CodeQL 2.5.6 (2021-06-22)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.5.6 runs a total of 266 security queries when configured with the Default suite (covering 114 CWE). The Extended suite enables an additional 57 queries (covering 28 more CWE). 3 security queries have been added with this release.
CodeQL CLI¶
New Features¶
codeql database create(and the plumbing commands it comprises) now supports creating databases for a source tree with several languages while tracing a single build. This is enabled by a new--db-clusteroption. Once created, the multiple databases must be analyzed one by one.codeql database createandcodeql database initnow accept an--overwriteargument which will lead existing CodeQL databases to be overwritten.codeql database analyzenow supports “diagnostic” queries (tagged@kind diagnostic), which are intended to report information about the analysis process itself rather than problems with the analyzed code. The results of these queries will be summarized in a table printed to the terminal whencodeql database analyzefinishes.They are also included in the analysis results in SARIF output formats as notification objects so they can be displayed by subsequent tooling such as the Code Scanning user interface.
- For SARIF v2.1.0, a reporting descriptor object for each diagnostic query is output to output to
runs[].tool.driver.notifications, orruns[].tool.extensions[].notificationsif running with--sarif-group-rules-by-pack. A rule object for each diagnostic query is output toruns[].resources[].rulesfor SARIF v2, or toruns[].rulesfor SARIF v1. - Results of diagnostic queries are exported to the
runs[].invocations[].toolExecutionNotificationsproperty in SARIF v2.1.0, theruns[].invocations[].toolNotificationsproperty in SARIF v2, and theruns[].toolNotificationsproperty in SARIF v1.
SARIF v2.1.0 output will now also contain version information for query packs in
runs[].tool.extensions[].semanticVersion, if the Git commit the queries come from is known.- For SARIF v2.1.0, a reporting descriptor object for each diagnostic query is output to output to
codeql github upload-resultshas a--checkout-pathoption which will attempt to automatically configure upload target parameters. When this is given, the--commitoption will be taken from the HEAD of the checkout Git repository, and if there is precisely one remote configured in the local repository, the--repositoryand--github-urloptions will also be automatically configured.The CodeQL C++ extractor includes beta support for C++20. This is only available when building codebases with GCC on Linux. C++20 modules are not supported.