|
| 1 | +.. _codeql-cli-2.23.5: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.23.5 (2025-11-13) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.23.5 runs a total of 483 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 3 security queries have been added with this release. |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +Breaking Changes |
| 23 | +~~~~~~~~~~~~~~~~ |
| 24 | + |
| 25 | +* In order to make a :code:`@kind path-problem` query diff-informed, the :code:`getASelectedSourceLocation` and :code:`getASelectedSinkLocation` predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink *in addition to* any other locations that are selected by the query. See the `QLdoc <https://github.com/github/codeql/blob/d122534398c5eb9182a23a9ad65caa5937d627b5/shared/dataflow/codeql/dataflow/DataFlow.qll#L474>`__ for more details. |
| 26 | + |
| 27 | +Query Packs |
| 28 | +----------- |
| 29 | + |
| 30 | +Minor Analysis Improvements |
| 31 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 32 | + |
| 33 | +C# |
| 34 | +"" |
| 35 | + |
| 36 | +* the :code:`cs/web/missing-x-frame-options` query now correctly handles configuration nested in root :code:`<location>` elements. |
| 37 | + |
| 38 | +Java/Kotlin |
| 39 | +""""""""""" |
| 40 | + |
| 41 | +* Calls to :code:`String.matches` are now treated as sanitizers for the :code:`java/ssrf` query. |
| 42 | + |
| 43 | +Python |
| 44 | +"""""" |
| 45 | + |
| 46 | +* The :code:`py/insecure-cookie` query has been split into multiple queries; with :code:`py/insecure-cookie` checking for cases in which :code:`Secure` flag is not set, :code:`py/client-exposed-cookie` checking for cases in which the :code:`HttpOnly` flag is not set, and the :code:`py/samesite-none` query checking for cases in which the :code:`SameSite` attribute is set to :code:`None`. These queries also now only alert for cases in which the cookie is detected to contain sensitive data. |
| 47 | + |
| 48 | +Rust |
| 49 | +"""" |
| 50 | + |
| 51 | +* The "Low Rust analysis quality" query (:code:`rust/diagnostic/database-quality`), used by the tool status page, has been extended with a measure of successful type inference. |
| 52 | + |
| 53 | +New Queries |
| 54 | +~~~~~~~~~~~ |
| 55 | + |
| 56 | +Java/Kotlin |
| 57 | +""""""""""" |
| 58 | + |
| 59 | +* The :code:`java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack. |
| 60 | +* Added a new query, :code:`java/escaping`, to detect values escaping from classes marked as :code:`@ThreadSafe`. |
| 61 | +* Added a new query, :code:`java/not-threadsafe`, to detect data races in classes marked as :code:`@ThreadSafe`. |
| 62 | +* Added a new query, :code:`java/safe-publication`, to detect unsafe publication in classes marked as :code:`@ThreadSafe`. |
| 63 | + |
| 64 | +Language Libraries |
| 65 | +------------------ |
| 66 | + |
| 67 | +Breaking Changes |
| 68 | +~~~~~~~~~~~~~~~~ |
| 69 | + |
| 70 | +Swift |
| 71 | +""""" |
| 72 | + |
| 73 | +* The :code:`OpenedArchetypeType` class has been renamed as :code:`ExistentialArchetypeType`. |
| 74 | +* The :code:`OtherAvailabilitySpec` class has been removed. Use :code:`AvailabilitySpec::isWildcard` instead. |
| 75 | +* The :code:`PlatformVersionAvailabilitySpec` has been removed. Use :code:`AvailabilitySpec::getPlatform` and :code:`AvailabilitySpec::getVersion` instead. |
| 76 | + |
| 77 | +Major Analysis Improvements |
| 78 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 79 | + |
| 80 | +C# |
| 81 | +"" |
| 82 | + |
| 83 | +* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions, for example, improved precision has been observed for :code:`cs/inefficient-containskey` and :code:`cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: :code:`cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, :code:`cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, :code:`cs/dereferenced-value-may-be-null` has been changed from a :code:`path-problem` query to a :code:`problem` query, so paths are no longer reported for this query. |
| 84 | + |
| 85 | +Swift |
| 86 | +""""" |
| 87 | + |
| 88 | +* Upgraded to allow analysis of Swift 6.2. |
| 89 | +* Support for experimental Embedded Swift has been dropped. |
| 90 | + |
| 91 | +Rust |
| 92 | +"""" |
| 93 | + |
| 94 | +* Resolution of calls to functions has been improved in a number of ways, to make it more aligned with the behavior of the Rust compiler. This may impact queries that rely on call resolution, such as data flow queries. |
| 95 | +* Added basic models for the :code:`actix-web` web framework. |
| 96 | + |
| 97 | +Minor Analysis Improvements |
| 98 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 99 | + |
| 100 | +C# |
| 101 | +"" |
| 102 | + |
| 103 | +* Added tracer support for macOS and Linux when the .NET CLI (:code:`dotnet`) directly invokes the C# compiler (:code:`csc`). This enhancement provides basic tracing and extraction capabilities for .NET 10 RC2 on these platforms. |
| 104 | +* The extraction of location information for source code entities has been updated to use star IDs (:code:`*` IDs). This change should be transparent to end-users but may improve extraction performance in some cases by reducing TRAP file size and eliminating overhead from location de-duplication. |
| 105 | + |
| 106 | +Rust |
| 107 | +"""" |
| 108 | + |
| 109 | +* Added :code:`ExtractedFile::hasSemantics` and :code:`ExtractedFile::isSkippedByCompilation` predicates. |
| 110 | +* Generalized some existing models to improve data flow. |
| 111 | +* Added models for the :code:`mysql` and :code:`mysql_async` libraries. |
| 112 | + |
| 113 | +Deprecated APIs |
| 114 | +~~~~~~~~~~~~~~~ |
| 115 | + |
| 116 | +C# |
| 117 | +"" |
| 118 | + |
| 119 | +* The class :code:`AbstractValue` in the :code:`Guards` library has been deprecated and replaced with the class :code:`GuardValue`. |
| 120 | + |
| 121 | +New Features |
| 122 | +~~~~~~~~~~~~ |
| 123 | + |
| 124 | +Python |
| 125 | +"""""" |
| 126 | + |
| 127 | +* Initial support for incremental Python databases via :code:`codeql database create --overlay-base`\ /\ :code:`--overlay-changes`. |
| 128 | + |
| 129 | +Swift |
| 130 | +""""" |
| 131 | + |
| 132 | +* Added AST nodes :code:`UsingDecl`, :code:`UnsafeExpr`, and :code:`InlineArrayType` that correspond to new nodes in Swift 6.2. |
| 133 | +* Added new predicates :code:`isDistributedGet`, :code:`isRead2`, :code:`isModify2`, and :code:`isInit` to the :code:`Accessor` class that correspond to new accessors in Swift 6.2. |
| 134 | +* Added a new predicate :code:`isApply` to the :code:`KeyPathComponent` class that corresponds to method and initializer key path components in Swift 6.2. |
0 commit comments