CodeQL 2.24.3 adds Java 26 support and improves query accuracy across six languages
Source: GitHub (github.blog); tags: GitHub Dependabot, release, security, api

New Language Support

CodeQL 2.24.3 adds support for Java 26. Its Maven build logic now selects the Java version automatically from the POM files across a project's modules, and it prefers Java 17 or higher for Maven projects to improve build compatibility.

Enhanced Analysis Across Multiple Languages

The release includes targeted improvements across six languages:

  • JavaScript/TypeScript: Added support for React components wrapped by observer from mobx-react and mobx-react-lite
  • Python: New SSRF sanitization barrier from the AntiSSRF library; improved guard handling for patterns like isSafe(x) == true
  • Ruby: Now tracks taint flow through Shellwords.escape and Shellwords.shellescape
  • Java/Kotlin: Expanded modeling to cover packages beginning with jakarta in addition to javax (may increase alerts for Jakarta namespace packages)
  • C/C++: Improved the leap-year query to significantly reduce false positives
  • C#: Added support for the field keyword in C# 14 properties
  • Rust: New support for neutral models to control where generated source, sink, and flow summary models apply
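
As an added example (not code from the CodeQL project or from the AntiSSRF library named above), here is a hand-written Python SSRF guard in the isSafe(x) == true shape that the Python bullet refers to; is_safe, fetch, the host allowlist and the opener stand-in are all assumptions constructed for this example.

```python
# Added example: a validator used as a boolean guard in the
# `is_safe(x) == True` form. Names, allowlist and `opener` are constructed
# for illustration and are not part of CodeQL or AntiSSRF.
from ipaddress import ip_address
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of hosts this service may fetch from server-side.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def is_safe(url: str) -> bool:
    """Return True only for URLs that may be fetched on the server's behalf.

    Rejects non-HTTP schemes, embedded credentials (user@host tricks),
    raw IP literals such as 10.0.0.1 or [::1], and hosts off the allowlist.
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname         # already lower-cased, brackets stripped
    if not host:
        return False
    try:
        ip_address(host)          # any IP literal is refused outright
        return False
    except ValueError:
        pass
    return host in ALLOWED_HOSTS


def fetch(url: str, opener=None) -> str:
    """Guarded fetch. `opener` is a hypothetical stand-in for an HTTP client
    so the example runs offline; the default just echoes the URL."""
    if is_safe(url) == True:      # the `isSafe(x) == true` guard pattern
        opener = opener or (lambda u: f"fetched {u}")
        return opener(url)
    raise ValueError(f"refused to fetch {url!r}")
```

The comparison against True is deliberate: it is the guard shape the release note says CodeQL now recognises as a barrier, so flows that pass it are no longer reported as SSRF.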

Deployment and Upgrade Path

The new functionality is automatically deployed to GitHub code scanning users on github.com. GitHub Enterprise Server users can manually upgrade their CodeQL version, with the new features coming to future GHES releases. For detailed changes, refer to the complete CodeQL 2.24.3 changelog.