Releases: github/codeql-cli-binaries
v2.5.2
This release is identical to release 2.5.1, except that an internal incompatibility with the CodeQL action (and the codeql-runner that some customers use for CI integrations) has been fixed.
The fix does not affect any use cases where the CLI is downloaded from github/codeql-cli-binaries, so if you're seeing this release there, there's no need to upgrade from 2.5.1.
For more information about the changes included in this release, see the CodeQL CLI changelog.
You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.
v2.5.1
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.
Potentially breaking changes
- The QL compiler will now reject queries where the query metadata (if present) at the top of the .ql file is inconsistent with the output format of the query. This check can be disabled by giving the --no-metadata-verification flag.
Bugs fixed
- Environment variables required for Java extraction are now propagated by the tracer. This may resolve issues with tracing and extraction in the context of certain build systems such as Bazel.
- A number of --check-CONDITION options to codeql database finalize and codeql dataset import designed to look for consistency errors in the intermediate "TRAP" output from extractors erroneously did nothing. They will now actually print warnings if errors are found.
Features added
- codeql resolve qlref is a new command that takes in a .qlref file for a CodeQL test case and returns the path of the .ql file it references.
- codeql database analyze and codeql database interpret-results have a new --sarif-group-rules-by-pack option which will place the SARIF rule object for each query underneath its corresponding query pack in runs[].tool.extensions.
- codeql database finalize and codeql dataset import have a new --fail-on-trap-errors option that will make database creation fail if extractors produce ill-formatted "TRAP" data for inclusion into a database.
- codeql database finalize and codeql dataset import have a new --check-undefined-labels option that enables stricter consistency checks on the "TRAP" output from extractors.
QL language improvements
- super may now be used unqualified, e.g. super.predicateName(), when the declaring class has multiple super types, as long as the call itself is unambiguous.
For more information about the changes included in this release, see the CodeQL CLI changelog.
v2.5.0
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.27) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.27 instance, you need to create them with release 2.4.6.
Potentially breaking change
- By default, codeql test now performs additional compiler checks when extracting test code written in Java. Existing Java tests that previously passed may therefore fail due to this change, if they do not compile using the javac compiler. To allow time to migrate existing tests, the new behavior can be disabled by setting the environment variable CODEQL_EXTRACTOR_JAVA_FLOW_CHECKS=false.
Features added
- Log files that contain output from build processes will now prefix it with [build-stdout] and [build-stderr] instead of [build] and [build-err]. In particular the latter sometimes caused confusion.
QL language improvements
- The QL language now recognizes new pragma[only_bind_into](...) and pragma[only_bind_out](...) annotations on expressions. Advanced users may use these annotations to provide hints to the compiler to influence binding behavior and thus indirectly performance.
For more information about the changes included in this release, see the CodeQL CLI changelog.
v2.4.6
This release corresponds to release 1.27.x of LGTM Enterprise, and should be used when creating databases that will be uploaded to it. Future CLI releases (numbered 2.5.x) may produce databases that are not backwards compatible with this version of LGTM Enterprise.
- Fixed a bug in codeql test run that caused tests to fail messily if the freshly-extracted test database needed to be upgraded in order to be compatible with the QL source under test.
- codeql github upload-results should now work correctly against GitHub Enterprise Server instances that are configured with a path prefix.
For more information about the changes included in this release, see the CodeQL CLI changelog.
v2.4.5
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.26) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.26 instance, you need to create them with release 2.3.4.
- The C/C++ extractor can now parse more Microsoft language extensions when in C++14 and C++17 mode.
- codeql database analyze now reports the name and version of each QL pack used by the analysis in the SARIF output.
- codeql github upload-results is a new command that uploads a SARIF file generated by CodeQL to GitHub's Code Scanning.
For more information about the changes included in this release, see the CodeQL CLI changelog.
Beware: Some (but not all) unzipper programs on Windows have problems with the zips in this release, and will ask your permission to overwrite codeql/codeql.exe by codeql/codeql. You should answer no to that.
v2.4.4
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.26) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.26 instance, you need to create them with release 2.3.4.
Potentially breaking changes
- The name property in qlpack.yml must now meet the following requirements:
  - Only lowercase ASCII letters, ASCII digits, and hyphens (-) are allowed.
  - A hyphen is not allowed as the first or last character of the name.
  - The name must be at least one character long, and no longer than 128 characters.
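The three name rules above, as an added validator that is not part of the release notes or the CodeQL CLI; it checks a qlpack name and, as a convenience, pulls the name out of a constructed qlpack.yml with a minimal line match rather than a YAML parser.

```python
import re
from typing import List

# qlpack.yml "name" rules as listed in the 2.4.4 release notes:
#   - only lowercase ASCII letters, ASCII digits and hyphens
#   - no leading or trailing hyphen
#   - length between 1 and 128 characters inclusive
MAX_NAME_LEN = 128
ALLOWED_NAME = re.compile(r"^[a-z0-9-]*$")
ALLOWED_CHAR = re.compile(r"[a-z0-9-]")


def qlpack_name_violations(name: str) -> List[str]:
    """Return every rule the name breaks (empty list means the name is valid)."""
    violations = []
    if len(name) < 1:
        violations.append("name is empty")
    elif len(name) > MAX_NAME_LEN:
        violations.append(f"name is {len(name)} characters, maximum is {MAX_NAME_LEN}")
    if not ALLOWED_NAME.match(name):
        bad = sorted({c for c in name if not ALLOWED_CHAR.match(c)})
        violations.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    if name.startswith("-") or name.endswith("-"):
        violations.append("name must not start or end with a hyphen")
    return violations


def is_valid_qlpack_name(name: str) -> bool:
    return not qlpack_name_violations(name)


def check_qlpack_yml(text: str) -> List[str]:
    """Find the top-level 'name:' key in a qlpack.yml and validate its value.
    Deliberately minimal (hypothetical helper): a real tool would use a YAML parser."""
    for line in text.splitlines():
        m = re.match(r"^name:\s*(.*?)\s*$", line)
        if m:
            return qlpack_name_violations(m.group(1).strip("\"'"))
    return ["no top-level 'name' key found"]


# Constructed sample qlpack.yml contents (not taken from the page).
GOOD_QLPACK = "name: my-org-security-queries\nversion: 0.0.1\n"
BAD_QLPACK = "name: My_Org/Queries-\nversion: 0.0.1\n"

if __name__ == "__main__":
    for label, doc in (("good", GOOD_QLPACK), ("bad", BAD_QLPACK)):
        print(label, check_qlpack_yml(doc) or "ok")
```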
New features
- Alert and path queries can now give a score to each alert they produce. You can incorporate alert scores in an alert or path query by first adding the @scored property to the query metadata. You can then introduce a new numeric column at the end of the select statement structure to represent the score of each alert. Alert scores are exposed in the SARIF output of commands like codeql database analyze as the score property in the property bags of result objects.
Bugs fixed
- The default value of the --working-dir options for the index-files and trace-command subcommands of codeql database has been fixed to match the documentation; previously, it would erroneously use the process' current working directory rather than the database source root.
- codeql test run will not crash if database extraction in a test directory fails. Instead only the tests in that directory will be marked as failing, and tests in other directories will continue executing.
v2.4.3
This release fixes several bugs relating to searching for QL packs on disk which were introduced in release 2.4.2. It is otherwise identical to release 2.4.2.
For more information about the changes included in this release, see the CodeQL CLI changelog.
v2.4.2
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.26) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.26 instance, you need to create them with release 2.3.4.
v2.4.1
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.26) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.26 instance, you need to create them with release 2.3.4.
- codeql query format now checks all files rather than stopping after the first failure when the --check-only option is given.
- codeql resolve database will produce a languages key giving the language the database was created for. This can be useful in IDEs to help describe the database and suggest default actions or queries. For databases created by earlier versions, the result will be a best-effort guess.
- codeql database interpret-results can now produce Graphviz .dot files from queries with @kind graph.
For more information about the changes included in this release, see the CodeQL CLI changelog.
v2.3.4
This release corresponds to release 1.26.x of LGTM Enterprise, and should be used when creating databases that will be uploaded to it. Later releases (numbered 2.4.x and following) may produce databases that are not backwards compatible with this version of LGTM Enterprise.
For all purposes other than creating databases for LGTM Enterprise we recommend that you upgrade to CLI releases numbered 2.4.x or later.