CodeQL adds support for Java 24 and other improvements in version 2.20.6

CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.20.6, which brings support for a new version of Java and a variety of other improvements that improve the accuracy of your code scanning results:

Java

• CodeQL now supports Java version 24
• We’ve improved the accuracy of the (java/xss) query when javax.servlet.http.HttpServletResponse is used without an exploitable content type

JavaScript / TypeScript

• We’ve added support for the response threat model, which can be enabled with advanced setup. When enabled, the response data coming back from an outgoing HTTP request is considered a tainted source.
• We’ve improved the precision of data flow through arrays and call resolution logic, both resulting in improved analysis results

C/C++

• We’ve improved the accuracy of the cpp/static-buffer-overflow query, resulting in improved results

C#

• We’ve improved the precision of the cs/call-to-object-tostring query, resulting in improved analysis results

GitHub Actions (Public Preview)

• We’ve removed the query actions/unversioned-immutable-action from the public suite of queries, which will close any alerts triggered from it

For a full list of changes, please refer to the complete changelog for version 2.20.6. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.6 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.