CodeQL 2.9.3 (2022-05-31)¶
Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.9.3 runs a total of 335 security queries when configured with the Default suite (covering 142 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 5 security queries have been added with this release.
CodeQL CLI¶
Bug Fixes¶
- Fixed a bug where precompiled CodeQL packages in the CodeQL bundle were being recompiled if they were in a read-only directory.
- Fixed a bug where new versions of the VS Code extension wouldn’t run two queries in parallel against one database.
New Features¶
Users can now use CodeQL Packaging Beta to publish and download CodeQL packs on GitHub Enterprise Server (GHES) versions 3.6 and later.
To authenticate to a package registry on GHES 3.6+, first create a
~/.codeql/qlconfig.yml
file. For example, the following file specifies that all CodeQL packages should be uploaded to the GHES instance with the hostnameGHE_HOSTNAME
:registries: - packages: '*' url: https://containers.GHE_HOSTNAME/v2/
You can now download public packages from GHES using
codeql pack download
.To publish any package or download private packages, authenticate to GHES by specifying registry/token pairs in the
CODEQL_REGISTRIES_AUTH
environment variable. You can authenticate using either a GitHub Apps token or a personal access token. For example,https://containers.GHEHOSTNAME1/v2/=TOKEN1,https://containers.GHEHOSTNAME2/v2/=TOKEN2
will authenticate the CLI to theGHEHOSTNAME1
andGHEHOSTNAME2
GHES instances.
Query Packs¶
Major Analysis Improvements¶
Golang¶
- The query “Incorrect conversion between integer types” has been improved to treat
math.MaxUint
andmath.MaxInt
as the values they would be on a 32-bit architecture. This should lead to fewer false positive results.
Minor Analysis Improvements¶
C/C++¶
- The “XML external entity expansion” (
cpp/external-entity-expansion
) query precision has been increased tohigh
. - The
cpp/unused-local-variable
no longer ignores functions that includeif
andswitch
statements with C++17-style initializers.
Golang¶
- Fixed sanitization by calls to
strings.Replace
andstrings.ReplaceAll
in queriesgo/log-injection
andgo/unsafe-quoting
.
Java/Kotlin¶
- Query
java/sensitive-log
has received several improvements.- It no longer considers usernames as sensitive information.
- The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
- A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.
New Queries¶
Golang¶
- A new query “Log entries created from user input” (
go/log-injection
) has been added. The query reports user-provided data reaching calls to logging methods. - A new query Log entries created from user input (
go/log-injection
) has been added. The query reports user-provided data reaching calls to logging methods. - Added a new query,
go/unexpected-nil-value
, to find calls toWrap
frompkg/errors
where the error argument is always nil.
Java/Kotlin¶
- Two new queries “Inefficient regular expression” (
java/redos
) and “Polynomial regular expression used on uncontrolled data” (java/polynomial-redos
) have been added. These queries help find instances of Regular Expression Denial of Service vulnerabilities.
JavaScript/TypeScript¶
- The
js/actions/command-injection
query has been added. It highlights GitHub Actions workflows that may allow an attacker to execute arbitrary code in the workflow. The query previously existed an experimental query. - A new query
js/insecure-temporary-file
has been added. The query detects the creation of temporary files that may be accessible by others users. The query is not run by default.
Python¶
- The query “PAM authorization bypass due to incorrect usage” (
py/pam-auth-bypass
) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @porcupineyhairs.
Language Libraries¶
Bug Fixes¶
Golang¶
Function
’s predicategetACall
now returns more results in some situations. It now always returns callers that may call a method indirectly via an interface method that it implements. Previously this only happened if the method was in the source code being analysed.
Breaking Changes¶
Python¶
API::moduleImport
no longer has any results for dotted names, such asAPI::moduleImport("foo.bar")
. UsingAPI::moduleImport("foo.bar").getMember("baz").getACall()
previously worked if the Python code wasfrom foo.bar import baz; baz()
, but not if the code wasimport foo.bar; foo.bar.baz()
– we are making this change to ensure the approach that can handle all cases is always used.
Minor Analysis Improvements¶
Golang¶
- Fixed a bug where dataflow steps were ignored if both ends were inside the initialiser routine of a file-level variable.
- The method predicate
getACalleeIncludingExternals
onDataFlow::CallNode
and the functionviableCallable
inDataFlowDispatch
now also work for calls to functions via a variable, where the function can be determined using local flow.
Java/Kotlin¶
- Fixed a sanitizer of the query
java/android/intent-redirection
. Now, for an intent to be considered safe against intent redirection, both its package name and class name must be checked.
JavaScript/TypeScript¶
- The
isLibaryFile
predicate fromClassifyFiles.qll
has been renamed toisLibraryFile
to fix a typo.
Ruby¶
- Support for data flow through instance variables has been added.
- Support of the safe navigation operator (
&.
) has been added; there is a new predicateMethodCall.isSafeNavigation()
.
Deprecated APIs¶
C/C++¶
- The
AnalysedString
class in theStringAnalysis
module has been replaced withAnalyzedString
, to follow our style guide. The old name still exists as a deprecated alias.
Golang¶
- The
codeql/go-upgrades
CodeQL pack has been removed. All database upgrade scripts have been merged into thecodeql/go-all
CodeQL pack.
Java/Kotlin¶
- The QL class
FloatingPointLiteral
has been renamed toFloatLiteral
.
New Features¶
C/C++¶
- A
getInitialization
predicate was added to theConstexprIfStmt
,IfStmt
, andSwitchStmt
classes that yields the C++17-style initializer of theif
orswitch
statement when it exists.
Golang¶
- Go 1.18 generics are now extracted and can be explored using the new CodeQL classes
TypeParamDecl
,GenericFunctionInstantiationExpr
,GenericTypeInstantiationExpr
,TypeSetTerm
, andTypeSetLiteralType
, as well as using new predicates defined on the existingInterfaceType
. Class- and predicate-level documentation can be found in the Go CodeQL library reference.