From c7026c03dfb090b5f3b1f740c2a8235ef5b2ef50 Mon Sep 17 00:00:00 2001 From: Florin Coada Date: Mon, 5 May 2025 11:13:42 -0400 Subject: [PATCH 1/2] Update changelogs for CodeQL CLI 2.21.2 and adjust query reporting for unversioned immutable actions --- .../codeql-changelog/codeql-cli-2.21.2.rst | 122 ++++++++++++++++++ .../codeql-changelog/index.rst | 1 + 2 files changed, 123 insertions(+) create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst new file mode 100644 index 000000000000..8d9c20cfbb5c --- /dev/null +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst 
@@ -0,0 +1,122 @@ +.. _codeql-cli-2.21.2: + +========================== +CodeQL 2.21.2 (2025-05-01) +========================== + +.. contents:: Contents + :depth: 2 + :local: + :backlinks: none + +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__. + +Security Coverage +----------------- + +CodeQL 2.21.2 runs a total of 452 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 35 more CWE). + +CodeQL CLI +---------- + +Bug Fixes +~~~~~~~~~ + +* :code:`codeql generate log-summary` now correctly includes :code:`dependencies` maps in predicate events for :code:`COMPUTED_EXTENSIONAL` predicates. + +Query Packs +----------- + +Bug Fixes +~~~~~~~~~ + +GitHub Actions +"""""""""""""" + +* Assigned a :code:`security-severity` to the query :code:`actions/excessive-secrets-exposure`. + +Breaking Changes +~~~~~~~~~~~~~~~~ + +GitHub Actions +"""""""""""""" + +* The following queries have been removed from the :code:`security-and-quality` suite. + They are not intended to produce user-facing alerts describing vulnerabilities. + Any existing alerts for these queries will be closed automatically. 
+ + * :code:`actions/composite-action-sinks` + * :code:`actions/composite-action-sources` + * :code:`actions/composite-action-summaries` + * :code:`actions/reusable-workflow-sinks` (renamed from :code:`actions/reusable-wokflow-sinks`) + * :code:`actions/reusable-workflow-sources` + * :code:`actions/reusable-workflow-summaries` + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* Changes to the MaD model generation infrastructure: + + * Changed the query :code:`cs/utils/modelgenerator/summary-models` to use the implementation from :code:`cs/utils/modelgenerator/mixed-summary-models`. + * Removed the now-redundant :code:`cs/utils/modelgenerator/mixed-summary-models` query. + * A similar replacement was made for :code:`cs/utils/modelgenerator/neutral-models`. That is, if :code:`GenerateFlowModel.py` is provided with :code:`--with-summaries`, combined/mixed models are now generated instead of heuristic models (and similar for :code:`--with-neutrals`). + +* Improved detection of authorization checks in the :code:`cs/web/missing-function-level-access-control` query. The query now recognizes authorization attributes inherited from base classes and interfaces. +* The precision of the query :code:`cs/invalid-string-formatting` has been improved. More methods and more overloads of existing format like methods are taken into account by the query. + +Java/Kotlin +""""""""""" + +* Changes to the MaD model generation infrastructure: + + * Changed the query :code:`java/utils/modelgenerator/summary-models` to use the implementation from :code:`java/utils/modelgenerator/mixed-summary-models`. + * Removed the now-redundant :code:`java/utils/modelgenerator/mixed-summary-models` query. + * A similar replacement was made for :code:`java/utils/modelgenerator/neutral-models`. 
That is, if :code:`GenerateFlowModel.py` is provided with :code:`--with-summaries`, combined/mixed models are now generated instead of heuristic models (and similar for :code:`--with-neutrals`). + +Rust +"""" + +* Changes to the MaD model generation infrastructure: + + * Changed the query :code:`rust/utils/modelgenerator/summary-models` to use the implementation from :code:`rust/utils/modelgenerator/mixed-summary-models`. + * Removed the now-redundant :code:`rust/utils/modelgenerator/mixed-summary-models` query. + * A similar replacement was made for :code:`rust/utils/modelgenerator/neutral-models`. That is, if :code:`GenerateFlowModel.py` is provided with :code:`--with-summaries`, combined/mixed models are now generated instead of heuristic models (and similar for :code:`--with-neutrals`). + +Language Libraries +------------------ + +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Swift +""""" + +* Upgraded to allow analysis of Swift 6.1. + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* Improved autobuilder logic for detecting whether a project references a SDK (and should be built using :code:`dotnet`). + +Swift +""""" + +* Added AST nodes :code:`ActorIsolationErasureExpr`, :code:`CurrentContextIsolationExpr`, + :code:`ExtracFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. + +New Features +~~~~~~~~~~~~ + +C/C++ +""""" + +* New classes :code:`TypeofType`, :code:`TypeofExprType`, and :code:`TypeofTypeType` were introduced, which represent the C23 :code:`typeof` and :code:`typeof_unqual` operators. The :code:`TypeofExprType` class represents the variant taking an expression as its argument. The :code:`TypeofTypeType` class represents the variant taking a type as its argument. +* A new class :code:`IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC. 
+* Introduced :code:`hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements. +* Added the :code:`isVla()` predicate to the :code:`ArrayType` class. This allows queries to identify variable-length arrays (VLAs). diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst index 137185c94db2..92781448af86 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/index.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst @@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here Date: Mon, 5 May 2025 11:30:15 -0400 Subject: [PATCH 2/2] Update codeql-cli-2.21.2.rst --- .../codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst index 8d9c20cfbb5c..636cf2fe63d5 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst @@ -108,7 +108,7 @@ Swift """"" * Added AST nodes :code:`ActorIsolationErasureExpr`, :code:`CurrentContextIsolationExpr`, - :code:`ExtracFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. + :code:`ExtractFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. New Features ~~~~~~~~~~~~
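Review bot: the commit subject promises to "adjust query reporting for unversioned immutable actions", but the first hunk only adds the new changelog file (122 insertions, no query or configuration changes), so either the subject should be trimmed to "Update changelogs for CodeQL CLI 2.21.2" or the missing change belongs in this commit. Two smaller points in the same hunk: the four intro links (`code scanning section on the GitHub blog `__ and the following three) show no `<https://...>` target in the hunk as rendered here, so confirm the URLs are present before merging, and the C# bullet should read "format-like methods" rather than "format like methods", with "references an SDK" instead of "a SDK" in the autobuilder bullet.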
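Review bot: the `index.rst` hunk header `@@ -11,6 +11,7 @@` records exactly one added line, but that line is not visible in this extract; confirm it is the `codeql-cli-2.21.2` toctree entry and that it is placed in the same position relative to the existing entries (newest first or oldest first) as the rest of the list, so the 2.21.2 page is reachable from the changelog index.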
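Review bot: PATCH 2/2 is a one-word fix (`ExtracFunctionIsolationExpr` to `ExtractFunctionIsolationExpr`) to a line introduced by PATCH 1/2 in the same series; squash it into the first commit so the misspelled class name never lands in history, and if it must stay separate, replace the generic message "Update codeql-cli-2.21.2.rst" with one that names the typo being corrected.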