CodeQL 2.22.2 (2025-07-29)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.22.2 runs a total of 474 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 130 queries (covering 32 more CWE).
CodeQL CLI¶
Bug Fixes¶
Fixes a bug in query suites where the
versionproperty of animportinstruction was ignored. Previously, the following query suite would not resolve tov1.0.19ofcodeql/csharp-queries. Instead it would resolve to the latest version. This is now fixed and the resolve pack version would bev1.0.19.- from: codeql/csharp-queries import: codeql-suites/csharp-security-and-quality.qls version: 1.0.19
Query Packs¶
Bug Fixes¶
C#¶
web.configandweb.release.configfiles are now recognized regardless of case. This means queriescs/web/debug-binaryandcs/web/missing-x-frame-optionsmay produce more results than before.
Breaking Changes¶
JavaScript/TypeScript¶
The
TypeandSymbolclasses have been deprecated and will be empty in newly extracted databases, since the TypeScript extractor no longer populates them. This is a breaking change for custom queries that explicitly relied on these classes. Such queries will still compile, but with deprecation warnings, and may have different query results due to type information no longer being available. We expect most custom queries will not be affected, however. If a custom query has no deprecation warnings, it should not be affected by this change. Uses ofgetType()should be rewritten to use the newgetTypeBinding()orgetNameBinding()APIs instead. If the new API is not sufficient, please consider opening an issue ingithub/codeqldescribing your use-case.
Major Analysis Improvements¶
JavaScript/TypeScript¶
The TypeScript extractor no longer relies on the TypeScript compiler for extracting type information. Instead, the information we need from types is now derived by an algorithm written in QL. This results in more robust extraction with faster extraction times, in some cases significantly faster.
Taint is now tracked through the React
usefunction.Parameters of React server functions, marked with the
"use server"directive, are now seen as taint sources.
Minor Analysis Improvements¶
C/C++¶
Due to changes in the
FunctionWithWrapperslibrary (semmle.code.cpp.security.FunctionWithWrappers) the primary alert location generated by the queriescpp/path-injection,cpp/sql-injection,cpp/tainted-format-string, andcpp/command-line-injectionmay have changed.Added flow models for the Win32 API functions
CreateThread,CreateRemoteThread, andCreateRemoteThreadEx.Improved support for dataflow through function objects and lambda expressions.
Added flow models for
pthread_createandstd::thread.The
cpp/incorrect-string-type-conversionquery no longer alerts on incorrect type conversions that occur in unreachable code.Added flow models for the GNU C Library.
Fixed a number of false positives and false negatives in
cpp/global-use-before-init. Note that this query is not part of any of the default query suites.The query
cpp/sql-injectionnow can be extended using thesql-injectionModels as Data (MaD) sink kind.
C#¶
Explicitly added summary models for all overloads of
System.Xml.XmlDictionaryReader.CreateBinaryReader. Added models for some of the methods and properties inSystem.Runtime.Serialization.SerializationInfoandSystem.Runtime.Serialization.SerializationInfoEnumerator. Updated models forSystem.Text.Encoding.GetBytes,System.Text.Encoding.GetCharsand the constructor forSystem.IO.MemoryStream. This generally improves the library modelling and thus reduces the number of false negatives.Added explicit SQL injection Models as Data models for
Microsoft.Data.SqlClient.SqlCommandandMicrosoft.Data.SqlClient.SqlDataAdapter. This reduces false negatives for the querycs/sql-injection.
Golang¶
filepath.IsLocalis now recognized as a sanitizer against path-traversal and related vulnerabilities.
Java/Kotlin¶
Java analysis of guards has been switched to use the new and improved shared guards library. This improves precision of a number of queries, in particular
java/dereferenced-value-may-be-null, which now has fewer false positives, andjava/useless-null-checkandjava/constant-comparison, which gain additional true positives.
JavaScript/TypeScript¶
Removed three queries from the JS qlpack, which have been superseded by newer queries that are part of the Actions qlpack:
js/actions/pull-request-targethas been superseded byactions/untrusted-checkout/{medium,high,critical}js/actions/actions-artifact-leakhas been superseded byactions/secrets-in-artifactsjs/actions/command-injectionhas been superseded byactions/command-injection/{medium,critical}
New Queries¶
Rust¶
Added a new query,
rust/access-after-lifetime-ended, for detecting pointer dereferences after the lifetime of the pointed-to object has ended.
Language Libraries¶
Bug Fixes¶
JavaScript/TypeScript¶
The JavaScript extractor no longer ignores source files specified in the
tsconfig.jsoncompiler optionsoutDirif doing so would result in excluding all source code.
Python¶
The Python parser is now able to correctly parse expressions such as
match[1]andmatch()wherematchis not used as a keyword.
GitHub Actions¶
The
actions/artifact-poisoning/criticalandactions/artifact-poisoning/mediumqueries now exclude artifacts downloaded to$[{ runner.temp }}in addition to/tmp.
Breaking Changes¶
Ruby¶
Most classes and predicates in the AST, SSA, and control-flow-graph libraries are now annotated with
overlay[local], in preparation for incremental analysis. This could result in compiler errors for custom queries if they extend these classes. To mitigate such errors, look for ways to restructure custom QL code so it doesn’t depend on changing the behavior of standard-library classes.
Minor Analysis Improvements¶
C/C++¶
The
FunctionWithWrapperslibrary (semmle.code.cpp.security.FunctionWithWrappers) no longer considers calls through function pointers as wrapper functions.The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the
arm_neon.hheader and Neon vector types, and support for thefp8scalar type. Thearm_sve.hheader and scalable vectors are only partially supported at this point.Added support for
__fp16 _Complexand__bf16 _ComplextypesAdded
sql-injectionsink models for the Oracle Call Interface (OCI) database library functionsOCIStmtPrepareandOCIStmtPrepare2.
Golang¶
Added models for the
Headfunction and theClient.Headmethod, from thenet/httppackage, to theHttp::ClientRequestclass. This means that they will be recognized as sinks for the querygo/request-forgeryand the experimental querygo/ssrf.Previously,
DefinedType.getBaseTypegave the underlying type. It now gives the right hand side of the type declaration, as the documentation indicated that it should.
Java/Kotlin¶
The qualifiers of a calls to
readObjecton any classes that implementjava.io.ObjectInputare now recognised as sinks forjava/unsafe-deserialization. Previously this was only the case for classes which extendjava.io.ObjectInputStream.
JavaScript/TypeScript¶
Enhanced modeling for the
execalibrary, adding support for command execution methodsexecaCommand,execaCommandSync,$, and$.sync, as well as file system operations throughinputFile,pipeStdout,pipeAll, andpipeStderr.
Python¶
Type annotations such as
foo : Barare now treated by the call graph as an indication thatfoomay be an instance ofBar.
Rust¶
Type inference has been extended to support pattern matching.
Call resolution for calls to associated functions has been improved, so it now disambiguates the targets based on type information at the call sites (either type information about the arguments or about the expected return types).
Type inference has been improved for
forloops and range expressions, which improves call resolution and may ultimately lead to more query results.Implemented support for data flow through trait functions. For the purpose of data flow, calls to trait functions dispatch to all possible implementations.
AssocItemandExternItemare now proper subclasses ofItem.Added type inference for
forloops and array expressions.
Deprecated APIs¶
C/C++¶
The
UnknownDefaultLocation,UnknownExprLocation, andUnknownStmtLocationclasses have been deprecated. UseUnknownLocationinstead.
Golang¶
The class
BuiltinTypeis now deprecated. Use the new replacementBuiltinTypeEntityinstead.The class
DeclaredTypeis now deprecated. Use the new replacementDeclaredTypeEntityinstead.
Java/Kotlin¶
The module
semmle.code.java.frameworks.Castorhas been deprecated and will be removed in a future release.The module
semmle.code.java.frameworks.JYamlhas been deprecated and will be removed in a future release.The classes
UnsafeHessianInputReadObjectMethodandBurlapInputReadObjectMethodin the modulesemmle.code.java.frameworks.HessianBurlaphave been deprecated and will be removed in a future release.The class
YamlBeansReaderReadMethodin the modulesemmle.code.java.frameworks.YamlBeanshas been deprecated and will be removed in a future release.The class
MethodApacheSerializationUtilsDeserializein the modulesemmle.code.java.frameworks.apache.Langhas been deprecated and will be removed in a future release.
New Features¶
C/C++¶
Added a
isFinalValueOfParameterpredicate toDataFlow::Nodewhich holds when a dataflow node represents the final value of an output parameter of a function.
C#¶
Added a new predicate,
getASuperType(), to get a direct supertype of this type.
Java/Kotlin¶
You can now add sinks for the query “Deserialization of user-controlled data” (
java/unsafe-deserialization) using data extensions by extendingsinkModeland using the kind “unsafe-deserialization”. The existing sinks that do not require extra logic to determine if they are unsafe are now defined in this way.