CodeQL documentation

CodeQL 2.16.2 (2024-02-12)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.16.2 runs a total of 406 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 131 queries (covering 34 more CWE). 2 security queries have been added with this release.

CodeQL CLI

There are no user-facing CLI changes in this release.

Query Packs

Minor Analysis Improvements

C/C++

  • Corrected 2 false positive with cpp/incorrect-string-type-conversion: conversion of byte arrays to wchar and new array allocations converted to wchar.
  • The “Incorrect return-value check for a ‘scanf’-like function” query (cpp/incorrectly-checked-scanf) no longer reports an alert when an explicit check for EOF is added.
  • The “Incorrect return-value check for a ‘scanf’-like function” query (cpp/incorrectly-checked-scanf) now recognizes more EOF checks.
  • The “Potentially uninitialized local variable” query (cpp/uninitialized-local) no longer reports an alert when the local variable is used as a qualifier to a static member function call.
  • The diagnostic query cpp/diagnostics/successfully-extracted-files now considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.

C#

  • Added string interpolation expressions and string.Format as possible sanitizers for the cs/web/unvalidated-url-redirection query.

Ruby

  • Added new unsafe deserialization sinks for the ox gem.
  • Added an additional unsafe deserialization sink for the oj gem.

New Queries

Java/Kotlin

  • Added a new query java/android/sensitive-text to detect instances of sensitive data being exposed through text fields without being properly masked.
  • Added a new query java/android/sensitive-notification to detect instances of sensitive data being exposed through Android notifications.

Ruby

  • Added a new experimental query, rb/insecure-randomness, to detect when application uses random values that are not cryptographically secure.

Language Libraries

Bug Fixes

Python

  • Fixed the a (ASCII) inline flag not being recognized by the regular expression library.

Minor Analysis Improvements

C#

  • Added a new database relation to store compiler arguments specified inside @[...].rsp file arguments. The arguments are returned by Compilation::getExpandedArgument/1 and Compilation::getExpandedArguments/0.
  • C# 12: Added extractor, QL library and data flow support for collection expressions like [1, y, 4, .. x].
  • The C# extractor now accepts an extractor option logging.verbosity that specifies the verbosity of the logs. The option is added via codeql database create --language=csharp -Ologging.verbosity=debug ... or by setting the corresponding environment variable CODEQL_EXTRACTOR_CSHARP_OPTION_LOGGING_VERBOSITY.

Java/Kotlin

  • Added models for the following packages:
    • com.fasterxml.jackson.databind
    • javax.servlet
  • Added the java.util.Date and java.util.UUID classes to the list of types in the SimpleTypeSanitizer class in semmle.code.java.security.Sanitizers.

Python

  • Added html.escape as a sanitizer for HTML.

Ruby

  • Flow is now tracked through Rails render calls, when the argument is a ViewComponent. In this case, data flow is tracked into the accompanying .html.erb file.

New Features

C/C++

  • Added the PreprocBlock.qll library to this repository. This library offers a view of #if, #elif, #else and similar directives as a tree with navigable parent-child relationships.
  • Added a new ThrowingFunction abstract class that can be used to model an external function that may throw an exception.
  • © GitHub, Inc.
  • Terms
  • Privacy