CodeQL 2.15.2 (2023-11-13)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.15.2 runs a total of 399 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 1 security query has been added with this release.
CodeQL CLI

Breaking Changes
- C++ extraction has been updated to output more accurate C++ value categories. This may cause unexpected alerts on databases extracted with an up-to-date CodeQL when the queries are part of a query pack that was compiled with an earlier CodeQL. To resolve this, please recompile the query pack with the latest CodeQL.
Bug Fixes

- Fixed a bug where `codeql github upload-results` would report a 403 error when attempting to upload to a GitHub Enterprise Server instance.
- Fixed a bug in Python extraction where UTF-8 characters would cause logging to fail on systems with a non-UTF-8 default system encoding (for example, Windows systems).
- The `resolve qlpacks --kind extension` command no longer resolves extension packs from the search path. This matches the behavior of `resolve extensions-by-pack` and ensures that extensions which are resolved by `resolve qlpacks --kind extension` can also be resolved by `resolve extensions-by-pack`.
New Features

- `codeql database analyze` and `codeql database interpret-results` can now output human-readable analysis summaries in a new format. This format provides file coverage information and improves the way diagnostic messages are displayed. The new format also includes a link to the tool status page when the `GITHUB_SERVER_URL` and `GITHUB_REPOSITORY` environment variables are set. Note that this page only exists on GitHub.com or on GitHub Enterprise Server version 3.9.0 or later. To enable the new format, pass the `--analysis-summary-v2` flag.
- CodeQL now supports distinguishing file coverage information between related languages: C and C++, Java and Kotlin, and JavaScript and TypeScript. By default, file coverage information for each of these pairs of languages is grouped together. To enable per-language file coverage information for these languages, pass the `--sublanguage-file-coverage` flag when initializing the database (with `codeql database create` or `codeql database init`) and when analyzing the database (with `codeql database analyze` or `codeql database interpret-results`). If you are uploading results to a GitHub instance, this flag requires GitHub.com or GitHub Enterprise Server version 3.12 or later.
- All CLI commands now support `--common-caches`, which controls the location of the cached data that is persisted between several runs of the CLI, such as downloaded QL packs and compiled query plans.
Improvements

- Model packs that are used in an analysis are now included in the output SARIF results file. All model packs now include the `isCodeQLModelPack: true` property in their tool component property bag.
- The default formatting of DIL now more closely resembles equivalent QL code.
Query Packs

Minor Analysis Improvements

Golang

- The query `go/incorrect-integer-conversion` now correctly recognizes more guards of the form `if val <= x` that protect a conversion `uintX(val)`.
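As an added illustration (not code from the CodeQL project or from this changelog), the unguarded and guarded forms of the narrowing conversion that this query targets, using a hypothetical port-parsing helper:

```go
package main

import (
	"fmt"
	"math"
	"strconv"
)

// unguardedPort narrows a platform-sized int to uint16 with no range
// check. Go integer conversions never panic: out-of-range values are
// truncated to the low 16 bits, so "70000" becomes 4464 and "-1"
// becomes 65535. This is the pattern go/incorrect-integer-conversion flags.
func unguardedPort(s string) (uint16, error) {
	v, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	return uint16(v), nil
}

// guardedPort checks the range before narrowing. The upper-bound guard
// has the `val <= x` shape that the query now recognizes as protecting
// the `uint16(v)` conversion; the lower bound is still required because
// v is signed and a negative value would otherwise wrap.
func guardedPort(s string) (uint16, error) {
	v, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	if v >= 0 && v <= math.MaxUint16 {
		return uint16(v), nil
	}
	return 0, fmt.Errorf("port %d is outside 0..%d", v, math.MaxUint16)
}

func main() {
	// Constructed sample inputs: in range, above range, negative.
	for _, in := range []string{"443", "70000", "-1"} {
		u, _ := unguardedPort(in)
		g, err := guardedPort(in)
		fmt.Printf("%-6s unguarded=%-5d guarded=%d err=%v\n", in, u, g, err)
	}
}
```

`strconv.ParseUint(s, 10, 16)` reaches the same result with the bound built into the parser, which avoids the narrowing conversion altogether.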
Java/Kotlin

- `java/summary/lines-of-code` now gives the total number of lines of Java and Kotlin code, and is the only query tagged `lines-of-code`. `java/summary/lines-of-code-java` and `java/summary/lines-of-code-kotlin` give the per-language counts.
- The query `java/spring-disabled-csrf-protection` has been improved to detect more ways of disabling CSRF in Spring.
JavaScript/TypeScript

- Added modeling for importing `express-rate-limit` using a named import.
Language Libraries

Bug Fixes

Golang

- Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing `Callable`. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results.
Breaking Changes

C/C++

- The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
Minor Analysis Improvements

C/C++

- More field accesses are identified as `ImplicitThisFieldAccess`.
- Added support for new floating-point types in C23 and C++23.
Golang

- Added `Request.Cookie` to reflected XSS sanitizers.
Java/Kotlin

- Java classes `MethodAccess`, `LValue` and `RValue` were renamed to `MethodCall`, `VarWrite` and `VarRead` respectively, along with related predicates and class names. The old names remain usable for the time being but are deprecated and should be replaced.
- New class `NewClassExpr` was added to represent specifically an explicit `new ClassName(...)` invocation, in contrast to `ClassInstanceExpr`, which also includes expressions that implicitly instantiate classes, such as defining a lambda or taking a method reference.
- Added up-to-date models related to Spring Framework 6's `org.springframework.http.ResponseEntity`.
- Added models for the following packages:
  - `com.alibaba.fastjson2`
  - `javax.management`
  - `org.apache.http.client.utils`
Python

- Added support for functions decorated with `contextlib.contextmanager`.
- Namespace packages in the form of regular packages with missing `__init__.py` files are now allowed. This enables the analysis to resolve modules and functions inside such packages.
Swift

- Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
- Added children of `UnspecifiedElement`, which will be present only in certain downgraded databases.
- Collection content is now automatically read at taint flow sinks. This removes the need to define an `allowImplicitRead` predicate on data flow configurations where the sink might be an array, set or similar type with tainted contents. Where that step had not been defined, taint may now find additional results.
- Added taint models for `StringProtocol.appendingFormat` and `String.decodeCString`.
- Added taint flow models for members of `Substring`.
- Added taint flow models for `RawRepresentable`.
- The contents of autoclosure function parameters are now included in the control flow graph and data flow libraries.
- Added models of `StringProtocol` and `NSString` methods that evaluate regular expressions.
- Flow is now tracked through 'open existential expressions', implicit expressions created by the compiler when a method is called on a protocol. This may apply, for example, when the method is a modelled taint source.