This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.7.5 runs a total of 289 security queries when configured with the Default suite (covering 127 CWE). The Extended suite enables an additional 88 queries (covering 31 more CWE). 4 security queries have been added with this release.
CodeQL CLI
Deprecations
The CodeQL Action versions up to and including version 1.0.22 are now deprecated for use with CodeQL CLI 2.7.5 and later. The CLI will emit a warning if it detects that it is being used by a deprecated version of the codeql-action. This warning will become a fatal error with version 2.8.0 of the CLI.
The documentation for the --trace-process-level flag of codeql database init (which is used with indirect build tracing on Windows) was erroneous. The help text previously claimed that --trace-process-level=1 would inject CodeQL’s build tracer into the calling process. This is actually what --trace-process-level=0 achieves. The help text has now been corrected to match the actual (unchanged) behavior. Also, some log messages incorrectly stated which process CodeQL was injected into. These have also been corrected.
The codeql github upload-results command will now print the API response body in JSON format if a --format=json flag is given. Otherwise the command will print the URL of the SARIF upload. This URL can be used to get status information for the upload. See also: https://docs.github.com/en/rest/reference/code-scanning
For commands that run queries, the --timeout option now controls the maximal time it may take to evaluate a “layer” of a query rather than a “stage”. There are usually many “layers” in each “stage”, but it is usually a single one of the layers in a stage that uses most of the time, so there is no need to reduce existing timeout values as a result of this change.
TypeScript 4.5 is now supported.
The java/constant-comparison query no longer raises false alerts regarding comparisons with Unicode surrogate character literals.
Support for handlebars templates has improved. Raw interpolation tags of the form {{& ... }} are now recognized, as well as whitespace-trimming tags like {{~ ... }}.
Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are express and fastify.
js/missing-token-validation has been made more precise, yielding both fewer false positives and more true positives.
Added modeling of many functions from the os module that use file system paths, such as os.stat, os.chdir, os.mkdir, and so on. All of these are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
Added modeling of the tempfile module for creating temporary files and directories, such as the functions tempfile.NamedTemporaryFile and tempfile.TemporaryDirectory. The suffix, prefix, and dir arguments are all vulnerable to path-injection, and these are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
Extended the modeling of FastAPI such that fastapi.responses.FileResponse is considered a FileSystemAccess, making it a sink for the Uncontrolled data used in path expression (py/path-injection) query.
Added modeling of the posixpath, ntpath, and genericpath modules for path operations (although these are not supposed to be used), resulting in new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
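The tempfile sinks described above, as an added example that is not part of the CodeQL changelog or the CodeQL libraries: a request-controlled prefix reaching tempfile.NamedTemporaryFile (the shape py/path-injection now flags) beside a hardened version that allow-lists the fragment and verifies the created path. The 'uploads' directory, the '../escaped_' input and the 'report_' input are constructed for the demonstration.

```python
import os
import re
import tempfile

# Allow-list for user-influenced name fragments (no path separators possible).
_SAFE_FRAGMENT = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def escapes(base_dir: str, path: str) -> bool:
    """True if ``path`` does not resolve to a location under ``base_dir``."""
    root = os.path.realpath(base_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def vulnerable_tempfile(base_dir: str, user_prefix: str) -> str:
    """Shape flagged by py/path-injection: untrusted data reaches the ``prefix``
    argument of tempfile.NamedTemporaryFile (one of the sinks new in 2.7.5)."""
    with tempfile.NamedTemporaryFile(prefix=user_prefix, dir=base_dir,
                                     delete=False) as f:
        return f.name


def safe_tempfile(base_dir: str, user_prefix: str) -> str:
    """Hardened form: allow-list the fragment, then verify after creation that
    the file really lives under ``base_dir`` (defense in depth)."""
    if not _SAFE_FRAGMENT.fullmatch(user_prefix):
        raise ValueError("unsafe tempfile prefix")
    with tempfile.NamedTemporaryFile(prefix=user_prefix, dir=base_dir,
                                     delete=False) as f:
        path = f.name
    if escapes(base_dir, path):
        os.unlink(path)
        raise ValueError("temporary file escaped base_dir")
    return path


def demo() -> dict:
    """Constructed scenario: prefix '../escaped_' arrives from a simulated request."""
    with tempfile.TemporaryDirectory() as outer:
        uploads = os.path.join(outer, "uploads")
        os.mkdir(uploads)
        result = {"vulnerable_escaped": escapes(uploads, vulnerable_tempfile(uploads, "../escaped_"))}
        try:
            safe_tempfile(uploads, "../escaped_")
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
        result["safe_inside"] = not escapes(uploads, safe_tempfile(uploads, "report_"))
        return result
```

The same allow-list check applies to the suffix and dir arguments, which the changelog lists as sinks alongside prefix.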
Added modeling of wsgiref.simple_server applications, leading to new remote flow sources.
To support the new SSRF queries, the PyPI package requests has been modeled, along with http.client.HTTP[S]Connection from the standard library.
A new query cpp/certificate-not-checked has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
A new query cpp/certificate-result-conflation has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
Two new queries have been added for detecting Server-side request forgery (SSRF). Full server-side request forgery (py/full-ssrf) will only alert when the URL is fully user-controlled, and Partial server-side request forgery (py/partial-ssrf) will alert when any part of the URL is user-controlled. Only py/full-ssrf will be run by default.
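The full versus partial distinction above, as an added example that is not part of the changelog or the CodeQL queries: the two request shapes the queries target, using the http.client.HTTPSConnection sink that this release models (requests is left out so the block runs offline), beside a hardened builder that allow-lists the host and re-parses the assembled URL. The host api.example.com, the allow-list and the sample inputs are constructed for the example; no connection is opened.

```python
from __future__ import annotations

import re
from http.client import HTTPSConnection
from urllib.parse import urlsplit

# Constructed allow-list: the only upstream host this service may contact.
ALLOWED_HOSTS = frozenset({"api.example.com"})
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def request_target(url: str) -> tuple[str, int, str]:
    """(host, port, path) that http.client would connect to; nothing is sent."""
    p = urlsplit(url)
    return p.hostname or "", p.port or 443, p.path or "/"


def full_control(user_url: str) -> tuple[str, int, str]:
    """Shape flagged by py/full-ssrf: the entire URL is untrusted input."""
    return request_target(user_url)


def partial_control(user_suffix: str) -> tuple[str, int, str]:
    """Shape flagged by py/partial-ssrf: scheme and host look fixed, but a
    suffix carrying '@' or ':' still rewrites the authority when parsed."""
    return request_target("https://api.example.com" + user_suffix)


def hardened(user_segments: list[str]) -> tuple[HTTPSConnection, str]:
    """Validate each path segment, build the URL from a fixed base, then
    re-parse and check the host against the allow-list before connecting."""
    for seg in user_segments:
        if not _SAFE_SEGMENT.fullmatch(seg):
            raise ValueError(f"rejected path segment: {seg!r}")
    url = "https://api.example.com/v1/" + "/".join(user_segments)
    host, port, path = request_target(url)
    if urlsplit(url).scheme != "https" or host not in ALLOWED_HOSTS:
        raise ValueError("request would leave the allow-list")
    # HTTPSConnection opens no socket until .request() is called.
    return HTTPSConnection(host, port, timeout=5), path
```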
CharacterLiteral’s getCodePointValue predicate now returns the correct value for UTF-16 surrogates.
The RangeAnalysis module now properly handles comparisons with Unicode surrogate character literals.
Data flow now propagates taint from remote source Parameter types to read steps of their fields (e.g. tainted.publicField or tainted.getField()). This also applies to their subtypes and the types of their fields, recursively.
Added modeling of many functions from the os module that use file system paths, such as os.stat, os.chdir, os.mkdir, and so on.
Added modeling of the tempfile module for creating temporary files and directories, such as the functions tempfile.NamedTemporaryFile and tempfile.TemporaryDirectory.
Extended the modeling of FastAPI such that custom subclasses of fastapi.APIRouter are recognized.
Extended the modeling of FastAPI such that fastapi.responses.FileResponse is considered a FileSystemAccess.
Added modeling of the posixpath, ntpath, and genericpath modules for path operations (although these are not supposed to be used), resulting in new sinks.
Added modeling of wsgiref.simple_server applications, leading to new remote flow sources.
ConstantWriteAccess.getQualifiedName() has been deprecated in favor of getAQualifiedName(), which can return multiple possible qualified names for a given constant write access.
TypeScript 4.5 is now supported.
A new library, Customizations.qll, has been added, which allows for global customizations that affect all queries.