CodeQL 2.7.5 (2022-01-17)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.7.5 runs a total of 289 security queries when configured with the Default suite (covering 127 CWE). The Extended suite enables an additional 88 queries (covering 31 more CWE). 4 security queries have been added with this release.
CodeQL CLI
Deprecations
- The CodeQL Action versions up to and including version 1.0.22 are now deprecated for use with CodeQL CLI 2.7.5 and later. The CLI will emit a warning if it detects that it is being used by a deprecated version of the codeql-action. This warning will become a fatal error with version 2.8.0 of the CLI.
Documentation
- The documentation for the `--trace-process-level` flag of `codeql database init` (which is used with indirect build tracing on Windows) was erroneous. The help text previously claimed that `--trace-process-level=1` would inject CodeQL's build tracer into the calling process. This is actually what `--trace-process-level=0` achieves. The help text has now been corrected to match the actual (unchanged) behavior. Also, some log messages incorrectly stated which process CodeQL was injected into. These have also been corrected.
New Features
- The `codeql github upload-results` command will now print the API response body in JSON format if a `--format=json` flag is given. Otherwise the command will print the URL of the SARIF upload. This URL can be used to get status information for the upload. See also: https://docs.github.com/en/rest/reference/code-scanning
Miscellaneous
- For commands that run queries, the `--timeout` option now controls the maximal time it may take to evaluate a "layer" of a query rather than a "stage". There are usually many "layers" in each "stage", but it is usually a single one of the layers in a stage that uses most of the time, so there is no need to reduce existing timeout values as a result of this change.
Query Packs
Minor Analysis Improvements
Java/Kotlin
- The `java/constant-comparison` query no longer raises false alerts regarding comparisons with Unicode surrogate character literals.
JavaScript/TypeScript
- Support for Handlebars templates has improved. Raw interpolation tags of the form `{{& ... }}` are now recognized, as well as whitespace-trimming tags like `{{~ ... }}`.
- Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are `express` and `fastify`.
- `js/missing-token-validation` has been made more precise, yielding both fewer false positives and more true positives.
Python
- Added modeling of many functions from the `os` module that use file system paths, such as `os.stat`, `os.chdir`, `os.mkdir`, and so on. All of these are new sinks for the Uncontrolled data used in path expression (`py/path-injection`) query.
- Added modeling of the `tempfile` module for creating temporary files and directories, such as the functions `tempfile.NamedTemporaryFile` and `tempfile.TemporaryDirectory`. The `suffix`, `prefix`, and `dir` arguments are all vulnerable to path injection, and these are new sinks for the Uncontrolled data used in path expression (`py/path-injection`) query.
- Extended the modeling of FastAPI such that `fastapi.responses.FileResponse` objects are considered `FileSystemAccess`, making them sinks for the Uncontrolled data used in path expression (`py/path-injection`) query.
- Added modeling of the `posixpath`, `ntpath`, and `genericpath` modules for path operations (although these modules are not intended to be used directly), resulting in new sinks for the Uncontrolled data used in path expression (`py/path-injection`) query.
- Added modeling of `wsgiref.simple_server` applications, leading to new remote flow sources.
- To support the new SSRF queries, the PyPI package `requests` has been modeled, along with `http.client.HTTP[S]Connection` from the standard library.
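As an added example (not CodeQL's own code, nor code from any project it analyzes), the `tempfile` sinks listed above beside a hardened form that validates the `prefix`, `suffix` and `dir` parts and confines the created file under an assumed base directory; all names and sample inputs are constructed:

```python
import re
import tempfile
from pathlib import Path

# Constructed example (not CodeQL's own code): the tempfile sinks that
# py/path-injection now covers (prefix, suffix, dir), plus a hardened form.
_NAME_PART = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def unsafe_tempfile(prefix, suffix, directory):
    """Flagged pattern: caller-controlled values reach tempfile's sinks;
    a prefix like '../../x' or a caller-chosen dir relocates the file."""
    f = tempfile.NamedTemporaryFile(prefix=prefix, suffix=suffix, dir=directory, delete=False)
    f.close()
    return f.name

def safe_part(value):
    """Accept a short, separator-free name part; reject '..' explicitly."""
    if not _NAME_PART.match(value) or ".." in value:
        raise ValueError(f"rejected path part: {value!r}")
    return value

def is_within(path, base_dir):
    """True if path, after resolving symlinks and '..', lies under base_dir."""
    base, target = Path(base_dir).resolve(), Path(path).resolve()
    return target == base or base in target.parents

def safe_tempfile(prefix, suffix, subdir, base_dir):
    """Hardened form: validate each part and confine dir under base_dir."""
    target = Path(base_dir).resolve() / safe_part(subdir)
    if not is_within(target, base_dir):
        raise ValueError("dir escapes the allowed base directory")
    target.mkdir(exist_ok=True)
    f = tempfile.NamedTemporaryFile(prefix=safe_part(prefix), suffix=safe_part(suffix),
                                    dir=str(target), delete=False)
    f.close()
    return f.name

def demo():
    """Exercise both forms in throwaway dirs; returns plain outcomes."""
    base, elsewhere = tempfile.mkdtemp(), tempfile.mkdtemp()
    escaped = not is_within(unsafe_tempfile("job", ".txt", elsewhere), base)
    inside = is_within(safe_tempfile("upload", ".txt", "work", base), base)
    rejected = []
    for args in (("../../etc", ".txt", "work"), ("upload", ".txt", ".."), ("up", "/x", "work")):
        try:
            safe_tempfile(*args, base)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return {"unsafe_escaped": escaped, "safe_inside_base": inside, "rejected": rejected}
```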
New Queries
C/C++
- A new query `cpp/certificate-not-checked` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
- A new query `cpp/certificate-result-conflation` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
Python
- Two new queries have been added for detecting server-side request forgery (SSRF). Full server-side request forgery (`py/full-ssrf`) will only alert when the URL is fully user-controlled, and Partial server-side request forgery (`py/partial-ssrf`) will alert when any part of the URL is user-controlled. Only `py/full-ssrf` will be run by default.
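An added illustration (not code from CodeQL) of the full versus partial SSRF shapes these two queries distinguish, each beside a pinned-target form that an allowlist check enforces; the backend host `api.example.com` and the `/v1/` path are assumptions:

```python
import re
from urllib.parse import urlsplit

# Constructed example (not CodeQL's own code): the two SSRF shapes the new
# queries distinguish, beside a pinned-target form for each. API_HOST is assumed.
API_HOST = "api.example.com"
ALLOWED_HOSTS = {API_HOST}
_RESOURCE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def full_ssrf_target(user_url):
    """py/full-ssrf shape: the entire URL comes from the request."""
    return user_url  # handed as-is to requests.get / HTTPSConnection

def partial_ssrf_target(user_resource):
    """py/partial-ssrf shape: only the tail is user-controlled, yet a tail
    such as '../other' still steers the request to a different path."""
    return f"https://{API_HOST}/v1/{user_resource}"

def validated_target(user_url, allowed_hosts=ALLOWED_HOSTS):
    """Hardened full-URL case: parse, then pin scheme, host and port.
    Returns (host, port, path_and_query) for http.client.HTTPSConnection."""
    parts = urlsplit(user_url)
    if parts.scheme != "https":
        raise ValueError("only https is allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is rejected")  # host@other-host form
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"host not allowed: {parts.hostname!r}")
    if parts.port not in (None, 443):  # .port itself raises ValueError if malformed
        raise ValueError("non-default port rejected")
    path = parts.path or "/"
    return parts.hostname, 443, path + (f"?{parts.query}" if parts.query else "")

def validated_partial_target(user_resource):
    """Hardened partial case: the tail must be a plain identifier."""
    if not _RESOURCE.match(user_resource):
        raise ValueError(f"bad resource id: {user_resource!r}")
    return partial_ssrf_target(user_resource)

def rejects(fn, value):
    """True if fn(value) raises ValueError (used to check the guards)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False
```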
Language Libraries
Bug Fixes
Java/Kotlin
- `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
- The `RangeAnalysis` module now properly handles comparisons with Unicode surrogate character literals.
Major Analysis Improvements
Java/Kotlin
- Data flow now propagates taint from remote source `Parameter` types to read steps of their fields (e.g. `tainted.publicField` or `tainted.getField()`). This also applies to their subtypes and the types of their fields, recursively.
Minor Analysis Improvements
Python
- Added modeling of many functions from the `os` module that use file system paths, such as `os.stat`, `os.chdir`, `os.mkdir`, and so on.
- Added modeling of the `tempfile` module for creating temporary files and directories, such as the functions `tempfile.NamedTemporaryFile` and `tempfile.TemporaryDirectory`.
- Extended the modeling of FastAPI such that custom subclasses of `fastapi.APIRouter` are recognized.
- Extended the modeling of FastAPI such that `fastapi.responses.FileResponse` objects are considered `FileSystemAccess`.
- Added modeling of the `posixpath`, `ntpath`, and `genericpath` modules for path operations (although these modules are not intended to be used directly), resulting in new sinks.
- Added modeling of `wsgiref.simple_server` applications, leading to new remote flow sources.

