- The alignment and format clauses in string interpolation expressions are now extracted. That is, in `$"Hello {name,align:format}"`, `name`, `align` and `format` are extracted as children of the string interpolation insert `{name,align:format}`.
- Blazor support can now better recognize when a property being set is specified with a string literal, rather than referenced in a `nameof` expression.
- The models for `System.Uri` have been modified to better model the flow of tainted URIs.
- Modeled parameter passing between Blazor parent and child components.
No user-facing changes.
No user-facing changes.
- The predicates `immediatelyControls` and `controls` on the `ConditionBlock` class have been deprecated in favor of the newly added `dominatingEdge` predicate.
- Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
- C# 13: Add generated models for .NET 9.
- The models for `System.Net.Http.HttpRequestMessage` and `System.UriBuilder` have been modified to better model the flow of tainted URIs.
- Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.
- Deleted the deprecated `getInstanceType` predicate from the `UnboundGenericType` class.
- Deleted the deprecated `getElement` predicate from the `Node` class in `ControlFlowGraph.qll`, use `getAstNode` instead.
- C# 13: Added MaD models for some overload implementations using `ReadOnlySpan` parameters (like `String.Format(System.String, System.ReadOnlySpan<System.Object>)`).
- C# 13: Added support for the overload resolution priority attribute (`OverloadResolutionPriority`). Usages of the attribute and the corresponding priority can be found using the QL class `SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute`.
- C# 13: Added support for partial properties and indexers.
- Added extractor support for extracting implicit `ToString` calls in binary `+` expressions and string interpolation expressions.
- The Razor source generator invocation in `build-mode:none` extraction has been changed to use relative file paths instead of absolute ones.
- C# 13: Added extractor support and call dispatch logic (data flow) for the (negative) type parameter constraint `allows ref struct`. Added extractor support for the type parameter constraint `notnull`.
- C# 13: Added QL library support for `params` parameters of collection-like types.
- Added `remote` flow source models for properties of Blazor components annotated with any of the following attributes from `Microsoft.AspNetCore.Components`:
  - `[SupplyParameterFromForm]`
  - `[SupplyParameterFromQuery]`
- Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.
- Added flow summaries for the `Microsoft.AspNetCore.Mvc.Controller::View` method.
- The data flow library has been updated to track types in a slightly different way: the type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents are tracked less precisely. This may have a slight effect on false positives for complex flow paths.
- The C# extractor now supports basic extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.
- Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
- Added support for data flow through member accesses of objects with `dynamic` types.
- Only extract public and protected members from reference assemblies. This yields an approximate average speed-up of around 10% for extraction and query execution. Custom MaD rows using `Field`-based summaries may need to be changed to `SyntheticField`-based flows if they reference private fields.
- Added `Microsoft.AspNetCore.Components.NavigationManager::Uri` as a remote flow source, since this value may contain user-specified values.
- Added the following URI-parsing methods as summaries, as they may be tainted with user-specified values:
  - `System.Web.HttpUtility::ParseQueryString`
  - `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery`
  - `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery`
- Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
- The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.
- The generated .NET 8 runtime models have been updated.
No user-facing changes.
- C#: Add support for MaD directly on properties and indexers using attributes. Using `Attribute.Getter` or `Attribute.Setter` in the model `ext` field applies the model to the getter or setter for properties and indexers. Prior to this change `Attribute` models unintentionally worked for property setters (if the property is decorated with the matching attribute). That is, a model that uses the `Attribute` feature directly on a property for a property setter needs to be changed to `Attribute.Setter`.
- C#: Remove all CIL tables and related QL library functionality.
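As an added illustration of the `Attribute.Getter` / `Attribute.Setter` syntax described above (this extension is not from the changelog or the CodeQL packs), the data extension below assumes two hypothetical application-defined attributes in a made-up `MyApp.Annotations` namespace: `[FromMessageQueue]`, marking properties that are populated from an external queue, and `[RawHtml]`, marking properties whose setter renders markup unescaped. The column layout follows the `sourceModel` and `sinkModel` rows; the empty `name`/`signature` columns for attribute models and the `ReturnValue` / `Argument[0]` access paths for a getter's result and a setter's `value` parameter are assumptions.

```yaml
# Added example, not part of the CodeQL changelog or the codeql/csharp-all pack.
# Assumes hypothetical attribute classes in the MyApp.Annotations namespace.
extensions:
  # Every getter of a property (or indexer) decorated with
  # [MyApp.Annotations.FromMessageQueue] yields untrusted ("remote") data,
  # so the getter's return value becomes a remote flow source.
  - addsTo:
      pack: codeql/csharp-all
      extensible: sourceModel
    data:
      # Columns: namespace, type (the attribute class), subtypes, name,
      # signature, ext, output, kind, provenance.
      # name and signature are left empty: the attribute, not a method,
      # selects the modeled element (assumption).
      - ["MyApp.Annotations", "FromMessageQueueAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]

  # Every setter of a property decorated with [MyApp.Annotations.RawHtml]
  # is an html-injection sink: the assigned value (the setter's `value`
  # parameter, addressed as Argument[0]) ends up in the page unescaped.
  # Before this release a plain "Attribute" row matched the setter only by
  # accident; "Attribute.Setter" makes that intent explicit.
  - addsTo:
      pack: codeql/csharp-all
      extensible: sinkModel
    data:
      # Columns: namespace, type, subtypes, name, signature, ext, input,
      # kind, provenance.
      - ["MyApp.Annotations", "RawHtmlAttribute", False, "", "", "Attribute.Setter", "Argument[0]", "html-injection", "manual"]
```

Ship the file as a `.yml` data extension listed under `dataExtensions` in a CodeQL pack's `qlpack.yml` (or in a model pack) so that the standard `cs/` queries pick up the new source and sink.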
- The class `ThreatModelFlowSource` has been renamed to `ActiveThreatModelSource` to more clearly reflect that it only contains the currently active threat model sources. `ThreatModelFlowSource` has been marked as deprecated.
- `DataFlow::Node` instances are no longer created for library methods and fields that are not callable (either statically or dynamically) or otherwise referred to from source code. This may affect third-party queries that use these nodes to identify library methods or fields that are present in DLL files where those methods or fields are unreferenced. If this presents a problem, consider using `Callable` and other non-dataflow classes to identify such library entities.
- C#: Add extractor support for attributes on indexers.
- Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
- Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
- Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
- Parameters of public methods in abstract controller-like classes are now considered remote flow sources.
- The reported location of `partial` methods has been changed from the definition to the implementation part.
- C# support for `build-mode: none` is now out of beta, and generally available.
- Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
- Added some new `local` source models. Most prominently `System.IO.Path.GetTempPath` and `System.Environment.GetFolderPath`. This might produce more alerts if the `local` threat model is enabled.
- The extractor has been changed to not skip source files that have already been seen. This has an impact on source files that are compiled multiple times in the build process. Source files with conditional compilation preprocessor directives (such as `#if`) are now extracted for each set of preprocessor symbols that are used during the build process.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
No user-facing changes.
- Deleted the deprecated `getAssemblyName` predicate from the `Operator` class. Use `getFunctionName` instead.
- Deleted the deprecated `LShiftOperator`, `RShiftOperator`, `AssignLShiftExpr`, `AssignRShiftExpr`, `LShiftExpr`, and `RShiftExpr` aliases.
- Deleted the deprecated `getCallableDescription` predicate from the `ExternalApiDataNode` class. Use `hasQualifiedName` instead.
- Generated .NET Runtime models for properties with both getters and setters have been removed as this is now handled by the data flow library.
- Extracting suppress nullable warning expressions did not work when applied directly to a method call (like `System.Console.Readline()!`). This has been fixed.
- The CIL extractor has been deleted and the corresponding extractor option `cil` has been removed. It is no longer possible to do CIL extraction.
- The QL library C# classes no longer extend their corresponding `DotNet` classes. Furthermore, CIL related data flow functionality has been deleted and all `DotNet` and `CIL` related classes have been deprecated. This effectively means that it no longer has any effect to enable CIL extraction.
- Added new source models for the `Dapper` package. These models can be enabled by enabling the `database` threat model.
- Additional models have been added for `System.IO`. These are primarily source models with the `file` threat model, and summaries related to reading from a file or stream.
- Support for C# 12 / .NET 8.
- Added the `windows-registry` source kind and threat model to represent values which come from the registry on Windows.
- The models for `System.Net.Http.HttpRequestMessage` have been modified to better model the flow of tainted URIs.
- The .NET standard library APIs for accessing command line arguments and environment variables have been modeled using the `commandargs` and `environment` threat models.
- The `cs/assembly-path-injection` query has been modified so that its sources rely on `ThreatModelFlowSource`. In order to restore results from command line arguments, you should enable the `commandargs` threat model.
- The models for `System.IO.TextReader` have been modified to better model the flow of tainted text from a `TextReader`.
No user-facing changes.
No user-facing changes.
- Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
- We no longer make use of CodeQL database stats, which may affect join-orders in custom queries. It is therefore recommended to test performance of custom queries after upgrading to this version.
- C# 12: Add QL library support (`ExperimentalAttribute`) for the experimental attribute.
- C# 12: Add extractor and QL library support for `ref readonly` parameters.
- C#: The table `expr_compiler_generated` has been deleted and its content has been added to `compiler_generated`.
- Data flow via get-only properties like `public object Obj { get; }` is now captured by the data flow library.
- C# 12: The QL and data flow library now support primary constructors.
- Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in buildless mode to surface information related to dependency fetching.
- Added a new database relation to store compiler arguments specified inside `@[...].rsp` file arguments. The arguments are returned by `Compilation::getExpandedArgument/1` and `Compilation::getExpandedArguments/0`.
- C# 12: Added extractor, QL library and data flow support for collection expressions like `[1, y, 4, .. x]`.
- The C# extractor now accepts an extractor option `logging.verbosity` that specifies the verbosity of the logs. The option is added via `codeql database create --language=csharp -Ologging.verbosity=debug ...` or by setting the corresponding environment variable `CODEQL_EXTRACTOR_CSHARP_OPTION_LOGGING_VERBOSITY`.
- Deleted many deprecated predicates and classes with uppercase `SSL`, `XML`, `URI`, `SSA` etc. in their names. Use the PascalCased versions instead.
- Deleted the deprecated `getALocalFlowSucc` predicate and `TaintType` class from the dataflow library.
- Deleted the deprecated `Newobj` and `Rethrow` classes, use `NewObj` and `ReThrow` instead.
- Deleted the deprecated `getAFirstRead`, `hasAdjacentReads`, `lastRefBeforeRedef`, and `hasLastInputRef` predicates from the SSA library.
- Deleted the deprecated `getAReachableRead` predicate from the `AssignableRead` and `VariableRead` classes.
- Deleted the deprecated `hasQualifiedName` predicate from the `NamedElement` class.
- C# 12: Add extractor support and QL library support for inline arrays.
- Fixed a Log forging false positive when logging the value of a nullable simple type. This fix also applies to all other queries that use the simple type sanitizer.
- The diagnostic query `cs/diagnostics/successfully-extracted-files`, and therefore the Code Scanning UI measure of scanned C# files, now considers any C# file seen during extraction, even one with some errors, to be extracted / scanned.
- Added a new library `semmle.code.csharp.security.dataflow.flowsources.FlowSources`, which provides a new class `ThreatModelFlowSource`. The `ThreatModelFlowSource` class can be used to include sources which match the current threat model configuration.
- A manual neutral summary model for a callable now blocks all generated summary models for that callable from having any effect.
- C# 12: Add extractor support for lambda expressions with parameter defaults like `(int x, int y = 1) => ...` and lambda expressions with a `params` parameter like `(params int[] x) => ...`.
- The `Call::getArgumentForParameter` predicate has been reworked to add support for arguments passed to `params` parameters.
- The dataflow models for the `System.Text.StringBuilder` class have been reworked. New summaries have been added for `Append` and `AppendLine`. With the changes, we expect queries that use taint tracking to find more results when interpolated strings or `StringBuilder` instances are passed to `Append` or `AppendLine`.
- Additional support for the `Amazon.Lambda` SDK.
No user-facing changes.
No user-facing changes.
- The predicate `UnboundGeneric::getName` now prints the number of type parameters as a `` `N `` suffix, instead of a `<,...,>` suffix. For example, the unbound generic type `System.Collections.Generic.IList<T>` is printed as ``IList`1`` instead of `IList<>`.
- The predicates `hasQualifiedName`, `getQualifiedName`, and `getQualifiedNameWithTypes` have been deprecated, and are instead replaced by `hasFullyQualifiedName`, `getFullyQualifiedName`, and `getFullyQualifiedNameWithTypes`, respectively. The new predicates use the same format for unbound generic types as mentioned above.
- These changes also affect models-as-data rows that refer to a field or a property belonging to a generic type. For example, instead of writing

  ```yaml
  extensions:
    - addsTo:
        pack: codeql/csharp-all
        extensible: summaryModel
      data:
        - ["System.Collections.Generic", "Dictionary<TKey,TValue>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]
  ```

  one now writes

  ```yaml
  extensions:
    - addsTo:
        pack: codeql/csharp-all
        extensible: summaryModel
      data:
        - ["System.Collections.Generic", "Dictionary<TKey,TValue>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair`2.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair`2.Key]", "value", "manual"]
  ```
- The models-as-data format for types and methods with type parameters has been changed to include the names of the type parameters. For example, instead of writing

  ```yaml
  extensions:
    - addsTo:
        pack: codeql/csharp-all
        extensible: summaryModel
      data:
        - ["System.Collections.Generic", "IList<>", True, "Insert", "(System.Int32,T)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
        - ["System.Linq", "Enumerable", False, "Select<,>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Int32,TResult>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
  ```

  one now writes

  ```yaml
  extensions:
    - addsTo:
        pack: codeql/csharp-all
        extensible: summaryModel
      data:
        - ["System.Collections.Generic", "IList<T>", True, "Insert", "(System.Int32,T)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
        - ["System.Linq", "Enumerable", False, "Select<TSource,TResult>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Int32,TResult>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
  ```
No user-facing changes.
- Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
No user-facing changes.
No user-facing changes.
- The `--nostdlib` extractor option for the standalone extractor has been removed.
- The query library for `cs/hardcoded-credentials` now excludes benign properties such as `UserNameClaimType` and `AllowedUserNameCharacters` from `Microsoft.AspNetCore.Identity` options classes.
No user-facing changes.
- The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
- Data flow configurations can now include a predicate `neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps are now always visible by default in path explanations.
- The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
- Additional support for `command-injection`, `ldap-injection`, `log-injection`, and `url-redirection` sink kinds for Models as Data.
No user-facing changes.
- The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
- C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
- Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
- Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`.
- Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead.
- Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class.
- Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
- Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
  - `code` to `code-injection`
  - `sql` to `sql-injection`
  - `html` to `html-injection`
  - `xss` to `js-injection`
  - `remote` to `file-content-store`
- The `cs/log-forging`, `cs/cleartext-storage`, and `cs/exposure-of-sensitive-information` queries now correctly handle unsanitized arguments to `ILogger` extension methods.
- Updated the `neutralModel` extensible predicate to include a `kind` column.
No user-facing changes.
- The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
- Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
No user-facing changes.
- Added support for merging two `PathGraph`s via disjoint union to allow results from multiple data flow computations in a single `path-problem` query.
- The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
- Deleted the deprecated `getPath` and `getFolder` predicates from the `XmlFile` class.
- Deleted the deprecated `getAssertionIndex` and `getAssertedParameter` predicates from the `AssertMethod` class.
- Deleted the deprecated `OverridableMethod` and `OverridableAccessor` classes.
- The `unsafe` predicate for `Modifiable` has been extended to cover delegate return types and identify pointer-like types at any nest level. This is relevant for `unsafe` declarations extracted from assemblies.
- The query `cs/static-field-written-by-instance` is updated to handle properties.
- C# 11: Support for explicit interface member implementation of operators.
- The extraction of member modifiers has been generalized, which could lead to the extraction of more modifiers.
- C# 11: Added extractor and library support for `file` scoped types.
- C# 11: Added extractor support for `required` fields and properties.
- C# 11: Added library support for `checked` operators.
- C# 11: Added extractor support for the `scoped` modifier annotation on parameters and local variables.
- Add extractor and library support for UTF-8 encoded strings.
- The `StringLiteral` class includes UTF-8 encoded strings.
- In the DB scheme `@string_literal_expr` is renamed to `@utf16_string_literal_expr`.
- C# 11: Added extractor support for `ref` fields in `ref struct` declarations.
- Added library support for generic attributes (also for CIL extracted attributes).
- `cil.ConstructedType::getName` was changed to include printing of the type arguments.
- Attributes on methods in CIL are now extracted (Bugfix).
- Support for `static virtual` and `static abstract` interface members.
- Support for operators in interface definitions.
- C# 11: Added support for the unsigned right shift `>>>` and unsigned right shift assignment `>>>=` operators.
- Query ids have been aligned such that they are prefixed with `cs` instead of `csharp`.
- C# 11: Added support for list- and slice patterns in the extractor.
- Deleted the deprecated `getNameWithoutBrackets` predicate from the `ValueOrRefType` class in `Type.qll`.
- `Element::hasQualifiedName/1` has been deprecated. Use `hasQualifiedName/2` or `hasQualifiedName/3` instead.
- Added TCP/UDP sockets as taint sources.
No user-facing changes.
No user-facing changes.
- The `[Summary|Sink|Source]ModelCsv` classes have been deprecated and Models as Data models are defined as data extensions instead.
No user-facing changes.
No user-facing changes.
- `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
- ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
- Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
- The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
- The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
- The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- The C# extractor no longer supports the following legacy environment variables:
  - `ODASA_BUILD_ERROR_DIR`
  - `ODASA_CSHARP_LAYOUT`
  - `ODASA_SNAPSHOT`
  - `SEMMLE_DIST`
  - `SEMMLE_EXTRACTOR_OPTIONS`
  - `SEMMLE_PLATFORM_TOOLS`
  - `SEMMLE_PRESERVE_SYMLINKS`
  - `SOURCE_ARCHIVE`
  - `TRAP_FOLDER`
- `codeql test run` now extracts source code recursively from sub folders. This may break existing tests that have other tests in nested sub folders, as those will now get the nested test code included.
- Added support for C# 10 lambda improvements:
  - Explicit return types on lambda expressions.
  - Lambda expressions can be tagged with method and return value attributes.
- Added support for C# 10 Extended property patterns.
- Return value attributes are extracted.
- The QL `Attribute` class now has subclasses for each kind of attribute.
- The `codeql/csharp-upgrades` CodeQL pack has been removed. All upgrade scripts have been merged into the `codeql/csharp-all` CodeQL pack.
Added support for the following C# 10 features:
- Record structs.
- Improvements of structure types:
  - Instance parameterless constructor in a structure type.
  - Enhance `WithExpr` in QL to support `structs` and anonymous classes.
- Global using directives.
- File-scoped namespace declaration.
- Enhanced `#line` pragma.
- The query `cs/local-shadows-member` no longer highlights parameters of `record` types.