X Tutup
CodeQL documentation
CodeQL resources

CodeQL 2.24.3 (2026-03-05)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.24.3 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).

CodeQL CLI

Bug Fixes

  • Fixed a race condition that could cause flaky failures in overlay CodeQL tests. Test extraction now skips *.testproj directories by name, preventing interference from concurrently cleaned-up test databases.

  • Fixed spurious “OOPS” warnings that could appear in help output for commands using mutually exclusive option groups, such as codeql query run.

Query Packs

Minor Analysis Improvements

Java/Kotlin

  • The Java extractor and QL libraries now support Java 26.

  • Java analysis now selects the Java version to use informed by Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.

Rust

  • The macro resolution metric has been removed from rust/diagnostic/database-quality. This metric was found to be an unreliable indicator of database quality in many cases, leading to false alarms on the tool status page.

Language Libraries

Bug Fixes

C/C++

  • The allowInterproceduralFlow predicate of must-flow data flow configurations now correctly handles direct recursion.

C#

  • Fixed an issue where the body of a partial member could be extracted twice. When both a defining and an implementing declaration exist, only the implementing declaration is now extracted.

Breaking Changes

C/C++

  • CodeQL version 2.24.2 accidentally introduced a syntactical breaking change to BarrierGuard<...>::getAnIndirectBarrierNode and InstructionBarrierGuard<...>::getAnIndirectBarrierNode. These breaking changes have now been reverted so that the original code compiles again.

  • MustFlow, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the MustFlowConfiguration class, the user should now implement a module with the MustFlow::ConfigSig signature, and instantiate the MustFlow::Global parameterized module with the implemented module.

Python

  • The Metrics library no longer contains code that depends on the points-to analysis. The removed functionality has instead been moved to the LegacyPointsTo module, to classes like ModuleMetricsWithPointsTo etc. If you depend on any of these classes, you must now remember to import LegacyPointsTo, and use the appropriate types in order to use the points-to-based functionality.

Major Analysis Improvements

Python

  • The CodeQL Python libraries have been updated to be compatible with overlay evaluation. This should result in a significant speedup on analyses for which a base database already exists. Note that it may be necessary to add overlay[local?] module; to user-managed libraries that extend classes that are now marked as overlay[local].

Minor Analysis Improvements

C/C++

  • Refactored the “Year field changed using an arithmetic operation without checking for leap year” query (cpp/leap-year/unchecked-after-arithmetic-year-modification) to address large numbers of false positive results.

C#

  • C# 14: Added support for partial events.

  • C# 14: Added support for the field keyword in properties.

Java/Kotlin

  • Some modelling which previously only worked for Java EE packages beginning with “javax” will now also work for Java EE packages beginning with “jakarta” as well. This may lead to some alert changes.

JavaScript/TypeScript

  • Added support for React components wrapped by observer from mobx-react and mobx-react-lite.

Python

  • Added new full SSRF sanitization barrier from the new AntiSSRF library.

  • When a guard such as isSafe(x) is defined, we now also automatically handle isSafe(x) == true and isSafe(x) != false.

Ruby

  • We now track taint flow through Shellwords.escape and Shellwords.shellescape for all queries except command injection, for which they are sanitizers.

Rust

  • Added support for neutral models (extensible: neutralModel) to control where generated source, sink and flow summary models apply.

  • © GitHub, Inc.
  • Terms
  • Privacy
X Tutup