
Releases: github/codeql-cli-binaries

v2.7.3

09 Dec 01:48
e7a42a0


  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.

Potentially breaking changes

  • The experimental command-line option --ml-model-path that was introduced to support internal experiments has been removed.

Bugs fixed

  • Editing support (content assist, code navigation, etc.) in files under the .github directory will now work properly. This is because files under the .github directory will now be indexed and processed by the CodeQL language server. Other hidden directories that start with . will remain un-indexed. This affects the vscode-codeql extension and any other IDE extension that uses the CodeQL language server.

  • Fixed authentication with GitHub package registries via the GITHUB_TOKEN environment variable and the --github-auth-stdin flag when downloading and publishing packs.

  • Fixed an incompatibility with glibc version 2.34 on Linux, where build tracing failed with an error message.

  • Fixed a bug where codeql generate log-summary could sometimes fail with a JsonMappingException.

New features

  • The CodeQL CLI for macOS now ships with a native Java virtual machine for M1 (Apple Silicon) Macs, which is used by default where applicable to run the CodeQL engine, improving performance. Rosetta 2 is still required because not all components of the CodeQL CLI are natively compiled.

  • Commands that execute queries will now exit with status code 34 if certain errors that prevent the evaluation of one or more individual queries are detected. Previously some of these errors would crash the evaluator and exit with status code 100.

    (This is currently used for "external predicate not found" errors).

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.7.2

22 Nov 13:42


  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.

Potentially breaking changes

  • The Java extractor now defaults to extracting all XML documents under 10MB in size, a change from the previous default of only extracting documents with particular well-known names (e.g. pom.xml). However, if the source tree contains more than 50MB of XML in total, it prints a warning and falls back to the old default behaviour. Set the environment variable LGTM_INDEX_XML_MODE to byname to get the old default behaviour, or all to extract all documents under 10MB regardless of total size.

  • The experimental command-line option --native-library-path that was introduced to support internal experiments has been removed.

  • The beta codeql pack publish command will now prevent accidental publishing of packages with pre-release version qualifiers. Prerelease versions are those that include a - after the major, minor, and patch versions such as 1.2.3-dev. To avoid this change, use the --allow-prerelease option.

Bugs fixed

  • Fixed an issue when using the --evaluator-log option where a NullPointerException could sometimes occur non-deterministically.

  • Fixed bugs observed when using indirect build tracing using a CodeQL distribution unpacked to a path containing spaces or on Arch Linux.

New features

  • CodeQL databases now contain metadata about how and when they were created. This can be found in the creationMetadata field of the codeql-database.yml file within the CodeQL database directory. More information may be added to this field in future releases.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.7.1

15 Nov 19:14


  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.

Potentially breaking changes

  • Previously, codeql test run would fall back to looking for an accompanying queries.xml file if it found a qlpack.yml that did not declare an extractor to use when extracting a test database. This fallback has been removed because the internal use case that necessitated it no longer exists. If you suddenly encounter errors complaining of missing extractor declarations, check whether you had a queries.xml you were inadvertently relying on.

  • When queries are specified by naming a directory to scan for *.ql files, subdirectories named .codeql will now be ignored. The new QL packaging support uses subdirectories with this name for various scratch and caching purposes, so they may contain *.ql files that are not intended to be directly user-visible.

  • When copying dependencies for CodeQL packages into a query pack bundle, *.ql files in these dependencies will now be included inside of the query pack's .codeql directory.

  • The tables printed by codeql database analyze to summarize the results of diagnostic and metric queries that were part of the analysis have a new format and contain less (but hopefully more pertinent) information. We recommend against attempting to parse this human-readable output programmatically. Instead, use the runs[].tool.driver.invocations[].toolExecutionNotifications property in the SARIF output.

  • The experimental plumbing command codeql pack packlist has a new format for its JSON results. Previously, the results were a list of paths. Now, the results are an object with a single property paths that contains the list of paths.
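The note above about the diagnostic/metric summary table recommends reading the SARIF property instead of scraping the printed table. The script below is an added example of doing exactly that; it is not part of the CodeQL CLI. It walks runs[].tool.driver.invocations[].toolExecutionNotifications, collects each notification's level, descriptor id and message, and offers a severity gate a CI job can use. The embedded SARIF document is constructed for illustration (the rule ids in it are hypothetical), and the script can also be pointed at a real file on the command line.

```python
"""Read diagnostic/metric notifications from CodeQL SARIF output.

Added example: walks runs[].tool.driver.invocations[].toolExecutionNotifications
instead of parsing the human-readable table printed by `codeql database analyze`.
"""
import json
import sys
from collections import Counter

# SARIF 2.1.0 severity order for notification.level.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample log (not produced by codeql); rule ids are hypothetical and
# only the fields read below are populated.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL",
            "invocations": [{
                "executionSuccessful": True,
                "toolExecutionNotifications": [
                    {"level": "warning",
                     "descriptor": {"id": "example/diagnostics/extraction-errors"},
                     "message": {"text": "Extraction errors encountered in 3 files"}},
                    {"level": "note",
                     "descriptor": {"id": "example/metrics/lines-of-code"},
                     "message": {"text": "Lines of code: 12345"}},
                ],
            }],
        }},
        "results": [],
    }],
})


def collect_notifications(sarif_text):
    """Return one dict per notification: run index, level, descriptor id, message text."""
    log = json.loads(sarif_text)
    found = []
    for run_idx, run in enumerate(log.get("runs", [])):
        driver = run.get("tool", {}).get("driver", {})
        for invocation in driver.get("invocations", []):
            for note in invocation.get("toolExecutionNotifications", []):
                found.append({
                    "run": run_idx,
                    # SARIF's default level for a notification is "warning".
                    "level": note.get("level", "warning"),
                    "id": note.get("descriptor", {}).get("id"),
                    "text": note.get("message", {}).get("text", ""),
                })
    return found


def count_by_level(notifications):
    """Histogram of notification levels, e.g. Counter({'warning': 1, 'note': 1})."""
    return Counter(n["level"] for n in notifications)


def at_or_above(notifications, level):
    """Notifications with severity >= `level`; use as a CI gate (fail on 'error', say)."""
    threshold = LEVEL_RANK[level]
    return [n for n in notifications if LEVEL_RANK.get(n["level"], 2) >= threshold]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    for n in collect_notifications(text):
        print(f"run {n['run']} [{n['level']}] {n['id']}: {n['text']}")
    sys.exit(1 if at_or_above(collect_notifications(text), "error") else 0)
```

Run it as `python3 sarif_notes.py results.sarif`; without an argument it processes the constructed sample. Gating on the structured level field rather than on message text keeps the check stable across the format changes this release warns about.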

Deprecations

  • The output formats SARIF v1.0.0 and SARIF v2.0.0 (Committee Specification Draft 1) have been deprecated. They will be removed in a later version (earliest 2.8.0). If you need this functionality, please file a public issue against https://github.com/github/codeql-cli-binaries, or open a private ticket with GitHub Support and request an escalation to engineering.

  • The qlpack: instruction in query suite definitions has been deprecated due to uncertainty about whether it is intended to include all the *.ql files in the named pack, or only the pack's "default query suite". The behavior of the instruction is determined by whether the named pack declares any default query suite, but this means that a pack starting to declare such a suite may break the behavior of existing query suites that reference the pack from outside.

Bugs fixed

  • The paths and paths-ignore properties of a Code Scanning config file specified using --codescanning-config were being interpreted the wrong way around.

  • Queries specified using the --codescanning-config option could not be run after an explicit call to codeql database finalize.

  • -J options would erroneously be recognized even after -- on the command line.

  • When running codeql database analyze and codeql database interpret-results without the --sarif-group-rules-by-pack flag, the SARIF output did not include baseline lines-of-code counts.

  • Expansion of query suites would sometimes fail if a query suite in a compiled query pack referenced that pack itself explicitly.
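The first bug in the list above (paths and paths-ignore interpreted the wrong way around) is easiest to understand with the intended semantics written out. The following is an added example, not the CLI's implementation: paths selects the files to analyse, paths-ignore then removes files from that selection. The glob handling is an approximation of the Code Scanning config format (`**` spans directories, `*` stays within one path segment, a bare directory name matches everything beneath it); the file list and config are constructed for illustration.

```python
"""Apply a Code Scanning config's `paths` / `paths-ignore` the right way around.

Added example (not CodeQL's own code). `paths` selects files to analyse;
`paths-ignore` removes files from that selection. Glob handling approximates
the GitHub config format.
"""
import re


def _glob_to_regex(pattern):
    """Translate a config glob into a regex: `**/` = zero or more dirs, `*` within a segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def matches(path, pattern):
    """True if the pattern matches the path itself or any of its ancestor directories."""
    rx = _glob_to_regex(pattern.strip("/"))
    parts = path.split("/")
    return any(rx.match("/".join(parts[:k])) for k in range(1, len(parts) + 1))


def select_files(files, paths=None, paths_ignore=None):
    """Files that match some `paths` entry (or all files if `paths` is empty) minus `paths_ignore`."""
    selected = []
    for f in files:
        included = not paths or any(matches(f, p) for p in paths)
        excluded = any(matches(f, p) for p in (paths_ignore or []))
        if included and not excluded:
            selected.append(f)
    return selected


# Constructed checkout and config for illustration.
FILES = ["src/app.js", "src/app.test.js", "src/vendor/lib.js", "docs/readme.md"]
CONFIG = {"paths": ["src"], "paths-ignore": ["src/vendor", "**/*.test.js"]}


def correct():
    """Intended behaviour: analyse src/ except vendored code and test files."""
    return select_files(FILES, CONFIG["paths"], CONFIG["paths-ignore"])


def swapped():
    """What the bug fixed in 2.7.1 amounted to: the two lists applied the wrong way around."""
    return select_files(FILES, CONFIG["paths-ignore"], CONFIG["paths"])
```

With the lists swapped, every file under src is excluded by the "src" entry, so the analysis would silently cover nothing; checking the artifact list in the resulting SARIF after an upgrade is the quickest way to confirm the scope you expect.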

New features

  • Beta support for database creation on Apple Silicon, with certain requirements (see the full changelog).

  • codeql database analyze can now include query-specific help texts for alerts in the SARIF output (for SARIF v2.1.0 or later). The help text must be located in an .md file next to (and with the same basename as) the .ql file for each query. Since this can significantly increase SARIF file size, the feature is not enabled by default; give a --sarif-add-query-help option to enable it.

  • The query metadata validator now knows about queries that produce alert scores, so these queries no longer need to be run with a --no-metadata-verification flag.

  • codeql database create and codeql database finalize have a new flag --skip-empty that causes a language with no extracted source code to be skipped with a warning instead of treated as a fatal error. This can be useful with --db-cluster where not all of the languages may exist in the source tree. It will not be possible to run queries against the skipped database.

  • codeql resolve extractor and codeql resolve languages now support an extended output format --format=betterjson which includes information about each extractor's language-specific options.

  • Rudimentary support for parallelizing database creation by importing unfinished databases (or database clusters) into another unfinished database (or cluster) under creation.

  • codeql database create, codeql database index-files, and codeql database trace-command support a unified syntax for passing language-specific options to the extractor with the new --extractor-option and --extractor-options-file options.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.7.0

27 Oct 22:15


  • The extractor for Ruby is now included. CodeQL analysis for Ruby is currently in beta. During the beta, analysis of Ruby will not be as comprehensive as CodeQL analysis of other languages. The source code of the extractor and the queries can be found in the github/codeql repository.
  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.

Bugs fixed

  • Fixed a bug where indirect tracing would sometimes not manage to observe build processes if certain environment variables were unset during the build.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.6.3

06 Oct 17:20
0970517


  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.

Potentially breaking changes

  • The option --compiler-spec accepted by some subcommands of codeql database is deprecated. It will be removed in a later version (earliest 2.7.0). If you need this option, please file a public issue in https://github.com/github/codeql-cli-binaries, or open a private ticket with GitHub support and request an escalation to engineering.
  • By default, databases created using the CodeQL CLI will now have their underlying datasets finalized, meaning that no further data can be subsequently imported into them. This change should not affect most users.
  • The codeql resolve qlref command will now throw an error when the target is ambiguous. The qlref resolution rules are now as follows: 1. If the target of a qlref is in the same qlpack, then that target is always returned. 2. If multiple targets of the qlref are found in dependent packs, this is an error. Previously, the command would have arbitrarily chosen one of the targets and ignored any ambiguities.
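The qlref resolution rules in the last item above are concrete enough to write down. The following is an added model of those rules, not the CLI's code: a .qlref file names a query by its pack-relative path; rule 1 says a match in the referencing pack always wins, rule 2 says two or more matches among dependency packs is an error rather than an arbitrary pick. The pack names and query paths are constructed for illustration, and the treatment of comments and blank lines in a .qlref is an assumption.

```python
"""Model of the `codeql resolve qlref` lookup rules stated in the 2.6.3 notes.

Added example, not the CLI's implementation.
"""


class AmbiguousQlref(Exception):
    pass


class QlrefNotFound(Exception):
    pass


def parse_qlref(text):
    """A .qlref holds one query path; ignoring blank/'#' lines is an assumption of this model."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if len(lines) != 1:
        raise ValueError("expected exactly one query path in qlref")
    return lines[0]


def resolve_qlref(target, from_pack, packs, dependencies):
    """packs: {pack name: set of query paths}; dependencies: {pack name: [dependency pack names]}.

    Rule 1: a target present in the referencing pack is always returned.
    Rule 2: more than one dependency pack providing the target is an error.
    """
    if target in packs.get(from_pack, set()):
        return (from_pack, target)
    hits = [dep for dep in dependencies.get(from_pack, []) if target in packs.get(dep, set())]
    if len(hits) > 1:
        raise AmbiguousQlref(f"{target!r} provided by {sorted(hits)}")
    if not hits:
        raise QlrefNotFound(target)
    return (hits[0], target)


# Constructed pack layout for illustration (pack names are hypothetical).
PACKS = {
    "example/tests":   {"local/Override.ql"},
    "example/queries": {"Security/CWE-079/XSS.ql", "local/Override.ql"},
    "example/extras":  {"Security/CWE-079/XSS.ql"},
}
DEPS = {"example/tests": ["example/queries", "example/extras"]}


def resolve_status(qlref_text, from_pack, packs=PACKS, dependencies=DEPS):
    """Scripting-friendly wrapper: ('ok', pack), ('ambiguous', None) or ('missing', None)."""
    try:
        pack, _ = resolve_qlref(parse_qlref(qlref_text), from_pack, packs, dependencies)
        return ("ok", pack)
    except AmbiguousQlref:
        return ("ambiguous", None)
    except QlrefNotFound:
        return ("missing", None)
```

The ambiguous case is the one that changed: before 2.6.3 the second lookup below would have returned either example/queries or example/extras depending on iteration order, which is exactly the kind of nondeterminism you do not want deciding which query a test runs.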

Bugs fixed

  • Linux/macOS: When tracing a build that involves an execvp, execvpe (Linux-only) or posix_spawnp call where PATH was not set in the environment, CodeQL would sometimes break the build. Now CodeQL uses the correct, platform-specific fallback for PATH instead.
  • Linux/macOS: When tracing a build that involves an execvpe (Linux-only) or posix_spawnp call, the PATH lookup of the executable wrongly took place in the environment provided via envp, instead of the environment of the process calling execvpe/posix_spawnp. Now the correct environment is used for the PATH lookup.
  • A bug where query compilation would sometimes fail with a StackOverflowError when compiling a query that uses instanceof has now been fixed.
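The two tracing fixes in the list above come down to one rule for anything that emulates execvp-style lookup: resolve the executable against the calling process's PATH (with a platform fallback when PATH is absent), and only then hand envp to the child untouched. The following is an added example of that rule in Python, not CodeQL's tracer; the per-platform default search paths are assumptions for illustration, and the demo deliberately gives the child an unusable PATH to show that the lookup must not consult it.

```python
"""Resolve an executable the way an execvp/execvpe/posix_spawnp tracer should.

Added example, not CodeQL's tracer. (1) When PATH is unset in the caller's
environment, fall back to a platform default instead of failing. (2) For
execvpe and posix_spawnp, search the *calling* process's PATH, never the PATH
inside the envp that is handed to the child.
"""
import os
import shutil
import subprocess
import sys

# Assumed per-platform fallbacks for a missing PATH (libc defaults vary; illustration only).
DEFAULT_PATH = {"linux": "/bin:/usr/bin", "darwin": "/usr/bin:/bin"}


def resolve_executable(file, caller_env, platform=None):
    """Absolute path for `file`, or None. Names containing '/' are used as given, like execvp."""
    if "/" in file:
        return file if os.access(file, os.X_OK) else None
    search = caller_env.get("PATH")
    if search is None:
        search = DEFAULT_PATH.get(platform or sys.platform, "/bin:/usr/bin")
    return shutil.which(file, path=search)


def spawn_with_env(file, argv, envp, caller_env=None):
    """Like execvpe/posix_spawnp: lookup uses caller_env, the child receives envp verbatim."""
    caller_env = os.environ if caller_env is None else caller_env
    resolved = resolve_executable(file, caller_env)
    if resolved is None:
        raise FileNotFoundError(file)
    # The child is started by absolute path, so its own PATH is irrelevant to the lookup.
    return subprocess.run([resolved, *argv[1:]], env=envp, capture_output=True, text=True)


def demo():
    """Child envp has an unusable PATH; the lookup still succeeds via the caller's PATH."""
    child_env = {"PATH": "/nonexistent"}
    proc = spawn_with_env("sh", ["sh", "-c", "echo ok"], child_env,
                          caller_env={"PATH": "/usr/bin:/bin"})
    return proc.stdout.strip()


if __name__ == "__main__":
    print(demo())
```

The buggy behaviour described in the second item is reproduced by passing the child's envp as `caller_env`: with PATH=/nonexistent the lookup returns None and the spawn fails, which is how a traced build would break even though the real shell would have found sh.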

New features

  • The codeql query compile command now accepts a --keep-going or -k option, which indicates that the compiler should continue compiling queries even if one of the queries has a compile error in it.
  • CLI commands now run default queries if none are specified: codeql database analyze, codeql database run-queries, and codeql database interpret-results now run the default suite for the language being analyzed when no queries are given.
  • codeql pack publish now also copies the published package to the local package cache, in addition to publishing it to the remote repository.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.6.2

21 Sep 16:53
d7b08e6


  • CodeQL CLI 2.6.2 includes the same functionality as the CodeQL runner, which is being deprecated. For more information, see: CodeQL runner deprecation.

  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

Bugs fixed

  • A bug where codeql generate log-summary would sometimes crash with a JsonMappingException has been fixed.

New features

  • The CodeQL CLI now counts the lines of code found under --source-root when codeql database init or codeql database create is called. This information can be viewed later by either the new codeql database print-baseline command or the new --print-baseline-loc argument to codeql database interpret-results.
  • qlpack.yml files now support an additional field include in which glob patterns of additional files that should be included (or excluded) when creating a given CodeQL pack can be specified.
  • QL packs created by the experimental codeql pack create command will now include some information about the build in a new buildMetadata field of their qlpack.yml file.
  • codeql database create now supports the same flags as codeql database init for automatically recognizing the languages present in checkouts of GitHub repositories:
    • --github-url accepts the URL of a custom GitHub instance (previously only github.com was supported).
    • --github-auth-stdin allows a personal access token to be provided through standard input (previously only the GITHUB_TOKEN environment variable was supported).

Notable documentation changes

  • Documentation has been added detailing how to use the "indirect build tracing" feature, which is enabled by using the --begin-tracing flag provided by codeql database init. The new documentation can be found here. This feature was temporarily described as "sandwiched tracing" in the 2.6.0 release notes.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.6.1

07 Sep 23:58


  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

Potentially breaking changes

  • The codeql resolve qlref command will now throw an error when the target is ambiguous.

  • The qlpack directive in query suites has its semantics changed. Previously, this directive would return all queries in the qlpack. Now, the directive returns only those queries matched by the defaultSuite directive in the query pack.

New features

  • Commands that evaluate CodeQL queries now support an additional option --evaluator-log=path/to/log.json.

New language features

  • QL classes can now be non-extending subtypes via the instanceof keyword, allowing for a form of private subtyping that is not visible externally.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.6.0

24 Aug 22:37


The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

Bugs fixed

  • The physicalLocation.artifactLocation.uri fields in SARIF output are now properly encoded as specified by RFC 3986.

  • The --include-extension option to the codeql database index-files command no longer includes directories that are named with the provided extension. For example, if the option --include-extension=.rb is provided, then a directory named foo.rb/ will be excluded from the indexing.

New features

  • A new codeql database unbundle subcommand performs the reverse of codeql database bundle and extracts a CodeQL database from an archive.

  • The CLI now understands per-codebase configuration files in the format already supported by the CodeQL Action.

  • The CLI now supports the "sandwiched tracing" feature that has previously only been offered through the separate CodeQL Runner. This feature is intended for use with CI systems that cannot be configured to wrap build actions with codeql database trace-command.

  • This version contains beta support for a new packaging and publishing system for third-party QL queries and libraries.

For more information about these new features, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.5.9

09 Aug 20:22


  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.6.0-beta.1

27 Jul 18:45
8add875


Pre-release

⚠️ This is a beta release containing a new CodeQL packaging feature. It may not be compatible with existing workflows.

New features

  • This release contains beta support for CodeQL packs. Please read the documentation below for more information:
  • codeql database create and codeql database init can now automatically recognise the languages present in checkouts of GitHub repositories by making an API call to the GitHub server. This requires a personal access token (PAT) to be set in the GITHUB_TOKEN environment variable, or passed on stdin with the --github-auth-stdin argument.
  • Operations that make outgoing HTTP calls (that is, codeql github upload-results and the language-detection feature described above) now support the use of HTTP proxies. To use a proxy, specify an $https_proxy environment variable for HTTPS requests or a $http_proxy environment variable for HTTP requests. If the $no_proxy variable is also set, these variables will be ignored and requests will be made without a proxy.

New language features

  • The QL language now has a new method toUnicode on the int type. It converts a Unicode code point to a one-character string. For example, 65.toUnicode() = "A", 128512.toUnicode() results in a smiley, and any(int i | i.toUnicode() = "A") = 65.

Downloads

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

Compatibility notes

  • If you plan to upload databases to an LGTM Enterprise 1.27 instance, please create them with release 2.4.6.
  • For other uses of CodeQL in a production environment, please use the latest stable release 2.5.8, or await the final release of 2.6.0.