Contents
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
CodeQL 2.22.4 runs a total of 478 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 130 queries (covering 32 more CWE). 2 security queries have been added with this release.
There are no user-facing CLI changes in this release.
The cpp/short-global-name query will no longer give alerts for instantiations of template variables, only for the template itself.
Fixed a false positive in cpp/overflow-buffer when the type of the destination buffer is a reference to a class/struct type.
The js/regex-injection query no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the “environment” category.
Added a new query, rust/cleartext-storage-database, for detecting cases where sensitive information is stored non-encrypted in a database.
Made the following changes to NetHttpRequest
Adds connectionNode, like other Ruby HTTP clients
Makes requestNode and connectionNode public so subclasses can use them
Adds detection of Net::HTTP.start, a common way to make HTTP requests in Ruby
Added library models for the relevant method calls under jakarta.servlet.ServletRequest and jakarta.servlet.http.HttpServletRequest as remote flow sources.
The guards libraries (semmle.code.cpp.controlflow.Guards and semmle.code.cpp.controlflow.IRGuards) have been improved to recognize more guards.
Improved dataflow through global variables in the new dataflow library (semmle.code.cpp.dataflow.new.DataFlow and semmle.code.cpp.dataflow.new.TaintTracking). Queries based on these libraries will produce more results on codebases with many global variables.
The global value numbering library (semmle.code.cpp.valuenumbering.GlobalValueNumbering and semmle.code.cpp.ir.ValueNumbering) has been improved so more expressions are assigned the same value number.
Go 1.25 is now supported.
Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for java/dereferenced-value-may-be-null.
Improved modeling of command-line argument parsing libraries arg, args, command-line-args and commander
let chains in if and while are now supported, as well as if let guards in match expressions.
Added more detail to models of postgres, rusqlite, sqlx and tokio-postgres. This may improve query results, particularly for rust/sql-injection and rust/cleartext-storage-database.