CodeQL documentation

CodeQL 2.5.3 (2021-04-30)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.5.3 runs a total of 239 security queries when configured with the Default suite (covering 108 CWE). The Extended suite enables an additional 79 queries (covering 26 more CWE).


Bug Fixes

  • Ensure the correct URL is generated during codeql github upload-results for GitHub Enterprise Server.

New Features

  • When tracing a C/C++ build, the C compiler entries in compiler-settings must now specify order compiler,extractor. The default configuration already does this, so no change is necessary if using the default configuration.
  • codeql database analyze and codeql database interpret-results now report the results of summary metric queries in the <run>.properties.metricResults property of the SARIF output. Summary metric queries describe metrics about the code analyzed by CodeQL. They are identified by the query metadata @kind metric and @tag summary. For example, see the lines of code summary metric query for C++.
  • codeql database analyze and codeql database interpret-results now calculate an automation ID and add it to the resulting SARIF. In SARIF v2.1.0, this field is runs[] In SARIF v2, this field is runs[].automationLogicalId. In SARIF v1, this field is runs[].automationId. By default, this automation ID will be derived from the database language and the operating system of the machine that performed the run. It can be set explicitly using a new --sarif-category option.
  • In query metadata, @kind alert and @kind path-alert are now recognized as (more accurate) synonyms of @kind problem and @kind path-problem, respectively.
  • Diagnostic queries are now permitted by the metadata verifier. They are identified by @kind diagnostic metadata. Currently the result patterns of diagnostic queries are not verified. This will change in a future CLI release.
  • © GitHub, Inc.
  • Terms
  • Privacy