No user-facing changes.
No user-facing changes.
- Additional sinks modelling writes to unencrypted local files have been added to
ExternalLocationSink, used by thecs/cleartext-storageandcs/exposure-of-sensitive-informationqueries.
- The query
cs/web/debug-binarynow disregards thedebugattribute in case there is a transformation that removes it.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Added a new query,
csharp/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase.
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The extensible predicates for Models as Data have been renamed (the
extprefix has been removed). As an example,extSummaryModelhas been renamed tosummaryModel.
- Fixes a bug where the Owin.qll framework library will look for "URI" instead of "Uri" in the OwinRequest class.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
- A new extractor option has been introduced for disabling CIL extraction. Either pass
-Ocil=falseto thecodeqlCLI or set the environment variableCODEQL_EXTRACTOR_CSHARP_OPTION_CIL=false. - The alert message of many queries have been changed to make the message consistent with other languages.
- Parameters of delegates passed to routing endpoint calls like
MapGetin ASP.NET Core are now considered remote flow sources. - The query
cs/unsafe-deserialization-untrusted-inputis not reporting on all calls ofJsonConvert.DeserializeObjectany longer, it only covers cases that explicitly use unsafe serialization settings. - Added better support for the SQLite framework in the SQL injection query.
- File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
- Contextual queries and the query libraries they depend on have been moved to the
codeql/csharp-allpackage.
- The
kindquery metadata was changed todiagnosticoncs/compilation-error,cs/compilation-message,cs/extraction-error, andcs/extraction-message.
- The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called
provenancehas been introduced, where the allowed values aremanualandgenerated. The value used to indicate whether a model as been written by hand (manual) or create by the CSV model generator (generated). - All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
- Casts to
dynamicare excluded from the useless upcasts check (cs/useless-upcast). - The C# extractor now accepts an extractor option
buildless, which is used to decide what type of extraction that should be performed. Iftruethen buildless (standalone) extraction will be performed. Otherwise tracing extraction will be performed (default). The option is added viacodeql database create --language=csharp -Obuildless=true .... - The C# extractor now accepts an extractor option
trap.compression, which is used to decide the compression format for TRAP files. The legal values arebrotli(default),gzipornone. The option is added viacodeql database create --language=csharp -Otrap.compression=value ....
- The precision of hardcoded credentials queries (
cs/hardcoded-credentialsandcs/hardcoded-connection-string-credentials) have been downgraded to medium.