CodeQL 2.20.2 (2025-01-22)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.20.2 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).

CodeQL CLI

Bug Fixes

  • Fixed a bug where CodeQL would crash on rare occasions while merging SARIF files before uploading results.

Improvements

  • codeql database create and codeql database finalize now write relations to disk in a new, compressed format. As a result, databases will generally take up less space on disk, whether zipped or unzipped. Note that databases in this format can only be read and analyzed using CodeQL version 2.20.1 onwards. Attempting to analyze such a database with CodeQL version 2.20.0 or older will fail, with an error message like the following:

    UnsortedExtensionalError: Tuples that were assumed to be in order are not: [123456777, 777654321, 123456777]<[777654321, 123456777, 777654321]

  • Added the .bitLength() method to QlBuiltins::BigInt.

Query Packs

Bug Fixes

Java/Kotlin

  • Classes that define a writeReplace method are no longer flagged by the java/missing-no-arg-constructor-on-serializable query, on the assumption that they are unlikely to be deserialized using the default algorithm.
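The two cases the query distinguishes, as an added example (not CodeQL's or the query's own code): both classes extend a non-serializable superclass that has no no-arg constructor, but only the one without writeReplace depends on the default deserialization algorithm, which is exactly where it fails. Class and field names are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class WriteReplaceDemo {
    // Non-serializable superclass with no no-arg constructor. Default deserialization
    // must invoke such a constructor on the first non-serializable superclass.
    static class Config {
        final String name;
        Config(String name) { this.name = name; }
    }
    // Flagged by java/missing-no-arg-constructor-on-serializable: writing succeeds,
    // but readObject throws InvalidClassException ("... no valid constructor").
    static class PlainConfig extends Config implements Serializable {
        PlainConfig(String name) { super(name); }
    }
    // No longer flagged: writeReplace substitutes a serialization proxy, so the
    // default algorithm never has to construct a ProxiedConfig on its own.
    static class ProxiedConfig extends Config implements Serializable {
        ProxiedConfig(String name) { super(name); }
        private Object writeReplace() { return new Proxy(name); }
        private static class Proxy implements Serializable {
            private final String name;
            Proxy(String name) { this.name = name; }
            // readResolve rebuilds the real object through its ordinary constructor.
            private Object readResolve() { return new ProxiedConfig(name); }
        }
    }
    static Object roundTrip(Object o) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("proxied: " + ((Config) roundTrip(new ProxiedConfig("proxied"))).name);
        try {
            roundTrip(new PlainConfig("plain"));
        } catch (InvalidClassException e) {
            System.out.println("plain fails: " + e.getMessage());
        }
    }
}
```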

  • The query “Use of a broken or risky cryptographic algorithm” (java/weak-cryptographic-algorithm) now gives the reason why the cryptographic algorithm is considered weak.

JavaScript/TypeScript

  • Fixed a TypeScript extractor crash that would occur when encountering an export specifier whose local specifier was a string literal.

Major Analysis Improvements

JavaScript/TypeScript

  • The js/xss-through-dom query now recognises sources of DOM input originating from Angular templates.

Minor Analysis Improvements

C/C++

  • Added dataflow models for SysAllocString and related functions.

  • The cpp/badly-bounded-write, cpp/equality-on-floats, cpp/short-global-name, cpp/static-buffer-overflow, cpp/too-few-arguments, cpp/useless-expression, cpp/world-writable-file-creation queries no longer produce alerts on files created by CMake to test the build configuration.

Language Libraries

Major Analysis Improvements

JavaScript/TypeScript

  • All data flow queries now use the same underlying data flow library as the analyses for the other languages, replacing the old one written specifically for JavaScript/TypeScript. This is a significant change, and users may consequently observe differences in the alerts generated by the analysis.

Minor Analysis Improvements

C/C++

  • DefaultOptions::exits now holds for C23 functions with the _Noreturn or ___Noreturn__ attribute.

C#

  • Added extractor support for extracting implicit ToString calls in binary + expressions and string interpolation expressions.

  • The Razor source generator invocation in build-mode:none extraction has been changed to use relative file paths instead of absolute ones.

  • C# 13: Added extractor support and call dispatch logic (data flow) for the (negative) type parameter constraint allows ref struct. Added extractor support for the type parameter constraint notnull.

Golang

  • database local source models have been added for the Beego ORM package.

  • database local source models have been added for the github.com/jmoiron/sqlx package.

  • Added database source models for database methods from the gorm.io/gorm package.

  • database local source models have been added for the database/sql and database/sql/driver packages.

Java/Kotlin

  • JavacTool-based compiler interception no longer requires an --add-opens directive when FileObject.toUri is accessible.

  • JavacTool-based compiler interception no longer throws an exception visible to the program using JavacTool on failure to extract a file path from a passed JavaFileObject.

  • JavacTool-based compiler interception now supports files that don’t simply wrap a file:// URL, such as a source file inside a JAR, or an in-memory file, but which do implement getCharContent.
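An in-memory compilation unit of the kind the last bullet describes, as an added example (not CodeQL's own code): the source has no file:// backing and is exposed only through getCharContent. It assumes the JDK's standard compiler, which ToolProvider returns as a JavacTool instance; the class name and source text are constructed for the demo.

```java
import java.net.URI;
import java.nio.file.Files;
import java.util.List;
import javax.tools.DiagnosticCollector;
import javax.tools.JavaCompiler;
import javax.tools.JavaFileObject;
import javax.tools.SimpleJavaFileObject;
import javax.tools.ToolProvider;

public class InMemoryCompile {
    // A compilation unit that does not wrap a file:// URL: the source text lives in a
    // String, and the compiler (or an extractor intercepting it) reads it via getCharContent.
    static class StringSource extends SimpleJavaFileObject {
        private final String code;
        StringSource(String className, String code) {
            super(URI.create("string:///" + className.replace('.', '/') + Kind.SOURCE.extension),
                  Kind.SOURCE);
            this.code = code;
        }
        @Override
        public CharSequence getCharContent(boolean ignoreEncodingErrors) { return code; }
    }

    // Compiles one in-memory source with the JDK's javac and reports whether it
    // succeeded; class files go to a fresh temporary directory (javac needs -d to exist).
    static boolean compile(String className, String code) throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        DiagnosticCollector<JavaFileObject> diags = new DiagnosticCollector<>();
        List<String> options = List.of("-d", Files.createTempDirectory("inmem-demo").toString());
        JavaCompiler.CompilationTask task =
            javac.getTask(null, null, diags, options, null, List.of(new StringSource(className, code)));
        boolean ok = task.call();
        diags.getDiagnostics().forEach(d -> System.err.println(d.getMessage(null)));
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample source; nothing here is read from disk.
        String src = "public class Hello { public static void main(String[] a) { System.out.println(\"hi\"); } }";
        System.out.println("compiled: " + compile("Hello", src));
    }
}
```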

JavaScript/TypeScript

  • The sensitive data library has been improved so that snake_case style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.

Python

  • The sensitive data library has been improved so that snake_case style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.

  • Additional taint steps through methods of lxml.etree.Element and lxml.etree.ElementTree objects from the lxml PyPI package have been modeled.

Ruby

  • The sensitive data library has been improved so that snake_case style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.

  • Types are now being tracked in data flow, but only when the type of an object is obvious from the context. For example, C.new has guaranteed type C, while in def add(x, y); x + y; end we cannot assign a type to x + y (it could, for instance, be both String and Integer). Tracking types allows us to remove false-positive results when type incompatibility can be established.

Swift

  • The sensitive data library has been improved so that snake_case style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.

Deprecated APIs

JavaScript/TypeScript

  • Custom data flow queries will need to be migrated in order to use the shared data flow library. Until migrated, such queries will compile with deprecation warnings and run with a deprecated copy of the old data flow library. The deprecation layer will be removed in early 2026, after which any unmigrated queries will stop working. See more information in the migration guide.

New Features

C/C++

  • Added a new predicate getAnIndirectBarrier to the parameterized module InstructionBarrierGuard in semmle.code.cpp.dataflow.new.DataFlow for computing indirect data flow nodes that are guarded by a given instruction. This predicate is similar to the getAnIndirectBarrier predicate on the parameterized module BarrierGuard.

  • A new predicate getDecltype was added to the ProxyClass class, which yields the decltype for the proxy class.

  • Template classes that are of struct type are now also instances of the Struct class.

  • Template classes that are of union type are now also instances of the Union class.

  • A new abstract class ConfigurationTestFile (semmle.code.cpp.ConfigurationTestFile.ConfigurationTestFile) was introduced, which represents files created to test the build configuration. A subclass CmakeTryCompileFile of ConfigurationTestFile was also introduced, which represents files created by CMake to test the build configuration.

  • New predicates getARequiresClause, getTemplateRequiresClause and getFunctionRequiresClause were added to the FunctionDeclarationEntry class, which yield the requires clauses when the entry represents a function template declaration with requires clauses.

  • A new predicate getRequiresClause was added to the TypeDeclarationEntry class, which yields the requires clause when the entry represents a class template declaration with a requires clause.

  • A new predicate getRequiresClause was added to the VariableDeclarationEntry class, which yields the requires clause when the entry represents a variable template declaration with a requires clause.

  • A new predicate getTypeConstraint was added to the TypeTemplateParameter class, which yields the type constraint of the parameter if it exists.

  • A new class VariableTemplateSpecialization was introduced, which represents explicit specializations of variable templates.

  • A new predicate isSpecialization was added to the Variable class, which holds if the variable is a template specialization.

  • A new class ConceptIdExpr was introduced, which represents C++20 concept id expressions.

  • A new class Concept was introduced, which represents C++20 concepts.

  • The getTemplateArgumentType and getTemplateArgumentValue predicates of the Declaration class now also yield template arguments of concepts.

  • A new class ConstevalIfStmt was introduced, which represents the C++23 if consteval and if !consteval statements.

Java/Kotlin

  • The Java and Kotlin extractors now support CODEQL_PATH_TRANSFORMER. SEMMLE_PATH_TRANSFORMER is still supported, but deprecated.
