|
| 1 | +.. _codeql-cli-2.24.0: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.24.0 (2026-01-26) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.24.0 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +Miscellaneous |
| 23 | +~~~~~~~~~~~~~ |
| 24 | + |
| 25 | +* The OWASP Java HTML Sanitizer library used by the CodeQL CLI for internal documentation generation commands has been updated to version |
| 26 | + \ `20260102.1 <https://github.com/OWASP/java-html-sanitizer/releases/tag/release-20260102.1>`__. |
| 27 | +* The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.9. |
| 28 | + |
| 29 | +Query Packs |
| 30 | +----------- |
| 31 | + |
| 32 | +Major Analysis Improvements |
| 33 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 34 | + |
| 35 | +JavaScript/TypeScript |
| 36 | +""""""""""""""""""""" |
| 37 | + |
| 38 | +* JavaScript files with an average line length greater than 200 are now considered minified and will no longer be analyzed. |
| 39 | + For use-cases where minified files should be analyzed, the original behavior can be restored by setting the environment variable |
| 40 | + :code:`CODEQL_EXTRACTOR_JAVASCRIPT_ALLOW_MINIFIED_FILES=true`. |
| 41 | + |
| 42 | +Minor Analysis Improvements |
| 43 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 44 | + |
| 45 | +C/C++ |
| 46 | +""""" |
| 47 | + |
| 48 | +* The :code:`cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees. |
| 49 | + |
| 50 | +C# |
| 51 | +"" |
| 52 | + |
| 53 | +* Added :code:`NHibernate.ISession.CreateSQLQuery`, :code:`NHibernate.IStatelessSession.CreateSQLQuery` and :code:`NHibernate.Impl.AbstractSessionImpl.CreateSQLQuery` as SQL injection sinks. |
| 54 | +* The :code:`Missing cross-site request forgery token validation` query was extended to support ASP.NET Core. |
| 55 | + |
| 56 | +Java/Kotlin |
| 57 | +""""""""""" |
| 58 | + |
| 59 | +* Added sink models for :code:`com.couchbase` supporting SQL Injection and Hardcoded Credentials queries. |
| 60 | +* Java thread safety analysis now understands initialization to thread safe classes inside constructors. |
| 61 | + |
| 62 | +JavaScript/TypeScript |
| 63 | +""""""""""""""""""""" |
| 64 | + |
| 65 | +* The model of :code:`vue-router` now properly detects taint sources in cases where the :code:`props` property is a callback. |
| 66 | +* Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in files named :code:`route` or :code:`page` appearing outside :code:`api` and :code:`pages` folders. |
| 67 | +* :code:`new Response(x)` is no longer seen as a reflected XSS sink when no :code:`content-type` header is set, since the content type defaults to :code:`text/plain`. |
| 68 | + |
| 69 | +Rust |
| 70 | +"""" |
| 71 | + |
| 72 | +* Fixed common false positives for the :code:`rust/unused-variable` and :code:`rust/unused-value` queries. |
| 73 | +* Fixed false positives from the :code:`rust/access-invalid-pointer` query, by only considering dereferences of raw pointers as sinks. |
| 74 | +* Fixed false positives from the :code:`rust/access-after-lifetime-ended` query, involving calls to trait methods. |
| 75 | +* The :code:`rust/hard-coded-cryptographic-value` query has been extended with new heuristic sinks identifying passwords, initialization vectors, nonces and salts. |
| 76 | + |
| 77 | +Query Metadata Changes |
| 78 | +~~~~~~~~~~~~~~~~~~~~~~ |
| 79 | + |
| 80 | +C# |
| 81 | +"" |
| 82 | + |
| 83 | +* Updated the :code:`name`, :code:`description`, and alert message of :code:`cs/path-combine` to have more details about why it's a problem. |
| 84 | + |
| 85 | +Language Libraries |
| 86 | +------------------ |
| 87 | + |
| 88 | +Bug Fixes |
| 89 | +~~~~~~~~~ |
| 90 | + |
| 91 | +C/C++ |
| 92 | +""""" |
| 93 | + |
| 94 | +* Fixed a bug in the :code:`DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return :code:`DataFlow::Node`\ s with incorrect indirections. If you use :code:`getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use :code:`DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results. |
| 95 | + |
| 96 | +C# |
| 97 | +"" |
| 98 | + |
| 99 | +* Fixed two issues affecting build mode :code:`none`\ : |
| 100 | + |
| 101 | + * Corrected version sorting logic when detecting the newest .NET framework to use. |
| 102 | + * Improved stability for .NET 10 compatibility. |
| 103 | + |
| 104 | +* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed. |
| 105 | + |
| 106 | +Breaking Changes |
| 107 | +~~~~~~~~~~~~~~~~ |
| 108 | + |
| 109 | +C/C++ |
| 110 | +""""" |
| 111 | + |
| 112 | +* The :code:`_Decimal32`, :code:`_Decimal64`, and :code:`_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases. |
| 113 | + |
| 114 | +Golang |
| 115 | +"""""" |
| 116 | + |
| 117 | +* The query :code:`go/unexpected-frontend-error` has been moved from the :code:`codeql/go-queries` query to the :code:`codeql-go-consistency-queries` query pack. |
| 118 | + |
| 119 | +Python |
| 120 | +"""""" |
| 121 | + |
| 122 | +* All modules that depend on the points-to analysis have now been removed from the top level :code:`python.qll` module. To access the points-to functionality, import the new :code:`LegacyPointsTo` module. This also means that some predicates have been removed from various classes, for instance :code:`Function.getFunctionObject()`. To access these predicates, import the :code:`LegacyPointsTo` module and use the :code:`FunctionWithPointsTo` class instead. Most cases follow this pattern, but there are a few exceptions: |
| 123 | + |
| 124 | + * The :code:`getLiteralObject` method on :code:`ImmutableLiteral` subclasses has been replaced with a predicate :code:`getLiteralObject(ImmutableLiteral l)` in the :code:`LegacyPointsTo` module. |
| 125 | + * The :code:`getMetrics` method on :code:`Function`, :code:`Class`, and :code:`Module` has been removed. To access metrics, import :code:`LegacyPointsTo` and use the classes :code:`FunctionMetrics`, etc. instead. |
| 126 | + |
| 127 | +Major Analysis Improvements |
| 128 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 129 | + |
| 130 | +Swift |
| 131 | +""""" |
| 132 | + |
| 133 | +* Upgraded to allow analysis of Swift 6.2.3. |
| 134 | +* Upgraded to allow analysis of Swift 6.2.2. |
| 135 | + |
| 136 | +GitHub Actions |
| 137 | +"""""""""""""" |
| 138 | + |
| 139 | +* The query :code:`actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by :code:`actions/code-injection/critical`. |
| 140 | + |
| 141 | +Minor Analysis Improvements |
| 142 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 143 | + |
| 144 | +C/C++ |
| 145 | +""""" |
| 146 | + |
| 147 | +* Some constants will now be represented by their unfolded expression trees. The :code:`isConstant` predicate of :code:`Expr` will no longer yield a result for those constants. |
| 148 | + |
| 149 | +C# |
| 150 | +"" |
| 151 | + |
| 152 | +* When a code-scanning configuration specifies the :code:`paths:` and/or :code:`paths-ignore:` settings, these are now taken into account by the C# extractor's search for :code:`.config`, :code:`.props`, XML and project files. |
| 153 | +* Updated the generated .NET “models as data” runtime models to cover .NET 10. |
| 154 | +* C# 14: Support for *implicit* span conversions in the QL library. |
| 155 | +* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and :code:`build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis. |
| 156 | +* Added autobuilder and :code:`build-mode: none` support for :code:`.slnx` solution files. |
| 157 | +* In :code:`build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere. |
| 158 | +* Added implicit reads of :code:`System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted. |
| 159 | + |
| 160 | +Golang |
| 161 | +"""""" |
| 162 | + |
| 163 | +* When a code-scanning configuration specifies the :code:`paths:` and/or :code:`paths-ignore:` settings, these are now taken into account by the Go extractor's search for :code:`.vue` and HTML files. |
| 164 | + |
| 165 | +Java/Kotlin |
| 166 | +""""""""""" |
| 167 | + |
| 168 | +* When a code-scanning configuration specifies the :code:`paths:` and/or :code:`paths-ignore:` settings, these are now taken into account by the Java extractor's search for XML and properties files. |
| 169 | +* Additional remote flow sources from the :code:`org.springframework.web.socket` package have been modeled. |
| 170 | +* A sanitizer has been added to :code:`java/ssrf` to remove alerts when a regular expression check is used to verify that the value is safe. |
| 171 | +* URI template variables of all Spring :code:`RestTemplate` methods are now considered as request forgery sinks. Previously only the :code:`getForObject` method was considered. This may lead to more alerts for the query :code:`java/ssrf`. |
| 172 | +* Added more dataflow models of :code:`org.apache.commons.fileupload.FileItem`, :code:`javax/jakarta.servlet.http.Part` and :code:`org.apache.commons.fileupload.util.Streams`. |
| 173 | + |
| 174 | +JavaScript/TypeScript |
| 175 | +""""""""""""""""""""" |
| 176 | + |
| 177 | +* Support :code:`use cache` directives for Next.js 16. |
| 178 | +* Added :code:`PreCallGraphStep` flow model for React's :code:`useRef` hook. |
| 179 | +* Added a :code:`DomValueSource` that uses the :code:`current` property off the object returned by React's :code:`useRef` hook. |
| 180 | + |
| 181 | +Python |
| 182 | +"""""" |
| 183 | + |
| 184 | +* When a code-scanning configuration specifies the :code:`paths:` and/or :code:`paths-ignore:` settings, these are now taken into account by the Python extractor's search for YAML files. |
| 185 | +* The :code:`compression.zstd` library (added in Python 3.14) is now supported by the :code:`py/decompression-bomb` query. |
| 186 | +* Added taint flow model and type model for :code:`urllib.parseurl`. |
| 187 | +* Remote flow sources for the :code:`python-socketio` package have been modeled. |
| 188 | +* Additional models for remote flow sources for :code:`tornado.websocket.WebSocketHandler` have been added. |
| 189 | + |
| 190 | +Rust |
| 191 | +"""" |
| 192 | + |
| 193 | +* The :code:`Deref` trait is now considered during method resolution. This means that method calls on receivers implementing the :code:`Deref` trait will correctly resolve to methods defined on the target type. This may result in additional query results, especially for data flow queries. |
| 194 | +* Renamed the :code:`Adt` class to :code:`TypeItem` and moved common predicates from :code:`Struct`, :code:`Enum`, and :code:`Union` to :code:`TypeItem`. |
| 195 | +* Added models for the Axum web application framework. |
| 196 | +* Reading content of a value now carries taint if the value itself is tainted. For instance, if :code:`s` is tainted then :code:`s.field` is also tainted. This generally improves taint flow. |
| 197 | +* The call graph is now more precise for calls that target a trait function with a default implementation. This reduces the number of false positives for data flow queries. |
| 198 | +* Improved type inference for raw pointers (:code:`*const` and :code:`*mut`). This includes type inference for the raw borrow operators (:code:`&raw const` and :code:`&raw mut`) and dereferencing of raw pointers. |
| 199 | + |
| 200 | +Deprecated APIs |
| 201 | +~~~~~~~~~~~~~~~ |
| 202 | + |
| 203 | +C/C++ |
| 204 | +""""" |
| 205 | + |
| 206 | +* The :code:`OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use :code:`OverloadedArrayExpr::getArrayOffset/1` and :code:`OverloadedArrayExpr::getAnArrayOffset` instead. |
| 207 | + |
| 208 | +New Features |
| 209 | +~~~~~~~~~~~~ |
| 210 | + |
| 211 | +C/C++ |
| 212 | +""""" |
| 213 | + |
| 214 | +* Added subclasses of :code:`BuiltInOperations` for the :code:`__is_bitwise_cloneable`, :code:`__is_invocable`, and :code:`__is_nothrow_invocable` builtin operations. |
| 215 | +* Added a :code:`isThisAccess` predicate to :code:`ParamAccessForType` that holds when the access is to the implicit object parameter. |
| 216 | +* Predicates :code:`getArrayOffset/1` and :code:`getAnArrayOffset` have been added to the :code:`OverloadedArrayExpr` class to support C++23 multidimensional subscript operators. |
| 217 | + |
| 218 | +Python |
| 219 | +"""""" |
| 220 | + |
| 221 | +* The extractor now supports the new, relaxed syntax :code:`except A, B, C: ...` (which would previously have to be written as :code:`except (A, B, C): ...`) as defined in `PEP-758 <https://peps.python.org/pep-0758/>`__. This may cause changes in results for code that uses Python 2-style exception binding (:code:`except Foo, e: ...`). The more modern format, :code:`except Foo as e: ...` (available since Python 2.6) is unaffected. |
| 222 | +* The Python extractor now supports template strings as defined in `PEP-750 <https://peps.python.org/pep-0750/>`__, through the classes :code:`TemplateString` and :code:`JoinedTemplateString`. |
0 commit comments