Supported languages and frameworks¶
View the languages, libraries, and frameworks supported in the latest version of CodeQL.
Languages and compilers¶
CodeQL supports the following languages and compilers.
| Language | Variants | Compilers | Extensions |
|---|---|---|---|
| C/C++ | C89, C99, C11, C18, C++98, C++03, C++11, C++14, C++17, C++20 [1] | Clang (and clang-cl [2]) extensions (up to Clang 12.0), GNU extensions (up to GCC 11.1), Microsoft extensions (up to VS 2019), Arm Compiler 5 [3] |
.cpp, .c++, .cxx, .hpp, .hh, .h++, .hxx, .c, .cc, .h |
| C# | C# up to 9.0 | Microsoft Visual Studio up to 2019 with .NET up to 4.8, .NET Core up to 3.1 .NET 5 |
.sln, .csproj, .cs, .cshtml, .xaml |
| Go (aka Golang) | Go up to 1.16 | Go 1.11 or more recent | .go |
| Java | Java 7 to 16 [4] | javac (OpenJDK and Oracle JDK), Eclipse compiler for Java (ECJ) [5] |
.java |
| JavaScript | ECMAScript 2021 or lower | Not applicable | .js, .jsx, .mjs, .es, .es6, .htm, .html, .xhtm, .xhtml, .vue, .hbs, .ejs, .njk, .json, .yaml, .yml, .raml, .xml [6] |
| Python | 2.7, 3.5, 3.6, 3.7, 3.8, 3.9 | Not applicable | .py |
| Ruby [7] | up to 3.0.2 | Not applicable | .rb, .erb, .gemspec, Gemfile |
| TypeScript [8] | 2.6-4.5 | Standard TypeScript compiler | .ts, .tsx |
| [1] | C++20 support is currently in beta. Supported for GCC on Linux only. Modules are not supported. |
| [2] | Support for the clang-cl compiler is preliminary. |
| [3] | Support for the Arm Compiler (armcc) is preliminary. |
| [4] | Builds that execute on Java 7 to 16 can be analyzed. The analysis understands Java 16 standard language features. |
| [5] | ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin. |
| [6] | JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files. |
| [7] | Requires glibc 2.17. |
| [8] | TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default for LGTM. |
Frameworks and libraries¶
The libraries and queries in the current version of CodeQL have been explicitly checked against the libraries and frameworks listed below.
Tip
If you’re interested in other libraries or frameworks, you can extend the analysis to cover them. For example, by extending the data flow libraries to include data sources and sinks for additional libraries or frameworks.
C and C++ built-in support¶
| Name | Category |
|---|---|
| Bloomberg Standard Library | Utility library |
| Berkeley socket API library | Network communicator |
| string.h | String library |
C# built-in support¶
| Name | Category |
|---|---|
| ASP.NET | Web application framework |
| ASP.NET Core | Web application framework |
| ASP.NET Razor templates | Web application framework |
| Dapper | Database ORM |
| EntityFramework | Database ORM |
| EntityFramework Core | Database ORM |
| Json.NET | Serialization |
| NHibernate | Database ORM |
| WinForms | User interface |
Go built-in support¶
| Name | Category |
|---|---|
| beego | Web/logging/database framework |
| Chi | Web framework |
| Couchbase (gocb and go-couchbase) | Database |
| Echo | Web framework |
| Gin | Web framework |
| glog | Logging library |
| go-pg | Database |
| go-restful | Web application framework |
| go-sh | Utility library |
| go-spew | Logging library |
| GoKit | Microservice toolkit |
| Gokogiri | XPath library |
| golang.org/x/crypto/ssh | Network communicator |
| golang.org/x/net/websocket | Network communicator |
| goproxy | HTTP proxy library |
| Gorilla mux | HTTP request router and dispatcher |
| Gorilla websocket | Network communicator |
| GORM | Database |
| GoWebsocket | Network communicator |
| goxpath | XPath library |
| htmlquery | XPath library |
| json-iterator | Serialization |
| jsonpatch | Serialization |
| jsonquery | XPath library |
| klog | Logging library |
| Logrus | Logging library |
| Macaron | Web framework |
| mongo | Database |
| nhooyr.io/websocket | Network communicator |
| protobuf | Serialization |
| Revel | Web framework |
| sqlx | Database |
| SendGrid | Email library |
| Squirrel | Database |
| ws | Network communicator |
| xmlpath | XPath library |
| xmlquery | XPath library |
| xpath | XPath library |
| xpathparser | XPath library |
| yaml | Serialization |
| zap | Logging library |
Java built-in support¶
| Name | Category |
|---|---|
| Apache Commons Lang | Utility library |
| Apache Commons Collections | Data structure utility library |
| Apache HTTP components | Network communicator |
| Guava | Utility and collections library |
| Hibernate | Database |
| iBatis / MyBatis | Database |
| Jackson | Serialization |
| JSON-java | Serialization |
| Java Persistence API (JPA) | Database |
| JaxRS | Jakarta EE API specification |
| JDBC | Database |
| Protobuf | Serialization |
| Kryo deserialization | Serialization |
| SnakeYaml | Serialization |
| Spring JDBC | Database |
| Spring MVC | Web application framework |
| Struts | Web application framework |
| Thrift | RPC framework |
| XStream | Serialization |
JavaScript and TypeScript built-in support¶
| Name | Category |
|---|---|
| angular (modern version) | HTML framework |
| angular.js (legacy version) | HTML framework |
| axios | Network communicator |
| browser | Runtime environment |
| EJS | templating language |
| electron | Runtime environment |
| express | Server |
| handlebars | templating language |
| hapi | Server |
| hogan | templating language |
| jquery | Utility library |
| koa | Server |
| lodash | Utility library |
| mongodb | Database |
| mssql | Database |
| mustache | templating language |
| mysql | Database |
| node | Runtime environment |
| nest.js | Server |
| nunjucks | templating language |
| postgres | Database |
| ramda | Utility library |
| react | HTML framework |
| react native | HTML framework |
| request | Network communicator |
| sequelize | Database |
| socket.io | Network communicator |
| sqlite3 | Database |
| superagent | Network communicator |
| swig | templating language |
| underscore | Utility library |
| vue | HTML framework |
Python built-in support¶
| Name | Category |
|---|---|
| aiohttp.web | Web framework |
| Django | Web framework |
| djangorestframework | Web framework |
| FastAPI | Web framework |
| Flask | Web framework |
| Tornado | Web framework |
| Twisted | Web framework |
| Flask-Admin | Web framework |
| starlette | Asynchronous Server Gateway Interface (ASGI) |
| requests | HTTP client |
| dill | Serialization |
| PyYAML | Serialization |
| ruamel.yaml | Serialization |
| simplejson | Serialization |
| toml | Serialization |
| ujson | Serialization |
| fabric | Utility library |
| idna | Utility library |
| invoke | Utility library |
| jmespath | Utility library |
| multidict | Utility library |
| pydantic | Utility library |
| yarl | Utility library |
| aioch | Database |
| aiomysql | Database |
| aiopg | Database |
| asyncpg | Database |
| clickhouse-driver | Database |
| mysql-connector-python | Database |
| mysql-connector | Database |
| MySQL-python | Database |
| mysqlclient | Database |
| psycopg2 | Database |
| sqlite3 | Database |
| Flask-SQLAlchemy | Database ORM |
| peewee | Database ORM |
| SQLAlchemy | Database ORM |
| cryptography | Cryptography library |
| pycryptodome | Cryptography library |
| pycryptodomex | Cryptography library |
| rsa | Cryptography library |
| MarkupSafe | Escaping Library |