CodeQL 2.11.2 (2022-10-25)¶

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.11.2 runs a total of 357 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 111 queries (covering 31 more CWE). 5 security queries have been added with this release.

CodeQL CLI¶

Breaking Changes¶

Bundling and publishing a CodeQL pack will no longer include nested CodeQL packs. If you want to include a nested pack in your published pack, then you must explicitly include it using the include property in the top-level qlpack.yml file.

For example, if your package structure looks like this:
```
qlpack.yml
nested-pack
   ∟ qlpack.yml
     query.ql
```
then the contents of nested-pack will not be included by default within the published package. To include nested-pack, add an entry like this to the top level qlpack.yml file:
```
include:
  - nested-pack/**
```

Bug Fixes¶

Using the --codescanning-config=<file> option in codeql database init will now correctly process the paths and pathsIgnore properties of the configuration file in a way that is identical to the behavior of the codeql-action. Previously, paths or pathsIgnore entries that end in /** or start with / were incorrectly rejected by the CLI.
Fixed a bug where the --compilation-cache option to codeql pack publish and codeql pack create was being ignored when creating a query pack. Now, the indicated cache is used when pre-compiling the queries in it.
Fixed a bug that would make the “Show DIL” command in the VSCode extension display nothing.

Miscellaneous¶

Emit a detailed warning if package resolution fails, the legacy --search-path option is provided, and there is at least one referenced pack that does not use legacy package resolution. In this case, --additional-packs should be used to extend the search to additional directories, instead of --search-path.

Query Packs¶

Bug Fixes¶

Python¶

Fixed how flask.request is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as from flask import request, will now be shown as the first step in a path explanation.

Minor Analysis Improvements¶

C/C++¶

The “Unterminated variadic call” (cpp/unterminated-variadic-call) query has been tuned to produce fewer false positive results.
Fixed false positives from the “Unused static function” (cpp/unused-static-function) query in files that had errors during compilation.

Golang¶

The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.

JavaScript/TypeScript¶

Removed some false positives from the js/file-system-race query by requiring that the file-check dominates the file-access.
Improved taint tracking through JSON.stringify in cases where a tainted value is stored somewhere in the input object.

Python¶

Added model of cx_Oracle, oracledb, phonenixdb and pyodbc PyPI packages as a SQL interface following PEP249, resulting in additional sinks for py/sql-injection.
Added model of executemany calls on PEP-249 compliant database APIs, resulting in additional sinks for py/sql-injection.
Added model of pymssql PyPI package as a SQL interface following PEP249, resulting in additional sinks for py/sql-injection.
The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.

Ruby¶

HTTP response header and body writes via ActionDispatch::Response are now recognized.
The rb/path-injection query now treats the file: argument of the Rails render method as a sink.
The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.

New Queries¶

C/C++¶

Added a new medium-precision query, cpp/comma-before-misleading-indentation, which detects instances of whitespace that have readability issues.

Java/Kotlin¶

Added a new query, java/android/incomplete-provider-permissions, to detect if an Android ContentProvider is not protected with a correct set of permissions.
A new query “Uncontrolled data used in content resolution” (java/androd/unsafe-content-uri-resolution) has been added. This query finds paths from user-provided data to URI resolution operations in Android’s ContentResolver without previous validation or sanitization.

Ruby¶

Added a new query, rb/non-constant-kernel-open, to detect uses of Kernel.open and related methods with non-constant values.
Added a new query, rb/sensitive-get-query, to detect cases where sensitive data is read from the query parameters of an HTTP GET request.

Language Libraries¶

Minor Analysis Improvements¶

Java/Kotlin¶

Added support for common patterns involving Stream.collect and common collectors like Collectors.toList().
The class TypeVariable now also extends Modifiable.
Added data flow steps for tainted Android intents that are sent to services and receivers.
Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered.

Python¶

Fixed labels in the API graph pertaining to definitions of subscripts. Previously, these were found by getMember rather than getASubscript.
Added edges for indices of subscripts to the API graph. Now a subscripted API node will have an edge to the API node for the index expression. So if foo is matched by API node A, then "key" in foo["key"] will be matched by the API node A.getIndex(). This can be used to track the origin of the index.
Added member predicate getSubscriptAt(API::Node index) to API::Node. Like getASubscript(), this will return an API node that matches a subscript of the node, but here it will be restricted to subscripts where the index matches the index parameter.
Added convenience predicate getSubscript("key") to obtain a subscript at a specific index, when the index happens to be a statically known string.

Ruby¶

The hashing algorithms from Digest and OpenSSL::Digest are now recognized and can be flagged by the rb/weak-cryptographic-algorithm query.
More sources of remote input arising from methods on ActionDispatch::Request are now recognized.
The response value returned by the Faraday#run_request method is now also considered a source of remote input.
ActiveJob::Serializers.deserialize is considered to be a code execution sink.
Calls to params in ActionMailer classes are now treated as sources of remote user input.
Taint flow through ActionController::Parameters is tracked more accurately.

Deprecated APIs¶

Java/Kotlin¶

Deprecated ContextStartActivityMethod. Use StartActivityMethod instead.

New Features¶

Java/Kotlin¶

Added a new predicate, hasIncompletePermissions, in the AndroidProviderXmlElement class. This predicate detects if a provider element does not provide both read and write permissions.