CodeQL 2.20.6 Release: Enhanced Support and Improved Accuracy 🎯

[ghostinhershell]

We are excited to announce the release of CodeQL 2.20.6, the static analysis engine behind GitHub code scanning. This update brings support for a new version of Java and a variety of other improvements that enhance the accuracy of your code scanning results.

Key Updates in CodeQL 2.20.6

Java

• Support for Java 24: CodeQL now supports Java version 24, ensuring compatibility with the latest Java features.
• Improved XSS Query: The accuracy of the java/xss query has been improved when javax.servlet.http.HttpServletResponse is used without an exploitable content type.

JavaScript / TypeScript

• Response Threat Model: Added support for the response threat model, which can be enabled with advanced setup. When enabled, the response data coming back from an outgoing HTTP request is considered a tainted source.
• Enhanced Data Flow Analysis: Improved precision of data flow through arrays and call resolution logic, resulting in more accurate analysis results.

C/C++

• Static Buffer Overflow: Improved accuracy of the cpp/static-buffer-overflow query, leading to better detection of potential issues.

C#

• Call to Object.ToString: Enhanced precision of the cs/call-to-object-tostring query, resulting in more accurate analysis results.

GitHub Actions (Public Preview)

• Query Removal: The actions/unversioned-immutable-action query has been removed from the public suite of queries, closing any alerts triggered from it.

Availability and Further Information

Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.6 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.

For a full list of changes, please refer to the complete changelog for version 2.20.6.

Stay secure with the latest enhancements in CodeQL!