CodeQL 2.18.0 (2024-07-11)¶

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.18.0 runs a total of 415 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 131 queries (covering 35 more CWE). 1 security query has been added with this release.

CodeQL CLI¶

Breaking Changes¶

A number of breaking changes have been made to the C and C++ CodeQL test environment as used by codeql test run:
- The test environment no longer defines any GNU-specific builtin macros. If these macros are still needed by a test, please define them via semmle-extractor-options.
- The --force-recompute option is no longer directly supported by semmle-extractor-options. Instead, --edg --force-recompute should be specified.
- The --gnu_version and --microsoft_version options that can be specified via semmle-extractor-options are now synonyms, and only one should be specified as part of semmle-extractor-options. Furthermore, is also no longer possible to specify these options via the following syntax.
  - --edg --gnu_version --edg <version number>, and
  - --edg --microsoft_version --edg <version number>
  The shorter --gnu_version <version number> and --microsoft_version <version number> should be used.
The --build_error_dir and --predefined_macros command line options have been removed from the C/C++ extractor. It has never been possible to pass these options through the CLI, but some customers with advanced setups may have been passing them through internal undocumented interfaces. Passing the option --build_error_dir did not have any effect, and it is safe to remove the option. The --predefined_macros option should have been unnecessary, as long as the extractor was invoked with the --mimic option.

Bug Fixes¶

Where a MacOS unsigned binary cannot be signed, CodeQL will now continue trying to trace compiler invocations created by that process and its children. In particular this means that Bazel builds on MacOS are now traceable.
Fixed a bug where test discovery would fail if there is a syntax error in a qlpack file. Now, a warning message will be printed and discovery will continue.

Improvements¶

Introduced the --include-logs option to the codeql database bundle command. This new feature allows users to include logs in the generated database bundle, allowing for a more complete treatment of the bundle, and bringing the tool capabilities up-to-speed with the documentation.
codeql database init and codeql database create now support the --force-overwrite option. When this option is specified, the command will delete the specified database directory even if it does not look like a database directory. This option is only recommended for automation. For directcommand line commands, it is recommended to use the --overwrite option, which includes extra protection and will refuse to delete a directory that does not look like a database directory.
Extract .xsaccess, *.xsjs and *.xsjslib files for SAP HANA XS as Javascript.
We have updated many compiler error messages and warnings to improve their readability and standardize their grammar. Where necessary, please use the --learn option for the codeql test run command.

Known Issues¶

Compilation of QL queries is about 30% slower than in previous releases. This only affects users who write custom queries, and only at compilation time, not at run time. This regression will be fixed in the upcoming 2.18.1 release.

Query Packs¶

Major Analysis Improvements¶

Java/Kotlin¶

The query java/weak-cryptographic-algorithm no longer alerts about RSA/ECB algorithm strings.

Minor Analysis Improvements¶

Java/Kotlin¶

The query java/tainted-permissions-check now uses threat models. This means that local sources are no longer included by default for this query, but can be added by enabling the local threat model.
Added more org.apache.commons.io.FileUtils-related sinks to the path injection query.

JavaScript/TypeScript¶

Added a new experimental query, js/cors-misconfiguration, which detects misconfigured CORS HTTP headers in the cors and apollo libraries.

Python¶

Adding Python support for Hardcoded Credentials as Models as Data
Additional sanitizers have been added to the py/full-ssrf and py/partial-ssrf queries for methods that verify a string contains only a certain set of characters, such as .isalnum() as well as regular expression tests.

Language Libraries¶

Bug Fixes¶

Golang¶

Fixed dataflow via global variables other than via a direct write: for example, via a side-effect on a global, such as io.copy(SomeGlobal, ...) or via assignment to a field or array or slice cell of a global. This means that any data-flow query may return more results where global variables are involved.

Java/Kotlin¶

Support for codeql test run for Kotlin sources has been fixed.

Major Analysis Improvements¶

JavaScript/TypeScript¶

Added support for TypeScript 5.5.

Minor Analysis Improvements¶

C/C++¶

The queries “Potential double free” (cpp/double-free) and “Potential use after free” (cpp/use-after-free) now produce fewer false positives.
The “Guards” library (semmle.code.cpp.controlflow.Guards) now also infers guards from calls to the builtin operation __builtin_expect. As a result, some queries may produce fewer false positives.

Golang¶

DataFlow queries which previously used RemoteFlowSource to define their sources have been modified to instead use ThreatModelFlowSource. This means these queries will now respect threat model configurations. The default threat model configuration is equivalent to RemoteFlowSource, so there should be no change in results for users using the default.
Added the ThreatModelFlowSource class to FlowSources.qll. The ThreatModelFlowSource class can be used to include sources which match the current threat model configuration. This is the first step in supporting threat modeling for Go.

Java/Kotlin¶

Added models for the following packages:
- io.undertow.server.handlers.resource
- jakarta.faces.context
- javax.faces.context
- javax.servlet
- org.jboss.vfs
- org.springframework.core.io
A bug has been fixed in the heuristic identification of uncertain control flow, which is used to filter data flow in order to improve performance and reduce false positives. This fix means that slightly more code is identified and hence pruned from data flow.
Excluded reverse DNS from the loopback address as a source of untrusted data.

JavaScript/TypeScript¶

Enabled type-tracking to follow content through array methods
Improved modeling of Array.prototype.splice for when it is called with more than two arguments

Python¶

A number of Python queries now support sinks defined using data extensions. The format of data extensions for Python has been documented.

Ruby¶

Element references with blocks, such as foo[:bar] { |x| puts x}, are now parsed correctly.
The CleartextSources.qll library, used by rb/clear-text-logging-sensitive-data and rb/clear-text-logging-sensitive-data, has been updated to consider heuristics for additional categories of sensitive data.

New Features¶

C/C++¶

The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See dataflow/ExternalFlow.qll for the updated documentation and specification for the model format.
It is now possible to extend the classes AllocationFunction and DeallocationFunction via data extensions. Extensions of these classes should be added to the lib/ext/allocation and lib/ext/deallocation directories respectively.