CodeQL documentation

CodeQL 2.20.4 (2025-02-06)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.20.4 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).

CodeQL CLI

Bug Fixes

  • Fixed a bug where CodeQL for Java would fail with an SSL exception while trying to download maven.

New Features

  • Using the actions language (for analysis of GitHub Actions workflows) no longer requires the CODEQL_ENABLE_EXPERIMENTAL_FEATURES environment variable to be set. Support for analysis of GitHub Actions workflows remains in public preview.

Miscellaneous

  • The build of the logback-core library that is used for logging in the CodeQL CLI has been updated to version 1.3.15.

Query Packs

Bug Fixes

JavaScript/TypeScript

  • Fixed a bug that would occur when TypeScript code was found in an HTML-like file, such as a .vue file, but where it could not be associated with any tsconfig.json file. Previously the embedded code was not extracted in this case, but should now be extracted properly.

Major Analysis Improvements

JavaScript/TypeScript

  • Improved support for NestJS applications that make use of dependency injection with custom providers. Calls to methods on an injected service should now be resolved properly.

  • TypeScript extraction is now better at analyzing projects where the main tsconfig.json file does not include any source files, but references other tsconfig.json-like files that do include source files.

  • The js/incorrect-suffix-check query now recognises some good patterns of the form origin.indexOf("." + allowedOrigin) that were previously falsely flagged.

  • Added a new threat model kind called view-component-input, which can be enabled with advanced setup. When enabled, all React props, Vue props, and input fields in an Angular component are treated as taint sources, even if none of the corresponding instantiation sites appear to pass in a tainted value. Some users may prefer this as a “defense in depth” option, but note that it may result in false positives. Regardless of whether the threat model is enabled, CodeQL will propagate taint from the instantiation sites of such components into the components themselves.
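As an added illustration (not code from the CodeQL changelog or the CodeQL query itself) of what the js/incorrect-suffix-check item above is about: an origin allow-list check that tests the trusted domain as a bare suffix, beside the corrected form that requires the "." separator, which is the shape of the origin.indexOf("." + allowedOrigin) pattern the note mentions. Host names and the ALLOWED_ORIGIN value are constructed samples.

```javascript
// Added example: origin allow-listing with and without the "." separator.
// Not part of the CodeQL changelog; all host names are constructed samples.

const ALLOWED_ORIGIN = "example.com"; // constructed trusted parent domain

// Incorrect suffix check: any host that merely ends with the allowed domain
// passes, including unrelated registrable domains such as "notexample.com".
// This is the shape that js/incorrect-suffix-check reports.
function isAllowedOriginWeak(origin) {
  let host;
  try {
    host = new URL(origin).hostname; // WHATWG URL lowercases the host
  } catch (e) {
    return false; // unparsable Origin value: reject
  }
  return host.endsWith(ALLOWED_ORIGIN);
}

// Corrected check: accept the allowed domain itself or a host that ends with
// "." + ALLOWED_ORIGIN, so only genuine subdomains match. endsWith(suffix) is
// equivalent to host.indexOf(suffix) === host.length - suffix.length, the
// position-checked indexOf pattern the query now recognises as good.
function isAllowedOriginStrict(origin) {
  let host;
  try {
    host = new URL(origin).hostname;
  } catch (e) {
    return false; // unparsable Origin value: reject
  }
  if (host === ALLOWED_ORIGIN) return true;
  const suffix = "." + ALLOWED_ORIGIN;
  return host.length > suffix.length && host.endsWith(suffix);
}

// Constructed sample Origin header values, as a CORS handler might see them.
const SAMPLE_ORIGINS = [
  "https://example.com",      // trusted domain itself
  "https://api.example.com",  // genuine subdomain
  "https://notexample.com",   // unrelated domain sharing the suffix
  "https://evil.test",        // unrelated domain
];

// Runs one checker over the samples and returns origin -> verdict.
function classify(checker) {
  return Object.fromEntries(SAMPLE_ORIGINS.map((o) => [o, checker(o)]));
}
```

classify(isAllowedOriginWeak) accepts "https://notexample.com" while classify(isAllowedOriginStrict) rejects it, which is exactly the difference the query is looking for.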

Minor Analysis Improvements

C/C++

  • The “Wrong type of arguments to formatting function” query (cpp/wrong-type-format-argument) now produces fewer false positives if the formatting function has multiple definitions.

  • The “Call to memory access function may overflow buffer” query (cpp/overflow-buffer) now produces fewer false positives involving non-static member variables.

C#

  • All experimental queries have been deprecated. The queries are instead available as part of the default query suite in CodeQL-Community-Packs.

Java/Kotlin

  • All experimental queries have been deprecated. The queries are instead available as part of the default query suite in CodeQL-Community-Packs.

Language Libraries

Bug Fixes

GitHub Actions

  • Fixed data for vulnerable versions of actions/download-artifact and rlespinasse/github-slug-action (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).

  • Improved untrustedGhCommandDataModel regex for gh pr view and Bash taint analysis in GitHub Actions.

Breaking Changes

C/C++

  • Deleted the deprecated getAllocatorCall predicate from DeleteOrDeleteArrayExpr, use getDeallocatorCall instead.

C#

  • Deleted the deprecated getInstanceType predicate from the UnboundGenericType class.

  • Deleted the deprecated getElement predicate from the Node class in ControlFlowGraph.qll, use getAstNode instead.

Golang

  • Deleted the deprecated describeBitSize predicate from IncorrectIntegerConversionLib.qll.

Java/Kotlin

  • Deleted the deprecated isLValue and isRValue predicates from the VarAccess class, use isVarWrite and isVarRead respectively instead.

  • Deleted the deprecated getRhs predicate from the VarWrite class, use getASource instead.

  • Deleted the deprecated LValue and RValue classes, use VarWrite and VarRead respectively instead.

  • Deleted a lot of deprecated classes ending in *Access, use the corresponding *Call classes instead.

  • Deleted a lot of deprecated predicates ending in *Access, use the corresponding *Call predicates instead.

  • Deleted the deprecated EnvInput and DatabaseInput classes from FlowSources.qll, use the threat models feature instead.

  • Deleted some deprecated API predicates from SensitiveApi.qll, use the Sink classes from that file instead.

Python

  • Deleted the old deprecated TypeTracking library.

  • Deleted the deprecated classRef predicate from the FieldStorage module, use subclassRef instead.

  • Deleted a lot of deprecated modules and predicates from Stdlib.qll, use API-graphs directly instead.

Ruby

  • Deleted the deprecated getCallNode predicate from API::Node, use asCall() instead.

  • Deleted the deprecated getASubclass, getAnImmediateSubclass, getASuccessor, getAPredecessor, getASuccessor, getDepth, and getPath predicates from API::Node.

  • Deleted the deprecated Root, Use, and Def classes from ApiGraphs.qll.

  • Deleted the deprecated Label module from ApiGraphs.qll.

  • Deleted the deprecated getAUse, getAnImmediateUse, getARhs, and getAValueReachingRhs predicates from API::Node, use getAValueReachableFromSource, asSource, asSink, and getAValueReachingSink instead.

  • Deleted the deprecated getAVariable predicate from the ExprNode class, use getVariable instead.

  • Deleted the deprecated getAPotentialFieldAccessMethod predicate from the ActiveRecordModelClass class.

  • Deleted the deprecated ActiveRecordModelClassMethodCall class from ActiveRecord.qll, use ActiveRecordModelClass.getClassNode().trackModule().getMethod() instead.

  • Deleted the deprecated PotentiallyUnsafeSqlExecutingMethodCall class from ActiveRecord.qll, use the SqlExecution concept instead.

  • Deleted the deprecated ModelClass and ModelInstance classes from ActiveResource.qll, use ModelClassNode and ModelClassNode.getAnInstanceReference() instead.

  • Deleted the deprecated Collection class from ActiveResource.qll, use CollectionSource instead.

  • Deleted the deprecated ServiceInstantiation and ClientInstantiation classes from Twirp.qll.

  • Deleted a lot of deprecated dataflow modules from *Query.qll files.

  • Deleted the old deprecated TypeTracking library.

Swift

  • Deleted the deprecated ArrayContent class from the dataflow library, use CollectionContent instead.

  • Deleted the deprecated getOptionsInput, getRegexInput, and getStringInput predicates from the regexp library, use getAnOptionsInput, getRegexInputNode, and getStringInputNode instead.

Major Analysis Improvements

JavaScript/TypeScript

  • Added a new XSS sink where innerHTML or outerHTML is assigned to with the Angular Renderer2 API, and modeled this API as a general attribute setter.

Minor Analysis Improvements

C#

  • C# 13: Added MaD models for some overload implementations using ReadOnlySpan parameters (like String.Format(System.String, System.ReadOnlySpan<System.Object>)).

  • C# 13: Added support for the overload resolution priority attribute (OverloadResolutionPriority). Usages of the attribute and the corresponding priority can be found using the QL class SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute.

  • C# 13: Added support for partial properties and indexers.

Golang

  • Models-as-data models using “Parameter”, “Parameter[n]” or “Parameter[n1..n2]” as the output now work correctly.

  • By implementing ImplicitFieldReadNode it is now possible to declare a dataflow node that reads any content (fields, array members, map keys and values). For example, this is appropriate for modelling a serialization method that flattens a potentially deep data structure into a string or byte array.

  • The Template.Execute[Template] methods of the text/template package now correctly convey taint from any nested fields to their result. This may produce more results from any taint-tracking query when the text/template package is in use.

  • Added the rs/cors library to the CorsMisconfiguration.ql query.

Java/Kotlin

  • We now allow classes which don’t have any JAX-RS annotations to inherit JAX-RS annotations from superclasses or interfaces. This is not allowed in the JAX-RS specification, but some implementations, like Apache CXF, allow it. This may lead to more alerts being found.

Python

  • Additional data flow models for the builtin functions map, filter, zip, and enumerate have been added.

New Features

C/C++

  • A new predicate getOffsetInClass was added to the Field class, which computes the byte offset of a field relative to a given Class.

  • New classes PreprocessorElifdef and PreprocessorElifndef were introduced, which represent the C23/C++23 #elifdef and #elifndef preprocessor directives.

  • A new class TypeLibraryImport was introduced, which represents the #import preprocessor directive as used by Microsoft Visual C++ to import type libraries.

Shared Libraries

Breaking Changes

Dataflow Analysis

  • Deleted the deprecated Make and MakeWithState modules, use Global and GlobalWithState instead.

  • Deleted the deprecated hasFlow, hasFlowPath, hasFlowTo, and hasFlowToExpr predicates, use flow, flowPath, flowTo, and flowToExpr respectively instead.

Control Flow Analysis

  • Added a basic block construction as part of the library. This is currently considered an internal unstable API. The input signature to the control flow graph now requires two additional predicates: idOfAstNode and idOfCfgScope.

Type Trackers

  • Deleted the deprecated ConsistencyChecks module.
