Releases: github/codeql-cli-binaries

v2.11.2

25 Oct 08:39
7471af1

Breaking changes

  • Bundling and publishing a CodeQL pack will no longer include nested CodeQL packs. If you want to include a nested pack in your published pack, then you must explicitly include it using the include property in the top-level qlpack.yml file.

    For example, if your package structure looks like this:

    qlpack.yml
    nested-pack
       ∟ qlpack.yml
         query.ql
    

    then the contents of nested-pack will not be included by default within the published package. To include nested-pack, add an entry like this to the top level qlpack.yml file:

    include:
      - nested-pack/**

Bugs fixed

  • Using the --codescanning-config=<file> option in codeql database init will now correctly process the paths and pathsIgnore properties of the configuration file in a way that is identical to the behavior of the codeql-action. Previously, paths or pathsIgnore entries that end in /** or start with / were incorrectly rejected by the CLI.

  • Fixed a bug where the --compilation-cache option to codeql pack publish and codeql pack create was being ignored when creating a query pack. Now, the indicated cache is used when pre-compiling the queries in it.

  • Fixed a bug that would make the "Show DIL" command in the VSCode extension display nothing.

Other changes

  • Emit a detailed warning if package resolution fails, the legacy --search-path option is provided, and there is at least one referenced pack that does not use legacy package resolution. In this case, --additional-packs should be used to extend the search to additional directories, instead of --search-path.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.2.

v2.11.1

11 Oct 17:30
7471af1

Breaking changes

  • Pack installation using the CodeQL Packaging beta will now fail if a
    compatible version cannot be found. This replaces the previous
    behavior where codeql pack download and related commands would
    instead install the latest version of the pack in this situation.

Deprecations

  • The --[no-]count-lines option to codeql database create and
    related commands is now deprecated and will be removed in a future
    release of the CodeQL CLI (earliest 2.12.0). It is replaced by
    --[no-]calculate-baseline to reflect the additional baseline
    information that is now captured as of this release.

New features

  • codeql database analyze and related commands now support absolute
    paths containing the @ or : characters when specifying which queries
    to run. To reference a query file, directory, or suite whose path contains
    a literal @ or :, prefix the query specifier with path:, for example:
        codeql database analyze --format=sarif-latest --output=results <db> path:C:/Users/ci/workspace@2/security/query.ql

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.1.

v2.11.0

28 Sep 16:59

Deprecation

  • The CodeQL CLI now uses Python 3 to extract both Python 2 and Python 3 databases. Correspondingly, support for using Python 2 to extract Python databases is now deprecated. Starting with version 2.11.3, you will need to install Python 3 to extract Python databases.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.0.

v2.10.5

13 Sep 13:46
355609a

You can now define which registries should be used for downloading and publishing CodeQL packs on a per-workspace basis by creating a codeql-workspace.yml file and adding a registries block. For more information, see About CodeQL Workspaces.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.10.5.

v2.10.4

31 Aug 12:10

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.

  • This release does not include any user-facing changes.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.10.4.

v2.10.3

15 Aug 16:00

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.

New features

  • When called with --start-tracing, the codeql database init command now accepts extractor options for the indirect tracing environment via --extractor-option. Users should continue to specify extractor options for direct tracing environments by passing them to codeql database trace-command invocations.

Other changes

  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.10.3.

v2.10.2

02 Aug 16:34

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.

Breaking change

  • The option --compiler-spec to codeql database create (and codeql database trace-command) no longer works. It is replaced by --extra-tracing-config, which accepts a tracer configuration file in the new, Lua-based tracer configuration format instead.

Potentially breaking changes

  • Versions of the CodeQL extension for Visual Studio Code released before February 2021 may not work correctly with this CLI, in particular if database upgrades are necessary. We recommend keeping your VS Code extension up-to-date.

Deprecation

  • The experimental codeql resolve ml-models command has been deprecated. Advanced users calling this command should use the new codeql resolve extensions command instead.

New features

  • The codeql github upload-sarif command now supports a --merge option. If this option is provided, the command will accept the paths to multiple SARIF files, and will merge those files before uploading them as a single analysis.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.10.2.

(The Windows and all-platform release assets were updated on 2022-08-15 to correct missing digital signatures in the original release assets.)

v2.10.1

19 Jul 13:49
6998e5c

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.

New features

  • Improved error message from codeql database analyze when a query is missing @id or @kind query metadata.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.10.1.

(The Windows and all-platform release assets were updated on 2022-08-15 to correct missing digital signatures in the original release assets.)

v2.10.0

27 Jun 17:31

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.

Breaking changes

  • The --format=stats option of codeql generate log-summary has been renamed to --format=overall. It now produces a richer JSON object that, in addition to the previous statistics about the run (which can be found in the stats property), also records the most expensive predicates in the evaluation run.

Potentially breaking changes

  • The codeql resolve ml-model command now requires one or more query specifications as command line arguments in order to determine the set of starting packs from which to initiate the resolution process.

  • The buildMetadata inside of compiled CodeQL packs no longer contains a creationTime property.

  • The codeql pack download command, when used with the --dir option, now downloads requested packs in directories corresponding to their version numbers.

New features

  • You can now include diagnostic messages in the summary produced by the --print-diagnostics-summary option of the codeql database interpret-results and codeql database analyze commands by running these commands at high verbosity levels.

Bugs fixed

  • Fixed a bug where codeql pack download, when used with the --dir option, would not download a pack that is in the global package cache.

  • Fixed a bug where some versions of a CodeQL package could not be downloaded if there are more than 100 versions of this package in the package registry.

  • Fixed a bug where the --also-match option for codeql resolve files and codeql database index-files did not work with relative paths.

  • Fixed a bug that caused codeql query decompile to ignore the --output option when producing bytecode output (--kind=bytecode), writing only to stdout.

(The Windows and all-platform release assets were updated on 2022-08-15 to correct missing digital signatures in the original release assets.)

v2.9.4

20 Jun 11:35

The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.

New features

  • Users of CodeQL Packaging Beta can now optionally authenticate to Container registries on GitHub Enterprise Server (GHES) versions 3.6 and later using standard input instead of the CODEQL_REGISTRIES_AUTH environment variable. To authenticate via standard input, pass --registries-auth-stdin. The value you provide will override the value of the CODEQL_REGISTRIES_AUTH environment variable.

(The Windows and all-platform release assets were updated on 2022-08-15 to correct missing digital signatures in the original release assets.)