CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.23.0, which introduces a new Rust security query, promotes a Java Spring Boot security query, and includes a faster Rust extractor.

Language and framework support

  • C/C++: Added flow summaries for the Microsoft::WRL::ComPtr member functions. The new dataflow and taint-tracking library now resolves virtual function calls more precisely. This results in fewer false positives when running these queries on C++ projects.
  • C#: Fixed a bug in the data flow analysis, which means that flow through calls using the base qualifier may now be tracked more accurately. The default taint tracking configuration now allows implicit reads from collections at sinks and in additional flow steps. This increases flow coverage for many taint tracking queries and helps reduce false negatives.
  • Rust: Removed path resolution from the Rust extractor, making extraction faster and more reliable. We also improved the modeling of the std::fs, async_std::fs, and tokio::fs libraries, which may cause more alerts to be found by Rust injection queries, particularly rust/path-injection.

Query changes

We have also made improvements and additions to queries across several languages:

  • Java:
    • Promoted the query java/insecure-spring-actuator-config from experimental to the main query pack as java/spring-boot-exposed-actuators-config. This query detects exposure of Spring Boot actuators through configuration files, and its results will now appear by default. Thank you to @luchua-bc who submitted the original experimental query!
    • Fixed a bug that was causing false negatives in rare cases in the query java/dereferenced-value-may-be-null.
    • Removed the java/empty-statement query that was subsumed by the java/empty-block query.
  • Python:
    • Modernized the py/unexpected-raise-in-special-method query so it produces additional results in cases where the exception is only raised conditionally.
    • Modernized the queries py/incomplete-ordering, py/inconsistent-equality, and py/equals-hash-mismatch with improved documentation. They no longer produce alerts for problems specific to Python 2.
  • Rust:
    • Added a new query for Rust, rust/log-injection, for detecting cases where log entries could be forged by a malicious user.
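To illustrate the bug class that rust/log-injection reports, here is an added example (not CodeQL's own code or the query's test suite): an untrusted username interpolated verbatim into a log line lets a CRLF inside it forge a second, authoritative-looking entry, while a small sanitizer that escapes control characters keeps each entry on one line. The function names and the log format are assumptions for illustration.

```rust
// Added example, not code from the CodeQL project. Demonstrates log forging
// (the pattern rust/log-injection flags) next to a sanitizing mitigation.

/// Naive audit line: the untrusted username is interpolated as-is, so any
/// newline it carries starts a new, attacker-authored log line.
fn format_login_line_unsanitized(username: &str) -> String {
    format!("login failed for user={}", username)
}

/// Escapes CR, LF and every other control character so the untrusted text
/// stays inside a single log line and remains visible to an auditor.
fn sanitize_for_log(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            c if c.is_control() => out.push_str(&format!("\\u{{{:04x}}}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Hardened audit line: sanitize before formatting.
fn format_login_line(username: &str) -> String {
    format!("login failed for user={}", sanitize_for_log(username))
}

/// Number of physical log lines an entry occupies; a forged entry shows as more than one.
fn line_count(entry: &str) -> usize {
    entry.lines().count()
}

fn main() {
    // Constructed attacker-controlled input: a username carrying CRLF plus a fake success line.
    let forged = "alice\r\nlogin succeeded for user=admin";
    println!("{}", format_login_line_unsanitized(forged)); // prints two lines, the second fake
    println!("{}", format_login_line(forged)); // prints one line, CRLF shown as \r\n
}
```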

For a full list of changes, please refer to the complete changelog for version 2.23.0. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.23.0 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.