  • In the intermediate representation, handling of control flow after non-returning calls has been improved. This should remove false positives in queries that use the intermediate representation or libraries based on it, including the new data flow library.

Minor Analysis Improvements

C/C++

  • The StdNamespace class now also includes all inline namespaces that are children of the std namespace.
  • The new dataflow (semmle.code.cpp.dataflow.new.DataFlow) and taint-tracking libraries (semmle.code.cpp.dataflow.new.TaintTracking) now support tracking flow through static local variables.

C#

  • The cs/log-forging, cs/cleartext-storage, and cs/exposure-of-sensitive-information queries now correctly handle unsanitized arguments to ILogger extension methods.
  • Updated the neutralModel extensible predicate to include a kind column.

Golang

  • Fixed data flow through variadic function parameters. The arguments corresponding to a variadic parameter are no longer returned by CallNode.getArgument(int i) and CallNode.getAnArgument(), and hence are not ArgumentNodes. Instead, those predicates have a single result for them: an ImplicitVarargsSlice node. For example, a call f(a, b, c) to a function f(T...) is treated like f([]T{a, b, c}). The old behaviour is preserved by CallNode.getSyntacticArgument(int i) and CallNode.getASyntacticArgument(). CallExpr.getArgument(int i) and CallExpr.getAnArgument() are unchanged and still have three results in the example given.
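The practical consequence of this change for custom Go queries is that an isSink predicate written as sink = call.getAnArgument() against a variadic function now sees the implicit slice node rather than each written argument. The following query, an added example that is not part of the CodeQL release or its query packs, lists both views side by side so the difference can be inspected on a database; it assumes ImplicitVarargsSlice is exposed as DataFlow::ImplicitVarargsSlice, which the release note names only by its unqualified class name.

```ql
/**
 * @name Varargs argument nodes: getAnArgument vs getASyntacticArgument
 * @description Added example (not part of the CodeQL query packs): for every call that
 *              passes an implicit varargs slice, show the single node returned by
 *              getAnArgument() next to the per-argument nodes returned by
 *              getASyntacticArgument(), so the effect of the 2.13.3 change is visible.
 * @kind table
 * @id go/example/varargs-argument-nodes
 */

import go

from DataFlow::CallNode call, DataFlow::ImplicitVarargsSlice slice, DataFlow::Node arg, string api
where
  // Assumed: DataFlow::ImplicitVarargsSlice is the class of the synthesised slice node.
  // Binding `slice` to getAnArgument() restricts the query to calls of variadic targets.
  slice = call.getAnArgument() and
  (
    // New behaviour: one argument node per call, the implicit []T{...} slice.
    api = "getAnArgument" and arg = slice
    or
    // Old behaviour, still available: one node per argument as written in the source.
    api = "getASyntacticArgument" and arg = call.getASyntacticArgument()
  )
select call, api, arg
```

For a call f(a, b, c) to f(T...) this yields one getAnArgument row and three getASyntacticArgument rows. A query that wants to keep treating each written argument as a sink should switch to getASyntacticArgument(); a query that wants the fixed flow through the slice should keep getAnArgument() and let the new ImplicitVarargsSlice node carry the taint.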

Java

  • Added SQL injection sinks for Spring JDBC’s NamedParameterJdbcOperations.
  • Added models for the following packages:
    • org.apache.hadoop.fs
  • Added the ArithmeticCommon.qll library to provide predicates for reasoning about arithmetic operations.
  • Added the ArithmeticTaintedLocalQuery.qll library to provide the ArithmeticTaintedLocalOverflowFlow and ArithmeticTaintedLocalUnderflowFlow taint-tracking modules to reason about arithmetic with unvalidated user input.
  • Added the ArithmeticTaintedQuery.qll library to provide the RemoteUserInputOverflow and RemoteUserInputUnderflow taint-tracking modules to reason about arithmetic with unvalidated user input.
  • Added the ArithmeticUncontrolledQuery.qll library to provide the ArithmeticUncontrolledOverflowFlow and ArithmeticUncontrolledUnderflowFlow taint-tracking modules to reason about arithmetic with uncontrolled user input.
  • Added the ArithmeticWithExtremeValuesQuery.qll library to provide the MaxValueFlow and MinValueFlow dataflow modules to reason about arithmetic with extreme values.
  • Added the BrokenCryptoAlgorithmQuery.qll library to provide the InsecureCryptoFlow taint-tracking module to reason about broken cryptographic algorithm vulnerabilities.
  • Added the ExecTaintedLocalQuery.qll library to provide the LocalUserInputToArgumentToExecFlow taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
  • Added the ExternallyControlledFormatStringLocalQuery.qll library to provide the ExternallyControlledFormatStringLocalFlow taint-tracking module to reason about format string vulnerabilities caused by local data flow.
  • Added the ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll library to provide the BoundedFlowSourceFlow dataflow module to reason about improper validation of code-specified sizes used for array construction.
  • Added the ImproperValidationOfArrayConstructionLocalQuery.qll library to provide the ImproperValidationOfArrayConstructionLocalFlow taint-tracking module to reason about improper validation of local user-provided sizes used for array construction caused by local data flow.
  • Added the ImproperValidationOfArrayConstructionQuery.qll library to provide the ImproperValidationOfArrayConstructionFlow taint-tracking module to reason about improper validation of user-provided size used for array construction.
  • Added the ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll library to provide the BoundedFlowSourceFlow data flow module to reason about improper validation of code-specified array index.
  • Added the ImproperValidationOfArrayIndexLocalQuery.qll library to provide the ImproperValidationOfArrayIndexLocalFlow taint-tracking module to reason about improper validation of a local user-provided array index.
  • Added the ImproperValidationOfArrayIndexQuery.qll library to provide the ImproperValidationOfArrayIndexFlow taint-tracking module to reason about improper validation of user-provided array index.
  • Added the InsecureCookieQuery.qll library to provide the SecureCookieFlow taint-tracking module to reason about insecure cookie vulnerabilities.
  • Added the MaybeBrokenCryptoAlgorithmQuery.qll library to provide the InsecureCryptoFlow taint-tracking module to reason about broken cryptographic algorithm vulnerabilities.
  • Added the NumericCastTaintedQuery.qll library to provide the NumericCastTaintedFlow taint-tracking module to reason about numeric cast vulnerabilities.
  • Added the ResponseSplittingLocalQuery.qll library to provide the ResponseSplittingLocalFlow taint-tracking module to reason about response splitting vulnerabilities caused by local data flow.
  • Added the SqlConcatenatedQuery.qll library to provide the UncontrolledStringBuilderSourceFlow taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
  • Added the SqlTaintedLocalQuery.qll library to provide the LocalUserInputToArgumentToSqlFlow taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
  • Added the StackTraceExposureQuery.qll library to provide the printsStackExternally, stringifiedStackFlowsExternally, and getMessageFlowsExternally predicates to reason about stack trace exposure vulnerabilities.
  • Added the TaintedPermissionQuery.qll library to provide the TaintedPermissionFlow taint-tracking module to reason about tainted permission vulnerabilities.
  • Added the TempDirLocalInformationDisclosureQuery.qll library to provide the TempDirSystemGetPropertyToCreate taint-tracking module to reason about local information disclosure vulnerabilities caused by local data flow.
  • Added the UnsafeHostnameVerificationQuery.qll library to provide the TrustAllHostnameVerifierFlow taint-tracking module to reason about insecure hostname verification vulnerabilities.
  • Added the UrlRedirectLocalQuery.qll library to provide the UrlRedirectLocalFlow taint-tracking module to reason about URL redirection vulnerabilities caused by local data flow.
  • Added the UrlRedirectQuery.qll library to provide the UrlRedirectFlow taint-tracking module to reason about URL redirection vulnerabilities.
  • Added the XPathInjectionQuery.qll library to provide the XPathInjectionFlow taint-tracking module to reason about XPath injection vulnerabilities.
  • Added the XssLocalQuery.qll library to provide the XssLocalFlow taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
  • Moved the url-open-stream sink models to experimental and removed url-open-stream as a sink option from the Customizing Library Models for Java documentation.
  • Added models for the Apache Commons Net library.
  • Updated the neutralModel extensible predicate to include a kind column.
  • Added models for the io.jsonwebtoken library.
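The *Query.qll libraries listed above expose each standard query's flow configuration as a named module, so a custom query can reuse the shipped sources, sinks and sanitizers instead of copying them. The query below is an added example, not one of the CodeQL query packs' own queries; it wraps UrlRedirectFlow to report the same paths as java/url-redirect but drops results inside classes following a hypothetical project naming convention. It assumes the library lives at semmle.code.java.security.UrlRedirectQuery (the release note gives only the file name) and that the module follows the standard DataFlow::Global API, with PathNode, flowPath and PathGraph members.

```ql
/**
 * @name URL redirection from remote source (reusing UrlRedirectFlow)
 * @description Added example (not a CodeQL query-pack query): reports untrusted URL
 *              redirection using the UrlRedirectFlow module shipped in UrlRedirectQuery.qll,
 *              excluding a project-specific set of intentional redirect helpers.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 6.1
 * @precision high
 * @id java/example/url-redirect-excluding-helpers
 * @tags security
 *       external/cwe/cwe-601
 */

import java
// Assumed location of the new library; it provides the UrlRedirectFlow taint-tracking module.
import semmle.code.java.security.UrlRedirectQuery
// PathGraph from the module so the result is rendered as a source-to-sink path.
import UrlRedirectFlow::PathGraph

/**
 * Hypothetical project convention: classes named *IntentionalRedirect* hold redirects that
 * are reviewed separately. Replace with whatever exclusion the project actually needs.
 */
predicate isReviewedRedirectHelper(Callable c) {
  c.getDeclaringType().getName().matches("%IntentionalRedirect%")
}

from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink
where
  // Sources, sinks and sanitizers all come from the shipped configuration.
  UrlRedirectFlow::flowPath(source, sink) and
  not isReviewedRedirectHelper(sink.getNode().getEnclosingCallable())
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.",
  source.getNode(), "user-provided value"
```

The same pattern applies to the other modules introduced here, for example XPathInjectionFlow from XPathInjectionQuery.qll or NumericCastTaintedFlow from NumericCastTaintedQuery.qll: import the library, import Module::PathGraph, and select on Module::flowPath.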

JavaScript/TypeScript

  • Improved the queries for injection vulnerabilities in GitHub Actions workflows (js/actions/command-injection and js/actions/pull-request-target) and the associated library semmle.javascript.Actions. They now recognize steps defined in composite actions as well as steps defined in workflow files, model more potentially untrusted input values, detect injections into actions/github-script scripts in addition to shell injections, detect simple injections through user-controlled ${{ env.name }} values, and handle workflow files with the .yaml extension as well as .yml.

Python

  • Type tracking is now aware of reads of captured variables (variables defined in an outer scope). This leads to a richer API graph, and may lead to more results in some queries.
  • Added more content-flow/field-flow for dictionaries, by adding support for reads through mydict.get("key") and mydict.setdefault("key", value), and store steps through dict["key"] = value and mydict.setdefault("key", value).

Ruby

  • Support for the sqlite3 gem has been added. Method calls that execute queries against an SQLite3 database that may be vulnerable to injection attacks will now be recognized.

New Features

C/C++

  • Added an AST-based interface (semmle.code.cpp.rangeanalysis.new.RangeAnalysis) for the relative range analysis library.
  • A new predicate BarrierGuard::getAnIndirectBarrierNode has been added to the new dataflow library (semmle.code.cpp.dataflow.new.DataFlow) to mark indirect expressions as barrier nodes using the BarrierGuard API.
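The distinction between getABarrierNode and getAnIndirectBarrierNode matters when the validated expression is a pointer and the tainted data lives in what it points to: the guard checks the pointer, but the flow path runs through the pointee. The following query is an added example, not part of the CodeQL query packs, showing a configuration that uses both. It assumes a hypothetical bool-returning validator validate_header(hdr), that the guard-check signature of BarrierGuard is (IRGuardCondition g, Expr e, boolean branch), that IRGuardCondition is importable from semmle.code.cpp.controlflow.IRGuards, and that the condition of if (validate_header(hdr)) is the call instruction itself, so that g.getUnconvertedResultExpression() matches the FunctionCall.

```ql
/**
 * @name Network-controlled length reaches memcpy (BarrierGuard demo)
 * @description Added example (not a CodeQL query-pack query): flow from the byte count
 *              returned by recv to the length argument of memcpy, cut off by a hypothetical
 *              validate_header() check using both direct and indirect barrier nodes.
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example/indirect-barrier-guard
 */

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.dataflow.new.TaintTracking
// Assumed location of IRGuardCondition.
import semmle.code.cpp.controlflow.IRGuards
import UntrustedLengthFlow::PathGraph

/**
 * Holds if `g` is the condition `validate_header(e)` (hypothetical validator returning bool)
 * and `branch` is the true edge, i.e. the edge on which the header at `e` has been validated.
 */
predicate headerValidated(IRGuardCondition g, Expr e, boolean branch) {
  exists(FunctionCall call |
    call.getTarget().hasName("validate_header") and
    call.getArgument(0) = e and
    g.getUnconvertedResultExpression() = call and
    branch = true
  )
}

module UntrustedLengthConfig implements DataFlow::ConfigSig {
  /** Source: the byte count returned by recv, which the remote peer influences. */
  predicate isSource(DataFlow::Node source) {
    source.asExpr().(FunctionCall).getTarget().hasName("recv")
  }

  /** Sink: the length argument of memcpy. */
  predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().hasName("memcpy") and
      sink.asExpr() = call.getArgument(2)
    )
  }

  /**
   * Barrier: getABarrierNode() covers the pointer value `hdr` itself. For code such as
   *   hdr->len = n; if (validate_header(hdr)) memcpy(dst, src, hdr->len);
   * the taint travels through *hdr, not through the pointer, so the indirect node from
   * getAnIndirectBarrierNode() is the one that actually stops the path.
   */
  predicate isBarrier(DataFlow::Node node) {
    node = DataFlow::BarrierGuard<headerValidated/3>::getABarrierNode() or
    node = DataFlow::BarrierGuard<headerValidated/3>::getAnIndirectBarrierNode()
  }
}

module UntrustedLengthFlow = TaintTracking::Global<UntrustedLengthConfig>;

from UntrustedLengthFlow::PathNode source, UntrustedLengthFlow::PathNode sink
where UntrustedLengthFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "memcpy length depends on a $@.", source.getNode(),
  "value received from the network"
```

With only getABarrierNode() in isBarrier, the path in the comment above is still reported, because no node on it is the guarded pointer value; adding getAnIndirectBarrierNode() is what lets the validator suppress it. Whether a given guard condition is matched by the headerValidated predicate should be confirmed against the IR of the target code, since conversions inserted between the call and the branch would change which instruction is the IRGuardCondition.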