hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into patch-1

Browse Source
This commit is contained in:
Kasper Svendsen
2025-10-07 12:59:56 +02:00
committed by GitHub
parent adf01e76cd c809cce170
commit 74fb46c849
2787 changed files with 152070 additions and 48759 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
docs/codeql/_static/custom.css_t
View File

@@ -1,7 +1,7 @@
/*
* This Sphinx stylesheet adds some customizations to the default Alabaster theme.
*
* The source for the default stylesheet can be found at
*
* The source for the default stylesheet can be found at
* https://github.com/bitprophet/alabaster/blob/master/alabaster/static/alabaster.css_t
*
* For the classes provided by the primer, see https://unpkg.com/@primer/css/dist/primer.css
@@ -45,7 +45,7 @@ article ul, article ol {
}
.SideNav li {
margin: 10px 0 10px 0px;
margin: 10px 0 10px 0px;
}
.SideNav ul, .SideNav ol, .SideNav li {
@@ -80,20 +80,20 @@ a.reference {
}
a.reference:hover {
text-decoration: none;
text-decoration: none;
}
/* -- ADMONITIONS ---------------------------------------------------------------------------- */
/*
* Override default styling for "admonitions".
/*
* Override default styling for "admonitions".
* This includes: note, tip, important, and caution.
*
*/
div.admonition p.admonition-title {
div.admonition p.admonition-title {
/* Make title same size and font as body, but bold. */
font-family: Lato, sans-serif;
font-family: Lato, sans-serif;
font-size: 14px;
font-weight: bold;
}
@@ -102,7 +102,7 @@ p.admonition-title:after {
content: ""; /* Don't insert a colon after the title */
}
/*
/*
* Don't use yellow for footnote background.
*
*/
@@ -111,7 +111,7 @@ p.admonition-title:after {
background-color: unset;
}
/*
/*
* Add a border with rounded corners around code blocks
* (as in the QL language spec).
*
@@ -198,7 +198,7 @@ blockquote.pull-quote {
background-color: #EEE;
border: #CCC;
border-radius: 5px;
}
}
blockquote.pull-quote:first-line {
font-weight: bold;
@@ -230,6 +230,11 @@ blockquote.pull-quote > :last-child {
font-family: "monospace";
}
/* Fixes a bug in "Supported languages and frameworks" where footnotes were incorrectly indented */
aside .label {
border: 0;
}
/* -- PRINT VIEW ----------------------------------------------------------------------------*/
@media print {
@@ -252,14 +257,14 @@ blockquote.pull-quote > :last-child {
/* -- SMALL SCREEN ------------------------------------------------------------------------------- */
@media screen and (max-width: 875px) {
@media screen and (max-width: 875px) {
/* Overrides strange behaviour caused by default styles */
body {
padding: 0;
}
}
div.footer {
display: block;
}

2
docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst
View File

@@ -74,7 +74,7 @@ To use the starter workspace:
* Make sure you include the submodules, either by using ``git clone --recursive``, or using by ``git submodule update --init --remote`` after cloning.
* Use ``git submodule update --remote`` regularly to keep the submodules up to date.
#. In VS Code, use the **File** > **Open Workspace** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository.
#. In VS Code, use the **File** > **Open Workspace from File** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository.
Remember to update the ``ql`` submodule in the starter workspace periodically to ensure that it remains compatible with newer versions of the VS Code extension and the CodeQL CLI.

131
docs/codeql/codeql-language-guides/basic-query-for-rust-code.rst Normal file
View File

@@ -0,0 +1,131 @@
.. _basic-query-for-rust-code:
Basic query for Rust code
==========================
Learn to write and run a simple CodeQL query using Visual Studio Code with the CodeQL extension.
.. include:: ../reusables/vs-code-basic-instructions/setup-to-run-queries.rst
About the query
---------------
The query we're going to run performs a basic search of the code for ``if`` expressions that are redundant, in the sense that they have an empty ``then`` branch. For example, code such as:
.. code-block:: rust
if error {
// we should handle the error
}
.. include:: ../reusables/vs-code-basic-instructions/find-database.rst
Running a quick query
---------------------
.. include:: ../reusables/vs-code-basic-instructions/run-quick-query-1.rst
#. In the quick query tab, delete the content and paste in the following query.
.. code-block:: ql
import rust
from IfExpr ifExpr
where ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0
select ifExpr, "This 'if' expression is redundant."
.. include:: ../reusables/vs-code-basic-instructions/run-quick-query-2.rst
.. image:: ../images/codeql-for-visual-studio-code/basic-rust-query-results-1.png
:align: center
If any matching code is found, click a link in the ``ifExpr`` column to open the file and highlight the matching ``if`` expression.
.. image:: ../images/codeql-for-visual-studio-code/basic-rust-query-results-2.png
:align: center
.. include:: ../reusables/vs-code-basic-instructions/note-store-quick-query.rst
About the query structure
~~~~~~~~~~~~~~~~~~~~~~~~~
After the initial ``import`` statement, this simple query comprises three parts that serve similar purposes to the FROM, WHERE, and SELECT parts of an SQL query.
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
| Query part | Purpose | Details |
+==================================================================================+===================================================================================================================+======================================================================================================+
| ``import rust`` | Imports the standard CodeQL AST libraries for Rust. | Every query begins with one or more ``import`` statements. |
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
| ``from IfExpr ifExpr`` | Defines the variables for the query. | We use: an ``IfExpr`` variable for ``if`` expressions. |
| | Declarations are of the form: | |
| | ``<type> <variable name>`` | |
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
| ``where ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0`` | Defines a condition on the variables. | ``ifExpr.getThen()``: gets the ``then`` branch of the ``if`` expression. |
| | | ``.(BlockExpr)``: requires that the ``then`` branch is a block expression (``{ }``). |
| | | ``.getStmtList()``: gets the list of things in the block. |
| | | ``.getNumberOfStmtOrExpr() = 0``: requires that there are no statements or expressions in the block. |
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
| ``select ifExpr, "This 'if' expression is redundant."`` | Defines what to report for each match. | Reports the resulting ``if`` expression with a string that explains the problem. |
| | | |
| | ``select`` statements for queries that are used to find instances of poor coding practice are always in the form: | |
| | ``select <program element>, "<alert message>"`` | |
+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
Extend the query
----------------
Query writing is an inherently iterative process. You write a simple query and then, when you run it, you discover examples that you had not previously considered, or opportunities for improvement.
Remove false positive results
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Browsing the results of our basic query shows that it could be improved. Among the results you are likely to find examples of ``if`` expressions with an ``else`` branch, where an empty ``then`` branch does serve a purpose. For example:
.. code-block:: rust
if (option == "-verbose") {
// nothing to do - handled earlier
} else {
handleError("unrecognized option")
}
In this case, identifying the ``if`` expression with the empty ``then`` branch as redundant is a false positive. One solution to this is to modify the query to select ``if`` expressions where both the ``then`` and ``else`` branches are missing.
To exclude ``if`` expressions that have an ``else`` branch:
#. Add the following to the where clause:
.. code-block:: ql
and not exists(ifExpr.getElse())
The ``where`` clause is now:
.. code-block:: ql
where
ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0 and
not exists(ifExpr.getElse())
#. Re-run the query.
There are now fewer results because ``if`` expressions with an ``else`` branch are no longer included.
Further reading
---------------
.. include:: ../reusables/rust-further-reading.rst
.. include:: ../reusables/codeql-ref-tools-further-reading.rst
.. Article-specific substitutions for the reusables used in docs/codeql/reusables/vs-code-basic-instructions
.. |language-text| replace:: Rust
.. |language-code| replace:: ``rust``
.. |example-url| replace:: https://github.com/rust-lang/rustlings
.. |image-quick-query| image:: ../images/codeql-for-visual-studio-code/quick-query-tab-rust.png
.. |result-col-1| replace:: The first column corresponds to the expression ``ifExpr`` and is linked to the location in the source code of the project where ``ifExpr`` occurs.

4
docs/codeql/codeql-language-guides/codeql-for-rust.rst
View File

@@ -9,8 +9,12 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
.. toctree::
:hidden:
basic-query-for-rust-code
codeql-library-for-rust
analyzing-data-flow-in-rust
- :doc:`Basic query for Rust code <basic-query-for-rust-code>`: Learn to write and run a simple CodeQL query.
- :doc:`CodeQL library for Rust <codeql-library-for-rust>`: When analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
- :doc:`Analyzing data flow in Rust <analyzing-data-flow-in-rust>`: You can use CodeQL to track the flow of data through a Rust program to places where the data is used.

2
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst
View File

@@ -79,4 +79,4 @@ JavaScript/TypeScript
* Added taint-steps for :code:`Array.prototype.toReversed`.
* Added taint-steps for :code:`Array.prototype.toSorted`.
* Added support for :code:`String.prototype.matchAll`.
* Added taint-steps for :code:`Array.prototype.reverse`.
* Added taint-steps for :code:`Array.prototype.reverse`\

6
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst
View File

@@ -117,8 +117,8 @@ Java/Kotlin
* Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead.
* Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead.
* Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead.
* Deleted a lot of deprecated classes ending in ``*Access``, use the corresponding ``*Call`` classes instead.
* Deleted a lot of deprecated predicates ending in ``*Access``, use the corresponding ``*Call`` predicates instead.
* Deleted a lot of deprecated classes ending in :code:`*Access`, use the corresponding :code:`*Call` classes instead.
* Deleted a lot of deprecated predicates ending in :code:`*Access`, use the corresponding :code:`*Call` predicates instead.
* Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead.
* Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead.
@@ -144,7 +144,7 @@ Ruby
* Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead.
* Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead.
* Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`.
* Deleted a lot of deprecated dataflow modules from ``*Query.qll`` files.
* Deleted a lot of deprecated dataflow modules from :code:`*Query.qll` files.
* Deleted the old deprecated TypeTracking library.
Swift

2
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst
View File

@@ -207,5 +207,5 @@ JavaScript/TypeScript
* Intersection :code:`&&`
* Subtraction :code:`--`
* :code:`\\q` quoted string
* :code:`\q` quoted string

2
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.4.rst
View File

@@ -38,7 +38,7 @@ Minor Analysis Improvements
C/C++
"""""
* Added flow model for the :code:`SQLite` and :code:`OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
* Added flow models for the :code:`SQLite` and :code:`OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
C#
""

2
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.0.rst
View File

@@ -50,7 +50,7 @@ New Queries
Golang
""""""
* Query (:code:`go/html-template-escaping-bypass-xss`) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the :code:`html/template` package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in `https://github.com/github/codeql-go/pull/493 <https://github.com/github/codeql-go/pull/493>`_.
* Query (:code:`go/html-template-escaping-bypass-xss`) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the :code:`html/template` package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in https://github.com/github/codeql-go/pull/493.
Language Libraries
------------------

4
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.1.rst
View File

@@ -14,7 +14,7 @@ This is an overview of changes in the CodeQL CLI and relevant CodeQL query and l
Security Coverage
-----------------
CodeQL 2.22.1 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 129 queries (covering 33 more CWE).
CodeQL 2.22.1 runs a total of 476 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 129 queries (covering 32 more CWE). 27 security queries have been added with this release.
CodeQL CLI
----------
@@ -38,7 +38,7 @@ Minor Analysis Improvements
C/C++
"""""
* Added flow model for the following libraries: :code:`madler/zlib`, :code:`google/brotli`, :code:`libidn/libidn2`, :code:`libssh2/libssh2/`, :code:`nghttp2/nghttp2`, :code:`libuv/libuv/`, and :code:`curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
* Added flow models for the following libraries: :code:`madler/zlib`, :code:`google/brotli`, :code:`libidn/libidn2`, :code:`libssh2/libssh2`, :code:`nghttp2/nghttp2`, :code:`libuv/libuv`, and :code:`curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
C#
""

238
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.2.rst Normal file
View File

@@ -0,0 +1,238 @@
.. _codeql-cli-2.22.2:
==========================
CodeQL 2.22.2 (2025-07-29)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.22.2 runs a total of 474 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 130 queries (covering 32 more CWE).
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixes a bug in query suites where the :code:`version` property of an :code:`import` instruction was ignored. Previously, the following query suite would *not* resolve to :code:`v1.0.19` of :code:`codeql/csharp-queries`. Instead it would resolve to the latest version. This is now fixed and the resolve pack version would be :code:`v1.0.19`.
.. code-block:: text
- from: codeql/csharp-queries
import: codeql-suites/csharp-security-and-quality.qls
version: 1.0.19
Query Packs
-----------
Bug Fixes
~~~~~~~~~
C#
""
* :code:`web.config` and :code:`web.release.config` files are now recognized regardless of case. This means queries :code:`cs/web/debug-binary` and :code:`cs/web/missing-x-frame-options` may produce more results than before.
Breaking Changes
~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`Type` and :code:`Symbol` classes have been deprecated and will be empty in newly extracted databases, since the TypeScript extractor no longer populates them.
This is a breaking change for custom queries that explicitly relied on these classes.
Such queries will still compile, but with deprecation warnings, and may have different query results due to type information no longer being available.
We expect most custom queries will not be affected, however. If a custom query has no deprecation warnings, it should not be affected by this change.
Uses of :code:`getType()` should be rewritten to use the new :code:`getTypeBinding()` or :code:`getNameBinding()` APIs instead.
If the new API is not sufficient, please consider opening an issue in :code:`github/codeql` describing your use-case.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The TypeScript extractor no longer relies on the TypeScript compiler for extracting type information.
Instead, the information we need from types is now derived by an algorithm written in QL.
This results in more robust extraction with faster extraction times, in some cases significantly faster.
* Taint is now tracked through the React :code:`use` function.
* Parameters of React server functions, marked with the :code:`"use server"` directive, are now seen as taint sources.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Due to changes in the :code:`FunctionWithWrappers` library (:code:`semmle.code.cpp.security.FunctionWithWrappers`) the primary alert location generated by the queries :code:`cpp/path-injection`, :code:`cpp/sql-injection`, :code:`cpp/tainted-format-string`, and :code:`cpp/command-line-injection` may have changed.
* Added flow models for the Win32 API functions :code:`CreateThread`, :code:`CreateRemoteThread`, and :code:`CreateRemoteThreadEx`.
* Improved support for dataflow through function objects and lambda expressions.
* Added flow models for :code:`pthread_create` and :code:`std::thread`.
* The :code:`cpp/incorrect-string-type-conversion` query no longer alerts on incorrect type conversions that occur in unreachable code.
* Added flow models for the GNU C Library.
* Fixed a number of false positives and false negatives in :code:`cpp/global-use-before-init`. Note that this query is not part of any of the default query suites.
* The query :code:`cpp/sql-injection` now can be extended using the :code:`sql-injection` Models as Data (MaD) sink kind.
C#
""
* Explicitly added summary models for all overloads of :code:`System.Xml.XmlDictionaryReader.CreateBinaryReader`. Added models for some of the methods and properties in :code:`System.Runtime.Serialization.SerializationInfo` and :code:`System.Runtime.Serialization.SerializationInfoEnumerator`. Updated models for :code:`System.Text.Encoding.GetBytes`, :code:`System.Text.Encoding.GetChars` and the constructor for :code:`System.IO.MemoryStream`. This generally improves the library modelling and thus reduces the number of false negatives.
* Added explicit SQL injection Models as Data models for :code:`Microsoft.Data.SqlClient.SqlCommand` and :code:`Microsoft.Data.SqlClient.SqlDataAdapter`. This reduces false negatives for the query :code:`cs/sql-injection`.
Golang
""""""
* :code:`filepath.IsLocal` is now recognized as a sanitizer against path-traversal and related vulnerabilities.
Java/Kotlin
"""""""""""
* Java analysis of guards has been switched to use the new and improved shared guards library. This improves precision of a number of queries, in particular :code:`java/dereferenced-value-may-be-null`, which now has fewer false positives, and :code:`java/useless-null-check` and :code:`java/constant-comparison`, which gain additional true positives.
JavaScript/TypeScript
"""""""""""""""""""""
* Removed three queries from the JS qlpack, which have been superseded by newer queries that are part of the Actions qlpack:
* :code:`js/actions/pull-request-target` has been superseded by :code:`actions/untrusted-checkout/{medium,high,critical}`
* :code:`js/actions/actions-artifact-leak` has been superseded by :code:`actions/secrets-in-artifacts`
* :code:`js/actions/command-injection` has been superseded by :code:`actions/command-injection/{medium,critical}`
New Queries
~~~~~~~~~~~
Rust
""""
* Added a new query, :code:`rust/access-after-lifetime-ended`, for detecting pointer dereferences after the lifetime of the pointed-to object has ended.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* The JavaScript extractor no longer ignores source files specified in the :code:`tsconfig.json` compiler options :code:`outDir` if doing so would result in excluding all source code.
Python
""""""
* The Python parser is now able to correctly parse expressions such as :code:`match[1]` and :code:`match()` where :code:`match` is not used as a keyword.
GitHub Actions
""""""""""""""
* The :code:`actions/artifact-poisoning/critical` and :code:`actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to :code:`$[{ runner.temp }}` in addition to :code:`/tmp`.
Breaking Changes
~~~~~~~~~~~~~~~~
Ruby
""""
* Most classes and predicates in the AST, SSA, and control-flow-graph libraries are now annotated with :code:`overlay[local]`, in preparation for incremental analysis. This could result in compiler errors for custom queries if they extend these classes. To mitigate such errors, look for ways to restructure custom QL code so it doesn't depend on changing the behavior of standard-library classes.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`FunctionWithWrappers` library (:code:`semmle.code.cpp.security.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.
* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the :code:`arm_neon.h` header and Neon vector types, and support for the :code:`fp8` scalar type. The :code:`arm_sve.h` header and scalable vectors are only partially supported at this point.
* Added support for :code:`__fp16 _Complex` and :code:`__bf16 _Complex` types
* Added :code:`sql-injection` sink models for the Oracle Call Interface (OCI) database library functions :code:`OCIStmtPrepare` and :code:`OCIStmtPrepare2`.
Golang
""""""
* Added models for the :code:`Head` function and the :code:`Client.Head` method, from the :code:`net/http` package, to the :code:`Http::ClientRequest` class. This means that they will be recognized as sinks for the query :code:`go/request-forgery` and the experimental query :code:`go/ssrf`.
* Previously, :code:`DefinedType.getBaseType` gave the underlying type. It now gives the right hand side of the type declaration, as the documentation indicated that it should.
Java/Kotlin
"""""""""""
* The qualifiers of a calls to :code:`readObject` on any classes that implement :code:`java.io.ObjectInput` are now recognised as sinks for :code:`java/unsafe-deserialization`. Previously this was only the case for classes which extend :code:`java.io.ObjectInputStream`.
JavaScript/TypeScript
"""""""""""""""""""""
* Enhanced modeling for the :code:`execa` library, adding support for command execution methods :code:`execaCommand`, :code:`execaCommandSync`, :code:`$`, and :code:`$.sync`, as well as file system operations through :code:`inputFile`, :code:`pipeStdout`, :code:`pipeAll`, and :code:`pipeStderr`.
Python
""""""
* Type annotations such as :code:`foo : Bar` are now treated by the call graph as an indication that :code:`foo` may be an instance of :code:`Bar`.
Rust
""""
* Type inference has been extended to support pattern matching.
* Call resolution for calls to associated functions has been improved, so it now disambiguates the targets based on type information at the call sites (either type information about the arguments or about the expected return types).
* Type inference has been improved for :code:`for` loops and range expressions, which improves call resolution and may ultimately lead to more query results.
* Implemented support for data flow through trait functions. For the purpose of data flow, calls to trait functions dispatch to all possible implementations.
* :code:`AssocItem` and :code:`ExternItem` are now proper subclasses of :code:`Item`.
* Added type inference for :code:`for` loops and array expressions.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`UnknownDefaultLocation`, :code:`UnknownExprLocation`, and :code:`UnknownStmtLocation` classes have been deprecated. Use :code:`UnknownLocation` instead.
Golang
""""""
* The class :code:`BuiltinType` is now deprecated. Use the new replacement :code:`BuiltinTypeEntity` instead.
* The class :code:`DeclaredType` is now deprecated. Use the new replacement :code:`DeclaredTypeEntity` instead.
Java/Kotlin
"""""""""""
* The module :code:`semmle.code.java.frameworks.Castor` has been deprecated and will be removed in a future release.
* The module :code:`semmle.code.java.frameworks.JYaml` has been deprecated and will be removed in a future release.
* The classes :code:`UnsafeHessianInputReadObjectMethod` and :code:`BurlapInputReadObjectMethod` in the module :code:`semmle.code.java.frameworks.HessianBurlap` have been deprecated and will be removed in a future release.
* The class :code:`YamlBeansReaderReadMethod` in the module :code:`semmle.code.java.frameworks.YamlBeans` has been deprecated and will be removed in a future release.
* The class :code:`MethodApacheSerializationUtilsDeserialize` in the module :code:`semmle.code.java.frameworks.apache.Lang` has been deprecated and will be removed in a future release.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added a :code:`isFinalValueOfParameter` predicate to :code:`DataFlow::Node` which holds when a dataflow node represents the final value of an output parameter of a function.
C#
""
* Added a new predicate, :code:`getASuperType()`, to get a direct supertype of this type.
Java/Kotlin
"""""""""""
* You can now add sinks for the query "Deserialization of user-controlled data" (:code:`java/unsafe-deserialization`) using `data extensions <https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/#extensible-predicates-used-to-create-custom-models-in-java-and-kotlin>`__ by extending :code:`sinkModel` and using the kind "unsafe-deserialization". The existing sinks that do not require extra logic to determine if they are unsafe are now defined in this way.
Shared Libraries
----------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Concepts
""""""""
* Initial release. Moves the shared concepts library into its own qlpack.

101
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst Normal file
View File

@@ -0,0 +1,101 @@
.. _codeql-cli-2.22.3:
==========================
CodeQL 2.22.3 (2025-08-06)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.22.3 runs a total of 476 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 130 queries (covering 32 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* The :code:`codeql database cleanup` command now takes the :code:`--cache-cleanup=overlay` option, which trims the cache to just the data that will be useful when evaluating against an overlay.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Initialization code not run" query (:code:`cpp/initialization-not-run`) no longer reports an alert on static global variables that have no dereference.
Rust
""""
* Type inference now supports closures, calls to closures, and trait bounds using the :code:`FnOnce` trait.
* Type inference now supports trait objects, i.e., :code:`dyn Trait` types.
* Type inference now supports tuple types.
New Queries
~~~~~~~~~~~
Rust
""""
* Added a new query, :code:`rust/hard-coded-cryptographic-value`, for detecting use of hardcoded keys, passwords, salts and initialization vectors.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/overrun-write` query now recognizes more bound checks and thus produces fewer false positives.
JavaScript/TypeScript
"""""""""""""""""""""
* The regular expressions in :code:`SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Python
""""""
* The regular expressions in :code:`SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Ruby
""""
* The regular expressions in :code:`SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Swift
"""""
* The regular expressions in :code:`SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Rust
""""
* Removed deprecated dataflow extensible predicates :code:`sourceModelDeprecated`, :code:`sinkModelDeprecated`, and :code:`summaryModelDeprecated`, along with their associated classes.
* The regular expressions in :code:`SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Exposed various SSA-related classes (:code:`Definition`, :code:`PhiNode`, :code:`ExplicitDefinition`, :code:`DirectExplicitDefinition`, and :code:`IndirectExplicitDefinition`) which were previously only usable inside the internal dataflow directory.
Java/Kotlin
"""""""""""
* Kotlin versions up to 2.2.2\ *x* are now supported.

108
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.4.rst Normal file
View File

@@ -0,0 +1,108 @@
.. _codeql-cli-2.22.4:
==========================
CodeQL 2.22.4 (2025-08-21)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.22.4 runs a total of 478 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 130 queries (covering 32 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
There are no user-facing CLI changes in this release.
Query Packs
-----------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The :code:`cpp/short-global-name` query will no longer give alerts for instantiations of template variables, only for the template itself.
* Fixed a false positive in :code:`cpp/overflow-buffer` when the type of the destination buffer is a reference to a class/struct type.
Golang
""""""
* Go 1.25 is now supported.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`js/regex-injection` query no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the "environment" category.
New Queries
~~~~~~~~~~~
Rust
""""
* Added a new query, :code:`rust/cleartext-storage-database`, for detecting cases where sensitive information is stored non-encrypted in a database.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Ruby
""""
* Made the following changes to :code:`NetHttpRequest`
* Adds :code:`connectionNode`, like other Ruby HTTP clients
* Makes :code:`requestNode` and :code:`connectionNode` public so subclasses can use them
* Adds detection of :code:`Net::HTTP.start`, a common way to make HTTP requests in Ruby
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* Added library models for the relevant method calls under :code:`jakarta.servlet.ServletRequest` and :code:`jakarta.servlet.http.HttpServletRequest` as remote flow sources.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The guards libraries (:code:`semmle.code.cpp.controlflow.Guards` and :code:`semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards.
* Improved dataflow through global variables in the new dataflow library (:code:`semmle.code.cpp.dataflow.new.DataFlow` and :code:`semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables.
* The global value numbering library (:code:`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and :code:`semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number.
Java/Kotlin
"""""""""""
* Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for :code:`java/dereferenced-value-may-be-null`.
JavaScript/TypeScript
"""""""""""""""""""""
* Improved modeling of command-line argument parsing libraries `arg <https://www.npmjs.com/package/arg>`__, `args <https://www.npmjs.com/package/args>`__, `command-line-args <https://www.npmjs.com/package/command-line-args>`__ and `commander <https://www.npmjs.com/package/commander>`__
Rust
""""
* |link-code-let-chains-in-code-if-and-code-while-1|_ are now supported, as well as |link-code-if-let-guards-in-code-match-expressions-2|_.
* Added more detail to models of :code:`postgres`, :code:`rusqlite`, :code:`sqlx` and :code:`tokio-postgres`. This may improve query results, particularly for :code:`rust/sql-injection` and :code:`rust/cleartext-storage-database`.
.. |link-code-let-chains-in-code-if-and-code-while-1| replace:: :code:`let` chains in :code:`if` and :code:`while`\
.. _link-code-let-chains-in-code-if-and-code-while-1: https://doc.rust-lang.org/edition-guide/rust-2024/let-chains.html
.. |link-code-if-let-guards-in-code-match-expressions-2| replace:: :code:`if let` guards in :code:`match` expressions
.. _link-code-if-let-guards-in-code-match-expressions-2: https://rust-lang.github.io/rfcs/2294-if-let-guard.html

149
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.0.rst Normal file
View File

@@ -0,0 +1,149 @@
.. _codeql-cli-2.23.0:
==========================
CodeQL 2.23.0 (2025-09-04)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.23.0 runs a total of 479 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 131 queries (covering 32 more CWE). 2 security queries have been added with this release.
CodeQL CLI
----------
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.8.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* Fixed an inconsistency across languages where most have a :code:`Customizations.qll` file for adding customizations, but not all did.
Swift
"""""
* Fixed an inconsistency across languages where most have a :code:`Customizations.qll` file for adding customizations, but not all did.
Rust
""""
* The "Low Rust analysis quality" query (:code:`rust/diagnostic/database-quality`) has been tuned so that it won't trigger on databases that have extracted normally. This will remove spurious messages of "Low Rust analysis quality" on the CodeQL status page.
* Fixed an inconsistency across languages where most have a :code:`Customizations.qll` file for adding customizations, but not all did.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* Fixed a bug that was causing false negatives in rare cases in the query :code:`java/dereferenced-value-may-be-null`.
* Removed the :code:`java/empty-statement` query that was subsumed by the :code:`java/empty-block` query.
Python
""""""
* The :code:`py/unexpected-raise-in-special-method` query has been modernized. It produces additional results in cases where the exception is
only raised conditionally. Its precision has been changed from :code:`very-high` to :code:`high`.
* The queries :code:`py/incomplete-ordering`, :code:`py/inconsistent-equality`, and :code:`py/equals-hash-mismatch` have been modernized; no longer relying on outdated libraries, improved documentation, and no longer producing alerts for problems specific to Python 2.
New Queries
~~~~~~~~~~~
Java/Kotlin
"""""""""""
* The query :code:`java/insecure-spring-actuator-config` has been promoted from experimental to the main query pack as :code:`java/spring-boot-exposed-actuators-config`. Its results will now appear by default. This query detects exposure of Spring Boot actuators through configuration files. It was originally submitted as an experimental query `by @luchua-bc <https://github.com/github/codeql/pull/5384>`__.
Rust
""""
* Added a new query, :code:`rust/log-injection`, for detecting cases where log entries could be forged by a malicious user.
Query Metadata Changes
~~~~~~~~~~~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* The tag :code:`maintainability` has been removed from :code:`java/run-finalizers-on-exit` and the tags :code:`quality`, :code:`correctness`, and :code:`performance` have been added.
* The tag :code:`maintainability` has been removed from :code:`java/garbage-collection` and the tags :code:`quality` and :code:`correctness` have been added.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rust
""""
* Path resolution has been removed from the Rust extractor. For the majority of purposes CodeQL computed paths have been in use for several previous releases, this completes the transition. Extraction is now faster and more reliable.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Added flow summaries for the :code:`Microsoft::WRL::ComPtr` member functions.
* The new dataflow/taint-tracking library (:code:`semmle.code.cpp.dataflow.new.DataFlow` and :code:`semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.
C#
""
* A bug has been fixed in the data flow analysis, which means that flow through calls using the :code:`base` qualifier may now be tracked more accurately.
* Added summary models for :code:`System.Xml.XmlReader`, :code:`System.Xml.XmlTextReader` and :code:`System.Xml.XmlDictionaryReader`.
* Models-as-data summaries for byte and char arrays and pointers now treat the entire collection as tainted, reflecting their common use as string alternatives.
* The default taint tracking configuration now allows implicit reads from collections at sinks and in additional flow steps. This increases flow coverage for many taint tracking queries and helps reduce false negatives.
JavaScript/TypeScript
"""""""""""""""""""""
* Removed :code:`libxmljs` as an XML bomb sink. The underlying libxml2 library now includes `entity reference loop detection <https://github.com/GNOME/libxml2/blob/0c948334a8f5c66d50e9f8992e62998017dc4fc6/NEWS#L905-L908>`__ that prevents XML bomb attacks.
Python
""""""
* The modelling of Psycopg2 now supports the use of :code:`psycopg2.pool` connection pools for handling database connections.
* Removed :code:`lxml` as an XML bomb sink. The underlying libxml2 library now includes `entity reference loop detection <https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077>`__ that prevents XML bomb attacks.
Rust
""""
* Attribute macros are now taken into account when identifying macro-expanded code. This affects the queries :code:`rust/unused-variable` and :code:`rust/unused-value`, which exclude results in macro-expanded code.
* Improved modelling of the :code:`std::fs`, :code:`async_std::fs` and :code:`tokio::fs` libraries. This may cause more alerts to be found by Rust injection queries, particularly :code:`rust/path-injection`.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added a new class :code:`PchFile` representing precompiled header (PCH) files used during project compilation.
Shared Libraries
----------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Utility Classes
"""""""""""""""
* Added :code:`LocatableOption` and :code:`OptionWithLocationInfo` as modules providing option types with location information.

176
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst Normal file
View File

@@ -0,0 +1,176 @@
.. _codeql-cli-2.23.1:
==========================
CodeQL 2.23.1 (2025-09-23)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.23.1 runs a total of 478 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* CodeQL now adds the sources and sinks of path alerts to the :code:`relatedLocations` property of SARIF results if they are not included as the primary location or within the alert message. This means that path alerts will show on PRs if a source or sink is added or modified, even for queries that don't follow the common convention of selecting the sink as the primary location and mentioning the source in the alert message.
* CodeQL now populates file coverage information for GitHub Actions on
\ `the tool status page for code scanning <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#viewing-the-tool-status-page-for-a-repository>`__.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* The predicate :code:`occurenceCount` in the file module :code:`MagicConstants` has been deprecated. Use :code:`occurrenceCount` instead.
* The predicate :code:`additionalAdditionOrSubstractionCheckForLeapYear` in the file module :code:`LeapYear` has been deprecated. Use :code:`additionalAdditionOrSubtractionCheckForLeapYear` instead.
C#
""
* The message for :code:`csharp/diagnostic/database-quality` has been updated to include detailed database health metrics. Additionally, the threshold for reporting database health issues has been lowered from 95% to 85% (if any metric falls below this percentage). These changes are visible on the tool status page.
Java/Kotlin
"""""""""""
* The message for :code:`java/diagnostic/database-quality` has been updated to include detailed database health metrics. Additionally, the threshold for reporting database health issues has been lowered from 95% to 85% (if any metric falls below this percentage). These changes are visible on the tool status page.
Rust
""""
* The message for :code:`rust/diagnostic/database-quality` has been updated to include detailed database health metrics. These changes are visible on the tool status page.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The queries :code:`cpp/wrong-type-format-argument`, :code:`cpp/comparison-with-wider-type`, :code:`cpp/integer-multiplication-cast-to-long`, :code:`cpp/implicit-function-declaration` and :code:`cpp/suspicious-add-sizeof` have had their precisions reduced from :code:`high` to :code:`medium`. They will also now give alerts for projects built with :code:`build-mode: none`.
* The queries :code:`cpp/wrong-type-format-argument`, :code:`cpp/comparison-with-wider-type`, :code:`cpp/integer-multiplication-cast-to-long` and :code:`cpp/suspicious-add-sizeof` are no longer included in the :code:`code-scanning` suite.
Java/Kotlin
"""""""""""
* The implementation of :code:`java/dereferenced-value-may-be-null` has been completely replaced with a new general control-flow reachability library. This improves precision by reducing false positives. However, since the entire calculation has been reworked, there can be small corner cases where precision regressions might occur and new false positives may occur, but these cases should be rare.
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 5.9
* Added support for :code:`import defer` syntax in JavaScript and TypeScript.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The query :code:`cs/call-to-object-tostring` has been improved to remove false positives for enum types.
JavaScript/TypeScript
"""""""""""""""""""""
* Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions.
* Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test.
* The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`.
* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query <https://github.com/github/codeql/pull/14342>`__!
Python
""""""
* The queries :code:`py/missing-call-to-init`, :code:`py/missing-calls-to-del`, :code:`py/multiple-calls-to-init`, and :code:`py/multiple-calls-to-del` queries have been modernized; no longer relying on outdated libraries, producing more precise results with more descriptive alert messages, and improved documentation.
GitHub Actions
""""""""""""""
* Actions analysis now reports file coverage information on the CodeQL status page.
Deprecated Queries
~~~~~~~~~~~~~~~~~~
C#
""
* The query :code:`cs/captured-foreach-variable` has been deprecated as the semantics of capturing a 'foreach' variable and using it outside the loop has been stable since C# version 5.
New Queries
~~~~~~~~~~~
Rust
""""
* Added a new query, :code:`rust/request-forgery`, for detecting server-side request forgery vulnerabilities.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go.
* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning.
Java/Kotlin
"""""""""""
* Improved support for various assertion libraries, in particular JUnit. This affects the control-flow graph slightly, and in turn affects several queries (mainly quality queries). Most queries should see improved precision (new true positives and fewer false positives), in particular :code:`java/constant-comparison`, :code:`java/index-out-of-bounds`, :code:`java/dereferenced-value-may-be-null`, and :code:`java/useless-null-check`. Some medium precision queries like :code:`java/toctou-race-condition` and :code:`java/unreleased-lock` may see mixed result changes (both slight improvements and slight regressions).
* Added taint flow model for :code:`java.crypto.KDF`.
* Added taint flow model for :code:`java.lang.ScopedValue`.
JavaScript/TypeScript
"""""""""""""""""""""
* Added modeling for promisification libraries :code:`@gar/promisify`, :code:`es6-promisify`, :code:`util.promisify`, :code:`thenify-all`, :code:`call-me-maybe`, :code:`@google-cloud/promisify`, and :code:`util-promisify`.
* Data flow is now tracked through promisified user-defined functions.
Swift
"""""
* Updated to allow analysis of Swift 6.1.3.
Rust
""""
* Added cryptography related models for the :code:`cookie` and :code:`biscotti` crates.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The predicate :code:`getAContructorCall` in the class :code:`SslContextClass` has been deprecated. Use :code:`getAConstructorCall` instead.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added predicates :code:`getTransitiveNumberOfVlaDimensionStmts`, :code:`getTransitiveVlaDimensionStmt`, and :code:`getParentVlaDecl` to :code:`VlaDeclStmt` for handling :code:`VlaDeclStmt`\ s whose base type is defined in terms of another :code:`VlaDeclStmt` via a :code:`typedef`.
Java/Kotlin
"""""""""""
* The Java extractor and QL libraries now support Java 25.
* Added support for Java 25 compact source files (JEP 512). The new predicate :code:`Class.isImplicit()` identifies classes that are implicitly declared when using compact source files, and the new predicate :code:`CompilationUnit.isCompactSourceFile()` identifies compilation units that contain compact source files.
* Added support for Java 25 module import declarations.
* Add :code:`ModuleImportDeclaration` class.

5
docs/codeql/codeql-overview/codeql-changelog/index.rst
View File

@@ -11,6 +11,11 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.23.1
codeql-cli-2.23.0
codeql-cli-2.22.4
codeql-cli-2.22.3
codeql-cli-2.22.2
codeql-cli-2.22.1
codeql-cli-2.22.0
codeql-cli-2.21.4

BIN
docs/codeql/images/codeql-for-visual-studio-code/basic-rust-query-results-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
docs/codeql/images/codeql-for-visual-studio-code/basic-rust-query-results-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
docs/codeql/images/codeql-for-visual-studio-code/quick-query-tab-rust.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.1 KiB

2
docs/codeql/ql-language-reference/aliases.rst
View File

@@ -137,6 +137,6 @@ During :ref:`name resolution <name-resolution>`, ambiguity between aliases from
for the same module/type/predicate is allowed, but ambiguity between between aliases from distinct **strong**
alias definitions is invalid QL.
Likewise, for the purpose of applicative instantiation of :ref:`parameterised modules <parameterized-modules>`
and `:ref:`parameterised module signatures <parameterized-module-signatures>`, aliases from **weak** alias
and :ref:`parameterised module signatures <parameterized-module-signatures>`, aliases from **weak** alias
definitions for instantiation arguments do not result in separate instantiations, but aliases from **strong**
alias definitions for instantiation arguments do.

43
docs/codeql/ql-language-reference/annotations.rst
View File

@@ -16,9 +16,9 @@ For example, to declare a module ``M`` as private, you could use:
}
Note that some annotations act on an entity itself, whilst others act on a particular *name* for the entity:
- Act on an **entity**: ``abstract``, ``cached``, ``external``, ``transient``, ``override``, ``pragma``, ``language``,
and ``bindingset``
- Act on a **name**: ``deprecated``, ``library``, ``private``, ``final``, and ``query``
- Act on an **entity**: ``abstract``, ``bindingset``, ``cached``, ``extensible``, ``external``, ``language``,
``override``, ``pragma``, and ``transient``
- Act on a **name**: ``additional``, ``deprecated``, ``final``, ``library``, ``private``, and ``query``
For example, if you annotate an entity with ``private``, then only that particular name is
private. You could still access that entity under a different name (using an :ref:`alias <aliases>`).
@@ -97,13 +97,27 @@ own body, or they must inherit from another class that overrides ``isSource``:
// doesn't need to override `isSource`, because it inherits it from ConfigA
}
.. index:: additional
.. _additional:
``additional``
==============
**Available for**: |classes|, |algebraic datatypes|, |type unions|, |non-member predicates|, |modules|, |aliases|, |signatures|
The ``additional`` annotation can be used on declarations in explicit modules.
All declarations that are not required by a module signature in modules that implement |module signatures| must be annotated with ``additional``.
Omitting ``additional`` on such declarations, or using the annotation in any other context, will result in a compiler error.
Other than that, the annotation has no effect.
.. index:: cached
.. _cached:
``cached``
==========
**Available for**: |classes|, |algebraic datatypes|, |characteristic predicates|, |member predicates|, |non-member predicates|, |modules|
**Available for**: |classes|, |algebraic datatypes|, |type unions|, |characteristic predicates|, |member predicates|, |non-member predicates|, |modules|
The ``cached`` annotation indicates that an entity should be evaluated in its entirety and
stored in the evaluation cache. All later references to this entity will use the
@@ -126,7 +140,7 @@ body must also be annotated with ``cached``, otherwise a compiler error is repor
``deprecated``
==============
**Available for**: |classes|, |algebraic datatypes|, |member predicates|, |non-member predicates|, |imports|, |fields|, |modules|, |aliases|
**Available for**: |classes|, |algebraic datatypes|, |type unions|, |member predicates|, |non-member predicates|, |imports|, |fields|, |modules|, |aliases|, |signatures|
The ``deprecated`` annotation is applied to names that are outdated and scheduled for removal
in a future release of QL.
@@ -151,6 +165,16 @@ For example, the name ``DataFlowNode`` is deprecated and has the following QLDoc
This QLDoc comment appears when you use the name ``DataFlowNode`` in a QL editor.
.. index:: extensible
.. _extensible:
``extensible``
==============
**Available for**: |non-member predicates|
The ``extensible`` annotation is used to mark predicates that are populated at evaluation time through data extensions.
.. index:: external
.. _external:
@@ -235,7 +259,7 @@ warning.
``private``
===========
**Available for**: |classes|, |algebraic datatypes|, |member predicates|, |non-member predicates|, |imports|, |fields|, |modules|, |aliases|
**Available for**: |classes|, |algebraic datatypes|, |type unions|, |member predicates|, |non-member predicates|, |imports|, |fields|, |modules|, |aliases|, |signatures|
The ``private`` annotation is used to prevent names from being exported.
@@ -461,7 +485,7 @@ For more information, see ":ref:`monotonic-aggregates`."
Binding sets
============
**Available for**: |classes|, |characteristic predicates|, |member predicates|, |non-member predicates|
**Available for**: |classes|, |characteristic predicates|, |member predicates|, |non-member predicates|, |predicate signatures|, |type signatures|
``bindingset[...]``
-------------------
@@ -490,4 +514,9 @@ The ``bindingset`` annotation takes a comma-separated list of variables.
.. |aliases| replace:: :ref:`aliases <aliases>`
.. |type-aliases| replace:: :ref:`type aliases <type-aliases>`
.. |algebraic datatypes| replace:: :ref:`algebraic datatypes <algebraic-datatypes>`
.. |type unions| replace:: :ref:`type unions <type-unions>`
.. |expressions| replace:: :ref:`expressions <expressions>`
.. |signatures| replace:: :ref:`signatures <signatures>`
.. |predicate signatures| replace:: :ref:`predicate signatures <predicate-signatures>`
.. |type signatures| replace:: :ref:`type signatures <type-signatures>`
.. |module signatures| replace:: :ref:`module signatures <module-signatures>`

2
docs/codeql/ql-language-reference/expressions.rst
View File

@@ -625,7 +625,7 @@ Then the evaluation of the ``depth`` predicate proceeds as follows:
+-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **Stage** | **depth** | **Comments** |
+===========+============================================+==========================================================================================================================================================================+
| 0 |   | We always begin with the empty set. |
| 0 | | We always begin with the empty set. |
+-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | ``(0, b), (0, d), (0, e)`` | The nodes with no children have depth 0. The recursive step for **a** and **c** fails to produce a value, since some of their children do not have values for ``depth``. |
+-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

76
docs/codeql/ql-language-reference/ql-language-specification.rst
View File

@@ -36,7 +36,7 @@ Architecture
A *QL program* consists of a query module defined in a QL file and a number of library modules defined in QLL files that it imports (see "`Import directives <#import-directives>`__"). The module in the QL file includes one or more queries (see "`Queries <#queries>`__"). A module may also include *import directives* (see "`Import directives <#import-directives>`__"), non-member predicates (see "`Non-member predicates <#non-member-predicates>`__"), class definitions (see "`Classes <#classes>`__"), and module definitions (see "`Modules <#modules>`__").
QL programs are interpreted in the context of a *database* and a *library path* . The database provides a number of definitions: database types (see "`Types <#types>`__"), entities (see "`Values <#values>`__"), built-in predicates (see "`Built-ins <#built-ins>`__"), and the *database content* of built-in predicates and external predicates (see "`Evaluation <#evaluation>`__"). The library path is a sequence of file-system directories that hold QLL files.
QL programs are interpreted in the context of a *database* and a *library path* . The database provides a number of definitions: database types (see "`Types <#types>`__"), entities (see "`Values <#values>`__"), built-in predicates (see "`Built-ins <#built-ins>`__"), and the *database content* of built-in predicates, external predicates, and extensible predicates (see "`Evaluation <#evaluation>`__"). The library path is a sequence of file-system directories that hold QLL files.
A QL program can be *evaluated* (see "`Evaluation <#evaluation>`__") to produce a set of tuples of values (see "`Values <#values>`__").
@@ -761,17 +761,17 @@ Various kinds of syntax can have *annotations* applied to them. Annotations are
annotation ::= simpleAnnotation | argsAnnotation
simpleAnnotation ::= "abstract"
| "cached"
| "external"
| "extensible"
| "final"
| "transient"
| "library"
| "private"
| "deprecated"
| "override"
| "additional"
| "cached"
| "deprecated"
| "extensible"
| "external"
| "final"
| "library"
| "override"
| "private"
| "query"
| "transient"
argsAnnotation ::= "pragma" "[" ("inline" | "inline_late" | "noinline" | "nomagic" | "noopt" | "assume_small_delta") "]"
| "language" "[" "monotonicAggregates" "]"
@@ -791,28 +791,28 @@ The following table summarizes the syntactic constructs which can be marked with
+================+=========+============+===================+=======================+=========+========+=========+=========+============+
| ``abstract`` | yes | | yes | | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``additional`` | yes | | | yes | | | yes | yes | yes |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``cached`` | yes | yes | yes | yes | | | yes | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``external`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``extensible`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``final`` | yes | | yes | | | yes | | (yes) | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``transient`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``library`` | (yes) | | | | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``private`` | yes | | yes | yes | yes | yes | yes | yes | yes |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``deprecated`` | yes | | yes | yes | yes | yes | yes | yes | yes |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``extensible`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``external`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``final`` | yes | | yes | | | yes | | (yes) | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``library`` | (yes) | | | | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``override`` | | | yes | | | yes | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``additional`` | yes | | | yes | | | yes | yes | yes |
| ``private`` | yes | | yes | yes | yes | yes | yes | yes | yes |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``query`` | | | | yes | | | | yes | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``transient`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
The ``library`` annotation is only usable within a QLL file, not a QL file.
The ``final`` annotation is usable on type aliases, but not on module aliases and predicate aliases.
@@ -933,7 +933,9 @@ A predicate definition adds a mapping from the predicate name and arity to the p
When a predicate is a top-level clause in a module, it is called a non-member predicate. See below for "`Member predicates <#member-predicates>`__."
A valid non-member predicate can be annotated with ``cached``, ``deprecated``, ``external``, ``transient``, ``private``, and ``query``. Note, the ``transient`` annotation can only be applied if the non-member predicate is also annotated with ``external``.
A valid non-member predicate can be annotated with ``additional``, ``cached``, ``deprecated``, ``extensible``, ``external``, ``transient``, ``private``, and ``query``.
Note, the ``transient`` annotation can only be applied if the non-member predicate is also annotated with ``external``.
Note, the annotations ``extensible`` and ``external`` cannot both be used on the same non-member predicate.
The head of the predicate gives a name, an optional *result type*, and a sequence of variables declarations that are *arguments*:
@@ -951,7 +953,7 @@ The body of a predicate is of one of three forms:
In the first form, with just a semicolon, the predicate is said to not have a body. In the second form, the body of the predicate is the given formula (see "`Formulas <#formulas>`__"). In the third form, the body is a higher-order relation.
A valid non-member predicate must have a body, either a formula or a higher-order relation, unless it is external, in which case it must not have a body.
A valid non-member predicate must have a body, either a formula or a higher-order relation, unless it is external or extensible, in which case it must not have a body.
The typing environment for the body of the formula, if present, maps the variables in the head of the predicate to their associated types. If the predicate has a result type, then the typing environment also maps ``result`` to the result type.
@@ -979,7 +981,7 @@ A class type is said to *final inherit* from base types that are final or refere
A class adds a mapping from the class name to the class declaration to the current module's declared type environment.
A valid class can be annotated with ``abstract``, ``final``, ``library``, and ``private``. Any other annotation renders the class invalid.
A valid class can be annotated with ``abstract``, ``additional``, ``final``, ``library``, and ``private``. Any other annotation renders the class invalid.
A valid class may not inherit from itself, or from more than one primitive type. The set of types that a valid class inherits from must be disjoint from the set of types that it final inherits from.
@@ -1052,7 +1054,7 @@ A member predicate ``p`` with enclosing class ``C`` *shadows* a member predicate
Member predicates have one or more *root definitions*. If a member predicate overrides no other member predicate, then it is its own root definition. Otherwise, its root definitions are those of any member predicate that it overrides.
A valid member predicate must have a body unless it is abstract or external, in which case it must not have a body.
A valid member predicate must have a body unless it is abstract, in which case it must not have a body.
A valid member predicate must override another member predicate if it is annotated override.
@@ -2179,7 +2181,7 @@ If a QL program has no valid stratification, then the program itself is not vali
Layer evaluation
~~~~~~~~~~~~~~~~
The store is first initialized with the *database content* of all built-in predicates and external predicates. The database content of a predicate is a set of ordered tuples that are included in the database.
The store is first initialized with the *database content* of all built-in predicates, external predicates, and extensible predicates. The database content of a predicate is a set of ordered tuples that are included in the database.
Each layer of the stratification is *populated* in order. To populate a layer, each predicate in the layer is repeatedly populated until the store stops changing. The way that a predicate is populated is as follows:
@@ -2292,17 +2294,17 @@ The complete grammar for QL is as follows:
annotation ::= simpleAnnotation | argsAnnotation
simpleAnnotation ::= "abstract"
| "cached"
| "external"
| "extensible"
| "final"
| "transient"
| "library"
| "private"
| "deprecated"
| "override"
| "additional"
| "cached"
| "deprecated"
| "extensible"
| "external"
| "final"
| "library"
| "override"
| "private"
| "query"
| "transient"
argsAnnotation ::= "pragma" "[" ("inline" | "inline_late" | "noinline" | "nomagic" | "noopt" | "assume_small_delta") "]"
| "language" "[" "monotonicAggregates" "]"

12
docs/codeql/ql-language-reference/signatures.rst
View File

@@ -10,6 +10,10 @@ Signatures
Parameterized modules use signatures as a type system for their parameters.
There are three categories of signatures: **predicate signatures**, **type signatures**, and **module signatures**.
.. index:: predicate signature
.. _predicate-signatures:
Predicate signatures
====================
@@ -36,6 +40,10 @@ For example:
signature int operator(int lhs, int rhs);
.. index:: type signature
.. _type-signatures:
Type signatures
===============
@@ -66,6 +74,10 @@ For example:
string toString();
}
.. index:: module signature
.. _module-signatures:
Module signatures
=================

2
docs/codeql/reusables/extractors.rst
View File

@@ -20,7 +20,7 @@
- ``python``
* - Ruby
- ``ruby``
- Rust
* - Rust
- ``rust``
* - Swift
- ``swift``

9
docs/codeql/reusables/supported-frameworks.rst
View File

@@ -324,12 +324,15 @@ All support is experimental.
Name, Category
`actix-web <https://crates.io/crates/actix-web>`__, Web framework
alloc, Standard library
`async-std <https://crates.io/crates/async-std>`__, Asynchronous programming library
`biscotti <https://crates.io/crates/biscotti>`__, Cookie management
`clap <http://crates.io/crates/clap>`__, Utility library
`cookie <https://crates.io/crates/cookie>`__, Cookie management
core, Standard library
`digest <https://crates.io/crates/digest>`__, Cryptography library
`futures-executor <https://crates.io/crates/futures-executor>`__, Utility library
`futures <https://crates.io/crates/futures>`__, Asynchronous programming library
`futures-rustls <https://crates.io/crates/futures-rustls>`__, Network communicator
`hyper <https://crates.io/crates/hyper>`__, HTTP library
`hyper-util <https://crates.io/crates/hyper-util>`__, HTTP library
`libc <https://crates.io/crates/libc>`__, Utility library
`log <https://crates.io/crates/log>`__, Logging library
`md5 <https://crates.io/crates/md5>`__, Utility library
@@ -345,12 +348,14 @@ All support is experimental.
`rusqlite <https://crates.io/crates/rusqlite>`__, Database
std, Standard library
`rust-crypto <https://crates.io/crates/rust-crypto>`__, Cryptography library
`rustls <https://crates.io/crates/rustls>`__, Network communicator
`serde <https://crates.io/crates/serde>`__, Serialization
`smallvec <https://crates.io/crates/smallvec>`__, Utility library
`sqlx <https://crates.io/crates/sqlx>`__, Database
`tokio <https://crates.io/crates/tokio>`__, Asynchronous IO
`tokio-postgres <https://crates.io/crates/tokio-postgres>`__, Database
`url <https://crates.io/crates/url>`__, Utility library
`warp <https://crates.io/crates/warp>`__, Web framework
Swift built-in support
================================

8
docs/codeql/reusables/supported-versions-compilers.rst
View File

@@ -17,8 +17,8 @@
.NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
Go (aka Golang), "Go up to 1.24", "Go 1.11 or more recent", ``.go``
Java,"Java 7 to 24 [6]_","javac (OpenJDK and Oracle JDK),
Go (aka Golang), "Go up to 1.25", "Go 1.11 or more recent", ``.go``
Java,"Java 7 to 25 [6]_","javac (OpenJDK and Oracle JDK),
Eclipse compiler for Java (ECJ) [7]_",``.java``
Kotlin,"Kotlin 1.6.0 to 2.2.2\ *x*","kotlinc",``.kt``
@@ -27,7 +27,7 @@
Ruby [10]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
Rust [11]_,"Rust editions 2021 and 2024","Rust compiler","``.rs``, ``Cargo.toml``"
Swift [12]_,"Swift 5.4-6.1","Swift compiler","``.swift``"
TypeScript [13]_,"2.6-5.8",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
TypeScript [13]_,"2.6-5.9",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
.. container:: footnote-group
@@ -36,7 +36,7 @@
.. [3] Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported.
.. [4] Support for the clang-cl compiler is preliminary.
.. [5] Support for the Arm Compiler (armcc) is preliminary.
.. [6] Builds that execute on Java 7 to 24 can be analyzed. The analysis understands standard language features in Java 8 to 24; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
.. [6] Builds that execute on Java 7 to 25 can be analyzed. The analysis understands standard language features in Java 8 to 25; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
.. [7] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
.. [8] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
.. [9] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.

4
docs/supported-queries.md
View File

@@ -2,8 +2,8 @@
Queries and libraries outside [the `experimental` directories](experimental.md) are _supported_ by GitHub, allowing our users to rely on their continued existence and functionality in the future:
1. Once a query or library has appeared in a stable release, a one-year deprecation period is required before we can remove it. There can be exceptions to this when it's not technically possible to mark it as deprecated.
2. Major changes to supported queries and libraries are always announced in the [change notes for stable releases](../change-notes/).
1. Once a query has appeared in a stable release, a one-year deprecation period is required before we can remove it.
2. Major changes to supported queries and libraries are always announced in the change notes for stable releases.
3. We will do our best to address user reports of false positives or false negatives.
Because of these commitments, we set a high bar for accepting new supported queries. The requirements are detailed in the rest of this document.