Merge pull request #21586 from github/oscarsj/hotfix-2.25.1-base

oscarsj · web-flow · commit 7a4b88fadc4d · 2026-03-26T16:36:02.000+01:00
Release 2.25.1 preparations
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.3.rst
@@ -0,0 +1,121 @@
+.. _codeql-cli-2.24.3:
+
+==========================
+CodeQL 2.24.3 (2026-03-05)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.24.3 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a race condition that could cause flaky failures in overlay CodeQL tests. Test extraction now skips :code:`*.testproj` directories by name, preventing interference from concurrently cleaned-up test databases.
+*   Fixed spurious "OOPS" warnings that could appear in help output for commands using mutually exclusive option groups, such as :code:`codeql query run`.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java/Kotlin
+"""""""""""
+
+*   The Java extractor and QL libraries now support Java 26.
+*   Java analysis now selects the Java version to use informed by Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.
+
+Rust
+""""
+
+*   The macro resolution metric has been removed from :code:`rust/diagnostic/database-quality`. This metric was found to be an unreliable indicator of database quality in many cases, leading to false alarms on the tool status page.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.
+
+C#
+""
+
+*   Fixed an issue where the body of a partial member could be extracted twice. When both a *defining* and an *implementing* declaration exist, only the *implementing* declaration is now extracted.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   CodeQL version 2.24.2 accidentally introduced a syntactical breaking change to :code:`BarrierGuard<...>::getAnIndirectBarrierNode` and :code:`InstructionBarrierGuard<...>::getAnIndirectBarrierNode`. These breaking changes have now been reverted so that the original code compiles again.
+*   :code:`MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the :code:`MustFlowConfiguration` class, the user should now implement a module with the :code:`MustFlow::ConfigSig` signature, and instantiate the :code:`MustFlow::Global` parameterized module with the implemented module.
+
+Python
+""""""
+
+*   The :code:`Metrics` library no longer contains code that depends on the points-to analysis. The removed functionality has instead been moved to the :code:`LegacyPointsTo` module, to classes like :code:`ModuleMetricsWithPointsTo` etc. If you depend on any of these classes, you must now remember to import :code:`LegacyPointsTo`, and use the appropriate types in order to use the points-to-based functionality.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   The CodeQL Python libraries have been updated to be compatible with overlay evaluation. This should result in a significant speedup on analyses for which a base database already exists. Note that it may be necessary to add :code:`overlay[local?] module;` to user-managed libraries that extend classes that are now marked as :code:`overlay[local]`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (:code:`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.
+
+C#
+""
+
+*   C# 14: Added support for partial events.
+*   C# 14: Added support for the :code:`field` keyword in properties.
+
+Java/Kotlin
+"""""""""""
+
+*   Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for React components wrapped by :code:`observer` from :code:`mobx-react` and :code:`mobx-react-lite`.
+
+Python
+""""""
+
+*   Added new full SSRF sanitization barrier from the new AntiSSRF library.
+*   When a guard such as :code:`isSafe(x)` is defined, we now also automatically handle :code:`isSafe(x) == true` and :code:`isSafe(x) != false`.
+
+Ruby
+""""
+
+*   We now track taint flow through :code:`Shellwords.escape` and :code:`Shellwords.shellescape` for all queries except command injection, for which they are sanitizers.
+
+Rust
+""""
+
+*   Added support for neutral models (:code:`extensible: neutralModel`) to control where generated source, sink and flow summary models apply.
diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.0.rst
@@ -0,0 +1,131 @@
+.. _codeql-cli-2.25.0:
+
+==========================
+CodeQL 2.25.0 (2026-03-19)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.25.0 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   :code:`codeql database interpret-results` and :code:`codeql database analyze` no longer attempt to reconstruct file baseline information from databases created with CLI versions before 2.11.2.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Upgraded Jackson library from 2.16.1 to 2.18.6 to address a high-severity denial of service vulnerability (GHSA-72hv-8253-57qq) in jackson-core's async JSON parser.
+*   Upgraded snakeyaml (which is a dependency of jackson-dataformat-yaml) from 2.2 to 2.3.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Java/Kotlin
+"""""""""""
+
+*   The Java control flow graph (CFG) implementation has been completely rewritten. The CFG now includes additional nodes to more accurately represent certain constructs. This also means that any existing code that implicitly relies on very specific details about the CFG may need to be updated.
+    The CFG now only includes the nodes that are reachable from the entry point.
+    Additionally, the following breaking changes have been made:
+
+    *   :code:`ControlFlowNode.asCall` has been removed - use :code:`Call.getControlFlowNode` instead.
+    *   :code:`ControlFlowNode.getEnclosingStmt` has been removed.
+    *   :code:`ControlFlow::ExprNode` has been removed.
+    *   :code:`ControlFlow::StmtNode` has been removed.
+    *   :code:`ControlFlow::Node` has been removed - this was merely an alias of
+        :code:`ControlFlowNode`, which is still available.
+    *   Previously deprecated predicates on :code:`BasicBlock` have been removed.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Swift
+"""""
+
+*   Upgraded to allow analysis of Swift 6.2.4.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+C#
+""
+
+*   Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+*   Added :code:`System.Net.WebSockets::ReceiveAsync` as a remote flow source.
+*   Added reverse taint flow from implicit conversion operator calls to their arguments.
+*   Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
+*   C# 14: Added support for partial constructors.
+
+Golang
+""""""
+
+*   Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Java/Kotlin
+"""""""""""
+
+*   Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+*   The class :code:`Assignment` now extends :code:`BinaryExpr`. Uses of :code:`BinaryExpr` may in some cases need slight adjustment.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for browser-specific source kinds (:code:`browser`, :code:`browser-url-query`, :code:`browser-url-fragment`, :code:`browser-url-path`, :code:`browser-url`, :code:`browser-window-name`, :code:`browser-message-event`) that can be used in data extensions to model sources in browser environments.
+*   Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Python
+""""""
+
+*   The call graph resolution no longer considers methods marked using |link-code-typing-overload-1|_ as valid targets. This ensures that only the method that contains the actual implementation gets resolved as a target.
+*   Inline expectations test comments, which are of the form :code:`# $ tag` or :code:`# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Ruby
+""""
+
+*   Inline expectations test comments, which are of the form :code:`# $ tag` or :code:`# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Swift
+"""""
+
+*   Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+
+Rust
+""""
+
+*   Inline expectations test comments, which are of the form :code:`// $ tag` or :code:`// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the :code:`$` symbol.
+*   Added neutral models to inhibit spurious generated sink models for :code:`map` and :code:`from`. This fixes some false positive query results.
+
+Shared Libraries
+----------------
+
+New Features
+~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   Two new flow features :code:`FeatureEscapesSourceCallContext` and :code:`FeatureEscapesSourceCallContextOrEqualSourceSinkCallContext` have been added. The former implies that the sink must be reached from the source by escaping the source call context, that is, flow must either return from the callable containing the source or use a jump-step before reaching the sink. The latter is the disjunction of the former and the existing :code:`FeatureEqualSourceSinkCallContext` flow feature.
+
+.. |link-code-typing-overload-1| replace:: :code:`@typing.overload`\ 
+.. _link-code-typing-overload-1: https://typing.python.org/en/latest/spec/overload.html#overloads
+
diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst
@@ -11,6 +11,8 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.25.0
+   codeql-cli-2.24.3
    codeql-cli-2.24.2
    codeql-cli-2.24.1
    codeql-cli-2.24.0
