CodeQL 2.10.2 (2022-08-02)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.10.2 runs a total of 341 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
CodeQL CLI¶
Breaking Changes¶
- The option --compiler-spec to codeql database create (and codeql database trace-command) no longer works. It is replaced by --extra-tracing-config, which accepts a tracer configuration file in the new, Lua-based tracer configuration format instead. See tools/tracer/base.lua for the precise API available. If you need help porting your existing compiler specification files, please file a public issue in https://github.com/github/codeql-cli-binaries, or open a private ticket with GitHub support and request an escalation to engineering.
Potentially Breaking Changes¶
- Versions of the CodeQL extension for Visual Studio Code released before February 2021 may not work correctly with this CLI, in particular if database upgrades are necessary. We recommend keeping your VS Code extension up-to-date.
Deprecations¶
- The experimental codeql resolve ml-models command has been deprecated. Advanced users calling this command should use the new codeql resolve extensions command instead.
New Features¶
- The codeql github upload-results command now supports a --merge option. If this option is provided, the command accepts the paths to multiple SARIF files and merges them before uploading them as a single analysis. This option is recommended only for backwards compatibility with old analyses produced by the CodeQL Runner, which combined the results for multiple languages into a single analysis.
Query Packs¶
Breaking Changes¶
Python¶
- Contextual queries and the query libraries they depend on have been moved to the codeql/python-all package.
New Queries¶
JavaScript/TypeScript¶
- A new query, “Case-sensitive middleware path” (js/case-sensitive-middleware-path), has been added. It highlights middleware routes that can be bypassed because their path is a case-sensitive regular expression: a request whose path differs only in letter case does not pass through the middleware.
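As an added illustration (not part of the CodeQL release notes or of the query's own test code), the following self-contained script models the pattern js/case-sensitive-middleware-path reports. The MiniApp class is a dependency-free stand-in for the two Express defaults that matter here: a string path is matched case-insensitively (caseSensitive: false), while a RegExp path is used exactly as written. The names requireAdmin, listUsers and the /admin paths are invented for the demonstration.

```javascript
"use strict";

// Stand-in for the Express routing behaviour that makes this bug exploitable
// (modelled here so the example runs offline; this is not Express itself):
//  - a string path is matched case-insensitively (Express default caseSensitive: false)
//  - a RegExp path is used exactly as written, so it is only case-insensitive
//    if the author remembered the /i flag
function prefixMatcher(path) {
  if (path instanceof RegExp) return (p) => path.test(p);
  const prefix = path.toLowerCase();
  return (p) => {
    const q = p.toLowerCase();
    return q === prefix || q.startsWith(prefix + "/");
  };
}

function exactMatcher(path) {
  if (path instanceof RegExp) return (p) => path.test(p);
  const want = path.toLowerCase();
  return (p) => p.toLowerCase() === want;
}

class MiniApp {
  constructor() { this.layers = []; }
  // app.use(path, fn): middleware that runs for every request under `path`
  use(path, fn) { this.layers.push({ match: prefixMatcher(path), fn }); }
  // app.get(path, fn): route handler for one exact path
  get(path, fn) { this.layers.push({ match: exactMatcher(path), fn }); }
  handle(req) {
    const res = { status: 200, body: "" };
    for (const layer of this.layers) {
      if (!layer.match(req.path)) continue;
      let nextCalled = false;
      layer.fn(req, res, () => { nextCalled = true; });
      if (!nextCalled) return res; // the layer ended the response (403, or the route handler)
    }
    res.status = 404;
    res.body = "not found";
    return res;
  }
}

// Hypothetical application code: an authorization guard and the route it protects.
function requireAdmin(req, res, next) {
  if (req.user === "admin") return next();
  res.status = 403;
  res.body = "forbidden";
}

function listUsers(req, res) {
  res.body = "alice,bob"; // must only be reachable after requireAdmin has run
}

function buildApp(guardPath) {
  const app = new MiniApp();
  app.use(guardPath, requireAdmin);   // the middleware route the query inspects
  app.get("/admin/users", listUsers); // string path: matched case-insensitively
  return app;
}

// Flagged by js/case-sensitive-middleware-path: /^\/admin/ does not match
// "/ADMIN/users", but the route above still does, so the guard is skipped.
const vulnerableApp = buildApp(/^\/admin/);
// Two ways to close the gap: make the regex case-insensitive, or let the
// router build the matcher from a string path so guard and route agree on case.
const regexFixedApp = buildApp(/^\/admin/i);
const stringFixedApp = buildApp("/admin");

// HTTP status a request for `path` receives; unauthenticated unless `user` is given.
function statusFor(app, path, user) {
  return app.handle({ path, user }).status;
}

for (const [name, app] of [["vulnerable", vulnerableApp], ["regex /i", regexFixedApp], ["string path", stringFixedApp]]) {
  console.log(name, "/admin/users ->", statusFor(app, "/admin/users"),
              "/ADMIN/users ->", statusFor(app, "/ADMIN/users"));
}
```

The vulnerable app returns 403 for /admin/users but 200 for /ADMIN/users, because the guard's regex is case-sensitive while the route lookup is not; both fixed variants return 403 for either spelling. When reviewing a finding from this query, check that the guard and the protected routes are matched under the same case rules; using a string path for the guard, or adding the i flag to the regex, is normally the simplest fix.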
Ruby¶
- Added a new experimental query, rb/manually-checking-http-verb, to detect cases where the HTTP verb of an incoming request is checked and then used as part of control flow.
- Added a new experimental query, rb/weak-params, to detect cases where the Rails strong parameters pattern isn't followed and values flow into persistent store writes.
Language Libraries¶
Bug Fixes¶
C/C++¶
- Under certain circumstances a variable declaration that is not also a definition could be associated with a Variable that did not have the definition as a VariableDeclarationEntry. This is now fixed, and a unique Variable will exist that has both the declaration and the definition as a VariableDeclarationEntry.
Minor Analysis Improvements¶
Java/Kotlin¶
- The JUnit5 version of AssertNotNull is now recognized, which removes related false positives in the nullness queries.
- Added data flow models for java.util.Scanner.
Ruby¶
- Calls to Arel.sql are now recognized as propagating taint from their argument.
- Calls to ActiveRecord::Relation#annotate are now recognized as SqlExecutions, so they are considered sinks for queries like rb/sql-injection.