codeql/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.3.rst
2024-01-25 15:55:32 +00:00


.. _codeql-cli-2.14.3:

==========================
CodeQL 2.14.3 (2023-08-25)
==========================

.. contents:: Contents
   :depth: 2
   :local:
   :backlinks: none

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.14.3 runs a total of 393 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE).
CodeQL CLI
----------
Breaking Changes
~~~~~~~~~~~~~~~~
* The :code:`<run>.tool.extensions` property in the SARIF generated by :code:`codeql database analyze` now contains the following packs:

  * The containing query pack for each query that was evaluated.
  * Each model pack that was specified via the :code:`--model-packs` option, regardless of whether that model pack affected any of the evaluated queries.

  Library packs are no longer included in the list.

  Previously, this property contained every query and library pack that was available on the search path, regardless of whether that pack was used during the evaluation.
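A consumer of these SARIF files may want to verify which packs a run actually recorded, for instance that every model pack passed via :code:`--model-packs` is listed. The following script is an added example, not code from the CodeQL project: it walks :code:`runs[].tool.extensions` and reports missing packs. The SARIF document, the :code:`example-org/java-models` pack name and the version strings are constructed sample data.

```python
"""Inspect the packs recorded in <run>.tool.extensions of a CodeQL SARIF file.

Added example (not CodeQL's own code). Reads the SARIF 2.1.0 layout that
`codeql database analyze` emits and lists the query packs and model packs the
run recorded. Pack names and versions in the sample below are constructed.
"""
import json


def extensions(sarif: dict) -> list[dict]:
    """Return name/version for every entry in tool.extensions, across all runs."""
    found = []
    for run in sarif.get("runs", []):
        for ext in run.get("tool", {}).get("extensions", []):
            found.append({"name": ext.get("name"), "version": ext.get("version")})
    return found


def missing_packs(sarif: dict, expected: list[str]) -> list[str]:
    """Names from `expected` (e.g. the model packs passed via --model-packs)
    that do not appear in tool.extensions. Since CLI 2.14.3 every model pack
    given on the command line is listed, so a non-empty result means the
    analysis did not run with the pack configuration the consumer assumed."""
    present = {e["name"] for e in extensions(sarif)}
    return [name for name in expected if name not in present]


# Constructed sample SARIF, reduced to the parts this check reads.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {"name": "CodeQL", "semanticVersion": "2.14.3"},
      "extensions": [
        {"name": "codeql/java-queries", "version": "0.0.0-sample"},
        {"name": "example-org/java-models", "version": "1.0.0"}
      ]
    },
    "results": []
  }]
}
""")

if __name__ == "__main__":
    for e in extensions(SAMPLE_SARIF):
        print(f"{e['name']} {e['version']}")
    wanted = ["example-org/java-models", "example-org/extra-models"]
    print("missing:", missing_packs(SAMPLE_SARIF, wanted))
```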
Miscellaneous
~~~~~~~~~~~~~
* The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.8.
* When :code:`codeql test` generates :code:`.actual` files, they will in some cases list the query predicates in a different order than past versions.
  There is no need to update :code:`.expected` files, as :code:`codeql test` sorts their results accordingly before diffing.
  However, when there are genuine changes in expected results, the generated :code:`.actual` file can show additional differences against the
  :code:`.expected` file due to the reordering.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
Python
""""""
* Fixed the computation of locations for imports with aliases in jump-to-definition.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java
""""
* Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
Swift
"""""
* Added :code:`DataFlow::CollectionContent`, which will enable more accurate flow through collections.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The query library for :code:`cs/hardcoded-credentials` now excludes benign properties such as :code:`UserNameClaimType` and :code:`AllowedUserNameCharacters` from :code:`Microsoft.AspNetCore.Identity` options classes.
Java
""""
* Modified the :code:`getSecureAlgorithmName` predicate in :code:`Encryption.qll` to also include :code:`SHA-256` and :code:`SHA-512`. Previously only the versions of the names without dashes were considered secure.
* Added support for :code:`WithElement` and :code:`WithoutElement` in MaD access paths.
Python
""""""
* Support analyzing packages (folders with Python code) that do not have :code:`__init__.py` files. Although such files are technically required, we see real-world projects that omit them.
* Added modeling of AWS Lambda handlers that can be identified with :code:`AWS::Serverless::Function` in YAML files, where the event parameter is modeled as a remote-flow-source.
* Improved the :code:`aiohttp` models, including remote-flow-sources from type annotations and new path-manipulation and SSRF sinks.
Ruby
""""
* Flow between positional arguments and splat parameters (:code:`*args`) is now tracked more precisely.
* Flow between splat arguments (:code:`*args`) and positional parameters is now tracked more precisely.
Swift
"""""
* Added local flow sources for :code:`UITextInput` and related classes.
* Flow through forced optional unwrapping (:code:`!`) on the left side of assignment now works in most cases.
* :code:`Type.getName` now gets the name of the type alone without any enclosing types. Use :code:`Type.getFullName` for the old behaviour.
Shared Libraries
----------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* Initial release. Adds a library to implement flow through captured variables that properly adheres to inter-procedural control flow.
New Features
~~~~~~~~~~~~
YAML Data Analysis
""""""""""""""""""
* Added library for serverless functions. Currently used by JavaScript and Python.