CodeQL 2.18.2 (2024-08-13)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.18.2 runs a total of 423 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 3 security queries have been added with this release.
CodeQL CLI
Deprecations
Swift analysis on Ubuntu is no longer supported. Please migrate to macOS if this affects you.
Miscellaneous
The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.3.
Query Packs
Minor Analysis Improvements
C/C++
- Fixed false positives in the `cpp/memory-may-not-be-freed` (“Memory may not be freed”) query involving class methods that returned an allocated field of that class being misidentified as allocators.
- The `cpp/incorrectly-checked-scanf` (“Incorrect return-value check for a ‘scanf’-like function”) query now produces fewer false positive results.
- The `cpp/incorrect-allocation-error-handling` (“Incorrect allocation-error handling”) query no longer produces occasional false positive results inside template instantiations.
- The `cpp/suspicious-allocation-size` (“Not enough memory allocated for array of pointer type”) query no longer produces false positives on “variable size” structs.
Java/Kotlin
- Variable names containing the string “tokenizer” (case-insensitively) are no longer sources for the `java/sensitive-log` query. They normally relate to things like `java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts.
- The query “Unused classes and interfaces” (`java/unused-reference-type`) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with `@test`.
- Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query, `java/error-message-exposure`.
- Added the extensible abstract class `SensitiveLoggerSource`. This class can now be extended to add more sources to the `java/sensitive-log` query or for customization overrides.
Python
- Added models of the `streamlit` PyPI package.
Swift
- The `swift/constant-salt` (“Use of constant salts”) query now considers string concatenation and interpolation as a barrier. As a result, there will be fewer false positive results from this query involving constructed strings.
- The `swift/constant-salt` (“Use of constant salts”) query message now contains a link to the source node.
New Queries
Python
- The `py/cookie-injection` query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being constructed from user input.
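As an added illustration of the pattern `py/cookie-injection` reports (this is constructed example code, not code from the CodeQL project or its tests), the snippet below builds a `Set-Cookie` header straight from user input and, beside it, a hardened builder that validates the name and percent-encodes the value; the function names and the tainted sample input are assumptions.

```python
"""Cookie built from user input (the pattern py/cookie-injection flags) beside a hardened form.

Constructed example; not part of the CodeQL project.
"""
import re
from urllib.parse import quote

# RFC 6265 cookie-octet: printable US-ASCII minus CTL, SP, DQUOTE, comma, semicolon, backslash.
_COOKIE_VALUE_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
# HTTP token characters, which is what a cookie name must consist of.
_COOKIE_NAME_RE = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+")


def unsafe_set_cookie(name: str, value: str) -> str:
    """The flagged pattern: user-controlled text is interpolated directly into the header.

    A value carrying ';' adds attributes the server never intended, and CR/LF in the
    value would end the header line altogether.
    """
    return f"Set-Cookie: {name}={value}; Path=/"


def safe_set_cookie(name: str, value: str) -> str:
    """Hardened form: reject bad names and percent-encode the value into one cookie-octet run."""
    if not _COOKIE_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    encoded = quote(value, safe="")  # everything outside [A-Za-z0-9_.~-] becomes %XX
    if not _COOKIE_VALUE_RE.fullmatch(encoded):  # defence in depth; cannot fail after quote()
        raise ValueError("cookie value is not encodable")
    return f"Set-Cookie: {name}={encoded}; Path=/; HttpOnly; Secure; SameSite=Lax"


def cookie_attributes(header: str) -> list[str]:
    """Split a Set-Cookie header into the attribute list a client would parse (checking helper)."""
    _, _, rest = header.partition(": ")
    return [part.strip() for part in rest.split(";")]


if __name__ == "__main__":
    tainted = "abc; Path=/admin"  # constructed user input that carries a cookie separator
    print(cookie_attributes(unsafe_set_cookie("session", tainted)))  # the extra Path attribute
    print(cookie_attributes(safe_set_cookie("session", tainted)))    # one opaque value
```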
Ruby
- Added a new query, `rb/weak-sensitive-data-hashing`, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
Query Metadata Changes
C/C++
- The precision of `cpp/unsigned-difference-expression-compared-zero` (“Unsigned difference expression compared to zero”) has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
Language Libraries
Breaking Changes
Java/Kotlin
- The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variables.
Major Analysis Improvements
Java/Kotlin
We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called “reverse-dns”. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see Analyzing your code with CodeQL queries and Customizing your advanced setup for code scanning.
Minor Analysis Improvements
C/C++
- The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
- Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
- A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.
Java/Kotlin
- Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.
- Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.
- Added models for request handlers using the `org.lastaflute.web` web framework.
Python
- Added support for `DictionaryElement[<key>]` and `DictionaryElementAny` when customizing library models for `sourceModel` (see https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/).
Swift
- The model for `FileManager` no longer considers methods that return paths on the file system as taint sources. This is because these sources have been found to produce results of low value.
- An error in the model for `URL.withUnsafeFileSystemRepresentation(_:)` has been corrected. This may result in new data flow paths being found during analysis.
New Features
C/C++
- A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
- An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
- A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
- An `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete.
Java/Kotlin
- Java support for `build-mode: none` is now out of beta, and generally available.