codeql icon indicating copy to clipboard operation
codeql copied to clipboard
verified publisher icon github

General issue: CWE-208 coverage for javascript

Open aniakowalewska1 opened this issue 4 weeks ago • 1 comments

Description CodeQL currently does not detect CWE-208 (Observable Timing Discrepancy) in JavaScript/TypeScript, while this weakness is covered in Java/Kotlin, Python and Ruby. This appears to be a language coverage gap rather than a configuration issue. [https://codeql.github.com/codeql-query-help/full-cwe/]

Example In authentication or validation logic, I would expect CodeQL to at least be able to model potential timing differences, for example:

if (value !== expectedValue) {
  return res.status(401).json({ message: 'Invalid token' });
}

Question Is there a plan to expand CodeQL query coverage for this weakness in the remaining languages?

aniakowalewska1 avatar Dec 12 '25 09:12 aniakowalewska1

I don't think there is anything planned currently, but @coadaflorin can confirm.

hvitved avatar Dec 12 '25 09:12 hvitved