Releases: github/codeql-cli-binaries

v2.17.5

12 Jun 17:14
4c737e9

Breaking changes

  • All commands that output SARIF now emit a minified version to reduce file size.
    The codeql database analyze, codeql database interpret-results, codeql generate query-help, and codeql bqrs interpret commands accept the --no-sarif-minify option to output a pretty-printed SARIF file instead.

  • A number of breaking changes have been made to the semmle-extractor-options
    functionality available for C and C++ CodeQL tests, removing various flags that don't work well in the context of tests.
    These do not affect the creation of databases through the CodeQL CLI,
    or when calling the C/C++ extractor directly with the --mimic or --linker flags.

Improvements

  • codeql generate log-summary now reports completed pipeline runs that
    are part of an incomplete recursive predicate.

Miscellaneous

  • The OWASP Java HTML Sanitizer library used by the CodeQL CLI for internal
    documentation generation commands has been updated to version
    20240325.1.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.5.

v2.17.4

03 Jun 16:03

  • There are no user-facing changes in this release.


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.4.

v2.17.3

17 May 17:01
d8845db

Improvements

  • The language server that our IDE integration is built on now defaults to fine-grained dependency tracking for incremental error-checking after file changes. This slightly improves the latency of refreshing errors after local source code edits and will enable significant speedups in the future.
  • We now properly handle globs (such as folder/**/*.py) in the paths configuration that specifies which files to include for Python analysis (see the documentation).
  • TRAP import (a part of codeql database create and codeql database finalize) now supports allocating 2^32 IDs during the import process. The previous limit was 2^31 IDs.


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.3.

v2.17.2

07 May 11:17

Known issues

  • The beta support for analyzing Swift in this release and all previous releases requires g++-13 when running on Linux. Users analyzing Swift using the ubuntu-latest, ubuntu-22.04, or ubuntu-20.04 runner images for GitHub Actions should update their workflows to install g++-13. For more information, see the runner images announcement.

Improvements

  • When uploading a SARIF file to GitHub using codeql github upload-results, the CodeQL CLI now waits for the file to be processed by GitHub. If any errors occurred while processing the analysis results, the command logs them and returns a non-zero exit code. To disable this behaviour, pass the --no-wait-for-processing flag.

    By default, the command waits for the SARIF file to be processed for a maximum of 2 minutes; this timeout is configurable with the --wait-for-processing-timeout option.

  • The build tracer is no longer enabled when using the none build mode to analyze a compiled language, thus improving performance.


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.2.

v2.17.1

24 Apr 15:36
9a440a9

Release 2.17.1 (2024-04-24)

Deprecations

  • The --mode option and its -m alias for codeql database create,
    codeql database cleanup, and codeql dataset cleanup have been
    deprecated. Instead, use the new --cache-cleanup option, which has
    identical behavior.

Improvements

  • Improved the diagnostic message produced when no code is processed
    when creating a database. If a build mode was specified using
    --build-mode, the message is now tailored to your build mode.


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.1.

v2.17.0

04 Apr 15:30

Deprecations

  • The --[no-]analysis-summary-v2 and --[no-]new-analysis-summary options that were used to enable (or disable) improved summary information printed at the end of a codeql database analyze invocation are no longer supported. Improved summary information is now enabled for all invocations.
  • Support for overwriting default CodeQL SARIF run properties using the --sarif-run-property command line option has been removed. This removes the ability to overwrite the semmle.formatSpecifier, metricResults, and codeqlConfigSummary properties in the SARIF run file.

Improvements

  • TRAP import (a part of codeql database create and codeql database finalize) now performs better in low-memory situations. (Put another way, it now needs less RAM to achieve the same performance as before.)
  • The worst-case performance of transitive closure computation (using the + or * postfix operators or the fastTC higher-order primitive in QL) has been greatly improved.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.2.


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.17.0.

v2.16.6

26 Mar 12:19

Bugs fixed

  • Fixes a bug where extractor logs would be output at a lower than expected verbosity level when using the codeql database create command.


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.6.

v2.16.5

21 Mar 12:19
913deb3

New features

  • Beta support has been added for analyzing Java codebases without needing a working build. To enable
    this, pass the --build-mode none option to codeql database create.


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.5.

v2.16.4

11 Mar 17:46
9e527ae

Potentially breaking changes

  • A number of internal command line options (--builtin_functions_file, --clang_builtin_functions,
    --disable-objc-default-synthesize-properties, --list_builtin_functions, --memory-limit-bytes,
    --mimic_config, and --objc) have been removed from the C/C++ extractor. The --verbosity
    command line option has also been removed; it was an alias for --codeql-verbosity,
    which should be used instead.

Improvements

  • The frontend of the C/C++ extractor has been updated, improving the
    extractor's reliability and increasing its ability to extract source code.

Bugs fixed

  • When parsing user-authored YAML files such as codeql-pack.yml,
    qlpack.yml, codeql-workspace.yml, and any YAML file defining a data
    extension, unquoted string values starting with a * character are now
    correctly interpreted as YAML aliases. Previously, they were interpreted
    as strings, but with the first character skipped.
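
Because the new CLI reads such values as aliases while the old one silently dropped their first character, it is worth checking existing pack and data-extension files before upgrading. The following is an added example, not part of the CodeQL CLI or its documentation: a small Python checker that lists unquoted scalars beginning with * so each can be reviewed and either kept as an alias (where an anchor is intended) or quoted (where a literal string is meant). The sample YAML is constructed for illustration, the function names are hypothetical, and the check is a line-based heuristic rather than a full YAML parser.

```python
"""Find unquoted YAML scalars that start with '*' (YAML alias syntax).

Added example, not part of the CodeQL CLI or its documentation. Since CodeQL CLI
2.16.4, an unquoted value beginning with '*' in qlpack.yml, codeql-pack.yml,
codeql-workspace.yml or a data-extension file is read as a YAML alias (the
correct YAML semantics) rather than as a string with its first character
dropped. This checker lists such values so each one can be reviewed.
It is a line-based heuristic, not a full YAML parser.
"""

Hit = tuple[int, str]  # (line number, offending token)


def strip_comment(line: str) -> str:
    """Remove a trailing '# ...' comment that sits outside single or double quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1].isspace()):
            return line[:i]
    return line


def _at_value_slot(prefix: str) -> bool:
    """True if the text before a '*' ends where a YAML value may begin."""
    stripped = prefix.rstrip()
    if stripped == "":
        return True  # '*' at the start of a line (continuation value)
    if stripped.endswith(("[", ",")):
        return True  # element of a flow sequence
    if stripped.endswith((":", "-")) and prefix[-1].isspace():
        return True  # 'key: value' or '- item'
    return False


def find_unquoted_star_values(text: str) -> list[Hit]:
    """Return (line number, token) for every unquoted scalar that starts with '*'."""
    hits: list[Hit] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        quote = None
        for i, ch in enumerate(line):
            if quote:  # inside a quoted scalar: nothing to flag
                if ch == quote:
                    quote = None
                continue
            if ch in ("'", '"'):
                quote = ch
                continue
            if ch == "*" and _at_value_slot(line[:i]):
                end = i
                while end < len(line) and line[end] not in " \t,]":
                    end += 1
                hits.append((lineno, line[i:end]))
    return hits


# Constructed sample file: not a real CodeQL pack, just the cases that matter.
SAMPLE = """\
name: example/pack          # constructed sample, not a real CodeQL pack
version: 0.0.1
defaults: &common
  severity: warning
extensions:
  - addsTo: { pack: example/pack, extensible: exampleRows }
    data:
      - ["*", "quoted star: stays the literal string *"]
      - [*, "unquoted star: now an alias, and an invalid one"]
paths:
  - "**/*.py"
  - **/test_*.py
shared: *common
"""


def main() -> None:
    for lineno, token in find_unquoted_star_values(SAMPLE):
        print(f"line {lineno}: unquoted value {token!r} is read as a YAML alias")


if __name__ == "__main__":
    main()
```

Run it directly to print the findings for the embedded sample, or call find_unquoted_star_values on the contents of a real qlpack.yml or data-extension file. A glob such as src/**/*.py is not reported because its star is not at the start of the value, while an unquoted **/test_*.py is, since the new CLI reads it as an alias and the old one silently dropped its first character; the reported shared: *common is a legitimate alias that the reviewer simply confirms.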


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.4.

v2.16.3

22 Feb 11:48
f07c9ca

Security patches

  • Fixes CVE-2024-25129, a limited data exfiltration vulnerability that could be triggered by untrusted databases or QL packs. See the security advisory for more information.

New Features

  • A new extractor option has been added to the Python extractor. Pass --extractor-option python_executable_name=py, --extractor-option python_executable_name=python, or --extractor-option python_executable_name=python3 to codeql database create (or to codeql database trace-command or, for indirect tracing, codeql database init) to override the Python extractor's default executable search and selection behavior. For example, on Windows machines the Python extractor expects to find py.exe on the system PATH by default; setting this extractor option (or the corresponding environment variable) makes it look for a different name instead.

    More detail can be found in the extractor option documentation.

Bugs fixed

  • Fixed a bug where CodeQL may produce an invalid database when it exhausts all available ID numbers. Now it detects the condition and reports an error instead.


This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.3.