CodeQL 2.23.7 (2025-12-05)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.23.7 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 6 security queries have been added with this release.
CodeQL CLI
Deprecations
The --save-cache flag to codeql database run-queries and other commands that execute queries has been deprecated. This flag previously instructed the evaluator to aggressively write intermediate results to the disk cache, but now has no effect.
Query Packs
Minor Analysis Improvements
Java/Kotlin
Operations that extract only a fixed-length prefix or suffix of a string (for example, substring in Java or take in Kotlin), when limited to a length of at most 7 characters, are now treated as sanitizers for the java/sensitive-log query.
JavaScript/TypeScript
Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in the app/pages folder.
Rust
The rust/access-invalid-pointer query has been improved with new flow sources and barriers.
New Queries
Golang
The go/cookie-http-only-not-set query has been promoted from the experimental query pack. This query was originally contributed to the experimental query pack by @edvraa.
A new query go/cookie-secure-not-set has been added to detect cookies without the Secure flag set.
Added a new query, go/weak-crypto-algorithm, to detect the use of a broken or weak cryptographic algorithm. A very simple version of this query was originally contributed as an experimental query by @dilanbhalla.
Added a new query, go/weak-sensitive-data-hashing, to detect the use of a broken or weak cryptographic hash algorithm on sensitive data.
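
The two cookie queries above concern the Secure and HttpOnly attributes. As an added example (not part of CodeQL or of this changelog), the Go program below sets a session cookie without and with those attributes and inspects the resulting Set-Cookie header; the handler names, URL and token value are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// weakLogin (hypothetical handler) sets a session cookie with neither
// Secure nor HttpOnly, so both fields default to false.
func weakLogin(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "constructed-token", Path: "/"})
}

// hardenedLogin (hypothetical handler) sets the same cookie with both attributes.
func hardenedLogin(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    "constructed-token",
		Path:     "/",
		Secure:   true, // only sent over HTTPS
		HttpOnly: true, // not readable by page scripts
		SameSite: http.SameSiteLaxMode,
	})
}

// missingCookieFlags runs the handler once against a constructed request and
// reports, for each cookie it sets, which of Secure and HttpOnly are absent.
func missingCookieFlags(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "https://app.example/login", nil))
	var findings []string
	for _, c := range rec.Result().Cookies() {
		if !c.Secure {
			findings = append(findings, c.Name+": Secure not set")
		}
		if !c.HttpOnly {
			findings = append(findings, c.Name+": HttpOnly not set")
		}
	}
	return findings
}

func main() {
	fmt.Println("weak:", missingCookieFlags(weakLogin))
	fmt.Println("hardened:", missingCookieFlags(hardenedLogin))
}
```

A check like this can run as a unit test alongside the static queries, since it examines the header the handler actually emits.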
Rust
Added a new query rust/xss, to detect cross-site scripting security vulnerabilities.
Added a new query rust/disabled-certificate-check, to detect disabled TLS certificate checks.
Added three example queries (rust/examples/empty-if, rust/examples/simple-sql-injection and rust/examples/simple-constant-password) to help developers learn to write CodeQL queries for Rust.
Language Libraries
Bug Fixes
Python
Fixed a bug in the Python extractor’s import handling where failing to find an import in find_module would cause a KeyError to be raised. (Contributed by @akoeplinger.)
Breaking Changes
Rust
The type DataFlow::Node is now based directly on the AST instead of the CFG, which means that predicates like asExpr() return AST nodes instead of CFG nodes.
Minor Analysis Improvements
C/C++
The class DataFlow::FieldContent now covers both union and struct/class types. A new predicate FieldContent.getAField has been added to access the union members associated with the FieldContent. The old FieldContent has been renamed to NonUnionFieldContent.
C#
Improved stability when downloading .NET versions by setting appropriate environment variables for dotnet commands. The correct architecture-specific version of .NET is now downloaded on ARM runners.
Compilation errors are now included in the debug log when using build-mode none.
Added a new extractor option to specify a custom directory for dependency downloads in buildless mode. Use -O buildless_dependency_dir=<path> to configure the target directory.
JavaScript/TypeScript
JavaScript DataFlow::globalVarRef now recognizes document.defaultView as an alias of window, allowing flows such as document.defaultView.history.pushState(...) to be modeled and found by queries relying on globalVarRef("history").
Rust
Added more detailed models for std::fs and std::path.
Deprecated APIs
Java/Kotlin
The SSA interface has been updated and all classes and several predicates have been renamed. See the qldoc for more specific migration information.