GitHub
CodeQL 2.24.3 adds Java 26 support and improves security analysis accuracy
GitHub · release · feature · security · api · github.blog ↗

Overview

CodeQL 2.24.3 has been released with significant updates to language support and query accuracy. This incremental release improves the static analysis capabilities across multiple programming languages, ensuring developers get more reliable security scanning results through GitHub code scanning.

Language and Framework Updates

Java/Kotlin

  • Full support for Java 26 with intelligent Maven POM-based version detection
  • Automatic preference for Java 17+ across projects for improved build compatibility
  • Expanded modeling to cover both javax.* and jakarta.* namespace packages (note: this may increase Jakarta-related alerts)

JavaScript/TypeScript

  • Added support for React components wrapped with mobx-react and mobx-react-lite observers

C# 14

  • Support for the new field keyword in property declarations

Query and Security Improvements

Python: New SSRF sanitization barriers and guard condition handling for security checks

Ruby: Taint flow tracking through Shellwords.escape and Shellwords.shellescape methods

Rust: Support for neutral model extensibility to control generated source, sink, and flow summary models

C/C++: Reduced false positives in leap year arithmetic checking queries

Deployment and Updates

The new functionality is deployed automatically to GitHub code scanning users on github.com. GitHub Enterprise Server (GHES) users can upgrade their CodeQL version manually to access these improvements before they arrive in future GHES releases.