CodeQL documentation
CodeQL resources

CodeQL 2.20.0 (2024-12-09)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.20.0 runs a total of 432 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).

CodeQL CLI

New Features

  • The QlBuiltins::BigInt type of arbitrary precision integers is generally available and no longer hidden behind the --allow-experimental=bigint CLI feature flag.

Known Issues

  • The Windows executable for this release is labeled with an incorrect version number within its properties: the version number should be 2.20.0 rather than 2.19.4. codeql version reports the correct version number.

Miscellaneous

  • Backslashes are now escaped when writing output in the Graphviz DOT format (--format=dot).
  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.5.

Query Packs

Minor Analysis Improvements

C/C++

  • The “Call to function with fewer arguments than declared parameters” query (cpp/too-few-arguments) no longer produces results if the function has been implicitly declared.

C#

  • csharp/diagnostic/database-quality has been changed to exclude various property access expressions from database quality evaluation. The excluded property access expressions are expected to have no target callables even in manual or autobuilt databases.

Golang

  • Added value flow models for functions in the slices package which do not involve the iter package.

Java/Kotlin

  • Added SHA-384 to the list of secure hashing algorithms. As a result the java/potentially-weak-cryptographic-algorithm query should no longer flag up uses of SHA-384.
  • Added SHA3 to the list of secure hashing algorithms. As a result the java/potentially-weak-cryptographic-algorithm query should no longer flag up uses of SHA3.
  • The java/weak-cryptographic-algorithm query has been updated to no longer report uses of hash functions such as MD5 and SHA1 even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. The java/potentially-weak-cryptographic-algorithm query has been updated to report these uses instead.

New Queries

C/C++

  • Added a new high-precision quality query, cpp/guarded-free, which detects useless NULL pointer checks before calls to free. A variation of this query was originally contributed as an experimental query by @mario-campos.

Language Libraries

Bug Fixes

Golang

  • Fixed a bug which meant that promoted fields and methods were missing when the embedded parent was not promoted due to a name clash.

Python

  • Fixed a problem with the control-flow graph construction, where writing case True: or case False: would cause parts of the graph to be pruned by mistake.

Breaking Changes

C/C++

C#

Golang

Java/Kotlin

Python

Ruby

Swift

Major Analysis Improvements

JavaScript/TypeScript

  • The js/incomplete-sanitization query now also checks regular expressions constructed using new RegExp(..). Previously it only checked regular expression literals.
  • Regular expression-based sanitisers implemented with new RegExp(..) are now detected in more cases.
  • Regular expression related queries now account for unknown flags.

Minor Analysis Improvements

C#

  • Added support for data-flow through member accesses of objects with dynamic types.
  • Only extract public and protected members from reference assemblies. This yields an approximate average speed-up of around 10% for extraction and query execution. Custom MaD rows using Field-based summaries may need to be changed to SyntheticField-based flows if they reference private fields.
  • Added Microsoft.AspNetCore.Components.NagivationManager::Uri as a remote flow source, since this value may contain user-specified values.
  • Added the following URI-parsing methods as summaries, as they may be tainted with user-specified values:
    • System.Web.HttpUtility::ParseQueryString
    • Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery
    • Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery
  • Added js-interop sinks for the InvokeAsync and InvokeVoidAsync methods of Microsoft.JSInterop.IJSRuntime, which can run arbitrary JavaScript.

Golang

  • A call to a method whose name starts with “Debug”, “Error”, “Fatal”, “Info”, “Log”, “Output”, “Panic”, “Print”, “Trace”, “Warn” or “With” defined on an interface whose name ends in “logger” or “Logger” is now considered a LoggerCall. In particular, it is a sink for go/clear-text-logging and go/log-injection. This may lead to some more alerts in those queries.

Java/Kotlin

  • Calling coll.contains(x) is now a taint sanitizer (for any query) for the value x, where coll is a collection of constants.

JavaScript/TypeScript

  • Added taint-steps for String.prototype.toWellFormed.
  • Added taint-steps for Map.groupBy and Object.groupBy.
  • Added taint-steps for Array.prototype.findLast.
  • Added taint-steps for Array.prototype.findLastIndex.

Deprecated APIs

C/C++

  • The NonThrowingFunction class (semmle.code.cpp.models.interfaces.NonThrowing.NonThrowingFunction) has been deprecated. Please use the NonCppThrowingFunction class instead.

Shared Libraries

Breaking Changes

Utility Classes

  • Deleted the old deprecated inline expectation test API that was based on the InlineExpectationsTest class.
  • © GitHub, Inc.
  • Terms
  • Privacy