CodeQL 2.17.0 (2024-04-04)¶

Contents

Security Coverage
CodeQL CLI
Query Packs
Language Libraries
Shared Libraries
- Minor Analysis Improvements

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.17.0 runs a total of 410 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 130 queries (covering 34 more CWE).

CodeQL CLI¶

Deprecations¶

The --[no-]analysis-summary-v2 and --[no-]new-analysis-summary options that were used to enable (or disable) improved summary information printed at the end of a codeql database analyze invocation are no longer supported. Improved summary information is now enabled for all invocations.
Support for overwriting default CodeQL SARIF run properties using the --sarif-run-property command line option has been removed. This removes the ability to overwrite the semmle.formatSpecifier, metricResults, and codeqlConfigSummary properties in the SARIF run file.

Improvements¶

TRAP import (a part of codeql database create and codeql database finalize) now performs better in low-memory situations. (Put another way, it now needs less RAM to achieve the same performance as before.)
The worst-case performance of transitive closure computation (using the + or * postfix operators or the fastTC higher-order primitive in QL) has been greatly improved.

Miscellaneous¶

The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.2.

Query Packs¶

Major Analysis Improvements¶

C#¶

The Stored variants of some queries (cs/stored-command-line-injection, cs/web/stored-xss, cs/stored-ldap-injection, cs/xml/stored-xpath-injection, cs/second-order-sql-injection) have been removed. If you were using these queries, their results can be restored by enabling the file and database threat models in your threat model configuration.

Java¶

The java/missing-case-in-switch query now gives only a single alert for each switch statement, giving some examples of the missing cases as well as a count of how many are missing.

Minor Analysis Improvements¶

C/C++¶

The “Missing return-value check for a ‘scanf’-like function” query (cpp/missing-check-scanf) has been converted to a path-problem query.
The “Potentially uninitialized local variable” query (cpp/uninitialized-local) has been converted to a path-problem query.
Added models for GLib allocation and deallocation functions.

C#¶

The alert message of cs/wrong-compareto-signature has been changed to remove unnecessary element references.
Data flow queries that track flow from local flow sources now use the current threat model configuration instead. This may lead to changes in the produced alerts if the threat model configuration only uses remote flow sources. The changed queries are cs/code-injection, cs/resource-injection, cs/sql-injection, and cs/uncontrolled-format-string.

Golang¶

The query go/hardcoded-credentials no longer discards string literals based on “weak password” heuristics.
The query go/sql-injection now recognizes more sinks in the package github.com/Masterminds/squirrel.

Java¶

Variables named tokenImage are no longer sources for the java/sensitive-log query. This is because this variable name is used in parsing code generated by JavaCC, so it causes a large number of false positive alerts.
Added sanitizers for relative URLs, List.contains(), and checking the host of a URI to the java/ssrf and java/unvalidated-url-redirection queries.

JavaScript/TypeScript¶

The call graph has been improved, leading to more alerts for data flow based queries.

New Queries¶

C/C++¶

Added a new query, cpp/type-confusion, to detect casts to invalid types.

Golang¶

The query “Slice memory allocation with excessive size value” (go/uncontrolled-allocation-size) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @Malayke.

Java¶

The query java/unsafe-url-forward-dispatch-load has been promoted from experimental to the main query pack as java/unvalidated-url-forward. Its results will now appear by default. This query was originally submitted as an experimental query by @haby0 and by @luchua-bc.

Query Metadata Changes¶

C/C++¶

@precision medium metadata was added to the cpp/boost/tls-settings-misconfiguration and cpp/boost/use-of-deprecated-hardcoded-security-protocol queries, and these queries are now included in the security-extended suite. The @name metadata of these queries were also updated.

JavaScript/TypeScript¶

The @precision of the js/unsafe-external-link has been reduced to low to reflect the fact that modern browsers do not expose the opening window for such links. This mitigates the potential security risk of having a link with target="_blank".

Language Libraries¶

Breaking Changes¶

C#¶

The CIL extractor has been deleted and the corresponding extractor option cil has been removed. It is no longer possible to do CIL extraction.
The QL library C# classes no longer extend their corresponding DotNet classes. Furthermore, CIL related data flow functionality has been deleted and all DotNet and CIL related classes have been deprecated. This effectively means that it no longer has any effect to enable CIL extraction.

Java¶

The Java extractor no longer supports the ODASA_SNAPSHOT legacy environment variable.

Major Analysis Improvements¶

JavaScript/TypeScript¶

Added support for TypeScript 5.4.

Swift¶

Upgraded to Swift 5.10
New AST node is extracted: ThenStmt

Minor Analysis Improvements¶

C/C++¶

Added destructors for temporary objects with extended lifetimes to the intermediate representation.

C#¶

Added new source models for the Dapper package. These models can be enabled by enabling the database threat model.
Additional models have been added for System.IO. These are primarily source models with the file threat model, and summaries related to reading from a file or stream.
Support for C# 12 / .NET8.
Added the windows-registry source kind and threat model to represent values which come from the registry on Windows.
The models for System.Net.Http.HttpRequestMessage have been modified to better model the flow of tainted URIs.
The .NET standard libraries APIs for accessing command line arguments and environment variables have been modeled using the commandargs and environment threat models.
The cs/assembly-path-injection query has been modified so that it’s sources rely on ThreatModelFlowSource. In order to restore results from command line arguments, you should enable the commandargs threat model.
The models for System.IO.TextReader have been modified to better model the flow of tainted text from a TextReader.

Golang¶

The CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO option, which speeds up retrieval of dependency information, is now on by default. This was originally an external contribution by @xhd2015.
Added dataflow sources for the package gopkg.in/macaron.v1.

Java¶

Increased the precision of some dataflow models of the class java.net.URL by distinguishing the parts of a URL.
The Java extractor and QL libraries now support Java 22, including support for anonymous variables, lambda parameters and patterns.
Pattern cases with multiple patterns and that fall through to or from other pattern cases are now supported. The PatternCase class gains the new getPatternAtIndex and getAPattern predicates, and deprecates getPattern.
Added a path-injection sink for the open methods of the android.os.ParcelFileDescriptor class.

Ruby¶

Data flow is now tracked through ActiveRecord scopes.
Modeled instances of ActionDispatch::Http::UploadedFile that can be obtained from element reads of ActionController::Parameters, with calls to original_filename, content_type, and read now propagating taint from their receiver.
The second argument, subquery_name, of the ActiveRecord::QueryMethods::from method, is now recognized as an sql injection sink.
Calls to Typhoeus::Request.new are now considered as instances of the Http::Client::Request concept, with the response body being treated as a remote flow source.
New command injection sinks have been added, including Process.spawn, Process.exec, Terrapin::CommandLine and the open4 gem.

New Features¶

C/C++¶

Added a TaintInheritingContent class that can be extended to model taint flowing from a qualifier to a field.
Added a predicate GuardCondition.comparesEq/4 to query whether an expression is compared to a constant.
Added a predicate GuardCondition.ensuresEq/4 to query whether a basic block is guarded by an expression being equal to a constant.
Added a predicate GuardCondition.comparesLt/4 to query whether an expression is compared to a constant.
Added a predicate GuardCondition.ensuresLt/4 to query whether a basic block is guarded by an expression being less than a constant.
Added a predicate GuardCondition.valueControls to query whether a basic block is guarded by a particular case of a switch statement.

Shared Libraries¶

Minor Analysis Improvements¶

Dataflow Analysis¶

Path explanations now include flow that goes through callbacks passed into library functions. For example, if map is a library function, then in result = map(xs, x => x + 1) we will now include the step from x to x + 1 in the path explanation, instead of going directly from xs to result. Note that this change does not affect actual query results, but only how path explanations are computed.