CodeQL 2.9.3 (2022-05-31)¶

Contents

Security Coverage
CodeQL CLI
- Bug Fixes
- New Features
Query Packs
Language Libraries

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.9.3 runs a total of 335 security queries when configured with the Default suite (covering 142 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 5 security queries have been added with this release.

CodeQL CLI¶

Bug Fixes¶

Fixed a bug where precompiled CodeQL packages in the CodeQL bundle were being recompiled if they were in a read-only directory.
Fixed a bug where new versions of the VS Code extension wouldn’t run two queries in parallel against one database.

New Features¶

Users can now use CodeQL Packaging Beta to publish and download CodeQL packs on GitHub Enterprise Server (GHES) versions 3.6 and later.

To authenticate to a package registry on GHES 3.6+, first create a ~/.codeql/qlconfig.yml file. For example, the following file specifies that all CodeQL packages should be uploaded to the GHES instance with the hostname GHE_HOSTNAME:
```
registries:
- packages: '*'
  url: https://containers.GHE_HOSTNAME/v2/
```
You can now download public packages from GHES using codeql pack download.

To publish any package or download private packages, authenticate to GHES by specifying registry/token pairs in the CODEQL_REGISTRIES_AUTH environment variable. You can authenticate using either a GitHub Apps token or a personal access token. For example, https://containers.GHEHOSTNAME1/v2/=TOKEN1,https://containers.GHEHOSTNAME2/v2/=TOKEN2 will authenticate the CLI to the GHEHOSTNAME1 and GHEHOSTNAME2 GHES instances.

Query Packs¶

Major Analysis Improvements¶

Golang¶

The query “Incorrect conversion between integer types” has been improved to treat math.MaxUint and math.MaxInt as the values they would be on a 32-bit architecture. This should lead to fewer false positive results.

Minor Analysis Improvements¶

C/C++¶

The “XML external entity expansion” (cpp/external-entity-expansion) query precision has been increased to high.
The cpp/unused-local-variable no longer ignores functions that include if and switch statements with C++17-style initializers.

Golang¶

Fixed sanitization by calls to strings.Replace and strings.ReplaceAll in queries go/log-injection and go/unsafe-quoting.

Java¶

Query java/sensitive-log has received several improvements.
- It no longer considers usernames as sensitive information.
- The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
- A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.

New Queries¶

Golang¶

A new query “Log entries created from user input” (go/log-injection) has been added. The query reports user-provided data reaching calls to logging methods.
A new query Log entries created from user input (go/log-injection) has been added. The query reports user-provided data reaching calls to logging methods.
Added a new query, go/unexpected-nil-value, to find calls to Wrap from pkg/errors where the error argument is always nil.

Java¶

Two new queries “Inefficient regular expression” (java/redos) and “Polynomial regular expression used on uncontrolled data” (java/polynomial-redos) have been added. These queries help find instances of Regular Expression Denial of Service vulnerabilities.

JavaScript/TypeScript¶

The js/actions/command-injection query has been added. It highlights GitHub Actions workflows that may allow an attacker to execute arbitrary code in the workflow. The query previously existed an experimental query.
A new query js/insecure-temporary-file has been added. The query detects the creation of temporary files that may be accessible by others users. The query is not run by default.

Python¶

The query “PAM authorization bypass due to incorrect usage” (py/pam-auth-bypass) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @porcupineyhairs.

Language Libraries¶

Bug Fixes¶

Golang¶

Function’s predicate getACall now returns more results in some situations. It now always returns callers that may call a method indirectly via an interface method that it implements. Previously this only happened if the method was in the source code being analysed.

Breaking Changes¶

Python¶

API::moduleImport no longer has any results for dotted names, such as API::moduleImport("foo.bar"). Using API::moduleImport("foo.bar").getMember("baz").getACall() previously worked if the Python code was from foo.bar import baz; baz(), but not if the code was import foo.bar; foo.bar.baz() – we are making this change to ensure the approach that can handle all cases is always used.

Major Analysis Improvements¶

Ruby¶

Added data-flow support for hashes.

Minor Analysis Improvements¶

Golang¶

Fixed a bug where dataflow steps were ignored if both ends were inside the initialiser routine of a file-level variable.
The method predicate getACalleeIncludingExternals on DataFlow::CallNode and the function viableCallable in DataFlowDispatch now also work for calls to functions via a variable, where the function can be determined using local flow.

Java¶

Fixed a sanitizer of the query java/android/intent-redirection. Now, for an intent to be considered safe against intent redirection, both its package name and class name must be checked.

JavaScript/TypeScript¶

The isLibaryFile predicate from ClassifyFiles.qll has been renamed to isLibraryFile to fix a typo.

Ruby¶

Support for data flow through instance variables has been added.
Support of the safe navigation operator (&.) has been added; there is a new predicate MethodCall.isSafeNavigation().

Deprecated APIs¶

C/C++¶

The AnalysedString class in the StringAnalysis module has been replaced with AnalyzedString, to follow our style guide. The old name still exists as a deprecated alias.

Golang¶

The codeql/go-upgrades CodeQL pack has been removed. All database upgrade scripts have been merged into the codeql/go-all CodeQL pack.

Java¶

The QL class FloatingPointLiteral has been renamed to FloatLiteral.

New Features¶

C/C++¶

A getInitialization predicate was added to the ConstexprIfStmt, IfStmt, and SwitchStmt classes that yields the C++17-style initializer of the if or switch statement when it exists.

Golang¶

Go 1.18 generics are now extracted and can be explored using the new CodeQL classes TypeParamDecl, GenericFunctionInstantiationExpr, GenericTypeInstantiationExpr, TypeSetTerm, and TypeSetLiteralType, as well as using new predicates defined on the existing InterfaceType. Class- and predicate-level documentation can be found in the Go CodeQL library reference.