CodeQL documentation
CodeQL resources

CodeQL 2.21.0 (2025-04-03)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.21.0 runs a total of 452 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 35 more CWE). 1 security query has been added with this release.

CodeQL CLI

Miscellaneous

  • On macOS the CODEQL_TRACER_RELOCATION_EXCLUDE environment variable can now be used to exclude certain paths from the tracer relocation and tracing process. This environment variable accepts newline-separated regex patterns of binaries to be excluded.

Query Packs

Bug Fixes

JavaScript/TypeScript

  • Fixed a bug, first introduced in 2.20.3, that would prevent v-html attributes in Vue files from being flagged by the js/xss query. The original behaviour has been restored and the v-html attribute is once again functioning as a sink for the js/xss query.

  • Fixed a bug that would in rare cases cause some regexp-based checks to be seen as generic taint sanitisers, even though the underlying regexp is not restrictive enough. The regexps are now analysed more precisely, and unrestrictive regexp checks will no longer block taint flow.

  • Fixed a recently-introduced bug that caused js/server-side-unvalidated-url-redirection to ignore valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.

Python

  • The py/unused-global-variable now no longer flags variables that are only used in forward references (e.g. the Foo in def bar(x: "Foo"): ...).

GitHub Actions

  • Fixed typos in the query and alert titles for the queries actions/envpath-injection/critical, actions/envpath-injection/medium, actions/envvar-injection/critical, and actions/envvar-injection/medium.

Major Analysis Improvements

Java/Kotlin

  • Updated the java/unreleased-lock query so that it no longer report alerts in cases where a boolean variable is used to track lock state.

Minor Analysis Improvements

C/C++

  • Fixed a bug in the models for Microsoft’s Active Template Library (ATL).

  • The query “Use of basic integral type” (cpp/jpl-c/basic-int-types) no longer produces alerts for the standard fixed width integer types (int8_t, uint8_t, etc.), and the _Bool and bool types.

C#

  • Improved dependency resolution in build-mode: none extraction to handle failing dotnet restore processes that managed to download a subset of the dependencies before the failure.

  • Increase query precision for cs/useless-gethashcode-call by not flagging calls to GetHashCode on uint, long and ulong.

  • Increase query precision for cs/constant-condition and allow the use of discards in switch/case statements and also take the condition (if any) into account.

  • The cs/local-not-disposed query no longer flags un-disposed tasks as this is often not needed (explained here).

  • Increase query precision for cs/useless-assignment-to-local and cs/constant-condition when unknown types are involved (mostly relevant for build-mode: none databases).

  • Don’t consider an if-statement to be useless in cs/useless-if-statement if there is at least a comment.

Golang

  • False positives in “Log entries created from user input” (go/log-injection) and “Clear-text logging of sensitive information” (go/clear-text-logging) which involved the verb %T in a format specifier have been fixed. As a result, some users may also see more alerts from the “Use of constant state value in OAuth 2.0 URL” (go/constant-oauth2-state) query.

Java/Kotlin

  • Fixed a false positive in “Time-of-check time-of-use race condition” (java/toctou-race-condition) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.

  • Overrides of BroadcastReceiver::onReceive with no statements in their body are no longer considered unverified by the java/improper-intent-verification query. This will reduce false positives from onReceive methods which do not perform any actions.

Python

  • The py/special-method-wrong-signature has been modernized and rewritten to no longer rely on outdated APIs. Moreover, the query no longer flags cases where a default value is never used, as these alerts were rarely useful.

New Queries

C#

  • Added a new query, csharp/path-combine, to recommend against the Path.Combine method due to it silently discarding its earlier parameters if later parameters are rooted.

Java/Kotlin

  • Added a new quality query, java/empty-method, to detect empty methods.

  • The query java/spring-boot-exposed-actuators has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the CodeQL Community Packs. This query was originally submitted as an experimental query by @ggolawski.

Swift

  • Added a new summary query counting the total number of extracted AST nodes.

Language Libraries

Bug Fixes

Java/Kotlin

  • In build-mode: none where the project has a Gradle build system, database creation no longer attempts to download some non-existent jar files relating to non-jar Maven artifacts, such as BOMs. This was harmless, but saves some time and reduces spurious warnings.

  • Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.

  • Java build-mode none no longer fails when a required version of Gradle cannot be downloaded using the gradle wrapper command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.

  • Java build-mode none no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.

  • Java build-mode none now correctly uses Maven dependency information on Windows platforms.

Python

  • MatchLiteralPatterns such as case None: ... are now never pruned from the extracted source code. This fixes some situations where code was wrongly identified as unreachable.

GitHub Actions

  • The query actions/code-injection/medium now produces alerts for injection vulnerabilities on pull_request events.

Major Analysis Improvements

JavaScript/TypeScript

  • Added support for TypeScript 5.8.

Minor Analysis Improvements

C#

  • The models for System.Uri have been modified to better model the flow of tainted URIs.

  • Modeled parameter passing between Blazor parent and child components.

Golang

  • We no longer track taint into a sync.Map via the key of a key-value pair, since we do not model any way in which keys can be read from a sync.Map.

  • database source models have been added for v1 and v2 of the github.com/couchbase/gocb package.

  • Added database source models for the github.com/Masterminds/squirrel ORM package.

Java/Kotlin

  • Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.

  • Added a path injection sanitizer for calls to java.lang.String.matches, java.lang.String.replace, and java.lang.String.replaceAll that make sure ‘/’, ‘', ‘..’ are not in the path.

JavaScript/TypeScript

  • Added support for additional fs-extra methods as sinks in path-injection queries.

  • Added support for the newer version of Hapi with the @hapi/hapi import and server function.

  • Improved modeling of the node:fs module: await-ed calls to read and readFile are now supported.

  • Added support for the @sap/hana-client, @sap/hdbext and hdb packages.

  • Enhanced axios support with new methods (postForm, putForm, patchForm, getUri, create) and added support for interceptors.request and interceptors.response.

  • Improved support for got package with Options, paginate() and extend()

  • Added support for the ApolloServer class from @apollo/server and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.

  • Improved support for superagent to handle the case where the package is directly called as a function, or via the .del() or .agent() method.

  • Added support for the underscore.string package.

  • Added additional flow step for unescape() and escape().

  • Added support for the @tanstack/vue-query package.

  • Added taint-steps for unescape().

  • Added support for the @tanstack/angular-query-experimental package.

  • Improved support for the @angular/common/http package, detecting outgoing HTTP requests in more cases.

  • Improved the modeling of the markdown-table package to ensure it handles nested arrays properly.

  • Added support for the react-relay library.

Python

  • Added the methods getMinArguments and getMaxArguments to the Function class. These return the minimum and maximum positional arguments that the given function accepts.

New Features

C/C++

  • Added Node.asUncertainDefinition and Node.asCertainDefinition to the DataFlow::Node class for querying whether a definition overwrites the entire destination buffer.

JavaScript/TypeScript

  • Extraction now supports regular expressions with the v flag, using the new operators:

    • Intersection &&

    • Subtraction --

    • q quoted string

  • © GitHub, Inc.
  • Terms
  • Privacy