From 63390be18583b27cd03f47d09eedf5df87f113bc Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 17 Nov 2025 14:24:35 -0600 Subject: [PATCH 1/3] Changedocs for 2.23.5 --- .../codeql-changelog/codeql-cli-2.23.1.rst | 4 +- .../codeql-changelog/codeql-cli-2.23.5.rst | 134 ++++++++++++++++++ .../codeql-changelog/index.rst | 1 + 3 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index ff22a3f647cf..27f1eee84edc 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__\ ! Python """""" @@ -126,7 +126,7 @@ Golang """""" * The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go. -* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning. +* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning. Java/Kotlin """"""""""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst new file mode 100644 index 000000000000..9022a09444fc --- /dev/null +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst @@ -0,0 +1,134 @@ +.. _codeql-cli-2.23.5: + +========================== +CodeQL 2.23.5 (2025-11-13) +========================== + +.. contents:: Contents + :depth: 2 + :local: + :backlinks: none + +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__. + +Security Coverage +----------------- + +CodeQL 2.23.5 runs a total of 483 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 3 security queries have been added with this release. + +CodeQL CLI +---------- + +Breaking Changes +~~~~~~~~~~~~~~~~ + +* In order to make a :code:`@kind path-problem` query diff-informed, the :code:`getASelectedSourceLocation` and :code:`getASelectedSinkLocation` predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink *in addition to* any other locations that are selected by the query. See the `QLdoc `__ for more details. + +Query Packs +----------- + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* the :code:`cs/web/missing-x-frame-options` query now correctly handles configuration nested in root :code:`` elements. + +Java/Kotlin +""""""""""" + +* Calls to :code:`String.matches` are now treated as sanitizers for the :code:`java/ssrf` query. + +Python +"""""" + +* The :code:`py/insecure-cookie` query has been split into multiple queries; with :code:`py/insecure-cookie` checking for cases in which :code:`Secure` flag is not set, :code:`py/client-exposed-cookie` checking for cases in which the :code:`HttpOnly` flag is not set, and the :code:`py/samesite-none` query checking for cases in which the :code:`SameSite` attribute is set to :code:`None`. These queries also now only alert for cases in which the cookie is detected to contain sensitive data. + +Rust +"""" + +* The "Low Rust analysis quality" query (:code:`rust/diagnostic/database-quality`), used by the tool status page, has been extended with a measure of successful type inference. + +New Queries +~~~~~~~~~~~ + +Java/Kotlin +""""""""""" + +* The :code:`java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack. +* Added a new query, :code:`java/escaping`, to detect values escaping from classes marked as :code:`@ThreadSafe`. +* Added a new query, :code:`java/not-threadsafe`, to detect data races in classes marked as :code:`@ThreadSafe`. +* Added a new query, :code:`java/safe-publication`, to detect unsafe publication in classes marked as :code:`@ThreadSafe`. + +Language Libraries +------------------ + +Breaking Changes +~~~~~~~~~~~~~~~~ + +Swift +""""" + +* The :code:`OpenedArchetypeType` class has been renamed as :code:`ExistentialArchetypeType`. +* The :code:`OtherAvailabilitySpec` class has been removed. Use :code:`AvailabilitySpec::isWildcard` instead. +* The :code:`PlatformVersionAvailabilitySpec` has been removed. Use :code:`AvailabilitySpec::getPlatform` and :code:`AvailabilitySpec::getVersion` instead. + +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions, for example, improved precision has been observed for :code:`cs/inefficient-containskey` and :code:`cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: :code:`cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, :code:`cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, :code:`cs/dereferenced-value-may-be-null` has been changed from a :code:`path-problem` query to a :code:`problem` query, so paths are no longer reported for this query. + +Swift +""""" + +* Upgraded to allow analysis of Swift 6.2. +* Support for experimental Embedded Swift has been dropped. + +Rust +"""" + +* Resolution of calls to functions has been improved in a number of ways, to make it more aligned with the behavior of the Rust compiler. This may impact queries that rely on call resolution, such as data flow queries. +* Added basic models for the :code:`actix-web` web framework. + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* Added tracer support for macOS and Linux when the .NET CLI (:code:`dotnet`) directly invokes the C# compiler (:code:`csc`). This enhancement provides basic tracing and extraction capabilities for .NET 10 RC2 on these platforms. +* The extraction of location information for source code entities has been updated to use star IDs (:code:`*` IDs). This change should be transparent to end-users but may improve extraction performance in some cases by reducing TRAP file size and eliminating overhead from location de-duplication. + +Rust +"""" + +* Added :code:`ExtractedFile::hasSemantics` and :code:`ExtractedFile::isSkippedByCompilation` predicates. +* Generalized some existing models to improve data flow. +* Added models for the :code:`mysql` and :code:`mysql_async` libraries. + +Deprecated APIs +~~~~~~~~~~~~~~~ + +C# +"" + +* The class :code:`AbstractValue` in the :code:`Guards` library has been deprecated and replaced with the class :code:`GuardValue`. + +New Features +~~~~~~~~~~~~ + +Python +"""""" + +* Initial support for incremental Python databases via :code:`codeql database create --overlay-base`\ /\ :code:`--overlay-changes`. + +Swift +""""" + +* Added AST nodes :code:`UsingDecl`, :code:`UnsafeExpr`, and :code:`InlineArrayType` that correspond to new nodes in Swift 6.2. +* Added new predicates :code:`isDistributedGet`, :code:`isRead2`, :code:`isModify2`, and :code:`isInit` to the :code:`Accessor` class that correspond to new accessors in Swift 6.2. +* Added a new predicate :code:`isApply` to the :code:`KeyPathComponent` class that corresponds to method and initializer key path components in Swift 6.2. diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst index 4b3e1f5bb982..e48181dc0263 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/index.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst @@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here Date: Mon, 17 Nov 2025 14:30:45 -0600 Subject: [PATCH 2/3] adding in 2.23.1 changes so they stay the same --- .../codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index 27f1eee84edc..78e5e367bce3 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__\ ! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__ ! Python """""" @@ -126,7 +126,7 @@ Golang """""" * The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go. -* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning. +* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning. Java/Kotlin """"""""""" From d685e666b4ee597daba921ae12c3a4e10a3a0640 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 17 Nov 2025 14:32:04 -0600 Subject: [PATCH 3/3] missing space --- .../codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index 78e5e367bce3..ff22a3f647cf 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__ ! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__! Python """"""