CodeQL 2.14.3 (2023-08-25)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.14.3 runs a total of 393 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE).
CodeQL CLI¶
Breaking Changes¶
The
<run>.tool.extensionsproperty in the SARIF generated bycodeql database analyzenow contains the following packs:- The containing query pack for each query that was evaluated.
- Each model pack that was specified via the
--model-packsoption, regardless of whether that model pack affected any of the evaluated queries.
Library packs are no longer included in the list.
Previously, this property contained every query and library pack that was available on the search path, regardless of whether that pack was used during the evaluation.
Miscellaneous¶
- The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.8.
- When
codeql testgenerates.actualfiles, they will in some cases list the query predicates in a different order than past versions. There is no need to update.expectedfiles, ascodeql testsorts their results accordingly before diffing. However, when there are genuine changes in expected results, the generated.actualfile can show additional changes against the.expecteddue to the reordering.
Language Libraries¶
Bug Fixes¶
Python¶
- Fixed the computation of locations for imports with aliases in jump-to-definition.
Major Analysis Improvements¶
Java¶
- Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
Swift¶
- Added
DataFlow::CollectionContent, which will enable more accurate flow through collections.
Minor Analysis Improvements¶
C#¶
- The query library for
cs/hardcoded-credentialsnow excludes benign properties such asUserNameClaimTypeandAllowedUserNameCharactersfromMicrosoft.AspNetCore.Identityoptions classes.
Java¶
- Modified the
getSecureAlgorithmNamepredicate inEncryption.qllto also includeSHA-256andSHA-512. Previously only the versions of the names without dashes were considered secure. - Add support for
WithElementandWithoutElementfor MaD access paths.
Python¶
- Support analyzing packages (folders with python code) that do not have
__init__.pyfiles, although this is technically required, we see real world projects that don’t have this. - Added modeling of AWS Lambda handlers that can be identified with
AWS::Serverless::Functionin YAML files, where the event parameter is modeled as a remote-flow-source. - Improvements of the
aiohttpmodels including remote-flow-sources from type annotations, new path manipulation, and SSRF sinks.
Ruby¶
- Flow between positional arguments and splat parameters (
*args) is now tracked more precisely. - Flow between splat arguments (
*args) and positional parameters is now tracked more precisely.
Swift¶
- Added local flow sources for
UITextInputand related classes. - Flow through forced optional unwrapping (
!) on the left side of assignment now works in most cases. Type.getNamenow gets the name of the type alone without any enclosing types. UseType.getFullNamefor the old behaviour.