security

CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.20.6, which brings support for a new version of Java and a variety of other improvements that improve the accuracy of your code scanning results:

Java

• CodeQL now supports Java version 24
• We’ve improved the accuracy of the (java/xss) query when javax.servlet.http.HttpServletResponse is used without an exploitable content type

JavaScript / TypeScript

• We’ve added support for the response threat model, which can be enabled with advanced setup. When enabled, the response data coming back from an outgoing HTTP request is considered a tainted source.
• We’ve improved the precision of data flow through arrays and call resolution logic, both resulting in improved analysis results

C/C++

• We’ve improved the accuracy of the cpp/static-buffer-overflow query, resulting in improved results

C#

• We’ve improved the precision of the cs/call-to-object-tostring query, resulting in improved analysis results

GitHub Actions (Public Preview)

• We’ve removed the query actions/unversioned-immutable-action from the public suite of queries, which will close any alerts triggered from it

For a full list of changes, please refer to the complete changelog for version 2.20.6. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.20.6 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.

With the 2.16.5 release of CodeQL, we’re introducing a new mechanism for creating a CodeQL database for Java codebases, without relying on a build. This enables organizations to more easily adopt CodeQL for Java projects at scale. Note: this release announcement contains details for users of the CodeQL CLI and advanced setup for code scanning. If you’re using GitHub code scanning default setup (which is powered by the CodeQL engine), this related release announcement will likely contain the information you’re looking for.

Previously, CodeQL required a working build to analyze Java projects. This could either be automatically detected or manually specified. Starting with CodeQL 2.16.5, you can now scan Java code without the need for a build. Our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of Java repos without manual intervention.

This feature is currently in public beta and is accessible to all GitHub.com advanced setup for code scanning and CodeQL CLI users scanning Java code:

• Repositories using advanced setup for code scanning via workflow files will have the option to choose a build-mode. The default value for newly configured Java repos will be build-mode: none.
• CodeQL CLI users will not experience any change in the default behaviour, for compatibility with existing workflows. Users that want to enable this feature can now use the --build-mode none option. Generally, we also recommend users set the --build-mode option when using the CLI to make it easier to debug and persist the configuration should default behaviour change at any point in the future.
  codeql database create test_no_build_db --language java --build-mode none
• Repositories containing a mix of Kotlin and Java code still require a working build for CodeQL analysis.

The new mechanism for scanning Java is available on GitHub.com and in CodeQL CLI 2.16.5. While in public beta, this feature will not be available on GitHub Enterprise Server for default setup or advanced setup for code scanning. As we continue to work on scanning Java projects without the need for working builds, send us your feedback.

CodeQL, the static analysis engine that powers GitHub code scanning, can now analyze Java projects without needing a build. This enables organizations to more easily roll out CodeQL at scale. This new way of analyzing Java codebases is now enabled by default for GitHub.com users setting up new repositories with default setup for code scanning.

Previously, CodeQL required a working build to analyze Java projects. This could either be automatically detected or manually specified. By removing that requirement, our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of Java repos without manual intervention.

This feature is currently in public beta and is accessible to all users scanning Java code using default setup for code scanning on GitHub.com:

• Anyone setting up their repo using code scanning default setup will automatically benefit from this new analysis approach.
• Repositories containing a mix of Kotlin and Java code still require a working build for CodeQL analysis. CodeQL will default to the autobuild build mode to automatically try and detect the right build command.
• Repositories with an existing code scanning setup will not experience any changes. If code scanning is working for you today it will continue to work as-is, and there is no need to change your configuration.

GitHub.com users using advanced setup for code scanning and users of the CodeQL CLI will be able to analyze Java projects without needing a working build as part of CodeQL CLI version 2.16.5. While in public beta, this feature will not be available for GitHub Enterprise Server. As we continue to work on scanning Java projects without needing a working build, send us your feedback.

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.4 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for Java alerts on pull requests, powered by Copilot. This is automatically enabled for all current autofix preview participants. You can sign up for the preview here and use our public discussion for questions and feedback.

The number of generated autofixes is now also visible in a dedicated security overview tile:

Furthermore, this release

• adds support for C# 12 and .NET 8,
• adds support for Go 1.22 and improves file coverage of Go analyses for certain project setups,
• adds a new Java query for finding instances of keys generated for biometric authentication in an insecure way, and
• enables the NoSQL injection query for Python by default.

For a full list of changes, please refer to the complete changelog for version 2.16.4. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.3 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes in this release include:

• CodeQL code scanning now supports AI-powered automatic fix suggestions for Python alerts on pull requests. This is automatically enabled for all current autofix preview participants.
• A new option has been added to the Python extractor: python_executable_name. This allows you to select a non-default Python executable installed on the system running the scan (e.g. py.exe on Windows machines).
• A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
• Two new queries:
  • java/android/insecure-local-authentication for finding uses of biometric authentication APIs that do not make use of a Keystore-backed key and thus may be bypassed.
  • swift/unsafe-unpacking, that detects code which extracts user-controlled zip archives without validating that the contents of the zip file are not extracted outside the destination directory.
• The sinks of queries java/path-injection and java/path-injection-local have been reworked to reduce the number of false positives.

For a full list of changes, please refer to the complete changelog for version 2.16.3. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.