Merge branch 'main' into redsun82/rust-str

2025-12-16 16:53:25 +01:00 · 2024-11-21 11:50:38 +01:00
parent 36d8a6d05f 295626d53b
commit 6a6154913b
173 changed files with 8382 additions and 2222 deletions
--- a/cpp/ql/src/Critical/UseAfterFree.qhelp
+++ b/cpp/ql/src/Critical/UseAfterFree.qhelp
@@ -8,7 +8,7 @@
 <p>
 This rule finds accesses through a pointer of a memory location that has already been freed (i.e. through a dangling pointer). 
 Such memory blocks have already been released to the dynamic memory manager, and modifying them can lead to anything 
-from a segfault to memory corruption that would cause subsequent calls to the dynamic memory manger to behave 
+from a segfault to memory corruption that would cause subsequent calls to the dynamic memory manager to behave 
 erratically, to a possible security vulnerability.
 </p>

--- a/cpp/ql/src/experimental/Best
+++ b/cpp/ql/src/experimental/Best
@@ -18,9 +18,31 @@ class FreeCall extends FunctionCall {
  FreeCall() { this.getTarget().hasGlobalName("free") }
 }

+predicate blockContainsPreprocessorBranches(BasicBlock bb) {
+  exists(PreprocessorBranch ppb, Location bbLoc, Location ppbLoc |
+    bbLoc = bb.(Stmt).getLocation() and ppbLoc = ppb.getLocation()
+  |
+    bbLoc.getFile() = ppb.getFile() and
+    bbLoc.getStartLine() < ppbLoc.getStartLine() and
+    ppbLoc.getEndLine() < bbLoc.getEndLine()
+  )
+}
+
 from GuardCondition gc, FreeCall fc, Variable v, BasicBlock bb
 where
  gc.ensuresEq(v.getAnAccess(), 0, bb, false) and
  fc.getArgument(0) = v.getAnAccess() and
-  bb = fc.getEnclosingStmt()
+  bb = fc.getBasicBlock() and
+  (
+    // No block statement: if (x) free(x);
+    bb = fc.getEnclosingStmt()
+    or
+    // Block statement with a single nested statement: if (x) { free(x); }
+    strictcount(bb.(BlockStmt).getAStmt()) = 1
+  ) and
+  strictcount(BasicBlock bb2 | gc.ensuresEq(_, 0, bb2, _) | bb2) = 1 and
+  not fc.isInMacroExpansion() and
+  not blockContainsPreprocessorBranches(bb) and
+  not (gc instanceof BinaryOperation and not gc instanceof ComparisonOperation) and
+  not exists(CommaExpr c | c.getAChild*() = fc)
 select gc, "unnecessary NULL check before call to $@", fc, "free"
--- a/Practices/GuardedFree/GuardedFree.expected
+++ b/Practices/GuardedFree/GuardedFree.expected
@@ -1,10 +1,5 @@
 | test.cpp:5:7:5:7 | x | unnecessary NULL check before call to $@ | test.cpp:6:5:6:8 | call to free | free |
-| test.cpp:23:7:23:7 | x | unnecessary NULL check before call to $@ | test.cpp:26:5:26:8 | call to free | free |
-| test.cpp:31:7:31:8 | ! ... | unnecessary NULL check before call to $@ | test.cpp:35:3:35:6 | call to free | free |
-| test.cpp:31:7:31:24 | ... \|\| ... | unnecessary NULL check before call to $@ | test.cpp:35:3:35:6 | call to free | free |
-| test.cpp:31:8:31:8 | x | unnecessary NULL check before call to $@ | test.cpp:35:3:35:6 | call to free | free |
-| test.cpp:94:12:94:12 | x | unnecessary NULL check before call to $@ | test.cpp:94:3:94:13 | call to free | free |
-| test.cpp:98:7:98:8 | ! ... | unnecessary NULL check before call to $@ | test.cpp:101:3:101:6 | call to free | free |
-| test.cpp:98:8:98:8 | x | unnecessary NULL check before call to $@ | test.cpp:101:3:101:6 | call to free | free |
+| test.cpp:10:7:10:7 | x | unnecessary NULL check before call to $@ | test.cpp:11:5:11:8 | call to free | free |
+| test.cpp:42:7:42:7 | x | unnecessary NULL check before call to $@ | test.cpp:43:5:43:8 | call to free | free |
+| test.cpp:49:7:49:7 | x | unnecessary NULL check before call to $@ | test.cpp:50:5:50:8 | call to free | free |
 | test.cpp:106:7:106:18 | ... != ... | unnecessary NULL check before call to $@ | test.cpp:107:5:107:8 | call to free | free |
-| test.cpp:113:7:113:18 | ... != ... | unnecessary NULL check before call to $@ | test.cpp:114:17:114:20 | call to free | free |
--- a/cpp/ql/test/experimental/query-tests/Best
+++ b/cpp/ql/test/experimental/query-tests/Best
@@ -20,7 +20,7 @@ void test2(int *x) {
 }

 void test3(int *x, bool b) {
-  if (x) { // GOOD [FALSE POSITIVE]: x is being accessed in the body of the if
+  if (x) { // GOOD: x is being accessed in the body of the if
    if (b)
      *x = 42;
    free(x);
@@ -28,7 +28,7 @@ void test3(int *x, bool b) {
 }

 bool test4(char *x, char *y) {
-  if (!x || strcmp(x, y)) { // GOOD [FALSE POSITIVE]: x is being accessed in the guard and return value depends on x
+  if (!x || strcmp(x, y)) { // GOOD: x is being accessed in the guard and return value depends on x
    free(x);
    return true;
  }
@@ -91,11 +91,11 @@ void test10(char *x) {
  if (x) free(x);

 void test11(char *x) {
-  TRY_FREE(x) // BAD
+  TRY_FREE(x) // BAD [NOT DETECTED]
 }

 bool test12(char *x) {
-  if (!x) // GOOD [FALSE POSITIVE]: return value depends on x
+  if (!x) // GOOD: return value depends on x
    return false;

  free(x);
@@ -110,6 +110,6 @@ void test13(char *x) {
 void inspect(char *x);

 void test14(char *x) {
-  if (x != nullptr) // GOOD [FALSE POSITIVE]: x might be accessed in the first operand of the comma operator
+  if (x != nullptr) // GOOD: x might be accessed in the first operand of the comma operator
    inspect(x), free(x);
 }
--- a/csharp/.vscode/launch.json
+++ b/csharp/.vscode/launch.json
@@ -6,7 +6,7 @@
            "type": "coreclr",
            "request": "launch",
            "preLaunchTask": "dotnet: build",
-            "program": "${workspaceFolder}/extractor/Semmle.Extraction.CSharp.Standalone/bin/Debug/net8.0/Semmle.Extraction.CSharp.Standalone.dll",
+            "program": "${workspaceFolder}/extractor/Semmle.Extraction.CSharp.Standalone/bin/Debug/net9.0/Semmle.Extraction.CSharp.Standalone.dll",
            "args": [],
            // Set the path to the folder that should be extracted:
            "cwd": "${workspaceFolder}/ql/test/library-tests/standalone/standalonemode",
@@ -35,7 +35,7 @@
            "type": "coreclr",
            "request": "launch",
            "preLaunchTask": "dotnet: build",
-            "program": "${workspaceFolder}/autobuilder/Semmle.Autobuild.CSharp/bin/Debug/net8.0/Semmle.Autobuild.CSharp.dll",
+            "program": "${workspaceFolder}/autobuilder/Semmle.Autobuild.CSharp/bin/Debug/net9.0/Semmle.Autobuild.CSharp.dll",
            // Set the path to the folder that should be extracted:
            "cwd": "${workspaceFolder}/ql/integration-tests/all-platforms/autobuild",
            "stopAtEntry": true,
@@ -53,7 +53,7 @@
            "type": "coreclr",
            "request": "launch",
            "preLaunchTask": "dotnet: build",
-            "program": "${workspaceFolder}/extractor/Semmle.Extraction.CSharp.Driver/bin/Debug/net8.0/Semmle.Extraction.CSharp.Driver.dll",
+            "program": "${workspaceFolder}/extractor/Semmle.Extraction.CSharp.Driver/bin/Debug/net9.0/Semmle.Extraction.CSharp.Driver.dll",
            "stopAtEntry": true,
            "args": [
                "--binlog",
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp/AutoBuildRule.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/AutoBuildRule.cs
@@ -49,11 +49,9 @@ namespace Semmle.Autobuild.CSharp
                tryCleanExtractorArgsLogs &
                BuildScript.DeleteFile(Extractor.GetCSharpLogPath());

-            /// <summary>
-            /// Execute script `s` and check that the C# extractor has been executed.
-            /// If either fails, attempt to cleanup any artifacts produced by the extractor,
-            /// and exit with code 1, in order to proceed to the next attempt.
-            /// </summary>
+            // Execute script `s` and check that the C# extractor has been executed.
+            // If either fails, attempt to cleanup any artifacts produced by the extractor,
+            // and exit with code 1, in order to proceed to the next attempt.
            BuildScript IntermediateAttempt(BuildScript s) =>
                (s & this.autobuilder.CheckExtractorRun(false)) |
                (attemptExtractorCleanup & BuildScript.Failure);
--- a/csharp/autobuilder/Semmle.Autobuild.Shared/Autobuilder.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.Shared/Autobuilder.cs
@@ -195,7 +195,7 @@ namespace Semmle.Autobuild.Shared
        }

        /// <summary>
-        /// Retrieves the value of an environment variable named <paramref name="name"> or throws
+        /// Retrieves the value of an environment variable named <paramref name="name"/> or throws
        /// an exception if no such environment variable has been set.
        /// </summary>
        /// <param name="name">The name of the environment variable.</param>
@@ -228,7 +228,7 @@ namespace Semmle.Autobuild.Shared
        private readonly IDiagnosticsWriter diagnostics;

        /// <summary>
-        /// Makes <see cref="path" /> relative to the root source directory.
+        /// Makes <paramref name="path"/> relative to the root source directory.
        /// </summary>
        /// <param name="path">The path which to make relative.</param>
        /// <returns>The relative path.</returns>
--- a/csharp/autobuilder/Semmle.Autobuild.Shared/MarkdownUtil.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.Shared/MarkdownUtil.cs
@@ -22,7 +22,7 @@ namespace Semmle.Autobuild.Shared
        public static string ToMarkdownLink(this string link, string title) => $"[{title}]({link})";

        /// <summary>
-        /// Renders <see cref="projects" /> as a markdown list of the project paths.
+        /// Renders <paramref name="projects"/> as a markdown list of the project paths.
        /// </summary>
        /// <param name="projects">
        /// The list of projects whose paths should be rendered as a markdown list.
@@ -35,7 +35,7 @@ namespace Semmle.Autobuild.Shared
        }

        /// <summary>
-        /// Renders <see cref="items" /> as a markdown list.
+        /// Renders <paramref name="items" /> as a markdown list.
        /// </summary>
        /// <typeparam name="T">The item type.</typeparam>
        /// <param name="items">The list that should be formatted as a markdown list.</param>
--- a/csharp/documentation/library-coverage/coverage.csv
+++ b/csharp/documentation/library-coverage/coverage.csv
@@ -8,39 +8,40 @@ ILLink.Shared,,,31,,,,,,,,,,,,,,,,,,,11,20
 ILLink.Tasks,,,5,,,,,,,,,,,,,,,,,,,4,1
 Internal.IL,,,54,,,,,,,,,,,,,,,,,,,28,26
 Internal.Pgo,,,9,,,,,,,,,,,,,,,,,,,2,7
-Internal.TypeSystem,,,328,,,,,,,,,,,,,,,,,,,201,127
+Internal.TypeSystem,,,329,,,,,,,,,,,,,,,,,,,201,128
 JsonToItemsTaskFactory,,,11,,,,,,,,,,,,,,,,,,,1,10
 Microsoft.Android.Build,,1,14,,,,,,,,,,,,,1,,,,,,12,2
 Microsoft.Apple.Build,,,7,,,,,,,,,,,,,,,,,,,7,
 Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,,28,,,,,,,,,,
 Microsoft.CSharp,,,2,,,,,,,,,,,,,,,,,,,2,
-Microsoft.Diagnostics.Tools.Pgo,,,23,,,,,,,,,,,,,,,,,,,2,21
+Microsoft.Diagnostics.Tools.Pgo,,,25,,,,,,,,,,,,,,,,,,,2,23
 Microsoft.DotNet.Build.Tasks,,,10,,,,,,,,,,,,,,,,,,,8,2
+Microsoft.DotNet.PlatformAbstractions,,,1,,,,,,,,,,,,,,,,,,,1,
 Microsoft.EntityFrameworkCore,6,,12,,,,,,,,,,6,,,,,,,,,,12
 Microsoft.Extensions.Caching.Distributed,,,3,,,,,,,,,,,,,,,,,,,,3
-Microsoft.Extensions.Caching.Memory,,,31,,,,,,,,,,,,,,,,,,,5,26
-Microsoft.Extensions.Configuration,,3,91,,,,,,,,,,,,,3,,,,,,25,66
-Microsoft.Extensions.DependencyInjection,,,130,,,,,,,,,,,,,,,,,,,17,113
+Microsoft.Extensions.Caching.Memory,,,37,,,,,,,,,,,,,,,,,,,5,32
+Microsoft.Extensions.Configuration,,3,101,,,,,,,,,,,,,3,,,,,,29,72
+Microsoft.Extensions.DependencyInjection,,,202,,,,,,,,,,,,,,,,,,,15,187
 Microsoft.Extensions.DependencyModel,,1,16,,,,,,,,,,,,,1,,,,,,14,2
 Microsoft.Extensions.Diagnostics.Metrics,,,14,,,,,,,,,,,,,,,,,,,1,13
 Microsoft.Extensions.FileProviders,,,17,,,,,,,,,,,,,,,,,,,7,10
-Microsoft.Extensions.FileSystemGlobbing,,,22,,,,,,,,,,,,,,,,,,,11,11
-Microsoft.Extensions.Hosting,,,39,,,,,,,,,,,,,,,,,,,29,10
+Microsoft.Extensions.FileSystemGlobbing,,,21,,,,,,,,,,,,,,,,,,,10,11
+Microsoft.Extensions.Hosting,,,58,,,,,,,,,,,,,,,,,,,29,29
 Microsoft.Extensions.Http,,,9,,,,,,,,,,,,,,,,,,,7,2
-Microsoft.Extensions.Logging,,,64,,,,,,,,,,,,,,,,,,,25,39
-Microsoft.Extensions.Options,,,14,,,,,,,,,,,,,,,,,,,14,
-Microsoft.Extensions.Primitives,,,72,,,,,,,,,,,,,,,,,,,67,5
-Microsoft.Interop,,,137,,,,,,,,,,,,,,,,,,,70,67
+Microsoft.Extensions.Logging,,,91,,,,,,,,,,,,,,,,,,,25,66
+Microsoft.Extensions.Options,,,68,,,,,,,,,,,,,,,,,,,44,24
+Microsoft.Extensions.Primitives,,,73,,,,,,,,,,,,,,,,,,,67,6
+Microsoft.Interop,,,159,,,,,,,,,,,,,,,,,,,75,84
 Microsoft.NET.Build.Tasks,,,5,,,,,,,,,,,,,,,,,,,3,2
 Microsoft.NET.Sdk.WebAssembly,,,2,,,,,,,,,,,,,,,,,,,1,1
 Microsoft.NET.WebAssembly.Webcil,,,6,,,,,,,,,,,,,,,,,,,6,
 Microsoft.VisualBasic,,,13,,,,,,,,,,,,,,,,,,,1,12
 Microsoft.WebAssembly.Build.Tasks,,,9,,,,,,,,,,,,,,,,,,,8,1
 Microsoft.Win32,,4,2,,,,,,,,,,,,,,,,,,4,,2
-Mono.Linker,,,287,,,,,,,,,,,,,,,,,,,145,142
+Mono.Linker,,,293,,,,,,,,,,,,,,,,,,,145,148
 MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,54,47,10313,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5351,4962
+System,54,47,10818,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5511,5307
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,
--- a/csharp/documentation/library-coverage/coverage.rst
+++ b/csharp/documentation/library-coverage/coverage.rst
@@ -8,7 +8,7 @@ C# framework & library support

   Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
   `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,10313,54,5
-   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",57,1848,148,
-   Totals,,104,12168,396,5
+   System,"``System.*``, ``System``",47,10818,54,5
+   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",57,2068,148,
+   Totals,,104,12893,396,5

--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Assets.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Assets.cs
@@ -127,21 +127,21 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        ///
        /// Example:
        /// "project": {
-        //     "version": "1.0.0",
-        //     "frameworks": {
-        //         "net7.0": {
-        //             "frameworkReferences": {
-        //                 "Microsoft.AspNetCore.App": {
-        //                     "privateAssets": "none"
-        //                 },
-        //                 "Microsoft.NETCore.App": {
-        //                     "privateAssets": "all"
-        //                 }
-        //             }
-        //         }
-        //     }
-        // }
-        //
+        ///    "version": "1.0.0",
+        ///    "frameworks": {
+        ///        "net7.0": {
+        ///            "frameworkReferences": {
+        ///                "Microsoft.AspNetCore.App": {
+        ///                    "privateAssets": "none"
+        ///                },
+        ///                "Microsoft.NETCore.App": {
+        ///                    "privateAssets": "all"
+        ///                }
+        ///            }
+        ///        }
+        ///    }
+        /// }
+        ///
        /// Adds the following dependencies
        ///   Paths: {
        ///     "microsoft.aspnetcore.app.ref",
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetVersion.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetVersion.cs
@@ -27,7 +27,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         * This is the same as FullPath, except that we assume that the
         * reference assemblies are in a directory called "packs" and
         * the reference assemblies themselves are in a directory called
-         * "<Framework>.Ref/ref".
+         * "[Framework].Ref/ref".
         * Example:
         *  FullPath: /usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.2
         *  FullPathReferenceAssemblies: /usr/share/dotnet/packs/Microsoft.NETCore.App.Ref/7.0.2/ref
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/FileContent.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/FileContent.cs
@@ -38,8 +38,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        /// True if any file in the source directory indicates that ASP.NET Core is used.
        /// The following heuristic is used to decide, if ASP.NET Core is used:
        /// If any file in the source directory contains something like (this will most like be a .csproj file)
-        ///     <Project Sdk="Microsoft.NET.Sdk.Web">
-        ///     <FrameworkReference Include="Microsoft.AspNetCore.App"/>
+        ///     &lt;Project Sdk="Microsoft.NET.Sdk.Web"&gt;
+        ///     &lt;FrameworkReference Include="Microsoft.AspNetCore.App"/&gt;
        /// </summary>
        public bool UseAspNetCoreDlls
        {
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
@@ -10,20 +10,20 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        string Exec { get; }

        /// <summary>
-        /// Execute `dotnet <args>` and return true if the command succeeded, otherwise false.
+        /// Execute `dotnet <paramref name="args"/>` and return true if the command succeeded, otherwise false.
        /// If `silent` is true the output of the command is logged as `debug` otherwise as `info`.
        /// </summary>
        bool RunCommand(string args, bool silent = true);

        /// <summary>
-        /// Execute `dotnet <args>` and return true if the command succeeded, otherwise false.
+        /// Execute `dotnet <paramref name="args"/>` and return true if the command succeeded, otherwise false.
        /// The output of the command is returned in `output`.
        /// If `silent` is true the output of the command is logged as `debug` otherwise as `info`.
        /// </summary>
        bool RunCommand(string args, out IList<string> output, bool silent = true);

        /// <summary>
-        /// Execute `dotnet <args>` in `<workingDirectory>` and return true if the command succeeded, otherwise false.
+        /// Execute `dotnet <paramref name="args"/>` in `<paramref name="workingDirectory"/>` and return true if the command succeeded, otherwise false.
        /// The output of the command is returned in `output`.
        /// If `silent` is true the output of the command is logged as `debug` otherwise as `info`.
        /// </summary>
--- a/csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs
@@ -133,9 +133,6 @@ namespace Semmle.Extraction.CSharp

        /// <summary>
        /// Constructs a unique string for this type symbol.
-        ///
-        /// The supplied action <paramref name="subTermAction"/> is applied to the
-        /// syntactic sub terms of this type (if any).
        /// </summary>
        /// <param name="cx">The extraction context.</param>
        /// <param name="trapFile">The trap builder used to store the result.</param>
@@ -495,31 +492,31 @@ namespace Semmle.Extraction.CSharp

        /// <summary>
        /// Holds if this type is of the form <code>int?</code> or
-        /// <code>System.Nullable<int></code>.
+        /// <code>System.Nullable&lt;int&gt;</code>.
        /// </summary>
        public static bool IsBoundNullable(this ITypeSymbol type) =>
            type.SpecialType == SpecialType.None && type.OriginalDefinition.IsUnboundNullable();

        /// <summary>
-        /// Holds if this type is <code>System.Nullable<T></code>.
+        /// Holds if this type is <code>System.Nullable&lt;T&gt;</code>.
        /// </summary>
        public static bool IsUnboundNullable(this ITypeSymbol type) =>
            type.SpecialType == SpecialType.System_Nullable_T;

        /// <summary>
-        /// Holds if this type is <code>System.Span<T></code>.
+        /// Holds if this type is <code>System.Span&lt;T&gt;</code>.
        /// </summary>
        public static bool IsUnboundSpan(this ITypeSymbol type) =>
            type.ToString() == "System.Span<T>";

        /// <summary>
-        /// Holds if this type is of the form <code>System.Span<byte></code>.
+        /// Holds if this type is of the form <code>System.Span&lt;byte&gt;</code>.
        /// </summary>
        public static bool IsBoundSpan(this ITypeSymbol type) =>
            type.SpecialType == SpecialType.None && type.OriginalDefinition.IsUnboundSpan();

        /// <summary>
-        /// Holds if this type is <code>System.ReadOnlySpan<T></code>.
+        /// Holds if this type is <code>System.ReadOnlySpan&lt;T&gt;</code>.
        /// </summary>
        public static bool IsUnboundReadOnlySpan(this ITypeSymbol type) =>
            type.ToString() == "System.ReadOnlySpan<T>";
@@ -536,7 +533,7 @@ namespace Semmle.Extraction.CSharp
        }

        /// <summary>
-        /// Holds if this type is of the form <code>System.ReadOnlySpan<byte></code>.
+        /// Holds if this type is of the form <code>System.ReadOnlySpan&lt;byte&gt;</code>.
        /// </summary>
        public static bool IsBoundReadOnlySpan(this ITypeSymbol type) =>
            type.SpecialType == SpecialType.None && type.OriginalDefinition.IsUnboundReadOnlySpan();
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Base/CachedEntity.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Base/CachedEntity.cs
@@ -7,7 +7,7 @@ namespace Semmle.Extraction.CSharp.Entities
    /// <summary>
    /// A cached entity.
    ///
-    /// The <see cref="Entity.Id"/> property is used as label in caching.
+    /// The <see cref="Entity.Label"/> property is used as label in caching.
    /// </summary>
    public abstract class CachedEntity : LabelledEntity
    {
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Base/IEntity.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Base/IEntity.cs
@@ -9,12 +9,12 @@ namespace Semmle.Extraction.CSharp
    /// Entities are divided into two types: normal entities and cached
    /// entities.
    ///
-    /// Normal entities implement <see cref="FreshEntity"/> directly, and they
+    /// Normal entities implement <see cref="Entities.FreshEntity"/> directly, and they
    /// (may) emit contents to the trap file during object construction.
    ///
-    /// Cached entities implement <see cref="CachedEntity"/>, and they
-    /// emit contents to the trap file when <see cref="CachedEntity.Populate"/>
-    /// is called. Caching prevents <see cref="CachedEntity.Populate"/>
+    /// Cached entities implement <see cref="Entities.CachedEntity"/>, and they
+    /// emit contents to the trap file when <see cref="Entities.CachedEntity.Populate"/>
+    /// is called. Caching prevents <see cref="Entities.CachedEntity.Populate"/>
    /// from being called on entities that have already been emitted.
    /// </summary>
    public interface IEntity
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -77,7 +77,7 @@ namespace Semmle.Extraction.CSharp.Entities
        /// <summary>
        /// Gets a string representation of a constant value.
        /// </summary>
-        /// <param name="obj">The value.</param>
+        /// <param name="value">The value.</param>
        /// <returns>The string representation.</returns>
        public static string ValueAsString(object? value)
        {
@@ -98,7 +98,6 @@ namespace Semmle.Extraction.CSharp.Entities
        /// <param name="node">The node to extract.</param>
        /// <param name="parent">The parent entity.</param>
        /// <param name="child">The child index.</param>
-        /// <param name="type">A type hint.</param>
        /// <returns>The new expression.</returns>
        public static Expression Create(Context cx, ExpressionSyntax node, IExpressionParentEntity parent, int child, Boolean isCompilerGenerated = false)
        {
@@ -120,7 +119,6 @@ namespace Semmle.Extraction.CSharp.Entities
        /// <param name="node">The node to extract.</param>
        /// <param name="parent">The parent entity.</param>
        /// <param name="child">The child index.</param>
-        /// <param name="type">A type hint.</param>
        public static void CreateDeferred(Context cx, ExpressionSyntax node, IExpressionParentEntity parent, int child)
        {
            if (ContainsPattern(node))
@@ -244,7 +242,6 @@ namespace Semmle.Extraction.CSharp.Entities
        /// to show the target of the call. Also note the dynamic method
        /// name if available.
        /// </summary>
-        /// <param name="cx">Context</param>
        /// <param name="node">The expression.</param>
        public void OperatorCall(TextWriter trapFile, ExpressionSyntax node)
        {
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CSharp.Entities
        /// <code>expressions</code> and <code>expr_location</code> are populated by the constructor
        /// (should not fail), so even if expression-type specific population fails (e.g., in
        /// standalone extraction), the expression created via
-        /// <see cref="Expression.Create(Context, ExpressionSyntax, IEntity, int, ITypeSymbol)"/> will
+        /// <see cref="Expression.Create"/> will
        /// still be valid.
        /// </summary>
        protected abstract void PopulateExpression(TextWriter trapFile);
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
@@ -21,10 +21,9 @@ namespace Semmle.Extraction.CSharp.Entities
            NamedTypeFactory.Instance.CreateEntityFromSymbol(cx, type);

        /// <summary>
-        /// Creates a named type entity from a tuple type. Unlike `Create`, this
+        /// Creates a named type entity from a tuple type. Unlike <see cref="Create"/>, this
        /// will create an entity for the underlying `System.ValueTuple` struct.
-        /// For example, `(int, string)` will result in an entity for
-        /// `System.ValueTuple<int, string>`.
+        /// For example, `(int, string)` will result in an entity for `System.ValueTuple&lt;int, string&gt;`.
        /// </summary>
        public static NamedType CreateNamedTypeFromTupleType(Context cx, INamedTypeSymbol type) =>
            UnderlyingTupleTypeFactory.Instance.CreateEntity(cx, (new SymbolEqualityWrapper(type), typeof(TupleType)), type);
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs
@@ -209,8 +209,8 @@ namespace Semmle.Extraction.CSharp.Entities
        /// This is so that we can avoid populating nullability in most cases.
        /// For example,
        /// <code>
-        /// IEnumerable&lt;string?&gt // false
-        /// IEnumerable&lt;string?&gt? // true
+        /// IEnumerable&lt;string?&gt; // false
+        /// IEnumerable&lt;string?&gt;? // true
        /// string? // true
        /// string[] // true
        /// string?[] // false
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/UserOperator.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/UserOperator.cs
@@ -86,7 +86,7 @@ namespace Semmle.Extraction.CSharp.Entities
        /// Logs an error if the name is not found.
        /// </summary>
        /// <param name="cx">Extractor context.</param>
-        /// <param name="methodName">The method name.</param>
+        /// <param name="method">The method symbol.</param>
        /// <returns>The converted name.</returns>
        private static string OperatorSymbol(Context cx, IMethodSymbol method)
        {
--- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Context.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Context.cs
@@ -152,7 +152,7 @@ namespace Semmle.Extraction.CSharp
        /// <summary>
        /// Enqueue the given action to be performed later.
        /// </summary>
-        /// <param name="toRun">The action to run.</param>
+        /// <param name="a">The action to run.</param>
        public void PopulateLater(Action a, bool preserveDuplicationKey = true)
        {
            var key = preserveDuplicationKey ? GetCurrentTagStackKey() : null;
@@ -598,7 +598,6 @@ namespace Semmle.Extraction.CSharp
        /// <summary>
        /// Register a program entity which can be bound to comments.
        /// </summary>
-        /// <param name="cx">Extractor context.</param>
        /// <param name="entity">Program entity.</param>
        /// <param name="l">Location of the entity.</param>
        public void BindComments(Entity entity, Microsoft.CodeAnalysis.Location? l)
--- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TrapWriter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/TrapWriter.cs
@@ -171,7 +171,7 @@ namespace Semmle.Extraction.CSharp
        /// <summary>
        /// Close the trap file, and move it to the right place in the trap directory.
        /// If the file exists already, rename it to allow the new file (ending .trap.gz)
-        /// to sit alongside the old file (except if <paramref name="discardDuplicates"/> is true,
+        /// to sit alongside the old file (except if <see cref="discardDuplicates"/> is true,
        /// in which case only the existing file is kept).
        /// </summary>
        public void Dispose()
--- a/csharp/extractor/Semmle.Extraction.CSharp/Trap/EscapingTextWriter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Trap/EscapingTextWriter.cs
@@ -8,7 +8,7 @@ namespace Semmle.Extraction.CSharp
 {
    /// <summary>
    /// A `TextWriter` object that wraps another `TextWriter` object, and which
-    /// HTML escapes the characters `&`, `{`, `}`, `"`, `@`, and `#`, before
+    /// HTML escapes the characters &amp;, {, }, &quot;, @, and #, before
    /// writing to the underlying object.
    /// </summary>
    public sealed class EscapingTextWriter : TextWriter
--- a/csharp/extractor/Semmle.Extraction.CSharp/Trap/TrapExtensions.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Trap/TrapExtensions.cs
@@ -226,7 +226,7 @@ namespace Semmle.Extraction.CSharp
        /// <summary>
        /// Builds a trap builder using a separator and an action for each item in the list.
        /// </summary>
-        /// <typeparam name="T">The type of the items.</typeparam>
+        /// <typeparam name="T2">The type of the items.</typeparam>
        /// <param name="trapFile">The trap builder to append to.</param>
        /// <param name="separator">The separator string (e.g. ",")</param>
        /// <param name="items">The list of items.</param>
@@ -251,7 +251,7 @@ namespace Semmle.Extraction.CSharp
        /// <summary>
        /// Builds a trap builder using a separator and an action for each item in the list.
        /// </summary>
-        /// <typeparam name="T">The type of the items.</typeparam>
+        /// <typeparam name="T2">The type of the items.</typeparam>
        /// <param name="trapFile">The trap builder to append to.</param>
        /// <param name="separator">The separator string (e.g. ",")</param>
        /// <param name="items">The list of items.</param>
--- a/csharp/extractor/Semmle.Util/CanonicalPathCache.cs
+++ b/csharp/extractor/Semmle.Util/CanonicalPathCache.cs
@@ -208,7 +208,7 @@ namespace Semmle.Util
        /// Create cache with a given capacity.
        /// </summary>
        /// <param name="pathStrategy">The algorithm for determining the canonical path.</param>
-        /// <param name="capacity">The size of the cache.</param>
+        /// <param name="maxCapacity">The size of the cache.</param>
        public CanonicalPathCache(int maxCapacity, PathStrategy pathStrategy)
        {
            if (maxCapacity <= 0)
@@ -230,7 +230,6 @@ namespace Semmle.Util
        /// </remarks>
        ///
        /// <param name="maxCapacity">Size of the cache.</param>
-        /// <param name="symlinks">Policy for following symlinks.</param>
        /// <returns>A new CanonicalPathCache.</returns>
        public static CanonicalPathCache Create(ILogger logger, int maxCapacity)
        {
--- a/csharp/extractor/Semmle.Util/CommandBuilder.cs
+++ b/csharp/extractor/Semmle.Util/CommandBuilder.cs
@@ -62,7 +62,6 @@ namespace Semmle.Util
        /// </summary>
        /// <param name="argument">The argument to append.</param>
        /// <param name="force">Whether to always quote the argument.</param>
-        /// <param name="cmd">Whether to escape for cmd.exe</param>
        ///
        /// <remarks>
        /// This implementation is copied from
--- a/csharp/ql/integration-tests/all-platforms/dotnet_build/test.py
+++ b/csharp/ql/integration-tests/all-platforms/dotnet_build/test.py
@@ -1,7 +1,6 @@
 import os

 def check_build_out(msg, s):
-    lines = s.splitlines()
    lines = s.splitlines()
    assert (
        any (("[build-stdout]" in line) and (msg in line) for line in lines)
--- a/csharp/ql/test/resources/stubs/System.Web.cs
+++ b/csharp/ql/test/resources/stubs/System.Web.cs
@@ -390,6 +390,8 @@ namespace System.Web.Script.Serialization
        public JavaScriptSerializer() => throw null;
        public JavaScriptSerializer(System.Web.Script.Serialization.JavaScriptTypeResolver resolver) => throw null;
        public object DeserializeObject(string input) => throw null;
+        public T Deserialize<T> (string input) => throw null;
+        public object Deserialize(string input, Type targetType) => throw null;
    }

    // Generated from `System.Web.Script.Serialization.JavaScriptTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
--- a/docs/codeql/ql-language-reference/modules.rst
+++ b/docs/codeql/ql-language-reference/modules.rst
@@ -431,10 +431,7 @@ The above query therefore evalutes to:
 BigInt
 ======

-The built-in ``QlBuiltins`` module provides an **experimental** type ``BigInt`` of arbitrary-precision integers.
-
-This type is not available in the CodeQL CLI by default, but you can enable it by passing the ``--allow-experimental=bigint``
-option to the CodeQL CLI. Consequently, BigInts are currently disallowed in query results and dbscheme columns.
+The built-in ``QlBuiltins`` module provides a type ``BigInt`` of arbitrary-range integers.

 Unlike ``int`` and ``float``, there is no automatic conversion between ``BigInt`` and other numeric types.
 Instead, big integers can be constructed using the ``.toBigInt()`` methods of ``int`` and ``string``.
@@ -451,3 +448,5 @@ The other built-in operations are:
    ``rank``, ``unique``, ``any``.
 *   other: ``.pow(int)``, ``.abs()``, ``.gcd(BigInt)``, ``.minimum(BigInt)``,
    ``.maximum(BigInt)``.
+
+Note: big integers are currently disallowed in query results and dbscheme columns.
--- a/docs/codeql/ql-language-reference/ql-language-specification.rst
+++ b/docs/codeql/ql-language-reference/ql-language-specification.rst
@@ -445,7 +445,7 @@ An integer value is of type ``int``. Each value is a 32-bit two's complement int

 A string is a finite sequence of 16-bit characters. The characters are interpreted as Unicode code points.

-A :ref:`big integer <bigint>` value is of type ``QlBuiltins::BigInt``. Each value is a signed arbitrary-precision integer.
+A :ref:`big integer <bigint>` value is of type ``QlBuiltins::BigInt``. Each value is a signed arbitrary-range integer.

 The database includes a number of opaque entity values. Each such value has a type that is one of the database types, and an identifying integer. An entity value is written as the name of its database type followed by its identifying integer in parentheses. For example, ``@tree(12)``, ``@person(16)``, and ``@location(38132)`` are entity values. The identifying integers are left opaque to programmers in this specification, so an implementation of QL is free to use some other set of countable labels to identify its entities.

--- a/docs/codeql/ql-language-reference/types.rst
+++ b/docs/codeql/ql-language-reference/types.rst
@@ -52,7 +52,7 @@ independent of the database that you are querying.
 QL has a range of built-in operations defined on primitive types. These are available by using dispatch on expressions of the appropriate type. For example, ``1.toString()`` is the string representation of the integer constant ``1``. For a full list of built-in operations available in QL, see the
 section on `built-ins <https://codeql.github.com/docs/ql-language-reference/ql-language-specification/#built-ins>`__ in the QL language specification.

-Additionally, there is an experimental arbitrary-precision integer primitive type at :ref:`QlBuiltins::BigInt <bigint>`. This type is not available in the CodeQL CLI by default, but you can enable it by passing the ``--allow-experimental=bigint`` option to the CodeQL CLI.
+Additionally, there is an arbitrary-range integer primitive type at :ref:`QlBuiltins::BigInt <bigint>`.

 .. index:: class
 .. _classes:
--- a/go/documentation/library-coverage/coverage.csv
+++ b/go/documentation/library-coverage/coverage.csv
@@ -1,121 +1,121 @@
-package,sink,source,summary,sink:command-injection,sink:credentials-key,sink:jwt,sink:path-injection,sink:regex-use[0],sink:regex-use[1],sink:regex-use[c],sink:request-forgery,sink:request-forgery[TCP Addr + Port],sink:url-redirection,sink:url-redirection[0],sink:url-redirection[receiver],sink:xpath-injection,source:environment,source:file,source:remote,summary:taint,summary:value
-,,,8,,,,,,,,,,,,,,,,,3,5
-archive/tar,,,5,,,,,,,,,,,,,,,,,5,
-archive/zip,,,6,,,,,,,,,,,,,,,,,6,
-bufio,,,17,,,,,,,,,,,,,,,,,17,
-bytes,,,43,,,,,,,,,,,,,,,,,43,
-clevergo.tech/clevergo,1,,,,,,,,,,,,,,1,,,,,,
-compress/bzip2,,,1,,,,,,,,,,,,,,,,,1,
-compress/flate,,,4,,,,,,,,,,,,,,,,,4,
-compress/gzip,,,3,,,,,,,,,,,,,,,,,3,
-compress/lzw,,,1,,,,,,,,,,,,,,,,,1,
-compress/zlib,,,4,,,,,,,,,,,,,,,,,4,
-container/heap,,,5,,,,,,,,,,,,,,,,,5,
-container/list,,,20,,,,,,,,,,,,,,,,,20,
-container/ring,,,5,,,,,,,,,,,,,,,,,5,
-context,,,5,,,,,,,,,,,,,,,,,5,
-crypto,,,10,,,,,,,,,,,,,,,,,10,
-database/sql,,,11,,,,,,,,,,,,,,,,,11,
-encoding,,,77,,,,,,,,,,,,,,,,,77,
-errors,,,3,,,,,,,,,,,,,,,,,3,
-expvar,,,6,,,,,,,,,,,,,,,,,6,
-fmt,,,16,,,,,,,,,,,,,,,,,16,
-github.com/ChrisTrenkamp/goxpath,3,,,,,,,,,,,,,,,3,,,,,
-github.com/antchfx/htmlquery,4,,,,,,,,,,,,,,,4,,,,,
-github.com/antchfx/jsonquery,4,,,,,,,,,,,,,,,4,,,,,
-github.com/antchfx/xmlquery,8,,,,,,,,,,,,,,,8,,,,,
-github.com/antchfx/xpath,4,,,,,,,,,,,,,,,4,,,,,
-github.com/appleboy/gin-jwt,1,,,,1,,,,,,,,,,,,,,,,
-github.com/astaxie/beego,7,21,21,,,,5,,,,,,2,,,,,,21,21,
-github.com/beego/beego,14,42,42,,,,10,,,,,,4,,,,,,42,42,
-github.com/caarlos0/env,,5,2,,,,,,,,,,,,,,5,,,1,1
-github.com/clevergo/clevergo,1,,,,,,,,,,,,,,1,,,,,,
-github.com/codeskyblue/go-sh,4,,,4,,,,,,,,,,,,,,,,,
-github.com/couchbase/gocb,,,18,,,,,,,,,,,,,,,,,18,
-github.com/couchbaselabs/gocb,,,18,,,,,,,,,,,,,,,,,18,
-github.com/crankycoder/xmlpath,2,,,,,,,,,,,,,,,2,,,,,
-github.com/cristalhq/jwt,1,,,,1,,,,,,,,,,,,,,,,
-github.com/dgrijalva/jwt-go,3,,9,,2,1,,,,,,,,,,,,,,9,
-github.com/elazarl/goproxy,,2,2,,,,,,,,,,,,,,,,2,2,
-github.com/emicklei/go-restful,,7,,,,,,,,,,,,,,,,,7,,
-github.com/evanphx/json-patch,,,12,,,,,,,,,,,,,,,,,12,
-github.com/form3tech-oss/jwt-go,2,,,,2,,,,,,,,,,,,,,,,
-github.com/gin-gonic/gin,3,46,2,,,,3,,,,,,,,,,,,46,2,
-github.com/go-chi/chi,,3,,,,,,,,,,,,,,,,,3,,
-github.com/go-chi/jwtauth,1,,,,1,,,,,,,,,,,,,,,,
-github.com/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,4,
-github.com/go-kit/kit/auth/jwt,1,,,,1,,,,,,,,,,,,,,,,
-github.com/go-pg/pg/orm,,,6,,,,,,,,,,,,,,,,,6,
-github.com/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,2,,,,,
-github.com/gobuffalo/envy,,7,,,,,,,,,,,,,,,7,,,,
-github.com/gobwas/ws,,2,,,,,,,,,,,,,,,,,2,,
-github.com/gofiber/fiber,5,,,,,,4,,,,,,,,1,,,,,,
-github.com/gogf/gf-jwt,1,,,,1,,,,,,,,,,,,,,,,
-github.com/going/toolkit/xmlpath,2,,,,,,,,,,,,,,,2,,,,,
-github.com/golang-jwt/jwt,3,,11,,2,1,,,,,,,,,,,,,,11,
-github.com/golang/protobuf/proto,,,4,,,,,,,,,,,,,,,,,4,
-github.com/gorilla/mux,,1,,,,,,,,,,,,,,,,,1,,
-github.com/gorilla/websocket,,3,,,,,,,,,,,,,,,,,3,,
-github.com/hashicorp/go-envparse,,1,,,,,,,,,,,,,,,1,,,,
-github.com/jbowtie/gokogiri/xml,4,,,,,,,,,,,,,,,4,,,,,
-github.com/jbowtie/gokogiri/xpath,1,,,,,,,,,,,,,,,1,,,,,
-github.com/joho/godotenv,,4,,,,,,,,,,,,,,,4,,,,
-github.com/json-iterator/go,,,4,,,,,,,,,,,,,,,,,4,
-github.com/kataras/iris/context,6,,,,,,6,,,,,,,,,,,,,,
-github.com/kataras/iris/middleware/jwt,2,,,,2,,,,,,,,,,,,,,,,
-github.com/kataras/iris/server/web/context,6,,,,,,6,,,,,,,,,,,,,,
-github.com/kataras/jwt,5,,,,5,,,,,,,,,,,,,,,,
-github.com/kelseyhightower/envconfig,,6,,,,,,,,,,,,,,,6,,,,
-github.com/labstack/echo,3,12,2,,,,2,,,,,,1,,,,,,12,2,
-github.com/lestrrat-go/jwx,2,,,,2,,,,,,,,,,,,,,,,
-github.com/lestrrat-go/libxml2/parser,3,,,,,,,,,,,,,,,3,,,,,
-github.com/lestrrat/go-jwx/jwk,1,,,,1,,,,,,,,,,,,,,,,
-github.com/masterzen/xmlpath,2,,,,,,,,,,,,,,,2,,,,,
-github.com/moovweb/gokogiri/xml,4,,,,,,,,,,,,,,,4,,,,,
-github.com/moovweb/gokogiri/xpath,1,,,,,,,,,,,,,,,1,,,,,
-github.com/ory/fosite/token/jwt,2,,,,2,,,,,,,,,,,,,,,,
-github.com/revel/revel,2,23,10,,,,1,,,,,,1,,,,,,23,10,
-github.com/robfig/revel,2,23,10,,,,1,,,,,,1,,,,,,23,10,
-github.com/santhosh-tekuri/xpathparser,2,,,,,,,,,,,,,,,2,,,,,
-github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,1,
-github.com/spf13/afero,34,,,,,,34,,,,,,,,,,,,,,
-github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,4,
-github.com/valyala/fasthttp,35,50,5,,,,8,,,,17,8,2,,,,,,50,5,
-go.uber.org/zap,,,11,,,,,,,,,,,,,,,,,11,
-golang.org/x/crypto/ssh,4,,,4,,,,,,,,,,,,,,,,,
-golang.org/x/net/context,,,5,,,,,,,,,,,,,,,,,5,
-golang.org/x/net/html,,,16,,,,,,,,,,,,,,,,,16,
-golang.org/x/net/websocket,,2,,,,,,,,,,,,,,,,,2,,
-google.golang.org/protobuf/internal/encoding/text,,,1,,,,,,,,,,,,,,,,,1,
-google.golang.org/protobuf/internal/impl,,,2,,,,,,,,,,,,,,,,,2,
-google.golang.org/protobuf/proto,,,8,,,,,,,,,,,,,,,,,8,
-google.golang.org/protobuf/reflect/protoreflect,,,1,,,,,,,,,,,,,,,,,1,
-gopkg.in/couchbase/gocb,,,18,,,,,,,,,,,,,,,,,18,
-gopkg.in/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,4,
-gopkg.in/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,2,,,,,
-gopkg.in/macaron,1,12,1,,,,,,,,,,,,1,,,,12,1,
-gopkg.in/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,4,
-gopkg.in/xmlpath,2,,,,,,,,,,,,,,,2,,,,,
-gopkg.in/yaml,,,9,,,,,,,,,,,,,,,,,9,
-html,,,8,,,,,,,,,,,,,,,,,8,
-io,5,4,34,,,,5,,,,,,,,,,,4,,34,
-k8s.io/api/core,,,10,,,,,,,,,,,,,,,,,10,
-k8s.io/apimachinery/pkg/runtime,,,47,,,,,,,,,,,,,,,,,47,
-launchpad.net/xmlpath,2,,,,,,,,,,,,,,,2,,,,,
-log,,,3,,,,,,,,,,,,,,,,,3,
-math/big,,,1,,,,,,,,,,,,,,,,,1,
-mime,,,14,,,,,,,,,,,,,,,,,14,
-net,2,16,100,,,,1,,,,,,,1,,,,,16,100,
-nhooyr.io/websocket,,2,,,,,,,,,,,,,,,,,2,,
-os,29,10,6,3,,,26,,,,,,,,,,7,3,,6,
-path,,,18,,,,,,,,,,,,,,,,,18,
-reflect,,,37,,,,,,,,,,,,,,,,,37,
-regexp,10,,20,,,,,3,3,4,,,,,,,,,,20,
-sort,,,1,,,,,,,,,,,,,,,,,1,
-strconv,,,9,,,,,,,,,,,,,,,,,9,
-strings,,,34,,,,,,,,,,,,,,,,,34,
-sync,,,34,,,,,,,,,,,,,,,,,34,
-syscall,5,2,8,5,,,,,,,,,,,,,2,,,8,
-text/scanner,,,3,,,,,,,,,,,,,,,,,3,
-text/tabwriter,,,1,,,,,,,,,,,,,,,,,1,
-text/template,,,6,,,,,,,,,,,,,,,,,6,
+package,sink,source,summary,sink:command-injection,sink:credentials-key,sink:jwt,sink:path-injection,sink:regex-use[0],sink:regex-use[1],sink:regex-use[c],sink:request-forgery,sink:request-forgery[TCP Addr + Port],sink:url-redirection,sink:url-redirection[0],sink:url-redirection[receiver],sink:xpath-injection,source:environment,source:file,source:remote,source:stdin,summary:taint,summary:value
+,,,8,,,,,,,,,,,,,,,,,,3,5
+archive/tar,,,5,,,,,,,,,,,,,,,,,,5,
+archive/zip,,,6,,,,,,,,,,,,,,,,,,6,
+bufio,,,17,,,,,,,,,,,,,,,,,,17,
+bytes,,,43,,,,,,,,,,,,,,,,,,43,
+clevergo.tech/clevergo,1,,,,,,,,,,,,,,1,,,,,,,
+compress/bzip2,,,1,,,,,,,,,,,,,,,,,,1,
+compress/flate,,,4,,,,,,,,,,,,,,,,,,4,
+compress/gzip,,,3,,,,,,,,,,,,,,,,,,3,
+compress/lzw,,,1,,,,,,,,,,,,,,,,,,1,
+compress/zlib,,,4,,,,,,,,,,,,,,,,,,4,
+container/heap,,,5,,,,,,,,,,,,,,,,,,5,
+container/list,,,20,,,,,,,,,,,,,,,,,,20,
+container/ring,,,5,,,,,,,,,,,,,,,,,,5,
+context,,,5,,,,,,,,,,,,,,,,,,5,
+crypto,,,10,,,,,,,,,,,,,,,,,,10,
+database/sql,,,11,,,,,,,,,,,,,,,,,,11,
+encoding,,,77,,,,,,,,,,,,,,,,,,77,
+errors,,,3,,,,,,,,,,,,,,,,,,3,
+expvar,,,6,,,,,,,,,,,,,,,,,,6,
+fmt,,,16,,,,,,,,,,,,,,,,,,16,
+github.com/ChrisTrenkamp/goxpath,3,,,,,,,,,,,,,,,3,,,,,,
+github.com/antchfx/htmlquery,4,,,,,,,,,,,,,,,4,,,,,,
+github.com/antchfx/jsonquery,4,,,,,,,,,,,,,,,4,,,,,,
+github.com/antchfx/xmlquery,8,,,,,,,,,,,,,,,8,,,,,,
+github.com/antchfx/xpath,4,,,,,,,,,,,,,,,4,,,,,,
+github.com/appleboy/gin-jwt,1,,,,1,,,,,,,,,,,,,,,,,
+github.com/astaxie/beego,7,21,21,,,,5,,,,,,2,,,,,,21,,21,
+github.com/beego/beego,14,42,42,,,,10,,,,,,4,,,,,,42,,42,
+github.com/caarlos0/env,,5,2,,,,,,,,,,,,,,5,,,,1,1
+github.com/clevergo/clevergo,1,,,,,,,,,,,,,,1,,,,,,,
+github.com/codeskyblue/go-sh,4,,,4,,,,,,,,,,,,,,,,,,
+github.com/couchbase/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+github.com/couchbaselabs/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+github.com/crankycoder/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+github.com/cristalhq/jwt,1,,,,1,,,,,,,,,,,,,,,,,
+github.com/dgrijalva/jwt-go,3,,9,,2,1,,,,,,,,,,,,,,,9,
+github.com/elazarl/goproxy,,2,2,,,,,,,,,,,,,,,,2,,2,
+github.com/emicklei/go-restful,,7,,,,,,,,,,,,,,,,,7,,,
+github.com/evanphx/json-patch,,,12,,,,,,,,,,,,,,,,,,12,
+github.com/form3tech-oss/jwt-go,2,,,,2,,,,,,,,,,,,,,,,,
+github.com/gin-gonic/gin,3,46,2,,,,3,,,,,,,,,,,,46,,2,
+github.com/go-chi/chi,,3,,,,,,,,,,,,,,,,,3,,,
+github.com/go-chi/jwtauth,1,,,,1,,,,,,,,,,,,,,,,,
+github.com/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+github.com/go-kit/kit/auth/jwt,1,,,,1,,,,,,,,,,,,,,,,,
+github.com/go-pg/pg/orm,,,6,,,,,,,,,,,,,,,,,,6,
+github.com/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+github.com/gobuffalo/envy,,7,,,,,,,,,,,,,,,7,,,,,
+github.com/gobwas/ws,,2,,,,,,,,,,,,,,,,,2,,,
+github.com/gofiber/fiber,5,,,,,,4,,,,,,,,1,,,,,,,
+github.com/gogf/gf-jwt,1,,,,1,,,,,,,,,,,,,,,,,
+github.com/going/toolkit/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+github.com/golang-jwt/jwt,3,,11,,2,1,,,,,,,,,,,,,,,11,
+github.com/golang/protobuf/proto,,,4,,,,,,,,,,,,,,,,,,4,
+github.com/gorilla/mux,,1,,,,,,,,,,,,,,,,,1,,,
+github.com/gorilla/websocket,,3,,,,,,,,,,,,,,,,,3,,,
+github.com/hashicorp/go-envparse,,1,,,,,,,,,,,,,,,1,,,,,
+github.com/jbowtie/gokogiri/xml,4,,,,,,,,,,,,,,,4,,,,,,
+github.com/jbowtie/gokogiri/xpath,1,,,,,,,,,,,,,,,1,,,,,,
+github.com/joho/godotenv,,4,,,,,,,,,,,,,,,4,,,,,
+github.com/json-iterator/go,,,4,,,,,,,,,,,,,,,,,,4,
+github.com/kataras/iris/context,6,,,,,,6,,,,,,,,,,,,,,,
+github.com/kataras/iris/middleware/jwt,2,,,,2,,,,,,,,,,,,,,,,,
+github.com/kataras/iris/server/web/context,6,,,,,,6,,,,,,,,,,,,,,,
+github.com/kataras/jwt,5,,,,5,,,,,,,,,,,,,,,,,
+github.com/kelseyhightower/envconfig,,6,,,,,,,,,,,,,,,6,,,,,
+github.com/labstack/echo,3,12,2,,,,2,,,,,,1,,,,,,12,,2,
+github.com/lestrrat-go/jwx,2,,,,2,,,,,,,,,,,,,,,,,
+github.com/lestrrat-go/libxml2/parser,3,,,,,,,,,,,,,,,3,,,,,,
+github.com/lestrrat/go-jwx/jwk,1,,,,1,,,,,,,,,,,,,,,,,
+github.com/masterzen/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+github.com/moovweb/gokogiri/xml,4,,,,,,,,,,,,,,,4,,,,,,
+github.com/moovweb/gokogiri/xpath,1,,,,,,,,,,,,,,,1,,,,,,
+github.com/ory/fosite/token/jwt,2,,,,2,,,,,,,,,,,,,,,,,
+github.com/revel/revel,2,23,10,,,,1,,,,,,1,,,,,,23,,10,
+github.com/robfig/revel,2,23,10,,,,1,,,,,,1,,,,,,23,,10,
+github.com/santhosh-tekuri/xpathparser,2,,,,,,,,,,,,,,,2,,,,,,
+github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,,1,
+github.com/spf13/afero,34,,,,,,34,,,,,,,,,,,,,,,
+github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+github.com/valyala/fasthttp,35,50,5,,,,8,,,,17,8,2,,,,,,50,,5,
+go.uber.org/zap,,,11,,,,,,,,,,,,,,,,,,11,
+golang.org/x/crypto/ssh,4,,,4,,,,,,,,,,,,,,,,,,
+golang.org/x/net/context,,,5,,,,,,,,,,,,,,,,,,5,
+golang.org/x/net/html,,,16,,,,,,,,,,,,,,,,,,16,
+golang.org/x/net/websocket,,2,,,,,,,,,,,,,,,,,2,,,
+google.golang.org/protobuf/internal/encoding/text,,,1,,,,,,,,,,,,,,,,,,1,
+google.golang.org/protobuf/internal/impl,,,2,,,,,,,,,,,,,,,,,,2,
+google.golang.org/protobuf/proto,,,8,,,,,,,,,,,,,,,,,,8,
+google.golang.org/protobuf/reflect/protoreflect,,,1,,,,,,,,,,,,,,,,,,1,
+gopkg.in/couchbase/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+gopkg.in/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+gopkg.in/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+gopkg.in/macaron,1,12,1,,,,,,,,,,,,1,,,,12,,1,
+gopkg.in/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+gopkg.in/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+gopkg.in/yaml,,,9,,,,,,,,,,,,,,,,,,9,
+html,,,8,,,,,,,,,,,,,,,,,,8,
+io,5,4,34,,,,5,,,,,,,,,,,4,,,34,
+k8s.io/api/core,,,10,,,,,,,,,,,,,,,,,,10,
+k8s.io/apimachinery/pkg/runtime,,,47,,,,,,,,,,,,,,,,,,47,
+launchpad.net/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+log,,,3,,,,,,,,,,,,,,,,,,3,
+math/big,,,1,,,,,,,,,,,,,,,,,,1,
+mime,,,14,,,,,,,,,,,,,,,,,,14,
+net,2,16,100,,,,1,,,,,,,1,,,,,16,,100,
+nhooyr.io/websocket,,2,,,,,,,,,,,,,,,,,2,,,
+os,29,11,6,3,,,26,,,,,,,,,,7,3,,1,6,
+path,,,18,,,,,,,,,,,,,,,,,,18,
+reflect,,,37,,,,,,,,,,,,,,,,,,37,
+regexp,10,,20,,,,,3,3,4,,,,,,,,,,,20,
+sort,,,1,,,,,,,,,,,,,,,,,,1,
+strconv,,,9,,,,,,,,,,,,,,,,,,9,
+strings,,,34,,,,,,,,,,,,,,,,,,34,
+sync,,,34,,,,,,,,,,,,,,,,,,34,
+syscall,5,2,8,5,,,,,,,,,,,,,2,,,,8,
+text/scanner,,,3,,,,,,,,,,,,,,,,,,3,
+text/tabwriter,,,1,,,,,,,,,,,,,,,,,,1,
+text/template,,,6,,,,,,,,,,,,,,,,,,6,
--- a/go/documentation/library-coverage/coverage.rst
+++ b/go/documentation/library-coverage/coverage.rst
@@ -26,7 +26,7 @@ Go framework & library support
   `Macaron <https://gopkg.in/macaron.v1>`_,``gopkg.in/macaron*``,12,1,1
   `Revel <http://revel.github.io/>`_,"``github.com/revel/revel*``, ``github.com/robfig/revel*``",46,20,4
   `SendGrid <https://github.com/sendgrid/sendgrid-go>`_,``github.com/sendgrid/sendgrid-go*``,,1,
-   `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",32,587,51
+   `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",33,587,51
   `XPath <https://github.com/antchfx/xpath>`_,``github.com/antchfx/xpath*``,,,4
   `appleboy/gin-jwt <https://github.com/appleboy/gin-jwt>`_,``github.com/appleboy/gin-jwt*``,,,1
   `beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",63,63,21
@@ -61,5 +61,5 @@ Go framework & library support
   `yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
   `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,
   Others,"``github.com/caarlos0/env``, ``github.com/gobuffalo/envy``, ``github.com/hashicorp/go-envparse``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``",23,2,
-   Totals,,306,911,268
+   Totals,,307,911,268

--- a/go/ql/lib/change-notes/2024-11-20-heuristic-logging-sinks.md
+++ b/go/ql/lib/change-notes/2024-11-20-heuristic-logging-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A call to a method whose name starts with "Debug", "Error", "Fatal", "Info", "Log", "Output", "Panic", "Print", "Trace", "Warn" or "With" defined on an interface whose name ends in "logger" or "Logger" is now considered a LoggerCall. In particular, it is a sink for `go/clear-text-logging` and `go/log-injection`. This may lead to some more alerts in those queries.
--- a/go/ql/lib/ext/database.sql.driver.model.yml
+++ b/go/ql/lib/ext/database.sql.driver.model.yml
@@ -1,4 +1,14 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["database/sql/driver", "Execer", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "ExecerContext", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql/driver", "Conn", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "ConnPrepareContext", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql/driver", "Queryer", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "QueryerContext", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
--- a/go/ql/lib/ext/database.sql.model.yml
+++ b/go/ql/lib/ext/database.sql.model.yml
@@ -1,4 +1,32 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["database/sql", "Conn", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "Conn", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "Conn", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "Conn", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "Conn", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "Conn", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "Conn", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "Conn", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "DB", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "DB", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "DB", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "DB", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "DB", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "DB", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "DB", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "Tx", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "Tx", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "Tx", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "Tx", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "Tx", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "Tx", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql", "Tx", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql", "Tx", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
--- a/go/ql/lib/ext/fmt.model.yml
+++ b/go/ql/lib/ext/fmt.model.yml
@@ -1,4 +1,11 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["fmt", "", False, "Print", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["fmt", "", False, "Printf",  "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["fmt", "", False, "Println", "", "", "Argument[0]", "log-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
--- a/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml
+++ b/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml
@@ -0,0 +1,42 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["beego-orm", "github.com/beego/beego/client/orm"]
+      - ["beego-orm", "github.com/astaxie/beego/orm"]
+      - ["beego-orm", "github.com/beego/beego/orm"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:beego-orm", "Condition", True, "Raw", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:beego-orm", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "DB", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:beego-orm", "DB", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "DB", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:beego-orm", "DB", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "DB", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:beego-orm", "DB", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "DB", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:beego-orm", "Ormer", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "And", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Delete", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "From", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "GroupBy", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "In", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "InnerJoin", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "InsertInto", "", "", "Argument[0..1]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "LeftJoin", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "On", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "RightJoin", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Set", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Subquery", "", "", "Argument[0..1]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Update", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Values", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QueryBuilder", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:beego-orm", "QuerySeter", True, "FilterRaw", "", "", "Argument[1]", "sql-injection", "manual"]
--- a/go/ql/lib/ext/github.com.beego.beego.core.logs.model.yml
+++ b/go/ql/lib/ext/github.com.beego.beego.core.logs.model.yml
@@ -0,0 +1,34 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["beego-logs", "github.com/astaxie/beego/logs"]
+      - ["beego-logs", "github.com/beego/beego/logs"]
+      - ["beego-logs", "github.com/beego/beego/core/logs"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:beego-logs", "", False, "Alert", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Critical", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Debug", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Emergency", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Error", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Info", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Informational", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Notice", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Trace", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Warn", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "", False, "Warning", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Alert", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Critical", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Debug", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Emergency", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Error", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Info", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Informational", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Notice", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Trace", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Warn", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego-logs", "BeeLogger", True, "Warning", "", "", "Argument[0..1]", "log-injection", "manual"]
--- a/go/ql/lib/ext/github.com.beego.beego.core.utils.model.yml
+++ b/go/ql/lib/ext/github.com.beego.beego.core.utils.model.yml
@@ -6,6 +6,11 @@ extensions:
      - ["beego-utils", "github.com/astaxie/beego/utils"]
      - ["beego-utils", "github.com/beego/beego/utils"]
      - ["beego-utils", "github.com/beego/beego/core/utils"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:beego-utils", "", False, "Display", "", "", "Argument[0]", "log-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
--- a/go/ql/lib/ext/github.com.beego.beego.server.web.model.yml
+++ b/go/ql/lib/ext/github.com.beego.beego.server.web.model.yml
@@ -10,6 +10,18 @@ extensions:
      pack: codeql/go-all
      extensible: sinkModel
    data:
+      # log-injection
+      - ["group:beego", "", False, "Alert", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Critical", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Debug", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Emergency", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Error", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Info", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Informational", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Notice", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Trace", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Warn", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:beego", "", False, "Warning", "", "", "Argument[0..1]", "log-injection", "manual"]
      # path-injection
      - ["group:beego", "", False, "Walk", "", "", "Argument[1]", "path-injection", "manual"]
      - ["group:beego", "Controller", True, "SaveToFile", "", "", "Argument[1]", "path-injection", "manual"]
--- a/go/ql/lib/ext/github.com.couchbase.gocb.model.yml
+++ b/go/ql/lib/ext/github.com.couchbase.gocb.model.yml
@@ -3,28 +3,43 @@ extensions:
      pack: codeql/go-all
      extensible: packageGrouping
    data:
-      - ["gocb", "github.com/couchbase/gocb"]
-      - ["gocb", "gopkg.in/couchbase/gocb"]
-      - ["gocb", "github.com/couchbaselabs/gocb"]
+      - ["gocb1", "fixed-version:github.com/couchbase/gocb"]
+      - ["gocb1", "fixed-version:gopkg.in/couchbase/gocb.v1"]
+      - ["gocb1", "fixed-version:github.com/couchbaselabs/gocb"]
+      - ["gocb2", "github.com/couchbase/gocb/v2"]
+      - ["gocb2", "gopkg.in/couchbase/gocb.v2"]
+      - ["gocb2", "github.com/couchbaselabs/gocb/v2"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:gocb1", "Bucket", True, "ExecuteN1qlQuery", "", "", "Argument[0]", "nosql-injection", "manual"]
+      - ["group:gocb1", "Bucket", True, "ExecuteAnalyticsQuery", "", "", "Argument[0]", "nosql-injection", "manual"]
+      - ["group:gocb1", "Cluster", True, "ExecuteN1qlQuery", "", "", "Argument[0]", "nosql-injection", "manual"]
+      - ["group:gocb1", "Cluster", True, "ExecuteAnalyticsQuery", "", "", "Argument[0]", "nosql-injection", "manual"]
+      - ["group:gocb2", "Cluster", True, "AnalyticsQuery", "", "", "Argument[0]", "nosql-injection", "manual"]
+      - ["group:gocb2", "Cluster", True, "Query", "", "", "Argument[0]", "nosql-injection", "manual"]
+      - ["group:gocb2", "Scope", True, "AnalyticsQuery", "", "", "Argument[0]", "nosql-injection", "manual"]
+      - ["group:gocb2", "Scope", True, "Query", "", "", "Argument[0]", "nosql-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
    data:
-      - ["group:gocb", "", False, "NewAnalyticsQuery", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "", False, "NewN1qlQuery", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "AnalyticsQuery", True, "ContextId", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "AnalyticsQuery", True, "Deferred", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "AnalyticsQuery", True, "Pretty", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "AnalyticsQuery", True, "Priority", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "AnalyticsQuery", True, "RawParam", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "AnalyticsQuery", True, "ServerSideTimeout", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "AdHoc", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "Consistency", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "ConsistentWith", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "Custom", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "PipelineBatch", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "PipelineCap", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "Profile", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "ReadOnly", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "ScanCap", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
-      - ["group:gocb", "N1qlQuery", True, "Timeout", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "", False, "NewAnalyticsQuery", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "", False, "NewN1qlQuery", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "AnalyticsQuery", True, "ContextId", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "AnalyticsQuery", True, "Deferred", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "AnalyticsQuery", True, "Pretty", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "AnalyticsQuery", True, "Priority", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "AnalyticsQuery", True, "RawParam", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "AnalyticsQuery", True, "ServerSideTimeout", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "AdHoc", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "Consistency", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "ConsistentWith", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "Custom", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "PipelineBatch", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "PipelineCap", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "Profile", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "ReadOnly", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "ScanCap", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["group:gocb1", "N1qlQuery", True, "Timeout", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
--- a/go/ql/lib/ext/github.com.davecgh.go-spew.spew.model.yml
+++ b/go/ql/lib/ext/github.com.davecgh.go-spew.spew.model.yml
@@ -0,0 +1,14 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/davecgh/go-spew/spew", "", False, "Dump", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["github.com/davecgh/go-spew/spew", "", False, "Errorf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["github.com/davecgh/go-spew/spew", "", False, "Fdump", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["github.com/davecgh/go-spew/spew", "", False, "Fprint", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["github.com/davecgh/go-spew/spew", "", False, "Fprintf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["github.com/davecgh/go-spew/spew", "", False, "Fprintln", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["github.com/davecgh/go-spew/spew", "", False, "Print", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["github.com/davecgh/go-spew/spew", "", False, "Printf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["github.com/davecgh/go-spew/spew", "", False, "Println", "", "", "Argument[0]", "log-injection", "manual"]
--- a/go/ql/lib/ext/github.com.elazarl.goproxy.model.yml
+++ b/go/ql/lib/ext/github.com.elazarl.goproxy.model.yml
@@ -1,4 +1,10 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/elazarl/goproxy", "ProxyCtx", True, "Logf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["github.com/elazarl/goproxy", "ProxyCtx", True, "Warnf", "", "", "Argument[0..1]", "log-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
--- a/go/ql/lib/ext/github.com.gogf.gf.database.gdb.model.yml
+++ b/go/ql/lib/ext/github.com.gogf.gf.database.gdb.model.yml
@@ -0,0 +1,57 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      # These models are for v1. Some of them hold for v2, but we should model v2 properly.
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoCommit", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoExec", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoGetAll", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoQuery", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoPrepare", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetAll", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetArray", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetCount", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetScan", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetStruct", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetStructs", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetValue", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoCommit", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoExec", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoGetAll", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoQuery", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoPrepare", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetAll", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetArray", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetCount", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetScan", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetStruct", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetStructs", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetValue", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoCommit", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoExec", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoGetAll", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoQuery", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoPrepare", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetAll", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetArray", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetCount", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetScan", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetStruct", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetStructs", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetValue", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
--- a/go/ql/lib/ext/github.com.golang.glog.model.yml
+++ b/go/ql/lib/ext/github.com.golang.glog.model.yml
@@ -0,0 +1,102 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["glog", "github.com/golang/glog"]
+      - ["glog", "gopkg.in/glog"]
+      - ["glog", "k8s.io/klog"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:glog", "", False, "Error", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ErrorContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ErrorContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ErrorContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ErrorContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ErrorDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ErrorDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Errorf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Errorln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Exit", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ExitContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ExitContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ExitContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ExitContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ExitDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "ExitDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Exitf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Exitln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "FatalContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "FatalContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "FatalContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "", False, "FatalContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "FatalDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "FatalDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Fatalln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Info", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "InfoContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "InfoContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "InfoContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "", False, "InfoContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "InfoDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "InfoDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Infof", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Infoln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Warning", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "", False, "WarningContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "WarningContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "WarningContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "", False, "WarningContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "WarningDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "WarningDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Warningf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "", False, "Warningln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Error", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ErrorContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ErrorContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ErrorContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ErrorContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ErrorDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ErrorDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Errorf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Errorln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Exit", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ExitContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ExitContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ExitContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ExitContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ExitDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "ExitDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Exitf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Exitln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "FatalContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "FatalContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "FatalContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "FatalContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "FatalDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "FatalDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Fatalln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Info", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "InfoContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "InfoContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "InfoContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "InfoContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "InfoDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "InfoDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Infof", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Infoln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Warning", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "WarningContext", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "WarningContextDepth", "", "", "Argument[2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "WarningContextDepthf", "", "", "Argument[2..3]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "WarningContextf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "WarningDepth", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "WarningDepthf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Warningf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:glog", "Verbose", True, "Warningln", "", "", "Argument[0]", "log-injection", "manual"]
--- a/go/ql/lib/ext/github.com.jmoiron.sqlx.model.yml
+++ b/go/ql/lib/ext/github.com.jmoiron.sqlx.model.yml
@@ -0,0 +1,17 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/jmoiron/sqlx", "DB", True, "Get", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "DB", True, "MustExec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "DB", True, "NamedExec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "DB", True, "NamedQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "DB", True, "Queryx", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "DB", True, "Select", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "Tx", True, "Get", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "Tx", True, "MustExec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "Tx", True, "NamedExec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "Tx", True, "NamedQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "Tx", True, "Queryx", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/jmoiron/sqlx", "Tx", True, "Select", "", "", "Argument[1]", "sql-injection", "manual"]
--- a/go/ql/lib/ext/github.com.mastermind.squirrel.model.yml
+++ b/go/ql/lib/ext/github.com.mastermind.squirrel.model.yml
@@ -0,0 +1,51 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["squirrel", "github.com/Masterminds/squirrel"]
+      - ["squirrel", "gopkg.in/Masterminds/squirrel"]
+      - ["squirrel", "github.com/lann/squirrel"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:squirrel", "", False, "Delete", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "", False, "Expr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "", False, "Insert", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "", False, "Select", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["group:squirrel", "", False, "Update", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+
+      - ["group:squirrel", "DeleteBuilder", True, "From", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "DeleteBuilder", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["group:squirrel", "DeleteBuilder", True, "Prefix", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "DeleteBuilder", True, "Suffix", "", "", "Argument[0]", "sql-injection", "manual"]
+      # DeleteBuilder.Where has to be modeled in QL to avoid FPs when a non-string argument is used
+
+      - ["group:squirrel", "InsertBuilder", True, "Columns", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["group:squirrel", "InsertBuilder", True, "Into", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "InsertBuilder", True, "Options", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["group:squirrel", "InsertBuilder", True, "Prefix", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "InsertBuilder", True, "Suffix", "", "", "Argument[0]", "sql-injection", "manual"]
+
+      - ["group:squirrel", "SelectBuilder", True, "CrossJoin", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "SelectBuilder", True, "Column", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "SelectBuilder", True, "Columns", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["group:squirrel", "SelectBuilder", True, "From", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "SelectBuilder", True, "GroupBy", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "SelectBuilder", True, "InnerJoin", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "SelectBuilder", True, "LeftJoin", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "SelectBuilder", True, "Options", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["group:squirrel", "SelectBuilder", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["group:squirrel", "SelectBuilder", True, "Prefix", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "SelectBuilder", True, "RightJoin", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "SelectBuilder", True, "Suffix", "", "", "Argument[0]", "sql-injection", "manual"]
+      # SelectBuilder.Where has to be modeled in QL to avoid FPs when a non-string argument is used
+
+      - ["group:squirrel", "UpdateBuilder", True, "From", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "UpdateBuilder", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["group:squirrel", "UpdateBuilder", True, "Prefix", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "UpdateBuilder", True, "Set", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "UpdateBuilder", True, "Suffix", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:squirrel", "UpdateBuilder", True, "Table", "", "", "Argument[0]", "sql-injection", "manual"]
+      # UpdateBuilder.Where has to be modeled in QL to avoid FPs when a non-string argument is used
--- a/go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml
+++ b/go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml
@@ -0,0 +1,35 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["gorqlite", "github.com/rqlite/gorqlite"]
+      - ["gorqlite", "github.com/raindog308/gorqlite"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:gorqlite", "Connection", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "Queue", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueOneContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueOneParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "Write", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteOneContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteOneParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
--- a/go/ql/lib/ext/github.com.sirupsen.logrus.model.yml
+++ b/go/ql/lib/ext/github.com.sirupsen.logrus.model.yml
@@ -0,0 +1,159 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["logrus", "github.com/sirupsen/logrus"]
+      - ["logrus", "github.com/Sirupsen/logrus"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:logrus", "", False, "Debug", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "DebugFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Debugf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Debugln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Error", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "ErrorFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Errorf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Errorln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "FatalFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Fatalln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Info", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "InfoFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Infof", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Infoln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Panic", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "PanicFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Panicf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Panicln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Print", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "PrintFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Printf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Println", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Trace", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "TraceFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Tracef", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Traceln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Warn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "WarnFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Warnf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Warnln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Warning", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "WarningFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Warningf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "Warningln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "WithError", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "WithField", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "WithFields", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "", False, "WithTime", "", "", "Argument[0]", "log-injection", "manual"]
+
+      - ["group:logrus", "Entry", True, "Debug", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Debugf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Debugln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Error", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Errorf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Errorln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Fatalln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Info", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Infof", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Infoln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Log", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Logf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Logln", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Panic", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Panicf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Panicln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Print", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Printf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Println", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Trace", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Tracef", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Traceln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Warn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Warnf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Warnln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Warning", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Warningf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "Warningln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "WithError", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "WithField", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "WithFields", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Entry", True, "WithTime", "", "", "Argument[0]", "log-injection", "manual"]
+
+      - ["group:logrus", "FieldLogger", True, "Debug", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Debugf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Debugln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Error", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Errorf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Errorln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Fatalln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Info", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Infof", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Infoln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Panic", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Panicf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Panicln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Print", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Printf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Println", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Warn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Warnf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Warnln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Warning", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Warningf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "Warningln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "WithError", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "WithField", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "FieldLogger", True, "WithFields", "", "", "Argument[0]", "log-injection", "manual"]
+
+      - ["group:logrus", "Logger", True, "Debug", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "DebugFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Debugf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Debugln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Error", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "ErrorFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Errorf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Errorln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "FatalFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Fatalln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Info", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "InfoFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Infof", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Infoln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Log", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "LogFn", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Logf", "", "", "Argument[1..2]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Logln", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Panic", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "PanicFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Panicf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Panicln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Print", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "PrintFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Printf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Println", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Trace", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "TraceFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Tracef", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Traceln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Warn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "WarnFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Warnf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Warnln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Warning", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "WarningFn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Warningf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "Warningln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "WithError", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "WithField", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "WithFields", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["group:logrus", "Logger", True, "WithTime", "", "", "Argument[0]", "log-injection", "manual"]
--- a/go/ql/lib/ext/github.com.uptrace.bun.model.yml
+++ b/go/ql/lib/ext/github.com.uptrace.bun.model.yml
@@ -0,0 +1,68 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/uptrace/bun", "", False, "NewRawQuery", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "AddColumnQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "AddColumnQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "AddColumnQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateTableQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateTableQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DeleteQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DeleteQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DeleteQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropColumnQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropColumnQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropColumnQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropTableQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "MergeQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "MergeQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "RawQuery", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "DistinctOn", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "For", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "GroupExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "OrderExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "TruncateTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "UpdateQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "UpdateQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "UpdateQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "UpdateQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
--- a/go/ql/lib/ext/go.mongodb.org.mongo-driver.mongo.model.yml
+++ b/go/ql/lib/ext/go.mongodb.org.mongo-driver.mongo.model.yml
@@ -0,0 +1,19 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Aggregate", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "CountDocuments", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "DeleteMany", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "DeleteOne", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Distinct", "", "", "Argument[2]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Find", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOne", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndDelete", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndReplace", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndUpdate", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "ReplaceOne", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "UpdateMany", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "UpdateOne", "", "", "Argument[1]", "nosql-injection", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Watch", "", "", "Argument[1]", "nosql-injection", "manual"]
--- a/go/ql/lib/ext/go.uber.org.zap.model.yml
+++ b/go/ql/lib/ext/go.uber.org.zap.model.yml
@@ -1,4 +1,41 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["go.uber.org/zap", "Logger", True, "DPanic", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "Debug", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "Error", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "Fatal", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "Info", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "Named", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "Panic", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "Warn", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "With", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "Logger", True, "WithOptions", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "DPanic", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "DPanicf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "DPanicw", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Debug", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Debugf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Debugw", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Error", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Errorf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Errorw", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Fatalw", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Info", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Infof", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Infow", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Named", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Panic", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Panicf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Panicw", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Warn", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Warnf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "Warnw", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["go.uber.org/zap", "SugaredLogger", True, "With", "", "", "Argument[0]", "log-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
--- a/go/ql/lib/ext/gorm.io.gorm.model.yml
+++ b/go/ql/lib/ext/gorm.io.gorm.model.yml
@@ -0,0 +1,25 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["gorm", "gorm.io/gorm"]
+      - ["gorm", "github.com/jinzhu/gorm"]
+      - ["gorm", "github.com/go-gorm/gorm"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:gorm", "DB", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Order", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Not", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Table", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Group", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Joins", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Distinct", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Pluck", "", "", "Argument[0]", "sql-injection", "manual"]
--- a/go/ql/lib/ext/log.model.yml
+++ b/go/ql/lib/ext/log.model.yml
@@ -1,4 +1,28 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["log", "", False, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "", False, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["log", "", False, "Fatalln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "", False, "Output", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["log", "", False, "Panic", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "", False, "Panicf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["log", "", False, "Panicln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "", False, "Print", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "", False, "Printf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["log", "", False, "Println", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Fatal", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Fatalf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Fatalln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Output", "", "", "Argument[1]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Panic", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Panicf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Panicln", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Print", "", "", "Argument[0]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Printf", "", "", "Argument[0..1]", "log-injection", "manual"]
+      - ["log", "Logger", True, "Println", "", "", "Argument[0]", "log-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
--- a/go/ql/lib/ext/os.model.yml
+++ b/go/ql/lib/ext/os.model.yml
@@ -53,6 +53,7 @@ extensions:
      - ["os", "", False, "Open", "", "", "ReturnValue[0]", "file", "manual"]
      - ["os", "", False, "OpenFile", "", "", "ReturnValue[0]", "file", "manual"]
      - ["os", "", False, "ReadFile", "", "", "ReturnValue[0]", "file", "manual"]
+      - ["os", "", False, "Stdin", "", "", "", "stdin", "manual"]
      - ["os", "", False, "UserCacheDir", "", "", "ReturnValue[0]", "environment", "manual"]
      - ["os", "", False, "UserConfigDir", "", "", "ReturnValue[0]", "environment", "manual"]
      - ["os", "", False, "UserHomeDir", "", "", "ReturnValue[0]", "environment", "manual"]
--- a/go/ql/lib/ext/xorm.io.xorm.model.yml
+++ b/go/ql/lib/ext/xorm.io.xorm.model.yml
@@ -0,0 +1,49 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["xorm", "xorm.io/xorm"]
+      - ["xorm", "github.com/go-xorm/xorm"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:xorm", "Engine", True, "Alias", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "And", "", "", "Argument[0]", "sql-injection", "manual"]
+      # Engine.Exec has to be modeled in QL to select only the first syntactic argument
+      - ["group:xorm", "Engine", True, "GroupBy", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "In", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "Join", "", "", "Argument[0..2]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "NotIn", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"]
+      # Engine.Query, Engine.QueryInterface and Engine.QueryString have to be modeled in QL to select only the first syntactic argument
+      - ["group:xorm", "Engine", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "SetExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "SQL", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "Sum", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "Sums", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "SumInt", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "SumsInt", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:xorm", "Engine", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "Alias", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "And", "", "", "Argument[0]", "sql-injection", "manual"]
+      # Session.Exec has to be modeled in QL to select only the first syntactic argument
+      - ["group:xorm", "Session", True, "GroupBy", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "In", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "Join", "", "", "Argument[0..2]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "NotIn", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"]
+      # Session.Query, Session.QueryInterface and Session.QueryString have to be modeled in QL to select only the first syntactic argument
+      - ["group:xorm", "Session", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "SetExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "SQL", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "Sum", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "Sums", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "SumInt", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "SumsInt", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:xorm", "Session", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
--- a/go/ql/lib/semmle/go/Concepts.qll
+++ b/go/ql/lib/semmle/go/Concepts.qll
@@ -373,6 +373,48 @@ module LoggerCall {
  }
 }

+private class DefaultLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+  DataFlow::ArgumentNode messageComponent;
+
+  DefaultLoggerCall() {
+    sinkNode(messageComponent, "log-injection") and
+    this = messageComponent.getCall()
+  }
+
+  override DataFlow::Node getAMessageComponent() {
+    not messageComponent instanceof DataFlow::ImplicitVarargsSlice and
+    result = messageComponent
+    or
+    messageComponent instanceof DataFlow::ImplicitVarargsSlice and
+    result = this.getAnImplicitVarargsArgument()
+  }
+}
+
+/**
+ * A call to an interface that looks like a logger. It is common to use a
+ * locally-defined interface for logging to make it easy to changing logging
+ * library.
+ */
+private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+  HeuristicLoggerCall() {
+    exists(Method m, string tp, string logFunctionPrefix, string name |
+      m = this.getTarget() and
+      m.hasQualifiedName(_, tp, name) and
+      m.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
+    |
+      tp.regexpMatch(".*[lL]ogger") and
+      logFunctionPrefix =
+        [
+          "Debug", "Error", "Fatal", "Info", "Log", "Output", "Panic", "Print", "Trace", "Warn",
+          "With"
+        ] and
+      name.matches(logFunctionPrefix + "%")
+    )
+  }
+
+  override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
+}
+
 /**
 * A function that encodes data into a binary or textual format.
 *
--- a/go/ql/lib/semmle/go/Scopes.qll
+++ b/go/ql/lib/semmle/go/Scopes.qll
@@ -472,7 +472,7 @@ class Function extends ValueEntity, @functionobject {
  /** Gets a parameter of this function. */
  Parameter getAParameter() { result = this.getParameter(_) }

-  /** Gets the `i`th reslt variable of this function. */
+  /** Gets the `i`th result variable of this function. */
  ResultVariable getResult(int i) { result.isResultOf(this.getFuncDecl(), i) }

  /** Gets a result variable of this function. */
--- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
+++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
@@ -38,7 +38,8 @@
 *    first 6 columns, and the `output` column specifies how data leaves the
 *    element selected by the first 6 columns. An `input` can be either "",
 *    "Argument[n]", or "Argument[n1..n2]":
- *    - "": Selects a write to the selected element in case this is a field.
+ *    - "": Selects a write to the selected element in case this is a field or
+ *      package-level variable.
 *    - "Argument[n]": Selects an argument in a call to the selected element.
 *      The arguments are zero-indexed, and `receiver` specifies the receiver.
 *    - "Argument[n1..n2]": Similar to "Argument[n]" but selects any argument
@@ -47,7 +48,7 @@
 *    An `output` can be either "", "Argument[n]", "Argument[n1..n2]", "Parameter",
 *    "Parameter[n]", "Parameter[n1..n2]", , "ReturnValue", "ReturnValue[n]", or
 *    "ReturnValue[n1..n2]":
- *    - "": Selects a read of a selected field.
+ *    - "": Selects a read of a selected field or package-level variable.
 *    - "Argument[n]": Selects the post-update value of an argument in a call to the
 *      selected element. That is, the value of the argument after the call returns.
 *      The arguments are zero-indexed, and `receiver` specifies the receiver.
--- a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll
@@ -399,6 +399,13 @@ module SourceSinkInterpretationInput implements
        c = "" and
        pragma[only_bind_into](e) = getElementWithQualifier(frn.getField(), frn.getBase())
      )
+      or
+      // A package-scope (or universe-scope) variable
+      exists(Variable v | not v instanceof Field |
+        c = "" and
+        n.(DataFlow::ReadNode).reads(v) and
+        pragma[only_bind_into](e).asEntity() = v
+      )
    )
  }

@@ -420,6 +427,17 @@ module SourceSinkInterpretationInput implements
      fw.writesField(base, f, node.asNode()) and
      pragma[only_bind_into](e) = getElementWithQualifier(f, base)
    )
+    or
+    // A package-scope (or universe-scope) variable
+    exists(Node n, SourceOrSinkElement e, DataFlow::Write w, Variable v |
+      n = node.asNode() and
+      e = mid.asElement() and
+      not v instanceof Field
+    |
+      c = "" and
+      w.writes(v, n) and
+      pragma[only_bind_into](e).asEntity() = v
+    )
  }
 }

--- a/go/ql/lib/semmle/go/frameworks/Beego.qll
+++ b/go/ql/lib/semmle/go/frameworks/Beego.qll
@@ -33,13 +33,6 @@ module Beego {
    result = package(v2modulePath(), "server/web/context")
  }

-  /** Gets the path for the logs package of beego. */
-  string logsPackagePath() {
-    result = package(v1modulePath(), "logs")
-    or
-    result = package(v2modulePath(), "core/logs")
-  }
-
  /** Gets the path for the utils package of beego. */
  string utilsPackagePath() {
    result = package(v1modulePath(), "utils")
@@ -172,36 +165,6 @@ module Beego {
    override string getAContentType() { none() }
  }

-  private string getALogFunctionName() {
-    result =
-      [
-        "Alert", "Critical", "Debug", "Emergency", "Error", "Info", "Informational", "Notice",
-        "Trace", "Warn", "Warning"
-      ]
-  }
-
-  private class ToplevelBeegoLoggers extends LoggerCall::Range, DataFlow::CallNode {
-    ToplevelBeegoLoggers() {
-      this.getTarget().hasQualifiedName([packagePath(), logsPackagePath()], getALogFunctionName())
-    }
-
-    override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
-  }
-
-  private class BeegoLoggerMethods extends LoggerCall::Range, DataFlow::MethodCallNode {
-    BeegoLoggerMethods() {
-      this.getTarget().hasQualifiedName(logsPackagePath(), "BeeLogger", getALogFunctionName())
-    }
-
-    override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
-  }
-
-  private class UtilLoggers extends LoggerCall::Range, DataFlow::CallNode {
-    UtilLoggers() { this.getTarget().hasQualifiedName(utilsPackagePath(), "Display") }
-
-    override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
-  }
-
  private class HtmlQuoteSanitizer extends SharedXss::Sanitizer {
    HtmlQuoteSanitizer() {
      exists(DataFlow::CallNode c | c.getTarget().hasQualifiedName(packagePath(), "Htmlquote") |
--- a/go/ql/lib/semmle/go/frameworks/BeegoOrm.qll
+++ b/go/ql/lib/semmle/go/frameworks/BeegoOrm.qll
@@ -14,57 +14,6 @@ module BeegoOrm {
  /** Gets the package name `github.com/astaxie/beego/orm`. */
  string packagePath() { result = package("github.com/astaxie/beego", "orm") }

-  private class DbSink extends SQL::QueryString::Range {
-    DbSink() {
-      exists(Method m, string methodName, int argNum |
-        m.hasQualifiedName(packagePath(), "DB", methodName) and
-        (
-          methodName = ["Exec", "Prepare", "Query", "QueryRow"] and
-          argNum = 0
-          or
-          methodName = ["ExecContext", "PrepareContext", "QueryContext", "QueryRowContext"] and
-          argNum = 1
-        )
-      |
-        this = m.getACall().getArgument(argNum)
-      )
-    }
-  }
-
-  private class QueryBuilderSink extends SQL::QueryString::Range {
-    // Note this class doesn't do any escaping, unlike the true ORM part of the package
-    QueryBuilderSink() {
-      exists(Method impl | impl.implements(packagePath(), "QueryBuilder", _) |
-        this = impl.getACall().getASyntacticArgument()
-      ) and
-      this.getType().getUnderlyingType() instanceof StringType
-    }
-  }
-
-  private class OrmerRawSink extends SQL::QueryString::Range {
-    OrmerRawSink() {
-      exists(Method impl | impl.implements(packagePath(), "Ormer", "Raw") |
-        this = impl.getACall().getArgument(0)
-      )
-    }
-  }
-
-  private class QuerySeterFilterRawSink extends SQL::QueryString::Range {
-    QuerySeterFilterRawSink() {
-      exists(Method impl | impl.implements(packagePath(), "QuerySeter", "FilterRaw") |
-        this = impl.getACall().getArgument(1)
-      )
-    }
-  }
-
-  private class ConditionRawSink extends SQL::QueryString::Range {
-    ConditionRawSink() {
-      exists(Method impl | impl.implements(packagePath(), "Condition", "Raw") |
-        this = impl.getACall().getArgument(1)
-      )
-    }
-  }
-
  private class OrmerSource extends StoredXss::Source {
    OrmerSource() {
      exists(Method impl |
--- a/go/ql/lib/semmle/go/frameworks/Couchbase.qll
+++ b/go/ql/lib/semmle/go/frameworks/Couchbase.qll
@@ -5,57 +5,23 @@
 import go

 /**
+ * DEPRECATED
+ *
 * Provides models of commonly used functions in the official Couchbase Go SDK library.
 */
-module Couchbase {
+deprecated module Couchbase {
  /**
+   * DEPRECATED
+   *
   * Gets a package path for the official Couchbase Go SDK library.
   *
   * Note that v1 and v2 have different APIs, but the names are disjoint so there is no need to
   * distinguish between them.
   */
-  string packagePath() {
+  deprecated string packagePath() {
    result =
      package([
          "gopkg.in/couchbase/gocb", "github.com/couchbase/gocb", "github.com/couchbaselabs/gocb"
        ], "")
  }
-
-  /**
-   * A query used in an API function acting on a `Bucket` or `Cluster` struct of v1 of
-   * the official Couchbase Go library, gocb.
-   */
-  private class CouchbaseV1Query extends NoSql::Query::Range {
-    CouchbaseV1Query() {
-      // func (b *Bucket) ExecuteAnalyticsQuery(q *AnalyticsQuery, params interface{}) (AnalyticsResults, error)
-      // func (b *Bucket) ExecuteN1qlQuery(q *N1qlQuery, params interface{}) (QueryResults, error)
-      // func (c *Cluster) ExecuteAnalyticsQuery(q *AnalyticsQuery, params interface{}) (AnalyticsResults, error)
-      // func (c *Cluster) ExecuteN1qlQuery(q *N1qlQuery, params interface{}) (QueryResults, error)
-      exists(Method meth, string structName, string methodName |
-        structName in ["Bucket", "Cluster"] and
-        methodName in ["ExecuteN1qlQuery", "ExecuteAnalyticsQuery"] and
-        meth.hasQualifiedName(packagePath(), structName, methodName) and
-        this = meth.getACall().getArgument(0)
-      )
-    }
-  }
-
-  /**
-   * A query used in an API function acting on a `Bucket` or `Cluster` struct of v1 of
-   * the official Couchbase Go library, gocb.
-   */
-  private class CouchbaseV2Query extends NoSql::Query::Range {
-    CouchbaseV2Query() {
-      // func (c *Cluster) AnalyticsQuery(statement string, opts *AnalyticsOptions) (*AnalyticsResult, error)
-      // func (c *Cluster) Query(statement string, opts *QueryOptions) (*QueryResult, error)
-      // func (s *Scope) AnalyticsQuery(statement string, opts *AnalyticsOptions) (*AnalyticsResult, error)
-      // func (s *Scope) Query(statement string, opts *QueryOptions) (*QueryResult, error)
-      exists(Method meth, string structName, string methodName |
-        structName in ["Cluster", "Scope"] and
-        methodName in ["AnalyticsQuery", "Query"] and
-        meth.hasQualifiedName(packagePath(), structName, methodName) and
-        this = meth.getACall().getArgument(0)
-      )
-    }
-  }
 }
--- a/go/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll
+++ b/go/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll
@@ -100,10 +100,4 @@ module ElazarlGoproxy {

    override int getFormatStringIndex() { result = 0 }
  }
-
-  private class ProxyLog extends LoggerCall::Range, DataFlow::MethodCallNode {
-    ProxyLog() { this.getTarget() instanceof ProxyLogFunction }
-
-    override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
-  }
 }
--- a/go/ql/lib/semmle/go/frameworks/Glog.qll
+++ b/go/ql/lib/semmle/go/frameworks/Glog.qll
@@ -40,14 +40,4 @@ module Glog {

    override int getFormatStringIndex() { result = super.getFirstPrintedArg() }
  }
-
-  private class GlogCall extends LoggerCall::Range, DataFlow::CallNode {
-    GlogFunction callee;
-
-    GlogCall() { this = callee.getACall() }
-
-    override DataFlow::Node getAMessageComponent() {
-      result = this.getSyntacticArgument(any(int i | i >= callee.getFirstPrintedArg()))
-    }
-  }
 }
--- a/go/ql/lib/semmle/go/frameworks/Logrus.qll
+++ b/go/ql/lib/semmle/go/frameworks/Logrus.qll
@@ -28,12 +28,6 @@ module Logrus {
    }
  }

-  private class LogCall extends LoggerCall::Range, DataFlow::CallNode {
-    LogCall() { this = any(LogFunction f).getACall() }
-
-    override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
-  }
-
  private class StringFormatters extends StringOps::Formatting::Range instanceof LogFunction {
    int argOffset;

--- a/go/ql/lib/semmle/go/frameworks/NoSQL.qll
+++ b/go/ql/lib/semmle/go/frameworks/NoSQL.qll
@@ -31,84 +31,6 @@ module NoSql {
        )
      }
    }
-
-    /**
-     * Holds if method `name` of struct `Collection` from package
-     * [go.mongodb.org/mongo-driver/mongo](https://pkg.go.dev/go.mongodb.org/mongo-driver/mongo)
-     * interprets parameter `n` as a query.
-     */
-    private predicate mongoDbCollectionMethod(string name, int n) {
-      // func (coll *Collection) CountDocuments(ctx context.Context, filter interface{},
-      //                                        opts ...*options.CountOptions) (int64, error)
-      name = "CountDocuments" and n = 1
-      or
-      // func (coll *Collection) DeleteMany(ctx context.Context, filter interface{},
-      //                                    opts ...*options.DeleteOptions) (*DeleteResult, error)
-      name = "DeleteMany" and n = 1
-      or
-      // func (coll *Collection) DeleteOne(ctx context.Context, filter interface{},
-      //                                   opts ...*options.DeleteOptions) (*DeleteResult, error)
-      name = "DeleteOne" and n = 1
-      or
-      // func (coll *Collection) Distinct(ctx context.Context, fieldName string, filter interface{},
-      //                                  ...) ([]interface{}, error)
-      name = "Distinct" and n = 2
-      or
-      // func (coll *Collection) Find(ctx context.Context, filter interface{},
-      //                              opts ...*options.FindOptions) (*Cursor, error)
-      name = "Find" and n = 1
-      or
-      // func (coll *Collection) FindOne(ctx context.Context, filter interface{},
-      //                                 opts ...*options.FindOneOptions) *SingleResult
-      name = "FindOne" and n = 1
-      or
-      // func (coll *Collection) FindOneAndDelete(ctx context.Context, filter interface{}, ...)
-      //                                         *SingleResult
-      name = "FindOneAndDelete" and n = 1
-      or
-      // func (coll *Collection) FindOneAndReplace(ctx context.Context, filter interface{},
-      //                                           replacement interface{}, ...) *SingleResult
-      name = "FindOneAndReplace" and n = 1
-      or
-      // func (coll *Collection) FindOneAndUpdate(ctx context.Context, filter interface{},
-      //                                          update interface{}, ...) *SingleResult
-      name = "FindOneAndUpdate" and n = 1
-      or
-      // func (coll *Collection) ReplaceOne(ctx context.Context, filter interface{},
-      //                                    replacement interface{}, ...) (*UpdateResult, error)
-      name = "ReplaceOne" and n = 1
-      or
-      // func (coll *Collection) UpdateMany(ctx context.Context, filter interface{},
-      //                                    update interface{}, ...) (*UpdateResult, error)
-      name = "UpdateMany" and n = 1
-      or
-      // func (coll *Collection) UpdateOne(ctx context.Context, filter interface{},
-      //                                   update interface{}, ...) (*UpdateResult, error)
-      name = "UpdateOne" and n = 1
-      or
-      // func (coll *Collection) Watch(ctx context.Context, pipeline interface{}, ...)
-      //                              (*ChangeStream, error)
-      name = "Watch" and n = 1
-      or
-      // func (coll *Collection) Aggregate(ctx context.Context, pipeline interface{},
-      //                                   opts ...*options.AggregateOptions) (*Cursor, error)
-      name = "Aggregate" and n = 1
-    }
-
-    /**
-     * A query used in an API function acting on a `Collection` struct of package
-     * [go.mongodb.org/mongo-driver/mongo](https://pkg.go.dev/go.mongodb.org/mongo-driver/mongo).
-     */
-    private class MongoDbCollectionQuery extends Range {
-      MongoDbCollectionQuery() {
-        exists(Method meth, string methodName, int n |
-          mongoDbCollectionMethod(methodName, n) and
-          meth.hasQualifiedName(package("go.mongodb.org/mongo-driver", "mongo"), "Collection",
-            methodName) and
-          this = meth.getACall().getArgument(n)
-        )
-      }
-    }
  }

  /**
--- a/go/ql/lib/semmle/go/frameworks/SQL.qll
+++ b/go/ql/lib/semmle/go/frameworks/SQL.qll
@@ -67,41 +67,34 @@ module SQL {
     */
    abstract class Range extends DataFlow::Node { }

+    private class DefaultQueryString extends Range {
+      DefaultQueryString() {
+        exists(DataFlow::ArgumentNode arg | sinkNode(arg, "sql-injection") |
+          not arg instanceof DataFlow::ImplicitVarargsSlice and
+          this = arg
+          or
+          arg instanceof DataFlow::ImplicitVarargsSlice and
+          this = arg.getCall().getAnImplicitVarargsArgument()
+        )
+      }
+    }
+
    /**
     * An argument to an API of the squirrel library that is directly interpreted as SQL without
     * taking syntactic structure into account.
     */
    private class SquirrelQueryString extends Range {
      SquirrelQueryString() {
-        exists(Function fn |
-          exists(string sq |
-            sq =
-              package([
-                  "github.com/Masterminds/squirrel", "gopkg.in/Masterminds/squirrel",
-                  "github.com/lann/squirrel"
-                ], "")
-          |
-            fn.hasQualifiedName(sq, ["Delete", "Expr", "Insert", "Select", "Update"])
-            or
-            exists(Method m, string builder | m = fn |
-              builder = ["DeleteBuilder", "InsertBuilder", "SelectBuilder", "UpdateBuilder"] and
-              m.hasQualifiedName(sq, builder,
-                ["Columns", "From", "Options", "OrderBy", "Prefix", "Suffix", "Where"])
-              or
-              builder = "InsertBuilder" and
-              m.hasQualifiedName(sq, builder, ["Replace", "Into"])
-              or
-              builder = "SelectBuilder" and
-              m.hasQualifiedName(sq, builder,
-                ["CrossJoin", "GroupBy", "InnerJoin", "LeftJoin", "RightJoin"])
-              or
-              builder = "UpdateBuilder" and
-              m.hasQualifiedName(sq, builder, ["Set", "Table"])
-            )
-          ) and
-          this = fn.getACall().getArgument(0)
+        exists(string sq, Method m, string builder |
+          FlowExtensions::packageGrouping("squirrel", sq) and
+          builder = ["DeleteBuilder", "SelectBuilder", "UpdateBuilder"]
        |
-          this.getType().getUnderlyingType() instanceof StringType or
+          m.hasQualifiedName(sq, builder, "Where") and
+          this = m.getACall().getArgument(0)
+        ) and
+        (
+          this.getType().getUnderlyingType() instanceof StringType
+          or
          this.getType().getUnderlyingType().(SliceType).getElementType() instanceof StringType
        )
      }
@@ -113,14 +106,6 @@ module SQL {
    /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */
    private string gopgorm() { result = package("github.com/go-pg/pg", "orm") }

-    /** A string that might identify package `github.com/rqlite/gorqlite` or `github.com/raindog308/gorqlite` or a specific version of it. */
-    private string gorqlite() {
-      result = package(["github.com/rqlite/gorqlite", "github.com/raindog308/gorqlite"], "")
-    }
-
-    /** A string that might identify package `github.com/gogf/gf/database/gdb` or a specific version of it. */
-    private string gogf() { result = package("github.com/gogf/gf", "database/gdb") }
-
    /**
     * A string argument to an API of `go-pg/pg` that is directly interpreted as SQL without
     * taking syntactic structure into account.
@@ -185,94 +170,6 @@ module SQL {
        )
      }
    }
-
-    /**
-     * A string argument to an API of `github.com/rqlite/gorqlite`, or a specific version of it, that is directly interpreted as SQL without
-     * taking syntactic structure into account.
-     */
-    private class GorqliteQueryString extends Range {
-      GorqliteQueryString() {
-        // func (conn *Connection) Query(sqlStatements []string) (results []QueryResult, err error)
-        // func (conn *Connection) QueryOne(sqlStatement string) (qr QueryResult, err error)
-        // func (conn *Connection) Queue(sqlStatements []string) (seq int64, err error)
-        // func (conn *Connection) QueueOne(sqlStatement string) (seq int64, err error)
-        // func (conn *Connection) Write(sqlStatements []string) (results []WriteResult, err error)
-        // func (conn *Connection) WriteOne(sqlStatement string) (wr WriteResult, err error)
-        exists(Method m, string name | m.hasQualifiedName(gorqlite(), "Connection", name) |
-          name = ["Query", "QueryOne", "Queue", "QueueOne", "Write", "WriteOne"] and
-          this = m.getACall().getArgument(0)
-        )
-      }
-    }
-
-    /**
-     * A string argument to an API of `github.com/gogf/gf/database/gdb`, or a specific version of it, that is directly interpreted as SQL without
-     * taking syntactic structure into account.
-     */
-    private class GogfQueryString extends Range {
-      GogfQueryString() {
-        exists(Method m, string name | m.implements(gogf(), ["DB", "Core", "TX"], name) |
-          // func (c *Core) Exec(sql string, args ...interface{}) (result sql.Result, err error)
-          // func (c *Core) GetAll(sql string, args ...interface{}) (Result, error)
-          // func (c *Core) GetArray(sql string, args ...interface{}) ([]Value, error)
-          // func (c *Core) GetCount(sql string, args ...interface{}) (int, error)
-          // func (c *Core) GetOne(sql string, args ...interface{}) (Record, error)
-          // func (c *Core) GetValue(sql string, args ...interface{}) (Value, error)
-          // func (c *Core) Prepare(sql string, execOnMaster ...bool) (*Stmt, error)
-          // func (c *Core) Query(sql string, args ...interface{}) (rows *sql.Rows, err error)
-          // func (c *Core) Raw(rawSql string, args ...interface{}) *Model
-          name =
-            [
-              "Query", "Exec", "Prepare", "GetAll", "GetOne", "GetValue", "GetArray", "GetCount",
-              "Raw"
-            ] and
-          this = m.getACall().getArgument(0)
-          or
-          // func (c *Core) GetScan(pointer interface{}, sql string, args ...interface{}) error
-          // func (c *Core) GetStruct(pointer interface{}, sql string, args ...interface{}) error
-          // func (c *Core) GetStructs(pointer interface{}, sql string, args ...interface{}) error
-          name = ["GetScan", "GetStruct", "GetStructs"] and
-          this = m.getACall().getArgument(1)
-          or
-          // func (c *Core) DoCommit(ctx context.Context, link Link, sql string, args []interface{}) (newSql string, newArgs []interface{}, err error)
-          // func (c *Core) DoExec(ctx context.Context, link Link, sql string, args ...interface{}) (result sql.Result, err error)
-          // func (c *Core) DoGetAll(ctx context.Context, link Link, sql string, args ...interface{}) (result Result, err error)
-          // func (c *Core) DoPrepare(ctx context.Context, link Link, sql string) (*Stmt, error)
-          // func (c *Core) DoQuery(ctx context.Context, link Link, sql string, args ...interface{}) (rows *sql.Rows, err error)
-          name = ["DoGetAll", "DoQuery", "DoExec", "DoCommit", "DoPrepare"] and
-          this = m.getACall().getArgument(2)
-        )
-      }
-    }
-  }
-
-  /** A model for sinks of GORM. */
-  private class GormSink extends SQL::QueryString::Range {
-    GormSink() {
-      exists(Method meth, string package, string name |
-        meth.hasQualifiedName(package, "DB", name) and
-        this = meth.getACall().getSyntacticArgument(0) and
-        package = Gorm::packagePath() and
-        name in [
-            "Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins",
-            "Exec", "Distinct", "Pluck"
-          ]
-      )
-    }
-  }
-
-  /** A model for sinks of github.com/jmoiron/sqlx. */
-  private class SqlxSink extends SQL::QueryString::Range {
-    SqlxSink() {
-      exists(Method meth, string name, int n |
-        meth.hasQualifiedName(package("github.com/jmoiron/sqlx", ""), ["DB", "Tx"], name) and
-        this = meth.getACall().getArgument(n)
-      |
-        name = ["Select", "Get"] and n = 1
-        or
-        name = ["MustExec", "Queryx", "NamedExec", "NamedQuery"] and n = 0
-      )
-    }
  }
 }

@@ -291,71 +188,25 @@ module Gorm {
 */
 module Xorm {
  /** Gets the package name for Xorm. */
-  string packagePath() { result = package(["xorm.io/xorm", "github.com/go-xorm/xorm"], "") }
+  string packagePath() { FlowExtensions::packageGrouping("xorm", result) }

  /** A model for sinks of XORM. */
  private class XormSink extends SQL::QueryString::Range {
    XormSink() {
-      exists(Method meth, string type, string name, int n |
+      exists(Method meth, string type, string name |
        meth.hasQualifiedName(Xorm::packagePath(), type, name) and
-        this = meth.getACall().getSyntacticArgument(n) and
-        type = ["Engine", "Session"]
+        type = ["Engine", "Session"] and
+        name = ["Exec", "Query", "QueryInterface", "QueryString"]
      |
-        name =
-          [
-            "Query", "Exec", "QueryString", "QueryInterface", "SQL", "Where", "And", "Or", "Alias",
-            "NotIn", "In", "Select", "SetExpr", "OrderBy", "Having", "GroupBy"
-          ] and
-        n = 0
-        or
-        name = ["SumInt", "Sum", "Sums", "SumsInt"] and n = 1
-        or
-        name = "Join" and n = [0, 1, 2]
+        this = meth.getACall().getSyntacticArgument(0)
      )
    }
  }
 }

 /**
+ * DEPRECATED
+ *
 * Provides classes for working with the [Bun](https://bun.uptrace.dev/) package.
 */
-module Bun {
-  /** Gets the package name for Bun package. */
-  private string packagePath() { result = package("github.com/uptrace/bun", "") }
-
-  /** A model for sinks of Bun. */
-  private class BunSink extends SQL::QueryString::Range {
-    BunSink() {
-      exists(Function f, string m, int arg | this = f.getACall().getArgument(arg) |
-        f.hasQualifiedName(packagePath(), m) and
-        m = "NewRawQuery" and
-        arg = 1
-      )
-      or
-      exists(Method f, string tp, string m, int arg | this = f.getACall().getArgument(arg) |
-        f.hasQualifiedName(packagePath(), tp, m) and
-        (
-          tp = ["DB", "Conn"] and
-          m = ["ExecContext", "PrepareContext", "QueryContext", "QueryRowContext"] and
-          arg = 1
-          or
-          tp = ["DB", "Conn"] and
-          m = ["Exec", "NewRaw", "Prepare", "Query", "QueryRow", "Raw"] and
-          arg = 0
-          or
-          tp.matches("%Query") and
-          m =
-            [
-              "ColumnExpr", "DistinctOn", "For", "GroupExpr", "Having", "ModelTableExpr",
-              "OrderExpr", "TableExpr", "Where", "WhereOr"
-            ] and
-          arg = 0
-          or
-          tp = "RawQuery" and
-          m = "NewRaw" and
-          arg = 0
-        )
-      )
-    }
-  }
-}
+deprecated module Bun { }
--- a/go/ql/lib/semmle/go/frameworks/Spew.qll
+++ b/go/ql/lib/semmle/go/frameworks/Spew.qll
@@ -33,16 +33,6 @@ module Spew {
    override int getFormatStringIndex() { result = super.getFirstPrintedArg() }
  }

-  private class SpewCall extends LoggerCall::Range, DataFlow::CallNode {
-    SpewFunction target;
-
-    SpewCall() { this = target.getACall() }
-
-    override DataFlow::Node getAMessageComponent() {
-      result = this.getSyntacticArgument(any(int i | i >= target.getFirstPrintedArg()))
-    }
-  }
-
  // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
  /** The `Sprint` function or one of its variants. */
  class Sprinter extends TaintTracking::FunctionModel {
--- a/go/ql/lib/semmle/go/frameworks/Zap.qll
+++ b/go/ql/lib/semmle/go/frameworks/Zap.qll
@@ -34,18 +34,6 @@ module Zap {
    override int getFormatStringIndex() { result = 0 }
  }

-  /**
-   * A call to a logger function in Zap.
-   *
-   * Functions which add data to be included the next time a direct logging
-   * function is called are included.
-   */
-  private class ZapCall extends LoggerCall::Range, DataFlow::MethodCallNode {
-    ZapCall() { this = any(ZapFunction f).getACall() }
-
-    override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
-  }
-
  // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
  /** The function `Fields` that creates an `Option` that can be added to the logger out of `Field`s. */
  class FieldsFunction extends TaintTracking::FunctionModel {
--- a/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
@@ -26,7 +26,7 @@ module DatabaseSql {
    override DataFlow::Node getAResult() { result = this.getResult(0) }

    override SQL::QueryString getAQueryString() {
-      result = this.getAnArgument()
+      result = this.getASyntacticArgument()
      or
      // attempt to resolve a `QueryString` for `Stmt`s using local data flow.
      t = "Stmt" and
@@ -34,24 +34,6 @@ module DatabaseSql {
    }
  }

-  /** A query string used in an API function of the `database/sql` package. */
-  private class QueryString extends SQL::QueryString::Range {
-    QueryString() {
-      exists(Method meth, string base, string t, string m, int n |
-        t = ["DB", "Tx", "Conn"] and
-        meth.hasQualifiedName("database/sql", t, m) and
-        this = meth.getACall().getArgument(n)
-      |
-        base = ["Exec", "Prepare", "Query", "QueryRow"] and
-        (
-          m = base and n = 0
-          or
-          m = base + "Context" and n = 1
-        )
-      )
-    }
-  }
-
  /** A query in the standard `database/sql/driver` package. */
  private class DriverQuery extends SQL::Query::Range, DataFlow::MethodCallNode {
    DriverQuery() {
@@ -78,36 +60,13 @@ module DatabaseSql {
    override DataFlow::Node getAResult() { result = this.getResult(0) }

    override SQL::QueryString getAQueryString() {
-      result = this.getAnArgument()
+      result = this.getASyntacticArgument()
      or
      this.getTarget().hasQualifiedName("database/sql/driver", "Stmt") and
      result = this.getReceiver().getAPredecessor*().(DataFlow::MethodCallNode).getAnArgument()
    }
  }

-  /** A query string used in an API function of the standard `database/sql/driver` package. */
-  private class DriverQueryString extends SQL::QueryString::Range {
-    DriverQueryString() {
-      exists(Method meth, int n |
-        (
-          meth.hasQualifiedName("database/sql/driver", "Execer", "Exec") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "ExecerContext", "ExecContext") and n = 1
-          or
-          meth.hasQualifiedName("database/sql/driver", "Conn", "Prepare") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
-          n = 1
-          or
-          meth.hasQualifiedName("database/sql/driver", "Queryer", "Query") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "QueryerContext", "QueryContext") and n = 1
-        ) and
-        this = meth.getACall().getArgument(n)
-      )
-    }
-  }
-
  // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
  private class SqlMethodModels extends TaintTracking::FunctionModel, Method {
    FunctionInput inp;
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll
@@ -41,13 +41,6 @@ module Fmt {
    Printer() { this.hasQualifiedName("fmt", ["Print", "Printf", "Println"]) }
  }

-  /** A call to `Print` or similar. */
-  private class PrintCall extends LoggerCall::Range, DataFlow::CallNode {
-    PrintCall() { this.getTarget() instanceof Printer }
-
-    override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
-  }
-
  /** The `Fprint` function or one of its variants. */
  private class Fprinter extends TaintTracking::FunctionModel {
    Fprinter() {
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll
@@ -32,16 +32,6 @@ module Log {
    override int getFormatStringIndex() { result = 0 }
  }

-  private class LogCall extends LoggerCall::Range, DataFlow::CallNode {
-    LogFunction target;
-
-    LogCall() { this = target.getACall() }
-
-    override DataFlow::Node getAMessageComponent() {
-      result = this.getSyntacticArgument(any(int i | i >= target.getFirstPrintedArg()))
-    }
-  }
-
  /** A fatal log function, which calls `os.Exit`. */
  private class FatalLogFunction extends Function {
    FatalLogFunction() { this.hasQualifiedName("log", ["Fatal", "Fatalf", "Fatalln"]) }
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Os.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Os.qll
@@ -43,12 +43,4 @@ module Os {
      input = inp and output = outp
    }
  }
-
-  private class Stdin extends SourceNode {
-    Stdin() {
-      exists(Variable osStdin | osStdin.hasQualifiedName("os", "Stdin") | this = osStdin.getARead())
-    }
-
-    override string getThreatModel() { result = "stdin" }
-  }
 }
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/completetest.ext.yml
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/completetest.ext.yml
@@ -35,10 +35,12 @@ extensions:
      pack: codeql/go-all
      extensible: sourceModel
    data:
+      - ["github.com/nonexistent/test", "", False, "SourceVariable", "", "", "", "qltest", "manual"]
      - ["github.com/nonexistent/test", "A", False, "Src1", "", "", "ReturnValue", "qltest", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: sinkModel
    data:
+      - ["github.com/nonexistent/test", "", False, "SinkVariable", "", "", "", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "Sink1", "", "", "Argument[0]", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "SinkManyArgs", "", "", "Argument[0..2]", "qltest", "manual"]
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/sinks.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/sinks.expected
@@ -43,3 +43,4 @@ invalidModelRow
 | test.go:199:17:199:20 | arg1 | qltest |
 | test.go:199:23:199:26 | arg2 | qltest |
 | test.go:199:29:199:32 | arg3 | qltest |
+| test.go:202:22:202:25 | temp | qltest |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/sinks.ext.yml
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/sinks.ext.yml
@@ -3,6 +3,7 @@ extensions:
      pack: codeql/go-all
      extensible: sinkModel
    data:
+      - ["github.com/nonexistent/test", "", False, "SinkVariable", "", "", "", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "Sink1", "", "", "Argument[0]", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "SinkMethod", "", "", "Argument[receiver]", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "SinkManyArgs", "", "", "Argument[0..2]", "qltest", "manual"]
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected
@@ -21,3 +21,4 @@ invalidModelRow
 | test.go:183:17:183:24 | call to Src1 | qltest |
 | test.go:187:24:187:31 | call to Src1 | qltest |
 | test.go:191:24:191:31 | call to Src1 | qltest |
+| test.go:201:10:201:28 | selection of SourceVariable | qltest |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.ext.yml
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.ext.yml
@@ -3,9 +3,10 @@ extensions:
      pack: codeql/go-all
      extensible: sourceModel
    data:
+      - ["github.com/nonexistent/test", "", False, "SourceVariable", "", "", "", "qltest", "manual"]
      - ["github.com/nonexistent/test", "A", False, "Src1", "", "", "ReturnValue", "qltest", "manual"]
      - ["github.com/nonexistent/test", "A", False, "Src2", "", "", "ReturnValue", "qltest", "manual"]
      - ["github.com/nonexistent/test", "A", True, "Src2", "", "", "ReturnValue", "qltest-w-subtypes", "manual"]
      - ["github.com/nonexistent/test", "A", False, "SrcArg", "", "", "Argument[0]", "qltest-arg", "manual"]
      - ["github.com/nonexistent/test", "A", False, "Src3", "", "", "ReturnValue[0]", "qltest", "manual"]
-      - ["github.com/nonexistent/test", "A", True, "Src3", "", "", "ReturnValue[1]", "qltest-w-subtypes", "manual"]
+      - ["github.com/nonexistent/test", "A", True, "Src3", "", "", "ReturnValue[1]", "qltest-w-subtypes", "manual"]
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go
@@ -197,6 +197,9 @@ func simpleflow() {
 	arg3 := src
 	arg4 := src
 	b.SinkManyArgs(arg1, arg2, arg3, arg4) // $ hasTaintFlow="arg1" hasTaintFlow="arg2" hasTaintFlow="arg3"
+
+	temp := test.SourceVariable
+	test.SinkVariable = temp // $ hasTaintFlow="temp"
 }

 type mapstringstringtype map[string]string
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/vendor/github.com/nonexistent/test/stub.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/vendor/github.com/nonexistent/test/stub.go
@@ -72,3 +72,6 @@ func (c C) Get() string  { return "" }

 func (c *C) SetThroughPointer(f string) {}
 func (c *C) GetThroughPointer() string  { return "" }
+
+var SourceVariable string
+var SinkVariable string
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ext.yml
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ext.yml
@@ -35,10 +35,12 @@ extensions:
      pack: codeql/go-all
      extensible: sourceModel
    data:
+      - ["github.com/nonexistent/test", "", False, "SourceVariable", "", "", "", "qltest", "manual"]
      - ["github.com/nonexistent/test", "A", False, "Src1", "", "", "ReturnValue", "qltest", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: sinkModel
    data:
+      - ["github.com/nonexistent/test", "", False, "SinkVariable", "", "", "", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "Sink1", "", "", "Argument[0]", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "SinkManyArgs", "", "", "Argument[0..2]", "qltest", "manual"]
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected
@@ -49,3 +49,4 @@ invalidModelRow
 | test.go:205:10:205:26 | call to min | qltest |
 | test.go:206:10:206:26 | call to min | qltest |
 | test.go:207:10:207:26 | call to min | qltest |
+| test.go:210:22:210:25 | temp | qltest |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.ext.yml
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.ext.yml
@@ -3,6 +3,7 @@ extensions:
      pack: codeql/go-all
      extensible: sinkModel
    data:
+      - ["github.com/nonexistent/test", "", False, "SinkVariable", "", "", "", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "Sink1", "", "", "Argument[0]", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "SinkMethod", "", "", "Argument[receiver]", "qltest", "manual"]
      - ["github.com/nonexistent/test", "B", False, "SinkManyArgs", "", "", "Argument[0..2]", "qltest", "manual"]
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected
@@ -21,3 +21,4 @@ invalidModelRow
 | test.go:183:17:183:24 | call to Src1 | qltest |
 | test.go:187:24:187:31 | call to Src1 | qltest |
 | test.go:191:24:191:31 | call to Src1 | qltest |
+| test.go:209:10:209:28 | selection of SourceVariable | qltest |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.ext.yml
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.ext.yml
@@ -3,9 +3,10 @@ extensions:
      pack: codeql/go-all
      extensible: sourceModel
    data:
+      - ["github.com/nonexistent/test", "", False, "SourceVariable", "", "", "", "qltest", "manual"]
      - ["github.com/nonexistent/test", "A", False, "Src1", "", "", "ReturnValue", "qltest", "manual"]
      - ["github.com/nonexistent/test", "A", False, "Src2", "", "", "ReturnValue", "qltest", "manual"]
      - ["github.com/nonexistent/test", "A", True, "Src2", "", "", "ReturnValue", "qltest-w-subtypes", "manual"]
      - ["github.com/nonexistent/test", "A", False, "SrcArg", "", "", "Argument[0]", "qltest-arg", "manual"]
      - ["github.com/nonexistent/test", "A", False, "Src3", "", "", "ReturnValue[0]", "qltest", "manual"]
-      - ["github.com/nonexistent/test", "A", True, "Src3", "", "", "ReturnValue[1]", "qltest-w-subtypes", "manual"]
+      - ["github.com/nonexistent/test", "A", True, "Src3", "", "", "ReturnValue[1]", "qltest-w-subtypes", "manual"]
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go
@@ -205,6 +205,9 @@ func simpleflow() {
 	b.Sink1(min(srcInt, 0, 1)) // $ hasValueFlow="call to min"
 	b.Sink1(min(0, srcInt, 1)) // $ hasValueFlow="call to min"
 	b.Sink1(min(0, 1, srcInt)) // $ hasValueFlow="call to min"
+
+	temp := test.SourceVariable
+	test.SinkVariable = temp // $ hasValueFlow="temp"
 }

 type mapstringstringtype map[string]string
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/vendor/github.com/nonexistent/test/stub.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/vendor/github.com/nonexistent/test/stub.go
@@ -72,3 +72,6 @@ func (c C) Get() string  { return "" }

 func (c *C) SetThroughPointer(f string) {}
 func (c *C) GetThroughPointer() string  { return "" }
+
+var SourceVariable string
+var SinkVariable string
--- a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.expected
@@ -32,40 +32,61 @@
 | test.go:59:31:59:39 | untrusted | test.go:57:15:57:41 | call to UserAgent | test.go:59:31:59:39 | untrusted | This query depends on a $@. | test.go:57:15:57:41 | call to UserAgent | user-provided value |
 | test.go:65:19:65:27 | untrusted | test.go:63:15:63:41 | call to UserAgent | test.go:65:19:65:27 | untrusted | This query depends on a $@. | test.go:63:15:63:41 | call to UserAgent | user-provided value |
 edges
-| test.go:11:15:11:41 | call to UserAgent | test.go:13:11:13:19 | untrusted | provenance | Src:MaD:1  |
-| test.go:11:15:11:41 | call to UserAgent | test.go:14:23:14:31 | untrusted | provenance | Src:MaD:1  |
-| test.go:11:15:11:41 | call to UserAgent | test.go:15:14:15:22 | untrusted | provenance | Src:MaD:1  |
-| test.go:11:15:11:41 | call to UserAgent | test.go:16:26:16:34 | untrusted | provenance | Src:MaD:1  |
-| test.go:11:15:11:41 | call to UserAgent | test.go:17:12:17:20 | untrusted | provenance | Src:MaD:1  |
-| test.go:11:15:11:41 | call to UserAgent | test.go:18:24:18:32 | untrusted | provenance | Src:MaD:1  |
-| test.go:11:15:11:41 | call to UserAgent | test.go:19:15:19:23 | untrusted | provenance | Src:MaD:1  |
-| test.go:11:15:11:41 | call to UserAgent | test.go:20:27:20:35 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:28:12:28:20 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:29:10:29:18 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:30:15:30:23 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:31:14:31:22 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:32:15:32:23 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:33:8:33:16 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:34:11:34:19 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:35:9:35:17 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:36:8:36:16 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:37:8:37:16 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:38:13:38:21 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:39:13:39:21 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:40:12:40:20 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:41:12:41:20 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:42:9:42:17 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:43:12:43:20 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:44:16:44:24 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:45:12:45:20 | untrusted | provenance | Src:MaD:1  |
-| test.go:25:15:25:41 | call to UserAgent | test.go:46:14:46:22 | untrusted | provenance | Src:MaD:1  |
-| test.go:26:16:26:42 | call to UserAgent | test.go:44:27:44:36 | untrusted2 | provenance | Src:MaD:1  |
-| test.go:26:16:26:42 | call to UserAgent | test.go:46:25:46:34 | untrusted2 | provenance | Src:MaD:1  |
-| test.go:50:15:50:41 | call to UserAgent | test.go:52:12:52:20 | untrusted | provenance | Src:MaD:1  |
-| test.go:57:15:57:41 | call to UserAgent | test.go:59:31:59:39 | untrusted | provenance | Src:MaD:1  |
-| test.go:63:15:63:41 | call to UserAgent | test.go:65:19:65:27 | untrusted | provenance | Src:MaD:1  |
+| test.go:11:15:11:41 | call to UserAgent | test.go:13:11:13:19 | untrusted | provenance | Src:MaD:22 Sink:MaD:2 |
+| test.go:11:15:11:41 | call to UserAgent | test.go:14:23:14:31 | untrusted | provenance | Src:MaD:22 Sink:MaD:3 |
+| test.go:11:15:11:41 | call to UserAgent | test.go:15:14:15:22 | untrusted | provenance | Src:MaD:22 Sink:MaD:4 |
+| test.go:11:15:11:41 | call to UserAgent | test.go:16:26:16:34 | untrusted | provenance | Src:MaD:22 Sink:MaD:5 |
+| test.go:11:15:11:41 | call to UserAgent | test.go:17:12:17:20 | untrusted | provenance | Src:MaD:22 Sink:MaD:6 |
+| test.go:11:15:11:41 | call to UserAgent | test.go:18:24:18:32 | untrusted | provenance | Src:MaD:22 Sink:MaD:7 |
+| test.go:11:15:11:41 | call to UserAgent | test.go:19:15:19:23 | untrusted | provenance | Src:MaD:22 Sink:MaD:8 |
+| test.go:11:15:11:41 | call to UserAgent | test.go:20:27:20:35 | untrusted | provenance | Src:MaD:22 Sink:MaD:9 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:28:12:28:20 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:29:10:29:18 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:30:15:30:23 | untrusted | provenance | Src:MaD:22 Sink:MaD:13 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:31:14:31:22 | untrusted | provenance | Src:MaD:22 Sink:MaD:15 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:32:15:32:23 | untrusted | provenance | Src:MaD:22 Sink:MaD:18 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:33:8:33:16 | untrusted | provenance | Src:MaD:22 Sink:MaD:16 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:34:11:34:19 | untrusted | provenance | Src:MaD:22 Sink:MaD:20 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:35:9:35:17 | untrusted | provenance | Src:MaD:22 Sink:MaD:11 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:36:8:36:16 | untrusted | provenance | Src:MaD:22 Sink:MaD:17 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:37:8:37:16 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:38:13:38:21 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:39:13:39:21 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:40:12:40:20 | untrusted | provenance | Src:MaD:22 Sink:MaD:12 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:41:12:41:20 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:42:9:42:17 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:43:12:43:20 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:44:16:44:24 | untrusted | provenance | Src:MaD:22 Sink:MaD:14 |
+| test.go:25:15:25:41 | call to UserAgent | test.go:45:12:45:20 | untrusted | provenance | Src:MaD:22  |
+| test.go:25:15:25:41 | call to UserAgent | test.go:46:14:46:22 | untrusted | provenance | Src:MaD:22 Sink:MaD:19 |
+| test.go:26:16:26:42 | call to UserAgent | test.go:44:27:44:36 | untrusted2 | provenance | Src:MaD:22  |
+| test.go:26:16:26:42 | call to UserAgent | test.go:46:25:46:34 | untrusted2 | provenance | Src:MaD:22 Sink:MaD:19 |
+| test.go:50:15:50:41 | call to UserAgent | test.go:52:12:52:20 | untrusted | provenance | Src:MaD:22 Sink:MaD:10 |
+| test.go:57:15:57:41 | call to UserAgent | test.go:59:31:59:39 | untrusted | provenance | Src:MaD:22 Sink:MaD:21 |
+| test.go:63:15:63:41 | call to UserAgent | test.go:65:19:65:27 | untrusted | provenance | Src:MaD:22 Sink:MaD:1 |
 models
-| 1 | Source: net/http; Request; true; UserAgent; ; ; ReturnValue; remote; manual |
+| 1 | Sink: group:beego-orm; Condition; true; Raw; ; ; Argument[1]; sql-injection; manual |
+| 2 | Sink: group:beego-orm; DB; true; Exec; ; ; Argument[0]; sql-injection; manual |
+| 3 | Sink: group:beego-orm; DB; true; ExecContext; ; ; Argument[1]; sql-injection; manual |
+| 4 | Sink: group:beego-orm; DB; true; Prepare; ; ; Argument[0]; sql-injection; manual |
+| 5 | Sink: group:beego-orm; DB; true; PrepareContext; ; ; Argument[1]; sql-injection; manual |
+| 6 | Sink: group:beego-orm; DB; true; Query; ; ; Argument[0]; sql-injection; manual |
+| 7 | Sink: group:beego-orm; DB; true; QueryContext; ; ; Argument[1]; sql-injection; manual |
+| 8 | Sink: group:beego-orm; DB; true; QueryRow; ; ; Argument[0]; sql-injection; manual |
+| 9 | Sink: group:beego-orm; DB; true; QueryRowContext; ; ; Argument[1]; sql-injection; manual |
+| 10 | Sink: group:beego-orm; Ormer; true; Raw; ; ; Argument[0]; sql-injection; manual |
+| 11 | Sink: group:beego-orm; QueryBuilder; true; And; ; ; Argument[0]; sql-injection; manual |
+| 12 | Sink: group:beego-orm; QueryBuilder; true; Having; ; ; Argument[0]; sql-injection; manual |
+| 13 | Sink: group:beego-orm; QueryBuilder; true; InnerJoin; ; ; Argument[0]; sql-injection; manual |
+| 14 | Sink: group:beego-orm; QueryBuilder; true; InsertInto; ; ; Argument[0..1]; sql-injection; manual |
+| 15 | Sink: group:beego-orm; QueryBuilder; true; LeftJoin; ; ; Argument[0]; sql-injection; manual |
+| 16 | Sink: group:beego-orm; QueryBuilder; true; On; ; ; Argument[0]; sql-injection; manual |
+| 17 | Sink: group:beego-orm; QueryBuilder; true; Or; ; ; Argument[0]; sql-injection; manual |
+| 18 | Sink: group:beego-orm; QueryBuilder; true; RightJoin; ; ; Argument[0]; sql-injection; manual |
+| 19 | Sink: group:beego-orm; QueryBuilder; true; Subquery; ; ; Argument[0..1]; sql-injection; manual |
+| 20 | Sink: group:beego-orm; QueryBuilder; true; Where; ; ; Argument[0]; sql-injection; manual |
+| 21 | Sink: group:beego-orm; QuerySeter; true; FilterRaw; ; ; Argument[1]; sql-injection; manual |
+| 22 | Source: net/http; Request; true; UserAgent; ; ; ReturnValue; remote; manual |
 nodes
 | test.go:11:15:11:41 | call to UserAgent | semmle.label | call to UserAgent |
 | test.go:13:11:13:19 | untrusted | semmle.label | untrusted |
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/QueryString.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/QueryString.expected
@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/QueryString.ql
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/QueryString.ql
@@ -0,0 +1,60 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SqlTest implements TestSig {
+  string getARelevantTag() { result = "query" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |
+      q.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+module QueryString implements TestSig {
+  string getARelevantTag() { result = "querystring" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      value = qs.toString()
+    )
+  }
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLit }
+
+  predicate isSink(DataFlow::Node n) {
+    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+module TaintFlow implements TestSig {
+  string getARelevantTag() { result = "flowfrom" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "flowfrom" and
+    element = "" and
+    exists(DataFlow::Node fromNode, DataFlow::Node toNode |
+      toNode
+          .hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+            location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      Flow::flow(fromNode, toNode) and
+      value = fromNode.asExpr().(StringLit).getValue()
+    )
+  }
+}
+
+import MakeTest<MergeTests3<SqlTest, QueryString, TaintFlow>>
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected
@@ -1,25 +0,0 @@
-| gorm.go:20:12:20:20 | untrusted | github.com/jinzhu/gorm | DB | Where |
-| gorm.go:21:10:21:18 | untrusted | github.com/jinzhu/gorm | DB | Raw |
-| gorm.go:22:10:22:18 | untrusted | github.com/jinzhu/gorm | DB | Not |
-| gorm.go:23:12:23:20 | untrusted | github.com/jinzhu/gorm | DB | Order |
-| gorm.go:24:9:24:17 | untrusted | github.com/jinzhu/gorm | DB | Or |
-| gorm.go:25:13:25:21 | untrusted | github.com/jinzhu/gorm | DB | Select |
-| gorm.go:26:12:26:20 | untrusted | github.com/jinzhu/gorm | DB | Table |
-| gorm.go:27:12:27:20 | untrusted | github.com/jinzhu/gorm | DB | Group |
-| gorm.go:28:13:28:21 | untrusted | github.com/jinzhu/gorm | DB | Having |
-| gorm.go:29:12:29:20 | untrusted | github.com/jinzhu/gorm | DB | Joins |
-| gorm.go:30:11:30:19 | untrusted | github.com/jinzhu/gorm | DB | Exec |
-| gorm.go:31:12:31:20 | untrusted | github.com/jinzhu/gorm | DB | Pluck |
-| gorm.go:34:12:34:20 | untrusted | gorm.io/gorm | DB | Where |
-| gorm.go:35:10:35:18 | untrusted | gorm.io/gorm | DB | Raw |
-| gorm.go:36:10:36:18 | untrusted | gorm.io/gorm | DB | Not |
-| gorm.go:37:12:37:20 | untrusted | gorm.io/gorm | DB | Order |
-| gorm.go:38:9:38:17 | untrusted | gorm.io/gorm | DB | Or |
-| gorm.go:39:13:39:21 | untrusted | gorm.io/gorm | DB | Select |
-| gorm.go:40:12:40:20 | untrusted | gorm.io/gorm | DB | Table |
-| gorm.go:41:12:41:20 | untrusted | gorm.io/gorm | DB | Group |
-| gorm.go:42:13:42:21 | untrusted | gorm.io/gorm | DB | Having |
-| gorm.go:43:12:43:20 | untrusted | gorm.io/gorm | DB | Joins |
-| gorm.go:44:11:44:19 | untrusted | gorm.io/gorm | DB | Exec |
-| gorm.go:45:15:45:23 | untrusted | gorm.io/gorm | DB | Distinct |
-| gorm.go:46:12:46:20 | untrusted | gorm.io/gorm | DB | Pluck |
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go
@@ -13,36 +13,35 @@ func getUntrustedString() string {
 }

 func main() {
-
 	untrusted := getUntrustedString()

 	db1 := gorm1.DB{}
-	db1.Where(untrusted)
-	db1.Raw(untrusted)
-	db1.Not(untrusted)
-	db1.Order(untrusted)
-	db1.Or(untrusted)
-	db1.Select(untrusted)
-	db1.Table(untrusted)
-	db1.Group(untrusted)
-	db1.Having(untrusted)
-	db1.Joins(untrusted)
-	db1.Exec(untrusted)
-	db1.Pluck(untrusted, nil)
+	db1.Where(untrusted)      // $ querystring=untrusted
+	db1.Raw(untrusted)        // $ querystring=untrusted
+	db1.Not(untrusted)        // $ querystring=untrusted
+	db1.Order(untrusted)      // $ querystring=untrusted
+	db1.Or(untrusted)         // $ querystring=untrusted
+	db1.Select(untrusted)     // $ querystring=untrusted
+	db1.Table(untrusted)      // $ querystring=untrusted
+	db1.Group(untrusted)      // $ querystring=untrusted
+	db1.Having(untrusted)     // $ querystring=untrusted
+	db1.Joins(untrusted)      // $ querystring=untrusted
+	db1.Exec(untrusted)       // $ querystring=untrusted
+	db1.Pluck(untrusted, nil) // $ querystring=untrusted

 	db2 := gorm2.DB{}
-	db2.Where(untrusted)
-	db2.Raw(untrusted)
-	db2.Not(untrusted)
-	db2.Order(untrusted)
-	db2.Or(untrusted)
-	db2.Select(untrusted)
-	db2.Table(untrusted)
-	db2.Group(untrusted)
-	db2.Having(untrusted)
-	db2.Joins(untrusted)
-	db2.Exec(untrusted)
-	db2.Distinct(untrusted)
-	db2.Pluck(untrusted, nil)
+	db2.Where(untrusted)      // $ querystring=untrusted
+	db2.Raw(untrusted)        // $ querystring=untrusted
+	db2.Not(untrusted)        // $ querystring=untrusted
+	db2.Order(untrusted)      // $ querystring=untrusted
+	db2.Or(untrusted)         // $ querystring=untrusted
+	db2.Select(untrusted)     // $ querystring=untrusted
+	db2.Table(untrusted)      // $ querystring=untrusted
+	db2.Group(untrusted)      // $ querystring=untrusted
+	db2.Having(untrusted)     // $ querystring=untrusted
+	db2.Joins(untrusted)      // $ querystring=untrusted
+	db2.Exec(untrusted)       // $ querystring=untrusted
+	db2.Distinct(untrusted)   // $ querystring=untrusted
+	db2.Pluck(untrusted, nil) // $ querystring=untrusted

 }
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql
@@ -1,5 +0,0 @@
-import go
-
-from SQL::QueryString qs, Method meth, string a, string b, string c
-where meth.hasQualifiedName(a, b, c) and qs = meth.getACall().getSyntacticArgument(0)
-select qs, a, b, c
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/QueryString.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/QueryString.expected
@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/QueryString.ql
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/QueryString.ql
@@ -0,0 +1,60 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SqlTest implements TestSig {
+  string getARelevantTag() { result = "query" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |
+      q.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+module QueryString implements TestSig {
+  string getARelevantTag() { result = "querystring" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      value = qs.toString()
+    )
+  }
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLit }
+
+  predicate isSink(DataFlow::Node n) {
+    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+module TaintFlow implements TestSig {
+  string getARelevantTag() { result = "flowfrom" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "flowfrom" and
+    element = "" and
+    exists(DataFlow::Node fromNode, DataFlow::Node toNode |
+      toNode
+          .hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+            location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      Flow::flow(fromNode, toNode) and
+      value = fromNode.asExpr().(StringLit).getValue()
+    )
+  }
+}
+
+import MakeTest<MergeTests3<SqlTest, QueryString, TaintFlow>>
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.expected
@@ -1,12 +0,0 @@
-| sqlx.go:15:17:15:25 | untrusted |
-| sqlx.go:16:14:16:22 | untrusted |
-| sqlx.go:17:14:17:22 | untrusted |
-| sqlx.go:18:12:18:20 | untrusted |
-| sqlx.go:19:15:19:23 | untrusted |
-| sqlx.go:20:16:20:24 | untrusted |
-| sqlx.go:23:17:23:25 | untrusted |
-| sqlx.go:24:14:24:22 | untrusted |
-| sqlx.go:25:14:25:22 | untrusted |
-| sqlx.go:26:12:26:20 | untrusted |
-| sqlx.go:27:15:27:23 | untrusted |
-| sqlx.go:28:16:28:24 | untrusted |
--- a/Show More
+++ b/Show More