- The `kind` query metadata was changed to `diagnostic` on `cs/compilation-error`, `cs/compilation-message`, `cs/extraction-error`, and `cs/extraction-message`.
- The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called `provenance` has been introduced, where the allowed values are `manual` and `generated`. The value is used to indicate whether a model has been written by hand (`manual`) or created by the CSV model generator (`generated`).
- All auto-implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
- Casts to `dynamic` are excluded from the useless upcasts check (`cs/useless-upcast`).
- The C# extractor now accepts an extractor option `buildless`, which is used to decide what type of extraction should be performed. If `true`, then buildless (standalone) extraction will be performed. Otherwise tracing extraction will be performed (default). The option is added via `codeql database create --language=csharp -Obuildless=true ...`.
- The C# extractor now accepts an extractor option `trap.compression`, which is used to decide the compression format for TRAP files. The legal values are `brotli` (default), `gzip` or `none`. The option is added via `codeql database create --language=csharp -Otrap.compression=value ...`.
- The precision of the hardcoded credentials queries (`cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials`) has been downgraded to medium.