CodeQL 2.15.4 (2023-12-11)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.15.4 runs a total of 401 security queries when configured with the Default suite (covering 159 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE).
CodeQL CLI¶
New Features¶
- Java 21 is now fully supported, including support for new language features such as pattern switches and record patterns.
Improvements¶
- Parallelism in the evaluator has been improved, resulting in faster analysis when running with many threads, particularly for large databases.
Query Packs¶
Breaking Changes¶
C/C++¶
- The
cpp/tainted-format-string-through-globalquery has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts fromcpp/tainted-format-string.
Minor Analysis Improvements¶
C#¶
- Modelled additional flow steps to track flow from a
Viewcall in an MVC controller to the corresponding Razor View (.cshtml) file, which may result in additional results for queries such ascs/web/xss.
JavaScript/TypeScript¶
- Added django URLs to detected “safe” URL patterns in
js/unsafe-external-link.
Swift¶
- Added additional sinks for the “Uncontrolled format string” (
swift/uncontrolled-format-string) query. Some of these sinks are heuristic (imprecise) in nature. - Added heuristic (imprecise) sinks for the “Database query built from user-controlled sources” (
swift/sql-injection) query.
Language Libraries¶
Bug Fixes¶
Golang¶
- A bug has been fixed that meant that value flow through a slice expression was not tracked correctly. Taint flow was tracked correctly.
Minor Analysis Improvements¶
Java¶
- The diagnostic query
java/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned Java files, now considers any Java file seen during extraction, even one with some errors, to be extracted / scanned. - Switch cases using binding patterns and
case null[, default]are now supported. ClassesPatternCaseandNullDefaultCaseare introduced to represent new kinds of case statement. - Both switch cases and instanceof expressions using record patterns are now supported. The new class
RecordPatternExpris introduced to represent record patterns, andInstanceOfExprgainsgetPatternto replacegetLocalVariableDeclExpr. - The control-flow graph and therefore dominance information regarding switch blocks in statement context but with an expression rule (e.g.
switch(...) { case 1 -> System.out.println("Hello world!") }) has been fixed. This reduces false positives and negatives from various queries relating to functions featuring such statements.
JavaScript/TypeScript¶
- Added models for the
sqliteandbetter-sqlite3npm packages. - TypeScript 5.3 is now supported.
Python¶
- Added support for tarfile extraction filters as defined in PEP-706. In particular, calls to
TarFile.extract, andTarFile.extractallare no longer considered to be sinks for thepy/tarslipquery if a sufficiently safe filter is provided. - Added modeling of
*argsand**kwargsas routed-parameters in request handlers for django/flask/FastAPI/tornado. - Added support for type parameters in function and class definitions, as well as the new Python 3.12 type alias statement.
- Added taint-flow modeling for regular expressions with
remodule from the standard library.
Ruby¶
- Improved modeling for
ActiveRecordsupdate_allmethod
Swift¶
- Extracts Swift’s
DiscardStmtandMaterizliePackExpr - Expanded and improved flow models for
SetandSequence. - Added imprecise flow sources matching initializers such as
init(contentsOfFile:). - Extracts
MacroDecland some related information