Merge branch 'main' into java/experimental/command-injection

2025-12-24 04:36:35 +01:00 · 2023-07-18 11:38:44 +01:00
parent bfbb77a796 1deacf40ca
commit c7084b6d8e
742 changed files with 16406 additions and 3426 deletions
--- a/java/ql/integration-tests/all-platforms/kotlin/file_classes/A.kt
+++ b/java/ql/integration-tests/all-platforms/kotlin/file_classes/A.kt
@@ -0,0 +1,2 @@
+fun a() {
+}
--- a/java/ql/integration-tests/all-platforms/kotlin/file_classes/B.kt
+++ b/java/ql/integration-tests/all-platforms/kotlin/file_classes/B.kt
@@ -0,0 +1,3 @@
+fun b() {
+    a()
+}
--- a/java/ql/integration-tests/all-platforms/kotlin/file_classes/C.kt
+++ b/java/ql/integration-tests/all-platforms/kotlin/file_classes/C.kt
@@ -0,0 +1,3 @@
+class C {
+    fun c() {}
+}
--- a/java/ql/integration-tests/all-platforms/kotlin/file_classes/classes.expected
+++ b/java/ql/integration-tests/all-platforms/kotlin/file_classes/classes.expected
@@ -0,0 +1,3 @@
+| AKt.class:0:0:0:0 | AKt | true |
+| B.kt:0:0:0:0 | BKt | true |
+| C.kt:1:1:3:1 | C | false |
--- a/java/ql/integration-tests/all-platforms/kotlin/file_classes/classes.ql
+++ b/java/ql/integration-tests/all-platforms/kotlin/file_classes/classes.ql
@@ -0,0 +1,5 @@
+import java
+
+from Class c
+where exists(c.getLocation().getFile().getRelativePath())
+select c, any(boolean b | if c.isFileClass() then b = true else b = false)
--- a/java/ql/integration-tests/all-platforms/kotlin/file_classes/test.py
+++ b/java/ql/integration-tests/all-platforms/kotlin/file_classes/test.py
@@ -0,0 +1,4 @@
+from create_database_utils import *
+
+runSuccessfully([get_cmd("kotlinc"), 'A.kt'])
+run_codeql_database_create(['kotlinc -cp . B.kt C.kt'], lang="java")
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,29 @@
+## 0.7.0
+
+### Deprecated APIs
+
+* The `ExecCallable` class in `ExternalProcess.qll` has been deprecated.
+
+### Major Analysis Improvements
+
+* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
+
+### Minor Analysis Improvements
+
+* Added automatically-generated dataflow models for `javax.portlet`.
+* Added a missing summary model for the method `java.net.URL.toString`.
+* Added automatically-generated dataflow models for the following frameworks and libraries:
+  * `hudson`
+  * `jenkins`
+  * `net.sf.json`
+  * `stapler`
+* Added more models for the Hudson framework.
+* Added more models for the Stapler framework.
+
+## 0.6.4
+
+No user-facing changes.
+
 ## 0.6.3

 ### New Features
--- a/java/ql/lib/change-notes/2023-04-19-deprecated-execcallable.md
+++ b/java/ql/lib/change-notes/2023-04-19-deprecated-execcallable.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The `ExecCallable` class in `ExternalProcess.qll` has been deprecated.
--- a/java/ql/lib/change-notes/2023-05-22-hudson-models.md
+++ b/java/ql/lib/change-notes/2023-05-22-hudson-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added more models for the Hudson framework.
--- a/java/ql/lib/change-notes/2023-05-22-stapler-models.md
+++ b/java/ql/lib/change-notes/2023-05-22-stapler-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added more models for the Stapler framework.
--- a/java/ql/lib/change-notes/2023-06-08-new-models.md
+++ b/java/ql/lib/change-notes/2023-06-08-new-models.md
@@ -0,0 +1,14 @@
+---
+category: minorAnalysis
+---
+* Added models for the following packages:
+
+  * java.io
+  * java.lang
+  * java.net
+  * java.nio.channels
+  * java.nio.file
+  * java.util.zip
+  * okhttp3
+  * org.gradle.api.file
+  * retrofit2
--- a/java/ql/lib/change-notes/2023-06-08-type-strengthening.md
+++ b/java/ql/lib/change-notes/2023-06-08-type-strengthening.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
--- a/java/ql/lib/change-notes/2023-06-14-jenkins-autogenerated-models.md
+++ b/java/ql/lib/change-notes/2023-06-14-jenkins-autogenerated-models.md
@@ -1,8 +0,0 @@
---
-category: minorAnalysis
---
-* Added automatically-generated dataflow models for the following frameworks and libraries:
-  * `hudson`
-  * `jenkins`
-  * `net.sf.json`
-  * `stapler`
--- a/java/ql/lib/change-notes/2023-06-22-url-tostring-model.md
+++ b/java/ql/lib/change-notes/2023-06-22-url-tostring-model.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added a missing summary model for the method `java.net.URL.toString`.
--- a/java/ql/lib/change-notes/2023-07-10-kotlin-apply.md
+++ b/java/ql/lib/change-notes/2023-07-10-kotlin-apply.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for the Kotlin method `apply`.
--- a/java/ql/lib/change-notes/2023-07-11-file-classes.md
+++ b/java/ql/lib/change-notes/2023-07-11-file-classes.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* A `Class.isFileClass()` predicate, to identify Kotlin file classes, has been added.
--- a/java/ql/lib/change-notes/2023-07-12-apache-commons-lang3-tostringbuilder.md
+++ b/java/ql/lib/change-notes/2023-07-12-apache-commons-lang3-tostringbuilder.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added models for Apache Commons Lang3 `ToStringBuilder.reflectionToString` method.
--- a/java/ql/lib/change-notes/2023-07-12-default-stateconfigsig-predicates.md
+++ b/java/ql/lib/change-notes/2023-07-12-default-stateconfigsig-predicates.md
@@ -0,0 +1,6 @@
+---
+category: feature
+---
+* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. 
+  Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+  
--- a/java/ql/lib/change-notes/released/0.6.4.md
+++ b/java/ql/lib/change-notes/released/0.6.4.md
@@ -0,0 +1,3 @@
+## 0.6.4
+
+No user-facing changes.
--- a/java/ql/lib/change-notes/released/0.7.0.md
+++ b/java/ql/lib/change-notes/released/0.7.0.md
@@ -0,0 +1,21 @@
+## 0.7.0
+
+### Deprecated APIs
+
+* The `ExecCallable` class in `ExternalProcess.qll` has been deprecated.
+
+### Major Analysis Improvements
+
+* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
+
+### Minor Analysis Improvements
+
+* Added automatically-generated dataflow models for `javax.portlet`.
+* Added a missing summary model for the method `java.net.URL.toString`.
+* Added automatically-generated dataflow models for the following frameworks and libraries:
+  * `hudson`
+  * `jenkins`
+  * `net.sf.json`
+  * `stapler`
+* Added more models for the Hudson framework.
+* Added more models for the Stapler framework.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.3
+lastReleaseVersion: 0.7.0
--- a/java/ql/lib/ext/android.webkit.model.yml
+++ b/java/ql/lib/ext/android.webkit.model.yml
@@ -3,13 +3,13 @@ extensions:
      pack: codeql/java-all
      extensible: sourceModel
    data:
-      - ["android.webkit", "WebView", False, "getOriginalUrl", "()", "", "ReturnValue", "remote", "manual"]
-      - ["android.webkit", "WebView", False, "getUrl", "()", "", "ReturnValue", "remote", "manual"]
+      - ["android.webkit", "WebView", True, "getOriginalUrl", "()", "", "ReturnValue", "remote", "manual"]
+      - ["android.webkit", "WebView", True, "getUrl", "()", "", "ReturnValue", "remote", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      # Models representing methods susceptible to XSS attacks.
-      - ["android.webkit", "WebView", False, "evaluateJavascript", "", "", "Argument[0]", "js-injection", "manual"]
-      - ["android.webkit", "WebView", False, "loadData", "", "", "Argument[0]", "html-injection", "manual"]
-      - ["android.webkit", "WebView", False, "loadDataWithBaseURL", "", "", "Argument[1]", "html-injection", "manual"]
+      - ["android.webkit", "WebView", True, "evaluateJavascript", "", "", "Argument[0]", "js-injection", "manual"]
+      - ["android.webkit", "WebView", True, "loadData", "", "", "Argument[0]", "html-injection", "manual"]
+      - ["android.webkit", "WebView", True, "loadDataWithBaseURL", "", "", "Argument[1]", "html-injection", "manual"]
--- a/java/ql/lib/ext/generated/javax.portlet.model.yml
+++ b/java/ql/lib/ext/generated/javax.portlet.model.yml
@@ -0,0 +1,190 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Definitions of models for the Java Portlet framework.
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["javax.portlet.filter", "ActionRequestWrapper", true, "ActionRequestWrapper", "(ActionRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ActionRequestWrapper", true, "setRequest", "(ActionRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ActionResponseWrapper", true, "ActionResponseWrapper", "(ActionResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ActionResponseWrapper", true, "setResponse", "(ActionResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "EventRequestWrapper", true, "EventRequestWrapper", "(EventRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "EventRequestWrapper", true, "setRequest", "(EventRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "EventResponseWrapper", true, "EventResponseWrapper", "(EventResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "EventResponseWrapper", true, "setResponse", "(EventResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletRequestWrapper", true, "PortletRequestWrapper", "(PortletRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletRequestWrapper", true, "getRequest", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletRequestWrapper", true, "setRequest", "(PortletRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletResponseWrapper", true, "PortletResponseWrapper", "(PortletResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletResponseWrapper", true, "getResponse", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletResponseWrapper", true, "setResponse", "(PortletResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "RenderRequestWrapper", true, "RenderRequestWrapper", "(RenderRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "RenderRequestWrapper", true, "setRequest", "(RenderRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "RenderResponseWrapper", true, "RenderResponseWrapper", "(RenderResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "RenderResponseWrapper", true, "setResponse", "(RenderResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ResourceRequestWrapper", true, "ResourceRequestWrapper", "(ResourceRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ResourceRequestWrapper", true, "setRequest", "(ResourceRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ResourceResponseWrapper", true, "ResourceResponseWrapper", "(ResourceResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ResourceResponseWrapper", true, "setResponse", "(ResourceResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "GenericPortlet", true, "getPortletConfig", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "Portlet", true, "init", "(PortletConfig)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletException", true, "PortletException", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletException", true, "PortletException", "(String,Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletException", true, "PortletException", "(String,Throwable)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletMode", true, "PortletMode", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletMode", true, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,PortletMode)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,PortletMode)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,Throwable,PortletMode)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,Throwable,PortletMode)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,Throwable,PortletMode)", "", "Argument[2]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(Throwable,PortletMode)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "getMode", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "PortletSecurityException", true, "PortletSecurityException", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletSecurityException", true, "PortletSecurityException", "(String,Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletSecurityException", true, "PortletSecurityException", "(String,Throwable)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletSessionUtil", true, "decodeAttributeName", "(String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "ReadOnlyException", true, "ReadOnlyException", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ReadOnlyException", true, "ReadOnlyException", "(String,Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ReadOnlyException", true, "ReadOnlyException", "(String,Throwable)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "UnavailableException", true, "UnavailableException", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "UnavailableException", true, "UnavailableException", "(String,int)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Collection)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Collection)", "", "Argument[1].Element", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Throwable,Collection)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Throwable,Collection)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Throwable,Collection)", "", "Argument[2].Element", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(Throwable,Collection)", "", "Argument[1].Element", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "getFailedKeys", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "WindowState", true, "WindowState", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowState", true, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,Throwable,WindowState)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,Throwable,WindowState)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,Throwable,WindowState)", "", "Argument[2]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,WindowState)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,WindowState)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(Throwable,WindowState)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "getState", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["javax.portlet", "ActionResponse", "sendRedirect", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "ActionResponse", "sendRedirect", "(String,String)", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getCharacterEncoding", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getContentLength", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getContentType", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getMethod", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getPortletInputStream", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getReader", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "setCharacterEncoding", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "EventPortlet", "processEvent", "(EventRequest,EventResponse)", "summary", "df-generated"]
+      - ["javax.portlet", "EventRequest", "getEvent", "()", "summary", "df-generated"]
+      - ["javax.portlet", "EventRequest", "getMethod", "()", "summary", "df-generated"]
+      - ["javax.portlet", "EventResponse", "setRenderParameters", "(EventRequest)", "summary", "df-generated"]
+      - ["javax.portlet", "GenericPortlet", "init", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "createActionURL", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "createRenderURL", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "createResourceURL", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "flushBuffer", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getBufferSize", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getCacheControl", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getCharacterEncoding", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getContentType", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getLocale", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getPortletOutputStream", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getWriter", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "isCommitted", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "reset", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "resetBuffer", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "setBufferSize", "(int)", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "setContentType", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "Portlet", "destroy", "()", "summary", "df-generated"]
+      - ["javax.portlet", "Portlet", "processAction", "(ActionRequest,ActionResponse)", "summary", "df-generated"]
+      - ["javax.portlet", "Portlet", "render", "(RenderRequest,RenderResponse)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getContainerRuntimeOptions", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getDefaultNamespace", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getInitParameter", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getInitParameterNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getPortletContext", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getPortletName", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getProcessingEventQNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getPublicRenderParameterNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getPublishingEventQNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getResourceBundle", "(Locale)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getSupportedLocales", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletException", "PortletException", "(Throwable)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest$P3PUserInfos", "toString", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getAttribute", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getAttributeNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getAuthType", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getContextPath", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getCookies", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getLocale", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getLocales", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getParameter", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getParameterNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getParameterValues", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPortalContext", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPortletMode", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPortletSession", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPortletSession", "(boolean)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPreferences", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPrivateParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getProperties", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getProperty", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPropertyNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPublicParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getRemoteUser", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getRequestedSessionId", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getResponseContentType", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getResponseContentTypes", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getScheme", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getServerName", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getServerPort", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getUserPrincipal", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getWindowID", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getWindowState", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isPortletModeAllowed", "(PortletMode)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isRequestedSessionIdValid", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isSecure", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isUserInRole", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isWindowStateAllowed", "(WindowState)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "removeAttribute", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "setAttribute", "(String,Object)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "addProperty", "(Cookie)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "addProperty", "(String,Element)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "addProperty", "(String,String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "createElement", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "encodeURL", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "getNamespace", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "setProperty", "(String,String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletSecurityException", "PortletSecurityException", "(Throwable)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletSessionUtil", "decodeScope", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "ReadOnlyException", "ReadOnlyException", "(Throwable)", "summary", "df-generated"]
+      - ["javax.portlet", "RenderRequest", "getETag", "()", "summary", "df-generated"]
+      - ["javax.portlet", "RenderResponse", "setNextPossiblePortletModes", "(Collection)", "summary", "df-generated"]
+      - ["javax.portlet", "RenderResponse", "setTitle", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceRequest", "getCacheability", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceRequest", "getETag", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceRequest", "getPrivateRenderParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceRequest", "getResourceID", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceResponse", "setCharacterEncoding", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceResponse", "setContentLength", "(int)", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceResponse", "setLocale", "(Locale)", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceServingPortlet", "serveResource", "(ResourceRequest,ResourceResponse)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "getPortletMode", "()", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "getRenderParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "getWindowState", "()", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "removePublicRenderParameter", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setEvent", "(QName,Serializable)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setEvent", "(String,Serializable)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setPortletMode", "(PortletMode)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setRenderParameter", "(String,String)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setRenderParameter", "(String,String[])", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setRenderParameters", "(Map)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setWindowState", "(WindowState)", "summary", "df-generated"]
+      - ["javax.portlet", "UnavailableException", "getUnavailableSeconds", "()", "summary", "df-generated"]
+      - ["javax.portlet", "UnavailableException", "isPermanent", "()", "summary", "df-generated"]
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -7,6 +7,7 @@ extensions:
      - ["java.io", "File", False, "File", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
      - ["java.io", "File", False, "File", "(String,String)", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
      - ["java.io", "File", False, "File", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
+      - ["java.io", "File", True, "createNewFile", "()", "", "Argument[this]", "path-injection", "ai-manual"]
      - ["java.io", "File", True, "createTempFile", "(String,String,File)", "", "Argument[2]", "path-injection", "ai-manual"]
      - ["java.io", "File", True, "renameTo", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.io", "FileInputStream", True, "FileInputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
@@ -123,7 +124,6 @@ extensions:
      - ["java.io", "DataInput", "readLong", "()", "summary", "manual"]        # taint-numeric
      - ["java.io", "DataOutput", "writeInt", "(int)", "summary", "manual"]    # taint-numeric
      - ["java.io", "DataOutput", "writeLong", "(long)", "summary", "manual"]  # taint-numeric
-
      # sink neutrals
      - ["java.io", "File", "compareTo", "", "sink", "hq-manual"]
      - ["java.io", "File", "exists", "()", "sink", "hq-manual"]
--- a/java/ql/lib/ext/java.lang.model.yml
+++ b/java/ql/lib/ext/java.lang.model.yml
@@ -47,6 +47,7 @@ extensions:
      - ["java.lang", "AbstractStringBuilder", True, "AbstractStringBuilder", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["java.lang", "AbstractStringBuilder", True, "append", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
      - ["java.lang", "AbstractStringBuilder", True, "append", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.lang", "ProcessBuilder", False, "environment", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
      # When `WithoutElement` is implemented for Java, `java.lang.AbstractStringBuilder#delete` might require a `taint` step of the form `Argument[this].WithoutElement -> Argument[this]` in addition to the below `value` step.
      - ["java.lang", "AbstractStringBuilder", True, "delete", "(int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
      - ["java.lang", "AbstractStringBuilder", True, "getChars", "", "", "Argument[this]", "Argument[2]", "taint", "manual"]
@@ -136,7 +137,6 @@ extensions:
      - ["java.lang", "Throwable", True, "getLocalizedMessage", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
      - ["java.lang", "Throwable", True, "toString", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "taint", "manual"]
      - ["java.lang", "UnsupportedOperationException", False, "UnsupportedOperationException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
-
  - addsTo:
      pack: codeql/java-all
      extensible: neutralModel
--- a/java/ql/lib/ext/java.net.model.yml
+++ b/java/ql/lib/ext/java.net.model.yml
@@ -43,6 +43,8 @@ extensions:
      - ["java.net", "URI", False, "toASCIIString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.net", "URI", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.net", "URI", False, "toURL", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.net", "URL", False, "getFile", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
+      - ["java.net", "URL", False, "getPath", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
      - ["java.net", "URL", False, "URL", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
      - ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[1]", "Argument[this]", "taint", "ai-manual"]
--- a/java/ql/lib/ext/java.nio.channels.model.yml
+++ b/java/ql/lib/ext/java.nio.channels.model.yml
@@ -5,3 +5,11 @@ extensions:
    data:
      - ["java.nio.channels", "Channels", False, "newChannel", "(InputStream)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
      - ["java.nio.channels", "ReadableByteChannel", True, "read", "(ByteBuffer)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.nio.channels", "FileChannel", False, "open", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.nio.channels", "FileChannel", False, "open", "(Path,Set,FileAttribute[])", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.nio.channels", "FileChannel", True, "write", "(ByteBuffer,long)", "", "Argument[0]", "file-content-store", "ai-manual"]
+      - ["java.nio.channels", "FileChannel", True, "write", "(ByteBuffer)", "", "Argument[0]", "file-content-store", "ai-manual"]
--- a/java/ql/lib/ext/java.nio.file.model.yml
+++ b/java/ql/lib/ext/java.nio.file.model.yml
@@ -43,6 +43,8 @@ extensions:
      - ["java.nio.file", "Files", True, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "Files", True, "newOutputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "FileSystem", False, "getPath", "", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
+      - ["java.nio.file", "FileSystems", False, "newFileSystem", "(URI,Map)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.nio.file", "FileSystems", False, "newFileSystem", "(URI,Map)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["java.nio.file", "Path", False, "of", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
      - ["java.nio.file", "Path", False, "of", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
      - ["java.nio.file", "Path", False, "resolve", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
@@ -79,6 +81,7 @@ extensions:
      - ["java.nio.file", "Path", True, "relativize", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
      - ["java.nio.file", "Path", True, "resolve", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
      - ["java.nio.file", "Path", True, "resolve", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.nio.file", "Path", True, "resolveSibling", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
      - ["java.nio.file", "Path", True, "toAbsolutePath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.nio.file", "Path", False, "toFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.nio.file", "Path", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -96,7 +99,6 @@ extensions:
    data:
      # summary neutrals
      - ["java.nio.file", "Files", "exists", "(Path,LinkOption[])", "summary", "manual"]
-
      # sink neutrals
      - ["java.nio.file", "Files", "exists", "", "sink", "hq-manual"]
      - ["java.nio.file", "Files", "getLastModifiedTime", "", "sink", "hq-manual"]
--- a/java/ql/lib/ext/java.util.zip.model.yml
+++ b/java/ql/lib/ext/java.util.zip.model.yml
@@ -4,4 +4,10 @@ extensions:
      extensible: summaryModel
    data:
      - ["java.util.zip", "GZIPInputStream", False, "GZIPInputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.util.zip", "ZipEntry", True, "ZipEntry", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
      - ["java.util.zip", "ZipInputStream", False, "ZipInputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.util.zip", "ZipOutputStream", True, "putNextEntry", "(ZipEntry)", "", "Argument[0]", "file-content-store", "ai-manual"]
--- a/java/ql/lib/ext/kotlin.model.yml
+++ b/java/ql/lib/ext/kotlin.model.yml
@@ -3,5 +3,7 @@ extensions:
      pack: codeql/java-all
      extensible: summaryModel
    data:
+      - ["kotlin", "StandardKt", False, "apply", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"]
+      - ["kotlin", "StandardKt", False, "apply", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
      - ["kotlin", "StandardKt", False, "with", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"]
      - ["kotlin", "StandardKt", False, "with", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"]
--- a/java/ql/lib/ext/okhttp3.model.yml
+++ b/java/ql/lib/ext/okhttp3.model.yml
@@ -58,4 +58,6 @@ extensions:
      - ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
      - ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["okhttp3", "HttpUrl$Builder", False, "username", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["okhttp3", "Request$Builder", False, "get", "()", "", "Argument[this]", "ReturnValue", "value", "ai-manual"]
+      - ["okhttp3", "Request$Builder", False, "url", "(String)", "", "Argument[this]", "ReturnValue", "value", "ai-manual"]
      - ["okhttp3", "Request$Builder", True, "build", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
--- a/java/ql/lib/ext/org.apache.commons.lang3.builder.model.yml
+++ b/java/ql/lib/ext/org.apache.commons.lang3.builder.model.yml
@@ -19,4 +19,5 @@ extensions:
      - ["org.apache.commons.lang3.builder", "ToStringBuilder", False, "appendToString", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["org.apache.commons.lang3.builder", "ToStringBuilder", False, "build", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["org.apache.commons.lang3.builder", "ToStringBuilder", False, "getStringBuffer", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.apache.commons.lang3.builder", "ToStringBuilder", False, "reflectionToString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
      - ["org.apache.commons.lang3.builder", "ToStringBuilder", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
--- a/java/ql/lib/ext/org.gradle.api.file.model.yml
+++ b/java/ql/lib/ext/org.gradle.api.file.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.gradle.api.file", "Directory", True, "getAsFile", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.gradle.api.file", "DirectoryProperty", True, "file", "(String)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
--- a/java/ql/lib/ext/retrofit2.model.yml
+++ b/java/ql/lib/ext/retrofit2.model.yml
@@ -4,3 +4,8 @@ extensions:
      extensible: sinkModel
    data:
      - ["retrofit2", "Retrofit$Builder", True, "baseUrl", "", "", "Argument[0]", "request-forgery", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["retrofit2", "Retrofit$Builder", False, "baseUrl", "(String)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.6.4-dev
+version: 0.7.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/lib/semmle/code/java/Constants.qll
+++ b/java/ql/lib/semmle/code/java/Constants.qll
@@ -17,7 +17,6 @@ signature int getIntValSig(Expr e);
 */
 module CalculateConstants<getBoolValSig/1 getBoolVal, getIntValSig/1 getIntVal> {
  /** Gets the value of a constant boolean expression. */
-  pragma[assume_small_delta]
  boolean calculateBooleanValue(Expr e) {
    // No casts relevant to booleans.
    // `!` is the only unary operator that evaluates to a boolean.
@@ -99,7 +98,6 @@ module CalculateConstants<getBoolValSig/1 getBoolVal, getIntValSig/1 getIntVal>
  }

  /** Gets the value of a constant integer expression. */
-  pragma[assume_small_delta]
  int calculateIntValue(Expr e) {
    exists(IntegralType t | e.getType() = t | t.getName().toLowerCase() != "long") and
    (
--- a/java/ql/lib/semmle/code/java/ControlFlowGraph.qll
+++ b/java/ql/lib/semmle/code/java/ControlFlowGraph.qll
@@ -365,7 +365,6 @@ private module ControlFlowGraphImpl {
  /**
   * Gets a non-overridable method that always throws an exception or calls `exit`.
   */
-  pragma[assume_small_delta]
  private Method nonReturningMethod() {
    result instanceof MethodExit
    or
@@ -382,7 +381,6 @@ private module ControlFlowGraphImpl {
  /**
   * Gets a virtual method that always throws an exception or calls `exit`.
   */
-  pragma[assume_small_delta]
  private EffectivelyNonVirtualMethod likelyNonReturningMethod() {
    result.getReturnType() instanceof VoidType and
    not exists(ReturnStmt ret | ret.getEnclosingCallable() = result) and
@@ -402,7 +400,6 @@ private module ControlFlowGraphImpl {
  /**
   * Gets a statement that always throws an exception or calls `exit`.
   */
-  pragma[assume_small_delta]
  private Stmt nonReturningStmt() {
    result instanceof ThrowStmt
    or
@@ -424,7 +421,6 @@ private module ControlFlowGraphImpl {
  /**
   * Gets an expression that always throws an exception or calls `exit`.
   */
-  pragma[assume_small_delta]
  private Expr nonReturningExpr() {
    result = nonReturningMethodAccess()
    or
--- a/java/ql/lib/semmle/code/java/Expr.qll
+++ b/java/ql/lib/semmle/code/java/Expr.qll
@@ -131,7 +131,6 @@ private predicate primitiveOrString(Type t) {
 * See JLS v8, section 15.28 (Constant Expressions).
 */
 class CompileTimeConstantExpr extends Expr {
-  pragma[assume_small_delta]
  CompileTimeConstantExpr() {
    primitiveOrString(this.getType()) and
    (
@@ -181,7 +180,6 @@ class CompileTimeConstantExpr extends Expr {
  /**
   * Gets the string value of this expression, where possible.
   */
-  pragma[assume_small_delta]
  pragma[nomagic]
  string getStringValue() {
    result = this.(StringLiteral).getValue()
@@ -207,7 +205,6 @@ class CompileTimeConstantExpr extends Expr {
  /**
   * Gets the boolean value of this expression, where possible.
   */
-  pragma[assume_small_delta]
  pragma[nomagic]
  boolean getBooleanValue() {
    // Literal value.
@@ -1910,7 +1907,6 @@ class TypeAccess extends Expr, Annotatable, @typeaccess {
  override CompilationUnit getCompilationUnit() { result = Expr.super.getCompilationUnit() }

  /** Gets a printable representation of this expression. */
-  pragma[assume_small_delta]
  override string toString() {
    result = this.getQualifier().toString() + "." + this.getType().toString()
    or
--- a/java/ql/lib/semmle/code/java/Member.qll
+++ b/java/ql/lib/semmle/code/java/Member.qll
@@ -736,7 +736,6 @@ class FieldDeclaration extends ExprParent, @fielddecl, Annotatable {
  /** Gets the number of fields declared in this declaration. */
  int getNumField() { result = max(int idx | fieldDeclaredIn(_, this, idx) | idx) + 1 }

-  pragma[assume_small_delta]
  override string toString() {
    if this.getNumField() = 1
    then result = this.getTypeAccess() + " " + this.getField(0) + ";"
--- a/java/ql/lib/semmle/code/java/Type.qll
+++ b/java/ql/lib/semmle/code/java/Type.qll
@@ -309,7 +309,6 @@ private predicate hasSubtypeStar1(RefType t, RefType sub) {
 /**
 * Holds if `hasSubtype*(t, sub)`, but manual-magic'ed with `getAWildcardLowerBound(sub)`.
 */
-pragma[assume_small_delta]
 pragma[nomagic]
 private predicate hasSubtypeStar2(RefType t, RefType sub) {
  sub = t and getAWildcardLowerBound(sub)
@@ -710,6 +709,12 @@ class Class extends ClassOrInterface {
    )
  }

+  /**
+   * Holds if this class is a Kotlin "file class", e.g. the class FooKt
+   * for top-level entities in Foo.kt.
+   */
+  predicate isFileClass() { file_class(this) }
+
  override string getAPrimaryQlClass() { result = "Class" }
 }

--- a/java/ql/lib/semmle/code/java/dataflow/NullGuards.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/NullGuards.qll
@@ -42,7 +42,6 @@ EqualityTest varEqualityTestExpr(SsaVariable v1, SsaVariable v2, boolean isEqual
 }

 /** Gets an expression that is provably not `null`. */
-pragma[assume_small_delta]
 Expr clearlyNotNullExpr(Expr reason) {
  result instanceof ClassInstanceExpr and reason = result
  or
@@ -237,7 +236,6 @@ Expr directNullGuard(SsaVariable v, boolean branch, boolean isnull) {
 * If `result` evaluates to `branch`, then `v` is guaranteed to be null if `isnull`
 * is true, and non-null if `isnull` is false.
 */
-pragma[assume_small_delta]
 Guard nullGuard(SsaVariable v, boolean branch, boolean isnull) {
  result = directNullGuard(v, branch, isnull) or
  exists(boolean branch0 | implies_v3(result, branch, nullGuard(v, branch0, isnull), branch0))
--- a/java/ql/lib/semmle/code/java/dataflow/SSA.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/SSA.qll
@@ -61,7 +61,6 @@ class SsaSourceVariable extends TSsaSourceVariable {
   * accessed from nested callables are therefore associated with several
   * `SsaSourceVariable`s.
   */
-  pragma[assume_small_delta]
  cached
  VarAccess getAnAccess() {
    exists(LocalScopeVariable v, Callable c |
@@ -451,7 +450,6 @@ private module SsaImpl {
   * Holds if `f` is live in `b` at index `i`. The rank of `i` is `rankix` as
   * defined by `callDefUseRank`.
   */
-  pragma[assume_small_delta]
  private predicate liveAtRank(TrackedField f, BasicBlock b, int rankix, int i) {
    callDefUseRank(f, b, rankix, i) and
    (
@@ -565,7 +563,6 @@ private module SsaImpl {
  }

  /** Holds if a phi node for `v` is needed at the beginning of basic block `b`. */
-  pragma[assume_small_delta]
  cached
  predicate phiNode(TrackedVar v, BasicBlock b) {
    liveAtEntry(v, b) and
--- a/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll
@@ -241,7 +241,6 @@ private module ForAll<NodeSig Node, RankedEdge<Node> E, TypePropagation T> {
   * Holds if `t` is a candidate bound for `n` that is also valid for data coming
   * through the edges into `n` ranked from `1` to `r`.
   */
-  pragma[assume_small_delta]
  private predicate flowJoin(int r, Node n, T::Typ t) {
    (
      r = 1 and candJoinType(n, t)
--- a/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll
@@ -151,7 +151,6 @@ private module SsaImpl {
  }

  /** Holds if a phi node for `v` is needed at the beginning of basic block `b`. */
-  pragma[assume_small_delta]
  cached
  predicate phiNode(BaseSsaSourceVariable v, BasicBlock b) {
    liveAtEntry(v, b) and
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlow.qll
@@ -114,7 +114,7 @@ signature module StateConfigSig {
   * Holds if data flow through `node` is prohibited when the flow state is
   * `state`.
   */
-  predicate isBarrier(Node node, FlowState state);
+  default predicate isBarrier(Node node, FlowState state) { none() }

  /** Holds if data flow into `node` is prohibited. */
  default predicate isBarrierIn(Node node) { none() }
@@ -131,7 +131,9 @@ signature module StateConfigSig {
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
   * This step is only applicable in `state1` and updates the flow state to `state2`.
   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2);
+  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
+    none()
+  }

  /**
   * Holds if an arbitrary number of implicit read steps of content `c` may be
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -254,6 +254,11 @@ module Impl<FullStateConfigSig Config> {
    not fullBarrier(node2)
  }

+  pragma[nomagic]
+  private predicate isUnreachableInCall1(NodeEx n, LocalCallContextSpecificCall cc) {
+    isUnreachableInCallCached(n.asNode(), cc.getCall())
+  }
+
  /**
   * Holds if data can flow in one local step from `node1` to `node2`.
   */
@@ -460,7 +465,6 @@ module Impl<FullStateConfigSig Config> {
     * The Boolean `cc` records whether the node is reached through an
     * argument in a call.
     */
-    pragma[assume_small_delta]
    private predicate fwdFlow(NodeEx node, Cc cc) {
      sourceNode(node, _) and
      if hasSourceCallCtx() then cc = true else cc = false
@@ -570,7 +574,6 @@ module Impl<FullStateConfigSig Config> {
    /**
     * Holds if `c` is the target of a store in the flow covered by `fwdFlow`.
     */
-    pragma[assume_small_delta]
    pragma[nomagic]
    private predicate fwdFlowConsCand(Content c) {
      exists(NodeEx mid, NodeEx node |
@@ -1216,7 +1219,6 @@ module Impl<FullStateConfigSig Config> {
        fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t
      }

-      pragma[assume_small_delta]
      pragma[nomagic]
      private predicate fwdFlow0(
        NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
@@ -2111,7 +2113,7 @@ module Impl<FullStateConfigSig Config> {
      NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
      LocalCallContext cc
    ) {
-      not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCall1(node2, cc) and
      (
        localFlowEntry(node1, pragma[only_bind_into](state)) and
        (
@@ -2126,7 +2128,7 @@ module Impl<FullStateConfigSig Config> {
        ) and
        node1 != node2 and
        cc.relevantFor(node1.getEnclosingCallable()) and
-        not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
+        not isUnreachableInCall1(node1, cc)
        or
        exists(NodeEx mid |
          localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t, cc) and
@@ -2163,10 +2165,8 @@ module Impl<FullStateConfigSig Config> {
      preservesValue = false and
      t = node2.getDataFlowType() and
      callContext.relevantFor(node1.getEnclosingCallable()) and
-      not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
-        isUnreachableInCallCached(node1.asNode(), call) or
-        isUnreachableInCallCached(node2.asNode(), call)
-      )
+      not isUnreachableInCall1(node1, callContext) and
+      not isUnreachableInCall1(node2, callContext)
    }
  }

@@ -2706,7 +2706,7 @@ module Impl<FullStateConfigSig Config> {

    ParamNodeEx getParamNode() { result = p }

-    override string toString() { result = p + ": " + ap }
+    override string toString() { result = p + concat(" : " + ppReprType(t)) + " " + ap }

    predicate hasLocationInfo(
      string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -2758,12 +2758,21 @@ module Impl<FullStateConfigSig Config> {
    )
  }

+  private predicate forceUnfold(AccessPathApprox apa) {
+    forceHighPrecision(apa.getHead())
+    or
+    exists(Content c2 |
+      apa = TConsCons(_, _, c2, _) and
+      forceHighPrecision(c2)
+    )
+  }
+
  /**
   * Holds with `unfold = false` if a precise head-tail representation of `apa` is
   * expected to be expensive. Holds with `unfold = true` otherwise.
   */
  private predicate evalUnfold(AccessPathApprox apa, boolean unfold) {
-    if forceHighPrecision(apa.getHead())
+    if forceUnfold(apa)
    then unfold = true
    else
      exists(int aps, int nodes, int apLimit, int tupleLimit |
@@ -2777,7 +2786,6 @@ module Impl<FullStateConfigSig Config> {
  /**
   * Gets the number of `AccessPath`s that correspond to `apa`.
   */
-  pragma[assume_small_delta]
  private int countAps(AccessPathApprox apa) {
    evalUnfold(apa, false) and
    result = 1 and
@@ -2796,7 +2804,6 @@ module Impl<FullStateConfigSig Config> {
   * that it is expanded to a precise head-tail representation.
   */
  language[monotonicAggregates]
-  pragma[assume_small_delta]
  private int countPotentialAps(AccessPathApprox apa) {
    apa instanceof AccessPathApproxNil and result = 1
    or
@@ -2833,7 +2840,6 @@ module Impl<FullStateConfigSig Config> {
    }

  private newtype TPathNode =
-    pragma[assume_small_delta]
    TPathNodeMid(
      NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, AccessPath ap
    ) {
@@ -2918,7 +2924,6 @@ module Impl<FullStateConfigSig Config> {

    override AccessPathFrontHead getFront() { result = TFrontHead(head_) }

-    pragma[assume_small_delta]
    override AccessPathApproxCons getApprox() {
      result = TConsNil(head_, t) and tail_ = TAccessPathNil()
      or
@@ -2927,7 +2932,6 @@ module Impl<FullStateConfigSig Config> {
      result = TCons1(head_, this.length())
    }

-    pragma[assume_small_delta]
    override int length() { result = 1 + tail_.length() }

    private string toStringImpl(boolean needsSuffix) {
@@ -3097,6 +3101,12 @@ module Impl<FullStateConfigSig Config> {
      result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
    }

+    private string ppSummaryCtx() {
+      this instanceof PathNodeSink and result = ""
+      or
+      result = " <" + this.(PathNodeMid).getSummaryCtx().toString() + ">"
+    }
+
    /** Gets a textual representation of this element. */
    string toString() { result = this.getNodeEx().toString() + this.ppType() + this.ppAp() }

@@ -3105,7 +3115,9 @@ module Impl<FullStateConfigSig Config> {
     * representation of the call context.
     */
    string toStringWithContext() {
-      result = this.getNodeEx().toString() + this.ppType() + this.ppAp() + this.ppCtx()
+      result =
+        this.getNodeEx().toString() + this.ppType() + this.ppAp() + this.ppCtx() +
+          this.ppSummaryCtx()
    }

    /**
@@ -3379,7 +3391,6 @@ module Impl<FullStateConfigSig Config> {
   * Holds if data may flow from `mid` to `node`. The last step in or out of
   * a callable is recorded by `cc`.
   */
-  pragma[assume_small_delta]
  pragma[nomagic]
  private predicate pathStep0(
    PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t,
@@ -3592,7 +3603,6 @@ module Impl<FullStateConfigSig Config> {
    )
  }

-  pragma[assume_small_delta]
  pragma[nomagic]
  private predicate pathThroughCallable0(
    DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, FlowState state, CallContext cc,
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
@@ -187,7 +187,6 @@ private module LambdaFlow {
    else any()
  }

-  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlow0(
    DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,7 +273,6 @@ private module LambdaFlow {
    )
  }

-  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlowOut(
    DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,
--- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -23,29 +23,30 @@ module Public {
   * content type, or a return kind.
   */
  class SummaryComponent extends TSummaryComponent {
-    /** Gets a textual representation of this summary component. */
-    string toString() {
-      exists(ContentSet c | this = TContentSummaryComponent(c) and result = c.toString())
-      or
-      exists(ContentSet c | this = TWithoutContentSummaryComponent(c) and result = "without " + c)
-      or
-      exists(ContentSet c | this = TWithContentSummaryComponent(c) and result = "with " + c)
+    /** Gets a textual representation of this component used for MaD models. */
+    string getMadRepresentation() {
+      result = getMadRepresentationSpecific(this)
      or
      exists(ArgumentPosition pos |
-        this = TParameterSummaryComponent(pos) and result = "parameter " + pos
+        this = TParameterSummaryComponent(pos) and
+        result = "Parameter[" + getArgumentPosition(pos) + "]"
      )
      or
      exists(ParameterPosition pos |
-        this = TArgumentSummaryComponent(pos) and result = "argument " + pos
+        this = TArgumentSummaryComponent(pos) and
+        result = "Argument[" + getParameterPosition(pos) + "]"
      )
      or
-      exists(ReturnKind rk | this = TReturnSummaryComponent(rk) and result = "return (" + rk + ")")
-      or
-      exists(SummaryComponent::SyntheticGlobal sg |
-        this = TSyntheticGlobalSummaryComponent(sg) and
-        result = "synthetic global (" + sg + ")"
+      exists(string synthetic |
+        this = TSyntheticGlobalSummaryComponent(synthetic) and
+        result = "SyntheticGlobal[" + synthetic + "]"
      )
+      or
+      this = TReturnSummaryComponent(getReturnValueKind()) and result = "ReturnValue"
    }
+
+    /** Gets a textual representation of this summary component. */
+    string toString() { result = this.getMadRepresentation() }
  }

  /** Provides predicates for constructing summary components. */
@@ -110,7 +111,6 @@ module Public {
    }

    /** Gets the stack obtained by dropping the first `i` elements, if any. */
-    pragma[assume_small_delta]
    SummaryComponentStack drop(int i) {
      i = 0 and result = this
      or
@@ -125,19 +125,22 @@ module Public {
      this = TSingletonSummaryComponentStack(result) or result = this.tail().bottom()
    }

-    /** Gets a textual representation of this stack. */
-    string toString() {
+    /** Gets a textual representation of this stack used for MaD models. */
+    string getMadRepresentation() {
      exists(SummaryComponent head, SummaryComponentStack tail |
        head = this.head() and
        tail = this.tail() and
-        result = tail + "." + head
+        result = tail.getMadRepresentation() + "." + head.getMadRepresentation()
      )
      or
      exists(SummaryComponent c |
        this = TSingletonSummaryComponentStack(c) and
-        result = c.toString()
+        result = c.getMadRepresentation()
      )
    }
+
+    /** Gets a textual representation of this stack. */
+    string toString() { result = this.getMadRepresentation() }
  }

  /** Provides predicates for constructing stacks of summary components. */
@@ -166,42 +169,6 @@ module Public {
    SummaryComponentStack return(ReturnKind rk) { result = singleton(SummaryComponent::return(rk)) }
  }

-  /** Gets a textual representation of this component used for flow summaries. */
-  private string getComponent(SummaryComponent sc) {
-    result = getComponentSpecific(sc)
-    or
-    exists(ArgumentPosition pos |
-      sc = TParameterSummaryComponent(pos) and
-      result = "Parameter[" + getArgumentPosition(pos) + "]"
-    )
-    or
-    exists(ParameterPosition pos |
-      sc = TArgumentSummaryComponent(pos) and
-      result = "Argument[" + getParameterPosition(pos) + "]"
-    )
-    or
-    exists(string synthetic |
-      sc = TSyntheticGlobalSummaryComponent(synthetic) and
-      result = "SyntheticGlobal[" + synthetic + "]"
-    )
-    or
-    sc = TReturnSummaryComponent(getReturnValueKind()) and result = "ReturnValue"
-  }
-
-  /** Gets a textual representation of this stack used for flow summaries. */
-  string getComponentStack(SummaryComponentStack stack) {
-    exists(SummaryComponent head, SummaryComponentStack tail |
-      head = stack.head() and
-      tail = stack.tail() and
-      result = getComponentStack(tail) + "." + getComponent(head)
-    )
-    or
-    exists(SummaryComponent c |
-      stack = TSingletonSummaryComponentStack(c) and
-      result = getComponent(c)
-    )
-  }
-
  /**
   * A class that exists for QL technical reasons only (the IPA type used
   * to represent component stacks needs to be bounded).
@@ -1382,8 +1349,8 @@ module Private {
        c.relevantSummary(input, output, preservesValue) and
        csv =
          c.getCallableCsv() // Callable information
-            + getComponentStack(input) + ";" // input
-            + getComponentStack(output) + ";" // output
+            + input.getMadRepresentation() + ";" // input
+            + output.getMadRepresentation() + ";" // output
            + renderKind(preservesValue) + ";" // kind
            + renderProvenance(c) // provenance
      )
--- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -193,8 +193,8 @@ private string getContentSpecific(Content c) {
  c instanceof MapValueContent and result = "MapValue"
 }

-/** Gets the textual representation of the content in the format used for flow summaries. */
-string getComponentSpecific(SummaryComponent sc) {
+/** Gets the textual representation of the content in the format used for MaD models. */
+string getMadRepresentationSpecific(SummaryComponent sc) {
  exists(Content c | sc = TContentSummaryComponent(c) and result = getContentSpecific(c))
 }

--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -617,7 +617,6 @@ private MethodAccess callReturningSameType(Expr ref) {
  result.getMethod().getReturnType() = ref.getType()
 }

-pragma[assume_small_delta]
 private SrcRefType entrypointType() {
  exists(RemoteFlowSource s, RefType t |
    s instanceof DataFlow::ExplicitParameterNode and
--- a/java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll
@@ -31,7 +31,6 @@ private Callable dispatchCand(Call c) {
 /**
 * Holds if `t` and all its enclosing types are public.
 */
-pragma[assume_small_delta]
 private predicate veryPublic(RefType t) {
  t.isPublic() and
  (
--- a/java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll
@@ -206,7 +206,6 @@ private predicate relevantNodeBack(ObjNode n) {
  exists(ObjNode mid | objStep(n, mid) and relevantNodeBack(mid))
 }

-pragma[assume_small_delta]
 private predicate relevantNode(ObjNode n) {
  source(_, n) and relevantNodeBack(n)
  or
--- a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
@@ -53,7 +53,6 @@ private predicate hasPathAnnotation(Annotatable annotatable) {
 * A method which is annotated with one or more JaxRS resource type annotations e.g. `@GET`, `@POST` etc.
 */
 class JaxRsResourceMethod extends Method {
-  pragma[assume_small_delta]
  JaxRsResourceMethod() {
    exists(AnnotationType a |
      a = this.getAnAnnotation().getType() and
@@ -92,7 +91,6 @@ class JaxRsResourceMethod extends Method {
 * This class contains resource methods, which are executed in response to requests.
 */
 class JaxRsResourceClass extends Class {
-  pragma[assume_small_delta]
  JaxRsResourceClass() {
    // A root resource class has a @Path annotation on the class.
    hasPathAnnotation(this)
--- a/java/ql/lib/semmle/code/java/frameworks/Rmi.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Rmi.qll
@@ -12,7 +12,6 @@ class RemoteCallableMethod extends Method {
  RemoteCallableMethod() { remoteCallableMethod(this) }
 }

-pragma[assume_small_delta]
 private predicate remoteCallableMethod(Method method) {
  method.getDeclaringType().getASupertype() instanceof TypeRemote
  or
--- a/java/ql/lib/semmle/code/java/frameworks/google/GsonSerializability.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/google/GsonSerializability.qll
@@ -45,7 +45,6 @@ private class FieldReferencedGsonDeserializableType extends GsonDeserializableTy

 /** A field that may be deserialized using the Gson JSON framework. */
 private class GsonDeserializableField extends DeserializableField {
-  pragma[assume_small_delta]
  GsonDeserializableField() {
    exists(GsonDeserializableType superType |
      superType = this.getDeclaringType().getAnAncestor() and
--- a/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -146,7 +146,6 @@ class JacksonSerializableField extends SerializableField {

 /** A field that may be deserialized using the Jackson JSON framework. */
 class JacksonDeserializableField extends DeserializableField {
-  pragma[assume_small_delta]
  JacksonDeserializableField() {
    exists(JacksonDeserializableType superType |
      superType = this.getDeclaringType().getAnAncestor() and
--- a/java/ql/lib/semmle/code/java/frameworks/kotlin/Kotlin.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/kotlin/Kotlin.qll
@@ -0,0 +1,21 @@
+/** Provides classes and predicates related to `kotlin`. */
+
+import java
+
+/** A call to Kotlin's `apply` method. */
+class KotlinApply extends MethodAccess {
+  ExtensionMethod m;
+
+  KotlinApply() {
+    this.getMethod() = m and
+    m.hasQualifiedName("kotlin", "StandardKt", "apply")
+  }
+
+  /** Gets the function block argument of this call. */
+  LambdaExpr getLambdaArg() {
+    result = this.getArgument(m.getExtensionReceiverParameterIndex() + 1)
+  }
+
+  /** Gets the receiver argument of this call. */
+  Argument getReceiver() { result = this.getArgument(m.getExtensionReceiverParameterIndex()) }
+}
--- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll
@@ -68,8 +68,6 @@ private module InstallPackageActionConfig implements DataFlow::StateConfigSig {
  predicate isSink(DataFlow::Node node, FlowState state) {
    state instanceof HasInstallPackageAction and node.asExpr().getType() instanceof TypeIntent
  }
-
-  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
 }

 private module InstallPackageActionFlow =
@@ -113,8 +111,6 @@ private module PackageArchiveMimeTypeConfig implements DataFlow::StateConfigSig
    state instanceof HasPackageArchiveMimeType and
    node instanceof SetDataSink
  }
-
-  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
 }

 private module PackageArchiveMimeTypeFlow =
--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -11,6 +11,8 @@ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }

  predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

 /** A taint-tracking configuration to reason about underflow from unvalidated user input. */
@@ -20,6 +22,8 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }

  predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

 /** Taint-tracking flow for overflow from unvalidated user input. */
--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -72,8 +72,6 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {

  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof ExplicitIntentSanitizer }

-  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
-
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, node2)
  }
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
@@ -15,6 +15,8 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
  }

  predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

 /**
--- a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
@@ -36,6 +36,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    any(LogInjectionAdditionalTaintStep c).step(node1, node2)
  }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

 /**
--- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -100,6 +100,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
    node.getEnclosingCallable() instanceof HashCodeMethod or
    exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())
  }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

 /**
--- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
@@ -51,6 +51,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
  }

  predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

 module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
--- a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll
@@ -5,6 +5,7 @@
 import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.frameworks.android.WebView
+private import semmle.code.java.frameworks.kotlin.Kotlin

 /**
 * A sink that represents a method that fetches a web resource in Android.
@@ -62,10 +63,26 @@ private class WebViewRef extends Element {
      t.isOwnInstanceAccess() or t.getInstanceAccess().isEnclosingInstanceAccess(this)
    )
    or
-    result = DataFlow::exprNode(this.(Variable).getAnAccess())
+    exists(Variable v | result.asExpr() = v.getAnAccess() |
+      v = this
+      or
+      applyReceiverVariable(this, v)
+    )
  }
 }

+/**
+ * Holds if `p` is the lambda parameter that holds the receiver of an `apply` expression in Kotlin,
+ * and `v` is the variable of the receiver in the outer scope.
+ */
+private predicate applyReceiverVariable(Parameter p, Variable v) {
+  exists(LambdaExpr lambda, KotlinApply apply |
+    p.getCallable() = lambda.asMethod() and
+    lambda = apply.getLambdaArg() and
+    v = apply.getReceiver().(VarAccess).getVariable()
+  )
+}
+
 /**
 * Holds if a `WebViewLoadUrlMethod` is called on an access of `webview`
 * with `urlArg` as its first argument.
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 0.7.0
+
+### Minor Analysis Improvements
+
+* New models have been added for `org.apache.commons.lang`.
+* The query `java/unsafe-deserialization` has been updated to take into account `SerialKiller`, a library used to prevent deserialization of arbitrary classes.
+
+### Bug Fixes
+
+* The query "Arbitrary file write during archive extraction ("Zip Slip")" (`java/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
+
+## 0.6.4
+
+No user-facing changes.
+
 ## 0.6.3

 ### Minor Analysis Improvements
--- a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
@@ -97,8 +97,6 @@ module WebViewDisallowContentAccessConfig implements DataFlow::StateConfigSig {
    state instanceof IsSettings and
    node instanceof WebSettingsDisallowContentAccessSink
  }
-
-  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
 }

 module WebViewDisallowContentAccessFlow =
--- a/java/ql/src/Telemetry/AutomodelApplicationModeExtractCandidates.ql
+++ b/java/ql/src/Telemetry/AutomodelApplicationModeExtractCandidates.ql
@@ -12,9 +12,44 @@
 * @tags internal extract automodel application-mode candidates
 */

+import java
 private import AutomodelApplicationModeCharacteristics
 private import AutomodelJavaUtil

+/**
+ * Gets a sample of endpoints (of at most `limit` samples) with the given method signature.
+ *
+ * The main purpose of this helper predicate is to avoid selecting too many candidates, as this may
+ * cause the SARIF file to exceed the maximum size limit.
+ */
+bindingset[limit]
+private Endpoint getSampleForSignature(
+  int limit, string package, string type, string subtypes, string name, string signature,
+  string input
+) {
+  exists(int n, int num_endpoints, ApplicationModeMetadataExtractor meta |
+    num_endpoints =
+      count(Endpoint e | meta.hasMetadata(e, package, type, subtypes, name, signature, input))
+  |
+    result =
+      rank[n](Endpoint e, Location loc |
+        loc = e.getLocation() and
+        meta.hasMetadata(e, package, type, subtypes, name, signature, input)
+      |
+        e
+        order by
+          loc.getFile().getAbsolutePath(), loc.getStartLine(), loc.getStartColumn(),
+          loc.getEndLine(), loc.getEndColumn()
+      ) and
+    // To avoid selecting samples that are too close together (as the ranking above goes by file
+    // path first), we select `limit` evenly spaced samples from the ranked list of endpoints. By
+    // default this would always include the first sample, so we add a random-chosen prime offset
+    // to the first sample index, and reduce modulo the number of endpoints.
+    // Finally, we add 1 to the result, as ranking results in a 1-indexed relation.
+    n = 1 + (([0 .. limit - 1] * (num_endpoints / limit).floor() + 46337) % num_endpoints)
+  )
+}
+
 from
  Endpoint endpoint, string message, ApplicationModeMetadataExtractor meta, DollarAtString package,
  DollarAtString type, DollarAtString subtypes, DollarAtString name, DollarAtString signature,
@@ -23,6 +58,7 @@ where
  not exists(CharacteristicsImpl::UninterestingToModelCharacteristic u |
    u.appliesToEndpoint(endpoint)
  ) and
+  endpoint = getSampleForSignature(9, package, type, subtypes, name, signature, input) and
  // If a node is already a known sink for any of our existing ATM queries and is already modeled as a MaD sink, we
  // don't include it as a candidate. Otherwise, we might include it as a candidate for query A, but the model will
  // label it as a sink for one of the sink types of query B, for which it's already a known sink. This would result in
--- a/java/ql/src/Telemetry/ExternalApi.qll
+++ b/java/ql/src/Telemetry/ExternalApi.qll
@@ -27,8 +27,9 @@ class ExternalApi extends Callable {
   */
  string getApiName() {
    result =
-      this.getDeclaringType().getPackage() + "." + this.getDeclaringType().getSourceDeclaration() +
-        "#" + this.getName() + paramsString(this)
+      this.getDeclaringType().getPackage() + "." +
+        this.getDeclaringType().getSourceDeclaration().nestedName() + "#" + this.getName() +
+        paramsString(this)
  }

  private string getJarName() {
@@ -95,7 +96,7 @@ deprecated class ExternalAPI = ExternalApi;
 /**
 * Gets the limit for the number of results produced by a telemetry query.
 */
-int resultLimit() { result = 1000 }
+int resultLimit() { result = 100 }

 /**
 * Holds if it is relevant to count usages of `api`.
--- a/java/ql/src/change-notes/2023-06-02-unsafe-deserialization-serialkiller.md
+++ b/java/ql/src/change-notes/2023-06-02-unsafe-deserialization-serialkiller.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The query `java/unsafe-deserialization` has been updated to take into account `SerialKiller`, a library used to prevent deserialization of arbitrary classes.
--- a/java/ql/src/change-notes/2023-06-16-zipslip-rename.md
+++ b/java/ql/src/change-notes/2023-06-16-zipslip-rename.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* The query "Arbitrary file write during archive extraction ("Zip Slip")" (`java/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
--- a/java/ql/src/change-notes/2023-06-23-apache-commons-lang.md
+++ b/java/ql/src/change-notes/2023-06-23-apache-commons-lang.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* New models have been added for `org.apache.commons.lang`.
--- a/java/ql/src/change-notes/2023-07-10-unsafe-android-access-apply.md
+++ b/java/ql/src/change-notes/2023-07-10-unsafe-android-access-apply.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query "Unsafe resource fetching in Android WebView" (`java/android/unsafe-android-webview-fetch`) now recognizes WebViews where `setJavascriptEnabled`, `setAllowFileAccess`, `setAllowUniversalAccessFromFileURLs`, and/or `setAllowFileAccessFromFileURLs` are set inside the function block of the Kotlin `apply` function.
--- a/java/ql/src/change-notes/released/0.6.4.md
+++ b/java/ql/src/change-notes/released/0.6.4.md
@@ -0,0 +1,3 @@
+## 0.6.4
+
+No user-facing changes.
--- a/java/ql/src/change-notes/released/0.7.0.md
+++ b/java/ql/src/change-notes/released/0.7.0.md
@@ -0,0 +1,10 @@
+## 0.7.0
+
+### Minor Analysis Improvements
+
+* New models have been added for `org.apache.commons.lang`.
+* The query `java/unsafe-deserialization` has been updated to take into account `SerialKiller`, a library used to prevent deserialization of arbitrary classes.
+
+### Bug Fixes
+
+* The query "Arbitrary file write during archive extraction ("Zip Slip")" (`java/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.3
+lastReleaseVersion: 0.7.0
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.6.4-dev
+version: 0.7.1-dev
 groups: 
  - java
  - queries
--- a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -160,8 +160,6 @@ module ThroughFlowConfig implements DataFlow::StateConfigSig {
    exists(Type t | t = n.getType() and not isRelevantType(t))
  }

-  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
-
  DataFlow::FlowFeature getAFeature() {
    result instanceof DataFlow::FeatureEqualSourceSinkCallContext
  }
--- a/java/ql/test/kotlin/library-tests/annotation-accessor-result-type/test.ql
+++ b/java/ql/test/kotlin/library-tests/annotation-accessor-result-type/test.ql
@@ -1,6 +1,7 @@
 import java

 query predicate classExprs(Expr e, string tstr) {
+  exists(e.getFile().getRelativePath()) and
  tstr = e.getType().toString() and
  tstr.matches("%Class%")
 }
--- a/java/ql/test/kotlin/library-tests/annotation_classes/PrintAst.expected
+++ b/java/ql/test/kotlin/library-tests/annotation_classes/PrintAst.expected
@@ -169,15 +169,18 @@ def.kt:
 #   33|         0: [SuperConstructorInvocationStmt] super(...)
 #   33|         1: [BlockStmt] { ... }
 #   34|   5: [Class] Y
-#    0|     2: [Method] valueOf
+#    0|     2: [Method] getEntries
+#    0|       3: [TypeAccess] EnumEntries<Y>
+#    0|         0: [TypeAccess] Y
+#    0|     3: [Method] valueOf
 #    0|       3: [TypeAccess] Y
 #-----|       4: (Parameters)
 #    0|         0: [Parameter] value
 #    0|           0: [TypeAccess] String
-#    0|     3: [Method] values
+#    0|     4: [Method] values
 #    0|       3: [TypeAccess] Y[]
 #    0|         0: [TypeAccess] Y
-#   34|     4: [Constructor] Y
+#   34|     5: [Constructor] Y
 #   34|       5: [BlockStmt] { ... }
 #   34|         0: [ExprStmt] <Expr>;
 #   34|           0: [ClassInstanceExpr] new Enum(...)
@@ -186,15 +189,15 @@ def.kt:
 #   34|             0: [NullLiteral] null
 #   34|             1: [IntegerLiteral] 0
 #   34|         1: [BlockStmt] { ... }
-#   35|     5: [FieldDeclaration] Y A;
+#   35|     6: [FieldDeclaration] Y A;
 #   35|       -1: [TypeAccess] Y
 #   35|       0: [ClassInstanceExpr] new Y(...)
 #   35|         -3: [TypeAccess] Y
-#   35|     6: [FieldDeclaration] Y B;
+#   35|     7: [FieldDeclaration] Y B;
 #   35|       -1: [TypeAccess] Y
 #   35|       0: [ClassInstanceExpr] new Y(...)
 #   35|         -3: [TypeAccess] Y
-#   35|     7: [FieldDeclaration] Y C;
+#   35|     8: [FieldDeclaration] Y C;
 #   35|       -1: [TypeAccess] Y
 #   35|       0: [ClassInstanceExpr] new Y(...)
 #   35|         -3: [TypeAccess] Y
--- a/java/ql/test/kotlin/library-tests/classes/PrintAst.expected
+++ b/java/ql/test/kotlin/library-tests/classes/PrintAst.expected
@@ -160,15 +160,18 @@ classes.kt:
 #   42|       -1: [TypeAccess] int
 #   42|       0: [IntegerLiteral] 3
 #   49|   11: [Class] Direction
-#    0|     2: [Method] valueOf
+#    0|     2: [Method] getEntries
+#    0|       3: [TypeAccess] EnumEntries<Direction>
+#    0|         0: [TypeAccess] Direction
+#    0|     3: [Method] valueOf
 #    0|       3: [TypeAccess] Direction
 #-----|       4: (Parameters)
 #    0|         0: [Parameter] value
 #    0|           0: [TypeAccess] String
-#    0|     3: [Method] values
+#    0|     4: [Method] values
 #    0|       3: [TypeAccess] Direction[]
 #    0|         0: [TypeAccess] Direction
-#   49|     4: [Constructor] Direction
+#   49|     5: [Constructor] Direction
 #   49|       5: [BlockStmt] { ... }
 #   49|         0: [ExprStmt] <Expr>;
 #   49|           0: [ClassInstanceExpr] new Enum(...)
@@ -177,32 +180,35 @@ classes.kt:
 #   49|             0: [NullLiteral] null
 #   49|             1: [IntegerLiteral] 0
 #   49|         1: [BlockStmt] { ... }
-#   50|     5: [FieldDeclaration] Direction NORTH;
+#   50|     6: [FieldDeclaration] Direction NORTH;
 #   50|       -1: [TypeAccess] Direction
 #   50|       0: [ClassInstanceExpr] new Direction(...)
 #   50|         -3: [TypeAccess] Direction
-#   50|     6: [FieldDeclaration] Direction SOUTH;
+#   50|     7: [FieldDeclaration] Direction SOUTH;
 #   50|       -1: [TypeAccess] Direction
 #   50|       0: [ClassInstanceExpr] new Direction(...)
 #   50|         -3: [TypeAccess] Direction
-#   50|     7: [FieldDeclaration] Direction WEST;
+#   50|     8: [FieldDeclaration] Direction WEST;
 #   50|       -1: [TypeAccess] Direction
 #   50|       0: [ClassInstanceExpr] new Direction(...)
 #   50|         -3: [TypeAccess] Direction
-#   50|     8: [FieldDeclaration] Direction EAST;
+#   50|     9: [FieldDeclaration] Direction EAST;
 #   50|       -1: [TypeAccess] Direction
 #   50|       0: [ClassInstanceExpr] new Direction(...)
 #   50|         -3: [TypeAccess] Direction
 #   53|   12: [Class] Color
-#    0|     2: [Method] valueOf
+#    0|     2: [Method] getEntries
+#    0|       3: [TypeAccess] EnumEntries<Color>
+#    0|         0: [TypeAccess] Color
+#    0|     3: [Method] valueOf
 #    0|       3: [TypeAccess] Color
 #-----|       4: (Parameters)
 #    0|         0: [Parameter] value
 #    0|           0: [TypeAccess] String
-#    0|     3: [Method] values
+#    0|     4: [Method] values
 #    0|       3: [TypeAccess] Color[]
 #    0|         0: [TypeAccess] Color
-#   53|     4: [Constructor] Color
+#   53|     5: [Constructor] Color
 #-----|       4: (Parameters)
 #   53|         0: [Parameter] rgb
 #   53|           0: [TypeAccess] int
@@ -217,26 +223,26 @@ classes.kt:
 #   53|           0: [ExprStmt] <Expr>;
 #   53|             0: [KtInitializerAssignExpr] ...=...
 #   53|               0: [VarAccess] rgb
-#   53|     5: [Method] getRgb
+#   53|     6: [Method] getRgb
 #   53|       3: [TypeAccess] int
 #   53|       5: [BlockStmt] { ... }
 #   53|         0: [ReturnStmt] return ...
 #   53|           0: [VarAccess] this.rgb
 #   53|             -1: [ThisAccess] this
-#   53|     6: [FieldDeclaration] int rgb;
+#   53|     7: [FieldDeclaration] int rgb;
 #   53|       -1: [TypeAccess] int
 #   53|       0: [VarAccess] rgb
-#   54|     7: [FieldDeclaration] Color RED;
+#   54|     8: [FieldDeclaration] Color RED;
 #   54|       -1: [TypeAccess] Color
 #   54|       0: [ClassInstanceExpr] new Color(...)
 #   54|         -3: [TypeAccess] Color
 #   54|         0: [IntegerLiteral] 16711680
-#   55|     8: [FieldDeclaration] Color GREEN;
+#   55|     9: [FieldDeclaration] Color GREEN;
 #   55|       -1: [TypeAccess] Color
 #   55|       0: [ClassInstanceExpr] new Color(...)
 #   55|         -3: [TypeAccess] Color
 #   55|         0: [IntegerLiteral] 65280
-#   56|     9: [FieldDeclaration] Color BLUE;
+#   56|     10: [FieldDeclaration] Color BLUE;
 #   56|       -1: [TypeAccess] Color
 #   56|       0: [ClassInstanceExpr] new Color(...)
 #   56|         -3: [TypeAccess] Color
--- a/java/ql/test/kotlin/library-tests/dataflow/summaries/apply.expected
+++ b/java/ql/test/kotlin/library-tests/dataflow/summaries/apply.expected
@@ -0,0 +1,2 @@
+| apply.kt:6:9:6:41 | apply(...) |
+| apply.kt:7:14:7:40 | apply(...) |
--- a/java/ql/test/kotlin/library-tests/dataflow/summaries/apply.kt
+++ b/java/ql/test/kotlin/library-tests/dataflow/summaries/apply.kt
@@ -0,0 +1,9 @@
+class ApplyFlowTest {
+    fun <T> taint(t: T) = t
+    fun sink(s: String) { }
+
+    fun test(input: String) {
+        taint(input).apply { sink(this) } // $ hasValueFlow
+        sink(taint(input).apply { this }) // $ hasValueFlow
+    }
+}
--- a/java/ql/test/kotlin/library-tests/dataflow/summaries/apply.ql
+++ b/java/ql/test/kotlin/library-tests/dataflow/summaries/apply.ql
@@ -0,0 +1,5 @@
+import java
+import semmle.code.java.frameworks.kotlin.Kotlin
+
+from KotlinApply a
+select a
--- a/java/ql/test/kotlin/library-tests/exprs/PrintAst.expected
+++ b/java/ql/test/kotlin/library-tests/exprs/PrintAst.expected
@@ -3344,15 +3344,18 @@ exprs.kt:
 #  154|         0: [SuperConstructorInvocationStmt] super(...)
 #  154|         1: [BlockStmt] { ... }
 #  174|   6: [Class] Direction
-#    0|     2: [Method] valueOf
+#    0|     2: [Method] getEntries
+#    0|       3: [TypeAccess] EnumEntries<Direction>
+#    0|         0: [TypeAccess] Direction
+#    0|     3: [Method] valueOf
 #    0|       3: [TypeAccess] Direction
 #-----|       4: (Parameters)
 #    0|         0: [Parameter] value
 #    0|           0: [TypeAccess] String
-#    0|     3: [Method] values
+#    0|     4: [Method] values
 #    0|       3: [TypeAccess] Direction[]
 #    0|         0: [TypeAccess] Direction
-#  174|     4: [Constructor] Direction
+#  174|     5: [Constructor] Direction
 #  174|       5: [BlockStmt] { ... }
 #  174|         0: [ExprStmt] <Expr>;
 #  174|           0: [ClassInstanceExpr] new Enum(...)
@@ -3361,32 +3364,35 @@ exprs.kt:
 #  174|             0: [NullLiteral] null
 #  174|             1: [IntegerLiteral] 0
 #  174|         1: [BlockStmt] { ... }
-#  175|     5: [FieldDeclaration] Direction NORTH;
+#  175|     6: [FieldDeclaration] Direction NORTH;
 #  175|       -1: [TypeAccess] Direction
 #  175|       0: [ClassInstanceExpr] new Direction(...)
 #  175|         -3: [TypeAccess] Direction
-#  175|     6: [FieldDeclaration] Direction SOUTH;
+#  175|     7: [FieldDeclaration] Direction SOUTH;
 #  175|       -1: [TypeAccess] Direction
 #  175|       0: [ClassInstanceExpr] new Direction(...)
 #  175|         -3: [TypeAccess] Direction
-#  175|     7: [FieldDeclaration] Direction WEST;
+#  175|     8: [FieldDeclaration] Direction WEST;
 #  175|       -1: [TypeAccess] Direction
 #  175|       0: [ClassInstanceExpr] new Direction(...)
 #  175|         -3: [TypeAccess] Direction
-#  175|     8: [FieldDeclaration] Direction EAST;
+#  175|     9: [FieldDeclaration] Direction EAST;
 #  175|       -1: [TypeAccess] Direction
 #  175|       0: [ClassInstanceExpr] new Direction(...)
 #  175|         -3: [TypeAccess] Direction
 #  178|   7: [Class] Color
-#    0|     2: [Method] valueOf
+#    0|     2: [Method] getEntries
+#    0|       3: [TypeAccess] EnumEntries<Color>
+#    0|         0: [TypeAccess] Color
+#    0|     3: [Method] valueOf
 #    0|       3: [TypeAccess] Color
 #-----|       4: (Parameters)
 #    0|         0: [Parameter] value
 #    0|           0: [TypeAccess] String
-#    0|     3: [Method] values
+#    0|     4: [Method] values
 #    0|       3: [TypeAccess] Color[]
 #    0|         0: [TypeAccess] Color
-#  178|     4: [Constructor] Color
+#  178|     5: [Constructor] Color
 #-----|       4: (Parameters)
 #  178|         0: [Parameter] rgb
 #  178|           0: [TypeAccess] int
@@ -3401,26 +3407,26 @@ exprs.kt:
 #  178|           0: [ExprStmt] <Expr>;
 #  178|             0: [KtInitializerAssignExpr] ...=...
 #  178|               0: [VarAccess] rgb
-#  178|     5: [Method] getRgb
+#  178|     6: [Method] getRgb
 #  178|       3: [TypeAccess] int
 #  178|       5: [BlockStmt] { ... }
 #  178|         0: [ReturnStmt] return ...
 #  178|           0: [VarAccess] this.rgb
 #  178|             -1: [ThisAccess] this
-#  178|     6: [FieldDeclaration] int rgb;
+#  178|     7: [FieldDeclaration] int rgb;
 #  178|       -1: [TypeAccess] int
 #  178|       0: [VarAccess] rgb
-#  179|     7: [FieldDeclaration] Color RED;
+#  179|     8: [FieldDeclaration] Color RED;
 #  179|       -1: [TypeAccess] Color
 #  179|       0: [ClassInstanceExpr] new Color(...)
 #  179|         -3: [TypeAccess] Color
 #  179|         0: [IntegerLiteral] 16711680
-#  180|     8: [FieldDeclaration] Color GREEN;
+#  180|     9: [FieldDeclaration] Color GREEN;
 #  180|       -1: [TypeAccess] Color
 #  180|       0: [ClassInstanceExpr] new Color(...)
 #  180|         -3: [TypeAccess] Color
 #  180|         0: [IntegerLiteral] 65280
-#  181|     9: [FieldDeclaration] Color BLUE;
+#  181|     10: [FieldDeclaration] Color BLUE;
 #  181|       -1: [TypeAccess] Color
 #  181|       0: [ClassInstanceExpr] new Color(...)
 #  181|         -3: [TypeAccess] Color
--- a/java/ql/test/kotlin/library-tests/exprs/exprs.expected
+++ b/java/ql/test/kotlin/library-tests/exprs/exprs.expected
@@ -885,10 +885,14 @@
 | delegatedProperties.kt:87:34:87:46 | this | delegatedProperties.kt:87:34:87:46 | invoke | ThisAccess |
 | exprs.kt:0:0:0:0 | Color | file://:0:0:0:0 | <none> | TypeAccess |
 | exprs.kt:0:0:0:0 | Color | file://:0:0:0:0 | <none> | TypeAccess |
+| exprs.kt:0:0:0:0 | Color | file://:0:0:0:0 | <none> | TypeAccess |
 | exprs.kt:0:0:0:0 | Color[] | file://:0:0:0:0 | <none> | TypeAccess |
 | exprs.kt:0:0:0:0 | Direction | file://:0:0:0:0 | <none> | TypeAccess |
 | exprs.kt:0:0:0:0 | Direction | file://:0:0:0:0 | <none> | TypeAccess |
+| exprs.kt:0:0:0:0 | Direction | file://:0:0:0:0 | <none> | TypeAccess |
 | exprs.kt:0:0:0:0 | Direction[] | file://:0:0:0:0 | <none> | TypeAccess |
+| exprs.kt:0:0:0:0 | EnumEntries<Color> | file://:0:0:0:0 | <none> | TypeAccess |
+| exprs.kt:0:0:0:0 | EnumEntries<Direction> | file://:0:0:0:0 | <none> | TypeAccess |
 | exprs.kt:0:0:0:0 | String | file://:0:0:0:0 | <none> | TypeAccess |
 | exprs.kt:0:0:0:0 | String | file://:0:0:0:0 | <none> | TypeAccess |
 | exprs.kt:4:1:142:1 | int | file://:0:0:0:0 | <none> | TypeAccess |
--- a/java/ql/test/kotlin/library-tests/exprs_typeaccess/PrintAst.expected
+++ b/java/ql/test/kotlin/library-tests/exprs_typeaccess/PrintAst.expected
@@ -74,15 +74,18 @@ A.kt:
 #   20|           0: [VarAccess] B.x
 #   20|             -1: [TypeAccess] B
 #   23|     11: [Class] Enu
-#    0|       2: [Method] valueOf
+#    0|       2: [Method] getEntries
+#    0|         3: [TypeAccess] EnumEntries<Enu>
+#    0|           0: [TypeAccess] Enu
+#    0|       3: [Method] valueOf
 #    0|         3: [TypeAccess] Enu
 #-----|         4: (Parameters)
 #    0|           0: [Parameter] value
 #    0|             0: [TypeAccess] String
-#    0|       3: [Method] values
+#    0|       4: [Method] values
 #    0|         3: [TypeAccess] Enu[]
 #    0|           0: [TypeAccess] Enu
-#   23|       4: [Constructor] Enu
+#   23|       5: [Constructor] Enu
 #   23|         5: [BlockStmt] { ... }
 #   23|           0: [ExprStmt] <Expr>;
 #   23|             0: [ClassInstanceExpr] new Enum(...)
@@ -91,15 +94,15 @@ A.kt:
 #   23|               0: [NullLiteral] null
 #   23|               1: [IntegerLiteral] 0
 #   23|           1: [BlockStmt] { ... }
-#   24|       5: [FieldDeclaration] Enu A;
+#   24|       6: [FieldDeclaration] Enu A;
 #   24|         -1: [TypeAccess] Enu
 #   24|         0: [ClassInstanceExpr] new Enu(...)
 #   24|           -3: [TypeAccess] Enu
-#   24|       6: [FieldDeclaration] Enu B;
+#   24|       7: [FieldDeclaration] Enu B;
 #   24|         -1: [TypeAccess] Enu
 #   24|         0: [ClassInstanceExpr] new Enu(...)
 #   24|           -3: [TypeAccess] Enu
-#   24|       7: [FieldDeclaration] Enu C;
+#   24|       8: [FieldDeclaration] Enu C;
 #   24|         -1: [TypeAccess] Enu
 #   24|         0: [ClassInstanceExpr] new Enu(...)
 #   24|           -3: [TypeAccess] Enu
--- a/java/ql/test/kotlin/library-tests/methods/exprs.expected
+++ b/java/ql/test/kotlin/library-tests/methods/exprs.expected
@@ -225,7 +225,11 @@
 | delegates.kt:10:33:10:35 | new | VarAccess |
 | enumClass.kt:0:0:0:0 | EnumClass | TypeAccess |
 | enumClass.kt:0:0:0:0 | EnumClass | TypeAccess |
+| enumClass.kt:0:0:0:0 | EnumClass | TypeAccess |
 | enumClass.kt:0:0:0:0 | EnumClass[] | TypeAccess |
+| enumClass.kt:0:0:0:0 | EnumEntries<EnumClass> | TypeAccess |
+| enumClass.kt:0:0:0:0 | EnumEntries<EnumWithFunctions> | TypeAccess |
+| enumClass.kt:0:0:0:0 | EnumWithFunctions | TypeAccess |
 | enumClass.kt:0:0:0:0 | EnumWithFunctions | TypeAccess |
 | enumClass.kt:0:0:0:0 | EnumWithFunctions | TypeAccess |
 | enumClass.kt:0:0:0:0 | EnumWithFunctions[] | TypeAccess |
--- a/java/ql/test/kotlin/library-tests/methods/methods.expected
+++ b/java/ql/test/kotlin/library-tests/methods/methods.expected
@@ -26,10 +26,12 @@ methods
 | delegates.kt:8:32:11:5 | new KMutableProperty1<MyClass,String>(...) { ... } | delegates.kt:8:32:11:5 | set | set(MyClass,java.lang.String) | override, public |  |
 | delegates.kt:8:66:11:5 | new Function3<KProperty<?>,String,String,Unit>(...) { ... } | delegates.kt:8:66:11:5 | invoke | invoke(kotlin.reflect.KProperty,java.lang.String,java.lang.String) | final, override, public |  |
 | enumClass.kt:1:1:4:1 | EnumClass | enumClass.kt:0:0:0:0 | <clinit> | <clinit>() | static | Compiler generated |
+| enumClass.kt:1:1:4:1 | EnumClass | enumClass.kt:0:0:0:0 | getEntries | getEntries() | final, public, static | Compiler generated |
 | enumClass.kt:1:1:4:1 | EnumClass | enumClass.kt:0:0:0:0 | valueOf | valueOf(java.lang.String) | final, public, static | Compiler generated |
 | enumClass.kt:1:1:4:1 | EnumClass | enumClass.kt:0:0:0:0 | values | values() | final, public, static | Compiler generated |
 | enumClass.kt:1:1:4:1 | EnumClass | enumClass.kt:1:22:1:31 | getV | getV() | final, public | Compiler generated |
 | enumClass.kt:6:1:16:1 | EnumWithFunctions | enumClass.kt:0:0:0:0 | <clinit> | <clinit>() | static | Compiler generated |
+| enumClass.kt:6:1:16:1 | EnumWithFunctions | enumClass.kt:0:0:0:0 | getEntries | getEntries() | final, public, static | Compiler generated |
 | enumClass.kt:6:1:16:1 | EnumWithFunctions | enumClass.kt:0:0:0:0 | valueOf | valueOf(java.lang.String) | final, public, static | Compiler generated |
 | enumClass.kt:6:1:16:1 | EnumWithFunctions | enumClass.kt:0:0:0:0 | values | values() | final, public, static | Compiler generated |
 | enumClass.kt:6:1:16:1 | EnumWithFunctions | enumClass.kt:13:12:13:29 | f | f(int) | abstract, public |  |
--- a/java/ql/test/library-tests/file_classes/A.kt
+++ b/java/ql/test/library-tests/file_classes/A.kt
@@ -0,0 +1,2 @@
+fun a() {
+}
--- a/java/ql/test/library-tests/file_classes/B.kt
+++ b/java/ql/test/library-tests/file_classes/B.kt
@@ -0,0 +1,3 @@
+fun b() {
+    a()
+}
--- a/java/ql/test/library-tests/file_classes/C.kt
+++ b/java/ql/test/library-tests/file_classes/C.kt
@@ -0,0 +1,3 @@
+class C {
+    fun c() {}
+}
--- a/java/ql/test/library-tests/file_classes/classes.expected
+++ b/java/ql/test/library-tests/file_classes/classes.expected
@@ -0,0 +1,3 @@
+| A.kt:0:0:0:0 | AKt | true |
+| B.kt:0:0:0:0 | BKt | true |
+| C.kt:1:1:3:1 | C | false |
--- a/java/ql/test/library-tests/file_classes/classes.ql
+++ b/java/ql/test/library-tests/file_classes/classes.ql
@@ -0,0 +1,5 @@
+import java
+
+from Class c
+where c.fromSource()
+select c, any(boolean b | if c.isFileClass() then b = true else b = false)
--- a/java/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.expected
+++ b/java/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.expected
@@ -7,5 +7,9 @@
 | java.net.URL#openStream() | 1 |
 | java.net.URLConnection#getInputStream() | 1 |
 | java.time.Duration#ofMillis(long) | 1 |
+| java.util.Iterator#next() | 1 |
+| java.util.Map#entrySet() | 1 |
 | java.util.Map#put(Object,Object) | 1 |
+| java.util.Map$Entry#getKey() | 1 |
+| java.util.Set#iterator() | 1 |
 | org.apache.commons.io.FileUtils#deleteDirectory(File) | 1 |
--- a/java/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.java
+++ b/java/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.java
@@ -15,6 +15,7 @@ class SupportedExternalApis {

 		Map<String, Object> map = new HashMap<>(); // uninteresting (parameterless constructor)
 		map.put("foo", new Object()); // supported summary
+		map.entrySet().iterator().next().getKey(); // nested class (Map.Entry), supported summaries (entrySet, iterator, next, getKey)

 		Duration d = java.time.Duration.ofMillis(1000); // supported neutral

--- a/java/ql/test/query-tests/security/CWE-749/UnsafeActivityKt.kt
+++ b/java/ql/test/query-tests/security/CWE-749/UnsafeActivityKt.kt
@@ -9,12 +9,19 @@ import android.webkit.WebViewClient
 class UnsafeActivityKt : Activity() {
    override fun onCreate(savedInstanceState : Bundle) {

+		val src : String = intent.extras.getString("url")
+
 		val wv = findViewById<WebView>(-1)
 		// Implicit not-nulls happening here
 		wv.settings.setJavaScriptEnabled(true)
 		wv.settings.setAllowFileAccessFromFileURLs(true)

-		val thisUrl : String = intent.extras.getString("url")
-		wv.loadUrl(thisUrl) // $ hasUnsafeAndroidAccess
+		wv.loadUrl(src) // $ hasUnsafeAndroidAccess
+
+		val wv2 = findViewById<WebView>(-1)
+		wv2.apply {
+			settings.setJavaScriptEnabled(true)
+		}
+		wv2.loadUrl(src) // $ hasUnsafeAndroidAccess
    }
 }