CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.3
has been released and has now been rolled out to code scanning users on GitHub.com.
Important changes in this release include:
- CodeQL code scanning now supports AI-powered automatic fix suggestions for Python alerts on pull requests. This is automatically enabled for all current autofix preview participants.
- A new option has been added to the Python extractor: `python_executable_name`. This allows you to select a non-default Python executable installed on the system running the scan (e.g. `py.exe` on Windows machines).
- A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
- Two new queries:
  - `java/android/insecure-local-authentication`, for finding uses of biometric authentication APIs that do not make use of a Keystore-backed key and thus may be bypassed.
  - `swift/unsafe-unpacking`, which detects code that extracts user-controlled zip archives without validating that the contents of the zip file are not extracted outside the destination directory.
- The sinks of the queries `java/path-injection` and `java/path-injection-local` have been reworked to reduce the number of false positives.
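The containment check that `swift/unsafe-unpacking` reports as missing, shown here in Python as an added illustration (not CodeQL's own code or the query's logic): every entry's resolved target must be the destination directory or a descendant of it before anything is written. The archive is constructed inline; `safe_entry_path` and `extract_checked` are names chosen for this example.

```python
import io
import zipfile
from pathlib import Path
from typing import Optional


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus one entry whose
    name climbs out of the extraction directory ("zip slip")."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../etc/evil.txt", "owned")
    return buf.getvalue()


def safe_entry_path(dest: Path, name: str) -> Optional[Path]:
    """Resolve a zip entry name against dest; return None if the result
    would land outside dest. Resolving first defeats '..' segments, and an
    absolute entry name is rejected too, because dest / '/x' is just '/x'."""
    dest = dest.resolve()
    target = (dest / name).resolve()
    if target == dest or dest in target.parents:
        return target
    return None


def extract_checked(zip_bytes: bytes, dest: Path):
    """Extract only entries that stay inside dest.
    Returns (written, rejected) lists of entry names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_entry_path(dest, info.filename)
            if target is None:
                rejected.append(info.filename)  # would escape dest: skip it
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected
```

Calling `zf.extractall(dest)` directly, or joining `info.filename` onto `dest` without the `safe_entry_path` check, is the pattern the query flags.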
For a full list of changes, please refer to the complete changelog for version 2.16.3. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.