CodeQL documentation

CodeQL 2.8.4 (2022-03-29)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.8.4 runs a total of 315 security queries when configured with the Default suite (covering 140 CWE). The Extended suite enables an additional 99 queries (covering 29 more CWE). 3 security queries have been added with this release.

CodeQL CLI

Bug Fixes

  • Fixed an error where running out of memory during query evaluation would cause codeql to exit with status 34 instead of the 99 that is documented for this condition.
  • Fixed a bug in our handling of Clang’s header maps, which caused missing files for Xcode-based projects on macOS (e.g. WebKit).

Query Packs

Minor Analysis Improvements

C/C++

  • The cpp/overflow-destination, cpp/unclear-array-index-validation, and cpp/uncontrolled-allocation-size queries have been modernized and converted to path-problem queries and provide more true positive results.
  • The cpp/system-data-exposure query has been increased from medium to high precision, following a number of improvements to the query logic.

Java/Kotlin

  • Updated “Local information disclosure in a temporary directory” (java/local-temp-file-or-directory-information-disclosure) to remove false-positives when OS is properly used as logical guard.

JavaScript/TypeScript

  • Fixed an issue that would sometimes prevent the data-flow analysis from finding flow paths through a function that stores its result on an object. This may lead to more results for the security queries.

New Queries

Java/Kotlin

Ruby

  • Added a new query, rb/clear-text-storage-sensitive-data. The query finds cases where sensitive information, such as user credentials, are stored as cleartext.
  • Added a new query, rb/incomplete-hostname-regexp. The query finds instances where a hostname is incompletely sanitized due to an unescaped character in a regular expression.

Language Libraries

Breaking Changes

C/C++

  • The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.

C#

  • The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.

Java/Kotlin

  • The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.

Python

  • The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.

Ruby

  • The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.

Minor Analysis Improvements

C/C++

  • DefaultOptions::exits now holds for C11 functions with the _Noreturn or noreturn specifier.
  • hasImplicitCopyConstructor and hasImplicitCopyAssignmentOperator now correctly handle implicitly-deleted operators in templates.
  • All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

C#

  • All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

Java/Kotlin

  • Added new guards IsWindowsGuard, IsSpecificWindowsVariant, IsUnixGuard, and IsSpecificUnixVariant to detect OS specific guards.
  • Added a new predicate getSystemProperty that gets all expressions that retrieve system properties from a variety of sources (eg. alternative JDK API’s, Google Guava, Apache Commons, Apache IO, etc.).
  • Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (java.sql), Hikari Connection Pool, JDBI and Spring JDBC.
  • Re-removed support for CharacterLiteral from CompileTimeConstantExpr.getStringValue() to restore the convention that that predicate only applies to String-typed constants.
  • All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

JavaScript/TypeScript

  • All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

Python

  • All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

Ruby

  • getConstantValue() now returns the contents of strings and symbols after escape sequences have been interpreted. For example, for the Ruby string literal "\n", getConstantValue().getString() previously returned a QL string with two characters, a backslash followed by n; now it returns the single-character string “n” (U+000A, known as newline).
  • getConstantValue().getInt() previously returned incorrect values for integers larger than 231-1 (the largest value that can be represented by the QL int type). It now returns no result in those cases.
  • Added OrmWriteAccess concept to model data written to a database using an object-relational mapping (ORM) library.

Deprecated APIs

C/C++

  • Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

C#

  • Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

Java/Kotlin

  • Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

JavaScript/TypeScript

  • Some predicates from DefUse.qll, DataFlow.qll, TaintTracking.qll, DOM.qll, Definitions.qll that weren’t used by any query have been deprecated. The documentation for each predicate points to an alternative.
  • Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
  • Some modules that started with a lowercase letter have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

Python

  • Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
  • Some modules that started with a lowercase letter have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

Ruby

  • Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

New Features

C/C++

  • The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard, respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard, that support flow states.

C#

  • The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard, respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard, that support flow states.

Java/Kotlin

  • The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard, respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard, that support flow states.

Python

  • The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard, respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard, that support flow states.

Ruby

  • The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard, respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard, that support flow states.
  • © GitHub, Inc.
  • Terms
  • Privacy