CodeQL 2.23.0 (2025-09-04)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.23.0 runs a total of 479 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 131 queries (covering 32 more CWE). 2 security queries have been added with this release.
CodeQL CLI
Miscellaneous
- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.8.
Query Packs
Bug Fixes
C/C++
- Fixed an inconsistency across languages where most have a Customizations.qll file for adding customizations, but not all did.
Swift
- Fixed an inconsistency across languages where most have a Customizations.qll file for adding customizations, but not all did.
Rust
- The “Low Rust analysis quality” query (rust/diagnostic/database-quality) has been tuned so that it won’t trigger on databases that have extracted normally. This will remove spurious messages of “Low Rust analysis quality” on the CodeQL status page.
- Fixed an inconsistency across languages where most have a Customizations.qll file for adding customizations, but not all did.
Minor Analysis Improvements
Java/Kotlin
- Fixed a bug that was causing false negatives in rare cases in the query java/dereferenced-value-may-be-null.
- Removed the java/empty-statement query, which was subsumed by the java/empty-block query.
Python
- The py/unexpected-raise-in-special-method query has been modernized. It produces additional results in cases where the exception is only raised conditionally. Its precision has been changed from very-high to high.
- The queries py/incomplete-ordering, py/inconsistent-equality, and py/equals-hash-mismatch have been modernized: they no longer rely on outdated libraries, have improved documentation, and no longer produce alerts for problems specific to Python 2.
New Queries
Java/Kotlin
- The query java/insecure-spring-actuator-config has been promoted from experimental to the main query pack as java/spring-boot-exposed-actuators-config. Its results will now appear by default. This query detects exposure of Spring Boot actuators through configuration files. It was originally submitted as an experimental query by @luchua-bc.
Rust
- Added a new query, rust/log-injection, for detecting cases where log entries could be forged by a malicious user.
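As an added example (not part of these release notes and not the code of the rust/log-injection query itself), the following Rust program shows the shape the query reports, an untrusted value interpolated into a log line unchanged, next to the usual mitigation of neutralising line breaks and other control characters before logging. A Vec<String> stands in for a real logging crate so the program runs with the standard library alone; the forged username is a constructed input.

```rust
// Added example, not CodeQL's or the query's own code.
// Assumption: a Vec<String> is used as a stand-in for a logging backend.

/// Neutralise line breaks and other control characters so that one untrusted
/// value cannot span several log lines or masquerade as a separate entry.
pub fn sanitize_for_log(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if c.is_control() => out.push_str(&format!("\\u{{{:04x}}}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Vulnerable shape: the untrusted value reaches the log line unchanged.
pub fn log_login_unsafe(log: &mut Vec<String>, user: &str) {
    log.push(format!("INFO login attempt user={}", user));
}

/// Hardened shape: the same message, with the untrusted value sanitized first.
pub fn log_login_safe(log: &mut Vec<String>, user: &str) {
    log.push(format!("INFO login attempt user={}", sanitize_for_log(user)));
}

/// Number of physical lines the log would occupy once written out; a single
/// entry that counts as more than one line is the symptom of a forged record.
pub fn physical_line_count(log: &[String]) -> usize {
    log.iter().map(|entry| entry.lines().count().max(1)).sum()
}

fn main() {
    // Constructed input: a username carrying a CRLF and a second, forged record.
    let forged = "alice\r\nINFO login attempt user=admin";
    let mut unsafe_log = Vec::new();
    let mut safe_log = Vec::new();
    log_login_unsafe(&mut unsafe_log, forged);
    log_login_safe(&mut safe_log, forged);
    println!("unsafe log:\n{}", unsafe_log.join("\n"));
    println!("safe log:\n{}", safe_log.join("\n"));
    println!(
        "physical lines: unsafe={} safe={}",
        physical_line_count(&unsafe_log),
        physical_line_count(&safe_log)
    );
}
```

Escaping rather than stripping keeps the original bytes recoverable for investigation, which matters when the log is the evidence. If the logging backend already encodes entries as JSON or another structured format, that encoder does this job and the query's alert on the call can be reviewed as a false positive.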
Query Metadata Changes
Java/Kotlin
- The tag maintainability has been removed from java/run-finalizers-on-exit and the tags quality, correctness, and performance have been added.
- The tag maintainability has been removed from java/garbage-collection and the tags quality and correctness have been added.
Language Libraries
Major Analysis Improvements
Rust
- Path resolution has been removed from the Rust extractor. CodeQL-computed paths have already been used for most purposes for several previous releases; this completes the transition. Extraction is now faster and more reliable.
Minor Analysis Improvements
C/C++
- Added flow summaries for the Microsoft::WRL::ComPtr member functions.
- The new dataflow/taint-tracking library (semmle.code.cpp.dataflow.new.DataFlow and semmle.code.cpp.dataflow.new.TaintTracking) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.
C#
- A bug has been fixed in the data flow analysis, which means that flow through calls using the base qualifier may now be tracked more accurately.
- Added summary models for System.Xml.XmlReader, System.Xml.XmlTextReader and System.Xml.XmlDictionaryReader.
- Models-as-data summaries for byte and char arrays and pointers now treat the entire collection as tainted, reflecting their common use as string alternatives.
- The default taint tracking configuration now allows implicit reads from collections at sinks and in additional flow steps. This increases flow coverage for many taint tracking queries and helps reduce false negatives.
JavaScript/TypeScript
- Removed libxmljs as an XML bomb sink. The underlying libxml2 library now includes entity reference loop detection that prevents XML bomb attacks.
Python
- The modelling of Psycopg2 now supports the use of psycopg2.pool connection pools for handling database connections.
- Removed lxml as an XML bomb sink. The underlying libxml2 library now includes entity reference loop detection that prevents XML bomb attacks.
Rust
- Attribute macros are now taken into account when identifying macro-expanded code. This affects the queries rust/unused-variable and rust/unused-value, which exclude results in macro-expanded code.
- Improved modelling of the std::fs, async_std::fs and tokio::fs libraries. This may cause more alerts to be found by Rust injection queries, particularly rust/path-injection.
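The improved std::fs modelling means more calls such as std::fs::read are now recognised as rust/path-injection sinks. As an added example (not part of these release notes and not CodeQL's code), the program below shows the vulnerable shape, an untrusted file name passed straight to the sink, beside a lexical confinement step that rejects absolute paths, drive prefixes and any parent-directory component before the path reaches std::fs. The safe_join function and the PathError type are this example's own names, and the temporary directory and file created in main are constructed fixtures.

```rust
// Added example, not CodeQL's or any library's own code.
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Reasons a user-supplied relative path is refused (example's own type).
#[derive(Debug, PartialEq)]
pub enum PathError {
    Absolute,
    ParentTraversal,
    Prefix,
}

/// Lexically join `base` and an untrusted `relative` path. Absolute paths,
/// Windows drive prefixes and any `..` component are rejected; `.` components
/// are dropped. Because this never touches the filesystem it can run before
/// any I/O, and the result is guaranteed to lie below `base`.
pub fn safe_join(base: &Path, relative: &str) -> Result<PathBuf, PathError> {
    let mut out = base.to_path_buf();
    for comp in Path::new(relative).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir => return Err(PathError::ParentTraversal),
            Component::RootDir => return Err(PathError::Absolute),
            Component::Prefix(_) => return Err(PathError::Prefix),
        }
    }
    Ok(out)
}

/// Vulnerable shape: the untrusted name flows unchanged into the std::fs sink.
/// Note that `Path::join` discards `base` entirely when `name` is absolute.
pub fn read_user_file_unsafe(base: &Path, name: &str) -> std::io::Result<Vec<u8>> {
    fs::read(base.join(name))
}

/// Hardened shape: the path is confined first and only then reaches the sink.
pub fn read_user_file_safe(base: &Path, name: &str) -> Result<Vec<u8>, String> {
    let path = safe_join(base, name).map_err(|e| format!("rejected {:?}: {:?}", name, e))?;
    fs::read(&path).map_err(|e| e.to_string())
}

fn main() {
    // Constructed fixture: a scratch directory with one readable report.
    let base = std::env::temp_dir().join("codeql_path_injection_example");
    fs::create_dir_all(base.join("reports")).expect("create fixture dir");
    fs::write(base.join("reports").join("q3.txt"), b"quarterly report").expect("write fixture");

    for name in ["reports/q3.txt", "./reports/./q3.txt", "../../etc/passwd", "/etc/passwd"] {
        match read_user_file_safe(&base, name) {
            Ok(bytes) => println!("{name}: read {} bytes", bytes.len()),
            Err(err) => println!("{name}: {err}"),
        }
    }
    let _ = fs::remove_dir_all(&base);
}
```

Lexical confinement does not see through symlinks that already exist inside the base directory; when that is a concern, resolve the joined path with std::fs::canonicalize and check it with Path::starts_with against the canonicalized base before opening it. The same check applies unchanged to the async_std::fs and tokio::fs APIs named above, since they accept the same path types.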
New Features
C/C++
- Added a new class PchFile representing precompiled header (PCH) files used during project compilation.