CodeQL documentation

CodeQL 2.16.1 (2024-01-25)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.16.1 runs a total of 406 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 129 queries (covering 34 more CWE). 2 security queries have been added with this release.

CodeQL CLI

Improvements

  • When executing the codeql database init command, the CodeQL runner executable path is now stored in the CODEQL_RUNNER environment variable. Users of indirect tracing on MacOS with System Integrity Protection enabled who previously had trouble with indirect tracing should prefix their build command with this path. For example, $CODEQL_RUNNER build.sh.

QL Language

  • Name clashes between weak aliases (i.e. aliases that are not final aliases of non-final entities) of the same target no longer cause ambiguity errors.

Query Packs

Minor Analysis Improvements

C/C++

  • The cpp/include-non-header style query will now ignore the .def extension for textual header inclusions.

C#

  • Modelled additional flow steps to track flow from handler methods of a PageModel class to the corresponding Razor Page (.cshtml) file, which may result in additional results for queries such as cs/web/xss.

Golang

  • The query go/insecure-randomness now recognizes the selection of candidates from a predefined set using a weak RNG when the result is used in a sensitive operation. Also, false positives have been reduced by adding more sink exclusions for functions in the crypto package not related to cryptographic operations.
  • Added more sources and sinks to the query go/clear-text-logging.

Java/Kotlin

  • A manual neutral summary model for a callable now blocks all generated summary models for that callable from having any effect.

JavaScript/TypeScript

  • Added support for doT templates.

Python

  • Added modeling of YARL’s is_absolute method and checks of the netloc of a parsed URL as sanitizers for the py/url-redirection query, leading to fewer false positives.

Swift

  • The diagnostic query swift/diagnostics/successfully-extracted-files now considers any Swift file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned Swift files.

New Queries

Java/Kotlin

  • Added the java/exec-tainted-environment query, to detect the injection of environment variables names or values from remote input.

Swift

  • Added new query “Use of an inappropriate cryptographic hashing algorithm on passwords” (swift/weak-password-hashing). This query detects use of inappropriate hashing algorithms for password hashing. Some of the results of this query are new, others would previously have been reported by the “Use of a broken or weak cryptographic hashing algorithm on sensitive data” (swift/weak-sensitive-data-hashing) query.

Language Libraries

Bug Fixes

Java/Kotlin

  • Fixed regular expressions containing flags not being parsed correctly in some cases.

Minor Analysis Improvements

C/C++

  • Deleted many deprecated predicates and classes with uppercase XML, SSA, SAL, SQL, etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated StrcatFunction class, use semmle.code.cpp.models.implementations.Strcat.qll instead.

C#

  • Deleted many deprecated predicates and classes with uppercase SSL, XML, URI, SSA etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated getALocalFlowSucc predicate and TaintType class from the dataflow library.
  • Deleted the deprecated Newobj and Rethrow classes, use NewObj and ReThrow instead.
  • Deleted the deprecated getAFirstRead, hasAdjacentReads, lastRefBeforeRedef, and hasLastInputRef predicates from the SSA library.
  • Deleted the deprecated getAReachableRead predicate from the AssignableRead and VariableRead classes.
  • Deleted the deprecated hasQualifiedName predicate from the NamedElement class.
  • C# 12: Add extractor support and QL library support for inline arrays.
  • Fixed a Log forging false positive when logging the value of a nullable simple type. This fix also applies to all other queries that use the simple type sanitizer.
  • The diagnostic query cs/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned C# files, now considers any C# file seen during extraction, even one with some errors, to be extracted / scanned.
  • Added a new library semmle.code.csharp.security.dataflow.flowsources.FlowSources, which provides a new class ThreatModelFlowSource. The ThreatModelFlowSource class can be used to include sources which match the current threat model configuration.
  • A manual neutral summary model for a callable now blocks all generated summary models for that callable from having any effect.
  • C# 12: Add extractor support for lambda expressions with parameter defaults like (int x, int y = 1) => ... and lambda expressions with a param parameter like (params int[] x) => ...).

Golang

  • Deleted many deprecated predicates and classes with uppercase TLD, HTTP, SQL, URL etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated and unused Source class from the SharedXss module of Xss.qll
  • Support for flow sources in AWS Lambda function handlers has been added.
  • Support for the fasthttp framework has been added.

Java/Kotlin

  • Deleted many deprecated predicates and classes with uppercase EJB, JMX, NFE, DNS etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated semmle/code/java/security/OverlyLargeRangeQuery.qll, semmle/code/java/security/regexp/ExponentialBackTracking.qll, semmle/code/java/security/regexp/NfaUtils.qll, and semmle/code/java/security/regexp/NfaUtils.qll files.
  • Improved models for java.lang.Throwable and java.lang.Exception, and the valueOf method of java.lang.String.
  • Added taint tracking for the following GSON methods:
    • com.google.gson.stream.JsonReader constructor
    • com.google.gson.stream.JsonWriter constructor
    • com.google.gson.JsonObject.getAsJsonArray
    • com.google.gson.JsonObject.getAsJsonObject
    • com.google.gson.JsonObject.getAsJsonPrimitive
    • com.google.gson.JsonParser.parseReader
    • com.google.gson.JsonParser.parseString
  • Added a dataflow model for java.awt.Desktop.browse(URI).

JavaScript/TypeScript

  • Deleted many deprecated predicates and classes with uppercase CPU, TLD, SSA, ASM etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated getMessageSuffix predicates in CodeInjectionCustomizations.qll.
  • Deleted the deprecated semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedData.qll file.
  • Deleted the deprecated getANonHtmlHeaderDefinition and nonHtmlContentTypeHeader predicates from ReflectedXssCustomizations.qll.
  • Deleted the deprecated semmle/javascript/security/OverlyLargeRangeQuery.qll, semmle/javascript/security/regexp/ExponentialBackTracking.qll, semmle/javascript/security/regexp/NfaUtils.qll, and semmle/javascript/security/regexp/NfaUtils.qll files.
  • Deleted the deprecated Expressions/TypoDatabase.qll file.
  • The diagnostic query js/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned JavaScript and TypeScript files, now considers any JavaScript and TypeScript file seen during extraction, even one with some errors, to be extracted / scanned.

Python

  • Deleted many deprecated predicates and classes with uppercase LDAP, HTTP, URL, CGI etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated localSourceStoreStep predicate, use flowsToStoreStep instead.
  • Deleted the deprecated iteration_defined_variable predicate from the SSA library.
  • Deleted various deprecated predicates from the points-to libraries.
  • Deleted the deprecated semmle/python/security/OverlyLargeRangeQuery.qll, semmle/python/security/regexp/ExponentialBackTracking.qll, semmle/python/security/regexp/NfaUtils.qll, and semmle/python/security/regexp/NfaUtils.qll files.
  • The diagnostic query py/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned Python files, now considers any Python file seen during extraction, even one with some errors, to be extracted / scanned.

Ruby

  • Deleted many deprecated predicates and classes with uppercase HTTP, CSRF etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated getAUse and getARhs predicates from API::Node, use getASource and getASink instead.
  • Deleted the deprecated disablesCertificateValidation predicate from the Http module.
  • Deleted the deprecated ParamsCall, CookiesCall, and ActionControllerControllerClass classes from ActionController.qll, use the simarly named classes from codeql.ruby.frameworks.Rails::Rails instead.
  • Deleted the deprecated HtmlSafeCall, HtmlEscapeCall, RenderCall, and RenderToCall classes from ActionView.qll, use the simarly named classes from codeql.ruby.frameworks.Rails::Rails instead.
  • Deleted the deprecated HtmlSafeCall class from Rails.qll.
  • Deleted the deprecated codeql/ruby/security/BadTagFilterQuery.qll, codeql/ruby/security/OverlyLargeRangeQuery.qll, codeql/ruby/security/regexp/ExponentialBackTracking.qll, codeql/ruby/security/regexp/NfaUtils.qll, codeql/ruby/security/regexp/RegexpMatching.qll, and codeql/ruby/security/regexp/SuperlinearBackTracking.qll files.
  • Deleted the deprecated localSourceStoreStep predicate from TypeTracker.qll, use flowsToStoreStep instead.
  • The diagnostic query rb/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned Ruby files, now considers any Ruby file seen during extraction, even one with some errors, to be extracted / scanned.

Swift

  • Swift upgraded to 5.9.2
  • The control flow graph library (codeql.swift.controlflow) has been transitioned to use the shared implementation from the codeql/controlflow qlpack. No result changes are expected due to this change.

Deprecated APIs

Golang

  • The class Fmt::AppenderOrSprinter of the Fmt.qll module has been deprecated. Use the new Fmt::AppenderOrSprinterFunc class instead. Its taint flow features have been migrated to models-as-data.

New Features

Java/Kotlin

  • Added a new library semmle.code.java.security.Sanitizers which contains a new sanitizer class SimpleTypeSanitizer, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
  • Converted definitions of isBarrier and sanitizer classes to use SimpleTypeSanitizer instead of checking if node.getType() is PrimitiveType or BoxedType.

Shared Libraries

Minor Analysis Improvements

Static Single Assignment (SSA)

  • Deleted the deprecated adjacentDefNoUncertainReads, lastRefRedefNoUncertainReads, and lastRefNoUncertainReads predicates.
  • © GitHub, Inc.
  • Terms
  • Privacy