From fc6794f6dff1619e2816b7a18eb1cafb790f9a09 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Thu, 6 Mar 2025 14:12:54 -0600 Subject: [PATCH 1/6] adding 2.20.6 sitedocs --- .../codeql-changelog/codeql-cli-2.19.4.rst | 2 +- .../codeql-changelog/codeql-cli-2.20.4.rst | 6 +- .../codeql-changelog/codeql-cli-2.20.6.rst | 125 ++++++++++++++++++ .../codeql-changelog/index.rst | 1 + 4 files changed, 130 insertions(+), 4 deletions(-) create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst index 754b6d2c4dad..9235d63fe2cf 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst @@ -79,4 +79,4 @@ JavaScript/TypeScript * Added taint-steps for :code:`Array.prototype.toReversed`. * Added taint-steps for :code:`Array.prototype.toSorted`. * Added support for :code:`String.prototype.matchAll`. -* Added taint-steps for :code:`Array.prototype.reverse`. +* Added taint-steps for :code:`Array.prototype.reverse`\ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index a5c9c4f222f8..f488198ea3d3 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst @@ -117,8 +117,8 @@ Java/Kotlin * Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead. * Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead. * Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in ``*Access``, use the corresponding ``*Call`` classes instead. -* Deleted a lot of deprecated predicates ending in ``*Access``, use the corresponding ``*Call`` predicates instead. +* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. +* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. * Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead. @@ -144,7 +144,7 @@ Ruby * Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead. * Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from ``*Query.qll`` files. +* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. * Deleted the old deprecated TypeTracking library. Swift diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst new file mode 100644 index 000000000000..7152c45c419c --- /dev/null +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst @@ -0,0 +1,125 @@ +.. _codeql-cli-2.20.6: + +========================== +CodeQL 2.20.6 (2025-03-06) +========================== + +.. contents:: Contents + :depth: 2 + :local: + :backlinks: none + +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__. + +Security Coverage +----------------- + +CodeQL 2.20.6 runs a total of 450 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 137 queries (covering 35 more CWE). 1 security query has been added with this release. + +CodeQL CLI +---------- + +Miscellaneous +~~~~~~~~~~~~~ + +* The CodeQL XML extractor is now able to parse documents in a wider array of character sets. + +* The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.6. + +Query Packs +----------- + +Bug Fixes +~~~~~~~~~ + +GitHub Actions +"""""""""""""" + +* The :code:`actions/unversioned-immutable-action` query will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query remains in the default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is available, the query will be updated to report alerts again. + +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Java/Kotlin +""""""""""" + +* Fixed false positive alerts in the java query "Cross-site scripting" (:code:`java/xss`) when :code:`javax.servlet.http.HttpServletResponse` is used with a content type which is not exploitable. + +JavaScript/TypeScript +""""""""""""""""""""" + +* Improved precision of data flow through arrays, fixing some spurious flows that would sometimes cause the :code:`length` property of an array to be seen as tainted. +* Improved call resolution logic to better handle calls resolving "downwards", targeting a method declared in a subclass of the enclosing class. Data flow analysis has also improved to avoid spurious flow between unrelated classes in the class hierarchy. + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C/C++ +""""" + +* Due to changes in libraries the query "Static array access may cause overflow" (:code:`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single :code:`memset` or similar operation. +* The query "Call to memory access function may overflow buffer" (:code:`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues. + +C# +"" + +* C#: Improve precision of the query :code:`cs/call-to-object-tostring` for value tuples. + +Language Libraries +------------------ + +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Golang +"""""" + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + +JavaScript/TypeScript +""""""""""""""""""""" + +* Added support for the :code:`response` threat model kind, which can enabled with `advanced setup `__. When enabled, the response data coming back from an outgoing HTTP request is considered a source of taint. +* Added support for the :code:`useQuery` hook from :code:`@tanstack/react-query`. + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C/C++ +""""" + +* Modified the :code:`getBufferSize` predicate in :code:`commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class. +* Fixed an issue where the :code:`getBufferSize` predicate in :code:`commons/Buffer.qll` was returning results for references inside :code:`offsetof` expressions, which are not accesses to a buffer. + +Golang +"""""" + +* The location info for the following classes has been changed slightly to match a location that is in the database: :code:`BasicBlock`, :code:`ControlFlow::EntryNode`, :code:`ControlFlow::ExitNode`, :code:`ControlFlow::ConditionGuardNode`, :code:`IR::ImplicitLiteralElementIndexInstruction`, :code:`IR::EvalImplicitTrueInstruction`, :code:`SsaImplicitDefinition`, :code:`SsaPhiNode`. +* Added :code:`database` source models for the :code:`github.com/rqlite/gorqlite` package. +* Added :code:`database` source models for database methods from the :code:`go.mongodb.org/mongo-driver/mongo` package. + +Java/Kotlin +""""""""""" + +* Added a path injection sanitizer for the :code:`child` argument of a :code:`java.io.File` constructor if that argument does not contain path traversal sequences. + +JavaScript/TypeScript +""""""""""""""""""""" + +* The :code:`response.download()` function in :code:`express` is now recognized as a sink for path traversal attacks. + +Deprecated APIs +~~~~~~~~~~~~~~~ + +Golang +"""""" + +* The member predicate :code:`hasLocationInfo` has been deprecated on the following classes: :code:`BasicBlock`, :code:`Callable`, :code:`Content`, :code:`ContentSet`, :code:`ControlFlow::Node`, :code:`DataFlowCallable`, :code:`DataFlow::Node`, :code:`Entity`, :code:`GVN`, :code:`HtmlTemplate::TemplateStmt`, :code:`IR:WriteTarget`, :code:`SourceSinkInterpretationInput::SourceOrSinkElement`, :code:`SourceSinkInterpretationInput::InterpretNode`, :code:`SsaVariable`, :code:`SsaDefinition`, :code:`SsaWithFields`, :code:`StringOps::ConcatenationElement`, :code:`Type`, and :code:`VariableWithFields`. Use :code:`getLocation()` instead. + +New Features +~~~~~~~~~~~~ + +Java/Kotlin +""""""""""" + +* The Java extractor and QL libraries now support Java 24. diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst index aa51edced639..e53d669f3a31 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/index.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst @@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here Date: Thu, 6 Mar 2025 15:04:55 -0600 Subject: [PATCH 2/6] Update codeql-cli-2.19.4.rst --- .../codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst index 9235d63fe2cf..754b6d2c4dad 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst @@ -79,4 +79,4 @@ JavaScript/TypeScript * Added taint-steps for :code:`Array.prototype.toReversed`. * Added taint-steps for :code:`Array.prototype.toSorted`. * Added support for :code:`String.prototype.matchAll`. -* Added taint-steps for :code:`Array.prototype.reverse`\ +* Added taint-steps for :code:`Array.prototype.reverse`. From 1385de223fde136419903fe34c1215167719df32 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Thu, 6 Mar 2025 15:10:11 -0600 Subject: [PATCH 3/6] Update codeql-cli-2.20.4.rst --- .../codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index f488198ea3d3..c95ae0fd44b1 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst @@ -117,8 +117,8 @@ Java/Kotlin * Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead. * Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead. * Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. -* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. +* Deleted a lot of deprecated classes ending in `*Access`, use the corresponding `*Call` classes instead. +* Deleted a lot of deprecated predicates ending in `*Access`, use the corresponding `*Call` predicates instead. * Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead. From 3652a45a97db222927e1328f0eddf3dfa5c0ffbc Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Thu, 6 Mar 2025 15:10:42 -0600 Subject: [PATCH 4/6] Update codeql-cli-2.20.4.rst --- .../codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index c95ae0fd44b1..05e3ab66158c 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst @@ -144,7 +144,7 @@ Ruby * Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead. * Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. +* Deleted a lot of deprecated dataflow modules from `*Query.qll` files. * Deleted the old deprecated TypeTracking library. Swift From da7b9b7c20567d8ed331481b711ff3ccdf3b734e Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Thu, 6 Mar 2025 15:32:48 -0600 Subject: [PATCH 5/6] rearranging golang 1.24 support --- .../codeql-changelog/codeql-cli-2.20.5.rst | 8 ++++++++ .../codeql-changelog/codeql-cli-2.20.6.rst | 5 ----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst index 48d4ff27f0b1..855f25655ec6 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst @@ -109,6 +109,14 @@ Python * Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes. * Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case. +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Golang +"""""" + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + Minor Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst index 7152c45c419c..d6b934449252 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst @@ -71,11 +71,6 @@ Language Libraries Major Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Golang -"""""" - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - JavaScript/TypeScript """"""""""""""""""""" From 65d5e527c0fe2e67fd0a4e7ea7ae428ef581dc6f Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Thu, 6 Mar 2025 16:46:57 -0600 Subject: [PATCH 6/6] Apply suggestions from code review Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> --- .../codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index 05e3ab66158c..c3012e020c78 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst @@ -117,8 +117,8 @@ Java/Kotlin * Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead. * Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead. * Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in `*Access`, use the corresponding `*Call` classes instead. -* Deleted a lot of deprecated predicates ending in `*Access`, use the corresponding `*Call` predicates instead. +* Deleted a lot of deprecated classes ending in :code:`*Access`, use the corresponding :code:`*Call` classes instead. +* Deleted a lot of deprecated predicates ending in :code:`*Access`, use the corresponding :code:`*Call` predicates instead. * Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead. @@ -144,7 +144,7 @@ Ruby * Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead. * Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from `*Query.qll` files. +* Deleted a lot of deprecated dataflow modules from :code:`*Query.qll` files. * Deleted the old deprecated TypeTracking library. Swift