Releases: github/codeql-cli-binaries

v2.21.1

22 Apr 13:05

Bugs fixed

  • Fixed a bug in CodeQL analysis for GitHub Actions in the presence of a code scanning configuration file containing paths-ignore exclusion patterns but not paths inclusion patterns.
    Previously, such a configuration incorrectly led to all YAML, HTML, JSON, and JS source files being extracted, except for those filtered by paths-ignore. This in turn led to performance issues on large codebases. Now, only workflow and Action metadata YAML files relevant to the GitHub Actions analysis will be extracted, except for those filtered by paths-ignore. This matches the default behavior when no configuration file is provided.
    The handling of paths inclusion patterns is unchanged: if provided, only those paths will be considered, except for those filtered by paths-ignore.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.21.1.

v2.21.0

03 Apr 13:46
c22b8bd

Miscellaneous

  • On macOS the CODEQL_TRACER_RELOCATION_EXCLUDE environment variable can now be used to exclude certain paths from the tracer relocation and tracing process. This environment variable accepts newline-separated regex patterns of binaries to be excluded.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.21.0.

v2.20.7

18 Mar 12:38
94ae9b6
  • There are no user-facing changes in this release.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.7.

v2.20.6

06 Mar 15:11

Miscellaneous

  • The CodeQL XML extractor is now able to parse documents in a wider array of character sets.

  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.6.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.6.

v2.20.5

20 Feb 14:43

Release 2.20.5 (2025-02-20)

Breaking changes

  • Removed support for QlBuiltins::BigInts in the avg() aggregate.

  • A number of breaking changes have been made to the C and C++ CodeQL test environment as used by codeql test run.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.5.

v2.20.4

06 Feb 11:09
9a8c347

New features

  • Using the actions language (for analysis of GitHub Actions workflows) no longer requires
    the CODEQL_ENABLE_EXPERIMENTAL_FEATURES environment variable to be set. Support for analysis
    of GitHub Actions workflows remains in public preview.

Bugs fixed

  • Fixed a bug where CodeQL for Java would fail with an SSL exception while trying to download Maven.

Miscellaneous

  • The build of the logback-core library that is used for logging in the CodeQL CLI has been updated to version 1.3.15.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.4.

v2.20.3

24 Jan 15:51

Security Updates

  • Resolves a security vulnerability where CodeQL databases or logs produced by the CodeQL CLI may contain the environment variables from the time of
    database creation. This includes any secrets stored in environment variables. For more information, see the
    CodeQL CLI security advisory.

    All users of CodeQL should follow the advice in the CodeQL advisory mentioned above or upgrade to this version or a later version of CodeQL.

    If you are using the CodeQL Action, also see the related CodeQL Action security advisory.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.3.

v2.20.2

22 Jan 14:47
1fa8741

Improvements

  • codeql database create and codeql database finalize now write relations to disk in a new, compressed format. As a result, databases will generally take up less space on disk, whether zipped or unzipped. Note that databases in this format can only be read and analyzed using CodeQL version 2.20.1 onwards. Attempting to analyze such a database with CodeQL version 2.20.0 or older will fail, with an error message like the following:
    UnsortedExtensionalError: Tuples that were assumed to be in order are not: [123456777, 777654321, 123456777]<[777654321, 123456777, 777654321]
    

Enhancements

  • Added the .bitLength() method to QlBuiltins::BigInt.

Bugs Fixed

  • Fixed a bug where CodeQL would crash on rare occasions while merging SARIF files before uploading results.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.2.

v2.20.1

09 Jan 21:51

Improvements

  • Automatic installation of dependencies for C++ autobuild is now supported on Ubuntu 24.04.

  • The CLI will now warn if it detects that it is installed in a
    location where it is likely to cause performance issues. This
    includes: user home, desktop, downloads, or the file system root.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.1.

v2.20.0

09 Dec 17:28

Known issues

  • The Windows executable for this release is labeled with an incorrect version number within its properties: the version number should be 2.20.0 rather than 2.19.4. codeql version reports the correct version number.

New features

  • The QlBuiltins::BigInt type of arbitrary precision integers is generally available and no longer hidden behind the --allow-experimental=bigint CLI feature flag.

Miscellaneous

  • Backslashes are now escaped when writing output in the Graphviz DOT format (--format=dot).
  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.5.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.0.