v2.15.1

Release 2.15.1 (2023-10-19)

Potentially Breaking Changes

• The query server's evaluation/trimCache command was previously equivalent to the codeql database cleanup --mode=gentle CLI command, but is now equivalent to using --mode=normal.

Deprecations

• The accepted values of the codeql database cleanup --mode= command line option have been renamed to bring them in line with what they are called in the VSCode extension and the query server:
  • --mode=brutal is now --mode=clear.
  • --mode=normal is now --mode=trim.
  • --mode=light is now --mode=fit.
  • The old names are deprecated, but will be accepted for backwards-compatibility reasons until further notice.

Improvements

• The list of failed tests at the end of a codeql test run is now sorted lexicographically.

Bugs fixed

• Fixed a bug where the $CODEQL_JAVA_HOME environment variable was
  erroneously ignored for certain subsidiary Java processes started by
  codeql.
• Fixed a bug in the CodeQL build tracer on Apple Silicon machines that prevented database creation if System Integrity Protection was disabled.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.1.

v2.15.0

Deprecations

• pragma[assume_small_delta] is now deprecated. The pragma has no effect and should be removed.
• Missing override annotations on class fields now raise errors rather than warnings. This is to avoid confusion with the shadowing behavior in the presence of final fields.
• The CodeQL CLI no longer supports ML-powered alerts. For more information, including details of our work in the AI-powered security technology space, see "CodeQL code scanning deprecates ML-powered alerts."

New Features

• The output of codeql version --format json now includes a features property. Each key in the map identifies a feature of the CodeQL CLI. The value for a key is always true. Going forward, whenever a significant new feature is added to the CodeQL CLI, a corresponding entry will be added to the features map. This is intended to make it easier for tools that invoke the CodeQL CLI to know if the particular version of the CLI they are invoking supports a given feature, without having to know exactly what CLI version introduced that feature.

Improvements

• You can now specify the CodeQL languages C/C++, Java/Kotlin, and JavaScript/TypeScript using --language c-cpp, --language java-kotlin, and --language javascript-typescript respectively. These new CodeQL language names convey more clearly what languages each CodeQL language will analyze.
• CodeQL now respects custom home directories set by the $HOME environment variable on MacOS and Linux and %USERPROFILE% on Windows. When set, CodeQL will use the variable's value to change the default location of downloaded packages and the global compilation cache.
• This release improves the quality of file coverage information for repositories that vendor their dependencies. This is currently supported for Go and JavaScript projects.

Bugs fixed

• Fixed an issue with analyzing Python projects using Python 3.12.

QL language improvements

• The QL language now has two new methods codePointAt and codePointCount on the string type. The methods both return integers and act the same as the similarly named Java methods on strings. For example, "abc".codePointAt(2) is 99 and ("a" + 128512.toUnicode() + "c").codePointAt(1) is a 128512.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.0.

v2.14.6

Bugs fixed

• The tracking of RAM usage has been improved. This fixes some cases
  where CodeQL uses more RAM than requested.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.6.

v2.14.5

Bugs fixed

• Fixed a JavaScript extractor crash that was introduced in 2.14.4.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.5.

v2.14.4

Known Issue

• The Javascript extractor may, in specific cases, fail with StringIndexOutOfBoundsException. Users affected by this bug should temporarily downgrade to 2.14.3 until a new 2.14.5 release becomes available.

Potentially breaking changes

• The CodeQL CLI no longer supports the SEMMLE_JAVA_ARGS environment variable. All previous versions of the CodeQL CLI perform command substitution on the SEMMLE_JAVA_ARGS value (for example, replacing '$(echo foo)' with 'foo') when starting a new Java virtual machine, which, depending on the execution environment, may have security implications. Users are advised to check their environments for possible SEMMLE_JAVA_ARGS misuse.

New Features

• The Java extractor now supports files that use Lombok.

Bugs fixed

• codeql database init (and github/codeql-action/init@v2 on GitHub Actions) should no longer hang or crash for traced languages on 64-bit Windows machines when certain antivirus software is installed.
• During codeql pack create and codeql pack publish, a source version of a pack coming from --additional-packs can explicitly be used to override a requested pack version even if this source version is incompatible with the requested version in the pack file. Previously, this would fail with a confusing error message.
• Fixed a bug where codeql database interpret-results hangs when a path query produces a result that has no paths from source to sink.

Miscellaneous

• The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL
  CLI has been updated to version 17.0.8.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.4.

v2.14.3

Breaking changes

• The <run>.tool.extensions property in the SARIF generated by codeql database analyze now contains the
  following packs:

  • The containing query pack for each query that was evaluated.
  • Each model pack that was specified via the --model-packs option, regardless of whether
    that model pack affected any of the evaluated queries.
    Library packs are no longer included in the list.

Miscellaneous

• The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL
  CLI has been updated to version 17.0.8.

• When codeql test generates .actual files, they will in some cases
  list the query predicates in a different order than past versions.
  There is no need to update .expected files, as codeql test sorts
  their results accordingly before diffing.
  However, when there are genuine changes in expected results, the
  generated .actual file can show additional changes against the
  .expected due to the reordering.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.3.

v2.14.2

Breaking changes

• The functionality provided by the codeql execute query-server subcommand has been removed. The subcommand now responds to all JSON RPC requests with an error response. Correspondingly, this release is no longer compatible with versions of the CodeQL extension for Visual Studio Code prior to 1.7.6.

  This change also breaks third-party CodeQL IDE integrations that still rely on the codeql execute query-server subcommand. Maintainers of such CodeQL IDE integrations should migrate to the codeql execute query-server2 subcommand at the earliest opportunity.

Improvements

• Switched from prefix filtering of autocomplete suggestions in the language server to client-side filtering. This improves autocomplete suggestions in contexts with an autocompletion prefix.

• The CodeQL language server now checks query metadata for errors. This allows Visual Studio Code users to see errors in their query metadata without needing to compile the query.

Bugs fixed

• Fixed bug that made the --warnings=hide option do nothing in codeql database analyze and other commands that evaluate queries.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.2.

v2.14.1

• There are no user-facing changes in this release.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.1.

v2.14.0

Potentially breaking changes

• The legacy option --search-path will now be used, if provided, when searching for the dependencies of packages that have no lock file.
• CodeQL query packs that specify their dependencies using the legacy libraryPathDependencies property in qlpack.yml/codeql-pack.yml files are no longer permitted to contain a codeql-pack.lock.yml lock file.
• CodeQL CLI commands that create packages or update package lock files, such as codeql pack publish and codeql pack create, will no longer work on query packs that specify their dependencies using the legacy libraryPathDependencies property. To fix this error, convert libraryPathDependencies to dependencies.

Deprecations

• Missing override annotations on class member predicates now raise errors rather than warnings. This is to avoid confusion with the shadowing behaviour in the presence of final member predicates.

Improvements

• Unqualified imports can now be marked as deprecated to indicate that the import may be removed in the future. Usage of names only reachable through deprecated imports will generate deprecation warnings.
• Classes declared inside a parameterized modules can final extend parameters of the module as well as types that are declared outside the parameterized module.
• Fields are fully functional when extending types from within a module instantiation.
• Files with a .yaml extension will now be included in compiled CodeQL packs. Previously, files with this extension were excluded even though .yml files were included.
• When interpreting results (e.g., using bqrs interpret or database interpret-results), extra placeholders in alert messages are treated as normal text. Previously, results with more placeholders than placeholder values were skipped.
• Windows users of the CodeQL extension for VS Code will see faster start times.
• In VS Code, errors in the current file are rechecked when dependencies change.
• In VS Code, autocomplete in large QL files is now faster.
• Member predicates can shadow final member predicates of the same arity even when the signatures are not fully matching.

Bugs fixed

• Fixed super calls on final base classes (or final aliases) so that they are now dispatched the same way as super calls on instanceof supertypes.
• Fixed a bug where running codeql database finalize with a large number of threads would fail due to running out of file descriptors.
• Fixed a bug where codeql database create --overwrite would not work with database clusters.
• Fixed a bug where the CodeQL documentation coverage statistics were incorrect.
• Fixed a bug where the generated CodeQL libarary documentation could generate invalid uris on windows.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.0.

v2.13.5

New Features

• The Swift extractor now supports Swift 5.8.1.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.13.5.