CodeQL 2.24.3 adds Java 26 support and other improvements
Source: GitHub Changelog
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We've recently released CodeQL 2.24.3, which adds support for Java 26 and includes various improvements that enhance the accuracy of your code-scanning results.
Language and framework support
Java/Kotlin
- CodeQL now supports Java 26.
- Java analysis now selects the Java version to use based on the Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects when possible, improving build compatibility.
JavaScript/TypeScript
- Added support for React components wrapped by `observer` from `mobx-react` and `mobx-react-lite`.
Query changes
Python
- Added a new full SSRF sanitization barrier from the AntiSSRF library.
- When a guard such as `isSafe(x)` is defined, CodeQL now automatically handles `isSafe(x) == true` and `isSafe(x) != false`.
Ruby
- Taint flow is now tracked through `Shellwords.escape` and `Shellwords.shellescape` for all queries except command injection, where they are treated as sanitizers.
Java/Kotlin
- Expanded modeling that previously only covered Java EE packages beginning with `javax` to also include packages beginning with `jakarta`. This may increase the number of alerts for packages using the `jakarta` namespace.
Rust
- Added support for neutral models (`extensible: neutralModel`) to control where generated source, sink, and flow-summary models apply.
C/C++
- Improved the `cpp/leap-year/unchecked-after-arithmetic-year-modification` query to reduce false positives.
C#
- C# 14: Added support for the `field` keyword in properties.
For a full list of changes, see the complete changelog for version 2.24.3. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.24.3 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.