- The
kindquery metadata was changed todiagnosticoncs/compilation-error,cs/compilation-message,cs/extraction-error, andcs/extraction-message.
- The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called
provenancehas been introduced, where the allowed values aremanualandgenerated. The value used to indicate whether a model as been written by hand (manual) or create by the CSV model generator (generated). - All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
- Casts to
dynamicare excluded from the useless upcasts check (cs/useless-upcast). - The C# extractor now accepts an extractor option
buildless, which is used to decide what type of extraction that should be performed. Iftruethen buildless (standalone) extraction will be performed. Otherwise tracing extraction will be performed (default). The option is added viacodeql database create --language=csharp -Obuildless=true .... - The C# extractor now accepts an extractor option
trap.compression, which is used to decide the compression format for TRAP files. The legal values arebrotli(default),gzipornone. The option is added viacodeql database create --language=csharp -Otrap.compression=value ....
- The precision of hardcoded credentials queries (
cs/hardcoded-credentialsandcs/hardcoded-connection-string-credentials) have been downgraded to medium.