CodeQL documentation

CodeQL 2.8.1 (2022-02-15)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.8.1 runs a total of 306 security queries when configured with the Default suite (covering 137 CWE). The Extended suite enables an additional 95 queries (covering 30 more CWE). 10 security queries have been added with this release.


Bug Fixes

  • Fixed a bug that would sometimes lead to query evaluation on M1-based Macs to crash with Did not preallocate enough memory error.

New Features

  • Commands that find or run queries now allow you to refer to queries within a named CodeQL pack. For example:

    # Analyze a database using all queries in the experimental/Security folder within the codeql/cpp-queries
    # CodeQL query pack.
    codeql database analyze --format=sarif-latest --output=results <db> \
    # Analyse using only the RedundantNullCheckParam.ql query in the codeql/cpp-queries CodeQL query pack.
    codeql database analyze --format=sarif-latest --output=results <db> \
        'codeql/cpp-queries:experimental/Likely Bugs/RedundantNullCheckParam.ql'
    # Analyse using the cpp-security-and-quality.qls query suite in the codeql/cpp-queries CodeQL query pack.
    codeql database analyze --format=sarif-latest --output=results <db> \
    # Analyse using the cpp-security-and-quality.qls query suite from a version of the codeql/cpp-queries pack
    # that is >= 0.0.3 and < 0.1.0 (the highest compatible version will be chosen).
    # All valid semver ranges are allowed. See
    codeql database analyze --format=sarif-latest --output=results <db> \

    The complete way to specify a set of queries is in the form scope/name@range:path, where:

    • scope/name is the qualified name of a CodeQL pack.

    • range is a semver range.

    • path is a file system path

      If a scope/name is specified, the range and path are optional. A missing range implies the latest version of the specified pack. A missing path implies the default query suite of the specified pack.

      The path can be one of a *.ql query file, a directory containing one or more queries, or a .qls query suite file. If there is no pack name specified, then a path must be provided, and will be interpreted relative to the current working directory of the current process.

      If a scope/name and path are specified, then the path cannot be absolute. It is considered relative to the root of the CodeQL pack.

      The relevant commands are:

      • codeql database analyze
      • codeql database run-queries
      • codeql execute queries
      • codeql resolve queries

Query Packs

Bug Fixes


  • The View AST functionality no longer prints detailed information about regular expressions, greatly improving performance.

Minor Analysis Improvements


  • The “Cleartext transmission of sensitive information” (cpp/cleartext-transmission) query has been further improved to reduce false positive results, and upgraded from medium to high precision.
  • The “Cleartext transmission of sensitive information” (cpp/cleartext-transmission) query now finds more results, where a password is stored in a struct field or class member variable.
  • The cpp/cleartext-storage-file query has been improved, removing false positives where data is written to a standard output stream.
  • The cpp/cleartext-storage-buffer query has been updated to use the semmle.code.cpp.dataflow.TaintTracking library.
  • The cpp/world-writable-file-creation query now only detects open and openat calls with the O_CREAT or O_TMPFILE flag.

New Queries


  • Added a new query, cpp/open-call-with-mode-argument, to detect when open or openat is called with the O_CREAT or O_TMPFILE flag but when the mode argument is omitted.


  • A new query “Cleartext storage of sensitive information using a local database on Android” (java/android/cleartext-storage-database) has been added. This query finds instances of sensitive data being stored in local databases without encryption, which may expose it to attackers or malicious applications.


  • A new query, js/unsafe-code-construction, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution. The query is not run by default.
  • A new query js/file-system-race has been added. The query detects when there is time between a file being checked and used. The query is not run by default.
  • A new query js/jwt-missing-verification has been added. The query detects applications that don’t verify JWT tokens.
  • The js/insecure-dependency query has been added. It detects dependencies that are downloaded using an unencrypted connection.

Language Libraries

Major Analysis Improvements


  • Added support for C# 10 lambda improvements
    • Explicit return types on lambda expressions.
    • Lambda expression can be tagged with method and return value attributes.
  • Added support for C# 10 Extended property patterns.
  • Return value attributes are extracted.
  • The QL Attribute class now has subclasses for each kind of attribute.
  • © GitHub, Inc.
  • Terms
  • Privacy