CodeQL 2.24.0 adds Swift 6.2 and .NET 10 support, and improves file handling for minified JavaScript

Published: January 29, 2026 at 06:17 PM EST

Source: GitHub Changelog

CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.24.0, which adds support for new language versions, expands framework coverage, and improves query accuracy across multiple languages.

Language and framework support

Swift

  • Updated to support analysis of apps built with Swift 6.2.2 and 6.2.3.

C#

  • Added support for .NET 10 and C# 14.

JavaScript/TypeScript

  • JavaScript files with an average line length greater than 200 are now treated as minified and are not analyzed.
    To analyze minified files anyway, set the environment variable:

    CODEQL_EXTRACTOR_JAVASCRIPT_ALLOW_MINIFIED_FILES=true

  • Added support for Next.js 16’s use cache directives.
  • Added support for the React useRef hook, with improved data‑flow tracking through the ref’s current property.
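The minified-file rule above, as an added pre-flight check (not CodeQL's or GitHub's code) that lists the JavaScript files a scan will now silently skip, so the coverage gap is known before relying on the results. How the extractor computes the average (characters per line here) and which extensions it covers (.mjs/.cjs alongside .js here) are assumptions.

```python
"""Pre-flight check for the CodeQL 2.24.0 minified-file rule. Added example,
not CodeQL's own code. Assumptions (not in the release notes): the average
counts characters per line without the newline; .mjs/.cjs count as .js.
"""
import os
from pathlib import Path

MINIFIED_THRESHOLD = 200                # from the release notes
JS_SUFFIXES = {".js", ".mjs", ".cjs"}   # assumption, see docstring
ALLOW_VAR = "CODEQL_EXTRACTOR_JAVASCRIPT_ALLOW_MINIFIED_FILES"


def average_line_length(text):
    """Mean characters per line; 0.0 for an empty file."""
    lines = text.splitlines()
    return sum(len(line) for line in lines) / len(lines) if lines else 0.0


def is_treated_as_minified(text):
    """True when CodeQL 2.24.0 would skip this source as minified."""
    return average_line_length(text) > MINIFIED_THRESHOLD


def skipped_sources(sources):
    """Names from (name, text) pairs that a scan would skip."""
    return [name for name, text in sources if is_treated_as_minified(text)]


def skipped_files_under(root):
    """Walk a checkout and list JavaScript files a scan would silently skip."""
    paths = (p for p in Path(root).rglob("*") if p.suffix in JS_SUFFIXES and p.is_file())
    return [str(p) for p in paths
            if is_treated_as_minified(p.read_text(encoding="utf-8", errors="replace"))]


def minified_analysis_enabled(env=None):
    """Whether the override from the release notes is active in env."""
    env = os.environ if env is None else env
    return env.get(ALLOW_VAR, "").strip().lower() == "true"


# Constructed samples: ordinary source, and one 240-character bundle line.
NORMAL_SAMPLE = "function add(a, b) {\n  return a + b;\n}\n"
MINIFIED_SAMPLE = "var a=1;" * 30 + "\n"

if __name__ == "__main__":
    for name in skipped_sources([("app.js", NORMAL_SAMPLE), ("bundle.js", MINIFIED_SAMPLE)]):
        print(f"{name}: skipped as minified; set {ALLOW_VAR}=true to include it")
```

Run `skipped_files_under(".")` in a checkout to see which bundles a default scan would leave unanalyzed.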

Python

  • The py/decompression-bomb query now supports the compression.zstd library (added in Python 3.14).
  • Added taint‑flow models for urllib.parse and remote flow sources for the python-socketio package.
  • The extractor now analyzes files in hidden directories by default.

Java/Kotlin

  • Added sink models for com.couchbase supporting SQL injection and hard‑coded credentials queries.
  • Added more data‑flow models for org.apache.commons.fileupload.FileItem, javax/jakarta.servlet.http.Part, and org.apache.commons.fileupload.util.Streams.

C/C++

  • Added support for more Windows APIs, including file‑read functions, command‑line and environment‑variable APIs, and flow models for SQLite and OpenSSL libraries.

Rust

  • Method resolution now considers the Deref trait, correctly resolving method calls on receivers implementing Deref.
  • Added support for the Axum web application framework.
  • Improved type inference for raw pointers, including raw borrow operators and dereferencing.

Query changes

C#

  • Extended the Missing cross‑site request forgery token validation query to support ASP.NET Core.
  • Added NHibernate.ISession.CreateSQLQuery, NHibernate.IStatelessSession.CreateSQLQuery, and NHibernate.Impl.AbstractSessionImpl.CreateSQLQuery as SQL‑injection sinks.
  • Added implicit reads of System.Collections.Generic.KeyValuePair.Value at taint‑tracking sinks and at inputs to additional taint steps, resulting in more results when a container is tainted.

JavaScript/TypeScript

  • Fixed a bug in the Next.js model that caused analysis to miss server‑side taint sources in files named route or page outside api and pages folders.
  • new Response(x) is no longer treated as a reflected XSS sink when no content-type header is set, because the response then defaults to text/plain and the body is not rendered as HTML.

Java/Kotlin

  • Java thread‑safety analysis now understands initialization to thread‑safe classes inside constructors.
  • Added a sanitizer to java/ssrf to suppress alerts when a regular‑expression check verifies the value is safe.
  • URI template variables of all Spring RestTemplate methods are now considered request‑forgery sinks, potentially generating more alerts for java/ssrf.

C/C++

  • Improved the accuracy of the cpp/constant-comparison query to reduce false positives.

Rust

  • Improved the accuracy of the rust/unused-variable, rust/unused-value, rust/access-invalid-pointer, and rust/access-after-lifetime-ended queries to reduce false positives.
  • Extended the rust/hard-coded-cryptographic-value query with new heuristic sinks identifying passwords, initialization vectors, nonces, and salts.

For a full list of changes, please refer to the complete changelog for version 2.24.0. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.24.0 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.
