Merge branch 'main' into rust-cfg-fixes

cpp/ql/lib/change-notes/2024-10-16-function-pointer-resolution.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The function call target resolution algorithm has been improved to resolve more calls through function pointers. As a result, dataflow queries may have more results.

cpp/ql/lib/change-notes/2024-10-16-new-api-for-call-target-resolution.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a new predicate `DataFlow::getARuntimeTarget` for getting a function that may be invoked by a `Call` expression. Unlike `Call.getTarget` this new predicate may also resolve function pointers.

cpp/ql/lib/semmle/code/cpp/Parameter.qll

@@ -73,7 +73,8 @@ class Parameter extends LocalScopeVariable, @parameter {
   }
 
   private VariableDeclarationEntry getANamedDeclarationEntry() {
-    result = this.getAnEffectiveDeclarationEntry() and result.getName() != ""
+    result = this.getAnEffectiveDeclarationEntry() and
+    exists(string name | var_decls(unresolveElement(result), _, _, name, _) | name != "")
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -241,6 +241,10 @@ class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
         name != "" and result = name
         or
         name = "" and result = this.getVariable().(LocalVariable).getName()
+        or
+        name = "" and
+        not this instanceof ParameterDeclarationEntry and
+        result = this.getVariable().(Parameter).getName()
       )
     )
   }
@@ -295,19 +299,11 @@ class ParameterDeclarationEntry extends VariableDeclarationEntry {
 
   private string getAnonymousParameterDescription() {
     not exists(this.getName()) and
-    exists(string idx |
-      idx =
-        ((this.getIndex() + 1).toString() + "th")
-            .replaceAll("1th", "1st")
-            .replaceAll("2th", "2nd")
-            .replaceAll("3th", "3rd")
-            .replaceAll("11st", "11th")
-            .replaceAll("12nd", "12th")
-            .replaceAll("13rd", "13th") and
+    exists(string anon |
+      anon = "(unnamed parameter " + this.getIndex().toString() + ")" and
       if exists(this.getCanonicalName())
-      then
-        result = "declaration of " + this.getCanonicalName() + " as anonymous " + idx + " parameter"
-      else result = "declaration of " + idx + " parameter"
+      then result = "declaration of " + this.getCanonicalName() + " as " + anon
+      else result = "declaration of " + anon
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1328,7 +1328,10 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
 
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
-  call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode() and
+  (
+    call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode() or
+    call.asCallInstruction().getCallTargetOperand() = receiver.asOperand()
+  ) and
   exists(kind)
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -17,6 +17,7 @@ private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
 private import Node0ToString
+private import DataFlowDispatch as DataFlowDispatch
 import ExprNodes
 
 /**
@@ -2497,3 +2498,16 @@ class AdditionalCallTarget extends Unit {
    */
   abstract Declaration viableTarget(Call call);
 }
+
+/**
+ * Gets a function that may be called by `call`.
+ *
+ * Note that `call` may be a call to a function pointer expression.
+ */
+Function getARuntimeTarget(Call call) {
+  exists(DataFlowCall dfCall | dfCall.asCallInstruction().getUnconvertedResultExpression() = call |
+    result = DataFlowDispatch::viableCallable(dfCall).asSourceCallable()
+    or
+    result = DataFlowImplCommon::viableCallableLambda(dfCall, _).asSourceCallable()
+  )
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -3,6 +3,9 @@ uniqueEnclosingCallable
 | test.cpp:864:47:864:54 | call to source | Node should have one enclosing callable but has 0. |
 | test.cpp:872:46:872:51 | call to source | Node should have one enclosing callable but has 0. |
 | test.cpp:872:53:872:56 | 1 | Node should have one enclosing callable but has 0. |
+| test.cpp:1126:33:1129:1 | {...} | Node should have one enclosing callable but has 0. |
+| test.cpp:1127:3:1127:13 | reads_input | Node should have one enclosing callable but has 0. |
+| test.cpp:1128:3:1128:21 | not_does_read_input | Node should have one enclosing callable but has 0. |
 uniqueCallEnclosingCallable
 | test.cpp:864:47:864:54 | call to source | Call should have one enclosing callable but has 0. |
 | test.cpp:872:46:872:51 | call to source | Call should have one enclosing callable but has 0. |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -323,6 +323,7 @@ irFlow
 | test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
 | test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i |
 | test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source |
+| test.cpp:1132:11:1132:16 | call to source | test.cpp:1121:8:1121:8 | x |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1115,4 +1115,20 @@ void indirect_sink_const_ref(const T&);
 
 void test_temp_with_conversion_from_materialization() {
   indirect_sink_const_ref(source()); // $ ir MISSING: ast
+}
+
+void reads_input(int x) {
+  sink(x); // $ ir MISSING: ast
+}
+
+void not_does_read_input(int x);
+
+void (*dispatch_table[])(int) = {
+  reads_input,
+  not_does_read_input
+};
+
+void test_dispatch_table(int i) {
+  int x = source();
+  dispatch_table[i](x);
 }

cpp/ql/test/library-tests/declarationEntry/declarationEntry/roundTrip.expected

@@ -25,8 +25,8 @@
 | declarationEntry.cpp:39:7:39:7 | declaration of operator= | declarationEntry.cpp:39:7:39:7 | operator= | yes |
 | declarationEntry.cpp:39:7:39:13 | definition of myClass | declarationEntry.cpp:39:7:39:13 | myClass | yes |
 | declarationEntry.cpp:42:6:42:21 | definition of myMemberVariable | declarationEntry.cpp:42:6:42:21 | myMemberVariable | yes |
-| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
-| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
+| file://:0:0:0:0 | declaration of (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) | yes |
+| file://:0:0:0:0 | declaration of (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) | yes |
 | file://:0:0:0:0 | definition of fp_offset | file://:0:0:0:0 | fp_offset | yes |
 | file://:0:0:0:0 | definition of gp_offset | file://:0:0:0:0 | gp_offset | yes |
 | file://:0:0:0:0 | definition of overflow_arg_area | file://:0:0:0:0 | overflow_arg_area | yes |

cpp/ql/test/library-tests/declarationEntry/more/declarationEntry.expected

@@ -1,7 +1,7 @@
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
+| file://:0:0:0:0 | declaration of (unnamed parameter 0) |
+| file://:0:0:0:0 | declaration of (unnamed parameter 0) |
+| file://:0:0:0:0 | declaration of (unnamed parameter 0) |
+| file://:0:0:0:0 | declaration of (unnamed parameter 0) |
 | file://:0:0:0:0 | definition of fp_offset |
 | file://:0:0:0:0 | definition of gp_offset |
 | file://:0:0:0:0 | definition of overflow_arg_area |

cpp/ql/test/library-tests/parameters/toStrings/params.expected

@@ -1,11 +1,11 @@
-| test.c:2:8:2:10 | declaration of 1st parameter |
-| test.c:2:13:2:15 | declaration of 2nd parameter |
-| test.c:2:18:2:20 | declaration of 3rd parameter |
-| test.c:2:23:2:25 | declaration of 4th parameter |
-| test.c:3:8:3:10 | declaration of y1 as anonymous 1st parameter |
-| test.c:3:13:3:15 | declaration of y2 as anonymous 2nd parameter |
-| test.c:3:18:3:20 | declaration of y3 as anonymous 3rd parameter |
-| test.c:3:23:3:25 | declaration of y4 as anonymous 4th parameter |
+| test.c:2:8:2:10 | declaration of (unnamed parameter 0) |
+| test.c:2:13:2:15 | declaration of (unnamed parameter 1) |
+| test.c:2:18:2:20 | declaration of (unnamed parameter 2) |
+| test.c:2:23:2:25 | declaration of (unnamed parameter 3) |
+| test.c:3:8:3:10 | declaration of y1 as (unnamed parameter 0) |
+| test.c:3:13:3:15 | declaration of y2 as (unnamed parameter 1) |
+| test.c:3:18:3:20 | declaration of y3 as (unnamed parameter 2) |
+| test.c:3:23:3:25 | declaration of y4 as (unnamed parameter 3) |
 | test.c:4:12:4:13 | declaration of x1 |
 | test.c:4:20:4:21 | declaration of x2 |
 | test.c:4:28:4:29 | declaration of x3 |

cpp/ql/test/query-tests/Metrics/Dependencies/dependencies.expected

@@ -1,5 +1,5 @@
-| file://:0:0:0:0 | declaration of 1st parameter | LibB/libb_internal.h:5:8:5:12 | thing |
-| file://:0:0:0:0 | declaration of 1st parameter | LibB/libb_internal.h:5:8:5:12 | thing |
+| file://:0:0:0:0 | declaration of (unnamed parameter 0) | LibB/libb_internal.h:5:8:5:12 | thing |
+| file://:0:0:0:0 | declaration of (unnamed parameter 0) | LibB/libb_internal.h:5:8:5:12 | thing |
 | include.h:3:25:3:33 | num | LibD/libd.h:5:12:5:14 | num |
 | main.cpp:8:31:8:31 | call to container | LibC/libc.h:9:3:9:3 | container |
 | main.cpp:8:31:8:31 | definition of x | LibB/libb_internal.h:5:8:5:12 | thing |

docs/codeql/reusables/supported-versions-compilers.rst

@@ -22,7 +22,7 @@
    Eclipse compiler for Java (ECJ) [6]_",``.java``
    Kotlin,"Kotlin 1.5.0 to 2.1.0\ *x*","kotlinc",``.kt``
    JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [7]_"
-   Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12",Not applicable,``.py``
+   Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
    Ruby [9]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
    Swift [10]_,"Swift 5.4-5.10","Swift compiler","``.swift``"
    TypeScript [11]_,"2.6-5.6",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"

go/ql/lib/change-notes/2024-10-17-ast-viewer-type-param-decl.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The AST viewer now shows type parameter declarations in the correct place in the AST.

go/ql/lib/semmle/go/AST.qll

@@ -55,6 +55,8 @@ class AstNode extends @node, Locatable {
     kind = "commentgroup" and result = this.(File).getCommentGroup(i)
     or
     kind = "comment" and result = this.(CommentGroup).getComment(i)
+    or
+    kind = "typeparamdecl" and result = this.(TypeParamDeclParent).getTypeParameterDecl(i)
   }
 
   /**

go/ql/lib/semmle/go/Decls.qll

@@ -212,10 +212,7 @@ class MethodDecl extends FuncDecl {
    *
    * is `Rectangle`.
    */
-  NamedType getReceiverBaseType() {
-    result = this.getReceiverType() or
-    result = this.getReceiverType().(PointerType).getBaseType()
-  }
+  NamedType getReceiverBaseType() { result = lookThroughPointerType(this.getReceiverType()) }
 
   /**
    * Gets the receiver variable of this method.

go/ql/lib/semmle/go/Scopes.qll

@@ -519,13 +519,7 @@ class Method extends Function {
    * Gets the receiver base type of this method, that is, either the base type of the receiver type
    * if it is a pointer type, or the receiver type itself if it is not a pointer type.
    */
-  Type getReceiverBaseType() {
-    exists(Type recv | recv = this.getReceiverType() |
-      if recv instanceof PointerType
-      then result = recv.(PointerType).getBaseType()
-      else result = recv
-    )
-  }
+  Type getReceiverBaseType() { result = lookThroughPointerType(this.getReceiverType()) }
 
   /** Holds if this method has name `m` and belongs to the method set of type `tp` or `*tp`. */
   private predicate isIn(NamedType tp, string m) {

go/ql/lib/semmle/go/Types.qll

@@ -446,11 +446,7 @@ class StructType extends @structtype, CompositeType {
       if n = ""
       then (
         isEmbedded = true and
-        (
-          name = tp.(NamedType).getName()
-          or
-          name = tp.(PointerType).getBaseType().(NamedType).getName()
-        )
+        name = lookThroughPointerType(tp).(NamedType).getName()
       ) else (
         isEmbedded = false and
         name = n
@@ -518,9 +514,7 @@ class StructType extends @structtype, CompositeType {
     this.hasFieldCand(_, embeddedParent, depth - 1, true) and
     result.getName() = name and
     (
-      result.getReceiverBaseType() = embeddedParent.getType()
-      or
-      result.getReceiverBaseType() = embeddedParent.getType().(PointerType).getBaseType()
+      result.getReceiverBaseType() = lookThroughPointerType(embeddedParent.getType())
       or
       methodhosts(result, embeddedParent.getType())
     )
@@ -644,6 +638,16 @@ class PointerType extends @pointertype, CompositeType {
   override string toString() { result = "pointer type" }
 }
 
+/**
+ * Gets the base type if `t` is a pointer type, otherwise `t` itself.
+ */
+Type lookThroughPointerType(Type t) {
+  not t instanceof PointerType and
+  result = t
+  or
+  result = t.(PointerType).getBaseType()
+}
+
 private newtype TTypeSetTerm =
   MkTypeSetTerm(TypeSetLiteralType tslit, int index) { component_types(tslit, index, _, _) }
 

go/ql/lib/semmle/go/controlflow/IR.qll

@@ -358,11 +358,7 @@ module IR {
 
     override predicate reads(ValueEntity v) { v = field }
 
-    override Type getResultType() {
-      if field.getType() instanceof PointerType
-      then result = field.getType().(PointerType).getBaseType()
-      else result = field.getType()
-    }
+    override Type getResultType() { result = lookThroughPointerType(field.getType()) }
 
     override ControlFlow::Root getRoot() { result.isRootOf(e) }
 

go/ql/src/InconsistentCode/LengthComparisonOffByOne.ql

@@ -73,7 +73,7 @@ predicate isRegexpMethodCall(DataFlow::MethodCallNode c) {
   exists(NamedType regexp, Type recvtp |
     regexp.getName() = "Regexp" and recvtp = c.getReceiver().getType()
   |
-    recvtp = regexp or recvtp.(PointerType).getBaseType() = regexp
+    lookThroughPointerType(recvtp) = regexp
   )
 }
 

go/ql/test/library-tests/semmle/go/PrintAst/PrintAst.expected

@@ -639,6 +639,11 @@ other.go:
 #   11|             Type = int
 #   11|           0: [Ident, VariableName] myNested
 #   11|               Type = func() int
+#    8|     3: [TypeParamDecl] type parameter declaration
+#    8|       0: [Ident, TypeName] int
+#    8|           Type = int
+#    8|       1: [Ident, TypeName] U
+#    8|           Type = U
 #   15|   5: [VarDecl] variable declaration
 #   15|     0: [ValueSpec] value declaration specifier
 #   15|       0: [Ident, VariableName] x
@@ -648,3 +653,32 @@ other.go:
 #   15|       2: [IntLit] 0
 #   15|           Type = int
 #   15|           Value = [IntLit] 0
+#   17|   6: [TypeDecl] type declaration
+#   17|     0: [TypeSpec] type declaration specifier
+#   17|       0: [Ident, TypeName] myType
+#   17|           Type = myType
+#   17|       1: [ArrayTypeExpr] array type
+#   17|           Type = []T
+#   17|         0: [Ident, TypeName] T
+#   17|             Type = T
+#   17|       2: [TypeParamDecl] type parameter declaration
+#   17|         0: [TypeSetLiteralExpr] type set literal
+#   17|             Type = ~string
+#   17|           0: [Ident, TypeName] string
+#   17|               Type = string
+#   17|         1: [Ident, TypeName] T
+#   17|             Type = T
+#   19|   7: [MethodDecl] function declaration
+#   19|     0: [FunctionName, Ident] f
+#   19|         Type = func() 
+#   19|     1: [FuncTypeExpr] function type
+#   19|     2: [ReceiverDecl] receiver declaration
+#   19|       0: [GenericTypeInstantiationExpr] generic type instantiation expression
+#   19|           Type = myType
+#   19|         0: [Ident, TypeName] myType
+#   19|             Type = myType
+#   19|         1: [Ident, TypeName] U
+#   19|             Type = U
+#   19|       1: [Ident, VariableName] m
+#   19|           Type = myType
+#   19|     3: [BlockStmt] block statement

go/ql/test/library-tests/semmle/go/PrintAst/PrintAstExcludeComments.expected

@@ -619,6 +619,11 @@ other.go:
 #   11|             Type = int
 #   11|           0: [Ident, VariableName] myNested
 #   11|               Type = func() int
+#    8|     3: [TypeParamDecl] type parameter declaration
+#    8|       0: [Ident, TypeName] int
+#    8|           Type = int
+#    8|       1: [Ident, TypeName] U
+#    8|           Type = U
 #   15|   5: [VarDecl] variable declaration
 #   15|     0: [ValueSpec] value declaration specifier
 #   15|       0: [Ident, VariableName] x
@@ -628,3 +633,32 @@ other.go:
 #   15|       2: [IntLit] 0
 #   15|           Type = int
 #   15|           Value = [IntLit] 0
+#   17|   6: [TypeDecl] type declaration
+#   17|     0: [TypeSpec] type declaration specifier
+#   17|       0: [Ident, TypeName] myType
+#   17|           Type = myType
+#   17|       1: [ArrayTypeExpr] array type
+#   17|           Type = []T
+#   17|         0: [Ident, TypeName] T
+#   17|             Type = T
+#   17|       2: [TypeParamDecl] type parameter declaration
+#   17|         0: [TypeSetLiteralExpr] type set literal
+#   17|             Type = ~string
+#   17|           0: [Ident, TypeName] string
+#   17|               Type = string
+#   17|         1: [Ident, TypeName] T
+#   17|             Type = T
+#   19|   7: [MethodDecl] function declaration
+#   19|     0: [FunctionName, Ident] f
+#   19|         Type = func() 
+#   19|     1: [FuncTypeExpr] function type
+#   19|     2: [ReceiverDecl] receiver declaration
+#   19|       0: [GenericTypeInstantiationExpr] generic type instantiation expression
+#   19|           Type = myType
+#   19|         0: [Ident, TypeName] myType
+#   19|             Type = myType
+#   19|         1: [Ident, TypeName] U
+#   19|             Type = U
+#   19|       1: [Ident, VariableName] m
+#   19|           Type = myType
+#   19|     3: [BlockStmt] block statement

go/ql/test/library-tests/semmle/go/PrintAst/PrintAstNestedFunction.expected

@@ -56,6 +56,11 @@ other.go:
 #   11|             Type = int
 #   11|           0: [Ident, VariableName] myNested
 #   11|               Type = func() int
+#    8|     3: [TypeParamDecl] type parameter declaration
+#    8|       0: [Ident, TypeName] int
+#    8|           Type = int
+#    8|       1: [Ident, TypeName] U
+#    8|           Type = U
 #   15|   2: [VarDecl] variable declaration
 #   15|     0: [ValueSpec] value declaration specifier
 #   15|       0: [Ident, VariableName] x
@@ -65,3 +70,18 @@ other.go:
 #   15|       2: [IntLit] 0
 #   15|           Type = int
 #   15|           Value = [IntLit] 0
+#   17|   3: [TypeDecl] type declaration
+#   17|     0: [TypeSpec] type declaration specifier
+#   17|       0: [Ident, TypeName] myType
+#   17|           Type = myType
+#   17|       1: [ArrayTypeExpr] array type
+#   17|           Type = []T
+#   17|         0: [Ident, TypeName] T
+#   17|             Type = T
+#   17|       2: [TypeParamDecl] type parameter declaration
+#   17|         0: [TypeSetLiteralExpr] type set literal
+#   17|             Type = ~string
+#   17|           0: [Ident, TypeName] string
+#   17|               Type = string
+#   17|         1: [Ident, TypeName] T
+#   17|             Type = T

go/ql/test/library-tests/semmle/go/PrintAst/PrintAstRestrictFile.expected

@@ -41,6 +41,11 @@ other.go:
 #   11|             Type = int
 #   11|           0: [Ident, VariableName] myNested
 #   11|               Type = func() int
+#    8|     3: [TypeParamDecl] type parameter declaration
+#    8|       0: [Ident, TypeName] int
+#    8|           Type = int
+#    8|       1: [Ident, TypeName] U
+#    8|           Type = U
 #   15|   5: [VarDecl] variable declaration
 #   15|     0: [ValueSpec] value declaration specifier
 #   15|       0: [Ident, VariableName] x
@@ -50,3 +55,32 @@ other.go:
 #   15|       2: [IntLit] 0
 #   15|           Type = int
 #   15|           Value = [IntLit] 0
+#   17|   6: [TypeDecl] type declaration
+#   17|     0: [TypeSpec] type declaration specifier
+#   17|       0: [Ident, TypeName] myType
+#   17|           Type = myType
+#   17|       1: [ArrayTypeExpr] array type
+#   17|           Type = []T
+#   17|         0: [Ident, TypeName] T
+#   17|             Type = T
+#   17|       2: [TypeParamDecl] type parameter declaration
+#   17|         0: [TypeSetLiteralExpr] type set literal
+#   17|             Type = ~string
+#   17|           0: [Ident, TypeName] string
+#   17|               Type = string
+#   17|         1: [Ident, TypeName] T
+#   17|             Type = T
+#   19|   7: [MethodDecl] function declaration
+#   19|     0: [FunctionName, Ident] f
+#   19|         Type = func() 
+#   19|     1: [FuncTypeExpr] function type
+#   19|     2: [ReceiverDecl] receiver declaration
+#   19|       0: [GenericTypeInstantiationExpr] generic type instantiation expression
+#   19|           Type = myType
+#   19|         0: [Ident, TypeName] myType
+#   19|             Type = myType
+#   19|         1: [Ident, TypeName] U
+#   19|             Type = U
+#   19|       1: [Ident, VariableName] m
+#   19|           Type = myType
+#   19|     3: [BlockStmt] block statement

go/ql/test/library-tests/semmle/go/PrintAst/PrintAstRestrictFunction.expected

@@ -1,3 +1,9 @@
+other.go:
+#    8| [TypeParamDecl] type parameter declaration
+#    8|   0: [Ident, TypeName] int
+#    8|       Type = int
+#    8|   1: [Ident, TypeName] U
+#    8|       Type = U
 go.mod:
 #    0| [GoModFile] go.mod
 #    1|   0: [GoModModuleLine] go.mod module line
@@ -45,3 +51,18 @@ other.go:
 #   15|       2: [IntLit] 0
 #   15|           Type = int
 #   15|           Value = [IntLit] 0
+#   17|   3: [TypeDecl] type declaration
+#   17|     0: [TypeSpec] type declaration specifier
+#   17|       0: [Ident, TypeName] myType
+#   17|           Type = myType
+#   17|       1: [ArrayTypeExpr] array type
+#   17|           Type = []T
+#   17|         0: [Ident, TypeName] T
+#   17|             Type = T
+#   17|       2: [TypeParamDecl] type parameter declaration
+#   17|         0: [TypeSetLiteralExpr] type set literal
+#   17|             Type = ~string
+#   17|           0: [Ident, TypeName] string
+#   17|               Type = string
+#   17|         1: [Ident, TypeName] T
+#   17|             Type = T

go/ql/test/library-tests/semmle/go/PrintAst/go.mod

@@ -1,4 +1,3 @@
 module codeql-go-tests/printast
 
-go 1.14
-
+go 1.18

go/ql/test/library-tests/semmle/go/PrintAst/other.go

@@ -5,7 +5,7 @@ func main() {}
 func f() {}
 func g() {}
 
-func hasNested() {
+func hasNested[U int]() {
 
 	myNested := func() int { return 1 }
 	myNested()
@@ -13,3 +13,7 @@ func hasNested() {
 }
 
 var x int = 0
+
+type myType[T ~string] []T
+
+func (m myType[U]) f() {}

java/ql/integration-tests/java/buildless-maven-executable-war/source_archive.expected

@@ -5,3 +5,4 @@ src/main/resources/page.xml
 src/main/resources/struts.xml
 src/test/java/com/example/AppTest.java
 test-db/log/ext/javac.properties
+test-db/working/settings.xml

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/buildless-fetches.expected

@@ -0,0 +1,26 @@
+https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
+https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
+https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
+https://repo.maven.apache.org/maven2/com/intuit/benten/benten-examples/0.1.5/benten-examples-0.1.5.jar
+https://repo.maven.apache.org/maven2/com/jakewharton/twirl/sample-runtime/1.2.0/sample-runtime-1.2.0.jar
+https://repo.maven.apache.org/maven2/com/mattunderscore/code/generation/specky/plugin-example/0.8.0/plugin-example-0.8.0.jar
+https://repo.maven.apache.org/maven2/com/microsoft/tang/tang-test-jarAB/0.9/tang-test-jarAB-0.9.jar
+https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/rx-redis-example_2.11-0.1.2.jar
+https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
+https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
+https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
+https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
+https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
+https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-mustache/0.5.10/minijax-example-mustache-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-petclinic/0.5.10/minijax-example-petclinic-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-security/0.5.10/minijax-example-security-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-ssl/0.5.10/minijax-example-ssl-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-todo-backend/0.5.10/minijax-example-todo-backend-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-websocket/0.5.10/minijax-example-websocket-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
+https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
+https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/diagnostics.expected

@@ -0,0 +1,70 @@
+{
+  "markdownMessage": "Java analysis used build tool Maven to pick a JDK version and/or to recommend external dependencies.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/using-build-tool-advice",
+    "name": "Java analysis used build tool Maven to pick a JDK version and/or to recommend external dependencies"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis used the system default JDK.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/jdk-system-default",
+    "name": "Java analysis used the system default JDK"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis with build-mode 'none' completed.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/complete",
+    "name": "Java analysis with build-mode 'none' completed"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java was extracted with build-mode set to 'none'. This means that all Java source in the working directory will be scanned, with build tools such as Maven and Gradle only contributing information about external dependencies.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/mode-active",
+    "name": "Java was extracted with build-mode set to 'none'"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Reading the dependency graph from build files provided 2 classpath entries",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/depgraph-provided-by-maven",
+    "name": "Java analysis extracted precise dependency graph information from tool Maven"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/home-dir-with-maven-settings/.m2/settings.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<settings>
+    <profiles>
+        <profile>
+            <id>preexisting-profile</id>
+            <pluginRepositories>
+                <pluginRepository>
+                    <id>preexisting-repository</id>
+                    <name>A pre-existing repository</name>
+                    <url>https://nonesuch.example</url>
+                </pluginRepository>
+            </pluginRepositories>
+        </profile>
+    </profiles>
+    <activeProfiles>
+        <activeProfile>preexisting-profile</activeProfile>
+    </activeProfiles>
+</settings>

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected

@@ -0,0 +1,77 @@
+Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.14.1/jackson-base-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.14.1/jackson-bom-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/48/oss-parent-48.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3/depgraph-maven-plugin-4.0.3.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3/depgraph-maven-plugin-4.0.3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.11.0/error_prone_annotations-2.11.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.11.0/error_prone_annotations-2.11.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_parent/2.11.0/error_prone_parent-2.11.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/31.1-jre/guava-parent-31.1-jre.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/31.1-jre/guava-31.1-jre.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/net/java/jvnet-parent/3/jvnet-parent-3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/19/apache-19.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/25/apache-25.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/27/apache-27.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-parent/47/commons-parent-47.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-artifact/3.8.6/maven-artifact-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-artifact/3.8.6/maven-artifact-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-model/3.8.6/maven-model-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-model/3.8.6/maven-model-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-parent/35/maven-parent-35.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-parent/37/maven-parent-37.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-plugin-api/3.8.6/maven-plugin-api-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-plugin-api/3.8.6/maven-plugin-api-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven/3.8.6/maven-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-shared-components/37/maven-shared-components-37.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.12.0/checker-qual-3.12.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.12.0/checker-qual-3.12.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.5.2/plexus-classworlds-2.5.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-containers/1.5.5/plexus-containers-1.5.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.0.24/plexus-utils-3.0.24.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.3.1/plexus-utils-3.3.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.3.1/plexus-utils-3.3.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/2.0.7/plexus-2.0.7.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/3.3.1/plexus-3.3.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/4.0/plexus-4.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/5.1/plexus-5.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.5/org.eclipse.sisu.inject-0.3.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.5/org.eclipse.sisu.inject-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.5/org.eclipse.sisu.plexus-0.3.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.5/org.eclipse.sisu.plexus-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/sisu-inject/0.3.5/sisu-inject-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/sisu-plexus/0.3.5/sisu-plexus-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/junit/junit-bom/5.9.1/junit-bom-5.9.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/forge/forge-parent/10/forge-parent-10.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/pom.xml

@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.example</groupId>
+  <artifactId>maven-sample</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <name>maven-sample</name>
+  <!-- FIXME change it to the project's website -->
+  <url>http://www.example.com</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>1.7</maven.compiler.source>
+    <maven.compiler.target>1.7</maven.compiler.target>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.11</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <artifactId>exec-maven-plugin</artifactId>
+        <groupId>org.codehaus.mojo</groupId>
+        <version>1.1.1</version>
+        <executions>
+          <execution>
+            <id>check-maven-version</id>
+            <phase>package</phase>
+            <goals>
+              <goal>java</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <mainClass>com.example.App</mainClass>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>com.diffplug.spotless</groupId>
+        <artifactId>spotless-maven-plugin</artifactId>
+        <version>2.19.1</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+            <phase>compile</phase>
+          </execution>
+        </executions>
+        <configuration>
+          <java>
+            <licenseHeader>
+              <content>/* FAIL ME */</content>
+            </licenseHeader>
+          </java>
+        </configuration>
+      </plugin>
+    </plugins>
+    <pluginManagement>
+      <!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+      <plugins>
+        <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+        <plugin>
+          <artifactId>maven-clean-plugin</artifactId>
+          <version>3.1.0</version>
+        </plugin>
+        <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>3.8.0</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.22.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-install-plugin</artifactId>
+          <version>2.5.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-deploy-plugin</artifactId>
+          <version>2.8.2</version>
+        </plugin>
+        <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+        <plugin>
+          <artifactId>maven-site-plugin</artifactId>
+          <version>3.7.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-project-info-reports-plugin</artifactId>
+          <version>3.0.0</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+  </build>
+</project>

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/settings-xml.expected

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<settings>
+        
+    <profiles>
+                
+        <profile>
+                        
+            <id>preexisting-profile</id>
+                        
+            <pluginRepositories>
+                                
+                <pluginRepository>
+                                        
+                    <id>preexisting-repository</id>
+                                        
+                    <name>A pre-existing repository</name>
+                                        
+                    <url>https://nonesuch.example</url>
+                                    
+                </pluginRepository>
+                            
+            </pluginRepositories>
+                    
+        </profile>
+            
+        <profile>
+            <id>codeql-depgraph-plugin-repo</id>
+            <pluginRepositories>
+                <pluginRepository>
+                    <id>codeql-depgraph-plugin-repo</id>
+                    <name>CodeQL Dependency Graph Plugin Repository</name>
+                    <url>file://[dist-root]/java/tools/ferstl-depgraph-dependencies/</url>
+                </pluginRepository>
+            </pluginRepositories>
+        </profile>
+    </profiles>
+        
+    <activeProfiles>
+                
+        <activeProfile>preexisting-profile</activeProfile>
+            
+        <activeProfile>codeql-depgraph-plugin-repo</activeProfile>
+    </activeProfiles>
+    
+</settings>

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/source_archive.expected

@@ -0,0 +1,9 @@
+home-dir-with-maven-settings/.m2/settings.xml
+pom.xml
+src/main/java/com/example/App.java
+src/main/resources/my-app.properties
+src/main/resources/page.xml
+src/main/resources/struts.xml
+src/test/java/com/example/AppTest.java
+test-db/log/ext/javac.properties
+test-db/working/settings.xml

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/src/main/java/com/example/App.java

@@ -0,0 +1,30 @@
+package com.example;
+
+import java.util.regex.Pattern;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+/**
+ * Hello world!
+ *
+ */
+public class App 
+{
+    public static void main( String[] args )
+    {
+        System.out.println( "Hello World!" );
+        String expectedVersion = System.getenv("EXPECT_MAVEN");
+        Path mavenHome = Paths.get(System.getProperty("maven.home")).normalize();
+        String observedVersion = mavenHome.getFileName().toString();
+        if (expectedVersion != null && !expectedVersion.equals(observedVersion)) {
+                System.err.println("Wrong maven version, expected '" + expectedVersion + "' but got '" + observedVersion + "'" + mavenHome);
+                System.exit(1);
+        }
+        String commandMatcher = System.getenv("EXPECT_COMMAND_REGEX");
+        String command = System.getProperty("sun.java.command");
+        if (commandMatcher != null && !Pattern.matches(commandMatcher, command)) {
+                System.err.println("Wrong command line, '" + command + "' does not match '" + commandMatcher + "'");
+                System.exit(1);
+        }
+    }
+}

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/src/main/resources/my-app.properties

@@ -0,0 +1 @@
+version=1.0

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/src/main/resources/page.xml

@@ -0,0 +1,8 @@
+<html>
+<head>
+<title>A sample</title>
+</head>
+<body>
+<p>Hello world!</p>
+</body>
+</html>

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/src/main/resources/struts.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<struts>
+This is a sample file
+</struts>

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/src/test/java/com/example/AppTest.java

@@ -0,0 +1,20 @@
+package com.example;
+
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Test;
+
+/**
+ * Unit test for simple App.
+ */
+public class AppTest 
+{
+    /**
+     * Rigorous Test :-)
+     */
+    @Test
+    public void shouldAnswerWithTrue()
+    {
+        assertTrue( true );
+    }
+}

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/test.py

@@ -0,0 +1,9 @@
+import os
+import os.path
+
+def test(codeql, java):
+    codeql.database.create(build_mode = "none",
+        _env={
+            "_JAVA_OPTIONS": "-Duser.home=" + os.path.join(os.getcwd(), "home-dir-with-maven-settings")
+        }
+    )

java/ql/integration-tests/java/buildless-maven-multimodule/source_archive.expected

@@ -12,3 +12,4 @@ submod2/src/main/resources/page.xml
 submod2/src/main/resources/struts.xml
 submod2/src/test/java/com/example/AppTest2.java
 test-db/log/ext/javac.properties
+test-db/working/settings.xml

java/ql/integration-tests/java/buildless-maven-timeout/diagnostics.expected

@@ -83,7 +83,7 @@
   }
 }
 {
-  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.2:graph` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
+  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3:graph` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
   "severity": "note",
   "source": {
     "extractorName": "java",

java/ql/integration-tests/java/buildless-maven-timeout/source_archive.expected

@@ -6,3 +6,4 @@ src/main/resources/page.xml
 src/main/resources/struts.xml
 src/test/java/com/example/AppTest.java
 test-db/log/ext/javac.properties
+test-db/working/settings.xml

java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/diagnostics.expected

@@ -97,7 +97,7 @@
   }
 }
 {
-  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.2:graph` yielded an artifact transfer exception. This means some dependency information will be unavailable, and so some dependencies will be guessed based on Java package names. Consider investigating why this plugin encountered errors retrieving dependencies.",
+  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3:graph` yielded an artifact transfer exception. This means some dependency information will be unavailable, and so some dependencies will be guessed based on Java package names. Consider investigating why this plugin encountered errors retrieving dependencies.",
   "severity": "note",
   "source": {
     "extractorName": "java",

java/ql/integration-tests/java/buildless-maven/maven-fetches.expected

@@ -0,0 +1,77 @@
+Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.14.1/jackson-base-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.14.1/jackson-bom-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/48/oss-parent-48.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3/depgraph-maven-plugin-4.0.3.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3/depgraph-maven-plugin-4.0.3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.11.0/error_prone_annotations-2.11.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.11.0/error_prone_annotations-2.11.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_parent/2.11.0/error_prone_parent-2.11.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/31.1-jre/guava-parent-31.1-jre.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/31.1-jre/guava-31.1-jre.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/net/java/jvnet-parent/3/jvnet-parent-3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/19/apache-19.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/25/apache-25.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/27/apache-27.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-parent/47/commons-parent-47.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-artifact/3.8.6/maven-artifact-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-artifact/3.8.6/maven-artifact-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-model/3.8.6/maven-model-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-model/3.8.6/maven-model-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-parent/35/maven-parent-35.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-parent/37/maven-parent-37.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-plugin-api/3.8.6/maven-plugin-api-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-plugin-api/3.8.6/maven-plugin-api-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven/3.8.6/maven-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-shared-components/37/maven-shared-components-37.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.12.0/checker-qual-3.12.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.12.0/checker-qual-3.12.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.5.2/plexus-classworlds-2.5.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-containers/1.5.5/plexus-containers-1.5.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.0.24/plexus-utils-3.0.24.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.3.1/plexus-utils-3.3.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.3.1/plexus-utils-3.3.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/2.0.7/plexus-2.0.7.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/3.3.1/plexus-3.3.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/4.0/plexus-4.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/5.1/plexus-5.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.5/org.eclipse.sisu.inject-0.3.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.5/org.eclipse.sisu.inject-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.5/org.eclipse.sisu.plexus-0.3.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.5/org.eclipse.sisu.plexus-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/sisu-inject/0.3.5/sisu-inject-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/sisu-plexus/0.3.5/sisu-plexus-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/junit/junit-bom/5.9.1/junit-bom-5.9.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/forge/forge-parent/10/forge-parent-10.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom

java/ql/integration-tests/java/buildless-maven/settings-xml.expected

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<settings>
+    <profiles>
+        <profile>
+            <id>codeql-depgraph-plugin-repo</id>
+            <pluginRepositories>
+                <pluginRepository>
+                    <id>codeql-depgraph-plugin-repo</id>
+                    <name>CodeQL Dependency Graph Plugin Repository</name>
+                    <url>file://[dist-root]/java/tools/ferstl-depgraph-dependencies/</url>
+                </pluginRepository>
+            </pluginRepositories>
+        </profile>
+    </profiles>
+    <activeProfiles>
+        <activeProfile>codeql-depgraph-plugin-repo</activeProfile>
+    </activeProfiles>
+</settings>

java/ql/integration-tests/java/buildless-maven/source_archive.expected

@@ -5,3 +5,4 @@ src/main/resources/page.xml
 src/main/resources/struts.xml
 src/test/java/com/example/AppTest.java
 test-db/log/ext/javac.properties
+test-db/working/settings.xml

java/ql/integration-tests/java/buildless-maven/test.py

@@ -1,7 +1,9 @@
+import os
+import os.path
+
 def test(codeql, java):
-    codeql.database.create(
+    codeql.database.create(build_mode = "none",
         _env={
-            "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
-            "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
+            "_JAVA_OPTIONS": "-Duser.home=" + os.path.join(os.getcwd(), "empty-home")
         }
     )

java/ql/integration-tests/java/buildless-sibling-projects/source_archive.expected

@@ -27,3 +27,4 @@ maven-project-2/src/main/resources/page.xml
 maven-project-2/src/main/resources/struts.xml
 maven-project-2/src/test/java/com/example/AppTest4.java
 test-db/log/ext/javac.properties
+test-db/working/settings.xml

java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp

@@ -5,7 +5,7 @@
 <p>When you set up a web server to receive a request from a client without any mechanism
 for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
 trick a client into making an unintended request to the web server that will be treated as
-an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can 
+an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
 result in exposure of data or unintended code execution.</p>
 </overview>
 
@@ -30,9 +30,9 @@ OWASP:
 </li>
 <li>
 Spring Security Reference:
-<a href="https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf">
-  Cross Site Request Forgery (CSRF) for Servlet Environments
+<a href="https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html">
+  Cross Site Request Forgery (CSRF)
 </a>.
 </li>
 </references>
-</qhelp>
+</qhelp>

python/ql/lib/semmle/python/frameworks/Stdlib.model.yml

@@ -65,6 +65,10 @@ extensions:
       - ["getopt", "Member[getopt]", "Argument[1,shortopts:,2,longopts:]", "ReturnValue.TupleElement[0].ListElement.TupleElement[0]", "taint"]
       # See https://docs.python.org/3/library/gettext.html#gettext.gettext
       - ["gettext", "Member[gettext]", "Argument[0,message:]", "ReturnValue", "taint"]
+      # See 
+      #  - https://docs.python.org/3/library/glob.html#glob.glob
+      #  - https://docs.python.org/3/library/glob.html#glob.iglob
+      - ["glob", "Member[glob,iglob]", "Argument[0,pathname:]", "ReturnValue", "taint"]
       # See https://docs.python.org/3/library/gzip.html#gzip.GzipFile
       - ["gzip.GzipFile!", "Subclass.Call", "Argument[0,filename:]", "ReturnValue", "taint"]
       # See
@@ -88,6 +92,8 @@ extensions:
       - ["nturl2path", "Member[url2pathname]", "Argument[0,url:]", "ReturnValue", "taint"]
       # See https://docs.python.org/3/library/optparse.html#optparse.OptionParser.parse_args
       - ["optparse.OptionParser", "Member[parse_args]", "Argument[0,args:,1,values:]", "ReturnValue.TupleElement[0,1]", "taint"]
+      # See https://docs.python.org/3/library/os.html#os.walk
+      - ["os", "Member[walk]", "Argument[0,top:]", "ReturnValue", "taint"]
       # See https://github.com/python/cpython/blob/3.10/Lib/pathlib.py#L972-L973
       - ["pathlib.Path", ".Member[__enter__]", "Argument[self]", "ReturnValue", "taint"]
       # See https://docs.python.org/3/library/os.html#os.PathLike.__fspath__

python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/UnsafeUnpack.expected

@@ -75,7 +75,7 @@ edges
 | UnsafeUnpack.py:161:19:161:21 | ControlFlowNode for tar | UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar | provenance |  |
 | UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | UnsafeUnpack.py:161:19:161:21 | ControlFlowNode for tar | provenance |  |
 | UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | provenance | Config |
-| UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | provenance | MaD:67 |
+| UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | provenance | MaD:69 |
 | UnsafeUnpack.py:163:23:163:28 | ControlFlowNode for member | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | provenance |  |
 | UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar | UnsafeUnpack.py:163:23:163:28 | ControlFlowNode for member | provenance |  |
 | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | provenance |  |

python/ql/test/experimental/query-tests/Security/CWE-409/DecompressionBombs.expected

@@ -1,23 +1,23 @@
 edges
 | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:11:21:11:29 | ControlFlowNode for file_path | provenance |  |
 | test.py:11:5:11:35 | ControlFlowNode for Attribute() | test.py:11:5:11:52 | ControlFlowNode for Attribute() | provenance | Config |
-| test.py:11:21:11:29 | ControlFlowNode for file_path | test.py:11:5:11:35 | ControlFlowNode for Attribute() | provenance | MaD:83 |
+| test.py:11:21:11:29 | ControlFlowNode for file_path | test.py:11:5:11:35 | ControlFlowNode for Attribute() | provenance | MaD:85 |
 | test.py:11:21:11:29 | ControlFlowNode for file_path | test.py:11:5:11:52 | ControlFlowNode for Attribute() | provenance | Config |
 | test.py:11:21:11:29 | ControlFlowNode for file_path | test.py:12:21:12:29 | ControlFlowNode for file_path | provenance |  |
 | test.py:12:5:12:35 | ControlFlowNode for Attribute() | test.py:12:5:12:48 | ControlFlowNode for Attribute() | provenance | Config |
-| test.py:12:21:12:29 | ControlFlowNode for file_path | test.py:12:5:12:35 | ControlFlowNode for Attribute() | provenance | MaD:83 |
+| test.py:12:21:12:29 | ControlFlowNode for file_path | test.py:12:5:12:35 | ControlFlowNode for Attribute() | provenance | MaD:85 |
 | test.py:12:21:12:29 | ControlFlowNode for file_path | test.py:12:5:12:48 | ControlFlowNode for Attribute() | provenance | Config |
 | test.py:12:21:12:29 | ControlFlowNode for file_path | test.py:14:26:14:34 | ControlFlowNode for file_path | provenance |  |
 | test.py:14:10:14:35 | ControlFlowNode for Attribute() | test.py:15:14:15:29 | ControlFlowNode for Attribute() | provenance | Config |
-| test.py:14:26:14:34 | ControlFlowNode for file_path | test.py:14:10:14:35 | ControlFlowNode for Attribute() | provenance | MaD:83 |
+| test.py:14:26:14:34 | ControlFlowNode for file_path | test.py:14:10:14:35 | ControlFlowNode for Attribute() | provenance | MaD:85 |
 | test.py:14:26:14:34 | ControlFlowNode for file_path | test.py:15:14:15:29 | ControlFlowNode for Attribute() | provenance | Config |
 | test.py:14:26:14:34 | ControlFlowNode for file_path | test.py:18:26:18:34 | ControlFlowNode for file_path | provenance |  |
 | test.py:18:10:18:35 | ControlFlowNode for Attribute() | test.py:19:14:19:39 | ControlFlowNode for Attribute() | provenance | Config |
-| test.py:18:26:18:34 | ControlFlowNode for file_path | test.py:18:10:18:35 | ControlFlowNode for Attribute() | provenance | MaD:83 |
+| test.py:18:26:18:34 | ControlFlowNode for file_path | test.py:18:10:18:35 | ControlFlowNode for Attribute() | provenance | MaD:85 |
 | test.py:18:26:18:34 | ControlFlowNode for file_path | test.py:19:14:19:39 | ControlFlowNode for Attribute() | provenance | Config |
 | test.py:18:26:18:34 | ControlFlowNode for file_path | test.py:22:21:22:29 | ControlFlowNode for file_path | provenance |  |
 | test.py:22:5:22:30 | ControlFlowNode for Attribute() | test.py:22:5:22:60 | ControlFlowNode for Attribute() | provenance | Config |
-| test.py:22:21:22:29 | ControlFlowNode for file_path | test.py:22:5:22:30 | ControlFlowNode for Attribute() | provenance | MaD:83 |
+| test.py:22:21:22:29 | ControlFlowNode for file_path | test.py:22:5:22:30 | ControlFlowNode for Attribute() | provenance | MaD:85 |
 | test.py:22:21:22:29 | ControlFlowNode for file_path | test.py:22:5:22:60 | ControlFlowNode for Attribute() | provenance | Config |
 | test.py:22:21:22:29 | ControlFlowNode for file_path | test.py:24:18:24:26 | ControlFlowNode for file_path | provenance |  |
 | test.py:24:18:24:26 | ControlFlowNode for file_path | test.py:24:5:24:52 | ControlFlowNode for Attribute() | provenance | Config |

rust/ql/src/queries/unusedentities/UnusedValue.ql

@@ -9,7 +9,16 @@
  */
 
 import rust
+import codeql.rust.dataflow.Ssa
+import codeql.rust.dataflow.internal.SsaImpl
+import UnusedVariable
 
-from Locatable e
-where none() // TODO: implement query
-select e, "Variable is assigned a value that is never used."
+from AstNode write, Ssa::Variable v
+where
+  variableWrite(write, v) and
+  // SSA definitions are only created for live writes
+  not write = any(Ssa::WriteDefinition def).getWriteAccess().getAstNode() and
+  // avoid overlap with the unused variable query
+  not isUnused(v) and
+  not v instanceof DiscardVariable
+select write, "Variable is assigned a value that is never used."

rust/ql/src/queries/unusedentities/UnusedVariable.ql

@@ -9,11 +9,8 @@
  */
 
 import rust
+import UnusedVariable
 
 from Variable v
-where
-  not exists(v.getAnAccess()) and
-  not exists(v.getInitializer()) and
-  not v.getName().charAt(0) = "_" and
-  exists(File f | f.getBaseName() = "main.rs" | v.getLocation().getFile() = f) // temporarily severely limit results
+where isUnused(v)
 select v, "Variable is not used."

rust/ql/src/queries/unusedentities/UnusedVariable.qll

@@ -0,0 +1,14 @@
+import rust
+
+/** A deliberately unused variable. */
+class DiscardVariable extends Variable {
+  DiscardVariable() { this.getName().charAt(0) = "_" }
+}
+
+/** Holds if variable `v` is unused. */
+predicate isUnused(Variable v) {
+  not exists(v.getAnAccess()) and
+  not exists(v.getInitializer()) and
+  not v instanceof DiscardVariable and
+  exists(File f | f.getBaseName() = "main.rs" | v.getLocation().getFile() = f) // temporarily severely limit results
+}

rust/ql/test/query-tests/unusedentities/UnreachableCode.expected

@@ -1,14 +1,21 @@
-| unreachable.rs:12:3:12:17 | ExprStmt | This code is never reached. |
-| unreachable.rs:20:3:20:17 | ExprStmt | This code is never reached. |
-| unreachable.rs:32:3:32:17 | ExprStmt | This code is never reached. |
-| unreachable.rs:39:3:39:17 | ExprStmt | This code is never reached. |
-| unreachable.rs:60:2:60:16 | ExprStmt | This code is never reached. |
-| unreachable.rs:106:16:106:23 | ExprStmt | This code is never reached. |
-| unreachable.rs:114:15:114:22 | ExprStmt | This code is never reached. |
-| unreachable.rs:130:2:130:16 | ExprStmt | This code is never reached. |
-| unreachable.rs:140:2:140:16 | ExprStmt | This code is never reached. |
-| unreachable.rs:147:3:147:17 | ExprStmt | This code is never reached. |
-| unreachable.rs:156:4:156:18 | ExprStmt | This code is never reached. |
-| unreachable.rs:162:3:162:17 | ExprStmt | This code is never reached. |
-| unreachable.rs:168:4:168:18 | ExprStmt | This code is never reached. |
-| unreachable.rs:171:2:171:16 | ExprStmt | This code is never reached. |
+| unreachable.rs:13:3:13:17 | ExprStmt | This code is never reached. |
+| unreachable.rs:21:3:21:17 | ExprStmt | This code is never reached. |
+| unreachable.rs:33:3:33:17 | ExprStmt | This code is never reached. |
+| unreachable.rs:40:3:40:17 | ExprStmt | This code is never reached. |
+| unreachable.rs:61:2:61:16 | ExprStmt | This code is never reached. |
+| unreachable.rs:107:16:107:23 | ExprStmt | This code is never reached. |
+| unreachable.rs:115:15:115:22 | ExprStmt | This code is never reached. |
+| unreachable.rs:131:2:131:16 | ExprStmt | This code is never reached. |
+| unreachable.rs:141:2:141:16 | ExprStmt | This code is never reached. |
+| unreachable.rs:148:3:148:17 | ExprStmt | This code is never reached. |
+| unreachable.rs:157:4:157:18 | ExprStmt | This code is never reached. |
+| unreachable.rs:163:3:163:17 | ExprStmt | This code is never reached. |
+| unreachable.rs:169:4:169:18 | ExprStmt | This code is never reached. |
+| unreachable.rs:177:4:177:18 | ExprStmt | This code is never reached. |
+| unreachable.rs:180:2:180:16 | ExprStmt | This code is never reached. |
+| unreachable.rs:197:2:197:16 | ExprStmt | This code is never reached. |
+| unreachable.rs:203:3:203:17 | ExprStmt | This code is never reached. |
+| unreachable.rs:206:2:206:16 | ExprStmt | This code is never reached. |
+| unreachable.rs:218:3:218:17 | ExprStmt | This code is never reached. |
+| unreachable.rs:233:2:233:16 | ExprStmt | This code is never reached. |
+| unreachable.rs:242:2:242:16 | ExprStmt | This code is never reached. |

rust/ql/test/query-tests/unusedentities/UnusedValue.expected

@@ -0,0 +1,35 @@
+| main.rs:6:9:6:9 | a | Variable is assigned a value that is never used. |
+| main.rs:9:9:9:9 | d | Variable is assigned a value that is never used. |
+| main.rs:35:5:35:5 | b | Variable is assigned a value that is never used. |
+| main.rs:37:5:37:5 | c | Variable is assigned a value that is never used. |
+| main.rs:40:5:40:5 | c | Variable is assigned a value that is never used. |
+| main.rs:44:9:44:9 | d | Variable is assigned a value that is never used. |
+| main.rs:50:5:50:5 | e | Variable is assigned a value that is never used. |
+| main.rs:61:5:61:5 | f | Variable is assigned a value that is never used. |
+| main.rs:63:5:63:5 | f | Variable is assigned a value that is never used. |
+| main.rs:65:5:65:5 | g | Variable is assigned a value that is never used. |
+| main.rs:87:9:87:9 | a | Variable is assigned a value that is never used. |
+| main.rs:108:9:108:10 | is | Variable is assigned a value that is never used. |
+| main.rs:133:13:133:17 | total | Variable is assigned a value that is never used. |
+| main.rs:203:13:203:31 | res | Variable is assigned a value that is never used. |
+| main.rs:218:9:218:24 | kind | Variable is assigned a value that is never used. |
+| main.rs:223:9:223:32 | kind | Variable is assigned a value that is never used. |
+| main.rs:280:13:280:17 | total | Variable is assigned a value that is never used. |
+| main.rs:348:5:348:39 | kind | Variable is assigned a value that is never used. |
+| main.rs:370:9:370:9 | x | Variable is assigned a value that is never used. |
+| main.rs:378:17:378:17 | x | Variable is assigned a value that is never used. |
+| main.rs:432:9:432:10 | i6 | Variable is assigned a value that is never used. |
+| more.rs:8:9:8:13 | times | Variable is assigned a value that is never used. |
+| more.rs:9:9:9:14 | unused | Variable is assigned a value that is never used. |
+| more.rs:21:9:21:14 | unused | Variable is assigned a value that is never used. |
+| more.rs:38:23:38:25 | val | Variable is assigned a value that is never used. |
+| more.rs:42:19:42:21 | val | Variable is assigned a value that is never used. |
+| more.rs:58:9:58:11 | val | Variable is assigned a value that is never used. |
+| more.rs:80:9:80:14 | a_ptr4 | Variable is assigned a value that is never used. |
+| more.rs:95:9:95:13 | d_ptr | Variable is assigned a value that is never used. |
+| more.rs:101:9:101:17 | f_ptr | Variable is assigned a value that is never used. |
+| unreachable.rs:166:6:166:6 | x | Variable is assigned a value that is never used. |
+| unreachable.rs:190:14:190:14 | a | Variable is assigned a value that is never used. |
+| unreachable.rs:199:9:199:9 | a | Variable is assigned a value that is never used. |
+| unreachable.rs:210:11:210:11 | a | Variable is assigned a value that is never used. |
+| unreachable.rs:217:6:217:6 | a | Variable is assigned a value that is never used. |

rust/ql/test/query-tests/unusedentities/UnusedVariable.expected

@@ -6,17 +6,17 @@
 | main.rs:201:9:201:9 | x | Variable is not used. |
 | main.rs:250:17:250:17 | a | Variable is not used. |
 | main.rs:258:20:258:22 | val | Variable is not used. |
-| main.rs:271:14:271:16 | val | Variable is not used. |
-| main.rs:288:22:288:24 | val | Variable is not used. |
-| main.rs:296:24:296:26 | val | Variable is not used. |
-| main.rs:305:13:305:15 | num | Variable is not used. |
-| main.rs:320:12:320:12 | j | Variable is not used. |
-| main.rs:342:25:342:25 | y | Variable is not used. |
-| main.rs:346:28:346:28 | a | Variable is not used. |
-| main.rs:350:9:350:9 | p | Variable is not used. |
-| main.rs:365:9:365:13 | right | Variable is not used. |
-| main.rs:371:9:371:14 | right2 | Variable is not used. |
-| main.rs:378:13:378:13 | y | Variable is not used. |
-| main.rs:386:21:386:21 | y | Variable is not used. |
-| main.rs:434:27:434:29 | val | Variable is not used. |
-| main.rs:437:22:437:24 | acc | Variable is not used. |
+| main.rs:272:14:272:16 | val | Variable is not used. |
+| main.rs:287:22:287:24 | val | Variable is not used. |
+| main.rs:294:24:294:26 | val | Variable is not used. |
+| main.rs:302:13:302:15 | num | Variable is not used. |
+| main.rs:317:12:317:12 | j | Variable is not used. |
+| main.rs:337:25:337:25 | y | Variable is not used. |
+| main.rs:340:28:340:28 | a | Variable is not used. |
+| main.rs:343:9:343:9 | p | Variable is not used. |
+| main.rs:358:9:358:13 | right | Variable is not used. |
+| main.rs:364:9:364:14 | right2 | Variable is not used. |
+| main.rs:371:13:371:13 | y | Variable is not used. |
+| main.rs:379:21:379:21 | y | Variable is not used. |
+| main.rs:427:27:427:29 | val | Variable is not used. |
+| main.rs:430:22:430:24 | acc | Variable is not used. |

rust/ql/test/query-tests/unusedentities/main.rs

@@ -3,10 +3,10 @@
 // --- locals ---
 
 fn locals_1() {
-    let a = 1; // BAD: unused value [NOT DETECTED]
+    let a = 1; // BAD: unused value
     let b = 1;
     let c = 1;
-    let d = String::from("a"); // BAD: unused value [NOT DETECTED]
+    let d = String::from("a"); // BAD: unused value
     let e = String::from("b");
     let f = 1;
     let _ = 1; // (deliberately unused)
@@ -32,22 +32,22 @@ fn locals_2() {
     let h: i32;
     let i: i32;
 
-    b = 1; // BAD: unused value [NOT DETECTED]
+    b = 1; // BAD: unused value
 
-    c = 1; // BAD: unused value [NOT DETECTED]
+    c = 1; // BAD: unused value
     c = 2;
     println!("use {}", c);
-    c = 3; // BAD: unused value [NOT DETECTED]
+    c = 3; // BAD: unused value
 
     d = 1;
     if cond() {
-        d = 2; // BAD: unused value [NOT DETECTED]
+        d = 2; // BAD: unused value
         d = 3;
     } else {
     }
     println!("use {}", d);
 
-    e = 1; // BAD: unused value [NOT DETECTED]
+    e = 1; // BAD: unused value
     if cond() {
         e = 2;
     } else {
@@ -58,16 +58,16 @@ fn locals_2() {
     f = 1;
     f += 1;
     println!("use {}", f);
-    f += 1; // BAD: unused value [NOT DETECTED]
+    f += 1; // BAD: unused value
     f = 1;
-    f += 1; // BAD: unused value [NOT DETECTED]
+    f += 1; // BAD: unused value
 
-    g = if cond() { 1 } else { 2 }; // BAD: unused value (x2) [NOT DETECTED]
+    g = if cond() { 1 } else { 2 }; // BAD: unused value
     h = if cond() { 3 } else { 4 };
     i = if cond() { h } else { 5 };
     println!("use {}", i);
 
-    _ = 1; // (deliberately unused) [NOT DETECTED]
+    _ = 1; // GOOD (deliberately unused)
 }
 
 // --- structs ---
@@ -84,7 +84,7 @@ impl MyStruct {
 }
 
 fn structs() {
-    let a = MyStruct { val: 1 }; // BAD: unused value [NOT DETECTED]
+    let a = MyStruct { val: 1 }; // BAD: unused value
     let b = MyStruct { val: 2 };
     let c = MyStruct { val: 3 };
     let mut d: MyStruct; // BAD: unused variable
@@ -105,7 +105,7 @@ fn structs() {
 // --- arrays ---
 
 fn arrays() {
-    let is = [1, 2, 3]; // BAD: unused values (x3) [NOT DETECTED]
+    let is = [1, 2, 3]; // BAD: unused value
     let js = [1, 2, 3];
     let ks = [1, 2, 3];
 
@@ -130,7 +130,7 @@ fn statics() {
     static mut STAT4: i32 = 0; // BAD: unused value [NOT DETECTED]
 
     unsafe {
-        let total = CON1 + STAT1 + STAT3;
+        let total = CON1 + STAT1 + STAT3; // BAD: unused value
     }
 }
 
@@ -200,7 +200,7 @@ fn loops() {
 
     for x // SPURIOUS: unused variable
     in 1..10 {
-        _ = format!("x is {x}");
+        _ = format!("x is {x}"); // SPURIOUS: unused value `res`
     }
 
     for x
@@ -215,12 +215,12 @@ fn loops() {
 
     for x
     in 1..10 {
-        assert_eq!(x, 1);
+        assert_eq!(x, 1); // SPURIOUS: unused value `kind`
     }
 
     for x
     in 1..10 {
-        assert_eq!(id(x), id(1));
+        assert_eq!(id(x), id(1)); // SPURIOUS: unused value `kind`
     }
 
 }
@@ -255,7 +255,8 @@ fn if_lets_matches() {
     }
 
     let mut next = Some(30);
-    while let Some(val) = next // BAD: unused variable
+    while let Some(val) = // BAD: unused variable
+        next
     {
         next = None;
     }
@@ -270,25 +271,22 @@ fn if_lets_matches() {
     match c {
         Some(val) => { // BAD: unused variable
         }
-        None => {
-        }
+        None => {}
     }
 
     let d = Some(70);
     match d {
         Some(val) => {
-            total += val;
-        }
-        None => {
+            total += val; // BAD: unused value
         }
+        None => {}
     }
 
     let e = Option::Some(80);
     match e {
         Option::Some(val) => { // BAD: unused variable
         }
-        Option::None => {
-        }
+        Option::None => {}
     }
 
     let f = MyOption::Some(90);
@@ -298,10 +296,9 @@ fn if_lets_matches() {
         MyOption::None => {}
     }
 
-    let g : Result<i64, i64> = Ok(100);
+    let g: Result<i64, i64> = Ok(100);
     match g {
-        Ok(_) => {
-        }
+        Ok(_) => {}
         Err(num) => {} // BAD: unused variable
     }
 
@@ -327,8 +324,7 @@ fn if_lets_matches() {
     }
 
     let l = Yes;
-    if let Yes = l {
-    }
+    if let Yes = l {}
 
     match 1 {
         1 => {}
@@ -337,22 +333,19 @@ fn if_lets_matches() {
 
     let p1 = MyPoint { x: 1, y: 2 };
     match p1 {
-        MyPoint { x: 0, y: 0 } => {
-        }
+        MyPoint { x: 0, y: 0 } => {}
         MyPoint { x: 1, y } => { // BAD: unused variable
         }
-        MyPoint { x: 2, y: _ } => {
-        }
+        MyPoint { x: 2, y: _ } => {}
         MyPoint { x: 3, y: a } => { // BAD: unused variable
         }
-        MyPoint { x: 4, .. } => {
-        }
+        MyPoint { x: 4, .. } => {}
         p => { // BAD: unused variable
         }
     }
 
     let duration1 = std::time::Duration::new(10, 0); // ten seconds
-    assert_eq!(duration1.as_secs(), 10);
+    assert_eq!(duration1.as_secs(), 10); // SPURIOUS: unused value `kind`
 
     let duration2:Result<std::time::Duration, String> =
         Ok(std::time::Duration::new(10, 0));
@@ -374,7 +367,7 @@ fn if_lets_matches() {
 }
 
 fn shadowing() -> i32 {
-    let x = 1; // BAD: unused value [NOT DETECTED]
+    let x = 1; // BAD: unused value
     let mut y: i32; // BAD: unused variable
 
     {
@@ -382,7 +375,7 @@ fn shadowing() -> i32 {
         let mut y: i32;
 
         {
-            let x = 3; // BAD: unused value [NOT DETECTED]
+            let x = 3; // BAD: unused value
             let mut y: i32; // BAD: unused variable
         }
 
@@ -436,7 +429,7 @@ fn folds_and_closures() {
     let a5 = 1..10;
     _ = a5.fold(0, | acc, val | val); // BAD: unused variable
 
-    let i6 = 1;
+    let i6 = 1; // SPURIOUS: unused value
     let a6 = 1..10;
     _ = a6.fold(0, | acc, val | acc + val + i6);
 }
@@ -449,16 +442,21 @@ fn main() {
     structs();
     arrays();
     statics();
-	println!("lets use result {}", parameters(1, 2, 3));
+    println!("lets use result {}", parameters(1, 2, 3));
     loops();
     if_lets_matches();
     shadowing();
     func_ptrs();
     folds_and_closures();
 
-	unreachable_if();
-	unreachable_panic();
-	unreachable_match();
-	unreachable_loop();
-	unreachable_paren();
+    unreachable_if_1();
+    unreachable_panic();
+    unreachable_match();
+    unreachable_loop();
+    unreachable_paren();
+    unreachable_let_1();
+    unreachable_let_2();
+    unreachable_if_2();
+    unreachable_if_3();
+
 }

rust/ql/test/query-tests/unusedentities/more.rs

@@ -0,0 +1,119 @@
+
+
+// --- traits ---
+
+trait Incrementable {
+    fn increment(
+        &mut self,
+        times: i32, // SPURIOUS: unused value
+        unused: i32 // SPURIOUS: unused value
+    );
+}
+
+struct MyValue {
+    value: i32,
+}
+
+impl Incrementable for MyValue {
+    fn increment(
+        &mut self,
+        times: i32,
+        unused: i32 // BAD: unused variable [NOT DETECTED] SPURIOUS: unused value
+    ) {
+        self.value += times;
+    }
+}
+
+fn traits() {
+    let mut i = MyValue { value: 0 };
+    let a = 1;
+    let b = 2;
+
+    i.increment(a, b);
+}
+
+// --- generics ---
+
+trait MySettable<T> {
+    fn set(&mut self, val: T); // SPURIOUS: unused value
+}
+
+trait MyGettable<T> {
+    fn get(&self, val: T) -> &T; // SPURIOUS: unused value
+}
+
+struct MyContainer<T> {
+    val: T
+}
+
+impl<T> MySettable<T> for MyContainer<T> {
+    fn set(&mut self, val: T) {
+        self.val = val;
+    }
+}
+
+impl<T> MyGettable<T> for MyContainer<T> {
+    fn get(
+        &self,
+        val: T // BAD: unused variable [NOT DETECTED] SPURIOUS: unused value
+    ) -> &T {
+        return &(self.val);
+    }
+}
+
+fn generics() {
+    let mut a = MyContainer { val: 1 }; // BAD: unused value [NOT DETECTED]
+    let b = MyContainer { val: 2 };
+
+    a.set(
+        *b.get(3)
+    );
+}
+
+// --- pointers ---
+
+fn pointers() {
+    let a = 1;
+    let a_ptr1 = &a;
+    let a_ptr2 = &a;
+    let a_ptr3 = &a; // BAD: unused value [NOT DETECTED]
+    let a_ptr4 = &a; // BAD: unused value
+    println!("{}", *a_ptr1);
+    println!("{}", a_ptr2);
+    println!("{}", &a_ptr3);
+
+    let b = 2; // BAD: unused value [NOT DETECTED]
+    let b_ptr = &b;
+    println!("{}", b_ptr);
+
+    let c = 3;
+    let c_ptr = &c;
+    let c_ptr_ptr = &c_ptr;
+    println!("{}", **c_ptr_ptr);
+
+    let d = 4;
+    let d_ptr = &d; // BAD: unused value
+    let d_ptr_ptr = &&d;
+    println!("{}", **d_ptr_ptr);
+
+    let e = 5; // BAD: unused value [NOT DETECTED]
+    let f = 6;
+    let mut f_ptr = &e; // BAD: unused value
+    f_ptr = &f;
+    println!("{}", *f_ptr);
+
+    let mut g = 7; // BAD: unused value [NOT DETECTED]
+    let g_ptr = &mut g;
+    *g_ptr = 77; // BAD: unused value [NOT DETECTED]
+
+    let mut h = 8; // BAD: unused value [NOT DETECTED]
+    let h_ptr = &mut h;
+    *h_ptr = 88;
+    println!("{}", h);
+
+    let mut i = 9; // BAD: unused value [NOT DETECTED]
+    let i_ptr = &mut i;
+    *i_ptr = 99;
+    let i_ptr2 = &mut i;
+    println!("{}", *i_ptr2);
+}

rust/ql/test/query-tests/unusedentities/unreachable.rs

@@ -1,13 +1,14 @@
 
 //fn cond() -> bool;
 //fn get_a_number() -> i32;
+//fn maybe_get_a_number() -> Option<i32>;
 
 // --- unreachable code --
 
 fn do_something() {
 }
 
-fn unreachable_if() {
+fn unreachable_if_1() {
 	if false {
 		do_something(); // BAD: unreachable code
 	} else {
@@ -162,6 +163,14 @@ fn unreachable_loop() {
 		do_something(); // BAD: unreachable code
 	}
 
+	for x in 1..10 {
+		if cond() {
+			continue;
+			do_something(); // BAD: unreachable code
+		}
+		do_something();
+	}
+
 	loop {
 		if cond() {
 			return;
@@ -176,3 +185,59 @@ fn unreachable_loop() {
 fn unreachable_paren() {
 	let _ = (((1)));
 }
+
+fn unreachable_let_1() {
+	if let Some(a) = maybe_get_a_number() {
+		do_something();
+		return;
+	} else {
+		do_something();
+	}
+
+	do_something(); // SPURIOUS: unreachable code
+
+	if let a = get_a_number() { // (always succeeds)
+		do_something();
+		return;
+	} else {
+		do_something(); // BAD: unreachable code
+	}
+
+	do_something(); // BAD: unreachable code
+}
+
+fn unreachable_let_2() {
+	let Some(a) = maybe_get_a_number() else {
+		do_something();
+		return;
+	};
+
+	do_something();
+
+	let a = maybe_get_a_number() else { // (always succeeds)
+		do_something(); // BAD: unreachable code
+		return;
+	};
+
+	do_something();
+}
+
+fn unreachable_if_2() {
+	if cond() {
+		do_something();
+		return;
+	} else {
+		do_something();
+	}
+
+	do_something(); // SPURIOUS: unreachable code
+}
+
+fn unreachable_if_3() {
+	if !cond() {
+		do_something();
+		return;
+	}
+
+	do_something(); // SPURIOUS: unreachable code
+}

shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll

@@ -224,6 +224,13 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
           hasFilteredSource()
         )
       }
+
+      bindingset[source, sink]
+      pragma[inline_late]
+      predicate isRelevantSourceSinkPair(Node source, Node sink) {
+        isFilteredSource(source) or
+        isFilteredSink(sink)
+      }
     }
 
     private import SourceSinkFiltering
@@ -3511,6 +3518,17 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
              * included in the module `PathGraph`.
              */
             predicate flowPath(PathNode source, PathNode sink) {
+              (
+                // When there are both sources and sinks in the diff range,
+                // diff-informed dataflow falls back to computing all paths without
+                // any filtering. To prevent significant alert flip-flopping due to
+                // minor code changes triggering the fallback, we consistently apply
+                // source-or-sink filtering here to ensure that we return the same
+                // paths regardless of whether the fallback is triggered.
+                if Config::observeDiffInformedIncrementalMode()
+                then isRelevantSourceSinkPair(source.getNode(), sink.getNode())
+                else any()
+              ) and
               exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
                 source = flowsource and sink = flowsink
               |