No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The go/cookie-http-only-not-set query has been promoted from the experimental query pack. This query was originally contributed to the experimental query pack by @edvraa.
• A new query go/cookie-secure-not-set has been added to detect cookies without the Secure flag set.
• Added a new query, go/weak-crypto-algorithm, to detect the use of a broken or weak cryptographic algorithm. A very simple version of this query was originally contributed as an experimental query by @dilanbhalla.
• Added a new query, go/weak-sensitive-data-hashing, to detect the use of a broken or weak cryptographic hash algorithm on sensitive data.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• filepath.IsLocal is now recognized as a sanitizer against path-traversal and related vulnerabilities.

• The tag quality has been added to multiple Go quality queries for consistency. They have all been given a tag for one of the two top-level categories reliability or maintainability, and a tag for a sub-category. See Query file metadata and alert message style guide for more information about these categories.
• The tag external/cwe/cwe-129 has been added to go/constant-length-comparison.
• The tag external/cwe/cwe-193 has been added to go/index-out-of-bounds.
• The tag external/cwe/cwe-197 has been added to go/shift-out-of-range.
• The tag external/cwe/cwe-248 has been added to go/redundant-recover.
• The tag external/cwe/cwe-252 has been added to go/missing-error-check and go/unhandled-writable-file-close.
• The tag external/cwe/cwe-480 has been added to go/mistyped-exponentiation.
• The tag external/cwe/cwe-570 has been added to go/impossible-interface-nil-check and go/comparison-of-identical-expressions.
• The tag external/cwe/cwe-571 has been added to go/negative-length-check and go/comparison-of-identical-expressions.
• The tag external/cwe/cwe-783 has been added to go/whitespace-contradicts-precedence.
• The tag external/cwe/cwe-835 has been added to go/inconsistent-loop-direction.
• The tag error-handling has been added to go/missing-error-check, go/unhandled-writable-file-close, and go/unexpected-nil-value.
• The tag useless-code has been added to go/useless-assignment-to-field, go/useless-assignment-to-local, go/useless-expression, and go/unreachable-statement.
• The tag logic has been removed from go/index-out-of-bounds and go/unexpected-nil-value.
• The tags call and defer have been removed from go/unhandled-writable-file-close.
• The tags correctness and quality have been reordered in go/missing-error-check and go/unhandled-writable-file-close.
• The tag maintainability has been changed to reliability for go/unhandled-writable-file-close.
• The tag order has been standardized to have quality first, followed by the top-level category (reliability or maintainability), then sub-category tags, and finally CWE tags.
• The description text has been updated in go/whitespace-contradicts-precedence to change "may even indicate" to "may indicate".

• Query (go/html-template-escaping-bypass-xss) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the html/template package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in github/codeql-go#493.

• The query go/hardcoded-credentials has been removed from all query suites.

• The tag external/cwe/cwe-20 has been removed from go/count-untrusted-data-external-api and the tag external/cwe/cwe-020 has been added.
• The tag external/cwe/cwe-20 has been removed from go/incomplete-hostname-regexp and the tag external/cwe/cwe-020 has been added.
• The tag external/cwe/cwe-20 has been removed from go/regex/missing-regexp-anchor and the tag external/cwe/cwe-020 has been added.
• The tag external/cwe/cwe-20 has been removed from go/suspicious-character-in-regex and the tag external/cwe/cwe-020 has been added.
• The tag external/cwe/cwe-20 has been removed from go/untrusted-data-to-external-api and the tag external/cwe/cwe-020 has been added.
• The tag external/cwe/cwe-20 has been removed from go/untrusted-data-to-unknown-external-api and the tag external/cwe/cwe-020 has been added.
• The tag external/cwe/cwe-90 has been removed from go/ldap-injection and the tag external/cwe/cwe-090 has been added.
• The tag external/cwe/cwe-74 has been removed from go/dsn-injection and the tag external/cwe/cwe-074 has been added.
• The tag external/cwe/cwe-74 has been removed from go/dsn-injection-local and the tag external/cwe/cwe-074 has been added.
• The tag external/cwe/cwe-79 has been removed from go/html-template-escaping-passthrough and the tag external/cwe/cwe-079 has been added.

No user-facing changes.

No user-facing changes.

• False positives in "Log entries created from user input" (go/log-injection) and "Clear-text logging of sensitive information" (go/clear-text-logging) which involved the verb %T in a format specifier have been fixed. As a result, some users may also see more alerts from the "Use of constant state value in OAuth 2.0 URL" (go/constant-oauth2-state) query.

No user-facing changes.

No user-facing changes.

• Added github.com/gorilla/mux.Vars to path sanitizers (disabled if github.com/gorilla/mix.Router.SkipClean has been called).

No user-facing changes.

No user-facing changes.

No user-facing changes.

• Added value flow models for functions in the slices package which do not involve the iter package.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The precision of the go/incorrect-integer-conversion-query query was decreased from very-high to high, since there is at least one known class of false positives involving dynamic bounds checking.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

• The query go/incorrect-integer-conversion has now been restricted to only use flow through value-preserving steps. This reduces false positives, especially around type switches.

No user-facing changes.

• The query go/incomplete-hostname-regexp now recognizes more sources involving concatenation of string literals and also follows flow through string concatenation. This may lead to more alerts.
• Added some more barriers to flow for go/incorrect-integer-conversion to reduce false positives, especially around type switches.

No user-facing changes.

• The query "Slice memory allocation with excessive size value" (go/uncontrolled-allocation-size) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @Malayke.

• The query go/hardcoded-credentials no longer discards string literals based on "weak password" heuristics.
• The query go/sql-injection now recognizes more sinks in the package github.com/Masterminds/squirrel.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The query "Missing JWT signature check" (go/missing-jwt-signature-check) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @am0o0.

• The query "Use of a hardcoded key for signing JWT" (go/hardcoded-key) has been promoted from experimental to the main query pack. Its results will now appear by default as part of go/hardcoded-credentials. This query was originally submitted as an experimental query by @porcupineyhairs.

No user-facing changes.

• The query go/insecure-randomness now recognizes the selection of candidates from a predefined set using a weak RNG when the result is used in a sensitive operation. Also, false positives have been reduced by adding more sink exclusions for functions in the crypto package not related to cryptographic operations.
• Added more sources and sinks to the query go/clear-text-logging.

• There was a bug in the query go/incorrect-integer-conversion which meant that upper bound checks using a strict inequality (<) and comparing against math.MaxInt or math.MaxUint were not considered correctly, which led to false positives. This has now been fixed.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The query go/incorrect-integer-conversion now correctly recognizes more guards of the form if val <= x to protect a conversion uintX(val).

• The query "Incorrect conversion between integer types" (go/incorrect-integer-conversion) has been improved. It can now detect parsing an unsigned integer type (like uint32) and converting it to the signed integer type of the same size (like int32), which may lead to more results. It also treats int and uint more carefully, which may lead to more results or fewer incorrect results.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The query "Arbitrary file write during zip extraction ("zip slip")" (go/zipslip) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The receiver arguments of net/http.Header.Set and .Del are no longer flagged by query go/untrusted-data-to-external-api.

No user-facing changes.

No user-facing changes.

• The query go/incorrect-integer-conversion now correctly recognizes guards of the form if val <= x to protect a conversion uintX(val) when x is in the range (math.MaxIntX, math.MaxUintX].

• Added a new query, go/unhandled-writable-file-close, to detect instances where writable file handles are closed without appropriate checks for errors.

• The precision of the go/log-injection query was decreased from high to medium, since it may not be able to identify every way in which log data may be sanitized. This also aligns it with the precision of comparable queries for other languages.

No user-facing changes.

• Replacing "\r" or "\n" using the functions strings.ReplaceAll, strings.Replace, strings.Replacer.Replace and strings.Replacer.WriteString has been added as a sanitizer for the queries "Log entries created from user input".
• The functions strings.Replacer.Replace and strings.Replacer.WriteString have been added as sanitizers for the query "Potentially unsafe quoting".

• The AlertSuppression.ql query has been updated to support the new // codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy // lgtm and // lgtm[query-id] comments can now also be placed on the line before an alert.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• Query go/clear-text-logging now excludes GetX methods of protobuf Message structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.

• The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.

No user-facing changes.

• Added the security-severity tag and CWE tag to the go/insecure-hostkeycallback query.

• The alert message of many queries have been changed to make the message consistent with other languages.

• The query go/path-injection no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.

• Added a new query, go/unexpected-nil-value, to find calls to Wrap from pkg/errors where the error argument is always nil.

• Fixed sanitization by calls to strings.Replace and strings.ReplaceAll in queries go/log-injection and go/unsafe-quoting.

• A new query Log entries created from user input (go/log-injection) has been added. The query reports user-provided data reaching calls to logging methods.

• A new query "Log entries created from user input" (go/log-injection) has been added. The query reports user-provided data reaching calls to logging methods.

• The query "Incorrect conversion between integer types" has been improved to treat math.MaxUint and math.MaxInt as the values they would be on a 32-bit architecture. This should lead to fewer false positive results.