|
| 1 | +.. _codeql-cli-2.25.3: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.25.3 (2026-05-01) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.25.3 runs a total of 496 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 131 queries (covering 32 more CWE). |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +Improvements |
| 23 | +~~~~~~~~~~~~ |
| 24 | + |
| 25 | +* The :code:`codeql database finalize` command now accepts the :code:`--working-dir` flag. When specified, any extractor pre-finalize scripts will be run in that directory. If the flag is not used, the scripts will run in the source root directory (maintaining existing behavior). The flag will also be automatically passed through when running the higher-level |
| 26 | + :code:`codeql database create` command. |
| 27 | + |
| 28 | +Query Packs |
| 29 | +----------- |
| 30 | + |
| 31 | +Major Analysis Improvements |
| 32 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 33 | + |
| 34 | +GitHub Actions |
| 35 | +"""""""""""""" |
| 36 | + |
| 37 | +* Fixed alert messages in :code:`actions/artifact-poisoning/critical` and :code:`actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful. |
| 38 | + |
| 39 | +Minor Analysis Improvements |
| 40 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 41 | + |
| 42 | +C/C++ |
| 43 | +""""" |
| 44 | + |
| 45 | +* Added :code:`AllocationFunction` models for :code:`aligned_alloc`, :code:`std::aligned_alloc`, and :code:`bsl::aligned_alloc`. |
| 46 | +* The "Comparison of narrow type with wide type in loop condition" (:code:`cpp/comparison-with-wider-type`) query has been upgraded to :code:`high` precision. This query will now run in the default code scanning suite. |
| 47 | +* The "Multiplication result converted to larger type" (:code:`cpp/integer-multiplication-cast-to-long`) query has been upgraded to :code:`high` precision. This query will now run in the default code scanning suite. |
| 48 | +* The "Suspicious add with sizeof" (:code:`cpp/suspicious-add-sizeof`) query has been upgraded to :code:`high` precision. This query will now run in the default code scanning suite. |
| 49 | +* The "Wrong type of arguments to formatting function" (:code:`cpp/wrong-type-format-argument`) query has been upgraded to :code:`high` precision. This query will now run in the default code scanning suite. |
| 50 | +* The "Implicit function declaration" (:code:`cpp/implicit-function-declaration`) query has been upgraded to :code:`high` precision. However, for :code:`build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise. |
| 51 | + |
| 52 | +C# |
| 53 | +"" |
| 54 | + |
| 55 | +* The query :code:`cs/useless-tostring-call` has been updated to avoid false positive results in calls to :code:`StringBuilder.AppendLine` and calls of the form :code:`base.ToString()`. Moreover, the alert message has been made more precise. |
| 56 | + |
| 57 | +JavaScript/TypeScript |
| 58 | +""""""""""""""""""""" |
| 59 | + |
| 60 | +* The query :code:`js/missing-rate-limiting` now takes Fastify per-route rate limiting into account. |
| 61 | + |
| 62 | +Python |
| 63 | +"""""" |
| 64 | + |
| 65 | +* The :code:`py/bind-socket-all-network-interfaces` query now uses the global data-flow library, leading to better precision and more results. Also, wrappers of :code:`socket.socket` in the :code:`eventlet` and :code:`gevent` libraries are now also recognized as socket binding operations. |
| 66 | + |
| 67 | +GitHub Actions |
| 68 | +"""""""""""""" |
| 69 | + |
| 70 | +* The query :code:`actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions. |
| 71 | + |
| 72 | +Language Libraries |
| 73 | +------------------ |
| 74 | + |
| 75 | +Breaking Changes |
| 76 | +~~~~~~~~~~~~~~~~ |
| 77 | + |
| 78 | +C/C++ |
| 79 | +""""" |
| 80 | + |
| 81 | +* The deprecated :code:`NonThrowingFunction` class has been removed, use :code:`NonCppThrowingFunction` instead. |
| 82 | +* The deprecated :code:`ThrowingFunction` class has been removed, use :code:`AlwaysSehThrowingFunction` instead. |
| 83 | + |
| 84 | +Major Analysis Improvements |
| 85 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 86 | + |
| 87 | +Swift |
| 88 | +""""" |
| 89 | + |
| 90 | +* Upgraded to allow analysis of Swift 6.3. |
| 91 | + |
| 92 | +Minor Analysis Improvements |
| 93 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 94 | + |
| 95 | +Java/Kotlin |
| 96 | +""""""""""" |
| 97 | + |
| 98 | +* The queries "Resolving XML external entity in user-controlled data" (:code:`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (:code:`java/xxe-local`) now recognize sinks in the Woodstox StAX library when :code:`com.ctc.wstx.stax.WstxInputFactory` or :code:`org.codehaus.stax2.XMLInputFactory2` are used directly. |
| 99 | + |
| 100 | +Python |
| 101 | +"""""" |
| 102 | + |
| 103 | +* The Python extractor now supports the new :code:`lazy import ...` and :code:`lazy from ... import ...` (as defined in `PEP-810 <https://peps.python.org/pep-0810/>`__) that will be part of Python 3.15. |
| 104 | + |
| 105 | +GitHub Actions |
| 106 | +"""""""""""""" |
| 107 | + |
| 108 | +* Removed false positive injection sink models for the :code:`context` input of :code:`docker/build-push-action` and the :code:`allowed-endpoints` input of :code:`step-security/harden-runner`. |
| 109 | + |
| 110 | +Deprecated APIs |
| 111 | +~~~~~~~~~~~~~~~ |
| 112 | + |
| 113 | +C# |
| 114 | +"" |
| 115 | + |
| 116 | +* The predicates :code:`get[L|R]Value` in the class :code:`Assignment` have been deprecated. Use :code:`get[Left|Right]Operand` instead. |
| 117 | + |
| 118 | +New Features |
| 119 | +~~~~~~~~~~~~ |
| 120 | + |
| 121 | +C/C++ |
| 122 | +""""" |
| 123 | + |
| 124 | +* Added a subclass :code:`AutoconfConfigureTestFile` of :code:`ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration. |
0 commit comments