CodeQL 2.24.1 improves Maven private registry support and improves query accuracy

Published: February 6, 2026 at 07:05 PM EST

Source: GitHub Changelog

CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.24.1 (changelog), improving support for Maven private package registries, adding support for the latest version of Kotlin, and delivering various other enhancements that boost the accuracy of your code‑scanning results.

Language and framework support

Java/Kotlin

  • Kotlin versions up to 2.3.0 are now supported for analysis.
  • Added support for Struts 7.x package names in the Struts framework library.
  • When you configure Maven‑compatible private package registries for an organization that uses default setup, CodeQL now also configures Maven to use those registries as plugin repositories, so Maven plugins can be resolved from private registries as well as dependencies.
  • Note: As previously announced, support for the Kotlin 1.6.x and 1.7.x series has been dropped. (announcement)
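For readers unfamiliar with the distinction the Maven item above draws, this added illustration (not from the changelog and not the settings that CodeQL itself generates) shows a settings.xml in which one private registry serves both the dependency repositories and the plugin repositories, so plugin resolution does not silently fall back to a public registry; the registry URL, server id, profile id and environment variable names are placeholders.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <!-- Credentials are read from the environment, never committed to the repository. -->
  <servers>
    <server>
      <id>private-registry</id>
      <username>${env.MAVEN_REGISTRY_USER}</username>
      <password>${env.MAVEN_REGISTRY_TOKEN}</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>private-registry</id>
      <!-- Dependencies (artifacts referenced from <dependencies>) resolve here. -->
      <repositories>
        <repository>
          <id>private-registry</id>
          <url>https://registry.example.internal/maven2</url>
        </repository>
      </repositories>
      <!-- Plugins (compiler, surefire, etc.) use a separate repository list;
           without this block Maven would look for them elsewhere. -->
      <pluginRepositories>
        <pluginRepository>
          <id>private-registry</id>
          <url>https://registry.example.internal/maven2</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>private-registry</activeProfile>
  </activeProfiles>
</settings>
```

The `<server>` id must match the repository and pluginRepository ids for the credentials to be applied to both kinds of download.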

C/C++

  • Added support for C23 and C++26 #embed preprocessor directives.

C#

  • C# 14: Added support for null‑conditional assignments.

Python

  • It’s now possible to refer to list elements in the Python models‑as‑data language via the ListElement path.
  • Added taint‑flow and type models for the agents and openai modules, and modeled remote flow sources for the websockets package.

Query changes

C/C++

  • Fixed a bug in the GuardCondition library that sometimes prevented binary logical operators from being recognized as guard conditions. Queries using GuardCondition may now see improved results.
  • Improved accuracy of measuring buffer sizes, reducing false positives in the following queries:
    • cpp/static-buffer-overflow
    • cpp/overflow-buffer
    • cpp/badly-bounded-write
    • cpp/overrunning-write
    • cpp/overrunning-write-with-float
    • cpp/very-likely-overrunning-write

Java

  • Improved the accuracy of the java/unreleased-lock query.

Python

  • Added an experimental query py/prompt-injection to detect potential prompt‑injection vulnerabilities in code using LLMs.

GitHub Actions

  • Fixed a crash when analyzing a ${{ ... }} expression longer than ~300 characters.

For a full list of changes, please refer to the complete changelog for version 2.24.1. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.24.1 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.
