CodeQL 2.18.2 (2024-08-13)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.18.2 runs a total of 423 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 3 security queries have been added with this release.
CodeQL CLI¶
Deprecations¶
- Swift analysis on Ubuntu is no longer supported. Please migrate to macOS if this affects you.
Miscellaneous¶
- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.3.
Query Packs¶
Minor Analysis Improvements¶
C/C++¶
- Fixed false positives in the
cpp/memory-may-not-be-freed
(“Memory may not be freed”) query involving class methods that returned an allocated field of that class being misidentified as allocators. - The
cpp/incorrectly-checked-scanf
(“Incorrect return-value check for a ‘scanf’-like function”) query now produces fewer false positive results. - The
cpp/incorrect-allocation-error-handling
(“Incorrect allocation-error handling”) query no longer produces occasional false positive results inside template instantiations. - The
cpp/suspicious-allocation-size
(“Not enough memory allocated for array of pointer type”) query no longer produces false positives on “variable size”struct
s.
Java/Kotlin¶
- Variables names containing the string “tokenizer” (case-insensitively) are no longer sources for the
java/sensitive-log
query. They normally relate to things likejava.util.StringTokenizer
, which are not sensitive information. This should fix some false positive alerts. - The query “Unused classes and interfaces” (
java/unused-reference-type
) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with@test
. - Alerts about exposing
exception.getMessage()
in servlet responses are now split out ofjava/stack-trace-exposure
into its own queryjava/error-message-exposure
. - Added the extensible abstract class
SensitiveLoggerSource
. Now this class can be extended to add more sources to thejava/sensitive-log
query or for customizations overrides.
Python¶
- Added models of
streamlit
PyPI package.
Swift¶
- The
swift/constant-salt
(“Use of constant salts”) query now considers string concatenation and interpolation as a barrier. As a result, there will be fewer false positive results from this query involving constructed strings. - The
swift/constant-salt
(“Use of constant salts”) query message now contains a link to the source node.
New Queries¶
Python¶
- The
py/cookie-injection
query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being constructed from user input.
Ruby¶
- Added a new query,
rb/weak-sensitive-data-hashing
, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
Language Libraries¶
Breaking Changes¶
Java/Kotlin¶
- The Java and Kotlin extractors no longer support the
SOURCE_ARCHIVE
andTRAP_FOLDER
legacy environment variable.
Major Analysis Improvements¶
Java/Kotlin¶
- We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called “reverse-dns”. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see Analyzing your code with CodeQL queries and Customizing your advanced setup for code scanning.
Minor Analysis Improvements¶
C/C++¶
- The controlling expression of a
constexpr if
is now always recognized as an unevaluated expression. - Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
- A
UsingEnumDeclarationEntry
class has been added for C++using enum
declarations. As part of this, synthesizedUsingDeclarationEntry
s are no longer emitted for individual enumerators of the referenced enumeration.
Java/Kotlin¶
- Added flow through some methods of the class
java.net.URL
by ensuring that the fields of a URL are tainted. - Added path-injection sinks for
org.apache.tools.ant.taskdefs.Property.setFile
andorg.apache.tools.ant.taskdefs.Property.setResource
. - Adds models for request handlers using the
org.lastaflute.web
web framework.
Python¶
- Added support for
DictionaryElement[<key>]
andDictionaryElementAny
when Customizing Library Models forsourceModel
(see https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/)
Swift¶
- The model for
FileManager
no longer considers methods that return paths on the file system as taint sources. This is because these sources have been found to produce results of low value. - An error in the model for
URL.withUnsafeFileSystemRepresentation(_:)
has been corrected. This may result in new data flow paths being found during analysis.
New Features¶
C/C++¶
- A
getTemplateClass
predicate was added to theDeductionGuide
class to get the class template for which the deduction guide is a guide. - An
isExplicit
predicate was added to theFunction
class that determines whether the function was declared as explicit. - A
getExplicitExpr
predicate was added to theFunction
class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit. - A
isDestroyingDeleteDeallocation
predicate was added to theNewOrNewArrayExpr
andDeleteOrDeleteArrayExpr
classes to indicate whether the deallocation function is a destroying delete.
Java/Kotlin¶
- Java support for
build-mode: none
is now out of beta, and generally available.