|
| 1 | +.. _codeql-cli-2.18.0: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.18.0 (2024-07-11) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.18.0 runs a total of 415 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 131 queries (covering 35 more CWE). 1 security query has been added with this release. |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +Breaking Changes |
| 23 | +~~~~~~~~~~~~~~~~ |
| 24 | + |
| 25 | +* A number of breaking changes have been made to the C and C++ CodeQL environment: |
| 26 | + |
| 27 | + * The environment no longer defines any GNU-specific builtin macros. |
| 28 | + If these macros are still needed, please define them via |
| 29 | + :code:`semmle-extractor-options`. |
| 30 | + |
| 31 | + * The :code:`--force-recompute` option is no longer directly supported by |
| 32 | + :code:`semmle-extractor-options`. Instead, :code:`--edg --force-recompute` should be specified. |
| 33 | + |
| 34 | + * The :code:`--gnu_version` and :code:`--microsoft_version` options that can be specified via :code:`semmle-extractor-options` are now synonyms, and only one should be specified as part of :code:`semmle-extractor-options`. |
| 35 | + Furthermore, is also no longer possible to specify these options via the following syntax. |
| 36 | + |
| 37 | + * :code:`--edg --gnu_version --edg <version number>`, and |
| 38 | + * :code:`--edg --microsoft_version --edg <version number>` |
| 39 | + |
| 40 | + The shorter :code:`--gnu_version <version number>` and |
| 41 | + :code:`--microsoft_version <version number>` should be used. |
| 42 | + |
| 43 | +* The :code:`--build_error_dir` and :code:`--predefined_macros` command line options have been removed from the C/C++ extractor. It has never been possible to pass these options through the CLI, but some customers with advanced setups may have been passing them through internal undocumented interfaces. |
| 44 | + Passing the option :code:`--build_error_dir` did not have any effect, and it is safe to remove the option. The :code:`--predefined_macros` option should have been unnecessary, as long as the extractor was invoked with the |
| 45 | + :code:`--mimic` option. |
| 46 | + |
| 47 | +Bug Fixes |
| 48 | +~~~~~~~~~ |
| 49 | + |
| 50 | +* Where a MacOS unsigned binary cannot be signed, CodeQL will now continue trying to trace compiler invocations created by that process and its children. In particular this means that Bazel builds on MacOS are now traceable. |
| 51 | +* Fixed a bug where test discovery would fail if there is a syntax error in a qlpack file. Now, a warning message will be printed and discovery will continue. |
| 52 | + |
| 53 | +Improvements |
| 54 | +~~~~~~~~~~~~ |
| 55 | + |
| 56 | +* Introduced the :code:`--include-logs` option to the :code:`codeql database bundle` command. This new feature allows users to include logs in the generated database bundle, allowing for a more complete treatment of the bundle, and bringing the tool capabilities up-to-speed with the documentation. |
| 57 | +* :code:`codeql database init` and :code:`codeql database create` now support the |
| 58 | + :code:`--force-overwrite` option. When this option is specified, the command will delete the specified database directory even if it does not look like a database directory. This option is only recommended for automation. For directcommand line commands, it is recommended to use the :code:`--overwrite` option, which includes extra protection and will refuse to delete a directory that does not look like a database directory. |
| 59 | +* Extract :code:`.xsaccess`, :code:`*.xsjs` and :code:`*.xsjslib` files for SAP HANA XS as Javascript. |
| 60 | +* We have updated many compiler error messages and warnings to improve their readability and standardize their grammar. |
| 61 | + Where necessary, please use the :code:`--learn` option for the :code:`codeql test run` command. |
| 62 | + |
| 63 | +Known Issues |
| 64 | +~~~~~~~~~~~~ |
| 65 | + |
| 66 | +* Compilation of QL queries is about 30% slower than in previous releases. This only affects users who write custom queries, and only at compilation time, not at run time. This regression will be fixed in the upcoming 2.18.1 release. |
| 67 | + |
| 68 | +Query Packs |
| 69 | +----------- |
| 70 | + |
| 71 | +Major Analysis Improvements |
| 72 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 73 | + |
| 74 | +Java |
| 75 | +"""" |
| 76 | + |
| 77 | +* The query :code:`java/weak-cryptographic-algorithm` no longer alerts about :code:`RSA/ECB` algorithm strings. |
| 78 | + |
| 79 | +Minor Analysis Improvements |
| 80 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 81 | + |
| 82 | +Java |
| 83 | +"""" |
| 84 | + |
| 85 | +* The query :code:`java/tainted-permissions-check` now uses threat models. This means that :code:`local` sources are no longer included by default for this query, but can be added by enabling the :code:`local` threat model. |
| 86 | +* Added more :code:`org.apache.commons.io.FileUtils`\ -related sinks to the path injection query. |
| 87 | + |
| 88 | +JavaScript/TypeScript |
| 89 | +""""""""""""""""""""" |
| 90 | + |
| 91 | +* Added a new experimental query, :code:`js/cors-misconfiguration`, which detects misconfigured CORS HTTP headers in the :code:`cors` and :code:`apollo` libraries. |
| 92 | + |
| 93 | +Python |
| 94 | +"""""" |
| 95 | + |
| 96 | +* Adding Python support for Hardcoded Credentials as Models as Data |
| 97 | +* Additional sanitizers have been added to the :code:`py/full-ssrf` and :code:`py/partial-ssrf` queries for methods that verify a string contains only a certain set of characters, such as :code:`.isalnum()` as well as regular expression tests. |
| 98 | + |
| 99 | +Language Libraries |
| 100 | +------------------ |
| 101 | + |
| 102 | +Bug Fixes |
| 103 | +~~~~~~~~~ |
| 104 | + |
| 105 | +Golang |
| 106 | +"""""" |
| 107 | + |
| 108 | +* Fixed dataflow via global variables other than via a direct write: for example, via a side-effect on a global, such as :code:`io.copy(SomeGlobal, ...)` or via assignment to a field or array or slice cell of a global. This means that any data-flow query may return more results where global variables are involved. |
| 109 | + |
| 110 | +Java |
| 111 | +"""" |
| 112 | + |
| 113 | +* Support for :code:`codeql test run` for Kotlin sources has been fixed. |
| 114 | + |
| 115 | +Major Analysis Improvements |
| 116 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 117 | + |
| 118 | +JavaScript/TypeScript |
| 119 | +""""""""""""""""""""" |
| 120 | + |
| 121 | +* Added support for TypeScript 5.5. |
| 122 | + |
| 123 | +Minor Analysis Improvements |
| 124 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 125 | + |
| 126 | +C/C++ |
| 127 | +""""" |
| 128 | + |
| 129 | +* The queries "Potential double free" (:code:`cpp/double-free`) and "Potential use after free" (:code:`cpp/use-after-free`) now produce fewer false positives. |
| 130 | +* The "Guards" library (:code:`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation :code:`__builtin_expect`. As a result, some queries may produce fewer false positives. |
| 131 | + |
| 132 | +Golang |
| 133 | +"""""" |
| 134 | + |
| 135 | +* DataFlow queries which previously used :code:`RemoteFlowSource` to define their sources have been modified to instead use :code:`ThreatModelFlowSource`. This means these queries will now respect threat model configurations. The default threat model configuration is equivalent to :code:`RemoteFlowSource`, so there should be no change in results for users using the default. |
| 136 | +* Added the :code:`ThreatModelFlowSource` class to :code:`FlowSources.qll`. The :code:`ThreatModelFlowSource` class can be used to include sources which match the current *threat model* configuration. This is the first step in supporting threat modeling for Go. |
| 137 | + |
| 138 | +Java |
| 139 | +"""" |
| 140 | + |
| 141 | +* Added models for the following packages: |
| 142 | + |
| 143 | + * io.undertow.server.handlers.resource |
| 144 | + * jakarta.faces.context |
| 145 | + * javax.faces.context |
| 146 | + * javax.servlet |
| 147 | + * org.jboss.vfs |
| 148 | + * org.springframework.core.io |
| 149 | + |
| 150 | +* A bug has been fixed in the heuristic identification of uncertain control flow, which is used to filter data flow in order to improve performance and reduce false positives. This fix means that slightly more code is identified and hence pruned from data flow. |
| 151 | + |
| 152 | +* Excluded reverse DNS from the loopback address as a source of untrusted data. |
| 153 | + |
| 154 | +JavaScript/TypeScript |
| 155 | +""""""""""""""""""""" |
| 156 | + |
| 157 | +* Enabled type-tracking to follow content through array methods |
| 158 | +* Improved modeling of :code:`Array.prototype.splice` for when it is called with more than two arguments |
| 159 | + |
| 160 | +Python |
| 161 | +"""""" |
| 162 | + |
| 163 | +* A number of Python queries now support sinks defined using data extensions. The format of data extensions for Python has been documented. |
| 164 | + |
| 165 | +Ruby |
| 166 | +"""" |
| 167 | + |
| 168 | +* Element references with blocks, such as :code:`foo[:bar] { |x| puts x}`, are now parsed correctly. |
| 169 | +* The :code:`CleartextSources.qll` library, used by :code:`rb/clear-text-logging-sensitive-data` and :code:`rb/clear-text-logging-sensitive-data`, has been updated to consider heuristics for additional categories of sensitive data. |
| 170 | + |
| 171 | +New Features |
| 172 | +~~~~~~~~~~~~ |
| 173 | + |
| 174 | +C/C++ |
| 175 | +""""" |
| 176 | + |
| 177 | +* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See :code:`dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format. |
| 178 | +* It is now possible to extend the classes :code:`AllocationFunction` and :code:`DeallocationFunction` via data extensions. Extensions of these classes should be added to the :code:`lib/ext/allocation` and :code:`lib/ext/deallocation` directories respectively. |
0 commit comments