From 84b50606ed1b4f6f4236732d9d36d61e3cf6065f Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 6 Nov 2025 17:31:16 +0000 Subject: [PATCH 01/15] Rust: Add example queries pack. --- docs/codeql/reusables/rust-further-reading.rst | 1 + rust/ql/examples/qlpack.lock.yml | 4 ++++ rust/ql/examples/qlpack.yml | 7 +++++++ 3 files changed, 12 insertions(+) create mode 100644 rust/ql/examples/qlpack.lock.yml create mode 100644 rust/ql/examples/qlpack.yml diff --git a/docs/codeql/reusables/rust-further-reading.rst b/docs/codeql/reusables/rust-further-reading.rst index a82dee7f28e..c8d18cc77b0 100644 --- a/docs/codeql/reusables/rust-further-reading.rst +++ b/docs/codeql/reusables/rust-further-reading.rst @@ -1,2 +1,3 @@ - `CodeQL queries for Rust `__ +- `Example queries for Rust `__ - `CodeQL library reference for Rust `__ diff --git a/rust/ql/examples/qlpack.lock.yml b/rust/ql/examples/qlpack.lock.yml new file mode 100644 index 00000000000..06dd07fc7dc --- /dev/null +++ b/rust/ql/examples/qlpack.lock.yml @@ -0,0 +1,4 @@ +--- +dependencies: {} +compiled: false +lockVersion: 1.0.0 diff --git a/rust/ql/examples/qlpack.yml b/rust/ql/examples/qlpack.yml new file mode 100644 index 00000000000..41adabd2c70 --- /dev/null +++ b/rust/ql/examples/qlpack.yml @@ -0,0 +1,7 @@ +name: codeql/rust-examples +groups: + - rust + - examples +dependencies: + codeql/rust-all: ${workspace} +warnOnImplicitThis: true From 6ce0a0d9df53a2f9b90d962b57e8c7615b4ce887 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 6 Nov 2025 17:50:59 +0000 Subject: [PATCH 02/15] Rust: Add example from the basic-query-for-rust-code.rst. --- rust/ql/examples/snippets/empty_if.ql | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 rust/ql/examples/snippets/empty_if.ql diff --git a/rust/ql/examples/snippets/empty_if.ql b/rust/ql/examples/snippets/empty_if.ql new file mode 100644 index 00000000000..a4270a115b6 --- /dev/null +++ b/rust/ql/examples/snippets/empty_if.ql @@ -0,0 +1,15 @@ +/** + * @name Empty 'if' statement + * @description Finds 'if' statements where the "then" branch is empty and no + * "else" branch exists. + * @id rust/examples/empty-if + * @tags example + */ + +import rust + +from IfExpr ifExpr +where + ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0 and + not exists(ifExpr.getElse()) +select ifExpr, "This 'if' expression is redundant." From 49aefe2110fbee92a96084b2ad59b33205c8095b Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 6 Nov 2025 18:49:55 +0000 Subject: [PATCH 03/15] Rust: Add simple SQL injection example. --- .../examples/snippets/simple_sql_injection.ql | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rust/ql/examples/snippets/simple_sql_injection.ql diff --git a/rust/ql/examples/snippets/simple_sql_injection.ql b/rust/ql/examples/snippets/simple_sql_injection.ql new file mode 100644 index 00000000000..fd59ddd4c3e --- /dev/null +++ b/rust/ql/examples/snippets/simple_sql_injection.ql @@ -0,0 +1,30 @@ +/** + * @name Database query built from user-controlled sources + * @description Finds places where a value from a remote or local user input + * is used as an argument to the `sqlx_core::query::query` + * function. + * @id rust/examples/simple-sql-injection + * @tags example + */ + +import rust +import codeql.rust.dataflow.DataFlow +import codeql.rust.dataflow.TaintTracking +import codeql.rust.Concepts + +module SqlInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource } + + predicate isSink(DataFlow::Node node) { + exists(CallExpr call | + call.getStaticTarget().getCanonicalPath() = "sqlx_core::query::query" and + call.getArg(0) = node.asExpr().getExpr() + ) + } +} + +module SqlInjectionFlow = TaintTracking::Global; + +from DataFlow::Node sourceNode, DataFlow::Node sinkNode +where SqlInjectionFlow::flow(sourceNode, sinkNode) +select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value" From 7b6e06e8de164fd7b7948262c54e8da16838f25f Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 7 Nov 2025 13:30:53 +0000 Subject: [PATCH 04/15] Rust: Add simple constant password example. --- .../snippets/simple_constant_password.ql | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rust/ql/examples/snippets/simple_constant_password.ql diff --git a/rust/ql/examples/snippets/simple_constant_password.ql b/rust/ql/examples/snippets/simple_constant_password.ql new file mode 100644 index 00000000000..87b7603ba1b --- /dev/null +++ b/rust/ql/examples/snippets/simple_constant_password.ql @@ -0,0 +1,30 @@ +/** + * @name Constant password + * @description Finds places where a string literal is used in a function call + * argument named something like "password". + * @id rust/examples/simple-constant-password + * @tags example + */ + +import rust +import codeql.rust.dataflow.DataFlow +import codeql.rust.dataflow.TaintTracking + +module ConstantPasswordConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { node.asExpr().getExpr() instanceof StringLiteralExpr } + + predicate isSink(DataFlow::Node node) { + // `node` is an argument whose corresponding parameter name matches the pattern "pass%" + exists(CallExpr call, Function target, int argIndex | + call.getStaticTarget() = target and + target.getParam(argIndex).getPat().(IdentPat).getName().getText().matches("pass%") and + call.getArg(argIndex) = node.asExpr().getExpr() + ) + } +} + +module ConstantPasswordFlow = TaintTracking::Global; + +from DataFlow::Node sourceNode, DataFlow::Node sinkNode +where ConstantPasswordFlow::flow(sourceNode, sinkNode) +select sinkNode, "The value $@ is used as a constant password.", sourceNode, sourceNode.toString() From 7e3ab99d6b49856c7c2b0dee6c3939e6543f2b22 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 7 Nov 2025 13:48:03 +0000 Subject: [PATCH 05/15] Rust: Add much more detailed code comments, since these are examples. --- rust/ql/examples/snippets/empty_if.ql | 3 +++ .../snippets/simple_constant_password.ql | 21 +++++++++++++++++-- .../examples/snippets/simple_sql_injection.ql | 15 ++++++++++--- 3 files changed, 34 insertions(+), 5 deletions(-) diff --git a/rust/ql/examples/snippets/empty_if.ql b/rust/ql/examples/snippets/empty_if.ql index a4270a115b6..5a4a62e41b6 100644 --- a/rust/ql/examples/snippets/empty_if.ql +++ b/rust/ql/examples/snippets/empty_if.ql @@ -8,8 +8,11 @@ import rust +// find 'if' statements... from IfExpr ifExpr where + // where the 'then' branch is empty ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0 and + // and no 'else' branch exists not exists(ifExpr.getElse()) select ifExpr, "This 'if' expression is redundant." diff --git a/rust/ql/examples/snippets/simple_constant_password.ql b/rust/ql/examples/snippets/simple_constant_password.ql index 87b7603ba1b..202029994f4 100644 --- a/rust/ql/examples/snippets/simple_constant_password.ql +++ b/rust/ql/examples/snippets/simple_constant_password.ql @@ -1,7 +1,7 @@ /** * @name Constant password * @description Finds places where a string literal is used in a function call - * argument named something like "password". + * argument that looks like a password. * @id rust/examples/simple-constant-password * @tags example */ @@ -10,8 +10,23 @@ import rust import codeql.rust.dataflow.DataFlow import codeql.rust.dataflow.TaintTracking +/** + * A data flow configuration for tracking flow from a string literal to a function + * call argument that looks like a password. For example: + * ``` + * fn set_password(password: &str) { ... } + * + * ... + * + * let pwd = "123456"; // source + * set_password(pwd); // sink (argument 0) + * ``` + */ module ConstantPasswordConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node.asExpr().getExpr() instanceof StringLiteralExpr } + predicate isSource(DataFlow::Node node) { + // `node` is a string literal + node.asExpr().getExpr() instanceof StringLiteralExpr + } predicate isSink(DataFlow::Node node) { // `node` is an argument whose corresponding parameter name matches the pattern "pass%" @@ -23,8 +38,10 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig { } } +// instantiate the data flow configuration as a global taint tracking module module ConstantPasswordFlow = TaintTracking::Global; +// report flows from sources to sinks from DataFlow::Node sourceNode, DataFlow::Node sinkNode where ConstantPasswordFlow::flow(sourceNode, sinkNode) select sinkNode, "The value $@ is used as a constant password.", sourceNode, sourceNode.toString() diff --git a/rust/ql/examples/snippets/simple_sql_injection.ql b/rust/ql/examples/snippets/simple_sql_injection.ql index fd59ddd4c3e..0a991118a50 100644 --- a/rust/ql/examples/snippets/simple_sql_injection.ql +++ b/rust/ql/examples/snippets/simple_sql_injection.ql @@ -1,8 +1,7 @@ /** * @name Database query built from user-controlled sources * @description Finds places where a value from a remote or local user input - * is used as an argument to the `sqlx_core::query::query` - * function. + * is used as the first argument of a call to `sqlx_core::query::query`. * @id rust/examples/simple-sql-injection * @tags example */ @@ -12,10 +11,18 @@ import codeql.rust.dataflow.DataFlow import codeql.rust.dataflow.TaintTracking import codeql.rust.Concepts +/** + * A data flow configuration for tracking flow from a user input (threat model + * source) to the first argument of a call to `sqlx_core::query::query`. + */ module SqlInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource } + predicate isSource(DataFlow::Node node) { + // `node` is a user input (threat model source) + node instanceof ActiveThreatModelSource + } predicate isSink(DataFlow::Node node) { + // `node` is the first argument of a call to `sqlx_core::query::query` exists(CallExpr call | call.getStaticTarget().getCanonicalPath() = "sqlx_core::query::query" and call.getArg(0) = node.asExpr().getExpr() @@ -23,8 +30,10 @@ module SqlInjectionConfig implements DataFlow::ConfigSig { } } +// instantiate the data flow configuration as a global taint tracking module module SqlInjectionFlow = TaintTracking::Global; +// report flows from sources to sinks from DataFlow::Node sourceNode, DataFlow::Node sinkNode where SqlInjectionFlow::flow(sourceNode, sinkNode) select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value" From 61481b51e7bed367aca37893e4019f4d67343552 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 7 Nov 2025 16:52:56 +0000 Subject: [PATCH 06/15] Rust: Change note. --- rust/ql/src/change-notes/2025-11-07-example-queries.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 rust/ql/src/change-notes/2025-11-07-example-queries.md diff --git a/rust/ql/src/change-notes/2025-11-07-example-queries.md b/rust/ql/src/change-notes/2025-11-07-example-queries.md new file mode 100644 index 00000000000..9e11d4e0a93 --- /dev/null +++ b/rust/ql/src/change-notes/2025-11-07-example-queries.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added three example queries (`rust/examples/empty-if`, `rust/examples/simple-sql-injection` and `rust/examples/simple-constant-password`) to help developers learn to write CodeQL queries for Rust. From 4b212239e10fc87efe0c001316354da11a1fa3fb Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 10 Nov 2025 12:35:39 +0000 Subject: [PATCH 07/15] Rust: Remove unnecessary .(BlockExpr). --- rust/ql/examples/snippets/empty_if.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/examples/snippets/empty_if.ql b/rust/ql/examples/snippets/empty_if.ql index 5a4a62e41b6..90df6b95b22 100644 --- a/rust/ql/examples/snippets/empty_if.ql +++ b/rust/ql/examples/snippets/empty_if.ql @@ -12,7 +12,7 @@ import rust from IfExpr ifExpr where // where the 'then' branch is empty - ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0 and + ifExpr.getThen().getStmtList().getNumberOfStmtOrExpr() = 0 and // and no 'else' branch exists not exists(ifExpr.getElse()) select ifExpr, "This 'if' expression is redundant." From 109abddc36d4ef6c12a049427d7bfced6a3b7be0 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 11 Nov 2025 09:32:14 +0000 Subject: [PATCH 08/15] Apply suggestions from code review Co-authored-by: Simon Friis Vindum --- rust/ql/examples/snippets/empty_if.ql | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rust/ql/examples/snippets/empty_if.ql b/rust/ql/examples/snippets/empty_if.ql index 90df6b95b22..f2183945979 100644 --- a/rust/ql/examples/snippets/empty_if.ql +++ b/rust/ql/examples/snippets/empty_if.ql @@ -1,6 +1,6 @@ /** - * @name Empty 'if' statement - * @description Finds 'if' statements where the "then" branch is empty and no + * @name Empty 'if' expression + * @description Finds 'if' expressions where the "then" branch is empty and no * "else" branch exists. * @id rust/examples/empty-if * @tags example @@ -8,11 +8,11 @@ import rust -// find 'if' statements... +// find 'if' expressions... from IfExpr ifExpr where // where the 'then' branch is empty ifExpr.getThen().getStmtList().getNumberOfStmtOrExpr() = 0 and // and no 'else' branch exists - not exists(ifExpr.getElse()) + not ifExpr.hasElse() select ifExpr, "This 'if' expression is redundant." From 95987724773aed10a41d99eff43b87425e571ee0 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 12 Nov 2025 14:37:45 +0000 Subject: [PATCH 09/15] Update rust/ql/examples/snippets/simple_constant_password.ql Co-authored-by: Tom Hvitved --- rust/ql/examples/snippets/simple_constant_password.ql | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rust/ql/examples/snippets/simple_constant_password.ql b/rust/ql/examples/snippets/simple_constant_password.ql index 202029994f4..1f0e0a8e101 100644 --- a/rust/ql/examples/snippets/simple_constant_password.ql +++ b/rust/ql/examples/snippets/simple_constant_password.ql @@ -30,9 +30,10 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node node) { // `node` is an argument whose corresponding parameter name matches the pattern "pass%" - exists(CallExpr call, Function target, int argIndex | + exists(CallExpr call, Function target, int argIndex, Variable v | call.getStaticTarget() = target and - target.getParam(argIndex).getPat().(IdentPat).getName().getText().matches("pass%") and + v.getParameter() = target.getParam(argIndex) and + v.getText().matches("pass%") and call.getArg(argIndex) = node.asExpr().getExpr() ) } From f1b12203f60dde4f2e1a14581a4b64879ac88857 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 17 Nov 2025 14:10:08 +0100 Subject: [PATCH 10/15] C#: Add compilation errors to the debug log in BMN. --- .../Extractor/Analyser.cs | 17 +++++++++++++++++ .../Extractor/StandaloneAnalyser.cs | 9 +++++++++ .../Extractor/TracingAnalyser.cs | 15 ++------------- 3 files changed, 28 insertions(+), 13 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs index 1ba8827c9d2..6701f993ac6 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs @@ -360,5 +360,22 @@ namespace Semmle.Extraction.CSharp return versionString.InformationalVersion; } } + + private static readonly HashSet errorsToIgnore = new HashSet + { + "CS7027", // Code signing failure + "CS1589", // XML referencing not supported + "CS1569" // Error writing XML documentation + }; + + /// + /// Retrieves the diagnostics from the compilation, filtering out those that should be ignored. + /// + protected List GetFilteredDiagnostics() => + compilation is not null + ? compilation.GetDiagnostics() + .Where(e => e.Severity >= DiagnosticSeverity.Error && !errorsToIgnore.Contains(e.Id)) + .ToList() + : []; } } diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs index ff3c2889bc9..b940b02cb5c 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs @@ -13,6 +13,14 @@ namespace Semmle.Extraction.CSharp { } + private void LogDiagnostics() + { + foreach (var error in GetFilteredDiagnostics()) + { + Logger.LogDebug($" Compilation error: {error}"); + } + } + public void Initialize(string outputPath, IEnumerable<(string, string)> compilationInfos, CSharpCompilation compilationIn, CommonOptions options) { compilation = compilationIn; @@ -20,6 +28,7 @@ namespace Semmle.Extraction.CSharp this.options = options; LogExtractorInfo(); SetReferencePaths(); + LogDiagnostics(); } } } diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs index 8a9856f1d31..9f2a1256f1a 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs @@ -136,11 +136,7 @@ namespace Semmle.Extraction.CSharp private int LogDiagnostics() { - var filteredDiagnostics = compilation! - .GetDiagnostics() - .Where(e => e.Severity >= DiagnosticSeverity.Error && !errorsToIgnore.Contains(e.Id)) - .ToList(); - + var filteredDiagnostics = GetFilteredDiagnostics(); foreach (var error in filteredDiagnostics) { Logger.LogError($" Compilation error: {error}"); @@ -148,7 +144,7 @@ namespace Semmle.Extraction.CSharp if (filteredDiagnostics.Count != 0) { - foreach (var reference in compilation.References) + foreach (var reference in compilation!.References) { Logger.LogInfo($" Resolved reference {reference.Display}"); } @@ -156,12 +152,5 @@ namespace Semmle.Extraction.CSharp return filteredDiagnostics.Count; } - - private static readonly HashSet errorsToIgnore = new HashSet - { - "CS7027", // Code signing failure - "CS1589", // XML referencing not supported - "CS1569" // Error writing XML documentation - }; } } From 9f69ff22d324076dfd60b8b7bdf8382bb3915852 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 17 Nov 2025 14:12:19 +0100 Subject: [PATCH 11/15] C#: Add change-note. --- csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md diff --git a/csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md b/csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md new file mode 100644 index 00000000000..082f4562615 --- /dev/null +++ b/csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Compilation errors are now included in the debug log when using build-mode none. From 47ac4dd1dcdaab4f6cbd0312a63df060225747e0 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 17 Nov 2025 19:21:37 +0000 Subject: [PATCH 12/15] C++: Add 'nomagic' to 'getParameter'. --- cpp/ql/lib/semmle/code/cpp/Function.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/Function.qll b/cpp/ql/lib/semmle/code/cpp/Function.qll index 8ddb07a868e..10b156e3fb6 100644 --- a/cpp/ql/lib/semmle/code/cpp/Function.qll +++ b/cpp/ql/lib/semmle/code/cpp/Function.qll @@ -171,12 +171,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function { * Gets the nth parameter of this function. There is no result for the * implicit `this` parameter, and there is no `...` varargs pseudo-parameter. */ + pragma[nomagic] Parameter getParameter(int n) { params(unresolveElement(result), underlyingElement(this), n, _) } /** * Gets a parameter of this function. There is no result for the implicit * `this` parameter, and there is no `...` varargs pseudo-parameter. */ + pragma[nomagic] Parameter getAParameter() { params(unresolveElement(result), underlyingElement(this), _, _) } /** From 63390be18583b27cd03f47d09eedf5df87f113bc Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 17 Nov 2025 14:24:35 -0600 Subject: [PATCH 13/15] Changedocs for 2.23.5 --- .../codeql-changelog/codeql-cli-2.23.1.rst | 4 +- .../codeql-changelog/codeql-cli-2.23.5.rst | 134 ++++++++++++++++++ .../codeql-changelog/index.rst | 1 + 3 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index ff22a3f647c..27f1eee84ed 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__\ ! Python """""" @@ -126,7 +126,7 @@ Golang """""" * The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go. -* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning. +* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning. Java/Kotlin """"""""""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst new file mode 100644 index 00000000000..9022a09444f --- /dev/null +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst @@ -0,0 +1,134 @@ +.. _codeql-cli-2.23.5: + +========================== +CodeQL 2.23.5 (2025-11-13) +========================== + +.. contents:: Contents + :depth: 2 + :local: + :backlinks: none + +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__. + +Security Coverage +----------------- + +CodeQL 2.23.5 runs a total of 483 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 3 security queries have been added with this release. + +CodeQL CLI +---------- + +Breaking Changes +~~~~~~~~~~~~~~~~ + +* In order to make a :code:`@kind path-problem` query diff-informed, the :code:`getASelectedSourceLocation` and :code:`getASelectedSinkLocation` predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink *in addition to* any other locations that are selected by the query. See the `QLdoc `__ for more details. + +Query Packs +----------- + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* the :code:`cs/web/missing-x-frame-options` query now correctly handles configuration nested in root :code:`` elements. + +Java/Kotlin +""""""""""" + +* Calls to :code:`String.matches` are now treated as sanitizers for the :code:`java/ssrf` query. + +Python +"""""" + +* The :code:`py/insecure-cookie` query has been split into multiple queries; with :code:`py/insecure-cookie` checking for cases in which :code:`Secure` flag is not set, :code:`py/client-exposed-cookie` checking for cases in which the :code:`HttpOnly` flag is not set, and the :code:`py/samesite-none` query checking for cases in which the :code:`SameSite` attribute is set to :code:`None`. These queries also now only alert for cases in which the cookie is detected to contain sensitive data. + +Rust +"""" + +* The "Low Rust analysis quality" query (:code:`rust/diagnostic/database-quality`), used by the tool status page, has been extended with a measure of successful type inference. + +New Queries +~~~~~~~~~~~ + +Java/Kotlin +""""""""""" + +* The :code:`java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack. +* Added a new query, :code:`java/escaping`, to detect values escaping from classes marked as :code:`@ThreadSafe`. +* Added a new query, :code:`java/not-threadsafe`, to detect data races in classes marked as :code:`@ThreadSafe`. +* Added a new query, :code:`java/safe-publication`, to detect unsafe publication in classes marked as :code:`@ThreadSafe`. + +Language Libraries +------------------ + +Breaking Changes +~~~~~~~~~~~~~~~~ + +Swift +""""" + +* The :code:`OpenedArchetypeType` class has been renamed as :code:`ExistentialArchetypeType`. +* The :code:`OtherAvailabilitySpec` class has been removed. Use :code:`AvailabilitySpec::isWildcard` instead. +* The :code:`PlatformVersionAvailabilitySpec` has been removed. Use :code:`AvailabilitySpec::getPlatform` and :code:`AvailabilitySpec::getVersion` instead. + +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions, for example, improved precision has been observed for :code:`cs/inefficient-containskey` and :code:`cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: :code:`cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, :code:`cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, :code:`cs/dereferenced-value-may-be-null` has been changed from a :code:`path-problem` query to a :code:`problem` query, so paths are no longer reported for this query. + +Swift +""""" + +* Upgraded to allow analysis of Swift 6.2. +* Support for experimental Embedded Swift has been dropped. + +Rust +"""" + +* Resolution of calls to functions has been improved in a number of ways, to make it more aligned with the behavior of the Rust compiler. This may impact queries that rely on call resolution, such as data flow queries. +* Added basic models for the :code:`actix-web` web framework. + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* Added tracer support for macOS and Linux when the .NET CLI (:code:`dotnet`) directly invokes the C# compiler (:code:`csc`). This enhancement provides basic tracing and extraction capabilities for .NET 10 RC2 on these platforms. +* The extraction of location information for source code entities has been updated to use star IDs (:code:`*` IDs). This change should be transparent to end-users but may improve extraction performance in some cases by reducing TRAP file size and eliminating overhead from location de-duplication. + +Rust +"""" + +* Added :code:`ExtractedFile::hasSemantics` and :code:`ExtractedFile::isSkippedByCompilation` predicates. +* Generalized some existing models to improve data flow. +* Added models for the :code:`mysql` and :code:`mysql_async` libraries. + +Deprecated APIs +~~~~~~~~~~~~~~~ + +C# +"" + +* The class :code:`AbstractValue` in the :code:`Guards` library has been deprecated and replaced with the class :code:`GuardValue`. + +New Features +~~~~~~~~~~~~ + +Python +"""""" + +* Initial support for incremental Python databases via :code:`codeql database create --overlay-base`\ /\ :code:`--overlay-changes`. + +Swift +""""" + +* Added AST nodes :code:`UsingDecl`, :code:`UnsafeExpr`, and :code:`InlineArrayType` that correspond to new nodes in Swift 6.2. +* Added new predicates :code:`isDistributedGet`, :code:`isRead2`, :code:`isModify2`, and :code:`isInit` to the :code:`Accessor` class that correspond to new accessors in Swift 6.2. +* Added a new predicate :code:`isApply` to the :code:`KeyPathComponent` class that corresponds to method and initializer key path components in Swift 6.2. diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst index 4b3e1f5bb98..e48181dc026 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/index.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst @@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here Date: Mon, 17 Nov 2025 14:30:45 -0600 Subject: [PATCH 14/15] adding in 2.23.1 changes so they stay the same --- .../codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index 27f1eee84ed..78e5e367bce 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__\ ! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__ ! Python """""" @@ -126,7 +126,7 @@ Golang """""" * The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go. -* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning. +* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning. Java/Kotlin """"""""""" From d685e666b4ee597daba921ae12c3a4e10a3a0640 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 17 Nov 2025 14:32:04 -0600 Subject: [PATCH 15/15] missing space --- .../codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index 78e5e367bce..ff22a3f647c 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__ ! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__! Python """"""