CodeQL documentation
CodeQL resources

CodeQL 2.24.2 (2026-02-20)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.24.2 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).

CodeQL CLI

Bug Fixes

  • Fixed SARIF output to generate RFC 1738 compatible file URIs. File URIs now always use the file:/// format instead of file:/ for better interoperability with SARIF consumers.

Query Packs

Bug Fixes

C#

  • The cs/web/missing-token-validation (“Missing cross-site request forgery token validation”) query now recognizes antiforgery attributes on base controller classes, fixing false positives when [ValidateAntiForgeryToken] or [AutoValidateAntiforgeryToken] is applied to a parent class.

Language Libraries

Bug Fixes

Python

  • Using = as a fill character in a format specifier (e.g. f"{x:=^20}") now no longer results in a syntax error during parsing.

Breaking Changes

Golang

  • The BasicBlock class is now defined using the shared basic blocks library. BasicBlock.getRoot has been replaced by BasicBlock.getScope. BasicBlock.getAPredecessor and BasicBlock.getASuccessor now take a SuccessorType argument. ReachableJoinBlock.inDominanceFrontierOf has been removed, so use BasicBlock.inDominanceFrontier instead, swapping the receiver and the argument.

Major Analysis Improvements

Golang

  • Go 1.26 is now supported.

Minor Analysis Improvements

C/C++

  • Added remote flow source models for the winhttp.h windows header and the Azure SDK core library for C/C++.

C#

  • The model for System.Web.HttpUtility has been modified to better model the flow of tainted URIs.

  • C# 14: Added support for extension members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators.

Java/Kotlin

  • Using a regular expression to check that a string doesn’t contain any line breaks is already a sanitizer for java/log-injection. Additional ways of doing the regular expression check are now recognised, including annotation with @javax.validation.constraints.Pattern.

  • More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including java/ssrf and java/path-injection. In particular, being annotated with @javax.validation.constraints.Pattern is now recognised as a sanitizer for those queries.

  • Kotlin versions up to 2.3.10 are now supported.

Python

  • Added request forgery sink models for the Azure SDK.

  • Made it so that models-as-data sinks with the kind request-forgery contribute to the class Http::Client::Request which represents HTTP client requests.

Deprecated APIs

Java/Kotlin

  • The UnreachableBlocks.qll library has been deprecated.

  • Renamed the following predicates to increase uniformity across languages. The getBody predicate already existed on LoopStmt, but is now properly inherited.

    • UnaryExpr.getExpr to getOperand.

    • ConditionalExpr.getTrueExpr to getThen.

    • ConditionalExpr.getFalseExpr to getElse.

    • ReturnStmt.getResult to getExpr.

    • WhileStmt.getStmt to getBody.

    • DoStmt.getStmt to getBody.

    • ForStmt.getStmt to getBody.

    • EnhancedForStmt.getStmt to getBody.