CodeQL 2.15.3 (2023-11-22)¶

Contents

Security Coverage
CodeQL CLI
Query Packs
Language Libraries

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.15.3 runs a total of 401 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 2 security queries have been added with this release.

CodeQL CLI¶

Bug Fixes¶

Fixed an internal error in the compiler when arguments to the codePointCount string primitive were not bound.
Fixed a bug where codeql database finalize would fail if a database under construction was moved between machines between codeql database init and codeql database finalize. This should now work, as long as both commands are run by the same release of the CodeQL CLI and the extractors used are the ones bundled with the CLI.
Fixed a bug where codeql database run-queries would fail in some circumstances when the database path included an @.

New Features¶

codeql database analyze now defaults to include markdown query help for all custom queries with help files available. To change the default behaviour you can pass the new flag --sarif-include-query-help, which provides the options always (which includes query help for all queries), custom_queries_only (the default) and never (which does not include query help for any query). The existing flag --sarif-add-query-help has been deprecated and will be removed in a future release.
The new (advanced) command-line option --[no-]linkage-aware-import disables the linkage-awareness phase of codeql dataset import, as a quick fix (at the expense of database completeness) for C++ projects where this part of database creation consumes too much memory. This option is available in the commands database create, database finalize, database import, dataset import, test extract, and test run.
The CodeQL language server now provides basic support for Rename, and you can now use the Rename Symbol functionality in Visual Studio Code for CodeQL. The current Rename support is less a refactoring tool and more a labor-saving device. You may have to perform some manual edits after using Rename, but it should still be faster and less work than renaming a symbol manually.

Improvements¶

The Find References feature in the CodeQL language server now supports all CodeQL identifiers and offers improved performance compared to CodeQL CLI 2.14 releases.
The compiler generates shorter human-readable DIL and RA relation names. Due to use of an extended character set, full VS Code support for short relation names requires VS Code extension 1.9.4 or newer.
codeql database create and codeql database finalize now log more diagnostic information during database finalization, including the size of each relation, their total size, and the rate at which they were written to disk.

Query Packs¶

Minor Analysis Improvements¶

C/C++¶

The cpp/uninitialized-local query has been improved to produce fewer false positives.

C#¶

CIL extraction is now disabled by default. It is still possible to turn on CIL extraction by setting the cil extractor option to true or by setting the environment variable $CODEQL_EXTRACTOR_CSHARP_OPTION_CIL to true. This is the first step towards sun-setting the CIL extractor entirely.

Java¶

The query java/unsafe-deserialization has been improved to detect insecure calls to ObjectMessage.getObject in JMS.

Python¶

Added modeling of more FileSystemAccess in packages cherrypy, aiofile, aiofiles, anyio, sanic, starlette, baize, and io. This will mainly affect the Uncontrolled data used in path expression (py/path-injection) query.

Swift¶

Added additional sinks for the “Uncontrolled data used in path expression” (swift/path-injection) query. Some of these sinks are heuristic (imprecise) in nature.
Fixed an issue where some Realm database sinks were not being recognized for the swift/cleartext-storage-database query.

New Queries¶

Swift¶

Added new query “System command built from user-controlled sources” (swift/command-line-injection) for Swift. This query detects system commands built from user-controlled sources without sufficient validation. The query was previously contributed to the ‘experimental’ directory by @maikypedia but will now run by default for all code scanning users.
Added a new query “Missing regular expression anchor” (swift/missing-regexp-anchor) for Swift. This query detects regular expressions without anchors that can be vulnerable to bypassing.

Query Metadata Changes¶

JavaScript/TypeScript¶

Lower the security severity of log-injection to medium.
Increase the security severity of XSS to high.

Language Libraries¶

Bug Fixes¶

Golang¶

A bug has been fixed that meant that value flow through an array was not tracked correctly in some circumstances. Taint flow was tracked correctly.

Breaking Changes¶

C/C++¶

The expressions AssignPointerAddExpr and AssignPointerSubExpr are no longer subtypes of AssignBitwiseOperation.

Major Analysis Improvements¶

Swift¶

Added Swift 5.9.1 support
New AST node is extracted: SingleValueStmtExpr

Minor Analysis Improvements¶

C/C++¶

The “Returning stack-allocated memory” (cpp/return-stack-allocated-memory) query now also detects returning stack-allocated memory allocated by calls to alloca, strdupa, and strndupa.
Added models for strlcpy and strlcat.
Added models for the sprintf variants from the StrSafe.h header.
Added SQL API models for ODBC.
Added taint models for realloc and related functions.

C#¶

The predicate UnboundGeneric::getName now prints the number of type parameters as a `N suffix, instead of a <,...,> suffix. For example, the unbound generic type System.Collections.Generic.IList<T> is printed as IList`1 instead of IList<>.
The predicates hasQualifiedName, getQualifiedName, and getQualifiedNameWithTypes have been deprecated, and are instead replaced by hasFullyQualifiedName, getFullyQualifiedName, and getFullyQualifiedNameWithTypes, respectively. The new predicates use the same format for unbound generic types as mentioned above.

These changes also affect models-as-data rows that refer to a field or a property belonging to a generic type. For example, instead of writing

extensions:
  - addsTo:
      pack: codeql/csharp-all
      extensible: summaryModel
      data:
        - ["System.Collections.Generic", "Dictionary<TKey,TValue>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]

one now writes

extensions:
  - addsTo:
      pack: codeql/csharp-all
      extensible: summaryModel
      data:
        - ["System.Collections.Generic", "Dictionary<TKey,TValue>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair`2.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair`2.Key]", "value", "manual"]

The models-as-data format for types and methods with type parameters has been changed to include the names of the type parameters. For example, instead of writing

extensions:
  - addsTo:
      pack: codeql/csharp-all
      extensible: summaryModel
      data:
        - ["System.Collections.Generic", "IList<>", True, "Insert", "(System.Int32,T)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
        - ["System.Linq", "Enumerable", False, "Select<,>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Int32,TResult>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]

one now writes

extensions:
  - addsTo:
      pack: codeql/csharp-all
      extensible: summaryModel
      data:
        - ["System.Collections.Generic", "IList<T>", True, "Insert", "(System.Int32,T)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
        - ["System.Linq", "Enumerable", False, "Select<TSource,TResult>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Int32,TResult>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]

Golang¶

Added the gin-contrib/cors library to the experimental query “CORS misconfiguration” (go/cors-misconfiguration).

Java¶

The types java.util.SequencedCollection, SequencedSet and SequencedMap, as well as the related Collections.unmodifiableSequenced* methods are now modelled. This means alerts may be raised relating to data flow through these types and methods.

Python¶

Added basic flow for attributes defined on classes, when the attribute lookup is on a direct reference to that class (so not instance, cls parameter, or self parameter). Example: class definition class Foo: my_tuples = (dangerous, safe) and usage SINK(Foo.my_tuples[0]).

Swift¶

AST and types related to parameter packs are now extracted
Added taint flow models for the NSString.enumerate* methods.
Generalized the data flow model for subscript writes (a[index] = b) so that it applies to subscripts on all kinds of objects, not just arrays.
Fixed a bug where some flow sinks at field accesses were not being correctly identified.
Added indexed getVariable to CaptureListExpr, improving its AST printing and data flow.
Added flow models for String methods involving closures such as String.withUTF8(_:).
AST and types related to move semantics (copy, consume, _borrow) are now extracted

Deprecated APIs¶

Java¶

In SensitiveApi.qll, javaApiCallablePasswordParam, javaApiCallableUsernameParam, javaApiCallableCryptoKeyParam, and otherApiCallableCredentialParam predicates have been deprecated. They have been replaced with a new class CredentialsSinkNode and its child classes PasswordSink, UsernameSink, and CryptoKeySink. The predicates have been changed to using the new classes, so there may be minor changes in results relying on these predicates.