| 1 | +.. _codeql-cli-2.24.2: |
| 2 | + |
| 3 | +========================== |
| 4 | +CodeQL 2.24.2 (2026-02-20) |
| 5 | +========================== |
| 6 | + |
| 7 | +.. contents:: Contents |
| 8 | + :depth: 2 |
| 9 | + :local: |
| 10 | + :backlinks: none |
| 11 | + |
| 12 | +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__. |
| 13 | + |
| 14 | +Security Coverage |
| 15 | +----------------- |
| 16 | + |
| 17 | +CodeQL 2.24.2 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). |
| 18 | + |
| 19 | +CodeQL CLI |
| 20 | +---------- |
| 21 | + |
| 22 | +Bug Fixes |
| 23 | +~~~~~~~~~ |
| 24 | + |
| 25 | +* Fixed SARIF output to generate RFC 1738 compatible file URIs. File URIs now always use the :code:`file:///` format instead of :code:`file:/` for better interoperability with SARIF consumers. |
| 26 | + |
| 27 | +Query Packs |
| 28 | +----------- |
| 29 | + |
| 30 | +Bug Fixes |
| 31 | +~~~~~~~~~ |
| 32 | + |
| 33 | +C# |
| 34 | +"" |
| 35 | + |
| 36 | +* The :code:`cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when :code:`[ValidateAntiForgeryToken]` or :code:`[AutoValidateAntiforgeryToken]` is applied to a parent class. |
| 37 | + |
| 38 | +Language Libraries |
| 39 | +------------------ |
| 40 | + |
| 41 | +Bug Fixes |
| 42 | +~~~~~~~~~ |
| 43 | + |
| 44 | +Python |
| 45 | +"""""" |
| 46 | + |
| 47 | +* Using :code:`=` as a fill character in a format specifier (e.g. :code:`f"{x:=^20}"`) now no longer results in a syntax error during parsing. |
| 48 | + |
| 49 | +Breaking Changes |
| 50 | +~~~~~~~~~~~~~~~~ |
| 51 | + |
| 52 | +Golang |
| 53 | +"""""" |
| 54 | + |
| 55 | +* The :code:`BasicBlock` class is now defined using the shared basic blocks library. :code:`BasicBlock.getRoot` has been replaced by :code:`BasicBlock.getScope`. :code:`BasicBlock.getAPredecessor` and :code:`BasicBlock.getASuccessor` now take a :code:`SuccessorType` argument. :code:`ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use :code:`BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument. |
| 56 | + |
| 57 | +Major Analysis Improvements |
| 58 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 59 | + |
| 60 | +Golang |
| 61 | +"""""" |
| 62 | + |
| 63 | +* Go 1.26 is now supported. |
| 64 | + |
| 65 | +Minor Analysis Improvements |
| 66 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 67 | + |
| 68 | +C/C++ |
| 69 | +""""" |
| 70 | + |
| 71 | +* Added remote flow source models for the :code:`winhttp.h` windows header and the Azure SDK core library for C/C++. |
| 72 | + |
| 73 | +C# |
| 74 | +"" |
| 75 | + |
| 76 | +* The model for :code:`System.Web.HttpUtility` has been modified to better model the flow of tainted URIs. |
| 77 | +* C# 14: Added support for :code:`extension` members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators. |
| 78 | + |
| 79 | +Java/Kotlin |
| 80 | +""""""""""" |
| 81 | + |
| 82 | +* Using a regular expression to check that a string doesn't contain any line breaks is already a sanitizer for :code:`java/log-injection`. Additional ways of doing the regular expression check are now recognised, including annotation with :code:`@javax.validation.constraints.Pattern`. |
| 83 | +* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including :code:`java/ssrf` and :code:`java/path-injection`. In particular, being annotated with :code:`@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries. |
| 84 | +* Kotlin versions up to 2.3.10 are now supported. |
| 85 | + |
| 86 | +Python |
| 87 | +"""""" |
| 88 | + |
| 89 | +* Added request forgery sink models for the Azure SDK. |
| 90 | +* Made it so that models-as-data sinks with the kind :code:`request-forgery` contribute to the class :code:`Http::Client::Request` which represents HTTP client requests. |
| 91 | + |
| 92 | +Deprecated APIs |
| 93 | +~~~~~~~~~~~~~~~ |
| 94 | + |
| 95 | +Java/Kotlin |
| 96 | +""""""""""" |
| 97 | + |
| 98 | +* The :code:`UnreachableBlocks.qll` library has been deprecated. |
| 99 | +* Renamed the following predicates to increase uniformity across languages. The :code:`getBody` predicate already existed on :code:`LoopStmt`, but is now properly inherited. |
| 100 | + |
| 101 | + * :code:`UnaryExpr.getExpr` to :code:`getOperand`. |
| 102 | + * :code:`ConditionalExpr.getTrueExpr` to :code:`getThen`. |
| 103 | + * :code:`ConditionalExpr.getFalseExpr` to :code:`getElse`. |
| 104 | + * :code:`ReturnStmt.getResult` to :code:`getExpr`. |
| 105 | + * :code:`WhileStmt.getStmt` to :code:`getBody`. |
| 106 | + * :code:`DoStmt.getStmt` to :code:`getBody`. |
| 107 | + * :code:`ForStmt.getStmt` to :code:`getBody`. |
| 108 | + * :code:`EnhancedForStmt.getStmt` to :code:`getBody`. |
| 109 | + |
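Review bot: spelling is inconsistent across the new entries: the Java/Kotlin items under "Minor Analysis Improvements" use "recognised" twice, while the C# bug fix above uses "recognizes"; pick one spelling (the rest of the file reads as American English) so the rendered changelog is uniform. Minor wording point in the Python "Minor Analysis Improvements" entry: "Made it so that models-as-data sinks with the kind :code:`request-forgery` contribute to the class :code:`Http::Client::Request`" reads more naturally as "Models-as-data sinks with the kind :code:`request-forgery` now contribute to the class :code:`Http::Client::Request`, which represents HTTP client requests."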