CodeQL 2.17.3 (2024-05-17)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.17.3 runs a total of 414 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 131 queries (covering 35 more CWE). 2 security queries have been added with this release.
CodeQL CLI¶
Improvements¶
- The language server that our IDE integration is built on now defaults to fine-grained dependency tracking for incremental error-checking after file changes. This slightly improves the latency of refreshing errors after local source code edits and will enable significant speedups in the future.
- We now properly handle globs (such as
folder/**/*.py
) inpaths
configuration to specify what files to include for Python analysis (see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan). - TRAP import (a part of
codeql database create
andcodeql database finalize
) now supports allocating 2^32 IDs during the import process. The previous limit was 2^31 IDs.
Query Packs¶
New Queries¶
C/C++¶
- Added a new query,
cpp/iterator-to-expired-container
, to detect the creation of iterators owned by a temporary objects that are about to be destroyed.
Python¶
- The
py/header-injection
query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack and renamed topy/http-response-splitting
. This query finds instances of http header injection / response splitting vulnerabilities.
Language Libraries¶
Breaking Changes¶
Java/Kotlin¶
- The Java extractor no longer supports the
ODASA_JAVA_LAYOUT
,ODASA_TOOLS
andODASA_HOME
legacy environment variables. - The Java extractor no longer supports the
ODASA_BUILD_ERROR_DIR
legacy environment variable.
Major Analysis Improvements¶
Python¶
- Added modeling of the
pyramid
framework, leading to new remote flow sources and sinks.
Minor Analysis Improvements¶
Golang¶
- Fixed a bug that stopped built-in functions from being referenced using the predicate
hasQualifiedName
because technically they do not belong to any package. Now you can use the empty string as the package, e.g.f.hasQualifiedName("", "len")
. - Fixed a bug that stopped data flow models for built-in functions from having any effect because the package “” was not parsed correctly.
- Fixed a bug that stopped data flow from being followed through variadic arguments to built-in functions or to functions called using a variable.