• There are no user-facing changes in this release.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.3.

Deprecations

• Swift analysis on Ubuntu is no longer supported. Please migrate to macOS if this affects you.

Miscellaneous

• The build of Eclipse Temurin OpenJDK that is used to run the CodeQL
  CLI has been updated to version 21.0.3.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.2.

Security Updates

• Resolves CVE-2023-4759, an arbitrary file overwrite in Eclipse JGit that can be triggered when using untrusted third-party queries from a git repository. See the security advisory for more information.
• The following dependencies have been updated. These updates include security fixes in the respective libraries that prevent out-of-bounds accesses or denial-of-service in scenarios where untrusted files are processed. These scenarios are not likely to be encountered in most uses of CodeQL and code scanning, and only apply to advanced use cases where precompiled query packs, database ZIP files, or database TRAP files are obtained from untrusted sources and then processed on a trusted machine.
  • airlift/aircompressor is updated to version 0.27.
  • Apache Ant is updated to version 1.10.11.
  • Apache Commons Compress is updated to version 1.26.0.
  • Apache Commons IO is updated to version 2.15.1.
  • Apache Commons Lang3 is updated to version 3.14.0.
  • jsoup is updated to version 1.15.3.
  • Logback is updated to version 1.2.13.
  • Snappy is updated to version 0.5.

New features

• The experimental type QlBuiltins::BigInt of arbitrary-precision integers has been introduced. To opt in to this API, compile your queries with --allow-experimental=bigint. Big integers can be constructed using the .toBigInt() methods of int and string.
• codeql test run now supports postprocessing of test results. When .qlref files specify a path to a postprocess query, then this is evaluated after the test query to transform the test outputs prior to concatenating them into the actual results.

Improvements

• The 30% QL query compilation slowdown noted in 2.18.0 has been fixed.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.1.

Breaking changes

• A number of breaking changes have been made to the C and C++ CodeQL
  test environment as used by codeql test run:

  • The test environment no longer defines any GNU-specific builtin
    macros. If these macros are still needed by a test, please define
    them via semmle-extractor-options.

  • The --force-recompute option is no longer directly supported by
    semmle-extractor-options. Instead, --edg --force-recompute
    should be specified.

  • The --gnu_version and --microsoft_version options that can be
    specified via semmle-extractor-options are now synonyms, and only
    one should be specified as part of semmle-extractor-options.
    Furthermore, is also no longer possible to specify these options
    via the following syntax.

    • --edg --gnu_version --edg <version number>, and
    • --edg --microsoft_version --edg <version number>

    The shorter --gnu_version <version number> and
    --microsoft_version <version number> should be used.

• The --build_error_dir and --predefined_macros command line options
  have been removed from the C/C++ extractor. It has never been possible
  to pass these options through the CLI, but some customers with advanced
  setups may have been passing them through internal undocumented interfaces.
  Passing the option --build_error_dir did not have any effect, and it
  is safe to remove the option. The --predefined_macros option should
  have been unnecessary, as long as the extractor was invoked with the
  --mimic option.

Regressions

• Compilation of QL queries is about 30% slower than in previous releases. This
  only affects users who write custom queries, and only at compilation time, not
  at run time. This regression will be fixed in the upcoming 2.18.1 release.

Improvements

• Introduced the --include-logs option to the codeql database bundle
  command. This new feature allows users to include logs in the generated
  database bundle, allowing for a more complete treatment of the bundle, and
  bringing the tool capabilities up-to-speed with the documentation.
• Extract .xsaccess, *.xsjs and *.xsjslib files for SAP HANA XS as
  Javascript.

Bugs fixed

• Where a MacOS unsigned binary cannot be signed, CodeQL will now continue
  trying to trace compiler invocations created by that process and its
  children. In particular this means that Bazel builds on MacOS are now
  traceable.
• Fixed a bug where test discovery would fail if there is a syntax error in a
  qlpack file. Now, a warning message will be printed and discovery will
  continue.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.18.0.

New features

• Beta support is now available for analyzing C# codebases without needing a working build. To use
  this, pass the --build-mode none option to codeql database create.

Improvements

• The --model-packs option is now publicly available. This option allows commands like codeql database analyze
  to accept a list of model packs that are used to augment the analysis of all queries involved in the analysis.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.6.

Breaking changes

• All the commands that output SARIF will output a minified version to reduce the size.
  The codeql database analyze, codeql database interpret-results, codeql generate query-help, and codeql bqrs interpret commands support the option --no-sarif-minify to output a pretty printed SARIF file.

• A number of breaking changes have been made to the semmle-extractor-options
  functionality available for C and C++ CodeQL tests, removing various flags that don't work well in the context of tests.
  These do not affect the creation of databases through the CodeQL CLI,
  or when calling the C/C++ extractor directly with the --mimic or --linker flags.

Improvements

• codeql generate log-summary now reports completed pipeline runs that
  are part of an incomplete recursive predicate.

Miscellaneous

• The OWASP Java HTML Sanitizer library used by the CodeQL CLI for internal
  documentation generation commands has been updated to version
  20240325.1.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.5.

• There are no user-facing changes in this release.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.4.

Improvements

• The language server that our IDE integration is built on now defaults to fine-grained dependency tracking for incremental error-checking after file changes. This slightly improves the latency of refreshing errors after local source code edits and will enable significant speedups in the future.
• We now properly handle globs (such as folder/**/*.py) in paths configuration to specify what files to include for Python analysis (see documentation here).
• TRAP import (a part of codeql database create and codeql database finalize) now supports allocating 2^32 IDs during the import process. The previous limit was 2^31 IDs.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.3.

Known issues

• The beta support for analyzing Swift in this release and all previous releases requires g++-13 when running on Linux. Users analyzing Swift using the ubuntu-latest, ubuntu-22.04, or ubuntu-20.04 runner images for GitHub Actions should update their workflows to install g++-13. For more information, see the runner images announcement.

Improvements

• When uploading a SARIF file to GitHub using codeql github upload-results, the CodeQL CLI now waits for the file to be processed by GitHub. If any errors occurred during processing of the analysis results, the command will log these and return a non-zero exit code. To disable this behaviour, pass the --no-wait-for-processing flag.

  By default, the command will wait for the SARIF file to be processed for a maximum of 2 minutes, however this is configurable with the --wait-for-processing-timeout option.

• The build tracer is no longer enabled when using the none build mode to analyze a compiled language, thus improving performance.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.2.

Release 2.17.1 (2024-04-24)

Deprecations

• The --mode option and -m alias to codeql database create,
  codeql database cleanup, and codeql dataset cleanup has been
  deprecated. Instead, use the new --cache-cleanup option, which has
  identical behavior.

Improvements

• Improved the diagnostic message produced when no code is processed
  when creating a database. If a build mode was specified using
  --build-mode, the message is now tailored to your build mode.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.1.