Bugs fixed

• Fixed a bug where using codeql database import to combine multiple non-empty databases may produce a corrupted database. (The bug does not affect using codeql database finalize --additional-dbs to combine multiple databases.)
• Fixed a bug where uses of a QlBuiltins::ExtensionId variable that was not bound to a value could be incorrectly accepted in some cases. In many cases, this would result in a crash.
• CodeQL would sometimes refuse to run with more than around 1,500 GB of RAM available, complaining that having so much memory was "unrealistic". The amount of memory CodeQL is able to make any meaningful use of still tops out at about that value, but it will now gracefully accept that so large computers do in fact exist.
• Fixed a bug in command-line parsing where a misspelled option could sometimes be misinterpreted as, e.g., the name of a query to run. Now every command-line argument that begins with a dash is assumed to be intended as an option (unless it comes after the -- separator), and an appropriate error is emitted if that is not a recognized one.

Miscellaneous

• The CodeQL Bundle is now available as an artifact that is compressed using Zstandard. This artifact is smaller and faster to decompress than the original, gzip-compressed bundle. The CodeQL bundle is a tar archive containing tools, scripts, and various CodeQL-specific files.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.3.

Release 2.19.2 (2024-10-21)

Potentially breaking changes

• The Python extractor will no longer extract the standard library by default, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. It will for a while be possible to force extraction of the standard library by setting the environment variable CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB to 1.

Bugs fixed

• The 2.19.1 release contained a bug in the query evaluator that under rare conditions could lead to wrong alerts or resource exhaustion. Although we have never seen the problem outside of internal testing, we encourage users on 2.19.1 to upgrade to 2.19.2.

Miscellaneous

• The database relation sourceLocationPrefix is changed for databases created with
  codeql test run. Instead of containing the path of the enclosing qlpack, it now
  contains the actual path of the test, similar to if one had run codeql database create
  on the test folder. For example, for a test such as
  <checkout>/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref we now populate
  sourceLocationPrefix with <checkout>/cpp/ql/test/query-tests/Security/CWE/CWE-611/
  instead of <checkout>/cpp/ql/test/. This change typically impacts calls to
  File.getRelativePath(), and may as a result change the expected test output.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.2.

New Features

• The command codeql generate query-help now supports Markdown help files.
  The Markdown help format is commonly used in custom CodeQL query packs.

• Added a new command, codeql resolve packs. This command shows each step in the
  pack search process, including what packs were found in each step. With the
  --show-hidden-packs option, it can also show details on which packs were hidden
  by packs found earlier in the search sequence.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.1.

Improvements

• codeql database analyze and codeql database interpret-results now support
  the --sarif-run-property option. You can provide this option when using a SARIF
  output format to add a key-value pair to the property bag of the run object.

Miscellaneous

• The build of Eclipse Temurin OpenJDK that is used to run the CodeQL
  CLI has been updated to version 21.0.4.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.0.

New Features

• C# support for build-mode: none is now out of beta, and generally available.
• Go 1.23 is now supported.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.4.

• There are no user-facing changes in this release.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.3.

Deprecations

• Swift analysis on Ubuntu is no longer supported. Please migrate to macOS if this affects you.

Miscellaneous

• The build of Eclipse Temurin OpenJDK that is used to run the CodeQL
  CLI has been updated to version 21.0.3.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.2.

Security Updates

• Resolves CVE-2023-4759, an arbitrary file overwrite in Eclipse JGit that can be triggered when using untrusted third-party queries from a git repository. See the security advisory for more information.
• The following dependencies have been updated. These updates include security fixes in the respective libraries that prevent out-of-bounds accesses or denial-of-service in scenarios where untrusted files are processed. These scenarios are not likely to be encountered in most uses of CodeQL and code scanning, and only apply to advanced use cases where precompiled query packs, database ZIP files, or database TRAP files are obtained from untrusted sources and then processed on a trusted machine.
  • airlift/aircompressor is updated to version 0.27.
  • Apache Ant is updated to version 1.10.11.
  • Apache Commons Compress is updated to version 1.26.0.
  • Apache Commons IO is updated to version 2.15.1.
  • Apache Commons Lang3 is updated to version 3.14.0.
  • jsoup is updated to version 1.15.3.
  • Logback is updated to version 1.2.13.
  • Snappy is updated to version 0.5.

New features

• The experimental type QlBuiltins::BigInt of arbitrary-precision integers has been introduced. To opt in to this API, compile your queries with --allow-experimental=bigint. Big integers can be constructed using the .toBigInt() methods of int and string.
• codeql test run now supports postprocessing of test results. When .qlref files specify a path to a postprocess query, then this is evaluated after the test query to transform the test outputs prior to concatenating them into the actual results.

Improvements

• The 30% QL query compilation slowdown noted in 2.18.0 has been fixed.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.1.

Breaking changes

• A number of breaking changes have been made to the C and C++ CodeQL
  test environment as used by codeql test run:

  • The test environment no longer defines any GNU-specific builtin
    macros. If these macros are still needed by a test, please define
    them via semmle-extractor-options.

  • The --force-recompute option is no longer directly supported by
    semmle-extractor-options. Instead, --edg --force-recompute
    should be specified.

  • The --gnu_version and --microsoft_version options that can be
    specified via semmle-extractor-options are now synonyms, and only
    one should be specified as part of semmle-extractor-options.
    Furthermore, is also no longer possible to specify these options
    via the following syntax.

    • --edg --gnu_version --edg <version number>, and
    • --edg --microsoft_version --edg <version number>

    The shorter --gnu_version <version number> and
    --microsoft_version <version number> should be used.

• The --build_error_dir and --predefined_macros command line options
  have been removed from the C/C++ extractor. It has never been possible
  to pass these options through the CLI, but some customers with advanced
  setups may have been passing them through internal undocumented interfaces.
  Passing the option --build_error_dir did not have any effect, and it
  is safe to remove the option. The --predefined_macros option should
  have been unnecessary, as long as the extractor was invoked with the
  --mimic option.

Regressions

• Compilation of QL queries is about 30% slower than in previous releases. This
  only affects users who write custom queries, and only at compilation time, not
  at run time. This regression will be fixed in the upcoming 2.18.1 release.

Improvements

• Introduced the --include-logs option to the codeql database bundle
  command. This new feature allows users to include logs in the generated
  database bundle, allowing for a more complete treatment of the bundle, and
  bringing the tool capabilities up-to-speed with the documentation.
• Extract .xsaccess, *.xsjs and *.xsjslib files for SAP HANA XS as
  Javascript.

Bugs fixed

• Where a MacOS unsigned binary cannot be signed, CodeQL will now continue
  trying to trace compiler invocations created by that process and its
  children. In particular this means that Bazel builds on MacOS are now
  traceable.
• Fixed a bug where test discovery would fail if there is a syntax error in a
  qlpack file. Now, a warning message will be printed and discovery will
  continue.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.0.

New features

• Beta support is now available for analyzing C# codebases without needing a working build. To use
  this, pass the --build-mode none option to codeql database create.

Improvements

• The --model-packs option is now publicly available. This option allows commands like codeql database analyze
  to accept a list of model packs that are used to augment the analysis of all queries involved in the analysis.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.6.