code-scanning - GitHub Changelog

CodeQL code scanning now recognizes more sources and uses of untrusted user data

July 1, 2021

We’ve improved the depth of CodeQL's analysis by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models for several languages (C++, JavaScript, Python, and Java). As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. This results in an overall improvement of the quality of the code scanning alerts.

We carefully choose and prioritize the libraries and frameworks supported by CodeQL based on their popularity and through user feedback. The libraries and frameworks added and improved are listed below.

C/C++

Smart pointers

JavaScript and TypeScript

Python

Twisted
Rsa
Jmespath
MarkupSafe
Improvements to Idna
Improvements to SimpleJson
Improvements to aiohttp

Java

Improvements to Guava Libraries
Improvements to Apache Commons Lang library
Improvements to JAX-RS

Learn more about CodeQL and code scanning.

See more See more

Improvements to the code scanning and GitHub Advanced Security APIs

June 29, 2021

We've shipped a couple of changes to our APIs:

The code scanning API now returns the CodeQL query version used for an analysis. This can be used to reproduce results or confirm that an analysis used the latest query.
Admin users can now use the REST API to enable or disable GitHub Advanced Security for repositories using the security_and_analysis object on repos/:org/:repo. In addition, admin users can check whether Advanced Security is currently enabled for a repository by using a GET /repos/{owner}/{repo} request. These changes help you manage Advanced Security repository access at scale. For more information, see the repos REST API documentation.

See more See more

Code scanning: Diagnostic information is available!

June 28, 2021

Code scanning with CodeQL now generates diagnostic information for all supported languages.

Before analyzing your code, CodeQL first creates a CodeQL database containing all of the important information about your codebase. This database is then analyzed by executing CodeQL queries against it.

The new diagnostic information includes important information to help learn more about the CodeQL analysis.

Diagnostic information includes:

Lines of code in your codebase (as a baseline)
Lines of code in the CodeQL database extracted from your code
Lines of code in the CodeQL database excluding auto-generated files and external libraries
Number of files successfully analyzed
Number of files that generate extractor errors and warnings during database creation

You can see the detailed diagnostic information in GitHub CodeQL Actions Logs.

CodeQL Action Log

You also can view Lines of code in your codebase and Lines of code in the CodeQL database by going to the Security tab and selecting Code scanning alerts.

Code scanning CodeQL security tab

Diagnostic information queries are available in CodeQL CLI 2.5.6 and later. The CodeQL bundle includes both the CodeQL CLI and a compatible set of queries.

See more See more

CodeQL Code Scanning: It’s now easier to analyze multiple languages on 3rd party CI/CD systems with the CodeQL CLI

June 23, 2021

The latest release of the CodeQL CLI supports creating CodeQL databases for multiple languages in a single command. This makes it easier for customers using CI/CD systems other than GitHub Actions to run code scanning analysis. Previously, these users had to use the separate CodeQL Runner. The Runner will continue to be available, but the recommended way to handle multiple languages in your codebase is to use the CodeQL CLI directly.

To use this new option:

Download the updated CodeQL bundle, which includes the updated CodeQL CLI.
Check out your codebase at the Git reference you want to analyze.
Create CodeQL databases for the supported languages in your codebase using codeql database create. You need to specify a parent directory for the databases using the --db-cluster option, and the -l option for each language you want to create a database for.

After creating the databases, you must run codeql database analyze separately for each language. Use the --sarif-category option, setting different values for each language. Specifying this option lets code scanning know that each SARIF file it receives from these analyses should be retained. Similarly, you must also run codeql github upload-results separately for the SARIF file generated by each analysis.

For more information about setting up the CodeQL CLI with your CI system, see "Running CodeQL CLI in your CI system."

The new codeql database create option for creating databases for multiple languages in a single command is available in CodeQL 2.5.6 and later. The CodeQL bundle includes both the CodeQL CLI and a compatible set of queries.

See more See more

Code scanning CodeQL: C++20 support (beta)

June 22, 2021

Code scanning with CodeQL now includes beta support for C++20. Currently, CodeQL can only create CodeQL databases for C++20 code that is built with GCC on Linux. C++20 modules are not supported.

This feature is in beta. We are working on adding full support for C++20.

Let us know what you think: give feedback.

See more See more

Control which code scanning alerts cause a pull request check to fail

June 3, 2021

You can now configure which code scanning alert severity levels cause a pull request check to fail. This lets you prevent pull requests that generate alerts with chosen severity levels from being merged into your codebase.

This is set at repository level, and lets you define whether alerts with severity error, warning, or note will cause a pull request check to fail.

By default, code scanning alerts with severity error will cause a pull request check failure.

Screenshot 2021-06-02 at 10 24 02

For more information see "Defining which alert severity levels cause pull request check failure."

See more See more

Free text search for code scanning alerts

June 1, 2021

Free text search is now available for code scanning alerts. You can search code scanning results to quickly find specific alerts without having to know exact search terms. The search is applied across the alerts name, description, and help text.

The syntax is:

a single word returns all matches
multiple search words returns matches to either word
words in double quotes returns exact matches
the keyword 'AND' returns matches to multiple words

Free text search on code scanning alerts

For more information, see "Searching code scanning alerts."

See more See more

View all Code Scanning alerts in one consolidated page

March 31, 2021

Code Scanning alerts from all enabled tools are now shown in one consolidated list, so that you can easily prioritise across all alerts. You can view alerts from a specific tool by using the Tool filter, and the Rule and Tag filters will dynamically update based on your Tool selection.

Screenshot

See more See more