CodeQL 2.12.0 (2023-01-10)¶

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.12.0 runs a total of 365 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 116 queries (covering 32 more CWE). 8 security queries have been added with this release.

CodeQL CLI¶

Breaking Changes¶

The --[no-]count-lines option to codeql database create and related commands that was deprecated in 2.11.1 has been removed. Users of this option should instead pass --[no-]calculate-baseline.

Bug Fixes¶

Fixed a bug where the codeql pack install command would fail if a CodeQL configuration file is used and the --additional-packs option is specified.

New Features¶

Query packs created by codeql pack create, codeql pack bundle, and codeql pack release now contain precompiled queries in a new format that aims to be compatible with future (and, to a certain extent, past) releases of the CodeQL CLI. Previously the precompiled queries were in a format specific to each CLI release, and all other releases would need to re-compile queries.

Published packs contain precompiled queries in files with a .qlx extension located next to each query’s .ql source file. In case of differences between the .ql and .qlx files, the .qlx file takes priority when evaluating queries from the command line, so if you need to modify a published pack, be sure to delete the .qlx files first.

A new --precompile flag to codeql query compile can be used to construct *.qlx file explicitly, but in all usual cases it should be enough to rely on codeql pack create doing the right thing.
The codeql database init command now accepts a PAT that allows you to download queries from external, private repositories when using the --codescanning-config <config-file> option. For example, you can specify the following queries block in the config file, which will checkout the main branch of the codeql-test/my-private-repository repository and evaluate any queries found in that repository:
```
queries:
  - codeql-test/my-private-repository@main
```
If the repository is private, you can add a --external-repository-token-stdin option and supply a PAT with appropriate permissions via standard input. For more information on queries and external repositories in Code Scanning, see Using queries in QL packs.
The baseline information produced by codeql database init and codeql database create now accounts for paths and paths-ignore configuration.
In the VS Code extension, recursive calls will be marked with inlay hints. These can be disabled with the global inlay hints setting (editor.inlayHints.enabled). If you just want to disable them for codeql the settings can be scoped to just codeql files (language id is ql). See Language Specific Editor Settings in the VS Code documentation for more information.
The CLI now gives a more helpful error message when asked to run queries on a database that has not been finalized.

Query Packs¶

Bug Fixes¶

C#¶

Fixes a bug where the Owin.qll framework library will look for “URI” instead of “Uri” in the OwinRequest class.

Minor Analysis Improvements¶

C/C++¶

The AlertSuppression.ql query has been updated to support the new // codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy // lgtm and // lgtm[query-id] comments can now also be placed on the line before an alert.
The cpp/missing-check-scanf query no longer reports the free’ing of scanf output variables as potential reads.

C#¶

The AlertSuppression.ql query has been updated to support the new // codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy // lgtm and // lgtm[query-id] comments can now also be placed on the line before an alert.
The extensible predicates for Models as Data have been renamed (the ext prefix has been removed). As an example, extSummaryModel has been renamed to summaryModel.

Golang¶

The AlertSuppression.ql query has been updated to support the new // codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy // lgtm and // lgtm[query-id] comments can now also be placed on the line before an alert.

Java/Kotlin¶

The AlertSuppression.ql query has been updated to support the new // codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy // lgtm and // lgtm[query-id] comments can now also be placed on the line before an alert.
The extensible predicates for Models as Data have been renamed (the ext prefix has been removed). As an example, extSummaryModel has been renamed to summaryModel.
The query java/misnamed-type is now enabled for Kotlin.
The query java/non-serializable-field is now enabled for Kotlin.
Fixed an issue in the query java/android/implicit-pendingintents by which an implicit Pending Intent marked as immutable was not correctly recognized as such.
The query java/maven/non-https-url no longer alerts about disabled repositories.

JavaScript/TypeScript¶

The AlertSuppression.ql query has been updated to support the new // codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy // lgtm and // lgtm[query-id] comments can now also be placed on the line before an alert.

Python¶

The analysis/AlertSuppression.ql query has moved to the root folder. Users that refer to this query by path should update their configurations. The query has been updated to support the new # codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy # lgtm and # lgtm[query-id] comments can now also be placed on the line before an alert.
Bumped the minimum keysize we consider secure for elliptic curve cryptography from 224 to 256 bits, following current best practices. This might effect results from the Use of weak cryptographic key (py/weak-crypto-key) query.
Added modeling of getpass.getpass as a source of passwords, which will be an additional source for py/clear-text-logging-sensitive-data, py/clear-text-storage-sensitive-data, and py/weak-sensitive-data-hashing.

Ruby¶

The AlertSuppression.ql query has been updated to support the new # codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy # lgtm and # lgtm[query-id] comments can now also be placed on the line before an alert.
Extended the rb/kernel-open query with following sinks: IO.write, IO.binread, IO.binwrite, IO.foreach, IO.readlines, and URI.open.

New Queries¶

C#¶

Added a new query, csharp/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase.

Java/Kotlin¶

Added a new query, java/summary/generated-vs-manual-coverage, to expose metrics for the number of API endpoints covered by generated versus manual MaD models.
Added a new query, java/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase.
Added a new query, java/android/missing-certificate-pinning, to find network calls where certificate pinning is not implemented.
Added a new query, java/android-webview-addjavascriptinterface, to detect the use of addJavascriptInterface, which can lead to cross-site scripting.
Added a new query, java/android-websettings-file-access, to detect configurations that enable file system access in Android WebViews.
Added a new query, java/android-websettings-javascript-enabled, to detect if JavaScript execution is enabled in an Android WebView.
The query java/regex-injection has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @edvraa.

Ruby¶

Added a new query, rb/stack-trace-exposure, to detect exposure of stack-traces to users via HTTP responses.

Language Libraries¶

Bug Fixes¶

Golang¶

Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

Java/Kotlin¶

We now correctly handle empty block comments, like /**/. Previously these could be mistaken for Javadoc comments and led to attribution of Javadoc tags to the wrong declaration.

Python¶

except* is now supported.
The result of Try.getAHandler and Try.getHandler(<index>) is no longer of type ExceptStmt, as handlers may also be ExceptGroupStmts (After Python 3.11 introduced PEP 654). Instead, it is of the new type ExceptionHandler of which ExceptStmt and ExceptGroupStmt are subtypes. To support selecting only one type of handler, Try.getANormalHandler and Try.getAGroupHandler have been added. Existing uses of Try.getAHandler for which it is important to select only normal handlers, will need to be updated to Try.getANormalHandler.

Breaking Changes¶

C/C++¶

The predicates in the MustFlow::Configuration class used by the MustFlow library (semmle.code.cpp.ir.dataflow.MustFlow) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.

Golang¶

The signature of allowImplicitRead on DataFlow::Configuration and TaintTracking::Configuration has changed from allowImplicitRead(DataFlow::Node node, DataFlow::Content c) to allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).

Major Analysis Improvements¶

Python¶

The PAM authorization bypass due to incorrect usage (py/pam-auth-bypass) query has been converted to a taint-tracking query, resulting in significantly fewer false positives.

Ruby¶

Flow through initialize constructors is now taken into account. For example, in
```
class C
  def initialize(x)
    @field = x
  end
end

C.new(y)
```
there will be flow from y to the field @field on the constructed C object.

Minor Analysis Improvements¶

C/C++¶

The ArgvSource flow source now uses the second parameter of main as its source instead of the uses of this parameter.
The ArgvSource flow source has been generalized to handle cases where the argument vector of main is not named argv.
The getaddrinfo function is now recognized as a flow source.
The secure_getenv and _wgetenv functions are now recognized as local flow sources.
The scanf and fscanf functions and their variants are now recognized as flow sources.
Deleted the deprecated getName and getShortName predicates from the Folder class.

C#¶

C# 11: Added support for list- and slice patterns in the extractor.
Deleted the deprecated getNameWithoutBrackets predicate from the ValueOrRefType class in Type.qll.
Element::hasQualifiedName/1 has been deprecated. Use hasQualifiedName/2 or hasQualifiedName/3 instead.
Added TCP/UDP sockets as taint sources.

Golang¶

The predicate getNumParameter on FuncTypeExpr has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. getNumParameterDecl has been introduced to preserve this functionality.
The definition of mayHaveSideEffects for ReturnStmt was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstances globalValueNumber may have incorrectly treated two values as the same when they were in fact distinct.
Queries that care about SQL, such as go/sql-injection, now recognise SQL-consuming functions belonging to the gorqlite and GoFrame packages.
rsync has been added to the list of commands which may evaluate its parameters as a shell command.

Java/Kotlin¶

Added more dataflow models for frequently-used JDK APIs.
The extraction of Kotlin extension methods has been improved when default parameter values are present. The dispatch and extension receiver parameters are extracted in the correct order. The ExtensionMethod::getExtensionReceiverParameterIndex predicate has been introduced to facilitate getting the correct extension parameter index.
The query java/insecure-cookie now uses global dataflow to track secure cookies being set to the HTTP response object.
The library PathSanitizer.qll has been improved to detect more path validation patterns in Kotlin.
Models as Data models for Java are defined as data extensions instead of being inlined in the code. New models should be added in the lib/ext folder.
Added a taint model for the method java.nio.file.Path.getParent.
Fixed a problem in the taint model for the method java.nio.file.Paths.get.
Deleted the deprecated LocalClassDeclStmtNode and LocalClassDeclStmt classes from PrintAst.qll and Statement.qll respectively.
Deleted the deprecated getLocalClass predicate from LocalTypeDeclStmt, and the deprecated getLocalClassDeclStmt predicate from LocalClassOrInterface.
Added support for Android Manifest <activity-aliases> elements in data flow sources.

JavaScript/TypeScript¶

Deleted the deprecated Instance class from the Vue module.
Deleted the deprecated VHtmlSourceWrite class from DomBasedXssQuery.qll.
Deleted all the deprecated [QueryName].qll files from the javascript/ql/lib/semmle/javascript/security/dataflow folder, use the corresponding [QueryName]Query.qll files instead.
The ReDoS libraries in semmle.code.javascript.security.regexp has been moved to a shared pack inside the shared/ folder, and the previous location has been deprecated.

Python¶

Added subprocess.getoutput and subprocess.getoutputstatus as new command injection sinks for the StdLib.
The data-flow library has been rewritten to no longer rely on the points-to analysis in order to resolve references to modules. Improvements in the module resolution can lead to more results.
Deleted the deprecated importNode predicate from the DataFlowUtil.qll file.
Deleted the deprecated features from PEP249.qll that were not inside the PEP249 module.
Deleted the deprecated werkzeug from the Werkzeug module in Werkzeug.qll.
Deleted the deprecated methodResult predicate from PEP249::Cursor.

Ruby¶

Calls to Kernel.load, Kernel.require, Kernel.autoload are now modeled as sinks for path injection.
Calls to mail and inbound_mail in ActionMailbox controllers are now considered sources of remote input.
Calls to GlobalID::Locator.locate and its variants are now recognized as instances of OrmInstantiation.
Data flow through the ActiveSupport extensions Enumerable#index_with, Enumerable#pick, Enumerable#pluck and Enumerable#sole are now modeled.
When resolving a method call, the analysis now also searches in sub-classes of the receiver’s type.
Taint flow is now tracked through many common JSON parsing and generation methods.
The ReDoS libraries in codeql.ruby.security.regexp has been moved to a shared pack inside the shared/ folder, and the previous location has been deprecated.
String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.

Deprecated APIs¶

C/C++¶

Deprecated semmle.code.cpp.ir.dataflow.DefaultTaintTracking. Use semmle.code.cpp.ir.dataflow.TaintTracking.
Deprecated semmle.code.cpp.security.TaintTrackingImpl. Use semmle.code.cpp.ir.dataflow.TaintTracking.
Deprecated semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl. Use semmle.code.cpp.valuenumbering.GlobalValueNumbering, which exposes the same API.

Golang¶

The BarrierGuard class has been deprecated. Such barriers and sanitizers can now instead be created using the new BarrierGuard parameterized module.

New Features¶

JavaScript/TypeScript¶

Improved support for Restify framework, leading to more results when scanning applications developed with this framework.
Added support for the Spife framework.

Shared Libraries¶

Minor Analysis Improvements¶

Type Trackers¶

Initial release. Includes a parameterized module implementing type-trackers.

QL Detective Tutorial¶

Initial release. Contains the library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries.

Utility Classes¶

Initial release. Includes common utility classes and modules: Unit, Boolean, and Option.