Releases: github/codeql-cli-binaries

v2.20.0

09 Dec 17:28

Known issues

  • The Windows executable for this release is labeled with an incorrect version number within its properties: the version number should be 2.20.0 rather than 2.19.4. codeql version reports the correct version number.

New features

  • The QlBuiltins::BigInt type of arbitrary precision integers is generally available and no longer hidden behind the --allow-experimental=bigint CLI feature flag.

Miscellaneous

  • Backslashes are now escaped when writing output in the Graphviz DOT format (--format=dot).
  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.5.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.20.0.

v2.19.4

02 Dec 13:43
4da8b8c

Improvements

  • CodeQL now supports passing values containing the equals character (=) to extractor options via
    the --extractor-option flag.
  • The codeql pack bundle command now sets the numeric user and group IDs of entries in the generated
    tar archive to 0.

Bugs fixed

  • On macOS, arch -arm64 commands no longer fail when they are executed as part of a build.
  • Fixed a bug where codeql test run would not preserve test databases on disk after a test failed.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.4.

v2.19.3

07 Nov 17:19

Bugs fixed

  • Fixed a bug where using codeql database import to combine multiple non-empty databases may produce a corrupted database. (The bug does not affect using codeql database finalize --additional-dbs to combine multiple databases.)
  • Fixed a bug where uses of a QlBuiltins::ExtensionId variable that was not bound to a value could be incorrectly accepted in some cases. In many cases, this would result in a crash.
  • CodeQL would sometimes refuse to run with more than around 1,500 GB of RAM available, complaining that having so much memory was "unrealistic". The amount of memory CodeQL is able to make any meaningful use of still tops out at about that value, but it will now gracefully accept that so large computers do in fact exist.
  • Fixed a bug in command-line parsing where a misspelled option could sometimes be misinterpreted as, e.g., the name of a query to run. Now every command-line argument that begins with a dash is assumed to be intended as an option (unless it comes after the -- separator), and an appropriate error is emitted if that is not a recognized one.

Miscellaneous

  • The CodeQL Bundle is now available as an artifact that is compressed using Zstandard. This artifact is smaller and faster to decompress than the original, gzip-compressed bundle. The CodeQL bundle is a tar archive containing tools, scripts, and various CodeQL-specific files.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.3.

v2.19.2

21 Oct 17:19
2e5c334

Release 2.19.2 (2024-10-21)

Potentially breaking changes

  • The Python extractor will no longer extract the standard library by default, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. It will for a while be possible to force extraction of the standard library by setting the environment variable CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB to 1.

Bugs fixed

  • The 2.19.1 release contained a bug in the query evaluator that under rare conditions could lead to wrong alerts or resource exhaustion. Although we have never seen the problem outside of internal testing, we encourage users on 2.19.1 to upgrade to 2.19.2.

Miscellaneous

  • The database relation sourceLocationPrefix is changed for databases created with
    codeql test run. Instead of containing the path of the enclosing qlpack, it now
    contains the actual path of the test, similar to if one had run codeql database create
    on the test folder. For example, for a test such as
    <checkout>/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref we now populate
    sourceLocationPrefix with <checkout>/cpp/ql/test/query-tests/Security/CWE/CWE-611/
    instead of <checkout>/cpp/ql/test/. This change typically impacts calls to
    File.getRelativePath(), and may as a result change the expected test output.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.2.

v2.19.1

04 Oct 20:54
133ec79

New Features

  • The command codeql generate query-help now supports Markdown help files.
    The Markdown help format is commonly used in custom CodeQL query packs.

  • Added a new command, codeql resolve packs. This command shows each step in the
    pack search process, including what packs were found in each step. With the
    --show-hidden-packs option, it can also show details on which packs were hidden
    by packs found earlier in the search sequence.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.1.

v2.19.0

18 Sep 12:52
9b69269

Improvements

  • codeql database analyze and codeql database interpret-results now support
    the --sarif-run-property option. You can provide this option when using a SARIF
    output format to add a key-value pair to the property bag of the run object.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL
    CLI has been updated to version 21.0.4.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.19.0.

v2.18.4

12 Sep 14:17

New Features

  • C# support for build-mode: none is now out of beta, and generally available.
  • Go 1.23 is now supported.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.4.

v2.18.3

28 Aug 12:47

  • There are no user-facing changes in this release.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.3.

v2.18.2

13 Aug 14:10

Deprecations

  • Swift analysis on Ubuntu is no longer supported. Please migrate to macOS if this affects you.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL
    CLI has been updated to version 21.0.3.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.2.

v2.18.1

25 Jul 17:00

Security Updates

  • Resolves CVE-2023-4759, an arbitrary file overwrite in Eclipse JGit that can be triggered when using untrusted third-party queries from a git repository. See the security advisory for more information.
  • The following dependencies have been updated. These updates include security fixes in the respective libraries that prevent out-of-bounds accesses or denial-of-service in scenarios where untrusted files are processed. These scenarios are not likely to be encountered in most uses of CodeQL and code scanning, and only apply to advanced use cases where precompiled query packs, database ZIP files, or database TRAP files are obtained from untrusted sources and then processed on a trusted machine.
    • airlift/aircompressor is updated to version 0.27.
    • Apache Ant is updated to version 1.10.11.
    • Apache Commons Compress is updated to version 1.26.0.
    • Apache Commons IO is updated to version 2.15.1.
    • Apache Commons Lang3 is updated to version 3.14.0.
    • jsoup is updated to version 1.15.3.
    • Logback is updated to version 1.2.13.
    • Snappy is updated to version 0.5.

New features

  • The experimental type QlBuiltins::BigInt of arbitrary-precision integers has been introduced. To opt in to this API, compile your queries with --allow-experimental=bigint. Big integers can be constructed using the .toBigInt() methods of int and string.
  • codeql test run now supports postprocessing of test results. When .qlref files specify a path to a postprocess query, then this is evaluated after the test query to transform the test outputs prior to concatenating them into the actual results.

Improvements

  • The 30% QL query compilation slowdown noted in 2.18.0 has been fixed.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.1.