|
| 1 | +.. _codeql-cli-2.16.3: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.16.3 (2024-02-22) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.16.3 runs a total of 408 security queries when configured with the Default suite (covering 160 CWE). The Extended suite enables an additional 131 queries (covering 34 more CWE). 2 security queries have been added with this release. |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +Bug Fixes |
| 23 | +~~~~~~~~~ |
| 24 | + |
| 25 | +* Fixed a bug where CodeQL may produce an invalid database when it exhausts all available ID numbers. Now it detects the condition and reports an error instead. |
| 26 | + |
| 27 | +New Features |
| 28 | +~~~~~~~~~~~~ |
| 29 | + |
| 30 | +* A new extractor option has been added to the Python extractor. |
| 31 | + Pass one of :code:`--extractor-option python_executable_name=py` or :code:`--extractor-option python_executable_name=python` or :code:`--extractor-option python_executable_name=python3` to :code:`codeql database create` (or :code:`codeql database trace-command` or, |
| 32 | + for indirect tracing, :code:`codeql database init`) to override the default Python executable search and selection behavior of the Python extractor. For example, on Windows machines, the Python extractor will expect to find :code:`py.exe` on the system :code:`PATH` by default. |
| 33 | + Setting this extractor option or environment variable allows overriding this behavior to look for a different name. |
| 34 | + |
| 35 | + More detail can be found in `the extractor option documentation <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/extractor-options>`__. |
| 36 | + |
| 37 | +Security Updates |
| 38 | +~~~~~~~~~~~~~~~~ |
| 39 | + |
| 40 | +* Fixes CVE-2024-25129, a limited data exfiltration vulnerability that could be triggered by untrusted databases or QL packs. See the |
| 41 | + \ `security advisory <https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph>`__ for more information. |
| 42 | + |
| 43 | +Query Packs |
| 44 | +----------- |
| 45 | + |
| 46 | +Bug Fixes |
| 47 | +~~~~~~~~~ |
| 48 | + |
| 49 | +JavaScript/TypeScript |
| 50 | +""""""""""""""""""""" |
| 51 | + |
| 52 | +* The left operand of the :code:`&&` operator no longer propagates data flow by default. |
| 53 | + |
| 54 | +Major Analysis Improvements |
| 55 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 56 | + |
| 57 | +Golang |
| 58 | +"""""" |
| 59 | + |
| 60 | +* The query "Use of a hardcoded key for signing JWT" (:code:`go/hardcoded-key`) has been promoted from experimental to the main query pack. Its results will now appear by default as part of :code:`go/hardcoded-credentials`. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/9378>`__. |
| 61 | + |
| 62 | +Java |
| 63 | +"""" |
| 64 | + |
| 65 | +* The sinks of the queries :code:`java/path-injection` and :code:`java/path-injection-local` have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries. |
| 66 | + |
| 67 | +Minor Analysis Improvements |
| 68 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 69 | + |
| 70 | +C/C++ |
| 71 | +""""" |
| 72 | + |
| 73 | +* The "non-constant format string" query (:code:`cpp/non-constant-format`) has been updated to produce fewer false positives. |
| 74 | +* Added dataflow models for the :code:`gettext` function variants. |
| 75 | + |
| 76 | +C# |
| 77 | +"" |
| 78 | + |
| 79 | +* Added sanitizers for relative URLs, :code:`List.Contains()`, and checking the :code:`.Host` property on an URI to the :code:`cs/web/unvalidated-url-redirection` query. |
| 80 | + |
| 81 | +Java |
| 82 | +"""" |
| 83 | + |
| 84 | +* The sanitizer for the path injection queries has been improved to handle more cases where :code:`equals` is used to check an exact path match. |
| 85 | +* The query :code:`java/unvalidated-url-redirection` now sanitizes results following the same logic as the query :code:`java/ssrf`. URLs the destination of which cannot be externally controlled will not be reported anymore. |
| 86 | + |
| 87 | +New Queries |
| 88 | +~~~~~~~~~~~ |
| 89 | + |
| 90 | +Golang |
| 91 | +"""""" |
| 92 | + |
| 93 | +* The query "Missing JWT signature check" (:code:`go/missing-jwt-signature-check`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @am0o0 <https://github.com/github/codeql/pull/14075>`__. |
| 94 | + |
| 95 | +Java |
| 96 | +"""" |
| 97 | + |
| 98 | +* Added a new query :code:`java/android/insecure-local-authentication` for finding uses of biometric authentication APIs that do not make use of a :code:`KeyStore`\ -backed key and thus may be bypassed. |
| 99 | + |
| 100 | +Swift |
| 101 | +""""" |
| 102 | + |
| 103 | +* Added a new experimental query, :code:`swift/unsafe-unpacking`, that detects unpacking user controlled zips without validating the destination file path is within the destination directory. |
| 104 | + |
| 105 | +Query Metadata Changes |
| 106 | +~~~~~~~~~~~~~~~~~~~~~~ |
| 107 | + |
| 108 | +Java |
| 109 | +"""" |
| 110 | + |
| 111 | +* The :code:`security-severity` score of the query :code:`java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation. |
| 112 | + |
| 113 | +Language Libraries |
| 114 | +------------------ |
| 115 | + |
| 116 | +Minor Analysis Improvements |
| 117 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 118 | + |
| 119 | +C# |
| 120 | +"" |
| 121 | + |
| 122 | +* C# 12: The QL and data flow library now support primary constructors. |
| 123 | +* Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in buildless mode to surface information related to dependency fetching. |
| 124 | + |
| 125 | +Java |
| 126 | +"""" |
| 127 | + |
| 128 | +* An extension point for sanitizers of the query :code:`java/unvalidated-url-redirection` has been added. |
| 129 | + |
| 130 | +* Added models for the following packages: |
| 131 | + |
| 132 | + * java.io |
| 133 | + * java.lang |
| 134 | + * java.net |
| 135 | + * java.net.http |
| 136 | + * java.nio.file |
| 137 | + * java.util.zip |
| 138 | + * javax.servlet |
| 139 | + * org.apache.commons.io |
| 140 | + * org.apache.hadoop.fs |
| 141 | + * org.apache.hadoop.fs.s3a |
| 142 | + * org.eclipse.jetty.client |
| 143 | + * org.gradle.api.file |
| 144 | + |
| 145 | +JavaScript/TypeScript |
| 146 | +""""""""""""""""""""" |
| 147 | + |
| 148 | +* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data. |
| 149 | + |
| 150 | +Python |
| 151 | +"""""" |
| 152 | + |
| 153 | +* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data. |
| 154 | +* Added modeling of the :code:`psycopg` PyPI package as a SQL database library. |
| 155 | + |
| 156 | +Ruby |
| 157 | +"""" |
| 158 | + |
| 159 | +* Raw output ERB tags of the form :code:`<%== ... %>` are now recognised as cross-site scripting sinks. |
| 160 | +* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data. |
| 161 | + |
| 162 | +Swift |
| 163 | +""""" |
| 164 | + |
| 165 | +* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data. |
| 166 | + |
| 167 | +Deprecated APIs |
| 168 | +~~~~~~~~~~~~~~~ |
| 169 | + |
| 170 | +Java |
| 171 | +"""" |
| 172 | + |
| 173 | +* The :code:`PathCreation` class in :code:`PathCreation.qll` has been deprecated. |
| 174 | + |
| 175 | +New Features |
| 176 | +~~~~~~~~~~~~ |
| 177 | + |
| 178 | +C/C++ |
| 179 | +""""" |
| 180 | + |
| 181 | +* A :code:`getInitialization` predicate was added to the :code:`RangeBasedForStmt` class that yields the C++20-style initializer of the range-based :code:`for` statement when it exists. |
| 182 | + |
| 183 | +Shared Libraries |
| 184 | +---------------- |
| 185 | + |
| 186 | +Breaking Changes |
| 187 | +~~~~~~~~~~~~~~~~ |
| 188 | + |
| 189 | +Dataflow Analysis |
| 190 | +""""""""""""""""" |
| 191 | + |
| 192 | +* The :code:`edges` predicate contained in :code:`PathGraph` now contains two additional columns for propagating model provenance information. This is primarily an internal change without any impact on any APIs, except for specialised queries making use of :code:`MergePathGraph` in conjunction with custom :code:`PathGraph` implementations. Such queries will need to be updated to reference the two new columns. This is expected to be very rare, as :code:`MergePathGraph` is an advanced feature, but it is a breaking change for any such affected queries. |
0 commit comments