diff --git a/MODULE.bazel b/MODULE.bazel
index d5c2c8784e2..16b4a4691f8 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -27,7 +27,7 @@ bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
-bazel_dep(name = "gazelle", version = "0.47.0")
+bazel_dep(name = "gazelle", version = "0.50.0")
bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
bazel_dep(name = "rules_rust", version = "0.69.0")
diff --git a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
index a8bd8a5f93d..00f601fd5da 100644
--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -26,10 +26,23 @@ string permissionsForJob(Job job) {
"{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
}
+predicate jobHasPermissions(Job job) {
+ exists(job.getPermissions())
+ or
+ exists(job.getEnclosingWorkflow().getPermissions())
+ or
+ // The workflow is reusable and cannot be triggered in any other way; check callers
+ exists(ReusableWorkflow r | r = job.getEnclosingWorkflow() |
+ not exists(Event e | e = r.getOn().getAnEvent() | e.getName() != "workflow_call") and
+ forall(Job caller | caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller() |
+ jobHasPermissions(caller)
+ )
+ )
+}
+
from Job job, string permissions
where
- not exists(job.getPermissions()) and
- not exists(job.getEnclosingWorkflow().getPermissions()) and
+ not jobHasPermissions(job) and
// exists a trigger event that is not a workflow_call
exists(Event e |
e = job.getATriggerEvent() and
diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
index 24ecb4b0339..be49de830c3 100644
--- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
@@ -20,6 +20,6 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
where
ArtifactPoisoningFlow::flowPath(source, sink) and
event = getRelevantEventInPrivilegedContext(sink.getNode())
-select sink.getNode(), source, sink,
- "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
- sink.getNode().toString(), event, event.getName()
+select source.getNode(), source, sink,
+ "Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@).",
+ event, event.getName()
diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
index d2aff7da95f..49dc856e566 100644
--- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
@@ -20,6 +20,5 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
where
ArtifactPoisoningFlow::flowPath(source, sink) and
inNonPrivilegedContext(sink.getNode().asExpr())
-select sink.getNode(), source, sink,
- "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
- sink.getNode().toString()
+select source.getNode(), source, sink,
+ "Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user."
diff --git a/actions/ql/src/change-notes/2026-04-02-alert-msg-poisoning.md b/actions/ql/src/change-notes/2026-04-02-alert-msg-poisoning.md
new file mode 100644
index 00000000000..e2340f446a7
--- /dev/null
+++ b/actions/ql/src/change-notes/2026-04-02-alert-msg-poisoning.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also clarify the wording to make it clear that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Also change the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
\ No newline at end of file
diff --git a/actions/ql/src/change-notes/2026-04-02-permissions.md b/actions/ql/src/change-notes/2026-04-02-permissions.md
new file mode 100644
index 00000000000..2672a30ef87
--- /dev/null
+++ b/actions/ql/src/change-notes/2026-04-02-permissions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
\ No newline at end of file
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms11.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms11.yml
new file mode 100644
index 00000000000..717cdabc302
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms11.yml
@@ -0,0 +1,9 @@
+on:
+ workflow_call:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/deploy-pages
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms12.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms12.yml
new file mode 100644
index 00000000000..25ac1f53248
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms12.yml
@@ -0,0 +1,11 @@
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write
+ pages: write
+
+jobs:
+ call-workflow:
+ uses: ./.github/workflows/perms11.yml
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
index 2d29cd9b79b..3c5f6bf93e9 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
@@ -55,21 +55,21 @@ nodes
| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n |
subpaths
#select
-| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
-| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | npm install | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
+| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |
diff --git a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
index 57d240fd795..d4b80599950 100644
--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -7,10 +7,12 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -28,6 +30,7 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -40,6 +43,7 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
diff --git a/cpp/ql/lib/change-notes/2026-04-07-autoconf.md b/cpp/ql/lib/change-notes/2026-04-07-autoconf.md
new file mode 100644
index 00000000000..9f04417b8e2
--- /dev/null
+++ b/cpp/ql/lib/change-notes/2026-04-07-autoconf.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
diff --git a/cpp/ql/lib/semmle/code/cpp/ConfigurationTestFile.qll b/cpp/ql/lib/semmle/code/cpp/ConfigurationTestFile.qll
index b39c1009f07..ae90caa0e63 100644
--- a/cpp/ql/lib/semmle/code/cpp/ConfigurationTestFile.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ConfigurationTestFile.qll
@@ -42,3 +42,10 @@ class MesonPrivateTestFile extends ConfigurationTestFile {
)
}
}
+
+/**
+ * A file created by a GNU autoconf configure script to test the system configuration.
+ */
+class AutoconfConfigureTestFile extends ConfigurationTestFile {
+ AutoconfConfigureTestFile() { this.getBaseName().regexpMatch("conftest[0-9]*\\.c(pp)?") }
+}
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
index d189dd36f87..624465761c2 100644
--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -459,6 +459,13 @@ class FormatLiteral extends Literal instanceof StringLiteral {
*/
int getConvSpecOffset(int n) { result = this.getFormat().indexOf("%", n, 0) }
+ /**
+ * Gets the nth conversion specifier string.
+ */
+ private string getConvSpecString(int n) {
+ n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
+ }
+
/*
* Each of these predicates gets a regular expressions to match each individual
* parts of a conversion specifier.
@@ -524,22 +531,20 @@ class FormatLiteral extends Literal instanceof StringLiteral {
int n, string spec, string params, string flags, string width, string prec, string len,
string conv
) {
- exists(int offset, string fmt, string rst, string regexp |
- offset = this.getConvSpecOffset(n) and
- fmt = this.getFormat() and
- rst = fmt.substring(offset, fmt.length()) and
+ exists(string convSpec, string regexp |
+ convSpec = this.getConvSpecString(n) and
regexp = this.getConvSpecRegexp() and
(
- spec = rst.regexpCapture(regexp, 1) and
- params = rst.regexpCapture(regexp, 2) and
- flags = rst.regexpCapture(regexp, 3) and
- width = rst.regexpCapture(regexp, 4) and
- prec = rst.regexpCapture(regexp, 5) and
- len = rst.regexpCapture(regexp, 6) and
- conv = rst.regexpCapture(regexp, 7)
+ spec = convSpec.regexpCapture(regexp, 1) and
+ params = convSpec.regexpCapture(regexp, 2) and
+ flags = convSpec.regexpCapture(regexp, 3) and
+ width = convSpec.regexpCapture(regexp, 4) and
+ prec = convSpec.regexpCapture(regexp, 5) and
+ len = convSpec.regexpCapture(regexp, 6) and
+ conv = convSpec.regexpCapture(regexp, 7)
or
- spec = rst.regexpCapture(regexp, 1) and
- not exists(rst.regexpCapture(regexp, 2)) and
+ spec = convSpec.regexpCapture(regexp, 1) and
+ not exists(convSpec.regexpCapture(regexp, 2)) and
params = "" and
flags = "" and
width = "" and
@@ -554,12 +559,10 @@ class FormatLiteral extends Literal instanceof StringLiteral {
* Gets the nth conversion specifier (including the initial `%`).
*/
string getConvSpec(int n) {
- exists(int offset, string fmt, string rst, string regexp |
- offset = this.getConvSpecOffset(n) and
- fmt = this.getFormat() and
- rst = fmt.substring(offset, fmt.length()) and
+ exists(string convSpec, string regexp |
+ convSpec = this.getConvSpecString(n) and
regexp = this.getConvSpecRegexp() and
- result = rst.regexpCapture(regexp, 1)
+ result = convSpec.regexpCapture(regexp, 1)
)
}
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll b/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
index f032ba4749e..98280a522cf 100644
--- a/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
@@ -194,6 +194,13 @@ class ScanfFormatLiteral extends Expr {
)
}
+ /**
+ * Gets the nth conversion specifier string.
+ */
+ private string getConvSpecString(int n) {
+ n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
+ }
+
/**
* Gets the regular expression to match each individual part of a conversion specifier.
*/
@@ -227,16 +234,14 @@ class ScanfFormatLiteral extends Expr {
* specifier.
*/
predicate parseConvSpec(int n, string spec, string width, string len, string conv) {
- exists(int offset, string fmt, string rst, string regexp |
- offset = this.getConvSpecOffset(n) and
- fmt = this.getFormat() and
- rst = fmt.substring(offset, fmt.length()) and
+ exists(string convSpec, string regexp |
+ convSpec = this.getConvSpecString(n) and
regexp = this.getConvSpecRegexp() and
(
- spec = rst.regexpCapture(regexp, 1) and
- width = rst.regexpCapture(regexp, 2) and
- len = rst.regexpCapture(regexp, 3) and
- conv = rst.regexpCapture(regexp, 4)
+ spec = convSpec.regexpCapture(regexp, 1) and
+ width = convSpec.regexpCapture(regexp, 2) and
+ len = convSpec.regexpCapture(regexp, 3) and
+ conv = convSpec.regexpCapture(regexp, 4)
)
)
}
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
index 8b71f140b01..fb2108c2ac5 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
@@ -6,11 +6,15 @@
*
* The extensible relations have the following columns:
* - Sources:
- * `namespace; type; subtypes; name; signature; ext; output; kind`
+ * `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
* - Sinks:
- * `namespace; type; subtypes; name; signature; ext; input; kind`
+ * `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
* - Summaries:
- * `namespace; type; subtypes; name; signature; ext; input; output; kind`
+ * `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
+ * - Barriers:
+ * `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
+ * - BarrierGuards:
+ * `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
*
* The interpretation of a row is similar to API-graphs with a left-to-right
* reading.
@@ -87,11 +91,23 @@
* value, and
* - flow from the _second_ indirection of the 0th argument to the first
* indirection of the return value, etc.
- * 8. The `kind` column is a tag that can be referenced from QL to determine to
+ * 8. The `acceptingValue` column of barrier guard models specifies the condition
+ * under which the guard blocks flow. It can be one of "true" or "false". In
+ * the future "no-exception", "not-zero", "null", "not-null" may be supported.
+ * 9. The `kind` column is a tag that can be referenced from QL to determine to
* which classes the interpreted elements should be added. For example, for
* sources "remote" indicates a default remote flow source, and for summaries
* "taint" indicates a default additional taint step and "value" indicates a
* globally applicable value-preserving step.
+ * 10. The `provenance` column is a tag to indicate the origin and verification of a model.
+ * The format is {origin}-{verification} or just "manual" where the origin describes
+ * the origin of the model and verification describes how the model has been verified.
+ * Some examples are:
+ * - "df-generated": The model has been generated by the model generator tool.
+ * - "df-manual": The model has been generated by the model generator and verified by a human.
+ * - "manual": The model has been written by hand.
+ * This information is used in a heuristic for dataflow analysis to determine, if a
+ * model or source code should be used for determining flow.
*/
import cpp
@@ -931,13 +947,13 @@ private module Cached {
private predicate barrierGuardChecks(IRGuardCondition g, Expr e, boolean gv, TKindModelPair kmp) {
exists(
- SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingvalue,
+ SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingValue,
string kind, string model
|
- isBarrierGuardNode(n, acceptingvalue, kind, model) and
+ isBarrierGuardNode(n, acceptingValue, kind, model) and
n.asNode().asExpr() = e and
kmp = TMkPair(kind, model) and
- gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
+ gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
n.asNode().(Private::ArgumentNode).getCall().asCallInstruction() = g
)
}
@@ -954,14 +970,14 @@ private module Cached {
) {
exists(
SourceSinkInterpretationInput::InterpretNode interpretNode,
- Public::AcceptingValue acceptingvalue, string kind, string model, int indirectionIndex,
+ Public::AcceptingValue acceptingValue, string kind, string model, int indirectionIndex,
Private::ArgumentNode arg
|
- isBarrierGuardNode(interpretNode, acceptingvalue, kind, model) and
+ isBarrierGuardNode(interpretNode, acceptingValue, kind, model) and
arg = interpretNode.asNode() and
arg.asIndirectExpr(indirectionIndex) = e and
kmp = MkKindModelPairIntPair(TMkPair(kind, model), indirectionIndex) and
- gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
+ gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
arg.getCall().asCallInstruction() = g
)
}
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll
index 1a572c221d9..22c74c2aa71 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll
@@ -33,7 +33,7 @@ extensible predicate barrierModel(
*/
extensible predicate barrierGuardModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
- string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
+ string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
);
/**
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
index cce1b80e7fc..d91dc41febe 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -162,13 +162,13 @@ module SourceSinkInterpretationInput implements
}
predicate barrierGuardElement(
- Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
+ Element e, string input, Public::AcceptingValue acceptingValue, string kind,
Public::Provenance provenance, string model
) {
exists(
string package, string type, boolean subtypes, string name, string signature, string ext
|
- barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingvalue, kind,
+ barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingValue, kind,
provenance, model) and
e = interpretElement(package, type, subtypes, name, signature, ext)
)
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
index 6747d177c80..b05bd637dc2 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
@@ -5,7 +5,7 @@
* @kind problem
* @problem.severity warning
* @security-severity 8.1
- * @precision medium
+ * @precision high
* @id cpp/integer-multiplication-cast-to-long
* @tags reliability
* security
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
index 7f0a4833cb5..5842b9474f7 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
@@ -5,7 +5,7 @@
* @kind problem
* @problem.severity error
* @security-severity 7.5
- * @precision medium
+ * @precision high
* @id cpp/wrong-type-format-argument
* @tags reliability
* correctness
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp
index 6ff60d38341..90a98e1bf57 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp
@@ -14,6 +14,9 @@ function may behave unpredictably.
This may indicate a misspelled function name, or that the required header containing
the function declaration has not been included.
+
Note: This query is not compatible with build mode: none databases, and produces
+no results on those databases.
+
Provide an explicit declaration of the function before invoking it.
@@ -26,4 +29,4 @@ the function declaration has not been included.
-
\ No newline at end of file
+
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
index 6a55557cf70..00b29efbd0f 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
@@ -5,7 +5,7 @@
* may lead to unpredictable behavior.
* @kind problem
* @problem.severity warning
- * @precision medium
+ * @precision high
* @id cpp/implicit-function-declaration
* @tags correctness
* maintainability
@@ -17,6 +17,11 @@ import TooFewArguments
import TooManyArguments
import semmle.code.cpp.commons.Exclusions
+/*
+ * This query is not compatible with build mode: none databases, and produces
+ * no results on those databases.
+ */
+
predicate locInfo(Locatable e, File file, int line, int col) {
e.getFile() = file and
e.getLocation().getStartLine() = line and
@@ -39,6 +44,7 @@ predicate isCompiledAsC(File f) {
from FunctionDeclarationEntry fdeIm, FunctionCall fc
where
isCompiledAsC(fdeIm.getFile()) and
+ not any(Compilation c).buildModeNone() and
not isFromMacroDefinition(fc) and
fdeIm.isImplicit() and
sameLocation(fdeIm, fc) and
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll b/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll
index 2dced5d8d84..dbb457db505 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll
@@ -79,9 +79,7 @@ private predicate hasZeroParamDecl(Function f) {
// True if this file (or header) was compiled as a C file
private predicate isCompiledAsC(File f) {
- f.compiledAsC()
- or
- exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+ exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
}
predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.qll b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.qll
index 218a54b36c5..fd323513a49 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.qll
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.qll
@@ -28,9 +28,7 @@ private predicate hasZeroParamDecl(Function f) {
/* Holds if this file (or header) was compiled as a C file. */
private predicate isCompiledAsC(File f) {
- f.compiledAsC()
- or
- exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+ exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
}
/** Holds if `fc` is a call to `f` with too few arguments. */
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.qll b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.qll
index 7fba78b5550..ab2a98ae3a5 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.qll
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.qll
@@ -19,9 +19,7 @@ private predicate hasZeroParamDecl(Function f) {
// True if this file (or header) was compiled as a C file
private predicate isCompiledAsC(File f) {
- f.compiledAsC()
- or
- exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+ exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
}
predicate tooManyArguments(FunctionCall fc, Function f) {
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index 3f330807304..7d9ef88adea 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -6,7 +6,7 @@
* @kind problem
* @problem.severity warning
* @security-severity 7.8
- * @precision medium
+ * @precision high
* @tags reliability
* security
* external/cwe/cwe-190
diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
index 343e96a00d3..d5a5cd8f665 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -6,7 +6,7 @@
* @kind problem
* @problem.severity warning
* @security-severity 8.8
- * @precision medium
+ * @precision high
* @id cpp/suspicious-add-sizeof
* @tags security
* external/cwe/cwe-468
diff --git a/cpp/ql/src/change-notes/2026-03-23-implicit-function-declaration.md b/cpp/ql/src/change-notes/2026-03-23-implicit-function-declaration.md
new file mode 100644
index 00000000000..8c2c431ec24
--- /dev/null
+++ b/cpp/ql/src/change-notes/2026-03-23-implicit-function-declaration.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query no longer produces results on `build mode: none` databases. These results were found to be very noisy and fundamentally imprecise in this mode.
diff --git a/cpp/ql/src/change-notes/2026-04-02-comparison-with-wider-type.md b/cpp/ql/src/change-notes/2026-04-02-comparison-with-wider-type.md
new file mode 100644
index 00000000000..c84e1dba404
--- /dev/null
+++ b/cpp/ql/src/change-notes/2026-04-02-comparison-with-wider-type.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
diff --git a/cpp/ql/src/change-notes/2026-04-02-implicit-function-declaration.md b/cpp/ql/src/change-notes/2026-04-02-implicit-function-declaration.md
new file mode 100644
index 00000000000..dd0dbd4bc7d
--- /dev/null
+++ b/cpp/ql/src/change-notes/2026-04-02-implicit-function-declaration.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision.
diff --git a/cpp/ql/src/change-notes/2026-04-02-integer-multiplication-cast-to-long.md b/cpp/ql/src/change-notes/2026-04-02-integer-multiplication-cast-to-long.md
new file mode 100644
index 00000000000..cd6796b408f
--- /dev/null
+++ b/cpp/ql/src/change-notes/2026-04-02-integer-multiplication-cast-to-long.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
diff --git a/cpp/ql/src/change-notes/2026-04-02-suspicious-add-sizeof.md b/cpp/ql/src/change-notes/2026-04-02-suspicious-add-sizeof.md
new file mode 100644
index 00000000000..040e89c1347
--- /dev/null
+++ b/cpp/ql/src/change-notes/2026-04-02-suspicious-add-sizeof.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
diff --git a/cpp/ql/src/change-notes/2026-04-02-wrong-type-format-argument.md b/cpp/ql/src/change-notes/2026-04-02-wrong-type-format-argument.md
new file mode 100644
index 00000000000..f8b9085dacc
--- /dev/null
+++ b/cpp/ql/src/change-notes/2026-04-02-wrong-type-format-argument.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.expected b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.expected
new file mode 100644
index 00000000000..a87d2ddbd1b
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.expected
@@ -0,0 +1,2 @@
+| conftest.c.c:4:3:4:8 | call to strlen | This expression has no effect (because $@ has no external side effects). | conftest.h:3:8:3:13 | strlen | strlen |
+| conftest_abc.c:4:3:4:8 | call to strlen | This expression has no effect (because $@ has no external side effects). | conftest.h:3:8:3:13 | strlen | strlen |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref
new file mode 100644
index 00000000000..82a90f5413a
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref
@@ -0,0 +1 @@
+Likely Bugs/Likely Typos/ExprHasNoEffect.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c
new file mode 100644
index 00000000000..2e067f5c433
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c
@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main2() {
+ strlen(""); // GOOD: conftest files are ignored
+ return 0;
+}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c
new file mode 100644
index 00000000000..4ff7c225335
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c
@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main3() {
+ strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers.
+ return 0;
+}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.cpp
new file mode 100644
index 00000000000..7b8edf64261
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.cpp
@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main4() {
+ strlen(""); // GOOD: conftest files are ignored
+ return 0;
+}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.h b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.h
new file mode 100644
index 00000000000..9cf6f7e0d9f
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.h
@@ -0,0 +1,3 @@
+typedef long long size_t;
+
+size_t strlen(const char *s);
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest123.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest123.c
new file mode 100644
index 00000000000..b227d53ad2a
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest123.c
@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main5() {
+ strlen(""); // GOOD: conftest files are ignored
+ return 0;
+}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c
new file mode 100644
index 00000000000..88215d7434c
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c
@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main1() {
+ strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers.
+ return 0;
+}
diff --git a/csharp/ql/examples/snippets/integer_literal.ql b/csharp/ql/examples/snippets/integer_literal.ql
index 4546c1d174b..36791fc8c37 100644
--- a/csharp/ql/examples/snippets/integer_literal.ql
+++ b/csharp/ql/examples/snippets/integer_literal.ql
@@ -9,5 +9,5 @@
import csharp
from IntegerLiteral literal
-where literal.getValue().toInt() = 0
+where literal.getIntValue() = 0
select literal
diff --git a/csharp/ql/lib/Linq/Helpers.qll b/csharp/ql/lib/Linq/Helpers.qll
index d490868f453..912b12b9457 100644
--- a/csharp/ql/lib/Linq/Helpers.qll
+++ b/csharp/ql/lib/Linq/Helpers.qll
@@ -77,7 +77,7 @@ predicate missedAllOpportunity(ForeachStmtGenericEnumerable fes) {
// The then case of the if assigns false to something and breaks out of the loop.
exists(Assignment a, BoolLiteral bl |
a = is.getThen().getAChild*() and
- bl = a.getRValue() and
+ bl = a.getRightOperand() and
bl.toString() = "false"
) and
is.getThen().getAChild*() instanceof BreakStmt
diff --git a/csharp/ql/lib/change-notes/2026-04-01-getlrvalue.md b/csharp/ql/lib/change-notes/2026-04-01-getlrvalue.md
new file mode 100644
index 00000000000..da1a3d62148
--- /dev/null
+++ b/csharp/ql/lib/change-notes/2026-04-01-getlrvalue.md
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The predicates `get[L|R]Value` in the class `Assignment` have been deprecated. Use `get[Left|Right]Operand` instead.
diff --git a/csharp/ql/lib/definitions.qll b/csharp/ql/lib/definitions.qll
index 4feaf20629c..d4f2540bbef 100644
--- a/csharp/ql/lib/definitions.qll
+++ b/csharp/ql/lib/definitions.qll
@@ -96,7 +96,7 @@ private class MethodUse extends Use, QualifiableExpr {
private class AccessUse extends Access, Use {
AccessUse() {
not this.getTarget().(Parameter).getCallable() instanceof Accessor and
- not this = any(LocalVariableDeclAndInitExpr d).getLValue() and
+ not this = any(LocalVariableDeclAndInitExpr d).getLeftOperand() and
not this.isImplicit() and
not this instanceof MethodAccess and // handled by `MethodUse`
not this instanceof TypeAccess and // handled by `TypeMentionUse`
diff --git a/csharp/ql/lib/semmle/code/csharp/Assignable.qll b/csharp/ql/lib/semmle/code/csharp/Assignable.qll
index a0e575218ad..7075626aa3b 100644
--- a/csharp/ql/lib/semmle/code/csharp/Assignable.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Assignable.qll
@@ -235,7 +235,7 @@ private class RefArg extends AssignableAccess {
module AssignableInternal {
private predicate tupleAssignmentDefinition(AssignExpr ae, Expr leaf) {
exists(TupleExpr te |
- ae.getLValue() = te and
+ ae.getLeftOperand() = te and
te.getAnArgument+() = leaf and
// `leaf` is either an assignable access or a local variable declaration
not leaf instanceof TupleExpr
@@ -249,8 +249,8 @@ module AssignableInternal {
*/
private predicate tupleAssignmentPair(AssignExpr ae, Expr left, Expr right) {
tupleAssignmentDefinition(ae, _) and
- left = ae.getLValue() and
- right = ae.getRValue()
+ left = ae.getLeftOperand() and
+ right = ae.getRightOperand()
or
exists(TupleExpr l, TupleExpr r, int i | tupleAssignmentPair(ae, l, r) |
left = l.getArgument(i) and
@@ -291,7 +291,7 @@ module AssignableInternal {
cached
newtype TAssignableDefinition =
TAssignmentDefinition(Assignment a) {
- not a.getLValue() instanceof TupleExpr and
+ not a.getLeftOperand() instanceof TupleExpr and
not a instanceof AssignCallOperation and
not a instanceof AssignCoalesceExpr
} or
@@ -358,7 +358,7 @@ module AssignableInternal {
// Not defined by dispatch in order to avoid too conservative negative recursion error
cached
AssignableAccess getTargetAccess(AssignableDefinition def) {
- def = TAssignmentDefinition(any(Assignment a | a.getLValue() = result))
+ def = TAssignmentDefinition(any(Assignment a | a.getLeftOperand() = result))
or
def = TTupleAssignmentDefinition(_, result)
or
@@ -381,8 +381,8 @@ module AssignableInternal {
tupleAssignmentPair(ae, ac, result)
)
or
- exists(Assignment ass | ac = ass.getLValue() |
- result = ass.getRValue() and
+ exists(Assignment ass | ac = ass.getLeftOperand() |
+ result = ass.getRightOperand() and
not ass instanceof AssignOperation
)
or
@@ -527,7 +527,7 @@ module AssignableDefinitions {
Assignment getAssignment() { result = a }
override Expr getSource() {
- result = a.getRValue() and
+ result = a.getRightOperand() and
not a instanceof AddOrRemoveEventExpr
}
diff --git a/csharp/ql/lib/semmle/code/csharp/Conversion.qll b/csharp/ql/lib/semmle/code/csharp/Conversion.qll
index ec7ef9cac95..e151944dc38 100644
--- a/csharp/ql/lib/semmle/code/csharp/Conversion.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Conversion.qll
@@ -232,14 +232,9 @@ private module Identity {
*/
pragma[nomagic]
private predicate convTypeArguments(Type fromTypeArgument, Type toTypeArgument, int i) {
- exists(int j |
- fromTypeArgument = getTypeArgumentRanked(_, _, i) and
- toTypeArgument = getTypeArgumentRanked(_, _, j) and
- i <= j and
- j <= i
- |
- convIdentity(fromTypeArgument, toTypeArgument)
- )
+ fromTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i)) and
+ toTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i)) and
+ convIdentity(fromTypeArgument, toTypeArgument)
}
pragma[nomagic]
@@ -718,7 +713,7 @@ private class SignedIntegralConstantExpr extends Expr {
}
private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType toType) {
- exists(int n | n = e.getValue().toInt() |
+ exists(int n | n = e.getIntValue() |
toType = any(SByteType t | n in [t.minValue() .. t.maxValue()])
or
toType = any(ByteType t | n in [t.minValue() .. t.maxValue()])
@@ -735,7 +730,7 @@ private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType t
private predicate convConstantLongExpr(SignedIntegralConstantExpr e) {
e.getType() instanceof LongType and
- e.getValue().toInt() >= 0
+ e.getIntValue() >= 0
}
/** 6.1.10: Implicit reference conversions involving type parameters. */
@@ -929,19 +924,16 @@ private module Variance {
private predicate convTypeArguments(
TypeArgument fromTypeArgument, TypeArgument toTypeArgument, int i, TVariance v
) {
- exists(int j |
- fromTypeArgument = getTypeArgumentRanked(_, _, i, _) and
- toTypeArgument = getTypeArgumentRanked(_, _, j, _) and
- i <= j and
- j <= i
- |
+ fromTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i), _) and
+ toTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i), _) and
+ (
convIdentity(fromTypeArgument, toTypeArgument) and
v = TNone()
or
- convRefTypeTypeArgumentOut(fromTypeArgument, toTypeArgument, j) and
+ convRefTypeTypeArgumentOut(fromTypeArgument, toTypeArgument, i) and
v = TOut()
or
- convRefTypeTypeArgumentIn(toTypeArgument, fromTypeArgument, j) and
+ convRefTypeTypeArgumentIn(toTypeArgument, fromTypeArgument, i) and
v = TIn()
)
}
diff --git a/csharp/ql/lib/semmle/code/csharp/PrintAst.qll b/csharp/ql/lib/semmle/code/csharp/PrintAst.qll
index 1ac96c85e78..1fab6b0f8c4 100644
--- a/csharp/ql/lib/semmle/code/csharp/PrintAst.qll
+++ b/csharp/ql/lib/semmle/code/csharp/PrintAst.qll
@@ -343,10 +343,10 @@ final class AssignmentNode extends ControlFlowElementNode {
result.(TypeMentionNode).getTarget() = controlFlowElement
or
childIndex = 0 and
- result.(ElementNode).getElement() = assignment.getLValue()
+ result.(ElementNode).getElement() = assignment.getLeftOperand()
or
childIndex = 1 and
- result.(ElementNode).getElement() = assignment.getRValue()
+ result.(ElementNode).getElement() = assignment.getRightOperand()
}
}
diff --git a/csharp/ql/lib/semmle/code/csharp/Property.qll b/csharp/ql/lib/semmle/code/csharp/Property.qll
index bbd4fdd9d8e..c9a338d0359 100644
--- a/csharp/ql/lib/semmle/code/csharp/Property.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Property.qll
@@ -535,8 +535,8 @@ class Setter extends Accessor, @setter {
exists(AssignExpr assign |
this.getStatementBody().getNumberOfStmts() = 1 and
assign.getParent() = this.getStatementBody().getAChild() and
- assign.getLValue() = result.getAnAccess() and
- assign.getRValue() = accessToValue()
+ assign.getLeftOperand() = result.getAnAccess() and
+ assign.getRightOperand() = accessToValue()
)
}
diff --git a/csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll b/csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll
index b4641560892..776e2e97c37 100644
--- a/csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll
+++ b/csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll
@@ -161,7 +161,7 @@ private newtype TComparisonTest =
compare.getComparisonKind().isCompare() and
outerKind = outer.getComparisonKind() and
outer.getAnArgument() = compare.getExpr() and
- i = outer.getAnArgument().getValue().toInt()
+ i = outer.getAnArgument().getIntValue()
|
outerKind.isEquality() and
(
diff --git a/csharp/ql/lib/semmle/code/csharp/commons/Constants.qll b/csharp/ql/lib/semmle/code/csharp/commons/Constants.qll
index 5025202eb21..a5f1bc43abe 100644
--- a/csharp/ql/lib/semmle/code/csharp/commons/Constants.qll
+++ b/csharp/ql/lib/semmle/code/csharp/commons/Constants.qll
@@ -32,13 +32,13 @@ private module ConstantComparisonOperation {
private int maxValue(Expr expr) {
if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
- then result = expr.getValue().toInt()
+ then result = expr.getIntValue()
else result = convertedType(expr).maxValue()
}
private int minValue(Expr expr) {
if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
- then result = expr.getValue().toInt()
+ then result = expr.getIntValue()
else result = convertedType(expr).minValue()
}
diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
index 03a5aa7e2b7..66b591cfcd2 100644
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
@@ -60,25 +60,16 @@ private module GuardsInput implements
override boolean asBooleanValue() { boolConst(this, result) }
}
- private predicate intConst(Expr e, int i) {
- e.getValue().toInt() = i and
- (
- e.getType() instanceof Enum
- or
- e.getType() instanceof IntegralType
- )
- }
-
private class IntegerConstant extends ConstantExpr {
- IntegerConstant() { intConst(this, _) }
+ IntegerConstant() { exists(this.getIntValue()) }
- override int asIntegerValue() { intConst(this, result) }
+ override int asIntegerValue() { result = this.getIntValue() }
}
private class EnumConst extends ConstantExpr {
EnumConst() { this.getType() instanceof Enum and this.hasValue() }
- override int asIntegerValue() { result = this.getValue().toInt() }
+ override int asIntegerValue() { result = this.getIntValue() }
}
private class StringConstant extends ConstantExpr instanceof StringLiteral {
@@ -136,7 +127,7 @@ private module GuardsInput implements
IdExpr() { this instanceof AssignExpr or this instanceof CastExpr }
Expr getEqualChildExpr() {
- result = this.(AssignExpr).getRValue()
+ result = this.(AssignExpr).getRightOperand()
or
result = this.(CastExpr).getExpr()
}
@@ -517,35 +508,35 @@ class EnumerableCollectionExpr extends Expr {
|
// x.Length == 0
ct.getComparisonKind().isEquality() and
- ct.getAnArgument().getValue().toInt() = 0 and
+ ct.getAnArgument().getIntValue() = 0 and
branch = isEmpty
or
// x.Length == k, k > 0
ct.getComparisonKind().isEquality() and
- ct.getAnArgument().getValue().toInt() > 0 and
+ ct.getAnArgument().getIntValue() > 0 and
branch = true and
isEmpty = false
or
// x.Length != 0
ct.getComparisonKind().isInequality() and
- ct.getAnArgument().getValue().toInt() = 0 and
+ ct.getAnArgument().getIntValue() = 0 and
branch = isEmpty.booleanNot()
or
// x.Length != k, k != 0
ct.getComparisonKind().isInequality() and
- ct.getAnArgument().getValue().toInt() != 0 and
+ ct.getAnArgument().getIntValue() != 0 and
branch = false and
isEmpty = false
or
// x.Length > k, k >= 0
ct.getComparisonKind().isLessThan() and
- ct.getFirstArgument().getValue().toInt() >= 0 and
+ ct.getFirstArgument().getIntValue() >= 0 and
branch = true and
isEmpty = false
or
// x.Length >= k, k > 0
ct.getComparisonKind().isLessThanEquals() and
- ct.getFirstArgument().getValue().toInt() > 0 and
+ ct.getFirstArgument().getIntValue() > 0 and
branch = true and
isEmpty = false
)
@@ -836,7 +827,7 @@ module Internal {
/** Holds if expression `e2` is a `null` value whenever `e1` is. */
predicate nullValueImpliedUnary(Expr e1, Expr e2) {
- e1 = e2.(AssignExpr).getRValue()
+ e1 = e2.(AssignExpr).getRightOperand()
or
e1 = e2.(Cast).getExpr()
or
@@ -923,7 +914,7 @@ module Internal {
/** Holds if expression `e2` is a non-`null` value whenever `e1` is. */
predicate nonNullValueImpliedUnary(Expr e1, Expr e2) {
e1 = e2.(CastExpr).getExpr() or
- e1 = e2.(AssignExpr).getRValue() or
+ e1 = e2.(AssignExpr).getRightOperand() or
e1 = e2.(NullCoalescingOperation).getAnOperand()
}
diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
index e29e92d26eb..dc2c7477a35 100644
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -521,7 +521,7 @@ module Expressions {
// ```
// need special treatment, because the accesses `[0]`, `[1]`, and `[2]`
// have no qualifier.
- this = any(MemberInitializer mi).getLValue()
+ this = any(MemberInitializer mi).getLeftOperand()
) and
not exists(AssignableDefinitions::OutRefDefinition def | def.getTargetAccess() = this)
}
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll
index a82779eaa5d..3d690ee1ac4 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll
@@ -31,7 +31,7 @@ private Expr maybeNullExpr(Expr reason) {
or
result instanceof AsExpr and reason = result
or
- result.(AssignExpr).getRValue() = maybeNullExpr(reason)
+ result.(AssignExpr).getRightOperand() = maybeNullExpr(reason)
or
result.(CastExpr).getExpr() = maybeNullExpr(reason)
or
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll
index af104d777b8..ab1e75b3d0f 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll
@@ -29,4 +29,8 @@ module CsharpDataFlow implements InputSig {
predicate neverSkipInPathGraph(Node n) {
exists(n.(AssignableDefinitionNode).getDefinition().getTargetAccess())
}
+
+ DataFlowType getSourceContextParameterNodeType(Node p) {
+ exists(p) and result.isSourceContextParameterType()
+ }
}
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
index 109c27de67b..ae530b2d451 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -528,7 +528,7 @@ module LocalFlow {
e2 =
any(AssignExpr ae |
ae.getParent() = any(ControlFlowElement cfe | not cfe instanceof ExprStmt) and
- e1 = ae.getRValue()
+ e1 = ae.getRightOperand()
)
or
e1 = e2.(ObjectCreation).getInitializer()
@@ -554,7 +554,7 @@ module LocalFlow {
e2 = we
)
or
- exists(AssignExpr ae | ae.getLValue().(TupleExpr) = e2 and ae.getRValue() = e1)
+ exists(AssignExpr ae | ae.getLeftOperand().(TupleExpr) = e2 and ae.getRightOperand() = e1)
or
exists(ControlFlowElement cfe | cfe = e2.(TupleExpr).(PatternExpr).getPatternMatch() |
cfe.(IsExpr).getExpr() = e1
@@ -795,7 +795,7 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
q = we and
mi = we.getInitializer().getAMemberInitializer() and
f = mi.getInitializedMember() and
- src = mi.getRValue() and
+ src = mi.getRightOperand() and
postUpdate = false
)
or
@@ -804,7 +804,7 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
mi = q.(ObjectInitializer).getAMemberInitializer() and
q.getParent() instanceof ObjectCreation and
f = mi.getInitializedMember() and
- src = mi.getRValue() and
+ src = mi.getRightOperand() and
postUpdate = false
)
or
@@ -879,8 +879,8 @@ private predicate arrayStore(Expr src, Expr a, boolean postUpdate) {
// Member initializer, `new C { Array = { [i] = src } }`
exists(MemberInitializer mi |
mi = a.(ObjectInitializer).getAMemberInitializer() and
- mi.getLValue() instanceof ArrayAccess and
- mi.getRValue() = src and
+ mi.getLeftOperand() instanceof ArrayAccess and
+ mi.getRightOperand() = src and
postUpdate = false
)
}
@@ -1179,7 +1179,8 @@ private module Cached {
cached
newtype TDataFlowType =
TGvnDataFlowType(Gvn::GvnType t) or
- TDelegateDataFlowType(Callable lambda) { lambdaCreationExpr(_, lambda) }
+ TDelegateDataFlowType(Callable lambda) { lambdaCreationExpr(_, lambda) } or
+ TSourceContextParameterType()
}
import Cached
@@ -2394,6 +2395,8 @@ class DataFlowType extends TDataFlowType {
Callable asDelegate() { this = TDelegateDataFlowType(result) }
+ predicate isSourceContextParameterType() { this = TSourceContextParameterType() }
+
/**
* Gets an expression that creates a delegate of this type.
*
@@ -2412,6 +2415,9 @@ class DataFlowType extends TDataFlowType {
result = this.asGvnType().toString()
or
result = this.asDelegate().toString()
+ or
+ this.isSourceContextParameterType() and
+ result = ""
}
}
@@ -2469,6 +2475,11 @@ private predicate compatibleTypesDelegateLeft(DataFlowType dt1, DataFlowType dt2
)
}
+pragma[nomagic]
+private predicate compatibleTypesSourceContextParameterTypeLeft(DataFlowType dt1, DataFlowType dt2) {
+ dt1.isSourceContextParameterType() and not exists(dt2.asDelegate())
+}
+
/**
* Holds if `t1` and `t2` are compatible, that is, whether data can flow from
* a node of type `t1` to a node of type `t2`.
@@ -2499,6 +2510,10 @@ predicate compatibleTypes(DataFlowType dt1, DataFlowType dt2) {
compatibleTypesDelegateLeft(dt2, dt1)
or
dt1.asDelegate() = dt2.asDelegate()
+ or
+ compatibleTypesSourceContextParameterTypeLeft(dt1, dt2)
+ or
+ compatibleTypesSourceContextParameterTypeLeft(dt2, dt1)
}
pragma[nomagic]
@@ -2511,6 +2526,8 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) {
uselessTypebound(t2)
or
compatibleTypesDelegateLeft(t1, t2)
+ or
+ compatibleTypesSourceContextParameterTypeLeft(t1, t2)
}
/**
@@ -2582,7 +2599,7 @@ module PostUpdateNodes {
call.getExpr() = init.(CollectionInitializer).getAnElementInitializer()
or
// E.g. `new Dictionary() { [0] = "a", [1] = "b" }`
- call.getExpr() = init.(ObjectInitializer).getAMemberInitializer().getLValue()
+ call.getExpr() = init.(ObjectInitializer).getAMemberInitializer().getLeftOperand()
)
}
@@ -2795,7 +2812,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
preservesValue = true
or
exists(AddEventExpr aee |
- nodeFrom.asExpr() = aee.getRValue() and
+ nodeFrom.asExpr() = aee.getRightOperand() and
nodeTo.asExpr().(EventRead).getTarget() = aee.getTarget() and
preservesValue = false
)
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
index 024e9cf119d..f8cec8c4d9f 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
@@ -4,13 +4,17 @@
* Provides classes and predicates for dealing with MaD flow models specified
* in data extensions and CSV format.
*
- * The CSV specification has the following columns:
+ * The extensible relations have the following columns:
* - Sources:
* `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
* - Sinks:
* `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
* - Summaries:
* `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
+ * - Barriers:
+ * `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
+ * - BarrierGuards:
+ * `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
* - Neutrals:
* `namespace; type; name; signature; kind; provenance`
* A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
@@ -69,14 +73,17 @@
* - "Field[f]": Selects the contents of field `f`.
* - "Property[p]": Selects the contents of property `p`.
*
- * 8. The `kind` column is a tag that can be referenced from QL to determine to
+ * 8. The `acceptingValue` column of barrier guard models specifies the condition
+ * under which the guard blocks flow. It can be one of "true" or "false". In
+ * the future "no-exception", "not-zero", "null", "not-null" may be supported.
+ * 9. The `kind` column is a tag that can be referenced from QL to determine to
* which classes the interpreted elements should be added. For example, for
* sources "remote" indicates a default remote flow source, and for summaries
* "taint" indicates a default additional taint step and "value" indicates a
* globally applicable value-preserving step. For neutrals the kind can be `summary`,
* `source` or `sink` to indicate that the neutral is neutral with respect to
* flow (no summary), source (is not a source) or sink (is not a sink).
- * 9. The `provenance` column is a tag to indicate the origin and verification of a model.
+ * 10. The `provenance` column is a tag to indicate the origin and verification of a model.
* The format is {origin}-{verification} or just "manual" where the origin describes
* the origin of the model and verification describes how the model has been verified.
* Some examples are:
@@ -230,11 +237,11 @@ module ModelValidation {
result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model."
)
or
- exists(string acceptingvalue |
- barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and
- invalidAcceptingValue(acceptingvalue) and
+ exists(string acceptingValue |
+ barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and
+ invalidAcceptingValue(acceptingValue) and
result =
- "Unrecognized accepting value description \"" + acceptingvalue +
+ "Unrecognized accepting value description \"" + acceptingValue +
"\" in barrier guard model."
)
}
@@ -482,13 +489,13 @@ private module Cached {
private predicate barrierGuardChecks(Guard g, Expr e, GuardValue gv, TKindModelPair kmp) {
exists(
- SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingvalue, string kind,
+ SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingValue, string kind,
string model
|
- isBarrierGuardNode(n, acceptingvalue, kind, model) and
+ isBarrierGuardNode(n, acceptingValue, kind, model) and
n.asNode().asExpr() = e and
kmp = TMkPair(kind, model) and
- gv = convertAcceptingValue(acceptingvalue)
+ gv = convertAcceptingValue(acceptingValue)
|
g.(Call).getAnArgument() = e or g.(QualifiableExpr).getQualifier() = e
)
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll
index 3461f0a5186..cd438ece284 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll
@@ -33,7 +33,7 @@ extensible predicate barrierModel(
*/
extensible predicate barrierGuardModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
- string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
+ string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
);
/**
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
index ec6bbf81fee..a7ab18a6290 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -253,13 +253,13 @@ module SourceSinkInterpretationInput implements
}
predicate barrierGuardElement(
- Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
+ Element e, string input, Public::AcceptingValue acceptingValue, string kind,
Public::Provenance provenance, string model
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
- barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingvalue,
+ barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingValue,
kind, provenance, model) and
e = interpretElement(namespace, type, subtypes, name, signature, ext, _)
)
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll
index 2809f8187b9..83593a5df36 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll
@@ -337,7 +337,7 @@ private module CallGraph {
pred = succ.(DelegateCreation).getArgument()
or
exists(AddEventExpr ae | succ.(EventAccess).getTarget() = ae.getTarget() |
- pred = ae.getRValue()
+ pred = ae.getRightOperand()
)
}
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll
index e3f5deb9898..bea31ed7f55 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll
@@ -23,7 +23,7 @@ predicate systemArrayLengthAccess(PropertyAccess pa) {
* - a read of the `Length` of an array with `val` lengths.
*/
private predicate constantIntegerExpr(ExprNode e, int val) {
- e.getValue().toInt() = val
+ e.getExpr().getIntValue() = val
or
exists(ExprNode src |
e = getAnExplicitDefinitionRead(src) and
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
index 46153f18dae..171f2d2f59e 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
@@ -21,7 +21,7 @@ private module Impl {
/** Holds if SSA definition `def` equals `e + delta`. */
predicate ssaUpdateStep(ExplicitDefinition def, ExprNode e, int delta) {
exists(ControlFlow::Node cfn | cfn = def.getControlFlowNode() |
- e = cfn.(ExprNode::Assignment).getRValue() and
+ e = cfn.(ExprNode::Assignment).getRightOperand() and
delta = 0 and
not cfn instanceof ExprNode::AssignOperation
or
@@ -39,7 +39,7 @@ private module Impl {
/** Holds if `e1 + delta` equals `e2`. */
predicate valueFlowStep(ExprNode e2, ExprNode e1, int delta) {
- e2.(ExprNode::AssignExpr).getRValue() = e1 and delta = 0
+ e2.(ExprNode::AssignExpr).getRightOperand() = e1 and delta = 0
or
e2.(ExprNode::UnaryPlusExpr).getOperand() = e1 and delta = 0
or
@@ -207,13 +207,13 @@ module ExprNode {
override CS::Assignment e;
/** Gets the left operand of this assignment. */
- ExprNode getLValue() {
- result = unique(ExprNode res | hasChild(e, e.getLValue(), this, res) | res)
+ ExprNode getLeftOperand() {
+ result = unique(ExprNode res | hasChild(e, e.getLeftOperand(), this, res) | res)
}
/** Gets the right operand of this assignment. */
- ExprNode getRValue() {
- result = unique(ExprNode res | hasChild(e, e.getRValue(), this, res) | res)
+ ExprNode getRightOperand() {
+ result = unique(ExprNode res | hasChild(e, e.getRightOperand(), this, res) | res)
}
}
@@ -225,6 +225,10 @@ module ExprNode {
/** A compound assignment operation. */
class AssignOperation extends Assignment, BinaryOperation {
override CS::AssignOperation e;
+
+ override ExprNode getLeftOperand() { result = Assignment.super.getLeftOperand() }
+
+ override ExprNode getRightOperand() { result = Assignment.super.getRightOperand() }
}
/** A unary operation. */
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll
index d59d7958765..f64eceda134 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll
@@ -168,7 +168,7 @@ private module Impl {
/** Returned an expression that is assigned to `f`. */
ExprNode getAssignedValueToField(Field f) {
result.getExpr() in [
- f.getAnAssignedValue(), any(AssignOperation a | a.getLValue() = f.getAnAccess())
+ f.getAnAssignedValue(), any(AssignOperation a | a.getLeftOperand() = f.getAnAccess())
]
}
@@ -231,7 +231,7 @@ private module Impl {
/** Returns a sub expression of `e` for expression types where the sign depends on the child. */
ExprNode getASubExprWithSameSign(ExprNode e) {
exists(Expr e_, Expr child | hasChild(e_, child, e, result) |
- child = e_.(AssignExpr).getRValue() or
+ child = e_.(AssignExpr).getRightOperand() or
child = e_.(UnaryPlusExpr).getOperand() or
child = e_.(PostIncrExpr).getOperand() or
child = e_.(PostDecrExpr).getOperand() or
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll
index 89117d90ba7..cf4b44239e9 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll
@@ -55,5 +55,5 @@ ExprNode ssaRead(Definition v, int delta) {
or
v.(ExplicitDefinition).getControlFlowNode().(ExprNode::Assignment) = result and delta = 0
or
- result.(ExprNode::AssignExpr).getRValue() = ssaRead(v, delta)
+ result.(ExprNode::AssignExpr).getRightOperand() = ssaRead(v, delta)
}
diff --git a/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll b/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll
index f7f6c7a50be..770fab65f54 100644
--- a/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll
@@ -1348,7 +1348,7 @@ private module Internal {
any(DynamicMemberAccess dma | this = TDispatchDynamicEventAccess(_, dma, _)).getQualifier()
}
- override Expr getArgument(int i) { i = 0 and result = this.getCall().getRValue() }
+ override Expr getArgument(int i) { i = 0 and result = this.getCall().getRightOperand() }
}
/** A call to a constructor using dynamic types. */
diff --git a/csharp/ql/lib/semmle/code/csharp/exprs/Access.qll b/csharp/ql/lib/semmle/code/csharp/exprs/Access.qll
index 84375bc7013..d9fb16f0974 100644
--- a/csharp/ql/lib/semmle/code/csharp/exprs/Access.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Access.qll
@@ -112,7 +112,7 @@ class BaseAccess extends Access, @base_access_expr {
class MemberAccess extends Access, QualifiableExpr, @member_access_expr {
override predicate hasImplicitThisQualifier() {
QualifiableExpr.super.hasImplicitThisQualifier() and
- not exists(MemberInitializer mi | mi.getLValue() = this)
+ not exists(MemberInitializer mi | mi.getLeftOperand() = this)
}
override Member getQualifiedDeclaration() { result = this.getTarget() }
diff --git a/csharp/ql/lib/semmle/code/csharp/exprs/Assignment.qll b/csharp/ql/lib/semmle/code/csharp/exprs/Assignment.qll
index 467149011d2..8c7dd80da24 100644
--- a/csharp/ql/lib/semmle/code/csharp/exprs/Assignment.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Assignment.qll
@@ -20,14 +20,22 @@ class Assignment extends BinaryOperation, @assign_expr {
expr_parent(_, 1, this)
}
- /** Gets the left operand of this assignment. */
- Expr getLValue() { result = this.getLeftOperand() }
+ /**
+ * DEPRECATED: Use `getLeftOperand` instead.
+ *
+ * Gets the left operand of this assignment.
+ */
+ deprecated Expr getLValue() { result = this.getLeftOperand() }
- /** Gets the right operand of this assignment. */
- Expr getRValue() { result = this.getRightOperand() }
+ /**
+ * DEPRECATED: Use `getRightOperand` instead.
+ *
+ * Gets the right operand of this assignment.
+ */
+ deprecated Expr getRValue() { result = this.getRightOperand() }
/** Gets the variable being assigned to, if any. */
- Variable getTargetVariable() { result.getAnAccess() = this.getLValue() }
+ Variable getTargetVariable() { result.getAnAccess() = this.getLeftOperand() }
override string getOperator() { none() }
}
@@ -40,7 +48,12 @@ class LocalVariableDeclAndInitExpr extends LocalVariableDeclExpr, Assignment {
override LocalVariable getTargetVariable() { result = this.getVariable() }
- override LocalVariableAccess getLValue() { result = Assignment.super.getLValue() }
+ /**
+ * DEPRECATED: Use `getLeftOperand` instead.
+ */
+ deprecated override LocalVariableAccess getLValue() { result = this.getLeftOperand() }
+
+ override LocalVariableAccess getLeftOperand() { result = Assignment.super.getLeftOperand() }
override string toString() { result = LocalVariableDeclExpr.super.toString() + " = ..." }
@@ -223,9 +236,12 @@ deprecated class AssignUnsighedRightShiftExpr = AssignUnsignedRightShiftExpr;
*/
class AddOrRemoveEventExpr extends AssignOperation, @assign_event_expr {
/** Gets the event targeted by this event assignment. */
- Event getTarget() { result = this.getLValue().getTarget() }
+ Event getTarget() { result = this.getLeftOperand().getTarget() }
- override EventAccess getLValue() { result = this.getChild(0) }
+ /**
+ * DEPRECATED: Use `getLeftOperand` instead.
+ */
+ deprecated override EventAccess getLValue() { result = this.getLeftOperand() }
override EventAccess getLeftOperand() { result = this.getChild(0) }
}
diff --git a/csharp/ql/lib/semmle/code/csharp/exprs/Call.qll b/csharp/ql/lib/semmle/code/csharp/exprs/Call.qll
index 0d9e414a5c4..272a8e0caae 100644
--- a/csharp/ql/lib/semmle/code/csharp/exprs/Call.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Call.qll
@@ -773,7 +773,7 @@ class EventCall extends AccessorCall, EventAccessExpr {
override EventAccessor getTarget() {
exists(Event e, AddOrRemoveEventExpr aoree |
e = this.getEvent() and
- aoree.getLValue() = this
+ aoree.getLeftOperand() = this
|
aoree instanceof AddEventExpr and result = e.getAddEventAccessor()
or
@@ -784,8 +784,8 @@ class EventCall extends AccessorCall, EventAccessExpr {
override Expr getArgument(int i) {
i = 0 and
exists(AddOrRemoveEventExpr aoree |
- aoree.getLValue() = this and
- result = aoree.getRValue()
+ aoree.getLeftOperand() = this and
+ result = aoree.getRightOperand()
)
}
diff --git a/csharp/ql/lib/semmle/code/csharp/exprs/Creation.qll b/csharp/ql/lib/semmle/code/csharp/exprs/Creation.qll
index 0e16e0da9c3..19ff9fac53b 100644
--- a/csharp/ql/lib/semmle/code/csharp/exprs/Creation.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Creation.qll
@@ -95,7 +95,7 @@ class MemberInitializer extends AssignExpr {
MemberInitializer() { this.getParent() instanceof ObjectInitializer }
/** Gets the initialized member. */
- Member getInitializedMember() { result.getAnAccess() = this.getLValue() }
+ Member getInitializedMember() { result.getAnAccess() = this.getLeftOperand() }
override string getAPrimaryQlClass() { result = "MemberInitializer" }
}
diff --git a/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll b/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
index 66764d06479..a26afb00490 100644
--- a/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
@@ -57,6 +57,13 @@ class Expr extends ControlFlowElement, @expr {
/** Gets the value of this expression, if any */
string getValue() { expr_value(this, result) }
+ /** Gets the integer value of this expression, if any. */
+ cached
+ int getIntValue() {
+ result = this.getValue().toInt() and
+ (this.getType() instanceof IntegralType or this.getType() instanceof Enum)
+ }
+
/** Holds if this expression has a value. */
final predicate hasValue() { exists(this.getValue()) }
@@ -1099,7 +1106,7 @@ class QualifiableExpr extends Expr, @qualifiable_expr {
}
private Expr getAnAssignOrForeachChild() {
- result = any(AssignExpr e).getLValue()
+ result = any(AssignExpr e).getLeftOperand()
or
result = any(ForeachStmt fs).getVariableDeclTuple()
or
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Moq.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Moq.qll
index 9ab9a026fd2..0beec9a84b2 100644
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/Moq.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Moq.qll
@@ -41,6 +41,6 @@ class ReturnedByMockObject extends ObjectCreation {
* Gets a value used to initialize a member of this object creation.
*/
Expr getAMemberInitializationValue() {
- result = this.getInitializer().(ObjectInitializer).getAMemberInitializer().getRValue()
+ result = this.getInitializer().(ObjectInitializer).getAMemberInitializer().getRightOperand()
}
}
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
index 6b1eb7b67fb..58d6d68bf0e 100644
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
@@ -17,14 +17,14 @@ abstract class SqlExpr extends Expr {
class CommandTextAssignmentSqlExpr extends SqlExpr, AssignExpr {
CommandTextAssignmentSqlExpr() {
exists(Property p, SystemDataIDbCommandInterface i, Property text |
- p = this.getLValue().(PropertyAccess).getTarget() and
+ p = this.getLeftOperand().(PropertyAccess).getTarget() and
text = i.getCommandTextProperty()
|
p.overridesOrImplementsOrEquals(text)
)
}
- override Expr getSql() { result = this.getRValue() }
+ override Expr getSql() { result = this.getRightOperand() }
}
/** A construction of an unknown `IDbCommand` object. */
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll
index 2c0ba292b9c..aca2cb2cb1c 100644
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll
@@ -81,7 +81,7 @@ class SystemRuntimeCompilerServicesInlineArrayAttribute extends Attribute {
/**
* Gets the length of the inline array.
*/
- int getLength() { result = this.getConstructorArgument(0).getValue().toInt() }
+ int getLength() { result = this.getConstructorArgument(0).getIntValue() }
}
/** An attribute of type `System.Runtime.CompilerServices.OverloadResolutionPriority`. */
@@ -94,5 +94,5 @@ class SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute extends A
/**
* Gets the priority number.
*/
- int getPriority() { result = this.getConstructorArgument(0).getValue().toInt() }
+ int getPriority() { result = this.getConstructorArgument(0).getIntValue() }
}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
index 56b6294949b..e7cb6d8e308 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
@@ -100,20 +100,20 @@ Expr getAValueForCookiePolicyProp(string prop) {
Expr getAValueForProp(ObjectCreation create, Assignment a, string prop) {
// values set in object init
exists(MemberInitializer init, Expr src, PropertyAccess pa |
- a.getLValue() = pa and
+ a.getLeftOperand() = pa and
pa.getTarget().hasName(prop) and
init = create.getInitializer().(ObjectInitializer).getAMemberInitializer() and
- init.getLValue() = pa and
- DataFlow::localExprFlow(src, init.getRValue()) and
+ init.getLeftOperand() = pa and
+ DataFlow::localExprFlow(src, init.getRightOperand()) and
result = src
)
or
// values set on var that create is assigned to
exists(Expr src, PropertyAccess pa |
- a.getLValue() = pa and
+ a.getLeftOperand() = pa and
pa.getTarget().hasName(prop) and
DataFlow::localExprFlow(create, pa.getQualifier()) and
- DataFlow::localExprFlow(src, a.getRValue()) and
+ DataFlow::localExprFlow(src, a.getRightOperand()) and
result = src
)
}
@@ -138,15 +138,15 @@ private module OnAppendCookieTrackingConfig impl
exists(PropertyWrite pw, Assignment delegateAssign, Callable c |
pw.getProperty().getName() = "OnAppendCookie" and
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreBuilderCookiePolicyOptions and
- delegateAssign.getLValue() = pw and
+ delegateAssign.getLeftOperand() = pw and
(
exists(LambdaExpr lambda |
- delegateAssign.getRValue() = lambda and
+ delegateAssign.getRightOperand() = lambda and
lambda = c
)
or
exists(DelegateCreation delegate |
- delegateAssign.getRValue() = delegate and
+ delegateAssign.getRightOperand() = delegate and
delegate.getArgument().(CallableAccess).getTarget() = c
)
) and
@@ -159,9 +159,9 @@ private module OnAppendCookieTrackingConfig impl
exists(PropertyWrite pw, Assignment a |
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
pw.getProperty().getName() = getPropertyName() and
- a.getLValue() = pw and
+ a.getLeftOperand() = pw and
exists(Expr val |
- DataFlow::localExprFlow(val, a.getRValue()) and
+ DataFlow::localExprFlow(val, a.getRightOperand()) and
val.getValue() = "true"
) and
sink.asExpr() = pw.getQualifier()
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
index 5b2bd407a5c..3c8911ef807 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
@@ -126,16 +126,16 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
or
node1.getType() instanceof TypeNameHandlingEnum and
exists(PropertyWrite pw, Property p, Assignment a |
- a.getLValue() = pw and
+ a.getLeftOperand() = pw and
pw.getProperty() = p and
p.getDeclaringType() instanceof JsonSerializerSettingsClass and
p.hasName("TypeNameHandling") and
(
- node1.asExpr() = a.getRValue() and
+ node1.asExpr() = a.getRightOperand() and
node2.asExpr() = pw.getQualifier()
or
exists(ObjectInitializer oi |
- node1.asExpr() = oi.getAMemberInitializer().getRValue() and
+ node1.asExpr() = oi.getAMemberInitializer().getRightOperand() and
node2.asExpr() = oi
)
)
diff --git a/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll
index 1abeaf797b0..765dc2adf54 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll
@@ -84,15 +84,15 @@ private Expr getAValueForProp(ObjectCreation create, string prop) {
// values set in object init
exists(MemberInitializer init |
init = create.getInitializer().(ObjectInitializer).getAMemberInitializer() and
- init.getLValue().(PropertyAccess).getTarget().hasName(prop) and
- result = init.getRValue()
+ init.getLeftOperand().(PropertyAccess).getTarget().hasName(prop) and
+ result = init.getRightOperand()
)
or
// values set on var that create is assigned to
exists(Assignment propAssign |
- DataFlow::localExprFlow(create, propAssign.getLValue().(PropertyAccess).getQualifier()) and
- propAssign.getLValue().(PropertyAccess).getTarget().hasName(prop) and
- result = propAssign.getRValue()
+ DataFlow::localExprFlow(create, propAssign.getLeftOperand().(PropertyAccess).getQualifier()) and
+ propAssign.getLeftOperand().(PropertyAccess).getTarget().hasName(prop) and
+ result = propAssign.getRightOperand()
)
}
diff --git a/csharp/ql/src/Dead Code/NonAssignedFields.ql b/csharp/ql/src/Dead Code/NonAssignedFields.ql
index 83aa889b77c..b9e86809749 100644
--- a/csharp/ql/src/Dead Code/NonAssignedFields.ql
+++ b/csharp/ql/src/Dead Code/NonAssignedFields.ql
@@ -84,9 +84,9 @@ where
not f.getDeclaringType() instanceof Enum and
not f.getType() instanceof Struct and
not exists(Assignment ae, Field g |
- ae.getLValue().(FieldAccess).getTarget() = g and
+ ae.getLeftOperand().(FieldAccess).getTarget() = g and
g.getUnboundDeclaration() = f and
- not ae.getRValue() instanceof NullLiteral
+ not ae.getRightOperand() instanceof NullLiteral
) and
not exists(MethodCall mc, int i, Field g |
exists(Parameter p | mc.getTarget().getParameter(i) = p | p.isOut() or p.isRef()) and
@@ -101,7 +101,7 @@ where
not init instanceof NullLiteral
) and
not exists(AssignOperation ua, Field g |
- ua.getLValue().(FieldAccess).getTarget() = g and
+ ua.getLeftOperand().(FieldAccess).getTarget() = g and
g.getUnboundDeclaration() = f
) and
not exists(MutatorOperation op |
diff --git a/csharp/ql/src/Language Abuse/ForeachCapture.ql b/csharp/ql/src/Language Abuse/ForeachCapture.ql
index 03f1f99a044..2ed24b42eba 100644
--- a/csharp/ql/src/Language Abuse/ForeachCapture.ql
+++ b/csharp/ql/src/Language Abuse/ForeachCapture.ql
@@ -60,16 +60,16 @@ module LambdaDataFlow {
}
Element getAssignmentTarget(Expr e) {
- exists(Assignment a | a.getRValue() = e |
- result = a.getLValue().(PropertyAccess).getTarget() or
- result = a.getLValue().(FieldAccess).getTarget() or
- result = a.getLValue().(LocalVariableAccess).getTarget() or
- result = a.getLValue().(EventAccess).getTarget()
+ exists(Assignment a | a.getRightOperand() = e |
+ result = a.getLeftOperand().(PropertyAccess).getTarget() or
+ result = a.getLeftOperand().(FieldAccess).getTarget() or
+ result = a.getLeftOperand().(LocalVariableAccess).getTarget() or
+ result = a.getLeftOperand().(EventAccess).getTarget()
)
or
exists(AddEventExpr aee |
- e = aee.getRValue() and
- result = aee.getLValue().getTarget()
+ e = aee.getRightOperand() and
+ result = aee.getLeftOperand().getTarget()
)
or
result = getCollectionAssignmentTarget(e)
@@ -97,8 +97,8 @@ Element getCollectionAssignmentTarget(Expr e) {
// Store values using indexer
exists(IndexerAccess ia, AssignExpr ae |
ia.getQualifier() = result.(Variable).getAnAccess() and
- ia = ae.getLValue() and
- e = ae.getRValue()
+ ia = ae.getLeftOperand() and
+ e = ae.getRightOperand()
)
}
diff --git a/csharp/ql/src/Language Abuse/MissedTernaryOpportunity.ql b/csharp/ql/src/Language Abuse/MissedTernaryOpportunity.ql
index bd7492b8583..01d6baa9573 100644
--- a/csharp/ql/src/Language Abuse/MissedTernaryOpportunity.ql
+++ b/csharp/ql/src/Language Abuse/MissedTernaryOpportunity.ql
@@ -15,7 +15,7 @@ import csharp
import semmle.code.csharp.commons.StructuralComparison
private Expr getAssignedExpr(Stmt stmt) {
- result = stmt.stripSingletonBlocks().(ExprStmt).getExpr().(AssignExpr).getLValue()
+ result = stmt.stripSingletonBlocks().(ExprStmt).getExpr().(AssignExpr).getLeftOperand()
}
from IfStmt is, string what
diff --git a/csharp/ql/src/Likely Bugs/BadCheckOdd.ql b/csharp/ql/src/Likely Bugs/BadCheckOdd.ql
index 34ae4b632ae..72924f9103d 100644
--- a/csharp/ql/src/Likely Bugs/BadCheckOdd.ql
+++ b/csharp/ql/src/Likely Bugs/BadCheckOdd.ql
@@ -13,7 +13,7 @@
import csharp
predicate isDefinitelyPositive(Expr e) {
- e.getValue().toInt() >= 0 or
+ e.getIntValue() >= 0 or
e.(PropertyAccess).getTarget().hasName("Length") or
e.(MethodCall).getTarget().hasUndecoratedName("Count")
}
@@ -23,12 +23,12 @@ where
t.getLeftOperand() = lhs and
t.getRightOperand() = rhs and
not isDefinitelyPositive(lhs.getLeftOperand().stripCasts()) and
- lhs.getRightOperand().(IntegerLiteral).getValue() = "2" and
+ lhs.getRightOperand().(IntegerLiteral).getIntValue() = 2 and
(
- t instanceof EQExpr and rhs.getValue() = "1" and parity = "oddness"
+ t instanceof EQExpr and rhs.getIntValue() = 1 and parity = "oddness"
or
- t instanceof NEExpr and rhs.getValue() = "1" and parity = "evenness"
+ t instanceof NEExpr and rhs.getIntValue() = 1 and parity = "evenness"
or
- t instanceof GTExpr and rhs.getValue() = "0" and parity = "oddness"
+ t instanceof GTExpr and rhs.getIntValue() = 0 and parity = "oddness"
)
select t, "Possibly invalid test for " + parity + ". This will fail for negative numbers."
diff --git a/csharp/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql b/csharp/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
index 5fcb140e679..046099213cc 100644
--- a/csharp/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
+++ b/csharp/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
@@ -23,9 +23,10 @@ where
) and
forex(Access a | a = v.getAnAccess() |
a = any(ModifierMethodCall m).getQualifier() or
- a = any(AssignExpr ass | ass.getRValue() instanceof ObjectCreation).getLValue() or
+ a = any(AssignExpr ass | ass.getRightOperand() instanceof ObjectCreation).getLeftOperand() or
a =
- any(LocalVariableDeclAndInitExpr ass | ass.getRValue() instanceof ObjectCreation).getLValue()
+ any(LocalVariableDeclAndInitExpr ass | ass.getRightOperand() instanceof ObjectCreation)
+ .getLeftOperand()
) and
not v = any(ForeachStmt fs).getVariable() and
not v = any(BindingPatternExpr vpe).getVariableDeclExpr().getVariable() and
diff --git a/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.ql b/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.ql
index c8df36bf7bf..3e54a3a00db 100644
--- a/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.ql
+++ b/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.ql
@@ -27,8 +27,8 @@ predicate isExactEraStartDateCreation(ObjectCreation cr) {
cr.getType().hasFullyQualifiedName("System", "DateTime") or
cr.getType().hasFullyQualifiedName("System", "DateTimeOffset")
) and
- isEraStart(cr.getArgument(0).getValue().toInt(), cr.getArgument(1).getValue().toInt(),
- cr.getArgument(2).getValue().toInt())
+ isEraStart(cr.getArgument(0).getIntValue(), cr.getArgument(1).getIntValue(),
+ cr.getArgument(2).getIntValue())
}
predicate isDateFromJapaneseCalendarToDateTime(MethodCall mc) {
@@ -44,7 +44,7 @@ predicate isDateFromJapaneseCalendarToDateTime(MethodCall mc) {
mc.getNumberOfArguments() = 7 // implicitly current era
or
mc.getNumberOfArguments() = 8 and
- mc.getArgument(7).getValue() = "0"
+ mc.getArgument(7).getIntValue() = 0
) // explicitly current era
}
diff --git a/csharp/ql/src/Likely Bugs/PossibleLossOfPrecision.ql b/csharp/ql/src/Likely Bugs/PossibleLossOfPrecision.ql
index 8b719bb92a5..1c41d24fb3c 100644
--- a/csharp/ql/src/Likely Bugs/PossibleLossOfPrecision.ql
+++ b/csharp/ql/src/Likely Bugs/PossibleLossOfPrecision.ql
@@ -40,8 +40,8 @@ predicate convertedToFloatOrDecimal(Expr e, Type t) {
/** Holds if `div` is an exact integer division. */
predicate exactDivision(DivExpr div) {
exists(int numerator, int denominator |
- numerator = div.getNumerator().stripCasts().getValue().toInt() and
- denominator = div.getDenominator().stripCasts().getValue().toInt() and
+ numerator = div.getNumerator().stripCasts().getIntValue() and
+ denominator = div.getDenominator().stripCasts().getIntValue() and
numerator % denominator = 0
)
}
diff --git a/csharp/ql/src/Likely Bugs/SelfAssignment.ql b/csharp/ql/src/Likely Bugs/SelfAssignment.ql
index f01a1378242..6e51b87a779 100644
--- a/csharp/ql/src/Likely Bugs/SelfAssignment.ql
+++ b/csharp/ql/src/Likely Bugs/SelfAssignment.ql
@@ -19,7 +19,7 @@ private predicate candidate(AssignExpr ae) {
not ae instanceof MemberInitializer and
// Enum field initializers are never self assignments. `enum E { A = 42 }`
not ae.getParent().(Field).getDeclaringType() instanceof Enum and
- forall(Expr e | e = ae.getLValue().getAChildExpr*() |
+ forall(Expr e | e = ae.getLeftOperand().getAChildExpr*() |
// Non-trivial property accesses may have side-effects,
// so these are not considered
e instanceof PropertyAccess implies e instanceof TrivialPropertyAccess
@@ -28,7 +28,7 @@ private predicate candidate(AssignExpr ae) {
private predicate selfAssignExpr(AssignExpr ae) {
candidate(ae) and
- sameGvn(ae.getLValue(), ae.getRValue())
+ sameGvn(ae.getLeftOperand(), ae.getRightOperand())
}
private Declaration getDeclaration(Expr e) {
@@ -40,5 +40,5 @@ private Declaration getDeclaration(Expr e) {
}
from AssignExpr ae, Declaration target
-where selfAssignExpr(ae) and target = getDeclaration(ae.getLValue())
+where selfAssignExpr(ae) and target = getDeclaration(ae.getLeftOperand())
select ae, "This assignment assigns $@ to itself.", target, target.getName()
diff --git a/csharp/ql/src/Linq/BadMultipleIteration.ql b/csharp/ql/src/Linq/BadMultipleIteration.ql
index 8146bbf167d..0f9e335e225 100644
--- a/csharp/ql/src/Linq/BadMultipleIteration.ql
+++ b/csharp/ql/src/Linq/BadMultipleIteration.ql
@@ -50,7 +50,7 @@ predicate potentiallyConsumingAccess(VariableAccess va) {
Expr sequenceSource(IEnumerableSequence seq) {
result = seq.getInitializer()
or
- exists(Assignment a | a.getLValue() = seq.getAnAccess() and result = a.getRValue())
+ exists(Assignment a | a.getLeftOperand() = seq.getAnAccess() and result = a.getRightOperand())
}
from IEnumerableSequence seq, VariableAccess va
diff --git a/csharp/ql/src/Performance/StringConcatenationInLoop.ql b/csharp/ql/src/Performance/StringConcatenationInLoop.ql
index 3b3228588a4..d27b99e7bdd 100644
--- a/csharp/ql/src/Performance/StringConcatenationInLoop.ql
+++ b/csharp/ql/src/Performance/StringConcatenationInLoop.ql
@@ -24,7 +24,7 @@ class StringCat extends AddExpr {
*/
predicate isSelfConcatAssignExpr(AssignExpr e, Variable v) {
exists(VariableAccess use |
- stringCatContains(e.getRValue(), use) and
+ stringCatContains(e.getRightOperand(), use) and
use.getTarget() = e.getTargetVariable() and
v = use.getTarget()
)
@@ -41,7 +41,7 @@ predicate stringCatContains(StringCat expr, Expr child) {
* where `v` is a simple variable (and not, for example, a property).
*/
predicate isConcatExpr(AssignAddExpr e, Variable v) {
- e.getLValue().getType() instanceof StringType and
+ e.getLeftOperand().getType() instanceof StringType and
v = e.getTargetVariable()
}
diff --git a/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql b/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
index dcc520540bb..f72de01b5db 100644
--- a/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
@@ -27,8 +27,8 @@ predicate cookieAppendHttpOnlyByDefault() {
predicate httpOnlyFalse(ObjectCreation oc) {
exists(Assignment a |
- getAValueForProp(oc, a, "HttpOnly") = a.getRValue() and
- a.getRValue().getValue() = "false"
+ getAValueForProp(oc, a, "HttpOnly") = a.getRightOperand() and
+ a.getRightOperand().getValue() = "false"
)
}
@@ -100,8 +100,8 @@ predicate nonHttpOnlyCookieBuilderAssignment(Assignment a, Expr val) {
MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
) and
pw.getProperty().getName() = "HttpOnly" and
- a.getLValue() = pw and
- DataFlow::localExprFlow(val, a.getRValue())
+ a.getLeftOperand() = pw and
+ DataFlow::localExprFlow(val, a.getRightOperand())
)
}
@@ -111,7 +111,7 @@ where
nonHttpOnlyCookieCall(httpOnlySink)
or
exists(Assignment a |
- httpOnlySink = a.getRValue() and
+ httpOnlySink = a.getRightOperand() and
nonHttpOnlyCookieBuilderAssignment(a, _)
)
)
diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
index 330ad1c1c32..a1dd249faba 100644
--- a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
+++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
@@ -35,8 +35,8 @@ module InsecureSqlConnectionConfig implements DataFlow::ConfigSig {
) and
not exists(MemberInitializer mi |
mi = oc.getInitializer().(ObjectInitializer).getAMemberInitializer() and
- mi.getLValue().(PropertyAccess).getTarget().getName() = "Encrypt" and
- mi.getRValue().(BoolLiteral).getValue() = "true"
+ mi.getLeftOperand().(PropertyAccess).getTarget().getName() = "Encrypt" and
+ mi.getRightOperand().(BoolLiteral).getValue() = "true"
)
)
}
diff --git a/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql b/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
index ce1f75d627c..1149b4bcad2 100644
--- a/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
+++ b/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
@@ -31,8 +31,8 @@ predicate cookieAppendSecureByDefault() {
predicate secureFalse(ObjectCreation oc) {
exists(Assignment a |
- getAValueForProp(oc, a, "Secure") = a.getRValue() and
- a.getRValue().getValue() = "false"
+ getAValueForProp(oc, a, "Secure") = a.getRightOperand() and
+ a.getRightOperand().getValue() = "false"
)
}
@@ -96,8 +96,8 @@ predicate insecureSecurePolicyAssignment(Assignment a, Expr val) {
MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
) and
pw.getProperty().getName() = "SecurePolicy" and
- a.getLValue() = pw and
- DataFlow::localExprFlow(val, a.getRValue()) and
+ a.getLeftOperand() = pw and
+ DataFlow::localExprFlow(val, a.getRightOperand()) and
val.getValue() = "2" // None
)
}
@@ -107,7 +107,7 @@ where
insecureCookieCall(secureSink)
or
exists(Assignment a |
- secureSink = a.getRValue() and
+ secureSink = a.getRightOperand() and
insecureSecurePolicyAssignment(a, _)
)
select secureSink, "Cookie attribute 'Secure' is not set to true."
diff --git a/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql b/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
index 9c6e6935186..59a6340104a 100644
--- a/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
+++ b/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
@@ -14,11 +14,11 @@ import csharp
from Assignment a, PropertyAccess pa
where
- a.getLValue() = pa and
+ a.getLeftOperand() = pa and
pa.getTarget().hasName("Domain") and
pa.getTarget().getDeclaringType().hasFullyQualifiedName("System.Web", "HttpCookie") and
(
- a.getRValue().getValue().regexpReplaceAll("[^.]", "").length() < 2 or
- a.getRValue().getValue().matches(".%")
+ a.getRightOperand().getValue().regexpReplaceAll("[^.]", "").length() < 2 or
+ a.getRightOperand().getValue().matches(".%")
)
select a, "Overly broad domain for cookie."
diff --git a/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql b/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
index 6690cac47d2..d659f7c8dc5 100644
--- a/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
+++ b/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
@@ -14,8 +14,8 @@ import csharp
from Assignment a, PropertyAccess pa
where
- a.getLValue() = pa and
+ a.getLeftOperand() = pa and
pa.getTarget().hasName("Path") and
pa.getTarget().getDeclaringType().hasFullyQualifiedName("System.Web", "HttpCookie") and
- a.getRValue().getValue() = "/"
+ a.getRightOperand().getValue() = "/"
select a, "Overly broad path for cookie."
diff --git a/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql b/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
index 7a3a5fdc4f2..bc9bf289c2d 100644
--- a/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
+++ b/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
@@ -17,12 +17,12 @@ from Element l
where
// header checking is disabled programmatically in the code
exists(Assignment a, PropertyAccess pa |
- a.getLValue() = pa and
+ a.getLeftOperand() = pa and
pa.getTarget().hasName("EnableHeaderChecking") and
pa.getTarget()
.getDeclaringType()
.hasFullyQualifiedName("System.Web.Configuration", "HttpRuntimeSection") and
- a.getRValue().getValue() = "false" and
+ a.getRightOperand().getValue() = "false" and
a = l
)
or
diff --git a/csharp/ql/src/Security Features/InsecureRandomness.ql b/csharp/ql/src/Security Features/InsecureRandomness.ql
index 8237afdff13..649969a2778 100644
--- a/csharp/ql/src/Security Features/InsecureRandomness.ql
+++ b/csharp/ql/src/Security Features/InsecureRandomness.ql
@@ -89,10 +89,10 @@ module Random {
e = any(SensitiveLibraryParameter v).getAnAssignedArgument()
or
// Assignment operation, e.g. += or similar
- exists(AssignOperation ao | ao.getRValue() = e |
- ao.getLValue() = any(SensitiveVariable v).getAnAccess() or
- ao.getLValue() = any(SensitiveProperty v).getAnAccess() or
- ao.getLValue() = any(SensitiveLibraryParameter v).getAnAccess()
+ exists(AssignOperation ao | ao.getRightOperand() = e |
+ ao.getLeftOperand() = any(SensitiveVariable v).getAnAccess() or
+ ao.getLeftOperand() = any(SensitiveProperty v).getAnAccess() or
+ ao.getLeftOperand() = any(SensitiveLibraryParameter v).getAnAccess()
)
)
}
diff --git a/csharp/ql/src/Security Features/InsufficientKeySize.ql b/csharp/ql/src/Security Features/InsufficientKeySize.ql
index 94ae6b9286f..98a7852fbaf 100644
--- a/csharp/ql/src/Security Features/InsufficientKeySize.ql
+++ b/csharp/ql/src/Security Features/InsufficientKeySize.ql
@@ -20,7 +20,7 @@ predicate incorrectUseOfRC2(Assignment e, string msg) {
.getDeclaringType()
.hasFullyQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider")
) and
- e.getRValue().getValue().toInt() < 128 and
+ e.getRightOperand().getIntValue() < 128 and
msg = "Key size should be at least 128 bits for RC2 encryption."
}
@@ -28,7 +28,7 @@ predicate incorrectUseOfDsa(ObjectCreation e, string msg) {
e.getTarget()
.getDeclaringType()
.hasFullyQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
- exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
+ exists(Expr i | e.getArgument(0) = i and i.getIntValue() < 2048) and
msg = "Key size should be at least 2048 bits for DSA encryption."
}
@@ -36,7 +36,7 @@ predicate incorrectUseOfRsa(ObjectCreation e, string msg) {
e.getTarget()
.getDeclaringType()
.hasFullyQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and
- exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
+ exists(Expr i | e.getArgument(0) = i and i.getIntValue() < 2048) and
msg = "Key size should be at least 2048 bits for RSA encryption."
}
diff --git a/csharp/ql/src/Security Features/PersistentCookie.ql b/csharp/ql/src/Security Features/PersistentCookie.ql
index 7f9861213fc..edc97b464e5 100644
--- a/csharp/ql/src/Security Features/PersistentCookie.ql
+++ b/csharp/ql/src/Security Features/PersistentCookie.ql
@@ -52,8 +52,8 @@ class FutureDateExpr extends MethodCall {
from Assignment a, PropertyAccess pa, FutureDateExpr fde
where
- a.getLValue() = pa and
- a.getRValue() = fde and
+ a.getLeftOperand() = pa and
+ a.getRightOperand() = fde and
pa.getTarget().hasName("Expires") and
pa.getTarget().getDeclaringType().hasFullyQualifiedName("System.Web", "HttpCookie") and
(fde.timeIsNotClear() or fde.getTimeInSecond() > 300) // 5 minutes max
diff --git a/csharp/ql/src/Telemetry/DatabaseQuality.qll b/csharp/ql/src/Telemetry/DatabaseQuality.qll
index ca2ab3e7e16..ad7ac682bf5 100644
--- a/csharp/ql/src/Telemetry/DatabaseQuality.qll
+++ b/csharp/ql/src/Telemetry/DatabaseQuality.qll
@@ -27,7 +27,7 @@ module CallTargetStats implements StatsSig {
p = c.getProperty() and
not p.getAnAccessor() instanceof Setter and
assign = c.getParent() and
- assign.getLValue() = c and
+ assign.getLeftOperand() = c and
assign.getParent() instanceof Property
)
}
@@ -36,7 +36,7 @@ module CallTargetStats implements StatsSig {
exists(Property p, AssignExpr assign |
p = c.getProperty() and
assign = c.getParent() and
- assign.getLValue() = c and
+ assign.getLeftOperand() = c and
assign.getParent() instanceof ObjectInitializer and
assign.getParent().getParent() instanceof AnonymousObjectCreation
)
@@ -46,8 +46,8 @@ module CallTargetStats implements StatsSig {
exists(Property p, AssignExpr assign |
p = c.getProperty() and
assign = c.getParent() and
- assign.getLValue() = c and
- assign.getRValue() instanceof ObjectOrCollectionInitializer
+ assign.getLeftOperand() = c and
+ assign.getRightOperand() instanceof ObjectOrCollectionInitializer
)
}
diff --git a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
index d43050c2deb..0dc8fc362d6 100644
--- a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
+++ b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
@@ -187,10 +187,10 @@ module HashWithoutSaltConfig implements DataFlow::ConfigSig {
or
// a salt or key is included in subclasses of `KeyedHashAlgorithm`
exists(MethodCall mc, Assignment a, ObjectCreation oc |
- a.getRValue() = oc and
+ a.getRightOperand() = oc and
oc.getObjectType().getABaseType+() instanceof KeyedHashAlgorithm and
mc.getTarget() instanceof HashMethod and
- a.getLValue() = mc.getQualifier().(VariableAccess).getTarget().getAnAccess() and
+ a.getLeftOperand() = mc.getQualifier().(VariableAccess).getTarget().getAnAccess() and
mc.getArgument(0) = node.asExpr()
)
}
diff --git a/csharp/ql/test/library-tests/assignments/AssignOperation.ql b/csharp/ql/test/library-tests/assignments/AssignOperation.ql
index 2ca3b11a831..2fa23ed0a9f 100644
--- a/csharp/ql/test/library-tests/assignments/AssignOperation.ql
+++ b/csharp/ql/test/library-tests/assignments/AssignOperation.ql
@@ -1,4 +1,4 @@
import csharp
from AssignOperation ao
-select ao, ao.getLValue(), ao.getRValue()
+select ao, ao.getLeftOperand(), ao.getRightOperand()
diff --git a/csharp/ql/test/library-tests/conversion/pointer/Pointer.ql b/csharp/ql/test/library-tests/conversion/pointer/Pointer.ql
index 69e7db8c1cf..450ed9940a8 100644
--- a/csharp/ql/test/library-tests/conversion/pointer/Pointer.ql
+++ b/csharp/ql/test/library-tests/conversion/pointer/Pointer.ql
@@ -1,5 +1,5 @@
import csharp
from Assignment a
-select a.getLocation(), a.getLValue().getType().toString(), a.getRValue().getType().toString(),
- a.getRValue().toString()
+select a.getLocation(), a.getLeftOperand().getType().toString(),
+ a.getRightOperand().getType().toString(), a.getRightOperand().toString()
diff --git a/csharp/ql/test/library-tests/csharp10/lambda.ql b/csharp/ql/test/library-tests/csharp10/lambda.ql
index 3cfec302b52..55c7faac049 100644
--- a/csharp/ql/test/library-tests/csharp10/lambda.ql
+++ b/csharp/ql/test/library-tests/csharp10/lambda.ql
@@ -3,7 +3,7 @@ import csharp
private predicate getLambda(
LocalVariableDeclAndInitExpr e, string type, LocalVariable v, LambdaExpr lexp
) {
- lexp = e.getRValue() and
+ lexp = e.getRightOperand() and
v = e.getTargetVariable() and
type = e.getType().toStringWithTypes()
}
diff --git a/csharp/ql/test/library-tests/csharp11/operators.ql b/csharp/ql/test/library-tests/csharp11/operators.ql
index 607efac0c26..f1543e2d744 100644
--- a/csharp/ql/test/library-tests/csharp11/operators.ql
+++ b/csharp/ql/test/library-tests/csharp11/operators.ql
@@ -14,8 +14,8 @@ query predicate assignbitwise(
AssignBitwiseOperation op, Expr left, Expr right, string name, string qlclass
) {
op.getFile().getStem() = "Operators" and
- left = op.getLValue() and
- right = op.getRValue() and
+ left = op.getLeftOperand() and
+ right = op.getRightOperand() and
name = op.getOperator() and
qlclass = op.getAPrimaryQlClass()
}
diff --git a/csharp/ql/test/library-tests/csharp6/MemberInitializer.ql b/csharp/ql/test/library-tests/csharp6/MemberInitializer.ql
index f3ef63fe225..1895792f07c 100644
--- a/csharp/ql/test/library-tests/csharp6/MemberInitializer.ql
+++ b/csharp/ql/test/library-tests/csharp6/MemberInitializer.ql
@@ -12,7 +12,7 @@ query predicate indexerCalls(IndexerCall indexer, int arg, Expr value) {
query predicate elementAssignments(
ElementWrite write, Assignment assignment, int index, Expr indexer
) {
- write = assignment.getLValue() and indexer = write.getIndex(index)
+ write = assignment.getLeftOperand() and indexer = write.getIndex(index)
}
query predicate arrayQualifiers(ElementAccess access, Expr qualifier) {
diff --git a/csharp/ql/test/library-tests/enums/Enums11.ql b/csharp/ql/test/library-tests/enums/Enums11.ql
index 36b2c005a21..f6133517f7d 100644
--- a/csharp/ql/test/library-tests/enums/Enums11.ql
+++ b/csharp/ql/test/library-tests/enums/Enums11.ql
@@ -6,7 +6,7 @@ import csharp
from Expr e
where
- exists(Assignment a | a.getRValue() = e |
+ exists(Assignment a | a.getRightOperand() = e |
a.getParent().(Field).getDeclaringType() instanceof Enum
)
select e, e.getValue()
diff --git a/csharp/ql/test/library-tests/expressions/AddEventExpr1.ql b/csharp/ql/test/library-tests/expressions/AddEventExpr1.ql
index 48f6b41e19d..e3c1530fb1a 100644
--- a/csharp/ql/test/library-tests/expressions/AddEventExpr1.ql
+++ b/csharp/ql/test/library-tests/expressions/AddEventExpr1.ql
@@ -9,5 +9,5 @@ where
c.hasName("LoginDialog") and
e.getEnclosingCallable() = c and
e.getTarget().hasName("Click") and
- e.getLValue().getQualifier().(FieldAccess).getTarget().hasName("OkButton")
+ e.getLeftOperand().getQualifier().(FieldAccess).getTarget().hasName("OkButton")
select c, e
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousMethod1.ql b/csharp/ql/test/library-tests/expressions/AnonymousMethod1.ql
index 2c8268e87e1..74e9d3cb1ff 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousMethod1.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousMethod1.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, AnonymousMethodExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f7") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f7") and
e.getParent+() = assign and
e.getNumberOfParameters() = 1 and
e.getParameter(0).getType() instanceof IntType and
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousMethod2.ql b/csharp/ql/test/library-tests/expressions/AnonymousMethod2.ql
index e9fbbf01a10..8f0390b0f82 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousMethod2.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousMethod2.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, AnonymousMethodExpr e, Parameter p, ParameterAccess pa
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f7") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f7") and
e.getParent+() = assign and
e.getNumberOfParameters() = 1 and
p = e.getParameter(0) and
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousMethod3.ql b/csharp/ql/test/library-tests/expressions/AnonymousMethod3.ql
index e4c2e9ae9ba..46d8907319d 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousMethod3.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousMethod3.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, AnonymousMethodExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f7") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f7") and
e.getParent+() = assign and
e.getNumberOfParameters() = 1 and
e.getType().(DelegateType).getReturnType() instanceof IntType
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousMethod4.ql b/csharp/ql/test/library-tests/expressions/AnonymousMethod4.ql
index 4d424b65b84..cca81c6b04e 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousMethod4.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousMethod4.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, AnonymousMethodExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f8") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f8") and
e.getParent+() = assign and
e.hasNoParameters()
select e, e
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousMethod5.ql b/csharp/ql/test/library-tests/expressions/AnonymousMethod5.ql
index cbc6ac82ca7..577d810dfad 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousMethod5.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousMethod5.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, AnonymousMethodExpr e, LocalVariableAccess va
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f8") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f8") and
e.getParent+() = assign and
e.hasNoParameters() and
va.getEnclosingStmt().getParent+() = e.getBody() and
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation1.ql b/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation1.ql
index 74d8cd27a94..c717aa260e0 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation1.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation1.ql
@@ -6,11 +6,11 @@ import csharp
from Assignment assign, AnonymousObjectCreation o, Assignment a, Property p
where
- assign.getLValue().(VariableAccess).getTarget().hasName("list2") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("list2") and
o.getParent+() = assign and
o.getInitializer().getMemberInitializer(0) = a and
- a.getRValue().getValue() = "2" and
- p = a.getLValue().(PropertyAccess).getTarget() and
+ a.getRightOperand().getValue() = "2" and
+ p = a.getLeftOperand().(PropertyAccess).getTarget() and
p.hasName("i") and
p.getDeclaringType() = o.getObjectType()
select o
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation2.ql b/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation2.ql
index 5f9e16564b4..d55bf89d606 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation2.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation2.ql
@@ -6,11 +6,11 @@ import csharp
from Assignment assign, AnonymousObjectCreation o, Assignment a, Property p
where
- assign.getLValue().(VariableAccess).getTarget().hasName("contacts2") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("contacts2") and
o.getParent+() = assign and
o.getInitializer().getMemberInitializer(0) = a and
- a.getRValue().getValue() = "Chris Smith" and
- p = a.getLValue().(PropertyAccess).getTarget() and
+ a.getRightOperand().getValue() = "Chris Smith" and
+ p = a.getLeftOperand().(PropertyAccess).getTarget() and
p.hasName("Name") and
p.getDeclaringType() = o.getObjectType()
select o, p.getType().toString()
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation3.ql b/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation3.ql
index afa9ca0d3b2..6033bfed38a 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation3.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation3.ql
@@ -6,11 +6,11 @@ import csharp
from Assignment assign, AnonymousObjectCreation o, Assignment a, Property p
where
- assign.getLValue().(VariableAccess).getTarget().hasName("contacts2") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("contacts2") and
o.getParent+() = assign and
o.getInitializer().getMemberInitializer(1) = a and
- a.getRValue() instanceof ArrayCreation and
- p = a.getLValue().(PropertyAccess).getTarget() and
+ a.getRightOperand() instanceof ArrayCreation and
+ p = a.getLeftOperand().(PropertyAccess).getTarget() and
p.hasName("PhoneNumbers") and
p.getDeclaringType() = o.getObjectType()
select o, p.getType().getName()
diff --git a/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation4.ql b/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation4.ql
index b6354d1f493..a52278839f2 100644
--- a/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation4.ql
+++ b/csharp/ql/test/library-tests/expressions/AnonymousObjectCreation4.ql
@@ -8,7 +8,7 @@ from
Assignment assign, AnonymousObjectCreation o, Assignment a, AnonymousObjectCreation p,
Assignment b
where
- assign.getLValue().(VariableAccess).getTarget().hasName("contacts2") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("contacts2") and
o.getParent+() = assign and
o.getInitializer().getMemberInitializer(1) = a and
p.getParent+() = assign and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation1.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation1.ql
index fba7a403615..6f728347bff 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation1.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation1.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e, ArrayInitializer i
where
- a.getLValue().(VariableAccess).getTarget().hasName("is1") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("is1") and
+ e = a.getRightOperand() and
not e.isImplicitlyTyped() and
i = e.getInitializer() and
e.isImplicitlySized() and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation10.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation10.ql
index d8a1df12867..951ca22c0c2 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation10.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation10.ql
@@ -6,9 +6,9 @@ import csharp
from Assignment a, ArrayCreation e, CastExpr cast
where
- a.getLValue().(VariableAccess).getTarget().hasName("os") and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("os") and
e.getEnclosingCallable().hasName("MainElementAccess") and
- e = a.getRValue() and
+ e = a.getRightOperand() and
not e.isImplicitlyTyped() and
e.isImplicitlySized() and
e.getArrayType().getDimension() = 1 and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation2.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation2.ql
index ae56d579839..88ce79bc91e 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation2.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation2.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e, ArrayInitializer i
where
- a.getLValue().(VariableAccess).getTarget().hasName("is2") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("is2") and
+ e = a.getRightOperand() and
not e.isImplicitlyTyped() and
i = e.getInitializer() and
e.getNumberOfLengthArguments() = 2 and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation3.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation3.ql
index efe626dab08..0da55f86479 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation3.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation3.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e
where
- a.getLValue().(VariableAccess).getTarget().hasName("is3") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("is3") and
+ e = a.getRightOperand() and
not e.isImplicitlyTyped() and
not e.hasInitializer() and
e.getNumberOfLengthArguments() = 1 and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation4.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation4.ql
index 2a0dd531283..b79ec3f7bd6 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation4.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation4.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e
where
- a.getLValue().(VariableAccess).getTarget().hasName("is4") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("is4") and
+ e = a.getRightOperand() and
not e.isImplicitlyTyped() and
not e.hasInitializer() and
e.getNumberOfLengthArguments() = 2 and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation5.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation5.ql
index 04c29cafba8..88df5bef175 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation5.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation5.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e, int i
where
- a.getLValue().(VariableAccess).getTarget().hasName("is5") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("is5") and
+ e = a.getRightOperand() and
e.isImplicitlyTyped() and
e.isImplicitlySized() and
e.getArrayType().getDimension() = 1 and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation6.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation6.ql
index 7ca6bbe9668..237900bbe7c 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation6.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation6.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e
where
- a.getLValue().(VariableAccess).getTarget().hasName("is6") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("is6") and
+ e = a.getRightOperand() and
e.isImplicitlyTyped() and
e.isImplicitlySized() and
e.getArrayType().getDimension() = 1 and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation7.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation7.ql
index e34253a4f02..a466195a0b1 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation7.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation7.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e
where
- a.getLValue().(VariableAccess).getTarget().hasName("is7") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("is7") and
+ e = a.getRightOperand() and
e.isImplicitlyTyped() and
e.isImplicitlySized() and
e.getArrayType().getDimension() = 1 and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation8.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation8.ql
index cc1fd366db1..8eb810247c0 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation8.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation8.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e
where
- a.getLValue().(VariableAccess).getTarget().hasName("contacts2") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("contacts2") and
+ e = a.getRightOperand() and
e.isImplicitlyTyped() and
e.isImplicitlySized() and
e.getArrayType().getDimension() = 1 and
diff --git a/csharp/ql/test/library-tests/expressions/ArrayCreation9.ql b/csharp/ql/test/library-tests/expressions/ArrayCreation9.ql
index fc4b561c170..55ba1d1edb1 100644
--- a/csharp/ql/test/library-tests/expressions/ArrayCreation9.ql
+++ b/csharp/ql/test/library-tests/expressions/ArrayCreation9.ql
@@ -6,8 +6,8 @@ import csharp
from Assignment a, ArrayCreation e
where
- a.getLValue().(VariableAccess).getTarget().hasName("t") and
- e = a.getRValue() and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("t") and
+ e = a.getRightOperand() and
e.isImplicitlyTyped() and
e.isImplicitlySized() and
e.getArrayType().getDimension() = 1 and
diff --git a/csharp/ql/test/library-tests/expressions/Lambda1.ql b/csharp/ql/test/library-tests/expressions/Lambda1.ql
index f4787c584f3..4e4d17b9d24 100644
--- a/csharp/ql/test/library-tests/expressions/Lambda1.ql
+++ b/csharp/ql/test/library-tests/expressions/Lambda1.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, LambdaExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f1") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f1") and
e.getParent+() = assign and
e.getNumberOfParameters() = 1 and
e.getParameter(0).getType() instanceof ShortType and
diff --git a/csharp/ql/test/library-tests/expressions/Lambda2.ql b/csharp/ql/test/library-tests/expressions/Lambda2.ql
index 5fff4bd2cf6..ff5c06ec670 100644
--- a/csharp/ql/test/library-tests/expressions/Lambda2.ql
+++ b/csharp/ql/test/library-tests/expressions/Lambda2.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, LambdaExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f2") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f2") and
e.getParent+() = assign and
e.getNumberOfParameters() = 1 and
e.getParameter(0).getType() instanceof IntType and
diff --git a/csharp/ql/test/library-tests/expressions/Lambda3.ql b/csharp/ql/test/library-tests/expressions/Lambda3.ql
index 32aa919cd20..46d3a411b36 100644
--- a/csharp/ql/test/library-tests/expressions/Lambda3.ql
+++ b/csharp/ql/test/library-tests/expressions/Lambda3.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, LambdaExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f3") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f3") and
e.getParent+() = assign and
e.getNumberOfParameters() = 1 and
e.getParameter(0).getType() instanceof IntType and
diff --git a/csharp/ql/test/library-tests/expressions/Lambda4.ql b/csharp/ql/test/library-tests/expressions/Lambda4.ql
index ca7eb7a4207..69ac40ad932 100644
--- a/csharp/ql/test/library-tests/expressions/Lambda4.ql
+++ b/csharp/ql/test/library-tests/expressions/Lambda4.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, LambdaExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f4") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f4") and
e.getParent+() = assign and
e.getNumberOfParameters() = 1 and
e.getParameter(0).getType() instanceof IntType and
diff --git a/csharp/ql/test/library-tests/expressions/Lambda5.ql b/csharp/ql/test/library-tests/expressions/Lambda5.ql
index cc577aa85cb..3836ca4effd 100644
--- a/csharp/ql/test/library-tests/expressions/Lambda5.ql
+++ b/csharp/ql/test/library-tests/expressions/Lambda5.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, LambdaExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f5") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f5") and
e.getParent+() = assign and
e.getNumberOfParameters() = 2 and
e.getParameter(0).getType() instanceof IntType and
diff --git a/csharp/ql/test/library-tests/expressions/Lambda6.ql b/csharp/ql/test/library-tests/expressions/Lambda6.ql
index c584e4f6c09..4a6ee312834 100644
--- a/csharp/ql/test/library-tests/expressions/Lambda6.ql
+++ b/csharp/ql/test/library-tests/expressions/Lambda6.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment assign, LambdaExpr e
where
- assign.getLValue().(VariableAccess).getTarget().hasName("f6") and
+ assign.getLeftOperand().(VariableAccess).getTarget().hasName("f6") and
e.getParent+() = assign and
e.getNumberOfParameters() = 0 and
e.getType().(DelegateType).hasName("Unit") and
diff --git a/csharp/ql/test/library-tests/expressions/ObjectCreation10.ql b/csharp/ql/test/library-tests/expressions/ObjectCreation10.ql
index abd4a9d6ec6..971654a95b3 100644
--- a/csharp/ql/test/library-tests/expressions/ObjectCreation10.ql
+++ b/csharp/ql/test/library-tests/expressions/ObjectCreation10.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment a, CollectionInitializer i
where
- a.getLValue().(VariableAccess).getTarget().hasName("list1") and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("list1") and
i.getParent+() = a and
i.getElementInitializer(0).getArgument(0) instanceof AssignExpr
select i.getAChild+()
diff --git a/csharp/ql/test/library-tests/expressions/ObjectCreation11.ql b/csharp/ql/test/library-tests/expressions/ObjectCreation11.ql
index c874735c300..0265579ff67 100644
--- a/csharp/ql/test/library-tests/expressions/ObjectCreation11.ql
+++ b/csharp/ql/test/library-tests/expressions/ObjectCreation11.ql
@@ -6,7 +6,7 @@ import csharp
from Assignment a, CollectionInitializer i, AnonymousObjectCreation o
where
- a.getLValue().(VariableAccess).getTarget().hasName("list2") and
+ a.getLeftOperand().(VariableAccess).getTarget().hasName("list2") and
i.getParent+() = a and
i.getElementInitializer(0).getArgument(0) = o
select i, o
diff --git a/csharp/ql/test/library-tests/expressions/ObjectCreation4.ql b/csharp/ql/test/library-tests/expressions/ObjectCreation4.ql
index 5812397b11b..6ec3e2ec327 100644
--- a/csharp/ql/test/library-tests/expressions/ObjectCreation4.ql
+++ b/csharp/ql/test/library-tests/expressions/ObjectCreation4.ql
@@ -15,9 +15,9 @@ where
cc.hasName("Point") and
i = e.getInitializer() and
a = i.getMemberInitializer(0) and
- a.getLValue().(PropertyAccess).getTarget().hasName("X") and
- a.getRValue().getValue() = "0" and
+ a.getLeftOperand().(PropertyAccess).getTarget().hasName("X") and
+ a.getRightOperand().getValue() = "0" and
b = i.getMemberInitializer(1) and
- b.getLValue().(PropertyAccess).getTarget().hasName("Y") and
- b.getRValue().getValue() = "1"
+ b.getLeftOperand().(PropertyAccess).getTarget().hasName("Y") and
+ b.getRightOperand().getValue() = "1"
select e, i, a, b
diff --git a/csharp/ql/test/library-tests/expressions/ObjectCreation5.ql b/csharp/ql/test/library-tests/expressions/ObjectCreation5.ql
index cf31f518ec7..e130da484d7 100644
--- a/csharp/ql/test/library-tests/expressions/ObjectCreation5.ql
+++ b/csharp/ql/test/library-tests/expressions/ObjectCreation5.ql
@@ -15,10 +15,10 @@ where
cc.hasName("Point") and
i = e.getInitializer() and
a = i.getMemberInitializer(0) and
- a.getLValue().(PropertyAccess).getTarget().hasName("X") and
- a.getRValue().getValue() = "2" and
+ a.getLeftOperand().(PropertyAccess).getTarget().hasName("X") and
+ a.getRightOperand().getValue() = "2" and
b = i.getMemberInitializer(1) and
- b.getLValue().(PropertyAccess).getTarget().hasName("Y") and
- b.getRValue().getValue() = "3" and
+ b.getLeftOperand().(PropertyAccess).getTarget().hasName("Y") and
+ b.getRightOperand().getValue() = "3" and
i.getNumberOfMemberInitializers() = 2
select i, a, b
diff --git a/csharp/ql/test/library-tests/expressions/ObjectCreation6.ql b/csharp/ql/test/library-tests/expressions/ObjectCreation6.ql
index 11e771890ca..529607c8d4b 100644
--- a/csharp/ql/test/library-tests/expressions/ObjectCreation6.ql
+++ b/csharp/ql/test/library-tests/expressions/ObjectCreation6.ql
@@ -15,10 +15,10 @@ where
cc.hasName("Rectangle") and
i = e.getInitializer() and
a = i.getMemberInitializer(0) and
- a.getLValue().(PropertyAccess).getTarget().hasName("P1") and
- a.getRValue() instanceof ObjectCreation and
+ a.getLeftOperand().(PropertyAccess).getTarget().hasName("P1") and
+ a.getRightOperand() instanceof ObjectCreation and
b = i.getMemberInitializer(1) and
- b.getLValue().(PropertyAccess).getTarget().hasName("P2") and
- b.getRValue() instanceof ObjectCreation and
+ b.getLeftOperand().(PropertyAccess).getTarget().hasName("P2") and
+ b.getRightOperand() instanceof ObjectCreation and
i.getNumberOfMemberInitializers() = 2
select i, a, b
diff --git a/csharp/ql/test/library-tests/expressions/ObjectCreation7.ql b/csharp/ql/test/library-tests/expressions/ObjectCreation7.ql
index ccb17515525..404011f1896 100644
--- a/csharp/ql/test/library-tests/expressions/ObjectCreation7.ql
+++ b/csharp/ql/test/library-tests/expressions/ObjectCreation7.ql
@@ -15,10 +15,10 @@ where
cc.hasName("Rectangle2") and
i = e.getInitializer() and
a = i.getMemberInitializer(0) and
- a.getLValue().(PropertyAccess).getTarget().hasName("P1") and
- a.getRValue() instanceof ObjectInitializer and
+ a.getLeftOperand().(PropertyAccess).getTarget().hasName("P1") and
+ a.getRightOperand() instanceof ObjectInitializer and
b = i.getMemberInitializer(1) and
- b.getLValue().(PropertyAccess).getTarget().hasName("P2") and
- b.getRValue() instanceof ObjectInitializer and
+ b.getLeftOperand().(PropertyAccess).getTarget().hasName("P2") and
+ b.getRightOperand() instanceof ObjectInitializer and
i.getNumberOfMemberInitializers() = 2
select m, e
diff --git a/csharp/ql/test/library-tests/expressions/RemoveEventExpr1.ql b/csharp/ql/test/library-tests/expressions/RemoveEventExpr1.ql
index 95b223ed6f4..991fdd6e492 100644
--- a/csharp/ql/test/library-tests/expressions/RemoveEventExpr1.ql
+++ b/csharp/ql/test/library-tests/expressions/RemoveEventExpr1.ql
@@ -9,5 +9,5 @@ where
c.hasName("LoginDialog") and
e.getEnclosingCallable() = c and
e.getTarget().hasName("Click") and
- e.getLValue().getQualifier().(FieldAccess).getTarget().hasName("CancelButton")
+ e.getLeftOperand().getQualifier().(FieldAccess).getTarget().hasName("CancelButton")
select c, e
diff --git a/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs b/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
index b59513504d9..4c85b397ac1 100644
--- a/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
+++ b/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
@@ -536,6 +536,12 @@ public class HigherOrderParameters
{
a(o);
}
+
+ private void CallApply()
+ {
+ // Test that this call to `Apply` does not interfere with the flow summaries generated for `Apply`
+ Apply(x => x, null);
+ }
}
public static class HigherOrderExtensionMethods
diff --git a/docs/codeql/reusables/supported-versions-compilers.rst b/docs/codeql/reusables/supported-versions-compilers.rst
index ddda7065cf1..3891332f457 100644
--- a/docs/codeql/reusables/supported-versions-compilers.rst
+++ b/docs/codeql/reusables/supported-versions-compilers.rst
@@ -11,23 +11,23 @@
Microsoft extensions (up to VS 2022),
Arm Compiler 5 [5]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
- C#,C# up to 13,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
+ C#,C# up to 14 [6]_,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
.NET Core up to 3.1
- .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.slnx``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
+ .NET 5, .NET 6, .NET 7, .NET 8, .NET 9, .NET 10 [6]_","``.sln``, ``.slnx``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
Go (aka Golang), "Go up to 1.26", "Go 1.11 or more recent", ``.go``
- Java,"Java 7 to 26 [6]_","javac (OpenJDK and Oracle JDK),
+ Java,"Java 7 to 26 [7]_","javac (OpenJDK and Oracle JDK),
- Eclipse compiler for Java (ECJ) [7]_",``.java``
+ Eclipse compiler for Java (ECJ) [8]_",``.java``
Kotlin,"Kotlin 1.8.0 to 2.3.2\ *x*","kotlinc",``.kt``
- JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [8]_"
- Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
- Ruby [10]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
- Rust [11]_,"Rust editions 2021 and 2024","Rust compiler","``.rs``, ``Cargo.toml``"
- Swift [12]_ [13]_,"Swift 5.4-6.2","Swift compiler","``.swift``"
- TypeScript [14]_,"2.6-5.9",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
+ JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [9]_"
+ Python [10]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
+ Ruby [11]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
+ Rust [12]_,"Rust editions 2021 and 2024","Rust compiler","``.rs``, ``Cargo.toml``"
+ Swift [13]_ [14]_,"Swift 5.4-6.2","Swift compiler","``.swift``"
+ TypeScript [15]_,"2.6-5.9",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
.. container:: footnote-group
@@ -36,12 +36,13 @@
.. [3] Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported.
.. [4] Support for the clang-cl compiler is preliminary.
.. [5] Support for the Arm Compiler (armcc) is preliminary.
- .. [6] Builds that execute on Java 7 to 26 can be analyzed. The analysis understands standard language features in Java 8 to 26; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
- .. [7] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
- .. [8] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
- .. [9] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
- .. [10] Requires glibc 2.17.
- .. [11] Requires ``rustup`` and ``cargo`` to be installed. Features from nightly toolchains are not supported.
- .. [12] Support for the analysis of Swift requires macOS.
- .. [13] Embedded Swift is not supported.
- .. [14] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
+ .. [6] Support for .NET 10 is preliminary and code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+ .. [7] Builds that execute on Java 7 to 26 can be analyzed. The analysis understands standard language features in Java 8 to 26; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
+ .. [8] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
+ .. [9] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
+ .. [10] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
+ .. [11] Requires glibc 2.17.
+ .. [12] Requires ``rustup`` and ``cargo`` to be installed. Features from nightly toolchains are not supported.
+ .. [13] Support for the analysis of Swift requires macOS.
+ .. [14] Embedded Swift is not supported.
+ .. [15] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
index e1170aeda24..f0dc0cf0ca2 100644
--- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
+++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
@@ -4,13 +4,17 @@
* Provides classes and predicates for dealing with flow models specified
* in data extensions and CSV format.
*
- * The CSV specification has the following columns:
+ * The extensible relations have the following columns:
* - Sources:
* `package; type; subtypes; name; signature; ext; output; kind; provenance`
* - Sinks:
* `package; type; subtypes; name; signature; ext; input; kind; provenance`
* - Summaries:
* `package; type; subtypes; name; signature; ext; input; output; kind; provenance`
+ * - Barriers:
+ * `package; type; subtypes; name; signature; ext; output; kind; provenance`
+ * - BarrierGuards:
+ * `package; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
* - Neutrals:
* `package; type; name; signature; kind; provenance`
* A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
@@ -78,11 +82,23 @@
* - "MapValue": Selects a value in a map.
* - "Dereference": Selects the value referenced by a pointer.
*
- * 8. The `kind` column is a tag that can be referenced from QL to determine to
+ * 8. The `acceptingValue` column of barrier guard models specifies the condition
+ * under which the guard blocks flow. It can be one of "true" or "false". In
+ * the future "no-exception", "not-zero", "null", "not-null" may be supported.
+ * 9. The `kind` column is a tag that can be referenced from QL to determine to
* which classes the interpreted elements should be added. For example, for
* sources "remote" indicates a default remote flow source, and for summaries
* "taint" indicates a default additional taint step and "value" indicates a
* globally applicable value-preserving step.
+ * 10. The `provenance` column is a tag to indicate the origin and verification of a model.
+ * The format is {origin}-{verification} or just "manual" where the origin describes
+ * the origin of the model and verification describes how the model has been verified.
+ * Some examples are:
+ * - "df-generated": The model has been generated by the model generator tool.
+ * - "df-manual": The model has been generated by the model generator and verified by a human.
+ * - "manual": The model has been written by hand.
+ * This information is used in a heuristic for dataflow analysis to determine, if a
+ * model or source code should be used for determining flow.
*/
overlay[local?]
module;
@@ -250,11 +266,11 @@ module ModelValidation {
result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model."
)
or
- exists(string acceptingvalue |
- barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and
- invalidAcceptingValue(acceptingvalue) and
+ exists(string acceptingValue |
+ barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and
+ invalidAcceptingValue(acceptingValue) and
result =
- "Unrecognized accepting value description \"" + acceptingvalue +
+ "Unrecognized accepting value description \"" + acceptingValue +
"\" in barrier guard model."
)
}
@@ -462,13 +478,13 @@ private module Cached {
private predicate barrierGuardChecks(DataFlow::Node g, Expr e, boolean gv, TKindModelPair kmp) {
exists(
- SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingvalue,
+ SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingValue,
string kind, string model
|
- isBarrierGuardNode(n, acceptingvalue, kind, model) and
+ isBarrierGuardNode(n, acceptingValue, kind, model) and
n.asNode().asExpr() = e and
kmp = TMkPair(kind, model) and
- gv = convertAcceptingValue(acceptingvalue)
+ gv = convertAcceptingValue(acceptingValue)
|
g.asExpr().(CallExpr).getAnArgument() = e // TODO: qualifier?
)
diff --git a/go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll b/go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll
index 5d43cf674c1..ab2a241e14a 100644
--- a/go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll
@@ -35,7 +35,7 @@ extensible predicate barrierModel(
*/
extensible predicate barrierGuardModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
- string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
+ string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
);
/**
diff --git a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll
index 240665bd492..ff727286c3b 100644
--- a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll
@@ -174,13 +174,13 @@ module SourceSinkInterpretationInput implements
}
predicate barrierGuardElement(
- Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
+ Element e, string input, Public::AcceptingValue acceptingValue, string kind,
Public::Provenance provenance, string model
) {
exists(
string package, string type, boolean subtypes, string name, string signature, string ext
|
- barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingvalue, kind,
+ barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingValue, kind,
provenance, model) and
e = interpretElement(package, type, subtypes, name, signature, ext)
)
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
index 1536c81aa08..a6a9347ca03 100644
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -4,13 +4,17 @@
* Provides classes and predicates for dealing with flow models specified
* in data extensions and CSV format.
*
- * The CSV specification has the following columns:
+ * The extensible relations have the following columns:
* - Sources:
* `package; type; subtypes; name; signature; ext; output; kind; provenance`
* - Sinks:
* `package; type; subtypes; name; signature; ext; input; kind; provenance`
* - Summaries:
* `package; type; subtypes; name; signature; ext; input; output; kind; provenance`
+ * - Barriers:
+ * `package; type; subtypes; name; signature; ext; output; kind; provenance`
+ * - BarrierGuards:
+ * `package; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
* - Neutrals:
* `package; type; name; signature; kind; provenance`
* A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
@@ -69,14 +73,17 @@
* in the given range. The range is inclusive at both ends.
* - "ReturnValue": Selects the return value of a call to the selected element.
* - "Element": Selects the collection elements of the selected element.
- * 8. The `kind` column is a tag that can be referenced from QL to determine to
+ * 8. The `acceptingValue` column of barrier guard models specifies the condition
+ * under which the guard blocks flow. It can be one of "true" or "false". In
+ * the future "no-exception", "not-zero", "null", "not-null" may be supported.
+ * 9. The `kind` column is a tag that can be referenced from QL to determine to
* which classes the interpreted elements should be added. For example, for
* sources "remote" indicates a default remote flow source, and for summaries
* "taint" indicates a default additional taint step and "value" indicates a
* globally applicable value-preserving step. For neutrals the kind can be `summary`,
* `source` or `sink` to indicate that the neutral is neutral with respect to
* flow (no summary), source (is not a source) or sink (is not a sink).
- * 9. The `provenance` column is a tag to indicate the origin and verification of a model.
+ * 10. The `provenance` column is a tag to indicate the origin and verification of a model.
* The format is {origin}-{verification} or just "manual" where the origin describes
* the origin of the model and verification describes how the model has been verified.
* Some examples are:
@@ -358,11 +365,11 @@ module ModelValidation {
result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model."
)
or
- exists(string acceptingvalue |
- barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and
- invalidAcceptingValue(acceptingvalue) and
+ exists(string acceptingValue |
+ barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and
+ invalidAcceptingValue(acceptingValue) and
result =
- "Unrecognized accepting value description \"" + acceptingvalue +
+ "Unrecognized accepting value description \"" + acceptingValue +
"\" in barrier guard model."
)
}
@@ -583,13 +590,13 @@ private module Cached {
private predicate barrierGuardChecks(Guard g, Expr e, GuardValue gv, TKindModelPair kmp) {
exists(
- SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingvalue, string kind,
+ SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingValue, string kind,
string model
|
- isBarrierGuardNode(n, acceptingvalue, kind, model) and
+ isBarrierGuardNode(n, acceptingValue, kind, model) and
n.asNode().asExpr() = e and
kmp = TMkPair(kind, model) and
- gv = convertAcceptingValue(acceptingvalue)
+ gv = convertAcceptingValue(acceptingValue)
|
g.(Call).getAnArgument() = e or g.(MethodCall).getQualifier() = e
)
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll
index be474ad4535..3c6b003876d 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll
@@ -35,7 +35,7 @@ extensible predicate barrierModel(
*/
extensible predicate barrierGuardModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
- string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
+ string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
);
/**
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
index 64fa30c7d91..453b7ccae11 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -282,7 +282,7 @@ module SourceSinkInterpretationInput implements
}
predicate barrierGuardElement(
- Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
+ Element e, string input, Public::AcceptingValue acceptingValue, string kind,
Public::Provenance provenance, string model
) {
exists(
@@ -290,7 +290,7 @@ module SourceSinkInterpretationInput implements
SourceOrSinkElement baseBarrier, string originalInput
|
barrierGuardModel(namespace, type, subtypes, name, signature, ext, originalInput,
- acceptingvalue, kind, provenance, model) and
+ acceptingValue, kind, provenance, model) and
baseBarrier = interpretElement(namespace, type, subtypes, name, signature, ext, _) and
(
e = baseBarrier and input = originalInput
diff --git a/java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected b/java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected
index a56980d10ac..a55e73e283f 100644
--- a/java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected
+++ b/java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected
@@ -196,6 +196,8 @@ methodWithDuplicate
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
+| List | ofLazy | IntFunction |
+| List | ofLazy | int |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection |
@@ -222,6 +224,8 @@ methodWithDuplicate
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
+| List | ofLazy | IntFunction |
+| List | ofLazy | int |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection |
@@ -248,6 +252,8 @@ methodWithDuplicate
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
+| List | ofLazy | IntFunction |
+| List | ofLazy | int |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection |
@@ -280,6 +286,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | K |
| Map | put | V |
| Map | putAll | Map |
@@ -310,6 +318,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | Identity |
| Map | put | Object |
| Map | putAll | Map |
@@ -341,6 +351,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | K |
| Map | put | V |
| Map | putAll | Map |
@@ -370,6 +382,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | Object |
| Map | putAll | Map |
| Map | putIfAbsent | Object |
@@ -397,6 +411,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | String |
| Map | putAll | Map |
| Map | putIfAbsent | String |
diff --git a/java/ql/test-kotlin2/library-tests/java-kotlin-collection-type-generic-methods/test.expected b/java/ql/test-kotlin2/library-tests/java-kotlin-collection-type-generic-methods/test.expected
index 2495c1fc157..3237c89c8c7 100644
--- a/java/ql/test-kotlin2/library-tests/java-kotlin-collection-type-generic-methods/test.expected
+++ b/java/ql/test-kotlin2/library-tests/java-kotlin-collection-type-generic-methods/test.expected
@@ -191,6 +191,8 @@ methodWithDuplicate
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
+| List | ofLazy | IntFunction |
+| List | ofLazy | int |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection |
@@ -216,6 +218,8 @@ methodWithDuplicate
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
+| List | ofLazy | IntFunction |
+| List | ofLazy | int |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection |
@@ -242,6 +246,8 @@ methodWithDuplicate
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
+| List | ofLazy | IntFunction |
+| List | ofLazy | int |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection |
@@ -274,6 +280,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | K |
| Map | put | V |
| Map | putAll | Map |
@@ -303,6 +311,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | Identity |
| Map | put | Object |
| Map | putAll | Map |
@@ -333,6 +343,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | K |
| Map | put | V |
| Map | putAll | Map |
@@ -361,6 +373,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | Object |
| Map | putAll | Map |
| Map | putIfAbsent | Object |
@@ -388,6 +402,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry[] |
+| Map | ofLazy | Function |
+| Map | ofLazy | Set |
| Map | put | String |
| Map | putAll | Map |
| Map | putIfAbsent | String |
diff --git a/java/ql/test-kotlin2/library-tests/reflection/reflection.expected b/java/ql/test-kotlin2/library-tests/reflection/reflection.expected
index b5de2b1adea..2c0bee11a9e 100644
--- a/java/ql/test-kotlin2/library-tests/reflection/reflection.expected
+++ b/java/ql/test-kotlin2/library-tests/reflection/reflection.expected
@@ -266,6 +266,7 @@ compGenerated
| file:///AccessFlag$Location.class:0:0:0:0 | getEntries | Default property accessor |
| file:///AccessFlag.class:0:0:0:0 | getEntries | Default property accessor |
| file:///AccessMode.class:0:0:0:0 | getEntries | Default property accessor |
+| file:///ByteOrder.class:0:0:0:0 | getEntries | Default property accessor |
| file:///CharProgression.class:0:0:0:0 | forEach | Forwarder for a Kotlin class inheriting an interface default method |
| file:///CharProgression.class:0:0:0:0 | spliterator | Forwarder for a Kotlin class inheriting an interface default method |
| file:///CharRange.class:0:0:0:0 | forEach | Forwarder for a Kotlin class inheriting an interface default method |
diff --git a/java/ql/test/library-tests/compact-source-files/CompactSourceAnalysis.expected b/java/ql/test/library-tests/compact-source-files/CompactSourceAnalysis.expected
index 05db00aa26d..0e1dd647e41 100644
--- a/java/ql/test/library-tests/compact-source-files/CompactSourceAnalysis.expected
+++ b/java/ql/test/library-tests/compact-source-files/CompactSourceAnalysis.expected
@@ -1 +1 @@
-| Test.java:0:0:0:0 | Test | Test.java:1:1:1:1 | Test | Compact source file 'Test' contains implicit class 'Test' |
+| Test.java:0:0:0:0 | Test | Test.java:1:1:29:1 | Test | Compact source file 'Test' contains implicit class 'Test' |
diff --git a/java/ql/test/library-tests/compact-source-files/ImplicitClassDetection.expected b/java/ql/test/library-tests/compact-source-files/ImplicitClassDetection.expected
index 61dcdd8a17f..9bfaaecbbcb 100644
--- a/java/ql/test/library-tests/compact-source-files/ImplicitClassDetection.expected
+++ b/java/ql/test/library-tests/compact-source-files/ImplicitClassDetection.expected
@@ -1,2 +1,2 @@
-| Test.java:1:1:1:1 | Test | implicit |
+| Test.java:1:1:29:1 | Test | implicit |
| Test.java:25:7:25:16 | NotCompact | not implicit |
diff --git a/java/ql/test/library-tests/compact-source-files/MethodInCompactSource.expected b/java/ql/test/library-tests/compact-source-files/MethodInCompactSource.expected
index 3c7b45f500e..d4b41c61441 100644
--- a/java/ql/test/library-tests/compact-source-files/MethodInCompactSource.expected
+++ b/java/ql/test/library-tests/compact-source-files/MethodInCompactSource.expected
@@ -1,5 +1,5 @@
-| Test.java:1:1:1:1 | | in compact source |
-| Test.java:1:1:1:1 | | in compact source |
+| Test.java:1:1:29:1 | | in compact source |
+| Test.java:1:1:29:1 | | in compact source |
| Test.java:5:6:5:9 | main | in compact source |
| Test.java:11:6:11:16 | processData | in compact source |
| Test.java:16:14:16:31 | updatePrivateField | in compact source |
diff --git a/java/ql/test/library-tests/compact-source-files/options b/java/ql/test/library-tests/compact-source-files/options
index db1dc01e53b..3d6e630aa73 100644
--- a/java/ql/test/library-tests/compact-source-files/options
+++ b/java/ql/test/library-tests/compact-source-files/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --release 25 --enable-preview
+//semmle-extractor-options: --javac-args --release 25
diff --git a/java/ql/test/library-tests/dataflow/kdf/options b/java/ql/test/library-tests/dataflow/kdf/options
index f4edc64c017..801b81e0752 100644
--- a/java/ql/test/library-tests/dataflow/kdf/options
+++ b/java/ql/test/library-tests/dataflow/kdf/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --enable-preview --release 25
\ No newline at end of file
+//semmle-extractor-options: --javac-args --release 25
\ No newline at end of file
diff --git a/java/ql/test/library-tests/dataflow/scoped-values/options b/java/ql/test/library-tests/dataflow/scoped-values/options
index c793109355a..2d42b8d2cd8 100644
--- a/java/ql/test/library-tests/dataflow/scoped-values/options
+++ b/java/ql/test/library-tests/dataflow/scoped-values/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 25 -target 25 --enable-preview
\ No newline at end of file
+//semmle-extractor-options: --javac-args -source 25 -target 25
\ No newline at end of file
diff --git a/java/ql/test/library-tests/errorexpr/Test.java b/java/ql/test/library-tests/errorexpr/Test.java
index af314e5ced6..068690e7bb2 100644
--- a/java/ql/test/library-tests/errorexpr/Test.java
+++ b/java/ql/test/library-tests/errorexpr/Test.java
@@ -13,6 +13,5 @@ public class Test {
}
// Diagnostic Matches: Erroneous node in tree: (ERROR)
-// Diagnostic Matches: In file Test.java:8:15 no end location for JCMethodInvocation : yield(x)
// Diagnostic Matches: 1 errors during annotation processing
// Diagnostic Matches: Unknown or erroneous type for expression of kind ErrorExpr
diff --git a/java/ql/test/library-tests/flexible-constructors/options b/java/ql/test/library-tests/flexible-constructors/options
index db1dc01e53b..3d6e630aa73 100644
--- a/java/ql/test/library-tests/flexible-constructors/options
+++ b/java/ql/test/library-tests/flexible-constructors/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --release 25 --enable-preview
+//semmle-extractor-options: --javac-args --release 25
diff --git a/java/ql/test/library-tests/module-import-declarations/options b/java/ql/test/library-tests/module-import-declarations/options
index b510fdce0df..801b81e0752 100644
--- a/java/ql/test/library-tests/module-import-declarations/options
+++ b/java/ql/test/library-tests/module-import-declarations/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --release 25 --enable-preview
\ No newline at end of file
+//semmle-extractor-options: --javac-args --release 25
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-676/semmle/tests/options b/java/ql/test/query-tests/security/CWE-676/semmle/tests/options
new file mode 100644
index 00000000000..3d6e630aa73
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-676/semmle/tests/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args --release 25
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
index 60fe40e716d..155fb4b7c78 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
@@ -10,6 +10,10 @@
* `type, path, kind`
* - Summaries:
* `type, path, input, output, kind`
+ * - Barriers:
+ * `type, path, kind`
+ * - BarrierGuards:
+ * `type, path, acceptingValue, kind`
* - Types:
* `type1, type2, path`
*
@@ -42,7 +46,8 @@
* 3. The `input` and `output` columns specify how data enters and leaves the element selected by the
* first `(type, path)` tuple. Both strings are `.`-separated access paths
* of the same syntax as the `path` column.
- * 4. The `kind` column is a tag that can be referenced from QL to determine to
+ * 4. The `acceptingValue` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false".
+ * 5. The `kind` column is a tag that can be referenced from QL to determine to
* which classes the interpreted elements should be added. For example, for
* sources `"remote"` indicates a default remote flow source, and for summaries
* `"taint"` indicates a default additional taint step and `"value"` indicates a
@@ -355,11 +360,11 @@ private predicate barrierModel(string type, string path, string kind, string mod
/** Holds if a barrier guard model exists for the given parameters. */
private predicate barrierGuardModel(
- string type, string path, string branch, string kind, string model
+ string type, string path, string acceptingValue, string kind, string model
) {
// No deprecation adapter for barrier models, they were not around back then.
exists(QlBuiltins::ExtensionId madId |
- Extensions::barrierGuardModel(type, path, branch, kind, madId) and
+ Extensions::barrierGuardModel(type, path, acceptingValue, kind, madId) and
model = "MaD:" + madId.toString()
)
}
@@ -783,16 +788,16 @@ module ModelOutput {
}
/**
- * Holds if a barrier model contributed `barrier` with the given `kind` for the given `branch`.
+ * Holds if a barrier model contributed `barrier` with the given `kind` for the given `acceptingValue`.
*/
cached
- API::Node getABarrierGuardNode(string kind, boolean branch, string model) {
- exists(string type, string path, string branch_str |
- branch = true and branch_str = "true"
+ API::Node getABarrierGuardNode(string kind, boolean acceptingValue, string model) {
+ exists(string type, string path, string acceptingValue_str |
+ acceptingValue = true and acceptingValue_str = "true"
or
- branch = false and branch_str = "false"
+ acceptingValue = false and acceptingValue_str = "false"
|
- barrierGuardModel(type, path, branch_str, kind, model) and
+ barrierGuardModel(type, path, acceptingValue_str, kind, model) and
result = getNodeFromPath(type, path)
)
}
@@ -856,12 +861,12 @@ module ModelOutput {
API::Node getABarrierNode(string kind) { result = getABarrierNode(kind, _) }
/**
- * Holds if an external model contributed `barrier-guard` with the given `kind` and `branch`.
+ * Holds if an external model contributed `barrier-guard` with the given `kind` and `acceptingValue`.
*
* INTERNAL: Do not use.
*/
- API::Node getABarrierGuardNode(string kind, boolean branch) {
- result = getABarrierGuardNode(kind, branch, _)
+ API::Node getABarrierGuardNode(string kind, boolean acceptingValue) {
+ result = getABarrierGuardNode(kind, acceptingValue, _)
}
/**
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
index 2a644aabb95..8d8a4f5fd88 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
@@ -33,11 +33,11 @@ extensible predicate barrierModel(
* of the given `kind` and `madId` is the data extension row number.
* `path` is assumed to lead to a parameter of a call (possibly `self`), and
* the call is guarding the parameter.
- * `branch` is either `true` or `false`, indicating which branch of the guard
- * is protecting the parameter.
+ * `acceptingValue` is either `true` or `false`, indicating which branch of
+ * the guard is protecting the parameter.
*/
extensible predicate barrierGuardModel(
- string type, string path, string branch, string kind, QlBuiltins::ExtensionId madId
+ string type, string path, string acceptingValue, string kind, QlBuiltins::ExtensionId madId
);
/**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll
index 5f4ad1b3d73..8dd9c483144 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll
@@ -191,3 +191,21 @@ class RouteHandlerLimitedByRateLimiterFlexible extends RateLimitingMiddleware in
private class FastifyRateLimiter extends RateLimitingMiddleware {
FastifyRateLimiter() { this = DataFlow::moduleImport("fastify-rate-limit") }
}
+
+/**
+ * An options object with a `rateLimit` config passed to a Fastify shorthand route method,
+ * such as `fastify.post('/path', { config: { rateLimit: { ... } } }, handler)`.
+ */
+private class FastifyPerRouteRateLimit extends RateLimitingMiddleware {
+ FastifyPerRouteRateLimit() {
+ exists(Fastify::RouteSetup setup |
+ not setup.getMethodName() = ["route", "addHook"] and
+ setup.getNumArgument() >= 3 and
+ this.flowsTo(setup.getArgument(1))
+ |
+ exists(this.getAPropertySource("config").getAPropertySource("rateLimit"))
+ or
+ exists(this.getAPropertySource("rateLimit"))
+ )
+ }
+}
diff --git a/javascript/ql/src/change-notes/2026-04-13-fastify-per-route-rate-limit.md b/javascript/ql/src/change-notes/2026-04-13-fastify-per-route-rate-limit.md
new file mode 100644
index 00000000000..56d52388524
--- /dev/null
+++ b/javascript/ql/src/change-notes/2026-04-13-fastify-per-route-rate-limit.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The query `js/missing-rate-limiting` now takes Fastify per-route
+ rate limiting into account.
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.expected b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.expected
index 3d7bc2954eb..8d197d6e37f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.expected
@@ -9,3 +9,4 @@
| tst.js:64:25:64:63 | functio ... req); } | This route handler performs $@, but is not rate-limited. | tst.js:64:46:64:60 | verifyUser(req) | authorization |
| tst.js:76:25:76:53 | catchAs ... ndler1) | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
| tst.js:88:24:88:40 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
+| tst.js:112:28:112:44 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/tst.js b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/tst.js
index 4f778afef68..5b4312bbbe0 100644
--- a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/tst.js
@@ -88,3 +88,25 @@ const fastifyApp = require('fastify')();
fastifyApp.get('/foo', expensiveHandler1); // $ Alert
fastifyApp.register(require('fastify-rate-limit'));
fastifyApp.get('/bar', expensiveHandler1);
+
+// Fastify per-route rate limiting via config.rateLimit
+const fastifyApp2 = require('fastify')();
+fastifyApp2.register(require('@fastify/rate-limit'));
+
+fastifyApp2.post('/login', {
+ config: {
+ rateLimit: {
+ max: 3,
+ timeWindow: '1 minute'
+ }
+ }
+}, expensiveHandler1); // OK - has per-route rateLimit config
+
+fastifyApp2.post('/signup', {
+ rateLimit: {
+ max: 5,
+ timeWindow: '1 minute'
+ }
+}, expensiveHandler1); // OK - has per-route rateLimit directly in options
+
+fastifyApp2.post('/other', expensiveHandler1); // $ Alert - no rate limiting
diff --git a/python/downgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/old.dbscheme b/python/downgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/old.dbscheme
new file mode 100644
index 00000000000..eb5fc917c79
--- /dev/null
+++ b/python/downgrades/eb5fc917c79bb23ce2de4a022f3e566d57a91be9/old.dbscheme
@@ -0,0 +1,1291 @@
+/*
+ * This dbscheme is auto-generated by 'semmle/dbscheme_gen.py'.
+ * Run "make dbscheme" in python/extractor/ to regenerate.
+ * WARNING: Any modifications to this file will be lost.
+ * Relations can be changed by modifying master.py or
+ * by adding rules to dbscheme.template
+ */
+
+/* This is a dummy line to alter the dbscheme, so we can make a database upgrade
+ * without actually changing any of the dbscheme predicates. It contains a date
+ * to allow for such updates in the future as well.
+ *
+ * 2020-07-02
+ *
+ * DO NOT remove this comment carelessly, since it can revert the dbscheme back to a
+ * previously seen state (matching a previously seen SHA), which would make the upgrade
+ * mechanism not work properly.
+ */
+
+/*- DEPRECATED: External defects and metrics -*/
+
+externalDefects(
+ unique int id : @externalDefect,
+ varchar(900) queryPath : string ref,
+ int location : @location ref,
+ varchar(900) message : string ref,
+ float severity : float ref
+);
+
+externalMetrics(
+ unique int id : @externalMetric,
+ varchar(900) queryPath : string ref,
+ int location : @location ref,
+ float value : float ref
+);
+
+/*- External data -*/
+
+/**
+ * External data, loaded from CSV files during snapshot creation. See
+ * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data)
+ * for more information.
+ */
+externalData(
+ int id : @externalDataElement,
+ string path : string ref,
+ int column: int ref,
+ string value : string ref
+);
+
+/*- Database metadata -*/
+
+/**
+ * The CLI will automatically emit applicable tuples for this table,
+ * such as `databaseMetadata("isOverlay", "true")` when building an
+ * overlay database.
+ */
+databaseMetadata(
+ string metadataKey: string ref,
+ string value: string ref
+);
+
+/*- Overlay support -*/
+
+/**
+ * The CLI will automatically emit tuples for each new/modified/deleted file
+ * when building an overlay database.
+ */
+overlayChangedFiles(
+ string path: string ref
+);
+
+/*- DEPRECATED: Snapshot date -*/
+
+snapshotDate(unique date snapshotDate : date ref);
+
+/*- Source location prefix -*/
+
+/**
+ * The source location of the snapshot.
+ */
+sourceLocationPrefix(string prefix : string ref);
+
+/*- DEPRECATED: Duplicate code -*/
+
+duplicateCode(
+ unique int id : @duplication,
+ string relativePath : string ref,
+ int equivClass : int ref
+);
+
+similarCode(
+ unique int id : @similarity,
+ string relativePath : string ref,
+ int equivClass : int ref
+);
+
+@duplication_or_similarity = @duplication | @similarity
+
+tokens(
+ int id : @duplication_or_similarity ref,
+ int offset : int ref,
+ int beginLine : int ref,
+ int beginColumn : int ref,
+ int endLine : int ref,
+ int endColumn : int ref
+);
+
+/*- DEPRECATED: Version control data -*/
+
+svnentries(
+ unique int id : @svnentry,
+ string revision : string ref,
+ string author : string ref,
+ date revisionDate : date ref,
+ int changeSize : int ref
+)
+
+svnaffectedfiles(
+ int id : @svnentry ref,
+ int file : @file ref,
+ string action : string ref
+)
+
+svnentrymsg(
+ unique int id : @svnentry ref,
+ string message : string ref
+)
+
+svnchurn(
+ int commit : @svnentry ref,
+ int file : @file ref,
+ int addedLines : int ref,
+ int deletedLines : int ref
+)
+
+/*- Lines of code -*/
+
+numlines(
+ int element_id: @sourceline ref,
+ int num_lines: int ref,
+ int num_code: int ref,
+ int num_comment: int ref
+);
+
+/*- Files and folders -*/
+
+/**
+ * The location of an element.
+ * The location spans column `startcolumn` of line `startline` to
+ * column `endcolumn` of line `endline` in file `file`.
+ * For more information, see
+ * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+ */
+locations_default(
+ unique int id: @location_default,
+ int file: @file ref,
+ int beginLine: int ref,
+ int beginColumn: int ref,
+ int endLine: int ref,
+ int endColumn: int ref
+);
+
+files(
+ unique int id: @file,
+ string name: string ref
+);
+
+folders(
+ unique int id: @folder,
+ string name: string ref
+);
+
+@container = @file | @folder
+
+containerparent(
+ int parent: @container ref,
+ unique int child: @container ref
+);
+
+/*- XML Files -*/
+
+xmlEncoding(
+ unique int id: @file ref,
+ string encoding: string ref
+);
+
+xmlDTDs(
+ unique int id: @xmldtd,
+ string root: string ref,
+ string publicId: string ref,
+ string systemId: string ref,
+ int fileid: @file ref
+);
+
+xmlElements(
+ unique int id: @xmlelement,
+ string name: string ref,
+ int parentid: @xmlparent ref,
+ int idx: int ref,
+ int fileid: @file ref
+);
+
+xmlAttrs(
+ unique int id: @xmlattribute,
+ int elementid: @xmlelement ref,
+ string name: string ref,
+ string value: string ref,
+ int idx: int ref,
+ int fileid: @file ref
+);
+
+xmlNs(
+ int id: @xmlnamespace,
+ string prefixName: string ref,
+ string URI: string ref,
+ int fileid: @file ref
+);
+
+xmlHasNs(
+ int elementId: @xmlnamespaceable ref,
+ int nsId: @xmlnamespace ref,
+ int fileid: @file ref
+);
+
+xmlComments(
+ unique int id: @xmlcomment,
+ string text: string ref,
+ int parentid: @xmlparent ref,
+ int fileid: @file ref
+);
+
+xmlChars(
+ unique int id: @xmlcharacters,
+ string text: string ref,
+ int parentid: @xmlparent ref,
+ int idx: int ref,
+ int isCDATA: int ref,
+ int fileid: @file ref
+);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+ int xmlElement: @xmllocatable ref,
+ int location: @location_default ref
+);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/*- YAML -*/
+
+#keyset[parent, idx]
+yaml (unique int id: @yaml_node,
+ int kind: int ref,
+ int parent: @yaml_node_parent ref,
+ int idx: int ref,
+ string tag: string ref,
+ string tostring: string ref);
+
+case @yaml_node.kind of
+ 0 = @yaml_scalar_node
+| 1 = @yaml_mapping_node
+| 2 = @yaml_sequence_node
+| 3 = @yaml_alias_node
+;
+
+@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node;
+
+@yaml_node_parent = @yaml_collection_node | @file;
+
+yaml_anchors (unique int node: @yaml_node ref,
+ string anchor: string ref);
+
+yaml_aliases (unique int alias: @yaml_alias_node ref,
+ string target: string ref);
+
+yaml_scalars (unique int scalar: @yaml_scalar_node ref,
+ int style: int ref,
+ string value: string ref);
+
+yaml_errors (unique int id: @yaml_error,
+ string message: string ref);
+
+yaml_locations(unique int locatable: @yaml_locatable ref,
+ int location: @location_default ref);
+
+@yaml_locatable = @yaml_node | @yaml_error;
+
+/*- Python dbscheme -*/
+
+/*
+ * Line metrics
+ */
+py_codelines(int id : @py_scope ref,
+ int count : int ref);
+
+py_commentlines(int id : @py_scope ref,
+ int count : int ref);
+
+py_docstringlines(int id : @py_scope ref,
+ int count : int ref);
+
+py_alllines(int id : @py_scope ref,
+ int count : int ref);
+
+/****************************
+ Python dbscheme
+****************************/
+
+@sourceline = @file | @py_Module | @xmllocatable;
+
+@location = @location_ast | @location_default ;
+
+locations_ast(unique int id: @location_ast,
+ int module: @py_Module ref,
+ int beginLine: int ref,
+ int beginColumn: int ref,
+ int endLine: int ref,
+ int endColumn: int ref);
+
+file_contents(unique int file: @file ref, string contents: string ref);
+
+py_module_path(int module: @py_Module ref, int file: @container ref);
+
+variable(unique int id : @py_variable,
+ int scope : @py_scope ref,
+ varchar(1) name : string ref);
+
+py_line_lengths(unique int id : @py_line,
+ int file: @py_Module ref,
+ int line : int ref,
+ int length : int ref);
+
+py_extracted_version(int module : @py_Module ref,
+ varchar(1) version : string ref);
+
+/* AUTO GENERATED PART STARTS HERE */
+
+
+/* AnnAssign.location = 0, location */
+/* AnnAssign.value = 1, expr */
+/* AnnAssign.annotation = 2, expr */
+/* AnnAssign.target = 3, expr */
+
+/* Assert.location = 0, location */
+/* Assert.test = 1, expr */
+/* Assert.msg = 2, expr */
+
+/* Assign.location = 0, location */
+/* Assign.value = 1, expr */
+/* Assign.targets = 2, expr_list */
+
+/* AssignExpr.location = 0, location */
+/* AssignExpr.parenthesised = 1, bool */
+/* AssignExpr.value = 2, expr */
+/* AssignExpr.target = 3, expr */
+
+/* Attribute.location = 0, location */
+/* Attribute.parenthesised = 1, bool */
+/* Attribute.value = 2, expr */
+/* Attribute.attr = 3, str */
+/* Attribute.ctx = 4, expr_context */
+
+/* AugAssign.location = 0, location */
+/* AugAssign.operation = 1, BinOp */
+
+/* Await.location = 0, location */
+/* Await.parenthesised = 1, bool */
+/* Await.value = 2, expr */
+
+/* BinaryExpr.location = 0, location */
+/* BinaryExpr.parenthesised = 1, bool */
+/* BinaryExpr.left = 2, expr */
+/* BinaryExpr.op = 3, operator */
+/* BinaryExpr.right = 4, expr */
+/* BinaryExpr = AugAssign */
+
+/* BoolExpr.location = 0, location */
+/* BoolExpr.parenthesised = 1, bool */
+/* BoolExpr.op = 2, boolop */
+/* BoolExpr.values = 3, expr_list */
+
+/* Break.location = 0, location */
+
+/* Bytes.location = 0, location */
+/* Bytes.parenthesised = 1, bool */
+/* Bytes.s = 2, bytes */
+/* Bytes.prefix = 3, bytes */
+/* Bytes.implicitly_concatenated_parts = 4, StringPart_list */
+
+/* Call.location = 0, location */
+/* Call.parenthesised = 1, bool */
+/* Call.func = 2, expr */
+/* Call.positional_args = 3, expr_list */
+/* Call.named_args = 4, dict_item_list */
+
+/* Case.location = 0, location */
+/* Case.pattern = 1, pattern */
+/* Case.guard = 2, expr */
+/* Case.body = 3, stmt_list */
+
+/* Class.name = 0, str */
+/* Class.body = 1, stmt_list */
+/* Class = ClassExpr */
+
+/* ClassExpr.location = 0, location */
+/* ClassExpr.parenthesised = 1, bool */
+/* ClassExpr.name = 2, str */
+/* ClassExpr.bases = 3, expr_list */
+/* ClassExpr.keywords = 4, dict_item_list */
+/* ClassExpr.inner_scope = 5, Class */
+/* ClassExpr.type_parameters = 6, type_parameter_list */
+
+/* Compare.location = 0, location */
+/* Compare.parenthesised = 1, bool */
+/* Compare.left = 2, expr */
+/* Compare.ops = 3, cmpop_list */
+/* Compare.comparators = 4, expr_list */
+
+/* Continue.location = 0, location */
+
+/* Delete.location = 0, location */
+/* Delete.targets = 1, expr_list */
+
+/* Dict.location = 0, location */
+/* Dict.parenthesised = 1, bool */
+/* Dict.items = 2, dict_item_list */
+
+/* DictComp.location = 0, location */
+/* DictComp.parenthesised = 1, bool */
+/* DictComp.function = 2, Function */
+/* DictComp.iterable = 3, expr */
+
+/* DictUnpacking.location = 0, location */
+/* DictUnpacking.value = 1, expr */
+
+/* Ellipsis.location = 0, location */
+/* Ellipsis.parenthesised = 1, bool */
+
+/* ExceptGroupStmt.location = 0, location */
+/* ExceptGroupStmt.type = 1, expr */
+/* ExceptGroupStmt.name = 2, expr */
+/* ExceptGroupStmt.body = 3, stmt_list */
+
+/* ExceptStmt.location = 0, location */
+/* ExceptStmt.type = 1, expr */
+/* ExceptStmt.name = 2, expr */
+/* ExceptStmt.body = 3, stmt_list */
+
+/* Exec.location = 0, location */
+/* Exec.body = 1, expr */
+/* Exec.globals = 2, expr */
+/* Exec.locals = 3, expr */
+
+/* ExprStmt.location = 0, location */
+/* ExprStmt.value = 1, expr */
+
+/* Filter.location = 0, location */
+/* Filter.parenthesised = 1, bool */
+/* Filter.value = 2, expr */
+/* Filter.filter = 3, expr */
+
+/* For.location = 0, location */
+/* For.target = 1, expr */
+/* For.iter = 2, expr */
+/* For.body = 3, stmt_list */
+/* For.orelse = 4, stmt_list */
+/* For.is_async = 5, bool */
+
+/* FormattedValue.location = 0, location */
+/* FormattedValue.parenthesised = 1, bool */
+/* FormattedValue.value = 2, expr */
+/* FormattedValue.conversion = 3, str */
+/* FormattedValue.format_spec = 4, JoinedStr */
+
+/* Function.name = 0, str */
+/* Function.args = 1, parameter_list */
+/* Function.vararg = 2, expr */
+/* Function.kwonlyargs = 3, expr_list */
+/* Function.kwarg = 4, expr */
+/* Function.body = 5, stmt_list */
+/* Function.is_async = 6, bool */
+/* Function.type_parameters = 7, type_parameter_list */
+/* Function = FunctionParent */
+
+/* FunctionExpr.location = 0, location */
+/* FunctionExpr.parenthesised = 1, bool */
+/* FunctionExpr.name = 2, str */
+/* FunctionExpr.args = 3, arguments */
+/* FunctionExpr.returns = 4, expr */
+/* FunctionExpr.inner_scope = 5, Function */
+
+/* GeneratorExp.location = 0, location */
+/* GeneratorExp.parenthesised = 1, bool */
+/* GeneratorExp.function = 2, Function */
+/* GeneratorExp.iterable = 3, expr */
+
+/* Global.location = 0, location */
+/* Global.names = 1, str_list */
+
+/* Guard.location = 0, location */
+/* Guard.parenthesised = 1, bool */
+/* Guard.test = 2, expr */
+
+/* If.location = 0, location */
+/* If.test = 1, expr */
+/* If.body = 2, stmt_list */
+/* If.orelse = 3, stmt_list */
+
+/* IfExp.location = 0, location */
+/* IfExp.parenthesised = 1, bool */
+/* IfExp.test = 2, expr */
+/* IfExp.body = 3, expr */
+/* IfExp.orelse = 4, expr */
+
+/* Import.location = 0, location */
+/*