CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.23.2, which introduces a new Rust security query and various other improvements that enhance the accuracy of your code scanning results.

Language and framework support

  • JavaScript/TypeScript: We’ve added improved support for the graphql library. Data flow from GraphQL query sources and variables to resolver function parameters is now tracked. We’ve also added support for the aws-sdk and @aws-sdk/client-dynamodb, @aws-sdk/client-athena, @aws-sdk/client-s3, and @aws-sdk/client-rds-data packages.

  • Python: Data flow tracking through global variables now supports nested field access patterns such as global_var.obj.field. This improves the precision of taint tracking analysis when data flows through complex global variable structures.

  • Ruby: We’ve added initial modeling for the Ruby Grape framework to detect API endpoints, parameters, and headers within Grape API classes.

  • Go: CodeQL Go analysis now supports the Git Source type for private package registries. This adds to the existing support for the GOPROXY server type.

Query changes

C#

  • We’ve improved the modeling of null guards based on complex pattern expressions, which in turn improves the query cs/dereferenced-value-may-be-null by removing false positives.

Python

  • We’ve improved queries that check for unmatchable $ and ^ in regular expressions to correctly account for occurrences inside look-ahead and look-behind assertions, eliminating this source of false positives.
  • We’ve modernized the py/inheritance/signature-mismatch query. It produces more precise results and more descriptive alert messages. The py/inheritance/incorrect-overriding-signature query has been deprecated and its results have been consolidated into the py/inheritance/signature-mismatch query.

Rust

  • We’ve added a new query, rust/non-https-url, for detecting the use of non-HTTPS URLs that can be intercepted by third parties.

For a full list of changes, refer to the complete changelog for version 2.23.2. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.23.2 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.