
Java and Kotlin queries for CodeQL analysis

Explore the queries that CodeQL uses to analyze code written in Java or Kotlin when you select the default or the security-extended query suite.

Who can use this feature?

CodeQL is available for the following repository types:

CodeQL includes many queries for analyzing Java and Kotlin code. All queries in the default query suite are run by default. If you choose to use the security-extended query suite, additional queries are run. For more information, see CodeQL query suites.

Built-in queries for Java and Kotlin analysis

This table lists the queries available with the latest release of the CodeQL action and CodeQL CLI. For more information, see CodeQL change logs in the CodeQL documentation site.

Query name | Related CWEs | Default | Extended | Copilot Autofix
TrustManager that accepts all certificates | 295
Android WebView that accepts all certificates | 295
Android debuggable attribute enabled | 489
Android fragment injection | 470
Android fragment injection in PreferenceActivity | 470
Android Intent redirection | 926, 940
Android Webview debugging enabled | 489
Arbitrary file access during archive extraction ("Zip Slip") | 022
Cleartext storage of sensitive information in cookie | 315
Cross-site scripting | 079
Depending upon JCenter/Bintray as an artifact repository | 1104
Deserialization of user-controlled data | 502
Detect JHipster Generator Vulnerability CVE-2019-16303 | 338
Disabled Netty HTTP header validation | 093, 113
Disabled Spring CSRF protection | 352
Exposed Spring Boot actuators | 200
Exposed Spring Boot actuators in configuration file | 200
Expression language injection (JEXL) | 094
Expression language injection (MVEL) | 094
Expression language injection (Spring) | 094
Failure to use HTTPS or SFTP URL in Maven artifact upload/download | 300, 319, 494, 829
Failure to use secure cookies | 614
Groovy Language injection | 094
HTTP response splitting | 113
Implicit narrowing conversion in compound assignment | 190, 192, 197, 681
Implicitly exported Android component | 926
Improper verification of intent by broadcast receiver | 925
Inefficient regular expression | 1333, 730, 400
Information exposure through a stack trace | 209, 497
Information exposure through an error message | 209
Insecure Bean Validation | 094
Insecure LDAP authentication | 522, 319
Insecure local authentication | 287
Insecure randomness | 330, 338
Intent URI permission manipulation | 266, 926
JNDI lookup with user-controlled name | 074
LDAP query built from user-controlled sources | 090
Missing JWT signature check | 347
OGNL Expression Language statement with user-controlled input | 917
Overly permissive regular expression range | 020
Partial path traversal vulnerability from remote | 023
Polynomial regular expression used on uncontrolled data | 1333, 730, 400
Query built from user-controlled sources | 089, 564
Reading from a world writable file | 732
Regular expression injection | 730, 400
Resolving XML external entity in user-controlled data | 611, 776, 827
Server-side request forgery | 918
Server-side template injection | 1336, 094
Uncontrolled command line | 078, 088
Uncontrolled data used in content resolution | 441, 610
Uncontrolled data used in path expression | 022, 023, 036, 073
Unsafe hostname verification | 297
URL forward from a remote source | 552
URL redirection from remote source | 601
Use of a broken or risky cryptographic algorithm | 327, 328
Use of a cryptographic algorithm with insufficient key size | 326
Use of a predictable seed in a secure random number generator | 335, 337
Use of externally-controlled format string | 134
Use of implicit PendingIntents | 927
Use of RSA algorithm without OAEP | 780
User-controlled data in numeric cast | 197, 681
User-controlled data used in permissions check | 807, 290
Using a static initialization vector for encryption | 329, 1204
XPath injection | 643
XSLT transformation with user-controlled stylesheet | 074
Access Java object methods through JavaScript exposure | 079
Android APK installation | 094
Android missing certificate pinning | 295
Android sensitive keyboard cache | 524
Android WebSettings file access | 200
Android WebView JavaScript settings | 079
Android WebView settings allows access to content links | 200
Application backup allowed | 312
Building a command line with string concatenation | 078, 088
Building a command with an injected environment variable | 078, 088, 454
Cleartext storage of sensitive information in the Android filesystem | 312
Cleartext storage of sensitive information using 'Properties' class | 313
Cleartext storage of sensitive information using SharedPreferences on Android | 312
Cleartext storage of sensitive information using a local database on Android | 312
Comparison of narrow type with wide type in loop condition | 190, 197
Executing a command with a relative path | 078, 088
Exposure of sensitive information to notifications | 200
Exposure of sensitive information to UI text views | 200
HTTP request type unprotected from CSRF | 352
Improper validation of user-provided array index | 129
Improper validation of user-provided size used for array construction | 129
Insecure basic authentication | 522, 319
Insecure JavaMail SSL Configuration | 297
Insecurely generated keys for local authentication | 287
Insertion of sensitive information into log files | 532
Leaking sensitive information through a ResultReceiver | 927
Leaking sensitive information through an implicit Intent | 927
Local information disclosure in a temporary directory | 200, 732
Log Injection | 117
Loop with unreachable exit condition | 835
Missing read or write permission in a content provider | 926
Partial path traversal vulnerability | 023
Query built by concatenation with a possibly-untrusted string | 089, 564
Race condition in socket authentication | 421
Time-of-check time-of-use race condition | 367
Trust boundary violation | 501
Uncontrolled data in arithmetic expression | 190, 191
Unreleased lock | 764, 833
Unsafe certificate trust | 273
Unsafe resource fetching in Android WebView | 749, 079
Use of a potentially broken or risky cryptographic algorithm | 327, 328
Use of a potentially dangerous function | 676
User-controlled bypass of sensitive method | 807, 290
User-controlled data in arithmetic expression | 190, 191
