CodeQL 2.21.1 (2025-04-22)¶

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage¶

CodeQL 2.21.1 runs a total of 452 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 35 more CWE).

CodeQL CLI¶

Bug Fixes¶

Fixed a bug in CodeQL analysis for GitHub Actions in the presence of a code scanning configuration file containing paths-ignore exclusion patterns but not paths inclusion patterns. Previously, such a configuration incorrectly led to all YAML, HTML, JSON, and JS source files being extracted, except for those filtered by paths-ignore. This in turn led to performance issues on large codebases. Now, only workflow and Action metadata YAML files relevant to the GitHub Actions analysis will be extracted, except for those filtered by paths-ignore. This matches the default behavior when no configuration file is provided. The handling of paths inclusion patterns is unchanged: if provided, only those paths will be considered, except for those filtered by paths-ignore.

Query Packs¶

Bug Fixes¶

JavaScript/TypeScript¶

Fixed a bug that would prevent extraction of tsconfig.json files when it contained an array literal with a trailing comma.

GitHub Actions¶

Alerts produced by the query actions/missing-workflow-permissions now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

Major Analysis Improvements¶

Ruby¶

The query rb/useless-assignment-to-local now comes with query help and has been tweaked to produce fewer false positives.
The query rb/uninitialized-local-variable now only produces alerts when the variable is the receiver of a method call and should produce very few false positives. It also now comes with a help file.

Minor Analysis Improvements¶

C#¶

Enums and System.DateTimeOffset are now treated as simple types, which means that they are considered to have a sanitizing effect. This impacts many queries, among others the cs/log-forging query.
The MaD models for the .NET 9 Runtime have been re-generated after a fix related to out/ref parameters.

JavaScript/TypeScript¶

Data passed to the Response constructor is now treated as a sink for js/reflected-xss.
Slightly improved detection of DOM element references, leading to XSS results being detected in more cases.

Python¶

The py/mixed-tuple-returns query no longer flags instances where the tuple is passed into the function as an argument, as this led to too many false positives.

New Features¶

GitHub Actions¶

CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.

Language Libraries¶

Minor Analysis Improvements¶

C#¶

The alignment and format clauses in string interpolation expressions are now extracted. That is, in $"Hello {name,align:format}" name, align and format are extracted as children of the string interpolation insert {name,align:format}.
Blazor support can now better recognize when a property being set is specified with a string literal, rather than referenced in a nameof expression.

Golang¶

Local source models for APIs reading from databases have been added for github.com/gogf/gf/database/gdb and github.com/uptrace/bun.

Java/Kotlin¶

Enum-typed values are now assumed to be safe by most queries. This means that queries may return fewer results where an enum value is used in a sensitive context, e.g. pasted into a query string.
All existing modelling and support for javax.persistence now applies to jakarta.persistence as well.

JavaScript/TypeScript¶

Data passed to the NextResponse constructor is now treated as a sink for js/reflected-xss.
Data received from NextRequest and Request is now treated as a remote user input source.
Added support for the make-dir package.
Added support for the open package.
Added taint propagation for Uint8Array, ArrayBuffer, SharedArrayBuffer and TextDecoder.decode().
Improved detection of WebSocket and SockJS usage.
Added data received from WebSocket clients as a remote flow source.
Added support for additional mkdirp methods as sinks in path-injection queries.
Added support for additional rimraf methods as sinks in path-injection queries.

Ruby¶

Calls to super without explict arguments now have their implicit arguments generated. For example, in def foo(x, y) { super } end the call to super becomes super(x, y).

New Features¶

C/C++¶

Calling conventions explicitly specified on function declarations (__cdecl, __stdcall, __fastcall, etc.) are now represented as specifiers of those declarations.
A new class CallingConventionSpecifier extending the Specifier class was introduced, which represents explicitly specified calling conventions.

GitHub Actions¶

CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.

Shared Libraries¶

Deprecated APIs¶

Static Single Assignment (SSA)¶

All references to the DefinitionExt and PhiReadNode classes in the SSA library have been deprecated. The concept of phi-read nodes is now strictly an internal implementation detail. Their sole use-case is to improve the structure of the use-use flow relation for data flow, and this use-case remains supported by the DataFlowIntegration module.