
The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.

New features

  • codeql database create now supports the --[no-]count-lines option, which was previously only available with codeql database init.

  • codeql resolve files and codeql database index-files have a new --also-match option, which allows users to specify glob patterns that are applied in conjunction with the existing --include option.

New language features

  • This release introduces experimental support for parameterized QL modules. This language feature is still subject to change and should not be used in production yet.

Bugs fixed

  • Fixed a bug that would prevent resolution of a query suite in a published CodeQL query pack that has a reference to the pack itself.

  • Fixed inaccurate documentation of what the --include-extension option to codeql resolve files and codeql database index-files does. The actual behavior is unchanged.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

74b59f9
  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.30) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.30 instance, you need to create them with release 2.7.6.

  • There are no user-facing changes in this release.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

339acad
  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.

Bugs fixed

  • Fixed an error where running out of memory during query evaluation would cause codeql to exit with status 34 instead of the 99 that is documented for this condition.

  • Fixed a bug in our handling of Clang's header maps, which caused missing files for Xcode-based projects on macOS (e.g. WebKit).

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

  • This release of CodeQL (and all future ones) will not include the CodeQL runner, which is now deprecated. For more information, and instructions on how to migrate to using the CodeQL CLI, see CodeQL runner deprecation.

  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.

New features

  • Executable binaries for Windows are now digitally signed by a GitHub certificate.

Other changes

  • The evaluator logs produced by --evaluator-log now default to the maximum verbosity level and will therefore contain more information (and, accordingly, grow larger). The verbosity level can still be configured with --evaluator-log-level. In particular, --evaluator-log-level=1 will restore the previous default behavior.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.

Potentially breaking change

  • The support for the output formats SARIF v1.0.0 and SARIF v2.0.0 (Committee Specification Draft 1) that were deprecated in 2.7.1 has been removed.

New feature

  • The CodeQL CLI is now compatible with Windows 11 and Windows Server 2022, including building databases for compiled languages.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

76ac347
  • Beware that the CodeQL build tracer in this release (and in all earlier CodeQL CLI releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. If you use any of these languages, please avoid these specific Windows versions until a new CodeQL CLI release fixes this incompatibility.

  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.

New Features

  • Commands that find or run queries now allow you to refer to queries within a named CodeQL pack.

Bugs fixed

  • Fixed a bug that would sometimes cause query evaluation on M1-based Macs to crash with a "Did not preallocate enough memory" error.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

  • Beware that the CodeQL build tracer in this release (and in all earlier CodeQL CLI releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. If you use any of these languages, please avoid these specific Windows versions until a new CodeQL CLI release fixes this incompatibility.

  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.29) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.29 instance, you need to create them with release 2.6.3.

Breaking change

  • The CodeQL Action versions up to and including version 1.0.22 are not compatible with the CodeQL CLI 2.8.0 and later. The CLI will emit an error if it detects that it is being used by an incompatible version of the codeql-action.

New features

  • A new extractor option has been added to the Java extractor. The flag --extractor-option exclude='<glob>' allows specifying a glob that describes which paths need to be excluded from extraction but still need to be compiled. This is useful when some files are necessary for a successful build but are uninteresting for analysis.

    See also: https://codeql.github.com/docs/codeql-cli/extractor-options/

  • Summary metrics can now associate messages with their results, for instance to report the name and number of uses of a particular API endpoint within a repository. To associate messages with summary metrics, define a query with @kind metric and @tags summary metadata and use either the location, message, value or the message, value results pattern.

Bug fixed

  • Fixed a bug where codeql resolve upgrades ignored the --target-dbscheme option.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

5afcd85
  • Beware that the CodeQL build tracer in this release (and in all earlier CodeQL CLI releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. If you use any of these languages, please avoid these specific Windows versions until a new CodeQL CLI release fixes this incompatibility.

  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.

Bug fixed

  • A bug where creation of a CodeQL database could sometimes fail with a NegativeArraySizeException has now been fixed.

New feature

  • The CLI and evaluator contain a number of new features in support of internal machine learning experiments. This includes an experimental resolve ml-models subcommand and new mlModels metadata in pack definition files. As these new features are not yet ready for general use, they should be ignored by external CodeQL users.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

  • Beware that the CodeQL build tracer in this release (and in all earlier CodeQL CLI releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. If you use any of these languages, please avoid these specific Windows versions until a new CodeQL CLI release fixes this incompatibility.

  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.

Deprecation

  • The CodeQL Action versions up to and including version 1.0.22 are now deprecated for use with CodeQL CLI 2.7.5 and later. The CLI will emit a warning if it detects that it is being used by a deprecated version of the codeql-action. This warning will become a fatal error with version 2.8.0 of the CLI.

New feature

  • The codeql github upload-results command will now print the API response body in JSON format if a --format=json flag is given. Otherwise the command will print the URL of the SARIF upload. This URL can be used to get status information for the upload.

    See also: https://docs.github.com/en/rest/reference/code-scanning

Documentation fixes

  • The documentation for the --trace-process-level flag of codeql database init (which is used with indirect build tracing on Windows) was erroneous.

    The help text previously claimed that --trace-process-level=1 would inject CodeQL's build tracer into the calling process. This is actually what --trace-process-level=0 achieves. The help text has now been corrected to match the actual (unchanged) behavior.

    Also, some log messages incorrectly stated which process CodeQL was injected into. These have also been corrected.

Other changes

  • For commands that run queries, the --timeout option now controls the maximal time it may take to evaluate a "layer" of a query rather than a "stage". There are usually many "layers" in each "stage", but it is usually a single one of the layers in a stage that uses most of the time, so there is no need to reduce existing timeout values as a result of this change.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

e7a42a0
  • The bundled extractors are updated to match the versions currently used on LGTM.com. These are newer than the last release (1.28) of LGTM Enterprise. If you plan to upload databases to an LGTM Enterprise 1.28 instance, you need to create them with release 2.5.9.

Potentially breaking changes

  • The experimental command-line option --ml-model-path that was introduced to support internal experiments has been removed.

Bugs fixed

  • Editing support (content assist, code navigation, etc.) in files under the .github directory will now work properly. This is because files under the .github directory will now be indexed and processed by the CodeQL language server. Other hidden directories that start with . will remain un-indexed. This affects the vscode-codeql extension and any other IDE extension that uses the CodeQL language server.

  • Fixed authentication with GitHub package registries via the GITHUB_TOKEN environment variable and the --github-auth-stdin flag when downloading and publishing packs.

  • Fixed an incompatibility with glibc version 2.34 on Linux, where build tracing failed with an error message.

  • Fixed a bug where codeql generate log-summary could sometimes fail with a JsonMappingException.

New features

  • The CodeQL CLI for macOS now ships with a native Java virtual machine for M1 Macs, and this will be used by default where applicable to run the CodeQL engine, thus improving performance. Rosetta 2 is still required as not all components of the CodeQL CLI are natively compiled.

  • Commands that execute queries will now exit with status code 34 if certain errors that prevent the evaluation of one or more individual queries are detected. Previously some of these errors would crash the evaluator and exit with status code 100.

    (This is currently used for "external predicate not found" errors).
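
As an added example (not code from the CodeQL project), a CI wrapper that fails closed on the exit statuses these notes describe: 34 when one or more queries could not be evaluated, 99 for running out of memory during evaluation, and 100 for an evaluator crash. The function names and the gate's own return codes 2, 3 and 4 are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: CI gate for the CodeQL CLI exit statuses named in these notes.
# Statuses 34, 99 and 100 come from the release notes; the function names and
# the gate's own return codes (2, 3, 4) are assumptions of this example.
# Usage: run_gated codeql database analyze <database> <queries> ...

# Map a codeql exit status to a verdict word.
classify_codeql_status() {
  case "$1" in
    0)   echo "ok" ;;
    34)  echo "incomplete" ;;       # one or more queries could not be evaluated
    99)  echo "out-of-memory" ;;    # documented status for OOM during evaluation
    100) echo "evaluator-crash" ;;  # the evaluator itself crashed
    *)   echo "other-failure" ;;
  esac
}

# Run the given command and fail closed: anything other than status 0 means
# the result set may be partial and must not count as a clean scan.
run_gated() {
  local status=0 verdict
  "$@" || status=$?
  verdict=$(classify_codeql_status "$status")
  case "$verdict" in
    ok)
      return 0 ;;
    incomplete)
      echo "gate: status 34, some queries were not evaluated; results are partial" >&2
      return 2 ;;
    out-of-memory)
      echo "gate: status 99, out of memory; rerun with more memory before trusting results" >&2
      return 3 ;;
    *)
      echo "gate: status $status ($verdict), analysis did not complete" >&2
      return 4 ;;
  esac
}
```

Before the fix described in the release notes above that mention status 99, an out-of-memory condition surfaced as 34, so a gate on those older releases cannot distinguish the two cases by status alone.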

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.