This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
CodeQL 2.9.2 runs a total of 330 security queries when configured with the Default suite (covering 141 CWE). The Extended suite enables an additional 104 queries (covering 29 more CWE). 4 security queries have been added with this release.
Fixed a bug that could make it unpredictable whether the QL compiler reports problems about query metadata tags, and thereby make codeql test run fail spuriously in some cases.
The tables produced by codeql database analyze summarizing the results of any diagnostic and metric queries that were run now exclude the results of queries tagged telemetry.
Uploading SARIF results using the codeql github upload-results command now has a timeout of 5 minutes.
Downloading CodeQL packs using the codeql pack download, codeql pack install and related commands now has a timeout of 5 minutes and will retry 3 times before failing. Similar behavior has been added to the codeql pack publish command.
The codeql generate log-summary command will now print progress updates to stderr.
The table printed by codeql database analyze to summarize the results of metric queries that were part of the analysis now reports a single row per metric name independently of the verbosity level of the command. Previously, at higher verbosity levels, this table would contain multiple rows for metric names with multiple values.
The “XML external entity expansion” (cpp/external-entity-expansion) query has been extended to support a broader selection of XML libraries and interfaces.
Query java/insecure-cookie now tolerates setting a cookie’s secure flag to request.isSecure(). This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
The query java/non-https-urls has been simplified and no longer requires its sinks to be MethodAccesses.
The logic to detect WebViews with JavaScript (and optionally file access) enabled in the query java/android/unsafe-android-webview-fetch has been improved.
The js/missing-origin-check query has been added. It highlights “message” event handlers that do not check the origin of the event.
The query previously existed as the experimental js/missing-postmessageorigin-verification query.
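The pattern behind js/missing-origin-check, as an added example that is not part of the CodeQL changelog or of the CodeQL libraries: a "message" handler of the kind the query flags, which trusts event.data from any sender, beside one that validates event.origin against an allowlist. The allowlisted origins, the sample events and the function names are constructed for this example.

```javascript
// Constructed allowlist of origins this page is willing to accept messages from.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Flagged pattern: the handler never looks at event.origin, so any window that
// can obtain a reference to this one (opener, embedder, popup) can drive it.
function handleMessageUnchecked(event) {
  return { accepted: true, payload: event.data };
}

// Exact-match the serialized origin (scheme + host + port) against the allowlist.
// Substring or startsWith checks are not enough: "https://app.example.com.evil.net"
// starts with a trusted origin but is a different site.
function isTrustedOrigin(origin) {
  // "null" is the opaque origin of sandboxed iframes and file: pages; never trust it.
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  // URL.origin lower-cases the host and drops default ports, so the comparison
  // is canonical: "https://ADMIN.example.com:443" matches the allowlist entry.
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// Hardened pattern: reject before touching event.data, and reply only to the
// verified sender (targetOrigin = event.origin, never "*").
function handleMessageChecked(event) {
  if (!isTrustedOrigin(event.origin)) {
    return { accepted: false, reason: "untrusted origin", origin: event.origin };
  }
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage({ ok: true }, event.origin);
  }
  return { accepted: true, payload: event.data };
}

// Wire-up as it would appear in a page; guarded so the file also runs under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", handleMessageChecked);
}
```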
The query “XML external entity expansion” (py/xxe) has been added; its results will appear by default. This query was based on an experimental query by @jorgectf.
The query “XML internal entity expansion” (py/xml-bomb) has been added; its results will appear by default. This query was based on an experimental query by @jorgectf.
The query “CSRF protection weakened or disabled” (py/csrf-protection-disabled) has been implemented. Its results will now appear by default.
Query java/predictable-seed now has a tag for CWE-337.
The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.
The imports made available from import python are no longer exposed under DataFlow:: after doing import semmle.python.dataflow.new.DataFlow; for example, using DataFlow::Add now causes a compile error.
Added models for the libraries OkHttp and Retrofit.
Added taint models for the following File methods:
File::getAbsoluteFile
File::getCanonicalFile
File::getAbsolutePath
File::getCanonicalPath
Added a flow step for toString calls on tainted android.text.Editable objects.
Added a data flow step for tainted Android intents that are sent to other activities and accessed there via getIntent().
Added modeling of MyBatis (org.apache.ibatis) Providers, resulting in additional sinks for the queries java/ognl-injection, java/sql-injection, java/sql-injection-local and java/concatenated-sql-query.
The cash library is now modelled as an alias for jQuery.
Sinks and sources from cash should now be handled by all XSS queries.
Added the Selection API as a DOM text source in the js/xss-through-dom query.
The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
The modeling of request.files in Flask has been fixed, so we now properly handle assignments to local variables (such as files = request.files; files['key'].filename).
Added taint propagation for io.StringIO and io.BytesIO. This addition was originally submitted as part of an experimental query by @jorgectf.
The ReflectedXss, StoredXss, XssThroughDom, and ExceptionXss modules from Xss.qll have been deprecated.
Use the Customizations.qll file belonging to the query instead.
A number of new classes and methods related to the upcoming Kotlin support have been added. These are not yet stable, as Kotlin support is still under development.
File::isSourceFile
File::isJavaSourceFile
File::isKotlinSourceFile
Member::getKotlinType
Element::isCompilerGenerated
Expr::getKotlinType
LambdaExpr::isKotlinFunctionN
Callable::getReturnKotlinType
Callable::getParameterKotlinType
Method::isLocal
Method::getKotlinName
Field::getKotlinType
Modifiable::isSealedKotlin
Modifiable::isInternal
Variable::getKotlinType
LocalVariableDecl::getKotlinType
Parameter::getKotlinType
Parameter::isExtensionParameter
Compilation class
Diagnostic class
KtInitializerAssignExpr class
ValueEQExpr class
ValueNEExpr class
ValueOrReferenceEqualsExpr class
ValueOrReferenceNotEqualsExpr class
ReferenceEqualityTest class
CastingExpr class
SafeCastExpr class
ImplicitCastExpr class
ImplicitNotNullExpr class
ImplicitCoercionToUnitExpr class
UnsafeCoerceExpr class
PropertyRefExpr class
NotInstanceOfExpr class
ExtensionReceiverAccess class
WhenExpr class
WhenBranch class
ClassExpr class
StmtExpr class
StringTemplateExpr class
NotNullExpr class
TypeNullPointerException class
KtComment class
KtCommentSection class
KotlinType class
KotlinNullableType class
KotlinNotnullType class
KotlinTypeAlias class
Property class
DelegatedProperty class
ExtensionMethod class
KtInitializerNode class
KtLoopStmt class
KtBreakContinueStmt class
KtBreakStmt class
KtContinueStmt class
ClassObject class
CompanionObject class
LiveLiteral class
LiveLiteralMethod class
CastConversionContext has been renamed to CastingConversionContext
The QL class ValueDiscardingExpr has been added, representing expressions for which the value of the expression as a whole is discarded.