CodeQL documentation

CodeQL 2.22.1 (2025-06-26)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.22.1 runs a total of 449 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 129 queries (covering 33 more CWE).

CodeQL CLI

New Features

  • Rust language support is now in public preview.

Miscellaneous

  • The version of jgit used by the CodeQL CLI has been updated to 6.10.1.202505221210-r.

Query Packs

Minor Analysis Improvements

C/C++

  • Added flow models for the following libraries: madler/zlib, google/brotli, libidn/libidn2, libssh2/libssh2, nghttp2/nghttp2, libuv/libuv, and curl/curl. This may result in more alerts when running queries on codebases that use these libraries.

C#

  • The queries cs/dereferenced-value-is-always-null and cs/dereferenced-value-may-be-null have been improved to reduce false positives. The queries no longer assume that expressions are dereferenced when passed as the receiver (this parameter) to extension methods where that parameter is a nullable type.

JavaScript/TypeScript

  • The js/loop-iteration-skipped-due-to-shifting query now has the reliability tag.

  • Fixed false positives in the js/loop-iteration-skipped-due-to-shifting query when the return value of splice is used to decide whether to adjust the loop counter.

  • Fixed false positives in the js/template-syntax-in-string-literal query where template syntax in string concatenation and “manual string interpolation” patterns were incorrectly flagged.

  • The js/useless-expression query now correctly flags only the innermost expressions with no effect, avoiding duplicate alerts on compound expressions.
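The following is an added illustration, not code from the CodeQL changelog or from the query sources, of the pattern behind the js/loop-iteration-skipped-due-to-shifting items above: a forward loop that splices elements out of the array it is iterating skips the element that shifts into the removed slot, while a loop that uses the return value of splice to hold the counter in place (the case that no longer produces a false positive) and a backward loop both visit every element. The array contents are constructed sample input.

```javascript
// Added example (not from the CodeQL project). Constructed input: remove
// every even number from the array, in place, three different ways.

// Buggy pattern the query flags: after a.splice(i, 1) the element that was
// at i + 1 moves to i, and the loop's i++ then steps over it. Two adjacent
// even numbers therefore leave the second one behind.
function removeEvensSkipping(arr) {
  const a = arr.slice();
  for (let i = 0; i < a.length; i++) {
    if (a[i] % 2 === 0) {
      a.splice(i, 1);
    }
  }
  return a;
}

// Counter adjusted from splice's return value: splice returns the removed
// elements, so a non-empty result means the next element has shifted into
// position i and the counter must not advance. CodeQL 2.22.1 recognises this
// and no longer reports it.
function removeEvensAdjusted(arr) {
  const a = arr.slice();
  for (let i = 0; i < a.length; i++) {
    if (a[i] % 2 === 0) {
      const removed = a.splice(i, 1);
      if (removed.length > 0) {
        i--; // re-examine index i on the next iteration
      }
    }
  }
  return a;
}

// Idiomatic alternative: iterate backwards so removals only shift elements
// that have already been visited.
function removeEvensBackward(arr) {
  const a = arr.slice();
  for (let i = a.length - 1; i >= 0; i--) {
    if (a[i] % 2 === 0) {
      a.splice(i, 1);
    }
  }
  return a;
}

const SAMPLE = [2, 4, 5, 6, 8, 9];
console.log('skipping :', removeEvensSkipping(SAMPLE)); // [4, 5, 8, 9]
console.log('adjusted :', removeEvensAdjusted(SAMPLE)); // [5, 9]
console.log('backward :', removeEvensBackward(SAMPLE)); // [5, 9]
```

The skipping version silently keeps 4 and 8, which is exactly the class of bug the query targets; when reviewing an alert, check whether the loop body compensates for the shift (via the splice result, an explicit decrement, or a reversed loop) before treating it as a finding.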

Python

  • The py/iter-returns-non-self query has been modernized, and no longer alerts for certain cases where an equivalent iterator is returned.

New Queries

Rust

  • Initial public preview release.

Query Metadata Changes

C#

  • Query metadata tags have been systematically updated for many C# queries. Each query now has a primary category of either reliability or maintainability, plus relevant sub-category tags such as readability, useless-code, complexity, performance, correctness, error-handling, and concurrency. This aligns with the established Query file metadata and alert message style guide.

  • Adjusts the @security-severity from 9.3 to 7.3 for cs/uncontrolled-format-string, so that the CWE-134 severity assigned for memory-safe languages better reflects the actual impact there.

Golang

  • The tag quality has been added to multiple Go quality queries for consistency. They have all been given a tag for one of the two top-level categories reliability or maintainability, and a tag for a sub-category. See Query file metadata and alert message style guide for more information about these categories.

  • The tag external/cwe/cwe-129 has been added to go/constant-length-comparison.

  • The tag external/cwe/cwe-193 has been added to go/index-out-of-bounds.

  • The tag external/cwe/cwe-197 has been added to go/shift-out-of-range.

  • The tag external/cwe/cwe-248 has been added to go/redundant-recover.

  • The tag external/cwe/cwe-252 has been added to go/missing-error-check and go/unhandled-writable-file-close.

  • The tag external/cwe/cwe-480 has been added to go/mistyped-exponentiation.

  • The tag external/cwe/cwe-570 has been added to go/impossible-interface-nil-check and go/comparison-of-identical-expressions.

  • The tag external/cwe/cwe-571 has been added to go/negative-length-check and go/comparison-of-identical-expressions.

  • The tag external/cwe/cwe-783 has been added to go/whitespace-contradicts-precedence.

  • The tag external/cwe/cwe-835 has been added to go/inconsistent-loop-direction.

  • The tag error-handling has been added to go/missing-error-check, go/unhandled-writable-file-close, and go/unexpected-nil-value.

  • The tag useless-code has been added to go/useless-assignment-to-field, go/useless-assignment-to-local, go/useless-expression, and go/unreachable-statement.

  • The tag logic has been removed from go/index-out-of-bounds and go/unexpected-nil-value.

  • The tags call and defer have been removed from go/unhandled-writable-file-close.

  • The tags correctness and quality have been reordered in go/missing-error-check and go/unhandled-writable-file-close.

  • The tag maintainability has been changed to reliability for go/unhandled-writable-file-close.

  • The tag order has been standardized to have quality first, followed by the top-level category (reliability or maintainability), then sub-category tags, and finally CWE tags.

  • The description text has been updated in go/whitespace-contradicts-precedence to change “may even indicate” to “may indicate”.

Java/Kotlin

  • The tag quality has been added to multiple Java quality queries for consistency. They have all been given a tag for one of the two top-level categories reliability or maintainability, and a tag for a sub-category. See Query file metadata and alert message style guide for more information about these categories.

  • The tag external/cwe/cwe-571 has been added to java/equals-on-unrelated-types.

  • The tag readability has been added to java/missing-override-annotation, java/deprecated-call, java/inconsistent-javadoc-throws, java/unknown-javadoc-parameter, java/jdk-internal-api-access, java/underscore-identifier, java/misleading-indentation, java/inefficient-empty-string-test, java/non-static-nested-class, java/inefficient-string-constructor, and java/constants-only-interface.

  • The tag useless-code has been added to java/useless-type-test, and java/useless-tostring-call.

  • The tag complexity has been added to java/chained-type-tests, and java/abstract-to-concrete-cast.

  • The tag error-handling has been added to java/ignored-error-status-of-call, and java/uncaught-number-format-exception.

  • The tag correctness has been added to java/evaluation-to-constant, java/whitespace-contradicts-precedence, java/empty-container, java/string-buffer-char-init, java/call-to-object-tostring, java/print-array and java/internal-representation-exposure.

  • The tag performance has been added to java/input-resource-leak, java/database-resource-leak, java/output-resource-leak, java/inefficient-key-set-iterator, java/inefficient-output-stream, and java/inefficient-boxed-constructor.

  • The tag correctness has been removed from java/call-to-thread-run, java/unsafe-double-checked-locking, java/unsafe-double-checked-locking-init-order, java/non-sync-override, java/sync-on-boxed-types, java/unsynchronized-getter, java/input-resource-leak, java/output-resource-leak, java/database-resource-leak, and java/ignored-error-status-of-call.

  • The tag maintainability has been removed from java/string-buffer-char-init, java/inefficient-key-set-iterator, java/inefficient-boxed-constructor, and java/internal-representation-exposure.

  • The tag reliability has been removed from java/subtle-inherited-call, java/print-array, and java/call-to-object-tostring.

  • The tags maintainability and useless-code have been removed from java/evaluation-to-constant.

  • The tags maintainability and readability have been removed from java/whitespace-contradicts-precedence.

  • The tags maintainability and useless-code have been removed from java/empty-container.

  • Adjusts the @precision from high to medium for java/concatenated-command-line because it produces false positive alerts when the concatenated strings are hard-coded.

  • Adjusts the @security-severity from 9.3 to 7.3 for java/tainted-format-string, so that the CWE-134 severity assigned for memory-safe languages better reflects the actual impact there.

JavaScript/TypeScript

  • The quality tag has been added to multiple JavaScript quality queries, with tags for reliability or maintainability categories and their sub-categories. See Query file metadata and alert message style guide for more information about these categories.

  • Added reliability tag to the js/suspicious-method-name-declaration query.

  • Added reliability and language-features tags to the js/template-syntax-in-string-literal query.

Python

  • The tag quality has been added to multiple Python quality queries for consistency. They have all been given a tag for one of the two top-level categories reliability or maintainability, and a tag for a sub-category. See Query file metadata and alert message style guide for more information about these categories.

Ruby

Swift

  • Adjusts the @security-severity from 9.3 to 7.3 for swift/uncontrolled-format-string, so that the CWE-134 severity assigned for memory-safe languages better reflects the actual impact there.

Language Libraries

Bug Fixes

C/C++

  • resolveTypedefs now properly resolves typedefs for ArrayTypes.

Minor Analysis Improvements

Java/Kotlin

  • Java assert statements are now assumed to be executed for the purpose of analysing control flow. This improves precision for a number of queries.

JavaScript/TypeScript

  • Calls to sinon.match() are no longer incorrectly identified as regular expression operations.

  • Improved data flow tracking through middleware to handle default value and similar patterns.

  • Added req._parsedUrl as a remote input source.

  • Improved taint tracking through calls to serialize-javascript.

  • Removed encodeURI and escape functions from the sanitizer list for request forgery.

  • The JavaScript extractor now skips generated JavaScript files if the original TypeScript files are already present. It also skips any files in the output directory specified in the compilerOptions part of the tsconfig.json file.

  • Added support for Axios instances in the axios module.
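The following is an added illustration, not code from the CodeQL changelog or from the query libraries, of why encodeURI and escape were dropped from the request-forgery sanitizer list above. Neither function encodes the characters that the URL parser uses to pick a destination (for example / and .), so untrusted input passed through them can still change the host of an outgoing request; a check that parses the final URL and compares its host against an allowlist, with the untrusted value encoded as a single path segment, is what actually constrains the destination. The base URL, allowlist and inputs are constructed placeholders.

```javascript
// Added example (not from the CodeQL project). Constructed base URL of an
// internal service that the application calls on the user's behalf.
const BASE = 'http://api.example.internal/v1/items/';
const ALLOWED_HOSTS = new Set(['api.example.internal']);

// Returns the host a request would go to when untrusted input is joined to
// BASE after encodeURI. encodeURI leaves '/', '.', ':' and '@' intact, so a
// protocol-relative value such as '//other.example/' resolves to a new host.
function hostWithEncodeURI(userInput) {
  return new URL(encodeURI(userInput), BASE).hostname;
}

// Same check with the legacy escape(): it also leaves '/', '.', '@' and a
// few other characters untouched, so it is no better as a sanitizer here.
function hostWithEscape(userInput) {
  return new URL(escape(userInput), BASE).hostname;
}

// Hardened builder: the untrusted value is encoded as one path segment with
// encodeURIComponent (which does encode '/'), the resulting URL is parsed,
// and its host is checked against an allowlist before it is returned.
function buildUrlSafely(userSegment) {
  const url = new URL(encodeURIComponent(userSegment), BASE);
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error('destination host not allowed: ' + url.hostname);
  }
  return url.href;
}

// Constructed inputs: an ordinary item id and a protocol-relative value.
console.log(hostWithEncodeURI('42'));              // api.example.internal
console.log(hostWithEncodeURI('//other.example/')); // other.example
console.log(hostWithEscape('//other.example/'));    // other.example
console.log(buildUrlSafely('//other.example/'));
// http://api.example.internal/v1/items/%2F%2Fother.example%2F
```

The hardened function keeps the host fixed regardless of the input, which is the property a sanitizer for request forgery needs; CodeQL will now continue to track taint through encodeURI and escape because they do not provide it.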

GitHub Actions

  • Fixed performance issues in the parsing of Bash scripts in workflow files, which led to out-of-disk errors when analysing certain workflow files with complex interpolations of shell commands or quoted strings.

Deprecated APIs

C/C++

  • The ThrowingFunction class (semmle.code.cpp.models.interfaces.Throwing) has been deprecated. Please use the AlwaysSehThrowingFunction class instead.

New Features

C/C++

  • Added a predicate getAnAttribute to Namespace to retrieve a namespace attribute.

  • The Microsoft-specific __leave statement is now supported.

  • A new class LeaveStmt extending JumpStmt was added to represent __leave statements.

  • Added a predicate hasParameterList to LambdaExpression to capture whether a lambda has an explicitly specified parameter list.

Rust

  • Initial public preview release.
