CodeQL 2.14.0 (2023-07-13)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.14.0 runs a total of 390 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 2 security queries have been added with this release.
CodeQL CLI¶
Potentially Breaking Changes¶
- The legacy option
--search-pathwill now be used, if provided, when searching for the dependencies of packages that have no lock file. - CodeQL query packs that specify their dependencies using the legacy
libraryPathDependenciesproperty inqlpack.yml/codeql-pack.ymlfiles are no longer permitted to contain acodeql-pack.lock.ymllock file. This will lead to a compilation error. This change is intended to prevent confusing behavior arising from a mix of legacy (unversioned) and modern (versioned) package dependencies. To fix this error, either delete the lock file, or convertlibraryPathDependenciestodependencies. - CodeQL CLI commands that create packages or update package lock files, such as
codeql pack publishandcodeql pack create, will no longer work on query packs that specify their dependencies using the legacylibraryPathDependenciesproperty. To fix this error, convertlibraryPathDependenciestodependencies.
Bug Fixes¶
- Fixed super calls on final base classes (or final aliases) so that they are now dispatched the same way as super calls on instanceof supertypes.
- Fixed a bug where running
codeql database finalizewith a large number of threads would fail due to running out of file descriptors. - Fixed a bug where
codeql database create --overwritewould not work with database clusters. - Fixed a bug where the CodeQL documentation coverage statistics were incorrect.
- Fixed a bug where the generated CodeQL libarary documentation could generate invalid uris on windows.
Deprecations¶
Missing override annotations on class member predicates now raise errors rather than warnings. This is to avoid confusion with the shadowing behaviour in the presence of final member predicates.
class Foo extends Base { final predicate foo() { ... } predicate bar() { ... } } class Bar extends Foo { // This method shadows Foo::foo. predicate foo() { ... } // This used to override Foo::bar with a warning, now raises error. predicate bar() { ... } }
Improvements¶
- Unqualified imports can now be marked as deprecated to indicate that the import may be removed in the future. Usage of names only reachable through deprecated imports will generate deprecation warnings.
- Classes declared inside a parameterized modules can final extend parameters of the module as well as types that are declared outside the parameterized module.
- Fields are fully functional when extending types from within a module instantiation.
- Files with a
.yamlextension will now be included in compiled CodeQL packs. Previously, files with this extension were excluded even though.ymlfiles were included. - When interpreting results (e.g., using
bqrs interpretordatabase interpret-results), extra placeholders in alert messages are treated as normal text. Previously, results with more placeholders than placeholder values were skipped. - Windows users of the CodeQL extension for VS Code will see faster start times.
- In VS Code, errors in the current file are rechecked when dependencies change.
- In VS Code, autocomplete in large QL files is now faster.
- Member predicates can shadow final member predicates of the same arity even when the signatures are not fully matching.
Query Packs¶
Bug Fixes¶
C#¶
- The query “Arbitrary file write during zip extraction (“Zip Slip”)” (
cs/zipslip) has been renamed to “Arbitrary file access during archive extraction (“Zip Slip”).”
Golang¶
- The query “Arbitrary file write during zip extraction (“zip slip”)” (
go/zipslip) has been renamed to “Arbitrary file access during archive extraction (“Zip Slip”).”
Java/Kotlin¶
- The query “Arbitrary file write during archive extraction (“Zip Slip”)” (
java/zipslip) has been renamed to “Arbitrary file access during archive extraction (“Zip Slip”).”
JavaScript/TypeScript¶
- The query “Arbitrary file write during zip extraction (“Zip Slip”)” (
js/zipslip) has been renamed to “Arbitrary file access during archive extraction (“Zip Slip”).”
Python¶
- The query “Arbitrary file write during archive extraction (“Zip Slip”)” (
py/zipslip) has been renamed to “Arbitrary file access during archive extraction (“Zip Slip”).”
Ruby¶
- The experimental query “Arbitrary file write during zipfile/tarfile extraction” (
ruby/zipslip) has been renamed to “Arbitrary file access during archive extraction (“Zip Slip”).”
Swift¶
- Functions and methods modeled as flow summaries are no longer shown in the path of
path-problemqueries. This results in more succinct paths for most security queries.
Minor Analysis Improvements¶
C/C++¶
- The
cpp/comparison-with-wider-typequery now correctly handles relational operations on signed operators. As a result the query may find more results.
Java/Kotlin¶
- New models have been added for
org.apache.commons.lang. - The query
java/unsafe-deserializationhas been updated to take into accountSerialKiller, a library used to prevent deserialization of arbitrary classes.
Ruby¶
- Fixed a bug in how
map_filtercalls are analyzed. Previously, such calls would appear to the return the receiver of the call, but now the return value of the callback is properly taken into account.
Language Libraries¶
Breaking Changes¶
Swift¶
- The
BraceStmtAST node’sAstNode getElement(index)member predicate no longer returnsVarDecls after thePatternBindingDeclthat declares them. Instead, a newVarDecl getVariable(index)predicate has been introduced for accessing the variables declared in aBraceStmt.
Major Analysis Improvements¶
C#¶
- The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
Java/Kotlin¶
- The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
Minor Analysis Improvements¶
C/C++¶
- Deleted the deprecated
getURLpredicate from theContainer,Folder, andFileclasses. Use thegetLocationpredicate instead.
C#¶
- Additional support for
command-injection,ldap-injection,log-injection, andurl-redirectionsink kinds for Models as Data.
Golang¶
- When a result of path query flows through a function modeled using
DataFlow::FunctionModelorTaintTracking::FunctionModel, the path now includes nodes corresponding to the input and output to the function. This brings it in line with functions modeled using Models-as-Data.
Java/Kotlin¶
- Added automatically-generated dataflow models for
javax.portlet. - Added a missing summary model for the method
java.net.URL.toString. - Added automatically-generated dataflow models for the following frameworks and libraries:
hudsonjenkinsnet.sf.jsonstapler
- Added more models for the Hudson framework.
- Added more models for the Stapler framework.
JavaScript/TypeScript¶
- Added models for the Webix Framework.
Python¶
- Deleted many models that used the old dataflow library, the new models can be found in the
python/ql/lib/semmle/python/frameworksfolder. - More precise modeling of several container functions (such as
sorted,reversed) and methods (such asset.add,list.append). - Added modeling of taint flow through the template argument of
flask.render_template_stringandflask.stream_template_string. - Deleted many deprecated predicates and classes with uppercase
API,HTTP,XSS,SQL, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
getName()predicate from theContainerclass, usegetAbsolutePath()instead. - Deleted many deprecated module names that started with a lowercase letter, use the versions that start with an uppercase letter instead.
- Deleted many deprecated predicates in
PointsTo.qll. - Deleted many deprecated files from the
semmle.python.securitypackage. - Deleted the deprecated
BottleRoutePointToExtensionclass fromExtensions.qll. - Type tracking is now aware of flow summaries. This leads to a richer API graph, and may lead to more results in some queries.
Ruby¶
- More kinds of rack applications are now recognized.
- Rack::Response instances are now recognized as potential responses from rack applications.
- HTTP redirect responses from Rack applications are now recognized as a potential sink for open redirect alerts.
- Additional sinks for
rb/unsafe-deserializationhave been added. This includes various methods from theyamlandplistgems, which deserialize YAML and Property List data, respectively.
Swift¶
- Added a data flow model for
swap(_:_:).
Deprecated APIs¶
Golang¶
- The
LogInjection::Configurationtaint flow configuration class has been deprecated. Use theLogInjection::Flowmodule instead.
Java/Kotlin¶
- The
ExecCallableclass inExternalProcess.qllhas been deprecated.
Ruby¶
- The
Configurationtaint flow configuration class fromcodeql.ruby.security.InsecureDownloadQueryhas been deprecated. Use theFlowmodule instead.
New Features¶
C/C++¶
- The
ProductFlow::StateConfigSigsignature now includes default predicates forisBarrier1,isBarrier2,isAdditionalFlowStep1, andisAdditionalFlowStep1. Hence, it is no longer needed to providenone()implementations of these predicates if they are not needed.
Python¶
- It is now possible to specify flow summaries in the format “MyPkg;Member[list_map];Argument[1].ListElement;Argument[0].Parameter[0];value”
Swift¶
- Added new libraries
Regex.qllandRegexTreeView.qllfor reasoning about regular expressions in Swift code and places where they are evaluated.