v2.17.0

Deprecations

• The --[no-]analysis-summary-v2 and --[no-]new-analysis-summary options that were used to enable (or disable) improved summary information printed at the end of a codeql database analyze invocation are no longer supported. Improved summary information is now enabled for all invocations.
• Support for overwriting default CodeQL SARIF run properties using the --sarif-run-property command line option has been removed. This removes the ability to overwrite the semmle.formatSpecifier, metricResults, and codeqlConfigSummary properties in the SARIF run file.

Improvements

• TRAP import (a part of codeql database create and codeql database finalize) now performs better in low-memory situations. (Put another way, it now needs less RAM to achieve the same performance as before.)
• The worst-case performance of transitive closure computation (using the + or * postfix operators or the fastTC higher-order primitive in QL) has been greatly improved.

Miscellaneous

• The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.2.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.0.

v2.16.6

Bugs fixed

• Fixes a bug where extractor logs would be output at a lower than expected verbosity level when using the codeql database create command.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.6.

v2.16.5

New features

• Beta support has been added for analyzing Java codebases without needing a working build. To enable
  this, pass the --build-mode none option to codeql database create.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.5.

v2.16.4

Potentially breaking changes

• A number of internal command line options (--builtin_functions_file, --clang_builtin_functions,
  --disable-objc-default-synthesize-properties, --list_builtin_functions, --memory-limit-bytes,
  --mimic_config, and --objc) has been removed from the C/C++ extractor. The --verbosity
  command line option has also been removed. The option was an alias for --codeql-verbosity,
  which should be used instead.

Improvements

• The frontend of the C/C++ extractor has been updated, improving the
  extractor's reliability and increasing its ability to extract source code.

Bugs fixed

• When parsing user-authored YAML files such as codeql-pack.yml,
  qlpack.yml, codeql-workspace.yml, and any YAML file defining a data
  extension, unquoted string values starting with a * character are now
  correctly interpreted as YAML aliases. Previously, they were interpreted
  as strings, but with the first character skipped.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.4.

v2.16.3

Security patches

• Fixes CVE-2024-25129, a limited data exfiltration vulnerability that could be triggered by untrusted databases or QL packs. See the security advisory for more information.

New Features

• A new extractor option has been added to the Python extractor. Pass one of --extractor-option python_executable_name=py or --extractor-option python_executable_name=python or --extractor-option python_executable_name=python3 to codeql database create (or codeql database trace-command or, for indirect tracing, codeql database init) to override the default Python executable search and selection behavior of the Python extractor. For example, on Windows machines, the Python extractor will expect to find py.exe on the system PATH by default. Setting this extractor option or environment variable allows overriding this behavior to look for a different name.

  More detail can be found in the extractor option documentation.

Bugs fixed

• Fixed a bug where CodeQL may produce an invalid database when it exhausts all available ID numbers. Now it detects the condition and reports an error instead.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.3.

v2.16.2

• There are no user-facing changes in this release.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.2.

v2.16.1

Improvements

• When executing the codeql database init command, the CodeQL runner executable path is now stored in the CODEQL_RUNNER environment variable. Users of indirect tracing on MacOS with System Integrity Protection enabled who previously had trouble with indirect tracing should prefix their build command with this path. For example, $CODEQL_RUNNER build.sh.

QL language improvements

• Name clashes between weak aliases (i.e. aliases that are not final aliases of non-final entities) of the same target no longer cause ambiguity errors.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.1.

v2.16.0

Improvements

• The Experimental flag has been removed from all packaging and related commands.
• The RA pretty-printer omits names of internal RA nodes and pretty-prints binary unions
  with nested internal unions as n-ary unions.

Potentially breaking changes

• The Python extractor will no longer extract dependencies by default.
• The --ram option to codeql database run-queries and other commands that execute
  queries is now interpreted more strictly. Previously it was mostly a rough hint for how
  much memory to use, and the actual memory footprint of the CodeQL process could be
  hundreds of megabytes higher. From this release, CodeQL tries harder to keep its total
  memory consumption during evaluation below the given limit.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.0.

v2.15.5

New features

• A new extractor option has been added to the JavaScript/TypeScript extractor.
  Set the environment variable CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES
  to true to skip the extraction of types in TypeScript files.

Bugs fixed

• Fixed an issue where CodeQL would sometimes incorrectly report that no files
  were scanned when running on Windows.
  This affected the human-readable summary produced by codeql database analyze
  and codeql database interpret-results, but did not impact the file coverage
  information produced in the SARIF output and displayed on the tool status page.
• When analyzing Swift codebases, CodeQL build tracing will now ignore the
  codesign tool. This prevents errors in build commands or workflows on macOS
  that include both CodeQL and code signing.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.5.

v2.15.4

New features

• Java 21 is now fully supported, including support for new language features such as pattern switches and record patterns.

Improvements

• Parallelism in the evaluator has been improved, resulting in faster analysis when running with many threads, particularly for large databases.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.4.