CodeQL 2.8.2 (2022-02-28)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.8.2 runs a total of 308 security queries when configured with the Default suite (covering 139 CWE). The Extended suite enables an additional 99 queries (covering 30 more CWE). 6 security queries have been added with this release.
CodeQL CLI¶
Breaking Changes¶
- The support for the output formats SARIF v1.0.0 and SARIF v2.0.0 (Committee Specification Draft 1) that were deprecated in 2.7.1 has been removed. If you need this functionality, please file a public issue against https://github.com/github/codeql-cli-binaries, or open a private ticket with GitHub Support and request an escalation to engineering.
New Features¶
- The CodeQL CLI is now compatible with Windows 11 and Windows Server 2022, including building databases for compiled languages.
Query Packs¶
Breaking Changes¶
Java¶
- Add more classes to Netty request/response splitting. Change identification to
java/netty-http-request-or-response-splitting. Identify request splitting differently from response splitting in query results. Support additional classes:io.netty.handler.codec.http.CombinedHttpHeadersio.netty.handler.codec.http.DefaultHttpRequestio.netty.handler.codec.http.DefaultFullHttpRequest
Minor Analysis Improvements¶
JavaScript/TypeScript¶
- Added dataflow through the
snapdragonlibrary.
New Queries¶
Java¶
- A new query titled “Local information disclosure in a temporary directory” (
java/local-temp-file-or-directory-information-disclosure) has been added. This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory. This query was originally submitted as query by @JLLeitschuh.
JavaScript/TypeScript¶
- A new query,
js/functionality-from-untrusted-source, has been added to the query suite. It finds DOM elements that load functionality from untrusted sources, likescriptoriframeelements usinghttplinks. The query is run by default.
Python¶
- The query “LDAP query built from user-controlled sources” (
py/ldap-injection) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @jorgectf. - The query “Log Injection” (
py/log-injection) has been promoted from experimental to the main query pack. Its results will now appear whensecurity-extendedis used. This query was originally submitted as an experimental query by @haby0.
Ruby¶
- Added a new query,
rb/clear-text-logging-sensitive-data. The query finds cases where sensitive information, such as user credentials, are logged as cleartext.
Query Metadata Changes¶
C#¶
- The precision of hardcoded credentials queries (
cs/hardcoded-credentialsandcs/hardcoded-connection-string-credentials) have been downgraded to medium.
JavaScript/TypeScript¶
- The
js/request-forgeryquery previously flagged both server-side and client-side request forgery, but these are now handled by two different queries:js/request-forgeryis now specific to server-side request forgery. Its precision has been raised tohighand is now shown by default (it was previously in thesecurity-extendedsuite).js/client-side-request-forgeryis specific to client-side request forgery. This is technically a new query but simply flags a subset of what the old query did. This has precisionmediumand is part of thesecurity-extendedsuite.