CodeQL documentation

CodeQL 2.9.2 (2022-05-16)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.9.2 runs a total of 330 security queries when configured with the Default suite (covering 141 CWE). The Extended suite enables an additional 104 queries (covering 29 more CWE). 4 security queries have been added with this release.

CodeQL CLI

Bug Fixes

  • Fixed a bug that could make it unpredictable whether the QL compiler reports problems about query metadata tags, and thereby make codeql test run fail spuriously in some cases.

New Features

  • The tables produced by codeql database analyze summarizing the results of any diagnostic and metric queries that were run now exclude the results of queries tagged telemetry.
  • Uploading SARIF results using the codeql github upload-results command now has a timeout of 5 minutes.
  • Downloading CodeQL packs using the codeql pack download, codeql pack install and related commands now has a timeout of 5 minutes and will retry 3 times before failing. Similar behavior has been added to the codeql pack publish command.
  • The codeql generate log-summary command will now print progress updates to stderr.

Removed Features

  • The table printed by codeql database analyze to summarize the results of metric queries that were part of the analysis now reports a single row per metric name independently of the verbosity level of the command. Previously, at higher verbosity levels, this table would contain multiple rows for metric names with multiple values.

Query Packs

Minor Analysis Improvements

C/C++

  • The “XML external entity expansion” (cpp/external-entity-expansion) query has been extended to support a broader selection of XML libraries and interfaces.

Java

  • Query java/insecure-cookie now tolerates setting a cookie’s secure flag to request.isSecure(). This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
  • The query java/non-https-urls has been simplified and no longer requires its sinks to be MethodAccesses.
  • The logic to detect WebViews with JavaScript (and optionally file access) enabled in the query java/android/unsafe-android-webview-fetch has been improved.

New Queries

JavaScript/TypeScript

  • The js/missing-origin-check query has been added. It highlights “message” event handlers that do not check the origin of the event.

    The query previously existed as the experimental js/missing-postmessageorigin-verification query.
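    As an added illustration (not code from the CodeQL changelog or the CodeQL project), the handler shape js/missing-origin-check reports next to a handler that verifies the origin. It runs under Node: the MessageEvent objects, the allow-list and the state object are constructed here and stand in for what a browser would deliver.

```javascript
// Constructed allow-list. A MessageEvent's `origin` is scheme + host + port
// with no path or trailing slash, so compare whole strings against the list
// rather than using prefix or substring checks. Sandboxed frames report the
// string "null", which an exact match also rejects.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Flagged pattern: the handler acts on event.data without inspecting
// event.origin, so any document holding a reference to this window (an
// embedding frame, an opener) can send it commands.
function unsafeHandler(event, state) {
  const { action, value } = event.data || {};
  if (action === 'setTheme') {
    state.theme = value;
  }
  return state;
}

// Hardened pattern: reject any message whose origin is not on the allow-list,
// then validate the payload before acting on it.
function safeHandler(event, state) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return state; // silently ignore messages from unknown origins
  }
  const { action, value } = event.data || {};
  if (action === 'setTheme' && (value === 'light' || value === 'dark')) {
    state.theme = value;
  }
  return state;
}

// Constructed events standing in for what a 'message' listener receives.
// In a browser the wiring would be:
//   window.addEventListener('message', (e) => safeHandler(e, appState));
const fromTrusted = {
  origin: 'https://app.example.com',
  data: { action: 'setTheme', value: 'dark' },
};
const fromUnknown = {
  origin: 'https://attacker.example',
  data: { action: 'setTheme', value: 'dark' },
};

// Same payload, different origins: only the hardened handler tells them apart.
unsafeHandler(fromUnknown, { theme: 'light' }); // theme becomes 'dark'
safeHandler(fromUnknown, { theme: 'light' });   // theme stays 'light'
```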

Python

  • “XML external entity expansion” (py/xxe). Results will appear by default. This query was based on an experimental query by @jorgectf.
  • “XML internal entity expansion” (py/xml-bomb). Results will appear by default. This query was based on an experimental query by @jorgectf.
  • The query “CSRF protection weakened or disabled” (py/csrf-protection-disabled) has been implemented. Its results will now appear by default.

Query Metadata Changes

Java

  • Query java/predictable-seed now has a tag for CWE-337.

Language Libraries

Bug Fixes

Ruby

  • The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.

Breaking Changes

Python

  • The imports made available from import python are no longer exposed under DataFlow:: after doing import semmle.python.dataflow.new.DataFlow; for example, using DataFlow::Add will now cause a compile error.

Minor Analysis Improvements

Java

  • Added models for the libraries OkHttp and Retrofit.
  • Added taint models for the following File methods:
    • File::getAbsoluteFile
    • File::getCanonicalFile
    • File::getAbsolutePath
    • File::getCanonicalPath
  • Added a flow step for toString calls on tainted android.text.Editable objects.
  • Added a data flow step for tainted Android intents that are sent to other activities and accessed there via getIntent().
  • Added modeling of MyBatis (org.apache.ibatis) Providers, resulting in additional sinks for the queries java/ognl-injection, java/sql-injection, java/sql-injection-local and java/concatenated-sql-query.

JavaScript/TypeScript

  • The cash library is now modelled as an alias for jQuery.

    Sinks and sources from cash should now be handled by all XSS queries.

  • Added the Selection API as a DOM text source in the js/xss-through-dom query.

  • The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.

  • The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.

Python

  • The modeling of request.files in Flask has been fixed, so we now properly handle assignments to local variables (such as files = request.files; files['key'].filename).
  • Added taint propagation for io.StringIO and io.BytesIO. This addition was originally submitted as part of an experimental query by @jorgectf.

Deprecated APIs

JavaScript/TypeScript

  • The ReflectedXss, StoredXss, XssThroughDom, and ExceptionXss modules from Xss.qll have been deprecated.

    Use the Customizations.qll file belonging to the query instead.

New Features

Java

  • A number of new classes and methods related to the upcoming Kotlin support have been added. These are not yet stable, as Kotlin support is still under development.
    • File::isSourceFile
    • File::isJavaSourceFile
    • File::isKotlinSourceFile
    • Member::getKotlinType
    • Element::isCompilerGenerated
    • Expr::getKotlinType
    • LambdaExpr::isKotlinFunctionN
    • Callable::getReturnKotlinType
    • Callable::getParameterKotlinType
    • Method::isLocal
    • Method::getKotlinName
    • Field::getKotlinType
    • Modifiable::isSealedKotlin
    • Modifiable::isInternal
    • Variable::getKotlinType
    • LocalVariableDecl::getKotlinType
    • Parameter::getKotlinType
    • Parameter::isExtensionParameter
    • Compilation class
    • Diagnostic class
    • KtInitializerAssignExpr class
    • ValueEQExpr class
    • ValueNEExpr class
    • ValueOrReferenceEqualsExpr class
    • ValueOrReferenceNotEqualsExpr class
    • ReferenceEqualityTest class
    • CastingExpr class
    • SafeCastExpr class
    • ImplicitCastExpr class
    • ImplicitNotNullExpr class
    • ImplicitCoercionToUnitExpr class
    • UnsafeCoerceExpr class
    • PropertyRefExpr class
    • NotInstanceOfExpr class
    • ExtensionReceiverAccess class
    • WhenExpr class
    • WhenBranch class
    • ClassExpr class
    • StmtExpr class
    • StringTemplateExpr class
    • NotNullExpr class
    • TypeNullPointerException class
    • KtComment class
    • KtCommentSection class
    • KotlinType class
    • KotlinNullableType class
    • KotlinNotnullType class
    • KotlinTypeAlias class
    • Property class
    • DelegatedProperty class
    • ExtensionMethod class
    • KtInitializerNode class
    • KtLoopStmt class
    • KtBreakContinueStmt class
    • KtBreakStmt class
    • KtContinueStmt class
    • ClassObject class
    • CompanionObject class
    • LiveLiteral class
    • LiveLiteralMethod class
    • CastConversionContext renamed to CastingConversionContext
  • The QL class ValueDiscardingExpr has been added, representing expressions for which the value of the expression as a whole is discarded.