CodeQL 2.21.4 (2025-06-02)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.21.4 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE).
CodeQL CLI
Deprecations
The clang_vector_types, clang_attributes, and flax-vector-conversions command line options have been removed from the C/C++ extractor. These options were introduced as workarounds to frontend limitations in earlier versions of the extractor and are no longer needed when calling the extractor directly.
Miscellaneous
The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.7.
Query Packs
Minor Analysis Improvements
C/C++
Added flow models for the SQLite and OpenSSL libraries. This may result in more alerts when running queries on codebases that use these libraries.
C#
The precision of the query cs/missed-readonly-modifier has been improved. Some false positives related to static fields and struct type fields have been removed.
The queries cs/password-in-configuration, cs/hardcoded-credentials and cs/hardcoded-connection-string-credentials have been removed from all query suites.
The precision of the query cs/gethashcode-is-not-defined has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant "e1.Equals(e2) implies e1.GetHashCode() == e2.GetHashCode()" are taken into account.
The precision of the query cs/uncontrolled-format-string has been improved (false negative reduction). Calls to System.Text.CompositeFormat.Parse are now considered a format-like method call.
Golang
The query go/hardcoded-credentials has been removed from all query suites.
Java/Kotlin
The query java/hardcoded-credential-api-call has been removed from all query suites.
JavaScript/TypeScript
The queries js/hardcoded-credentials and js/password-in-configuration-file have been removed from all query suites.
Python
The query py/hardcoded-credentials has been removed from all query suites.
Ruby
The query rb/hardcoded-credentials has been removed from all query suites.
Swift
The queries swift/hardcoded-key and swift/constant-password have been removed from all query suites.
GitHub Actions
The query actions/missing-workflow-permissions is now aware of the minimal permissions needed for the actions deploy-pages, delete-package-versions, and ai-inference. This should lead to better alert messages and better fix suggestions.
Language Libraries
Bug Fixes
C/C++
Fixed a problem where asExpr() on DataFlow::Node would never return an ArrayAggregateLiteral.
Fixed a problem where asExpr() on DataFlow::Node would never return a ClassAggregateLiteral.
Ruby
Bug Fixes
The Ruby printAst.qll library now orders AST nodes slightly differently: child nodes that do not literally appear in the source code, but whose parent nodes do, are assigned a deterministic order based on a combination of source location and logical order within the parent. This fixes the non-deterministic ordering that sometimes occurred depending on evaluation order. The effect may also be visible in downstream uses of the printAst library, such as the AST view in the VSCode extension.
Breaking Changes
C/C++
Deleted the deprecated userInputArgument predicate and its convenience accessor from Security.qll.
Deleted the deprecated userInputReturned predicate and its convenience accessor from Security.qll.
Deleted the deprecated userInputReturn predicate from Security.qll.
Deleted the deprecated isUserInput predicate and its convenience accessor from Security.qll.
Deleted the deprecated userInputArgument predicate from SecurityOptions.qll.
Deleted the deprecated userInputReturned predicate from SecurityOptions.qll.
Swift
Deleted the deprecated parseContent predicate from ExternalFlow.qll.
Deleted the deprecated hasLocationInfo predicate from DataFlowPublic.qll.
Deleted the deprecated SummaryComponent class from FlowSummary.qll.
Deleted the deprecated SummaryComponentStack class from FlowSummary.qll.
Deleted the deprecated SummaryComponent module from FlowSummary.qll.
Deleted the deprecated SummaryComponentStack module from FlowSummary.qll.
Deleted the deprecated RequiredSummaryComponentStack class from FlowSummary.qll.
Minor Analysis Improvements
C#
The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
JavaScript/TypeScript
Improved analysis for ES6 classes mixed with function prototypes, leading to more accurate call graph resolution.
Python
The Python extractor now extracts files in hidden directories by default. If you would like to skip files in hidden directories, add paths-ignore: ["**/.*/**"] to your Code Scanning config. If you would like to skip all hidden files, you can use paths-ignore: ["**/.*"]. When using the CodeQL CLI for extraction, specify the configuration (creating the configuration file if necessary) using the --codescanning-config option.
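A constructed code scanning configuration file showing the two paths-ignore variants from the note above, added here as an example and not taken from the CodeQL documentation; the file name codeql-config.yml and the database name are assumptions:

```yaml
# codeql-config.yml (constructed example; the file name is an assumption)
name: "Python analysis with hidden directories excluded"

# Since CodeQL 2.21.4 the Python extractor includes files in hidden
# directories by default. Choose ONE of the two patterns below.
# Note: paths / paths-ignore only restrict extraction for interpreted
# languages such as Python; they do not filter compiled-language builds.

# Variant A: skip everything inside hidden directories (e.g. .venv/, .git/),
# while still extracting hidden files themselves, such as a top-level .pylintrc.
paths-ignore:
  - "**/.*/**"

# Variant B: skip all hidden files and directories instead.
# paths-ignore:
#   - "**/.*"

# With the CodeQL CLI, pass the file when creating the database, e.g.:
#   codeql database create python-db --language=python \
#     --codescanning-config=codeql-config.yml --source-root=.
```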
Ruby
Captured variables are currently considered live when the capturing function exits normally. Now they are also considered live when the capturing function exits via an exception.
Swift
Updated to allow analysis of Swift 6.1.1.
The TypeValueExpr experimental AST leaf is now implemented in the control flow library.
Deprecated APIs
Java/Kotlin
The predicate getValue() on SpringRequestMappingMethod is now deprecated. Use getAValue() instead.
Java now uses the shared BasicBlock library. This means that the names of several member predicates have been changed to align with the names used in other languages. The old predicates have been deprecated. The BasicBlock class itself no longer extends ControlFlowNode; the predicate getFirstNode can be used to fix any QL code that somehow relied on this.
New Features
C/C++
Added local flow source models for ReadFile, ReadFileEx, MapViewOfFile, MapViewOfFile2, MapViewOfFile3, MapViewOfFile3FromApp, MapViewOfFileEx, MapViewOfFileFromApp, MapViewOfFileNuma2, and NtReadFile.
Added the pCmdLine arguments of WinMain and wWinMain as local flow sources.
Added source models for GetCommandLineA, GetCommandLineW, GetEnvironmentStringsA, GetEnvironmentStringsW, GetEnvironmentVariableA, and GetEnvironmentVariableW.
Added summary models for CommandLineToArgvA and CommandLineToArgvW.
Added support for wmain as part of the ArgvSource model.