CodeQL 2.16.3 (2024-02-22)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.16.3 runs a total of 408 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 131 queries (covering 34 more CWE). 2 security queries have been added with this release.
CodeQL CLI¶
Bug Fixes¶
- Fixed a bug where CodeQL may produce an invalid database when it exhausts all available ID numbers. Now it detects the condition and reports an error instead.
New Features¶
A new extractor option has been added to the Python extractor:
python_executable_name. You can use this option to override the default process the extractor uses to find and select a Python executable. Pass one of--extractor-option python_executable_name=pyor--extractor-option python_executable_name=pythonor--extractor-option python_executable_name=python3to commands that run the extractor, for example:codeql database create.On Windows machines, the Python extractor will expect to find
py.exeon the systemPATHby default. If the Python executable has a different name, you can set the new extractor option to override this value and look forpython.exeorpython3.exe.For more information about using the extractor option with the CodeQL CLI, see Extractor options.
Security Updates¶
- Fixes CVE-2024-25129, a limited data exfiltration vulnerability that could be triggered by untrusted databases or QL packs. See the security advisory for more information.
Query Packs¶
Bug Fixes¶
JavaScript/TypeScript¶
- The left operand of the
&&operator no longer propagates data flow by default.
Major Analysis Improvements¶
Golang¶
- The query “Use of a hardcoded key for signing JWT” (
go/hardcoded-key) has been promoted from experimental to the main query pack. Its results will now appear by default as part ofgo/hardcoded-credentials. This query was originally submitted as an experimental query by @porcupineyhairs.
Java¶
- The sinks of the queries
java/path-injectionandjava/path-injection-localhave been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.
Minor Analysis Improvements¶
C/C++¶
- The “non-constant format string” query (
cpp/non-constant-format) has been updated to produce fewer false positives. - Added dataflow models for the
gettextfunction variants.
C#¶
- Added sanitizers for relative URLs,
List.Contains(), and checking the.Hostproperty on an URI to thecs/web/unvalidated-url-redirectionquery.
Java¶
- The sanitizer for the path injection queries has been improved to handle more cases where
equalsis used to check an exact path match. - The query
java/unvalidated-url-redirectionnow sanitizes results following the same logic as the queryjava/ssrf. URLs where the destination cannot be controlled externally are no longer reported.
New Queries¶
Golang¶
- The query “Missing JWT signature check” (
go/missing-jwt-signature-check) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @am0o0.
Java¶
- Added a new query
java/android/insecure-local-authenticationfor finding uses of biometric authentication APIs that do not make use of aKeyStore-backed key and thus may be bypassed.
Swift¶
- Added a new experimental query,
swift/unsafe-unpacking, that detects unpacking user controlled zips without validating the destination file path is within the destination directory.
Language Libraries¶
Minor Analysis Improvements¶
C#¶
- C# 12: The QL and data flow library now support primary constructors.
- Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in buildless mode to surface information related to dependency fetching.
Java¶
- An extension point for sanitizers of the query
java/unvalidated-url-redirectionhas been added. - Added models for the following packages:
- java.io
- java.lang
- java.net
- java.net.http
- java.nio.file
- java.util.zip
- javax.servlet
- org.apache.commons.io
- org.apache.hadoop.fs
- org.apache.hadoop.fs.s3a
- org.eclipse.jetty.client
- org.gradle.api.file
JavaScript/TypeScript¶
- The name “certification” is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like “clear-text-logging” which look for sensitive data.
Python¶
- The name “certification” is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like “clear-text-logging” which look for sensitive data.
- Added modeling of the
psycopgPyPI package as a SQL database library.
Ruby¶
- Raw output ERB tags of the form
<%== ... %>are now recognised as cross-site scripting sinks. - The name “certification” is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like “clear-text-logging” which look for sensitive data.
Swift¶
- The name “certification” is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like “clear-text-logging” which look for sensitive data.