CodeQL documentation

CodeQL 2.6.3 (2021-10-06)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.6.3 runs a total of 274 security queries when configured with the Default suite (covering 120 CWE). The Extended suite enables an additional 81 queries (covering 28 more CWE).


Potentially Breaking Changes

  • The option --compiler-spec accepted by some subcommands of codeql database is deprecated. It will be removed in a later version (earliest 2.7.0). If you need this option, please file a public issue in, or open a private ticket with GitHub support and request an escalation to engineering.

  • By default, databases created using the CodeQL CLI will now have their underlying datasets finalized, meaning that no further data can be subsequently imported into them. This change should not affect most users.

  • The codeql resolve qlref command will now throw an error when the target is ambiguous. The qlref resolution rules are now as follows:

    1. If the target of a qlref is in the same qlpack, then that target is always returned.
    2. If multiple targets of the qlref are found in dependent packs, this is an error.

    Previously, the command would have arbitrarily chosen one of the targets and ignored any ambiguities.

Bug Fixes

  • Linux/MacOS: When tracing a build that involves an execvp/execvpe (Linux-only)/posix_spawnp syscall where PATH was not set in the environment, CodeQL sometimes would break the build. Now, CodeQL uses the correct, platform-specific fallback for PATH instead.
  • Linux/MacOS: When tracing a build that involves an execvpe (Linux-only)/posix_spawnp syscall, the PATH lookup of the executable wrongly took place in the environment provided via envp, instead of the environment of the process calling execvpe/posix_spawnp. Now, the correct environment is used for the PATH lookup.
  • A bug where query compilation would sometimes fail with a StackOverflowError when compiling a query that uses instanceof has now been fixed.

New Features

  • The codeql query compile command now accepts a --keep-going or -k option, which indicates that the compiler should continue compiling queries even if one of the queries has a compile error in it.
  • CLI commands now run default queries if none are specified. If no queries are specified, the codeql database analyze, codeql database run-queries, and codeql database interpret-results commands will now run the default suite for the language being analyzed.
  • codeql pack publish now copies the published package to the local package cache. In addition to publishing to a remote repository, the codeql pack publish command will also copy the published package to the local package cache.
  • © GitHub, Inc.
  • Terms
  • Privacy