From 353cd31ce6516ad6aa28e17f73846587ba0df7d0 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 6 Feb 2026 18:09:49 +0000 Subject: [PATCH 1/6] update codeql documentation --- .../codeql-changelog/codeql-cli-2.19.1.rst | 2 +- .../codeql-changelog/codeql-cli-2.21.3.rst | 2 +- .../codeql-changelog/codeql-cli-2.22.3.rst | 2 +- .../codeql-changelog/codeql-cli-2.23.1.rst | 4 +- .../codeql-changelog/codeql-cli-2.24.1.rst | 132 ++++++++++++++++++ .../codeql-changelog/index.rst | 1 + 6 files changed, 138 insertions(+), 5 deletions(-) create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.1.rst diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst index f2948d0db67c..39d4d36537cf 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst @@ -129,7 +129,7 @@ Java/Kotlin """"""""""" * The Java extractor and QL libraries now support Java 23. -* Kotlin versions up to 2.1.0\ *x* are now supported. +* Kotlin versions up to 2.1.0*x* are now supported. Python """""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst index 71a8e3a68240..fffe94c04b80 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst @@ -144,7 +144,7 @@ New Features Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). +* Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). Swift """"" 
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst index 4f1d34ff2ddd..8e5a18a0c74a 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst @@ -98,4 +98,4 @@ C/C++ Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.2\ *x* are now supported. +* Kotlin versions up to 2.2.2*x* are now supported. diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index ff22a3f647cf..27f1eee84edc 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__\ ! Python """""" 
@@ -126,7 +126,7 @@ Golang """""" * The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go. -* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning. +* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning. Java/Kotlin """"""""""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.1.rst new file mode 100644 index 000000000000..71a2b3fb47ec --- /dev/null +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.1.rst 
@@ -0,0 +1,132 @@ +.. _codeql-cli-2.24.1: + +========================== +CodeQL 2.24.1 (2026-02-05) +========================== + +.. contents:: Contents + :depth: 2 + :local: + :backlinks: none + +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__. + +Security Coverage +----------------- + +CodeQL 2.24.1 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). + +CodeQL CLI +---------- + +Miscellaneous +~~~~~~~~~~~~~ + +* The vulnerable xwork-core 2.3.37 test dependency (CVE-2025-68493) has been removed. The CodeQL Java library has been updated to support both legacy Struts 2.x-6.x package names and Struts 7.x package names for analyzing user code. + +Language Libraries +------------------ + +Bug Fixes +~~~~~~~~~ + +C/C++ +""""" + +* Fixed a bug in the :code:`GuardCondition` library which sometimes prevented binary logical operators from being recognized as guard conditions. As a result, queries using :code:`GuardCondition` may see improved results. +* Fixed a bug which caused :code:`Node.asDefinition()` to not have a result for certain assignments. + +Java/Kotlin +""""""""""" + +* Kotlin: The Kotlin extractor now registers as the last IR generation extension, ensuring that code generated by other compiler plugins (such as kotlinx.serialization) is correctly captured. + +GitHub Actions +"""""""""""""" + +* Fixed a crash when analysing a :code:`${{ ... }}` expression over around 300 characters in length. 
+ +Breaking Changes +~~~~~~~~~~~~~~~~ + +Java/Kotlin +""""""""""" + +* Support for Kotlin 1.6.x and 1.7.x series has been dropped + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C/C++ +""""" + +* The :code:`Buffer.qll` library will no longer report incorrect buffer sizes on certain malformed databases. As a result, the queries :code:`cpp/static-buffer-overflow`, :code:`cpp/overflow-buffer`, :code:`cpp/badly-bounded-write`, :code:`cpp/overrunning-write`, :code:`cpp/overrunning-write-with-float`, and :code:`cpp/very-likely-overrunning-write` will report fewer false positives on such databases. +* Added :code:`taint` summary models and :code:`sql-injection` barrier models for the MySQL :code:`mysql_real_escape_string` and :code:`mysql_real_escape_string_quote` escaping functions. +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. + +C# +"" + +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. +* C# 14: Support for null-conditional assignments (such as :code:`c?.Prop = p`). Furthermore, the :code:`MaybeNullExpr` class now takes null-conditional access (such as :code:`?.`) into account when modeling potential null values. + +Golang +"""""" + +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. 
+ +Java/Kotlin +""""""""""" + +* Added support for Struts 7.x package names in the Struts framework library. The library now recognizes both the legacy :code:`com.opensymphony.xwork2` package names (Struts 2.x-6.x) and the new :code:`org.apache.struts2` package names (Struts 7.x+), maintaining backward compatibility while enabling analysis of code using the latest Struts versions. +* The query :code:`java/unreleased-lock` no longer applies to lock types with names ending in "Pool", as these typically manage a collection of resources and the :code:`lock` and :code:`unlock` methods typically only lock one resource at a time. This may lead to a reduction in false positives. +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. +* When Maven-compatible private package registries are configured for an organisation for Default Setup, CodeQL will now configure Maven to also use these as plugin repositories. CodeQL previously already configured Maven to use them as regular package repositories. This should now allow Maven plugins to be obtained from private registries. + +JavaScript/TypeScript +""""""""""""""""""""" + +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. + +Python +"""""" + +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. 
+* Added experimental query :code:`py/prompt-injection` to detect potential prompt injection vulnerabilities in code using LLMs. +* Added taint flow model and type model for :code:`agents` and :code:`openai` modules. +* Remote flow sources for the :code:`websockets` package have been modeled. + +Ruby +"""" + +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. + +Swift +""""" + +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. + +Rust +"""" + +* The predicate :code:`SummarizedCallable.propagatesFlow` has been extended with the columns :code:`Provenance p` and :code:`boolean isExact`, and as a consequence the predicates :code:`SummarizedCallable.hasProvenance` and :code:`SummarizedCallable.hasExactModel` have been removed. +* Added type inference support for the :code:`FnMut(..) -> ..` and :code:`Fn(..) -> ..` traits. They now work in type parameter bounds and are implemented by closures. + +New Features +~~~~~~~~~~~~ + +C/C++ +""""" + +* Added a subclass :code:`Embed` of :code:`PreprocessorDirective` for C23 and C++26 :code:`#embed` preprocessor directives. +* Added modules :code:`DataFlow::ParameterizedBarrierGuard` and :code:`DataFlow::ParameterizedInstructionBarrierGuard`. These modules provide the same features as :code:`DataFlow::BarrierGuard` and :code:`DataFlow::InstructionBarrierGuard`, but allow for an additional parameter to support properly using them in dataflow configurations that uses flow states. + +Java/Kotlin +""""""""""" + +* Kotlin versions up to 2.3.0 are now supported. 
+ +Python +"""""" + +* It is now possible to refer to list elements in the Python models-as-data language, via the :code:`ListElement` path. diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst index fbdaac4a7d8f..318366d1e69d 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/index.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst @@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here Date: Fri, 6 Feb 2026 12:11:49 -0600 Subject: [PATCH 2/6] Update codeql-cli-2.19.1.rst --- .../codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst index 39d4d36537cf..f2948d0db67c 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst @@ -129,7 +129,7 @@ Java/Kotlin """"""""""" * The Java extractor and QL libraries now support Java 23. -* Kotlin versions up to 2.1.0*x* are now supported. +* Kotlin versions up to 2.1.0\ *x* are now supported. Python """""" From 79ad064a93cb2af28cb73ef49f9dcde0efdcbc96 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Fri, 6 Feb 2026 12:12:16 -0600 Subject: [PATCH 3/6] Fix formatting in Kotlin version support note --- .../codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst index fffe94c04b80..71a8e3a68240 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst 
@@ -144,7 +144,7 @@ New Features Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). +* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). Swift """"" From bf6568b9280203c40ba3f203881eeea90cd6a635 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Fri, 6 Feb 2026 12:12:55 -0600 Subject: [PATCH 4/6] Fix formatting for Kotlin version support note --- .../codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst index 8e5a18a0c74a..4f1d34ff2ddd 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst @@ -98,4 +98,4 @@ C/C++ Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.2*x* are now supported. +* Kotlin versions up to 2.2.2\ *x* are now supported. From c40d784a4d981ab7f9266d1c3fd73697640bbef5 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Fri, 6 Feb 2026 12:13:34 -0600 Subject: [PATCH 5/6] Update codeql-cli-2.23.1.rst --- .../codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index 27f1eee84edc..241b1a8f9d8b 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst 
@@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__\ ! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__! Python """""" From 5bf2d9442e0550e6d11a2dc6e0f42490fcc020ba Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Fri, 6 Feb 2026 12:14:03 -0600 Subject: [PATCH 6/6] Fix formatting in changelog for Go path injection query --- .../codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index 241b1a8f9d8b..ff22a3f647cf 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst 
@@ -126,7 +126,7 @@ Golang """""" * The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go. -* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning. +* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning. Java/Kotlin """""""""""
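Review bot: In the three `codeql-cli-2.19.1.rst`, `codeql-cli-2.21.3.rst` and `codeql-cli-2.22.3.rst` hunks of the first patch, dropping the escaped space in `2.1.0\ *x*` (and `2.2.0\ *x*`, `2.2.2\ *x*`) breaks the emphasis: reStructuredText only recognises `*` as an inline-markup start when it is preceded by whitespace or an opening punctuation character, so `2.1.0*x*` renders as literal asterisks instead of an italic *x*. The `\ ` form is the standard idiom for attaching markup to a preceding word. Patches 2, 3 and 4 revert these three lines by hand, so the series nets out to no change there but leaves five fix-up commits on top of a bot commit; either squash patches 2 to 6 into patch 1, or fix the generator so it does not rewrite previously corrected changelog files on every run, otherwise the next bot run will flatten them again.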
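Review bot: In the `codeql-cli-2.23.1.rst` Golang hunk of the first patch, replacing ``\`` with :code:`\` is not equivalent: inside an interpreted-text role, backslash is an escape character, so `\`` escapes the closing backtick and the :code: role is never terminated, whereas inside a double-backtick inline literal the backslash is taken literally. The inline-literal form is the correct one for a lone backslash. Patch 6 restores it, which is the right outcome; the change should simply not have been generated in the first place.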
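Review bot: In the `codeql-cli-2.23.1.rst` JavaScript/TypeScript hunk of the first patch, inserting `\ ` before the `!` after the hyperlink end-string is unnecessary rather than wrong: `!` is punctuation and is permitted directly after `__`, so both `` `__! `` and `` `__\ ! `` render the same. Patch 5 reverts it to the shorter form, which is fine, but this is a third example of the generator and the hand-edited files disagreeing on escaping; worth fixing at the source.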
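Review bot: In the new `codeql-cli-2.24.1.rst`, the Breaking Changes entry "Support for Kotlin 1.6.x and 1.7.x series has been dropped" is missing its terminating period and, unlike the corresponding 2.21.3 entry ("Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0)"), does not state what the new minimum supported Kotlin version is; readers pinning a toolchain need that number. Also, the CodeQL CLI "Miscellaneous" entry about the xwork-core test dependency restates the Struts 7.x package-name support that the Java/Kotlin "Minor Analysis Improvements" entry already covers in more detail; the CLI entry could be trimmed to the dependency removal and point at the Java entry.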
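Review bot: In the new `codeql-cli-2.24.1.rst`, the `SummarizedCallable.propagatesFlow` change is filed under "Minor Analysis Improvements" for all eight languages, but it removes the public predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel`, which will break any custom query or library that calls them. That belongs under "Breaking Changes", ideally as a single cross-language entry rather than the same sentence repeated eight times, with a one-line migration hint (read the new `Provenance p` and `boolean isExact` columns of `propagatesFlow` instead).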