Merge branch 'main' into redsun82/cargo-upgrade-2

2025-12-16 16:53:25 +01:00 · 2025-08-22 13:52:28 +02:00
parent fbeebd7d3c 374c547fa2
commit e05eca6680
216 changed files with 1119 additions and 442 deletions
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.15
+
+No user-facing changes.
+
 ## 0.4.14

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.15.md
+++ b/actions/ql/lib/change-notes/released/0.4.15.md
@@ -0,0 +1,3 @@
+## 0.4.15
+
+No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.14
+lastReleaseVersion: 0.4.15
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.15-dev
+version: 0.4.16-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.7
+
+No user-facing changes.
+
 ## 0.6.6

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.7.md
+++ b/actions/ql/src/change-notes/released/0.6.7.md
@@ -0,0 +1,3 @@
+## 0.6.7
+
+No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.6
+lastReleaseVersion: 0.6.7
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.7-dev
+version: 0.6.8-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 5.4.1
+
+### Minor Analysis Improvements
+
+* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards.
+* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables.
+* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number.
+
 ## 5.4.0

 ### New Features
--- a/cpp/ql/lib/Customizations.qll
+++ b/cpp/ql/lib/Customizations.qll
@@ -0,0 +1,11 @@
+/**
+ * Contains customizations to the standard library.
+ *
+ * This module is imported by `cpp.qll`, so any customizations defined here automatically
+ * apply to all queries.
+ *
+ * Typical examples of customizations include adding new subclasses of abstract classes such as
+ * the `RemoteFlowSource` class to model frameworks that are not covered by the standard library.
+ */
+
+import cpp
--- a/cpp/ql/lib/change-notes/2025-08-02-gvn.md
+++ b/cpp/ql/lib/change-notes/2025-08-02-gvn.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number.
--- a/cpp/ql/lib/change-notes/2025-08-11-global-variable-flow.md
+++ b/cpp/ql/lib/change-notes/2025-08-11-global-variable-flow.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables.
--- a/cpp/ql/lib/change-notes/2025-08-13-guards.md
+++ b/cpp/ql/lib/change-notes/2025-08-13-guards.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards.
--- a/cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md
+++ b/cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.
--- a/cpp/ql/lib/change-notes/released/5.4.1.md
+++ b/cpp/ql/lib/change-notes/released/5.4.1.md
@@ -0,0 +1,7 @@
+## 5.4.1
+
+### Minor Analysis Improvements
+
+* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards.
+* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables.
+* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.0
+lastReleaseVersion: 5.4.1
--- a/cpp/ql/lib/cpp.qll
+++ b/cpp/ql/lib/cpp.qll
@@ -13,6 +13,7 @@
 *     https://github.com/cplusplus/draft/raw/master/papers/n4140.pdf
 */

+import Customizations
 import semmle.code.cpp.File
 import semmle.code.cpp.Linkage
 import semmle.code.cpp.Location
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 5.4.1-dev
+version: 5.4.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -1,218 +1,21 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
-private import DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.DataFlow
+private import DataFlowPrivate as DataFlowPrivate
 private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
+private import codeql.typetracking.TypeTracking
+private import SsaImpl as SsaImpl

 /**
- * Gets a function that might be called by `call`.
- *
- * This predicate does not take additional call targets
- * from `AdditionalCallTarget` into account.
+ * Holds if `f` has name `qualifiedName` and `nparams` parameter count. This is
+ * an approximation of its signature for the purpose of matching functions that
+ * might be the same across link targets.
 */
-cached
-DataFlowCallable defaultViableCallable(DataFlowCall call) {
-  DataFlowImplCommon::forceCachingInSameStage() and
-  result = call.getStaticCallTarget()
-  or
-  // If the target of the call does not have a body in the snapshot, it might
-  // be because the target is just a header declaration, and the real target
-  // will be determined at run time when the caller and callee are linked
-  // together by the operating system's dynamic linker. In case a _unique_
-  // function with the right signature is present in the database, we return
-  // that as a potential callee.
-  exists(string qualifiedName, int nparams |
-    callSignatureWithoutBody(qualifiedName, nparams, call.asCallInstruction()) and
-    functionSignatureWithBody(qualifiedName, nparams, result.getUnderlyingCallable()) and
-    strictcount(Function other | functionSignatureWithBody(qualifiedName, nparams, other)) = 1
-  )
-  or
-  // Virtual dispatch
-  result.asSourceCallable() = call.(VirtualDispatch::DataSensitiveCall).resolve()
-}
-
-/**
- * Gets a function that might be called by `call`.
- */
-cached
-DataFlowCallable viableCallable(DataFlowCall call) {
-  result = defaultViableCallable(call)
-  or
-  // Additional call targets
-  result.getUnderlyingCallable() =
-    any(AdditionalCallTarget additional)
-        .viableTarget(call.asCallInstruction().getUnconvertedResultExpression())
-}
-
-/**
- * Provides virtual dispatch support compatible with the original
- * implementation of `semmle.code.cpp.security.TaintTracking`.
- */
-private module VirtualDispatch {
-  /** A call that may dispatch differently depending on the qualifier value. */
-  abstract class DataSensitiveCall extends DataFlowCall {
-    /**
-     * Gets the node whose value determines the target of this call. This node
-     * could be the qualifier of a virtual dispatch or the function-pointer
-     * expression in a call to a function pointer. What they have in common is
-     * that we need to find out which data flows there, and then it's up to the
-     * `resolve` predicate to stitch that information together and resolve the
-     * call.
-     */
-    abstract Node getDispatchValue();
-
-    /** Gets a candidate target for this call. */
-    abstract Function resolve();
-
-    /**
-     * Whether `src` can flow to this call.
-     *
-     * Searches backwards from `getDispatchValue()` to `src`. The `allowFromArg`
-     * parameter is true when the search is allowed to continue backwards into
-     * a parameter; non-recursive callers should pass `_` for `allowFromArg`.
-     */
-    predicate flowsFrom(Node src, boolean allowFromArg) {
-      src = this.getDispatchValue() and allowFromArg = true
-      or
-      exists(Node other, boolean allowOtherFromArg | this.flowsFrom(other, allowOtherFromArg) |
-        // Call argument
-        exists(DataFlowCall call, Position i |
-          other.(ParameterNode).isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
-          src.(ArgumentNode).argumentOf(call, pragma[only_bind_into](pragma[only_bind_out](i)))
-        ) and
-        allowOtherFromArg = true and
-        allowFromArg = true
-        or
-        // Call return
-        exists(DataFlowCall call, ReturnKind returnKind |
-          other = getAnOutNode(call, returnKind) and
-          returnNodeWithKindAndEnclosingCallable(src, returnKind, call.getStaticCallTarget())
-        ) and
-        allowFromArg = false
-        or
-        // Local flow
-        localFlowStep(src, other) and
-        allowFromArg = allowOtherFromArg
-        or
-        // Flow from global variable to load.
-        exists(LoadInstruction load, GlobalOrNamespaceVariable var |
-          var = src.asVariable() and
-          other.asInstruction() = load and
-          addressOfGlobal(load.getSourceAddress(), var) and
-          // The `allowFromArg` concept doesn't play a role when `src` is a
-          // global variable, so we just set it to a single arbitrary value for
-          // performance.
-          allowFromArg = true
-        )
-        or
-        // Flow from store to global variable.
-        exists(StoreInstruction store, GlobalOrNamespaceVariable var |
-          var = other.asVariable() and
-          store = src.asInstruction() and
-          storeIntoGlobal(store, var) and
-          // Setting `allowFromArg` to `true` like in the base case means we
-          // treat a store to a global variable like the dispatch itself: flow
-          // may come from anywhere.
-          allowFromArg = true
-        )
-      )
-    }
-  }
-
-  pragma[noinline]
-  private predicate storeIntoGlobal(StoreInstruction store, GlobalOrNamespaceVariable var) {
-    addressOfGlobal(store.getDestinationAddress(), var)
-  }
-
-  /** Holds if `addressInstr` is an instruction that produces the address of `var`. */
-  private predicate addressOfGlobal(Instruction addressInstr, GlobalOrNamespaceVariable var) {
-    // Access directly to the global variable
-    addressInstr.(VariableAddressInstruction).getAstVariable() = var
-    or
-    // Access to a field on a global union
-    exists(FieldAddressInstruction fa |
-      fa = addressInstr and
-      fa.getObjectAddress().(VariableAddressInstruction).getAstVariable() = var and
-      fa.getField().getDeclaringType() instanceof Union
-    )
-  }
-
-  /**
-   * A ReturnNode with its ReturnKind and its enclosing callable.
-   *
-   * Used to fix a join ordering issue in flowsFrom.
-   */
-  pragma[noinline]
-  private predicate returnNodeWithKindAndEnclosingCallable(
-    ReturnNode node, ReturnKind kind, DataFlowCallable callable
-  ) {
-    node.getKind() = kind and
-    node.getFunction() = callable.getUnderlyingCallable()
-  }
-
-  /** Call through a function pointer. */
-  private class DataSensitiveExprCall extends DataSensitiveCall {
-    DataSensitiveExprCall() { not exists(this.getStaticCallTarget()) }
-
-    override Node getDispatchValue() { result.asOperand() = this.getCallTargetOperand() }
-
-    override Function resolve() {
-      exists(FunctionInstruction fi |
-        this.flowsFrom(instructionNode(fi), _) and
-        result = fi.getFunctionSymbol()
-      ) and
-      (
-        this.getNumberOfArguments() <= result.getEffectiveNumberOfParameters() and
-        this.getNumberOfArguments() >= result.getEffectiveNumberOfParameters()
-        or
-        result.isVarargs()
-      )
-    }
-  }
-
-  /** Call to a virtual function. */
-  private class DataSensitiveOverriddenFunctionCall extends DataSensitiveCall {
-    DataSensitiveOverriddenFunctionCall() {
-      exists(
-        this.getStaticCallTarget()
-            .getUnderlyingCallable()
-            .(VirtualFunction)
-            .getAnOverridingFunction()
-      )
-    }
-
-    override Node getDispatchValue() { result.asInstruction() = this.getArgument(-1) }
-
-    override MemberFunction resolve() {
-      exists(Class overridingClass |
-        this.overrideMayAffectCall(overridingClass, result) and
-        this.hasFlowFromCastFrom(overridingClass)
-      )
-    }
-
-    /**
-     * Holds if `this` is a virtual function call whose static target is
-     * overridden by `overridingFunction` in `overridingClass`.
-     */
-    pragma[noinline]
-    private predicate overrideMayAffectCall(Class overridingClass, MemberFunction overridingFunction) {
-      overridingFunction.getAnOverriddenFunction+() =
-        this.getStaticCallTarget().getUnderlyingCallable().(VirtualFunction) and
-      overridingFunction.getDeclaringType() = overridingClass
-    }
-
-    /**
-     * Holds if the qualifier of `this` has flow from an upcast from
-     * `derivedClass`.
-     */
-    pragma[noinline]
-    private predicate hasFlowFromCastFrom(Class derivedClass) {
-      exists(ConvertToBaseInstruction toBase |
-        this.flowsFrom(instructionNode(toBase), _) and
-        derivedClass = toBase.getDerivedClass()
-      )
-    }
-  }
+private predicate functionSignature(Function f, string qualifiedName, int nparams) {
+  qualifiedName = f.getQualifiedName() and
+  nparams = f.getNumberOfParameters() and
+  not f.isStatic()
 }

 /**
@@ -238,34 +41,319 @@ private predicate callSignatureWithoutBody(string qualifiedName, int nparams, Ca
 }

 /**
- * Holds if `f` has name `qualifiedName` and `nparams` parameter count. This is
- * an approximation of its signature for the purpose of matching functions that
- * might be the same across link targets.
+ * Gets a function that might be called by `call`.
+ *
+ * This predicate does not take additional call targets
+ * from `AdditionalCallTarget` into account.
 */
-private predicate functionSignature(Function f, string qualifiedName, int nparams) {
-  qualifiedName = f.getQualifiedName() and
-  nparams = f.getNumberOfParameters() and
-  not f.isStatic()
+cached
+DataFlowPrivate::DataFlowCallable defaultViableCallable(DataFlowPrivate::DataFlowCall call) {
+  result = defaultViableCallableWithoutLambda(call)
+  or
+  result = DataFlowImplCommon::viableCallableLambda(call, _)
+}
+
+private DataFlowPrivate::DataFlowCallable defaultViableCallableWithoutLambda(
+  DataFlowPrivate::DataFlowCall call
+) {
+  DataFlowImplCommon::forceCachingInSameStage() and
+  result = call.getStaticCallTarget()
+  or
+  // If the target of the call does not have a body in the snapshot, it might
+  // be because the target is just a header declaration, and the real target
+  // will be determined at run time when the caller and callee are linked
+  // together by the operating system's dynamic linker. In case a _unique_
+  // function with the right signature is present in the database, we return
+  // that as a potential callee.
+  exists(string qualifiedName, int nparams |
+    callSignatureWithoutBody(qualifiedName, nparams, call.asCallInstruction()) and
+    functionSignatureWithBody(qualifiedName, nparams, result.getUnderlyingCallable()) and
+    strictcount(Function other | functionSignatureWithBody(qualifiedName, nparams, other)) = 1
+  )
+}
+
+/**
+ * Gets a function that might be called by `call`.
+ */
+private DataFlowPrivate::DataFlowCallable nonVirtualDispatch(DataFlowPrivate::DataFlowCall call) {
+  result = defaultViableCallableWithoutLambda(call)
+  or
+  // Additional call targets
+  result.getUnderlyingCallable() =
+    any(AdditionalCallTarget additional)
+        .viableTarget(call.asCallInstruction().getUnconvertedResultExpression())
+}
+
+private class RelevantNode extends Node {
+  RelevantNode() { this.getType().stripType() instanceof Class }
+}
+
+private signature DataFlowPrivate::DataFlowCallable methodDispatchSig(
+  DataFlowPrivate::DataFlowCall c
+);
+
+private predicate ignoreConstructor(Expr e) {
+  e instanceof ConstructorDirectInit or
+  e instanceof ConstructorVirtualInit or
+  e instanceof ConstructorDelegationInit or
+  exists(ConstructorFieldInit init | init.getExpr() = e)
+}
+
+/**
+ * Holds if `n` is either:
+ * - the post-update node of a qualifier after a call to a constructor which
+ * constructs an object containing at least one virtual function.
+ * - a node which represents a derived-to-base instruction that converts from `c`.
+ */
+private predicate qualifierSourceImpl(RelevantNode n, Class c) {
+  // Object construction
+  exists(CallInstruction call, ThisArgumentOperand qualifier, Call e |
+    qualifier = call.getThisArgumentOperand() and
+    n.(PostUpdateNode).getPreUpdateNode().asOperand() = qualifier and
+    call.getStaticCallTarget() instanceof Constructor and
+    qualifier.getType().stripType() = c and
+    c.getABaseClass*().getAMemberFunction().isVirtual() and
+    e = call.getUnconvertedResultExpression() and
+    not ignoreConstructor(e)
+  |
+    exists(c.getABaseClass())
+    or
+    exists(c.getADerivedClass())
+  )
+  or
+  // Conversion to a base class
+  exists(ConvertToBaseInstruction convert |
+    // Only keep the most specific cast
+    not convert.getUnary() instanceof ConvertToBaseInstruction and
+    n.asInstruction() = convert and
+    convert.getDerivedClass() = c and
+    c.getABaseClass*().getAMemberFunction().isVirtual()
+  )
+}
+
+private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
+  /**
+   * Gets a possible runtime target of `c` using both static call-target
+   * information, and call-target resolution from `virtualDispatch0`.
+   */
+  private DataFlowPrivate::DataFlowCallable dispatch(DataFlowPrivate::DataFlowCall c) {
+    result = nonVirtualDispatch(c) or
+    result = virtualDispatch0(c)
+  }
+
+  private module TtInput implements TypeTrackingInput<Location> {
+    final class Node = RelevantNode;
+
+    class LocalSourceNode extends Node {
+      LocalSourceNode() {
+        this instanceof ParameterNode
+        or
+        this instanceof DataFlowPrivate::OutNode
+        or
+        DataFlowPrivate::readStep(_, _, this)
+        or
+        DataFlowPrivate::storeStep(_, _, this)
+        or
+        DataFlowPrivate::jumpStep(_, this)
+        or
+        qualifierSourceImpl(this, _)
+      }
+    }
+
+    final private class ContentSetFinal = ContentSet;
+
+    class Content extends ContentSetFinal {
+      Content() {
+        exists(DataFlow::Content c |
+          this.isSingleton(c) and
+          c.getIndirectionIndex() = 1
+        )
+      }
+    }
+
+    class ContentFilter extends Content {
+      Content getAMatchingContent() { result = this }
+    }
+
+    predicate compatibleContents(Content storeContents, Content loadContents) {
+      storeContents = loadContents
+    }
+
+    predicate simpleLocalSmallStep(Node nodeFrom, Node nodeTo) {
+      nodeFrom.getFunction() instanceof Function and
+      simpleLocalFlowStep(nodeFrom, nodeTo, _)
+    }
+
+    predicate levelStepNoCall(Node n1, LocalSourceNode n2) { none() }
+
+    predicate levelStepCall(Node n1, LocalSourceNode n2) { none() }
+
+    predicate storeStep(Node n1, Node n2, Content f) { DataFlowPrivate::storeStep(n1, f, n2) }
+
+    predicate callStep(Node n1, LocalSourceNode n2) {
+      exists(DataFlowPrivate::DataFlowCall call, DataFlowPrivate::Position pos |
+        n1.(DataFlowPrivate::ArgumentNode).argumentOf(call, pos) and
+        n2.(ParameterNode).isParameterOf(dispatch(call), pos)
+      )
+    }
+
+    predicate returnStep(Node n1, LocalSourceNode n2) {
+      exists(DataFlowPrivate::DataFlowCallable callable, DataFlowPrivate::DataFlowCall call |
+        n1.(DataFlowPrivate::ReturnNode).getEnclosingCallable() = callable and
+        callable = dispatch(call) and
+        n2 = DataFlowPrivate::getAnOutNode(call, n1.(DataFlowPrivate::ReturnNode).getKind())
+      )
+    }
+
+    predicate loadStep(Node n1, LocalSourceNode n2, Content f) {
+      DataFlowPrivate::readStep(n1, f, n2)
+    }
+
+    predicate loadStoreStep(Node nodeFrom, Node nodeTo, Content f1, Content f2) { none() }
+
+    predicate withContentStep(Node nodeFrom, LocalSourceNode nodeTo, ContentFilter f) { none() }
+
+    predicate withoutContentStep(Node nodeFrom, LocalSourceNode nodeTo, ContentFilter f) { none() }
+
+    predicate jumpStep(Node n1, LocalSourceNode n2) { DataFlowPrivate::jumpStep(n1, n2) }
+
+    predicate hasFeatureBacktrackStoreTarget() { none() }
+  }
+
+  private predicate qualifierSource(RelevantNode n) { qualifierSourceImpl(n, _) }
+
+  /**
+   * Holds if `n` is the qualifier of `call` which targets the virtual member
+   * function `mf`.
+   */
+  private predicate qualifierOfVirtualCallImpl(
+    RelevantNode n, CallInstruction call, MemberFunction mf
+  ) {
+    n.asOperand() = call.getThisArgumentOperand() and
+    call.getStaticCallTarget() = mf and
+    mf.isVirtual()
+  }
+
+  private predicate qualifierOfVirtualCall(RelevantNode n) { qualifierOfVirtualCallImpl(n, _, _) }
+
+  private import TypeTracking<Location, TtInput>::TypeTrack<qualifierSource/1>::Graph<qualifierOfVirtualCall/1>
+
+  private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2)
+
+  /**
+   * Gets the most specific implementation of `mf` that may be called when the
+   * qualifier has runtime type `c`.
+   */
+  private MemberFunction mostSpecific(MemberFunction mf, Class c) {
+    qualifierOfVirtualCallImpl(_, _, mf) and
+    mf.getAnOverridingFunction*() = result and
+    (
+      result.getDeclaringType() = c
+      or
+      not c.getAMemberFunction().getAnOverriddenFunction*() = mf and
+      result = mostSpecific(mf, c.getABaseClass())
+    )
+  }
+
+  /**
+   * Gets a possible pair of end-points `(p1, p2)` where:
+   * - `p1` is a derived-to-base conversion that converts from some
+   * class `derived`, and
+   * - `p2` is the qualifier of a call to a virtual function that may
+   * target `callable`, and
+   * - `callable` is the most specific implementation that may be called when
+   * the qualifier has type `derived`.
+   */
+  private predicate pairCand(
+    PathNode p1, PathNode p2, DataFlowPrivate::DataFlowCallable callable,
+    DataFlowPrivate::DataFlowCall call
+  ) {
+    exists(Class derived, MemberFunction mf |
+      qualifierSourceImpl(p1.getNode(), derived) and
+      qualifierOfVirtualCallImpl(p2.getNode(), call.asCallInstruction(), mf) and
+      p1.isSource() and
+      p2.isSink() and
+      callable.asSourceCallable() = mostSpecific(mf, derived)
+    )
+  }
+
+  /** Gets a possible run-time target of `call`. */
+  DataFlowPrivate::DataFlowCallable virtualDispatch(DataFlowPrivate::DataFlowCall call) {
+    exists(PathNode p1, PathNode p2 | p1 = p2 or edgePlus(p1, p2) | pairCand(p1, p2, result, call))
+  }
+}
+
+private DataFlowPrivate::DataFlowCallable noDisp(DataFlowPrivate::DataFlowCall call) { none() }
+
+pragma[nomagic]
+private DataFlowPrivate::DataFlowCallable d1(DataFlowPrivate::DataFlowCall call) {
+  result = TrackVirtualDispatch<noDisp/1>::virtualDispatch(call)
+}
+
+pragma[nomagic]
+private DataFlowPrivate::DataFlowCallable d2(DataFlowPrivate::DataFlowCall call) {
+  result = TrackVirtualDispatch<d1/1>::virtualDispatch(call)
+}
+
+pragma[nomagic]
+private DataFlowPrivate::DataFlowCallable d3(DataFlowPrivate::DataFlowCall call) {
+  result = TrackVirtualDispatch<d2/1>::virtualDispatch(call)
+}
+
+pragma[nomagic]
+private DataFlowPrivate::DataFlowCallable d4(DataFlowPrivate::DataFlowCall call) {
+  result = TrackVirtualDispatch<d3/1>::virtualDispatch(call)
+}
+
+pragma[nomagic]
+private DataFlowPrivate::DataFlowCallable d5(DataFlowPrivate::DataFlowCall call) {
+  result = TrackVirtualDispatch<d4/1>::virtualDispatch(call)
+}
+
+pragma[nomagic]
+private DataFlowPrivate::DataFlowCallable d6(DataFlowPrivate::DataFlowCall call) {
+  result = TrackVirtualDispatch<d5/1>::virtualDispatch(call)
+}
+
+/** Gets a function that might be called by `call`. */
+cached
+DataFlowPrivate::DataFlowCallable viableCallable(DataFlowPrivate::DataFlowCall call) {
+  not exists(d6(call)) and
+  result = nonVirtualDispatch(call)
+  or
+  result = d6(call)
 }

 /**
 * Holds if the set of viable implementations that can be called by `call`
 * might be improved by knowing the call context.
 */
-predicate mayBenefitFromCallContext(DataFlowCall call) { mayBenefitFromCallContext(call, _, _) }
+predicate mayBenefitFromCallContext(DataFlowPrivate::DataFlowCall call) {
+  mayBenefitFromCallContext(call, _, _)
+}
+
+private predicate localLambdaFlowStep(Node nodeFrom, Node nodeTo) {
+  localFlowStep(nodeFrom, nodeTo)
+  or
+  DataFlowPrivate::additionalLambdaFlowStep(nodeFrom, nodeTo, _)
+}

 /**
 * Holds if `call` is a call through a function pointer, and the pointer
 * value is given as the `arg`'th argument to `f`.
 */
 private predicate mayBenefitFromCallContext(
-  VirtualDispatch::DataSensitiveCall call, DataFlowCallable f, int arg
+  DataFlowPrivate::DataFlowCall call, DataFlowPrivate::DataFlowCallable f, int arg
 ) {
  f = pragma[only_bind_out](call).getEnclosingCallable() and
  exists(InitializeParameterInstruction init |
-    not exists(call.getStaticCallTarget()) and
+    not exists(call.getStaticCallTarget())
+    or
+    exists(call.getStaticCallSourceTarget().(VirtualFunction).getAnOverridingFunction())
+  |
    init.getEnclosingFunction() = f.getUnderlyingCallable() and
-    call.flowsFrom(instructionNode(init), _) and
+    localLambdaFlowStep+(instructionNode(init),
+      operandNode(call.asCallInstruction().getCallTargetOperand())) and
    init.getParameter().getIndex() = arg
  )
 }
@@ -274,9 +362,11 @@ private predicate mayBenefitFromCallContext(
 * Gets a viable dispatch target of `call` in the context `ctx`. This is
 * restricted to those `call`s for which a context might make a difference.
 */
-DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
+DataFlowPrivate::DataFlowCallable viableImplInCallContext(
+  DataFlowPrivate::DataFlowCall call, DataFlowPrivate::DataFlowCall ctx
+) {
  result = viableCallable(call) and
-  exists(int i, DataFlowCallable f |
+  exists(int i, DataFlowPrivate::DataFlowCallable f |
    mayBenefitFromCallContext(pragma[only_bind_into](call), f, i) and
    f = ctx.getStaticCallTarget() and
    result.asSourceCallable() =
@@ -286,4 +376,8 @@ DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {

 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+predicate parameterMatch(
+  DataFlowPrivate::ParameterPosition ppos, DataFlowPrivate::ArgumentPosition apos
+) {
+  ppos = apos
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -1492,7 +1492,14 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 }

 /** Extra data-flow steps needed for lambda flow analysis. */
-predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
+predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) {
+  preservesValue = false and
+  exists(ContentSet cs | cs.isSingleton(any(UnionContent uc)) |
+    storeStep(nodeFrom, cs, nodeTo)
+    or
+    readStep(nodeFrom, cs, nodeTo)
+  )
+}

 predicate knownSourceModel(Node source, string model) { External::sourceNode(source, _, model) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -795,7 +795,7 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {
  override DataFlowType getType() {
    exists(int indirectionIndex |
      indirectionIndex = globalUse.getIndirectionIndex() and
-      result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex - 1)
+      result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex)
    )
  }

--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 1.4.6
+
+### Minor Analysis Improvements
+
+* The `cpp/short-global-name` query will no longer give alerts for instantiations of template variables, only for the template itself.
+* Fixed a false positive in `cpp/overflow-buffer` when the type of the destination buffer is a reference to a class/struct type.
+
 ## 1.4.5

 ### Minor Analysis Improvements
--- a/cpp/ql/src/change-notes/2025-08-08-overflow-buffer.md
+++ b/cpp/ql/src/change-notes/2025-08-08-overflow-buffer.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed a false positive in `cpp/overflow-buffer` when the type of the destination buffer is a reference to a class/struct type.
--- a/cpp/ql/src/change-notes/2025-08-15-short-global-name-template-instantiations.md
+++ b/cpp/ql/src/change-notes/2025-08-15-short-global-name-template-instantiations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `cpp/short-global-name` query will no longer give alerts for instantiations of template variables, only for the template itself.
--- a/cpp/ql/src/change-notes/2025-08-20-add-customizations.md
+++ b/cpp/ql/src/change-notes/2025-08-20-add-customizations.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.
--- a/cpp/ql/src/change-notes/released/1.4.6.md
+++ b/cpp/ql/src/change-notes/released/1.4.6.md
@@ -0,0 +1,6 @@
+## 1.4.6
+
+### Minor Analysis Improvements
+
+* The `cpp/short-global-name` query will no longer give alerts for instantiations of template variables, only for the template itself.
+* Fixed a false positive in `cpp/overflow-buffer` when the type of the destination buffer is a reference to a class/struct type.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.5
+lastReleaseVersion: 1.4.6
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.4.6-dev
+version: 1.4.7-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
@@ -8,7 +8,7 @@ struct Top {
  virtual void isSink(int x) { }
  virtual int notSource1() { return source(); }
  virtual int notSource2() { return source(); }
-  virtual void notSink(int x) { sink(x); } // $ SPURIOUS: ast,ir=37:19 ast,ir=45:18
+  virtual void notSink(int x) { sink(x); } // $ SPURIOUS: ast=37:19 ast=45:18
 };

 // This class has the correct behavior for just the functions ending in 2.
@@ -32,16 +32,16 @@ void VirtualDispatch(Bottom *bottomPtr, Bottom &bottomRef) { // $ ast-def=bottom
  sink(topPtr->isSource2()); // $ ir MISSING: ast
  topPtr->isSink(source()); // causing a MISSING for ast

-  sink(topPtr->notSource1()); // $ SPURIOUS: ast,ir
-  sink(topPtr->notSource2()); // $ SPURIOUS: ast,ir
+  sink(topPtr->notSource1()); // $ SPURIOUS: ast
+  sink(topPtr->notSource2()); // $ SPURIOUS: ast
  topPtr->notSink(source()); // causing SPURIOUS for ast,ir

  sink(topRef.isSource1()); // $ ir MISSING: ast
  sink(topRef.isSource2()); // $ ir MISSING: ast
  topRef.isSink(source()); // causing a MISSING for ast

-  sink(topRef.notSource1()); // $ SPURIOUS: ast,ir
-  sink(topRef.notSource2()); // $ SPURIOUS: ast,ir
+  sink(topRef.notSource1()); // $ SPURIOUS: ast
+  sink(topRef.notSource2()); // $ SPURIOUS: ast
  topRef.notSink(source()); // causing SPURIOUS for ast,ir
 }

@@ -126,8 +126,8 @@ namespace virtual_inheritance {
    // get flow from a `Middle` value to the call qualifier.
    Top *topPtr = bottomPtr, &topRef = bottomRef;

-    sink(topPtr->isSource()); // $ MISSING: ast,ir
-    sink(topRef.isSource()); // $ MISSING: ast,ir
+    sink(topPtr->isSource()); // $ ir MISSING: ast
+    sink(topRef.isSource()); // $ ir MISSING: ast
  }
 }

--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
@@ -169,10 +169,6 @@ irFlow
 | clang.cpp:50:35:50:40 | call to source | clang.cpp:53:17:53:26 | *stackArray |
 | clang.cpp:51:19:51:24 | call to source | clang.cpp:53:17:53:26 | *stackArray |
 | clang.cpp:57:21:57:28 | call to source | clang.cpp:59:8:59:8 | d |
-| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:35:16:35:25 | call to notSource1 |
-| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:43:15:43:24 | call to notSource1 |
-| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:36:16:36:25 | call to notSource2 |
-| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:44:15:44:24 | call to notSource2 |
 | dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:32:16:32:24 | call to isSource2 |
 | dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:40:15:40:23 | call to isSource2 |
 | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:31:16:31:24 | call to isSource1 |
@@ -180,13 +176,13 @@ irFlow
 | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:55:22:55:30 | call to isSource1 |
 | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:58:28:58:36 | call to isSource1 |
 | dispatch.cpp:33:18:33:23 | call to source | dispatch.cpp:23:38:23:38 | x |
-| dispatch.cpp:37:19:37:24 | call to source | dispatch.cpp:11:38:11:38 | x |
 | dispatch.cpp:41:17:41:22 | call to source | dispatch.cpp:23:38:23:38 | x |
-| dispatch.cpp:45:18:45:23 | call to source | dispatch.cpp:11:38:11:38 | x |
 | dispatch.cpp:69:15:69:20 | call to source | dispatch.cpp:23:38:23:38 | x |
 | dispatch.cpp:73:14:73:19 | call to source | dispatch.cpp:23:38:23:38 | x |
 | dispatch.cpp:81:13:81:18 | call to source | dispatch.cpp:23:38:23:38 | x |
 | dispatch.cpp:107:17:107:22 | call to source | dispatch.cpp:96:8:96:8 | x |
+| dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:129:18:129:25 | call to isSource |
+| dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:130:17:130:24 | call to isSource |
 | dispatch.cpp:140:8:140:13 | call to source | dispatch.cpp:96:8:96:8 | x |
 | dispatch.cpp:144:8:144:13 | call to source | dispatch.cpp:96:8:96:8 | x |
 | flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:31:9:31:9 | x |
--- a/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dispatch/test.cpp
@@ -0,0 +1,127 @@
+struct Base {
+  void f();
+  virtual void virtual_f();
+};
+
+struct Derived : Base {
+  void f();
+  void virtual_f();
+};
+
+void test_simple() {
+  Base b;
+  b.f(); // $ target=2
+  b.virtual_f(); // $ target=3
+
+  Derived d;
+  d.f(); // $ target=7
+  d.virtual_f(); // $ target=8
+
+  Base* b_ptr = &d;
+  b_ptr->f(); // $ target=2
+  b_ptr->virtual_f(); // $ target=8
+
+  Base& b_ref = d;
+  b_ref.f(); // $ target=2
+  b_ref.virtual_f(); // $ target=8
+
+  Base* b_null = nullptr;
+  b_null->f(); // $ target=2
+  b_null->virtual_f(); // $ target=3
+
+  Base* base_is_derived = new Derived();
+  base_is_derived->f(); // $ target=2
+  base_is_derived->virtual_f(); // $ target=8
+
+  Base* base_is_base = new Base();
+  base_is_base->f(); // $ target=2
+  base_is_base->virtual_f(); // $ target=3
+
+  Derived* derived_is_derived = new Derived();
+  derived_is_derived->f(); // $ target=7
+  derived_is_derived->virtual_f(); // $ target=8
+
+  Base& b_ref2 = b;
+  b_ref2 = d;
+  b_ref2.f(); // $ target=2
+  b_ref2.virtual_f(); // $ target=3
+}
+
+struct S {
+  Base* b1;
+  Base* b2;
+};
+
+void test_fields() {
+  S s;
+
+  s.b1 = new Base();
+  s.b2 = new Derived();
+
+  s.b1->virtual_f(); // $ target=3
+  s.b2->virtual_f(); // $ target=8
+
+  s.b1 = new Derived();
+  s.b2 = new Base();
+  s.b1->virtual_f(); // $ target=8 SPURIOUS: target=3 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA
+  s.b2->virtual_f(); // $ target=3 SPURIOUS: target=8 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA
+}
+
+Base* getDerived() {
+  return new Derived();
+}
+
+void test_getDerived() {
+  Base* b = getDerived();
+  b->virtual_f(); // $ target=8
+
+  Derived d = *(Derived*)getDerived();
+  d.virtual_f(); // $ target=8
+}
+
+void write_to_arg(Base* b) {
+  *b = Derived();
+}
+
+void write_to_arg_2(Base** b) {
+	Derived* d = new Derived();
+  *b = d;
+}
+
+void test_write_to_arg() {
+  {
+    Base b;
+    write_to_arg(&b);
+    b.virtual_f(); // $ SPURIOUS: target=3 MISSING: target=8 // missing flow through the copy-constructor in write_to_arg
+  }
+
+  {
+    Base* b;
+    write_to_arg_2(&b);
+    b->virtual_f(); // $ target=8
+  }
+}
+
+Base* global_derived;
+
+void set_global_to_derived() {
+  global_derived = new Derived();
+}
+
+void read_global() {
+  global_derived->virtual_f(); // $ target=8
+}
+
+Base* global_base_or_derived;
+
+void set_global_base_or_derived_1() {
+  global_base_or_derived = new Base();
+}
+
+void set_global_base_or_derived_2() {
+  global_base_or_derived = new Derived();
+}
+
+void read_global_base_or_derived() {
+  global_base_or_derived->virtual_f(); // $ target=3 target=8
+}
--- a/cpp/ql/test/library-tests/dataflow/dispatch/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/dispatch/test.expected
--- a/cpp/ql/test/library-tests/dataflow/dispatch/test.ql
+++ b/cpp/ql/test/library-tests/dataflow/dispatch/test.ql
@@ -0,0 +1,22 @@
+import cpp
+import utils.test.InlineExpectationsTest
+import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch
+import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+
+module ResolveDispatchTest implements TestSig {
+  string getARelevantTag() { result = "target" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlowCall call, SourceCallable callable, MemberFunction mf |
+      mf = callable.asSourceCallable() and
+      not mf.isCompilerGenerated() and
+      callable = viableCallable(call) and
+      location = call.getLocation() and
+      element = call.toString() and
+      tag = "target" and
+      value = callable.getLocation().getStartLine().toString()
+    )
+  }
+}
+
+import MakeTest<ResolveDispatchTest>
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.46
+
+No user-facing changes.
+
 ## 1.7.45

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.46.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.46.md
@@ -0,0 +1,3 @@
+## 1.7.46
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.45
+lastReleaseVersion: 1.7.46
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.46-dev
+version: 1.7.47-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.46
+
+No user-facing changes.
+
 ## 1.7.45

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.46.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.46.md
@@ -0,0 +1,3 @@
+## 1.7.46
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.45
+lastReleaseVersion: 1.7.46
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.46-dev
+version: 1.7.47-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 5.2.2
+
+No user-facing changes.
+
 ## 5.2.1

 No user-facing changes.
--- a/csharp/ql/lib/change-notes/2025-08-18-implicit-reads-at-sinks.md
+++ b/csharp/ql/lib/change-notes/2025-08-18-implicit-reads-at-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The default taint tracking configuration now allows implicit reads from collections at sinks and in additional flow steps. This increases flow coverage for many taint tracking queries and helps reduce false negatives.
--- a/csharp/ql/lib/change-notes/released/5.2.2.md
+++ b/csharp/ql/lib/change-notes/released/5.2.2.md
@@ -0,0 +1,3 @@
+## 5.2.2
+
+No user-facing changes.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.2.1
+lastReleaseVersion: 5.2.2
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.2.2-dev
+version: 5.2.3-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -29,7 +29,10 @@ predicate defaultTaintSanitizer(DataFlow::Node node) {
 * of `c` at sinks and inputs to additional taint steps.
 */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
+  exists(node) and
+  c.isElement()
+}

 private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityConfiguration {
  LocalTaintExprStepConfiguration() { this = "LocalTaintExprStepConfiguration" }
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.3.3
+
+No user-facing changes.
+
 ## 1.3.2

 No user-facing changes.
--- a/Features/CWE-090/LDAPInjection.qhelp
+++ b/Features/CWE-090/LDAPInjection.qhelp
@@ -12,7 +12,7 @@ is likely to be able to run malicious LDAP queries.</p>
 <p>If user input must be included in an LDAP query, it should be escaped to
 avoid a malicious user providing special characters that change the meaning
 of the query. If possible, use an existing library, such as the AntiXSS
-library.</p>
+library. One may also make their own encoder filter <code>`LdapEncode`</code> following RFC 4515 standards.</p>
 </recommendation>

 <example>
@@ -35,7 +35,6 @@ the query cannot be changed by a malicious user.</p>
 <references>
 <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html">LDAP Injection Prevention Cheat Sheet</a>.</li>
 <li>OWASP: <a href="https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java">Preventing LDAP Injection in Java</a>.</li>
-<li>AntiXSS doc: <a href="http://www.nudoq.org/#!/Packages/AntiXSS/AntiXssLibrary/Encoder/M/LdapFilterEncode">LdapFilterEncode</a>.</li>
-<li>AntiXSS doc: <a href="http://www.nudoq.org/#!/Packages/AntiXSS/AntiXssLibrary/Encoder/M/LdapDistinguishedNameEncode">LdapDistinguishedNameEncode</a>.</li>
+<li>RFC 4515: <a href="https://datatracker.ietf.org/doc/html/rfc4515#section-3">String Search Filter Definition</a>.</li>
 </references>
 </qhelp>
--- a/csharp/ql/src/change-notes/released/1.3.3.md
+++ b/csharp/ql/src/change-notes/released/1.3.3.md
@@ -0,0 +1,3 @@
+## 1.3.3
+
+No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.2
+lastReleaseVersion: 1.3.3
--- a/Features/CWE-759/HashWithoutSalt.ql
+++ b/Features/CWE-759/HashWithoutSalt.ql
@@ -10,6 +10,7 @@
 */

 import csharp
+import semmle.code.csharp.frameworks.system.Collections
 import HashWithoutSalt::PathGraph

 /** The C# class `Windows.Security.Cryptography.Core.HashAlgorithmProvider`. */
@@ -93,12 +94,17 @@ predicate hasAnotherHashCall(MethodCall mc) {

 /** Holds if a password hash without salt is further processed in another method call. */
 predicate hasFurtherProcessing(MethodCall mc) {
-  mc.getTarget().fromLibrary() and
-  (
-    mc.getTarget().hasFullyQualifiedName("System", "Array", "Copy") or // Array.Copy(passwordHash, 0, password.Length), 0, key, 0, keyLen);
-    mc.getTarget().hasFullyQualifiedName("System", "String", "Concat") or // string.Concat(passwordHash, saltkey)
-    mc.getTarget().hasFullyQualifiedName("System", "Buffer", "BlockCopy") or // Buffer.BlockCopy(passwordHash, 0, allBytes, 0, 20)
-    mc.getTarget().hasFullyQualifiedName("System", "String", "Format") // String.Format("{0}:{1}:{2}", username, salt, password)
+  exists(Method m | m = mc.getTarget() and m.fromLibrary() |
+    m.hasFullyQualifiedName("System", "Array", "Copy") // Array.Copy(passwordHash, 0, password.Length), 0, key, 0, keyLen);
+    or
+    m.hasFullyQualifiedName("System", "String", "Concat") // string.Concat(passwordHash, saltkey)
+    or
+    m.hasFullyQualifiedName("System", "Buffer", "BlockCopy") // Buffer.BlockCopy(passwordHash, 0, allBytes, 0, 20)
+    or
+    m.hasFullyQualifiedName("System", "String", "Format") // String.Format("{0}:{1}:{2}", username, salt, password)
+    or
+    m.getName() = "CopyTo" and
+    m.getDeclaringType().getABaseType*() instanceof SystemCollectionsICollectionInterface // passBytes.CopyTo(rawSalted, 0);
  )
 }

--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.3.3-dev
+version: 1.3.4-dev
 groups:
  - csharp
  - queries
--- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs
+++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs
@@ -116,7 +116,7 @@ namespace My.Qltest
        {
            var a = new object[] { new object() };
            var b = Reverse(a);
-            Sink(b); // No flow
+            Sink(b); // Flow
            Sink(b[0]); // Flow
        }

--- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected
@@ -104,6 +104,7 @@ edges
 | ExternalFlow.cs:117:17:117:17 | access to local variable a : null [element] : Object | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | provenance |  |
 | ExternalFlow.cs:117:34:117:49 | { ..., ... } : null [element] : Object | ExternalFlow.cs:117:17:117:17 | access to local variable a : null [element] : Object | provenance |  |
 | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:117:34:117:49 | { ..., ... } : null [element] : Object | provenance |  |
+| ExternalFlow.cs:118:17:118:17 | access to local variable b : null [element] : Object | ExternalFlow.cs:119:18:119:18 | access to local variable b | provenance |  |
 | ExternalFlow.cs:118:17:118:17 | access to local variable b : null [element] : Object | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | provenance |  |
 | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | ExternalFlow.cs:118:17:118:17 | access to local variable b : null [element] : Object | provenance |  |
 | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | provenance | MaD:7 |
@@ -240,6 +241,7 @@ nodes
 | ExternalFlow.cs:118:17:118:17 | access to local variable b : null [element] : Object | semmle.label | access to local variable b : null [element] : Object |
 | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | semmle.label | call to method Reverse : null [element] : Object |
 | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | semmle.label | access to local variable a : null [element] : Object |
+| ExternalFlow.cs:119:18:119:18 | access to local variable b | semmle.label | access to local variable b |
 | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | semmle.label | access to local variable b : null [element] : Object |
 | ExternalFlow.cs:120:18:120:21 | access to array element | semmle.label | access to array element |
 | ExternalFlow.cs:205:17:205:18 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
@@ -315,6 +317,7 @@ invalidModelRow
 | ExternalFlow.cs:102:22:102:22 | access to parameter d | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object |
+| ExternalFlow.cs:119:18:119:18 | access to local variable b | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:119:18:119:18 | access to local variable b | $@ | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:120:18:120:21 | access to array element | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:120:18:120:21 | access to array element | $@ | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:206:18:206:48 | call to method MixedFlowArgs | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:18:206:48 | call to method MixedFlowArgs | $@ | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:212:18:212:62 | call to method GeneratedFlowWithGeneratedNeutral | ExternalFlow.cs:211:22:211:33 | object creation of type Object : Object | ExternalFlow.cs:212:18:212:62 | call to method GeneratedFlowWithGeneratedNeutral | $@ | ExternalFlow.cs:211:22:211:33 | object creation of type Object : Object | object creation of type Object : Object |
--- a/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.cs
+++ b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.cs
@@ -0,0 +1,13 @@
+public class CollectionTaintTracking
+{
+    public void ImplicitCollectionReadAtSink()
+    {
+        var tainted = Source<object>(1);
+        var arr = new object[] { tainted };
+        Sink(arr); // $ hasTaintFlow=1
+    }
+
+    static T Source<T>(object source) => throw null;
+
+    public static void Sink<T>(T t) { }
+}
--- a/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected
+++ b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.expected
@@ -0,0 +1,18 @@
+models
+edges
+| CollectionTaintTracking.cs:5:13:5:19 | access to local variable tainted : Object | CollectionTaintTracking.cs:6:34:6:40 | access to local variable tainted : Object | provenance |  |
+| CollectionTaintTracking.cs:5:23:5:39 | call to method Source<Object> : Object | CollectionTaintTracking.cs:5:13:5:19 | access to local variable tainted : Object | provenance |  |
+| CollectionTaintTracking.cs:6:13:6:15 | access to local variable arr : null [element] : Object | CollectionTaintTracking.cs:7:14:7:16 | access to local variable arr | provenance |  |
+| CollectionTaintTracking.cs:6:32:6:42 | { ..., ... } : null [element] : Object | CollectionTaintTracking.cs:6:13:6:15 | access to local variable arr : null [element] : Object | provenance |  |
+| CollectionTaintTracking.cs:6:34:6:40 | access to local variable tainted : Object | CollectionTaintTracking.cs:6:32:6:42 | { ..., ... } : null [element] : Object | provenance |  |
+nodes
+| CollectionTaintTracking.cs:5:13:5:19 | access to local variable tainted : Object | semmle.label | access to local variable tainted : Object |
+| CollectionTaintTracking.cs:5:23:5:39 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| CollectionTaintTracking.cs:6:13:6:15 | access to local variable arr : null [element] : Object | semmle.label | access to local variable arr : null [element] : Object |
+| CollectionTaintTracking.cs:6:32:6:42 | { ..., ... } : null [element] : Object | semmle.label | { ..., ... } : null [element] : Object |
+| CollectionTaintTracking.cs:6:34:6:40 | access to local variable tainted : Object | semmle.label | access to local variable tainted : Object |
+| CollectionTaintTracking.cs:7:14:7:16 | access to local variable arr | semmle.label | access to local variable arr |
+subpaths
+testFailures
+#select
+| CollectionTaintTracking.cs:7:14:7:16 | access to local variable arr | CollectionTaintTracking.cs:5:23:5:39 | call to method Source<Object> : Object | CollectionTaintTracking.cs:7:14:7:16 | access to local variable arr | $@ | CollectionTaintTracking.cs:5:23:5:39 | call to method Source<Object> : Object | call to method Source<Object> : Object |
--- a/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.ql
+++ b/csharp/ql/test/library-tests/tainttracking/collections/CollectionTaintTracking.ql
@@ -0,0 +1,12 @@
+/**
+ * @kind path-problem
+ */
+
+import csharp
+import utils.test.InlineFlowTest
+import TaintFlowTest<DefaultFlowConfig>
+import PathGraph
+
+from PathNode source, PathNode sink
+where flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
--- a/csharp/ql/test/library-tests/tainttracking/collections/options
+++ b/csharp/ql/test/library-tests/tainttracking/collections/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst
+++ b/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst
@@ -74,7 +74,7 @@ To use the starter workspace:
    * Make sure you include the submodules, either by using ``git clone --recursive``, or using by ``git submodule update --init --remote`` after cloning.
    * Use ``git submodule update --remote`` regularly to keep the submodules up to date.

-#. In VS Code, use the **File** > **Open Workspace** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository.
+#. In VS Code, use the **File** > **Open Workspace from File** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository.

 Remember to update the ``ql`` submodule in the starter workspace periodically to ensure that it remains compatible with newer versions of the VS Code extension and the CodeQL CLI.

--- a/docs/codeql/ql-language-reference/aliases.rst
+++ b/docs/codeql/ql-language-reference/aliases.rst
@@ -137,6 +137,6 @@ During :ref:`name resolution <name-resolution>`, ambiguity between aliases from
 for the same module/type/predicate is allowed, but ambiguity between between aliases from distinct **strong**
 alias definitions is invalid QL.
 Likewise, for the purpose of applicative instantiation of :ref:`parameterised modules <parameterized-modules>`
-and `:ref:`parameterised module signatures <parameterized-module-signatures>`, aliases from **weak** alias
+and :ref:`parameterised module signatures <parameterized-module-signatures>`, aliases from **weak** alias
 definitions for instantiation arguments do not result in separate instantiations, but aliases from **strong**
 alias definitions for instantiation arguments do.
--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -9,8 +9,8 @@ toolchain go1.25.0
 // when adding or removing dependencies, run
 //    bazel mod tidy
 require (
-	golang.org/x/mod v0.26.0
-	golang.org/x/tools v0.35.0
+	golang.org/x/mod v0.27.0
+	golang.org/x/tools v0.36.0
 )

 require golang.org/x/sync v0.16.0 // indirect
--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -1,8 +1,8 @@
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.29
+
+No user-facing changes.
+
 ## 1.0.28

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.29.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.29.md
@@ -0,0 +1,3 @@
+## 1.0.29
+
+No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.28
+lastReleaseVersion: 1.0.29
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.29-dev
+version: 1.0.30-dev
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 4.3.2
+
+No user-facing changes.
+
 ## 4.3.1

 No user-facing changes.
--- a/go/ql/lib/change-notes/released/4.3.2.md
+++ b/go/ql/lib/change-notes/released/4.3.2.md
@@ -0,0 +1,3 @@
+## 4.3.2
+
+No user-facing changes.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.3.1
+lastReleaseVersion: 4.3.2
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 4.3.2-dev
+version: 4.3.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.4.3
+
+No user-facing changes.
+
 ## 1.4.2

 No user-facing changes.
--- a/go/ql/src/change-notes/released/1.4.3.md
+++ b/go/ql/src/change-notes/released/1.4.3.md
@@ -0,0 +1,3 @@
+## 1.4.3
+
+No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.2
+lastReleaseVersion: 1.4.3
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.4.3-dev
+version: 1.4.4-dev
 groups:
  - go
  - queries
--- a/java/documentation/library-coverage/coverage.csv
+++ b/java/documentation/library-coverage/coverage.csv
@@ -76,7 +76,7 @@ jakarta.activation,2,,2,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,,,,,,,2,
 jakarta.faces.context,4,7,,,,,,,,,,,,,,2,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,7,,
 jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
 jakarta.persistence,2,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,1,
-jakarta.servlet,2,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,1,,
+jakarta.servlet,2,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,19,,
 jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,
 jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
 jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
--- a/java/documentation/library-coverage/coverage.rst
+++ b/java/documentation/library-coverage/coverage.rst
@@ -19,9 +19,9 @@ Java framework & library support
   JBoss Logging,``org.jboss.logging``,,,324,,,,,,
   `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
   Java Standard Library,``java.*``,10,4621,260,99,,9,,,26
-   Java extensions,"``javax.*``, ``jakarta.*``",69,4159,90,10,4,2,1,1,4
+   Java extensions,"``javax.*``, ``jakarta.*``",87,4159,90,10,4,2,1,1,4
   Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2
   `Spring <https://spring.io/>`_,``org.springframework.*``,38,486,143,26,,28,14,,35
   Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.mongodb``, ``com.opensymphony.xwork2``, ``com.rabbitmq.client``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.struts.beanvalidation.validation.interceptor``, ``org.apache.struts2``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",133,10525,927,140,6,22,18,,208
-   Totals,,312,26328,2656,404,16,128,33,1,409
+   Totals,,330,26328,2656,404,16,128,33,1,409

--- a/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected
@@ -80,6 +80,7 @@ ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldC
 ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
 ql/java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.ql
 ql/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql
 ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql
 ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql
 ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 7.6.0
+
+### Major Analysis Improvements
+
+* Added library models for the relevant method calls under `jakarta.servlet.ServletRequest` and `jakarta.servlet.http.HttpServletRequest` as remote flow sources.
+
+### Minor Analysis Improvements
+
+* Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for `java/dereferenced-value-may-be-null`.
+
 ## 7.5.0

 ### New Features
--- a/java/ql/lib/change-notes/2025-07-28-guardwrappers.md
+++ b/java/ql/lib/change-notes/2025-07-28-guardwrappers.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for `java/dereferenced-value-may-be-null`.
--- a/java/ql/lib/change-notes/2025-08-15-lib-models-remotesource.md
+++ b/java/ql/lib/change-notes/2025-08-15-lib-models-remotesource.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* Added library models for the relevant method calls under `jakarta.servlet.ServletRequest` and `jakarta.servlet.http.HttpServletRequest` as remote flow sources.
--- a/java/ql/lib/change-notes/released/7.6.0.md
+++ b/java/ql/lib/change-notes/released/7.6.0.md
@@ -0,0 +1,9 @@
+## 7.6.0
+
+### Major Analysis Improvements
+
+* Added library models for the relevant method calls under `jakarta.servlet.ServletRequest` and `jakarta.servlet.http.HttpServletRequest` as remote flow sources.
+
+### Minor Analysis Improvements
+
+* Guard implication logic involving wrapper methods has been improved. In particular, this means fewer false positives for `java/dereferenced-value-may-be-null`.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.5.0
+lastReleaseVersion: 7.6.0
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 7.5.1-dev
+version: 7.6.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.6.3
+
+No user-facing changes.
+
 ## 1.6.2

 No user-facing changes.
--- a/Calls/CallsToRunFinalizersOnExit.ql
+++ b/Calls/CallsToRunFinalizersOnExit.ql
@@ -7,8 +7,11 @@
 * @problem.severity error
 * @precision medium
 * @id java/run-finalizers-on-exit
- * @tags reliability
- *       maintainability
+ * @previous-id java/do-not-use-finalizers
+ * @tags quality
+ *       reliability
+ *       correctness
+ *       performance
 */

 import java
--- a/Calls/GarbageCollection.ql
+++ b/Calls/GarbageCollection.ql
@@ -6,8 +6,10 @@
 * @problem.severity recommendation
 * @precision low
 * @id java/garbage-collection
- * @tags reliability
- *       maintainability
+ * @previous-id java/do-not-use-finalizers
+ * @tags quality
+ *       reliability
+ *       correctness
 */

 import java
--- a/java/ql/src/change-notes/2025-07-19-adjust-tags.md
+++ b/java/ql/src/change-notes/2025-07-19-adjust-tags.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The tag `maintainability` has been removed from `java/run-finalizers-on-exit` and the tags `quality`, `correctness`, and `performance` have been added.
+* The tag `maintainability` has been removed from `java/garbage-collection` and the tags `quality` and `correctness` have been added.
--- a/java/ql/src/change-notes/released/1.6.3.md
+++ b/java/ql/src/change-notes/released/1.6.3.md
@@ -0,0 +1,3 @@
+## 1.6.3
+
+No user-facing changes.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.2
+lastReleaseVersion: 1.6.3
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.6.3-dev
+version: 1.6.4-dev
 groups:
  - java
  - queries
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 2.6.9
+
+### Minor Analysis Improvements
+
+* Improved modeling of command-line argument parsing libraries [arg](https://www.npmjs.com/package/arg), [args](https://www.npmjs.com/package/args), [command-line-args](https://www.npmjs.com/package/command-line-args) and [commander](https://www.npmjs.com/package/commander)
+
 ## 2.6.8

 ### Minor Analysis Improvements
--- a/javascript/ql/lib/change-notes/2025-08-01-cli-code-injection.md
+++ b/javascript/ql/lib/change-notes/2025-08-01-cli-code-injection.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 2.6.9
+
+### Minor Analysis Improvements
+
 * Improved modeling of command-line argument parsing libraries [arg](https://www.npmjs.com/package/arg), [args](https://www.npmjs.com/package/args), [command-line-args](https://www.npmjs.com/package/command-line-args) and [commander](https://www.npmjs.com/package/commander)
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.8
+lastReleaseVersion: 2.6.9
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.9-dev
+version: 2.6.10-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 2.0.2
+
+### Minor Analysis Improvements
+
+* The `js/regex-injection` query no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the "environment" category.
+
 ## 2.0.1

 No user-facing changes.
--- a/javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md
+++ b/javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 2.0.2
+
+### Minor Analysis Improvements
+
 * The `js/regex-injection` query no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the "environment" category.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.0.1
+lastReleaseVersion: 2.0.2
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.0.2-dev
+version: 2.0.3-dev
 groups:
  - javascript
  - queries
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.29
+
+No user-facing changes.
+
 ## 1.0.28

 No user-facing changes.
--- a/Show More
+++ b/Show More