CodeQL documentation

CodeQL 2.8.3 (2022-03-14)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.8.3 runs a total of 312 security queries when configured with the Default suite (covering 140 CWE). The Extended suite enables an additional 99 queries (covering 29 more CWE). 4 security queries have been added with this release.

CodeQL CLI

New Features

  • Executable binaries for Windows are now digitally signed by a GitHub certificate.

Miscellaneous

  • The evaluator logs produced by --evaluator-log now default to the maximum verbosity level and will therefore contain more information (and, accordingly, grow larger). The verbosity level can still be configured with --evaluator-log-level. In particular, --evaluator-log-level=1 will restore the previous default behavior.

Query Packs

Breaking Changes

C/C++

  • The deprecated queries cpp/duplicate-block, cpp/duplicate-function, cpp/duplicate-class, cpp/duplicate-file, cpp/mostly-duplicate-function, cpp/similar-file, and cpp/duplicated-lines-in-files have been removed.

Minor Analysis Improvements

C/C++

  • The “Failure to use HTTPS URLs” query (cpp/non-https-url) has been improved to reduce false positive results, and its precision has been increased to ‘high’.
  • The cpp/system-data-exposure query has been modernized and converted to a path-problem query. It now produces fewer false positive results.

C#

  • Casts to dynamic are excluded from the useless upcasts check (cs/useless-upcast).
  • The C# extractor now accepts an extractor option buildless, which decides what type of extraction is performed. If true, buildless (standalone) extraction is performed; otherwise tracing extraction is performed (the default). The option is passed via codeql database create --language=csharp -Obuildless=true ....
  • The C# extractor now accepts an extractor option trap.compression, which decides the compression format for TRAP files. The legal values are brotli (default), gzip, or none. The option is passed via codeql database create --language=csharp -Otrap.compression=value ....

New Queries

C/C++

  • A new query titled “Use of expired stack-address” (cpp/using-expired-stack-address) has been added. This query finds accesses to expired stack-allocated memory that escaped via a global variable.
  • A new cpp/insufficient-key-size query has been added to the default query suite for C/C++. The query finds uses of certain cryptographic algorithms where the key size is too small to provide adequate encryption strength.
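As an added illustration (not code from the changelog or from the CodeQL repository), the pattern that cpp/using-expired-stack-address describes beside a fixed version; the function and variable names are made up for this example:

```c
// Added example, not part of the CodeQL release notes: a stack address that
// escapes through a global (what cpp/using-expired-stack-address reports),
// and a version that stores the bytes instead of the address.
#include <stdio.h>
#include <string.h>

/* Global through which a stack address escapes the frame that owns it. */
static const char *g_label = NULL;

/* BUG: buf lives only until this function returns, yet its address is
 * stored in a global, so g_label dangles as soon as the call completes. */
void publish_label_dangling(int code) {
    char buf[32];
    snprintf(buf, sizeof buf, "E%d", code);
    g_label = buf;          /* stack address escapes via a global */
}

/* Any later read through g_label touches expired stack memory. This is the
 * access the query flags; it is deliberately not exercised by the test
 * because the behaviour is undefined and the result is not reliable. */
size_t label_length_dangling(void) {
    return strlen(g_label);
}

/* FIX: store the bytes, not the stack address. The static buffer outlives
 * every caller, so the global pointer never refers to a dead frame. */
static char g_label_storage[32];
static const char *g_label_fixed = NULL;

void publish_label_fixed(int code) {
    snprintf(g_label_storage, sizeof g_label_storage, "E%d", code);
    g_label_fixed = g_label_storage;
}

const char *current_label_fixed(void) {
    return g_label_fixed ? g_label_fixed : "";
}

int main(void) {
    publish_label_fixed(7);
    printf("fixed label: %s\n", current_label_fixed());
    return 0;
}
```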

Python

Deprecated Predicates and Classes

C/C++

  • The predicates and classes in the CodeDuplication library have been deprecated.

Language Libraries

Breaking Changes

C#

  • The C# extractor no longer supports the following legacy environment variables:

    ODASA_BUILD_ERROR_DIR
    ODASA_CSHARP_LAYOUT
    ODASA_SNAPSHOT
    SEMMLE_DIST
    SEMMLE_EXTRACTOR_OPTIONS
    SEMMLE_PLATFORM_TOOLS
    SEMMLE_PRESERVE_SYMLINKS
    SOURCE_ARCHIVE
    TRAP_FOLDER
    
  • codeql test run now extracts source code recursively from subfolders. This may break existing tests that have other tests in nested subfolders, as those will now have the nested test code included.

Major Analysis Improvements

JavaScript/TypeScript

  • Added support for TypeScript 4.6.

Minor Analysis Improvements

C/C++

  • Many queries now support structured bindings, as structured bindings are now handled in the IR translation.

Java/Kotlin

  • Added support for CharacterLiteral in CompileTimeConstantExpr.getStringValue().

JavaScript/TypeScript

  • Added sources from the jszip library to the js/zipslip query.

Python

  • Added new SSRF sinks for httpx, pycurl, urllib, urllib2, urllib3, and libtaxii. This improvement was submitted by @haby0.
  • The regular expression parser now groups sequences of normal characters. This reduces the number of instances of RegExpNormalChar.
  • Fixed taint propagation for attribute assignment. In the assignment x.foo = tainted we no longer treat the entire object x as tainted, just because the attribute foo contains tainted data. This leads to slightly fewer false positives.
  • Improved analysis of attributes for data-flow and taint tracking queries, so getattr/setattr are supported, and a write to an attribute properly stops flow for the old value in that attribute.
  • Added post-update nodes (DataFlow::PostUpdateNode) for arguments in calls that can’t be resolved.

Ruby

  • The Regex class is now an abstract class that extends StringlikeLiteral, with implementations for RegExpLiteral and for string literals that ‘flow’ into functions known to interpret string arguments as regular expressions, such as Regex.new and String.match.
  • The regular expression parser now groups sequences of normal characters. This reduces the number of instances of RegExpNormalChar.

New Features

Java/Kotlin

  • Added hasDescendant(RefType anc, Type sub)
  • Added RefType.getADescendant()
  • Added RefType.getAStrictAncestor()