Merge remote-tracking branch 'upstream/main' into docsforautofix

2025-12-17 01:03:14 +01:00 · 2024-07-10 11:17:52 +01:00
parent 74384625f6 81593ece5a
commit 0344381120
182 changed files with 830 additions and 272 deletions
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -29,6 +29,8 @@ jobs:
          key: all-queries
      - name: check formatting
        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+      - name: Omit DatabaseQualityDiagnostics.ql from compile checking # Remove me once CodeQL 2.18.0 is released!
+        run: mv java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql{,.hidden}
      - name: compile queries - check-only
        # run with --check-only if running in a PR (github.sha != main)
        if : ${{ github.event_name == 'pull_request' }}
@@ -39,3 +41,6 @@ jobs:
        if : ${{ github.event_name != 'pull_request' }}
        shell: bash
        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
+      - name: Restore DatabaseQualityDiagnostics.ql after compile checking # Remove me once CodeQL 2.18.0 is released
+        run: mv java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql{.hidden,}
+
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,15 @@
+## 1.2.0
+
+### New Features
+
+* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
+* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
+
+### Minor Analysis Improvements
+
+* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
+* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.
+
 ## 1.1.1

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2024-06-10-builtin-expect.md
+++ b/cpp/ql/lib/change-notes/2024-06-10-builtin-expect.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.
--- a/cpp/ql/lib/change-notes/2024-06-13-double-free.md
+++ b/cpp/ql/lib/change-notes/2024-06-13-double-free.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
--- a/cpp/ql/lib/change-notes/2024-06-20-extensible-allocation-deallocation.md
+++ b/cpp/ql/lib/change-notes/2024-06-20-extensible-allocation-deallocation.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
--- a/cpp/ql/lib/change-notes/2024-07-03-extended-mad-syntax.md
+++ b/cpp/ql/lib/change-notes/2024-07-03-extended-mad-syntax.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
--- a/cpp/ql/lib/change-notes/released/1.2.0.md
+++ b/cpp/ql/lib/change-notes/released/1.2.0.md
@@ -0,0 +1,11 @@
+## 1.2.0
+
+### New Features
+
+* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
+* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
+
+### Minor Analysis Improvements
+
+* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
+* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.2.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.1.2-dev
+version: 1.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -104,7 +104,7 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {

 cached
 private newtype TDefImpl =
-  TDefAddressImpl(BaseIRVariable v) or
+  TDefAddressImpl(BaseSourceVariable v) or
  TDirectDefImpl(Operand address, int indirectionIndex) {
    isDef(_, _, address, _, _, indirectionIndex)
  } or
@@ -325,9 +325,9 @@ private Instruction getInitializationTargetAddress(IRVariable v) {
  )
 }

-/** An initial definition of an `IRVariable`'s address. */
-private class DefAddressImpl extends DefImpl, TDefAddressImpl {
-  BaseIRVariable v;
+/** An initial definition of an SSA variable address. */
+abstract private class DefAddressImpl extends DefImpl, TDefAddressImpl {
+  BaseSourceVariable v;

  DefAddressImpl() {
    this = TDefAddressImpl(v) and
@@ -342,6 +342,19 @@ private class DefAddressImpl extends DefImpl, TDefAddressImpl {

  final override Node0Impl getValue() { none() }

+  override Cpp::Location getLocation() { result = v.getLocation() }
+
+  final override SourceVariable getSourceVariable() {
+    result.getBaseVariable() = v and
+    result.getIndirection() = 0
+  }
+
+  final override BaseSourceVariable getBaseSourceVariable() { result = v }
+}
+
+private class DefVariableAddressImpl extends DefAddressImpl {
+  override BaseIRVariable v;
+
  final override predicate hasIndexInBlock(IRBlock block, int index) {
    exists(IRVariable var | var = v.getIRVariable() |
      block.getInstruction(index) = getInitializationTargetAddress(var)
@@ -353,15 +366,14 @@ private class DefAddressImpl extends DefImpl, TDefAddressImpl {
      index = 0
    )
  }
+}

-  override Cpp::Location getLocation() { result = v.getIRVariable().getLocation() }
+private class DefCallAddressImpl extends DefAddressImpl {
+  override BaseCallVariable v;

-  final override SourceVariable getSourceVariable() {
-    result.getBaseVariable() = v and
-    result.getIndirection() = 0
+  final override predicate hasIndexInBlock(IRBlock block, int index) {
+    block.getInstruction(index) = v.getCallInstruction()
  }
-
-  final override BaseSourceVariable getBaseSourceVariable() { result = v }
 }

 private class DirectDef extends DefImpl, TDirectDefImpl {
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.3
+
+No user-facing changes.
+
 ## 1.0.2

 No user-facing changes.
--- a/Management/SuspiciousCallToStrncat.ql
+++ b/Management/SuspiciousCallToStrncat.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 9.3
- * @precision medium
+ * @precision high
 * @id cpp/unsafe-strncat
 * @tags reliability
 *       correctness
--- a/cpp/ql/src/change-notes/2024-07-08-unsafe-strncat-query.md
+++ b/cpp/ql/src/change-notes/2024-07-08-unsafe-strncat-query.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The precision of `cpp/unsafe-strncat` ("Potentially unsafe call to strncat") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
--- a/cpp/ql/src/change-notes/released/1.0.3.md
+++ b/cpp/ql/src/change-notes/released/1.0.3.md
@@ -0,0 +1,3 @@
+## 1.0.3
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.0.3-dev
+version: 1.0.4-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.cpp
@@ -0,0 +1,29 @@
+namespace std
+{
+  struct ptrdiff_t;
+  struct input_iterator_tag
+  {
+  };
+  struct forward_iterator_tag : public input_iterator_tag
+  {
+  };
+}
+
+struct A
+{
+  using value_type = int;
+  using difference_type = std::ptrdiff_t;
+  using pointer = int*;
+  using reference = int&;
+  using iterator_category = std::forward_iterator_tag;
+};
+
+A get();
+
+void test()
+{
+  while (true)
+  {
+    auto &&x = get();
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
--- a/cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.ql
+++ b/cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.ql
@@ -0,0 +1,23 @@
+/**
+ * @kind path-problem
+ */
+
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.dataflow.new.DataFlow
+import Flow::PathGraph
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asInstruction().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asInstruction().(CallInstruction).getStaticCallTarget().hasName("get")
+  }
+}
+
+module Flow = DataFlow::Global<Config>;
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, ""
--- a/Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected
+++ b/Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected
@@ -3,3 +3,5 @@
 | test.c:67:3:67:9 | call to strncat | Potentially unsafe call to strncat. |
 | test.c:75:3:75:9 | call to strncat | Potentially unsafe call to strncat. |
 | test.c:76:3:76:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:91:3:91:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:99:3:99:9 | call to strncat | Potentially unsafe call to strncat. |
--- a/Management/SuspiciousCallToStrncat/test.c
+++ b/Management/SuspiciousCallToStrncat/test.c
@@ -82,3 +82,20 @@ void strncat_test5(char *s) {
  strncat(buf, s, len - strlen(buf) - 1); // GOOD
  strncat(buf, s, len - strlen(buf)); // GOOD
 }
+
+void strncat_test6() {
+  {
+  char dest[60];
+  dest[0] = '\0';
+  // Will write `dest[0 .. 5]`
+  strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE]
+  }
+
+  {
+  char dest[60];
+  memset(dest, 'a', sizeof(dest));
+  dest[54] = '\0';
+  // Will write `dest[54 .. 59]`
+  strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE]
+  }
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.expected
@@ -3,3 +3,4 @@
 | test.cpp:702:27:702:27 | call to operator[] | This object is destroyed at the end of the full-expression. |
 | test.cpp:727:23:727:23 | call to operator[] | This object is destroyed at the end of the full-expression. |
 | test.cpp:735:23:735:23 | call to operator[] | This object is destroyed at the end of the full-expression. |
+| test.cpp:857:3:857:17 | pointer to ~PlusPlusReturnByValueIterator output argument | This object is destroyed at the end of the full-expression. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp
@@ -801,4 +801,60 @@ void test5(int i)
    for(const auto& vs : vvs) { }
    ++i;
  } // GOOD
+}
+
+struct HasBeginAndEnd
+{
+  ~HasBeginAndEnd();
+  using value_type = int;
+  using difference_type = std::ptrdiff_t;
+  using pointer = int*;
+  using reference = int&;
+  using iterator_category = std::random_access_iterator_tag;
+  std::vector<int>::iterator begin() const;
+  std::vector<int>::iterator end() const;
+};
+
+HasBeginAndEnd getHasBeginAndEnd();
+
+bool getBool();
+
+void test6()
+{
+  while(getBool())
+  {
+    for (const int& x : getHasBeginAndEnd()) // GOOD
+    {
+    }
+  }
+}
+
+struct PlusPlusReturnByValueIterator
+{
+  using value_type = int;
+  using difference_type = std::ptrdiff_t;
+  using pointer = int *;
+  using reference = int &;
+  using iterator_category = std::forward_iterator_tag;
+
+  PlusPlusReturnByValueIterator();
+  PlusPlusReturnByValueIterator(PlusPlusReturnByValueIterator const &);
+
+  PlusPlusReturnByValueIterator operator++();
+  bool operator==(PlusPlusReturnByValueIterator other) const;
+  bool operator!=(PlusPlusReturnByValueIterator other) const;
+  reference operator*() const;
+  pointer operator->() const;
+
+  ~PlusPlusReturnByValueIterator();
+
+  PlusPlusReturnByValueIterator begin();
+};
+
+void test7()
+{
+  PlusPlusReturnByValueIterator it;
+  it.operator++(); // GOOD [FALSE POSITIVE]
+
+  it.begin();
 }
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.20
+
+No user-facing changes.
+
 ## 1.7.19

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.20.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.20.md
@@ -0,0 +1,3 @@
+## 1.7.20
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.19
+lastReleaseVersion: 1.7.20
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.20-dev
+version: 1.7.21-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.20
+
+No user-facing changes.
+
 ## 1.7.19

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.20.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.20.md
@@ -0,0 +1,3 @@
+## 1.7.20
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.19
+lastReleaseVersion: 1.7.20
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.20-dev
+version: 1.7.21-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.3
+
+No user-facing changes.
+
 ## 1.0.2

 No user-facing changes.
--- a/csharp/ql/lib/change-notes/released/1.0.3.md
+++ b/csharp/ql/lib/change-notes/released/1.0.3.md
@@ -0,0 +1,3 @@
+## 1.0.3
+
+No user-facing changes.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 1.0.3-dev
+version: 1.0.4-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.3
+
+No user-facing changes.
+
 ## 1.0.2

 No user-facing changes.
--- a/csharp/ql/src/change-notes/released/1.0.3.md
+++ b/csharp/ql/src/change-notes/released/1.0.3.md
@@ -0,0 +1,3 @@
+## 1.0.3
+
+No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.0.3-dev
+version: 1.0.4-dev
 groups:
  - csharp
  - queries
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.3
+
+No user-facing changes.
+
 ## 1.0.2

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.3.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.3.md
@@ -0,0 +1,3 @@
+## 1.0.3
+
+No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.3-dev
+version: 1.0.4-dev
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* DataFlow queries which previously used `RemoteFlowSource` to define their sources have been modified to instead use `ThreatModelFlowSource`. This means these queries will now respect threat model configurations. The default threat model configuration is equivalent to `RemoteFlowSource`, so there should be no change in results for users using the default.
+* Added the `ThreatModelFlowSource` class to `FlowSources.qll`. The `ThreatModelFlowSource` class can be used to include sources which match the current *threat model* configuration. This is the first step in supporting threat modeling for Go.
+
+### Bug Fixes
+
+* Fixed dataflow via global variables other than via a direct write: for example, via a side-effect on a global, such as `io.copy(SomeGlobal, ...)` or via assignment to a field or array or slice cell of a global. This means that any data-flow query may return more results where global variables are involved.
+
 ## 1.1.1

 No user-facing changes.
--- a/go/ql/lib/change-notes/2024-06-06-add-go-threatmodelflowsource.md
+++ b/go/ql/lib/change-notes/2024-06-06-add-go-threatmodelflowsource.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added the `ThreatModelFlowSource` class to `FlowSources.qll`. The `ThreatModelFlowSource` class can be used to include sources which match the current *threat model* configuration. This is the first step in supporting threat modeling for Go.
--- a/go/ql/lib/change-notes/2024-06-08-refactor-go-queries-to-use-threatmodelflowsource.md
+++ b/go/ql/lib/change-notes/2024-06-08-refactor-go-queries-to-use-threatmodelflowsource.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* DataFlow queries which previously used `RemoteFlowSource` to define their sources have been modified to instead use `ThreatModelFlowSource`. This means these queries will now respect threat model configurations. The default threat model configuration is equivalent to `RemoteFlowSource`, so there should be no change in results for users using the default.
--- a/go/ql/lib/change-notes/2024-06-17-go-global-variable-writes.md
+++ b/go/ql/lib/change-notes/2024-06-17-go-global-variable-writes.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Fixed dataflow via global variables other than via a direct write: for example, via a side-effect on a global, such as `io.copy(SomeGlobal, ...)` or via assignment to a field or array or slice cell of a global. This means that any data-flow query may return more results where global variables are involved.
--- a/go/ql/lib/change-notes/2024-07-08-fix-clear-sanitizer.md
+++ b/go/ql/lib/change-notes/2024-07-08-fix-clear-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* There was a bug which meant that the built-in function `clear` was considered as a sanitizer in some cases when it shouldn't have been. This has now been fixed, which may lead to more alerts.
--- a/go/ql/lib/change-notes/released/1.1.2.md
+++ b/go/ql/lib/change-notes/released/1.1.2.md
@@ -0,0 +1,10 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* DataFlow queries which previously used `RemoteFlowSource` to define their sources have been modified to instead use `ThreatModelFlowSource`. This means these queries will now respect threat model configurations. The default threat model configuration is equivalent to `RemoteFlowSource`, so there should be no change in results for users using the default.
+* Added the `ThreatModelFlowSource` class to `FlowSources.qll`. The `ThreatModelFlowSource` class can be used to include sources which match the current *threat model* configuration. This is the first step in supporting threat modeling for Go.
+
+### Bug Fixes
+
+* Fixed dataflow via global variables other than via a direct write: for example, via a side-effect on a global, such as `io.copy(SomeGlobal, ...)` or via assignment to a field or array or slice cell of a global. This means that any data-flow query may return more results where global variables are involved.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.1.2
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 1.1.2-dev
+version: 1.1.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll
@@ -423,7 +423,7 @@ private class ClearSanitizer extends DefaultTaintSanitizer {
      arg = call.getAnArgument() and
      arg = var.getAUse() and
      arg != this and
-      this.getBasicBlock().(ReachableBasicBlock).dominates(this.getBasicBlock())
+      arg.getBasicBlock().(ReachableBasicBlock).dominates(this.getBasicBlock())
    )
  }
 }
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.3
+
+No user-facing changes.
+
 ## 1.0.2

 No user-facing changes.
--- a/go/ql/src/change-notes/released/1.0.3.md
+++ b/go/ql/src/change-notes/released/1.0.3.md
@@ -0,0 +1,3 @@
+## 1.0.3
+
+No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.0.3-dev
+version: 1.0.4-dev
 groups:
  - go
  - queries
--- a/go/ql/test/library-tests/semmle/go/dataflow/DefaultTaintSanitizer/Builtin.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/DefaultTaintSanitizer/Builtin.go
@@ -8,9 +8,38 @@ func clearTestBad(sourceReq *http.Request) string {
 	return string(b)
 }

+func clearTestBad2(sourceReq *http.Request, x bool) string {
+	b := make([]byte, 8)
+	sourceReq.Body.Read(b)
+	if x {
+		clear(b)
+	}
+	return string(b)
+}
+
+func clearTestBad3(sourceReq *http.Request, x bool) string {
+	b := make([]byte, 8)
+	sourceReq.Body.Read(b)
+	if x {
+		return string(b)
+	}
+	clear(b)
+	return string(b)
+}
+
 func clearTestGood(sourceReq *http.Request) string {
 	b := make([]byte, 8)
 	sourceReq.Body.Read(b)
 	clear(b) // should prevent taint flow
 	return string(b)
 }
+
+func clearTestGood2(sourceReq *http.Request, x bool) string {
+	b := make([]byte, 8)
+	sourceReq.Body.Read(b)
+	clear(b) // should prevent taint flow
+	if x {
+		return string(b)
+	}
+	return ""
+}
--- a/go/ql/test/library-tests/semmle/go/dataflow/DefaultTaintSanitizer/DefaultSanitizer.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/DefaultTaintSanitizer/DefaultSanitizer.expected
@@ -1,10 +1,22 @@
 edges
 | Builtin.go:6:2:6:2 | definition of b | Builtin.go:8:9:8:17 | type conversion | provenance |  |
 | Builtin.go:7:2:7:15 | selection of Body | Builtin.go:6:2:6:2 | definition of b | provenance | MaD:626 |
+| Builtin.go:12:2:12:2 | definition of b | Builtin.go:17:9:17:17 | type conversion | provenance |  |
+| Builtin.go:13:2:13:15 | selection of Body | Builtin.go:12:2:12:2 | definition of b | provenance | MaD:626 |
+| Builtin.go:21:2:21:2 | definition of b | Builtin.go:24:10:24:18 | type conversion | provenance |  |
+| Builtin.go:22:2:22:15 | selection of Body | Builtin.go:21:2:21:2 | definition of b | provenance | MaD:626 |
 nodes
 | Builtin.go:6:2:6:2 | definition of b | semmle.label | definition of b |
 | Builtin.go:7:2:7:15 | selection of Body | semmle.label | selection of Body |
 | Builtin.go:8:9:8:17 | type conversion | semmle.label | type conversion |
+| Builtin.go:12:2:12:2 | definition of b | semmle.label | definition of b |
+| Builtin.go:13:2:13:15 | selection of Body | semmle.label | selection of Body |
+| Builtin.go:17:9:17:17 | type conversion | semmle.label | type conversion |
+| Builtin.go:21:2:21:2 | definition of b | semmle.label | definition of b |
+| Builtin.go:22:2:22:15 | selection of Body | semmle.label | selection of Body |
+| Builtin.go:24:10:24:18 | type conversion | semmle.label | type conversion |
 subpaths
 #select
 | Builtin.go:8:9:8:17 | type conversion | Builtin.go:7:2:7:15 | selection of Body | Builtin.go:8:9:8:17 | type conversion | Found taint flow |
+| Builtin.go:17:9:17:17 | type conversion | Builtin.go:13:2:13:15 | selection of Body | Builtin.go:17:9:17:17 | type conversion | Found taint flow |
+| Builtin.go:24:10:24:18 | type conversion | Builtin.go:22:2:22:15 | selection of Body | Builtin.go:24:10:24:18 | type conversion | Found taint flow |
--- a/java/kotlin-extractor/dev/.gitignore
+++ b/java/kotlin-extractor/dev/.gitignore
@@ -1,2 +1 @@
-/.kotlinc_version
-/.kotlinc_installed
+/.kotlinc_*
--- a/java/kotlin-extractor/dev/wrapper.py
+++ b/java/kotlin-extractor/dev/wrapper.py
@@ -29,6 +29,7 @@ import os

 DEFAULT_VERSION = "2.0.0"

+
 def options():
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("tool")
@@ -38,11 +39,15 @@ def options():
    return parser.parse_known_args()


-url_template = 'https://github.com/JetBrains/kotlin/releases/download/v{version}/kotlin-compiler-{version}.zip'
+file_template = "kotlin-compiler-{version}.zip"
+url_template = "https://github.com/JetBrains/kotlin/releases/download/v{version}/kotlin-compiler-{version}.zip"
 this_dir = pathlib.Path(__file__).resolve().parent
 version_file = this_dir / ".kotlinc_version"
 install_dir = this_dir / ".kotlinc_installed"
-windows_ripunzip = this_dir.parents[4] / "resources" / "lib" / "windows" / "ripunzip" / "ripunzip.exe"
+zips_dir = this_dir / ".kotlinc_zips"
+windows_ripunzip = (
+    this_dir.parents[4] / "resources" / "lib" / "windows" / "ripunzip" / "ripunzip.exe"
+)


 class Error(Exception):
@@ -62,16 +67,6 @@ class ZipFilePreservingPermissions(zipfile.ZipFile):
        return targetpath


-def check_version(version: str):
-    try:
-        with urllib.request.urlopen(url_template.format(version=version)) as response:
-            pass
-    except urllib.error.HTTPError as e:
-        if e.code == 404:
-            raise Error(f"Version {version} not found in github.com/JetBrains/kotlin/releases") from e
-        raise
-
-
 def get_version():
    try:
        return version_file.read_text()
@@ -86,29 +81,39 @@ def install(version: str, quiet: bool):
    else:
        info_out = sys.stderr
        info = lambda *args: print(*args, file=sys.stderr)
+    file = file_template.format(version=version)
    url = url_template.format(version=version)
    if install_dir.exists():
        shutil.rmtree(install_dir)
    install_dir.mkdir()
+    zips_dir.mkdir(exist_ok=True)
+    zip = zips_dir / file
+
+    if not zip.exists():
+        info(f"downloading {url}")
+        tmp_zip = zip.with_suffix(".tmp")
+        with open(tmp_zip, "wb") as out, urllib.request.urlopen(url) as response:
+            shutil.copyfileobj(response, out)
+        tmp_zip.rename(zip)
    ripunzip = shutil.which("ripunzip")
-    if ripunzip is None and platform.system() == "Windows" and windows_ripunzip.exists():
+    if (
+        ripunzip is None
+        and platform.system() == "Windows"
+        and windows_ripunzip.exists()
+    ):
        ripunzip = windows_ripunzip
    if ripunzip:
-        info(f"downloading and extracting {url} using ripunzip")
-        subprocess.run([ripunzip, "unzip-uri", url], stdout=info_out, stderr=info_out, cwd=install_dir,
-                       check=True)
-        return
-    with io.BytesIO() as buffer:
-        info(f"downloading {url}")
-        with urllib.request.urlopen(url) as response:
-            while True:
-                bytes = response.read()
-                if not bytes:
-                    break
-                buffer.write(bytes)
-        buffer.seek(0)
-        info(f"extracting kotlin-compiler-{version}.zip")
-        with ZipFilePreservingPermissions(buffer) as archive:
+        info(f"extracting {zip} using ripunzip")
+        subprocess.run(
+            [ripunzip, "unzip-file", zip],
+            stdout=info_out,
+            stderr=info_out,
+            cwd=install_dir,
+            check=True,
+        )
+    else:
+        info(f"extracting {zip}")
+        with ZipFilePreservingPermissions(zip) as archive:
            archive.extractall(install_dir)


@@ -130,6 +135,9 @@ def clear():
    if version_file.exists():
        print(f"removing {version_file}", file=sys.stderr)
        version_file.unlink()
+    if zips_dir.exists():
+        print(f"removing {zips_dir}", file=sys.stderr)
+        shutil.rmtree(zips_dir)


 def main(opts, forwarded_opts):
@@ -140,7 +148,6 @@ def main(opts, forwarded_opts):
    if opts.select == "default":
        selected_version = DEFAULT_VERSION
    elif opts.select is not None:
-        check_version(opts.select)
        selected_version = opts.select
    else:
        selected_version = current_version or DEFAULT_VERSION
@@ -153,7 +160,10 @@ def main(opts, forwarded_opts):
        return
    if opts.version:
        if opts.tool == "kotlinc":
-            print(f"info: kotlinc-jvm {selected_version} (codeql dev wrapper)", file=sys.stderr)
+            print(
+                f"info: kotlinc-jvm {selected_version} (codeql dev wrapper)",
+                file=sys.stderr,
+            )
            return
        forwarded_opts.append("-version")

--- a/java/ql/automodel/src/CHANGELOG.md
+++ b/java/ql/automodel/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.3
+
+No user-facing changes.
+
 ## 1.0.2

 No user-facing changes.
--- a/java/ql/automodel/src/change-notes/released/1.0.3.md
+++ b/java/ql/automodel/src/change-notes/released/1.0.3.md
@@ -0,0 +1,3 @@
+## 1.0.3
+
+No user-facing changes.
--- a/java/ql/automodel/src/codeql-pack.release.yml
+++ b/java/ql/automodel/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3
--- a/java/ql/automodel/src/qlpack.yml
+++ b/java/ql/automodel/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-automodel-queries
-version: 1.0.3-dev
+version: 1.0.4-dev
 groups:
    - java
    - automodel
--- a/java/ql/integration-tests/all-platforms/java/buildless-erroneous/DatabaseQualityDiagnostics.expected
+++ b/java/ql/integration-tests/all-platforms/java/buildless-erroneous/DatabaseQualityDiagnostics.expected
@@ -0,0 +1,6 @@
+diagnosticAttributes
+| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityCliSummaryTable | true |
+| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityStatusPage | true |
+| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityTelemetry | true |
+#select
+| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | 1 |
--- a/java/ql/integration-tests/all-platforms/java/buildless-erroneous/DatabaseQualityDiagnostics.qlref
+++ b/java/ql/integration-tests/all-platforms/java/buildless-erroneous/DatabaseQualityDiagnostics.qlref
@@ -0,0 +1 @@
+Telemetry/DatabaseQualityDiagnostics.ql
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,25 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* Added models for the following packages:
+
+  * io.undertow.server.handlers.resource
+  * jakarta.faces.context
+  * javax.faces.context
+  * javax.servlet
+  * org.jboss.vfs
+  * org.springframework.core.io
+* A bug has been fixed in the heuristic identification of uncertain control
+  flow, which is used to filter data flow in order to improve performance and
+  reduce false positives. This fix means that slightly more code is identified
+  and hence pruned from data flow.
+* Excluded reverse DNS from the loopback address as a source of untrusted data.
+
+### Bug Fixes
+
+* Support for `codeql test run` for Kotlin sources has been fixed.
+
 ## 1.1.1

 No user-facing changes.
--- a/java/ql/lib/change-notes/2024-06-13-kotlin-qltest-support.md
+++ b/java/ql/lib/change-notes/2024-06-13-kotlin-qltest-support.md
@@ -1,5 +0,0 @@
---
-category: fix
---
-
-* Support for `codeql test run` for Kotlin sources has been fixed.
--- a/java/ql/lib/change-notes/2024-06-14-exclude-loopback-from-reverse-dns.md
+++ b/java/ql/lib/change-notes/2024-06-14-exclude-loopback-from-reverse-dns.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Excluded reverse DNS from the loopback address as a source of untrusted data.
--- a/java/ql/lib/change-notes/2024-06-17-ffbl-implicit-this.md
+++ b/java/ql/lib/change-notes/2024-06-17-ffbl-implicit-this.md
@@ -1,7 +0,0 @@
---
-category: minorAnalysis
---
-* A bug has been fixed in the heuristic identification of uncertain control
-  flow, which is used to filter data flow in order to improve performance and
-  reduce false positives. This fix means that slightly more code is identified
-  and hence pruned from data flow.
--- a/java/ql/lib/change-notes/2024-06-25-java-tools-status.md
+++ b/java/ql/lib/change-notes/2024-06-25-java-tools-status.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Java build-mode `none` analyses now only report a warning on the CodeQL status page when there are significant analysis problems-- defined as 5% of expressions lacking a type, or 5% of call targets being unknown. Other messages reported on the status page are downgraded from warnings to notes and so are less prominent, but are still available for review.
--- a/java/ql/lib/change-notes/2024-06-28-resource-models.md
+++ b/java/ql/lib/change-notes/2024-06-28-resource-models.md
@@ -1,11 +0,0 @@
---
-category: minorAnalysis
---
-* Added models for the following packages:
-
-  * io.undertow.server.handlers.resource
-  * jakarta.faces.context
-  * javax.faces.context
-  * javax.servlet
-  * org.jboss.vfs
-  * org.springframework.core.io
--- a/java/ql/lib/change-notes/released/1.1.2.md
+++ b/java/ql/lib/change-notes/released/1.1.2.md
@@ -0,0 +1,21 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* Added models for the following packages:
+
+  * io.undertow.server.handlers.resource
+  * jakarta.faces.context
+  * javax.faces.context
+  * javax.servlet
+  * org.jboss.vfs
+  * org.springframework.core.io
+* A bug has been fixed in the heuristic identification of uncertain control
+  flow, which is used to filter data flow in order to improve performance and
+  reduce false positives. This fix means that slightly more code is identified
+  and hence pruned from data flow.
+* Excluded reverse DNS from the loopback address as a source of untrusted data.
+
+### Bug Fixes
+
+* Support for `codeql test run` for Kotlin sources has been fixed.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.1.2
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 1.1.2-dev
+version: 1.1.3-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 1.1.0
+
+### Major Analysis Improvements
+
+* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.
+
+### Minor Analysis Improvements
+
+* The query `java/tainted-permissions-check` now uses threat models. This means that `local` sources are no longer included by default for this query, but can be added by enabling the `local` threat model.
+* Added more `org.apache.commons.io.FileUtils`-related sinks to the path injection query.
+
 ## 1.0.2

 No user-facing changes.
--- a/java/ql/src/Telemetry/DatabaseQuality.qll
+++ b/java/ql/src/Telemetry/DatabaseQuality.qll
@@ -0,0 +1,65 @@
+/**
+ * Provides database quality statistics that are reported by java/telemetry/extractor-information
+ * and perhaps warned about by java/diagnostics/database-quality.
+ */
+
+import java
+
+signature module StatsSig {
+  int getNumberOfOk();
+
+  int getNumberOfNotOk();
+
+  string getOkText();
+
+  string getNotOkText();
+}
+
+module ReportStats<StatsSig Stats> {
+  predicate numberOfOk(string key, int value) {
+    value = Stats::getNumberOfOk() and
+    key = "Number of " + Stats::getOkText()
+  }
+
+  predicate numberOfNotOk(string key, int value) {
+    value = Stats::getNumberOfNotOk() and
+    key = "Number of " + Stats::getNotOkText()
+  }
+
+  predicate percentageOfOk(string key, float value) {
+    value = Stats::getNumberOfOk() * 100.0 / (Stats::getNumberOfOk() + Stats::getNumberOfNotOk()) and
+    key = "Percentage of " + Stats::getOkText()
+  }
+}
+
+module CallTargetStats implements StatsSig {
+  int getNumberOfOk() { result = count(Call c | exists(c.getCallee())) }
+
+  int getNumberOfNotOk() { result = count(Call c | not exists(c.getCallee())) }
+
+  string getOkText() { result = "calls with call target" }
+
+  string getNotOkText() { result = "calls with missing call target" }
+}
+
+private class SourceExpr extends Expr {
+  SourceExpr() { this.getFile().isSourceFile() }
+}
+
+private predicate hasGoodType(Expr e) {
+  exists(e.getType()) and not e.getType() instanceof ErrorType
+}
+
+module ExprTypeStats implements StatsSig {
+  int getNumberOfOk() { result = count(SourceExpr e | hasGoodType(e)) }
+
+  int getNumberOfNotOk() { result = count(SourceExpr e | not hasGoodType(e)) }
+
+  string getOkText() { result = "expressions with known type" }
+
+  string getNotOkText() { result = "expressions with unknown type" }
+}
+
+module CallTargetStatsReport = ReportStats<CallTargetStats>;
+
+module ExprTypeStatsReport = ReportStats<ExprTypeStats>;
--- a/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+++ b/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
@@ -0,0 +1,44 @@
+/**
+ * @name Low Java analysis quality
+ * @description Low Java analysis quality
+ * @kind diagnostic
+ * @id java/diagnostic/database-quality
+ */
+
+import java
+import DatabaseQuality
+
+private newtype TDbQualityDiagnostic =
+  TTheDbQualityDiagnostic() {
+    exists(float percentageGood |
+      CallTargetStatsReport::percentageOfOk(_, percentageGood)
+      or
+      ExprTypeStatsReport::percentageOfOk(_, percentageGood)
+    |
+      percentageGood < 95
+    )
+  }
+
+class DbQualityDiagnostic extends TDbQualityDiagnostic {
+  string toString() {
+    result =
+      "Scanning Java code completed successfully, but the scan encountered issues. " +
+        "This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- "
+        +
+        "see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. "
+        +
+        "Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java "
+        +
+        "using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes)."
+  }
+}
+
+query predicate diagnosticAttributes(DbQualityDiagnostic e, string key, string value) {
+  e = e and // Quieten warning about unconstrained 'e'
+  key = ["visibilityCliSummaryTable", "visibilityTelemetry", "visibilityStatusPage"] and
+  value = "true"
+}
+
+from DbQualityDiagnostic d
+select d, d.toString(), 1
+/* Warning severity */
--- a/java/ql/src/Telemetry/ExtractorInformation.ql
+++ b/java/ql/src/Telemetry/ExtractorInformation.ql
@@ -8,6 +8,7 @@

 import java
 import semmle.code.java.Diagnostics
+import DatabaseQuality

 extensible predicate extractorInformationSkipKey(string key);

@@ -85,65 +86,6 @@ predicate extractorTotalDiagnostics(string key, int value) {
  )
 }

-signature module StatsSig {
-  int getNumberOfOk();
-
-  int getNumberOfNotOk();
-
-  string getOkText();
-
-  string getNotOkText();
-}
-
-module ReportStats<StatsSig Stats> {
-  predicate numberOfOk(string key, int value) {
-    value = Stats::getNumberOfOk() and
-    key = "Number of " + Stats::getOkText()
-  }
-
-  predicate numberOfNotOk(string key, int value) {
-    value = Stats::getNumberOfNotOk() and
-    key = "Number of " + Stats::getNotOkText()
-  }
-
-  predicate percentageOfOk(string key, float value) {
-    value = Stats::getNumberOfOk() * 100.0 / (Stats::getNumberOfOk() + Stats::getNumberOfNotOk()) and
-    key = "Percentage of " + Stats::getOkText()
-  }
-}
-
-module CallTargetStats implements StatsSig {
-  int getNumberOfOk() { result = count(Call c | exists(c.getCallee())) }
-
-  int getNumberOfNotOk() { result = count(Call c | not exists(c.getCallee())) }
-
-  string getOkText() { result = "calls with call target" }
-
-  string getNotOkText() { result = "calls with missing call target" }
-}
-
-private class SourceExpr extends Expr {
-  SourceExpr() { this.getFile().isSourceFile() }
-}
-
-private predicate hasGoodType(Expr e) {
-  exists(e.getType()) and not e.getType() instanceof ErrorType
-}
-
-module ExprTypeStats implements StatsSig {
-  int getNumberOfOk() { result = count(SourceExpr e | hasGoodType(e)) }
-
-  int getNumberOfNotOk() { result = count(SourceExpr e | not hasGoodType(e)) }
-
-  string getOkText() { result = "expressions with known type" }
-
-  string getNotOkText() { result = "expressions with unknown type" }
-}
-
-module CallTargetStatsReport = ReportStats<CallTargetStats>;
-
-module ExprTypeStatsReport = ReportStats<ExprTypeStats>;
-
 from string key, int value
 where
  not exists(string pattern | extractorInformationSkipKey(pattern) and key.matches(pattern)) and
--- a/java/ql/src/change-notes/2024-05-13-rsa-ecb-secure.md
+++ b/java/ql/src/change-notes/2024-05-13-rsa-ecb-secure.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.
--- a/java/ql/src/change-notes/2024-06-10-path-injection-fileutils-sinks.md
+++ b/java/ql/src/change-notes/2024-06-10-path-injection-fileutils-sinks.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added more `org.apache.commons.io.FileUtils`-related sinks to the path injection query.
--- a/java/ql/src/change-notes/2024-06-17-tainted-permissions-check.md
+++ b/java/ql/src/change-notes/2024-06-17-tainted-permissions-check.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The query `java/tainted-permissions-check` now uses threat models. This means that `local` sources are no longer included by default for this query, but can be added by enabling the `local` threat model.
--- a/java/ql/src/change-notes/released/1.1.0.md
+++ b/java/ql/src/change-notes/released/1.1.0.md
@@ -0,0 +1,10 @@
+## 1.1.0
+
+### Major Analysis Improvements
+
+* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.
+
+### Minor Analysis Improvements
+
+* The query `java/tainted-permissions-check` now uses threat models. This means that `local` sources are no longer included by default for this query, but can be added by enabling the `local` threat model.
+* Added more `org.apache.commons.io.FileUtils`-related sinks to the path injection query.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.1.0
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.0.3-dev
+version: 1.1.1-dev
 groups:
  - java
  - queries
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 1.1.0
+
+### Major Analysis Improvements
+
+* Added support for TypeScript 5.5.
+
+### Minor Analysis Improvements
+
+* Enabled type-tracking to follow content through array methods
+* Improved modeling of `Array.prototype.splice` for when it is called with more than two arguments
+
 ## 1.0.2

 No user-facing changes.
--- a/javascript/ql/lib/change-notes/2024-04-26-typescript-5-5.md
+++ b/javascript/ql/lib/change-notes/2024-04-26-typescript-5-5.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* Added support for TypeScript 5.5.
--- a/javascript/ql/lib/change-notes/2024-06-14-type-tracking-array-steps.md
+++ b/javascript/ql/lib/change-notes/2024-06-14-type-tracking-array-steps.md
@@ -1,5 +1,10 @@
---
-category: minorAnalysis
---
+## 1.1.0
+
+### Major Analysis Improvements
+
+* Added support for TypeScript 5.5.
+
+### Minor Analysis Improvements
+
 * Enabled type-tracking to follow content through array methods
 * Improved modeling of `Array.prototype.splice` for when it is called with more than two arguments
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.1.0
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 1.0.3-dev
+version: 1.1.1-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.0.3
+
+### Minor Analysis Improvements
+
+* Added a new experimental query, `js/cors-misconfiguration`, which detects misconfigured CORS HTTP headers in the `cors` and `apollo` libraries. 
+
 ## 1.0.2

 No user-facing changes.
--- a/javascript/ql/src/change-notes/2023-11-27-cors-permissive-configuarion.md
+++ b/javascript/ql/src/change-notes/2023-11-27-cors-permissive-configuarion.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
-* Added a new experimental query, `js/cors-misconfiguration`, which detects misconfigured CORS HTTP headers in the `cors` and `apollo` libraries. 
+## 1.0.3
+
+### Minor Analysis Improvements
+
+* Added a new experimental query, `js/cors-misconfiguration`, which detects misconfigured CORS HTTP headers in the `cors` and `apollo` libraries. 
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 1.0.3-dev
+version: 1.0.4-dev
 groups:
  - javascript
  - queries
--- a/misc/bazel/internal/install.py
+++ b/misc/bazel/internal/install.py
@@ -11,6 +11,8 @@ import argparse
 import pathlib
 import shutil
 import subprocess
+import platform
+import time
 from python.runfiles import runfiles

 runfiles = runfiles.Create()
@@ -41,8 +43,25 @@ else:
    assert destdir.is_absolute(), "Provide `--build-file` to resolve destination directory"
 script = runfiles.Rlocation(opts.pkg_install_script)

+_WIN_FILE_IN_USE_ERROR_CODE = 32
+
 if destdir.exists() and opts.cleanup:
-    shutil.rmtree(destdir)
+    if platform.system() == 'Windows':
+        # On Windows we might have virus scanner still looking at the path so
+        # attempt removal a couple of times sleeping between each attempt.
+        for retry_delay in [1, 2, 2]:
+            try:
+                shutil.rmtree(destdir)
+                break
+            except OSError as e:
+                if e.winerror == _WIN_FILE_IN_USE_ERROR_CODE:
+                    time.sleep(retry_delay)
+                else:
+                    raise
+        else:
+            shutil.rmtree(destdir)
+    else:
+        shutil.rmtree(destdir)

 destdir.mkdir(parents=True, exist_ok=True)
 subprocess.run([script, "--destdir", destdir], check=True)
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.3
+
+No user-facing changes.
+
 ## 1.0.2

 No user-facing changes.
--- a/misc/suite-helpers/change-notes/released/1.0.3.md
+++ b/misc/suite-helpers/change-notes/released/1.0.3.md
@@ -0,0 +1,3 @@
+## 1.0.3
+
+No user-facing changes.
--- a/misc/suite-helpers/codeql-pack.release.yml
+++ b/misc/suite-helpers/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.3-dev
+version: 1.0.4-dev
 groups: shared
 warnOnImplicitThis: true
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.0.3
+
+### Minor Analysis Improvements
+
+* A number of Python queries now support sinks defined using data extensions. The format of data extensions for Python has been documented.
+
 ## 1.0.2

 No user-facing changes.
--- a/Show More
+++ b/Show More