Releases: github/codeql-cli-binaries

v2.5.8

26 Jul 17:42
8add875

  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

Potentially breaking changes

  • The QL compiler now verifies that @security-severity query metadata is numeric. You can disable this verification by passing the --no-metadata-verification flag.

New features

  • The database index-files and database trace-command CLI commands now support --threads and --ram options, which are passed to extractors as suggestions.
  • The database finalize CLI command now supports the --ram option, which controls memory usage for finalization.
  • The database create CLI command now supports the --ram option, which controls memory usage for database creation.
  • The generate query-help CLI command now supports rendering query help in SARIF format.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

v2.5.7

02 Jul 12:52

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

  • codeql database create and codeql database init can now automatically recognise the languages present in checkouts of GitHub repositories by making an API call to the GitHub server.

  • Operations that make outgoing HTTP calls (that is, codeql github upload-results and the language-detection feature described above) now support the use of HTTP proxies. To use a proxy for HTTPS requests specify an $https_proxy environment variable.

  • The QL language now has a new method toUnicode on the int type. This method converts a Unicode codepoint to a one-character string. For example, 65.toUnicode() = "A", 128512.toUnicode() results in a smiley, and any(int i | i.toUnicode() = "A") = 65.


v2.5.6

22 Jun 16:40

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

  • codeql database create (and the plumbing commands it comprises) now supports creating databases for a source tree with several languages while tracing a single build. This is enabled by a new --db-cluster option. Once created, the multiple databases must be analyzed one by one.

  • codeql database create and codeql database init now accept an --overwrite argument, which causes existing CodeQL databases to be overwritten.

  • codeql database analyze now supports "diagnostic" queries, which are intended to report information about the analysis process itself rather than problems with the analyzed code. The results of these queries will be summarized in a table printed to the terminal when codeql database analyze finishes. They are also included in the analysis results in SARIF output formats so they can be displayed in Code Scanning.

  • codeql github upload-results has a --checkout-path option which will attempt to automatically configure upload target parameters.

  • The CodeQL C++ extractor includes beta support for C++20. This is only available when building codebases with GCC on Linux. C++20 modules are not supported.


v2.5.5

17 May 19:05

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

Potentially breaking changes

  • When scanning the disk for QL packs and extractors, directories of the form .../SOMETHING/SOMETHING.testproj (where the two SOMETHING are identical) will now be ignored. Names of this form are used by codeql test run for ephemeral test databases, which can sometimes contain files that confuse QL compilations.

Features added

  • Query writers can now optionally use @severity in place of @problem.severity in the metadata for alert queries.

  • When exporting analysis results to SARIF v2.1.0, results and metric results now contain a reporting descriptor reference object that specifies the rule that produced them. For metric results, this new property replaces the metric property.

  • codeql database analyze now outputs a table that summarizes the results of metric queries that were part of the analysis. This can be suppressed by passing the --no-print-metrics-summary flag.

Bugs fixed

  • When using the --sarif-group-rules-by-pack flag to place the SARIF rule object for each query underneath its corresponding query pack in runs[].tool.extensions, the rule property of result objects can now be used to look up the rule within the rules property of the appropriate query pack in runs[].tool.extensions. Previously, rule lookup for result objects in the SARIF output was not well-defined when the --sarif-group-rules-by-pack flag was passed.
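How a SARIF consumer resolves a result's rule under this grouping, as an added example in Python (not CodeQL's own code): it follows the result's rule reference to the extension named by toolComponent.index, then to the rule index inside that pack, falling back to the driver and to an id match. The SARIF fragment, pack name and rule ids below are constructed placeholders.

```python
import json

# Constructed SARIF 2.1.0 fragment in the shape described above: with
# --sarif-group-rules-by-pack a query's rule lives under
# runs[].tool.extensions[i].rules and the result's `rule` reference names
# that extension via toolComponent.index; other rules sit in tool.driver.rules.
SAMPLE_SARIF = json.loads("""
{"runs": [{
  "tool": {
    "driver": {"name": "CodeQL", "rules": [{"id": "cpp/example-driver-rule"}]},
    "extensions": [{"name": "example/cpp-queries",
                    "rules": [{"id": "cpp/example-query",
                               "properties": {"security-severity": "7.5"}}]}]
  },
  "results": [
    {"ruleId": "cpp/example-query",
     "rule": {"id": "cpp/example-query", "index": 0,
              "toolComponent": {"index": 0, "name": "example/cpp-queries"}}},
    {"ruleId": "cpp/example-driver-rule", "rule": {"index": 0}}
  ]
}]}
""")
RUN = SAMPLE_SARIF["runs"][0]


def resolve_rule(run, result):
    """Return the rule object that produced `result`, or None.

    Lookup: the extension named by rule.toolComponent.index, else the
    driver; then rule.index into that component's rules, falling back to
    a match on the rule id / ruleId.
    """
    tool = run["tool"]
    ref = result.get("rule", {})
    component = tool["driver"]
    tc = ref.get("toolComponent")
    if tc is not None and "index" in tc:
        component = tool["extensions"][tc["index"]]
    rules = component.get("rules", [])
    if "index" in ref and 0 <= ref["index"] < len(rules):
        return rules[ref["index"]]
    wanted = ref.get("id", result.get("ruleId"))
    return next((r for r in rules if r.get("id") == wanted), None)


def security_severity(rule):
    """Numeric security-severity of a rule, or None if it has none."""
    value = (rule or {}).get("properties", {}).get("security-severity")
    return float(value) if value is not None else None
```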


v2.5.4

03 May 22:07
0e8bef1

This release is identical to release 2.5.3, except that codeql database analyze no longer produces a generated automationDetails.id field when the --sarif-category is not explicitly provided. Previously, the --sarif-category was autogenerated if not present.

Code Scanning users should upgrade to this version and avoid 2.5.3.


v2.5.3

30 Apr 16:50

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

Features added

  • codeql database analyze and codeql database interpret-results will include additional information in the SARIF output which will enable better integration with Code Scanning.

  • In query metadata, @kind alert and @kind path-alert are now recognized as (more accurate) synonyms of @kind problem and @kind path-problem, respectively.

  • The metadata verifier recognizes a new @kind diagnostic pattern type. Currently the result patterns of diagnostic queries are not verified. This will change in a future CLI release.

Bugs fixed

  • Ensure the correct URL is generated during codeql github upload-results for GitHub Enterprise Server.


v2.5.2

21 Apr 16:10

This release is identical to release 2.5.1, except that an internal incompatibility with the CodeQL action (and the codeql-runner that some customers use for CI integrations) has been fixed.

The fix does not affect any use cases where the CLI is downloaded from github/codeql-cli-binaries, so if you're seeing this release there, there's no need to upgrade from 2.5.1.


v2.5.1

19 Apr 16:49

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

Potentially breaking changes

  • The QL compiler will now reject queries where the query metadata (if present) at the top of the .ql file is inconsistent with the output format of the query. This check can be disabled by giving the --no-metadata-verification flag.

Bugs fixed

  • Environment variables required for Java extraction are now propagated by the tracer. This may resolve issues with tracing and extraction in the context of certain build systems such as Bazel.

  • A number of --check-CONDITION options to codeql database finalize and codeql dataset import designed to look for consistency errors in the intermediate "TRAP" output from extractors erroneously did nothing. They will now actually print warnings if errors are found.

Features added

  • codeql resolve qlref is a new command that takes in a .qlref file for a CodeQL test case and returns the path of the .ql file it references.

  • codeql database analyze and codeql database interpret-results have a new --sarif-group-rules-by-pack option which will place the SARIF rule object for each query underneath its corresponding query pack in runs[].tool.extensions.

  • codeql database finalize and codeql dataset import have a new --fail-on-trap-errors option that will make database creation fail if extractors produce ill-formatted "TRAP" data for inclusion into a database.

  • codeql database finalize and codeql dataset import have a new --check-undefined-labels option that enables stricter consistency checks on the "TRAP" output from extractors.

QL language improvements

  • super may now be used unqualified, e.g. super.predicateName(), when the declaring class has multiple super types, as long as the call itself is unambiguous.


v2.5.0

26 Mar 13:46

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.

Potentially breaking change

  • By default, codeql test now performs additional compiler checks when extracting test code written in Java. Existing Java tests that previously passed may therefore fail due to this change, if they do not compile using the javac compiler. To allow time to migrate existing tests, the new behavior can be disabled by setting the environment variable CODEQL_EXTRACTOR_JAVA_FLOW_CHECKS=false.

Features added

  • Log files that contain output from build processes will now prefix it with [build-stdout] and [build-stderr] instead of [build] and [build-err]. In particular the latter sometimes caused confusion.

QL language improvements

  • The QL language now recognizes new pragma[only_bind_into](...) and pragma[only_bind_out](...) annotations on expressions. Advanced users may use these annotations to provide hints to the compiler to influence binding behavior and thus indirectly performance.


v2.4.6

19 Mar 23:07
0cc3237

This release corresponds to release 1.27.x of LGTM Enterprise, and should be used when creating databases that will be uploaded to it. Future CLI releases (numbered 2.5.x) may produce databases that are not backwards compatible with this version of LGTM Enterprise.

  • Fixed a bug in codeql test run that caused tests to fail messily if the freshly extracted test database needed to be upgraded in order to be compatible with the QL source under test.

  • codeql github upload-results should now work correctly against GitHub Enterprise Server instances that are configured with a path prefix.
