CodeQL documentation
CodeQL resources

CodeQL 2.14.1 (2023-07-27)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.14.1 runs a total of 392 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 2 security queries have been added with this release.

CodeQL CLI

There are no user-facing CLI changes in this release.

Query Packs

Minor Analysis Improvements

C/C++

  • The cpp/uninitialized-local query now excludes uninitialized uses that are explicitly cast to void and are expression statements. As a result, the query will report less false positives.

Java/Kotlin

  • The query “Unsafe resource fetching in Android WebView” (java/android/unsafe-android-webview-fetch) now recognizes WebViews where setJavascriptEnabled, setAllowFileAccess, setAllowUniversalAccessFromFileURLs, and/or setAllowFileAccessFromFileURLs are set inside the function block of the Kotlin apply function.

JavaScript/TypeScript

  • The fs/promises package is now recognised as an alias for require('fs').promises.
  • The js/path-injection query can now track taint through calls to path.join() with a spread argument, such as path.join(baseDir, ...args).

Python

  • Fixed modeling of aiohttp.ClientSession so we properly handle async with uses. This can impact results of server-side request forgery queries (py/full-ssrf, py/partial-ssrf).

Ruby

  • Improved resolution of calls performed on an object created with Proc.new.

New Queries

Ruby

  • Added a new experimental query, rb/xpath-injection, to detect cases where XPath statements are constructed from user input in an unsafe manner.

Swift

  • Added new query “Regular expression injection” (swift/regex-injection). The query finds places where user input is used to construct a regular expression without proper escaping.
  • Added new query “Inefficient regular expression” (swift/redos). This query finds regular expressions that require exponential time to match certain inputs and may make an application vulnerable to denial-of-service attacks.

Language Libraries

Major Analysis Improvements

Ruby

  • The API graph library (codeql.ruby.ApiGraphs) has been significantly improved, with better support for inheritance, and data-flow nodes can now be converted to API nodes by calling .track() or .backtrack() on the node. API graphs allow for efficient modelling of how a given value is used by the code base, or how values produced by the code base are consumed by a library. See the documentation for API::Node for details and examples.

Minor Analysis Improvements

C/C++

  • Data flow configurations can now include a predicate neverSkip(Node node) in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
  • The IRGuards library has improved handling of pointer addition and subtraction operations.

C#

  • Data flow configurations can now include a predicate neverSkip(Node node) in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.

Golang

  • Data flow configurations can now include a predicate neverSkip(Node node) in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
  • Parameter nodes now exist for unused parameters as well as used parameters.
  • Add support for v4 of the Go Micro framework.
  • Support for the Bun framework has been added.
  • Support for gqlgen has been added.
  • Support for the go-pg framework has been improved.

Java/Kotlin

  • Data flow configurations can now include a predicate neverSkip(Node node) in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
  • Added models for Apache Commons Lang3 ToStringBuilder.reflectionToString method.
  • Added support for the Kotlin method apply.
  • Added models for the following packages:
    • java.io
    • java.lang
    • java.net
    • java.nio.channels
    • java.nio.file
    • java.util.zip
    • okhttp3
    • org.gradle.api.file
    • retrofit2

Python

  • Data flow configurations can now include a predicate neverSkip(Node node) in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
  • Add support for Models as Data for Reflected XSS query
  • Parameters with a default value are now considered a DefinitionNode. This improvement was motivated by allowing type-tracking and API graphs to follow flow from such a default value to a use by a captured variable.

Ruby

  • Data flow configurations can now include a predicate neverSkip(Node node) in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
  • The 'QUERY_STRING' field of a Rack env parameter is now recognized as a source of remote user input.
  • Query parameters and cookies from Rack::Response objects are recognized as potential sources of remote flow input.
  • Calls to Rack::Utils.parse_query now propagate taint.

Swift

  • Data flow configurations can now include a predicate neverSkip(Node node) in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
  • The regular expression library now understands mode flags specified by Regex methods and the NSRegularExpression initializer.
  • The regular expression library now understands mode flags specified at the beginning of a regular expression (for example (?is)).
  • Added detail to the taint model for URL.
  • Added new heuristics to SensitiveExprs.qll, enhancing detection from the library.

Deprecated APIs

C/C++

  • The library semmle.code.cpp.dataflow.DataFlow has been deprecated. Please use semmle.code.cpp.dataflow.new.DataFlow instead.

New Features

C/C++

  • The DataFlow::StateConfigSig signature module has gained default implementations for isBarrier/2 and isAdditionalFlowStep/4. Hence it is no longer needed to provide none() implementations of these predicates if they are not needed.

C#

  • The DataFlow::StateConfigSig signature module has gained default implementations for isBarrier/2 and isAdditionalFlowStep/4. Hence it is no longer needed to provide none() implementations of these predicates if they are not needed.

Golang

  • The DataFlow::StateConfigSig signature module has gained default implementations for isBarrier/2 and isAdditionalFlowStep/4. Hence it is no longer needed to provide none() implementations of these predicates if they are not needed.

Java/Kotlin

  • The DataFlow::StateConfigSig signature module has gained default implementations for isBarrier/2 and isAdditionalFlowStep/4. Hence it is no longer needed to provide none() implementations of these predicates if they are not needed.
  • A Class.isFileClass() predicate, to identify Kotlin file classes, has been added.

Python

  • The DataFlow::StateConfigSig signature module has gained default implementations for isBarrier/2 and isAdditionalFlowStep/4. Hence it is no longer needed to provide none() implementations of these predicates if they are not needed.

Ruby

  • The DataFlow::StateConfigSig signature module has gained default implementations for isBarrier/2 and isAdditionalFlowStep/4. Hence it is no longer needed to provide none() implementations of these predicates if they are not needed.

Swift

  • The DataFlow::StateConfigSig signature module has gained default implementations for isBarrier/2 and isAdditionalFlowStep/4. Hence it is no longer needed to provide none() implementations of these predicates if they are not needed.

Shared Libraries

Deprecated APIs

Utility Classes

  • The InlineExpectationsTest class has been deprecated. Use TestSig and MakeTest instead.
  • © GitHub, Inc.
  • Terms
  • Privacy