CodeQL documentation
CodeQL resources

CodeQL 2.24.1 (2026-02-05)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.24.1 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).

CodeQL CLI

Miscellaneous

  • The vulnerable xwork-core 2.3.37 test dependency (CVE-2025-68493) has been removed. The CodeQL Java library has been updated to support both legacy Struts 2.x-6.x package names and Struts 7.x package names for analyzing user code.

Language Libraries

Bug Fixes

C/C++

  • Fixed a bug in the GuardCondition library which sometimes prevented binary logical operators from being recognized as guard conditions. As a result, queries using GuardCondition may see improved results.

  • Fixed a bug which caused Node.asDefinition() to not have a result for certain assignments.

Java/Kotlin

  • Kotlin: The Kotlin extractor now registers as the last IR generation extension, ensuring that code generated by other compiler plugins (such as kotlinx.serialization) is correctly captured.

GitHub Actions

  • Fixed a crash when analysing a ${{ ... }} expression over around 300 characters in length.

Breaking Changes

Java/Kotlin

  • Support for Kotlin 1.6.x and 1.7.x series has been dropped

Minor Analysis Improvements

C/C++

  • The Buffer.qll library will no longer report incorrect buffer sizes on certain malformed databases. As a result, the queries cpp/static-buffer-overflow, cpp/overflow-buffer, cpp/badly-bounded-write, cpp/overrunning-write, cpp/overrunning-write-with-float, and cpp/very-likely-overrunning-write will report fewer false positives on such databases.

  • Added taint summary models and sql-injection barrier models for the MySQL mysql_real_escape_string and mysql_real_escape_string_quote escaping functions.

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

C#

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

  • C# 14: Support for null-conditional assignments (such as c?.Prop = p). Furthermore, the MaybeNullExpr class now takes null-conditional access (such as ?.) into account when modeling potential null values.

Golang

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

Java/Kotlin

  • Added support for Struts 7.x package names in the Struts framework library. The library now recognizes both the legacy com.opensymphony.xwork2 package names (Struts 2.x-6.x) and the new org.apache.struts2 package names (Struts 7.x+), maintaining backward compatibility while enabling analysis of code using the latest Struts versions.

  • The query java/unreleased-lock no longer applies to lock types with names ending in “Pool”, as these typically manage a collection of resources and the lock and unlock methods typically only lock one resource at a time. This may lead to a reduction in false positives.

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

  • When Maven-compatible private package registries are configured for an organisation for Default Setup, CodeQL will now configure Maven to also use these as plugin repositories. CodeQL previously already configured Maven to use them as regular package repositories. This should now allow Maven plugins to be obtained from private registries.

JavaScript/TypeScript

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

Python

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

  • Added experimental query py/prompt-injection to detect potential prompt injection vulnerabilities in code using LLMs.

  • Added taint flow model and type model for agents and openai modules.

  • Remote flow sources for the websockets package have been modeled.

Ruby

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

Swift

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

Rust

  • The predicate SummarizedCallable.propagatesFlow has been extended with the columns Provenance p and boolean isExact, and as a consequence the predicates SummarizedCallable.hasProvenance and SummarizedCallable.hasExactModel have been removed.

  • Added type inference support for the FnMut(..) -> .. and Fn(..) -> .. traits. They now work in type parameter bounds and are implemented by closures.

New Features

C/C++

  • Added a subclass Embed of PreprocessorDirective for C23 and C++26 #embed preprocessor directives.

  • Added modules DataFlow::ParameterizedBarrierGuard and DataFlow::ParameterizedInstructionBarrierGuard. These modules provide the same features as DataFlow::BarrierGuard and DataFlow::InstructionBarrierGuard, but allow for an additional parameter to support properly using them in dataflow configurations that uses flow states.

Java/Kotlin

  • Kotlin versions up to 2.3.0 are now supported.

Python

  • It is now possible to refer to list elements in the Python models-as-data language, via the ListElement path.