CodeQL documentation

CodeQL 2.17.2 (2024-05-07)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.17.2 runs a total of 413 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 130 queries (covering 34 more CWE). 1 security query has been added with this release.



  • When uploading a SARIF file to GitHub using codeql github upload-results, the CodeQL CLI now waits for the file to be processed by GitHub. If any errors occurred during processing of the analysis results, the command will log these and return a non-zero exit code. To disable this behaviour, pass the --no-wait-for-processing flag.

    By default, the command will wait for the SARIF file to be processed for a maximum of 2 minutes, however this is configurable with the --wait-for-processing-timeout option.

  • The build tracer is no longer enabled when using the none build mode to analyze a compiled language, thus improving performance.

Known Issues

  • The beta support for analyzing Swift in this release and all previous releases requires g++-13 when running on Linux. Users analyzing Swift using the ubuntu-latest, ubuntu-22.04, or ubuntu-20.04 runner images for GitHub Actions should update their workflows to install g++-13. For more information, see the runner images announcement.

Query Packs

Minor Analysis Improvements


  • The “Uncontrolled data used in path expression” query (cpp/path-injection) query produces fewer near-duplicate results.
  • The “Global variable may be used before initialization” query (cpp/global-use-before-init) no longer raises an alert on global variables that are initialized when they are declared.
  • The “Inconsistent null check of pointer” query (cpp/inconsistent-nullness-testing) query no longer raises an alert when the guarded check is in a macro expansion.


  • The query go/incomplete-hostname-regexp now recognizes more sources involving concatenation of string literals and also follows flow through string concatenation. This may lead to more alerts.
  • Added some more barriers to flow for go/incorrect-integer-conversion to reduce false positives, especially around type switches.


  • The JavaScript extractor will on longer report syntax errors related to “strict mode”. Files containing such errors are now being fully analyzed along with other sources files. This improves our support for source files that technically break the “strict mode” rules, but where a build steps transforms the code such that it ends up working at runtime.

Language Libraries

Breaking Changes


  • Deleted the deprecated GlobalValueNumberingImpl.qll implementation.


  • Deleted the deprecated getAssemblyName predicate from the Operator class. Use getFunctionName instead.
  • Deleted the deprecated LShiftOperator, RShiftOperator, AssignLShiftExpr, AssignRShiftExpr, LShiftExpr, and RShiftExpr aliases.
  • Deleted the deprecated getCallableDescription predicate from the ExternalApiDataNode class. Use hasQualifiedName instead.


  • Deleted the deprecated CsvRemoteSource alias. Use MaDRemoteSource instead.


  • Deleted the deprecated AssignLShiftExpr, AssignRShiftExpr, AssignURShiftExpr, LShiftExpr, RShiftExpr, and URShiftExpr aliases.


  • Deleted the deprecated getInput predicate from the CryptographicOperation class. Use getAnInput instead.
  • Deleted the deprecated RegExpPatterns module from Regexp.qll.
  • Deleted the deprecated semmle/javascript/security/BadTagFilterQuery.qll, semmle/javascript/security/OverlyLargeRangeQuery.qll, semmle/javascript/security/regexp/RegexpMatching.qll, and Security/CWE-020/HostnameRegexpShared.qll files.


  • Deleted the deprecated RegExpPatterns module from Regexp.qll.
  • Deleted the deprecated Security/CWE-020/HostnameRegexpShared.qll file.


  • Deleted the deprecated RegExpPatterns module from Regexp.qll.
  • Deleted the deprecated security/cwe-020/HostnameRegexpShared.qll file.

Minor Analysis Improvements


  • Source models have been added for the standard library function getc (and variations).
  • Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
  • Parameters of functions without definitions now have ParameterNodes.
  • The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.


  • Generated .NET Runtime models for properties with both getters and setters have been removed as this is now handled by the data flow library.


  • Improved detection of whether a file uses CommonJS module system.

Deprecated APIs


  • To make Go consistent with other language libraries, the UntrustedFlowSource name has been deprecated throughout. Use RemoteFlowSource instead, which replaces it.
  • Where modules have classes named UntrustedFlowAsSource, these are also deprecated and the Source class in the same module or the RemoteFlowSource class should be used instead.


  • Renamed the StrConst class to StringLiteral, for greater consistency with other languages. The StrConst and Str classes are now deprecated and will be removed in a future release.

New Features


  • Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See dataflow/ExternalFlow.qll for documentation and specification of the model format, and models/implementations/ZMQ.qll for a simple example of models. Importing models from .yml is not yet supported.

Shared Libraries

Major Analysis Improvements

Dataflow Analysis

  • The data flow library performs heuristic filtering of code paths that have a high degree of control-flow uncertainty for improved performance in cases that are deemed unlikely to yield true positive flow paths. This filtering can be controlled with the fieldFlowBranchLimit predicate in configurations. Two bugs have been fixed in relation to this: Some cases of high uncertainty were not being correctly identified. This fix improves performance in certain scenarios. Another group of cases of low uncertainty were also being misidentified, which led to false negatives. Taken together, we generally expect some additional query results with more true positives and fewer false positives.
  • © GitHub, Inc.
  • Terms
  • Privacy