CodeQL documentation

CodeQL 2.8.2 (2022-02-28)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.8.2 runs a total of 308 security queries when configured with the Default suite (covering 139 CWE). The Extended suite enables an additional 99 queries (covering 30 more CWE). 6 security queries have been added with this release.

CodeQL CLI

Breaking Changes

New Features

  • The CodeQL CLI is now compatible with Windows 11 and Windows Server 2022, including building databases for compiled languages.

Query Packs

Breaking Changes

Java/Kotlin

  • Add more classes to Netty request/response splitting. Change identification to java/netty-http-request-or-response-splitting. Identify request splitting differently from response splitting in query results. Support additional classes:
    • io.netty.handler.codec.http.CombinedHttpHeaders
    • io.netty.handler.codec.http.DefaultHttpRequest
    • io.netty.handler.codec.http.DefaultFullHttpRequest

Minor Analysis Improvements

JavaScript/TypeScript

New Queries

Java/Kotlin

  • A new query titled “Local information disclosure in a temporary directory” (java/local-temp-file-or-directory-information-disclosure) has been added. This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory. This query was originally submitted as query by @JLLeitschuh.

JavaScript/TypeScript

  • A new query, js/functionality-from-untrusted-source, has been added to the query suite. It finds DOM elements that load functionality from untrusted sources, like script or iframe elements using http links. The query is run by default.

Python

  • The query “LDAP query built from user-controlled sources” (py/ldap-injection) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @jorgectf.
  • The query “Log Injection” (py/log-injection) has been promoted from experimental to the main query pack. Its results will now appear when security-extended is used. This query was originally submitted as an experimental query by @haby0.

Ruby

  • Added a new query, rb/clear-text-logging-sensitive-data. The query finds cases where sensitive information, such as user credentials, are logged as cleartext.

Query Metadata Changes

C#

  • The precision of hardcoded credentials queries (cs/hardcoded-credentials and cs/hardcoded-connection-string-credentials) have been downgraded to medium.

JavaScript/TypeScript

  • The js/request-forgery query previously flagged both server-side and client-side request forgery, but these are now handled by two different queries:
    • js/request-forgery is now specific to server-side request forgery. Its precision has been raised to high and is now shown by default (it was previously in the security-extended suite).
    • js/client-side-request-forgery is specific to client-side request forgery. This is technically a new query but simply flags a subset of what the old query did. This has precision medium and is part of the security-extended suite.

Deprecated Classes

C/C++

  • The CodeDuplication.Copy, CodeDuplication.DuplicateBlock, and CodeDuplication.SimilarBlock classes have been deprecated.

Language Libraries

Minor Analysis Improvements

Ruby

  • Added FileSystemWriteAccess concept to model data written to the filesystem.

Deprecated APIs

Python

  • The old points-to based modeling has been deprecated. Use the new type-tracking/API-graphs based modeling instead.

New Features

C/C++

  • Added a isStructuredBinding predicate to the Variable class which holds when the variable is declared as part of a structured binding declaration.

Java/Kotlin

  • Added predicates ClassOrInterface.getAPermittedSubtype and isSealed exposing information about sealed classes.
  • © 2024 GitHub, Inc.
  • Terms
  • Privacy