- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The
Storedvariants of some queries (cs/stored-command-line-injection,cs/web/stored-xss,cs/stored-ldap-injection,cs/xml/stored-xpath-injection,cs/second-order-sql-injection) have been removed. If you were using these queries, their results can be restored by enabling thefileanddatabasethreat models in your threat model configuration.
- The alert message of
cs/wrong-compareto-signaturehas been changed to remove unnecessary element references. - Data flow queries that track flow from local flow sources now use the current threat model configuration instead. This may lead to changes in the produced alerts if the threat model configuration only uses remote flow sources. The changed queries are
cs/code-injection,cs/resource-injection,cs/sql-injection, andcs/uncontrolled-format-string.
No user-facing changes.
No user-facing changes.
- Most data flow queries that track flow from remote flow sources now use the current threat model configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is remote flow sources) unless the threat model configuration is changed. The changed queries are
cs/code-injection,cs/command-line-injection,cs/user-controlled-bypass,cs/count-untrusted-data-external-api,cs/untrusted-data-to-external-api,cs/ldap-injection,cs/log-forging,cs/xml/missing-validation,cs/redos,cs/regex-injection,cs/resource-injection,cs/sql-injection,cs/path-injection,cs/unsafe-deserialization-untrusted-input,cs/web/unvalidated-url-redirection,cs/xml/insecure-dtd-handling,cs/xml/xpath-injection,cs/web/xss, andcs/uncontrolled-format-string.
- Added sanitizers for relative URLs,
List.Contains(), and checking the.Hostproperty on an URI to thecs/web/unvalidated-url-redirectionquery.
- Added string interpolation expressions and
string.Formatas possible sanitizers for thecs/web/unvalidated-url-redirectionquery.
- Modelled additional flow steps to track flow from handler methods of a
PageModelclass to the corresponding Razor Page (.cshtml) file, which may result in additional results for queries such ascs/web/xss.
- Fixed a Log forging false positive when using
String.Replaceto sanitize the input. - Fixed a URL redirection from remote source false positive when guarding a redirect with
HttpRequestBase.IsUrlLocalToHost()
No user-facing changes.
- Modelled additional flow steps to track flow from a
Viewcall in an MVC controller to the corresponding Razor View (.cshtml) file, which may result in additional results for queries such ascs/web/xss.
- CIL extraction is now disabled by default. It is still possible to turn on CIL extraction by setting the
cilextractor option totrueor by setting the environment variable$CODEQL_EXTRACTOR_CSHARP_OPTION_CILtotrue. This is the first step towards sun-setting the CIL extractor entirely.
No user-facing changes.
- The
cs/web/insecure-direct-object-referenceandcs/web/missing-function-level-access-controlhave been improved to better recognize attributes on generic classes.
- Added a new query,
cs/web/insecure-direct-object-reference, to find instances of missing authorization checks for resources selected by an ID parameter.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Added a new query,
cs/web/missing-function-level-access-control, to find instances of missing authorization checks.
- The query "Arbitrary file write during zip extraction ("Zip Slip")" (
cs/zipslip) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Additional sinks modelling writes to unencrypted local files have been added to
ExternalLocationSink, used by thecs/cleartext-storageandcs/exposure-of-sensitive-informationqueries.
- The query
cs/web/debug-binarynow disregards thedebugattribute in case there is a transformation that removes it.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Added a new query,
csharp/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase.
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The extensible predicates for Models as Data have been renamed (the
extprefix has been removed). As an example,extSummaryModelhas been renamed tosummaryModel.
- Fixes a bug where the Owin.qll framework library will look for "URI" instead of "Uri" in the OwinRequest class.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
- A new extractor option has been introduced for disabling CIL extraction. Either pass
-Ocil=falseto thecodeqlCLI or set the environment variableCODEQL_EXTRACTOR_CSHARP_OPTION_CIL=false. - The alert message of many queries have been changed to make the message consistent with other languages.
- Parameters of delegates passed to routing endpoint calls like
MapGetin ASP.NET Core are now considered remote flow sources. - The query
cs/unsafe-deserialization-untrusted-inputis not reporting on all calls ofJsonConvert.DeserializeObjectany longer, it only covers cases that explicitly use unsafe serialization settings. - Added better support for the SQLite framework in the SQL injection query.
- File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
- Contextual queries and the query libraries they depend on have been moved to the
codeql/csharp-allpackage.
- The
kindquery metadata was changed todiagnosticoncs/compilation-error,cs/compilation-message,cs/extraction-error, andcs/extraction-message.
- The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called
provenancehas been introduced, where the allowed values aremanualandgenerated. The value used to indicate whether a model as been written by hand (manual) or create by the CSV model generator (generated). - All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
- Casts to
dynamicare excluded from the useless upcasts check (cs/useless-upcast). - The C# extractor now accepts an extractor option
buildless, which is used to decide what type of extraction that should be performed. Iftruethen buildless (standalone) extraction will be performed. Otherwise tracing extraction will be performed (default). The option is added viacodeql database create --language=csharp -Obuildless=true .... - The C# extractor now accepts an extractor option
trap.compression, which is used to decide the compression format for TRAP files. The legal values arebrotli(default),gzipornone. The option is added viacodeql database create --language=csharp -Otrap.compression=value ....
- The precision of hardcoded credentials queries (
cs/hardcoded-credentialsandcs/hardcoded-connection-string-credentials) have been downgraded to medium.