CodeQL documentation

CodeQL 2.18.3 (2024-08-28)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.18.3 runs a total of 425 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 2 security queries have been added with this release.

CodeQL CLI

There are no user-facing CLI changes in this release.

Query Packs

Minor Analysis Improvements

C/C++

  • The cpp/uncontrolled-allocation-size (“Uncontrolled allocation size”) query now considers arithmetic operations that might reduce the size of user input as a barrier. The query therefore produces fewer false positive results.

C#

  • Attributes in the System.Runtime.CompilerServices namespace are ignored when checking if a declaration requires documentation comments.
  • C# build-mode none analyses now report a warning on the CodeQL status page when there are significant analysis problems – defined as 5% of expressions lacking a type, or 5% of call targets being unknown. Other messages reported on the status page are downgraded from warnings to notes and so are less prominent, but are still available for review.

JavaScript/TypeScript

  • Message events in the browser are now properly classified as client-side taint sources. Previously they were incorrectly classified as server-side taint sources, which resulted in some alerts being reported by the wrong query, such as server-side URL redirection instead of client-side URL redirection.

Swift

  • False positive results from the swift/cleartext-transmission (“Cleartext transmission of sensitive information”) query involving tel:, mailto: and similar URLs have been fixed.

New Queries

Python

  • The py/cookie-injection query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being set without the Secure, HttpOnly, or SameSite attributes set to secure values.
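The cookie attributes named in this entry, as an added example that is not CodeQL's query or test code: it builds the same cookie with and without the attributes using Python's standard http.cookies module and audits the resulting Set-Cookie value. The function names, the sample cookie, and the choice to treat only Strict and Lax as secure SameSite values are assumptions of this example.

```python
from http.cookies import SimpleCookie

# SameSite values treated as secure here (assumption of this example;
# "None" permits cross-site sending, so it is reported).
SAFE_SAMESITE = {"strict", "lax"}


def build_set_cookie(name, value, hardened):
    """Return the Set-Cookie header value for one cookie."""
    jar = SimpleCookie()
    jar[name] = value
    if hardened:
        jar[name]["secure"] = True        # only sent over HTTPS
        jar[name]["httponly"] = True      # not readable from page scripts
        jar[name]["samesite"] = "Strict"  # not sent on cross-site requests
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """List the attribute problems in one Set-Cookie header value."""
    attrs = {}
    # Everything after the first ';' is an attribute, either a bare flag
    # (Secure, HttpOnly) or a key=value pair (SameSite=Strict).
    for part in header_value.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() not in SAFE_SAMESITE:
        findings.append("SameSite=" + samesite)
    return findings


if __name__ == "__main__":
    # Constructed sample cookie, weak form first and hardened form second.
    for hardened in (False, True):
        header = build_set_cookie("session", "abc123", hardened)
        print(header, "->", audit_set_cookie(header) or "ok")
```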

Language Libraries

Bug Fixes

Golang

  • Fixed an issue where io/ioutil.WriteFile’s non-path arguments incorrectly generated go/path-injection alerts when untrusted data was written to a file, or controlled the file’s mode.

Java/Kotlin

  • Fixed an issue where analysis in build-mode: none may very occasionally throw a CoderMalfunctionError while resolving dependencies provided by a build system (Maven or Gradle), which could cause some dependency resolution and consequently alerts to vary unpredictably from one run to another.
  • Fixed an issue where Java analysis in build-mode: none would fail to resolve dependencies using the executable-war Maven artifact type.
  • Fixed an issue where analysis in build-mode: none may fail to resolve dependencies of Gradle projects where the dependency uses a non-empty artifact classifier – for example, someproject-1.2.3-tests.jar, which has the classifier tests.

Major Analysis Improvements

C#

  • Added support for data flow through side-effects on static fields, for example when a static field containing an array is updated.

Minor Analysis Improvements

C#

  • Added some new local source models, most prominently System.IO.Path.GetTempPath and System.Environment.GetFolderPath. This might produce more alerts if the local threat model is enabled.
  • The extractor has been changed to not skip source files that have already been seen. This has an impact on source files that are compiled multiple times in the build process. Source files with conditional compilation preprocessor directives (such as #if) are now extracted for each set of preprocessor symbols that are used during the build process.

Java/Kotlin

  • The threat model for System.in has changed from commandargs to the newly created stdin (both are subgroups of local).

Shared Libraries

Deprecated APIs

Dataflow Analysis

  • The source/sink grouping feature of the data flow library has been removed. It was introduced primarily for debugging, but has not proven useful.