CodeQL 2.20.1 (2025-01-09)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.20.1 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 22 security queries have been added with this release.
CodeQL CLI¶
Improvements¶
Automatic installation of dependencies for C++ autobuild is now supported on Ubuntu 24.04.
The CLI will now warn if it detects that it is installed in a location where it is likely to cause performance issues. This includes: user home, desktop, downloads, or the file system root.
You can avoid this warning by setting the CODEQL_ALLOW_INSTALLATION_ANYWHERE environment variable to true.
Query Packs¶
Minor Analysis Improvements¶
C/C++¶
The “Returning stack-allocated memory” query (cpp/return-stack-allocated-memory) no longer produces results if there is an extraction error in the returned expression.
The “Badly bounded write” query (cpp/badly-bounded-write) no longer produces results if there is an extraction error in the type of the output buffer.
The “Too few arguments to formatting function” query (cpp/wrong-number-format-arguments) no longer produces results if an argument has an extraction error.
The “Wrong type of arguments to formatting function” query (cpp/wrong-type-format-argument) no longer produces results when an argument type has an extraction error.
Added dataflow models and flow sources for Microsoft’s Active Template Library (ATL).
C#¶
The ExternalApi and TestLibrary modules have been moved to the library pack.
New Queries¶
Python¶
The Server Side Template Injection query (py/template-injection), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the main query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input.
Actions¶
Initial public preview release
Language Libraries¶
Breaking Changes¶
Java/Kotlin¶
The class ControlFlowNode (and by extension BasicBlock) is no longer directly equatable to Expr and Stmt. Any queries that have been exploiting these equalities, for example by using casts, will need minor updates in order to fix any compilation errors. Conversions can be inserted in either direction depending on what is most convenient. Available conversions include Expr.getControlFlowNode(), Stmt.getControlFlowNode(), ControlFlowNode.asExpr(), ControlFlowNode.asStmt(), and ControlFlowNode.asCall(). Exit nodes were until now modelled as a ControlFlowNode equal to its enclosing Callable; these are now instead modelled by the class ControlFlow::ExitNode.
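The migration described above, as an added example that is not part of the CodeQL changelog: a query that used to equate a ControlFlowNode with a Call and with the enclosing Callable, rewritten with the explicit conversions and the new ControlFlow::ExitNode class. The predicate name callBeforeExit is made up for this example.

```ql
import java

/**
 * Holds if `n` is the control-flow node of `call` and the next
 * control-flow step after it is the exit of the enclosing callable.
 *
 * Before CodeQL 2.20.1 this could be written as
 *   n = call and n.getASuccessor() = n.getEnclosingCallable()
 * because a ControlFlowNode was equatable to Expr/Stmt and the exit node
 * was modelled as the Callable itself. Both equalities are now compile
 * errors, so the conversions below are required.
 */
predicate callBeforeExit(Call call, ControlFlowNode n) {
  // Convert from the control-flow side to the AST side ...
  n.asCall() = call and
  // ... and use the dedicated exit-node class instead of the Callable.
  n.getASuccessor() instanceof ControlFlow::ExitNode
}

from Call call, ControlFlowNode n
where callBeforeExit(call, n)
select call,
  "Call immediately followed by the exit of " + n.getEnclosingCallable().getName()
```

The same query could equally be written from the AST side with call.getControlFlowNode() = n; which direction to convert in is a matter of convenience, as the note above says.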
Major Analysis Improvements¶
Swift¶
Upgraded to allow analysis of Swift 6.0.2.
Minor Analysis Improvements¶
C/C++¶
The Guards library (semmle.code.cpp.controlflow.Guards) has been improved to recognize more guard conditions.
C#¶
C# 13: Added QL library support for collection-like type params parameters.
Added remote flow source models for properties of Blazor components annotated with any of the following attributes from Microsoft.AspNetCore.Components: [SupplyParameterFromForm], [SupplyParameterFromQuery].
Added the constructor and explicit cast operator of Microsoft.AspNetCore.Components.MarkupString as an html-injection sink. This will help catch cross-site scripting resulting from using MarkupString.
Added flow summaries for the Microsoft.AspNetCore.Mvc.Controller::View method.
The data flow library has been updated to track types in a slightly different way: the type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents are tracked less precisely. This may have a slight effect on false positives for complex flow paths.
The C# extractor now supports basic extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.
Golang¶
Added a commandargs local source model for the os.Args variable.
Java/Kotlin¶
Added java.io.File.getName() as a path injection sanitizer.
The data flow library has been updated to track types in a slightly different way: the type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents are tracked less precisely. This may have a slight effect on false positives for complex flow paths.
Added a sink for “Server-side request forgery” (java/ssrf) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.
Python¶
Added modeling of fastapi.Request and starlette.requests.Request as sources of untrusted input, and modeling of tainted data flow out of these request objects.
Deprecated APIs¶
C/C++¶
The TemplateParameter class, representing C++ type template parameters, has been deprecated. Use TypeTemplateParameter instead.
New Features¶
C/C++¶
New classes SizeofPackExprOperator and SizeofPackTypeOperator were introduced, which represent the C++ sizeof... operator taking expressions and type arguments, respectively.
A new class TemplateTemplateParameterInstantiation was introduced, which represents instantiations of template template parameters.
A new predicate getAnInstantiation was added to the TemplateTemplateParameter class, which yields instantiations of template template parameters.
The getTemplateArgumentType and getTemplateArgumentValue predicates of the Declaration class now also yield template arguments of template template parameters.
A new class NonTypeTemplateParameter was introduced, which represents C++ non-type template parameters.
A new class TemplateParameterBase was introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters.
Python¶
Added support for parameter annotations in API graphs. This means that in a function definition such as def foo(x: Bar): ..., you can now use the getInstanceFromAnnotation() method to step from Bar to x. In addition to this, the getAnInstance method now also includes instances arising from parameter annotations.
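The annotation step described above, as an added example that is not part of the CodeQL changelog. It assumes a hypothetical Python module mylib exporting a class Bar and code such as def foo(x: Bar): ...; the query name and message are made up for this example.

```ql
import python
import semmle.python.ApiGraphs

/**
 * Finds parameters whose only link to `mylib.Bar` is a type annotation,
 * for example `x` in `def foo(x: Bar): ...`.
 *
 * Before CodeQL 2.20.1, `x` was not an instance of the `Bar` API node
 * unless a `Bar(...)` call or similar flowed into it; the annotation now
 * establishes that link via `getInstanceFromAnnotation()`.
 */
from API::Node bar, DataFlow::Node annotatedParam
where
  // `mylib` and `Bar` are assumed names for this example.
  bar = API::moduleImport("mylib").getMember("Bar") and
  // Step from the `Bar` API node to a parameter annotated as `Bar`.
  annotatedParam = bar.getInstanceFromAnnotation().asSource()
select annotatedParam, "Parameter annotated as mylib.Bar, reached purely through its annotation."
```

Because getAnInstance() now also includes annotation-derived instances, models that use bar.getAnInstance() to find method calls on Bar objects pick these parameters up without any change to the model.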
Actions¶
Initial public preview release