Commit 41ee84b

Merge pull request #18591 from github/changedocs/2.20.3
Add changelog entries for CodeQL CLI versions 2.20.1 to 2.20.3
2 parents d3d3cce + a76e9a4 commit 41ee84b

4 files changed, +370 -0 lines changed

Lines changed: 166 additions & 0 deletions
@@ -0,0 +1,166 @@
1+
.. _codeql-cli-2.20.1:
2+
3+
==========================
4+
CodeQL 2.20.1 (2025-01-09)
5+
==========================
6+
7+
.. contents:: Contents
8+
:depth: 2
9+
:local:
10+
:backlinks: none
11+
12+
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
13+
14+
Security Coverage
15+
-----------------
16+
17+
CodeQL 2.20.1 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 22 security queries have been added with this release.
18+
19+
CodeQL CLI
20+
----------
21+
22+
Improvements
23+
~~~~~~~~~~~~
24+
25+
* Automatic installation of dependencies for C++ autobuild is now supported on Ubuntu 24.04.
26+
27+
* The CLI will now warn if it detects that it is installed in a location where it is likely to cause performance issues. This includes: user home, desktop, downloads, or the file system root.
28+
29+
You can avoid this warning by setting the :code:`CODEQL_ALLOW_INSTALLATION_ANYWHERE` environment variable to :code:`true`.
30+
31+
Query Packs
32+
-----------
33+
34+
Minor Analysis Improvements
35+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
36+
37+
C/C++
38+
"""""
39+
40+
* The "Returning stack-allocated memory" query (:code:`cpp/return-stack-allocated-memory`) no longer produces results if there is an extraction error in the returned expression.
41+
* The "Badly bounded write" query (:code:`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.
42+
* The "Too few arguments to formatting function" query (:code:`cpp/wrong-number-format-arguments`) no longer produces results if an argument has an extraction error.
43+
* The "Wrong type of arguments to formatting function" query (:code:`cpp/wrong-type-format-argument`) no longer produces results when an argument type has an extraction error.
44+
* Added dataflow models and flow sources for Microsoft's Active Template Library (ATL).
45+
46+
C#
47+
""
48+
49+
* The :code:`ExternalApi` and :code:`TestLibrary` modules have been moved to the library pack.
50+
51+
New Queries
52+
~~~~~~~~~~~
53+
54+
Python
55+
""""""
56+
57+
* The Server Side Template Injection query (:code:`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the main query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input.
58+
59+
Actions
60+
"""""""
61+
62+
* Initial public preview release
63+
64+
Language Libraries
65+
------------------
66+
67+
Breaking Changes
68+
~~~~~~~~~~~~~~~~
69+
70+
Java/Kotlin
71+
"""""""""""
72+
73+
* The class :code:`ControlFlowNode` (and by extension :code:`BasicBlock`) is no longer directly equatable to :code:`Expr` and :code:`Stmt`. Any queries that have been exploiting these equalities, for example by using casts, will need minor updates in order to fix any compilation errors. Conversions can be inserted in either direction depending on what is most convenient. Available conversions include :code:`Expr.getControlFlowNode()`, :code:`Stmt.getControlFlowNode()`,
74+
:code:`ControlFlowNode.asExpr()`, :code:`ControlFlowNode.asStmt()`, and
75+
:code:`ControlFlowNode.asCall()`. Exit nodes were until now modelled as a
76+
:code:`ControlFlowNode` equal to its enclosing :code:`Callable`\ ; these are now instead modelled by the class :code:`ControlFlow::ExitNode`.
77+
78+
Major Analysis Improvements
79+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
80+
81+
Swift
82+
"""""
83+
84+
* Upgraded to allow analysis of Swift 6.0.2.
85+
86+
Minor Analysis Improvements
87+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
88+
89+
C/C++
90+
"""""
91+
92+
* The :code:`Guards` library (:code:`semmle.code.cpp.controlflow.Guards`) has been improved to recognize more guard conditions.
93+
94+
C#
95+
""
96+
97+
* C# 13: Added QL library support for *collection* like type :code:`params` parameters.
98+
* Added :code:`remote` flow source models for properties of Blazor components annotated with any of the following attributes from :code:`Microsoft.AspNetCore.Components`\ :
99+
100+
* :code:`[SupplyParameterFromForm]`
101+
* :code:`[SupplyParameterFromQuery]`
102+
103+
* Added the constructor and explicit cast operator of :code:`Microsoft.AspNetCore.Components.MarkupString` as an :code:`html-injection` sink. This will help catch cross-site scripting resulting from using :code:`MarkupString`.
104+
* Added flow summaries for the :code:`Microsoft.AspNetCore.Mvc.Controller::View` method.
105+
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
106+
* The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.
107+
108+
Golang
109+
""""""
110+
111+
* Added a :code:`commandargs` local source model for the :code:`os.Args` variable.
112+
113+
Java/Kotlin
114+
"""""""""""
115+
116+
* Added :code:`java.io.File.getName()` as a path injection sanitizer.
117+
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
118+
* Added a sink for "Server-side request forgery" (:code:`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.
119+
120+
Python
121+
""""""
122+
123+
* Added modeling of :code:`fastapi.Request` and :code:`starlette.requests.Request` as sources of untrusted input,
124+
and modeling of tainted data flow out of these request objects.
125+
126+
Deprecated APIs
127+
~~~~~~~~~~~~~~~
128+
129+
C/C++
130+
"""""
131+
132+
* The :code:`TemplateParameter` class, representing C++ type template parameters has been deprecated. Use :code:`TypeTemplateParameter` instead.
133+
134+
New Features
135+
~~~~~~~~~~~~
136+
137+
C/C++
138+
"""""
139+
140+
* New classes :code:`SizeofPackExprOperator` and :code:`SizeofPackTypeOperator` were introduced, which represent the C++ :code:`sizeof...` operator taking expressions and type arguments, respectively.
141+
* A new class :code:`TemplateTemplateParameterInstantiation` was introduced, which represents instantiations of template template parameters.
142+
* A new predicate :code:`getAnInstantiation` was added to the :code:`TemplateTemplateParameter` class, which yields instantiations of template template parameters.
143+
* The :code:`getTemplateArgumentType` and :code:`getTemplateArgumentValue` predicates of the :code:`Declaration` class now also yield template arguments of template template parameters.
144+
* A new class :code:`NonTypeTemplateParameter` was introduced, which represents C++ non-type template parameters.
145+
* A new class :code:`TemplateParameterBase` was introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters.
146+
147+
Python
148+
""""""
149+
150+
* Added support for parameter annotations in API graphs. This means that in a function definition such as :code:`def foo(x: Bar): ...`, you can now use the :code:`getInstanceFromAnnotation()` method to step from :code:`Bar` to :code:`x`. In addition to this, the :code:`getAnInstance` method now also includes instances arising from parameter annotations.
151+
152+
Actions
153+
"""""""
154+
155+
* Initial public preview release
156+
157+
Shared Libraries
158+
----------------
159+
160+
Minor Analysis Improvements
161+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
162+
163+
Dataflow Analysis
164+
"""""""""""""""""
165+
166+
* Added a module :code:`DataFlow::DeduplicatePathGraph` that can be used to avoid generating duplicate path explanations in queries that use flow state.
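Review bot: the `java/ssrf` entry in the Java/Kotlin Minor Analysis Improvements section leaves `org.springframework.web.client.RestTemplate.getForObject` as bare text while every other identifier in this file is wrapped in a :code: role; wrap it the same way so it renders consistently. Two smaller style points in the same hunk: "collection like type" in the C# 13 entry should be hyphenated as "collection-like", and the `TemplateParameter` deprecation entry needs a comma after "parameters" ("representing C++ type template parameters, has been deprecated").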
Lines changed: 170 additions & 0 deletions
@@ -0,0 +1,170 @@
1+
.. _codeql-cli-2.20.2:
2+
3+
==========================
4+
CodeQL 2.20.2 (2025-01-22)
5+
==========================
6+
7+
.. contents:: Contents
8+
:depth: 2
9+
:local:
10+
:backlinks: none
11+
12+
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
13+
14+
Security Coverage
15+
-----------------
16+
17+
CodeQL 2.20.2 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).
18+
19+
CodeQL CLI
20+
----------
21+
22+
Bug Fixes
23+
~~~~~~~~~
24+
25+
* Fixed a bug where CodeQL would crash on rare occasions while merging SARIF files before uploading results.
26+
27+
Improvements
28+
~~~~~~~~~~~~
29+
30+
* :code:`codeql database create` and :code:`codeql database finalize` now write relations to disk in a new, compressed format. As a result, databases will generally take up less space on disk, whether zipped or unzipped. Note that databases in this format can only be read and analyzed using CodeQL version 2.20.1 onwards. Attempting to analyze such a database with CodeQL version 2.20.0 or older will fail, with an error message like the following:
31+
32+
.. code-block:: text
33+
34+
UnsortedExtensionalError: Tuples that were assumed to be in order are not: [123456777, 777654321, 123456777]<[777654321, 123456777, 777654321]
35+
36+
* Added the :code:`.bitLength()` method to :code:`QlBuiltins::BigInt`.
37+
38+
Query Packs
39+
-----------
40+
41+
Bug Fixes
42+
~~~~~~~~~
43+
44+
Java/Kotlin
45+
"""""""""""
46+
47+
* Classes that define a :code:`writeReplace` method are no longer flagged by the :code:`java/missing-no-arg-constructor-on-serializable` query on the assumption they are unlikely to be deserialized using the default algorithm.
48+
* The query "Use of a broken or risky cryptographic algorithm" (:code:`java/weak-cryptographic-algorithm`) now gives the reason why the cryptographic algorithm is considered weak.
49+
50+
JavaScript/TypeScript
51+
"""""""""""""""""""""
52+
53+
* Fixed a TypeScript extractor crash that would occur when encountering an export specifier whose local specifier was a string literal.
54+
55+
Major Analysis Improvements
56+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
57+
58+
JavaScript/TypeScript
59+
"""""""""""""""""""""
60+
61+
* The :code:`js/xss-through-dom` query now recognises sources of DOM input originating from Angular templates.
62+
63+
Minor Analysis Improvements
64+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
65+
66+
C/C++
67+
"""""
68+
69+
* Added dataflow models for :code:`SysAllocString` and related functions.
70+
* The :code:`cpp/badly-bounded-write`, :code:`cpp/equality-on-floats`, :code:`cpp/short-global-name`, :code:`cpp/static-buffer-overflow`, :code:`cpp/too-few-arguments`, :code:`cpp/useless-expression`, :code:`cpp/world-writable-file-creation` queries no longer produce alerts on files created by CMake to test the build configuration.
71+
72+
Language Libraries
73+
------------------
74+
75+
Major Analysis Improvements
76+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
77+
78+
JavaScript/TypeScript
79+
"""""""""""""""""""""
80+
81+
* All data flow queries are now using the same underlying data flow library as the other languages analyses, replacing the old one written specifically for JavaScript/TypeScript.
82+
This is a significant change and users may consequently observe differences in the alerts generated by the analysis.
83+
84+
Minor Analysis Improvements
85+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
86+
87+
C/C++
88+
"""""
89+
90+
* :code:`DefaultOptions::exits` now holds for C23 functions with the :code:`_Noreturn` or :code:`___Noreturn__` attribute.
91+
92+
C#
93+
""
94+
95+
* Added extractor support for extracting implicit :code:`ToString` calls in binary :code:`+` expressions and string interpolation expressions.
96+
* The Razor source generator invocation in :code:`build-mode:none` extraction has been changed to use relative file paths instead of absolute ones.
97+
* C# 13: Added extractor support and call dispatch logic (data flow) for the (negative) type parameter constraint :code:`allows ref struct`. Added extractor support for the type parameter constraint :code:`notnull`.
98+
99+
Golang
100+
""""""
101+
102+
* :code:`database` local source models have been added for the Beego ORM package.
103+
* :code:`database` local source models have been added for the :code:`github.com/jmoiron/sqlx` package.
104+
* Added :code:`database` source models for database methods from the :code:`gorm.io/gorm` package.
105+
* :code:`database` local source models have been added for the :code:`database/sql` and :code:`database/sql/driver` packages.
106+
107+
Java/Kotlin
108+
"""""""""""
109+
110+
* :code:`JavacTool`\ -based compiler interception no longer requires an :code:`--add-opens` directive when :code:`FileObject.toUri` is accessible.
111+
* :code:`JavacTool`\ -based compiler interception no longer throws an exception visible to the program using :code:`JavacTool` on failure to extract a file path from a passed :code:`JavaFileObject`.
112+
* :code:`JavacTool`\ -based compiler interception now supports files that don't simply wrap a :code:`file://` URL, such as a source file inside a JAR, or an in-memory file, but which do implement :code:`getCharContent`.
113+
114+
JavaScript/TypeScript
115+
"""""""""""""""""""""
116+
117+
* The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
118+
119+
Python
120+
""""""
121+
122+
* The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
123+
* Additional taint steps through methods of :code:`lxml.etree.Element` and :code:`lxml.etree.ElementTree` objects from the :code:`lxml` PyPI package have been modeled.
124+
125+
Ruby
126+
""""
127+
128+
* The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
129+
* Types are now being tracked in data flow, but only when the type of an object is obvious from the context. For example, :code:`C.new` has guaranteed type :code:`C`, while in :code:`def add(x, y) { x + y }` we cannot assign a type to :code:`x + y` (it could, for instance, be both :code:`String` and :code:`Integer`). Tracking types allows us to remove false-positive results when type incompatibility can be established.
130+
131+
Swift
132+
"""""
133+
134+
* The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
135+
136+
Deprecated APIs
137+
~~~~~~~~~~~~~~~
138+
139+
JavaScript/TypeScript
140+
"""""""""""""""""""""
141+
142+
* Custom data flow queries will need to be migrated in order to use the shared data flow library. Until migrated, such queries will compile with deprecation warnings and run with a deprecated copy of the old data flow library. The deprecation layer will be removed in early 2026, after which any unmigrated queries will stop working.
143+
See more information in the `migration guide <https://codeql.github.com/docs/codeql-language-guides/migrating-javascript-dataflow-queries>`__.
144+
145+
New Features
146+
~~~~~~~~~~~~
147+
148+
C/C++
149+
"""""
150+
151+
* Add a new predicate :code:`getAnIndirectBarrier` to the parameterized module :code:`InstructionBarrierGuard` in :code:`semmle.code.cpp.dataflow.new.DataFlow` for computing indirect dataflow nodes that are guarded by a given instruction. This predicate is similar to the :code:`getAnIndirectBarrier` predicate on the parameterized module :code:`BarrierGuard`.
152+
* A new predicate :code:`getDecltype` was added to the :code:`ProxyClass` class, which yields the decltype for the proxy class.
153+
* Template classes that are of :code:`struct` type are now also instances of the :code:`Struct` class.
154+
* Template classes that are of :code:`union` type are now also instances of the :code:`Union` class.
155+
* A new abstract class :code:`ConfigurationTestFile` (:code:`semmle.code.cpp.ConfigurationTestFile.ConfigurationTestFile`) was introduced, which represents files created to test the build configuration. A subclass :code:`CmakeTryCompileFile` of :code:`ConfigurationTestFile` was also introduced, which represents files created by CMake to test the build configuration.
156+
* New predicates :code:`getARequiresClause`, :code:`getTemplateRequiresClause` and :code:`getFunctionRequiresClause` were added to the :code:`FunctionDeclarationEntry` class, which yield the requires clauses when the entry represents a function template declaration with requires clauses.
157+
* A new predicate :code:`getRequiresClause` was added to the :code:`TypeDeclarationEntry` class, which yields the requires clause when the entry represents a class template declaration with a requires clause.
158+
* A new predicate :code:`getRequiresClause` was added to the :code:`VariableDeclarationEntry` class, which yields the requires clause when the entry represents a variable template declaration with a requires clause.
159+
* A new predicate :code:`getTypeConstraint` was added to the :code:`TypeTemplateParameter` class, which yields the type constraint of the parameter if it exists.
160+
* A new class :code:`VariableTemplateSpecialization` was introduced, which represents explicit specializations of variable templates.
161+
* A new predicate :code:`isSpecialization` was added to the :code:`Variable` class, which holds if the variable is a template specialization.
162+
* A new class :code:`ConceptIdExpr` was introduced, which represents C++20 concept id expressions.
163+
* A new class :code:`Concept` was introduced, which represents C++20 concepts.
164+
* The :code:`getTemplateArgumentType` and :code:`getTemplateArgumentValue` predicates of the :code:`Declaration` class now also yield template arguments of concepts.
165+
* A new class :code:`ConstevalIfStmt` was introduced, which represents the C++23 :code:`if consteval` and :code:`if ! consteval` statements.
166+
167+
Java/Kotlin
168+
"""""""""""
169+
170+
* The Java and Kotlin extractors now support :code:`CODEQL_PATH_TRANSFORMER`. :code:`SEMMLE_PATH_TRANSFORMER` is still supported, but deprecated.
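Review bot: the Ruby example in the type-tracking entry under Language Libraries > Minor Analysis Improvements > Ruby, `def add(x, y) { x + y }`, is not valid Ruby (braces do not delimit a method body); write it as `def add(x, y) = x + y` or `def add(x, y); x + y; end` so a Ruby changelog does not show syntax that would not parse. Two smaller points: "the other languages analyses" in the JavaScript/TypeScript Major Analysis Improvements entry should read "the other languages' analyses", and the first C/C++ New Features entry opens in the imperative ("Add a new predicate") while every sibling entry uses the past tense ("A new predicate ... was added").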
