CodeQL documentation

CodeQL 2.7.3 (2021-12-06)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.7.3 runs a total of 288 security queries when configured with the Default suite (covering 124 CWE). The Extended suite enables an additional 85 queries (covering 32 more CWE). 10 security queries have been added with this release.


Potentially Breaking Changes

  • The experimental command-line option --ml-model-path that was introduced to support internal experiments has been removed.

Bug Fixes

  • Editing support (content assist, code navigation, etc.) in files under the .github directory will now work properly. This is because files under the .github directory will now be indexed and processed by the CodeQL language server. Other hidden directories that start with . will remain un-indexed. This affects the vscode-codeql extension and any other IDE extension that uses the CodeQL language server.
  • Fixed authentication with GitHub package registries via the GITHUB_TOKEN environment variable and the --github-auth-stdin flag when downloading and publishing packs.
  • Fixed an incompatibility with glibc version 2.34 on Linux, where build tracing failed with an error message.
  • Fixed a bug where codeql generate log-summary could sometimes fail with a JsonMappingException.

New Features

  • The CodeQL CLI for Mac OS now ships with a native Java virtual machine for M1 Macs, and this will be used by default where applicable to run the CodeQL engine, thus improving performance. Rosetta 2 is still required as not all components of the CodeQL CLI are natively compiled.

  • Commands that execute queries will now exit with status code 34 if certain errors that prevent the evaluation of one or more individual queries are detected. Previously some of these errors would crash the evaluator and exit with status code 100.

    (This is currently used for “external predicate not found” errors).

Query Packs

New Queries


  • A new query cpp/non-https-url has been added for C/C++. The query flags uses of http URLs that might be better replaced with https.


  • The js/sensitive-get-query query has been added. It highlights GET requests that read sensitive information from the query string.
  • The js/insufficient-key-size query has been added. It highlights the creation of cryptographic keys with a short key size.
  • The js/session-fixation query has been added. It highlights servers that reuse a session after a user has logged in.


  • A new query (rb/request-forgery) has been added. The query finds HTTP requests made with user-controlled URLs.
  • A new query (rb/csrf-protection-disabled) has been added. The query finds cases where cross-site forgery protection is explicitly disabled.

Query Metadata Changes


  • Fixed the query ids of two queries that are meant for manual exploration: python/count-untrusted-data-external-api and python/untrusted-data-to-external-api have been changed to py/count-untrusted-data-external-api and py/untrusted-data-to-external-api.


  • The precision of “Hard-coded credentials” (rb/hardcoded-credentials) has been decreased from “high” to “medium”. This query will no longer be run and displayed by default on Code Scanning and LGTM.

Language Libraries

Bug Fixes


  • CharacterLiteral’s getCodePointValue predicate now returns the correct value for UTF-16 surrogates.
  • The RangeAnalysis module and the java/constant-comparison queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals.
  • The predicate Method.overrides(Method) was accidentally transitive. This has been fixed. This fix also affects Method.overridesOrInstantiates(Method) and Method.getASourceOverriddenMethod().

Major Analysis Improvements


  • Added modeling of os.stat, os.lstat, os.statvfs, os.fstat, and os.fstatvfs, which are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Added modeling of the posixpath, ntpath, and genericpath modules for path operations (although these are not supposed to be used), resulting in new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Added modeling of wsgiref.simple_server applications, leading to new remote flow sources.
  • Added modeling of aiopg for sinks executing SQL.
  • Added modeling of HTTP requests and responses when using flask_admin (Flask-Admin PyPI package), which leads to additional remote flow sources.
  • Added modeling of the PyPI package toml, which provides encoding/decoding of TOML documents, leading to new taint-tracking steps.

New Features


  • The QL library semmle.code.cpp.commons.Exclusions now contains a predicate isFromSystemMacroDefinition for identifying code that originates from a macro outside the project being analyzed.
  • © GitHub, Inc.
  • Terms
  • Privacy