CodeQL documentation

CodeQL 2.23.5 (2025-11-13)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.23.5 runs a total of 483 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 3 security queries have been added with this release.

CodeQL CLI

Breaking Changes

  • In order to make a @kind path-problem query diff-informed, the getASelectedSourceLocation and getASelectedSinkLocation predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink in addition to any other locations that are selected by the query. See the QLdoc for more details.

Query Packs

Minor Analysis Improvements

C#

  • The cs/web/missing-x-frame-options query now correctly handles configuration nested in root <location> elements.

Java/Kotlin

  • Calls to String.matches are now treated as sanitizers for the java/ssrf query.

Python

  • The py/insecure-cookie query has been split into multiple queries: py/insecure-cookie now checks for cases in which the Secure flag is not set, py/client-exposed-cookie checks for cases in which the HttpOnly flag is not set, and py/samesite-none checks for cases in which the SameSite attribute is set to None. These queries also now only alert for cases in which the cookie is detected to contain sensitive data.
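As an added illustration (not CodeQL's own code or query logic), the checker below parses constructed Set-Cookie headers and reports the same three conditions the split queries describe, gated on a constructed list of cookie names treated as sensitive. The name list and the parser are assumptions for this example; CodeQL's own notion of sensitive data is based on its library heuristics, not on this list.

```python
"""Added example: mirror the three Python cookie queries over Set-Cookie headers.

Not CodeQL's code. The sensitive-name list is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: cookie names treated as carrying sensitive data for this example.
SENSITIVE_NAMES = {"session", "sessionid", "auth", "token", "csrftoken"}


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    httponly: bool
    samesite: Optional[str]  # None when the attribute is absent


def parse_set_cookie(header: str) -> Cookie:
    """Parse a single Set-Cookie header value into its name, value and flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val.strip()
    return Cookie(name.strip(), value.strip(), secure, httponly, samesite)


def is_sensitive(cookie: Cookie, sensitive_names=SENSITIVE_NAMES) -> bool:
    """Sensitivity gate: only cookies whose name is in the list are reported."""
    return cookie.name.lower() in sensitive_names


def check_cookie(header: str, sensitive_names=SENSITIVE_NAMES) -> list:
    """Return the query ids (as labels) that would apply to this header."""
    cookie = parse_set_cookie(header)
    if not is_sensitive(cookie, sensitive_names):
        return []  # non-sensitive cookies produce no alerts
    findings = []
    if not cookie.secure:
        findings.append("py/insecure-cookie")  # Secure flag missing
    if not cookie.httponly:
        findings.append("py/client-exposed-cookie")  # HttpOnly flag missing
    if cookie.samesite is not None and cookie.samesite.lower() == "none":
        findings.append("py/samesite-none")  # SameSite explicitly None
    return findings


# Constructed sample headers, from weak to hardened.
CONSTRUCTED_HEADERS = [
    "sessionid=abc123",
    "sessionid=abc123; Secure; HttpOnly; SameSite=None",
    "theme=dark",
    "sessionid=abc123; Secure; HttpOnly; SameSite=Lax",
]


def run_checks(headers=CONSTRUCTED_HEADERS) -> dict:
    """Map each header to the list of findings it triggers."""
    return {h: check_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in run_checks().items():
        print(f"{header!r}: {findings or 'no findings'}")
```

The last constructed header is the shape a remediation takes in a Flask or Werkzeug application, where `response.set_cookie(name, value, secure=True, httponly=True, samesite="Lax")` sets all three attributes; whether a given cookie counts as sensitive is decided by CodeQL's libraries, not by the name list assumed here.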

Rust

  • The “Low Rust analysis quality” query (rust/diagnostic/database-quality), used by the tool status page, has been extended with a measure of successful type inference.

New Queries

Java/Kotlin

  • The java/sensitive-cookie-not-httponly query has been promoted from experimental to the main query pack.

  • Added a new query, java/escaping, to detect values escaping from classes marked as @ThreadSafe.

  • Added a new query, java/not-threadsafe, to detect data races in classes marked as @ThreadSafe.

  • Added a new query, java/safe-publication, to detect unsafe publication in classes marked as @ThreadSafe.

Language Libraries

Breaking Changes

Swift

  • The OpenedArchetypeType class has been renamed as ExistentialArchetypeType.

  • The OtherAvailabilitySpec class has been removed. Use AvailabilitySpec::isWildcard instead.

  • The PlatformVersionAvailabilitySpec has been removed. Use AvailabilitySpec::getPlatform and AvailabilitySpec::getVersion instead.

Major Analysis Improvements

C#

  • The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries, including both minor improvements and minor regressions; for example, improved precision has been observed for cs/inefficient-containskey and cs/stringbuilder-creation-in-loop. Two queries stand out as being significantly affected, with great improvements: cs/dereferenced-value-may-be-null has been completely rewritten, which removes a very significant number of false positives. Furthermore, cs/constant-condition has been updated to report many new results; these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, cs/dereferenced-value-may-be-null has been changed from a path-problem query to a problem query, so paths are no longer reported for this query.

Swift

  • Upgraded to allow analysis of Swift 6.2.

  • Support for experimental Embedded Swift has been dropped.

Rust

  • Resolution of calls to functions has been improved in a number of ways, to make it more aligned with the behavior of the Rust compiler. This may impact queries that rely on call resolution, such as data flow queries.

  • Added basic models for the actix-web web framework.

Minor Analysis Improvements

C#

  • Added tracer support for macOS and Linux when the .NET CLI (dotnet) directly invokes the C# compiler (csc). This enhancement provides basic tracing and extraction capabilities for .NET 10 RC2 on these platforms.

  • The extraction of location information for source code entities has been updated to use star IDs (* IDs). This change should be transparent to end-users but may improve extraction performance in some cases by reducing TRAP file size and eliminating overhead from location de-duplication.

Rust

  • Added ExtractedFile::hasSemantics and ExtractedFile::isSkippedByCompilation predicates.

  • Generalized some existing models to improve data flow.

  • Added models for the mysql and mysql_async libraries.

Deprecated APIs

C#

  • The class AbstractValue in the Guards library has been deprecated and replaced with the class GuardValue.

New Features

Python

  • Initial support for incremental Python databases via codeql database create --overlay-base/--overlay-changes.

Swift

  • Added AST nodes UsingDecl, UnsafeExpr, and InlineArrayType that correspond to new nodes in Swift 6.2.

  • Added new predicates isDistributedGet, isRead2, isModify2, and isInit to the Accessor class that correspond to new accessors in Swift 6.2.

  • Added a new predicate isApply to the KeyPathComponent class that corresponds to method and initializer key path components in Swift 6.2.
