CodeQL 2.16.4 (2024-03-11)¶

Contents

Security Coverage
CodeQL CLI
Query Packs
- Minor Analysis Improvements
- New Queries
Language Libraries

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.16.4 runs a total of 409 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 132 queries (covering 34 more CWE). 2 security queries have been added with this release.

CodeQL CLI¶

Potentially Breaking Changes¶

A number of internal command line options (--builtin_functions_file, --clang_builtin_functions, --disable-objc-default-synthesize-properties, --list_builtin_functions, --memory-limit-bytes, --mimic_config, and --objc) has been removed from the C/C++ extractor. It has never been possible to pass these options through the CLI itself, but some customers with advanced setups may have been passing them through internal undocumented interfaces. All of the removed options were already no-ops, and will now generate errors.

The --verbosity command line option has also been removed. The option was an alias for --codeql-verbosity, which should be used instead.

Bug Fixes¶

When parsing user-authored YAML files such as codeql-pack.yml, qlpack.yml, codeql-workspace.yml, and any YAML file defining a data extension, unquoted string values starting with a * character are now correctly interpreted as YAML aliases. Previously, they were interpreted as strings, but with the first character skipped.

If you see a parse error similar to while scanning an alias... unexpected character found *(42),it likely means that you need to add quotes around the indicated string value. The most common cause is unquoted glob patterns that start with *, such as include: **/*.yml, which will need to be quoted as include: "**/*.yml".

Improvements¶

The frontend of the C/C++ extractor has been updated, improving the extractor’s reliability and increasing its ability to extract source code.

Query Packs¶

Minor Analysis Improvements¶

C/C++¶

The “non-constant format string” query (cpp/non-constant-format) has been converted to a path-problem query.
The new C/C++ dataflow and taint-tracking libraries (semmle.code.cpp.dataflow.new.DataFlow and semmle.code.cpp.dataflow.new.TaintTracking) now implicitly assume that dataflow and taint modelled via DataFlowFunction and TaintFunction always fully overwrite their buffers and thus act as flow barriers. As a result, many dataflow and taint-tracking queries now produce fewer false positives. To remove this assumption and go back to the previous behavior for a given model, one can override the new isPartialWrite predicate.

C#¶

Most data flow queries that track flow from remote flow sources now use the current threat model configuration instead. This doesn’t lead to any changes in the produced alerts (as the default configuration is remote flow sources) unless the threat model configuration is changed. The changed queries are cs/code-injection, cs/command-line-injection, cs/user-controlled-bypass, cs/count-untrusted-data-external-api, cs/untrusted-data-to-external-api, cs/ldap-injection, cs/log-forging, cs/xml/missing-validation, cs/redos, cs/regex-injection, cs/resource-injection, cs/sql-injection, cs/path-injection, cs/unsafe-deserialization-untrusted-input, cs/web/unvalidated-url-redirection, cs/xml/insecure-dtd-handling, cs/xml/xpath-injection, cs/web/xss, and cs/uncontrolled-format-string.

Java¶

To reduce the number of false positives in the query “Insertion of sensitive information into log files” (java/sensitive-log), variables with names that contain “null” (case-insensitively) are no longer considered sources of sensitive information.

Ruby¶

Calls to Object#method, Object#public_method and Object#singleton_method with untrusted data are now recognised as sinks for code injection.
Added additional request sources for Ruby on Rails.

New Queries¶

Java¶

Added a new query java/android/insecure-local-key-gen for finding instances of keys generated for biometric authentication in an insecure way.

Python¶

The query py/nosql-injection for finding NoSQL injection vulnerabilities is now part of the default security suite.

Language Libraries¶

Bug Fixes¶

Golang¶

Fixed dataflow out of a map using a range statement.

Java¶

Fixed the Java autobuilder overriding the version of Maven used by a project when the Maven wrapper mvnw is in use and the maven-wrapper.jar file is not present in the repository.
Some flow steps related to android.text.Editable.toString that were accidentally disabled have been re-enabled.

Swift¶

Fixed an issue where TypeDecl.getFullName would get stuck in an loop and fail when minor database inconsistencies are present.

Major Analysis Improvements¶

C#¶

Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
We no longer make use of CodeQL database stats, which may affect join-orders in custom queries. It is therefore recommended to test performance of custom queries after upgrading to this version.

Golang¶

We have significantly improved the Go autobuilder to understand a greater range of project layouts, which allows Go source files to be analysed that could previously not be processed.
Go 1.22 has been included in the range of supported Go versions.

Minor Analysis Improvements¶

C/C++¶

Added destructors for named objects to the intermediate representation.

C#¶

C# 12: Add QL library support (ExperimentalAttribute) for the experimental attribute.
C# 12: Add extractor and QL library support for ref readonly parameters.
C#: The table expr_compiler_generated has been deleted and its content has been added to compiler_generated.
Data flow via get only properties like public object Obj { get; } is now captured by the data flow library.

Java¶

Java expressions with erroneous types (e.g. the result of a call whose callee couldn’t be resolved during extraction) are now given a CodeQL ErrorType more often.

Python¶

Fixed missing flow for dictionary updates (d[<key>] = ...) when <key> is a string constant not used in dictionary literals or as name of keyword-argument.
Fixed flow for iterable unpacking (a,b = my_tuple) when it occurs on top-level (module) scope.

Ruby¶

Calls to I18n.translate as well as Rails helper translate methods now propagate taint from their keyword arguments. The Rails translate methods are also recognized as XSS sanitizers when using keys marked as html safe.
Calls to Arel::Nodes::SqlLiteral.new are now modeled as instances of the SqlConstruction concept, as well as propagating taint from their argument.
Additional arguments beyond the first of calls to the ActiveRecord methods select, reselect, order, reorder, joins, group, and pluck are now recognized as sql injection sinks.
Calls to several methods of ActiveRecord::Connection, such as ActiveRecord::Connection#exec_query, are now recognized as SQL executions, including those via subclasses.