CodeQL 2.20.4 (2025-02-06)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.20.4 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).
CodeQL CLI

Bug Fixes

- Fixed a bug where CodeQL for Java would fail with an SSL exception while trying to download `maven`.
New Features

- Using the `actions` language (for analysis of GitHub Actions workflows) no longer requires the `CODEQL_ENABLE_EXPERIMENTAL_FEATURES` environment variable to be set. Support for analysis of GitHub Actions workflows remains in public preview.
Miscellaneous

- The build of the logback-core library that is used for logging in the CodeQL CLI has been updated to version 1.3.15.
Query Packs

Bug Fixes

JavaScript/TypeScript

- Fixed a bug that would occur when TypeScript code was found in an HTML-like file, such as a `.vue` file, but where it could not be associated with any `tsconfig.json` file. Previously the embedded code was not extracted in this case, but should now be extracted properly.
Major Analysis Improvements

JavaScript/TypeScript

- Improved support for NestJS applications that make use of dependency injection with custom providers. Calls to methods on an injected service should now be resolved properly.
- TypeScript extraction is now better at analyzing projects where the main `tsconfig.json` file does not include any source files, but references other `tsconfig.json`-like files that do include source files.
- The `js/incorrect-suffix-check` query now recognises some good patterns of the form `origin.indexOf("." + allowedOrigin)` that were previously falsely flagged.
- Added a new threat model kind called `view-component-input`, which can be enabled with advanced setup. When enabled, all React props, Vue props, and input fields in an Angular component are seen as taint sources, even if none of the corresponding instantiation sites appear to pass in a tainted value. Some users may prefer this as a "defense in depth" option, but note that it may result in false positives. Regardless of whether the threat model is enabled, CodeQL will propagate taint from the instantiation sites of such components into the components themselves.
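The `js/incorrect-suffix-check` item above concerns suffix checks that are emulated with `indexOf()`. As an added example that is not part of these release notes, the following shows the unsafe shape next to a hardened one, using the `origin`/`allowedOrigin` names from the note; the function names and sample origins are constructed, and the exact heuristics the query applies are not described here.

```javascript
// Added example (not from the CodeQL release notes): the bug class that
// js/incorrect-suffix-check targets. Function names and inputs are constructed.

// Unsafe: emulates endsWith() with indexOf(). When the needle is absent,
// indexOf() returns -1, and origin.length - needle.length is also -1
// whenever the needle is exactly one character longer than origin, so an
// unrelated origin of that length passes the check.
function isAllowedOriginUnsafe(origin, allowedOrigin) {
  const needle = "." + allowedOrigin;
  return origin.indexOf(needle) === origin.length - needle.length;
}

// Hardened: the -1 case cannot slip through because endsWith() is a real
// suffix test; the bare allowed origin is accepted alongside its subdomains.
function isAllowedOriginSafe(origin, allowedOrigin) {
  if (origin === allowedOrigin) return true;
  return origin.endsWith("." + allowedOrigin);
}

// Constructed inputs: ".example.com" has length 12, "example.org" has
// length 11, so 11 - 12 === -1 === indexOf() result and the unsafe check
// wrongly accepts the unrelated origin.
const ALLOWED = "example.com";
const SUBDOMAIN = "app.example.com";
const UNRELATED = "example.org";

console.log(isAllowedOriginUnsafe(SUBDOMAIN, ALLOWED)); // true (correct)
console.log(isAllowedOriginUnsafe(UNRELATED, ALLOWED)); // true (the bug)
console.log(isAllowedOriginSafe(UNRELATED, ALLOWED));   // false
```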
Minor Analysis Improvements

C/C++

- The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) now produces fewer FPs if the formatting function has multiple definitions.
- The "Call to memory access function may overflow buffer" query (`cpp/overflow-buffer`) now produces fewer FPs involving non-static member variables.
C#

- All experimental queries have been deprecated. The queries are instead available as part of the default query suite in CodeQL-Community-Packs.

Java/Kotlin

- All experimental queries have been deprecated. The queries are instead available as part of the default query suite in CodeQL-Community-Packs.
Language Libraries

Bug Fixes

GitHub Actions

- Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
- Improved the `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
Breaking Changes

C/C++

- Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`; use `getDeallocatorCall` instead.
C#

- Deleted the deprecated `getInstanceType` predicate from the `UnboundGenericType` class.
- Deleted the deprecated `getElement` predicate from the `Node` class in `ControlFlowGraph.qll`; use `getAstNode` instead.
Golang

- Deleted the deprecated `describeBitSize` predicate from `IncorrectIntegerConversionLib.qll`.
Java/Kotlin

- Deleted the deprecated `isLValue` and `isRValue` predicates from the `VarAccess` class; use `isVarWrite` and `isVarRead` respectively instead.
- Deleted the deprecated `getRhs` predicate from the `VarWrite` class; use `getASource` instead.
- Deleted the deprecated `LValue` and `RValue` classes; use `VarWrite` and `VarRead` respectively instead.
- Deleted a lot of deprecated classes ending in `*Access`; use the corresponding `*Call` classes instead.
- Deleted a lot of deprecated predicates ending in `*Access`; use the corresponding `*Call` predicates instead.
- Deleted the deprecated `EnvInput` and `DatabaseInput` classes from `FlowSources.qll`; use the threat models feature instead.
- Deleted some deprecated API predicates from `SensitiveApi.qll`; use the Sink classes from that file instead.
Python

- Deleted the old deprecated TypeTracking library.
- Deleted the deprecated `classRef` predicate from the `FieldStorage` module; use `subclassRef` instead.
- Deleted a lot of deprecated modules and predicates from `Stdlib.qll`; use API graphs directly instead.
Ruby

- Deleted the deprecated `getCallNode` predicate from `API::Node`; use `asCall()` instead.
- Deleted the deprecated `getASubclass`, `getAnImmediateSubclass`, `getASuccessor`, `getAPredecessor`, `getASuccessor`, `getDepth`, and `getPath` predicates from `API::Node`.
- Deleted the deprecated `Root`, `Use`, and `Def` classes from `ApiGraphs.qll`.
- Deleted the deprecated `Label` module from `ApiGraphs.qll`.
- Deleted the deprecated `getAUse`, `getAnImmediateUse`, `getARhs`, and `getAValueReachingRhs` predicates from `API::Node`; use `getAValueReachableFromSource`, `asSource`, `asSink`, and `getAValueReachingSink` instead.
- Deleted the deprecated `getAVariable` predicate from the `ExprNode` class; use `getVariable` instead.
- Deleted the deprecated `getAPotentialFieldAccessMethod` predicate from the `ActiveRecordModelClass` class.
- Deleted the deprecated `ActiveRecordModelClassMethodCall` class from `ActiveRecord.qll`; use `ActiveRecordModelClass.getClassNode().trackModule().getMethod()` instead.
- Deleted the deprecated `PotentiallyUnsafeSqlExecutingMethodCall` class from `ActiveRecord.qll`; use the `SqlExecution` concept instead.
- Deleted the deprecated `ModelClass` and `ModelInstance` classes from `ActiveResource.qll`; use `ModelClassNode` and `ModelClassNode.getAnInstanceReference()` instead.
- Deleted the deprecated `Collection` class from `ActiveResource.qll`; use `CollectionSource` instead.
- Deleted the deprecated `ServiceInstantiation` and `ClientInstantiation` classes from `Twirp.qll`.
- Deleted a lot of deprecated dataflow modules from `*Query.qll` files.
- Deleted the old deprecated TypeTracking library.
Swift

- Deleted the deprecated `ArrayContent` class from the dataflow library; use `CollectionContent` instead.
- Deleted the deprecated `getOptionsInput`, `getRegexInput`, and `getStringInput` predicates from the regexp library; use `getAnOptionsInput`, `getRegexInputNode`, and `getStringInputNode` instead.
Major Analysis Improvements

JavaScript/TypeScript

- Added a new XSS sink where `innerHTML` or `outerHTML` is assigned to with the Angular Renderer2 API, and modeled this API as a general attribute setter.
Minor Analysis Improvements

C#

- C# 13: Added MaD models for some overload implementations using `ReadOnlySpan` parameters (like `String.Format(System.String, System.ReadOnlySpan<System.Object>)`).
- C# 13: Added support for the overload resolution priority attribute (`OverloadResolutionPriority`). Usages of the attribute and the corresponding priority can be found using the QL class `SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute`.
- C# 13: Added support for partial properties and indexers.
Golang

- Models-as-data models using "Parameter", "Parameter[n]" or "Parameter[n1..n2]" as the output now work correctly.
- By implementing `ImplicitFieldReadNode` it is now possible to declare a dataflow node that reads any content (fields, array members, map keys and values). For example, this is appropriate for modelling a serialization method that flattens a potentially deep data structure into a string or byte array.
- The `Template.Execute[Template]` methods of the `text/template` package now correctly convey taint from any nested fields to their result. This may produce more results from any taint-tracking query when the `text/template` package is in use.
- Added the `rs/cors` library to the CorsMisconfiguration.ql query.
Java/Kotlin

- We now allow classes which don't have any JAX-RS annotations to inherit JAX-RS annotations from superclasses or interfaces. This is not allowed in the JAX-RS specification, but some implementations, like Apache CXF, allow it. This may lead to more alerts being found.
Python

- Additional data flow models for the builtin functions `map`, `filter`, `zip`, and `enumerate` have been added.
New Features

C/C++

- A new predicate `getOffsetInClass` was added to the `Field` class, which computes the byte offset of a field relative to a given `Class`.
- New classes `PreprocessorElifdef` and `PreprocessorElifndef` were introduced, which represent the C23/C++23 `#elifdef` and `#elifndef` preprocessor directives.
- A new class `TypeLibraryImport` was introduced, which represents the `#import` preprocessor directive as used by Microsoft Visual C++ for importing type libraries.