CodeQL documentation
CodeQL resources

CodeQL 2.18.1 (2024-07-25)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.18.1 runs a total of 419 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 129 queries (covering 34 more CWE). 2 security queries have been added with this release.

CodeQL CLI

New Features

  • The experimental type QlBuiltins::BigInt of arbitrary-precision integers has been introduced. To opt in to this API, compile your queries with --allow-experimental=bigint. Big integers can be constructed using the .toBigInt() methods of int and string. The built-in operations are:
    • comparisons: =, !=, <, <=, >, >=,
    • conversions: .toString(), .toInt(),
    • arithmetic: binary +, -, *, /, %, unary -,
    • bitwise operations: .bitAnd(BigInt), .bitOr(BigInt), .bitXor(BigInt), .bitShiftLeft(int), .bitShiftRightSigned(int), .bitNot(),
    • aggregates: min, max, (strict):code:sum, (strict):code:count, avg, rank, unique, any.
    • other: .pow(int), .abs(), .gcd(BigInt), .minimum(BigInt), .maximum(BigInt).
  • codeql test run now supports postprocessing of test results. When .qlref files specify a path to a postprocess query, then this is evaluated after the test query to transform the test outputs prior to concatenating them into the actual results.

Improvements

  • The 30% QL query compilation slowdown noted in 2.18.0 has been fixed.

Security Updates

  • Resolves CVE-2023-4759, an arbitrary file overwrite in Eclipse JGit that can be triggered when using untrusted third-party queries from a git repository. See the security advisory for more information.
  • The following dependencies have been updated. These updates include security fixes in the respective libraries that prevent out-of-bounds accesses or denial-of-service in scenarios where untrusted files are processed. These scenarios are not likely to be encountered in most uses of CodeQL and code scanning, and only apply to advanced use cases where precompiled query packs, database ZIP files, or database TRAP files are obtained from untrusted sources and then processed on a trusted machine.
    • airlift/aircompressor is updated to version 0.27.
    • Apache Ant is updated to version 1.10.11.
    • Apache Commons Compress is updated to version 1.26.0.
    • Apache Commons IO is updated to version 2.15.1.
    • Apache Commons Lang3 is updated to version 3.14.0.
    • jsoup is updated to version 1.15.3.
    • Logback is updated to version 1.2.13.
    • Snappy is updated to version 0.5.

Query Packs

Minor Analysis Improvements

C/C++

  • The cpp/unsigned-difference-expression-compared-zero (“Unsigned difference expression compared to zero”) query now produces fewer false positives.

Java/Kotlin

  • The heuristic to enable certain Android queries has been improved. Now it ignores Android Manifests which don’t define an activity, content provider or service. We also only consider files which are under a folder containing such an Android Manifest for these queries. This should remove some false positive alerts.

JavaScript/TypeScript

  • Added a new query, js/functionality-from-untrusted-domain, which detects uses in HTML and JavaScript scripts from untrusted domains, including the polyfill.io content delivery network
    • it can be extended to detect other compromised scripts using user-provided data extensions of the untrustedDomain predicate, which takes one string argument with the domain to warn on (and will warn on any subdomains too).
  • Modified existing query, js/functionality-from-untrusted-source, to allow adding this new query, but reusing the same logic
    • Added the ability to use data extensions to require SRI on CDN hostnames using the isCdnDomainWithCheckingRequired predicate, which takes one string argument of the full hostname to require SRI for.
  • Created a new library, semmle.javascript.security.FunctionalityFromUntrustedSource, to support both queries.

New Queries

JavaScript/TypeScript

  • Added a new query, js/insecure-helmet-configuration, to detect instances where Helmet middleware is configured with important security features disabled.

Query Metadata Changes

C/C++

  • The precision of cpp/iterator-to-expired-container (“Iterator to expired container”) has been increased to high. As a result, it will be run by default as part of the Code Scanning suite.
  • The precision of cpp/unsafe-strncat (“Potentially unsafe call to strncat”) has been increased to high. As a result, it will be run by default as part of the Code Scanning suite.

Language Libraries

Breaking Changes

Java/Kotlin

  • The Java extractor no longer supports the SEMMLE_DIST legacy environment variable.

Minor Analysis Improvements

Golang

  • There was a bug which meant that the built-in function clear was considered as a sanitizer in some cases when it shouldn’t have been. This has now been fixed, which may lead to more alerts.

Java/Kotlin

  • Added a path-injection sink for hudson.FilePath.exists().
  • Added summary models for org.apache.commons.io.IOUtils.toByteArray.
  • Java build-mode none analyses now only report a warning on the CodeQL status page when there are significant analysis problems– defined as 5% of expressions lacking a type, or 5% of call targets being unknown. Other messages reported on the status page are downgraded from warnings to notes and so are less prominent, but are still available for review.

Python

  • Additional modelling to detect direct writes to the Set-Cookie header has been added for several web frameworks.

Swift

  • Additional heuristics for sensitive private information have been added to the SensitiveExprs.qll library, improving coverage for credit card and social security numbers. This may result in additional results for queries that use sensitive data such as swift/cleartext-transmission.

Deprecated APIs

Java/Kotlin

  • The predicate isAndroid from the module semmle.code.java.security.AndroidCertificatePinningQuery has been deprecated. Use semmle.code.java.frameworks.android.Android::inAndroidApplication(File) instead.

New Features

C/C++

  • Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, .qlrefs that reference path-problem queries) will need to be have their expected output updated accordingly.
  • Added subclasses of BuiltInOperations for __builtin_has_attribute, __builtin_is_corresponding_member, __builtin_is_pointer_interconvertible_with_class, __is_assignable_no_precondition_check, __is_bounded_array, __is_convertible, __is_corresponding_member, __is_nothrow_convertible, __is_pointer_interconvertible_with_class, __is_referenceable, __is_same_as, __is_trivially_copy_assignable, __is_unbounded_array, __is_valid_winrt_type, _is_win_class, __is_win_interface, __reference_binds_to_temporary, __reference_constructs_from_temporary, and __reference_converts_from_temporary.
  • The class NewArrayExpr adds a predicate getArraySize() to allow a more convenient way to access the static size of the array when the extent is missing.

Java/Kotlin

  • Kotlin support is now out of beta, and generally available
  • Kotlin versions up to 2.0.2*x* are now supported.

Swift

  • Swift support is now out of beta, and generally available.
  • © GitHub, Inc.
  • Terms
  • Privacy