• CodeQL »
• CodeQL overview »
• CodeQL change logs »

CodeQL 2.15.1 (2023-10-19)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.15.1 runs a total of 398 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 1 security query has been added with this release.

CodeQL CLI

Potentially Breaking Changes

• The query server’s evaluation/trimCache command was previously equivalent to the codeql database cleanup --mode=gentle CLI command, but is now equivalent to using --mode=normal. The new meaning of the command is to clear the entire evaluation cache of a database except for predicates annotated with the cached keyword.

Bug Fixes

• Fixed a bug where the $CODEQL_JAVA_HOME environment variable was erroneously ignored for certain subsidiary Java processes started by codeql.

• Fixed a bug in the CodeQL build tracer on Apple Silicon machines that prevented database creation if System Integrity Protection was disabled.

Deprecations

• The accepted values of the --mode option for codeql database cleanup have been renamed to bring them in line with what they are called in the VSCode extension and the query server:

  • --mode=brutal is now --mode=clear.

  • --mode=normal is now --mode=trim.

  • --mode=light is now --mode=fit.

  • The old names are deprecated, but will be accepted for backwards-compatibility reasons until further notice.

Improvements

• The list of failed tests at the end of a codeql test run is now sorted lexicographically.

• The syntax of DIL now more closely resembles the QL source code that it is compiled from. In particular, conjunctions and disjunctions now use the familiar and and or keywords, and clauses are enclosed in curly braces.

Query Packs

Minor Analysis Improvements

C#

• The cs/web/insecure-direct-object-reference and cs/web/missing-function-level-access-control have been improved to better recognize attributes on generic classes.

Golang

• The query “Incorrect conversion between integer types” (go/incorrect-integer-conversion) has been improved. It can now detect parsing an unsigned integer type (like uint32) and converting it to the signed integer type of the same size (like int32), which may lead to more results. It also treats int and uint more carefully, which may lead to more results or fewer incorrect results.

Java/Kotlin

• Most data flow queries that track flow from remote flow sources now use the current threat model configuration instead. This doesn’t lead to any changes in the produced alerts (as the default configuration is remote flow sources) unless the threat model configuration is changed.

JavaScript/TypeScript

• Added the AmdModuleDefinition::Range class, making it possible to define custom aliases for the AMD define function.

Swift

• Added more new logging sinks to the swift/cleartext-logging query.

• Added sinks for the GRDB database library to the swift/hardcoded-key query.

• Added sqlite3 and SQLite.swift sinks and flow summaries for the swift/hardcoded-key query.

• Added sqlite3 and SQLite.swift sinks and flow summaries for the swift/cleartext-storage-database query.

New Queries

C/C++

• The query cpp/redundant-null-check-simple has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.

  Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.

Ruby

• Added a new experimental query, rb/jwt-empty-secret-or-algorithm, to detect when application uses an empty secret or weak algorithm.

• Added a new experimental query, rb/jwt-missing-verification, to detect when the application does not verify a JWT payload.

Language Libraries

Minor Analysis Improvements

C/C++

• Deleted the deprecated AnalysedString class, use the new name AnalyzedString.

• Deleted the deprecated isBarrierGuard predicate from the dataflow library and its uses, use isBarrier and the BarrierGuard module instead.

C#

• Deleted the deprecated isBarrierGuard predicate from the dataflow library and its uses, use isBarrier and the BarrierGuard module instead.

Golang

• Deleted the deprecated isBarrierGuard predicate from the dataflow library and its uses, use isBarrier and the BarrierGuard module instead.

• Support has been added for file system access sinks in the following libraries: net/http, Afero, beego, Echo, Fiber, Gin, Iris.

• Added GoKit.qll to go.qll enabling the GoKit framework by default

Java/Kotlin

• The isBarrier, isBarrierIn, isBarrierOut, and isAdditionalFlowStep methods of the taint-tracking configurations for local queries in the ArithmeticTaintedLocalQuery, ExternallyControlledFormatStringLocalQuery, ImproperValidationOfArrayIndexQuery, NumericCastTaintedQuery, ResponseSplittingLocalQuery, SqlTaintedLocalQuery, and XssLocalQuery libraries have been changed to match their remote counterpart configurations.

• Deleted the deprecated isBarrierGuard predicate from the dataflow library and its uses, use isBarrier and the BarrierGuard module instead.

• Deleted the deprecated getAValue predicate from the Annotation class.

• Deleted the deprecated alias FloatingPointLiteral, use FloatLiteral instead.

• Deleted the deprecated getASuppressedWarningLiteral predicate from the SuppressWarningsAnnotation class.

• Deleted the deprecated getATargetExpression predicate form the TargetAnnotation class.

• Deleted the deprecated getRetentionPolicyExpression predicate from the RetentionAnnotation class.

• Deleted the deprecated conditionCheck predicate from Preconditions.qll.

• Deleted the deprecated semmle.code.java.security.performance folder, use semmle.code.java.security.regexp instead.

• Deleted the deprecated ExternalAPI class from ExternalApi.qll, use ExternalApi instead.

• Modified the EnvInput class in semmle.code.java.dataflow.FlowSources to include environment and file source nodes. There are no changes to results unless you add source models using the environment or file source kinds.

• Added environment source models for the following methods:

  • java.lang.System#getenv

  • java.lang.System#getProperties

  • java.lang.System#getProperty

  • java.util.Properties#get

  • java.util.Properties#getProperty

• Added file source models for the following methods:

  • the java.io.FileInputStream constructor

  • hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded

  • hudson.FilePath#openInputStream

  • hudson.FilePath#read

  • hudson.FilePath#readFromOffset

  • hudson.FilePath#readToString

• Modified the DatabaseInput class in semmle.code.java.dataflow.FlowSources to include database source nodes. There are no changes to results unless you add source models using the database source kind.

• Added database source models for the following method:

  • java.sql.ResultSet#getString

JavaScript/TypeScript

• The contents of .jsp files are now extracted, and any <script> tags inside these files will be parsed as JavaScript.

• Import attributes are now supported in JavaScript code. Note that import attributes are an evolution of an earlier proposal called “import assertions”, which were implemented in TypeScript 4.5. The QL library includes new predicates named getImportAttributes() that should be used in favor of the now deprecated getImportAssertion(); in addition, the getImportAttributes() method of the DynamicImportExpr has been renamed to getImportOptions().

• Deleted the deprecated getAnImmediateUse, getAUse, getARhs, and getAValueReachingRhs predicates from the API::Node class.

• Deleted the deprecated mayReferToParameter predicate from DataFlow::Node.

• Deleted the deprecated getStaticMethod and getAStaticMethod predicates from DataFlow::ClassNode.

• Deleted the deprecated isLibaryFile predicate from ClassifyFiles.qll, use isLibraryFile instead.

• Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.

• Deleted the deprecated semmle.javascript.security.performance folder, use semmle.javascript.security.regexp instead.

• Tagged template literals have been added to DataFlow::CallNode. This allows the analysis to find flow into functions called with a tagged template literal, and the arguments to a tagged template literal are part of the API-graph in ApiGraphs.qll.

Python

• Added better support for API graphs when encountering from ... import *. For example in the code from foo import *; Bar(), we will now find a result for API::moduleImport("foo").getMember("Bar").getACall()

• Deleted the deprecated isBarrierGuard predicate from the dataflow library and its uses, use isBarrier and the BarrierGuard module instead.

• Deleted the deprecated getAUse, getAnImmediateUse, getARhs, and getAValueReachingRhs predicates from the API::Node class.

• Deleted the deprecated fullyQualifiedToAPIGraphPath class from SubclassFinder.qll, use fullyQualifiedToApiGraphPath instead.

• Deleted the deprecated Paths.qll file.

• Deleted the deprecated semmle.python.security.performance folder, use semmle.python.security.regexp instead.

• Deleted the deprecated semmle.python.security.strings and semmle.python.web folders.

• Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the Deserializing untrusted input query (py/unsafe-deserialization). Added support for pandas.read_pickle, numpy.load and joblib.load.

Ruby

• Deleted the deprecated isBarrierGuard predicate from the dataflow library and its uses, use isBarrier and the BarrierGuard module instead.

• Deleted the deprecated isWeak predicate from the CryptographicOperation class.

• Deleted the deprecated getStringOrSymbol and isStringOrSymbol predicates from the ConstantValue class.

• Deleted the deprecated getAPI from the IOOrFileMethodCall class.

• Deleted the deprecated codeql.ruby.security.performance folder, use codeql.ruby.security.regexp instead.

• GraphQL enums are no longer considered remote flow sources.

Swift

• Improved taint models for Numeric types and RangeReplaceableCollections.

• The nil-coalescing operator ?? is now supported by the CFG construction and dataflow libraries.

• The data flow library now supports flow to the loop variable of for-in loops.

• The methods getIteratorVar and getNextCall have been added to the ForEachStmt class.

New Features

Java/Kotlin

• Added predicate MemberRefExpr::getReceiverExpr

• © GitHub, Inc.
• Terms
• Privacy