CodeQL 2.21.1 (2025-04-22)¶
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage¶
CodeQL 2.21.1 runs a total of 452 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 35 more CWE).
CodeQL CLI¶
Bug Fixes¶
Fixed a bug in CodeQL analysis for GitHub Actions in the presence of a code scanning configuration file containing
paths-ignoreexclusion patterns but notpathsinclusion patterns. Previously, such a configuration incorrectly led to all YAML, HTML, JSON, and JS source files being extracted, except for those filtered bypaths-ignore. This in turn led to performance issues on large codebases. Now, only workflow and Action metadata YAML files relevant to the GitHub Actions analysis will be extracted, except for those filtered bypaths-ignore. This matches the default behavior when no configuration file is provided. The handling ofpathsinclusion patterns is unchanged: if provided, only those paths will be considered, except for those filtered bypaths-ignore.
Query Packs¶
Bug Fixes¶
JavaScript/TypeScript¶
Fixed a bug that would prevent extraction of
tsconfig.jsonfiles when it contained an array literal with a trailing comma.
GitHub Actions¶
Alerts produced by the query
actions/missing-workflow-permissionsnow include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
Major Analysis Improvements¶
Ruby¶
The query
rb/useless-assignment-to-localnow comes with query help and has been tweaked to produce fewer false positives.The query
rb/uninitialized-local-variablenow only produces alerts when the variable is the receiver of a method call and should produce very few false positives. It also now comes with a help file.
Minor Analysis Improvements¶
C#¶
Enums and
System.DateTimeOffsetare now treated as simple types, which means that they are considered to have a sanitizing effect. This impacts many queries, among others thecs/log-forgingquery.The MaD models for the .NET 9 Runtime have been re-generated after a fix related to
out/refparameters.
JavaScript/TypeScript¶
Data passed to the Response constructor is now treated as a sink for
js/reflected-xss.Slightly improved detection of DOM element references, leading to XSS results being detected in more cases.
Python¶
The
py/mixed-tuple-returnsquery no longer flags instances where the tuple is passed into the function as an argument, as this led to too many false positives.
Language Libraries¶
Minor Analysis Improvements¶
C#¶
The alignment and format clauses in string interpolation expressions are now extracted. That is, in
$"Hello{name,align:format}"name, align and format are extracted as children of the string interpolation insert{name,align:format}.Blazor support can now better recognize when a property being set is specified with a string literal, rather than referenced in a
nameofexpression.
Golang¶
Local source models for APIs reading from databases have been added for
github.com/gogf/gf/database/gdbandgithub.com/uptrace/bun.
Java/Kotlin¶
Enum-typed values are now assumed to be safe by most queries. This means that queries may return fewer results where an enum value is used in a sensitive context, e.g. pasted into a query string.
All existing modelling and support for
javax.persistencenow applies tojakarta.persistenceas well.
JavaScript/TypeScript¶
Data passed to the NextResponse constructor is now treated as a sink for
js/reflected-xss.Data received from NextRequest and Request is now treated as a remote user input
source.Added support for the
make-dirpackage.Added support for the
openpackage.Added taint propagation for
Uint8Array,ArrayBuffer,SharedArrayBufferandTextDecoder.decode().Improved detection of
WebSocketandSockJSusage.Added data received from
WebSocketclients as a remote flow source.Added support for additional
mkdirpmethods as sinks in path-injection queries.Added support for additional
rimrafmethods as sinks in path-injection queries.
Ruby¶
Calls to
superwithout explict arguments now have their implicit arguments generated. For example, indeffoo(x,y){super}endthe call tosuperbecomessuper(x,y).
New Features¶
C/C++¶
Calling conventions explicitly specified on function declarations (
__cdecl,__stdcall,__fastcall, etc.) are now represented as specifiers of those declarations.A new class
CallingConventionSpecifierextending theSpecifierclass was introduced, which represents explicitly specified calling conventions.
