Skip to content

Easily customize code scanning using CodeQL model packs for Java (beta)

With CodeQL model packs for Java, users can improve their code scanning results by ensuring that any custom Java libraries and frameworks used by their codebase are recognised by CodeQL.

The out-of-the-box CodeQL threat models provide great coverage for identifying large numbers of potential vulnerabilities in GitHub repositories using code scanning. We are continually working to improve CodeQL's ability to recognize and track potential sources of untrusted data to potentially-vulnerable locations ('sinks'). To do that, we keep a close eye on the most widely-used open-source libraries and frameworks. That way, CodeQL can recognize untrusted data that enters an application through, for example, commonly-used web frameworks. We are even using advances in AI to boost our threat modeling efforts and help developers write even more secure code.

There will always be cases which are not covered by CodeQL's standard threat models, such as custom-built or inner-sourced frameworks and libraries. Using CodeQL's new model pack functionality for Java (beta), security teams and security-conscious developers can create custom models that help CodeQL detect and flag additional security vulnerabilities. These custom model packs work seamlessly in GitHub code scanning, which means developers get the most relevant code scanning alerts during their day-to-day work.

CodeQL model packs are part of the CodeQL package management ecosystem. The packs contain structured data which describe whether a method within a library is a taint source, sink, or propagator (also known as a flow summary). You can create CodeQL model packs for Java using the CodeQL model editor, a new feature in the CodeQL extension for VS Code. The CodeQL model editor includes support for:

  • identifying methods in your codebase that aren't recognised by the standard CodeQL analysis
  • interactively classifying those methods as a source, sink, or summary
  • automatically generating a CodeQL model pack that can be easily added to code scanning.

For more information about using CodeQL model packs in code scanning, see:

For more information about using the CodeQL model editor, see Using the CodeQL model editor.

After a successful public beta, we're launching support for Bitbucket Server and Bitbucket Data Center migrations in GitHub Enterprise Importer.

You can now easily use GitHub Enterprise Importer to migrate your source code, revision history, pull requests, reviews and comments when moving to GitHub from your self-hosted Bitbucket instance.

To learn more about the benefits of switching from Bitbucket to GitHub, check our brand new blog post.

For a step-by-step guide on migrating from Bitbucket Server or Bitbucket Data Center, check out "Migrating repositories from Bitbucket Server to GitHub Enterprise Cloud" in the GitHub Docs.

If you have feedback or questions, please join our Community Discussion.

See more

GitHub Actions Importer now supports migrations from Bitbucket, Bamboo Server, and Bamboo Data Center. Companies using those tools can plan, test, and automate the migration of pipelines to GitHub Actions more easily than ever before.

GitHub Actions Importer is available via the GitHub CLI or IssueOps. To get started, please visit our docs. For questions and feedback, check out the GitHub Actions Importer community.

See more