CodeQL 2.8.0 (2022-02-04)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.8.0 runs a total of 298 security queries when configured with the Default suite (covering 136 CWE). The Extended suite enables an additional 93 queries (covering 30 more CWE). 14 security queries have been added with this release.
CodeQL CLI¶
Breaking Changes¶
- The CodeQL Action versions up to and including version 1.0.22 are not compatible with the CodeQL CLI 2.8.0 and later. The CLI will emit an error if it detects that it is being used by an incompatible version of the codeql-action.
Bug Fixes¶
- Fixed a bug where
codeql resolve upgradesignores the--target-dbschemeoption.
New Features¶
A new extractor option has been added to the Java extractor. The flag
--extractor-option exclude='<glob>'allows specifying a glob that describes which paths need to be excluded from extraction but still need to be compiled. This is useful when some files are necessary for a successful build but are uninteresting for analysis.See also: https://codeql.github.com/docs/codeql-cli/extractor-options/
Summary metrics can now associate messages with their results, for instance to report the name and number of uses of a particular API endpoint within a repository. To associate messages with summary metrics, define a query with
@kind metricand@tags summarymetadata and use either thelocation, message, valueor themessage, valueresults pattern.
Query Packs¶
Major Analysis Improvements¶
Python¶
- User names and other account information is no longer considered to be sensitive data for the queries
py/clear-text-logging-sensitive-dataandpy/clear-text-storage-sensitive-data, since this lead to many false positives.
Minor Analysis Improvements¶
C/C++¶
- Fix an issue with the
cpp/declaration-hides-variablequery where it would report variables that are unnamed in a database. - The
cpp/cleartext-storage-filequery has been upgraded with non-local taint flow and has been converted to apath-problemquery. - The
cpp/return-stack-allocated-memoryquery has been improved to produce fewer false positives. The query has also been converted to apath-problemquery. - The “Cleartext transmission of sensitive information” (
cpp/cleartext-transmission) query has been improved in several ways to reduce false positive results. - The “Potential improper null termination” (
cpp/improper-null-termination) query now produces fewer false positive results around control flow branches and loops. - Added exception for GLib’s gboolean to cpp/ambiguously-signed-bit-field. This change reduces the number of false positives in the query.
Ruby¶
- The query
rb/csrf-protection-disabledhas been extended to find calls to the Rails methodprotect_from_forgerythat may weaken CSRF protection.
New Queries¶
C/C++¶
- The
securitytag has been added to thecpp/return-stack-allocated-memoryquery. As a result, its results will now appear by default. - The “Uncontrolled data in arithmetic expression” (cpp/uncontrolled-arithmetic) query has been enhanced to reduce false positive results and its @precision increased to high.
- A new
cpp/very-likely-overrunning-writequery has been added to the default query suite for C/C++. The query reports some results that were formerly flagged bycpp/overrunning-write.
Java¶
- A new query “Use of implicit PendingIntents” (
java/android/pending-intents) has been added. This query finds implicit and mutablePendingIntentssent to an unspecified third party component, which may provide an attacker with access to internal components of the application or cause other unintended effects. - Two new queries, “Android fragment injection” (
java/android/fragment-injection) and “Android fragment injection in PreferenceActivity” (java/android/fragment-injection-preference-activity) have been added. These queries find exported Android activities that instantiate and host fragments created from user-provided data. Such activities are vulnerable to access control bypass and expose the Android application to unintended effects. - The query “
TrustManagerthat accepts all certificates” (java/insecure-trustmanager) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @intrigus-lgtm. - The query “Log Injection” (
java/log-injection) has been promoted from experimental to the main query pack. Its results will now appear by default. The query was originally submitted as an experimental query by @porcupineyhairs and @dellalibera. - A new query “Intent URI permission manipulation” (
java/android/intent-uri-permission-manipulation) has been added. This query finds Android components that return unmodified, received Intents to the calling applications, which can provide unintended access to internal content providers of the victim application. - A new query “Cleartext storage of sensitive information in the Android filesystem” (
java/android/cleartext-storage-filesystem) has been added. This query finds instances of sensitive data being stored in local files without encryption, which may expose it to attackers or malicious applications. - The query “Cleartext storage of sensitive information using
SharedPreferenceson Android” (java/android/cleartext-storage-shared-prefs) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc. - The query “Unsafe certificate trust” (
java/unsafe-cert-trust) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc.
JavaScript/TypeScript¶
- A new query
js/samesite-none-cookiehas been added. The query detects when the SameSite attribute is set to None on a sensitive cookie. - A new query
js/empty-password-in-configuration-filehas been added. The query detects empty passwords in configuration files. The query is not run by default.
Ruby¶
- Added a new query,
rb/weak-cookie-configuration. The query finds cases where cookie configuration options are set to values that may make an application more vulnerable to certain attacks.
Language Libraries¶
Major Analysis Improvements¶
C#¶
- Added support for the following C# 10 features.
- Record structs.
- Improvements of structure types.
- Instance parameterless constructor in a structure type.
- Enhance
WithExprin QL to supportstructsand anonymous classes.
- Global using directives.
- File-scoped namespace declaration.
- Enhanced #line pragma.
Minor Analysis Improvements¶
C/C++¶
FormatLiteral::getMaxConvertedLengthnow uses range analysis to provide a more accurate length for integers formatted with%x
C#¶
- The query
cs/local-shadows-memberno longer highlights parameters ofrecordtypes.
Deprecated APIs¶
C/C++¶
- The
codeql/cpp-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/cpp-allCodeQL pack.
C#¶
- The
codeql/csharp-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/csharp-allCodeQL pack.
Java¶
- The
codeql/java-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/java-allCodeQL pack.
JavaScript/TypeScript¶
- The
codeql/javascript-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/javascript-allCodeQL pack.
Python¶
- Moved the files defining regex injection configuration and customization, instead of
import semmle.python.security.injection.RegexInjectionplease useimport semmle.python.security.dataflow.RegexInjection(the same forRegexInjectionCustomizations). - The
codeql/python-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/python-allCodeQL pack.