
CodeQL documentation

CodeQL 2.18.2 (2024-08-13)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.18.2 runs a total of 423 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 3 security queries have been added with this release.

CodeQL CLI

Deprecations

  • Swift analysis on Ubuntu is no longer supported. Please migrate to macOS if this affects you.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.3.

Query Packs

Minor Analysis Improvements

C/C++

  • Fixed false positives in the cpp/memory-may-not-be-freed (“Memory may not be freed”) query caused by class methods that return an allocated field of their class being misidentified as allocators.
  • The cpp/incorrectly-checked-scanf (“Incorrect return-value check for a ‘scanf’-like function”) query now produces fewer false positive results.
  • The cpp/incorrect-allocation-error-handling (“Incorrect allocation-error handling”) query no longer produces occasional false positive results inside template instantiations.
  • The cpp/suspicious-allocation-size (“Not enough memory allocated for array of pointer type”) query no longer produces false positives on “variable size” structs.

Java/Kotlin

  • Variable names containing the string “tokenizer” (case-insensitively) are no longer sources for the java/sensitive-log query. They normally refer to things like java.util.StringTokenizer, which are not sensitive information. This should fix some false positive alerts.
  • The query “Unused classes and interfaces” (java/unused-reference-type) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with @Test.
  • Alerts about exposing exception.getMessage() in servlet responses are now split out of java/stack-trace-exposure into their own query, java/error-message-exposure.
  • Added the extensible abstract class SensitiveLoggerSource. Extend it to add sources to the java/sensitive-log query, or to override the default sources in a customization.
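The following is an added example of extending SensitiveLoggerSource; it is not code from the CodeQL changelog or the CodeQL library. It assumes that SensitiveLoggerSource is importable from semmle.code.java.security.SensitiveLoggingQuery, and it models a hypothetical application class com.example.secrets.Vault whose getSecret(String) method returns credential material, so that any value returned by it which reaches a logging call is reported by java/sensitive-log.

```ql
/**
 * Added example, not part of the CodeQL library. Assumes the module path
 * below is where SensitiveLoggerSource lives, and models the hypothetical
 * class com.example.secrets.Vault with a method getSecret(String).
 */
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.security.SensitiveLoggingQuery

/** The return value of a call to the hypothetical `Vault.getSecret(...)` is sensitive. */
class VaultSecretSource extends SensitiveLoggerSource {
  VaultSecretSource() {
    exists(MethodCall call |
      call.getMethod().hasQualifiedName("com.example.secrets", "Vault", "getSecret") and
      this.asExpr() = call
    )
  }
}
```

Because the class is abstract, every concrete subclass that is in scope when the query is compiled contributes sources: put the class in a .qll that your query (or your copy of the sensitive-log query) imports, and the default sources remain in effect alongside the new one. Restricting the source to a method resolved by package, type and name, rather than by a name pattern, avoids the kind of false positive that the “tokenizer” change above fixes.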

Python

  • Added models of the streamlit PyPI package.

Swift

  • The swift/constant-salt (“Use of constant salts”) query now considers string concatenation and interpolation as a barrier. As a result, there will be fewer false positive results from this query involving constructed strings.
  • The swift/constant-salt (“Use of constant salts”) query message now contains a link to the source node.

New Queries

Python

  • The py/cookie-injection query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being constructed from user input.

Ruby

  • Added a new query, rb/weak-sensitive-data-hashing, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.

Query Metadata Changes

C/C++

  • The precision of cpp/unsigned-difference-expression-compared-zero (“Unsigned difference expression compared to zero”) has been increased to high. As a result, it will be run by default as part of the Code Scanning suite.

Language Libraries

Breaking Changes

Java/Kotlin

  • The Java and Kotlin extractors no longer support the legacy SOURCE_ARCHIVE and TRAP_FOLDER environment variables.

Major Analysis Improvements

Java/Kotlin

  • We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised or malicious DNS servers could return attacker-controlled responses to arbitrary requests. This source has now been removed from the default set of untrusted sources and given its own threat model kind, called “reverse-dns”, so flows that start at a reverse DNS result are only reported when that threat model is enabled. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see Analyzing your code with CodeQL queries and Customizing your advanced setup for code scanning.
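The following is an added example of opting back in to the “reverse-dns” threat model; it is not taken from the changelog or the CodeQL documentation. On the CLI the same effect is obtained with `codeql database analyze --threat-model=reverse-dns ...`; the data extension below is the form that such a setting takes inside a pack, and it assumes that threat models are enabled through the threatModelConfiguration extensible predicate of the codeql/threat-models pack, with columns (kind, enabled, priority).

```yaml
# Added example, not part of the CodeQL distribution. Assumes the
# codeql/threat-models pack exposes an extensible predicate
# threatModelConfiguration(kind, enabled, priority).
extensions:
  - addsTo:
      pack: codeql/threat-models
      extensible: threatModelConfiguration
    data:
      # Re-enable reverse DNS results (InetAddress host-name lookups and
      # similar) as untrusted sources in addition to the default "remote" set.
      - ["reverse-dns", true, 1]
```

Enable this only where the application really uses resolved host names in security decisions or in sinks such as file paths and log lines; on most code bases the source was dropped from the defaults precisely because it produced many low-value alerts.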

Minor Analysis Improvements

C/C++

  • The controlling expression of a constexpr if is now always recognized as an unevaluated expression.
  • Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
  • A UsingEnumDeclarationEntry class has been added for C++ using enum declarations. As part of this, synthesized UsingDeclarationEntrys are no longer emitted for individual enumerators of the referenced enumeration.

Java/Kotlin

  • Added flow through some methods of the class java.net.URL by ensuring that the fields of a URL are tainted.
  • Added path-injection sinks for org.apache.tools.ant.taskdefs.Property.setFile and org.apache.tools.ant.taskdefs.Property.setResource.
  • Added models for request handlers using the org.lastaflute.web web framework.

Swift

  • The model for FileManager no longer considers methods that return paths on the file system as taint sources. This is because these sources have been found to produce results of low value.
  • An error in the model for URL.withUnsafeFileSystemRepresentation(_:) has been corrected. This may result in new data flow paths being found during analysis.

New Features

C/C++

  • A getTemplateClass predicate was added to the DeductionGuide class to get the class template for which the deduction guide is a guide.
  • An isExplicit predicate was added to the Function class that determines whether the function was declared as explicit.
  • A getExplicitExpr predicate was added to the Function class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
  • An isDestroyingDeleteDeallocation predicate was added to the NewOrNewArrayExpr and DeleteOrDeleteArrayExpr classes to indicate whether the deallocation function is a destroying delete.

Java/Kotlin

  • Java support for build-mode: none is now out of beta, and generally available.