Language and Framework Support Updates

CodeQL 2.24.1 expands language coverage with support for Kotlin up to version 2.3.0, C23 and C++26 preprocessor directives, and C# 14 null-conditional assignments. Java developers benefit from added support for Struts 7.x package names. Note that support for older Kotlin versions (1.6.x and 1.7.x) has been discontinued.

Maven Registry Enhancements

A significant improvement for enterprise environments: Maven-compatible private package registries configured for an organization now automatically extend to Maven plugin repositories. This enables teams to obtain Maven plugins from private registries when using CodeQL's Default Setup, streamlining dependency management for organizations with internal registries.

Query Accuracy Improvements

Multiple queries receive accuracy enhancements to reduce false positives:

• C/C++: Fixed a GuardCondition library bug that prevented proper recognition of binary logical operators in guard conditions. Buffer size measurement improvements reduce false positives in overflow-related queries (cpp/static-buffer-overflow, cpp/overflow-buffer, cpp/badly-bounded-write, and related queries).
• Java: Improved accuracy in the java/unreleased-lock query.
• Python: New experimental py/prompt-injection query detects potential prompt injection vulnerabilities in LLM code.

Additional Improvements

Python models-as-data now supports referring to list elements via the ListElement path, and new taint flow models cover the agents and openai modules. A crash affecting GitHub Actions analysis of long ${{ ... }} expressions (around 300+ characters) has been fixed.

Deployment

CodeQL 2.24.1 is automatically deployed to GitHub.com users. GitHub Enterprise Server users on older versions can manually upgrade their CodeQL installation.