CodeQL 2.15.0 (2023-10-11)¶

Contents

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.15.0 runs a total of 397 security queries when configured with the Default suite (covering 157 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 2 security queries have been added with this release.

CodeQL CLI¶

Bug Fixes¶

Fixed an issue with analyzing Python projects using Python 3.12.

Deprecations¶

pragma[assume_small_delta] is now deprecated. The pragma has no effect and should be removed.
Missing override annotations on class fields now raise errors rather than warnings. This is to avoid confusion with the shadowing behavior in the presence of final fields.
The CodeQL CLI no longer supports ML-powered alerts. For more information, including details of our work in the AI-powered security technology space, see “CodeQL code scanning deprecates ML-powered alerts.”

New Features¶

The output of codeql version --format json now includes a features property. Each key in the map identifies a feature of the CodeQL CLI. The value for a key is always true. Going forward, whenever a significant new feature is added to the CodeQL CLI, a corresponding entry will be added to the features map. This is intended to make it easier for tools that invoke the CodeQL CLI to know if the particular version of the CLI they are invoking supports a given feature, without having to know exactly what CLI version introduced that feature.

Improvements¶

You can now specify the CodeQL languages C/C++, Java/Kotlin, and JavaScript/TypeScript using --language c-cpp, --language java-kotlin, and --language javascript-typescript respectively. These new CodeQL language names convey more clearly what languages each CodeQL language will analyze.

You can also reference these CodeQL languages via their secondary language names (C/C++ via --language c or --language cpp, Java/Kotlin via --language java or --language kotlin, and JavaScript/TypeScript via --language javascript or --language typescript), however we recommend you refer to them via the new primary CodeQL language names for improved clarity.
CodeQL now respects custom home directories set by the $HOME environment variable on MacOS and Linux and %USERPROFILE% on Windows. When set, CodeQL will use the variable’s value to change the default location of downloaded packages and the global compilation cache.
This release improves the quality of file coverage information for repositories that vendor their dependencies. This is currently supported for Go and JavaScript projects.

QL Language¶

The QL language now has two new methods codePointAt and codePointCount on the string type. The methods both return integers and act the same as the similarly named Java methods on strings. For example, "abc".codePointAt(2) is 99 and ("a" + 128512.toUnicode() + "c").codePointAt(1) is a 128512.

Query Packs¶

Minor Analysis Improvements¶

C/C++¶

The queries cpp/double-free and cpp/use-after-free find fewer false positives in cases where a non-returning function is called.
The number of duplicated dataflow paths reported by queries has been significantly reduced.

Python¶

Improved URL redirection from remote source (py/url-redirection) query to not alert when URL has been checked with django.utils.http. url_has_allowed_host_and_scheme.
Extended the py/command-line-injection query with sinks from Python’s asyncio module.

Ruby¶

Built-in Ruby queries now use the new DataFlow API.

Swift¶

Adder barriers for numeric type values to the injection-like queries, to reduce false positive results where the user input that can be injected is constrainted to a numerical value. The queries updated by this change are: “Predicate built from user-controlled sources” (swift/predicate-injection), “Database query built from user-controlled sources” (swift/sql-injection), “Uncontrolled format string” (swift/uncontrolled-format-string), “JavaScript Injection” (swift/unsafe-js-eval) and “Regular expression injection” (swift/regex-injection).
Added additional taint steps to the swift/cleartext-transmission, swift/cleartext-logging and swift/cleartext-storage-preferences queries to identify data within sensitive containers. This is similar to an existing additional taint step in the swift/cleartext-storage-database query.
Added new logging sinks to the swift/cleartext-logging query.
Added sqlite3 and SQLite.swift path injection sinks for the swift/path-injection query.

New Queries¶

C#¶

Added a new query, cs/web/insecure-direct-object-reference, to find instances of missing authorization checks for resources selected by an ID parameter.

Python¶

The query py/nosql-injection for finding NoSQL injection vulnerabilities is now available in the default security suite.

Query Metadata Changes¶

C/C++¶

The cpp/double-free query has been further improved to reduce false positives and its precision has been increased from medium to high.
The cpp/use-after-free query has been further improved to reduce false positives and its precision has been increased from medium to high.

Language Libraries¶

Bug Fixes¶

Java¶

The regular expressions library no longer incorrectly matches mode flag characters against the input.

Python¶

Subterms of regular expressions encoded as single-line string literals now have better source-location information.

Swift¶

The regular expressions library no longer incorrectly matches mode flag characters against the input.

Major Analysis Improvements¶

Ruby¶

Improved support for flow through captured variables that properly adheres to inter-procedural control flow.

Swift¶

The predicates getABaseType, getABaseTypeDecl, getADerivedType and getADerivedTypeDecl on Type and TypeDecl now behave more usefully and consistently. They now explore through type aliases used in base class declarations, and include protocols added in extensions.

To examine base class declarations at a low level without these enhancements, use TypeDecl.getInheritedType.

Type.getABaseType (only) previously resolved a type alias it was called directly on. This behaviour no longer exists. To find any base type of a type that could be an alias, the construct Type.getUnderlyingType().getABaseType*() is recommended.

Minor Analysis Improvements¶

C/C++¶

Functions that do not return due to calling functions that don’t return (e.g. exit) are now detected as non-returning in the IR and dataflow.
Treat functions that reach the end of the function as returning in the IR. They used to be treated as unreachable but it is allowed in C.
The DataFlow::asDefiningArgument predicate now takes its argument from the range starting at 1 instead of 2. Queries that depend on the single-parameter version of DataFlow::asDefiningArgument should have their arguments updated accordingly.

Golang¶

Added Numeric and Boolean types to SQL injection sanitzers.

Java¶

Fixed a control-flow bug where case rule statements would incorrectly include a fall-through edge.
Added support for default cases as proper guards in switch expressions to match switch statements.
Improved the class ArithExpr of the Overflow.qll module to also include compound operators. Because of this, new alerts may be raised in queries related to overflows/underflows.
Added new dataflow models for the Apache CXF framework.
Regular expressions containing multiple parse mode flags are now interpretted correctly. For example "(?is)abc.*" with both the i and s flags.

Python¶

Django Rest Framework better handles custom ModelViewSet classes functions
Regular expression fragments residing inside implicitly concatenated strings now have better location information.

Swift¶

Modelled varargs function in NSString more accurately.
Modelled CustomStringConvertible.description and CustomDebugStringConvertible.debugDescription, replacing ad-hoc models of these properties on derived classes.
The regular expressions library now accepts a wider range of mode flags in a regular expression mode flag group (such as (?u)). The (?w) flag has been renamed from “UNICODE” to “UNICODEBOUNDARY”, and the (?u) flag is called “UNICODE” in the libraries.
Renamed TypeDecl.getBaseType/1 to getInheritedType.
Flow through writes via keypaths is now supported by the data flow library.
Added flow through variadic arguments, and the getVaList function.
Added flow steps through Dictionary keys and values.
Added taint models for Numeric conversions.

Deprecated APIs¶

Swift¶

The ArrayContent type in the data flow library has been deprecated and made an alias for the CollectionContent type, to better reflect the hierarchy of the Swift standard library. Uses of ArrayElement in model files will be interpreted as referring to CollectionContent.

New Features¶

Java¶

Kotlin versions up to 1.9.20 are now supported.

Shared Libraries¶

Major Analysis Improvements¶

Dataflow Analysis¶

Added support for type-based call edge pruning. This removes data flow call edges that are incompatible with the set of flow paths that reach it based on type information. This improves dispatch precision for constructs like lambdas, Object.toString() calls, and the visitor pattern. For now this is only enabled for Java and C#.

Minor Analysis Improvements¶

Dataflow Analysis¶

The isBarrierIn and isBarrierOut predicates in DataFlow::StateConfigSig now have overloaded variants that block a specific FlowState.