CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.25.2, which brings a new Kotlin version update, various accuracy improvements, and a set of security severity score adjustments across multiple languages.

Language and framework support

Java/Kotlin

  • Kotlin versions up to 2.3.20 are now supported for analysis.
  • The java/tainted-arithmetic query no longer flags arithmetic expressions used directly as an operand of a comparison in if-condition bounds-checking patterns, reducing false positives.
  • The java/potentially-weak-cryptographic-algorithm query no longer flags Elliptic Curve algorithms, HMAC-based algorithms, or PBKDF2 key derivation as potentially insecure, reducing false positives for this query.

C/C++

  • Reduced false positives in the cpp/suspicious-add-sizeof, cpp/wrong-type-format-argument, and cpp/integer-multiplication-cast-to-long queries.

Query changes

C#

  • The cs/constant-condition query has been simplified to produce fewer false positives. As a result, the cs/constant-comparison query has been removed, since cs/constant-condition now covers those results.

Security severity updates

We’ve updated @security-severity scores across several languages to better align log injection and XSS queries with their actual impact:

  • C/C++: cpp/cgi-xss increased from medium (6.1) to high (7.8).
  • C#: cs/log-forging reduced from high (7.8) to medium (6.1); cs/web/xss increased from medium (6.1) to high (7.8).
  • Go: go/log-injection reduced from high (7.8) to medium (6.1); go/html-template-escaping-bypass-xss, go/reflected-xss, and go/stored-xss increased from medium (6.1) to high (7.8).
  • Java/Kotlin: java/log-injection reduced from high (7.8) to medium (6.1); java/android/webview-addjavascriptinterface, java/android/websettings-javascript-enabled, and java/xss increased from medium (6.1) to high (7.8).
  • Python: py/log-injection reduced from high (7.8) to medium (6.1); py/jinja2/autoescape-false and py/reflective-xss increased from medium (6.1) to high (7.8).
  • Ruby: rb/log-injection reduced from high (7.8) to medium (6.1); rb/reflected-xss, rb/stored-xss, and rb/html-constructed-from-input increased from medium (6.1) to high (7.8).
  • Swift: swift/unsafe-webview-fetch increased from medium (6.1) to high (7.8).
  • Rust: rust/log-injection increased from low (2.6) to medium (6.1); rust/xss increased from medium (6.1) to high (7.8).

For a full list of changes, please refer to the complete changelog for version 2.25.2. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.25.2 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.