CodeQL documentation

CodeQL 2.15.4 (2023-12-11)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.15.4 runs a total of 401 security queries when configured with the Default suite (covering 159 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE).


New Features

  • Java 21 is now fully supported, including support for new language features such as pattern switches and record patterns.


  • Parallelism in the evaluator has been improved, resulting in faster analysis when running with many threads, particularly for large databases.

Query Packs

Breaking Changes


  • The cpp/tainted-format-string-through-global query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from cpp/tainted-format-string.

Minor Analysis Improvements


  • Modelled additional flow steps to track flow from a View call in an MVC controller to the corresponding Razor View (.cshtml) file, which may result in additional results for queries such as cs/web/xss.


  • Added django URLs to detected “safe” URL patterns in js/unsafe-external-link.


  • Added additional sinks for the “Uncontrolled format string” (swift/uncontrolled-format-string) query. Some of these sinks are heuristic (imprecise) in nature.
  • Added heuristic (imprecise) sinks for the “Database query built from user-controlled sources” (swift/sql-injection) query.

New Queries


  • Added a new query, cpp/use-of-string-after-lifetime-ends, to detect calls to c_str on strings that will be destroyed immediately.

Language Libraries

Bug Fixes


  • A bug has been fixed that meant that value flow through a slice expression was not tracked correctly. Taint flow was tracked correctly.

Minor Analysis Improvements


  • The diagnostic query java/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned Java files, now considers any Java file seen during extraction, even one with some errors, to be extracted / scanned.
  • Switch cases using binding patterns and case null[, default] are now supported. Classes PatternCase and NullDefaultCase are introduced to represent new kinds of case statement.
  • Both switch cases and instanceof expressions using record patterns are now supported. The new class RecordPatternExpr is introduced to represent record patterns, and InstanceOfExpr gains getPattern to replace getLocalVariableDeclExpr.
  • The control-flow graph and therefore dominance information regarding switch blocks in statement context but with an expression rule (e.g. switch(...) { case 1 -> System.out.println("Hello world!") }) has been fixed. This reduces false positives and negatives from various queries relating to functions featuring such statements.


  • Added models for the sqlite and better-sqlite3 npm packages.
  • TypeScript 5.3 is now supported.


  • Added support for tarfile extraction filters as defined in PEP-706. In particular, calls to TarFile.extract, and TarFile.extractall are no longer considered to be sinks for the py/tarslip query if a sufficiently safe filter is provided.
  • Added modeling of *args and **kwargs as routed-parameters in request handlers for django/flask/FastAPI/tornado.
  • Added support for type parameters in function and class definitions, as well as the new Python 3.12 type alias statement.
  • Added taint-flow modeling for regular expressions with re module from the standard library.


  • Improved modeling for ActiveRecords update_all method


  • Extracts Swift’s DiscardStmt and MaterizliePackExpr
  • Expanded and improved flow models for Set and Sequence.
  • Added imprecise flow sources matching initializers such as init(contentsOfFile:).
  • Extracts MacroDecl and some related information

New Features


  • Added an isPrototyped predicate to Function that holds when the function has a prototype.
  • © GitHub, Inc.
  • Terms
  • Privacy