CodeQL 2.23.0: New Rust Log Injection Detection and Security Improvements
Allison covers the latest in CodeQL 2.23.0, highlighting new Rust log injection detection, security query improvements across languages, and deployment updates for GitHub code scanning users.
Author: Allison
CodeQL, the static analysis engine behind GitHub code scanning, helps find and remediate security issues in source code. The recent release of CodeQL 2.23.0 brings significant security and performance enhancements, broadening support for multiple languages and frameworks.
Language and Framework Highlights
- C/C++:
  - Improved dataflow and taint tracking via a new library, yielding fewer false positives.
  - Added flow summaries for Microsoft::WRL::ComPtr member functions.
- C#:
  - Enhanced data flow analysis to more accurately track flows using the base qualifier.
  - The taint tracking default config now supports implicit reads from collections, improving overall coverage and reducing false negatives.
- Rust:
  - Extraction performance improvements by removing path resolution from the extractor.
  - Enhanced modeling for std::fs, async_std::fs, and tokio::fs, potentially surfacing more alerts for path injection vulnerabilities.
  - Introduction of a new query, rust/log-injection, for detecting potential log entry manipulation by malicious users.
- Java:
  - The java/insecure-spring-actuator-config query is promoted to the main pack as java/spring-boot-exposed-actuators-config, now enabled by default. It detects improper actuator exposure in Spring Boot configs.
  - Bug fixes for null dereference and query consolidation to avoid redundancy.
- Python:
  - py/unexpected-raise-in-special-method now detects more conditional exceptions.
  - py/incomplete-ordering, py/inconsistent-equality, and py/equals-hash-mismatch get improved documentation and focus on Python 3 issues only.
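As an added example (not code from the post or from CodeQL itself), here is the pattern the new rust/log-injection query targets, beside a hardened version. A minimal in-memory logger stands in for a real logging crate, and the username value is constructed for the demonstration.

```rust
// Added example: untrusted data written verbatim into a log line (the pattern
// rust/log-injection reports) next to a defensive encoding. The logging backend
// is a stand-in so the example runs offline without external crates.

/// Neutralise control characters so one log call cannot produce extra log lines.
/// Line breaks become visible escapes; other ASCII control bytes become \xNN.
pub fn sanitize_for_log(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            c if c.is_ascii_control() => out.push_str(&format!("\\x{:02x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Stand-in for a logging backend: each call appends one "INFO <msg>" line.
pub fn log_info(sink: &mut String, msg: &str) {
    sink.push_str("INFO ");
    sink.push_str(msg);
    sink.push('\n');
}

/// Vulnerable: the username (attacker-controlled, e.g. from a request) is
/// interpolated unmodified, so an embedded line break yields a second entry.
pub fn record_login_unsafe(sink: &mut String, username: &str) {
    log_info(sink, &format!("login failed for user={}", username));
}

/// Hardened: the same message, but the untrusted field is encoded first.
pub fn record_login_safe(sink: &mut String, username: &str) {
    log_info(sink, &format!("login failed for user={}", sanitize_for_log(username)));
}

/// Number of log lines a single call produced; 1 is the expected value.
pub fn line_count(sink: &str) -> usize {
    sink.lines().count()
}

fn main() {
    // Constructed sample input: a username carrying an embedded line break.
    let username = "alice\nINFO login succeeded for user=admin";
    let mut unsafe_log = String::new();
    record_login_unsafe(&mut unsafe_log, username);
    let mut safe_log = String::new();
    record_login_safe(&mut safe_log, username);
    println!("unsafe produced {} lines:\n{}", line_count(&unsafe_log), unsafe_log);
    println!("safe produced {} line:\n{}", line_count(&safe_log), safe_log);
}
```

The query flags the first function because request-derived data reaches the log sink without passing through a sanitizer; the second keeps one call to one line, which is what a detection pipeline parsing the log relies on.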
Query Improvements
- Numerous enhancements and additions across supported languages.
- More precise function call resolution and expanded taint flow tracking.
Availability and Deployment
- CodeQL updates are automatically deployed for users of GitHub code scanning at github.com.
- The new features will also be part of a future GitHub Enterprise Server (GHES) release; manual upgrades are supported for users of older GHES versions.
For all changes, check the official changelog.
This post appeared first on “The GitHub Blog”.