Supported languages and frameworks¶
View the languages, libraries, and frameworks supported in the latest version of CodeQL.
Languages and compilers¶
The current versions of the CodeQL CLI (changelog, releases), CodeQL library packs (source), and CodeQL bundle (releases) support the following languages and compilers.
| Language | Variants | Compilers | Extensions |
|---|---|---|---|
| C/C++ | C89, C99, C11, C18, C++98, C++03, C++11, C++14, C++17, C++20 [1] | Clang (and clang-cl [2]) extensions (up to Clang 12.0), GNU extensions (up to GCC 11.1), Microsoft extensions (up to VS 2019), Arm Compiler 5 [3] |
.cpp, .c++, .cxx, .hpp, .hh, .h++, .hxx, .c, .cc, .h |
| C# | C# up to 10.0 | Microsoft Visual Studio up to 2019 with .NET up to 4.8, .NET Core up to 3.1 .NET 5, .NET 6 |
.sln, .csproj, .cs, .cshtml, .xaml |
| Go (aka Golang) | Go up to 1.20 | Go 1.11 or more recent | .go |
| Java | Java 7 to 20 [4] | javac (OpenJDK and Oracle JDK), Eclipse compiler for Java (ECJ) [5] |
.java |
| Kotlin [6] | Kotlin 1.5.0 to 1.8.20 | kotlinc | .kt |
| JavaScript | ECMAScript 2022 or lower | Not applicable | .js, .jsx, .mjs, .es, .es6, .htm, .html, .xhtm, .xhtml, .vue, .hbs, .ejs, .njk, .json, .yaml, .yml, .raml, .xml [7] |
| Python [8] | 2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 | Not applicable | .py |
| Ruby [9] | up to 3.1 | Not applicable | .rb, .erb, .gemspec, Gemfile |
| TypeScript [10] | 2.6-4.9 | Standard TypeScript compiler | .ts, .tsx, .mts, .cts |
| [1] | C++20 support is currently in beta. Supported for GCC on Linux only. Modules are not supported. |
| [2] | Support for the clang-cl compiler is preliminary. |
| [3] | Support for the Arm Compiler (armcc) is preliminary. |
| [4] | Builds that execute on Java 7 to 20 can be analyzed. The analysis understands Java 20 standard language features. |
| [5] | ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin. |
| [6] | Kotlin support is currently in beta. |
| [7] | JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files. |
| [8] | The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python. |
| [9] | Requires glibc 2.17. |
| [10] | TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default. |
Frameworks and libraries¶
The current versions of the CodeQL library and query packs (source) have been explicitly checked against the libraries and frameworks listed below.
Tip
If you’re interested in other libraries or frameworks, you can extend the analysis to cover them. For example, by extending the data flow libraries to include data sources and sinks for additional libraries or frameworks.
C and C++ built-in support¶
Provided by the current versions of the
CodeQL query pack codeql/cpp-queries (changelog, source)
and the CodeQL library pack codeql/cpp-all (changelog, source).
| Name | Category |
|---|---|
| Bloomberg Standard Library | Utility library |
| Berkeley socket API library | Network communicator |
| string.h | String library |
C# built-in support¶
Provided by the current versions of the
CodeQL query pack codeql/csharp-queries (changelog, source)
and the CodeQL library pack codeql/csharp-all (changelog, source).
| Name | Category |
|---|---|
| ASP.NET | Web application framework |
| ASP.NET Core | Web application framework |
| ASP.NET Razor templates | Web application framework |
| Dapper | Database ORM |
| EntityFramework | Database ORM |
| EntityFramework Core | Database ORM |
| Json.NET | Serialization |
| NHibernate | Database ORM |
| WinForms | User interface |
Go built-in support¶
Provided by the current versions of the
CodeQL query pack codeql/go-queries (changelog, source)
and the CodeQL library pack codeql/go-all (changelog, source).
| Name | Category |
|---|---|
| beego | Web/logging/database framework |
| Chi | Web framework |
| Couchbase (gocb and go-couchbase) | Database |
| Echo | Web framework |
| Gin | Web framework |
| glog | Logging library |
| go-pg | Database |
| go-restful | Web application framework |
| go-sh | Utility library |
| go-spew | Logging library |
| GoKit | Microservice toolkit |
| Gokogiri | XPath library |
| golang.org/x/crypto/ssh | Network communicator |
| golang.org/x/net/websocket | Network communicator |
| goproxy | HTTP proxy library |
| Gorilla mux | HTTP request router and dispatcher |
| Gorilla websocket | Network communicator |
| GORM | Database |
| GoWebsocket | Network communicator |
| goxpath | XPath library |
| htmlquery | XPath library |
| json-iterator | Serialization |
| jsonpatch | Serialization |
| jsonquery | XPath library |
| klog | Logging library |
| Logrus | Logging library |
| Macaron | Web framework |
| mongo | Database |
| nhooyr.io/websocket | Network communicator |
| protobuf | Serialization |
| Revel | Web framework |
| sqlx | Database |
| SendGrid | Email library |
| Squirrel | Database |
| ws | Network communicator |
| xmlpath | XPath library |
| xmlquery | XPath library |
| xpath | XPath library |
| xpathparser | XPath library |
| yaml | Serialization |
| zap | Logging library |
Java and Kotlin built-in support¶
Note
CodeQL analysis for Kotlin is currently in beta. During the beta, analysis of Kotlin code, and the accompanying documentation, will not be as comprehensive as for other languages.
Provided by the current versions of the
CodeQL query pack codeql/java-queries (changelog, source)
and the CodeQL library pack codeql/java-all (changelog, source).
| Name | Category |
|---|---|
| Apache Commons Lang | Utility library |
| Apache Commons Collections | Data structure utility library |
| Apache HTTP components | Network communicator |
| Guava | Utility and collections library |
| Hibernate | Database |
| iBatis / MyBatis | Database |
| Jackson | Serialization |
| JSON-java | Serialization |
| Java Persistence API (JPA) | Database |
| JaxRS | Jakarta EE API specification |
| JDBC | Database |
| Protobuf | Serialization |
| Kryo deserialization | Serialization |
| SnakeYaml | Serialization |
| Spring JDBC | Database |
| Spring MVC | Web application framework |
| Struts | Web application framework |
| Thrift | RPC framework |
| XStream | Serialization |
JavaScript and TypeScript built-in support¶
Provided by the current versions of the
CodeQL query pack codeql/javascript-queries (changelog, source)
and the CodeQL library pack codeql/javascript-all (changelog, source).
| Name | Category |
|---|---|
| angular (modern version) | HTML framework |
| angular.js (legacy version) | HTML framework |
| axios | Network communicator |
| browser | Runtime environment |
| EJS | templating language |
| electron | Runtime environment |
| express | Server |
| Fastify | Server |
| handlebars | templating language |
| hapi | Server |
| hogan | templating language |
| jquery | Utility library |
| koa | Server |
| lodash | Utility library |
| mongodb | Database |
| mssql | Database |
| mustache | templating language |
| mysql | Database |
| node | Runtime environment |
| nest.js | Server |
| nunjucks | templating language |
| postgres | Database |
| ramda | Utility library |
| react | HTML framework |
| react native | HTML framework |
| request | Network communicator |
| restify | Server |
| sequelize | Database |
| socket.io | Network communicator |
| sqlite3 | Database |
| superagent | Network communicator |
| swig | templating language |
| underscore | Utility library |
| vue | HTML framework |
Python built-in support¶
Provided by the current versions of the
CodeQL query pack codeql/python-queries (changelog, source)
and the CodeQL library pack codeql/python-all (changelog, source).
| Name | Category |
|---|---|
| aiohttp.web | Web framework |
| Django | Web framework |
| djangorestframework | Web framework |
| FastAPI | Web framework |
| Flask | Web framework |
| Tornado | Web framework |
| Twisted | Web framework |
| Flask-Admin | Web framework |
| starlette | Asynchronous Server Gateway Interface (ASGI) |
| python-ldap | Lightweight Directory Access Protocol (LDAP) |
| ldap3 | Lightweight Directory Access Protocol (LDAP) |
| httpx | HTTP client |
| pycurl | HTTP client |
| requests | HTTP client |
| urllib | HTTP client |
| urllib2 | HTTP client |
| urllib3 | HTTP client |
| dill | Serialization |
| PyYAML | Serialization |
| ruamel.yaml | Serialization |
| simplejson | Serialization |
| toml | Serialization |
| ujson | Serialization |
| fabric | Utility library |
| idna | Utility library |
| invoke | Utility library |
| jmespath | Utility library |
| multidict | Utility library |
| pydantic | Utility library |
| yarl | Utility library |
| aioch | Database |
| aiomysql | Database |
| aiopg | Database |
| asyncpg | Database |
| clickhouse-driver | Database |
| cx_Oracle | Database |
| mysql-connector-python | Database |
| mysql-connector | Database |
| MySQL-python | Database |
| mysqlclient | Database |
| oracledb | Database |
| phoenixdb | Database |
| psycopg2 | Database |
| pyodbc | Database |
| pymssql | Database |
| PyMySQL | Database |
| sqlite3 | Database |
| Flask-SQLAlchemy | Database ORM |
| peewee | Database ORM |
| SQLAlchemy | Database ORM |
| cryptography | Cryptography library |
| pycryptodome | Cryptography library |
| pycryptodomex | Cryptography library |
| rsa | Cryptography library |
| MarkupSafe | Escaping Library |
| libtaxii | TAXII utility library |
| libxml2 | XML processing library |
| lxml | XML processing library |
| xmltodict | XML processing library |
Ruby built-in support¶
Provided by the current versions of the
CodeQL query pack codeql/ruby-queries (changelog, source)
and the CodeQL library pack codeql/ruby-all (changelog, source).
| Name | Category |
|---|---|
| excon | HTTP client |
| faraday | HTTP client |
| http_client | HTTP client |
| httparty | HTTP client |
| libxml-ruby | XML processing library |
| nokogiri | XML processing library |
| open-uri | HTTP client |
| posix-spawn | Utility library |
| rest-client | HTTP client |
| Ruby on Rails | Web framework |
| rubyzip | Compression library |
| typhoeus | HTTP client |