CodeQL documentation

CodeQL 2.17.1 (2024-04-24)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.17.1 runs a total of 412 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 130 queries (covering 34 more CWE). 2 security queries have been added with this release.

CodeQL CLI

Deprecations

  • The --mode option and its -m alias for codeql database create, codeql database cleanup, and codeql dataset cleanup have been deprecated. Instead, use the new --cache-cleanup option, which has identical behavior.

Improvements

  • Improved the diagnostic message produced when no code is processed when creating a database. If a build mode was specified using --build-mode, the message is now tailored to your build mode.

Miscellaneous

  • The scc tool used by the CodeQL CLI to calculate source code baseline information has been updated to version 3.2.0.

Query Packs

Minor Analysis Improvements

Java/Kotlin

  • The java/unknown-javadoc-parameter query now accepts @param tags that apply to the parameters of a record.

JavaScript/TypeScript

  • API::Node#getInstance() now includes instances of subclasses, including transitive subclasses. The same change applies to uses of the Instance token in data extensions.

New Queries

Ruby

  • Added a new query, rb/insecure-mass-assignment, for finding instances of mass assignment operations accepting arbitrary parameters from remote user input.
  • Added a new query, rb/csrf-protection-not-enabled, to detect cases where Cross-Site Request Forgery protection is not enabled in Ruby on Rails controllers.
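The following is an added illustration of the mass-assignment pattern that rb/insecure-mass-assignment targets, placed beside the allow-list form that avoids it. It is not code from the CodeQL changelog or the query itself and does not depend on Rails: the User and Params classes are hypothetical stand-ins for an ActiveRecord model and ActionController::Parameters, and the request body is constructed.

```ruby
# Added example, not part of the CodeQL documentation or the rb/insecure-mass-assignment query.
# `User` and `Params` are hypothetical stand-ins for an ActiveRecord model and
# ActionController::Parameters, so the example runs without Rails.

class User
  attr_reader :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end

  # Mimics ActiveRecord's assign_attributes: every key in the hash becomes an attribute write.
  def assign_attributes(attrs)
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end
end

# Minimal stand-in for ActionController::Parameters.
class Params
  def initialize(hash)
    @hash = hash
  end

  # Insecure: permit! marks every key as allowed, so the whole request body reaches the model.
  def permit!
    @hash
  end

  # Secure: only the listed keys survive; anything else (such as "admin") is dropped.
  def permit(*allowed)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Constructed request body: the client added an "admin" field the form never exposed.
REQUEST_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

def insecure_update(params)
  # The pattern the query flags: arbitrary remote parameters flow into mass assignment.
  User.new.assign_attributes(params.permit!)
end

def secure_update(params)
  # Allow-listed attributes only; "admin" is never assigned.
  User.new.assign_attributes(params.permit("name", "email"))
end
```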

Language Libraries

Minor Analysis Improvements

C#

  • Extraction of suppress-nullable-warning expressions did not work when they were applied directly to a method call (such as System.Console.ReadLine()!). This has been fixed.

Golang

  • Data flow through variables declared in statements of the form x := y.(type) at the beginning of type switches has been fixed, which may result in more alerts.
  • Added strings.ReplaceAll and http.ParseMultipartForm as sanitizers, and removed the path sanitizer.

Java/Kotlin

  • About 6,700 summary models and 6,800 neutral summary models for the JDK that were generated using data flow have been added. This may lead to new alerts being reported.

Python

  • Improved the type-tracking capabilities (and therefore also API graphs) to allow tracking items in tuples and dictionaries.

Shared Libraries

New Features

Dataflow Analysis

  • The PathGraph result of a data flow computation has been augmented with model provenance information for each of the flow steps. Any qltests that include the edges relation in their output (for example, .qlrefs that reference path-problem queries) will need to have their expected output updated accordingly.

Type-flow Analysis

  • Initial release. Adds a library to implement type-flow analysis.