CodeQL 2.14.4 (2023-09-12)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.14.4 runs a total of 394 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 129 queries (covering 35 more CWE). 3 security queries have been added with this release.
CodeQL CLI¶
Potentially Breaking Changes¶
- The CodeQL CLI no longer supports the
SEMMLE_JAVA_ARGSenvironment variable. All previous versions of the CodeQL CLI perform command substitution on theSEMMLE_JAVA_ARGSvalue (for example, replacing'$(echo foo)'with'foo') when starting a new Java virtual machine, which, depending on the execution environment, may have security implications. Users are advised to check their environments for possibleSEMMLE_JAVA_ARGSmisuse.
Bug Fixes¶
codeql database init(andgithub/codeql-action/init@v2on GitHub Actions) should no longer hang or crash for traced languages on 64-bit Windows machines when certain antivirus software is installed.- During
codeql pack createandcodeql pack publish, a source version of a pack coming from--additional-packscan explicitly be used to override a requested pack version even if this source version is incompatible with the requested version in the pack file. Previously, this would fail with a confusing error message. - Fixed a bug where
codeql database interpret-resultshangs when a path query produces a result that has no paths from source to sink.
New Features¶
- The Java extractor now supports files that use Lombok.
Miscellaneous¶
- The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.8.
Query Packs¶
Bug Fixes¶
JavaScript/TypeScript¶
- Fixed an extractor crash that would occur in rare cases when a TypeScript file contains a self-referential namespace alias.
Minor Analysis Improvements¶
C/C++¶
- The “Comparison where assignment was intended” query (
cpp/compare-where-assign-meant) no longer reports comparisons that appear in macro expansions. - Some queries that had repeated results corresponding to different levels of indirection for
argvnow only have a single result. - The
cpp/non-constant-formatquery no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
Java¶
- The queries “Resolving XML external entity in user-controlled data” (
java/xxe) and “Resolving XML external entity in user-controlled data from local source” (java/xxe-local) now recognize sinks in the MDHT library.
JavaScript/TypeScript¶
- Files larger than 10 MB are no longer be extracted or analyzed.
- Imports can now be resolved in more cases, where a non-constant string expression is passed to a
require()call.
Python¶
- Improved Reflected server-side cross-site scripting (
py/reflective-xss) query to not alert on data passed toflask.jsonify. Since these HTTP responses are returned with mime-typeapplication/json, they do not pose a security risk for XSS. - Updated path explanations for
@kind path-problemqueries to always include left hand side of assignments, making paths easier to understand.
New Queries¶
C/C++¶
- Added a new query,
cpp/invalid-pointer-deref, to detect out-of-bounds pointer reads and writes.
Java¶
- Added the
java/trust-boundary-violationquery to detect trust boundary violations between HTTP requests and the HTTP session. Also added thetrust-boundary-violationsink kind for sinks which may cross a trust boundary, such as calls to theHttpSession#setAttributemethod.
Ruby¶
- Added a new experimental query,
rb/improper-ldap-auth, to detect cases where user input is used during LDAP authentication without proper validation or sanitization, potentially leading to authentication bypass.
Swift¶
- Added new query “Incomplete regular expression for hostnames” (
swift/incomplete-hostname-regexp). This query finds regular expressions matching a URL or hostname that may match more hostnames than expected.
Language Libraries¶
Minor Analysis Improvements¶
C/C++¶
deleteanddelete[]are now modeled as calls to the relevantoperator deletein the IR. In the case of a dynamic delete call a new instructionVirtualDeleteFunctionAddressis used to represent a function that dispatches to the correct delete implementation.- Only the 2 level indirection of
argv(corresponding to**argv) is consided forFlowSource.
C#¶
- The
--nostdlibextractor option for the standalone extractor has been removed.
Golang¶
- Added http.Error to XSS sanitzers.
Java¶
- Fixed the MaD signature specifications to use proper nested type names.
- Added new sanitizer to Java command injection model
- Added more dataflow models for JAX-RS.
- The predicate
JaxWsEndpoint::getARemoteMethodno longer requires the result to be annotated with@WebMethod. Instead, the requirements listed in the JAX-RPC Specification 1.1 for required parameter and return types are used. Applications using JAX-RS may see an increase in results.
Python¶
- Regular expressions containing multiple parse mode flags are now interpretted correctly. For example
"(?is)abc.*"with both theiandsflags. - Added
shlex.quoteas a sanitizer for thepy/shell-command-constructed-from-inputquery.
Swift¶
- Flow through optional chaining and forced unwrapping in keypaths is now supported by the data flow library.
- Added flow models of collection
.withContiguous[Mutable]StorageIfAvailable,.withUnsafe[Mutable]BufferPointerand.withUnsafe[Mutable]Bytesmethods.