CodeQL 2.8.4 (2022-03-29)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.8.4 runs a total of 315 security queries when configured with the Default suite (covering 140 CWE). The Extended suite enables an additional 99 queries (covering 29 more CWE). 3 security queries have been added with this release.
CodeQL CLI
Bug Fixes
- Fixed an error where running out of memory during query evaluation would cause codeql to exit with status 34 instead of the 99 that is documented for this condition.
- Fixed a bug in our handling of Clang’s header maps, which caused missing files for Xcode-based projects on macOS (e.g. WebKit).
Query Packs
Minor Analysis Improvements
C/C++
- The cpp/overflow-destination, cpp/unclear-array-index-validation, and cpp/uncontrolled-allocation-size queries have been modernized and converted to path-problem queries, and provide more true positive results.
- The cpp/system-data-exposure query has been increased from medium to high precision, following a number of improvements to the query logic.
Java/Kotlin
- Updated “Local information disclosure in a temporary directory” (java/local-temp-file-or-directory-information-disclosure) to remove false positives when an OS check is properly used as a logical guard.
JavaScript/TypeScript
- Fixed an issue that would sometimes prevent the data-flow analysis from finding flow paths through a function that stores its result on an object. This may lead to more results for the security queries.
New Queries
Java/Kotlin
- The query “Insertion of sensitive information into log files” (java/sensitive-logging) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @luchua-bc.
Ruby
- Added a new query, rb/clear-text-storage-sensitive-data. The query finds cases where sensitive information, such as user credentials, is stored as cleartext.
- Added a new query, rb/incomplete-hostname-regexp. The query finds instances where a hostname is incompletely sanitized due to an unescaped character in a regular expression.
Language Libraries
Breaking Changes
C/C++
- The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.
C#
- The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.
Java/Kotlin
- The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.
Python
- The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.
Ruby
- The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.
Minor Analysis Improvements
C/C++
- DefaultOptions::exits now holds for C11 functions with the _Noreturn or noreturn specifier.
- hasImplicitCopyConstructor and hasImplicitCopyAssignmentOperator now correctly handle implicitly-deleted operators in templates.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
C#
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Java/Kotlin
- Added new guards IsWindowsGuard, IsSpecificWindowsVariant, IsUnixGuard, and IsSpecificUnixVariant to detect OS-specific guards.
- Added a new predicate getSystemProperty that gets all expressions that retrieve system properties from a variety of sources (e.g. alternative JDK APIs, Google Guava, Apache Commons, Apache IO, etc.).
- Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (java.sql), Hikari Connection Pool, JDBI and Spring JDBC.
- Re-removed support for CharacterLiteral from CompileTimeConstantExpr.getStringValue() to restore the convention that the predicate only applies to String-typed constants.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
JavaScript/TypeScript
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Python
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
Ruby
- getConstantValue() now returns the contents of strings and symbols after escape sequences have been interpreted. For example, for the Ruby string literal "\n", getConstantValue().getString() previously returned a QL string with two characters, a backslash followed by n; now it returns the single-character string consisting of U+000A (newline).
- getConstantValue().getInt() previously returned incorrect values for integers larger than 2^31 - 1 (the largest value that can be represented by the QL int type). It now returns no result in those cases.
- Added the OrmWriteAccess concept to model data written to a database using an object-relational mapping (ORM) library.
Deprecated APIs
C/C++
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
C#
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
Java/Kotlin
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
JavaScript/TypeScript
- Some predicates from DefUse.qll, DataFlow.qll, TaintTracking.qll, DOM.qll, and Definitions.qll that weren’t used by any query have been deprecated. The documentation for each predicate points to an alternative.
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Some modules that started with a lowercase letter have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
Python
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Some modules that started with a lowercase letter have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
Ruby
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
New Features
C/C++
- The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard (respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard) that support flow states.
C#
- The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard (respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard) that support flow states.
Java/Kotlin
- The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard (respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard) that support flow states.
Python
- The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard (respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard) that support flow states.
Ruby
- The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard (respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard) that support flow states.
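The following Java taint-tracking configuration is an added illustration, not code from this changelog or from the CodeQL libraries, of the two flow-state changes above: the Breaking Changes entry (state-aware sanitizing now goes through isSanitizer and isAdditionalTaintStep rather than the removed isBarrier/isAdditionalFlowStep variants) and the New Features entry (isSanitizerGuard now takes a flow state). The methods readUntrustedInput(), normalize(), validate(), isSafe() (boolean) and runCommand(), the flow-state names "raw" and "normalized", and the classes callTo, IsSafeGuard and FlowStateConf are hypothetical placeholders.

```ql
/** @kind path-problem */

import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

/** A call to the hypothetical method `name`. */
MethodAccess callTo(string name) { result.getMethod().hasName(name) }

/** Hypothetical boolean check `isSafe(x)`: on its true branch, `x` counts as checked. */
class IsSafeGuard extends DataFlow::BarrierGuard {
  IsSafeGuard() { this = callTo("isSafe") }
  override predicate checks(Expr e, boolean branch) {
    e = this.(MethodAccess).getArgument(0) and branch = true
  }
}

class FlowStateConf extends TaintTracking::Configuration {
  FlowStateConf() { this = "FlowStateConf" }

  override predicate isSource(DataFlow::Node src, DataFlow::FlowState state) {
    src.asExpr() = callTo("readUntrustedInput") and state = "raw"
  }

  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
    sink.asExpr() = callTo("runCommand").getArgument(0) and state = ["raw", "normalized"]
  }

  // normalize() moves data from "raw" to "normalized"; validate() returns its argument, so taint passes through it unchanged in either state.
  override predicate isAdditionalTaintStep(
    DataFlow::Node n1, DataFlow::FlowState s1, DataFlow::Node n2, DataFlow::FlowState s2
  ) {
    exists(MethodAccess ma | n1.asExpr() = ma.getArgument(0) and n2.asExpr() = ma |
      ma = callTo("normalize") and s1 = "raw" and s2 = "normalized"
      or
      ma = callTo("validate") and s1 = s2 and s1 = ["raw", "normalized"]
    )
  }

  // State-aware sanitizer (the replacement for the removed isBarrier(node, state)): validate() only clears normalized data, so raw data that skipped normalize() is still reported.
  override predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) {
    node.asExpr() = callTo("validate") and state = "normalized"
  }

  // New in 2.8.4: a barrier guard that applies to a single flow state.
  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
    guard instanceof IsSafeGuard and state = "normalized"
  }
}

from FlowStateConf conf, DataFlow::PathNode source, DataFlow::PathNode sink
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Untrusted input reaches runCommand()."
```

Because the sanitizer and the guard are keyed on the "normalized" state, a path that reaches runCommand() without passing through normalize() is still reported even if it goes through validate() or is wrapped in an isSafe() check.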