-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #18591 from github/changedocs/2.20.3
Add changelog entries for CodeQL CLI versions 2.20.1 to 2.20.3
- Loading branch information
Showing
4 changed files
with
370 additions
and
0 deletions.
There are no files selected for viewing
166 changes: 166 additions & 0 deletions
166
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.1.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,166 @@ | ||
| .. _codeql-cli-2.20.1: | ||
|
|
||
| ========================== | ||
| CodeQL 2.20.1 (2025-01-09) | ||
| ========================== | ||
|
|
||
| .. contents:: Contents | ||
| :depth: 2 | ||
| :local: | ||
| :backlinks: none | ||
|
|
||
| This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. | ||
|
|
||
| Security Coverage | ||
| ----------------- | ||
|
|
||
| CodeQL 2.20.1 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 22 security queries have been added with this release. | ||
|
|
||
| CodeQL CLI | ||
| ---------- | ||
|
|
||
| Improvements | ||
| ~~~~~~~~~~~~ | ||
|
|
||
| * Automatic installation of dependencies for C++ autobuild is now supported on Ubuntu 24.04. | ||
|
|
||
| * The CLI will now warn if it detects that it is installed in a location where it is likely to cause performance issues. This includes: user home, desktop, downloads, or the file system root. | ||
|
|
||
| You can avoid this warning by setting the :code:`CODEQL_ALLOW_INSTALLATION_ANYWHERE` environment variable to :code:`true`. | ||
|
|
||
| Query Packs | ||
| ----------- | ||
|
|
||
| Minor Analysis Improvements | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| C/C++ | ||
| """"" | ||
|
|
||
| * The "Returning stack-allocated memory" query (:code:`cpp/return-stack-allocated-memory`) no longer produces results if there is an extraction error in the returned expression. | ||
| * The "Badly bounded write" query (:code:`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer. | ||
| * The "Too few arguments to formatting function" query (:code:`cpp/wrong-number-format-arguments`) no longer produces results if an argument has an extraction error. | ||
| * The "Wrong type of arguments to formatting function" query (:code:`cpp/wrong-type-format-argument`) no longer produces results when an argument type has an extraction error. | ||
| * Added dataflow models and flow sources for Microsoft's Active Template Library (ATL). | ||
|
|
||
| C# | ||
| "" | ||
|
|
||
| * The :code:`ExternalApi` and :code:`TestLibrary` modules have been moved to the library pack. | ||
|
|
||
| New Queries | ||
| ~~~~~~~~~~~ | ||
|
|
||
| Python | ||
| """""" | ||
|
|
||
| * The Server Side Template Injection query (:code:`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the main query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input. | ||
|
|
||
| Actions | ||
| """"""" | ||
|
|
||
| * Initial public preview release | ||
|
|
||
| Language Libraries | ||
| ------------------ | ||
|
|
||
| Breaking Changes | ||
| ~~~~~~~~~~~~~~~~ | ||
|
|
||
| Java/Kotlin | ||
| """"""""""" | ||
|
|
||
| * The class :code:`ControlFlowNode` (and by extension :code:`BasicBlock`) is no longer directly equatable to :code:`Expr` and :code:`Stmt`. Any queries that have been exploiting these equalities, for example by using casts, will need minor updates in order to fix any compilation errors. Conversions can be inserted in either direction depending on what is most convenient. Available conversions include :code:`Expr.getControlFlowNode()`, :code:`Stmt.getControlFlowNode()`, | ||
| :code:`ControlFlowNode.asExpr()`, :code:`ControlFlowNode.asStmt()`, and | ||
| :code:`ControlFlowNode.asCall()`. Exit nodes were until now modelled as a | ||
| :code:`ControlFlowNode` equal to its enclosing :code:`Callable`\ ; these are now instead modelled by the class :code:`ControlFlow::ExitNode`. | ||
|
|
||
| Major Analysis Improvements | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| Swift | ||
| """"" | ||
|
|
||
| * Upgraded to allow analysis of Swift 6.0.2. | ||
|
|
||
| Minor Analysis Improvements | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| C/C++ | ||
| """"" | ||
|
|
||
| * The :code:`Guards` library (:code:`semmle.code.cpp.controlflow.Guards`) has been improved to recognize more guard conditions. | ||
|
|
||
| C# | ||
| "" | ||
|
|
||
| * C# 13: Added QL library support for *collection* like type :code:`params` parameters. | ||
| * Added :code:`remote` flow source models for properties of Blazor components annotated with any of the following attributes from :code:`Microsoft.AspNetCore.Components`\ : | ||
|
|
||
| * :code:`[SupplyParameterFromForm]` | ||
| * :code:`[SupplyParameterFromQuery]` | ||
|
|
||
| * Added the constructor and explicit cast operator of :code:`Microsoft.AspNetCore.Components.MarkupString` as an :code:`html-injection` sink. This will help catch cross-site scripting resulting from using :code:`MarkupString`. | ||
| * Added flow summaries for the :code:`Microsoft.AspNetCore.Mvc.Controller::View` method. | ||
| * The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths. | ||
| * The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features. | ||
|
|
||
| Golang | ||
| """""" | ||
|
|
||
| * Added a :code:`commandargs` local source model for the :code:`os.Args` variable. | ||
|
|
||
| Java/Kotlin | ||
| """"""""""" | ||
|
|
||
| * Added :code:`java.io.File.getName()` as a path injection sanitizer. | ||
| * The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths. | ||
| * Added a sink for "Server-side request forgery" (:code:`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL. | ||
|
|
||
| Python | ||
| """""" | ||
|
|
||
| * Added modeling of :code:`fastapi.Request` and :code:`starlette.requests.Request` as sources of untrusted input, | ||
| and modeling of tainted data flow out of these request objects. | ||
|
|
||
| Deprecated APIs | ||
| ~~~~~~~~~~~~~~~ | ||
|
|
||
| C/C++ | ||
| """"" | ||
|
|
||
| * The :code:`TemplateParameter` class, representing C++ type template parameters has been deprecated. Use :code:`TypeTemplateParameter` instead. | ||
|
|
||
| New Features | ||
| ~~~~~~~~~~~~ | ||
|
|
||
| C/C++ | ||
| """"" | ||
|
|
||
| * New classes :code:`SizeofPackExprOperator` and :code:`SizeofPackTypeOperator` were introduced, which represent the C++ :code:`sizeof...` operator taking expressions and type arguments, respectively. | ||
| * A new class :code:`TemplateTemplateParameterInstantiation` was introduced, which represents instantiations of template template parameters. | ||
| * A new predicate :code:`getAnInstantiation` was added to the :code:`TemplateTemplateParameter` class, which yields instantiations of template template parameters. | ||
| * The :code:`getTemplateArgumentType` and :code:`getTemplateArgumentValue` predicates of the :code:`Declaration` class now also yield template arguments of template template parameters. | ||
| * A new class :code:`NonTypeTemplateParameter` was introduced, which represents C++ non-type template parameters. | ||
| * A new class :code:`TemplateParameterBase` was introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters. | ||
|
|
||
| Python | ||
| """""" | ||
|
|
||
| * Added support for parameter annotations in API graphs. This means that in a function definition such as :code:`def foo(x: Bar): ...`, you can now use the :code:`getInstanceFromAnnotation()` method to step from :code:`Bar` to :code:`x`. In addition to this, the :code:`getAnInstance` method now also includes instances arising from parameter annotations. | ||
|
|
||
| Actions | ||
| """"""" | ||
|
|
||
| * Initial public preview release | ||
|
|
||
| Shared Libraries | ||
| ---------------- | ||
|
|
||
| Minor Analysis Improvements | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| Dataflow Analysis | ||
| """"""""""""""""" | ||
|
|
||
| * Added a module :code:`DataFlow::DeduplicatePathGraph` that can be used to avoid generating duplicate path explanations in queries that use flow state. |
170 changes: 170 additions & 0 deletions
170
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.2.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,170 @@ | ||
| .. _codeql-cli-2.20.2: | ||
|
|
||
| ========================== | ||
| CodeQL 2.20.2 (2025-01-22) | ||
| ========================== | ||
|
|
||
| .. contents:: Contents | ||
| :depth: 2 | ||
| :local: | ||
| :backlinks: none | ||
|
|
||
| This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. | ||
|
|
||
| Security Coverage | ||
| ----------------- | ||
|
|
||
| CodeQL 2.20.2 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). | ||
|
|
||
| CodeQL CLI | ||
| ---------- | ||
|
|
||
| Bug Fixes | ||
| ~~~~~~~~~ | ||
|
|
||
| * Fixed a bug where CodeQL would crash on rare occasions while merging SARIF files before uploading results. | ||
|
|
||
| Improvements | ||
| ~~~~~~~~~~~~ | ||
|
|
||
| * :code:`codeql database create` and :code:`codeql database finalize` now write relations to disk in a new, compressed format. As a result, databases will generally take up less space on disk, whether zipped or unzipped. Note that databases in this format can only be read and analyzed using CodeQL version 2.20.1 onwards. Attempting to analyze such a database with CodeQL version 2.20.0 or older will fail, with an error message like the following: | ||
|
|
||
| .. code-block:: text | ||
| UnsortedExtensionalError: Tuples that were assumed to be in order are not: [123456777, 777654321, 123456777]<[777654321, 123456777, 777654321] | ||
| * Added the :code:`.bitLength()` method to :code:`QlBuiltins::BigInt`. | ||
|
|
||
| Query Packs | ||
| ----------- | ||
|
|
||
| Bug Fixes | ||
| ~~~~~~~~~ | ||
|
|
||
| Java/Kotlin | ||
| """"""""""" | ||
|
|
||
| * Classes that define a :code:`writeReplace` method are no longer flagged by the :code:`java/missing-no-arg-constructor-on-serializable` query on the assumption they are unlikely to be deserialized using the default algorithm. | ||
| * The query "Use of a broken or risky cryptographic algorithm" (:code:`java/weak-cryptographic-algorithm`) now gives the reason why the cryptographic algorithm is considered weak. | ||
|
|
||
| JavaScript/TypeScript | ||
| """"""""""""""""""""" | ||
|
|
||
| * Fixed a TypeScript extractor crash that would occur when encountering an export specifier whose local specifier was a string literal. | ||
|
|
||
| Major Analysis Improvements | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| JavaScript/TypeScript | ||
| """"""""""""""""""""" | ||
|
|
||
| * The :code:`js/xss-through-dom` query now recognises sources of DOM input originating from Angular templates. | ||
|
|
||
| Minor Analysis Improvements | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| C/C++ | ||
| """"" | ||
|
|
||
| * Added dataflow models for :code:`SysAllocString` and related functions. | ||
| * The :code:`cpp/badly-bounded-write`, :code:`cpp/equality-on-floats`, :code:`cpp/short-global-name`, :code:`cpp/static-buffer-overflow`, :code:`cpp/too-few-arguments`, :code:`cpp/useless-expression`, :code:`cpp/world-writable-file-creation` queries no longer produce alerts on files created by CMake to test the build configuration. | ||
|
|
||
| Language Libraries | ||
| ------------------ | ||
|
|
||
| Major Analysis Improvements | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| JavaScript/TypeScript | ||
| """"""""""""""""""""" | ||
|
|
||
| * All data flow queries are now using the same underlying data flow library as the other languages analyses, replacing the old one written specifically for JavaScript/TypeScript. | ||
| This is a significant change and users may consequently observe differences in the alerts generated by the analysis. | ||
|
|
||
| Minor Analysis Improvements | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| C/C++ | ||
| """"" | ||
|
|
||
| * :code:`DefaultOptions::exits` now holds for C23 functions with the :code:`_Noreturn` or :code:`___Noreturn__` attribute. | ||
|
|
||
| C# | ||
| "" | ||
|
|
||
| * Added extractor support for extracting implicit :code:`ToString` calls in binary :code:`+` expressions and string interpolation expressions. | ||
| * The Razor source generator invocation in :code:`build-mode:none` extraction has been changed to use relative file paths instead of absolute ones. | ||
| * C# 13: Added extractor support and call dispatch logic (data flow) for the (negative) type parameter constraint :code:`allows ref struct`. Added extractor support for the type parameter constraint :code:`notnull`. | ||
|
|
||
| Golang | ||
| """""" | ||
|
|
||
| * :code:`database` local source models have been added for the Beego ORM package. | ||
| * :code:`database` local source models have been added for the :code:`github.com/jmoiron/sqlx` package. | ||
| * Added :code:`database` source models for database methods from the :code:`gorm.io/gorm` package. | ||
| * :code:`database` local source models have been added for the :code:`database/sql` and :code:`database/sql/driver` packages. | ||
|
|
||
| Java/Kotlin | ||
| """"""""""" | ||
|
|
||
| * :code:`JavacTool`\ -based compiler interception no longer requires an :code:`--add-opens` directive when :code:`FileObject.toUri` is accessible. | ||
| * :code:`JavacTool`\ -based compiler interception no longer throws an exception visible to the program using :code:`JavacTool` on failure to extract a file path from a passed :code:`JavaFileObject`. | ||
| * :code:`JavacTool`\ -based compiler interception now supports files that don't simply wrap a :code:`file://` URL, such as a source file inside a JAR, or an in-memory file, but which do implement :code:`getCharContent`. | ||
|
|
||
| JavaScript/TypeScript | ||
| """"""""""""""""""""" | ||
|
|
||
| * The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library. | ||
|
|
||
| Python | ||
| """""" | ||
|
|
||
| * The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library. | ||
| * Additional taint steps through methods of :code:`lxml.etree.Element` and :code:`lxml.etree.ElementTree` objects from the :code:`lxml` PyPI package have been modeled. | ||
|
|
||
| Ruby | ||
| """" | ||
|
|
||
| * The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library. | ||
| * Types are now being tracked in data flow, but only when the type of an object is obvious from the context. For example, :code:`C.new` has guaranteed type :code:`C`, while in :code:`def add(x, y) { x + y }` we cannot assign a type to :code:`x + y` (it could, for instance, be both :code:`String` and :code:`Integer`). Tracking types allows us to remove false-positive results when type incompatibility can be established. | ||
|
|
||
| Swift | ||
| """"" | ||
|
|
||
| * The sensitive data library has been improved so that :code:`snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library. | ||
|
|
||
| Deprecated APIs | ||
| ~~~~~~~~~~~~~~~ | ||
|
|
||
| JavaScript/TypeScript | ||
| """"""""""""""""""""" | ||
|
|
||
| * Custom data flow queries will need to be migrated in order to use the shared data flow library. Until migrated, such queries will compile with deprecation warnings and run with a deprecated copy of the old data flow library. The deprecation layer will be removed in early 2026, after which any unmigrated queries will stop working. | ||
| See more information in the `migration guide <https://codeql.github.com/docs/codeql-language-guides/migrating-javascript-dataflow-queries>`__. | ||
|
|
||
| New Features | ||
| ~~~~~~~~~~~~ | ||
|
|
||
| C/C++ | ||
| """"" | ||
|
|
||
| * Add a new predicate :code:`getAnIndirectBarrier` to the parameterized module :code:`InstructionBarrierGuard` in :code:`semmle.code.cpp.dataflow.new.DataFlow` for computing indirect dataflow nodes that are guarded by a given instruction. This predicate is similar to the :code:`getAnIndirectBarrier` predicate on the parameterized module :code:`BarrierGuard`. | ||
| * A new predicate :code:`getDecltype` was added to the :code:`ProxyClass` class, which yields the decltype for the proxy class. | ||
| * Template classes that are of :code:`struct` type are now also instances of the :code:`Struct` class. | ||
| * Template classes that are of :code:`union` type are now also instances of the :code:`Union` class. | ||
| * A new abstract class :code:`ConfigurationTestFile` (:code:`semmle.code.cpp.ConfigurationTestFile.ConfigurationTestFile`) was introduced, which represents files created to test the build configuration. A subclass :code:`CmakeTryCompileFile` of :code:`ConfigurationTestFile` was also introduced, which represents files created by CMake to test the build configuration. | ||
| * New predicates :code:`getARequiresClause`, :code:`getTemplateRequiresClause` and :code:`getFunctionRequiresClause` were added to the :code:`FunctionDeclarationEntry` class, which yield the requires clauses when the entry represents a function template declaration with requires clauses. | ||
| * A new predicate :code:`getRequiresClause` was added to the :code:`TypeDeclarationEntry` class, which yields the requires clause when the entry represents a class template declaration with a requires clause. | ||
| * A new predicate :code:`getRequiresClause` was added to the :code:`VariableDeclarationEntry` class, which yields the requires clause when the entry represents a variable template declaration with a requires clause. | ||
| * A new predicate :code:`getTypeConstraint` was added to the :code:`TypeTemplateParameter` class, which yields the type constraint of the parameter if it exists. | ||
| * A new class :code:`VariableTemplateSpecialization` was introduced, which represents explicit specializations of variable templates. | ||
| * A new predicate :code:`isSpecialization` was added to the :code:`Variable` class, which holds if the variable is a template specialization. | ||
| * A new class :code:`ConceptIdExpr` was introduced, which represents C++20 concept id expressions. | ||
| * A new class :code:`Concept` was introduced, which represents C++20 concepts. | ||
| * The :code:`getTemplateArgumentType` and :code:`getTemplateArgumentValue` predicates of the :code:`Declaration` class now also yield template arguments of concepts. | ||
| * A new class :code:`ConstevalIfStmt` was introduced, which represents the C++23 :code:`if consteval` and :code:`if ! consteval` statements. | ||
|
|
||
| Java/Kotlin | ||
| """"""""""" | ||
|
|
||
| * The Java and Kotlin extractors now support :code:`CODEQL_PATH_TRANSFORMER`. :code:`SEMMLE_PATH_TRANSFORMER` is still supported, but deprecated. |
Oops, something went wrong.