CodeQL 2.14.2 (2023-08-11)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.14.2 runs a total of 393 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 1 security query has been added with this release.
CodeQL CLI¶
Breaking Changes¶
The functionality provided by the codeql execute query-server subcommand has been removed. The subcommand now responds to all JSON RPC requests with an error response. Correspondingly, this release is no longer compatible with versions of the CodeQL extension for Visual Studio Code prior to 1.7.6. This change also breaks third-party CodeQL IDE integrations that still rely on the codeql execute query-server subcommand. Maintainers of such CodeQL IDE integrations should migrate to the codeql execute query-server2 subcommand at the earliest opportunity.
Bug Fixes¶
- Fixed a bug that made the --warnings=hide option do nothing in codeql database analyze and other commands that evaluate queries.
Improvements¶
- Switched from prefix filtering of autocomplete suggestions in the language server to client-side filtering. This improves autocomplete suggestions in contexts with an autocompletion prefix.
- The CodeQL language server now checks query metadata for errors. This allows Visual Studio Code users to see errors in their query metadata without needing to compile the query.
Query Packs¶
Minor Analysis Improvements¶
Java/Kotlin¶
- The sanitizer in java/potentially-weak-cryptographic-algorithm has been improved, so the query may yield additional results.
New Queries¶
Ruby¶
- Added a new experimental query, rb/ldap-injection, to detect cases where user input is incorporated into LDAP queries without proper validation or sanitization, potentially leading to LDAP injection vulnerabilities.
Swift¶
- Added new query “Command injection” (swift/command-line-injection). The query finds places where user input is used to execute system commands without proper escaping.
- Added new query “Bad HTML filtering regexp” (swift/bad-tag-filter). This query finds regular expressions that match HTML tags in a way that is not robust and can easily lead to security issues.
Language Libraries¶
Breaking Changes¶
C/C++¶
- The shouldPrintFunction predicate from PrintAstConfiguration has been replaced by shouldPrintDeclaration. Users should now override shouldPrintDeclaration if they want to limit the declarations that should be printed.
- The shouldPrintFunction predicate from PrintIRConfiguration has been replaced by shouldPrintDeclaration. Users should now override shouldPrintDeclaration if they want to limit the declarations that should be printed.
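As an added illustration of the migration described above (example code written for this page, not taken from the CodeQL repository or its documentation), the following QL class overrides the new predicate on the C/C++ PrintAstConfiguration. It assumes that PrintAstConfiguration is exported by the semmle.code.cpp.PrintAST module and that shouldPrintDeclaration takes a cpp Declaration; the file name "main.c" is a constructed sample value.

```ql
import cpp
import semmle.code.cpp.PrintAST

// Assumption: PrintAstConfiguration comes from semmle.code.cpp.PrintAST and
// shouldPrintDeclaration takes a Declaration (the pre-2.14.2 predicate was
// shouldPrintFunction(Function f) and only ever saw functions).
class OnlyFunctionsInMainConfig extends PrintAstConfiguration {
  override predicate shouldPrintDeclaration(Declaration decl) {
    // The new predicate also receives global and namespace variables, so
    // keep the old "functions only" behaviour explicitly, and restrict the
    // output to declarations in the constructed sample file "main.c".
    decl instanceof Function and
    decl.getFile().getBaseName() = "main.c"
  }
}
```

This class goes in the same query file as the graph query that imports PrintAST (the shape the stock PrintAST.ql query uses); without the instanceof Function conjunct, the same override now also prints the variables that the 2.14.2 PrintAST library started emitting. The PrintIRConfiguration migration follows the identical pattern against the IR library.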
Major Analysis Improvements¶
C/C++¶
- The PrintAST library now also prints global and namespace variables and their initializers.
Swift¶
- Added DataFlow::ArrayContent, which will provide more accurate flow through arrays.
Minor Analysis Improvements¶
C/C++¶
- The _Float128x type is no longer exposed as a builtin type. As this type could not occur in any code base, this should only affect queries that explicitly looked at the builtin types.
Golang¶
- Logrus’ WithContext methods are no longer treated as if they output the values stored in that context to a log message.
Java/Kotlin¶
- Fixed a typo in the StdlibRandomSource class in RandomDataSource.qll, which caused the class to improperly model calls to the nextBytes method. Queries relying on StdlibRandomSource may see an increase in results.
- Improved the precision of virtual dispatch of java.io.InputStream methods. Now, calls to these methods will not dispatch to arbitrary implementations of InputStream if there is a high-confidence alternative (like a models-as-data summary).
- Added more dataflow steps for java.io.InputStream instances that wrap other java.io.InputStream instances.
- Added models for the Struts 2 framework.
- Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.
JavaScript/TypeScript¶
- Added log-injection as a customizable sink kind for log injection.
Swift¶
- Flow through forced optional unwrapping (!) is modelled more accurately.
- Added flow models for Sequence.withContiguousStorageIfAvailable.
- Added taint flow for NSUserActivity.referrerURL.