CodeQL 2.9.1 (2022-05-05)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.9.1 runs a total of 327 security queries when configured with the Default suite (covering 140 CWE). The Extended suite enables an additional 103 queries (covering 29 more CWE). 3 security queries have been added with this release.
CodeQL CLI¶
There are no user-facing CLI changes in this release.
Query Packs¶
Minor Analysis Improvements¶
Java¶
- Query
java/insecure-cookieno longer produces a false positive ifcookie.setSecure(...)is called passing a constant that always equalstrue.
JavaScript/TypeScript¶
- The call graph now deals more precisely with calls to accessors (getters and setters). Previously, calls to static accessors were not resolved, and some method calls were incorrectly seen as calls to an accessor. Both issues have been fixed.
New Queries¶
C/C++¶
- An new query
cpp/external-entity-expansionhas been added. The query detects XML objects that are vulnerable to external entity expansion (XXE) attacks.
Ruby¶
- Added a new query,
rb/insecure-download. The query finds cases where executables and other sensitive files are downloaded over an insecure connection, which may allow for man-in-the-middle attacks. - Added a new query,
rb/regex/missing-regexp-anchor, which finds regular expressions which are improperly anchored. Validations using such expressions are at risk of being bypassed. - Added a new query,
rb/incomplete-sanitization. The query finds string transformations that do not replace or escape all occurrences of a meta-character.
Language Libraries¶
Bug Fixes¶
Java¶
- The QL class
JumpStmthas been made the superclass ofBreakStmt,ContinueStmtandYieldStmt. This allows directly using its inherited predicates without having to explicitly cast toJumpStmtfirst.
Breaking Changes¶
C/C++¶
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
C#¶
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
Java¶
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
Python¶
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
Ruby¶
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
Minor Analysis Improvements¶
C/C++¶
- More Windows pool allocation functions are now detected as
AllocationFunctions. - The
semmle.code.cpp.commons.Bufferlibrary has been enhanced to handle array members of classes that do not specify a size.
Java¶
- Improved the data flow support for the Android class
SharedPreferences$Editor. Specifically, the fluent logic of some of its methods is now taken into account when calculating data flow.- Added flow sources and steps for JMS versions 1 and 2.
- Added flow sources and steps for RabbitMQ.
- Added flow steps for
java.io.DataInputandjava.io.ObjectInputimplementations.
- Added data-flow models for the Spring Framework component
spring-beans.