From b2d9a600e5a40a00e5954f01feecf4ff075a2e69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?=
Date: Fri, 20 Mar 2026 11:23:20 +0100
Subject: [PATCH 1/4] Merge pull request #21486 from github/post-release-prep/codeql-cli-2.25.0 Post-release preparation for codeql-cli-2.25.0
---
 actions/ql/lib/qlpack.yml | 2 +-
 actions/ql/src/qlpack.yml | 2 +-
 cpp/ql/lib/qlpack.yml | 2 +-
 cpp/ql/src/qlpack.yml | 2 +-
 csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +-
 csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +-
 csharp/ql/lib/qlpack.yml | 2 +-
 csharp/ql/src/qlpack.yml | 2 +-
 go/ql/consistency-queries/qlpack.yml | 2 +-
 go/ql/lib/qlpack.yml | 2 +-
 go/ql/src/qlpack.yml | 2 +-
 java/ql/lib/qlpack.yml | 2 +-
 java/ql/src/qlpack.yml | 2 +-
 javascript/ql/lib/qlpack.yml | 2 +-
 javascript/ql/src/qlpack.yml | 2 +-
 misc/suite-helpers/qlpack.yml | 2 +-
 python/ql/lib/qlpack.yml | 2 +-
 python/ql/src/qlpack.yml | 2 +-
 ruby/ql/lib/qlpack.yml | 2 +-
 ruby/ql/src/qlpack.yml | 2 +-
 rust/ql/lib/qlpack.yml | 2 +-
 rust/ql/src/qlpack.yml | 2 +-
 shared/concepts/qlpack.yml | 2 +-
 shared/controlflow/qlpack.yml | 2 +-
 shared/dataflow/qlpack.yml | 2 +-
 shared/mad/qlpack.yml | 2 +-
 shared/quantum/qlpack.yml | 2 +-
 shared/rangeanalysis/qlpack.yml | 2 +-
 shared/regex/qlpack.yml | 2 +-
 shared/ssa/qlpack.yml | 2 +-
 shared/threat-models/qlpack.yml | 2 +-
 shared/tutorial/qlpack.yml | 2 +-
 shared/typeflow/qlpack.yml | 2 +-
 shared/typeinference/qlpack.yml | 2 +-
 shared/typetracking/qlpack.yml | 2 +-
 shared/typos/qlpack.yml | 2 +-
 shared/util/qlpack.yml | 2 +-
 shared/xml/qlpack.yml | 2 +-
 shared/yaml/qlpack.yml | 2 +-
 swift/ql/lib/qlpack.yml | 2 +-
 swift/ql/src/qlpack.yml | 2 +-
 41 files changed, 41 insertions(+), 41 deletions(-)
diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
index 9a23a378da62..a6806dc906fb 100644
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.30
+version: 0.4.31-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml
index 823050fa00b8..0c0978474791 100644
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.22
+version: 0.6.23-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
index 286288140c49..beb1e9234e88 100644
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.1
+version: 8.0.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
index 5fb03d534347..1b32be0402f1 100644
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.13
+version: 1.5.14-dev
 groups:
 - cpp
 - queries
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
index e2e83cd47e70..90919d238b89 100644
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.61
+version: 1.7.62-dev
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
index ebbb19fa683f..ee4e92178bf9 100644
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.61
+version: 1.7.62-dev
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
index 3c914c680194..0153dbbfb30f 100644
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.9
+version: 5.4.10-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
index 314f157005ea..807071e116b5 100644
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.4
+version: 1.6.5-dev
 groups:
 - csharp
 - queries
diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml
index abdc2742c45a..dfa143a5866e 100644
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.44
+version: 1.0.45-dev
 groups:
 - go
 - queries
diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml
index 2e3c31c59734..2bcd50424257 100644
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.0.2
+version: 7.0.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml
index 2d0bef9e155e..a32eb17ebf76 100644
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.5.8
+version: 1.5.9-dev
 groups:
 - go
 - queries
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
index e45e13037e7e..b9f061bcc3e8 100644
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.0.0
+version: 9.0.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml
index 6d1aa235ed65..13700fa71995 100644
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.10.9
+version: 1.10.10-dev
 groups:
 - java
 - queries
diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml
index 70d0ad7df765..c753467a0b8d 100644
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.24
+version: 2.6.25-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml
index d9fc2fd16d54..5d4952bd6a53 100644
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.4
+version: 2.3.5-dev
 groups:
 - javascript
 - queries
diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml
index dea7170bc375..5d2436f3e049 100644
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.44
+version: 1.0.45-dev
 groups: shared
 warnOnImplicitThis: true
diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml
index 2400efca5a77..8d8597ea9158 100644
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.0.1
+version: 7.0.2-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml
index 7c1c1610d14b..389b1dfb493d 100644
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.7.9
+version: 1.7.10-dev
 groups:
 - python
 - queries
diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml
index 9a0242be164f..c642ddab9748 100644
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 5.1.12
+version: 5.1.13-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml
index 3ba280ea3785..6978ce40015f 100644
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.5.9
+version: 1.5.10-dev
 groups:
 - ruby
 - queries
diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml
index bce0d1b8fa54..b7d2e253cfbf 100644
--- a/rust/ql/lib/qlpack.yml
+++ b/rust/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rust-all
-version: 0.2.8
+version: 0.2.9-dev
 groups: rust
 extractor: rust
 dbscheme: rust.dbscheme
diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml
index e3cb21b0a451..c36bcc3f9519 100644
--- a/rust/ql/src/qlpack.yml
+++ b/rust/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rust-queries
-version: 0.1.29
+version: 0.1.30-dev
 groups:
 - rust
 - queries
diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml
index fc4c0b767d5c..c23e61f19fb6 100644
--- a/shared/concepts/qlpack.yml
+++ b/shared/concepts/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/concepts
-version: 0.0.18
+version: 0.0.19-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml
index 1376dbfe3ccc..35b09b7dc636 100644
--- a/shared/controlflow/qlpack.yml
+++ b/shared/controlflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/controlflow
-version: 2.0.28
+version: 2.0.29-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml
index 09f2320911d0..2dd531eda0a4 100644
--- a/shared/dataflow/qlpack.yml
+++ b/shared/dataflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/dataflow
-version: 2.1.0
+version: 2.1.1-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml
index 370dcab571e4..cade13e956ca 100644
--- a/shared/mad/qlpack.yml
+++ b/shared/mad/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/mad
-version: 1.0.44
+version: 1.0.45-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml
index 066a920be90a..4e7f48d621d9 100644
--- a/shared/quantum/qlpack.yml
+++ b/shared/quantum/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/quantum
-version: 0.0.22
+version: 0.0.23-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml
index e3d15e3fb29f..5c2fc87098b4 100644
--- a/shared/rangeanalysis/qlpack.yml
+++ b/shared/rangeanalysis/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rangeanalysis
-version: 1.0.44
+version: 1.0.45-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml
index 0595120a7a8e..26f585673ec1 100644
--- a/shared/regex/qlpack.yml
+++ b/shared/regex/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/regex
-version: 1.0.44
+version: 1.0.45-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml
index 0e191175233d..4cfd1100a801 100644
--- a/shared/ssa/qlpack.yml
+++ b/shared/ssa/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ssa
-version: 2.0.20
+version: 2.0.21-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml
index 34df87895540..9e47885b3032 100644
--- a/shared/threat-models/qlpack.yml
+++ b/shared/threat-models/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/threat-models
-version: 1.0.44
+version: 1.0.45-dev
 library: true
 groups: shared
 dataExtensions:
diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml
index 913f73c24fe8..2313b64956ae 100644
--- a/shared/tutorial/qlpack.yml
+++ b/shared/tutorial/qlpack.yml
@@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.44 +version: 1.0.45-dev groups: shared library: true warnOnImplicitThis: true
diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml
index bba635a47974..1cd9c4b5f7b7 100644
--- a/shared/typeflow/qlpack.yml
+++ b/shared/typeflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typeflow
-version: 1.0.44
+version: 1.0.45-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml
index 278398e24879..533847824b19 100644
--- a/shared/typeinference/qlpack.yml
+++ b/shared/typeinference/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typeinference
-version: 0.0.25
+version: 0.0.26-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml
index 3c3316da7fca..41a197cff1d4 100644
--- a/shared/typetracking/qlpack.yml
+++ b/shared/typetracking/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typetracking
-version: 2.0.28
+version: 2.0.29-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml
index 56557152de70..547c266fb942 100644
--- a/shared/typos/qlpack.yml
+++ b/shared/typos/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typos
-version: 1.0.44
+version: 1.0.45-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml
index b7e3b89b39ea..1b3f89c4ef72 100644
--- a/shared/util/qlpack.yml
+++ b/shared/util/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/util
-version: 2.0.31
+version: 2.0.32-dev
 groups: shared
 library: true
 dependencies: null
diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml
index 33bf92658f8c..392bdb18282d 100644
--- a/shared/xml/qlpack.yml
+++ b/shared/xml/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/xml
-version: 1.0.44
+version: 1.0.45-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml
index ac65e0bcb80c..b951c408c85f 100644
--- a/shared/yaml/qlpack.yml
+++ b/shared/yaml/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/yaml
-version: 1.0.44
+version: 1.0.45-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml
index d2983f8bd94c..3343e0568333 100644
--- a/swift/ql/lib/qlpack.yml
+++ b/swift/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/swift-all
-version: 6.3.0
+version: 6.3.1-dev
 groups: swift
 extractor: swift
 dbscheme: swift.dbscheme
diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml
index 39171058590c..80a16a8099dc 100644
--- a/swift/ql/src/qlpack.yml
+++ b/swift/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/swift-queries
-version: 1.2.18
+version: 1.2.19-dev
 groups:
 - swift
 - queries
From 8382a352d4871895a68048ff90780a2297196839 Mon Sep 17 00:00:00 2001
From: Florin Coada
Date: Tue, 24 Mar 2026 12:54:23 +0000
Subject: [PATCH 2/4] Merge pull request #21558 from github/codeql-spark-run-23458057791 Update changelog documentation site for codeql-cli-2.25.0
---
 .../codeql-changelog/codeql-cli-2.19.1.rst | 2 +-
 .../codeql-changelog/codeql-cli-2.21.3.rst | 2 +-
 .../codeql-changelog/codeql-cli-2.22.3.rst | 2 +-
 .../codeql-changelog/codeql-cli-2.25.0.rst | 131 ++++++++++++++++++
 .../codeql-changelog/index.rst | 2 +
 5 files changed, 136 insertions(+), 3 deletions(-)
 create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.0.rst
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst
index f2948d0db67c..39d4d36537cf 100644
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst
@@ -129,7 +129,7 @@ Java/Kotlin """"""""""" * The Java extractor and QL libraries now support Java 23. -* Kotlin versions up to 2.1.0\ *x* are now supported. +* Kotlin versions up to 2.1.0*x* are now supported. Python """"""
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst
index 71a8e3a68240..fffe94c04b80 100644
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst
@@ -144,7 +144,7 @@ New Features Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). +* Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). Swift """""
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst
index 4f1d34ff2ddd..8e5a18a0c74a 100644
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst
@@ -98,4 +98,4 @@ C/C++ Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.2\ *x* are now supported. +* Kotlin versions up to 2.2.2*x* are now supported.
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.0.rst
new file mode 100644
index 000000000000..7c371a3a365c
--- /dev/null
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.0.rst
@@ -0,0 +1,131 @@
+.. _codeql-cli-2.25.0:
+
+==========================
+CodeQL 2.25.0 (2026-03-19)
+==========================
+
+.. contents:: Contents
+ :depth: 2
+ :local:
+ :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.25.0 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+* :code:`codeql database interpret-results` and :code:`codeql database analyze` no longer attempt to reconstruct file baseline information from databases created with CLI versions before 2.11.2.
+
+Bug Fixes
+~~~~~~~~~
+
+* Upgraded Jackson library from 2.16.1 to 2.18.6 to address a high-severity denial of service vulnerability (GHSA-72hv-8253-57qq) in jackson-core's async JSON parser.
+* Upgraded snakeyaml (which is a dependency of jackson-dataformat-yaml) from 2.2 to 2.3.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Java/Kotlin
+"""""""""""
+
+* The Java control flow graph (CFG) implementation has been completely rewritten. The CFG now includes additional nodes to more accurately represent certain constructs. This also means that any existing code that implicitly relies on very specific details about the CFG may need to be updated.
+ The CFG now only includes the nodes that are reachable from the entry point.
+ Additionally, the following breaking changes have been made:
+
+ * :code:`ControlFlowNode.asCall` has been removed - use :code:`Call.getControlFlowNode` instead.
+ * :code:`ControlFlowNode.getEnclosingStmt` has been removed.
+ * :code:`ControlFlow::ExprNode` has been removed.
+ * :code:`ControlFlow::StmtNode` has been removed.
+ * :code:`ControlFlow::Node` has been removed - this was merely an alias of
+ :code:`ControlFlowNode`, which is still available.
+ * Previously deprecated predicates on :code:`BasicBlock` have been removed.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Swift
+"""""
+
+* Upgraded to allow analysis of Swift 6.2.4.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+* Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+C#
+""
+
+* Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+* Added :code:`System.Net.WebSockets::ReceiveAsync` as a remote flow source.
+* Added reverse taint flow from implicit conversion operator calls to their arguments.
+* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
+* C# 14: Added support for partial constructors.
+
+Golang
+""""""
+
+* Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Java/Kotlin
+"""""""""""
+
+* Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+* The class :code:`Assignment` now extends :code:`BinaryExpr`. Uses of :code:`BinaryExpr` may in some cases need slight adjustment.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+* Added support for browser-specific source kinds (:code:`browser`, :code:`browser-url-query`, :code:`browser-url-fragment`, :code:`browser-url-path`, :code:`browser-url`, :code:`browser-window-name`, :code:`browser-message-event`) that can be used in data extensions to model sources in browser environments.
+* Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Python
+""""""
+
+* The call graph resolution no longer considers methods marked using |link-code-typing-overload-1|_ as valid targets. This ensures that only the method that contains the actual implementation gets resolved as a target.
+* Inline expectations test comments, which are of the form :code:`# $ tag` or :code:`# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Ruby
+""""
+
+* Inline expectations test comments, which are of the form :code:`# $ tag` or :code:`# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Swift
+"""""
+
+* Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Rust
+""""
+
+* Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+* Added neutral models to inhibit spurious generated sink models for :code:`map` and :code:`from`. This fixes some false positive query results.
+
+Shared Libraries
+----------------
+
+New Features
+~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+* Two new flow features :code:`FeatureEscapesSourceCallContext` and :code:`FeatureEscapesSourceCallContextOrEqualSourceSinkCallContext` have been added. The former implies that the sink must be reached from the source by escaping the source call context, that is, flow must either return from the callable containing the source or use a jump-step before reaching the sink. The latter is the disjunction of the former and the existing :code:`FeatureEqualSourceSinkCallContext` flow feature.
+
+.. |link-code-typing-overload-1| replace:: :code:`@typing.overload`\
+.. _link-code-typing-overload-1: https://typing.python.org/en/latest/spec/overload.html#overloads
+
diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst
index 21671f1c9696..d880a7e56d8c 100644
--- a/docs/codeql/codeql-overview/codeql-changelog/index.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst
@@ -11,6 +11,8 @@ A list of queries for each suite and language `is available here
Date: Thu, 26 Mar 2026 15:26:16 +0100
Subject: [PATCH 3/4] Missing file
---
 .../codeql-changelog/codeql-cli-2.24.3.rst | 121 ++++++++++++++++++
 1 file changed, 121 insertions(+)
 create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.3.rst
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.3.rst
new file mode 100644
index 000000000000..7c4f99e10d23
--- /dev/null
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.3.rst
@@ -0,0 +1,121 @@
+.. _codeql-cli-2.24.3:
+
+==========================
+CodeQL 2.24.3 (2026-03-05)
+==========================
+
+.. contents:: Contents
+ :depth: 2
+ :local:
+ :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.24.3 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+* Fixed a race condition that could cause flaky failures in overlay CodeQL tests. Test extraction now skips :code:`*.testproj` directories by name, preventing interference from concurrently cleaned-up test databases.
+* Fixed spurious "OOPS" warnings that could appear in help output for commands using mutually exclusive option groups, such as :code:`codeql query run`.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java/Kotlin
+"""""""""""
+
+* The Java extractor and QL libraries now support Java 26.
+* Java analysis now selects the Java version to use informed by Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.
+
+Rust
+""""
+
+* The macro resolution metric has been removed from :code:`rust/diagnostic/database-quality`. This metric was found to be an unreliable indicator of database quality in many cases, leading to false alarms on the tool status page.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+* The :code:`allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.
+
+C#
+""
+
+* Fixed an issue where the body of a partial member could be extracted twice. When both a *defining* and an *implementing* declaration exist, only the *implementing* declaration is now extracted.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+* CodeQL version 2.24.2 accidentally introduced a syntactical breaking change to :code:`BarrierGuard<...>::getAnIndirectBarrierNode` and :code:`InstructionBarrierGuard<...>::getAnIndirectBarrierNode`. These breaking changes have now been reverted so that the original code compiles again.
+* :code:`MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the :code:`MustFlowConfiguration` class, the user should now implement a module with the :code:`MustFlow::ConfigSig` signature, and instantiate the :code:`MustFlow::Global` parameterized module with the implemented module.
+
+Python
+""""""
+
+* The :code:`Metrics` library no longer contains code that depends on the points-to analysis. The removed functionality has instead been moved to the :code:`LegacyPointsTo` module, to classes like :code:`ModuleMetricsWithPointsTo` etc. If you depend on any of these classes, you must now remember to import :code:`LegacyPointsTo`, and use the appropriate types in order to use the points-to-based functionality.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+* The CodeQL Python libraries have been updated to be compatible with overlay evaluation. This should result in a significant speedup on analyses for which a base database already exists. Note that it may be necessary to add :code:`overlay[local?]
module;` to user-managed libraries that extend classes that are now marked as :code:`overlay[local]`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (:code:`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.
+
+C#
+""
+
+* C# 14: Added support for partial events.
+* C# 14: Added support for the :code:`field` keyword in properties.
+
+Java/Kotlin
+"""""""""""
+
+* Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+* Added support for React components wrapped by :code:`observer` from :code:`mobx-react` and :code:`mobx-react-lite`.
+
+Python
+""""""
+
+* Added new full SSRF sanitization barrier from the new AntiSSRF library.
+* When a guard such as :code:`isSafe(x)` is defined, we now also automatically handle :code:`isSafe(x) == true` and :code:`isSafe(x) != false`.
+
+Ruby
+""""
+
+* We now track taint flow through :code:`Shellwords.escape` and :code:`Shellwords.shellescape` for all queries except command injection, for which they are sanitizers.
+
+Rust
+""""
+
+* Added support for neutral models (:code:`extensible: neutralModel`) to control where generated source, sink and flow summary models apply.
From fe565baf068d42ba4064ccb322409f3f1b81465f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?=
Date: Thu, 26 Mar 2026 15:54:35 +0100
Subject: [PATCH 4/4] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Óscar San José
---
 .../codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst | 2 +-
 .../codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst | 2 +-
 .../codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst
index 39d4d36537cf..f2948d0db67c 100644
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst
@@ -129,7 +129,7 @@ Java/Kotlin """"""""""" * The Java extractor and QL libraries now support Java 23. -* Kotlin versions up to 2.1.0*x* are now supported. +* Kotlin versions up to 2.1.0\ *x* are now supported. Python """"""
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst
index fffe94c04b80..71a8e3a68240 100644
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst
@@ -144,7 +144,7 @@ New Features Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). +* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). Swift """""
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst
index 8e5a18a0c74a..4f1d34ff2ddd 100644
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst
@@ -98,4 +98,4 @@ C/C++ Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.2*x* are now supported. +* Kotlin versions up to 2.2.2\ *x* are now supported.