• CodeQL »
• CodeQL overview »
• CodeQL change logs »

CodeQL 2.20.5 (2025-02-20)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.20.5 runs a total of 450 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 34 more CWE). 4 security queries have been added with this release.

CodeQL CLI

Breaking Changes

• Removed support for QlBuiltins::BigInts in the avg() aggregate.

• A number of breaking changes have been made to the C and C++ CodeQL test environment as used by codeql test run:

  • The -Xclang-only=<arg> option is no longer supported by semmle-extractor-options. Instead, when either --clang or --clang_version is specified the option should be replaced by <arg> only, otherwise the option should be omitted.

  • The --sys_include <arg> and --preinclude <arg> options are no longer supported by semmle-extractor-options. Instead, --edg <option_name> --edg <arg> should be specified.

  • The -idirafter <arg> option is no longer supported by semmle-extractor-options. Instead, --edg --sys_include --edg <arg> should be specified.

  • The -imacros <arg> option is no longer supported by semmle-extractor-options. Instead, --edg --preinclude_macros --edg <arg> should be specified.

  • The /FI <arg> option is no longer supported by semmle-extractor-options. Instead, --edg --preinclude --edg <arg> should be specified.

  • The -Wreserved-user-defined-literal, -Wno-reserved-user-defined-literal, -fwritable-strings, /Zc:rvalueCast, /Zc:rvalueCast-, and /Zc:wchar_t- options are no longer supported by semmle-extractor-options. Instead, --edg --reserved_user_defined_literal, --edg --no-reserved_user_defined_literal, --edg --no_const_string_literals, --edg --no_preserve_lvalues_with_same_type_casts, --edg --preserve_lvalues_with_same_type_casts, and --edg --no_wchar_t_keyword should be specified, respectively.

  • The /Fo <arg> option is no longer supported by semmle-extractor-options. The option should be omitted.

Query Packs

Bug Fixes

JavaScript/TypeScript

• Fixed a recently-introduced bug that prevented taint tracking through URLSearchParams objects. The original behaviour has been restored and taint should once again be tracked through such objects.

• Fixed a rare issue that would occur when a function declaration inside a block statement was referenced before it was declared. Such code is reliant on legacy web semantics, which is non-standard but nevertheless implemented by most engines. CodeQL now takes legacy web semantics into account and resolves references to these functions correctly.

• Fixed a bug that would cause parse errors in .jsx files in rare cases where the file contained syntax that was misinterpreted as Flow syntax.

Breaking Changes

GitHub Actions

• The following queries have been removed from the code-scanning and security-extended suites. Any existing alerts for these queries will be closed automatically.

  • actions/if-expression-always-true/critical

  • actions/if-expression-always-true/high

  • actions/unnecessary-use-of-advanced-config

• The following query has been moved from the code-scanning suite to the security-extended suite. Any existing alerts for this query will be closed automatically unless the analysis is configured to use the security-extended suite.

  • actions/unpinned-tag

• The following queries have been added to the security-extended suite.

  • actions/unversioned-immutable-action

  • actions/envpath-injection/medium

  • actions/envvar-injection/medium

  • actions/code-injection/medium

  • actions/artifact-poisoning/medium

  • actions/untrusted-checkout/medium

Minor Analysis Improvements

Golang

• Added github.com/gorilla/mux.Vars to path sanitizers (disabled if github.com/gorilla/mix.Router.SkipClean has been called).

GitHub Actions

• Fixed false positives in the query actions/unpinned-tag (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container’s SHA256 digest.

New Queries

Java/Kotlin

• Added a new query, java/csrf-unprotected-request-type, to detect Cross-Site Request Forgery (CSRF) vulnerabilities due to using HTTP request types that are not default-protected from CSRF.

Language Libraries

Bug Fixes

Python

• Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes.

• Using the break and continue keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case.

Minor Analysis Improvements

C#

• Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.

• C# 13: Add generated models for .NET 9.

• The models for System.Net.Http.HttpRequestMessage and System.UriBuilder have been modified to better model the flow of tainted URIs.

• Blazor [Parameter] fields bound to a variable from the route specified in the @page directive are now modeled as remote flow sources.

Golang

• Taint models have been added for the weak package, which was added in Go 1.24.

• Taint models have been added for the interfaces TextAppender and BinaryAppender in the encoding package, which were added in Go 1.24.

JavaScript/TypeScript

• Added support for regular expressions using the v flag.

Deprecated APIs

C#

• The predicates immediatelyControls and controls on the ConditionBlock class have been deprecated in favor of the newly added dominatingEdge predicate.

Golang

• The class NamedType has been deprecated. Use the new class DefinedType instead. This better matches the terminology used in the Go language specification, which was changed in Go 1.9.

• The member predicate getNamedType on GoMicro::ServiceInterfaceType has been deprecated. Use the new member predicate getDefinedType instead.

• The member predicate getNamedType on Twirp::ServiceInterfaceType has been deprecated. Use the new member predicate getDefinedType instead.

Ruby

• The predicates immediatelyControls and controls on the ConditionBlock class have been deprecated in favor of the newly added dominatingEdge predicate.

Swift

• The predicates immediatelyControls and controls on the ConditionBlock class have been deprecated in favor of the newly added dominatingEdge predicate.

New Features

GitHub Actions

• The “Unpinned tag for a non-immutable Action in workflow” query (actions/unpinned-tag) now supports expanding the trusted action owner list using data extensions (extensible: trustedActionsOwnerDataModel). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see Creating a CodeQL Model Pack.

• © GitHub, Inc.
• Terms
• Privacy