CodeQL documentation

CodeQL 2.21.4 (2025-06-02)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.21.4 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE).

CodeQL CLI

Deprecations

  • The clang_vector_types, clang_attributes, and flax-vector-conversions command line options have been removed from the C/C++ extractor. These options were introduced as workarounds to frontend limitations in earlier versions of the extractor and are no longer needed when calling the extractor directly.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.7.

Query Packs

Minor Analysis Improvements

C/C++

  • Added flow models for the SQLite and OpenSSL libraries. This may result in more alerts when running queries on codebases that use these libraries.

C#

  • The precision of the query cs/missed-readonly-modifier has been improved. Some false positives related to static fields and struct type fields have been removed.

  • The queries cs/password-in-configuration, cs/hardcoded-credentials and cs/hardcoded-connection-string-credentials have been removed from all query suites.

  • The precision of the query cs/gethashcode-is-not-defined has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant e1.Equals(e2) implies e1.GetHashCode() == e2.GetHashCode() are taken into account.

  • The precision of the query cs/uncontrolled-format-string has been improved (false negative reduction). Calls to System.Text.CompositeFormat.Parse are now considered a format-like method call.

Golang

  • The query go/hardcoded-credentials has been removed from all query suites.

Java/Kotlin

  • The query java/hardcoded-credential-api-call has been removed from all query suites.

JavaScript/TypeScript

  • The queries js/hardcoded-credentials and js/password-in-configuration-file have been removed from all query suites.

Python

  • The query py/hardcoded-credentials has been removed from all query suites.

Ruby

  • The query rb/hardcoded-credentials has been removed from all query suites.

Swift

  • The queries swift/hardcoded-key and swift/constant-password have been removed from all query suites.

GitHub Actions

  • The query actions/missing-workflow-permissions is now aware of the minimal permissions needed for the actions deploy-pages, delete-package-versions, ai-inference. This should lead to better alert messages and better fix suggestions.
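As an added illustration (not taken from the CodeQL documentation or the query's own test cases), two GitHub Actions workflows as separate YAML documents: one with no permissions block, which the query flags, and one declaring the minimal token scopes that the deploy-pages action documents for itself. The workflow names and branch are assumptions.

```yaml
# Weak form: no permissions block, so every job runs with the repository's
# default GITHUB_TOKEN permissions, which are often far broader than needed.
# actions/missing-workflow-permissions reports this workflow.
name: deploy-pages-weak
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-pages-artifact@v3
      - uses: actions/deploy-pages@v4
---
# Hardened form: the token is limited to what the steps actually use.
# contents: read lets checkout clone the repository; pages: write and
# id-token: write are the scopes deploy-pages documents as required.
# Any scope not listed here is denied to the token.
name: deploy-pages-minimal
on:
  push:
    branches: [main]
permissions:
  contents: read
  pages: write
  id-token: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-pages-artifact@v3
      - uses: actions/deploy-pages@v4
```

Because a job-level permissions block replaces the workflow-level one rather than extending it, keep all three scopes together at whichever level you choose.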

Language Libraries

Bug Fixes

C/C++

  • Fixed a problem where asExpr() on DataFlow::Node would never return ArrayAggregateLiterals.

  • Fixed a problem where asExpr() on DataFlow::Node would never return ClassAggregateLiterals.

Ruby

  • The Ruby printAst.qll library now orders AST nodes slightly differently: child nodes that do not literally appear in the source code, but whose parent nodes do, are assigned a deterministic order based on a combination of source location and logical order within the parent. This fixes the non-deterministic ordering that sometimes occurred depending on evaluation order. The effect may also be visible in downstream uses of the printAst library, such as the AST view in the VSCode extension.

Breaking Changes

C/C++

  • Deleted the deprecated userInputArgument predicate and its convenience accessor from Security.qll.

  • Deleted the deprecated userInputReturned predicate and its convenience accessor from Security.qll.

  • Deleted the deprecated userInputReturn predicate from Security.qll.

  • Deleted the deprecated isUserInput predicate and its convenience accessor from Security.qll.

  • Deleted the deprecated userInputArgument predicate from SecurityOptions.qll.

  • Deleted the deprecated userInputReturned predicate from SecurityOptions.qll.

Swift

  • Deleted the deprecated parseContent predicate from ExternalFlow.qll.

  • Deleted the deprecated hasLocationInfo predicate from DataFlowPublic.qll.

  • Deleted the deprecated SummaryComponent class from FlowSummary.qll.

  • Deleted the deprecated SummaryComponentStack class from FlowSummary.qll.

  • Deleted the deprecated SummaryComponent module from FlowSummary.qll.

  • Deleted the deprecated SummaryComponentStack module from FlowSummary.qll.

  • Deleted the deprecated RequiredSummaryComponentStack class from FlowSummary.qll.

Minor Analysis Improvements

C#

  • The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).

JavaScript/TypeScript

  • Improved analysis for ES6 classes mixed with function prototypes, leading to more accurate call graph resolution.

Python

  • The Python extractor now extracts files in hidden directories by default. If you would like to skip files in hidden directories, add paths-ignore: ["**/.*/**"] to your Code Scanning config. If you would like to skip all hidden files, you can use paths-ignore: ["**/.*"]. When using the CodeQL CLI for extraction, specify the configuration (creating the configuration file if necessary) using the --codescanning-config option.

Ruby

  • Captured variables were previously considered live only when the capturing function exits normally. They are now also considered live when the capturing function exits via an exception.

Swift

  • Updated to allow analysis of Swift 6.1.1.

  • The experimental TypeValueExpr AST leaf is now implemented in the control flow library.

Deprecated APIs

Java/Kotlin

  • The predicate getValue() on SpringRequestMappingMethod is now deprecated. Use getAValue() instead.

  • Java now uses the shared BasicBlock library. This means that the names of several member predicates have been changed to align with the names used in other languages. The old predicates have been deprecated. The BasicBlock class itself no longer extends ControlFlowNode; the predicate getFirstNode can be used to fix any QL code that relied on this.

New Features

C/C++

  • Added local flow source models for ReadFile, ReadFileEx, MapViewOfFile, MapViewOfFile2, MapViewOfFile3, MapViewOfFile3FromApp, MapViewOfFileEx, MapViewOfFileFromApp, MapViewOfFileNuma2, and NtReadFile.

  • Added the pCmdLine arguments of WinMain and wWinMain as local flow sources.

  • Added source models for GetCommandLineA, GetCommandLineW, GetEnvironmentStringsA, GetEnvironmentStringsW, GetEnvironmentVariableA, and GetEnvironmentVariableW.

  • Added summary models for CommandLineToArgvA and CommandLineToArgvW.

  • Added support for wmain as part of the ArgvSource model.

Shared Libraries

Breaking Changes

Static Single Assignment (SSA)

  • Adjusted the Guards interface in the SSA data flow integration to distinguish hasBranchEdge from controlsBranchEdge. Any breakage can be fixed by implementing one with the other as a reasonable fallback solution.
