Release notes from codeql-cli-binaries

v2.24.3

2026-03-05T16:13:02Z

Release 2.24.3 (2026-03-05)

Bug Fixes

Fixed a race condition that could cause flaky failures in overlay CodeQL tests. Test extraction now skips *.testproj directories by name, preventing interference from concurrently cleaned-up test databases.
Fixed spurious "OOPS" warnings that could appear in help output for commands using mutually exclusive option groups, such as codeql query run.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.24.3.

v2.24.2

2026-02-20T11:23:39Z

Bug Fixes

Fixed SARIF output to generate RFC 1738 compatible file URIs. File URIs now always use the file:/// format instead of file:/ for better interoperability with SARIF consumers.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.24.2.

v2.24.1

2026-02-05T15:58:04Z

Miscellaneous

The vulnerable xwork-core 2.3.37 test dependency (CVE-2025-68493) has been removed. The CodeQL Java library has been updated to support both legacy Struts 2.x-6.x package names and Struts 7.x package names for analyzing user code.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.24.1.

v2.24.0

2026-01-26T12:45:46Z

Release 2.24.0 (2026-01-26)

Miscellaneous

The OWASP Java HTML Sanitizer library used by the CodeQL CLI for internal documentation generation commands has been updated to version 20260102.1.
The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.9.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.24.0.

v2.23.9

2026-01-09T17:33:33Z

Release 2.23.9 (2026-01-09)

Deprecations

Support for Kotlin version 1.6 and 1.7 has been deprecated and will be removed from CodeQL version 2.24.1. Starting with version 2.24.1, users will need to use Kotlin version >= 1.8 to extract Kotlin databases.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.9.

v2.23.8

2025-12-11T16:35:54Z

Release 2.23.8 (2025-12-10)

This release contains no CLI changes.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.8.

v2.23.7

2025-12-05T14:28:56Z

Release 2.23.7 (2025-12-05)

Deprecations

The --save-cache flag to codeql database run-queries and other commands that execute queries has been deprecated. This flag previously instructed the evaluator to aggressively write intermediate results to the disk cache, but now has no effect.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.7.

v2.23.6

2025-11-24T08:41:32Z

Breaking changes

The LGTM results format for uploading to LGTM has been removed.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.6.

v2.23.5

2025-11-13T20:58:49Z

Breaking changes

In order to make a @kind path-problem query diff-informed, the getASelectedSourceLocation and getASelectedSinkLocation predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink in addition to any other locations that are selected by the query. See the QLdoc for more details.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.5.

v2.23.3

2025-10-17T13:22:12Z

Breaking changes

The --permissive command line option has been removed from the C/C++ extractor, and passing the option will make the extractor fail. When calling the extractor directly, --permissive should no longer be passed.

Bugs fixed

Fixed a bug that made many codeql subcommands fail with the message not in while, until, select, or repeat loop on Linux or macOS systems where /bin/sh is zsh.

For more information about the changes included in this release, see the CodeQL CLI changelog.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.3.