Releases: github/codeql-cli-binaries

v2.12.2

07 Feb 19:18

Bugs fixed

  • Fixed a QL evaluator bug introduced in release 2.12.1 which could in certain rare cases lead to wrong analysis results.

  • Fixed handling of -Xclang <arg> arguments passed to the clang compiler which could cause missing extractions for C++ code bases.

  • Fixed a bug where the --overwrite option was failing for database clusters.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.6.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.12.2.

v2.12.1

23 Jan 17:50
970025b

New features

  • Added a new command-line flag --expect-discarded-cache, which gives a hint to the evaluator that the evaluation cache will be discarded after analysis completes. This allows it to avoid some unnecessary writes to the cache, for predicates that aren't needed by the query/suite being evaluated.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.12.1.

v2.12.0

10 Jan 20:47

Breaking changes

  • The --[no-]count-lines option to codeql database create and related commands that was deprecated in 2.11.1 has been removed. Users of this option should instead pass --[no-]calculate-baseline.

New features

  • Query packs created by codeql pack create, codeql pack bundle, and codeql pack release now contain precompiled queries in a new format that aims to be compatible with future (and, to a certain extent, past) releases of the CodeQL CLI. Previously the precompiled queries were in a format specific to each CLI release, and all other releases would need to re-compile queries.
  • The codeql database init command now accepts a PAT that allows you to download queries from external, private repositories when using the --codescanning-config <config-file> option.
  • The baseline information produced by codeql database init and codeql database create now accounts for paths and paths-ignore configuration.
  • In the VS Code extension, recursive calls will be marked with inlay hints.
  • The CLI now gives a more helpful error message when asked to run queries on a database that has not been finalized.

Bugs fixed

  • Fixed a bug where the codeql pack install command would fail if a CodeQL configuration file is used and the --additional-packs option is specified.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.12.0.

v2.11.6

13 Dec 13:13

Breaking changes

  • Java and Kotlin analyses in this release of the CLI and all earlier releases are incompatible with Kotlin 1.7.30 and later. To prevent code scanning alerts from being spuriously dismissed, Java and Kotlin analyses will now fail when using Kotlin 1.7.30 or later.

Bugs fixed

  • Fixed a bug where it was not possible to run queries in CodeQL query packs for C# that use the legacy libraryPathDependencies property in their qlpack.yml file. The associated error message complained about undefined extensional predicates.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.6.

v2.11.5

07 Dec 18:54

Bugs fixed

  • Fixed a bug that could cause log summary generation to fail in VS Code.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.5.

v2.11.4

24 Nov 14:05
3dc36ae

New features

  • Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default.

Potentially breaking changes

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.4.

v2.11.3

11 Nov 12:19
9223ad3

Breaking changes

  • The codeql pack ls --format json deep plumbing command now returns only the name and version properties for each found pack.

Potentially breaking changes

  • codeql pack download, codeql pack install, and codeql pack add will ignore CodeQL packs with pre-release versions, unless the --allow-prerelease option is passed to the command. This brings these commands into alignment with codeql pack publish, which refuses to publish CodeQL packs with pre-release versions unless the --allow-prerelease option is specified.

Deprecations

  • The --[no-]fast-compilation option to codeql query compile is now deprecated.

New features

  • codeql resolve files and codeql database index-files have a new --find-any option, which finds at most one match.

Miscellaneous

  • The build of Apache Commons Text that is bundled with the CodeQL CLI has been updated to version 1.10.0. While previous releases shipped with version 1.6 of the library, no part of the CodeQL CLI references the StringSubstitutor class that the recently disclosed CVE-2022-42889 vulnerability applies to. We therefore do not believe that running previous releases of CodeQL exposes users to this vulnerability.
  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.5.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.3.

v2.11.2

25 Oct 08:39
7471af1

Breaking changes

  • Bundling and publishing a CodeQL pack will no longer include nested CodeQL packs. If you want to include a nested pack in your published pack, then you must explicitly include it using the include property in the top-level qlpack.yml file.

    For example, if your package structure looks like this:

    qlpack.yml
    nested-pack
       ∟ qlpack.yml
       ∟ query.ql

    then the contents of nested-pack will not be included by default within the published package. To include nested-pack, add an entry like this to the top-level qlpack.yml file:

    include:
      - nested-pack/**

Bugs fixed

  • Using the --codescanning-config=<file> option in codeql database init will now correctly process the paths and pathsIgnore properties of the configuration file in a way that is identical to the behavior of the codeql-action. Previously, paths or pathsIgnore entries that end in /** or start with / were incorrectly rejected by the CLI.

  • Fixed a bug where the --compilation-cache option to codeql pack publish and codeql pack create was being ignored when creating a query pack. Now, the indicated cache is used when pre-compiling the queries in it.

  • Fixed a bug that would make the "Show DIL" command in the VSCode extension display nothing.

Other changes

  • Emit a detailed warning if package resolution fails, the legacy --search-path option is provided, and there is at least one referenced pack that does not use legacy package resolution. In this case, --additional-packs should be used to extend the search to additional directories, instead of --search-path.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.2.

v2.11.1

11 Oct 17:30
7471af1

Breaking changes

  • Pack installation using the CodeQL Packaging beta will now fail if a compatible version cannot be found. This replaces the previous behavior where codeql pack download and related commands would instead install the latest version of the pack in this situation.

Deprecations

  • The --[no-]count-lines option to codeql database create and related commands is now deprecated and will be removed in a future release of the CodeQL CLI (earliest 2.12.0). It is replaced by --[no-]calculate-baseline to reflect the additional baseline information that is now captured as of this release.

New features

  • codeql database analyze and related commands now support absolute paths containing the @ or : characters when specifying which queries to run. To reference a query file, directory, or suite whose path contains a literal @ or :, prefix the query specifier with path:, for example:

        codeql database analyze --format=sarif-latest --output=results <db> path:C:/Users/ci/workspace@2/security/query.ql

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.1.

v2.11.0

28 Sep 16:59

Deprecation

  • The CodeQL CLI now uses Python 3 to extract both Python 2 and Python 3 databases. Correspondingly, support for using Python 2 to extract Python databases is now deprecated. Starting with version 2.11.3, you will need to install Python 3 to extract Python databases.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.0.