v2.24.2

[data-douser]

v2.24.2

Highlights

🚢 New VS Code Extension: advanced-security.vscode-codeql-development-mcp-server 🚀

This release introduces a new VS Code extension distributed as a VSIX archive (codeql-development-mcp-server-v2.24.2.vsix) that acts as a "bridge" between the GitHub CodeQL extension and the CodeQL Development MCP Server. When installed, the extension:

• Automatically discovers CodeQL databases, query run results, and MRVA (Multi-Repository Variant Analysis) results managed by the GitHub.vscode-codeql extension, and exposes them to MCP-connected AI agents via environment variables.
• Bundles the MCP server and all CodeQL tool packs inside the VSIX, so that installation is self-contained — no separate npm install required.
• Manages the MCP server lifecycle (start/stop/restart) from within VS Code, with configurable settings for the server command, arguments, and npm version.
• Registers an MCP Server Definition Provider, enabling VS Code's built-in MCP support to discover and connect to the server automatically.

Download: The VSIX is attached as a release asset. Install it via code --install-extension codeql-development-mcp-server-v2.24.2.vsix or through the VS Code Extensions sidebar ("Install from VSIX…").

---

New MCP Server Tools

Tool	Description
list_codeql_databases	Discovers CodeQL databases in configured base directories. Returns path, language, CLI version, and creation time for each database.
list_query_run_results	Lists discovered query run result directories. Returns path, query name, timestamp, language, and available artifacts (evaluator-log, BQRS, SARIF, query.log, summary). Supports filtering by queryName, language, or queryPath.
list_mrva_run_results	Lists discovered MRVA run results. Returns run ID, timestamp, repositories scanned, analysis status, and available artifacts.
profile_codeql_query_from_logs	Parses CodeQL query evaluation logs into a performance profile without re-running the query. Works with logs from codeql query run, codeql database analyze, or vscode-codeql query history.
read_database_source	Reads source file contents directly from a CodeQL database's source archive (src.zip) or extracted source directory (src/), enabling agents to inspect code at alert locations without the original source tree.

New MCP Server Prompts

Prompt	Description
run_query_and_summarize_false_positives	Guides an agent through running a CodeQL query, reading source code from the database archive via read_database_source, and diagnosing false positives / false negatives to improve query precision.

Changed MCP Server Tools

Tool	Change
codeql_bqrs_decode	Added text and bqrs output formats, --result-set selection, --sort-key / --sort-direction sorting, --no-titles flag, --entities column display control, and --rows pagination. Improved description to document the typical decode workflow.
codeql_bqrs_info	Enhanced description with cross-references to related tools and workflow guidance.
codeql_database_analyze	Improved logging and error messages; auto-creates output directories.
codeql_query_run	Minor logging improvements.
register_database	Error objects now chain the original cause for better debugging.

Changed MCP Server Prompts

All existing workflow prompts have been updated to use #tool_name hashtag references (instead of backtick formatting) for tool mentions, improving consistency when rendered in VS Code Copilot Chat. Additionally, prompt templates are now embedded at build time via esbuild's loader: { '.md': 'text' }, fixing a critical bug where prompts were missing at runtime in VSIX and npm-installed deployments.

---

Bug Fixes

• VSIX bundle missing server dependencies — Fixed a packaging bug where the esbuild external configuration excluded required Node.js dependencies (express, cors, zod, etc.) from the bundled VSIX extension, causing runtime failures. (Fixes and integration tests for MCP-provided prompts and VSIX bundle #71)
• Prompt templates not found at runtime — Refactored prompt loading from filesystem reads (readFileSync) to build-time static imports, ensuring prompt templates are available in all deployment scenarios (monorepo, npm, VSIX). (Fixes and integration tests for MCP-provided prompts and VSIX bundle #71)
• Client integration test timeouts — Resolved timeout issues in client integration test fixtures that caused flaky CI runs. (Avoid timeouts in client integration test fixtures #74)
• VS Code extension version not tracked in release scripts — The update-release-version.sh script and nightly CodeQL CLI update workflow now correctly detect and update the version in extensions/vscode/package.json alongside other version-bearing files. (Fixes for v2.24.2 release prep #75)
• VSIX-bundled server pack installation — The extension now prefers the bundled server/ directory inside the VSIX for CodeQL pack resolution, falling back to npm-installed packages only if necessary. (Prep for v2.24.2 release #81)
• Error chaining in register_database — All error paths now preserve the original cause, making debugging registration failures easier. (Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results #61)

Infrastructure & CI/CD

• Refactored the release workflow into separate child workflows with isolated deployment environments. (Refactor release into separate child workflows with isolated deployment environments #45)
• Added a nightly CodeQL CLI update workflow that automates version bumps across all packages. (Add nightly CodeQL CLI update workflow #58)
• Added dedicated GitHub Actions workflows for building, testing (with coverage), linting, bundling, and packaging the VS Code extension. (Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results #61)
• Added stdio transport support to the client integration test runner alongside SSE. (Add stdio transport support to client integration test runner #77)
• Release artifacts now include version strings in filenames (e.g., codeql-development-mcp-server-v2.24.2.vsix, codeql-development-mcp-server-v2.24.2.tar.gz). (Prep for v2.24.2 release #81)
• Release workflow uses a concurrency group keyed by version, preventing overlapping releases. (Prep for v2.24.2 release #81)
• Added .md documentation enforcement for all .ql tool queries. (Prep for v2.24.2 release #81)

Dependency Updates

• Upgraded CodeQL CLI dependency to v2.24.2. (Upgrade CodeQL CLI dependency to v2.24.2 #65)
• Bumped actions/download-artifact from 6 to 7. (Build(deps): bump actions/download-artifact from 6 to 7 #49)
• Bumped dotenv from 17.2.4 to 17.3.0. (Build(deps): bump dotenv from 17.2.4 to 17.3.0 #54)
• Bumped eslint from ^10.0.0 to ^10.0.1 across all packages. (Fixes for v2.24.2 release prep #75)

---

What's Changed (PRs)

• Refactor release into separate child workflows with isolated deployment environments by @data-douser in Refactor release into separate child workflows with isolated deployment environments #45
• Build(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in Build(deps): bump actions/download-artifact from 6 to 7 #49
• Build(deps): bump dotenv from 17.2.4 to 17.3.0 by @dependabot[bot] in Build(deps): bump dotenv from 17.2.4 to 17.3.0 #54
• Add nightly CodeQL CLI update workflow by @data-douser in Add nightly CodeQL CLI update workflow #58
• Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results by @data-douser in Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results #61
• Upgrade CodeQL CLI dependency to v2.24.2 by @github-actions[bot] in Upgrade CodeQL CLI dependency to v2.24.2 #65
• Add a new prompt & tool for diagnosing FPs/FNs from query runs by @MichaelRFairhurst in Add a new prompt & tool for diagnosing FPs/FNs from query runs. #70
• Fixes and integration tests for MCP-provided prompts and VSIX bundle by @data-douser in Fixes and integration tests for MCP-provided prompts and VSIX bundle #71
• Avoid timeouts in client integration test fixtures by @data-douser in Avoid timeouts in client integration test fixtures #74
• Fixes for v2.24.2 release prep by @data-douser in Fixes for v2.24.2 release prep #75
• Add stdio transport support to client integration test runner by @Copilot in Add stdio transport support to client integration test runner #77
• Prep for v2.24.2 release by @data-douser in Prep for v2.24.2 release #81

New Contributors

• @dependabot[bot] made their first contribution in Build(deps): bump actions/download-artifact from 6 to 7 #49
• @MichaelRFairhurst made their first contribution in Add a new prompt & tool for diagnosing FPs/FNs from query runs. #70
• @github-actions[bot] made their first contribution in Upgrade CodeQL CLI dependency to v2.24.2 #65

Full Changelog: v2.24.1...v2.24.2

---

This discussion was created from the release v2.24.2.