CodeQL 2.5.1 (2021-04-19)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.5.1 runs a total of 239 security queries when configured with the Default suite (covering 108 CWE). The Extended suite enables an additional 79 queries (covering 26 more CWE).
CodeQL CLI¶
Potentially Breaking Changes¶
The QL compiler will now reject queries where the query metadata (if present) at the top of the
.qlfile is inconsistent with the output format of the query. This check can be disabled by giving the--no-metadata-verificationflag. (The flag already existed but has not had any effect until now.)
Bug Fixes¶
Environment variables required for Java extraction are now propagated by the tracer. This may resolve issues with tracing and extraction in the context of certain build systems such as Bazel.
A number of
--check-CONDITIONoptions tocodeql database finalizeandcodeql dataset importdesigned to look for consistency errors in the intermediate “TRAP” output from extractors erroneously did nothing. They will now actually print warnings if errors are found. The warnings become fatal errors if the new--fail-on-trap-errorsoption is also given.
New Features¶
codeql resolve qlrefis a new command that takes in a.qlreffile for a CodeQL test case and returns the path of the.qlfile it references.codeql database analyzeandcodeql database interpret-resultshave a new--sarif-group-rules-by-packoption which will place the SARIF rule object for each query underneath its corresponding query pack inruns[].tool.extensions.codeql database finalizeandcodeql dataset importhave a new--fail-on-trap-errorsoption that will make database creation fail if extractors produce ill-formatted “TRAP” data for inclusion into a database. This is not enabled by default because some of the existing extractors have minor output bugs that cause the check to fail.codeql database finalizeandcodeql dataset importhave a new--check-undefined-labelsoption that enables stricter consistency checks on the “TRAP” output from extractors.
QL Language¶
supermay now be used unqualified, e.g.super.predicateName(), when the declaring class has multiple super types, as long as the call itself is unambiguous.