Generated SBOM files will now include a package URL when a manifest file includes a range

June 11, 2024

Until this release, when a manifest file included a version range of a package (e.g. version < 3), when GitHub generated an SBOM for that package, it would not include a package URL (purl). We have improved SBOM generation so that now, when a manifest file references a package in a range, we will include the purl, but not the version field, which is an optional element in the specification. This will result in more complete data than we'd previously generated in the SBOM, helping users more clearly identify the packages being used in their repository.

CodeQL 2.17.4: Autofixes for Extended queries, faster C++ PR scans

June 11, 2024

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.4 has been released and has now been rolled out to code scanning users on GitHub.com.

This changelog combines significant updates from the release of CodeQL 2.17.2,2.17.3, and 2.17.4:

Copilot-powered autofixes are now available for queries that are part of the Extended query suite for languages supported by autofix (JS/TS, Go, Java, C#, Ruby, Python).
All the local query variants have been removed from Java. Their behaviour can be replicated by using local threat models.
Better caching for C++ analyses on pull requests improves scan times by a median 12%.
Added support for C/C++ ZeroMQ (ZMQ) library, the Python pyramid framework and gradio package.
A new query cpp/iterator-to-expired-containerto detect the creation of iterator owned by temporary objects that are about to be destroyed.
The py/header-injection query has been promoted to the main query pack and renamed to py/http-response-splitting.

For a full list of changes, please refer to the complete changelog for versions 2.17.2, 2.17.3, and 2.17.4. All new functionality will also be included in GHES 3.14. Users of GHES 3.13 or older can upgrade their CodeQL version.

See more See more

Account picker updates for OAuth and GitHub App sign-in

June 7, 2024

apps

For security and convenience, we’ve updated how the account picker can be triggered during sign-in to an OAuth or GitHub Application. Some apps will see it all of the time, while all apps are able to trigger it manually.

Native apps (an app with a callback URI that doesn’t lead to an https:// destination) will now always receive the account picker to ensure that users get an opportunity to verify the application and change accounts if need be.

We’ve also added support for the standard prompt parameter with the select_account argument, which an app can provide during the OAuth authorization request to /authorize. This parameter forces the account picker to appear during authentication, interrupting what can otherwise be an instant authentication flow. We recommend using this parameter to better support multiple accounts at once in your app, if a user indicates they want to use another account in your app.

To force the account picker, append the following alongside your client ID and redirect URI parameters when you send the user to GitHub to sign in: &prompt=select_account.

As before, users with multiple signed in accounts will always see the account picker on each authentication.

To learn more about query parameters in the OAuth flow, see Authorizing OAuth Apps and Generating a user access token for a GitHub App.

See more See more

View all changes