CodeQL 2.16: Python Dependency Installation Disabled, New Queries, and Bug Fixes

CodeQL 2.16.0 is now available to users of GitHub code scanning on github.com, and all new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

Important changes in this release include:

In July 2023, we disabled automatic dependency installation for new CodeQL code scanning setups that analyze Python code. With the release of CodeQL 2.16.0, dependency installation is disabled for all existing configurations as well. Projects that were installing dependencies during analysis should see shorter analysis times, without any significant impact on results. A fallback environment variable flag is available to ease the transition, but it will be removed in CodeQL 2.17.0. No action is required for Default setup users. Advanced setup users who previously set the setup-python-dependencies option in their CodeQL code scanning workflows are encouraged to remove it, as it no longer has any effect.

We fixed a bug that could cause CodeQL to consume more memory than configured when using the --ram flag. If you have used this flag to manually override the memory allocation limit for CodeQL, you may be able to increase it slightly to more closely match the system’s available memory. No action is required for users of the CodeQL Action (on github.com or in GHES) who are not using this flag, as memory limits are calculated automatically.

We added two new C/C++ queries: one detects pointer lifetime issues, and the other identifies places where the return value of scanf is not checked correctly. We added a new Java query that detects uses of weakly random values, which an attacker may be able to predict. We also improved the precision of several other queries and fixed potential false positives.
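The unchecked-scanf pattern that the new C/C++ query targets, as an added example (this is not CodeQL's query source or any project's code; the function names, format string and inputs are illustrative). The vulnerable form ignores the return value, so on a non-matching line the output variable is never written and the caller consumes an uninitialized value; the hardened form requires the conversion to succeed, rejects trailing junk with `%n`, and range-checks the result before trusting it:

```c
/* Added example: unchecked scanf-family return value, vulnerable and hardened.
 * Not CodeQL's query code; names and the "port=" format are illustrative. */
#include <stdio.h>

/* BUG: sscanf returns the number of successful conversions (or EOF), but the
 * result is ignored. If `line` does not match "port=%d", `port` is never
 * written and the function returns whatever was on the stack. This is the
 * shape of code the new query flags. */
int parse_port_unchecked(const char *line)
{
    int port;                          /* uninitialized on failure */
    sscanf(line, "port=%d", &port);    /* return value not checked */
    return port;
}

/* Hardened: exactly one conversion must succeed, the whole line must be
 * consumed (the %n directive records how many characters were read; it does
 * not count toward the return value), and the value must be a valid port.
 * Returns the port on success, -1 on any failure. */
int parse_port_checked(const char *line)
{
    int port = 0;
    int consumed = 0;
    if (sscanf(line, "port=%d%n", &port, &consumed) != 1)
        return -1;                     /* no conversion performed */
    if (line[consumed] != '\0')
        return -1;                     /* trailing garbage after the number */
    if (port < 1 || port > 65535)
        return -1;                     /* out of range for a TCP/UDP port */
    return port;
}

int main(void)
{
    /* Constructed sample inputs. The unchecked parser is only called with a
     * matching line here; on "prot=8080" its result would be undefined. */
    printf("unchecked, valid input: %d\n", parse_port_unchecked("port=443"));
    printf("checked,  'port=8080':   %d\n", parse_port_checked("port=8080"));
    printf("checked,  'prot=8080':   %d\n", parse_port_checked("prot=8080"));
    printf("checked,  'port=8080x':  %d\n", parse_port_checked("port=8080x"));
    printf("checked,  'port=70000':  %d\n", parse_port_checked("port=70000"));
    return 0;
}
```

The same discipline applies to every member of the family (scanf, fscanf, sscanf): compare the return value against the number of conversions you asked for, and never use an output argument when that comparison fails. Initializing the output variable, as the hardened version does, is a second line of defence rather than a substitute for the check.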
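The weakly random values that the new Java query looks for (java.util.Random used where an attacker must not be able to predict the output) have a direct counterpart in C's rand()/srand(), and this added example shows the failure mode there. It is not CodeQL's query or any project's code; the token format, window size and function names are illustrative. It generates a "reset token" from rand() seeded with the issue time, shows the seed search an attacker would run against it, and then replaces the generator with one that draws from the operating system's CSPRNG:

```c
/* Added example: predictable randomness, vulnerable and hardened.
 * Not CodeQL's or GitHub's code; names and the token format are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN 16
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz0123456789";
#define ALPHABET_SIZE (sizeof ALPHABET - 1)   /* 36, excluding the NUL */

/* BUG: rand() has a small internal state and the seed is the wall clock, so
 * anyone who can narrow down when the token was issued can regenerate it.
 * This is the C shape of the pattern the Java query reports. */
void make_token_weak(time_t issued_at, char out[TOKEN_LEN + 1])
{
    srand((unsigned)issued_at);
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = ALPHABET[rand() % ALPHABET_SIZE];
    out[TOKEN_LEN] = '\0';
}

/* Attacker model: try every seed in a window of plausible issue times.
 * Returns the seed that reproduces `target`, or -1 if none does. */
long recover_seed(const char *target, time_t from, time_t to)
{
    char guess[TOKEN_LEN + 1];
    for (time_t t = from; t <= to; t++) {
        make_token_weak(t, guess);
        if (strcmp(guess, target) == 0)
            return (long)t;
    }
    return -1;
}

/* Returns 1 when a ten-minute seed search recovers the issue time. */
int weak_token_is_recoverable(time_t issued_at)
{
    char tok[TOKEN_LEN + 1];
    make_token_weak(issued_at, tok);
    return recover_seed(tok, issued_at - 300, issued_at + 300) == (long)issued_at;
}

/* Hardened: bytes come from the OS CSPRNG. /dev/urandom is used for
 * portability across POSIX systems; getrandom(2) or arc4random_buf() are the
 * platform-specific alternatives. Values of 252..255 are rejected so that
 * `byte % 36` is uniform (256 is not a multiple of 36). Returns 0 or -1. */
int make_token_strong(char out[TOKEN_LEN + 1])
{
    const unsigned limit = 256 - (256 % ALPHABET_SIZE);   /* 252 */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    int i = 0;
    while (i < TOKEN_LEN) {
        int b = fgetc(f);
        if (b == EOF) { fclose(f); return -1; }
        if ((unsigned)b >= limit)
            continue;                              /* rejection sampling */
        out[i++] = ALPHABET[b % ALPHABET_SIZE];
    }
    fclose(f);
    out[TOKEN_LEN] = '\0';
    return 0;
}

/* Returns 1 when two strong tokens are well-formed and differ, -1 on I/O error. */
int strong_tokens_are_distinct(void)
{
    char a[TOKEN_LEN + 1], b[TOKEN_LEN + 1];
    if (make_token_strong(a) != 0 || make_token_strong(b) != 0)
        return -1;
    if (strlen(a) != TOKEN_LEN || strlen(b) != TOKEN_LEN)
        return 0;
    return strcmp(a, b) != 0;
}

int main(void)
{
    time_t now = time(NULL);
    char tok[TOKEN_LEN + 1];
    make_token_weak(now, tok);
    printf("weak token %s issued at %ld, recovered seed %ld\n",
           tok, (long)now, recover_seed(tok, now - 300, now + 300));
    if (make_token_strong(tok) == 0)
        printf("strong token %s\n", tok);
    return 0;
}
```

The seed search above covers 601 candidates and runs in well under a second; widening it to a day is still only 86,400 calls. The fix is not a better seed but a different source: a CSPRNG whose output is unpredictable regardless of what the attacker knows about timing, which is exactly the distinction the Java query draws between java.util.Random and java.security.SecureRandom.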

The count of scanned Go files shown in the code scanning UI now includes partially extracted files, since this more accurately reflects the sources of extracted information even when parts of a file could not be analyzed. We will gradually roll this change out to all supported languages.

We fixed a bug that led to errors in build commands for Swift analyses on macOS that included the codesign tool.

For a full list of changes, please refer to the complete changelog for version 2.16.0 and 2.15.5.

Last month, we announced our plan to migrate from a strategy where student repositories are created from a template starter code repository to a strategy where student repositories are forked from the starter code repository.

Today, we are launching these changes as a Public Beta that you can opt into on a per-classroom basis. To opt in a Classroom, click the “Opt-in this classroom” button on the banner displayed at the top of that Classroom's Dashboard.

We anticipate generally rolling out these changes to all Classrooms on June 17, 2024.

This public beta allows us to enable one of our most-requested features from teachers: the ability to change starter code after an assignment has been accepted by students. Students will be able to sync their assignment repository with the upstream starter code, allowing teachers to correct starter code mistakes or add additional content after the assignment has gone live to students.

Because there are important differences between creating a repository from a template and forking a repository, there are important changes in behavior for both new and existing assignments in GitHub Classroom. We recommend reviewing the following new behaviors and making adjustments to your assignments if necessary.

Important Changes for Classrooms in the Public Beta

  • All new accepted assignments will be forks, including existing assignments that were created with a template repository. Existing assignment repositories will not be changed, so they will not be able to sync changes from upstream.
  • Starter code assignments cannot be empty. If you are using a starter code repository without any commits, students will not be able to accept your assignment. GitHub Classroom will enforce this requirement for new assignments, but you will need to manually create an initial commit to existing empty starter code repositories in order for students to accept assignments.
  • Starter code commits will no longer be automatically squashed in student repos. A new fork includes the entire commit history of the parent repository, while a repository created from a template starts with a single commit. This affects teachers who have assignment solutions anywhere in the commit history of the starter code, since students will be able to read that history. If you previously had solutions filled in the starter code, we recommend using Git on the command line or GitHub Desktop to squash the starter code repository's commits before distributing the assignment to students.
  • In order to enable private assignments, your organization must allow forking private repositories. Forking private repositories is not enabled for organizations by default. See managing the forking policy for your organization for information on how to enable this. During the Public Beta, our team is exploring options for automating this step.
  • Student repository visibility will be inherited from the starter code repository. Forks of public repositories cannot be made private on GitHub. As a result, if you wish to use a public template repository as starter code for an assignment where student repositories should remain private, we recommend creating a new repository from the public template and setting it to private prior to using it as starter code in a GitHub Classroom assignment. During the Public Beta, our team is exploring options to automate this step.
  • Private repositories must be in the same organization as the Classroom in order to be used as starter code. If you wish to use a private repository as starter code for an assignment that is housed under your user account or in another organization, we recommend configuring it to be a template repository and creating a new private repository from the template in the same organization as the Classroom prior to using it as starter code in a GitHub Classroom assignment. During the Public Beta, our team is exploring options to automate this extra step.

Today's changelog brings you project status updates and an updated issues side panel in Projects!

🟢 Project status updates

You can now provide high level details on the status, timing, and progress of your project, directly from the project! This makes it easy to know and share with others how your work is progressing, any risks, and a history of when and why something changed, all in the same place where you're tracking your work.

You can access status updates from the Project details panel, where you can also add a short description or README with additional project information. Select Add update to give your project a Status, Start date, or Target date, along with additional details or mentioning another user or team. You can also edit, delete, or copy a link to a specific update to make it easy to share with others.

Once you add a status update to a project, you'll find it visible in the project header and the project index pages, so you can quickly find and access the high level details for all of your projects in a single place and drill in for more information.

[Screenshot: project index page showing the description and start / end dates next to the project name]

For more details, check out the documentation.

🛝 Issues side panel in Projects

Projects has an updated issues side panel which matches the design of issues reached from a repository. In addition to providing a consistent experience, this update also means that issues accessed from a project have all timeline events and include any other projects the issue is a part of, making it easier to manage issues from either a project or a repository.

[Screenshot: a project with an open issue page in a side panel]

Bug fixes and improvements

  • Fixed a bug where labels were being unexpectedly changed on issues when adding them to a project
  • Improved the workflow name editing experience by providing a dialog
  • Improved keyboard focus and navigation on the Insights and Workflows pages

✍️ Tell us what you think!

Join the conversation in the community discussion to share your feedback.

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the documentation.
