- Enums and
System.DateTimeOffsetare now treated as simple types, which means that they are considered to have a sanitizing effect. This impacts many queries, among others thecs/log-forgingquery. - The MaD models for the .NET 9 Runtime have been re-generated after a fix related to
out/refparameters.
- Added a new query,
csharp/path-combine, to recommend against thePath.Combinemethod due to it silently discarding its earlier parameters if later parameters are rooted.
- Improved dependency resolution in
build-mode: noneextraction to handle failingdotnet restoreprocesses that managed to download a subset of the dependencies before the failure. - Increase query precision for
cs/useless-gethashcode-callby not flagging calls toGetHashCodeonuint,longandulong. - Increase query precision for
cs/constant-conditionand allow the use of discards in switch/case statements and also take the condition (if any) into account. - The
cs/local-not-disposedquery no longer flags un-disposed tasks as this is often not needed (explained here). - Increase query precision for
cs/useless-assignment-to-localandcs/constant-conditionwhen unknown types are involved (mostly relevant forbuild-mode: nonedatabases). - Don't consider an if-statement to be useless in
cs/useless-if-statementif there is at least a comment.
No user-facing changes.
- C#: Improve precision of the query
cs/call-to-object-tostringfor value tuples.
No user-facing changes.
- All experimental queries have been deprecated. The queries are instead available as part of the default query suite in CodeQL-Community-Packs.
No user-facing changes.
- The
ExternalApiandTestLibrarymodules have been moved to the library pack.
csharp/diagnostic/database-qualityhas been changed to exclude various property access expressions from database quality evaluation. The excluded property access expressions are expected to have no target callables even in manual or autobuilt databases.
No user-facing changes.
- C#: The method
string.ReplaceLineEndings(string)is now considered a sanitizer for thecs/log-forgingquery.
No user-facing changes.
- C#: The indexer and
Addmethod onSystem.Web.UI.AttributeCollectionis no longer considered an HTML sink.
No user-facing changes.
No user-facing changes.
- Attributes in the
System.Runtime.CompilerServicesnamespace are ignored when checking if a declaration requires documentation comments. - C# build-mode
noneanalyses now report a warning on the CodeQL status page when there are significant analysis problems -- defined as 5% of expressions lacking a type, or 5% of call targets being unknown. Other messages reported on the status page are downgraded from warnings to notes and so are less prominent, but are still available for review.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- .NET 8 Runtime models have been updated based on the newest version of the model generator. Furthermore, the database sources have been changed slightly to reduce result multiplicity.
- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The
Storedvariants of some queries (cs/stored-command-line-injection,cs/web/stored-xss,cs/stored-ldap-injection,cs/xml/stored-xpath-injection,cs/second-order-sql-injection) have been removed. If you were using these queries, their results can be restored by enabling thefileanddatabasethreat models in your threat model configuration.
- The alert message of
cs/wrong-compareto-signaturehas been changed to remove unnecessary element references. - Data flow queries that track flow from local flow sources now use the current threat model configuration instead. This may lead to changes in the produced alerts if the threat model configuration only uses remote flow sources. The changed queries are
cs/code-injection,cs/resource-injection,cs/sql-injection, andcs/uncontrolled-format-string.
No user-facing changes.
No user-facing changes.
- Most data flow queries that track flow from remote flow sources now use the current threat model configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is remote flow sources) unless the threat model configuration is changed. The changed queries are
cs/code-injection,cs/command-line-injection,cs/user-controlled-bypass,cs/count-untrusted-data-external-api,cs/untrusted-data-to-external-api,cs/ldap-injection,cs/log-forging,cs/xml/missing-validation,cs/redos,cs/regex-injection,cs/resource-injection,cs/sql-injection,cs/path-injection,cs/unsafe-deserialization-untrusted-input,cs/web/unvalidated-url-redirection,cs/xml/insecure-dtd-handling,cs/xml/xpath-injection,cs/web/xss, andcs/uncontrolled-format-string.
- Added sanitizers for relative URLs,
List.Contains(), and checking the.Hostproperty on an URI to thecs/web/unvalidated-url-redirectionquery.
- Added string interpolation expressions and
string.Formatas possible sanitizers for thecs/web/unvalidated-url-redirectionquery.
- Modelled additional flow steps to track flow from handler methods of a
PageModelclass to the corresponding Razor Page (.cshtml) file, which may result in additional results for queries such ascs/web/xss.
- Fixed a Log forging false positive when using
String.Replaceto sanitize the input. - Fixed a URL redirection from remote source false positive when guarding a redirect with
HttpRequestBase.IsUrlLocalToHost()
No user-facing changes.
- Modelled additional flow steps to track flow from a
Viewcall in an MVC controller to the corresponding Razor View (.cshtml) file, which may result in additional results for queries such ascs/web/xss.
- CIL extraction is now disabled by default. It is still possible to turn on CIL extraction by setting the
cilextractor option totrueor by setting the environment variable$CODEQL_EXTRACTOR_CSHARP_OPTION_CILtotrue. This is the first step towards sun-setting the CIL extractor entirely.
No user-facing changes.
- The
cs/web/insecure-direct-object-referenceandcs/web/missing-function-level-access-controlhave been improved to better recognize attributes on generic classes.
- Added a new query,
cs/web/insecure-direct-object-reference, to find instances of missing authorization checks for resources selected by an ID parameter.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Added a new query,
cs/web/missing-function-level-access-control, to find instances of missing authorization checks.
- The query "Arbitrary file write during zip extraction ("Zip Slip")" (
cs/zipslip) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Additional sinks modelling writes to unencrypted local files have been added to
ExternalLocationSink, used by thecs/cleartext-storageandcs/exposure-of-sensitive-informationqueries.
- The query
cs/web/debug-binarynow disregards thedebugattribute in case there is a transformation that removes it.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Added a new query,
csharp/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase.
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The extensible predicates for Models as Data have been renamed (the
extprefix has been removed). As an example,extSummaryModelhas been renamed tosummaryModel.
- Fixes a bug where the Owin.qll framework library will look for "URI" instead of "Uri" in the OwinRequest class.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
- A new extractor option has been introduced for disabling CIL extraction. Either pass
-Ocil=falseto thecodeqlCLI or set the environment variableCODEQL_EXTRACTOR_CSHARP_OPTION_CIL=false. - The alert message of many queries have been changed to make the message consistent with other languages.
- Parameters of delegates passed to routing endpoint calls like
MapGetin ASP.NET Core are now considered remote flow sources. - The query
cs/unsafe-deserialization-untrusted-inputis not reporting on all calls ofJsonConvert.DeserializeObjectany longer, it only covers cases that explicitly use unsafe serialization settings. - Added better support for the SQLite framework in the SQL injection query.
- File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
- Contextual queries and the query libraries they depend on have been moved to the
codeql/csharp-allpackage.
- The
kindquery metadata was changed todiagnosticoncs/compilation-error,cs/compilation-message,cs/extraction-error, andcs/extraction-message.
- The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called
provenancehas been introduced, where the allowed values aremanualandgenerated. The value used to indicate whether a model as been written by hand (manual) or create by the CSV model generator (generated). - All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
- Casts to
dynamicare excluded from the useless upcasts check (cs/useless-upcast). - The C# extractor now accepts an extractor option
buildless, which is used to decide what type of extraction that should be performed. Iftruethen buildless (standalone) extraction will be performed. Otherwise tracing extraction will be performed (default). The option is added viacodeql database create --language=csharp -Obuildless=true .... - The C# extractor now accepts an extractor option
trap.compression, which is used to decide the compression format for TRAP files. The legal values arebrotli(default),gzipornone. The option is added viacodeql database create --language=csharp -Otrap.compression=value ....
- The precision of hardcoded credentials queries (
cs/hardcoded-credentialsandcs/hardcoded-connection-string-credentials) have been downgraded to medium.