|
| 1 | +.. _codeql-cli-2.16.3: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.16.3 (2024-02-22) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.16.3 runs a total of 408 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 131 queries (covering 34 more CWE). 2 security queries have been added with this release. |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +Bug Fixes |
| 23 | +~~~~~~~~~ |
| 24 | + |
| 25 | +* Fixed a bug where CodeQL may produce an invalid database when it exhausts all available ID numbers. Now it detects the condition and reports an error instead. |
| 26 | + |
| 27 | +New Features |
| 28 | +~~~~~~~~~~~~ |
| 29 | + |
| 30 | +* A new extractor option has been added to the Python extractor: :code:`python_executable_name`. |
| 31 | + You can use this option to override the default process the extractor uses to find and select a Python executable. |
| 32 | + Pass one of :code:`--extractor-option python_executable_name=py` or :code:`--extractor-option python_executable_name=python` or :code:`--extractor-option python_executable_name=python3` to commands that run the extractor, for example: :code:`codeql database create`. |
| 33 | + |
| 34 | + On Windows machines, the Python extractor will expect to find :code:`py.exe` on the system :code:`PATH` by default. |
| 35 | + If the Python executable has a different name, you can set the new extractor option to override this value and look for :code:`python.exe` or :code:`python3.exe`. |
| 36 | + |
| 37 | + For more information about using the extractor option with the CodeQL CLI, see `Extractor options <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/extractor-options>`__. |
| 38 | + |
| 39 | +Security Updates |
| 40 | +~~~~~~~~~~~~~~~~ |
| 41 | + |
| 42 | +* Fixes CVE-2024-25129, a limited data exfiltration vulnerability that could be triggered by untrusted databases or QL packs. See the |
| 43 | + \ `security advisory <https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph>`__ for more information. |
| 44 | + |
| 45 | +Query Packs |
| 46 | +----------- |
| 47 | + |
| 48 | +Bug Fixes |
| 49 | +~~~~~~~~~ |
| 50 | + |
| 51 | +JavaScript/TypeScript |
| 52 | +""""""""""""""""""""" |
| 53 | + |
| 54 | +* The left operand of the :code:`&&` operator no longer propagates data flow by default. |
| 55 | + |
| 56 | +Major Analysis Improvements |
| 57 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 58 | + |
| 59 | +Golang |
| 60 | +"""""" |
| 61 | + |
| 62 | +* The query "Use of a hardcoded key for signing JWT" (:code:`go/hardcoded-key`) has been promoted from experimental to the main query pack. Its results will now appear by default as part of :code:`go/hardcoded-credentials`. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/9378>`__. |
| 63 | + |
| 64 | +Java |
| 65 | +"""" |
| 66 | + |
| 67 | +* The sinks of the queries :code:`java/path-injection` and :code:`java/path-injection-local` have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries. |
| 68 | + |
| 69 | +Minor Analysis Improvements |
| 70 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 71 | + |
| 72 | +C/C++ |
| 73 | +""""" |
| 74 | + |
| 75 | +* The "non-constant format string" query (:code:`cpp/non-constant-format`) has been updated to produce fewer false positives. |
| 76 | +* Added dataflow models for the :code:`gettext` function variants. |
| 77 | + |
| 78 | +C# |
| 79 | +"" |
| 80 | + |
| 81 | +* Added sanitizers for relative URLs, :code:`List.Contains()`, and checking the :code:`.Host` property on an URI to the :code:`cs/web/unvalidated-url-redirection` query. |
| 82 | + |
| 83 | +Java |
| 84 | +"""" |
| 85 | + |
| 86 | +* The sanitizer for the path injection queries has been improved to handle more cases where :code:`equals` is used to check an exact path match. |
| 87 | +* The query :code:`java/unvalidated-url-redirection` now sanitizes results following the same logic as the query :code:`java/ssrf`. URLs where the destination cannot be controlled externally are no longer reported. |
| 88 | + |
| 89 | +New Queries |
| 90 | +~~~~~~~~~~~ |
| 91 | + |
| 92 | +Golang |
| 93 | +"""""" |
| 94 | + |
| 95 | +* The query "Missing JWT signature check" (:code:`go/missing-jwt-signature-check`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @am0o0 <https://github.com/github/codeql/pull/14075>`__. |
| 96 | + |
| 97 | +Java |
| 98 | +"""" |
| 99 | + |
| 100 | +* Added a new query :code:`java/android/insecure-local-authentication` for finding uses of biometric authentication APIs that do not make use of a :code:`KeyStore`\ -backed key and thus may be bypassed. |
| 101 | + |
| 102 | +Swift |
| 103 | +""""" |
| 104 | + |
| 105 | +* Added a new experimental query, :code:`swift/unsafe-unpacking`, that detects unpacking user controlled zips without validating the destination file path is within the destination directory. |
| 106 | + |
| 107 | +Query Metadata Changes |
| 108 | +~~~~~~~~~~~~~~~~~~~~~~ |
| 109 | + |
| 110 | +Java |
| 111 | +"""" |
| 112 | + |
| 113 | +* The :code:`security-severity` score of the query :code:`java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation. |
| 114 | + |
| 115 | +Language Libraries |
| 116 | +------------------ |
| 117 | + |
| 118 | +Minor Analysis Improvements |
| 119 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 120 | + |
| 121 | +C# |
| 122 | +"" |
| 123 | + |
| 124 | +* C# 12: The QL and data flow library now support primary constructors. |
| 125 | +* Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in buildless mode to surface information related to dependency fetching. |
| 126 | + |
| 127 | +Java |
| 128 | +"""" |
| 129 | + |
| 130 | +* An extension point for sanitizers of the query :code:`java/unvalidated-url-redirection` has been added. |
| 131 | + |
| 132 | +* Added models for the following packages: |
| 133 | + |
| 134 | + * java.io |
| 135 | + * java.lang |
| 136 | + * java.net |
| 137 | + * java.net.http |
| 138 | + * java.nio.file |
| 139 | + * java.util.zip |
| 140 | + * javax.servlet |
| 141 | + * org.apache.commons.io |
| 142 | + * org.apache.hadoop.fs |
| 143 | + * org.apache.hadoop.fs.s3a |
| 144 | + * org.eclipse.jetty.client |
| 145 | + * org.gradle.api.file |
| 146 | + |
| 147 | +JavaScript/TypeScript |
| 148 | +""""""""""""""""""""" |
| 149 | + |
| 150 | +* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data. |
| 151 | + |
| 152 | +Python |
| 153 | +"""""" |
| 154 | + |
| 155 | +* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data. |
| 156 | +* Added modeling of the :code:`psycopg` PyPI package as a SQL database library. |
| 157 | + |
| 158 | +Ruby |
| 159 | +"""" |
| 160 | + |
| 161 | +* Raw output ERB tags of the form :code:`<%== ... %>` are now recognised as cross-site scripting sinks. |
| 162 | +* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data. |
| 163 | + |
| 164 | +Swift |
| 165 | +""""" |
| 166 | + |
| 167 | +* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data. |
| 168 | + |
| 169 | +Deprecated APIs |
| 170 | +~~~~~~~~~~~~~~~ |
| 171 | + |
| 172 | +Java |
| 173 | +"""" |
| 174 | + |
| 175 | +* The :code:`PathCreation` class in :code:`PathCreation.qll` has been deprecated. |
| 176 | + |
| 177 | +New Features |
| 178 | +~~~~~~~~~~~~ |
| 179 | + |
| 180 | +C/C++ |
| 181 | +""""" |
| 182 | + |
| 183 | +* A :code:`getInitialization` predicate was added to the :code:`RangeBasedForStmt` class that yields the C++20-style initializer of the range-based :code:`for` statement when it exists. |
| 184 | + |
| 185 | +Shared Libraries |
| 186 | +---------------- |
| 187 | + |
| 188 | +Breaking Changes |
| 189 | +~~~~~~~~~~~~~~~~ |
| 190 | + |
| 191 | +Dataflow Analysis |
| 192 | +""""""""""""""""" |
| 193 | + |
| 194 | +* The :code:`edges` predicate contained in :code:`PathGraph` now contains two additional columns for propagating model provenance information. This is primarily an internal change without any impact on any APIs, except for specialised queries making use of :code:`MergePathGraph` in conjunction with custom :code:`PathGraph` implementations. Such queries will need to be updated to reference the two new columns. This is expected to be very rare, as :code:`MergePathGraph` is an advanced feature, but it is a breaking change for any such affected queries. |
0 commit comments