CodeQL documentation

CodeQL 2.16.3 (2024-02-22)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.16.3 runs a total of 408 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 131 queries (covering 34 more CWE). 2 security queries have been added with this release.

CodeQL CLI

Bug Fixes

  • Fixed a bug where CodeQL may produce an invalid database when it exhausts all available ID numbers. Now it detects the condition and reports an error instead.

New Features

  • A new extractor option has been added to the Python extractor: python_executable_name. You can use this option to override the default process the extractor uses to find and select a Python executable. Pass one of --extractor-option python_executable_name=py or --extractor-option python_executable_name=python or --extractor-option python_executable_name=python3 to commands that run the extractor, for example: codeql database create.

    On Windows machines, the Python extractor will expect to find py.exe on the system PATH by default. If the Python executable has a different name, you can set the new extractor option to override this value and look for python.exe or python3.exe.

    For more information about using the extractor option with the CodeQL CLI, see Extractor options.

Security Updates

  • Fixes CVE-2024-25129, a limited data exfiltration vulnerability that could be triggered by untrusted databases or QL packs. See the security advisory for more information.

Query Packs

Bug Fixes

JavaScript/TypeScript

  • The left operand of the && operator no longer propagates data flow by default.

Major Analysis Improvements

Golang

  • The query “Use of a hardcoded key for signing JWT” (go/hardcoded-key) has been promoted from experimental to the main query pack. Its results will now appear by default as part of go/hardcoded-credentials. This query was originally submitted as an experimental query by @porcupineyhairs.

Java/Kotlin

  • The sinks of the queries java/path-injection and java/path-injection-local have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.

Minor Analysis Improvements

C/C++

  • The “non-constant format string” query (cpp/non-constant-format) has been updated to produce fewer false positives.
  • Added dataflow models for the gettext function variants.

C#

  • Added sanitizers for relative URLs, List.Contains(), and checking the .Host property on an URI to the cs/web/unvalidated-url-redirection query.

Java/Kotlin

  • The sanitizer for the path injection queries has been improved to handle more cases where equals is used to check an exact path match.
  • The query java/unvalidated-url-redirection now sanitizes results following the same logic as the query java/ssrf. URLs where the destination cannot be controlled externally are no longer reported.

New Queries

Golang

  • The query “Missing JWT signature check” (go/missing-jwt-signature-check) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @am0o0.

Java/Kotlin

  • Added a new query java/android/insecure-local-authentication for finding uses of biometric authentication APIs that do not make use of a KeyStore-backed key and thus may be bypassed.

Swift

  • Added a new experimental query, swift/unsafe-unpacking, that detects unpacking user controlled zips without validating the destination file path is within the destination directory.

Query Metadata Changes

Java/Kotlin

  • The security-severity score of the query java/relative-path-command has been reduced to better adjust it to the specific conditions needed for exploitation.

Language Libraries

Minor Analysis Improvements

C#

  • C# 12: The QL and data flow library now support primary constructors.
  • Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in buildless mode to surface information related to dependency fetching.

Java/Kotlin

  • An extension point for sanitizers of the query java/unvalidated-url-redirection has been added.
  • Added models for the following packages:
    • java.io
    • java.lang
    • java.net
    • java.net.http
    • java.nio.file
    • java.util.zip
    • javax.servlet
    • org.apache.commons.io
    • org.apache.hadoop.fs
    • org.apache.hadoop.fs.s3a
    • org.eclipse.jetty.client
    • org.gradle.api.file

JavaScript/TypeScript

  • The name “certification” is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like “clear-text-logging” which look for sensitive data.

Python

  • The name “certification” is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like “clear-text-logging” which look for sensitive data.
  • Added modeling of the psycopg PyPI package as a SQL database library.

Ruby

  • Raw output ERB tags of the form <%== ... %> are now recognised as cross-site scripting sinks.
  • The name “certification” is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like “clear-text-logging” which look for sensitive data.

Swift

  • The name “certification” is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like “clear-text-logging” which look for sensitive data.

Deprecated APIs

Java/Kotlin

  • The PathCreation class in PathCreation.qll has been deprecated.

New Features

C/C++

  • A getInitialization predicate was added to the RangeBasedForStmt class that yields the C++20-style initializer of the range-based for statement when it exists.

Shared Libraries

Breaking Changes

Dataflow Analysis

  • The edges predicate contained in PathGraph now contains two additional columns for propagating model provenance information. This is primarily an internal change without any impact on any APIs, except for specialised queries making use of MergePathGraph in conjunction with custom PathGraph implementations. Such queries will need to be updated to reference the two new columns. This is expected to be very rare, as MergePathGraph is an advanced feature, but it is a breaking change for any such affected queries.
  • © GitHub, Inc.
  • Terms
  • Privacy