Merge branch 'main' into main

.github/workflows/ruby-build.yml

@@ -50,7 +50,7 @@ jobs:
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
       - name: Install cargo-cross
         if: runner.os == 'Linux'
-        run: cargo install cross --version 0.2.1
+        run: cargo install cross --version 0.2.5
       - uses: ./.github/actions/os-version
         id: os_version
       - name: Cache entire extractor
@@ -85,7 +85,12 @@ jobs:
       # This ensures we don't depend on glibc > 2.17.
       - name: Release build (linux)
         if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
-        run: cd extractor && cross build --release
+        run: |
+          cd extractor
+          cross build --release
+          mv target/x86_64-unknown-linux-gnu/release/extractor target/release/
+          mv target/x86_64-unknown-linux-gnu/release/autobuilder target/release/
+          mv target/x86_64-unknown-linux-gnu/release/generator target/release/
       - name: Release build (windows and macos)
         if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
         run: cd extractor && cargo build --release

.github/workflows/ruby-qltest.yml

@@ -4,6 +4,7 @@ on:
   push:
     paths:
       - "ruby/**"
+      - "shared/**"
       - .github/workflows/ruby-build.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml

cpp/ql/lib/change-notes/2023-03-28-dataflow-rm-footgun.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll

@@ -591,24 +591,6 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
     delta = D::fromInt(0) and
     (upper = true or upper = false)
     or
-    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-      // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
-      not x instanceof SemConstantIntegerExpr and
-      not e1 instanceof SemConstantIntegerExpr and
-      if strictlyPositiveIntegralExpr(x)
-      then upper = false and delta = D::fromInt(1)
-      else
-        if semPositive(x)
-        then upper = false and delta = D::fromInt(0)
-        else
-          if strictlyNegativeIntegralExpr(x)
-          then upper = true and delta = D::fromInt(-1)
-          else
-            if semNegative(x)
-            then upper = true and delta = D::fromInt(0)
-            else none()
-    )
-    or
     exists(SemExpr x, SemSubExpr sub |
       e2 = sub and
       sub.getLeftOperand() = e1 and
@@ -1043,13 +1025,193 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
         delta = D::fromFloat(f) and
         if semPositive(e) then f >= 0 else any()
       )
+      or
+      exists(
+        SemBound bLeft, SemBound bRight, D::Delta dLeft, D::Delta dRight, boolean fbeLeft,
+        boolean fbeRight, D::Delta odLeft, D::Delta odRight, SemReason rLeft, SemReason rRight
+      |
+        boundedAddOperand(e, upper, bLeft, false, dLeft, fbeLeft, odLeft, rLeft) and
+        boundedAddOperand(e, upper, bRight, true, dRight, fbeRight, odRight, rRight) and
+        delta = D::fromFloat(D::toFloat(dLeft) + D::toFloat(dRight)) and
+        fromBackEdge = fbeLeft.booleanOr(fbeRight)
+      |
+        b = bLeft and origdelta = odLeft and reason = rLeft and bRight instanceof SemZeroBound
+        or
+        b = bRight and origdelta = odRight and reason = rRight and bLeft instanceof SemZeroBound
+      )
+      or
+      exists(
+        SemRemExpr rem, SemZeroBound b1, SemZeroBound b2, D::Delta d_max, D::Delta d1, D::Delta d2,
+        boolean fbe1, boolean fbe2, D::Delta od1, D::Delta od2, SemReason r1, SemReason r2
+      |
+        rem = e and
+        not (upper = true and semPositive(rem.getRightOperand())) and
+        not (upper = true and semPositive(rem.getLeftOperand())) and
+        boundedRemExpr(rem, b1, true, d1, fbe1, od1, r1) and
+        boundedRemExpr(rem, b2, false, d2, fbe2, od2, r2) and
+        (
+          if D::toFloat(d1).abs() > D::toFloat(d2).abs()
+          then (
+            b = b1 and d_max = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
+          ) else (
+            b = b2 and d_max = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
+          )
+        )
+      |
+        upper = true and delta = D::fromFloat(D::toFloat(d_max).abs() - 1)
+        or
+        upper = false and delta = D::fromFloat(-D::toFloat(d_max).abs() + 1)
+      )
+      or
+      exists(
+        D::Delta dLeft, D::Delta dRight, boolean fbeLeft, boolean fbeRight, D::Delta odLeft,
+        D::Delta odRight, SemReason rLeft, SemReason rRight
+      |
+        boundedMulOperand(e, upper, true, dLeft, fbeLeft, odLeft, rLeft) and
+        boundedMulOperand(e, upper, false, dRight, fbeRight, odRight, rRight) and
+        delta = D::fromFloat(D::toFloat(dLeft) * D::toFloat(dRight)) and
+        fromBackEdge = fbeLeft.booleanOr(fbeRight)
+      |
+        b instanceof SemZeroBound and origdelta = odLeft and reason = rLeft
+        or
+        b instanceof SemZeroBound and origdelta = odRight and reason = rRight
+      )
     )
   }
 
+  pragma[nomagic]
   private predicate boundedConditionalExpr(
     SemConditionalExpr cond, SemBound b, boolean upper, boolean branch, D::Delta delta,
     boolean fromBackEdge, D::Delta origdelta, SemReason reason
   ) {
     bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
   }
+
+  pragma[nomagic]
+  private predicate boundedAddOperand(
+    SemAddExpr add, boolean upper, SemBound b, boolean isLeft, D::Delta delta, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason
+  ) {
+    // `semValueFlowStep` already handles the case where one of the operands is a constant.
+    not semValueFlowStep(add, _, _) and
+    (
+      isLeft = true and
+      bounded(add.getLeftOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+      or
+      isLeft = false and
+      bounded(add.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+    )
+  }
+
+  private predicate boundedRemExpr(
+    SemRemExpr rem, SemZeroBound b, boolean upper, D::Delta delta, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason
+  ) {
+    bounded(rem.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+  }
+
+  /**
+   * Define `cmp(true) = <=` and `cmp(false) = >=`.
+   *
+   * Holds if `mul = left * right`, and in order to know if `mul cmp(upper) 0 + k` (for
+   * some `k`) we need to know that `left cmp(upperLeft) 0 + k1` and
+   * `right cmp(upperRight) 0 + k2` (for some `k1` and `k2`).
+   */
+  pragma[nomagic]
+  private predicate boundedMulOperandCand(
+    SemMulExpr mul, SemExpr left, SemExpr right, boolean upper, boolean upperLeft,
+    boolean upperRight
+  ) {
+    not boundFlowStepMul(mul, _, _) and
+    mul.getLeftOperand() = left and
+    mul.getRightOperand() = right and
+    (
+      semPositive(left) and
+      (
+        // left, right >= 0
+        semPositive(right) and
+        (
+          // max(left * right) = max(left) * max(right)
+          upper = true and
+          upperLeft = true and
+          upperRight = true
+          or
+          // min(left * right) = min(left) * min(right)
+          upper = false and
+          upperLeft = false and
+          upperRight = false
+        )
+        or
+        // left >= 0, right <= 0
+        semNegative(right) and
+        (
+          // max(left * right) = min(left) * max(right)
+          upper = true and
+          upperLeft = false and
+          upperRight = true
+          or
+          // min(left * right) = max(left) * min(right)
+          upper = false and
+          upperLeft = true and
+          upperRight = false
+        )
+      )
+      or
+      semNegative(left) and
+      (
+        // left <= 0, right >= 0
+        semPositive(right) and
+        (
+          // max(left * right) = max(left) * min(right)
+          upper = true and
+          upperLeft = true and
+          upperRight = false
+          or
+          // min(left * right) = min(left) * max(right)
+          upper = false and
+          upperLeft = false and
+          upperRight = true
+        )
+        or
+        // left, right <= 0
+        semNegative(right) and
+        (
+          // max(left * right) = min(left) * min(right)
+          upper = true and
+          upperLeft = false and
+          upperRight = false
+          or
+          // min(left * right) = max(left) * max(right)
+          upper = false and
+          upperLeft = true and
+          upperRight = true
+        )
+      )
+    )
+  }
+
+  /**
+   * Holds if `isLeft = true` and `mul`'s left operand is bounded by `delta`,
+   * or if `isLeft = false` and `mul`'s right operand is bounded by `delta`.
+   *
+   * If `upper = true` the computed bound contributes to an upper bound of `mul`,
+   * and if `upper = false` it contributes to a lower bound.
+   * The `fromBackEdge`, `origdelta`, `reason` triple are defined by the recursive
+   * call to `bounded`.
+   */
+  pragma[nomagic]
+  private predicate boundedMulOperand(
+    SemMulExpr mul, boolean upper, boolean isLeft, D::Delta delta, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason
+  ) {
+    exists(boolean upperLeft, boolean upperRight, SemExpr left, SemExpr right |
+      boundedMulOperandCand(mul, left, right, upper, upperLeft, upperRight)
+    |
+      isLeft = true and
+      bounded(left, any(SemZeroBound zb), delta, upperLeft, fromBackEdge, origdelta, reason)
+      or
+      isLeft = false and
+      bounded(right, any(SemZeroBound zb), delta, upperRight, fromBackEdge, origdelta, reason)
+    )
+  }
 }

cpp/ql/lib/qlpack.yml

@@ -8,3 +8,4 @@ upgrades: upgrades
 dependencies:
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
+  codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -3,6 +3,7 @@ private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
 private import DataFlowImplConsistency
+private import codeql.util.Unit
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
@@ -264,15 +265,6 @@ int accessPathLimit() { result = 5 }
  */
 predicate forceHighPrecision(Content c) { none() }
 
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) { none() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -6,6 +6,7 @@ private import DataFlowImplConsistency
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
+private import codeql.util.Unit
 
 cached
 private module Cached {
@@ -799,15 +800,6 @@ int accessPathLimit() { result = 5 }
  */
 predicate forceHighPrecision(Content c) { none() }
 
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
   n instanceof OperandNode and

cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql

@@ -62,11 +62,16 @@ predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
 predicate isSinkPairImpl(
   CallInstruction c, DataFlow::Node bufSink, DataFlow::Node sizeSink, int delta, Expr eBuf
 ) {
-  exists(int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr |
+  exists(
+    int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr, ArrayFunction func
+  |
     bufInstr = bufSink.asInstruction() and
     c.getArgument(bufIndex) = bufInstr and
     sizeInstr = sizeSink.asInstruction() and
-    c.getStaticCallTarget().(ArrayFunction).hasArrayWithVariableSize(bufIndex, sizeIndex) and
+    c.getStaticCallTarget() = func and
+    pragma[only_bind_into](func)
+        .hasArrayWithVariableSize(pragma[only_bind_into](bufIndex),
+          pragma[only_bind_into](sizeIndex)) and
     bounded(c.getArgument(sizeIndex), sizeInstr, delta) and
     eBuf = bufInstr.getUnconvertedResultExpression()
   )

cpp/ql/test/library-tests/CPP-205/elements.expected

@@ -1,35 +1,21 @@
-| CPP-205.cpp:0:0:0:0 | CPP-205.cpp |  |
+| CPP-205.cpp:2:5:2:5 | definition of fn | function declaration entry for int fn<int>(int), isFromTemplateInstantiation(fn) |
-| CPP-205.cpp:1:20:1:20 | T |  |
+| CPP-205.cpp:2:5:2:5 | fn | function int fn<int>(int), isFromTemplateInstantiation(fn) |
-| CPP-205.cpp:1:20:1:20 | definition of T |  |
+| CPP-205.cpp:2:5:2:6 | definition of fn | function declaration entry for int fn<T>(T), isFromUninstantiatedTemplate(fn) |
-| CPP-205.cpp:2:5:2:5 | definition of fn | function declaration entry for int fn<int>(int) |
+| CPP-205.cpp:2:5:2:6 | fn | function int fn<T>(T), isFromUninstantiatedTemplate(fn) |
-| CPP-205.cpp:2:5:2:5 | fn | function int fn<int>(int) |
+| CPP-205.cpp:2:10:2:12 | definition of out | isFromTemplateInstantiation(fn), parameter declaration entry for int fn<int>(int) |
-| CPP-205.cpp:2:5:2:6 | definition of fn | function declaration entry for int fn<T>(T) |
+| CPP-205.cpp:2:10:2:12 | definition of out | isFromUninstantiatedTemplate(fn), parameter declaration entry for int fn<T>(T) |
-| CPP-205.cpp:2:5:2:6 | fn | function int fn<T>(T) |
+| CPP-205.cpp:2:10:2:12 | out | isFromTemplateInstantiation(fn), parameter for int fn<int>(int) |
-| CPP-205.cpp:2:10:2:12 | definition of out | parameter declaration entry for int fn<T>(T) |
+| CPP-205.cpp:2:10:2:12 | out | isFromUninstantiatedTemplate(fn), parameter for int fn<T>(T) |
-| CPP-205.cpp:2:10:2:12 | definition of out | parameter declaration entry for int fn<int>(int) |
+| CPP-205.cpp:2:15:5:1 | { ... } | isFromTemplateInstantiation(fn) |
-| CPP-205.cpp:2:10:2:12 | out | parameter for int fn<T>(T) |
+| CPP-205.cpp:2:15:5:1 | { ... } | isFromUninstantiatedTemplate(fn) |
-| CPP-205.cpp:2:10:2:12 | out | parameter for int fn<int>(int) |
+| CPP-205.cpp:3:3:3:33 | declaration | isFromTemplateInstantiation(fn) |
-| CPP-205.cpp:2:15:5:1 | { ... } |  |
+| CPP-205.cpp:3:3:3:33 | declaration | isFromUninstantiatedTemplate(fn) |
-| CPP-205.cpp:2:15:5:1 | { ... } |  |
+| CPP-205.cpp:3:15:3:15 | declaration of y | isFromUninstantiatedTemplate(fn) |
-| CPP-205.cpp:3:3:3:33 | declaration |  |
+| CPP-205.cpp:3:15:3:15 | y | isFromUninstantiatedTemplate(fn) |
-| CPP-205.cpp:3:3:3:33 | declaration |  |
+| CPP-205.cpp:3:17:3:31 | 5 | isFromTemplateInstantiation(fn) |
-| CPP-205.cpp:3:15:3:15 | declaration of y |  |
+| CPP-205.cpp:4:3:4:11 | return ... | isFromTemplateInstantiation(fn) |
-| CPP-205.cpp:3:15:3:15 | y |  |
+| CPP-205.cpp:4:3:4:11 | return ... | isFromUninstantiatedTemplate(fn) |
-| CPP-205.cpp:3:17:3:31 | 5 |  |
+| CPP-205.cpp:4:10:4:10 | 0 | isFromTemplateInstantiation(fn) |
-| CPP-205.cpp:4:3:4:11 | return ... |  |
+| CPP-205.cpp:4:10:4:10 | 0 | isFromUninstantiatedTemplate(fn) |
-| CPP-205.cpp:4:3:4:11 | return ... |  |
-| CPP-205.cpp:4:10:4:10 | 0 |  |
-| CPP-205.cpp:4:10:4:10 | 0 |  |
 | CPP-205.cpp:7:5:7:8 | definition of main | function declaration entry for int main() |
 | CPP-205.cpp:7:5:7:8 | main | function int main() |
-| CPP-205.cpp:7:12:9:1 | { ... } |  |
-| CPP-205.cpp:8:3:8:15 | return ... |  |
-| CPP-205.cpp:8:10:8:11 | call to fn |  |
-| CPP-205.cpp:8:13:8:13 | 0 |  |
-| file://:0:0:0:0 | (unnamed parameter 0) | parameter for __va_list_tag& __va_list_tag::operator=(__va_list_tag const&) |
-| file://:0:0:0:0 | (unnamed parameter 0) | parameter for __va_list_tag& __va_list_tag::operator=(__va_list_tag&&) |
-| file://:0:0:0:0 | __super |  |
-| file://:0:0:0:0 | __va_list_tag |  |
-| file://:0:0:0:0 | operator= | function __va_list_tag& __va_list_tag::operator=(__va_list_tag const&) |
-| file://:0:0:0:0 | operator= | function __va_list_tag& __va_list_tag::operator=(__va_list_tag&&) |
-| file://:0:0:0:0 | y |  |

cpp/ql/test/library-tests/CPP-205/elements.ql

@@ -14,10 +14,20 @@ string describe(Element e) {
   result =
     "parameter declaration entry for " +
       getIdentityString(e.(ParameterDeclarationEntry).getFunctionDeclarationEntry().getFunction())
+  or
+  exists(Element template |
+    e.isFromTemplateInstantiation(template) and
+    result = "isFromTemplateInstantiation(" + template.toString() + ")"
+  )
+  or
+  exists(Element template |
+    e.isFromUninstantiatedTemplate(template) and
+    result = "isFromUninstantiatedTemplate(" + template.toString() + ")"
+  )
 }
 
 from Element e
 where
-  not e.getLocation() instanceof UnknownLocation and
+  e.getLocation().getFile().getBaseName() != "" and
   not e instanceof Folder
-select e, concat(describe(e), ", ")
+select e, strictconcat(describe(e), ", ")

cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp

@@ -18,20 +18,20 @@ int test2(struct List* p) {
   int count = 0;
   for (; p; p = p->next) {
     count = (count+1) % 10;
-    range(count); // $ range=<=9
+    range(count); // $ range=>=-9 range=<=9
   }
-  range(count); // $ range=<=9
+  range(count); // $ range=>=-9 range=<=9
   return count;
 }
 
 int test3(struct List* p) {
   int count = 0;
   for (; p; p = p->next) {
-    range(count++); // $ range=<=9
+    range(count++); // $ range=>=-9 range=<=9
     count = count % 10;
-    range(count); // $ range=<=9
+    range(count); // $ range=>=-9 range=<=9
   }
-  range(count); // $ range=<=9
+  range(count); // $ range=>=-9 range=<=9
   return count;
 }
 
@@ -40,13 +40,13 @@ int test4() {
   int total = 0;
   for (i = 0; i < 2; i = i+1) {
     range(i); // $ range=<=1 range=>=0
-    range(total);
+    range(total); // $ range=>=0
     total += i;
-    range(total);
+    range(total); // $ range=<=i+1 range=<=i+1 range=>=0 range=>=i+0
   }
-  range(total);
+  range(total); // $ range=>=0
   range(i); // $ range===2
-  range(total + i); // $ range=>=i+1
+  range(total + i); // $ range===i+2 range=>=2 range=>=i+0
   return total + i;
 }
 
@@ -55,13 +55,13 @@ int test5() {
   int total = 0;
   for (i = 0; i < 2; i++) {
     range(i); // $ range=<=1 range=>=0
-    range(total);
+    range(total); // $ range=>=0
     total += i;
-    range(total);
+    range(total); // $ range=<=i+1 range=>=0 range=>=i+0
   }
-  range(total);
+  range(total); // $ range=>=0
   range(i); // $ range===2
-  range(total + i); // $ range=>=i+1
+  range(total + i); // $ range===i+2 range=>=2 range=>=i+0
   return total + i;
 }
 
@@ -70,9 +70,9 @@ int test6() {
   int total = 0;
   for (i = 0; i+2 < 4; i = i+1) {
     range(i); // $ range=<=1 range=>=0
-    range(total);
+    range(total); // $ range=>=0
     total += i;
-    range(total);
+    range(total); // $ range=<=i+1 range=>=0 range=>=i+0
   }
   return total + i;
 }
@@ -175,12 +175,12 @@ int test12() {
    size_type Start = 0;
    while (Start <= test12_helper()-1)
    {
-    range(Start); // $ range=>=0
+    range(Start);
     const size_type Length = test12_helper();
     Start += Length + 1;
-    range(Start); // $ range=>=1 range=>=Start+1 range=">=call to test12_helper+1"
+    range(Start);
    }
-   range(Start); // $ range=>=0
+   range(Start);
 
    return 1;
 }
@@ -194,8 +194,8 @@ int test13(char c, int i) {
   range(y); // $ range===-1
   int z = i+1;
   range(z); // $ range===i+1
-  range(c + i + uc + x + y + z); // $ range=>=1 range=">=... - ...+0"
+  range(c + i + uc + x + y + z);
-  range((double)(c + i + uc + x + y + z)); // $ range=>=1 range=">=... - ...+0"
+  range((double)(c + i + uc + x + y + z));
   return (double)(c + i + uc + x + y + z);
 }
 
@@ -233,9 +233,9 @@ int test_unary(int a) {
     range(b); // $ range=<=11 range=>=3
     int c = -a;
     range(c); // $ range=<=-3 range=>=-11
-    range(b+c); // $ range=<=10 range="<=+ ...:a-1" range=">=- ...+1" range=>=-10
+    range(b+c); // $ range=<=8 range=>=-8
     total += b+c;
-    range(total);
+    range(total); // $ range=<=8 range=>=-8
   }
   if (0 <= a && a <= 11) {
     range(a); // $ range=<=11 range=>=0
@@ -243,9 +243,9 @@ int test_unary(int a) {
     range(b); // $ range=<=11 range=>=0
     int c = -a;
     range(c); // $ range=<=0 range=>=-11
-    range(b+c); // $ range=<=11 range="<=+ ...:a+0" range=">=- ...+0" range=>=-11
+    range(b+c); // $ range=<=11  range=>=-11
     total += b+c;
-    range(total);
+    range(total); // $ range=<=0+11 range=<=19 range=>=0-11 range=>=-19
   }
   if (-7 <= a && a <= 11) {
     range(a); // $ range=<=11 range=>=-7
@@ -253,9 +253,9 @@ int test_unary(int a) {
     range(b); // $ range=<=11 range=>=-7
     int c = -a;
     range(c); // $ range=<=7 range=>=-11
-    range(b+c);
+    range(b+c); // $ range=<=18 range=>=-18
     total += b+c;
-    range(total);
+    range(total); // $ range="<=- ...+18" range=">=- ...-18" range=<=0+29 range=<=37 range=>=0-29 range=>=-37
   }
   if (-7 <= a && a <= 1) {
     range(a); // $ range=<=1 range=>=-7
@@ -263,9 +263,9 @@ int test_unary(int a) {
     range(b); // $ range=<=1 range=>=-7
     int c = -a;
     range(c); // $ range=<=7 range=>=-1
-    range(b+c);
+    range(b+c); // $ range=<=8 range=>=-8
     total += b+c;
-    range(total);
+    range(total); // $ range="<=- ...+8" range="<=- ...+26" range=">=- ...-8" range=">=- ...-26" range=<=0+37 range=<=45 range=>=0-37 range=>=-45
   }
   if (-7 <= a && a <= 0) {
     range(a); // $ range=<=0 range=>=-7
@@ -273,9 +273,9 @@ int test_unary(int a) {
     range(b); // $ range=<=0 range=>=-7
     int c = -a;
     range(c); // $ range=<=7 range=>=0
-    range(b+c); // $ range="<=- ...+0" range=">=+ ...:a+0" range=>=-7 range=<=7
+    range(b+c); // $ range=>=-7 range=<=7
     total += b+c;
-    range(total);
+    range(total); // $ range="<=- ...+7" range="<=- ...+15" range="<=- ...+33" range=">=- ...-7" range=">=- ...-15" range=">=- ...-33" range=<=0+44 range=<=52 range=>=0-44 range=>=-52
   }
   if (-7 <= a && a <= -2) {
     range(a); // $ range=<=-2 range=>=-7
@@ -283,11 +283,11 @@ int test_unary(int a) {
     range(b); // $ range=<=-2 range=>=-7
     int c = -a;
     range(c); // $ range=<=7 range=>=2
-    range(b+c); // $ range="<=- ...-1" range=">=+ ...:a+1" range=>=-6 range=<=6
+    range(b+c); // $ range=<=5 range=>=-5
     total += b+c;
-    range(total);
+    range(total); // $ range="<=- ...+5" range="<=- ...+12" range="<=- ...+20" range="<=- ...+38" range=">=- ...-5" range=">=- ...-12" range=">=- ...-20" range=">=- ...-38" range=<=0+49 range=<=57 range=>=0-49 range=>=-57
   }
-  range(total);
+  range(total); // $ range="<=- ...+5" range="<=- ...+12" range="<=- ...+20" range="<=- ...+38" range=">=- ...-5" range=">=- ...-12" range=">=- ...-20" range=">=- ...-38" range=<=0+49 range=<=57 range=>=0-49 range=>=-57
   return total;
 }
 
@@ -300,17 +300,17 @@ int test_mult01(int a, int b) {
     range(a); // $ range=<=11 range=>=3
     range(b); // $ range=<=23 range=>=5
     int r = a*b;  // 15 .. 253
-    range(r);
+    range(r); // $ range=<=253 range=>=15
     total += r;
-    range(total); // $ range=>=1
+    range(total); // $ range=<=253 range=>=15
   }
   if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
     range(a); // $ range=<=11 range=>=3
     range(b); // $ range=<=23 range=>=0
     int r = a*b;  // 0 .. 253
-    range(r);
+    range(r); // $ range=<=253 range=>=0
     total += r;
-    range(total); // $ range=>=0 range=>=3+0
+    range(total); // $ range=<=3+253 range=<=506 range=>=0 range=>=3+0
   }
   if (3 <= a && a <= 11 && -13 <= b && b <= 23) {
     range(a); // $ range=<=11 range=>=3
@@ -324,19 +324,19 @@ int test_mult01(int a, int b) {
     range(a); // $ range=<=11 range=>=3
     range(b); // $ range=<=0 range=>=-13
     int r = a*b;  // -143 .. 0
-    range(r);
+    range(r); // $ range=<=0 range=>=-143
     total += r;
-    range(total); // $ range=<=3+0
+    range(total); // $ range=<=3+0 range=>=3-143
   }
   if (3 <= a && a <= 11 && -13 <= b && b <= -7) {
     range(a); // $ range=<=11 range=>=3
     range(b); // $ range=<=-7 range=>=-13
     int r = a*b;  // -143 .. -21
-    range(r);
+    range(r); // $ range=<=-21 range=>=-143
     total += r;
-    range(total); // $ range=<=3-1
+    range(total); // $ range=<=3-21 range=>=3-143 range=>=3-286
   }
-  range(total); // $ range=<=3+0
+  range(total); // $ range=<=3+0 range=>=3-143 range=>=3-286
   return total;
 }
 
@@ -348,17 +348,17 @@ int test_mult02(int a, int b) {
     range(a); // $ range=<=11 range=>=0
     range(b); // $ range=<=23 range=>=5
     int r = a*b;  // 0 .. 253
-    range(r);
+    range(r); // $ range=<=253 range=>=0
     total += r;
-    range(total); // $ range=>=0
+    range(total); // $ range=>=0 range=<=253
   }
   if (0 <= a && a <= 11 && 0 <= b && b <= 23) {
     range(a); // $ range=<=11 range=>=0
     range(b); // $ range=<=23 range=>=0
     int r = a*b;  // 0 .. 253
-    range(r);
+    range(r); // $ range=<=253 range=>=0
     total += r;
-    range(total); // $ range=>=0 range=>=0+0
+    range(total); // $ range=>=0 range=>=0+0 range=<=0+253 range=<=506
   }
   if (0 <= a && a <= 11 && -13 <= b && b <= 23) {
     range(a); // $ range=<=11 range=>=0
@@ -372,19 +372,19 @@ int test_mult02(int a, int b) {
     range(a); // $ range=<=11 range=>=0
     range(b); // $ range=<=0 range=>=-13
     int r = a*b;  // -143 .. 0
-    range(r);
+    range(r); // $ range=<=0 range=>=-143
     total += r;
-    range(total); // $ range=<=0+0
+    range(total); // $ range=<=0+0 range=>=0-143
   }
   if (0 <= a && a <= 11 && -13 <= b && b <= -7) {
     range(a); // $ range=<=11 range=>=0
     range(b); // $ range=<=-7 range=>=-13
     int r = a*b;  // -143 .. 0
-    range(r);
+    range(r); // $ range=<=0 range=>=-143
     total += r;
-    range(total); // $ range=<=0+0
+    range(total); // $ range=<=0+0 range=>=0-143 range=>=0-286
   }
-  range(total); // $ range=<=0+0
+  range(total); // $ range=<=0+0 range=>=0-143 range=>=0-286
   return total;
 }
 
@@ -445,15 +445,15 @@ int test_mult04(int a, int b) {
     range(b); // $ range=<=23 range=>=5
     int r = a*b;  // -391 .. 0
     total += r;
-    range(total); // $ range=<=0
+    range(total); // $ range=<=0 range=>=-391
   }
   if (-17 <= a && a <= 0 && 0 <= b && b <= 23) {
     range(a); // $ range=<=0 range=>=-17
     range(b); // $ range=<=23 range=>=0
     int r = a*b;  // -391 .. 0
-    range(r);
+    range(r); // $ range=<=0 range=>=-391
     total += r;
-    range(total); // $ range="<=- ...+0" range=<=0
+    range(total); // $ range="<=- ...+0" range=<=0 range=">=- ...-391" range=>=-782
   }
   if (-17 <= a && a <= 0 && -13 <= b && b <= 23) {
     range(a); // $ range=<=0 range=>=-17
@@ -467,19 +467,19 @@ int test_mult04(int a, int b) {
     range(a); // $ range=<=0 range=>=-17
     range(b); // $ range=<=0 range=>=-13
     int r = a*b;  // 0 .. 221
-    range(r);
+    range(r); // $ range=<=221 range=>=0 
     total += r;
-    range(total); // $ range=">=- ...+0"
+    range(total); // $ range="<=- ...+221" range=">=- ...+0"
   }
   if (-17 <= a && a <= 0 && -13 <= b && b <= -7) {
     range(a); // $ range=<=0 range=>=-17
     range(b); // $ range=<=-7 range=>=-13
     int r = a*b;  // 0 .. 221
-    range(r);
+    range(r); // $ range=<=221 range=>=0
     total += r;
-    range(total); // $ range=">=- ...+0"
+    range(total); // $ range=">=- ...+0" range="<=- ...+221" range="<=- ...+442"
   }
-  range(total); // $ range=">=- ...+0"
+  range(total); // $ range=">=- ...+0" range="<=- ...+221" range="<=- ...+442"
   return total;
 }
 
@@ -491,17 +491,17 @@ int test_mult05(int a, int b) {
     range(a); // $ range=<=-2 range=>=-17
     range(b); // $ range=<=23 range=>=5
     int r = a*b;  // -391 .. -10
-    range(r);
+    range(r); // $ range=<=-10 range=>=-391
     total += r;
-    range(total); // $ range=<=-1
+    range(total); // $ range=<=-10 range=>=-391
   }
   if (-17 <= a && a <= -2 && 0 <= b && b <= 23) {
     range(a); // $ range=<=-2 range=>=-17
     range(b); // $ range=<=23 range=>=0
     int r = a*b;  // -391 .. 0
-    range(r);
+    range(r); // $ range=<=0 range=>=-391
     total += r;
-    range(total); // $ range="<=- ...+0" range=<=0
+    range(total); // $ range="<=- ...+0" range=<=0 range=">=- ...-391" range=>=-782
   }
   if (-17 <= a && a <= -2 && -13 <= b && b <= 23) {
     range(a); // $ range=<=-2 range=>=-17
@@ -515,19 +515,19 @@ int test_mult05(int a, int b) {
     range(a); // $ range=<=-2 range=>=-17
     range(b); // $ range=<=0 range=>=-13
     int r = a*b;  // 0 .. 221
-    range(r);
+    range(r); // $ range=<=221 range=>=0
     total += r;
-    range(total); // $ range=">=- ...+0"
+    range(total); // $ range="<=- ...+221" range=">=- ...+0"
   }
   if (-17 <= a && a <= -2 && -13 <= b && b <= -7) {
     range(a); // $ range=<=-2 range=>=-17
     range(b); // $ range=<=-7 range=>=-13
     int r = a*b;  // 14 .. 221
-    range(r);
+    range(r); // $ range=<=221 range=>=14
     total += r;
-    range(total); // $ range=">=- ...+1"
+    range(total); // $ range="<=- ...+221" range="<=- ...+442" range=">=- ...+14"
   }
-  range(total); // $ range=">=- ...+0"
+  range(total); // $ range=">=- ...+0" range="<=- ...+221" range="<=- ...+442"
   return total;
 }
 
@@ -598,7 +598,7 @@ unsigned int test_ternary01(unsigned int x) {
       (range(x), 500); // $ range=<=299
     range(y8); // y8 <= 300
   }
-  range(y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8); // $ range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
+  range(y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8); // $ MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
   return y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8;
 }
 
@@ -628,7 +628,7 @@ unsigned int test_ternary02(unsigned int x) {
       (range(x), 5); // $ range=>=300
     range(y5); // y6 >= 0
   }
-  range(y1 + y2 + y3 + y4 + y5); // $ range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
+  range(y1 + y2 + y3 + y4 + y5); // $ MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
   return y1 + y2 + y3 + y4 + y5;
 }
 
@@ -647,7 +647,7 @@ unsigned int test_comma01(unsigned int x) {
         range(y), // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
         y);
   range(y2); // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
-  range(y1 + y2); // $ range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
+  range(y1 + y2); // $ MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
   return y1 + y2;
 }
 
@@ -685,7 +685,7 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
     int r = a*b;  // 15 .. 253
     range(r);
     total += r;
-    range(total); // $ range=>=1
+    range(total); // $ MISSING: range=>=1
   }
   if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
     range(a); // $ range=<=11 range=>=3
@@ -693,7 +693,7 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
     int r = a*b;  // 0 .. 253
     range(r);
     total += r;
-    range(total); // $ range=">=(unsigned int)...+0" range=>=0
+    range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
   }
   if (3 <= a && a <= 11 && 13 <= b && b <= 23) {
     range(a); // $ range=<=11 range=>=3
@@ -701,9 +701,9 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
     int r = a*b;  // 39 .. 253
     range(r);
     total += r;
-    range(total); // $ range=">=(unsigned int)...+1" range=>=1
+    range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1
   }
-  range(total); // $ range=">=(unsigned int)...+0" range=>=0
+  range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
   return total;
 }
 
@@ -715,23 +715,23 @@ int test_unsigned_mult02(unsigned b) {
     int r = 11*b;  // 55 .. 253
     range(r);
     total += r;
-    range(total); // $ range=>=1
+    range(total); // $ MISSING: range=>=1
   }
   if (0 <= b && b <= 23) {
     range(b); // $ range=<=23 range=>=0
     int r = 11*b;  // 0 .. 253
     range(r);
     total += r;
-    range(total); // $ range=">=(unsigned int)...+0" range=>=0
+    range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
   }
   if (13 <= b && b <= 23) {
     range(b); // $ range=<=23 range=>=13
     int r = 11*b;  // 143 .. 253
     range(r);
     total += r;
-    range(total); // $ range=">=(unsigned int)...+1" range=>=1
+    range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1
   }
-  range(total); // $ range=">=(unsigned int)...+0" range=>=0
+  range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
   return total;
 }
 
@@ -741,7 +741,7 @@ unsigned long mult_rounding() {
   range(y); // $ range===1000000003
   range(x); // $ range===1000000003
   xy = x * y;
-  range(xy);
+  range(xy); // $ range===2147483647
   return xy; // BUG: upper bound should be >= 1000000006000000009UL
 }
 
@@ -761,13 +761,13 @@ unsigned long mult_lower_bound(unsigned int ui, unsigned long ul) {
     range(ui); // $ range=>=10
     range((unsigned long)ui); // $ range=>=10
     unsigned long result = (unsigned long)ui * ui;
-    range(result);
+    range(result); // $ range=>=100 range=>=100
     return result; // BUG: upper bound should be >= 18446744065119617025
   }
   if (ul >= 10) {
     range(ul); // $ range=>=10
     unsigned long result = ul * ul;
-    range(result);
+    range(result); // $ range=>=100
     return result; // BUG: lower bound should be 0 (overflow is possible)
   }
   return 0;
@@ -777,7 +777,7 @@ unsigned long mul_assign(unsigned int ui) {
   if (ui <= 10 && ui >= 2) {
     range(ui); // $ range=<=10 range=>=2
     ui *= ui + 0;
-    range(ui);
+    range(ui); // $ range=<=100 range=>=4
     return ui; // 4 .. 100
   }
 
@@ -790,7 +790,7 @@ unsigned long mul_assign(unsigned int ui) {
   range(ulconst); // $ range===10
   ulconst *= 4;
   range(ulconst); // $ range===40
-  range(uiconst + ulconst); // $ range=">=... *= ...+1" range=>=41
+  range(uiconst + ulconst); // $ range===80
   return uiconst + ulconst; // 40 .. 40 for both
 }
 
@@ -813,7 +813,7 @@ int mul_by_constant(int i, int j) {
     range(i); // $ range===-1
     range((int)0xffFFffFF); // $ range===-1
     i = i * (int)0xffFFffFF; // fully converted literal is -1
-    range(i); // 1 .. 1
+    range(i); // $ range===1
   }
   i = i * -1;
   range(   i); // -2^31 .. 2^31-1
@@ -942,7 +942,7 @@ void widen_recursive_expr() {
   for (s = 0; s < 10; s++) {
     range(s); // $ range=<=9 range=>=0
     int result = s + s;
-    range(result); // 0 .. 18
+    range(result); // $ range=<=18 range=<=s+9 range=>=0 range=>=s+0
   }
 }
 
@@ -960,7 +960,22 @@ void guard_bound_out_of_range(void) {
 
 void test_mod(int s) {
   int s2 = s % 5;
-  range(s2); // $ range=<=4 // -4 .. 4
+  range(s2); // $ range=>=-4 range=<=4
+}
+
+void test_mod_neg(int s) {
+  int s2 = s % -5;
+  range(s2); // $ range=>=-4 range=<=4
+}
+
+void test_mod_ternary(int s, bool b) {
+  int s2 = s % (b ? 5 : 500);
+  range(s2); // $ range=>=-499 range=<=499
+}
+
+void test_mod_ternary2(int s, bool b1, bool b2) {
+  int s2 = s % (b1 ? (b2 ? 5 : -5000) : -500000);
+  range(s2); // $ range=>=-499999 range=<=499999
 }
 
 void exit(int);

cpp/ql/test/library-tests/ir/range-analysis/test.cpp

@@ -7,7 +7,7 @@
       }
 
       if (y - 2 == x && y > 300) {
-        range(x + y);  // $ range=>=300 range=>=x+1 range=>=y-1
+        range(x + y);  // $ range=<=802 range=>=600
         return x + y;
       }
 

cpp/ql/test/library-tests/lambdas/captures/elements.expected

@@ -1,26 +1,9 @@
-| captures.cpp:0:0:0:0 | captures.cpp |
-| captures.cpp:1:8:1:8 | declaration of operator= |
-| captures.cpp:1:8:1:8 | declaration of operator= |
-| captures.cpp:1:8:1:8 | operator= |
-| captures.cpp:1:8:1:8 | operator= |
-| captures.cpp:1:8:1:10 | definition of foo |
-| captures.cpp:1:8:1:10 | foo |
-| captures.cpp:2:8:2:8 | a |
-| captures.cpp:2:8:2:8 | definition of a |
-| captures.cpp:2:14:2:14 | definition of x |
-| captures.cpp:2:14:2:14 | x |
-| captures.cpp:2:17:6:3 | { ... } |
 | captures.cpp:3:5:3:5 | (unnamed constructor) |
 | captures.cpp:3:5:3:5 | (unnamed constructor) |
 | captures.cpp:3:5:3:5 | (unnamed constructor) |
-| captures.cpp:3:5:3:5 | declaration of (unnamed constructor) |
-| captures.cpp:3:5:3:5 | declaration of (unnamed constructor) |
-| captures.cpp:3:5:3:5 | definition of (unnamed constructor) |
-| captures.cpp:3:5:3:5 | definition of operator= |
 | captures.cpp:3:5:3:5 | operator= |
 | captures.cpp:3:5:5:5 | [...](...){...} |
 | captures.cpp:3:5:5:5 | {...} |
-| captures.cpp:3:5:5:6 | ExprStmt |
 | captures.cpp:3:6:3:6 | definition of x |
 | captures.cpp:3:6:3:6 | x |
 | captures.cpp:3:6:3:6 | x |
@@ -29,7 +12,6 @@
 | captures.cpp:3:9:3:9 | definition of (captured this) |
 | captures.cpp:3:9:3:12 | (captured this) |
 | captures.cpp:3:9:3:12 | this |
-| captures.cpp:3:15:3:15 | definition of operator() |
 | captures.cpp:3:15:3:15 | operator() |
 | captures.cpp:3:15:5:5 | { ... } |
 | captures.cpp:4:7:4:7 | (captured this) |
@@ -41,26 +23,14 @@
 | captures.cpp:4:9:4:13 | x |
 | captures.cpp:4:13:4:13 | 1 |
 | captures.cpp:5:5:5:5 | return ... |
-| captures.cpp:6:3:6:3 | return ... |
-| captures.cpp:8:8:8:8 | b |
-| captures.cpp:8:8:8:8 | definition of b |
-| captures.cpp:8:14:8:14 | definition of x |
-| captures.cpp:8:14:8:14 | x |
-| captures.cpp:8:17:12:3 | { ... } |
 | captures.cpp:9:5:9:5 | (unnamed constructor) |
 | captures.cpp:9:5:9:5 | (unnamed constructor) |
 | captures.cpp:9:5:9:5 | (unnamed constructor) |
-| captures.cpp:9:5:9:5 | declaration of (unnamed constructor) |
-| captures.cpp:9:5:9:5 | declaration of (unnamed constructor) |
-| captures.cpp:9:5:9:5 | definition of (unnamed constructor) |
-| captures.cpp:9:5:9:5 | definition of operator= |
 | captures.cpp:9:5:9:5 | operator= |
 | captures.cpp:9:5:11:5 | [...](...){...} |
 | captures.cpp:9:5:11:5 | this |
 | captures.cpp:9:5:11:5 | x |
 | captures.cpp:9:5:11:5 | {...} |
-| captures.cpp:9:5:11:6 | ExprStmt |
-| captures.cpp:9:9:9:9 | definition of operator() |
 | captures.cpp:9:9:9:9 | operator() |
 | captures.cpp:9:9:11:5 | { ... } |
 | captures.cpp:10:7:10:7 | (captured this) |
@@ -78,48 +48,23 @@
 | captures.cpp:10:9:10:13 | x |
 | captures.cpp:10:13:10:13 | 1 |
 | captures.cpp:11:5:11:5 | return ... |
-| captures.cpp:12:3:12:3 | return ... |
-| captures.cpp:14:15:14:15 | c |
-| captures.cpp:14:15:14:15 | definition of c |
-| captures.cpp:14:21:14:21 | definition of x |
-| captures.cpp:14:21:14:21 | x |
-| captures.cpp:14:24:18:3 | { ... } |
 | captures.cpp:15:5:15:5 | (unnamed constructor) |
 | captures.cpp:15:5:15:5 | (unnamed constructor) |
 | captures.cpp:15:5:15:5 | (unnamed constructor) |
-| captures.cpp:15:5:15:5 | declaration of (unnamed constructor) |
-| captures.cpp:15:5:15:5 | declaration of (unnamed constructor) |
-| captures.cpp:15:5:15:5 | definition of (unnamed constructor) |
-| captures.cpp:15:5:15:5 | definition of operator= |
 | captures.cpp:15:5:15:5 | operator= |
 | captures.cpp:15:5:17:5 | [...](...){...} |
 | captures.cpp:15:5:17:5 | {...} |
-| captures.cpp:15:5:17:6 | ExprStmt |
 | captures.cpp:15:6:15:6 | definition of x |
 | captures.cpp:15:6:15:6 | x |
 | captures.cpp:15:6:15:6 | x |
 | captures.cpp:15:6:15:6 | x |
-| captures.cpp:15:9:15:9 | definition of operator() |
 | captures.cpp:15:9:15:9 | operator() |
 | captures.cpp:15:9:17:5 | { ... } |
 | captures.cpp:16:7:16:7 | call to c |
 | captures.cpp:16:7:16:11 | ExprStmt |
 | captures.cpp:16:9:16:9 | 0 |
-| captures.cpp:16:13:16:49 | // `x` is unused, but still captured. |
 | captures.cpp:17:5:17:5 | return ... |
-| captures.cpp:18:3:18:3 | return ... |
-| captures.cpp:21:5:21:5 | d |
-| captures.cpp:21:5:21:5 | definition of d |
-| captures.cpp:21:11:21:11 | definition of x |
-| captures.cpp:21:11:21:11 | x |
-| captures.cpp:21:18:21:18 | definition of y |
-| captures.cpp:21:18:21:18 | y |
-| captures.cpp:21:21:27:1 | { ... } |
-| captures.cpp:22:3:24:4 | declaration |
-| captures.cpp:22:8:22:15 | definition of myLambda |
-| captures.cpp:22:8:22:15 | myLambda |
 | captures.cpp:22:18:24:3 | [...](...){...} |
-| captures.cpp:22:18:24:3 | initializer for myLambda |
 | captures.cpp:22:18:24:3 | y |
 | captures.cpp:22:18:24:3 | {...} |
 | captures.cpp:22:19:22:19 | (reference dereference) |
@@ -131,10 +76,6 @@
 | captures.cpp:22:19:22:19 | (unnamed parameter 0) |
 | captures.cpp:22:19:22:19 | constructor init of field x |
 | captures.cpp:22:19:22:19 | constructor init of field y |
-| captures.cpp:22:19:22:19 | declaration of (unnamed constructor) |
-| captures.cpp:22:19:22:19 | definition of (unnamed constructor) |
-| captures.cpp:22:19:22:19 | definition of (unnamed constructor) |
-| captures.cpp:22:19:22:19 | definition of operator= |
 | captures.cpp:22:19:22:19 | operator= |
 | captures.cpp:22:19:22:19 | return ... |
 | captures.cpp:22:19:22:19 | x |
@@ -144,9 +85,7 @@
 | captures.cpp:22:23:22:23 | x |
 | captures.cpp:22:23:22:23 | x |
 | captures.cpp:22:23:22:23 | x |
-| captures.cpp:22:25:22:25 | definition of operator() |
 | captures.cpp:22:25:22:25 | operator() |
-| captures.cpp:22:30:22:30 | definition of z |
 | captures.cpp:22:30:22:30 | z |
 | captures.cpp:22:40:24:3 | { ... } |
 | captures.cpp:23:5:23:21 | return ... |
@@ -161,30 +100,7 @@
 | captures.cpp:23:16:23:16 | y |
 | captures.cpp:23:16:23:16 | y |
 | captures.cpp:23:20:23:20 | z |
-| captures.cpp:26:3:26:24 | return ... |
-| captures.cpp:26:10:26:17 | (const lambda [] type at line 22, col. 19)... |
-| captures.cpp:26:10:26:17 | myLambda |
-| captures.cpp:26:18:26:18 | call to operator() |
-| captures.cpp:26:19:26:22 | 1000 |
-| end_pos.cpp:0:0:0:0 | end_pos.cpp |
-| end_pos.cpp:2:1:2:14 | #define OPEN { |
-| end_pos.cpp:3:6:3:10 | definition of igFun |
-| end_pos.cpp:3:6:3:10 | igFun |
-| end_pos.cpp:3:14:12:1 | { ... } |
-| end_pos.cpp:4:5:4:8 | OPEN |
-| end_pos.cpp:4:5:5:5 | { ... } |
-| end_pos.cpp:6:5:6:15 | declaration |
-| end_pos.cpp:6:9:6:10 | definition of ii |
-| end_pos.cpp:6:9:6:10 | ii |
-| end_pos.cpp:6:13:6:14 | 0 |
-| end_pos.cpp:6:13:6:14 | initializer for ii |
-| end_pos.cpp:7:5:7:69 | // EDG used to not give the initialization for this ii capture an |
-| end_pos.cpp:8:5:8:20 | // end location: |
-| end_pos.cpp:9:5:11:6 | declaration |
-| end_pos.cpp:9:10:9:11 | definition of fp |
-| end_pos.cpp:9:10:9:11 | fp |
 | end_pos.cpp:9:14:11:5 | [...](...){...} |
-| end_pos.cpp:9:14:11:5 | initializer for fp |
 | end_pos.cpp:9:14:11:5 | {...} |
 | end_pos.cpp:9:15:9:15 | (reference dereference) |
 | end_pos.cpp:9:15:9:15 | (unnamed constructor) |
@@ -192,10 +108,6 @@
 | end_pos.cpp:9:15:9:15 | (unnamed constructor) |
 | end_pos.cpp:9:15:9:15 | (unnamed parameter 0) |
 | end_pos.cpp:9:15:9:15 | constructor init of field ii |
-| end_pos.cpp:9:15:9:15 | declaration of (unnamed constructor) |
-| end_pos.cpp:9:15:9:15 | definition of (unnamed constructor) |
-| end_pos.cpp:9:15:9:15 | definition of (unnamed constructor) |
-| end_pos.cpp:9:15:9:15 | definition of operator= |
 | end_pos.cpp:9:15:9:15 | ii |
 | end_pos.cpp:9:15:9:15 | operator= |
 | end_pos.cpp:9:15:9:15 | return ... |
@@ -205,14 +117,10 @@
 | end_pos.cpp:9:17:9:18 | (reference to) |
 | end_pos.cpp:9:17:9:18 | ii |
 | end_pos.cpp:9:17:9:18 | ii |
-| end_pos.cpp:9:20:9:20 | definition of operator() |
 | end_pos.cpp:9:20:9:20 | operator() |
 | end_pos.cpp:9:27:11:5 | { ... } |
 | end_pos.cpp:10:9:10:17 | return ... |
 | end_pos.cpp:10:16:10:16 | 1 |
-| end_pos.cpp:12:1:12:1 | return ... |
-| file://:0:0:0:0 |  |
-| file://:0:0:0:0 | (global namespace) |
 | file://:0:0:0:0 | (reference to) |
 | file://:0:0:0:0 | (unnamed parameter 0) |
 | file://:0:0:0:0 | (unnamed parameter 0) |
@@ -229,90 +137,8 @@
 | file://:0:0:0:0 | (unnamed parameter 0) |
 | file://:0:0:0:0 | (unnamed parameter 0) |
 | file://:0:0:0:0 | (unnamed parameter 0) |
-| file://:0:0:0:0 | (unnamed parameter 0) |
-| file://:0:0:0:0 | (unnamed parameter 0) |
-| file://:0:0:0:0 | (unnamed parameter 0) |
-| file://:0:0:0:0 | (unnamed parameter 0) |
-| file://:0:0:0:0 | ..()(..) |
-| file://:0:0:0:0 | ..()(..) |
-| file://:0:0:0:0 | ..(*)(..) |
-| file://:0:0:0:0 | ..(*)(..) |
-| file://:0:0:0:0 | ..(*)(..) |
-| file://:0:0:0:0 | ..(..) |
-| file://:0:0:0:0 | __super |
-| file://:0:0:0:0 | __va_list_tag |
-| file://:0:0:0:0 | __va_list_tag & |
-| file://:0:0:0:0 | __va_list_tag && |
-| file://:0:0:0:0 | auto |
-| file://:0:0:0:0 | const __va_list_tag |
-| file://:0:0:0:0 | const __va_list_tag & |
-| file://:0:0:0:0 | const foo |
-| file://:0:0:0:0 | const foo & |
-| file://:0:0:0:0 | const lambda [] type at line 3, col. 5 |
-| file://:0:0:0:0 | const lambda [] type at line 3, col. 5 & |
-| file://:0:0:0:0 | const lambda [] type at line 3, col. 5 * |
-| file://:0:0:0:0 | const lambda [] type at line 9, col. 5 |
-| file://:0:0:0:0 | const lambda [] type at line 9, col. 5 & |
-| file://:0:0:0:0 | const lambda [] type at line 9, col. 5 * |
-| file://:0:0:0:0 | const lambda [] type at line 9, col. 15 |
-| file://:0:0:0:0 | const lambda [] type at line 9, col. 15 & |
-| file://:0:0:0:0 | const lambda [] type at line 9, col. 15 * |
-| file://:0:0:0:0 | const lambda [] type at line 15, col. 5 |
-| file://:0:0:0:0 | const lambda [] type at line 15, col. 5 & |
-| file://:0:0:0:0 | const lambda [] type at line 15, col. 5 * |
-| file://:0:0:0:0 | const lambda [] type at line 22, col. 19 |
-| file://:0:0:0:0 | const lambda [] type at line 22, col. 19 & |
-| file://:0:0:0:0 | const lambda [] type at line 22, col. 19 * |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
-| file://:0:0:0:0 | declaration of 1st parameter |
 | file://:0:0:0:0 | decltype([...](...){...}) |
 | file://:0:0:0:0 | decltype([...](...){...}) |
 | file://:0:0:0:0 | decltype([...](...){...}) |
 | file://:0:0:0:0 | decltype([...](...){...}) |
 | file://:0:0:0:0 | decltype([...](...){...}) |
-| file://:0:0:0:0 | definition of fp_offset |
-| file://:0:0:0:0 | definition of gp_offset |
-| file://:0:0:0:0 | definition of overflow_arg_area |
-| file://:0:0:0:0 | definition of reg_save_area |
-| file://:0:0:0:0 | foo & |
-| file://:0:0:0:0 | foo && |
-| file://:0:0:0:0 | foo * |
-| file://:0:0:0:0 | foo *const |
-| file://:0:0:0:0 | fp_offset |
-| file://:0:0:0:0 | gp_offset |
-| file://:0:0:0:0 | int & |
-| file://:0:0:0:0 | lambda [] type at line 3, col. 5 & |
-| file://:0:0:0:0 | lambda [] type at line 3, col. 5 && |
-| file://:0:0:0:0 | lambda [] type at line 3, col. 5 * |
-| file://:0:0:0:0 | lambda [] type at line 9, col. 5 & |
-| file://:0:0:0:0 | lambda [] type at line 9, col. 5 && |
-| file://:0:0:0:0 | lambda [] type at line 9, col. 5 * |
-| file://:0:0:0:0 | lambda [] type at line 9, col. 15 & |
-| file://:0:0:0:0 | lambda [] type at line 9, col. 15 && |
-| file://:0:0:0:0 | lambda [] type at line 9, col. 15 * |
-| file://:0:0:0:0 | lambda [] type at line 15, col. 5 & |
-| file://:0:0:0:0 | lambda [] type at line 15, col. 5 && |
-| file://:0:0:0:0 | lambda [] type at line 15, col. 5 * |
-| file://:0:0:0:0 | lambda [] type at line 22, col. 19 & |
-| file://:0:0:0:0 | lambda [] type at line 22, col. 19 && |
-| file://:0:0:0:0 | lambda [] type at line 22, col. 19 * |
-| file://:0:0:0:0 | operator= |
-| file://:0:0:0:0 | operator= |
-| file://:0:0:0:0 | overflow_arg_area |
-| file://:0:0:0:0 | reg_save_area |
-| file://:0:0:0:0 | void * |

cpp/ql/test/library-tests/lambdas/captures/elements.ql

@@ -1,8 +1,13 @@
 import cpp
 
+predicate interesting(Element e) {
+  e instanceof LambdaCapture or
+  e instanceof LambdaExpression or
+  e = any(LambdaExpression le).getLambdaFunction() or
+  e = any(LambdaExpression le).getInitializer() or
+  e instanceof Closure
+}
+
 from Element e
-where
+where interesting(e.getEnclosingElement*())
-  not e instanceof BuiltInType and
-  not e instanceof Specifier and
-  not e instanceof Folder
 select e

cpp/ql/test/library-tests/templates/extern/declarations.expected

@@ -0,0 +1,3 @@
+| extern.cpp:1:20:1:20 | T |
+| extern.cpp:2:5:2:5 | f |
+| extern.cpp:2:7:2:7 | (unnamed parameter 0) |

cpp/ql/test/library-tests/templates/extern/declarations.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from Declaration d
+where d.getLocation().getFile().getBaseName() != ""
+select d

cpp/ql/test/library-tests/templates/extern/elements.expected

@@ -1,8 +0,0 @@
-| extern.cpp:0:0:0:0 | extern.cpp |
-| extern.cpp:1:20:1:20 | T |
-| extern.cpp:1:20:1:20 | definition of T |
-| extern.cpp:2:5:2:5 | declaration of f |
-| extern.cpp:2:5:2:5 | f |
-| extern.cpp:2:7:2:7 | (unnamed parameter 0) |
-| extern.cpp:2:7:2:7 | declaration of 1st parameter |
-| extern.cpp:4:1:4:58 | // Currently we don't have an element for this declaration |

cpp/ql/test/library-tests/templates/extern/elements.ql

@@ -1,8 +0,0 @@
-import cpp
-
-from Element e
-where
-  exists(e.getLocation()) and
-  not e.getLocation() instanceof UnknownLocation and
-  not e instanceof Folder
-select e

csharp/ql/lib/change-notes/2023-03-28-dataflow-rm-footgun.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.

csharp/ql/lib/semmle/code/asp/WebConfig.qll

@@ -11,6 +11,13 @@ class WebConfigXml extends XmlFile {
   WebConfigXml() { this.getName().matches("%Web.config") }
 }
 
+/**
+ * A `Web.config` transformation file.
+ */
+class WebConfigReleaseTransformXml extends XmlFile {
+  WebConfigReleaseTransformXml() { this.getName().matches("%Web.Release.config") }
+}
+
 /** DEPRECATED: Alias for WebConfigXml */
 deprecated class WebConfigXML = WebConfigXml;
 
@@ -19,6 +26,11 @@ class ConfigurationXmlElement extends XmlElement {
   ConfigurationXmlElement() { this.getName().toLowerCase() = "configuration" }
 }
 
+/** A `<compilation>` tag in an ASP.NET configuration file. */
+class CompilationXmlElement extends XmlElement {
+  CompilationXmlElement() { this.getName().toLowerCase() = "compilation" }
+}
+
 /** DEPRECATED: Alias for ConfigurationXmlElement */
 deprecated class ConfigurationXMLElement = ConfigurationXmlElement;
 
@@ -149,3 +161,15 @@ class HttpCookiesElement extends XmlElement {
   /** DEPRECATED: Alias for isRequireSsl */
   deprecated predicate isRequireSSL() { this.isRequireSsl() }
 }
+
+/** A `Transform` attribute in a Web.config transformation file. */
+class TransformXmlAttribute extends XmlAttribute {
+  TransformXmlAttribute() { this.getName().toLowerCase() = "transform" }
+
+  /**
+   * Gets the list of attribute removals in `Transform=RemoveAttributes(list)`.
+   */
+  string getRemoveAttributes() {
+    result = this.getValue().regexpCapture("RemoveAttributes\\((.*)\\)", 1).splitAt(",")
+  }
+}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll

@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow
 
 /**

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -19,6 +19,7 @@ private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.threading.Tasks
 private import semmle.code.cil.Ssa::Ssa as CilSsa
 private import semmle.code.cil.internal.SsaImpl as CilSsaImpl
+private import codeql.util.Unit
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallableImpl() }
@@ -2163,15 +2164,6 @@ int accessPathLimit() { result = 5 }
  */
 predicate forceHighPrecision(Content c) { c instanceof ElementContent }
 
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a delegate for `c`. */
@@ -2183,7 +2175,7 @@ predicate lambdaCreation(ExprNode creation, LambdaCallKind kind, DataFlowCallabl
         e.(AddressOfExpr).getOperand().(CallableAccess).getTarget().getUnboundDeclaration()
       ]
   ) and
-  kind = TMkUnit()
+  exists(kind)
 }
 
 private class LambdaConfiguration extends ControlFlowReachabilityConfiguration {
@@ -2214,7 +2206,7 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
     or
     receiver = call.(SummaryCall).getReceiver()
   ) and
-  kind = TMkUnit()
+  exists(kind)
 }
 
 /** Extra data-flow steps needed for lambda flow analysis. */

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -10,6 +10,7 @@ private import FlowSummaryImplSpecific
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommon
+private import codeql.util.Unit
 
 /** Provides classes and predicates for defining flow summaries. */
 module Public {

csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql

@@ -19,6 +19,17 @@ import semmle.code.asp.WebConfig
 
 from SystemWebXmlElement web, XmlAttribute debugAttribute
 where
-  debugAttribute = web.getAChild("compilation").getAttribute("debug") and
+  exists(CompilationXmlElement compilation | compilation.getParent() = web |
-  not debugAttribute.getValue().toLowerCase() = "false"
+    debugAttribute = compilation.getAttribute("debug") and
+    not debugAttribute.getValue().toLowerCase() = "false"
+  ) and
+  not exists(
+    TransformXmlAttribute attribute, CompilationXmlElement compilation,
+    WebConfigReleaseTransformXml file
+  |
+    compilation = attribute.getElement() and
+    file = compilation.getFile() and
+    attribute.getRemoveAttributes() = "debug" and
+    file.getParentContainer() = web.getFile().getParentContainer()
+  )
 select debugAttribute, "The 'debug' flag is set for an ASP.NET configuration file."

csharp/ql/src/change-notes/2023-03-23-cs-web-debug-binary.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `cs/web/debug-binary` now disregards the `debug` attribute in case there is a transformation that removes it.

csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll

@@ -18,8 +18,6 @@ module TaintTracking = CS::TaintTracking;
 
 class Type = CS::Type;
 
-class Unit = DataFlowPrivate::Unit;
-
 /**
  * Holds if any of the parameters of `api` are `System.Func<>`.
  */

csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.expected

@@ -1 +1,2 @@
-| bad/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
+| bad1/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
+| bad2/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |

csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.Debug.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+  <system.web>
+    <compilation xdt:Transform="RemoveAttributes(debug)" />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <compilation
+      defaultLanguage="c#"
+      debug="true"
+    />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-011/good2/Web.Release.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+  <system.web>
+    <compilation xdt:Transform="RemoveAttributes(debug)" />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-011/good2/Web.config

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <compilation
+      defaultLanguage="c#"
+      debug="true"
+    />
+  </system.web>
+</configuration>

docs/codeql/codeql-language-guides/codeql-for-java.rst

@@ -45,4 +45,3 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
 -  :doc:`Working with source locations <working-with-source-locations>`: You can use the location of entities within Java code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem.
 
 -  :doc:`Abstract syntax tree classes for working with Java programs <abstract-syntax-tree-classes-for-working-with-java-programs>`: CodeQL has a large selection of classes for representing the abstract syntax tree of Java programs.
-

docs/codeql/codeql-language-guides/codeql-for-javascript.rst

@@ -28,8 +28,6 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
 
 -  :doc:`Using flow labels for precise data flow analysis <using-flow-labels-for-precise-data-flow-analysis>`: You can associate flow labels with each value tracked by the flow analysis to determine whether the flow contains potential vulnerabilities.
 
--  :doc:`Specifying remote flow sources for JavaScript <specifying-additional-remote-flow-sources-for-javascript>`: You can model potential sources of untrusted user input in your code without making changes to the CodeQL standard library by specifying extra remote flow sources in an external file.
-
 -  :doc:`Using type tracking for API modeling <using-type-tracking-for-api-modeling>`: You can track data through an API by creating a model using the CodeQL type-tracking library for JavaScript.
 
 -  :doc:`Abstract syntax tree classes for working with JavaScript and TypeScript programs <abstract-syntax-tree-classes-for-working-with-javascript-and-typescript-programs>`: CodeQL has a large selection of classes for representing the abstract syntax tree of JavaScript and TypeScript programs.

docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst

@@ -0,0 +1,417 @@
+.. _customizing-library-models-for-java:
+
+:orphan:
+:nosearch:
+
+Customizing Library Models for Java
+===================================
+
+.. include:: ../reusables/beta-note-customizing-library-models.rst
+
+The Java analysis can be customized by adding library models (summaries, sinks and sources) in data extension files.
+A model is a definition of a behavior of a library element, such as a method, that is used to improve the data flow analysis precision by identifying more results.
+Most of the security related queries are taint tracking queries that try to find paths from a source of untrusted input to a sink that represents a vulnerability. Sources are the starting points of a taint tracking data flow analysis, and sinks are the end points of a taint tracking data flow analysis.
+
+Furthermore, the taint tracking queries also need to know how data can flow through elements that are not included in the source code. These are named summaries: they are models of elements that allow us to synthesize the elements flow behavior without having them in the source code. This is especially helpful when using a third party (or the standard) library.
+
+The models are defined using data extensions where each tuple constitutes a model.
+A data extension file for Java is a YAML file in the form:
+
+.. code-block:: yaml
+
+   extensions:
+     - addsTo:
+         pack: codeql/java-all
+         extensible: <name of extensible predicate>
+       data:
+         - <tuple1>
+         - <tuple2>
+         - ...
+
+Data extensions contribute to the extensible predicates defined in the CodeQL library. For more information on how to define data extensions and extensible predicates as well as how to wire them up, see the :ref:`data-extensions` documentation.
+
+The CodeQL library for Java exposes the following extensible predicates:
+
+- **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance). This is used for **source** models.
+- **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance). This is used for **sink** models.
+- **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance). This is used for **summary** models.
+- **neutralModel**\(package, type, name, signature, provenance). This is used for **neutral** models, which only have minor impact on the data flow analysis.
+
+The extensible predicates are populated using data extensions specified in YAML files.
+
+In the sections below, we will provide examples of how to add tuples to the different extensible predicates.
+The extensible predicates are used to customize and improve the existing data flow queries, by providing sources, sinks, and flow through (summaries) for library elements.
+The :ref:`reference-material` section will provide details on the *mini DSLs* that define models for each extensible predicate.
+
+Example: Taint sink in the **java.sql** package
+------------------------------------------------
+
+In this example we will show how to model the argument of the **execute** method as a SQL injection sink.
+This is the **execute** method in the **Statement** class, which is located in the **java.sql** package.
+Note that this sink is already added to the CodeQL Java analysis.
+
+.. code-block:: java
+
+   public static void taintsink(Connection conn, String query) throws SQLException {
+       Statement stmt = conn.createStatement();
+       stmt.execute(query); // The argument to this method is a SQL injection sink.
+   }
+
+We need to add a tuple to the **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
+
+.. code-block:: yaml
+
+   extensions:
+     - addsTo:
+         pack: codeql/java-all
+         extensible: sinkModel
+       data:
+         - ["java.sql", "Statement", True, "execute", "(String)", "", "Argument[0]", "sql", "manual"]
+
+
+Since we are adding a new sink, we need to add a tuple to the **sinkModel** extensible predicate.
+The first five values identify the callable (in this case a method) to be modeled as a sink.
+
+- The first value **java.sql** is the package name.
+- The second value **Statement** is the name of the class (type) that contains the method.
+- The third value **True** is a flag that indicates whether or not the sink also applies to all overrides of the method.
+- The fourth value **execute** is the method name.
+- The fifth value **(String)** is the method input type signature.
+
+The sixth value should be left empty and is out of scope for this documentation.
+The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the sink.
+
+- The seventh value **Argument[0]** is the **access path** to the first argument passed to the method, which means that this is the location of the sink.
+- The eighth value **sql** is the kind of the sink. The sink kind is used to define the queries where the sink is in scope. In this case - the SQL injection queries.
+- The ninth value **manual** is the provenance of the sink, which is used to identify the origin of the sink.
+ 
+Example: Taint source from the **java.net** package
+----------------------------------------------------
+In this example we show how to model the return value from the **getInputStream** method as a **remote** source.
+This is the **getInputStream** method in the **Socket** class, which is located in the **java.net** package.
+Note that this source is already added to the CodeQL Java analysis.
+
+.. code-block:: java
+
+   public static void tainted(Socket socket) throws IOException {
+       InputStream stream = socket.getInputStream(); // The return value of this method is a remote source of taint.
+       ...
+   }
+
+We need to add a tuple to the **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
+
+.. code-block:: yaml
+
+   extensions:
+     - addsTo:
+         pack: codeql/java-all
+         extensible: sourceModel
+       data:
+         - ["java.net", "Socket", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
+
+
+Since we are adding a new source, we need to add a tuple to the **sourceModel** extensible predicate.
+The first five values identify the callable (in this case a method) to be modeled as a source.
+
+- The first value **java.net** is the package name.
+- The second value **Socket** is the name of the class (type) that contains the source.
+- The third value **False** is a flag that indicates whether or not the source also applies to all overrides of the method.
+- The fourth value **getInputStream** is the method name.
+- The fifth value **()** is the method input type signature.
+
+The sixth value should be left empty and is out of scope for this documentation.
+The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the source.
+
+- The seventh value **ReturnValue** is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
+- The eighth value **remote** is the kind of the source. The source kind is used to define the queries where the source is in scope. **remote** applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses **remote** sources.
+- The ninth value **manual** is the provenance of the source, which is used to identify the origin of the source.
+
+Example: Add flow through the **concat** method
+------------------------------------------------
+In this example we show how to model flow through a method for a simple case.
+This pattern covers many of the cases where we need to define flow through a method.
+Note that the flow through the **concat** method is already added to the CodeQL Java analysis.
+
+.. code-block:: java
+
+   public static void taintflow(String s1, String s2) {
+       String t = s1.concat(s2); // There is taint flow from s1 and s2 to t.
+       ...
+   }
+
+We need to add tuples to the **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
+
+.. code-block:: yaml
+
+   extensions:
+     - addsTo:
+         pack: codeql/java-all
+         extensible: summaryModel
+       data:
+         - ["java.lang", "String", False, "concat", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+         - ["java.lang", "String", False, "concat", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+
+Reasoning:
+
+Since we are adding flow through a method, we need to add tuples to the **summaryModel** extensible predicate.
+Each tuple defines flow from one argument to the return value.
+The first row defines flow from the qualifier (**s1** in the example) to the return value (**t** in the example) and the second row defines flow from the first argument (**s2** in the example) to the return value (**t** in the example).
+
+The first five values identify the callable (in this case a method) to be modeled as a summary.
+These are the same for both of the rows above as we are adding two summaries for the same method.
+
+- The first value **java.lang** is the package name.
+- The second value **String** is the class (type) name.
+- The third value **False** is a flag that indicates whether or not the summary also applies to all overrides of the method.
+- The fourth value **concat** is the method name.
+- The fifth value **(String)** is the method input type signature.
+
+The sixth value should be left empty and is out of scope for this documentation.
+The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the summary.
+
+- The seventh value is the access path to the input (where data flows from). **Argument[this]** is the access path to the qualifier (**s1** in the example) and **Argument[0]** is the access path to the first argument (**s2** in the example).
+- The eighth value **ReturnValue** is the access path to the output (where data flows to), in this case **ReturnValue**, which means that the input flows to the return value.
+- The ninth value **taint** is the kind of the flow. **taint** means that taint is propagated through the call.
+- The tenth value **manual** is the provenance of the summary, which is used to identify the origin of the summary.
+
+Example: Add flow through the **map** method
+---------------------------------------------
+In this example, we will see a more complex example of modeling flow through a method.
+This pattern shows how to model flow through higher order methods and collection types.
+Note that the flow through the **map** method is already added to the CodeQL Java analysis.
+
+.. code-block:: java
+
+   public static void taintflow(Stream<String> s) {
+     Stream<String> l = s.map(e -> e.concat("\n"));
+     ...
+   }
+
+To do this, add the following to a data extension file:
+
+.. code-block:: yaml
+
+   extensions:
+     - addsTo:
+         pack: codeql/java-all
+         extensible: summaryModel
+       data:
+         - ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
+         - ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[0].ReturnValue", "ReturnValue.Element", "value", "manual"]
+
+
+Since we are adding flow through a method, we need to add tuples to the **summaryModel** extensible predicate.
+Each tuple defines part of the flow that comprises the total flow through the **map** method.
+The first five values identify the callable (in this case a method) to be modeled as a summary.
+These are the same for both of the rows above as we are adding two summaries for the same method.
+
+- The first value **java.util.stream** is the package name.
+- The second value **Stream** is the class (type) name.
+- The third value **True** is a flag that indicates whether or not the summary also applies to all overrides of the method.
+- The fourth value **map** is the method name.
+- The fifth value **Function** is the method input type signature.
+
+The sixth value should be left empty and is out of scope for this documentation.
+The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the summary definition.
+
+- The seventh value is the access path to the **input** (where data flows from).
+- The eighth value is the access path to the **output** (where data flows to).
+
+For the first row:
+
+- The seventh value is **Argument[this].Element**, which is the access path to the elements of the qualifier (the elements of the stream **s** in the example).
+- The eight value is **Argument[0].Parameter[0]**, which is the access path to the first parameter of the **Function** argument of **map** (the lambda parameter **e** in the example).
+
+For the second row:
+
+- The seventh value is **Argument[0].ReturnValue**, which is the access path to the return value of the **Function** argument of **map** (the return value of the lambda in the example).
+- The eighth value is **ReturnValue.Element**, which is the access path to the elements of the return value of **map** (the elements of the stream **l** in the example).
+
+For the remaining values for both rows:
+
+- The ninth value **value** is the kind of the flow. **value** means that the value is preserved.
+- The tenth value **manual** is the provenance of the summary, which is used to identify the origin of the summary.
+
+That is, the first row models that there is value flow from the elements of the qualifier stream into the first argument of the function provided to **map** and the second row models that there is value flow from the return value of the function to the elements of the stream returned from **map**.
+
+Example: Add a **neutral** method
+----------------------------------
+In this example we will show how to model the **now** method as being neutral.
+A neutral model is used to define that there is no flow through a method.
+Note that the neutral model for the **now** method is already added to the CodeQL Java analysis.
+
+.. code-block:: java
+   
+   public static void taintflow() {
+       Instant t = Instant.now(); // There is no flow from now to t.
+       ...
+   }
+
+We need to add a tuple to the **neutralModel**\(package, type, name, signature, provenance) extensible predicate. To do this, add the following to a data extension file:
+
+.. code-block:: yaml
+
+   extensions:
+   - addsTo:
+       pack: codeql/java-all
+       extensible: neutralModel
+     data:
+       - ["java.time", "Instant", "now", "()", "manual"]
+
+
+Since we are adding a neutral model, we need to add tuples to the **neutralModel** extensible predicate.
+The first five values identify the callable (in this case a method) to be modeled as a neutral and the fifth value is the provenance (origin) of the neutral.
+
+- The first value **java.time** is the package name.
+- The second value **Instant** is the class (type) name.
+- The third value **now** is the method name.
+- The fourth value **()** is the method input type signature.
+- The fifth value **manual** is the provenance of the neutral.
+
+.. _reference-material:
+
+Reference material
+------------------
+
+The following sections provide reference material for extensible predicates.
+This includes descriptions of each of the arguments (e.g. access paths, kinds and provenance).
+
+Extensible predicates
+---------------------
+
+Below is a description of the columns for each extensible predicate.
+Sources, sinks, summaries and neutrals are commonly known as models.
+The semantics of many of the columns of the extensible predicates are shared.
+
+The shared columns are:
+
+- **package**: Name of the package containing the element(s) to be modeled.
+- **type**: Name of the type containing the element(s) to be modeled.
+- **subtypes**: A boolean flag indicating whether the model should also apply to all overrides of the selected element(s).
+- **name**: Name of the element (optional). If this is left blank, it means all elements matching the previous selection criteria.
+- **signature**: Type signature of the selected element (optional). If this is left blank, it means all elements matching the previous selection criteria.
+- **ext**: Specifies additional API-graph-like edges (mostly empty) and out of scope for this document.
+- **provenance**: Provenance (origin) of the model definition.
+
+The columns **package**, **type**, **subtypes**, **name**, and **signature** are used to select the element(s) that the model applies to.
+
+The :ref:`access-paths` section describes how access paths are composed.
+This is the most complicated part of the extensible predicates and the **mini DSL** for access paths is shared across all extensible predicates.
+
+sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Taint source. Most taint tracking queries will use all sources added to this extensible predicate regardless of their kind.
+
+- **output**: Access path to the source, where the possibly tainted data flows from.
+- **kind**: Kind of the source.
+- **provenance**: Provenance (origin) of the source definition.
+
+As most sources are used by all taint tracking queries there are only a few different source kinds.
+The following source kinds are supported:
+
+- **remote**: A remote source of possibly tainted data. This is the most common kind for a source. Sources of this kind are used for almost all taint tracking queries.
+
+Below is an enumeration of the remaining source kinds, but they are out of scope for this documentation:
+
+- **contentprovider**, **android-widget**, **android-external-storage-dir**.
+
+sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Taint sink. As opposed to source kinds, there are many different kinds of sinks as these tend to be more query specific.
+
+- **input**: Access path to the sink, where we want to check if tainted data can flow into.
+- **kind**: Kind of the sink.
+
+The following sink kinds are supported:
+
+- **sql**: A SQL injection vulnerability sink.
+- **xss**: A cross-site scripting vulnerability sink.
+- **logging**: A log output sink.
+
+Below is an enumeration of the remaining sinks, but they are out of scope for this documentation:
+
+- **open-url**, **jndi-injection**, **ldap**, **jdbc-url**
+- **mvel**, **xpath**, **groovy**, **ognl-injection**
+- **intent-start**, **pending-intent-sent**, **url-open-stream**, **url-redirect**
+- **create-file**, **read-file**, **write-file**, **set-hostname-verifier**
+- **header-splitting**, **information-leak**, **xslt**, **jexl**
+- **bean-validation**, **ssti**, **fragment-injection**, **regex-use[**\ `arg`\ **]**
+
+summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Flow through (summary). This extensible predicate is used to model flow through elements.
+
+- **input**: Access path to the input of the element (where data will flow from to the output).
+- **output**: Access path to the output of the element (where data will flow to from the input).
+- **kind**: Kind of the flow through.
+- **provenance**: Provenance (origin) of the flow through.
+
+The following kinds are supported:
+
+- **taint**: This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
+- **value**: This means that the output equals the input or a copy of the input such that all of its properties are preserved.
+
+neutralModel(package, type, name, signature, provenance)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This extensible predicate is not typically needed externally, but included here for completeness.
+It only has minor impact on the data flow analysis.
+Manual neutrals are considered high confidence dispatch call targets and can reduce the number of dispatch call targets during data flow analysis (a performance optimization).
+
+- **provenance**: Provenance (origin) of the flow through.
+
+.. _access-paths:
+
+Access paths
+------------
+The **input**, and **output** columns consist of a **.**-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values.
+
+The following components are supported:
+
+- **Argument[**\ `n`\ **]** selects the argument at index `n` (zero-indexed).
+- **Argument[**\ `this`\ **]** selects the qualifier (instance parameter).
+- **Argument[**\ `n1..n2`\ **]** selects the arguments in the given range (both ends included).
+- **Parameter[**\ `n`\ **]** selects the parameter at index `n` (zero-indexed).
+- **Parameter[**\ `n1..n2`\ **]** selects the parameters in the given range (both ends included).
+- **ReturnValue** selects the return value.
+- **Field[**\ `name`\ **]** selects the field with the fully qualified name `name`.
+- **SyntheticField[**\ `name`\ **]** selects the synthetic field with name `name`.
+- **SyntheticGlobal[**\ `name`\ **]** selects the synthetic global with name `name`.
+- **ArrayElement** selects the elements of an array.
+- **Element** selects the elements of a collection-like container.
+- **MapKey** selects the element keys of a map.
+- **MapValue** selects the element values of a map.
+
+Provenance
+----------
+
+The **provenance** column is used to specify the provenance (origin) of the model definition and how the model was verified.
+The following values are supported:
+
+- **manual**: The model was manually created and added to the extensible predicate.
+
+or values in the form **origin-verification**, where origin is one of:
+
+- **ai**: The model was generated by AI.
+- **df**: The model was generated by the dataflow model generator.
+- **tb**: The model was generated by the type based model generator.
+- **hq**: The model was generated using a heuristic query.
+
+and verification is one of:
+
+- **manual**: The model was verified by a human.
+- **generated**: The model was generated, but not verified by a human.
+
+The provenance is used to distinguish between models that are manually added (or verified) to the extensible predicate and models that are automatically generated.
+Furthermore, it impacts the data flow analysis in the following way:
+
+- A **manual** model takes precedence over **generated** models. If a **manual** model exists for an element then all **generated** models are ignored.
+- A **generated** model is ignored during analysis, if the source code of the element it is modeling is available.
+
+That is, generated models are less trusted than manual models and only used if neither source code nor a manual model is available.
+
+
+.. include:: ../reusables/data-extensions.rst

docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst

@@ -0,0 +1,479 @@
+.. _customizing-library-models-for-javascript:
+
+:orphan:
+:nosearch:
+
+Customizing Library Models for JavaScript
+=========================================
+
+.. include:: ../reusables/beta-note-customizing-library-models.rst
+
+JavaScript analysis can be customized by adding library models in data extension files.
+
+A data extension for JavaScript is a YAML file of the form:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: <name of extensible predicate>
+      data:
+        - <tuple1>
+        - <tuple2>
+        - ...
+
+The CodeQL library for JavaScript exposes the following extensible predicates:
+
+- **sourceModel**\(type, path, kind)
+- **sinkModel**\(type, path, kind)
+- **typeModel**\(type1, type2, path)
+- **summaryModel**\(type, path, input, output, kind)
+
+See the [CLI documentation for how to load and use data extensions in a CodeQL evaluation run](https://docs.google.com/document/d/14IYCHX8wWuU-HTvJ2gPSdXQKHKYbWCHQKOgn8oLaa80/edit#heading=h.m0v53lpi6w2n) (internal access required).
+
+We'll explain how to use these using a few examples, and provide some reference material at the end of this article.
+
+Example: Taint sink in the 'execa' package
+------------------------------------------
+
+In this example, we'll show how to add the following argument, passed to **execa**, as a command-line injection sink:
+
+.. code-block:: js
+
+  import { shell } from "execa";
+  shell(cmd); // <-- add 'cmd' as a taint sink
+
+Note that this sink is already recognized by the CodeQL JS analysis, but for this example, you could use the following data extension:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: sinkModel
+      data:
+        - ["execa", "Member[shell].Argument[0]", "command-line-injection"]
+
+
+- Since we're adding a new sink, we add a tuple to the **sinkModel** extensible predicate.
+- The first column, **"execa"**, identifies a set of values from which to begin the search for the sink.
+  The string **"execa"** means we start at the places where the codebase imports the NPM package **execa**.
+- The second column is an access path that is evaluated from left to right, starting at the values that were identified by the first column.
+
+  - **Member[shell]** selects accesses to the **shell** member of the **execa** package.
+  - **Argument[0]** selects the first argument to calls to that member.
+
+- **command-line-injection** indicates that this is considered a sink for the command injection query.
+
+Example: Taint sources from window 'message' events
+---------------------------------------------------
+
+In this example, we'll show how the **event.data** expression below could be marked as a remote flow source:
+
+.. code-block:: js
+
+  window.addEventListener("message", function (event) {
+    let data = event.data; // <-- add 'event.data' as a taint source
+  });
+
+Note that this source is already known by the CodeQL JS analysis, but for this example, you could use the following data extension:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: sourceModel
+      data:
+        - [
+            "global",
+            "Member[addEventListener].Argument[1].Parameter[0].Member[data]",
+            "remote",
+          ]
+
+
+- Since we're adding a new taint source, we add a tuple to the **sourceModel** extensible predicate.
+- The first column, **"global"**, begins the search at references to the global object (also known as **window** in browser contexts). This is a special JavaScript object that contains all global variables and methods.
+- **Member[addEventListener]** selects accesses to the **addEventListener** member.
+- **Argument[1]** selects the second argument of calls to that member (the argument containing the callback).
+- **Parameter[0]** selects the first parameter of the callback (the parameter named **event**).
+- **Member[data]** selects accesses to the **data** property of the event object.
+- Finally, the kind **remote** indicates that this is considered a source of remote flow.
+
+In the next section, we'll show how to restrict the model to recognize events of a specific type.
+
+Continued example: Restricting the event type
+---------------------------------------------
+
+The model above treats all events as sources of remote flow, not just **message** events.
+For example, it would also pick up this irrelevant source:
+
+.. code-block:: js
+
+  window.addEventListener("onclick", function (event) {
+    let data = event.data; // <-- 'event.data' became a spurious taint source
+  });
+
+
+We can refine the model by adding the **WithStringArgument** component to restrict the set of calls being considered:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: sourceModel
+      data:
+        - [
+            "global",
+            "Member[addEventListener].WithStringArgument[0=message].Argument[1].Parameter[0].Member[data]",
+            "remote",
+          ]
+
+The **WithStringArgument[0=message]** component here selects the subset of calls to **addEventListener** where the first argument is a string literal with the value **"message"**.
+
+Example: Using types to add MySQL injection sinks
+-------------------------------------------------
+
+In this example, we'll show how to add the following SQL injection sink:
+
+.. code-block:: ts
+
+  import { Connection } from "mysql";
+
+  function submit(connection: Connection, q: string) {
+    connection.query(q); // <-- add 'q' as a SQL injection sink
+  }
+
+We can recognize this using the following extension:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: sinkModel
+      data:
+        - ["mysql.Connection", "Member[query].Argument[0]", "sql-injection"]
+
+
+- The first column, **"mysql.Connection"**, begins the search at any expression whose value is known to be an instance of
+  the **Connection** type from the **mysql** package. This will select the **connection** parameter above because of its type annotation.
+- **Member[query]** selects the **query** member from the connection object.
+- **Argument[0]** selects the first argument of a call to that member.
+- **sql-injection** indicates that this is considered a sink for the SQL injection query.
+
+This works in this example because the **connection** parameter has a type annotation that matches what the model is looking for.
+
+Note that there is a significant difference between the following two rows:
+
+.. code-block:: yaml
+
+        data:
+        - ["mysql.Connection", "", ...]
+        - ["mysql", "Member[Connection]", ...]
+
+The first row matches instances of **mysql.Connection**, which are objects that encapsulate a MySQL connection.
+The second row would match something like **require('mysql').Connection**, which is not itself a connection object.
+
+In the next section, we'll show how to generalize the model to handle the absence of type annotations.
+
+Continued example: Dealing with untyped code
+--------------------------------------------
+
+Suppose we want the model from above to detect the sink in this snippet:
+
+.. code-block:: js
+
+  import { getConnection } from "@example/db";
+  let connection = getConnection();
+  connection.query(q); // <-- add 'q' as a SQL injection sink
+
+There is no type annotation on **connection**, and there is no indication of what **getConnection()** returns.
+Using a **typeModel** tuple we can tell our model that this function returns an instance of **mysql.Connection**:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: typeModel
+      data:
+        - ["mysql.Connection", "@example/db", "Member[getConnection].ReturnValue"]
+
+
+- Since we're providing type information, we add a tuple to the **typeModel** extensible predicate.
+- The first column, **"mysql.Connection"**, names the type that we're adding a new definition for.
+- The second column, **"@example/db"**, begins the search at imports of the hypothetical NPM package **@example/db**.
+- **Member[getConnection]** selects references to the **getConnection** member from that package.
+- **ReturnValue** selects the return value from a call to that member.
+
+The new model states that the return value of **getConnection()** has type **mysql.Connection**.
+Combining this with the sink model we added earlier, the sink in the example is detected by the model.
+
+The mechanism used here is how library models work for both TypeScript and plain JavaScript.
+A good library model contains **typeModel** tuples to ensure it works even in codebases without type annotations.
+For example, the **mysql** model that is included with the CodeQL JS analysis includes this type definition (among many others):
+
+.. code-block:: yaml
+
+  - ["mysql.Connection", "mysql", "Member[createConnection].ReturnValue"]
+
+Example: Adding flow through 'decodeURIComponent'
+-------------------------------------------------
+
+In this example, we'll show how to add flow through calls to `decodeURIComponent`:
+
+.. code-block:: js
+
+  let y = decodeURIComponent(x); // add taint flow from 'x' to 'y'
+
+Note that this flow is already recognized by the CodeQL JS analysis, but for this example, you could use the following data extension:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: summaryModel
+      data:
+        - [
+            "global",
+            "Member[decodeURIComponent]",
+            "Argument[0]",
+            "ReturnValue",
+            "taint",
+          ]
+
+
+- Since we're adding flow through a function call, we add a tuple to the **summaryModel** extensible predicate.
+- The first column, **"global"**, begins the search for relevant calls at references to the global object.
+  In JavaScript, global variables are properties of the global object, so this lets us access global variables or functions.
+- The second column, **Member[decodeURIComponent]**, is a path leading to the function calls we wish to model.
+  In this case, we select references to the **decodeURIComponent** member from the global object, that is,
+  the global variable named **decodeURIComponent**.
+- The third column, **Argument[0]**, indicates the input of the flow. In this case, the first argument to the function call.
+- The fourth column, **ReturnValue**, indicates the output of the flow. In this case, the return value of the function call.
+- The last column, **taint**, indicates the kind of flow to add. The value **taint** means the output is not necessarily equal
+  to the input, but was derived from the input in a taint-preserving way.
+
+Example: Adding flow through 'underscore.forEach'
+-------------------------------------------------
+
+In this example, we'll show how to add flow through calls to **forEach** from the **underscore** package:
+
+.. code-block:: js
+
+  require('underscore').forEach([x, y], (v) => { ... }); // add value flow from 'x' and 'y' to 'v'
+
+Note that this flow is already recognized by the CodeQL JS analysis, but for this example, you could use the following data extension:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: summaryModel
+      data:
+        - [
+            "underscore",
+            "Member[forEach]",
+            "Argument[0].ArrayElement",
+            "Argument[1].Parameter[0]",
+            "value",
+          ]
+
+
+- Since we're adding flow through a function call, we add a tuple to the **summaryModel** extensible predicate.
+- The first column, **"underscore"**, begins the search for relevant calls at places where the **underscore** package is imported.
+- The second column, **Member[forEach]**, selects references to the **forEach** member from the **underscore** package.
+- The third column specifies the input of the flow:
+
+  - **Argument[0]** selects the first argument of **forEach**, which is the array being iterated over.
+  - **ArrayElement** selects the elements of that array (the expressions **x** and **y**).
+
+- The fourth column specifies the output of the flow:
+
+  - **Argument[1]** selects the second argument of **forEach** (the argument containing the callback function).
+  - **Parameter[0]** selects the first parameter of the callback function (the parameter named **v**).
+
+- The last column, **value**, indicates the kind of flow to add. The value **value** means the input value is unchanged as
+  it flows to the output.
+
+Reference material
+------------------
+
+The following sections provide reference material for extensible predicates, access paths, types, and kinds.
+
+Extensible predicates
+---------------------
+
+sourceModel(type, path, kind)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Adds a new taint source. Most taint-tracking queries will use the new source.
+
+- **type**: Name of a type from which to evaluate **path**.
+- **path**: Access path leading to the source.
+- **kind**: Kind of source to add. Currently only **remote** is used.
+
+Example:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: sourceModel
+      data:
+        - ["global", "Member[user].Member[name]", "remote"]
+
+sinkModel(type, path, kind)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Adds a new taint sink. Sinks are query-specific and will typically affect one or two queries.
+
+- **type**: Name of a type from which to evaluate **path**.
+- **path**: Access path leading to the sink.
+- **kind**: Kind of sink to add. See the section on sink kinds for a list of supported kinds.
+
+Example:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: sinkModel
+      data:
+        - ["global", "Member[eval].Argument[0]", "code-injection"]
+
+summaryModel(type, path, input, output, kind)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Adds flow through a function call.
+
+- **type**: Name of a type from which to evaluate **path**.
+- **path**: Access path leading to a function call.
+- **input**: Path relative to the function call that leads to input of the flow.
+- **output**: Path relative to the function call leading to the output of the flow.
+- **kind**: Kind of summary to add. Can be **taint** for taint-propagating flow, or **value** for value-preserving flow.
+
+Example:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: summaryModel
+      data:
+        - [
+            "global",
+            "Member[decodeURIComponent]",
+            "Argument[0]",
+            "ReturnValue",
+            "taint",
+          ]
+
+typeModel(type1, type2, path)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Adds a new definition of a type.
+
+- **type1**: Name of the type to define.
+- **type2**: Name of the type from which to evaluate **path**.
+- **path**: Access path leading from **type2** to **type1**.
+
+Example:
+
+.. code-block:: yaml
+
+  extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - [
+          "mysql.Connection",
+          "@example/db",
+          "Member[getConnection].ReturnValue",
+        ]
+
+Types
+-----
+
+A type is a string that identifies a set of values.
+In each of the extensible predicates mentioned in previous section, the first column is always the name of a type.
+A type can be defined by adding **typeModel** tuples for that type. Additionally, the following built-in types are available:
+
+- The name of an NPM package matches imports of that package. For example, the type **express** matches the expression **require("express")**. If the package name includes dots, it must be surrounded by single quotes, such as in **'lodash.escape'**.
+- The type **global** identifies the global object, also known as **window**. In JavaScript, global variables are properties of the global object, so global variables can be identified using this type. (This type also matches imports of the NPM package named **global**, which is a package that happens to export the global object.)
+- A qualified type name of form **<package>.<type>** identifies expressions of type **<type>** from **<package>**. For example, **mysql.Connection** identifies expression of type **Connection** from the **mysql** package. Note that this only works if type annotations are present in the codebase, or if sufficient **typeModel** tuples have been provided for that type.
+
+Access paths
+------------
+
+The **path**, **input**, and **output** columns consist of a **.**-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values.
+
+The following components are supported:
+
+- **Argument[**\ `number`\ **]** selects the argument at the given index.
+- **Argument[this]** selects the receiver of a method call.
+- **Parameter[**\ `number`\ **]** selects the parameter at the given index.
+- **Parameter[this]** selects the **this** parameter of a function.
+- **ReturnValue** selects the return value of a function or call.
+- **Member[**\ `name`\ **]** selects the property with the given name.
+- **AnyMember** selects any property regardless of name.
+- **ArrayElement** selects an element of an array.
+- **Element** selects an element of an array, iterator, or set object.
+- **MapValue** selects a value of a map object.
+- **Awaited** selects the value of a promise.
+- **Instance** selects instances of a class.
+
+The following components are called "call site filters". They select a subset of the previously-selected calls, if the call fits certain criteria:
+
+- **WithArity[**\ `number`\ **]** selects the subset of calls that have the given number of arguments.
+- **WithStringArgument[**\ `number`\ **=**\ `value`\ **]** selects the subset of calls where the argument at the given index is a string literal with the given value.
+
+Components related to decorators:
+
+- **DecoratedClass** selects a class that has the current value as a decorator. For example, **Member[Component].DecoratedClass** selects any class that is decorated with **@Component**.
+- **DecoratedParameter** selects a parameter that is decorated by the current value.
+- **DecoratedMember** selects a method, field, or accessor that is decorated by the current value.
+
+Additional notes about the syntax of operands:
+
+- Multiple operands may be given to a single component, as a shorthand for the union of the operands. For example, **Member[foo,bar]** matches the union of **Member[foo]** and **Member[bar]**.
+- Numeric operands to **Argument**, **Parameter**, and **WithArity** may be given as an interval. For example, **Argument[0..2]** matches argument 0, 1, or 2.
+- **Argument[N-1]** selects the last argument of a call, and **Parameter[N-1]** selects the last parameter of a function, with **N-2** being the second-to-last and so on.
+
+Kinds
+-----
+
+Source kinds
+~~~~~~~~~~~~
+
+- **remote**: A generic source of remote flow. Most taint-tracking queries will use such a source. Currently this is the only supported source kind.
+
+Sink kinds
+~~~~~~~~~~
+
+Unlike sources, sinks tend to be highly query-specific, rarely affecting more than one or two queries. Not every query supports customizable sinks. If the following sinks are not suitable for your use case, you should add a new query.
+
+- **code-injection**: A sink that can be used to inject code, such as in calls to **eval**.
+- **command-line-injection**: A sink that can be used to inject shell commands, such as in calls to **child_process.spawn**.
+- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **fs.readFile**.
+- **sql-injection**: A sink that can be used for SQL injection, such as in a MySQL **query** call.
+- **nosql-injection**: A sink that can be used for NoSQL injection, such as in a MongoDB **findOne** call.
+- **html-injection**: A sink that can be used for HTML injection, such as in a jQuery **$()** call.
+- **request-forgery**: A sink that controls the URL of a request, such as in a **fetch** call.
+- **url-redirection**: A sink that can be used to redirect the user to a malicious URL.
+- **unsafe-deserialization**: A deserialization sink that can lead to code execution or other unsafe behaviour, such as an unsafe YAML parser.
+
+Summary kinds
+~~~~~~~~~~~~~
+
+- **taint**: A summary that propagates taint. This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
+- **value**: A summary that preserves the value of the input or creates a copy of the input such that all of its object properties are preserved.

docs/codeql/codeql-language-guides/functions-in-python.rst

@@ -75,12 +75,12 @@ This query uses ``Call`` and ``Name`` to find calls to the function ``eval`` - w
    select call, "call to 'eval'."
 
 The ``Call`` class represents calls in Python. The ``Call.getFunc()`` predicate gets the expression being called. ``Name.getId()`` gets the identifier (as a string) of the ``Name`` expression.
-Due to the dynamic nature of Python, this query will select any call of the form ``eval(...)`` regardless of whether it is a call to the built-in function ``eval`` or not.
+This query will select any call of the form ``eval(...)`` regardless of whether it is a call to the built-in function ``eval`` or not.
-In a later tutorial we will see how to use the type-inference library to find calls to the built-in function ``eval`` regardless of name of the variable called.
+Due to the dynamic nature of Python, such syntactic queries can be inaccurate. If one is looking for invocations of the built-in function ``eval``,
+it is preferred to use the API graph, see ":doc:`Using API graphs in Python <using-api-graphs-in-python>`."
 
 Further reading
 ---------------
 
 .. include:: ../reusables/python-further-reading.rst
 .. include:: ../reusables/codeql-ref-tools-further-reading.rst
-

docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst

@@ -3,13 +3,14 @@
 Specifying additional remote flow sources for JavaScript
 ========================================================
 
-You can model potential sources of untrusted user input in your code without making changes to the CodeQL standard library by specifying extra remote flow sources in an external file.
-
 .. pull-quote::
 
-   Note
+   Deprecation Notice
 
-   Specifying remote flow sources in external files is currently in beta and subject to change.
+   Specifying remote flow sources with the JSON format described here is soon to be deprecated
+   and will be removed in the future.
+
+You can model potential sources of untrusted user input in your code without making changes to the CodeQL standard library by specifying extra remote flow sources in an external file.
 
 As mentioned in the :ref:`Data flow cheat sheet for JavaScript <data-flow-cheat-sheet-for-javascript--untrusted-data>`, the CodeQL libraries for JavaScript
 provide a class `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ to represent sources of untrusted user input, sometimes also referred to as remote flow

docs/codeql/reusables/beta-note-customizing-library-models.rst

@@ -0,0 +1,7 @@
+.. pull-quote::
+
+   Beta Notice - Unstable API
+
+   Library customization using data extensions is currently in beta and subject to change.
+
+   Breaking changes to this format may occur while in beta.

docs/codeql/reusables/data-extensions.rst

@@ -0,0 +1,10 @@
+.. _data-extensions:
+
+Data Extensions
+===============
+
+.. pull-quote::
+
+   Beta Notice - Internal documentation
+
+   Data extensions are documented internally in a `Google doc <https://docs.google.com/document/d/14IYCHX8wWuU-HTvJ2gPSdXQKHKYbWCHQKOgn8oLaa80>`_.

docs/codeql/reusables/supported-frameworks.rst

@@ -223,7 +223,9 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
    aioch, Database
    aiomysql, Database
    aiopg, Database
+   aiosqlite, Database
    asyncpg, Database
+   cassandra-driver, Database
    clickhouse-driver, Database
    cx_Oracle, Database
    mysql-connector-python, Database
@@ -233,9 +235,9 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
    oracledb, Database
    phoenixdb, Database
    psycopg2, Database
-   pyodbc, Database
    pymssql, Database
    PyMySQL, Database
+   pyodbc, Database
    sqlite3, Database
    Flask-SQLAlchemy, Database ORM
    peewee, Database ORM
@@ -276,4 +278,3 @@ and the CodeQL library pack ``codeql/ruby-all`` (`changelog <https://github.com/
    Ruby on Rails, Web framework
    rubyzip, Compression library
    typhoeus, HTTP client
-

docs/codeql/reusables/supported-versions-compilers.rst

@@ -11,11 +11,11 @@
    Microsoft extensions (up to VS 2019),
 
    Arm Compiler 5 [3]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
-   C#,C# up to 10.0,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
+   C#,C# up to 11,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
 
    .NET Core up to 3.1
 
-   .NET 5, .NET 6","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
+   .NET 5, .NET 6, .NET 7","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
    Go (aka Golang), "Go up to 1.20", "Go 1.11 or more recent", ``.go``
    Java,"Java 7 to 20 [4]_","javac (OpenJDK and Oracle JDK),
 

go/ql/lib/change-notes/2023-03-28-dataflow-rm-footgun.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.

go/ql/lib/qlpack.yml

@@ -7,5 +7,6 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/tutorial: ${workspace}
+  codeql/util: ${workspace}
 dataExtensions:
   - ext/*.model.yml

go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll

@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow
 
 /**

go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll

@@ -3,6 +3,7 @@ private import DataFlowUtil
 private import DataFlowImplCommon
 private import ContainerFlow
 private import FlowSummaryImpl as FlowSummaryImpl
+private import codeql.util.Unit
 import DataFlowNodes::Private
 
 private newtype TReturnKind =
@@ -339,15 +340,6 @@ predicate forceHighPrecision(Content c) {
   c instanceof ArrayContent or c instanceof CollectionContent
 }
 
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /**
  * Gets the `i`th argument of call `c`, where the receiver of a method call
  * counts as argument -1.

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -10,6 +10,7 @@ private import FlowSummaryImplSpecific
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommon
+private import codeql.util.Unit
 
 /** Provides classes and predicates for defining flow summaries. */
 module Public {

go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll

@@ -4,6 +4,7 @@
 
 private import go
 private import FlowSummaryImpl as FlowSummaryImpl
+private import codeql.util.Unit
 
 /**
  * Holds if taint can flow from `src` to `sink` in zero or more
@@ -66,14 +67,6 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) {
   )
 }
 
-private newtype TUnit = TMkUnit()
-
-/** A singleton class containing a single dummy "unit" value. */
-private class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /**
  * A unit class for adding additional taint steps.
  *

java/documentation/library-coverage/coverage.csv

@@ -33,29 +33,28 @@ freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
 freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
 groovy.lang,26,,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 groovy.util,5,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
-hudson.model,4,,1,,2,,,,,,,,,,,,,1,,1,,,,,,,,,,,,,,,,,,,,,1,
+hudson,44,,16,,19,,,,,,,,,,,,,6,,17,,,,,,,,,,,,,2,,,,,,,,16,
-hudson.os,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
-hudson.remoting,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
-hudson.util,4,,1,,3,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,1,
 io.netty.bootstrap,3,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,
-io.netty.channel,9,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,,,,,,,,,,,,
+io.netty.buffer,,,207,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,130,77
-io.netty.handler.codec.http,3,,1,,,,,,,,,,,,,,,2,,1,,,,,,,,,,,,,,,,,,,,,1,
+io.netty.channel,9,2,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,,,,,,,,,,2,,
+io.netty.handler.codec,3,13,260,,,,,,,,,,,,,,,2,,1,,,,,,,,,,,,,,,,,,,,13,144,116
 io.netty.handler.ssl,2,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,
 io.netty.handler.stream,1,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
 io.netty.resolver,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
-io.netty.util.internal,2,,2,,1,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,2,
+io.netty.util,2,,23,,1,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,21,2
 jakarta.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
 jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
 jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,
 jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
 jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
+java.awt,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3
 java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
-java.io,42,,40,,17,,,,,,,,,,,,,,,3,,,,,,,,,,,,,22,,,,,,,,39,1
+java.io,42,,45,,17,,,,,,,,,,,,,,,3,,,,,,,,,,,,,22,,,,,,,,43,2
-java.lang,16,,76,,,,,,,,,,,,8,,,,,3,,4,,,1,,,,,,,,,,,,,,,,53,23
+java.lang,16,,90,,,,,,,,,,,,8,,,,,3,,4,,,1,,,,,,,,,,,,,,,,55,35
 java.net,12,3,17,,,,,,,,,,,,,,,12,,,,,,,,,,,,,,,,,,,,,,3,17,
-java.nio,25,,29,,19,,,,,,,,,,,,,,,4,,,,,,,,,,,,,2,,,,,,,,29,
+java.nio,25,,30,,19,,,,,,,,,,,,,,,4,,,,,,,,,,,,,2,,,,,,,,30,
 java.sql,13,,3,,,,,,,,4,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,2,1
-java.util,44,,465,,,,,,,,,,,,34,,,,,,,,5,2,,1,2,,,,,,,,,,,,,,38,427
+java.util,44,,478,,,,,,,,,,,,34,,,,,,,,5,2,,1,2,,,,,,,,,,,,,,41,437
 javafx.scene.web,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,
 javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
 javax.imageio.stream,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,

java/documentation/library-coverage/coverage.rst

@@ -18,10 +18,10 @@ Java framework & library support
    `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,730,39,,6,,,,,
    JBoss Logging,``org.jboss.logging``,,,324,,,,,,,
    `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
-   Java Standard Library,``java.*``,3,631,152,36,,,9,,,12
+   Java Standard Library,``java.*``,3,667,152,36,,,9,,,12
    Java extensions,"``javax.*``, ``jakarta.*``",63,611,34,1,,4,,1,1,2
    Kotlin Standard Library,``kotlin*``,,1835,12,10,,,,,,2
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,480,101,,,,19,14,,29
-   Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.util``, ``hudson.model``, ``hudson.os``, ``hudson.remoting``, ``hudson.util``, ``io.netty.bootstrap``, ``io.netty.channel``, ``io.netty.handler.codec.http``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util.internal``, ``javafx.scene.web``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.geogebra.web.full.main``, ``org.hibernate``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",60,314,328,12,,,18,18,,28
+   Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.util``, ``hudson``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.geogebra.web.full.main``, ``org.hibernate``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",75,813,364,26,,,18,18,,33
-   Totals,,217,8508,1647,150,6,10,113,33,1,113
+   Totals,,232,9043,1683,164,6,10,113,33,1,118
 

java/ql/lib/change-notes/2023-02-28-netty.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added sources and flow step models for the Netty framework up to version 4.1.

java/ql/lib/change-notes/2023-03-27-hudson-models.md

@@ -0,0 +1,7 @@
+---
+category: minorAnalysis
+---
+* Added more sink and summary dataflow models for the following packages:
+  * `hudson.model`
+  * `hudson.scm`
+  * `hudson.util`

java/ql/lib/change-notes/2023-03-27-more-hudson-models.md

@@ -0,0 +1,8 @@
+---
+category: minorAnalysis
+---
+* Added more sink and summary dataflow models for the following packages:
+  * `hudson.cli`
+  * `hudson.lifecycle`
+  * `hudson`
+  * `hudson.util.io`

java/ql/lib/change-notes/2023-03-28-dataflow-rm-footgun.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.

java/ql/lib/change-notes/2023-03-28-deprecated-exectainted.md

@@ -0,0 +1,5 @@
+---
+category: deprecated
+---
+* The `execTainted` predicate in `CommandLineQuery.qll` has been deprecated and replaced with the predicate `execIsTainted`.
+

java/ql/lib/change-notes/2023-03-29-rangeanalysis-add.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved the handling of addition in the range analysis. This can cause in minor changes to the results produced by `java/index-out-of-bounds` and `java/constant-comparison`.

java/ql/lib/ext/hudson.cli.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["hudson.cli", "FullDuplexHttpStream", True, "FullDuplexHttpStream", "(URL,String,String)", "", "Argument[0]", "open-url", "ai-generated"]
+      - ["hudson.cli", "FullDuplexHttpStream", True, "FullDuplexHttpStream", "(URL,String,String)", "", "Argument[1]", "open-url", "manual"]

java/ql/lib/ext/hudson.lifecycle.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["hudson.lifecycle", "Lifecycle", True, "rewriteHudsonWar", "(File)", "", "Argument[0]", "create-file", "ai-generated"]

java/ql/lib/ext/hudson.model.model.yml

@@ -1,14 +1,18 @@
 extensions:
-  - addsTo:
-      pack: codeql/java-all
-      extensible: summaryModel
-    data:
-      - ["hudson.model", "DirectoryBrowserSupport$Path", False, "Path", "(String,String,boolean,long,boolean,long)", "", "Argument[0]", "Argument[this].SyntheticField[hudson.model.DirectoryBrowserSupport$Path.href]", "taint", "ai-generated"]
   - addsTo:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["hudson.model", "DownloadService", True, "loadJSON", "(URL)", "", "Argument[0]", "open-url", "ai-generated"]
+      - ["hudson.model", "DownloadService", True, "loadJSONHTML", "(URL)", "", "Argument[0]", "open-url", "ai-generated"]
       - ["hudson.model", "DirectoryBrowserSupport", False, "DirectoryBrowserSupport", "(ModelObject,FilePath,String,String,boolean)", "", "Argument[1]", "read-file", "ai-generated"]
+      - ["hudson.model", "Items", True, "load", "(ItemGroup,File)", "", "Argument[1]", "read-file", "ai-generated"]
       - ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "download", "(DownloadJob,URL)", "", "Argument[1]", "open-url", "ai-generated"]
       - ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "install", "(DownloadJob,File,File)", "", "Argument[1]", "create-file", "ai-generated"] # should be delete-file
       - ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "install", "(DownloadJob,File,File)", "", "Argument[2]", "create-file", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["hudson.model", "Node", True, "createPath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson.model", "DirectoryBrowserSupport$Path", False, "Path", "(String,String,boolean,long,boolean,long)", "", "Argument[0]", "Argument[this].SyntheticField[hudson.model.DirectoryBrowserSupport$Path.href]", "taint", "ai-generated"]

java/ql/lib/ext/hudson.model.yml

@@ -0,0 +1,26 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["hudson", "FilePath", False, "copyFrom", "(FilePath)", "", "Argument[0]", "read-file", "manual"]
+      - ["hudson", "FilePath", False, "copyFrom", "(URL)", "", "Argument[0]", "read-file", "manual"]
+      - ["hudson", "FilePath", False, "copyFrom", "(FileItem)", "", "Argument[0]", "read-file", "ai-generated"]
+      - ["hudson", "FilePath", False, "copyRecursiveTo", "(DirScanner,FilePath,String,TarCompression)", "", "Argument[1]", "create-file", "ai-generated"]
+      - ["hudson", "FilePath", False, "copyRecursiveTo", "(DirScanner,FilePath,String)", "", "Argument[1]", "write-file", "ai-generated"]
+      - ["hudson", "FilePath", False, "copyRecursiveTo", "(String,FilePath)", "", "Argument[1]", "create-file", "ai-generated"]
+      - ["hudson", "FilePath", False, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[0]", "read-file", "ai-generated"]
+      - ["hudson", "FilePath", False, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[2]", "create-file", "ai-generated"]
+      - ["hudson", "FilePath", False, "copyTo", "(FilePath)", "", "Argument[0]", "create-file", "ai-generated"]
+      - ["hudson", "FilePath", False, "installIfNecessaryFrom", "(URL,TaskListener,String)", "", "Argument[0]", "open-url", "ai-generated"]
+      - ["hudson", "FilePath", False, "newInputStreamDenyingSymlinkAsNeeded", "(File,String,boolean)", "", "Argument[0]", "read-file", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["hudson", "FilePath", False, "child", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson", "FilePath", False, "list", "(String,String,boolean)", "", "Argument[this]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson", "FilePath", False, "list", "(String,String)", "", "Argument[this]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson", "FilePath", False, "list", "(String)", "", "Argument[this]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson", "FilePath", False, "normalize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson", "FilePath", False, "sibling", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]

java/ql/lib/ext/hudson.scm.model.yml

@@ -0,0 +1,18 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["hudson.scm", "ChangeLogParser", True, "parse", "(AbstractBuild,File)", "", "Argument[1]", "read-file", "ai-generated"]
+      - ["hudson.scm", "ChangeLogParser", True, "parse", "(Run,RepositoryBrowser,File)", "", "Argument[2]", "read-file", "ai-generated"]
+      - ["hudson.scm", "SCM", True, "checkout", "(AbstractBuild,Launcher,FilePath,BuildListener,File)", "", "Argument[2]", "create-file", "ai-generated"]
+      - ["hudson.scm", "SCM", True, "checkout", "(Run,Launcher,FilePath,TaskListener,File,SCMRevisionState)", "", "Argument[2]", "create-file", "ai-generated"]
+      - ["hudson.scm", "SCM", True, "compareRemoteRevisionWith", "(Job,Launcher,FilePath,TaskListener,SCMRevisionState)", "", "Argument[2]", "read-file", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["hudson.scm", "SCM", True, "getModuleRoot", "(FilePath,AbstractBuild)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson.scm", "SCM", True, "getModuleRoot", "(FilePath)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson.scm", "SCM", True, "getModuleRoots", "(FilePath,AbstractBuild)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
+      - ["hudson.scm", "SCM", True, "getModuleRoots", "(FilePath)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]

java/ql/lib/ext/hudson.util.io.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["hudson.util.io", "ReopenableFileOutputStream", True, "ReopenableFileOutputStream", "(File)", "", "Argument[0]", "create-file", "ai-generated"]
+      - ["hudson.util.io", "RewindableFileOutputStream", True, "RewindableFileOutputStream", "(File)", "", "Argument[0]", "create-file", "ai-generated"]

java/ql/lib/ext/hudson.util.model.yml

@@ -1,11 +1,25 @@
 extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["hudson.util", "AtomicFileWriter", True, "AtomicFileWriter", "(File)", "", "Argument[0]", "create-file", "ai-generated"]
+      - ["hudson.util", "AtomicFileWriter", True, "AtomicFileWriter", "(Path,Charset,boolean,boolean)", "", "Argument[0]", "create-file", "ai-generated"]
+      - ["hudson.util", "AtomicFileWriter", True, "AtomicFileWriter", "(Path,Charset)", "", "Argument[0]", "create-file", "ai-generated"]
+      - ["hudson.util", "ClasspathBuilder", True, "add", "(FilePath)", "", "Argument[0]", "read-file", "ai-generated"]
+      - ["hudson.util", "IOUtils", True, "mkdirs", "(File)", "", "Argument[0]", "create-file", "ai-generated"]
+      - ["hudson.util", "StreamTaskListener", True, "StreamTaskListener", "(File,boolean,Charset)", "", "Argument[0]", "create-file", "ai-generated"]
+      - ["hudson.util", "TextFile", True, "delete", "()", "", "Argument[this]", "create-file", "manual"]
+      - ["hudson.util", "TextFile", True, "fastTail", "", "", "Argument[this]", "read-file", "manual"]
+      - ["hudson.util", "TextFile", True, "head", "", "", "Argument[this]", "read-file", "manual"]
+      - ["hudson.util", "TextFile", True, "lines", "()", "", "Argument[this]", "read-file", "manual"]
+      - ["hudson.util", "TextFile", True, "read", "()", "", "Argument[this]", "read-file", "manual"]
+      - ["hudson.util", "TextFile", True, "readTrim", "()", "", "Argument[this]", "read-file", "manual"]
+      - ["hudson.util", "TextFile", True, "write", "(String)", "", "Argument[0]", "write-file", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
     data:
       - ["hudson.util", "QuotedStringTokenizer", True, "tokenize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
-  - addsTo:
+      - ["hudson.util", "TextFile", True, "TextFile", "(File)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
-      pack: codeql/java-all
+      
-      extensible: sinkModel
-    data:
-      - ["hudson.util", "StreamTaskListener", True, "StreamTaskListener", "(File,boolean,Charset)", "", "Argument[0]", "create-file", "ai-generated"]

java/ql/lib/ext/io.netty.buffer.model.yml

@@ -0,0 +1,212 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["io.netty.buffer", "ByteBufConvertible", True, "asByteBuf", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "array", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "asReadOnly", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "capacity", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "copy", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "discardReadBytes", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "discardSomeReadBytes", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "duplicate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "ensureWritable", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,byte[],int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuffer)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf,int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,OutputStream,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "markReaderIndex", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "markWriterIndex", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "nioBuffer", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "nioBuffers", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "order", "(ByteOrder)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(byte[],int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuffer)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf,int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(OutputStream,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readerIndex", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "resetReaderIndex", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "resetWriterIndex", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "retainedDuplicate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "retainedSlice", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBoolean", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setByte", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,byte[],int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuffer)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf,int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setChar", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setDouble", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setDoubleLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setFloat", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setFloatLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setIndex", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setInt", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setIntLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setLong", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setLongLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setMedium", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setMediumLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setShort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setShortLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setZero", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "skipBytes", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "slice", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "unwrap", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBoolean", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeByte", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(byte[],int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuffer)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf,int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeChar", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeDouble", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeDoubleLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeFloat", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeFloatLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeInt", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeIntLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeLong", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeLongLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeMedium", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeMediumLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeShort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeShortLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeZero", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writerIndex", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBufHolder", True, "copy", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufHolder", True, "content", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufHolder", True, "duplicate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufHolder", True, "retainedDuplicate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufHolder", True, "replace", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,byte[])", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,byte[],int,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuffer)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf,int,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,FileChannel,long,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,GatheringByteChannel,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,OutputStream,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getChar", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "getCharSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(byte[])", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(byte[],int,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuffer)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf,int,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(FileChannel,long,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(GatheringByteChannel,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(OutputStream,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readBytes", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readChar", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readCharSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readSlice", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "readRetainedSlice", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,byte[])", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,byte[],int,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuffer)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf,int,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,FileChannel,long,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ScatteringByteChannel,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,InputStream,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setChar", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "setCharSequence", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeByte", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(byte[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(byte[],int,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuffer)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf,int,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(FileChannel,long,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ScatteringByteChannel,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(InputStream,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeChar", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBuf", True, "writeCharSequence", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", False, "CompositeByteBuf", "(ByteBufAllocator,boolean,int,ByteBuf[])", "", "Argument[3].ArrayElement", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", False, "CompositeByteBuf", "(ByteBufAllocator,boolean,int,Iterable)", "", "Argument[3].Element", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "(int,ByteBuf)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "(boolean,ByteBuf)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(ByteBuf[])", "", "Argument[0].ArrayElement", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(int,ByteBuf[])", "", "Argument[1].ArrayElement", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(boolean,ByteBuf[])", "", "Argument[1].ArrayElement", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(Iterable)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(int,Iterable)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(boolean,Iterable)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addFlattenedComponents", "(boolean,ByteBuf)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "addFlattenedComponents", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "component", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "componentAtOffset", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "consolidate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "consolidate", "(int,int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "CompositeByteBuf", True, "decompose", "(int,int)", "", "Argument[this]", "ReturnValue.Element", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(byte[][])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(byte[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(ByteBuf[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(ByteBuffer)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(ByteBuffer[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(char[],Charset)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(char[],int,int,Charset)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(CharSequence,Charset)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(CharSequence,int,int,Charset)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "unmodifiableBuffer", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "unmodifiableBuffer", "(ByteBuf[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "unreleasableBuffer", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(byte[][])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(byte[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(ByteBuf[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(ByteBuffer)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(ByteBuffer[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(int,byte[][])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(int,ByteBuf[])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(int,ByteBuffer[])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "Unpooled", False, "wrappedUnmodifiableBuffer", "(ByteBuf[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "copy", "(AsciiString,ByteBuf)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "copy", "(AsciiString,int,ByteBuf,int)", "", "Argument[0]", "Argument[2]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "copy", "(AsciiString,int,ByteBuf,int,int)", "", "Argument[0]", "Argument[2]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "decodeHexDump", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "decodeHexDump", "(CharSequence,int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "encodeString", "(ByteBufAllocator,CharBuffer,Charset)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "encodeString", "(ByteBufAllocator,CharBuffer,Charset,int)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "ensureAccessible", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "getBytes", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "getBytes", "(ByteBuf,int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "getBytes", "(ByteBuf,int,int,boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "readBytes", "(ByteBufAllocator,ByteBuf,int)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "reserveAndWriteUtf8", "(ByteBuf,CharSequence,int)", "", "Argument[1]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "reserveAndWriteUtf8", "(ByteBuf,CharSequence,int,int,int)", "", "Argument[1]", "Argument[0]", "taint", "manual"]  
+      - ["io.netty.buffer", "ByteBufUtil", False, "setShortBE", "(ByteBuf,int,int)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "writeAscii", "(ByteBuf,CharSequence)", "", "Argument[1]", "Argument[0]", "taint", "manual"] 
+      - ["io.netty.buffer", "ByteBufUtil", False, "writeAscii", "(ByteBufAllocator,CharSequence)", "", "Argument[1]", "ReturnValue", "taint", "manual"]  
+      - ["io.netty.buffer", "ByteBufUtil", False, "writeShortBE", "(ByteBuf,int)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "writeMediumBE", "(ByteBuf,int)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "writeUtf8", "(ByteBuf,CharSequence)", "", "Argument[1]", "Argument[0]", "taint", "manual"]
+      - ["io.netty.buffer", "ByteBufUtil", False, "writeUtf8", "(ByteBuf,CharSequence,int,int)", "", "Argument[1]", "Argument[0]", "taint", "manual"] 
+      - ["io.netty.buffer", "ByteBufUtil", False, "writeUtf8", "(ByteBufAllocator,CharSequence)", "", "Argument[1]", "ReturnValue", "taint", "manual"]  
+      - ["io.netty.buffer", "ByteBufInputStream", True, "ByteBufInputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]  
+      - ["io.netty.buffer", "ByteBufOutputStream", True, "ByteBufOutputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]  
+      - ["io.netty.buffer", "ByteBufOutputStream", True, "buffer", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]  

java/ql/lib/ext/io.netty.channel.model.yml

@@ -12,3 +12,9 @@ extensions:
       - ["io.netty.channel", "DefaultChannelPipeline", False, "connect", "(SocketAddress,ChannelPromise)", "", "Argument[0]", "open-url", "ai-generated"]
       - ["io.netty.channel", "DefaultChannelPipeline", False, "connect", "(SocketAddress,SocketAddress,ChannelPromise)", "", "Argument[0]", "open-url", "ai-generated"]
       - ["io.netty.channel", "DefaultChannelPipeline", False, "connect", "(SocketAddress,SocketAddress)", "", "Argument[0]", "open-url", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["io.netty.channel", "ChannelInboundHandler", True, "channelRead", "", "", "Parameter[1]", "remote", "manual"]
+      - ["io.netty.channel", "SimpleChannelInboundHandler", True, "channelRead0", "", "", "Parameter[1]", "remote", "manual"]

java/ql/lib/ext/io.netty.handler.codec.base64.model.yml

@@ -0,0 +1,8 @@
+extensions:
+- addsTo:
+    pack: codeql/java-all
+    extensible: summaryModel
+  data:
+    - ["io.netty.handler.codec.base64", "Base64", True, "decode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.base64", "Base64", True, "encode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      

java/ql/lib/ext/io.netty.handler.codec.http.cookie.model.yml

@@ -0,0 +1,19 @@
+extensions:
+- addsTo:
+    pack: codeql/java-all
+    extensible: summaryModel
+  data:
+    - ["io.netty.handler.codec.http.cookie", "Cookie", True, "domain", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "Cookie", True, "name", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "Cookie", True, "path", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "Cookie", True, "value", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "Cookie", True, "setDomain", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "Cookie", True, "setPath", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "Cookie", True, "setValue", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "ServerCookieDecoder", True, "decode", "(String)", "", "Argument[0]", "ReturnValue.Element", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "ServerCookieDecoder", True, "decodeAll", "(String)", "", "Argument[0]", "ReturnValue.Element", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(Cookie)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(Cookie[])", "", "Argument[0].ArrayElement", "ReturnValue.Element", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(Collection)", "", "Argument[0].Element", "ReturnValue.Element", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(Iterable)", "", "Argument[0].Element", "ReturnValue.Element", "taint", "manual"]
+    - ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(String,String)", "", "Argument[1..2]", "ReturnValue", "taint", "manual"]

java/ql/lib/ext/io.netty.handler.codec.http.model.yml

@@ -1,12 +1,83 @@
 extensions:
-  - addsTo:
+- addsTo:
-      pack: codeql/java-all
+    pack: codeql/java-all
-      extensible: sinkModel
+    extensible: sinkModel
-    data:
+  data:
-      - ["io.netty.handler.codec.http", "DefaultFullHttpRequest", True, "DefaultFullHttpRequest", "(HttpVersion,HttpMethod,String,ByteBuf)", "", "Argument[2]", "open-url", "ai-generated"]
+    - ["io.netty.handler.codec.http", "DefaultFullHttpRequest", True, "DefaultFullHttpRequest", "(HttpVersion,HttpMethod,String,ByteBuf)", "", "Argument[2]", "open-url", "ai-generated"]
-      - ["io.netty.handler.codec.http", "DefaultHttpRequest", True, "DefaultHttpRequest", "(HttpVersion,HttpMethod,String)", "", "Argument[2]", "open-url", "ai-generated"]
+    - ["io.netty.handler.codec.http", "DefaultHttpRequest", True, "DefaultHttpRequest", "(HttpVersion,HttpMethod,String)", "", "Argument[2]", "open-url", "ai-generated"]
-  - addsTo:
+- addsTo:
-      pack: codeql/java-all
+    pack: codeql/java-all
-      extensible: summaryModel
+    extensible: summaryModel
-    data:
+  data:
-      - ["io.netty.handler.codec.http", "QueryStringEncoder", True, "QueryStringEncoder", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
+    - ["io.netty.handler.codec.http", "QueryStringEncoder", True, "QueryStringEncoder", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(CharSequence,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(CharSequence,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(CharSequence,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(CharSequence,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(String,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(String,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(String,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(String,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(HttpHeaders)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(HttpHeaders)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "addInt", "(CharSequence,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "addInt", "(CharSequence,int)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "addShort", "(CharSequence,short)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "addShort", "(CharSequence,short)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "copy", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "copy", "()", "", "Argument[this].Element.MapValue", "ReturnValue.Element.MapValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "entries", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "entries", "()", "", "Argument[this].Element.MapValue", "ReturnValue.Element.MapValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "get", "", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "get", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "getAll", "", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "getAllAsString", "", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "getAsString", "", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "getHeader", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "getHeader", "", "", "Argument[2]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "getHost", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "getHost", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "iteratorAsString", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "iteratorAsString", "()", "", "Argument[this].Element.MapValue", "ReturnValue.Element.MapValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "iteratorCharSequence", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element.MapKey", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "iteratorCharSequence", "()", "", "Argument[this].Element.MapValue", "ReturnValue.Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "names", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "newEntity", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "remove", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(CharSequence,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(CharSequence,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(CharSequence,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(CharSequence,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(String,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(String,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(String,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(String,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(HttpHeaders)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(HttpHeaders)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "setAll", "(HttpHeaders)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "setAll", "(HttpHeaders)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "setAll", "(HttpHeaders)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "setInt", "(CharSequence,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "setInt", "(CharSequence,int)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "setShort", "(CharSequence,short)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "setShort", "(CharSequence,short)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "valueStringIterator", "(CharSequence)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "value", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "valueCharSequenceIterator", "(CharSequence)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "toString", "", "", "Argument[this].Element.MapKey", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpHeaders", True, "toString", "", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
+    # Currently all write steps to http messages are taint flow. It may reduce FPs to use a synthetic field for headers instead. 
+    - ["io.netty.handler.codec.http", "HttpMessage", True, "headers", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "LastHttpContent", True, "trailingHeaders", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpRequest", True, "getUri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpRequest", True, "uri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "HttpRequest", True, "setUri", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "QueryStringDecoder", True, "QueryStringDecoder", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "QueryStringDecoder", True, "decodeComponent", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "QueryStringDecoder", True, "parameters", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "QueryStringDecoder", True, "path", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "QueryStringDecoder", True, "rawPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "QueryStringDecoder", True, "rawQuery", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "QueryStringDecoder", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http", "QueryStringDecoder", True, "uri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]

java/ql/lib/ext/io.netty.handler.codec.http.multipart.model.yml

@@ -4,3 +4,40 @@ extensions:
       extensible: sinkModel
     data:
       - ["io.netty.handler.codec.http.multipart", "HttpPostRequestEncoder", True, "addBodyFileUpload", "(String,File,String,boolean)", "", "Argument[1]", "read-file", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "currentPartialHttpData", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "getBodyHttpData", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "getBodyHttpDatas", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "getBodyHttpDatas", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "next", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "offer", "(HttpContent)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "offer", "(HttpContent)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostRequestDecoder", True, "HttpPostRequestDecoder", "(HttpRequest)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostRequestDecoder", True, "HttpPostRequestDecoder", "(HttpDataFactory,HttpRequest)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostRequestDecoder", True, "HttpPostRequestDecoder", "(HttpDataFactory,HttpRequest,Charset)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostStandardRequestDecoder", True, "HttpPostStandardRequestDecoder", "(HttpRequest)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostStandardRequestDecoder", True, "HttpPostStandardRequestDecoder", "(HttpDataFactory,HttpRequest)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostStandardRequestDecoder", True, "HttpPostStandardRequestDecoder", "(HttpDataFactory,HttpRequest,Charset)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostMultipartRequestDecoder", True, "HttpPostMultipartRequestDecoder", "(HttpRequest)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostMultipartRequestDecoder", True, "HttpPostMultipartRequestDecoder", "(HttpDataFactory,HttpRequest)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpPostMultipartRequestDecoder", True, "HttpPostMultipartRequestDecoder", "(HttpDataFactory,HttpRequest,Charset)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "InterfaceHttpData", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpData", True, "addContent", "(ByteBuf,boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpData", True, "get", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpData", True, "getByteBuf", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpData", True, "getChunk", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpData", True, "getString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpData", True, "getString", "(Charset)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "Attribute", True, "getValue", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "Attribute", True, "setValue", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "FileUpload", True, "getContentTransferEncoding", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "FileUpload", True, "getContentType", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "FileUpload", True, "getFilename", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "FileUpload", True, "setContentTransferEncoding", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "FileUpload", True, "setContentType", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "FileUpload", True, "setFilename", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpData", True, "setContent", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.handler.codec.http.multipart", "HttpData", True, "setContent", "(InputStream)", "", "Argument[0]", "Argument[this]", "taint", "manual"]

java/ql/lib/ext/io.netty.handler.codec.http.websocketx.model.yml

@@ -0,0 +1,25 @@
+extensions:
+- addsTo:
+    pack: codeql/java-all
+    extensible: summaryModel
+  data:
+    - ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "CloseWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "CloseWebSocketFrame", "(boolean,int,int,String)", "", "Argument[3]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "CloseWebSocketFrame", "(int,String)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "CloseWebSocketFrame", "(WebSocketCloseStatus,String)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "reasonText", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "BinaryWebSocketFrame", True, "BinaryWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "BinaryWebSocketFrame", True, "BinaryWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "ContinuationWebSocketFrame", True, "ContinuationWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "ContinuationWebSocketFrame", True, "ContinuationWebSocketFrame", "(boolean,int,String)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "ContinuationWebSocketFrame", True, "ContinuationWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "ContinuationWebSocketFrame", True, "text", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "PingWebSocketFrame", True, "PingWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "PingWebSocketFrame", True, "PingWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "PongWebSocketFrame", True, "PongWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "PongWebSocketFrame", True, "PongWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "TextWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "TextWebSocketFrame", "(boolean,int,String)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "TextWebSocketFrame", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "TextWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+    - ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "text", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]

java/ql/lib/ext/io.netty.handler.codec.http2.model.yml

@@ -0,0 +1,49 @@
+extensions:
+- addsTo:
+    pack: codeql/java-all
+    extensible: sourceModel
+  data:
+    - ["io.netty.handler.codec.http2", "Http2FrameListener", True, "onDataRead", "", "", "Parameter[2]", "remote", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2FrameListener", True, "onHeadersRead", "", "", "Parameter[2]", "remote", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2FrameListener", True, "onPushPromiseRead", "", "", "Parameter[3]", "remote", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2FrameListener", True, "onUnknownFrame", "", "", "Parameter[4]", "remote", "manual"]
+- addsTo:
+    pack: codeql/java-all
+    extensible: summaryModel
+  data:
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "authority", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "authority", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "authority", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "method", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "method", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "method", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "path", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "path", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "path", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "scheme", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "scheme", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "scheme", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "status", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "status", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "status", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2Headers", True, "valueIterator", "(CharSequence)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "value", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2HeadersFrame", True, "headers", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "Http2PushPromiseFrame", True, "http2Headers", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "addHttp2ToHttpHeaders", "(int,Http2Headers,FullHttpMessage,boolean)", "", "Argument[1].Element.MapKey", "Argument[2]", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "addHttp2ToHttpHeaders", "(int,Http2Headers,FullHttpMessage,boolean)", "", "Argument[1].Element.MapValue", "Argument[2]", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "addHttp2ToHttpHeaders", "(int,Http2Headers,HttpHeaders,HttpVersion,boolean,boolean)", "", "Argument[1].Element.MapKey", "Argument[2].Element.MapKey", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "addHttp2ToHttpHeaders", "(int,Http2Headers,HttpHeaders,HttpVersion,boolean,boolean)", "", "Argument[1].Element.MapValue", "Argument[2].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpRequest", "", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpRequest", "", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpRequest", "(int,Http2Headers,ByteBuf,boolean)", "", "Argument[2]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpResponse", "", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpResponse", "", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpResponse", "(int,Http2Headers,ByteBuf,boolean)", "", "Argument[2]", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttp2Headers", "(HttpHeaders,boolean)", "", "Argument[0].Element.MapKey", "ReturnValue.Element.MapKey", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttp2Headers", "(HttpHeaders,boolean)", "", "Argument[0].Element.MapValue", "ReturnValue.Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttp2Headers", "(HttpHeaders,Http2Headers)", "", "Argument[0].Element.MapKey", "Argument[1].Element.MapKey", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttp2Headers", "(HttpHeaders,Http2Headers)", "", "Argument[0].Element.MapValue", "Argument[1].Element.MapValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttpRequest", "", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttpRequest", "", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttpResponse", "", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
+    - ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttpResponse", "", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]

java/ql/lib/ext/io.netty.handler.codec.model.yml

@@ -0,0 +1,103 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["io.netty.handler.codec", "ByteToMessageDecoder", True, "callDecode", "", "", "Parameter[1]", "remote", "manual"]
+      - ["io.netty.handler.codec", "ByteToMessageDecoder", True, "decode", "", "", "Parameter[1]", "remote", "manual"]
+      - ["io.netty.handler.codec", "ByteToMessageDecoder", True, "decodeLast", "", "", "Parameter[1]", "remote", "manual"]
+      - ["io.netty.handler.codec", "ByteToMessageCodec", True, "decode", "", "", "Parameter[1]", "remote", "manual"]
+      - ["io.netty.handler.codec", "ByteToMessageCodec", True, "decodeLast", "", "", "Parameter[1]", "remote", "manual"]
+      - ["io.netty.handler.codec", "MessageToMessageDecoder", True, "acceptInboundMessage", "", "", "Parameter[0]", "remote", "manual"]
+      - ["io.netty.handler.codec", "MessageToMessageDecoder", True, "decode", "", "", "Parameter[1]", "remote", "manual"]
+      - ["io.netty.handler.codec", "MessageToMessageCodec", True, "acceptInboundMessage", "", "", "Parameter[0]", "remote", "manual"]
+      - ["io.netty.handler.codec", "MessageToMessageCodec", True, "decode", "", "", "Parameter[1]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel 
+    data:
+      - ["io.netty.handler.codec", "ByteToMessageDecoder$Cumulator", True, "cumulate", "(ByteBufAllocator,ByteBuf,ByteBuf)", "", "Argument[1..2]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "HeadersUtils", False, "getAsString", "(Headers,Object)", "", "Argument[0].Element.MapValue", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "HeadersUtils", False, "getAllAsString", "(Headers,Object)", "", "Argument[0].Element.MapValue", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "HeadersUtils", False, "namesAsString", "(Headers)", "", "Argument[0].Element.MapKey", "ReturnValue.Element", "value", "manual"]
+      - ["io.netty.handler.codec", "HeadersUtils", False, "iteratorAsString", "(Iterable)", "", "Argument[0].Element.MapKey", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "HeadersUtils", False, "iteratorAsString", "(Iterable)", "", "Argument[0].Element.MapValue", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "HeadersUtils", False, "toString", "(Class,Iterator,int)", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "HeadersUtils", False, "toString", "(Class,Iterator,int)", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "get", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "get", "(Object,Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "get", "(Object,Object)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "getAll", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "getAllAndRemove", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "getAndRemove", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "getAndRemove", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "getAndRemove", "(Object,Object)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "names", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "(Headers)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "(Headers)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "(Object,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "(Object,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "(Object,Object[])", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "(Object,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "add", "(Object,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Object[])", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[this].Element.MapValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addBoolean", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addBoolean", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addByte", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addByte", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addChar", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addChar", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addDouble", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addDouble", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addFloat", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addFloat", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addInt", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addInt", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addLong", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addLong", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addShort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addShort", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addTimeMillis", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "addTimeMillis", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "(Headers)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "(Headers)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "(Object,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "(Object,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "(Object,Object[])", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "(Object,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "set", "(Object,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setAll", "(Headers)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setAll", "(Headers)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Object[])", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[this].Element.MapValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setBoolean", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setBoolean", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setByte", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setByte", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setChar", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setChar", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setDouble", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setDouble", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setFloat", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setFloat", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setInt", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setInt", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setLong", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setLong", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setShort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setShort", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setTimeMillis", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.handler.codec", "Headers", True, "setTimeMillis", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]

java/ql/lib/ext/io.netty.util.model.yml

@@ -0,0 +1,27 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["io.netty.util", "ReferenceCounted", True, "retain", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.util", "ReferenceCounted", True, "touch", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["io.netty.util", "AsciiString", False, "AsciiString", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "array", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "cached", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "concat", "(CharSequence)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "concat", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "copy", "(int,byte[],int,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "copy", "(int,char[],int,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "of", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "replace", "(char,char)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "split", "(char)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "split", "(String,int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "split", "(char)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "subSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "toByteArray", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "toCharArray", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "toLowerCase", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "toUpperCase", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "trim", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.netty.util", "AsciiString", False, "trim", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

java/ql/lib/semmle/code/Unit.qll

@@ -1,10 +1,3 @@
 /** Provides the `Unit` class. */
 
-/** The unit type. */
+import codeql.util.Unit
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}

java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll

@@ -421,32 +421,6 @@ private predicate boundFlowStep(Expr e2, Expr e1, int delta, boolean upper) {
   delta = 0 and
   (upper = true or upper = false)
   or
-  exists(Expr x |
-    e2.(AddExpr).hasOperands(e1, x)
-    or
-    exists(AssignAddExpr add | add = e2 |
-      add.getDest() = e1 and add.getRhs() = x
-      or
-      add.getDest() = x and add.getRhs() = e1
-    )
-  |
-    // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
-    not x instanceof ConstantIntegerExpr and
-    not e1 instanceof ConstantIntegerExpr and
-    if strictlyPositiveIntegralExpr(x)
-    then upper = false and delta = 1
-    else
-      if positive(x)
-      then upper = false and delta = 0
-      else
-        if strictlyNegativeIntegralExpr(x)
-        then upper = true and delta = -1
-        else
-          if negative(x)
-          then upper = true and delta = 0
-          else none()
-  )
-  or
   exists(Expr x |
     exists(SubExpr sub |
       e2 = sub and
@@ -896,6 +870,20 @@ private predicate bounded(
     or
     upper = false and delta = d1.minimum(d2)
   )
+  or
+  exists(
+    Bound b1, Bound b2, int d1, int d2, boolean fbe1, boolean fbe2, int od1, int od2, Reason r1,
+    Reason r2
+  |
+    boundedAddition(e, upper, b1, true, d1, fbe1, od1, r1) and
+    boundedAddition(e, upper, b2, false, d2, fbe2, od2, r2) and
+    delta = d1 + d2 and
+    fromBackEdge = fbe1.booleanOr(fbe2)
+  |
+    b = b1 and origdelta = od1 and reason = r1 and b2 instanceof ZeroBound
+    or
+    b = b2 and origdelta = od2 and reason = r2 and b1 instanceof ZeroBound
+  )
 }
 
 private predicate boundedConditionalExpr(
@@ -904,3 +892,37 @@ private predicate boundedConditionalExpr(
 ) {
   bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
 }
+
+private predicate nonConstAdd(Expr add, Expr operand, boolean isLeft) {
+  exists(Expr other |
+    add.(AddExpr).getLeftOperand() = operand and
+    add.(AddExpr).getRightOperand() = other and
+    isLeft = true
+    or
+    add.(AddExpr).getLeftOperand() = other and
+    add.(AddExpr).getRightOperand() = operand and
+    isLeft = false
+    or
+    add.(AssignAddExpr).getDest() = operand and
+    add.(AssignAddExpr).getRhs() = other and
+    isLeft = true
+    or
+    add.(AssignAddExpr).getDest() = other and
+    add.(AssignAddExpr).getRhs() = operand and
+    isLeft = false
+  |
+    // `ConstantIntegerExpr` is covered by valueFlowStep
+    not other instanceof ConstantIntegerExpr and
+    not operand instanceof ConstantIntegerExpr
+  )
+}
+
+private predicate boundedAddition(
+  Expr add, boolean upper, Bound b, boolean isLeft, int delta, boolean fromBackEdge, int origdelta,
+  Reason reason
+) {
+  exists(Expr op |
+    nonConstAdd(add, op, isLeft) and
+    bounded(op, b, delta, upper, fromBackEdge, origdelta, reason)
+  )
+}

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll

@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow
 
 /**

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }