• The class Fmt::AppenderOrSprinter of the Fmt.qll module has been deprecated. Use the new Fmt::AppenderOrSprinterFunc class instead. Its taint flow features have been migrated to models-as-data.

• Deleted many deprecated predicates and classes with uppercase TLD, HTTP, SQL, URL etc. in their names. Use the PascalCased versions instead.
• Deleted the deprecated and unused Source class from the SharedXss module of Xss.qll
• Support for flow sources in AWS Lambda function handlers has been added.
• Support for the fasthttp framework has been added.

• The diagnostic query go/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned Go files, now considers any Go file seen during extraction, even one with some errors, to be extracted / scanned.
• The XPath library, which is used for the XPath injection query (go/xml/xpath-injection), now includes support for Parser sinks from the libxml2 package.
• CallNode::getACallee and related predicates now recognise more callees accessed via a function variable, in particular when the callee is stored into a global variable or is captured by an anonymous function. This may lead to new alerts where data-flow into such a callee is relevant.

No user-facing changes.

• A bug has been fixed that meant that value flow through a slice expression was not tracked correctly. Taint flow was tracked correctly.

• Added the gin-contrib/cors library to the experimental query "CORS misconfiguration" (go/cors-misconfiguration).

• A bug has been fixed that meant that value flow through an array was not tracked correctly in some circumstances. Taint flow was tracked correctly.

• Added Request.Cookie to reflected XSS sanitizers.

• Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing Callable. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results.

• Deleted the deprecated isBarrierGuard predicate from the dataflow library and its uses, use isBarrier and the BarrierGuard module instead.
• Support has been added for file system access sinks in the following libraries: net/http, Afero, beego, Echo, Fiber, Gin, Iris.
• Added GoKit.qll to go.qll enabling the GoKit framework by default

• Added Numeric and Boolean types to SQL injection sanitzers.

No user-facing changes.

• Added http.Error to XSS sanitzers.

No user-facing changes.

• Logrus' WithContext methods are no longer treated as if they output the values stored in that context to a log message.

• The DataFlow::StateConfigSig signature module has gained default implementations for isBarrier/2 and isAdditionalFlowStep/4. Hence it is no longer needed to provide none() implementations of these predicates if they are not needed.

• Data flow configurations can now include a predicate neverSkip(Node node) in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
• Parameter nodes now exist for unused parameters as well as used parameters.
• Add support for v4 of the Go Micro framework.
• Support for the Bun framework has been added.
• Support for gqlgen has been added.
• Support for the go-pg framework has been improved.

• The LogInjection::Configuration taint flow configuration class has been deprecated. Use the LogInjection::Flow module instead.

• When a result of path query flows through a function modeled using DataFlow::FunctionModel or TaintTracking::FunctionModel, the path now includes nodes corresponding to the input and output to the function. This brings it in line with functions modeled using Models-as-Data.

No user-facing changes.

No user-facing changes.

• Fixed data flow through variadic function parameters. The arguments corresponding to a variadic parameter are no longer returned by CallNode.getArgument(int i) and CallNode.getAnArgument(), and hence aren't ArgumentNodes. They now have one result, which is an ImplicitVarargsSlice node. For example, a call f(a, b, c) to a function f(T...) is treated like f([]T{a, b, c}). The old behaviour is preserved by CallNode.getSyntacticArgument(int i) and CallNode.getASyntacticArgument(). CallExpr.getArgument(int i) and CallExpr.getAnArgument() are unchanged, and will still have three results in the example given.

• Taking a slice is now considered a sanitizer for SafeUrlFlow.

• The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.

• Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular DataFlow::hasFlowPath, DataFlow::hasFlow, DataFlow::hasFlowTo, and DataFlow::hasFlowToExpr were accidentally exposed in a single version.

No user-facing changes.

• Added support for merging two PathGraphs via disjoint union to allow results from multiple data flow computations in a single path-problem query.

• The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.

No user-facing changes.

• Go 1.20 is now supported. The extractor now functions as expected when Go 1.20 is installed; the definition of implementsComparable has been updated according to Go 1.20's new, more-liberal rules; and taint flow models have been added for relevant, new standard-library functions.

• Support for the Twirp framework has been added.

No user-facing changes.

No user-facing changes.

• The signature of allowImplicitRead on DataFlow::Configuration and TaintTracking::Configuration has changed from allowImplicitRead(DataFlow::Node node, DataFlow::Content c) to allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).

• The BarrierGuard class has been deprecated. Such barriers and sanitizers can now instead be created using the new BarrierGuard parameterized module.

• The predicate getNumParameter on FuncTypeExpr has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. getNumParameterDecl has been introduced to preserve this functionality.
• The definition of mayHaveSideEffects for ReturnStmt was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstances globalValueNumber may have incorrectly treated two values as the same when they were in fact distinct.
• Queries that care about SQL, such as go/sql-injection, now recognise SQL-consuming functions belonging to the gorqlite and GoFrame packages.
• rsync has been added to the list of commands which may evaluate its parameters as a shell command.

• Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• Added support for BeegoInput.RequestBody as a source of untrusted data.

• Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

• Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release.
• Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
• Fixed data-flow to captured variable references.
• We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow.

• The BarrierGuard class has been deprecated. Such barriers and sanitizers can now instead be created using the new BarrierGuard parameterized module.

• Go 1.18 generics are now extracted and can be explored using the new CodeQL classes TypeParamDecl, GenericFunctionInstantiationExpr, GenericTypeInstantiationExpr, TypeSetTerm, and TypeSetLiteralType, as well as using new predicates defined on the existing InterfaceType. Class- and predicate-level documentation can be found in the Go CodeQL library reference.

• The method predicate getACalleeIncludingExternals on DataFlow::CallNode and the function viableCallable in DataFlowDispatch now also work for calls to functions via a variable, where the function can be determined using local flow.

• Fixed a bug where dataflow steps were ignored if both ends were inside the initialiser routine of a file-level variable.

• The codeql/go-upgrades CodeQL pack has been removed. All database upgrade scripts have been merged into the codeql/go-all CodeQL pack.

• Function's predicate getACall now returns more results in some situations. It now always returns callers that may call a method indirectly via an interface method that it implements. Previously this only happened if the method was in the source code being analysed.