|
| 1 | +.. _codeql-cli-2.20.2: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.20.2 (2025-01-22) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.20.2 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +Bug Fixes |
| 23 | +~~~~~~~~~ |
| 24 | + |
| 25 | +* Fixed a bug where CodeQL would crash on rare occasions while merging SARIF files before uploading results. |
| 26 | + |
| 27 | +Improvements |
| 28 | +~~~~~~~~~~~~ |
| 29 | + |
| 30 | +* :code:`codeql database create` and :code:`codeql database finalize` now write relations to disk in a new, compressed format. As a result, databases will generally take up less space on disk, whether zipped or unzipped. Note that databases in this format can only be read and analyzed using CodeQL version 2.20.1 onwards. Attempting to analyze such a database with CodeQL version 2.20.0 or older will fail, with an error message like the following: |
| 31 | + |
| 32 | + .. code-block:: text |
| 33 | + |
| 34 | + UnsortedExtensionalError: Tuples that were assumed to be in order are not: [123456777, 777654321, 123456777]<[777654321, 123456777, 777654321] |
| 35 | + |
| 36 | +* Added the :code:`.bitLength()` method to :code:`QlBuiltins::BigInt`. |
| 37 | + |
| 38 | +Query Packs |
| 39 | +----------- |
| 40 | + |
| 41 | +Bug Fixes |
| 42 | +~~~~~~~~~ |
| 43 | + |
| 44 | +Java/Kotlin |
| 45 | +""""""""""" |
| 46 | + |
| 47 | +* Classes that define a :code:`writeReplace` method are no longer flagged by the :code:`java/missing-no-arg-constructor-on-serializable` query on the assumption they are unlikely to be deserialized using the default algorithm. |
| 48 | +* The query "Use of a broken or risky cryptographic algorithm" (:code:`java/weak-cryptographic-algorithm`) now gives the reason why the cryptographic algorithm is considered weak. |
| 49 | + |
| 50 | +JavaScript/TypeScript |
| 51 | +""""""""""""""""""""" |
| 52 | + |
| 53 | +* Fixed a TypeScript extractor crash that would occur when encountering an export specifier whose local specifier was a string literal. |
| 54 | + |
| 55 | +Major Analysis Improvements |
| 56 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 57 | + |
| 58 | +JavaScript/TypeScript |
| 59 | +""""""""""""""""""""" |
| 60 | + |
| 61 | +* The :code:`js/xss-through-dom` query now recognises sources of DOM input originating from Angular templates. |
| 62 | + |
| 63 | +Minor Analysis Improvements |
| 64 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 65 | + |
| 66 | +C/C++ |
| 67 | +""""" |
| 68 | + |
| 69 | +* Added dataflow models for :code:`SysAllocString` and related functions. |
| 70 | +* The :code:`cpp/badly-bounded-write`, :code:`cpp/equality-on-floats`, :code:`cpp/short-global-name`, :code:`cpp/static-buffer-overflow`, :code:`cpp/too-few-arguments`, :code:`cpp/useless-expression`, :code:`cpp/world-writable-file-creation` queries no longer produce alerts on files created by CMake to test the build configuration. |
| 71 | + |
| 72 | +Language Libraries |
| 73 | +------------------ |
| 74 | + |
| 75 | +Major Analysis Improvements |
| 76 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 77 | + |
| 78 | +JavaScript/TypeScript |
| 79 | +""""""""""""""""""""" |
| 80 | + |
| 81 | +* All data flow queries are now using the same underlying data flow library as the other languages analyses, replacing the old one written specifically for JavaScript/TypeScript. |
| 82 | + This is a significant change and users may consequently observe differences in the alerts generated by the analysis. |
| 83 | + |
| 84 | +Minor Analysis Improvements |
| 85 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 86 | + |
| 87 | +C/C++ |
| 88 | +""""" |
| 89 | + |
| 90 | +* :code:`DefaultOptions::exits` now holds for C23 functions with the :code:`_Noreturn` or :code:`___Noreturn__` attribute. |
| 91 | + |
| 92 | +C# |
| 93 | +"" |
| 94 | + |
| 95 | +* Added extractor support for extracting implicit :code:`ToString` calls in binary :code:`+` expressions and string interpolation expressions. |
| 96 | +* The Razor source generator invocation in :code:`build-mode:none` extraction has been changed to use relative file paths instead of absolute ones. |
| 97 | +* C# 13: Added extractor support and call dispatch logic (data flow) for the (negative) type parameter constraint :code:`allows ref struct`. Added extractor support for the type parameter constraint :code:`notnull`. |
| 98 | + |
| 99 | +Golang |
| 100 | +"""""" |
| 101 | + |
| 102 | +* :code:`database` local source models have been added for the Beego ORM package. |
| 103 | +* :code:`database` local source models have been added for the :code:`github.com/jmoiron/sqlx` package. |
| 104 | +* Added :code:`database` source models for database methods from the :code:`gorm.io/gorm` package. |
| 105 | +* :code:`database` local source models have been added for the :code:`database/sql` and :code:`database/sql/driver` packages. |
| 106 | + |
| 107 | +Java/Kotlin |
| 108 | +""""""""""" |
| 109 | + |
| 110 | +* :code:`JavacTool`\ -based compiler interception no longer requires an :code:`--add-opens` directive when :code:`FileObject.toUri` is accessible. |
| 111 | +* :code:`JavacTool`\ -based compiler interception no longer throws an exception visible to the program using :code:`JavacTool` on failure to extract a file path from a passed :code:`JavaFileObject`. |
| 112 | +* :code:`JavacTool`\ -based compiler interception now supports files that don't simply wrap a :code:`file://` URL, such as a source file inside a JAR, or an in-memory file, but which do implement :code:`getCharContent`. |
| 113 | + |
| 114 | +JavaScript/TypeScript |
| 115 | +""""""""""""""""""""" |
| 116 | + |
| 117 | +* The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library. |
| 118 | + |
| 119 | +Python |
| 120 | +"""""" |
| 121 | + |
| 122 | +* The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library. |
| 123 | +* Additional taint steps through methods of :code:`lxml.etree.Element` and :code:`lxml.etree.ElementTree` objects from the :code:`lxml` PyPI package have been modeled. |
| 124 | + |
| 125 | +Ruby |
| 126 | +"""" |
| 127 | + |
| 128 | +* The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library. |
| 129 | +* Types are now being tracked in data flow, but only when the type of an object is obvious from the context. For example, :code:`C.new` has guaranteed type :code:`C`, while in :code:`def add(x, y) { x + y }` we cannot assign a type to :code:`x + y` (it could, for instance, be both :code:`String` and :code:`Integer`). Tracking types allows us to remove false-positive results when type incompatibility can be established. |
| 130 | + |
| 131 | +Swift |
| 132 | +""""" |
| 133 | + |
| 134 | +* The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library. |
| 135 | + |
| 136 | +Deprecated APIs |
| 137 | +~~~~~~~~~~~~~~~ |
| 138 | + |
| 139 | +JavaScript/TypeScript |
| 140 | +""""""""""""""""""""" |
| 141 | + |
| 142 | +* Custom data flow queries will need to be migrated in order to use the shared data flow library. Until migrated, such queries will compile with deprecation warnings and run with a deprecated copy of the old data flow library. The deprecation layer will be removed in early 2026, after which any unmigrated queries will stop working. |
| 143 | + See more information in the `migration guide <https://codeql.github.com/docs/codeql-language-guides/migrating-javascript-dataflow-queries>`__. |
| 144 | + |
| 145 | +New Features |
| 146 | +~~~~~~~~~~~~ |
| 147 | + |
| 148 | +C/C++ |
| 149 | +""""" |
| 150 | + |
| 151 | +* Add a new predicate :code:`getAnIndirectBarrier` to the parameterized module :code:`InstructionBarrierGuard` in :code:`semmle.code.cpp.dataflow.new.DataFlow` for computing indirect dataflow nodes that are guarded by a given instruction. This predicate is similar to the :code:`getAnIndirectBarrier` predicate on the parameterized module :code:`BarrierGuard`. |
| 152 | +* A new predicate :code:`getDecltype` was added to the :code:`ProxyClass` class, which yields the decltype for the proxy class. |
| 153 | +* Template classes that are of :code:`struct` type are now also instances of the :code:`Struct` class. |
| 154 | +* Template classes that are of :code:`union` type are now also instances of the :code:`Union` class. |
| 155 | +* A new abstract class :code:`ConfigurationTestFile` (:code:`semmle.code.cpp.ConfigurationTestFile.ConfigurationTestFile`) was introduced, which represents files created to test the build configuration. A subclass :code:`CmakeTryCompileFile` of :code:`ConfigurationTestFile` was also introduced, which represents files created by CMake to test the build configuration. |
| 156 | +* New predicates :code:`getARequiresClause`, :code:`getTemplateRequiresClause` and :code:`getFunctionRequiresClause` were added to the :code:`FunctionDeclarationEntry` class, which yield the requires clauses when the entry represents a function template declaration with requires clauses. |
| 157 | +* A new predicate :code:`getRequiresClause` was added to the :code:`TypeDeclarationEntry` class, which yields the requires clause when the entry represents a class template declaration with a requires clause. |
| 158 | +* A new predicate :code:`getRequiresClause` was added to the :code:`VariableDeclarationEntry` class, which yields the requires clause when the entry represents a variable template declaration with a requires clause. |
| 159 | +* A new predicate :code:`getTypeConstraint` was added to the :code:`TypeTemplateParameter` class, which yields the type constraint of the parameter if it exists. |
| 160 | +* A new class :code:`VariableTemplateSpecialization` was introduced, which represents explicit specializations of variable templates. |
| 161 | +* A new predicate :code:`isSpecialization` was added to the :code:`Variable` class, which holds if the variable is a template specialization. |
| 162 | +* A new class :code:`ConceptIdExpr` was introduced, which represents C++20 concept id expressions. |
| 163 | +* A new class :code:`Concept` was introduced, which represents C++20 concepts. |
| 164 | +* The :code:`getTemplateArgumentType` and :code:`getTemplateArgumentValue` predicates of the :code:`Declaration` class now also yield template arguments of concepts. |
| 165 | +* A new class :code:`ConstevalIfStmt` was introduced, which represents the C++23 :code:`if consteval` and :code:`if ! consteval` statements. |
| 166 | + |
| 167 | +Java/Kotlin |
| 168 | +""""""""""" |
| 169 | + |
| 170 | +* The Java and Kotlin extractors now support :code:`CODEQL_PATH_TRANSFORMER`. :code:`SEMMLE_PATH_TRANSFORMER` is still supported, but deprecated. |
0 commit comments