From 532e1feaccb340c9618eb22562efbb08c5e7ea58 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 23 Feb 2026 17:40:16 +0000 Subject: [PATCH 1/8] update codeql documentation --- .../codeql-changelog/codeql-cli-2.19.1.rst | 2 +- .../codeql-changelog/codeql-cli-2.21.3.rst | 2 +- .../codeql-changelog/codeql-cli-2.22.3.rst | 2 +- .../codeql-changelog/codeql-cli-2.23.1.rst | 4 +- .../codeql-changelog/codeql-cli-2.24.2.rst | 109 ++++++++++++++++++ .../codeql-changelog/index.rst | 1 + 6 files changed, 115 insertions(+), 5 deletions(-) create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst index f2948d0db67c..39d4d36537cf 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst @@ -129,7 +129,7 @@ Java/Kotlin """"""""""" * The Java extractor and QL libraries now support Java 23. -* Kotlin versions up to 2.1.0\ *x* are now supported. +* Kotlin versions up to 2.1.0*x* are now supported. Python """""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst index 71a8e3a68240..fffe94c04b80 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst @@ -144,7 +144,7 @@ New Features Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). +* Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). Swift """"" 
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst index 4f1d34ff2ddd..8e5a18a0c74a 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst @@ -98,4 +98,4 @@ C/C++ Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.2\ *x* are now supported. +* Kotlin versions up to 2.2.2*x* are now supported. diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index ff22a3f647cf..27f1eee84edc 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__\ ! Python """""" 
@@ -126,7 +126,7 @@ Golang """""" * The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go. -* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning. +* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning. Java/Kotlin """"""""""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst new file mode 100644 index 000000000000..c70654e50b63 --- /dev/null +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst 
@@ -0,0 +1,109 @@ +.. _codeql-cli-2.24.2: + +========================== +CodeQL 2.24.2 (2026-02-20) +========================== + +.. contents:: Contents + :depth: 2 + :local: + :backlinks: none + +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__. + +Security Coverage +----------------- + +CodeQL 2.24.2 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). + +CodeQL CLI +---------- + +Bug Fixes +~~~~~~~~~ + +* Fixed SARIF output to generate RFC 1738 compatible file URIs. File URIs now always use the :code:`file:///` format instead of :code:`file:/` for better interoperability with SARIF consumers. + +Query Packs +----------- + +Bug Fixes +~~~~~~~~~ + +C# +"" + +* The :code:`cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when :code:`[ValidateAntiForgeryToken]` or :code:`[AutoValidateAntiforgeryToken]` is applied to a parent class. + +Language Libraries +------------------ + +Bug Fixes +~~~~~~~~~ + +Python +"""""" + +* Using :code:`=` as a fill character in a format specifier (e.g :code:`f"{x:=^20}"`) now no longer results in a syntax error during parsing. + +Breaking Changes +~~~~~~~~~~~~~~~~ + +Golang +"""""" + +* The :code:`BasicBlock` class is now defined using the shared basic blocks library. :code:`BasicBlock.getRoot` has been replaced by :code:`BasicBlock.getScope`. :code:`BasicBlock.getAPredecessor` and :code:`BasicBlock.getASuccessor` now take a :code:`SuccessorType` argument. 
:code:`ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use :code:`BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument. + +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Golang +"""""" + +* Go 1.26 is now supported. + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C/C++ +""""" + +* Added remote flow source models for the :code:`winhttp.h` windows header and the Azure SDK core library for C/C++. + +C# +"" + +* The model for :code:`System.Web.HttpUtility` has been modified to better model the flow of tainted URIs. +* C# 14: Added support for :code:`extension` members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators. + +Java/Kotlin +""""""""""" + +* Using a regular expression to check that a string doesn't contain any line breaks is already a sanitizer for :code:`java/log-injection`. Additional ways of doing the regular expression check are now recognised, including annotation with :code:`@javax.validation.constraints.Pattern`. +* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including :code:`java/ssrf` and :code:`java/path-injection`. In particular, being annotated with :code:`@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries. +* Kotlin versions up to 2.3.10 are now supported. + +Python +"""""" + +* Added request forgery sink models for the Azure SDK. +* Made it so that models-as-data sinks with the kind :code:`request-forgery` contribute to the class :code:`Http::Client::Request` which represents HTTP client requests. + +Deprecated APIs +~~~~~~~~~~~~~~~ + +Java/Kotlin +""""""""""" + +* The :code:`UnreachableBlocks.qll` library has been deprecated. +* Renamed the following predicates to increase uniformity across languages. The :code:`getBody` predicate already existed on :code:`LoopStmt`, but is now properly inherited. 
+ + * :code:`UnaryExpr.getExpr` to :code:`getOperand`. + * :code:`ConditionalExpr.getTrueExpr` to :code:`getThen`. + * :code:`ConditionalExpr.getFalseExpr` to :code:`getElse`. + * :code:`ReturnStmt.getResult` to :code:`getExpr`. + * :code:`WhileStmt.getStmt` to :code:`getBody`. + * :code:`DoStmt.getStmt` to :code:`getBody`. + * :code:`ForStmt.getStmt` to :code:`getBody`. + * :code:`EnhancedForStmt.getStmt` to :code:`getBody`. + diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst index 318366d1e69d..21671f1c9696 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/index.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst @@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here Date: Mon, 23 Feb 2026 11:44:53 -0600 Subject: [PATCH 2/8] Update codeql-cli-2.19.1.rst --- .../codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst index 39d4d36537cf..f2948d0db67c 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst @@ -129,7 +129,7 @@ Java/Kotlin """"""""""" * The Java extractor and QL libraries now support Java 23. -* Kotlin versions up to 2.1.0*x* are now supported. +* Kotlin versions up to 2.1.0\ *x* are now supported. Python """""" From 2969feef891fd81ffd1234fefc51b7ab5cf484e1 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 23 Feb 2026 11:45:30 -0600 Subject: [PATCH 3/8] Fix formatting in Kotlin version support note --- .../codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst index fffe94c04b80..71a8e3a68240 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst @@ -144,7 +144,7 @@ New Features Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). +* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). Swift """"" From d546b85163f05ec4d8b69f22d08b14304ba531bd Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 23 Feb 2026 11:45:59 -0600 Subject: [PATCH 4/8] Fix formatting for Kotlin version support note --- .../codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst index 8e5a18a0c74a..4f1d34ff2ddd 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.22.3.rst @@ -98,4 +98,4 @@ C/C++ Java/Kotlin """"""""""" -* Kotlin versions up to 2.2.2*x* are now supported. +* Kotlin versions up to 2.2.2\ *x* are now supported. From af0bfe0981f2b62db61f026c488fca5dc0f39f60 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 23 Feb 2026 11:46:30 -0600 Subject: [PATCH 5/8] Promote CORS configuration query to default suite --- .../codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index 27f1eee84edc..241b1a8f9d8b 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst @@ -88,7 +88,7 @@ JavaScript/TypeScript * Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions. * Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test. * The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`. -* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__\ ! +* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query `__! Python """""" From 8719072519a598dfc2832d5a10133b8d591fccda Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 23 Feb 2026 11:46:50 -0600 Subject: [PATCH 6/8] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst index c70654e50b63..27da2f3eaf99 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst 
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.2.rst @@ -44,7 +44,7 @@ Bug Fixes Python """""" -* Using :code:`=` as a fill character in a format specifier (e.g :code:`f"{x:=^20}"`) now no longer results in a syntax error during parsing. +* Using :code:`=` as a fill character in a format specifier (e.g. :code:`f"{x:=^20}"`) now no longer results in a syntax error during parsing. Breaking Changes ~~~~~~~~~~~~~~~~ From 79ac95d8a8126591905eb4a14c87c34b356abf70 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 23 Feb 2026 11:50:03 -0600 Subject: [PATCH 7/8] Fix syntax error with '=' in format specifier --- python/ql/lib/change-notes/released/6.1.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/ql/lib/change-notes/released/6.1.1.md b/python/ql/lib/change-notes/released/6.1.1.md index ca4d1bf46842..a880762af119 100644 --- a/python/ql/lib/change-notes/released/6.1.1.md +++ b/python/ql/lib/change-notes/released/6.1.1.md @@ -7,4 +7,4 @@ ### Bug Fixes -- Using `=` as a fill character in a format specifier (e.g `f"{x:=^20}"`) now no longer results in a syntax error during parsing. +- Using `=` as a fill character in a format specifier (e.g. `f"{x:=^20}"`) now no longer results in a syntax error during parsing. From 365bae1f9cc175ca17c9d560d5966250b4ad41ff Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 23 Feb 2026 11:50:46 -0600 Subject: [PATCH 8/8] Fix formatting in codeql-cli-2.23.1.rst --- .../codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst index 241b1a8f9d8b..ff22a3f647cf 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst 
@@ -126,7 +126,7 @@ Golang """""" * The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go. -* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning. +* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning. Java/Kotlin """""""""""
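Review bot: In PATCH 1/8, the Kotlin hunks for codeql-cli-2.19.1.rst, codeql-cli-2.21.3.rst and codeql-cli-2.22.3.rst drop the escaped space in "2.1.0\ *x*", "2.2.0\ *x*" and "2.2.2\ *x*", and that breaks the emphasis. In reStructuredText an inline-markup start string has to follow whitespace or punctuation, so "2.1.0*x*" renders with literal asterisks. PATCH 2/8 to 4/8 restore the "\ " by hand in each file, but if the source the bot generates from is left unchanged, the next automated "update codeql documentation" run can reintroduce the same three regressions. Fix the generator or its input and drop these three hunks from 1/8, rather than carrying revert commits.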
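Review bot: In PATCH 1/8, the Golang hunk of codeql-cli-2.23.1.rst swaps the inline literal ``\`` for the role form :code:`\`, which is not equivalent. Inside a role a backslash is an escape character and can consume the closing backtick, whereas inside a double-backtick literal it is taken verbatim. PATCH 8/8 puts the literal back, so the series ends in the right state, but 1/8 should not have touched the line. The same file's JavaScript hunk adds "\ " before the "!" after the link and PATCH 5/8 removes it again. "!" is punctuation and can directly follow the link's closing "__", so that change is churn as well. Squash 5/8 and 8/8 into 1/8 so that no commit in the series carries broken markup.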
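Review bot: In the new file codeql-cli-2.24.2.rst (PATCH 1/8), the Python bug-fix entry still reads "now no longer results in a syntax error" after PATCH 6/8 and 7/8, which only add the period to "e.g". "no longer results" is enough. The C/C++ entry writes "the :code:`winhttp.h` windows header" where the product name should be capitalised as "Windows". PATCH 7/8 makes the "e.g." fix in python/ql/lib/change-notes/released/6.1.1.md as well as in the .rst, which keeps the two in sync. Make any further wording fix in the change-note source too, so the generated .rst does not drift from it.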
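Review bot: The subjects of PATCH 5/8 and 7/8 do not match their diffs. 5/8 is titled "Promote CORS configuration query to default suite", but its only change is removing "\ " before the trailing "!" in codeql-cli-2.23.1.rst. 7/8 is titled "Fix syntax error with '=' in format specifier", but it only changes "e.g" to "e.g." in the 6.1.1.md change note. Both titles read as query or parser changes in the log and will mislead anyone bisecting or scanning history for analysis changes. Retitle them along the lines of "docs: restore link punctuation in 2.23.1 changelog" and "docs: fix 'e.g.' in Python 6.1.1 change note". The subject of 2/8, "Update codeql-cli-2.19.1.rst", could likewise say what was changed.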