v2.7.1
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.
Potentially breaking changes
- Previously, `codeql test run` would fall back to looking for an accompanying `queries.xml` file if it found a `qlpack.yml` that did not declare an extractor to use when extracting a test database. This fallback has been removed because the internal use cases that necessitated it have now been removed. If you suddenly encounter errors that complain of missing extractor declarations, check whether you had a `queries.xml` you were inadvertently relying on.
- When queries are specified by naming a directory to scan for `*.ql` files, subdirectories named `.codeql` will now be ignored. The new QL packaging support uses subdirectories with this name for various scratch and caching purposes, so they may contain `*.ql` files that are not intended to be directly user-visible.
- When copying dependencies for CodeQL packages into a query pack bundle, `*.ql` files in these dependencies will now be included inside the query pack's `.codeql` directory.
- The tables printed by `codeql database analyze` to summarize the results of diagnostic and metric queries that were part of the analysis have a new format and contain less (but hopefully more pertinent) information. We recommend against attempting to parse this human-readable output programmatically. Instead, use the `runs[].tool.driver.invocations[].toolExecutionNotifications` property in the SARIF output.
- The experimental plumbing command `codeql pack packlist` has a new format for its JSON results. Previously, the results were a list of paths. Now, the results are an object with a single property `paths` that contains the list of paths.
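The recommendation above is to read analysis diagnostics from the SARIF property `runs[].tool.driver.invocations[].toolExecutionNotifications` rather than scraping the human-readable table. The following is an added example (not part of the release notes or the CodeQL CLI) of a small consumer that does exactly that: it walks every run and invocation, collects each notification's level, descriptor id and message, and returns a summary that a CI step could use to fail a job when extraction problems were reported. The embedded SARIF document and the descriptor ids in it are constructed for this example and are not real CodeQL output; the key names used (`runs`, `tool.driver.invocations`, `executionSuccessful`, `toolExecutionNotifications`, `level`, `descriptor.id`, `message.text`) are standard SARIF 2.1.0 properties.

```python
import json
from collections import Counter

# Constructed sample SARIF 2.1.0 document for this example. Only the fields
# read below are populated; the descriptor ids are placeholders, not real
# CodeQL diagnostic query ids.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL",
            "invocations": [{
                "executionSuccessful": True,
                "toolExecutionNotifications": [
                    {
                        "level": "note",
                        "descriptor": {"id": "example/diagnostics/files-extracted"},
                        "message": {"text": "Successfully extracted 120 files."},
                    },
                    {
                        "level": "warning",
                        "descriptor": {"id": "example/diagnostics/extraction-errors"},
                        "message": {"text": "3 files had extraction errors."},
                    },
                    {
                        # No explicit level: treated as a warning below.
                        "descriptor": {"id": "example/diagnostics/unlevelled"},
                        "message": {"text": "Notification without a level field."},
                    },
                ],
            }],
        }},
    }],
})


def tool_notifications(sarif):
    """Yield one flat record per toolExecutionNotification in the document.

    Every level of the path is optional in SARIF, so each lookup falls back
    to an empty container rather than raising on partial output.
    """
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        for invocation in driver.get("invocations", []):
            for note in invocation.get("toolExecutionNotifications", []):
                yield {
                    # A missing level is treated as a warning here so that
                    # it is never silently ignored by a gating policy.
                    "level": note.get("level", "warning"),
                    "id": note.get("descriptor", {}).get("id", ""),
                    "text": note.get("message", {}).get("text", ""),
                }


def summarize(sarif_text, fail_on=("error", "warning")):
    """Parse SARIF text and return counts per level plus the notifications
    whose level is in `fail_on`, together with whether every invocation
    reported executionSuccessful (absent means success per the spec default).
    """
    sarif = json.loads(sarif_text)
    notes = list(tool_notifications(sarif))
    invocations = [
        inv
        for run in sarif.get("runs", [])
        for inv in run.get("tool", {}).get("driver", {}).get("invocations", [])
    ]
    return {
        "counts": dict(Counter(n["level"] for n in notes)),
        "failing": [n for n in notes if n["level"] in fail_on],
        "execution_successful": all(inv.get("executionSuccessful", True) for inv in invocations),
    }


def should_fail_build(sarif_text):
    """CI-style gate: fail if any invocation failed or any notification
    reached the configured failing levels."""
    summary = summarize(sarif_text)
    return (not summary["execution_successful"]) or bool(summary["failing"])


if __name__ == "__main__":
    result = summarize(SAMPLE_SARIF)
    for level, count in sorted(result["counts"].items()):
        print(f"{level}: {count}")
    for note in result["failing"]:
        print(f"[{note['level']}] {note['id']}: {note['text']}")
    print("fail build:", should_fail_build(SAMPLE_SARIF))
```

The gate treats a notification with no `level` as a warning rather than dropping it, so a diagnostic that the tool did not classify still surfaces; tighten or loosen `fail_on` to match how much extraction loss your pipeline tolerates.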
Deprecations
- The output formats SARIF v1.0.0 and SARIF v2.0.0 (Committee Specification Draft 1) have been deprecated. They will be removed in a later version (earliest 2.8.0). If you need this functionality, please file a public issue against https://github.com/github/codeql-cli-binaries, or open a private ticket with GitHub Support and request an escalation to engineering.
- The `qlpack:` instruction in query suite definitions has been deprecated due to uncertainty about whether it is intended to include all the `*.ql` files in the named pack, or only the pack's "default query suite". The behavior of the instruction is determined by whether the named pack declares any default query suite, but this means that a pack starting to declare such a suite may break the behavior of existing query suites that reference the pack from outside.
Bugs fixed
- The `paths` and `paths-ignore` properties of a Code Scanning config file specified using `--codescanning-config` were being interpreted the wrong way around.
- Queries specified using the `--codescanning-config` option could not be run after an explicit call to `codeql database finalize`.
- `-J` options would erroneously be recognized even after `--` on the command line.
- When running `codeql database analyze` and `codeql database interpret-results` without the `--sarif-group-rules-by-pack` flag, the SARIF output did not include baseline lines-of-code counts.
- Expansion of query suites would sometimes fail if a query suite in a compiled query pack referenced that pack itself explicitly.
New language features
- Set literal expressions can now optionally contain a trailing comma after the last element.
New features
- Beta support for database creation on Apple Silicon, with certain requirements (see the full changelog).
- `codeql database analyze` can now include query-specific help texts for alerts in the SARIF output (for SARIF v2.1.0 or later). The help text must be located in an `.md` file next to (and with the same basename as) the `.ql` file for each query. Since this can significantly increase SARIF file size, the feature is not enabled by default; give a `--sarif-add-query-help` option to enable it.
- The query metadata validator now knows about queries that produce alert scores, so these queries no longer need to be run with a `--no-metadata-verification` flag.
- `codeql database create` and `codeql-finalize` have a new flag `--skip-empty` that will cause a language with no extracted source code to be ignored with a warning instead of treated as a fatal error. This can be useful with `--db-cluster` where not all of the languages may exist in the source tree. It will not be possible to run queries against the skipped database.
- `codeql resolve extractor` and `codeql resolve languages` now support an extended output format `--format=betterjson` which includes information about each extractor's language-specific options.
- Rudimentary support for parallelizing database creation by importing unfinished databases (or database clusters) into another unfinished database (or cluster) under creation.
- `codeql database create`, `codeql database index-files`, and `codeql database trace-command` support a unified syntax for passing language-specific options to the extractor with the new `--extractor-option` and `--extractor-options-file` options.
For more information about the changes included in this release, see the CodeQL CLI changelog.
You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.