CodeQL 2.10.3 (2022-08-15)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.10.3 runs a total of 342 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
CodeQL CLI¶
New Features¶
- When called with
--start-tracing
, thecodeql database init
command now accepts extractor options for the indirect tracing environment via--extractor-option
. Users should continue to specify extractor options for direct tracing environments by passing them tocodeql database trace-command
invocations.
Miscellaneous¶
- The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.
Query Packs¶
Major Analysis Improvements¶
Java/Kotlin¶
- The query
java/sensitive-log
has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.
Minor Analysis Improvements¶
C/C++¶
- The query
cpp/bad-strncpy-size
now covers morestrncpy
-like functions than before, includingstrxfrm`(:code:`_l
),wcsxfrm`(:code:`_l
), andstpncpy
. Users of this query may see an increase in results.
Golang¶
- The query
go/path-injection
no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
Java/Kotlin¶
- The query
java/path-injection
now recognises vulnerable APIs defined using theSinkModelCsv
class with thecreate-file
type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
Language Libraries¶
Major Analysis Improvements¶
C/C++¶
- The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
Minor Analysis Improvements¶
Java/Kotlin¶
- Improved analysis of the Android class
AsyncTask
so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps. - Added a data-flow model for the
setProperty
method ofjava.util.Properties
. Additional results may be found where relevant data is stored in and then retrieved from aProperties
instance.
Python¶
- Change
.getASubclass()
onAPI::Node
so it allows to follow subclasses even if the class has a class decorator.
Ruby¶
- Calls to methods generated by ActiveRecord associations are now recognised as instantiations of ActiveRecord objects. This increases the sensitivity of queries such as
rb/sql-injection
andrb/stored-xss
. - Calls to
ActiveRecord::Base.create
andActiveRecord::Base.update
are now recognised as write accesses. - Arguments to
Mime::Type#match?
andMime::Type#=~
are now recognised as regular expression sources.
New Features¶
C/C++¶
- Added a predicate
getValueConstant
toAttributeArgument
that yields the argument value as anExpr
when the value is a constant expression. - A new class predicate
MustFlowConfiguration::allowInterproceduralFlow
has been added to thesemmle.code.cpp.ir.dataflow.MustFlow
library. The new predicate can be overridden to disable interprocedural flow. - Added subclasses of
BuiltInOperations
for__builtin_bit_cast
,__builtin_shuffle
,__has_unique_object_representations
,__is_aggregate
, and__is_assignable
.