GitHub code scanning helps open source maintainers and organizations find potential vulnerabilities in their code, before these can make their way into deployments. CodeQL, our very own analysis engine, powers the majority of those checks. Over the past few months, we have been working hard to improve the depth and breadth of our analysis to cover more CWEs, add support for a host of new language versions, and improve our platform compatibility.
Before we dive into the details: If you haven’t tried GitHub code scanning with CodeQL yet, you can enable it now on your repositories by following this guide! It’s free for open-source projects and available as part of GitHub Advanced Security for our enterprise customers.
All improvements below are available to users of GitHub code scanning on GitHub.com today, and will be part of the next GitHub Enterprise Server release (GHES version 3.5). Users of other GHES versions can also update their CodeQL version to benefit from these analysis improvements straight away.
Language Support
Today, CodeQL already supports JavaScript/TypeScript, Python, Ruby, Java, C#, Go, and C/C++. These languages are themselves under constant development, and we now support the following language versions:
- C# 10 / .NET 6,
- Python 3.10,
- Java 17, and
- TypeScript 4.5
The standard language features in those language releases are now fully supported by CodeQL.
Performance and Compatibility
For our Linux users, we have fixed an issue that caused the CodeQL CLI to be incompatible with systems running glibc version 2.34 and older.
For users of the CodeQL Apple Silicon support (beta), we are now bundling a native Java runtime for improved performance. Rosetta 2 and macOS Developer Tools are still required for other CodeQL components.
Security Coverage
The Common Weakness Enumeration (CWE) system is an industry-standard way of cataloging insecure software development patterns. CodeQL runs hundreds of queries out of the box that are able to detect an even greater number of CWEs. We went back through our existing queries, and aligned dozens of them with updated CWE IDs to give users better insight into the potential impact of a security issue when an alert is flagged up by code scanning.
We’ve added and improved detection for a large number of CWEs. These are the most significant changes:
- CWE-190 – Integer Overflow: The
cpp/uncontrolled-arithmeticquery for C/C++ detects potential user-controlled inputs to calculations that could produce an overflow condition - CWE-319 – Cleartext Transmission of Sensitive Data: The
cpp/cleartext-transmissionquery for C/C++ detects network transmissions of sensitive data without encryption - CWE-120 – Buffer Overflow: The
cpp/very-likely-overrunning-writequery for C/C++ now detects cases of out-of-bounds writes based on advanced range analysis - CWE-732 – Incorrect Permission Assignment for Critical Resource: The
cpp/open-call-with-mode-argument(and optionalcpp/world-writable-file-creation) query for C/C++ detect issues that could lead to stack memory disclosure or attacker-writable files - CWE-295 – Improper Certificate Validation: The
java/insecure-trustmanagerquery for Java now detects missing or lax certificate handling that could lead to man-in-the-middle attacks - CWE-829 – Inclusion of Functionality from Untrusted Control Sphere: The
js/insecure-dependencyquery for JavaScript/TypeScript detects dependency downloads over unencrypted communication channels - CWE-347 – Improper Verification of Cryptographic Signature: The
js/jwt-missing-verificationquery for JavaScript/TypeScript detects scenarios in which a JWT payload is not verified with a cryptographic secret or public key - CWE-918 – Server-Side Request Forgery: SSRF detection queries for Python have been improved, and now differentiate between partially and fully (
py/full-ssrf) user-controlled URLs
Behind the scenes, we’re also working on support for mobile application security, with additional support for Kotlin and Swift on our roadmap. In the meantime, we’ve also added more coverage for mobile security issues for our existing Java support:
- CWE-266 – Incorrect Privilege Assignment: The
java/android/intent-uri-permission-manipulationquery detects Intent URI permission manipulation in Android applications - CWE-470 – Use of Externally-Controlled Input to Select Classes or Code: The
java/android/fragment-injectionandjava/android/fragment-injection-preference-activityqueries detect issues that could enable malicious applications to bypass access controls - CWE-927 – Use of Implicit Intent for Sensitive Communication: The
java/android/implicit-pendingintentsquery detects potential information disclosure through the use ofPendingIntents