CodeQL 2.23.0 (2025-09-04)¶

Fixed an inconsistency across languages where most have a Customizations.qll file for adding customizations, but not all did.

Fixed an inconsistency across languages where most have a Customizations.qll file for adding customizations, but not all did.

The “Low Rust analysis quality” query (rust/diagnostic/database-quality) has been tuned so that it won’t trigger on databases that have extracted normally. This will remove spurious messages of “Low Rust analysis quality” on the CodeQL status page.

Fixed an inconsistency across languages where most have a Customizations.qll file for adding customizations, but not all did.

Fixed a bug that was causing false negatives in rare cases in the query java/dereferenced-value-may-be-null.

Removed the java/empty-statement query that was subsumed by the java/empty-block query.

The py/unexpected-raise-in-special-method query has been modernized. It produces additional results in cases where the exception is only raised conditionally. Its precision has been changed from very-high to high.

The queries py/incomplete-ordering, py/inconsistent-equality, and py/equals-hash-mismatch have been modernized; no longer relying on outdated libraries, improved documentation, and no longer producing alerts for problems specific to Python 2.

The query java/insecure-spring-actuator-config has been promoted from experimental to the main query pack as java/spring-boot-exposed-actuators-config. Its results will now appear by default. This query detects exposure of Spring Boot actuators through configuration files. It was originally submitted as an experimental query by @luchua-bc.

Added a new query, rust/log-injection, for detecting cases where log entries could be forged by a malicious user.

The tag maintainability has been removed from java/run-finalizers-on-exit and the tags quality, correctness, and performance have been added.

The tag maintainability has been removed from java/garbage-collection and the tags quality and correctness have been added.

Path resolution has been removed from the Rust extractor. For the majority of purposes CodeQL computed paths have been in use for several previous releases, this completes the transition. Extraction is now faster and more reliable.

Added flow summaries for the Microsoft::WRL::ComPtr member functions.

The new dataflow/taint-tracking library (semmle.code.cpp.dataflow.new.DataFlow and semmle.code.cpp.dataflow.new.TaintTracking) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.

A bug has been fixed in the data flow analysis, which means that flow through calls using the base qualifier may now be tracked more accurately.

Added summary models for System.Xml.XmlReader, System.Xml.XmlTextReader and System.Xml.XmlDictionaryReader.

Models-as-data summaries for byte and char arrays and pointers now treat the entire collection as tainted, reflecting their common use as string alternatives.

The default taint tracking configuration now allows implicit reads from collections at sinks and in additional flow steps. This increases flow coverage for many taint tracking queries and helps reduce false negatives.

Removed libxmljs as an XML bomb sink. The underlying libxml2 library now includes entity reference loop detection that prevents XML bomb attacks.

The modelling of Psycopg2 now supports the use of psycopg2.pool connection pools for handling database connections.

Removed lxml as an XML bomb sink. The underlying libxml2 library now includes entity reference loop detection that prevents XML bomb attacks.

Attribute macros are now taken into account when identifying macro-expanded code. This affects the queries rust/unused-variable and rust/unused-value, which exclude results in macro-expanded code.

Improved modelling of the std::fs, async_std::fs and tokio::fs libraries. This may cause more alerts to be found by Rust injection queries, particularly rust/path-injection.

Added a new class PchFile representing precompiled header (PCH) files used during project compilation.

Added LocatableOption and OptionWithLocationInfo as modules providing option types with location information.