|
| 1 | +.. _codeql-cli-2.22.1: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.22.1 (2025-06-26) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.22.1 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 129 queries (covering 33 more CWE). |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +New Features |
| 23 | +~~~~~~~~~~~~ |
| 24 | + |
| 25 | +* Rust language support is now in public preview. |
| 26 | + |
| 27 | +Miscellaneous |
| 28 | +~~~~~~~~~~~~~ |
| 29 | + |
| 30 | +* The version of :code:`jgit` used by the CodeQL CLI has been updated to :code:`6.10.1.202505221210-r`. |
| 31 | + |
| 32 | +Query Packs |
| 33 | +----------- |
| 34 | + |
| 35 | +Minor Analysis Improvements |
| 36 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 37 | + |
| 38 | +C/C++ |
| 39 | +""""" |
| 40 | + |
| 41 | +* Added flow model for the following libraries: :code:`madler/zlib`, :code:`google/brotli`, :code:`libidn/libidn2`, :code:`libssh2/libssh2/`, :code:`nghttp2/nghttp2`, :code:`libuv/libuv/`, and :code:`curl/curl`. This may result in more alerts when running queries on codebases that use these libraries. |
| 42 | + |
| 43 | +C# |
| 44 | +"" |
| 45 | + |
| 46 | +* The queries :code:`cs/dereferenced-value-is-always-null` and :code:`cs/dereferenced-value-may-be-null` have been improved to reduce false positives. The queries no longer assume that expressions are dereferenced when passed as the receiver (:code:`this` parameter) to extension methods where that parameter is a nullable type. |
| 47 | + |
| 48 | +JavaScript/TypeScript |
| 49 | +""""""""""""""""""""" |
| 50 | + |
| 51 | +* The :code:`js/loop-iteration-skipped-due-to-shifting` query now has the :code:`reliability` tag. |
| 52 | +* Fixed false positives in the :code:`js/loop-iteration-skipped-due-to-shifting` query when the return value of :code:`splice` is used to decide whether to adjust the loop counter. |
| 53 | +* Fixed false positives in the :code:`js/template-syntax-in-string-literal` query where template syntax in string concatenation and "manual string interpolation" patterns were incorrectly flagged. |
| 54 | +* The :code:`js/useless-expression` query now correctly flags only the innermost expressions with no effect, avoiding duplicate alerts on compound expressions. |
| 55 | + |
| 56 | +Python |
| 57 | +"""""" |
| 58 | + |
| 59 | +* The :code:`py/iter-returns-non-self` query has been modernized, and no longer alerts for certain cases where an equivalent iterator is returned. |
| 60 | + |
| 61 | +New Queries |
| 62 | +~~~~~~~~~~~ |
| 63 | + |
| 64 | +Rust |
| 65 | +"""" |
| 66 | + |
| 67 | +* Initial public preview release. |
| 68 | + |
| 69 | +Query Metadata Changes |
| 70 | +~~~~~~~~~~~~~~~~~~~~~~ |
| 71 | + |
| 72 | +C# |
| 73 | +"" |
| 74 | + |
| 75 | +* Query metadata tags have been systematically updated for many C# queries. Primary categorization as either :code:`reliability` or :code:`maintainability`, and relevant sub-category tags such as :code:`readability`, :code:`useless-code`, :code:`complexity`, :code:`performance`, :code:`correctness`, :code:`error-handling`, and :code:`concurrency`. Aligns with the established `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__. |
| 76 | +* Adjusts the :code:`@security-severity` from 9.3 to 7.3 for :code:`cs/uncontrolled-format-string` to align :code:`CWE-134` severity for memory safe languages to better reflect their impact. |
| 77 | + |
| 78 | +Golang |
| 79 | +"""""" |
| 80 | + |
| 81 | +* The tag :code:`quality` has been added to multiple Go quality queries for consistency. They have all been given a tag for one of the two top-level categories :code:`reliability` or :code:`maintainability`, and a tag for a sub-category. See `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__ for more information about these categories. |
| 82 | +* The tag :code:`external/cwe/cwe-129` has been added to :code:`go/constant-length-comparison`. |
| 83 | +* The tag :code:`external/cwe/cwe-193` has been added to :code:`go/index-out-of-bounds`. |
| 84 | +* The tag :code:`external/cwe/cwe-197` has been added to :code:`go/shift-out-of-range`. |
| 85 | +* The tag :code:`external/cwe/cwe-248` has been added to :code:`go/redundant-recover`. |
| 86 | +* The tag :code:`external/cwe/cwe-252` has been added to :code:`go/missing-error-check` and :code:`go/unhandled-writable-file-close`. |
| 87 | +* The tag :code:`external/cwe/cwe-480` has been added to :code:`go/mistyped-exponentiation`. |
| 88 | +* The tag :code:`external/cwe/cwe-570` has been added to :code:`go/impossible-interface-nil-check` and :code:`go/comparison-of-identical-expressions`. |
| 89 | +* The tag :code:`external/cwe/cwe-571` has been added to :code:`go/negative-length-check` and :code:`go/comparison-of-identical-expressions`. |
| 90 | +* The tag :code:`external/cwe/cwe-783` has been added to :code:`go/whitespace-contradicts-precedence`. |
| 91 | +* The tag :code:`external/cwe/cwe-835` has been added to :code:`go/inconsistent-loop-direction`. |
| 92 | +* The tag :code:`error-handling` has been added to :code:`go/missing-error-check`, :code:`go/unhandled-writable-file-close`, and :code:`go/unexpected-nil-value`. |
| 93 | +* The tag :code:`useless-code` has been added to :code:`go/useless-assignment-to-field`, :code:`go/useless-assignment-to-local`, :code:`go/useless-expression`, and :code:`go/unreachable-statement`. |
| 94 | +* The tag :code:`logic` has been removed from :code:`go/index-out-of-bounds` and :code:`go/unexpected-nil-value`. |
| 95 | +* The tags :code:`call` and :code:`defer` have been removed from :code:`go/unhandled-writable-file-close`. |
| 96 | +* The tags :code:`correctness` and :code:`quality` have been reordered in :code:`go/missing-error-check` and :code:`go/unhandled-writable-file-close`. |
| 97 | +* The tag :code:`maintainability` has been changed to :code:`reliability` for :code:`go/unhandled-writable-file-close`. |
| 98 | +* The tag order has been standardized to have :code:`quality` first, followed by the top-level category (:code:`reliability` or :code:`maintainability`), then sub-category tags, and finally CWE tags. |
| 99 | +* The description text has been updated in :code:`go/whitespace-contradicts-precedence` to change "may even indicate" to "may indicate". |
| 100 | + |
| 101 | +Java/Kotlin |
| 102 | +""""""""""" |
| 103 | + |
| 104 | +* The tag :code:`quality` has been added to multiple Java quality queries for consistency. They have all been given a tag for one of the two top-level categories :code:`reliability` or :code:`maintainability`, and a tag for a sub-category. See `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__ for more information about these categories. |
| 105 | +* The tag :code:`external/cwe/cwe-571` has been added to :code:`java/equals-on-unrelated-types`. |
| 106 | +* The tag :code:`readability` has been added to :code:`java/missing-override-annotation`, :code:`java/deprecated-call`, :code:`java/inconsistent-javadoc-throws`, :code:`java/unknown-javadoc-parameter`, :code:`java/jdk-internal-api-access`, :code:`java/underscore-identifier`, :code:`java/misleading-indentation`, :code:`java/inefficient-empty-string-test`, :code:`java/non-static-nested-class`, :code:`inefficient-string-constructor`, and :code:`java/constants-only-interface`. |
| 107 | +* The tag :code:`useless-code` has been added to :code:`java/useless-type-test`, and :code:`java/useless-tostring-call`. |
| 108 | +* The tag :code:`complexity` has been added to :code:`java/chained-type-tests`, and :code:`java/abstract-to-concrete-cast`. |
| 109 | +* The tag :code:`error-handling` has been added to :code:`java/ignored-error-status-of-call`, and :code:`java/uncaught-number-format-exception`. |
| 110 | +* The tag :code:`correctness` has been added to :code:`java/evaluation-to-constant`, :code:`java/whitespace-contradicts-precedence`, :code:`java/empty-container`, :code:`java/string-buffer-char-init`, :code:`java/call-to-object-tostring`, :code:`java/print-array` and :code:`java/internal-representation-exposure`. |
| 111 | +* The tag :code:`performance` has been added to :code:`java/input-resource-leak`, :code:`java/database-resource-leak`, :code:`java/output-resource-leak`, :code:`java/inefficient-key-set-iterator`, :code:`java/inefficient-output-stream`, and :code:`java/inefficient-boxed-constructor`. |
| 112 | +* The tag :code:`correctness` has been removed from :code:`java/call-to-thread-run`, :code:`java/unsafe-double-checked-locking`, :code:`java/unsafe-double-checked-locking-init-order`, :code:`java/non-sync-override`, :code:`java/sync-on-boxed-types`, :code:`java/unsynchronized-getter`, :code:`java/input-resource-leak`, :code:`java/output-resource-leak`, :code:`java/database-resource-leak`, and :code:`java/ignored-error-status-of-call`. |
| 113 | +* The tags :code:`maintainability` has been removed from :code:`java/string-buffer-char-init`, :code:`java/inefficient-key-set-iterator`, :code:`java/inefficient-boxed-constructor`, and :code:`java/internal-representation-exposure`. |
| 114 | +* The tags :code:`reliability` has been removed from :code:`java/subtle-inherited-call`, :code:`java/print-array`, and :code:`java/call-to-object-tostring`. |
| 115 | +* The tags :code:`maintainability` and :code:`useless-code` have been removed from :code:`java/evaluation-to-constant`. |
| 116 | +* The tags :code:`maintainability` and :code:`readability` have been removed from :code:`java/whitespace-contradicts-precedence`. |
| 117 | +* The tags :code:`maintainability` and :code:`useless-code` have been removed from :code:`java/empty-container`. |
| 118 | +* Adjusts the :code:`@precision` from high to medium for :code:`java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded. |
| 119 | +* Adjusts the :code:`@security-severity` from 9.3 to 7.3 for :code:`java/tainted-format-string` to align :code:`CWE-134` severity for memory safe languages to better reflect their impact. |
| 120 | + |
| 121 | +JavaScript/TypeScript |
| 122 | +""""""""""""""""""""" |
| 123 | + |
| 124 | +* The :code:`quality` tag has been added to multiple JavaScript quality queries, with tags for :code:`reliability` or :code:`maintainability` categories and their sub-categories. See `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__ for more information about these categories. |
| 125 | +* Added :code:`reliability` tag to the :code:`js/suspicious-method-name-declaration` query. |
| 126 | +* Added :code:`reliability` and :code:`language-features` tags to the :code:`js/template-syntax-in-string-literal` query. |
| 127 | + |
| 128 | +Python |
| 129 | +"""""" |
| 130 | + |
| 131 | +* The tag :code:`quality` has been added to multiple Python quality queries for consistency. They have all been given a tag for one of the two top-level categories :code:`reliability` or :code:`maintainability`, and a tag for a sub-category. See `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__ for more information about these categories. |
| 132 | + |
| 133 | +Ruby |
| 134 | +"""" |
| 135 | + |
| 136 | +* Update query metadata tags for :code:`rb/database-query-in-loop` and :code:`rb/useless-assignment-to-local` to align with the established |
| 137 | + \ `Query file metadata and alert message style guide <https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags>`__. |
| 138 | + |
| 139 | +Swift |
| 140 | +""""" |
| 141 | + |
| 142 | +* Adjusts the :code:`@security-severity` from 9.3 to 7.3 for :code:`swift/uncontrolled-format-string` to align :code:`CWE-134` severity for memory safe languages to better reflect their impact. |
| 143 | + |
| 144 | +Language Libraries |
| 145 | +------------------ |
| 146 | + |
| 147 | +Bug Fixes |
| 148 | +~~~~~~~~~ |
| 149 | + |
| 150 | +C/C++ |
| 151 | +""""" |
| 152 | + |
| 153 | +* :code:`resolveTypedefs` now properly resolves typedefs for :code:`ArrayType`\ s. |
| 154 | + |
| 155 | +Minor Analysis Improvements |
| 156 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 157 | + |
| 158 | +Java/Kotlin |
| 159 | +""""""""""" |
| 160 | + |
| 161 | +* Java :code:`assert` statements are now assumed to be executed for the purpose of analysing control flow. This improves precision for a number of queries. |
| 162 | + |
| 163 | +JavaScript/TypeScript |
| 164 | +""""""""""""""""""""" |
| 165 | + |
| 166 | +* Calls to :code:`sinon.match()` are no longer incorrectly identified as regular expression operations. |
| 167 | +* Improved data flow tracking through middleware to handle default value and similar patterns. |
| 168 | +* Added :code:`req._parsedUrl` as a remote input source. |
| 169 | +* Improved taint tracking through calls to :code:`serialize-javascript`. |
| 170 | +* Removed :code:`encodeURI` and :code:`escape` functions from the sanitizer list for request forgery. |
| 171 | +* The JavaScript extractor now skips generated JavaScript files if the original TypeScript files are already present. It also skips any files in the output directory specified in the :code:`compilerOptions` part of the :code:`tsconfig.json` file. |
| 172 | +* Added support for Axios instances in the :code:`axios` module. |
| 173 | + |
| 174 | +GitHub Actions |
| 175 | +"""""""""""""" |
| 176 | + |
| 177 | +* Fixed performance issues in the parsing of Bash scripts in workflow files, |
| 178 | + which led to out-of-disk errors when analysing certain workflow files with complex interpolations of shell commands or quoted strings. |
| 179 | + |
| 180 | +Deprecated APIs |
| 181 | +~~~~~~~~~~~~~~~ |
| 182 | + |
| 183 | +C/C++ |
| 184 | +""""" |
| 185 | + |
| 186 | +* The :code:`ThrowingFunction` class (:code:`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the :code:`AlwaysSehThrowingFunction` class instead. |
| 187 | + |
| 188 | +New Features |
| 189 | +~~~~~~~~~~~~ |
| 190 | + |
| 191 | +C/C++ |
| 192 | +""""" |
| 193 | + |
| 194 | +* Added a predicate :code:`getAnAttribute` to :code:`Namespace` to retrieve a namespace attribute. |
| 195 | +* The Microsoft-specific :code:`__leave` statement is now supported. |
| 196 | +* A new class :code:`LeaveStmt` extending :code:`JumpStmt` was added to represent :code:`__leave` statements. |
| 197 | +* Added a predicate :code:`hasParameterList` to :code:`LambdaExpression` to capture whether a lambda has an explicitly specified parameter list. |
| 198 | + |
| 199 | +Rust |
| 200 | +"""" |
| 201 | + |
| 202 | +* Initial public preview release. |
0 commit comments