
Releases: github/codeql-cli-binaries

v2.16.0

16 Jan 14:31
fb86fb9

Improvements

  • The Experimental flag has been removed from all packaging and related commands.
  • The RA pretty-printer omits names of internal RA nodes and pretty-prints binary unions
    with nested internal unions as n-ary unions.

Potentially breaking changes

  • The Python extractor will no longer extract dependencies by default.
  • The --ram option to codeql database run-queries and other commands that execute
    queries is now interpreted more strictly. Previously it was mostly a rough hint for how
    much memory to use, and the actual memory footprint of the CodeQL process could be
    hundreds of megabytes higher. From this release, CodeQL tries harder to keep its total
    memory consumption during evaluation below the given limit.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.16.0.

v2.15.5

20 Dec 16:59
e67d1c0

New features

  • A new extractor option has been added to the JavaScript/TypeScript extractor.
    Set the environment variable CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES
    to true to skip the extraction of types in TypeScript files.

Bugs fixed

  • Fixed an issue where CodeQL would sometimes incorrectly report that no files
    were scanned when running on Windows.
    This affected the human-readable summary produced by codeql database analyze
    and codeql database interpret-results, but did not impact the file coverage
    information produced in the SARIF output and displayed on the tool status page.
  • When analyzing Swift codebases, CodeQL build tracing will now ignore the
    codesign tool. This prevents errors in build commands or workflows on macOS
    that include both CodeQL and code signing.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.5.

v2.15.4

11 Dec 16:47

New features

  • Java 21 is now fully supported, including support for new language features such as pattern switches and record patterns.

Improvements

  • Parallelism in the evaluator has been improved, resulting in faster analysis when running with many threads, particularly for large databases.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.4.

v2.15.3

22 Nov 12:57
68cfc1c

Release 2.15.3 (2023-11-22)

New features

  • codeql database analyze now defaults to include markdown query help for all custom
    queries with help files available. To change the default behaviour you can pass the
    new flag --sarif-include-query-help, which provides the options always (which
    includes query help for all queries), custom_queries_only (the default) and never
    (which does not include query help for any query). The existing flag
    --sarif-add-query-help has been deprecated and will be removed in a future release.
  • The new (advanced) command-line option --[no-]linkage-aware-import disables the
    linkage-awareness phase of codeql dataset import, as a quick fix (at the expense of
    database completeness) for C++ projects where this part of database creation consumes
    too much memory. This option is available in the commands database create,
    database finalize, database import, dataset import, test extract, and
    test run.
  • The CodeQL language server now provides basic support for Rename, and you can now use
    the Rename Symbol functionality in Visual Studio Code for CodeQL. The current Rename
    support is less a refactoring tool and more a labor-saving device. You may have to
    perform some manual edits after using Rename, but it should still be faster and less
    work than renaming a symbol manually.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.3.

v2.15.2

13 Nov 12:29
007d2a8

Breaking changes

  • C++ extraction has been updated to output more accurate C++ value categories. Note you may need to recompile query packs that were compiled with an older CodeQL (see full changelog below for details).

New features

  • codeql database analyze and codeql database interpret-results can now output
    human-readable analysis summaries in a new format. To enable this new format, pass the
    --analysis-summary-v2 flag. See the full changelog for compatibility information if you
    intend to use this with GitHub Enterprise Server.
  • CodeQL now supports distinguishing file coverage information between related languages
    C and C++, Java and Kotlin, and JavaScript and TypeScript. See the full changelog for
    usage and compatibility information.
  • All CLI commands now support --common-caches, which controls the location of the
    cached data that is persisted between several runs of the CLI, such as downloaded QL packs
    and compiled query plans.

Improvements

  • Model packs that are used in an analysis will now be included in an output SARIF results file. All model packs now include the isCodeQLModelPack: true property in their tool component property bag.
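The two SARIF-related notes on this page, the --sarif-include-query-help option introduced in 2.15.3 above and the isCodeQLModelPack property described here, both change what lands in the results file, and a practitioner usually wants to confirm that after an analysis. The script below is an added example, not code from the CodeQL project: it reads a SARIF file and reports which rules lack markdown query help and which tool extensions are flagged as model packs. It assumes query help sits in SARIF's standard reportingDescriptor "help" object on each rule, and that model packs appear under tool.extensions with "isCodeQLModelPack": true in their property bag, as the release note states. The embedded SARIF document is constructed for the example and is not CLI output.

```python
"""Check a CodeQL SARIF file for query help and model-pack provenance.

Added example, not code from the CodeQL project. Assumptions: query help is
stored in SARIF's standard reportingDescriptor "help" object (text/markdown)
on each rule, and model packs appear as entries of tool.extensions carrying
"isCodeQLModelPack": true in their property bag, as the release notes state.
"""
import json
import sys

# Constructed sample with only the relevant shape; not output of the CLI.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {
            "driver": {
                "name": "CodeQL",
                "rules": [
                    {"id": "py/sql-injection",
                     "help": {"text": "Build SQL with parameters.",
                              "markdown": "# SQL query built from user input\n"}},
                    {"id": "custom/missing-help"},
                ],
            },
            "extensions": [
                {"name": "codeql/python-queries", "version": "0.9.0",
                 "rules": [{"id": "py/clear-text-logging-sensitive-data",
                            "help": {"text": "Do not log secrets.",
                                     "markdown": "# Clear-text logging\n"}}]},
                {"name": "example/python-models", "version": "1.0.0",
                 "properties": {"isCodeQLModelPack": True}},
            ],
        },
        "results": [],
    }],
})


def load_sarif_text(text):
    """Parse a SARIF document held in a string."""
    return json.loads(text)


def tool_components(sarif):
    """Yield every toolComponent (driver first, then extensions) of every run."""
    for run in sarif.get("runs", []):
        tool = run.get("tool", {})
        if "driver" in tool:
            yield tool["driver"]
        yield from tool.get("extensions", [])


def rules_without_help(sarif):
    """Rule ids whose help object lacks a non-empty markdown body."""
    missing = []
    for component in tool_components(sarif):
        for rule in component.get("rules", []):
            if not rule.get("help", {}).get("markdown"):
                missing.append(rule["id"])
    return missing


def model_packs(sarif):
    """name@version of each extension flagged as a CodeQL model pack."""
    return [f"{c.get('name', '?')}@{c.get('version', '?')}"
            for c in tool_components(sarif)
            if c.get("properties", {}).get("isCodeQLModelPack") is True]


def report(sarif):
    """Human-readable summary of both checks."""
    lines = ["model packs in this analysis: "
             + (", ".join(model_packs(sarif)) or "none")]
    missing = rules_without_help(sarif)
    if missing:
        lines.append("rules without markdown help: " + ", ".join(missing))
    else:
        lines.append("every rule carries markdown help")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            document = json.load(fh)
    else:
        document = load_sarif_text(SAMPLE_SARIF)
    print(report(document))
```

Run it against a real results file with the path as the first argument; with no argument it evaluates the constructed sample. A rule listed as missing help after an analysis run with --sarif-include-query-help=always is worth investigating, since the option is meant to attach help for every query.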

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.2.

v2.15.1

19 Oct 15:39

Release 2.15.1 (2023-10-19)

Potentially Breaking Changes

  • The query server's evaluation/trimCache command was previously equivalent to the codeql database cleanup --mode=gentle CLI command, but is now equivalent to using --mode=normal.

Deprecations

  • The accepted values of the codeql database cleanup --mode= command line option have been renamed to bring them in line with what they are called in the VSCode extension and the query server:
    • --mode=brutal is now --mode=clear.
    • --mode=normal is now --mode=trim.
    • --mode=light is now --mode=fit.
    • The old names are deprecated, but will be accepted for backwards-compatibility reasons until further notice.

Improvements

  • The list of failed tests at the end of a codeql test run is now sorted lexicographically.

Bugs fixed

  • Fixed a bug where the $CODEQL_JAVA_HOME environment variable was
    erroneously ignored for certain subsidiary Java processes started by
    codeql.
  • Fixed a bug in the CodeQL build tracer on Apple Silicon machines that prevented database creation if System Integrity Protection was disabled.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.1.

v2.15.0

11 Oct 12:24

Deprecations

  • pragma[assume_small_delta] is now deprecated. The pragma has no effect and should be removed.
  • Missing override annotations on class fields now raise errors rather than warnings. This is to avoid confusion with the shadowing behavior in the presence of final fields.
  • The CodeQL CLI no longer supports ML-powered alerts. For more information, including details of our work in the AI-powered security technology space, see "CodeQL code scanning deprecates ML-powered alerts."

New Features

  • The output of codeql version --format json now includes a features property. Each key in the map identifies a feature of the CodeQL CLI. The value for a key is always true. Going forward, whenever a significant new feature is added to the CodeQL CLI, a corresponding entry will be added to the features map. This is intended to make it easier for tools that invoke the CodeQL CLI to know if the particular version of the CLI they are invoking supports a given feature, without having to know exactly what CLI version introduced that feature.
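The features map is meant for tools that wrap the CLI, so the natural companion is a small capability check. The script below is an added example, not code from the CodeQL project: it parses the output of codeql version --format=json, asks for a feature by name, and falls back to a version comparison for capabilities that predate the map, using the --sarif-include-query-help option (added in 2.15.3, per the note earlier on this page) as the worked case. It assumes the JSON carries a top-level "version" string alongside "features"; the embedded JSON and the feature name "exampleFeature" are constructed for the example and do not come from any real release.

```python
"""Detect CodeQL CLI capabilities from `codeql version --format=json`.

Added example, not part of the CodeQL project. It assumes the JSON output
carries a top-level "version" string and (from 2.15.0) a "features" map whose
values are always true, as the release note describes.
"""
import json
import re
import shutil
import subprocess

# Constructed sample of the JSON shape; "exampleFeature" is an illustrative
# key, not a feature name from any real CodeQL release.
SAMPLE_VERSION_JSON = json.dumps({
    "productName": "CodeQL",
    "version": "2.15.0",
    "features": {"exampleFeature": True},
})


def parse_version_info(text):
    """Parse the CLI's JSON output; releases before 2.15.0 have no
    "features" map, so substitute an empty one for them."""
    info = json.loads(text)
    info.setdefault("features", {})
    return info


def version_tuple(info):
    """Leading numeric components of "version", e.g. "2.15.0" -> (2, 15, 0)."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", info.get("version", ""))
    if match is None:
        raise ValueError(f"unrecognised CodeQL version: {info.get('version')!r}")
    return tuple(int(part) for part in match.groups())


def supports_feature(info, feature):
    """Preferred check: the CLI advertises the feature by name. Only an
    explicit true counts; anything else is treated as unsupported."""
    return info["features"].get(feature) is True


def at_least(info, minimum):
    """Fallback for capabilities that predate the features map."""
    return version_tuple(info) >= minimum


def choose_query_help_flag(info):
    """Pick the SARIF query-help option this CLI understands:
    --sarif-include-query-help arrived in 2.15.3 and deprecated
    --sarif-add-query-help (both per the release notes on this page)."""
    if at_least(info, (2, 15, 3)):
        return "--sarif-include-query-help=always"
    return "--sarif-add-query-help"


def query_installed_cli(executable="codeql"):
    """Run the real CLI if it is on PATH; return None otherwise so the rest
    of the script still works offline."""
    path = shutil.which(executable)
    if path is None:
        return None
    proc = subprocess.run([path, "version", "--format=json"],
                          capture_output=True, text=True, check=True)
    return parse_version_info(proc.stdout)


if __name__ == "__main__":
    info = query_installed_cli() or parse_version_info(SAMPLE_VERSION_JSON)
    print("version:", info["version"])
    print("advertised features:", sorted(info["features"]))
    print("query-help flag to use:", choose_query_help_flag(info))
```

Prefer supports_feature wherever the CLI publishes a key; the version comparison is only for options that shipped before 2.15.0 or never received a features entry.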

Improvements

  • You can now specify the CodeQL languages C/C++, Java/Kotlin, and JavaScript/TypeScript using --language c-cpp, --language java-kotlin, and --language javascript-typescript respectively. These new CodeQL language names convey more clearly what languages each CodeQL language will analyze.
  • CodeQL now respects custom home directories set by the $HOME environment variable on macOS and Linux and %USERPROFILE% on Windows. When set, CodeQL will use the variable's value to change the default location of downloaded packages and the global compilation cache.
  • This release improves the quality of file coverage information for repositories that vendor their dependencies. This is currently supported for Go and JavaScript projects.

Bugs fixed

  • Fixed an issue with analyzing Python projects using Python 3.12.

QL language improvements

  • The QL language now has two new methods codePointAt and codePointCount on the string type. The methods both return integers and act the same as the similarly named Java methods on strings. For example, "abc".codePointAt(2) is 99 and ("a" + 128512.toUnicode() + "c").codePointAt(1) is 128512.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.15.0.

v2.14.6

26 Sep 13:07
426f50b

Bugs fixed

  • The tracking of RAM usage has been improved. This fixes some cases
    where CodeQL uses more RAM than requested.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.6.

v2.14.5

14 Sep 15:09

Bugs fixed

  • Fixed a JavaScript extractor crash that was introduced in 2.14.4.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.5.

v2.14.4

12 Sep 14:29

Known Issue

  • The JavaScript extractor may, in specific cases, fail with StringIndexOutOfBoundsException. Users affected by this bug should temporarily downgrade to 2.14.3 until a new 2.14.5 release becomes available.

Potentially breaking changes

  • The CodeQL CLI no longer supports the SEMMLE_JAVA_ARGS environment variable. All previous versions of the CodeQL CLI perform command substitution on the SEMMLE_JAVA_ARGS value (for example, replacing '$(echo foo)' with 'foo') when starting a new Java virtual machine, which, depending on the execution environment, may have security implications. Users are advised to check their environments for possible SEMMLE_JAVA_ARGS misuse.
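The note asks users to check their environments for SEMMLE_JAVA_ARGS misuse; the script below is an added example of such a pre-flight check and is not code from the CodeQL project. It audits a process environment and a set of configuration lines for the variable, rating any value that carries shell-style command substitution syntax ($(...) or backticks, the construct the note says older CLIs expanded) as high and any other assignment as informational dead configuration, since 2.14.4 and later ignore the variable. The workflow lines embedded in it are constructed for the example.

```python
"""Pre-flight audit for SEMMLE_JAVA_ARGS in the environment and CI config.

Added example, not code from the CodeQL project. It flags the shell-style
command-substitution syntax ($(...) and backticks) that CodeQL CLI releases
before 2.14.4 expanded inside the variable's value; the sample workflow lines
are constructed for the example.
"""
import os
import re

VAR = "SEMMLE_JAVA_ARGS"
SUBSTITUTION = re.compile(r"\$\(|`")
ASSIGNMENT = re.compile(rf"\b{VAR}\s*[:=]\s*(.*)")

# Constructed CI configuration lines (not from any real workflow).
SAMPLE_CONFIG_LINES = [
    "env:",
    "  SEMMLE_JAVA_ARGS: -Xmx4g",
    "  JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF-8",
    "  SEMMLE_JAVA_ARGS: \"$(echo foo) -Xmx2g\"",
]


def classify(value):
    """Severity for a SEMMLE_JAVA_ARGS value: 'high' if it carries
    substitution syntax an old CLI would have executed, else 'info' (the
    variable is ignored by 2.14.4 and later, so it is dead configuration)."""
    return "high" if SUBSTITUTION.search(value) else "info"


def audit_environment(env):
    """Findings (severity, message) for a mapping such as os.environ."""
    value = env.get(VAR)
    if value is None:
        return []
    return [(classify(value), f"{VAR} set in environment: {value!r}")]


def audit_config_lines(lines):
    """Findings (line number, severity, message) for assignments in
    shell-, YAML- or dotenv-style lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = ASSIGNMENT.search(line)
        if match is None:
            continue
        value = match.group(1).strip().strip("'\"")
        findings.append((number, classify(value), f"{VAR} assigned: {value!r}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_environment(os.environ):
        print(f"[{severity}] {message}")
    for number, severity, message in audit_config_lines(SAMPLE_CONFIG_LINES):
        print(f"[{severity}] line {number}: {message}")
```

Feed audit_config_lines the lines of each workflow, Dockerfile, shell profile or dotenv file that a CodeQL runner sources; a high finding means the value would have been expanded by a CLI older than 2.14.4 and should be treated as a potential injection point until its origin is understood.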

New Features

  • The Java extractor now supports files that use Lombok.

Bugs fixed

  • codeql database init (and github/codeql-action/init@v2 on GitHub Actions) should no longer hang or crash for traced languages on 64-bit Windows machines when certain antivirus software is installed.
  • During codeql pack create and codeql pack publish, a source version of a pack coming from --additional-packs can explicitly be used to override a requested pack version even if this source version is incompatible with the requested version in the pack file. Previously, this would fail with a confusing error message.
  • Fixed a bug where codeql database interpret-results hangs when a path query produces a result that has no paths from source to sink.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL
    CLI has been updated to version 17.0.8.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.14.4.