CodeQL 2.20.6 (2025-03-06)¶

The actions/unversioned-immutable-action query will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query has also been moved to the experimental folder and will not be used in code scanning unless it is explicitly added to a code scanning configuration. Once the Immutable Actions feature is available, the query will be updated to report alerts again.

Fixed false positive alerts in the java query “Cross-site scripting” (java/xss) when javax.servlet.http.HttpServletResponse is used with a content type which is not exploitable.

Improved precision of data flow through arrays, fixing some spurious flows that would sometimes cause the length property of an array to be seen as tainted.

Improved call resolution logic to better handle calls resolving “downwards”, targeting a method declared in a subclass of the enclosing class. Data flow analysis has also improved to avoid spurious flow between unrelated classes in the class hierarchy.

Due to changes in libraries the query “Static array access may cause overflow” (cpp/static-buffer-overflow) will no longer report cases where multiple fields of a struct or class are written with a single memset or similar operation.

The query “Call to memory access function may overflow buffer” (cpp/overflow-buffer) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.

C#: Improve precision of the query cs/call-to-object-tostring for value tuples.

Added support for the response threat model kind, which can enabled with advanced setup. When enabled, the response data coming back from an outgoing HTTP request is considered a source of taint.

Added support for the useQuery hook from @tanstack/react-query.

Modified the getBufferSize predicate in commons/Buffer.qll to be more tolerant in some cases involving member variables in a larger struct or class.

Fixed an issue where the getBufferSize predicate in commons/Buffer.qll was returning results for references inside offsetof expressions, which are not accesses to a buffer.

The location info for the following classes has been changed slightly to match a location that is in the database: BasicBlock, ControlFlow::EntryNode, ControlFlow::ExitNode, ControlFlow::ConditionGuardNode, IR::ImplicitLiteralElementIndexInstruction, IR::EvalImplicitTrueInstruction, SsaImplicitDefinition, SsaPhiNode.

Added database source models for the github.com/rqlite/gorqlite package.

Added database source models for database methods from the go.mongodb.org/mongo-driver/mongo package.

Added a path injection sanitizer for the child argument of a java.io.File constructor if that argument does not contain path traversal sequences.

The response.download() function in express is now recognized as a sink for path traversal attacks.

The member predicate hasLocationInfo has been deprecated on the following classes: BasicBlock, Callable, Content, ContentSet, ControlFlow::Node, DataFlowCallable, DataFlow::Node, Entity, GVN, HtmlTemplate::TemplateStmt, IR:WriteTarget, SourceSinkInterpretationInput::SourceOrSinkElement, SourceSinkInterpretationInput::InterpretNode, SsaVariable, SsaDefinition, SsaWithFields, StringOps::ConcatenationElement, Type, and VariableWithFields. Use getLocation() instead.

The Java extractor and QL libraries now support Java 24.