CodeQL documentation

CodeQL 2.19.2 (2024-10-21)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.19.2 runs a total of 427 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).

CodeQL CLI

Potentially Breaking Changes

  • The Python extractor will no longer extract the standard library by default, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. For a transitional period it will still be possible to force extraction of the standard library by setting the environment variable CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB to 1.

Bug Fixes

  • The 2.19.1 release contained a bug in the query evaluator that under rare conditions could lead to wrong alerts or resource exhaustion. Although we have never seen the problem outside of internal testing, we encourage users on 2.19.1 to upgrade to 2.19.2.

Miscellaneous

  • The database relation sourceLocationPrefix is changed for databases created with codeql test run. Instead of containing the path of the enclosing qlpack, it now contains the actual path of the test, as if one had run codeql database create on the test folder. For example, for a test such as <checkout>/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref we now populate sourceLocationPrefix with <checkout>/cpp/ql/test/query-tests/Security/CWE/CWE-611/ instead of <checkout>/cpp/ql/test/. This change typically affects calls to File.getRelativePath(), and may as a result change the expected test output.

Query Packs

Minor Analysis Improvements

C/C++

  • The cpp/unclear-array-index-validation (“Unclear validation of array index”) query has been improved to reduce false positives and increase true positives.
  • Fixed false positives in the cpp/uninitialized-local (“Potentially uninitialized local variable”) query if there are extraction errors in the function.
  • The cpp/incorrect-string-type-conversion query now produces fewer false positives caused by failure to detect byte arrays.
  • The cpp/incorrect-string-type-conversion query now produces fewer false positives caused by failure to recognize dynamic checks prior to possible dangerous widening.

Ruby

  • The rb/diagnostics/extraction-errors diagnostic query has been split into rb/diagnostics/extraction-errors and rb/diagnostics/extraction-warnings, counting extraction errors and warnings respectively.

Language Libraries

Minor Analysis Improvements

C/C++

  • Added taint flow model for fopen and related functions.
  • The SimpleRangeAnalysis library (semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis) now generates more precise ranges for calls to fgetc and getc.

Golang

  • Added member predicates StructTag.hasOwnFieldWithTag and Field.getTag, which enable CodeQL queries to examine struct field tags.
  • Added member predicate InterfaceType.hasPrivateMethodWithQualifiedName, which enables CodeQL queries to distinguish interfaces with matching non-exported method names that are declared in different packages, and are therefore incompatible.

Python

  • Modelled that re.finditer returns an iterable of re.Match objects. This is now understood by the API graph in many cases.
  • Type tracking, and hence the API graph, is now able to correctly trace through comprehensions.
  • More precise modelling of the dataflow through comprehensions. In particular, captured variables are now handled correctly.
  • Dataflow out of yield is added, allowing proper tracing through generators.
  • Added several models of standard library functions and classes, in anticipation of no longer extracting the standard library in a future release.
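The following fixture is an added illustration, not code from the CodeQL repository: it chains the three Python shapes the notes above say are now traced (re.finditer yielding re.Match objects, flow out of yield, and a comprehension with a captured variable) into one path from an untrusted string to a result, so a taint query run over it should report the flow after upgrading. The sample query string and function names are constructed for this example.

```python
import re

# Constructed sample input: a query string as a web framework would hand it over.
RAW_QUERY = "id=42&id=17&name=alice"


def get_untrusted_query() -> str:
    # Flow source stand-in: untrusted, attacker-controllable text.
    return RAW_QUERY


def values_for(key: str, raw: str):
    # re.finditer returns an iterable of re.Match objects; each group() value
    # carries the taint of `raw`. The tainted value leaves this function through
    # `yield`, which is the "dataflow out of yield" step in the release notes.
    for match in re.finditer(r"([^&=]+)=([^&]*)", raw):
        if match.group(1) == key:
            yield match.group(2)


def collect_ids(raw: str) -> list[str]:
    key = "id"
    # `key` is a captured variable inside the comprehension, and the tainted
    # values come from the generator: both shapes are now followed by type
    # tracking and the data-flow library.
    return [f"{key}:{value}" for value in values_for(key, raw)]


def build_lookup_keys() -> list[str]:
    # Sink stand-in: these strings are what a taint query would flag if they
    # reached a filesystem, database or command call without validation.
    return collect_ids(get_untrusted_query())
```

Drop this file into a CodeQL test directory with a taint-tracking query whose source is get_untrusted_query and whose sink is the argument of collect_ids to confirm the upgraded library reports the path end to end.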

Ruby

  • The ExtractionError class has been split into ExtractionError and ExtractionWarning, reporting extraction errors and warnings respectively.