Releases: github/codeql-cli-binaries
v2.9.3
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.
New features
- Users can now use CodeQL Packaging Beta to publish and download CodeQL packs on GitHub Enterprise Server (GHES) versions 3.6 and later.
Bugs Fixed
- Fixed a bug where precompiled CodeQL packages in the CodeQL bundle were being recompiled if they were in a read-only directory.
- Fixed a bug where new versions of the VS Code extension wouldn't run two queries in parallel against one database.
For more information about the changes included in this release, see the CodeQL CLI changelog.
You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.
v2.9.2
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.
Features removed
- The table printed by codeql database analyze to summarize the results of metric queries that were part of the analysis now reports a single row per metric name independently of the verbosity level of the command. Previously, at higher verbosity levels, this table would contain multiple rows for metric names with multiple values.
New features
- The tables produced by codeql database analyze summarizing the results of any diagnostic and metric queries that were run now exclude the results of queries tagged telemetry.
- Uploading SARIF results using the codeql github upload-results command now has a timeout of 5 minutes.
- Downloading CodeQL packs using the codeql pack download, codeql pack install and related commands now have a timeout of 5 minutes and will retry 3 times before failing. Similar behavior has been added to the codeql pack publish command.
- The codeql generate log-summary command will now print progress updates to stderr.
Bugs fixed
- Fixed a bug that could make it unpredictable whether the QL compiler reports problems about query metadata tags, and thereby make codeql test run fail spuriously in some cases.
v2.9.1
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.
v2.9.0
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.
New features
- codeql database create now supports the --[no-]-count-lines option, which was previously only available with codeql database init.
- codeql resolve files and codeql database index-files have a new --also-match option, which allows users to specify glob patterns that are applied in conjunction with the existing --include option.
New language features
- This release introduces experimental support for parameterized QL modules. This language feature is still subject to change and should not be used in production yet.
Bugs fixed
- Fixed a bug that would prevent resolution of a query suite in a published CodeQL query pack that has a reference to the pack itself.
- Fixed inaccurate documentation of what the --include-extension option to codeql resolve files and codeql database index-files does. The actual behavior is unchanged.
v2.8.5
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.
- There are no user-facing changes in this release.
v2.8.4
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.
Bugs fixed
- Fixed an error where running out of memory during query evaluation would cause codeql to exit with status 34 instead of the 99 that is documented for this condition.
- Fixed a bug in our handling of Clang's header maps, which caused missing files for Xcode-based projects on macOS (e.g. WebKit).
v2.8.3
- This release of CodeQL (and all future ones) will not include the CodeQL runner, which is now deprecated. For more information, and instructions on how to migrate to using the CodeQL CLI, see CodeQL runner deprecation.
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.
New features
- Executable binaries for Windows are now digitally signed by a GitHub certificate.
Other changes
- The evaluator logs produced by --evaluator-log now default to the maximum verbosity level and will therefore contain more information (and, accordingly, grow larger). The verbosity level can still be configured with --evaluator-log-level. In particular, --evaluator-log-level=1 will restore the previous default behavior.
v2.8.2
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.
Potentially breaking change
- The support for the output formats SARIF v1.0.0 and SARIF v2.0.0 (Committee Specification Draft 1) that were deprecated in 2.7.1 has been removed.
New feature
- The CodeQL CLI is now compatible with Windows 11 and Windows Server 2022, including building databases for compiled languages.
v2.8.1
- Beware that the CodeQL build tracer in this release (and in all earlier CodeQL CLI releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. If you use any of these languages, please avoid these specific Windows versions until a new CodeQL CLI release fixes this incompatibility.
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.
New Features
- Commands that find or run queries now allow you to refer to queries within a named CodeQL pack.
Bugs fixed
- Fixed a bug that would sometimes cause query evaluation on M1-based Macs to crash with a "Did not preallocate enough memory" error.
v2.8.0
- Beware that the CodeQL build tracer in this release (and in all earlier CodeQL CLI releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. If you use any of these languages, please avoid these specific Windows versions until a new CodeQL CLI release fixes this incompatibility.
- The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.
Breaking change
- The CodeQL Action versions up to and including version 1.0.22 are not compatible with the CodeQL CLI 2.8.0 and later. The CLI will emit an error if it detects that it is being used by an incompatible version of the codeql-action.
New features
- A new extractor option has been added to the Java extractor. The flag --extractor-option exclude='<glob>' allows specifying a glob that describes which paths need to be excluded from extraction but still need to be compiled. This is useful when some files are necessary for a successful build but are uninteresting for analysis. See also: https://codeql.github.com/docs/codeql-cli/extractor-options/
- Summary metrics can now associate messages with their results, for instance to report the name and number of uses of a particular API endpoint within a repository. To associate messages with summary metrics, define a query with @kind metric and @tags summary metadata and use either the location, message, value or the message, value results pattern.
Bug fixed
- Fixed a bug where codeql resolve upgrades ignores the --target-dbscheme option.