CodeQL documentation

CodeQL 2.13.4 (2023-06-19)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.13.4 runs a total of 390 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 125 queries (covering 32 more CWE). 1 security query has been added with this release.

CodeQL CLI

Bug Fixes

  • Fixed an issue where indirect build tracing did not work in Azure DevOps pipeline jobs in Windows containers. To use indirect build tracing in such environments, ensure both the --begin-tracing and --trace-process-name=CExecSvc.exe arguments are passed to codeql database init.
  • Improved the error message for the codeql pack create command when the pack being published has a dependency with no scope in its name.

New Features

  • Temporary files and folders created by the CodeQL CLI will now be cleaned up when each CLI command (and its internal JVM) shuts down normally.

Query Packs

Bug Fixes

Python

  • The display name (@name) of the py/unsafe-deserialization query has been updated for consistency with the corresponding queries in other languages.

Minor Analysis Improvements

Java/Kotlin

  • The java/summary/lines-of-code query now only counts lines of Java code. The new java/summary/lines-of-code-kotlin counts lines of Kotlin code.

JavaScript/TypeScript

  • Fixed an issue where calls to a method named search would lead to false positive alerts related to regular expressions. This happened when the call was incorrectly seen as a call to String.prototype.search, since this function converts its first argument to a regular expression. The analysis is now more restrictive about when to treat search calls as regular expression sinks.

Ruby

  • Fixed a bug that would occur when an initialize method returns self or one of its parameters. In such cases, the corresponding calls to new would be associated with an incorrect return type. This could result in inaccurate call target resolution and cause false positive alerts.
  • Fixed an issue where calls to delete or assoc with a constant-valued argument would be analyzed imprecisely, as if the argument value was not a known constant.

Swift

  • Fixed some false positive results from the swift/string-length-conflation query, caused by imprecise sinks.

New Queries

C/C++

  • Added a new query, cpp/overrun-write, to detect buffer overflows in C-style functions that manipulate buffers.

Language Libraries

Bug Fixes

Swift

  • Fixed a number of inconsistencies in the abstract syntax tree (AST) and in the control-flow graph (CFG). This may lead to more results in queries that use these libraries, or libraries that depend on them (such as dataflow).

Major Analysis Improvements

C#

  • The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, .cshtml files and their generated .cshtml.g.cs counterparts are extracted on dotnet 6 and above.

JavaScript/TypeScript

  • Added support for TypeScript 5.1.

Swift

  • Incorporated the cross-language SensitiveDataHeuristics.qll heuristics library into the Swift SensitiveExprs.qll library. This adds a number of new heuristics, improving the library's detection of sensitive data.

Minor Analysis Improvements

C/C++

  • Deleted the deprecated hasCopyConstructor predicate from the Class class in Class.qll.
  • Deleted many deprecated predicates and classes with uppercase AST, SSA, CFG, API, etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated CodeDuplication.qll file.

C#

  • Analysis of the dotnet test command supplied with a dll or exe file as an argument no longer fails due to the addition of an erroneous -p:SharedCompilation=false argument.
  • Deleted the deprecated WebConfigXML, ConfigurationXMLElement, LocationXMLElement, SystemWebXMLElement, SystemWebServerXMLElement, CustomErrorsXMLElement, and HttpRuntimeXMLElement classes from WebConfig.qll. The non-deprecated names with PascalCased Xml suffixes should be used instead.
  • Deleted the deprecated Record class from both Types.qll and Type.qll.
  • Deleted the deprecated StructuralComparisonConfiguration class from StructuralComparison.qll, use sameGvn instead.
  • Deleted the deprecated isParameterOf predicate from the ParameterNode class.
  • Deleted the deprecated SafeExternalAPICallable, ExternalAPIDataNode, UntrustedDataToExternalAPIConfig, UntrustedExternalAPIDataNode, and ExternalAPIUsedWithUntrustedData classes from ExternalAPIsQuery.qll. The non-deprecated names with PascalCased Api suffixes should be used instead.
  • Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
    • code to code-injection
    • sql to sql-injection
    • html to html-injection
    • xss to js-injection
    • remote to file-content-store

Java/Kotlin

  • Added flow through the block arguments of kotlin.io.use and kotlin.with.
  • Added models for the following packages:
    • com.alibaba.druid.sql
    • com.fasterxml.jackson.databind
    • com.jcraft.jsch
    • io.netty.handler.ssl
    • okhttp3
    • org.antlr.runtime
    • org.fusesource.leveldbjni
    • org.influxdb
    • org.springframework.core.io
    • org.yaml.snakeyaml
  • Deleted the deprecated getRHS predicate from the LValue class, use getRhs instead.
  • Deleted the deprecated getCFGNode predicate from the SsaVariable class, use getCfgNode instead.
  • Deleted many deprecated predicates and classes with uppercase XML, JSON, URL, API, etc. in their names. Use the PascalCased versions instead.
  • Added models for the following packages:
    • java.lang
    • java.nio.file
  • Added dataflow models for the Gson deserialization library.
  • Added models for the following packages:
    • okhttp3
  • Added more dataflow models for the Play Framework.
  • Modified the models related to java.nio.file.Files.copy so that generic [Input|Output]Stream arguments are not considered file-related sinks.
  • Dataflow analysis has a new flow step through constructors of transitive subtypes of java.io.InputStream that wrap an underlying data source. Previously, the step only existed for direct subtypes of java.io.InputStream.
  • Path creation sinks modeled in PathCreation.qll have been added to the models-as-data sink kind path-injection.
  • Updated the regular expression in the HostnameSanitizer sanitizer in the semmle.code.java.security.RequestForgery library to better detect strings prefixed with a hostname.
  • Changed the android-widget Java source kind to remote. Any custom data extensions that use the android-widget source kind will need to be updated accordingly in order to continue working.
  • Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
    • sql to sql-injection
    • url-redirect to url-redirection
    • xpath to xpath-injection
    • ssti to template-injection
    • logging to log-injection
    • groovy to groovy-injection
    • jexl to jexl-injection
    • mvel to mvel-injection
    • xslt to xslt-injection
    • ldap to ldap-injection
    • pending-intent-sent to pending-intents
    • intent-start to intent-redirection
    • set-hostname-verifier to hostname-verification
    • header-splitting to response-splitting
    • xss to html-injection and js-injection
    • write-file to file-system-store
    • create-file and read-file to path-injection
    • open-url and jdbc-url to request-forgery

JavaScript/TypeScript

  • Deleted many deprecated predicates and classes with uppercase XML, JSON, URL, API, etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated localTaintStep predicate from DataFlow.qll.
  • Deleted the deprecated stringStep, and localTaintStep predicates from TaintTracking.qll.
  • Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
  • Deleted the deprecated HtmlInjectionConfiguration and JQueryHtmlOrSelectorInjectionConfiguration classes from DomBasedXssQuery.qll, use Configuration instead.
  • Deleted the deprecated DefiningIdentifier class and the Definitions.qll file it was in. Use SsaDefinition instead.
  • Deleted the deprecated definitionReaches, localDefinitionReaches, getAPseudoDefinitionInput, nextDefAfter, and localDefinitionOverwrites predicates from DefUse.qll.
  • Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
    • command-line-injection to command-injection
    • credentials[kind] to credentials-kind
  • Added support for submodules in node_modules.
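The sink and source kind renames listed above for C#, Java and JavaScript all break existing models-as-data extensions in the same way: any row still using an old kind name silently stops contributing sinks or sources. The following script is an added example, not part of CodeQL or this changelog, that rewrites the kind column of a decoded extension file using exactly the rename tables given here (including the Java xss kind that becomes two rows, the android-widget source that becomes remote, and the JavaScript credentials[kind] pattern). It assumes the extension has already been loaded from YAML into Python data (for example with yaml.safe_load, not used here so the script needs only the standard library), and it assumes the column layouts noted in the comments; the sample packages and rows are constructed.

```python
"""Rewrite sink/source kind names in a decoded CodeQL models-as-data extension
to the names introduced in CodeQL 2.13.4. The rename tables come from this
changelog; YAML loading and writing is left to the caller (stdlib only here)."""
import re

# Old sink kind -> list of new sink kinds, per language pack (from this changelog).
SINK_RENAMES = {
    "csharp": {"code": ["code-injection"], "sql": ["sql-injection"], "html": ["html-injection"],
               "xss": ["js-injection"], "remote": ["file-content-store"]},
    "java": {"sql": ["sql-injection"], "url-redirect": ["url-redirection"], "xpath": ["xpath-injection"],
             "ssti": ["template-injection"], "logging": ["log-injection"], "groovy": ["groovy-injection"],
             "jexl": ["jexl-injection"], "mvel": ["mvel-injection"], "xslt": ["xslt-injection"],
             "ldap": ["ldap-injection"], "pending-intent-sent": ["pending-intents"],
             "intent-start": ["intent-redirection"], "set-hostname-verifier": ["hostname-verification"],
             "header-splitting": ["response-splitting"],
             "xss": ["html-injection", "js-injection"],  # one old kind becomes two rows
             "write-file": ["file-system-store"], "create-file": ["path-injection"],
             "read-file": ["path-injection"], "open-url": ["request-forgery"], "jdbc-url": ["request-forgery"]},
    "javascript": {"command-line-injection": ["command-injection"]},
}
# Old source kind -> new source kind; only the Java android-widget source changed.
SOURCE_RENAMES = {"java": {"android-widget": ["remote"]}}
# JavaScript "credentials[kind]" sink kinds become "credentials-kind".
CREDENTIALS_RE = re.compile(r"^credentials\[([^\]]+)\]$")
# Assumed column layout: Java/C# sinkModel and sourceModel rows are
# (package, type, subtypes, name, signature, ext, input-or-output, kind, provenance);
# JavaScript rows are (type, path, kind).
KIND_COLUMN = {"java": 7, "csharp": 7, "javascript": 2}


def pack_language(pack):
    """Map a pack name such as "codeql/java-all" to its language key ("java")."""
    name = pack.split("/", 1)[-1]
    return name[: -len("-all")] if name.endswith("-all") else name


def new_kinds_for(kind, renames, lang):
    """Return the kind names one old kind maps to (a one-element list of itself if unchanged)."""
    if lang == "javascript":
        m = CREDENTIALS_RE.match(kind)
        if m:
            return ["credentials-" + m.group(1)]
    return renames.get(kind, [kind])


def migrate_rows(rows, renames, kind_col, lang):
    """Rewrite the kind column of one table's rows; return (new rows, number of rows renamed)."""
    out, changed = [], 0
    for row in rows:
        if len(row) <= kind_col:  # malformed row: copy through untouched
            out.append(list(row))
            continue
        kinds = new_kinds_for(row[kind_col], renames, lang)
        if kinds != [row[kind_col]]:
            changed += 1
        for kind in kinds:  # a kind split in two (Java xss) yields two rows
            new_row = list(row)
            new_row[kind_col] = kind
            out.append(new_row)
    return out, changed


def migrate_extension(doc):
    """Return a migrated copy of the decoded extension file and the count of renamed rows."""
    result, total = {"extensions": []}, 0
    for ext in doc.get("extensions", []):
        adds_to = ext.get("addsTo", {})
        lang = pack_language(adds_to.get("pack", ""))
        table = {"sinkModel": SINK_RENAMES, "sourceModel": SOURCE_RENAMES}.get(adds_to.get("extensible"))
        if table is None or lang not in KIND_COLUMN:
            result["extensions"].append(ext)  # not a sink/source table we know how to rewrite
            continue
        rows, changed = migrate_rows(ext.get("data", []), table.get(lang, {}), KIND_COLUMN[lang], lang)
        total += changed
        result["extensions"].append({**ext, "data": rows})
    return result, total


# Constructed sample extension (hypothetical com.example packages, not real models).
SAMPLE_EXTENSION = {"extensions": [
    {"addsTo": {"pack": "codeql/java-all", "extensible": "sinkModel"}, "data": [
        ["com.example.db", "Query", True, "run", "(String)", "", "Argument[0]", "sql", "manual"],
        ["com.example.web", "Page", True, "render", "(String)", "", "Argument[0]", "xss", "manual"],
        ["com.example.net", "Fetcher", True, "get", "(String)", "", "Argument[0]", "open-url", "manual"]]},
    {"addsTo": {"pack": "codeql/java-all", "extensible": "sourceModel"}, "data": [
        ["com.example.ui", "Widget", True, "getText", "()", "", "ReturnValue", "android-widget", "manual"]]},
    {"addsTo": {"pack": "codeql/javascript-all", "extensible": "sinkModel"}, "data": [
        ["Shell", "Member[exec].Argument[0]", "command-line-injection"],
        ["Config", "Member[password]", "credentials[password]"]]},
]}


def migrate_sample():
    """Run the migration over the constructed sample; returns (migrated doc, rows renamed)."""
    return migrate_extension(SAMPLE_EXTENSION)


if __name__ == "__main__":
    migrated, count = migrate_sample()
    print(count, "rows renamed")
    for ext in migrated["extensions"]:
        for row in ext["data"]:
            print(ext["addsTo"]["extensible"], row)
```

Running the script a second time over its own output reports zero renamed rows, which is the property to check before committing migrated extension files: a rename table that is not idempotent (for example if an old name also appeared as a new name in the same table) would corrupt rows on repeated runs.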

Ruby

  • Deleted many deprecated predicates and classes with uppercase URL, XSS, etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated getValueText predicate from the Expr, StringComponent, and ExprCfgNode classes. Use getConstantValue instead.
  • Deleted the deprecated VariableReferencePattern class, use ReferencePattern instead.
  • Deleted all deprecated aliases in StandardLibrary.qll, use codeql.ruby.frameworks.Core and codeql.ruby.frameworks.Stdlib instead.
  • Support for the sequel gem has been added. Method calls that execute queries against a database that may be vulnerable to injection attacks will now be recognized.
  • Support for the mysql2 gem has been added. Method calls that execute queries against a MySQL database that may be vulnerable to injection attacks will now be recognized.
  • Support for the pg gem has been added. Method calls that execute queries against a PostgreSQL database that may be vulnerable to injection attacks will now be recognized.

Swift

  • Some models for the Data class have been generalized to DataProtocol so that they apply more widely.

New Features

Java/Kotlin

  • Kotlin versions up to 1.9.0 are now supported.