CodeQL 2.20.2 (2025-01-22)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage

CodeQL 2.20.2 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).
CodeQL CLI

Bug Fixes

- Fixed a bug where CodeQL would crash on rare occasions while merging SARIF files before uploading results.

Improvements

- `codeql database create` and `codeql database finalize` now write relations to disk in a new, compressed format. As a result, databases will generally take up less space on disk, whether zipped or unzipped. Note that databases in this format can only be read and analyzed using CodeQL version 2.20.1 onwards. Attempting to analyze such a database with CodeQL version 2.20.0 or older will fail, with an error message like the following: `UnsortedExtensionalError: Tuples that were assumed to be in order are not: [123456777, 777654321, 123456777]<[777654321, 123456777, 777654321]`
- Added the `.bitLength()` method to `QlBuiltins::BigInt`.
Query Packs

Bug Fixes

Java/Kotlin

- Classes that define a `writeReplace` method are no longer flagged by the `java/missing-no-arg-constructor-on-serializable` query, on the assumption that they are unlikely to be deserialized using the default algorithm.
- The query "Use of a broken or risky cryptographic algorithm" (`java/weak-cryptographic-algorithm`) now gives the reason why the cryptographic algorithm is considered weak.

JavaScript/TypeScript

- Fixed a TypeScript extractor crash that would occur when encountering an export specifier whose local specifier was a string literal.

Major Analysis Improvements

JavaScript/TypeScript

- The `js/xss-through-dom` query now recognises sources of DOM input originating from Angular templates.

Minor Analysis Improvements

C/C++

- Added dataflow models for `SysAllocString` and related functions.
- The `cpp/badly-bounded-write`, `cpp/equality-on-floats`, `cpp/short-global-name`, `cpp/static-buffer-overflow`, `cpp/too-few-arguments`, `cpp/useless-expression`, and `cpp/world-writable-file-creation` queries no longer produce alerts on files created by CMake to test the build configuration.
Language Libraries

Major Analysis Improvements

JavaScript/TypeScript

- All data flow queries now use the same underlying data flow library as the analyses for the other languages, replacing the old one written specifically for JavaScript/TypeScript. This is a significant change, and users may consequently observe differences in the alerts generated by the analysis.

Minor Analysis Improvements

C/C++

- `DefaultOptions::exits` now holds for C23 functions with the `_Noreturn` or `___Noreturn__` attribute.

C#

- Added extractor support for extracting implicit `ToString` calls in binary `+` expressions and string interpolation expressions.
- The Razor source generator invocation in `build-mode:none` extraction has been changed to use relative file paths instead of absolute ones.
- C# 13: Added extractor support and call dispatch logic (data flow) for the (negative) type parameter constraint `allows ref struct`. Added extractor support for the type parameter constraint `notnull`.
Golang

- `database` local source models have been added for the Beego ORM package.
- `database` local source models have been added for the `github.com/jmoiron/sqlx` package.
- Added `database` source models for database methods from the `gorm.io/gorm` package.
- `database` local source models have been added for the `database/sql` and `database/sql/driver` packages.
Java/Kotlin

- `JavacTool`-based compiler interception no longer requires an `--add-opens` directive when `FileObject.toUri` is accessible.
- `JavacTool`-based compiler interception no longer throws an exception visible to the program using `JavacTool` on failure to extract a file path from a passed `JavaFileObject`.
- `JavacTool`-based compiler interception now supports files that don't simply wrap a `file://` URL, such as a source file inside a JAR, or an in-memory file, but which do implement `getCharContent`.
JavaScript/TypeScript

- The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.

Python

- The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.

Ruby

- The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
- Types are now being tracked in data flow, but only when the type of an object is obvious from the context. For example, `C.new` has guaranteed type `C`, while in `def add(x, y) { x + y }` we cannot assign a type to `x + y` (it could, for instance, be both `String` and `Integer`). Tracking types allows us to remove false-positive results when type incompatibility can be established.

Swift

- The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
Deprecated APIs

JavaScript/TypeScript

- Custom data flow queries will need to be migrated in order to use the shared data flow library. Until migrated, such queries will compile with deprecation warnings and run with a deprecated copy of the old data flow library. The deprecation layer will be removed in early 2026, after which any unmigrated queries will stop working. See more information in the migration guide.
New Features

C/C++

- Added a new predicate `getAnIndirectBarrier` to the parameterized module `InstructionBarrierGuard` in `semmle.code.cpp.dataflow.new.DataFlow` for computing indirect dataflow nodes that are guarded by a given instruction. This predicate is similar to the `getAnIndirectBarrier` predicate on the parameterized module `BarrierGuard`.
- A new predicate `getDecltype` was added to the `ProxyClass` class, which yields the decltype for the proxy class.
- Template classes that are of `struct` type are now also instances of the `Struct` class.
- Template classes that are of `union` type are now also instances of the `Union` class.
- A new abstract class `ConfigurationTestFile` (`semmle.code.cpp.ConfigurationTestFile.ConfigurationTestFile`) was introduced, which represents files created to test the build configuration. A subclass `CmakeTryCompileFile` of `ConfigurationTestFile` was also introduced, which represents files created by CMake to test the build configuration.
- New predicates `getARequiresClause`, `getTemplateRequiresClause` and `getFunctionRequiresClause` were added to the `FunctionDeclarationEntry` class, which yield the requires clauses when the entry represents a function template declaration with requires clauses.
- A new predicate `getRequiresClause` was added to the `TypeDeclarationEntry` class, which yields the requires clause when the entry represents a class template declaration with a requires clause.
- A new predicate `getRequiresClause` was added to the `VariableDeclarationEntry` class, which yields the requires clause when the entry represents a variable template declaration with a requires clause.
- A new predicate `getTypeConstraint` was added to the `TypeTemplateParameter` class, which yields the type constraint of the parameter if it exists.
- A new class `VariableTemplateSpecialization` was introduced, which represents explicit specializations of variable templates.
- A new predicate `isSpecialization` was added to the `Variable` class, which holds if the variable is a template specialization.
- A new class `ConceptIdExpr` was introduced, which represents C++20 concept id expressions.
- A new class `Concept` was introduced, which represents C++20 concepts.
- The `getTemplateArgumentType` and `getTemplateArgumentValue` predicates of the `Declaration` class now also yield template arguments of concepts.
- A new class `ConstevalIfStmt` was introduced, which represents the C++23 `if consteval` and `if ! consteval` statements.
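As an added example (not from this changelog or the CodeQL library itself), the following custom C/C++ query applies the new `ConfigurationTestFile` class to drop results from files that CMake generated only to probe the build configuration, the same exclusion the Query Packs entry above describes for the built-in queries. It assumes `ConfigurationTestFile` is a subclass of `File` (so a plain `instanceof` test works), uses the module path given in the entry, and the `strcpy` check and query id are illustrative.

```ql
/**
 * @name Calls to strcpy outside build-configuration test files
 * @description Illustrative custom query: reports strcpy calls but, like the
 *              built-in queries, ignores scratch files created by CMake to
 *              test the build configuration (CmakeTryCompileFile instances).
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/strcpy-outside-configuration-test-files
 */

import cpp
// Module path as given in this changelog entry.
import semmle.code.cpp.ConfigurationTestFile

/** Holds if `f` was generated only to test the build configuration. */
predicate isConfigurationTestFile(File f) {
  // Assumption: ConfigurationTestFile extends File. Because the class is
  // abstract, this matches every subclass, including CmakeTryCompileFile.
  f instanceof ConfigurationTestFile
}

from FunctionCall call, Function target
where
  call.getTarget() = target and
  target.hasGlobalOrStdName("strcpy") and
  // Exclude results in CMake's configuration probes, which are never shipped.
  not isConfigurationTestFile(call.getFile())
select call, "Call to " + target.getName() + " outside a build-configuration test file."
```

Swapping the `not` out of the `where` clause turns this into an audit query that lists exactly which files the exclusion is suppressing, which is useful for checking that no real source is being hidden.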
Java/Kotlin

- The Java and Kotlin extractors now support `CODEQL_PATH_TRANSFORMER`. `SEMMLE_PATH_TRANSFORMER` is still supported, but deprecated.