Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
CodeQL 2.22.4 runs a total of 478 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 130 queries (covering 32 more CWE). 2 security queries have been added with this release.
There are no user-facing CLI changes in this release.
- The
cpp/short-global-namequery will no longer give alerts for instantiations of template variables, only for the template itself. - Fixed a false positive in
cpp/overflow-bufferwhen the type of the destination buffer is a reference to a class/struct type.
- The
js/regex-injectionquery no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the "environment" category.
- Added a new query,
rust/cleartext-storage-database, for detecting cases where sensitive information is stored non-encrypted in a database.
- Made the following changes to
NetHttpRequest- Adds
connectionNode, like other Ruby HTTP clients - Makes
requestNodeandconnectionNodepublic so subclasses can use them - Adds detection of
Net::HTTP.start, a common way to make HTTP requests in Ruby
- Adds
- Added library models for the relevant method calls under
jakarta.servlet.ServletRequestandjakarta.servlet.http.HttpServletRequestas remote flow sources.
- The guards libraries (
semmle.code.cpp.controlflow.Guardsandsemmle.code.cpp.controlflow.IRGuards) have been improved to recognize more guards. - Improved dataflow through global variables in the new dataflow library (
semmle.code.cpp.dataflow.new.DataFlowandsemmle.code.cpp.dataflow.new.TaintTracking). Queries based on these libraries will produce more results on codebases with many global variables. - The global value numbering library (
semmle.code.cpp.valuenumbering.GlobalValueNumberingandsemmle.code.cpp.ir.ValueNumbering) has been improved so more expressions are assigned the same value number.
- Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for
java/dereferenced-value-may-be-null.
- Improved modeling of command-line argument parsing libraries arg, args, command-line-args and commander
letchains inifandwhileare now supported, as well asif letguards inmatchexpressions.- Added more detail to models of
postgres,rusqlite,sqlxandtokio-postgres. This may improve query results, particularly forrust/sql-injectionandrust/cleartext-storage-database.