CodeQL 2.22.4 (2025-08-21)¶

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.22.4 runs a total of 478 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 130 queries (covering 32 more CWE). 2 security queries have been added with this release.

CodeQL CLI¶

There are no user-facing CLI changes in this release.

Query Packs¶

Minor Analysis Improvements¶

C/C++¶

The cpp/short-global-name query will no longer give alerts for instantiations of template variables, only for the template itself.
Fixed a false positive in cpp/overflow-buffer when the type of the destination buffer is a reference to a class/struct type.

JavaScript/TypeScript¶

The js/regex-injection query no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the “environment” category.

New Queries¶

Rust¶

Added a new query, rust/cleartext-storage-database, for detecting cases where sensitive information is stored non-encrypted in a database.

Language Libraries¶

Bug Fixes¶

Ruby¶

Made the following changes to NetHttpRequest
- Adds connectionNode, like other Ruby HTTP clients
- Makes requestNode and connectionNode public so subclasses can use them
- Adds detection of Net::HTTP.start, a common way to make HTTP requests in Ruby

Major Analysis Improvements¶

Java/Kotlin¶

Added library models for the relevant method calls under jakarta.servlet.ServletRequest and jakarta.servlet.http.HttpServletRequest as remote flow sources.

Minor Analysis Improvements¶

C/C++¶

The guards libraries (semmle.code.cpp.controlflow.Guards and semmle.code.cpp.controlflow.IRGuards) have been improved to recognize more guards.
Improved dataflow through global variables in the new dataflow library (semmle.code.cpp.dataflow.new.DataFlow and semmle.code.cpp.dataflow.new.TaintTracking). Queries based on these libraries will produce more results on codebases with many global variables.
The global value numbering library (semmle.code.cpp.valuenumbering.GlobalValueNumbering and semmle.code.cpp.ir.ValueNumbering) has been improved so more expressions are assigned the same value number.

Golang¶

Go 1.25 is now supported.

Java/Kotlin¶

Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for java/dereferenced-value-may-be-null.

JavaScript/TypeScript¶

Improved modeling of command-line argument parsing libraries arg, args, command-line-args and commander

Rust¶

let chains in if and while are now supported, as well as if let guards in match expressions.
Added more detail to models of postgres, rusqlite, sqlx and tokio-postgres. This may improve query results, particularly for rust/sql-injection and rust/cleartext-storage-database.

© GitHub, Inc.
Terms
Privacy