CodeQL 2.19.3 (2024-11-07)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.19.3 runs a total of 427 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).
CodeQL CLI
Bug Fixes
Fixed a bug where using codeql database import to combine multiple non-empty databases may produce a corrupted database. (The bug does not affect using codeql database finalize --additional-dbs to combine multiple databases.)
Fixed a bug where uses of a QlBuiltins::ExtensionId variable that was not bound to a value could be incorrectly accepted in some cases. In many cases, this would result in a crash.
CodeQL would sometimes refuse to run with more than around 1,500 GB of RAM available, complaining that having so much memory was "unrealistic". The amount of memory CodeQL is able to make any meaningful use of still tops out at about that value, but it will now gracefully accept that such large computers do in fact exist.
Fixed a bug in command-line parsing where a misspelled option could sometimes be misinterpreted as, e.g., the name of a query to run. Now every command-line argument that begins with a dash is assumed to be intended as an option (unless it comes after the -- separator), and an appropriate error is emitted if it is not a recognized one. The build command in codeql database trace-command is exempted from this for historical reasons, but we strongly recommend putting a -- before the entire build command there, in case a future codeql version starts recognizing options that you intended to be part of the build command.
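As an added illustration of the recommendation above (this is example code, not part of the changelog or the CodeQL CLI itself), the following POSIX shell wrapper always places the build command after a -- separator when invoking codeql database trace-command. The positional layout it assumes, "-- <database> <command>...", is the one documented in the CodeQL CLI manual; the CODEQL_BIN variable and the trace_build function are names introduced for this example.

```shell
# Added example, not part of the CodeQL changelog. Wraps `codeql database trace-command`
# so the build command always sits after a "--" separator: anything after "--" is passed
# through verbatim, so build flags such as -j4 or --prefix=/opt can never be taken for
# CodeQL options, now or in a future release. The positional layout assumed here,
# "-- <database> <command>...", is the one in the CodeQL CLI manual; CODEQL_BIN is a
# variable introduced for this example.

: "${CODEQL_BIN:=codeql}"   # override to point at a specific CodeQL installation

# trace_build <database-dir> <build command> [args...]
# Runs the build under CodeQL's tracer. Returns 2 on a usage error, otherwise
# the exit status of codeql itself.
trace_build() {
    db="$1"
    if [ -z "$db" ] || [ $# -lt 2 ]; then
        echo "usage: trace_build <database-dir> <build command> [args...]" >&2
        return 2
    fi
    shift
    # "--" ends option parsing: the database path and the whole build command follow it,
    # so dash-prefixed build arguments are never inspected as CodeQL options.
    "$CODEQL_BIN" database trace-command -- "$db" "$@"
}

# Typical use (commented out so the file can be sourced without running a build):
# trace_build ./my-db make -j4 --always-make
```

Because the wrapper forwards "$@" unchanged, quoting and spacing inside the build command survive intact, which is the usual failure point when build commands are assembled as a single string instead of an argument list.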
Miscellaneous
The CodeQL Bundle is now available as an artifact that is compressed using Zstandard. This artifact is smaller and faster to decompress than the original, gzip-compressed bundle. The CodeQL bundle is a tar archive containing tools, scripts, and various CodeQL-specific files.
If you are currently using the CodeQL Bundle, you may want to consider switching to the Zstandard variant of the bundle. You can download the new form of the CodeQL Bundle from the codeql-action releases page by selecting the appropriate bundle with the .zst extension. The gzip-compressed bundles will continue to be available for backwards compatibility.
Query Packs
Minor Analysis Improvements
C/C++
Remove results from the cpp/wrong-type-format-argument ("Wrong type of arguments to formatting function") query if the argument is the return value of an implicitly declared function.
C#
C#: The method string.ReplaceLineEndings(string) is now considered a sanitizer for the cs/log-forging query.
Python
Improved modelling for the pycurl framework.
Language Libraries
Major Analysis Improvements
C#
The generated .NET 8 runtime models have been updated.
Java/Kotlin
Java: The generated JDK 17 models have been updated.
Minor Analysis Improvements
C/C++
The function call target resolution algorithm has been improved to resolve more calls through function pointers. As a result, dataflow queries may have more results.
Golang
The AST viewer now shows type parameter declarations in the correct place in the AST.
Java/Kotlin
Java build-mode=none extraction now packages the Maven plugin used to examine project dependencies. This means that dependency identification is more likely to succeed, and therefore analysis quality may rise, in scenarios where Maven Central is not reachable.
Python
New Features
C/C++
Added a new predicate DataFlow::getARuntimeTarget for getting a function that may be invoked by a Call expression. Unlike Call.getTarget, this new predicate may also resolve function pointers.
Added the predicate mayBeFromImplicitlyDeclaredFunction() to the Call class to represent calls that may be the return value of an implicitly declared C function.
Added the predicate getAnExplicitDeclarationEntry() to the Function class to get a FunctionDeclarationEntry that is not implicit.
Added classes RequiresExpr, SimpleRequirementExpr, TypeRequirementExpr, CompoundRequirementExpr, and NestedRequirementExpr to represent C++20 requires expressions and the simple, type, compound, and nested requirements that can occur in requires expressions.
JavaScript/TypeScript
Added support for custom threat models, which can be used in most of our taint-tracking queries; see our documentation for more details.