CodeQL 2.5.5 (2021-05-17)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.5.5 runs a total of 248 security queries when configured with the Default suite (covering 112 CWE). The Extended suite enables an additional 72 queries (covering 26 more CWE). 2 security queries have been added with this release.
CodeQL CLI
Potentially Breaking Changes
- When scanning the disk for QL packs and extractors, directories of the form .../SOMETHING/SOMETHING.testproj (where the two SOMETHING are identical) will now be ignored. Names of this form are used by codeql test run for ephemeral test databases, which can sometimes contain files that confuse QL compilations.
Bug Fixes
- When using the --sarif-group-rules-by-pack flag to place the SARIF rule object for each query underneath its corresponding query pack in runs[].tool.extensions, the rule property of result objects can now be used to look up the rule within the rules property of the appropriate query pack in runs[].tool.extensions. Previously, rule lookup for result objects in the SARIF output was not well-defined when the --sarif-group-rules-by-pack flag was passed.
New Features
- Query writers can now optionally use @severity in place of @problem.severity in the metadata for alert queries. SARIF consumers should continue to consume this severity information using the rule.defaultConfiguration.level property for SARIF v2.1.0, and corresponding properties for other versions of SARIF. They should not depend on the value stored in the rule.properties property bag, since this will contain either @problem.severity or @severity based on exactly what was written in the query metadata.
- When exporting analysis results to SARIF v2.1.0, results and metric results now contain a reporting descriptor reference object that specifies the rule that produced them. For metric results, this new property replaces the metric property.
- codeql database analyze now outputs a table that summarizes the results of metric queries that were part of the analysis. This can be suppressed by passing the --no-print-metrics-summary flag.
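The bug fix and the first new feature above both concern how a SARIF consumer should walk CodeQL output: follow the result's rule reference (its toolComponent index into runs[].tool.extensions when --sarif-group-rules-by-pack is used, then its rule index) rather than matching on ruleId alone, and read severity from rule.defaultConfiguration.level rather than from the rule.properties bag. The following is an added example of such a consumer written in Python; it is not CodeQL's own code. The SARIF document, pack names and rule ids in it are constructed for illustration, and the "warning" fallback when defaultConfiguration.level is absent follows the SARIF 2.1.0 default.

```python
import json

# Constructed SARIF v2.1.0 fragment (not real CodeQL output). Rules are grouped
# per query pack under runs[].tool.extensions, as --sarif-group-rules-by-pack emits,
# and each result carries a reportingDescriptorReference in its "rule" property.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {
            "driver": {"name": "CodeQL", "rules": []},
            "extensions": [
                {
                    "name": "example/javascript-queries",  # constructed pack name
                    "rules": [{
                        "id": "js/example-taint",          # constructed rule id
                        "defaultConfiguration": {"level": "error"},
                        # Query written with @problem.severity
                        "properties": {"problem.severity": "error"},
                    }],
                },
                {
                    "name": "example/python-queries",      # constructed pack name
                    "rules": [{
                        "id": "py/example-secret",         # constructed rule id
                        "defaultConfiguration": {"level": "warning"},
                        # Query written with @severity instead; same information,
                        # different key, which is why consumers must not read this bag.
                        "properties": {"severity": "warning"},
                    }],
                },
            ],
        },
        "results": [
            {
                "ruleId": "py/example-secret",
                "rule": {"id": "py/example-secret", "index": 0,
                         "toolComponent": {"index": 1}},
                "message": {"text": "constructed result 1"},
            },
            {
                "ruleId": "js/example-taint",
                "rule": {"id": "js/example-taint", "index": 0,
                         "toolComponent": {"index": 0}},
                "message": {"text": "constructed result 2"},
            },
        ],
    }],
})


def resolve_rule(run, result):
    """Return the reportingDescriptor (rule object) that produced a result.

    result.rule.toolComponent.index selects the entry in run.tool.extensions
    (absent: the driver), and result.rule.index selects the rule within that
    component's rules array. Without a rule reference, fall back to ruleId
    matching against the driver, which is the pre-2.5.5 behaviour.
    """
    tool = run["tool"]
    ref = result.get("rule")
    if ref is None:
        for rule in tool["driver"].get("rules", []):
            if rule.get("id") == result.get("ruleId"):
                return rule
        raise KeyError("no rule reference and no driver rule matching ruleId")

    component = tool["driver"]
    tc = ref.get("toolComponent")
    if tc is not None and "index" in tc:
        component = tool["extensions"][tc["index"]]

    if "index" in ref:
        rule = component["rules"][ref["index"]]
    else:
        rule = next(r for r in component["rules"] if r.get("id") == ref["id"])

    # Sanity check: the indexed rule must carry the id the reference names.
    if ref.get("id") is not None and rule.get("id") != ref["id"]:
        raise ValueError("rule reference id does not match indexed rule")
    return rule


def severity_level(rule):
    """Severity as SARIF consumers should read it: defaultConfiguration.level.

    SARIF 2.1.0 defaults the level to "warning" when it is not present.
    """
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def summarize(sarif_text):
    """Return (ruleId, level) for every result across all runs."""
    doc = json.loads(sarif_text)
    summary = []
    for run in doc["runs"]:
        for result in run.get("results", []):
            rule = resolve_rule(run, result)
            summary.append((result["ruleId"], severity_level(rule)))
    return summary


if __name__ == "__main__":
    for rule_id, level in summarize(SAMPLE_SARIF):
        print(f"{level:8} {rule_id}")
```

Both results resolve to the correct pack even though the two rule objects sit at index 0 of different extensions, which is the lookup the bug fix makes well-defined; and both severities come out right although one rule's property bag uses problem.severity and the other uses severity.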