CodeQL documentation
CodeQL resources

CodeQL 2.21.3 (2025-05-15)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.21.3 runs a total of 452 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 35 more CWE).

CodeQL CLI

Miscellaneous

  • Windows binaries for the CodeQL CLI are now built with /guard:cf, enabling Control Flow Guard.

Query Packs

Minor Analysis Improvements

C#

  • Changed the precision of the cs/equality-on-floats query from medium to high.

JavaScript/TypeScript

  • Type information is now propagated more precisely through Promise.all() calls, leading to more resolved calls and more sources and sinks being detected.

Query Metadata Changes

C/C++

  • The tag external/cwe/cwe-14 has been removed from cpp/memset-may-be-deleted and the tag external/cwe/cwe-014 has been added.

  • The tag external/cwe/cwe-20 has been removed from cpp/count-untrusted-data-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from cpp/count-untrusted-data-external-api-ir and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from cpp/untrusted-data-to-external-api-ir and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from cpp/untrusted-data-to-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from cpp/late-check-of-function-argument and the tag external/cwe/cwe-020 has been added.

C#

  • The tag external/cwe/cwe-13 has been removed from cs/password-in-configuration and the tag external/cwe/cwe-013 has been added.

  • The tag external/cwe/cwe-11 has been removed from cs/web/debug-binary and the tag external/cwe/cwe-011 has been added.

  • The tag external/cwe/cwe-16 has been removed from cs/web/large-max-request-length and the tag external/cwe/cwe-016 has been added.

  • The tag external/cwe/cwe-16 has been removed from cs/web/request-validation-disabled and the tag external/cwe/cwe-016 has been added.

  • The tag external/cwe/cwe-20 has been removed from cs/count-untrusted-data-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from cs/serialization-check-bypass and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from cs/untrusted-data-to-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-12 has been removed from cs/web/missing-global-error-handler and the tag external/cwe/cwe-012 has been added.

Golang

  • The tag external/cwe/cwe-20 has been removed from go/count-untrusted-data-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from go/incomplete-hostname-regexp and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from go/regex/missing-regexp-anchor and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from go/suspicious-character-in-regex and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from go/untrusted-data-to-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from go/untrusted-data-to-unknown-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-90 has been removed from go/ldap-injection and the tag external/cwe/cwe-090 has been added.

  • The tag external/cwe/cwe-74 has been removed from go/dsn-injection and the tag external/cwe/cwe-074 has been added.

  • The tag external/cwe/cwe-74 has been removed from go/dsn-injection-local and the tag external/cwe/cwe-074 has been added.

  • The tag external/cwe/cwe-79 has been removed from go/html-template-escaping-passthrough and the tag external/cwe/cwe-079 has been added.

Java/Kotlin

  • The tag external/cwe/cwe-20 has been removed from java/count-untrusted-data-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from java/untrusted-data-to-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-93 has been removed from java/netty-http-request-or-response-splitting and the tag external/cwe/cwe-093 has been added.

JavaScript/TypeScript

  • The tag external/cwe/cwe-79 has been removed from js/disabling-electron-websecurity and the tag external/cwe/cwe-079 has been added.

  • The tag external/cwe/cwe-20 has been removed from js/count-untrusted-data-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from js/untrusted-data-to-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from js/untrusted-data-to-external-api-more-sources and the tag external/cwe/cwe-020 has been added.

Python

  • The tags security/cwe/cwe-94 and security/cwe/cwe-95 have been removed from py/use-of-input and the tags external/cwe/cwe-094 and external/cwe/cwe-095 have been added.

  • The tag external/cwe/cwe-20 has been removed from py/count-untrusted-data-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from py/untrusted-data-to-external-api and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from py/cookie-injection and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-20 has been removed from py/incomplete-url-substring-sanitization and the tag external/cwe/cwe-020 has been added.

  • The tag external/cwe/cwe-94 has been removed from py/js2py-rce and the tag external/cwe/cwe-094 has been added.

Ruby

  • The precision of rb/useless-assignment-to-local has been adjusted from medium to high.

  • The tag external/cwe/cwe-94 has been removed from rb/server-side-template-injection and the tag external/cwe/cwe-094 has been added.

Language Libraries

Bug Fixes

C/C++

  • Fixed an infinite loop in semmle.code.cpp.rangeanalysis.new.RangeAnalysis when computing ranges in very large and complex function bodies.

Minor Analysis Improvements

JavaScript/TypeScript

  • Enhanced modeling of the fastify framework to support the all route handler method.

  • Improved modeling of the shelljs and async-shelljs libraries by adding support for the which, cmd, asyncExec and env.

  • Added support for the fastify addHook method.

Python

  • Added modeling for the hdbcli PyPI package as a database library implementing PEP 249.

  • Added header write model for send_header in http.server.

New Features

Java/Kotlin

  • Kotlin versions up to 2.2.0x are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0).

Swift

  • Added AST nodes UnsafeCastExpr, TypeValueExpr, IntegerType, and BuiltinFixedArrayType that correspond to new nodes added by Swift 6.1.

  • © GitHub, Inc.
  • Terms
  • Privacy