No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

• The query go/incorrect-integer-conversion has now been restricted to only use flow through value-preserving steps. This reduces false positives, especially around type switches.

No user-facing changes.

• The query go/incomplete-hostname-regexp now recognizes more sources involving concatenation of string literals and also follows flow through string concatenation. This may lead to more alerts.
• Added some more barriers to flow for go/incorrect-integer-conversion to reduce false positives, especially around type switches.

No user-facing changes.

• The query "Slice memory allocation with excessive size value" (go/uncontrolled-allocation-size) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @Malayke.

• The query go/hardcoded-credentials no longer discards string literals based on "weak password" heuristics.
• The query go/sql-injection now recognizes more sinks in the package github.com/Masterminds/squirrel.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The query "Missing JWT signature check" (go/missing-jwt-signature-check) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @am0o0.

• The query "Use of a hardcoded key for signing JWT" (go/hardcoded-key) has been promoted from experimental to the main query pack. Its results will now appear by default as part of go/hardcoded-credentials. This query was originally submitted as an experimental query by @porcupineyhairs.

No user-facing changes.

• The query go/insecure-randomness now recognizes the selection of candidates from a predefined set using a weak RNG when the result is used in a sensitive operation. Also, false positives have been reduced by adding more sink exclusions for functions in the crypto package not related to cryptographic operations.
• Added more sources and sinks to the query go/clear-text-logging.

• There was a bug in the query go/incorrect-integer-conversion which meant that upper bound checks using a strict inequality (<) and comparing against math.MaxInt or math.MaxUint were not considered correctly, which led to false positives. This has now been fixed.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The query go/incorrect-integer-conversion now correctly recognizes more guards of the form if val <= x to protect a conversion uintX(val).

• The query "Incorrect conversion between integer types" (go/incorrect-integer-conversion) has been improved. It can now detect parsing an unsigned integer type (like uint32) and converting it to the signed integer type of the same size (like int32), which may lead to more results. It also treats int and uint more carefully, which may lead to more results or fewer incorrect results.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The query "Arbitrary file write during zip extraction ("zip slip")" (go/zipslip) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The receiver arguments of net/http.Header.Set and .Del are no longer flagged by query go/untrusted-data-to-external-api.

No user-facing changes.

No user-facing changes.

• The query go/incorrect-integer-conversion now correctly recognizes guards of the form if val <= x to protect a conversion uintX(val) when x is in the range (math.MaxIntX, math.MaxUintX].

• Added a new query, go/unhandled-writable-file-close, to detect instances where writable file handles are closed without appropriate checks for errors.

• The precision of the go/log-injection query was decreased from high to medium, since it may not be able to identify every way in which log data may be sanitized. This also aligns it with the precision of comparable queries for other languages.

No user-facing changes.

• Replacing "\r" or "\n" using the functions strings.ReplaceAll, strings.Replace, strings.Replacer.Replace and strings.Replacer.WriteString has been added as a sanitizer for the queries "Log entries created from user input".
• The functions strings.Replacer.Replace and strings.Replacer.WriteString have been added as sanitizers for the query "Potentially unsafe quoting".

• The AlertSuppression.ql query has been updated to support the new // codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy // lgtm and // lgtm[query-id] comments can now also be placed on the line before an alert.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• Query go/clear-text-logging now excludes GetX methods of protobuf Message structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.

• The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.

No user-facing changes.

• Added the security-severity tag and CWE tag to the go/insecure-hostkeycallback query.

• The alert message of many queries have been changed to make the message consistent with other languages.

• The query go/path-injection no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.

• Added a new query, go/unexpected-nil-value, to find calls to Wrap from pkg/errors where the error argument is always nil.

• Fixed sanitization by calls to strings.Replace and strings.ReplaceAll in queries go/log-injection and go/unsafe-quoting.

• A new query Log entries created from user input (go/log-injection) has been added. The query reports user-provided data reaching calls to logging methods.

• A new query "Log entries created from user input" (go/log-injection) has been added. The query reports user-provided data reaching calls to logging methods.

• The query "Incorrect conversion between integer types" has been improved to treat math.MaxUint and math.MaxInt as the values they would be on a 32-bit architecture. This should lead to fewer false positive results.