CodeQL 2.16.2 (2024-02-12)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.16.2 runs a total of 406 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 131 queries (covering 34 more CWE). 2 security queries have been added with this release.
CodeQL CLI¶
There are no user-facing CLI changes in this release.
Query Packs¶
Minor Analysis Improvements¶
C/C++¶
- Corrected 2 false positive with
cpp/incorrect-string-type-conversion: conversion of byte arrays to wchar and new array allocations converted to wchar. - The “Incorrect return-value check for a ‘scanf’-like function” query (
cpp/incorrectly-checked-scanf) no longer reports an alert when an explicit check for EOF is added. - The “Incorrect return-value check for a ‘scanf’-like function” query (
cpp/incorrectly-checked-scanf) now recognizes more EOF checks. - The “Potentially uninitialized local variable” query (
cpp/uninitialized-local) no longer reports an alert when the local variable is used as a qualifier to a static member function call. - The diagnostic query
cpp/diagnostics/successfully-extracted-filesnow considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.
C#¶
- Added string interpolation expressions and
string.Formatas possible sanitizers for thecs/web/unvalidated-url-redirectionquery.
Ruby¶
- Added new unsafe deserialization sinks for the ox gem.
- Added an additional unsafe deserialization sink for the oj gem.
New Queries¶
Java¶
- Added a new query
java/android/sensitive-textto detect instances of sensitive data being exposed through text fields without being properly masked. - Added a new query
java/android/sensitive-notificationto detect instances of sensitive data being exposed through Android notifications.
Ruby¶
- Added a new experimental query,
rb/insecure-randomness, to detect when application uses random values that are not cryptographically secure.
Language Libraries¶
Bug Fixes¶
Python¶
- Fixed the
a(ASCII) inline flag not being recognized by the regular expression library.
Minor Analysis Improvements¶
C#¶
- Added a new database relation to store compiler arguments specified inside
@[...].rspfile arguments. The arguments are returned byCompilation::getExpandedArgument/1andCompilation::getExpandedArguments/0. - C# 12: Added extractor, QL library and data flow support for collection expressions like
[1, y, 4, .. x]. - The C# extractor now accepts an extractor option
logging.verbositythat specifies the verbosity of the logs. The option is added viacodeql database create --language=csharp -Ologging.verbosity=debug ...or by setting the corresponding environment variableCODEQL_EXTRACTOR_CSHARP_OPTION_LOGGING_VERBOSITY.
Java¶
- Added models for the following packages:
- com.fasterxml.jackson.databind
- javax.servlet
- Added the
java.util.Dateandjava.util.UUIDclasses to the list of types in theSimpleTypeSanitizerclass insemmle.code.java.security.Sanitizers.
Python¶
- Added
html.escapeas a sanitizer for HTML.
Ruby¶
- Flow is now tracked through Rails
rendercalls, when the argument is aViewComponent. In this case, data flow is tracked into the accompanying.html.erbfile.
New Features¶
C/C++¶
- Added the
PreprocBlock.qlllibrary to this repository. This library offers a view of#if,#elif,#elseand similar directives as a tree with navigable parent-child relationships. - Added a new
ThrowingFunctionabstract class that can be used to model an external function that may throw an exception.