CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.24.3, which adds support for Java 26 and includes various improvements that enhance the accuracy of your code scanning results.

Language and framework support

Java/Kotlin

  • CodeQL now supports Java 26.
  • Java analysis now selects the Java version to use based on the Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.

JavaScript/TypeScript

  • We’ve added support for React components wrapped by observer from mobx-react and mobx-react-lite.

Query changes

Python

  • We’ve added a new full SSRF sanitization barrier from the new AntiSSRF library.
  • When a guard such as isSafe(x) is defined, we now also automatically handle isSafe(x) == true and isSafe(x) != false.

Ruby

  • We now track taint flow through Shellwords.escape and Shellwords.shellescape for all queries except command injection, for which they are sanitizers.
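To see why the distinction matters, here is an added Ruby example (not code from the CodeQL project or this post) using a constructed untrusted value: Shellwords.escape neutralizes shell metacharacters, so the result is safe as a single command-line argument, but the escaped string still carries the original content, so a path-traversal sink fed with it remains reachable.

```ruby
require 'shellwords'

# Constructed sample of untrusted input, standing in for a request parameter.
UNTRUSTED = "../../etc/passwd; echo pwned"

# Shell-escape the value. Metacharacters such as ' ' and ';' are backslash
# escaped, so the result cannot chain or split commands in a shell.
def shell_safe(value)
  Shellwords.escape(value)
end

# Splitting the escaped string back with Shellwords.split yields exactly one
# argument: this is what makes escape a sanitizer for command injection.
def argument_count(escaped)
  Shellwords.split(escaped).length
end

# escape leaves '.', '/' and '-' untouched, so traversal sequences survive.
# Any sink other than a shell command therefore still sees tainted data,
# which is why taint is tracked through escape for all other queries.
def traversal_survives?(escaped)
  escaped.include?("../")
end
```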

Java/Kotlin

  • We’ve expanded modeling that previously only worked for Java EE packages beginning with javax to also cover packages beginning with jakarta. This may lead to an increased number of alerts for code using the jakarta namespace.

Rust

  • We’ve added support for neutral models (extensible: neutralModel) to control where generated source, sink, and flow summary models apply.

C/C++

  • We’ve improved the cpp/leap-year/unchecked-after-arithmetic-year-modification query to address large numbers of false positives.

C#

  • C# 14: We’ve added support for the field keyword in properties.

For a full list of changes, please refer to the complete changelog for version 2.24.3. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.24.3 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.