Skip to content

Chore/update codeql cli 2.24.3 - fix failing tests#180

Merged
felickz merged 6 commits into
mainfrom
chore/update-codeql-cli-2.24.3
Jul 11, 2026
Merged

Chore/update codeql cli 2.24.3 - fix failing tests#180
felickz merged 6 commits into
mainfrom
chore/update-codeql-cli-2.24.3

Conversation

@felickz

@felickz felickz commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

This pull request includes a version bump for the release configuration and several updates to expected test output files, primarily to reflect deprecation warnings and to clean up redundant or outdated entries. The changes also remove deprecated or unnecessary taint tracking and provenance edges from the SpringUrlRedirect test, simplifying the test output.

Release configuration:

  • Updated .release.yml to bump the version from 0.5.0 to 0.5.1.

Test output updates:

  • Added deprecation warnings for predicates and types in JxBrowserWithoutCertValidation.expected and LoadClassNoSignatureCheck.expected test files. [1] [2] [3]
  • Removed deprecated or unnecessary edges, model summaries, and node labels related to taint tracking and provenance from SpringUrlRedirect.expected to reflect code or model changes. [1] [2] [3]
  • Cleaned up duplicate or outdated #select entries in LoadClassNoSignatureCheck.expected.

felickz and others added 2 commits July 11, 2026 01:54
- java/src/library_sources/ExternalAPIs.qll: rename applyManualModel()
  to hasManualModel() on SummarizedCallable (method was removed in
  java-all 8.1.1)
- python/lib/ghsl/MassAssignment.qll: replace deprecated Value type and
  CallNode with DataFlow::MethodCallNode (Value is no longer re-exported
  from python.qll in python-all 7.0.0)

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 11, 2026 03:16
@felickz felickz changed the title Chore/update codeql cli 2.24.3 Chore/update codeql cli 2.24.3 - continued Jul 11, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates this repository’s CodeQL CLI pin and aligns the community packs’ declared dependencies/locks with the newer CodeQL library set, including a couple of small QL source updates needed for compatibility.

Changes:

  • Bump pinned CodeQL CLI version to 2.24.3 and release version to 0.5.0.
  • Update language pack qlpack.yml dependencies and codeql-pack.lock.yml lockfiles across Ruby, Python, JavaScript, Java, Go, C#, and C++.
  • Adjust QL code in Python (MassAssignment.qll) and Java (ExternalAPIs.qll) to match updated library APIs.
Show a summary per file
File Description
ruby/test/qlpack.yml Bumps Ruby test pack dependencies.
ruby/test/codeql-pack.lock.yml Updates Ruby test pack dependency lock versions.
ruby/src/qlpack.yml Bumps Ruby queries pack version/dependency.
ruby/src/codeql-pack.lock.yml Updates Ruby queries pack dependency lock versions.
ruby/lib/qlpack.yml Bumps Ruby libs pack version/dependency.
ruby/lib/codeql-pack.lock.yml Updates Ruby libs pack dependency lock versions.
python/test/qlpack.yml Bumps Python test pack dependencies.
python/test/codeql-pack.lock.yml Updates Python test pack dependency lock versions.
python/src/qlpack.yml Bumps Python queries pack version/dependency.
python/src/codeql-pack.lock.yml Updates Python queries pack dependency lock versions.
python/lib/qlpack.yml Bumps Python libs pack version/dependency.
python/lib/ghsl/MassAssignment.qll Updates call matching logic for __setattr__ to newer dataflow API.
python/lib/codeql-pack.lock.yml Updates Python libs pack dependency lock versions.
python/ext/qlpack.yml Bumps Python extensions pack version/target dependency.
javascript/test/qlpack.yml Bumps JavaScript test pack dependency.
javascript/test/codeql-pack.lock.yml Updates JavaScript test pack dependency lock versions.
javascript/src/qlpack.yml Bumps JavaScript queries pack version/dependency.
javascript/src/codeql-pack.lock.yml Updates JavaScript queries pack dependency lock versions.
javascript/lib/qlpack.yml Bumps JavaScript libs pack version/dependency.
javascript/lib/codeql-pack.lock.yml Updates JavaScript libs pack dependency lock versions.
java/test/qlpack.yml Bumps Java test pack dependency.
java/test/codeql-pack.lock.yml Updates Java test pack dependency lock versions.
java/src/qlpack.yml Bumps Java queries pack version/dependency.
java/src/library_sources/ExternalAPIs.qll Updates manual-model detection to newer FlowSummary API.
java/src/codeql-pack.lock.yml Updates Java queries pack dependency lock versions.
java/lib/qlpack.yml Bumps Java libs pack version/dependency.
java/lib/codeql-pack.lock.yml Updates Java libs pack dependency lock versions.
java/ext/qlpack.yml Bumps Java extensions pack version/target dependency.
java/ext-library-sources/qlpack.yml Bumps Java library-sources pack version/target dependency.
go/test/qlpack.yml Bumps Go test pack dependency.
go/test/codeql-pack.lock.yml Updates Go test pack dependency lock versions.
go/src/qlpack.yml Bumps Go queries pack version/dependency.
go/src/codeql-pack.lock.yml Updates Go queries pack dependency lock versions.
go/lib/qlpack.yml Bumps Go libs pack version/dependency.
go/lib/codeql-pack.lock.yml Updates Go libs pack dependency lock versions.
go/ext/qlpack.yml Bumps Go extensions pack version/target dependency.
csharp/test/qlpack.yml Bumps C# test pack dependencies.
csharp/test/codeql-pack.lock.yml Updates C# test pack dependency lock versions.
csharp/src/qlpack.yml Bumps C# queries pack version/dependencies.
csharp/src/codeql-pack.lock.yml Updates C# queries pack dependency lock versions.
csharp/lib/qlpack.yml Bumps C# libs pack version/dependency.
csharp/lib/codeql-pack.lock.yml Updates C# libs pack dependency lock versions.
csharp/ext/qlpack.yml Bumps C# extensions pack version/target dependency.
csharp/ext-library-sources/qlpack.yml Bumps C# library-sources pack version/target dependency.
cpp/test/qlpack.yml Bumps C++ test pack dependencies.
cpp/test/codeql-pack.lock.yml Updates C++ test pack dependency lock versions.
cpp/src/qlpack.yml Bumps C++ queries pack version/dependencies.
cpp/src/codeql-pack.lock.yml Updates C++ queries pack dependency lock versions.
cpp/lib/qlpack.yml Bumps C++ libs pack version/dependency.
cpp/lib/codeql-pack.lock.yml Updates C++ libs pack dependency lock versions.
.release.yml Bumps overall release version to 0.5.0.
.codeqlversion Pins CodeQL CLI version to 2.24.3.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 52/52 changed files
  • Comments generated: 0
  • Review effort level: Low

@felickz

felickz commented Jul 11, 2026

Copy link
Copy Markdown
Contributor Author

@copilot there are a few failing tests for java .. can you fix them?

https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/actions/runs/29137743408/job/86505178781#step:7:253

at least these say failing:

13 tests passed; 1 tests failed:
FAILED: /home/runner/work/CodeQL-Community-Packs/CodeQL-Community-Packs/java/test/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.qlref

Completed in 17m29s (extract 1m29s comp 14m14s eval 1m1s).
13 tests passed; 1 tests failed:
FAILED: /home/runner/work/CodeQL-Community-Packs/CodeQL-Community-Packs/java/test/security/CWE-601/SpringUrlRedirect.qlref

12 tests passed; 2 tests failed:
FAILED: /home/runner/work/CodeQL-Community-Packs/CodeQL-Community-Packs/java/test/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref
FAILED: /home/runner/work/CodeQL-Community-Packs/CodeQL-Community-Packs/java/test/security/CWE-470/LoadClassNoSignatureCheck.qlref

@felickz felickz changed the title Chore/update codeql cli 2.24.3 - continued Chore/update codeql cli 2.24.3 - fix failing tests Jul 11, 2026
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

Copilot AI commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

@copilot there are a few failing tests for java .. can you fix them?

https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/actions/runs/29137743408/job/86505178781#step:7:253
...

Fixed in commit e6094df.

I pulled failures from the validate step logs for run 29137743408 job 86507307048, reproduced all four failing Java tests locally, and updated only these expected files to match current CodeQL 2.24.3 output:

  • java/test/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected
  • java/test/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.expected
  • java/test/security/CWE-601/SpringUrlRedirect.expected
  • java/test/security/CWE-470/LoadClassNoSignatureCheck.expected

Re-ran the four tests locally and they all pass.

@felickz

felickz commented Jul 11, 2026

Copy link
Copy Markdown
Contributor Author

Did we lose any results? — verified, not just assumed: I diffed every .expected/.actual file changed across the whole v0.5.0 range and actually re-ran the affected CodeQL test suites locally with CLI 2.24.3 (codeql test run for CWE-601, CWE-470, CWE-295, CWE-915) — all 7 tests pass. Findings:

SpringUrlRedirect (CWE-601, Java): Same 13 #select alerts before and after. Only removed: 5 redundant edges/nodes lines and 1 MultiValueMap.add MaD model — this came from an upstream Java standard-library model change (not our fix), providing an alternate/duplicate path to the same already-detected sink. No alert lost.
LoadClassNoSignatureCheck (CWE-470, Java): Same single alert. Diff just reorders #select above edges/nodes (CodeQL's .expected format changed) and adds 3 new deprecation warnings (getAUse, SsaVariable) — pre-existing deprecated API usage in that query, unrelated to the fd4ff0a fix, now surfaced by the newer CLI. Still just warnings, not errors.
JxBrowserWithoutCertValidation (CWE-295, both versions): Same alert counts (1 and 0 respectively). Only a new deprecation warning for getResult was added.
Python MassAssignment tests: untouched by any .expected diff in this whole range, and I re-ran them — they still pass, including the setattr sink case that the MassAssignment.qll fix (Value/CallNode → DataFlow::MethodCallNode) specifically touches.
Conclusion: the query-logic fix is correct and no detection results (true positives) were dropped by either the code fix or the test-expected updates — the diffs are purely path-explanation noise and new (pre-existing, harmless) deprecation warnings. The real problem was process: #179 was merged before CI on the final commit had actually run/passed, which is why the follow-up fix (#180, this branch) was needed at all. Since this was investigation rather than a code change to this PR, I haven't made any edits or pushed anything as part of this response.

@felickz felickz merged commit aeca4c1 into main Jul 11, 2026
20 checks passed
@felickz felickz deleted the chore/update-codeql-cli-2.24.3 branch July 11, 2026 04:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants