Java: accept new tests results

CODEOWNERS

@@ -28,6 +28,7 @@
 /swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
+/java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.39-dev
+version: 0.4.38
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.31-dev
+version: 0.6.30
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 11.0.1-dev
+version: 11.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.6-dev
+version: 1.6.5
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.70-dev
+version: 1.7.69
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.70-dev
+version: 1.7.69
 groups:
   - csharp
   - solorigate

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 7.0.1-dev
+version: 7.0.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.6-dev
+version: 1.7.5
 groups:
   - csharp
   - queries

go/extractor/go.mod

@@ -10,7 +10,7 @@ toolchain go1.26.4
 //    bazel mod tidy
 require (
 	golang.org/x/mod v0.37.0
-	golang.org/x/tools v0.47.0
+	golang.org/x/tools v0.46.0
 )
 
 require github.com/stretchr/testify v1.11.1

go/extractor/go.sum

@@ -10,8 +10,8 @@ golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
 golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
 golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
 golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/tools v0.47.0 h1:7Kn5x/d1svx/PzryTsqeoZN4TZwqeH5pGWjefhLi/1Q=
-golang.org/x/tools v0.47.0/go.mod h1:dFHnyTvFWY212G+h7ZY4Vsp/K3U4/7W9TyVaAul8uCA=
+golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
+golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.53-dev
+version: 1.0.52
 groups:
   - go
   - queries

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.2.1-dev
+version: 7.2.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/lib/semmle/go/security/StoredXssCustomizations.qll

@@ -33,11 +33,9 @@ module StoredXss {
         walkFn.getACall().getArgument(1) = f.getASuccessor*()
       )
       or
-      // The return value of a call to `os.DirEntry.Name`, `os.FileInfo.Name`
-      // or `os.File.ReadDirNames`.
-      exists(DataFlow::CallNode cn, Method m | m = cn.getTarget() and this = cn.getResult(0) |
-        m.implements("io/fs", ["DirEntry", "FileInfo"], "Name") or
-        m.hasQualifiedName("os", "File", "ReadDirNames")
+      // A call to os.FileInfo.Name
+      exists(Method m | m.implements("io/fs", "FileInfo", "Name") |
+        m = this.(DataFlow::CallNode).getTarget()
       )
     }
   }

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.6-dev
+version: 1.6.5
 groups:
   - go
   - queries

go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected

@@ -156,3 +156,12 @@ nodes
 | websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] |
 | websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
 subpaths
+testFailures
+| websocketXss.go:30:32:30:60 | comment | Missing result: Source[go/reflected-xss] |
+| websocketXss.go:31:11:31:14 | xnet [postupdate] | Unexpected result: Source |
+| websocketXss.go:34:30:34:58 | comment | Missing result: Source[go/reflected-xss] |
+| websocketXss.go:35:21:35:25 | xnet2 [postupdate] | Unexpected result: Source |
+| websocketXss.go:46:38:46:66 | comment | Missing result: Source[go/reflected-xss] |
+| websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | Unexpected result: Source |
+| websocketXss.go:50:33:50:61 | comment | Missing result: Source[go/reflected-xss] |
+| websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | Unexpected result: Source |

go/ql/test/query-tests/Security/CWE-079/StoredXss.expected

@@ -1,9 +1,7 @@
 #select
-| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
 | stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
 | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | SSA def(path) | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | SSA def(path) | stored value |
 edges
-| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance |  |
 | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1  |
 | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... [postupdate] | provenance | FunctionModel |
 | stored.go:25:29:25:33 | &... [postupdate] | stored.go:30:22:30:25 | name | provenance |  |
@@ -11,8 +9,6 @@ edges
 models
 | 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
 nodes
-| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name |
-| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
 | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
 | stored.go:25:14:25:17 | rows | semmle.label | rows |
 | stored.go:25:29:25:33 | &... [postupdate] | semmle.label | &... [postupdate] |
@@ -20,3 +16,5 @@ nodes
 | stored.go:59:30:59:33 | SSA def(path) | semmle.label | SSA def(path) |
 | stored.go:61:22:61:25 | path | semmle.label | path |
 subpaths
+testFailures
+| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |

go/ql/test/query-tests/Security/CWE-079/websocketXss.go

@@ -27,12 +27,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	origin := "test"
 	{
 		ws, _ := websocket.Dial(uri, "", origin)
-		var xnet = make([]byte, 512)
-		ws.Read(xnet)              // $ Source[go/reflected-xss]
+		var xnet = make([]byte, 512) // $ Source[go/reflected-xss]
+		ws.Read(xnet)
 		fmt.Fprintf(w, "%v", xnet) // $ Alert[go/reflected-xss]
 		codec := &websocket.Codec{Marshal: marshal, Unmarshal: unmarshal}
-		xnet2 := make([]byte, 512)
-		codec.Receive(ws, xnet2)    // $ Source[go/reflected-xss]
+		xnet2 := make([]byte, 512) // $ Source[go/reflected-xss]
+		codec.Receive(ws, xnet2)
 		fmt.Fprintf(w, "%v", xnet2) // $ Alert[go/reflected-xss]
 	}
 	{
@@ -43,12 +43,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	{
 		dialer := gorilla.Dialer{}
 		conn, _, _ := dialer.Dial(uri, nil)
-		var gorillaMsg = make([]byte, 512)
-		gorilla.ReadJSON(conn, gorillaMsg) // $ Source[go/reflected-xss]
-		fmt.Fprintf(w, "%v", gorillaMsg)   // $ Alert[go/reflected-xss]
+		var gorillaMsg = make([]byte, 512) // $ Source[go/reflected-xss]
+		gorilla.ReadJSON(conn, gorillaMsg)
+		fmt.Fprintf(w, "%v", gorillaMsg) // $ Alert[go/reflected-xss]
 
-		gorilla2 := make([]byte, 512)
-		conn.ReadJSON(gorilla2)        // $ Source[go/reflected-xss]
+		gorilla2 := make([]byte, 512) // $ Source[go/reflected-xss]
+		conn.ReadJSON(gorilla2)
 		fmt.Fprintf(w, "%v", gorilla2) // $ Alert[go/reflected-xss]
 
 		_, gorilla3, _ := conn.ReadMessage() // $ Source[go/reflected-xss]

java/kotlin-extractor/dev/wrapper.py

@@ -75,9 +75,6 @@ def get_version():
 
 
 def install(version: str, quiet: bool):
-    if install_dir.exists():
-        return
-
     if quiet:
         info_out = subprocess.DEVNULL
         info = lambda *args: None
@@ -86,6 +83,8 @@ def install(version: str, quiet: bool):
         info = lambda *args: print(*args, file=sys.stderr)
     file = file_template.format(version=version)
     url = url_template.format(version=version)
+    if install_dir.exists():
+        shutil.rmtree(install_dir)
     install_dir.mkdir()
     zips_dir.mkdir(exist_ok=True)
     zip = zips_dir / file
@@ -157,11 +156,8 @@ def main(opts, forwarded_opts):
         selected_version = current_version or DEFAULT_VERSION
     if selected_version != current_version:
         # don't print information about install procedure unless explicitly using --select
-        if install_dir.exists():
-            shutil.rmtree(install_dir)
+        install(selected_version, quiet=opts.select is None)
         version_file.write_text(selected_version)
-    # don't print information about install procedure unless explicitly using --select
-    install(selected_version, quiet=opts.select is None)
     if opts.select and not forwarded_opts and not opts.version:
         print(f"selected {selected_version}")
         return

java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt

@@ -6,8 +6,6 @@ import com.github.codeql.utils.*
 import com.github.codeql.utils.versions.*
 import com.semmle.extractor.java.OdasaOutput
 import java.io.Closeable
-import java.nio.file.Files
-import java.nio.file.Path
 import java.util.*
 import kotlin.collections.ArrayList
 import org.jetbrains.kotlin.backend.common.extensions.IrPluginContext
@@ -52,7 +50,6 @@ import org.jetbrains.kotlin.load.java.structure.JavaMethod
 import org.jetbrains.kotlin.load.java.structure.JavaTypeParameter
 import org.jetbrains.kotlin.load.java.structure.JavaTypeParameterListOwner
 import org.jetbrains.kotlin.load.java.structure.impl.classFiles.BinaryJavaClass
-import org.jetbrains.kotlin.fir.java.VirtualFileBasedSourceElement
 import org.jetbrains.kotlin.name.FqName
 import org.jetbrains.kotlin.types.Variance
 import org.jetbrains.kotlin.util.OperatorNameConventions
@@ -164,100 +161,23 @@ open class KotlinFileExtractor(
         }
     }
 
-    private fun javaBinaryDeclaresMethod(c: IrClass, name: String): Boolean? {
-        // K1 path: source is JavaSourceElement wrapping a BinaryJavaClass - inspect class metadata
-        val binaryJavaClass = (c.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass
-        if (binaryJavaClass != null) {
-            return binaryJavaClass.methods.any { it.name.asString() == name }
+    private fun javaBinaryDeclaresMethod(c: IrClass, name: String) =
+        ((c.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.methods?.any {
+            it.name.asString() == name
         }
 
-        // K2 path: binary Java classes use VirtualFileBasedSourceElement instead of
-        // JavaSourceElement. The BinaryJavaClass is not stored in the source element, so we parse
-        // the class bytes directly using ASM to check if the method is explicitly declared.
-        if (c.source is VirtualFileBasedSourceElement) {
-            val virtualFile = (c.source as VirtualFileBasedSourceElement).virtualFile
-            if (!virtualFile.name.endsWith(".class")) return null
-            return try {
-                val bytes = virtualFile.contentsToByteArray()
-                var found = false
-                var hasKotlinMetadata = false
-                val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
-                reader.accept(
-                    object : org.jetbrains.org.objectweb.asm.ClassVisitor(
-                        org.jetbrains.org.objectweb.asm.Opcodes.ASM9
-                    ) {
-                        override fun visitAnnotation(
-                            descriptor: String,
-                            visible: Boolean
-                        ): org.jetbrains.org.objectweb.asm.AnnotationVisitor? {
-                            if (descriptor == "Lkotlin/Metadata;") hasKotlinMetadata = true
-                            return null
-                        }
-
-                        override fun visitMethod(
-                            access: Int,
-                            methodName: String,
-                            descriptor: String,
-                            signature: String?,
-                            exceptions: Array<String>?
-                        ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
-                            if (methodName == name) found = true
-                            return null
-                        }
-                    },
-                    org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
-                        org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
-                        org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
-                )
-                if (hasKotlinMetadata) false else found
-            } catch (e: Exception) {
-                logger.warn("Failed to check binary class methods for ${c.fqNameWhenAvailable}: $e")
-                null
-            }
-        }
-        return null
-    }
-
     private fun isJavaBinaryDeclaration(f: IrFunction) =
         f.parentClassOrNull?.let { javaBinaryDeclaresMethod(it, f.name.asString()) } ?: false
 
-    private fun hasConcreteSiblingObjectMethod(f: IrFunction): Boolean {
-        val parentClass = f.parentClassOrNull ?: return false
-        return parentClass.declarations
-            .asSequence()
-            .filterIsInstance<IrFunction>()
-            .filter { sibling ->
-                sibling !== f &&
-                    sibling.name == f.name &&
-                    sibling.codeQlValueParameters.size == f.codeQlValueParameters.size
-            }
-            .any { sibling ->
-                val hasInvisibleFakeVisibility =
-                    sibling.visibility.let {
-                        it is DelegatedDescriptorVisibility && it.delegate == Visibilities.InvisibleFake
-                    }
-                !sibling.isFakeOverride && !hasInvisibleFakeVisibility
-            }
-    }
-
     private fun isJavaBinaryObjectMethodRedeclaration(d: IrDeclaration) =
         when (d) {
             is IrFunction ->
-                d.parentClassOrNull?.typeParameters?.isEmpty() == true &&
                 when (d.name.asString()) {
                     "toString" -> d.codeQlValueParameters.isEmpty()
                     "hashCode" -> d.codeQlValueParameters.isEmpty()
-                    // Under K2 (language version 2.0+), the Object.equals(Object) parameter is
-                    // typed as Any (non-nullable) rather than Any? (nullable). Accept both.
-                    "equals" ->
-                        d.codeQlValueParameters
-                            .singleOrNull()
-                            ?.type
-                            ?.let { it.isNullableAny() || it.isAny() } ?: false
+                    "equals" -> d.codeQlValueParameters.singleOrNull()?.type?.isNullableAny() ?: false
                     else -> false
-                } &&
-                    !hasConcreteSiblingObjectMethod(d) &&
-                    isJavaBinaryDeclaration(d)
+                } && isJavaBinaryDeclaration(d)
             else -> false
         }
 
@@ -1392,28 +1312,27 @@ open class KotlinFileExtractor(
     ): TypeResults {
         with("value parameter", vp) {
             val location = locOverride ?: getLocation(vp, classTypeArgsIncludingOuterClasses)
-            val parentFunction = vp.parent as? IrFunction
-            val javaCallable = parentFunction?.let { getJavaCallable(it) }
             val maybeAlteredType =
-                parentFunction?.let {
+                (vp.parent as? IrFunction)?.let {
                     if (overridesCollectionsMethodWithAlteredParameterTypes(it))
                         eraseCollectionsMethodParameterType(vp.type, it.name.asString(), idx)
                     else if (
-                        (parentFunction as? IrConstructor)?.parentClassOrNull?.kind ==
+                        (vp.parent as? IrConstructor)?.parentClassOrNull?.kind ==
                             ClassKind.ANNOTATION_CLASS
                     )
                         kClassToJavaClass(vp.type)
                     else null
                 } ?: vp.type
-            val javaType = javaCallable?.let { jCallable -> getJavaValueParameterType(jCallable, idx) }
-            val addParameterWildcardsByDefault =
-                !getInnermostWildcardSupppressionAnnotation(vp) &&
-                    !(javaCallable == null &&
-                        parentFunction?.origin == IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB)
+            val javaType =
+                (vp.parent as? IrFunction)?.let {
+                    getJavaCallable(it)?.let { jCallable ->
+                        getJavaValueParameterType(jCallable, idx)
+                    }
+                }
             val typeWithWildcards =
                 addJavaLoweringWildcards(
                     maybeAlteredType,
-                    addParameterWildcardsByDefault,
+                    !getInnermostWildcardSupppressionAnnotation(vp),
                     javaType
                 )
             val substitutedType =
@@ -1427,9 +1346,9 @@ open class KotlinFileExtractor(
                 vp.origin == IrDeclarationOrigin.UNDERSCORE_PARAMETER ||
                     ((vp.parent as? IrFunction)?.let { hasSynthesizedParameterNames(it) } ?: true)
             val javaParameter =
-                when (javaCallable) {
-                    is JavaConstructor -> javaCallable.valueParameters.getOrNull(idx)
-                    is JavaMethod -> javaCallable.valueParameters.getOrNull(idx)
+                when (val callable = (vp.parent as? IrFunction)?.let { getJavaCallable(it) }) {
+                    is JavaConstructor -> callable.valueParameters.getOrNull(idx)
+                    is JavaMethod -> callable.valueParameters.getOrNull(idx)
                     else -> null
                 }
             val extraAnnotations =
@@ -2955,45 +2874,6 @@ open class KotlinFileExtractor(
         return v
     }
 
-    private val sourceTextCache = mutableMapOf<String, String?>()
-
-    private fun getCurrentFileSourceText() =
-        sourceTextCache.getOrPut(filePath) {
-            runCatching { Files.readString(Path.of(filePath)) }.getOrNull()
-        }
-
-    private fun getVariableNameLocation(v: IrVariable): Label<DbLocation>? {
-        if (v.startOffset < 0 || v.endOffset < v.startOffset) return null
-
-        val source = getCurrentFileSourceText() ?: return null
-        if (v.startOffset >= source.length) return null
-
-        val name = v.name.asString()
-        if (name.isEmpty()) return null
-
-        val endExclusive = minOf(v.endOffset + 1, source.length)
-        val declarationText = source.substring(v.startOffset, endExclusive)
-        val nameOffsetInDeclaration = declarationText.indexOf(name)
-        if (nameOffsetInDeclaration < 0) return null
-
-        val nameStartOffset = v.startOffset + nameOffsetInDeclaration
-        val nameEndOffset = nameStartOffset + name.length - 1
-        return tw.getLocation(nameStartOffset, nameEndOffset)
-    }
-
-    private fun shouldUseVariableNameLocation(v: IrVariable): Boolean {
-        val initializer = v.initializer
-        return initializer is IrTypeOperatorCall && initializer.operator == IrTypeOperator.IMPLICIT_NOTNULL
-    }
-
-    private fun getVariableLocation(v: IrVariable): Label<DbLocation> {
-        if (shouldUseVariableNameLocation(v)) {
-            val nameLocation = getVariableNameLocation(v)
-            if (nameLocation != null) return nameLocation
-        }
-        return tw.getLocation(getVariableLocationProvider(v))
-    }
-
     private fun extractVariable(
         v: IrVariable,
         callable: Label<out DbCallable>,
@@ -3002,7 +2882,7 @@ open class KotlinFileExtractor(
     ) {
         with("variable", v) {
             val stmtId = tw.getFreshIdLabel<DbLocalvariabledeclstmt>()
-            val locId = getVariableLocation(v)
+            val locId = tw.getLocation(getVariableLocationProvider(v))
             tw.writeStmts_localvariabledeclstmt(stmtId, parent, idx, callable)
             tw.writeHasLocation(stmtId, locId)
             extractVariableExpr(v, callable, stmtId, 1, stmtId)
@@ -3020,7 +2900,7 @@ open class KotlinFileExtractor(
         with("variable expr", v) {
             val varId = useVariable(v)
             val exprId = tw.getFreshIdLabel<DbLocalvariabledeclexpr>()
-            val locId = getVariableLocation(v)
+            val locId = tw.getLocation(getVariableLocationProvider(v))
             val type = useType(v.type)
             tw.writeLocalvars(varId, v.name.asString(), type.javaResult.id, exprId)
             tw.writeLocalvarsKotlinType(varId, type.kotlinResult.id)
@@ -4186,28 +4066,6 @@ open class KotlinFileExtractor(
             else -> false
         }
 
-    private fun getCallResultType(c: IrCall, syntacticCallTarget: IrFunction): IrType {
-        if (syntacticCallTarget.origin != IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB) {
-            return c.type
-        }
-
-        val primitiveInfo =
-            (c.type as? IrSimpleType)?.let { primitiveTypeMapping.getPrimitiveInfo(it) } ?: return c.type
-        val parentClass = syntacticCallTarget.parentClassOrNull ?: return c.type
-        val returnIsClassifier =
-            javaBinaryMethodReturnIsClassifierType(
-                parentClass,
-                getFunctionShortName(syntacticCallTarget).nameInDB,
-                syntacticCallTarget.codeQlValueParameters.size,
-                syntacticCallTarget is IrConstructor
-            )
-        return if (returnIsClassifier == true) {
-            primitiveInfo.javaClass.symbol.typeWith()
-        } else {
-            c.type
-        }
-    }
-
     private fun isGenericArrayType(typeName: String) =
         when (typeName) {
             "Array" -> true
@@ -4253,7 +4111,7 @@ open class KotlinFileExtractor(
                 extractRawMethodAccess(
                     syntacticCallTarget,
                     c,
-                    getCallResultType(c, syntacticCallTarget),
+                    c.type,
                     callable,
                     parent,
                     idx,

java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt

@@ -36,7 +36,6 @@ import org.jetbrains.kotlin.load.java.BuiltinMethodsWithSpecialGenericSignature
 import org.jetbrains.kotlin.load.java.JvmAbi
 import org.jetbrains.kotlin.load.java.sources.JavaSourceElement
 import org.jetbrains.kotlin.load.java.structure.*
-import org.jetbrains.kotlin.load.java.structure.impl.classFiles.BinaryJavaClass
 import org.jetbrains.kotlin.load.java.typeEnhancement.hasEnhancedNullability
 import org.jetbrains.kotlin.name.FqName
 import org.jetbrains.kotlin.name.NameUtils
@@ -997,20 +996,7 @@ open class KotlinUsesExtractor(
                 )
                 return null
             }
-            val fileClassId = extractFileClass(fqName)
-            // Under K2, external file class members sit directly under IrExternalPackageFragment
-            // rather than under their IrClass parent. In that case the file class entity won't
-            // get a location set through the normal extractClassSource path.
-            if (d is IrMemberWithContainerSource && tw.lm.externalFileClassLocationsExtracted.add(fqName)) {
-                val binaryPath =
-                    getContainerSourceBinaryPath(d.containerSource)
-                        ?.let { normalizeExternalFileClassBinaryPath(it, fqName) }
-                if (binaryPath != null && shouldUseConcreteExternalFileClassLocation(binaryPath)) {
-                    val fileId = tw.mkFileId(binaryPath, true)
-                    tw.writeHasLocation(fileClassId, tw.getWholeFileLocation(fileId))
-                }
-            }
-            return fileClassId
+            return extractFileClass(fqName)
         }
         return useDeclarationParent(parent, canBeTopLevel, classTypeArguments, inReceiverContext)
     }
@@ -1385,13 +1371,8 @@ open class KotlinUsesExtractor(
         parentId: Label<out DbElement>,
         classTypeArgsIncludingOuterClasses: List<IrTypeArgument>?,
         maybeParameterList: List<IrValueParameter>? = null
-    ): String {
-        val javaCallable = getJavaCallable(f)
-        val addParameterWildcardsByDefault =
-            !getInnermostWildcardSupppressionAnnotation(f) &&
-                !(javaCallable == null && f.origin == IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB)
-
-        return getFunctionLabel(
+    ): String =
+        getFunctionLabel(
             f.parent,
             parentId,
             getFunctionShortName(f).nameInDB,
@@ -1401,10 +1382,9 @@ open class KotlinUsesExtractor(
             getFunctionTypeParameters(f),
             classTypeArgsIncludingOuterClasses,
             overridesCollectionsMethodWithAlteredParameterTypes(f),
-            javaCallable,
-            addParameterWildcardsByDefault
+            getJavaCallable(f),
+            !getInnermostWildcardSupppressionAnnotation(f)
         )
-    }
 
     /*
      * This function actually generates the label for a function.
@@ -1491,41 +1471,15 @@ open class KotlinUsesExtractor(
             // Finally, mimic the Java extractor's behaviour by naming functions with type
             // parameters for their erased types;
             // those without type parameters are named for the generic type.
-            var maybeErased =
+            val maybeErased =
                 if (functionTypeParameters.isEmpty()) maybeSubbed else erase(maybeSubbed)
-            // K2 compatibility: under K2, Java @NotNull reference types such as @NotNull Integer
-            // are enhanced to Kotlin primitives (e.g. kotlin.Int). But the Java extractor uses
-            // the original reference type (java.lang.Integer) in callable labels. When we detect
-            // that the original Java parameter type is a reference (classifier) type but the
-            // Kotlin IR type is a primitive, revert to the boxed Java class so both extractors
-            // produce matching callable IDs.
-            if (functionTypeParameters.isEmpty()) {
-                val primitiveInfo = (maybeErased as? IrSimpleType)?.let {
-                    primitiveTypeMapping.getPrimitiveInfo(it)
-                }
-                if (primitiveInfo != null) {
-                    val parentClass = parent as? IrClass
-                    if (parentClass != null) {
-                        val isClassifierType = javaBinaryMethodParamIsClassifierType(
-                            parentClass,
-                            name,
-                            allParamTypes.size,
-                            name == "<init>",
-                            it.index
-                        )
-                        if (isClassifierType == true) {
-                            maybeErased = primitiveInfo.javaClass.symbol.typeWith()
-                        }
-                    }
-                }
-            }
             "{${useType(maybeErased).javaResult.id}}"
         }
         val paramTypeIds =
             allParamTypes
                 .withIndex()
                 .joinToString(separator = ",", transform = getIdForFunctionLabel)
-        var labelReturnType =
+        val labelReturnType =
             if (name == "<init>") pluginContext.irBuiltIns.unitType
             else
                 erase(
@@ -1535,28 +1489,6 @@ open class KotlinUsesExtractor(
                         pluginContext
                     )
                 )
-        // K2 compatibility: same as for parameters, if the Java binary method return type is a
-        // reference type but K2 enhanced it to a Kotlin primitive, use the boxed Java class.
-        if (functionTypeParameters.isEmpty() && name != "<init>") {
-            val primitiveInfo = (labelReturnType as? IrSimpleType)?.let {
-                primitiveTypeMapping.getPrimitiveInfo(it)
-            }
-            if (primitiveInfo != null) {
-                val parentClass = parent as? IrClass
-                if (parentClass != null) {
-                    val returnIsClassifier =
-                        javaBinaryMethodReturnIsClassifierType(
-                            parentClass,
-                            name,
-                            allParamTypes.size,
-                            false
-                        )
-                    if (returnIsClassifier == true) {
-                        labelReturnType = primitiveInfo.javaClass.symbol.typeWith()
-                    }
-                }
-            }
-        }
         // Note that `addJavaLoweringWildcards` is not required here because the return type used to
         // form the function
         // label is always erased.
@@ -1662,23 +1594,9 @@ open class KotlinUsesExtractor(
     }
 
     @OptIn(ObsoleteDescriptorBasedAPI::class)
-    fun getJavaCallable(f: IrFunction): JavaMember? {
-        val fromDescriptor = (f.descriptor.source as? JavaSourceElement)?.javaElement as? JavaMember
-        if (fromDescriptor != null) return fromDescriptor
+    fun getJavaCallable(f: IrFunction) =
+        (f.descriptor.source as? JavaSourceElement)?.javaElement as? JavaMember
 
-        // K2 fallback: under K2, descriptor.source may not carry JavaSourceElement for binary Java
-        // methods. Try to get the JavaMember from the parent class's binary class directly.
-        val parentClass = f.parentClassOrNull ?: return null
-        val binaryJavaClass = (parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass
-            ?: return null
-        val name = getFunctionShortName(f).nameInDB
-        val nParams = f.codeQlValueParameters.size
-        return if (f is IrConstructor) {
-            binaryJavaClass.constructors.find { it.valueParameters.size == nParams }
-        } else {
-            binaryJavaClass.methods.find { it.name.asString() == name && it.valueParameters.size == nParams }
-        }
-    }
     fun getJavaValueParameterType(m: JavaMember, idx: Int) =
         when (m) {
             is JavaMethod -> m.valueParameters[idx].type

java/kotlin-extractor/src/main/kotlin/TrapWriter.kt

@@ -51,13 +51,6 @@ class TrapLabelManager {
      * to avoid duplication.
      */
     val fileClassLocationsExtracted = HashSet<IrFile>()
-
-    /**
-     * Tracks external file classes (by FqName) whose location has been set from a binary path.
-     * Used to avoid writing duplicate hasLocation facts for external file class entities extracted
-     * through the K2 code path where declarations sit directly under IrExternalPackageFragment.
-     */
-    val externalFileClassLocationsExtracted = HashSet<org.jetbrains.kotlin.name.FqName>()
 }
 
 /**

java/kotlin-extractor/src/main/kotlin/utils/ClassNames.kt

@@ -17,7 +17,6 @@ import org.jetbrains.kotlin.load.kotlin.JvmPackagePartSource
 import org.jetbrains.kotlin.load.kotlin.KotlinJvmBinarySourceElement
 import org.jetbrains.kotlin.load.kotlin.VirtualFileKotlinClass
 import org.jetbrains.kotlin.name.FqName
-import org.jetbrains.kotlin.serialization.deserialization.descriptors.DeserializedContainerSource
 
 // Adapted from Kotlin's interpreter/Utils.kt function 'internalName'
 // Translates class names into their JLS section 13.1 binary name,
@@ -177,238 +176,15 @@ fun getIrDeclarationBinaryPath(d: IrDeclaration): String? {
         // This is in a file class.
         val fqName = getFileClassFqName(d)
         if (fqName != null) {
-            if (d is IrMemberWithContainerSource) {
-                val containerBinaryPath = getContainerSourceBinaryPath(d.containerSource)
-                if (containerBinaryPath != null) {
-                    return normalizeExternalFileClassBinaryPath(containerBinaryPath, fqName)
-                }
-            }
             return getUnknownBinaryLocation(fqName.asString())
         }
     }
     return null
 }
 
-/**
- * Attempts to get the binary file path from a container source (typically a
- * [JvmPackagePartSource]). Returns null if the path is unavailable.
- */
-fun getContainerSourceBinaryPath(containerSource: org.jetbrains.kotlin.serialization.deserialization.descriptors.DeserializedContainerSource?): String? {
-    if (containerSource !is JvmPackagePartSource) return null
-    val binaryClass = containerSource.knownJvmBinaryClass ?: return null
-    return when (binaryClass) {
-        is VirtualFileKotlinClass -> {
-            val vf = binaryClass.file
-            val path = vf.path
-            if (vf.fileSystem.protocol == StandardFileSystems.JRT_PROTOCOL)
-                "/${path.split("!/", limit = 2)[1]}"
-            else path
-        }
-        else -> binaryClass.location.takeIf { it.isNotEmpty() }
-    }
-}
-
 private fun getUnknownBinaryLocation(s: String): String {
     return "/!unknown-binary-location/${s.replace(".", "/")}.class"
 }
 
-fun normalizeExternalFileClassBinaryPath(path: String, fqName: FqName): String {
-    if (path.contains(".kotlinc_installed")) {
-        return getUnknownBinaryLocation(fqName.asString())
-    }
-    val normalizedPath = path.replace('\\', '/')
-    val classInternalPath = "${fqName.asString().replace(".", "/")}.class"
-    val classSuffix = "/$classInternalPath"
-    if (normalizedPath.endsWith(classSuffix)) {
-        val classpathRoot = normalizedPath.removeSuffix(classSuffix).substringAfterLast('/')
-        if (classpathRoot.isNotEmpty()) {
-            return "$classpathRoot/$classInternalPath"
-        }
-    }
-    return path
-}
-
-fun shouldUseConcreteExternalFileClassLocation(path: String): Boolean {
-    val normalizedPath = path.replace('\\', '/')
-    return normalizedPath.contains("/") &&
-        !normalizedPath.startsWith("/!unknown-binary-location/")
-}
-
 fun getJavaEquivalentClassId(c: IrClass) =
     c.fqNameWhenAvailable?.toUnsafe()?.let { JavaToKotlinClassMap.mapKotlinToJava(it) }
-
-/**
- * Checks whether a specific parameter of a Java binary method (identified by [methodName] and
- * [paramIndex]) is a reference type (as opposed to a Java primitive). This is used to detect
- * cases where K2 FIR has enhanced a reference type parameter (e.g. `@NotNull Integer`) to a
- * Kotlin primitive (e.g. `kotlin.Int`), so that callable labels can use the original reference
- * type and remain compatible with the Java extractor's callable IDs.
- *
- * Under K1, binary Java classes use [JavaSourceElement] and we can check [BinaryJavaClass.methods]
- * directly. Under K2, they use [VirtualFileBasedSourceElement] and we fall back to reading the
- * class bytes with ASM.
- *
- * Returns `null` if the information cannot be determined.
- */
-fun javaBinaryMethodParamIsClassifierType(
-    parentClass: IrClass,
-    methodName: String,
-    nParams: Int,
-    isConstructor: Boolean,
-    paramIndex: Int
-): Boolean? {
-    // K1 path: binary Java class has JavaSourceElement with a BinaryJavaClass.
-    val k1ParamKinds =
-        ((parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.let {
-            binaryJavaClass ->
-            if (isConstructor)
-                binaryJavaClass.constructors
-                    .asSequence()
-                    .filter { it.valueParameters.size == nParams }
-                    .mapNotNull { it.valueParameters.getOrNull(paramIndex)?.type }
-                    .map { it is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
-                    .toSet()
-            else
-                binaryJavaClass.methods
-                    .asSequence()
-                    .filter { it.name.asString() == methodName && it.valueParameters.size == nParams }
-                    .mapNotNull { it.valueParameters.getOrNull(paramIndex)?.type }
-                    .map { it is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
-                    .toSet()
-        }
-    if (k1ParamKinds != null && k1ParamKinds.isNotEmpty()) {
-        return k1ParamKinds.singleOrNull()
-    }
-
-    // K2 path: binary Java class has VirtualFileBasedSourceElement
-    if (parentClass.source !is VirtualFileBasedSourceElement) return null
-    val vf = (parentClass.source as VirtualFileBasedSourceElement).virtualFile
-    if (!vf.name.endsWith(".class")) return null
-
-    return try {
-        val bytes = vf.contentsToByteArray()
-        val expectedMethodName = if (isConstructor) "<init>" else methodName
-        val descriptorKinds = mutableSetOf<Boolean>()
-        val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
-        reader.accept(
-            object : org.jetbrains.org.objectweb.asm.ClassVisitor(
-                org.jetbrains.org.objectweb.asm.Opcodes.ASM9
-            ) {
-                override fun visitMethod(
-                    access: Int,
-                    name: String,
-                    descriptor: String,
-                    signature: String?,
-                    exceptions: Array<String>?
-                ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
-                    if (name != expectedMethodName) return null
-                    val paramDescriptors = parseAsmMethodDescriptorParams(descriptor)
-                    if (paramDescriptors.size != nParams) return null
-                    val paramDesc = paramDescriptors.getOrNull(paramIndex) ?: return null
-                    // Reference types start with 'L' or '['; Java primitives are single chars
-                    descriptorKinds.add(paramDesc.startsWith("L") || paramDesc.startsWith("["))
-                    return null
-                }
-            },
-            org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
-                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
-                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
-        )
-        descriptorKinds.singleOrNull()
-    } catch (e: Exception) {
-        null
-    }
-}
-
-/**
- * Checks whether the return type of a Java binary method (identified by [methodName] and
- * [nParams]) is a reference type (as opposed to a Java primitive).
- *
- * Returns `null` if the information cannot be determined.
- */
-fun javaBinaryMethodReturnIsClassifierType(
-    parentClass: IrClass,
-    methodName: String,
-    nParams: Int,
-    isConstructor: Boolean
-): Boolean? {
-    if (isConstructor) return false
-
-    // K1 path: binary Java class has JavaSourceElement with a BinaryJavaClass.
-    val k1ReturnKinds =
-        ((parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.methods
-            ?.asSequence()
-            ?.filter { it.name.asString() == methodName && it.valueParameters.size == nParams }
-            ?.map { it.returnType is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
-            ?.toSet()
-    if (k1ReturnKinds != null && k1ReturnKinds.isNotEmpty()) {
-        return k1ReturnKinds.singleOrNull()
-    }
-
-    // K2 path: binary Java class has VirtualFileBasedSourceElement
-    if (parentClass.source !is VirtualFileBasedSourceElement) return null
-    val vf = (parentClass.source as VirtualFileBasedSourceElement).virtualFile
-    if (!vf.name.endsWith(".class")) return null
-
-    return try {
-        val bytes = vf.contentsToByteArray()
-        val returnKinds = mutableSetOf<Boolean>()
-        val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
-        reader.accept(
-            object : org.jetbrains.org.objectweb.asm.ClassVisitor(
-                org.jetbrains.org.objectweb.asm.Opcodes.ASM9
-            ) {
-                override fun visitMethod(
-                    access: Int,
-                    name: String,
-                    descriptor: String,
-                    signature: String?,
-                    exceptions: Array<String>?
-                ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
-                    if (name != methodName) return null
-                    if (parseAsmMethodDescriptorParams(descriptor).size != nParams) return null
-                    val returnDescriptor = descriptor.substring(descriptor.lastIndexOf(')') + 1)
-                    returnKinds.add(
-                        returnDescriptor.startsWith("L") || returnDescriptor.startsWith("[")
-                    )
-                    return null
-                }
-            },
-            org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
-                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
-                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
-        )
-        returnKinds.singleOrNull()
-    } catch (e: Exception) {
-        null
-    }
-}
-
-fun parseAsmMethodDescriptorParams(descriptor: String): List<String> {
-    val params = mutableListOf<String>()
-    var i = descriptor.indexOf('(') + 1
-    val end = descriptor.lastIndexOf(')')
-    while (i < end) {
-        when (val c = descriptor[i]) {
-            'L' -> {
-                val semi = descriptor.indexOf(';', i)
-                params.add(descriptor.substring(i, semi + 1))
-                i = semi + 1
-            }
-            '[' -> {
-                var j = i + 1
-                while (j < end && descriptor[j] == '[') j++
-                if (descriptor[j] == 'L') {
-                    val semi = descriptor.indexOf(';', j)
-                    params.add(descriptor.substring(i, semi + 1))
-                    i = semi + 1
-                } else {
-                    params.add(descriptor.substring(i, j + 1))
-                    i = j + 1
-                }
-            }
-            else -> { params.add(c.toString()); i++ }
-        }
-    }
-    return params
-}

java/ql/integration-tests/java/android-8-sample/settings.gradle

@@ -14,9 +14,7 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
     }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-kotlin-build-script-no-wrapper/settings.gradle.kts

@@ -14,9 +14,7 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        mavenCentral()
     }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        mavenCentral()
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-kotlin-build-script/settings.gradle.kts

@@ -14,9 +14,7 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        mavenCentral()
     }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        mavenCentral()
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-no-wrapper/settings.gradle

@@ -14,9 +14,7 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
     }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script-no-wrapper/build.gradle.kts

@@ -13,9 +13,7 @@ buildscript {
 
     repositories {
         google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        jcenter()
     }
 
     /**
@@ -41,8 +39,6 @@ buildscript {
 allprojects {
     repositories {
         google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        jcenter()
     }
 }

java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script/build.gradle.kts

@@ -13,9 +13,7 @@ buildscript {
 
     repositories {
         google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        jcenter()
     }
 
     /**
@@ -41,8 +39,6 @@ buildscript {
 allprojects {
     repositories {
         google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        jcenter()
     }
 }

java/ql/integration-tests/java/android-sample-old-style-no-wrapper/build.gradle

@@ -13,9 +13,7 @@ buildscript {
 
     repositories {
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        jcenter()
     }
 
     /**
@@ -41,8 +39,6 @@ buildscript {
 allprojects {
     repositories {
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        jcenter()
     }
 }

java/ql/integration-tests/java/android-sample-old-style/build.gradle

@@ -13,9 +13,7 @@ buildscript {
 
     repositories {
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        jcenter()
     }
 
     /**
@@ -34,15 +32,13 @@ buildscript {
  * dependencies used by all modules in your project, such as third-party plugins
  * or libraries. However, you should configure module-specific dependencies in
  * each module-level build.gradle file. For new projects, Android Studio
- * includes Maven Central and Google's Maven repository by default, but it does not
+ * includes JCenter and Google's Maven repository by default, but it does not
  * configure any dependencies (unless you select a template that requires some).
  */
 
 allprojects {
     repositories {
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        jcenter()
     }
 }

java/ql/integration-tests/java/android-sample/settings.gradle

@@ -14,9 +14,7 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
     }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/buildless-gradle-boms/build.gradle

@@ -8,9 +8,7 @@
 apply plugin: 'java-library'
 
 repositories {
-  maven {
-    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-  }
+  mavenCentral()
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected

@@ -1,5 +1,5 @@
-https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
+https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
+https://repo.maven.apache.org/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
+https://repo.maven.apache.org/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar

java/ql/integration-tests/java/buildless-gradle-classifiers/build.gradle

@@ -8,9 +8,7 @@
 apply plugin: 'java-library'
 
 repositories {
-  maven {
-    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-  }
+  mavenCentral()
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle-classifiers/buildless-fetches.expected

@@ -1,2 +1,2 @@
-https://maven-central.storage-download.googleapis.com/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-gradle-timeout/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-gradle/build.gradle

@@ -8,9 +8,7 @@
 apply plugin: 'java-library'
 
 repositories {
-  maven {
-    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-  }
+  mavenCentral()
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle/buildless-fetches.expected

@@ -1 +1 @@
-https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-proxy-gradle/build.gradle

@@ -8,9 +8,7 @@
 apply plugin: 'java-library'
 
 repositories {
-  maven {
-    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-  }
+  mavenCentral()
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-proxy-gradle/buildless-fetches.expected

@@ -1 +1 @@
-https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-sibling-projects/buildless-fetches.expected

@@ -1,7 +1,3 @@
-https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
-https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.12/junit-4.12.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/slf4j/slf4j-api/1.7.21/slf4j-api-1.7.21.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -13,7 +9,10 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
+https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
+https://repo.maven.apache.org/maven2/junit/junit/4.12/junit-4.12.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
+https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-sibling-projects/diagnostics.expected

@@ -98,7 +98,7 @@
   }
 }
 {
-  "markdownMessage": "Reading the dependency graph from build files provided 4 classpath entries",
+  "markdownMessage": "Reading the dependency graph from build files provided 3 classpath entries",
   "severity": "unknown",
   "source": {
     "extractorName": "java",
@@ -111,3 +111,31 @@
     "telemetry": true
   }
 }
+{
+  "markdownMessage": "Running the Gradle plugin `org.gradle:github-dependency-graph-gradle-plugin` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/github-dependency-graph-gradle-plugin-failed",
+    "name": "Java analysis failed to extract a dependency graph from Gradle"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Running the Gradle plugin `org.gradle:github-dependency-graph-gradle-plugin` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/github-dependency-graph-gradle-plugin-failed",
+    "name": "Java analysis failed to extract a dependency graph from Gradle"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}

java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample2/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-sibling-projects/settings.xml

@@ -1,10 +0,0 @@
-<settings>
-  <mirrors>
-    <mirror>
-      <id>google-maven-central</id>
-      <name>GCS Maven Central mirror</name>
-      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
-      <mirrorOf>central</mirrorOf>
-    </mirror>
-  </mirrors>
-</settings>

java/ql/integration-tests/java/buildless-sibling-projects/source_archive.expected

@@ -26,5 +26,4 @@ maven-project-2/src/main/resources/my-app.properties
 maven-project-2/src/main/resources/page.xml
 maven-project-2/src/main/resources/struts.xml
 maven-project-2/src/test/java/com/example/AppTest4.java
-settings.xml
 test-db/working/settings.xml

java/ql/integration-tests/java/buildless-sibling-projects/test.py

@@ -1,5 +1,3 @@
-import os
-
 def test(codeql, use_java_11, java, actions_toolchains_file, check_diagnostics_java):
     # The version of gradle used doesn't work on java 17
     codeql.database.create(
@@ -7,6 +5,5 @@ def test(codeql, use_java_11, java, actions_toolchains_file, check_diagnostics_j
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
             "LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file),
-            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
         }
     )

java/ql/integration-tests/java/diagnostics/android-gradle-incompatibility/settings.gradle

@@ -14,9 +14,7 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
     }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/diagnostics/java-version-too-old/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/diagnostics/no-gradle-wrapper/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/gradle-sample-kotlin-script/app/build.gradle.kts

@@ -12,9 +12,8 @@ plugins {
 }
 
 repositories {
-    maven {
-        url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-    }
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
 }
 
 dependencies {

java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/partial-gradle-sample-without-gradle/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/partial-gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/spring-boot-sample/build.gradle

@@ -11,9 +11,7 @@ version = '0.0.1-SNAPSHOT'
 // but I omit it to test we recognise the Spring Boot plugin version.
 
 repositories {
-	maven {
-		url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-	}
+	mavenCentral()
 }
 
 dependencies {

java/ql/integration-tests/kotlin/all-platforms/compiler_arguments/app/build.gradle

@@ -15,9 +15,8 @@ plugins {
 }
 
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
 }
 
 application {

java/ql/integration-tests/kotlin/all-platforms/enhanced-nullability/test.py

@@ -1,11 +1,11 @@
 import pathlib
 
 
-def test(codeql, java_full):
+def test(codeql, java_full, kotlinc_2_3_20):
     java_srcs = " ".join([str(s) for s in pathlib.Path().glob("*.java")])
     codeql.database.create(
         command=[
             f"javac {java_srcs} -d build",
-            "kotlinc -language-version 2.0 user.kt -cp build",
+            "kotlinc -language-version 1.9 user.kt -cp build",
         ]
     )

java/ql/integration-tests/kotlin/all-platforms/external-property-overloads/test.py

@@ -1,6 +1,6 @@
 import commands
 
 
-def test(codeql, java_full):
-    commands.run("kotlinc -language-version 2.0 test.kt -d lib")
-    codeql.database.create(command="kotlinc -language-version 2.0 user.kt -cp lib")
+def test(codeql, java_full, kotlinc_2_3_20):
+    commands.run("kotlinc -language-version 1.9 test.kt -d lib")
+    codeql.database.create(command="kotlinc -language-version 1.9 user.kt -cp lib")

java/ql/integration-tests/kotlin/all-platforms/extractor_information_kotlin1/ExtractorInformation.expected

@@ -9,4 +9,4 @@
 | Percentage of calls with call target | 100 |
 | Total number of lines | 3 |
 | Total number of lines with extension kt | 3 |
-| Uses Kotlin 2: true | 1 |
+| Uses Kotlin 2: false | 1 |

java/ql/integration-tests/kotlin/all-platforms/extractor_information_kotlin1/test.py

@@ -1,2 +1,2 @@
-def test(codeql, java_full):
-    codeql.database.create(command="kotlinc -J-Xmx2G -language-version 2.0 SomeClass.kt")
+def test(codeql, java_full, kotlinc_2_3_20):
+    codeql.database.create(command=f"kotlinc -J-Xmx2G -language-version 1.9 SomeClass.kt")

java/ql/integration-tests/kotlin/all-platforms/file_classes/test.py

@@ -1,6 +1,6 @@
 import commands
 
 
-def test(codeql, java_full):
-    commands.run("kotlinc -language-version 2.0 A.kt")
-    codeql.database.create(command="kotlinc -cp . -language-version 2.0 B.kt C.kt")
+def test(codeql, java_full, kotlinc_2_3_20):
+    commands.run("kotlinc -language-version 1.9 A.kt")
+    codeql.database.create(command="kotlinc -cp . -language-version 1.9 B.kt C.kt")

java/ql/integration-tests/kotlin/all-platforms/gradle_groovy_app/app/build.gradle

@@ -15,9 +15,8 @@ plugins {
 }
 
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
 }
 
 application {

java/ql/integration-tests/kotlin/all-platforms/gradle_kotlinx_serialization/app/build.gradle

@@ -4,9 +4,7 @@ plugins {
 }
 
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    mavenCentral()
 }
 
 dependencies {

java/ql/integration-tests/kotlin/all-platforms/java-interface-redeclares-tostring/test.py

@@ -1,6 +1,6 @@
 import commands
 
 
-def test(codeql, java_full):
+def test(codeql, java_full, kotlinc_2_3_20):
     commands.run(["javac", "Test.java", "-d", "bin"])
-    codeql.database.create(command="kotlinc -language-version 2.0 user.kt -cp bin")
+    codeql.database.create(command="kotlinc -language-version 1.9 user.kt -cp bin")

java/ql/integration-tests/kotlin/all-platforms/kotlin_java_lowering_wildcards/test.py

@@ -1,13 +1,13 @@
 import commands
 
 
-def test(codeql, java_full):
+def test(codeql, java_full, kotlinc_2_3_20):
     # Compile the JavaDefns2 copy outside tracing, to make sure the Kotlin view of it matches the Java view seen by the traced javac compilation of JavaDefns.java below.
     commands.run(["javac", "JavaDefns2.java"])
     codeql.database.create(
         command=[
             "kotlinc kotlindefns.kt",
             "javac JavaUser.java JavaDefns.java -cp .",
-            "kotlinc -language-version 2.0 -cp . kotlinuser.kt",
+            "kotlinc -language-version 1.9 -cp . kotlinuser.kt",
         ]
     )

java/ql/integration-tests/kotlin/all-platforms/kotlin_kfunction/app/build.gradle

@@ -15,9 +15,8 @@ plugins {
 }
 
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
 }
 
 application {

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.2.1-dev
+version: 9.2.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.6-dev
+version: 1.11.5
 groups:
   - java
   - queries

javascript/ql/lib/change-notes/2026-06-22-angular-hostlistener-postmessage.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for Angular's `@HostListener('window:message', ...)` and `@HostListener('document:message', ...)` decorators as `postMessage` event handlers. The decorated method's event parameter is now recognized as a client-side remote flow source, and is considered by the `js/missing-origin-check` query.

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.8.1-dev
+version: 2.8.0
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll

@@ -195,18 +195,6 @@ class PostMessageEventHandler extends Function {
       rhs = DataFlow::globalObjectRef().getAPropertyWrite("onmessage").getRhs() and
       rhs.getABoundFunctionValue(paramIndex).getFunction() = this
     )
-    or
-    // Angular's `@HostListener('window:message', ['$event'])` decorator registers
-    // a method as a `message` event handler on the global `window` or `document`
-    // target.  The decorated method receives the `MessageEvent` as its first
-    // parameter, so it is equivalent to `window.addEventListener('message', ...)`.
-    exists(MethodDefinition method, DataFlow::CallNode decorator |
-      decorator = DataFlow::moduleMember("@angular/core", "HostListener").getACall() and
-      decorator = method.getADecorator().getExpression().flow() and
-      decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message"]) and
-      method.getBody() = this and
-      paramIndex = 0
-    )
   }
 
   /**

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.4.1-dev
+version: 2.4.0
 groups:
   - javascript
   - queries

javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/Angular.ts

@@ -1,29 +0,0 @@
-import { Component, HostListener } from '@angular/core';
-
-@Component({ selector: 'app-root' })
-class AngularComponent {
-  // Angular registers this as a `window` message handler via the decorator,
-  // equivalent to `window.addEventListener('message', ...)`.
-  @HostListener('window:message', ['$event'])
-  onWindowMessage(event: MessageEvent): void { // $ Alert - no origin check
-    eval(event.data);
-  }
-
-  @HostListener('document:message', ['$event'])
-  onDocumentMessage(event: MessageEvent): void { // $ Alert - no origin check
-    eval(event.data);
-  }
-
-  @HostListener('window:message', ['$event'])
-  onCheckedMessage(event: MessageEvent): void { // OK - has an origin check
-    if (event.origin === 'https://www.example.com') {
-      eval(event.data);
-    }
-  }
-
-  // Not a message event, so it is not a postMessage handler.
-  @HostListener('window:resize', ['$event'])
-  onResize(event: MessageEvent): void { // OK - not a message handler
-    eval(event.data);
-  }
-}

javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/MissingOriginCheck.expected

@@ -1,5 +1,3 @@
-| Angular.ts:8:19:8:23 | event | Postmessage handler has no origin check. |
-| Angular.ts:13:21:13:25 | event | Postmessage handler has no origin check. |
 | tst.js:11:20:11:24 | event | Postmessage handler has no origin check. |
 | tst.js:24:27:24:27 | e | Postmessage handler has no origin check. |
 | tst.js:40:27:40:27 | e | Postmessage handler has no origin check. |

misc/suite-helpers/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.53-dev
+version: 1.0.52
 groups: shared
 warnOnImplicitThis: true

python/ql/lib/change-notes/2026-05-19-flask-subclasses.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* `Flask::FlaskApp::instance()` will now also return instances of subclasses defined in the source tree. Previously, these were filtered out. `Flask::FlaskApp::classRef()` has been deprecated in favor of `Flask::FlaskApp::subclassRef()` since it already returned some subclasses.

python/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.2.1-dev
+version: 7.2.0
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -71,21 +71,14 @@ module Flask {
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.
    */
   module FlaskApp {
-    /**
-     * Gets a reference to the `flask.Flask` class or any subclass.
-     *
-     * Deprecated: Use `subclassRef()` instead, this predicate always returned some subclasses.
-     */
-    deprecated API::Node classRef() { result = subclassRef() }
-
-    /** Gets a reference to the `flask.Flask` class or any subclass. */
-    API::Node subclassRef() {
-      result = API::moduleImport("flask").getMember("Flask").getASubclass*() or
+    /** Gets a reference to the `flask.Flask` class. */
+    API::Node classRef() {
+      result = API::moduleImport("flask").getMember("Flask") or
       result = ModelOutput::getATypeNode("flask.Flask~Subclass").getASubclass*()
     }
 
     /** Gets a reference to an instance of `flask.Flask` (a flask application). */
-    API::Node instance() { result = subclassRef().getReturn() }
+    API::Node instance() { result = classRef().getReturn() }
   }
 
   /**
@@ -139,7 +132,7 @@ module Flask {
     API::Node classRef() {
       result = API::moduleImport("flask").getMember("Response")
       or
-      result = [FlaskApp::subclassRef(), FlaskApp::instance()].getMember("response_class")
+      result = [FlaskApp::classRef(), FlaskApp::instance()].getMember("response_class")
       or
       result = ModelOutput::getATypeNode("flask.Response~Subclass").getASubclass*()
     }

python/ql/src/meta/ClassHierarchy/Find.ql

@@ -351,7 +351,7 @@ class DjangoHttpRequest extends FindSubclassesSpec {
 class FlaskClass extends FindSubclassesSpec {
   FlaskClass() { this = "flask.Flask~Subclass" }
 
-  override API::Node getAlreadyModeledClass() { result = Flask::FlaskApp::subclassRef() }
+  override API::Node getAlreadyModeledClass() { result = Flask::FlaskApp::classRef() }
 }
 
 class FlaskBlueprint extends FindSubclassesSpec {

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.8.6-dev
+version: 1.8.5
 groups:
   - python
   - queries

python/ql/test/experimental/meta/InlineInstanceTest.qll

@@ -1,29 +0,0 @@
-/**
- * Defines an InlineExpectationsTest for class instances, that is,
- * for any API::Node that is an instance of a class (e.g. `Flask`).
- */
-
-import python
-import semmle.python.ApiGraphs
-import utils.test.InlineExpectationsTest
-private import semmle.python.dataflow.new.internal.PrintNode
-
-signature API::Node getInstanceSig();
-
-module MakeInlineInstanceTest<getInstanceSig/0 getInstance> {
-  private module InlineInstanceTest implements TestSig {
-    string getARelevantTag() { result = "instance" }
-
-    predicate hasActualResult(Location location, string element, string tag, string value) {
-      exists(location.getFile().getRelativePath()) and
-      exists(API::Node instance | instance = getInstance() |
-        location = instance.getLocation() and
-        element = prettyNode(instance.asSource()) and
-        value = "" and
-        tag = "instance"
-      )
-    }
-  }
-
-  import MakeTest<InlineInstanceTest>
-}

python/ql/test/library-tests/frameworks/flask/InlineInstanceTest.ql

@@ -1,8 +0,0 @@
-import python
-import semmle.python.frameworks.Flask
-import semmle.python.ApiGraphs
-import experimental.meta.InlineInstanceTest
-
-API::Node getInstance() { result = Flask::FlaskApp::instance() }
-
-import MakeInlineInstanceTest<getInstance/0>

python/ql/test/library-tests/frameworks/flask/flask_subclass.py

@@ -1,14 +0,0 @@
-from flask import Flask
-
-
-class Sub(Flask):
-    def __init__(self, *args, **kwargs):
-        Flask.__init__(self, *args, **kwargs)
-
-
-app = Sub(__name__) # $ instance
-
-
-@app.route("/") # $ routeSetup="/"
-def hello(): # $ requestHandler
-    return "world" # $ HttpResponse

python/ql/test/library-tests/frameworks/flask/old_test.py

@@ -1,7 +1,7 @@
 import flask
 
 from flask import Flask, request, make_response
-app = Flask(__name__) # $ instance
+app = Flask(__name__)
 
 @app.route("/")  # $ routeSetup="/"
 def hello_world():  # $ requestHandler

python/ql/test/library-tests/frameworks/flask/response_test.py

@@ -3,7 +3,7 @@ import json
 from flask import Flask, make_response, jsonify, Response, request, redirect
 from werkzeug.datastructures import Headers
 
-app = Flask(__name__) # $ instance
+app = Flask(__name__)
 
 
 @app.route("/html1")  # $ routeSetup="/html1"

python/ql/test/library-tests/frameworks/flask/routing_test.py

@@ -1,7 +1,7 @@
 import flask
 
 from flask import Flask, make_response
-app = Flask(__name__) # $ instance
+app = Flask(__name__)
 
 
 SOME_ROUTE = "/some/route"

python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py

@@ -1,5 +1,5 @@
 from flask import Flask, request
-app = Flask(__name__) # $ instance
+app = Flask(__name__)
 
 @app.route("/save-uploaded-file")  # $ routeSetup="/save-uploaded-file"
 def test_taint():  # $ requestHandler

python/ql/test/library-tests/frameworks/flask/taint_test.py

@@ -1,5 +1,5 @@
 from flask import Flask, request, render_template_string, stream_template_string
-app = Flask(__name__) # $ instance
+app = Flask(__name__)
 
 @app.route("/test_taint/<name>/<int:number>")  # $ routeSetup="/test_taint/<name>/<int:number>"
 def test_taint(name = "World!", number="0", foo="foo"):  # $ requestHandler routedParameter=name routedParameter=number

python/ql/test/library-tests/frameworks/flask/template_test.py

@@ -1,5 +1,5 @@
 from flask import Flask, Response, stream_with_context, render_template_string, stream_template_string
-app = Flask(__name__) # $ instance
+app = Flask(__name__)
 
 @app.route("/a")  # $ routeSetup="/a"
 def a():  # $ requestHandler

ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll

@@ -1312,244 +1312,6 @@ module QL {
     /** Gets a field or child node of this node. */
     final override AstNode getAFieldOrChild() { ql_variable_def(this, result) }
   }
-
-  /** Provides predicates for mapping AST nodes to their named children. */
-  module PrintAst {
-    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
-    AstNode getChild(AstNode node, string name, int i) {
-      result = node.(AddExpr).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(AddExpr).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(AddExpr).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Aggregate).getChild(i) and name = "getChild"
-      or
-      result = node.(AnnotArg).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Annotation).getArgs(i) and name = "getArgs"
-      or
-      result = node.(Annotation).getName() and i = -1 and name = "getName"
-      or
-      result = node.(AritylessPredicateExpr).getName() and i = -1 and name = "getName"
-      or
-      result = node.(AritylessPredicateExpr).getQualifier() and i = -1 and name = "getQualifier"
-      or
-      result = node.(AsExpr).getChild(i) and name = "getChild"
-      or
-      result = node.(AsExprs).getChild(i) and name = "getChild"
-      or
-      result = node.(Body).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Bool).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(CallBody).getChild(i) and name = "getChild"
-      or
-      result = node.(CallOrUnqualAggExpr).getChild(i) and name = "getChild"
-      or
-      result = node.(Charpred).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(Charpred).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(ClassMember).getChild(i) and name = "getChild"
-      or
-      result = node.(ClasslessPredicate).getName() and i = -1 and name = "getName"
-      or
-      result = node.(ClasslessPredicate).getReturnType() and i = -1 and name = "getReturnType"
-      or
-      result = node.(ClasslessPredicate).getChild(i) and name = "getChild"
-      or
-      result = node.(CompTerm).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(CompTerm).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(CompTerm).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Conjunction).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(Conjunction).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(Dataclass).getExtends(i) and name = "getExtends"
-      or
-      result = node.(Dataclass).getInstanceof(i) and name = "getInstanceof"
-      or
-      result = node.(Dataclass).getName() and i = -1 and name = "getName"
-      or
-      result = node.(Dataclass).getChild(i) and name = "getChild"
-      or
-      result = node.(Datatype).getName() and i = -1 and name = "getName"
-      or
-      result = node.(Datatype).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(DatatypeBranch).getName() and i = -1 and name = "getName"
-      or
-      result = node.(DatatypeBranch).getChild(i) and name = "getChild"
-      or
-      result = node.(DatatypeBranches).getChild(i) and name = "getChild"
-      or
-      result = node.(Disjunction).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(Disjunction).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(ExprAggregateBody).getAsExprs() and i = -1 and name = "getAsExprs"
-      or
-      result = node.(ExprAggregateBody).getOrderBys() and i = -1 and name = "getOrderBys"
-      or
-      result = node.(ExprAnnotation).getAnnotArg() and i = -1 and name = "getAnnotArg"
-      or
-      result = node.(ExprAnnotation).getName() and i = -1 and name = "getName"
-      or
-      result = node.(ExprAnnotation).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Field).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(FullAggregateBody).getAsExprs() and i = -1 and name = "getAsExprs"
-      or
-      result = node.(FullAggregateBody).getGuard() and i = -1 and name = "getGuard"
-      or
-      result = node.(FullAggregateBody).getOrderBys() and i = -1 and name = "getOrderBys"
-      or
-      result = node.(FullAggregateBody).getChild(i) and name = "getChild"
-      or
-      result = node.(HigherOrderTerm).getName() and i = -1 and name = "getName"
-      or
-      result = node.(HigherOrderTerm).getChild(i) and name = "getChild"
-      or
-      result = node.(IfTerm).getCond() and i = -1 and name = "getCond"
-      or
-      result = node.(IfTerm).getFirst() and i = -1 and name = "getFirst"
-      or
-      result = node.(IfTerm).getSecond() and i = -1 and name = "getSecond"
-      or
-      result = node.(Implication).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(Implication).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(ImportDirective).getChild(i) and name = "getChild"
-      or
-      result = node.(ImportModuleExpr).getQualName(i) and name = "getQualName"
-      or
-      result = node.(ImportModuleExpr).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(InExpr).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(InExpr).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(InstanceOf).getChild(i) and name = "getChild"
-      or
-      result = node.(Literal).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(MemberPredicate).getName() and i = -1 and name = "getName"
-      or
-      result = node.(MemberPredicate).getReturnType() and i = -1 and name = "getReturnType"
-      or
-      result = node.(MemberPredicate).getChild(i) and name = "getChild"
-      or
-      result = node.(Module).getImplements(i) and name = "getImplements"
-      or
-      result = node.(Module).getName() and i = -1 and name = "getName"
-      or
-      result = node.(Module).getParameter(i) and name = "getParameter"
-      or
-      result = node.(Module).getChild(i) and name = "getChild"
-      or
-      result = node.(ModuleAliasBody).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(ModuleExpr).getName() and i = -1 and name = "getName"
-      or
-      result = node.(ModuleExpr).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(ModuleInstantiation).getName() and i = -1 and name = "getName"
-      or
-      result = node.(ModuleInstantiation).getChild(i) and name = "getChild"
-      or
-      result = node.(ModuleMember).getChild(i) and name = "getChild"
-      or
-      result = node.(ModuleName).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(ModuleParam).getParameter() and i = -1 and name = "getParameter"
-      or
-      result = node.(ModuleParam).getSignature() and i = -1 and name = "getSignature"
-      or
-      result = node.(MulExpr).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(MulExpr).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(MulExpr).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Negation).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(OrderBy).getChild(i) and name = "getChild"
-      or
-      result = node.(OrderBys).getChild(i) and name = "getChild"
-      or
-      result = node.(ParExpr).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(PredicateAliasBody).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(PredicateExpr).getChild(i) and name = "getChild"
-      or
-      result = node.(PrefixCast).getChild(i) and name = "getChild"
-      or
-      result = node.(Ql).getChild(i) and name = "getChild"
-      or
-      result = node.(QualifiedRhs).getName() and i = -1 and name = "getName"
-      or
-      result = node.(QualifiedRhs).getChild(i) and name = "getChild"
-      or
-      result = node.(QualifiedExpr).getChild(i) and name = "getChild"
-      or
-      result = node.(Quantified).getExpr() and i = -1 and name = "getExpr"
-      or
-      result = node.(Quantified).getFormula() and i = -1 and name = "getFormula"
-      or
-      result = node.(Quantified).getRange() and i = -1 and name = "getRange"
-      or
-      result = node.(Quantified).getChild(i) and name = "getChild"
-      or
-      result = node.(Range).getLower() and i = -1 and name = "getLower"
-      or
-      result = node.(Range).getUpper() and i = -1 and name = "getUpper"
-      or
-      result = node.(Select).getChild(i) and name = "getChild"
-      or
-      result = node.(SetLiteral).getChild(i) and name = "getChild"
-      or
-      result = node.(SignatureExpr).getModExpr() and i = -1 and name = "getModExpr"
-      or
-      result = node.(SignatureExpr).getPredicate() and i = -1 and name = "getPredicate"
-      or
-      result = node.(SignatureExpr).getTypeExpr() and i = -1 and name = "getTypeExpr"
-      or
-      result = node.(SpecialCall).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(SuperRef).getChild(i) and name = "getChild"
-      or
-      result = node.(TypeAliasBody).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(TypeExpr).getName() and i = -1 and name = "getName"
-      or
-      result = node.(TypeExpr).getQualifier() and i = -1 and name = "getQualifier"
-      or
-      result = node.(TypeExpr).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(TypeUnionBody).getChild(i) and name = "getChild"
-      or
-      result = node.(UnaryExpr).getChild(i) and name = "getChild"
-      or
-      result = node.(UnqualAggBody).getAsExprs(i) and name = "getAsExprs"
-      or
-      result = node.(UnqualAggBody).getGuard() and i = -1 and name = "getGuard"
-      or
-      result = node.(UnqualAggBody).getChild(i) and name = "getChild"
-      or
-      result = node.(VarDecl).getChild(i) and name = "getChild"
-      or
-      result = node.(VarName).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Variable).getChild() and i = -1 and name = "getChild"
-    }
-  }
 }
 
 overlay[local]
@@ -1907,60 +1669,6 @@ module Dbscheme {
     /** Gets the name of the primary QL class for this element. */
     final override string getAPrimaryQlClass() { result = "Varchar" }
   }
-
-  /** Provides predicates for mapping AST nodes to their named children. */
-  module PrintAst {
-    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
-    AstNode getChild(AstNode node, string name, int i) {
-      result = node.(Annotation).getArgsAnnotation() and i = -1 and name = "getArgsAnnotation"
-      or
-      result = node.(Annotation).getSimpleAnnotation() and i = -1 and name = "getSimpleAnnotation"
-      or
-      result = node.(ArgsAnnotation).getName() and i = -1 and name = "getName"
-      or
-      result = node.(ArgsAnnotation).getChild(i) and name = "getChild"
-      or
-      result = node.(Branch).getQldoc() and i = -1 and name = "getQldoc"
-      or
-      result = node.(Branch).getChild(i) and name = "getChild"
-      or
-      result = node.(CaseDecl).getBase() and i = -1 and name = "getBase"
-      or
-      result = node.(CaseDecl).getDiscriminator() and i = -1 and name = "getDiscriminator"
-      or
-      result = node.(CaseDecl).getChild(i) and name = "getChild"
-      or
-      result = node.(ColType).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Column).getColName() and i = -1 and name = "getColName"
-      or
-      result = node.(Column).getColType() and i = -1 and name = "getColType"
-      or
-      result = node.(Column).getIsRef() and i = -1 and name = "getIsRef"
-      or
-      result = node.(Column).getIsUnique() and i = -1 and name = "getIsUnique"
-      or
-      result = node.(Column).getQldoc() and i = -1 and name = "getQldoc"
-      or
-      result = node.(Column).getReprType() and i = -1 and name = "getReprType"
-      or
-      result = node.(Dbscheme).getChild(i) and name = "getChild"
-      or
-      result = node.(Entry).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(ReprType).getChild(i) and name = "getChild"
-      or
-      result = node.(Table).getTableName() and i = -1 and name = "getTableName"
-      or
-      result = node.(Table).getChild(i) and name = "getChild"
-      or
-      result = node.(TableName).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(UnionDecl).getBase() and i = -1 and name = "getBase"
-      or
-      result = node.(UnionDecl).getChild(i) and name = "getChild"
-    }
-  }
 }
 
 overlay[local]
@@ -2095,24 +1803,6 @@ module Blame {
     /** Gets the name of the primary QL class for this element. */
     final override string getAPrimaryQlClass() { result = "Number" }
   }
-
-  /** Provides predicates for mapping AST nodes to their named children. */
-  module PrintAst {
-    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
-    AstNode getChild(AstNode node, string name, int i) {
-      result = node.(BlameEntry).getDate() and i = -1 and name = "getDate"
-      or
-      result = node.(BlameEntry).getLine(i) and name = "getLine"
-      or
-      result = node.(BlameInfo).getFileEntry(i) and name = "getFileEntry"
-      or
-      result = node.(BlameInfo).getToday() and i = -1 and name = "getToday"
-      or
-      result = node.(FileEntry).getBlameEntry(i) and name = "getBlameEntry"
-      or
-      result = node.(FileEntry).getFileName() and i = -1 and name = "getFileName"
-    }
-  }
 }
 
 overlay[local]
@@ -2287,22 +1977,4 @@ module JSON {
     /** Gets the name of the primary QL class for this element. */
     final override string getAPrimaryQlClass() { result = "True" }
   }
-
-  /** Provides predicates for mapping AST nodes to their named children. */
-  module PrintAst {
-    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
-    AstNode getChild(AstNode node, string name, int i) {
-      result = node.(Array).getChild(i) and name = "getChild"
-      or
-      result = node.(Document).getChild(i) and name = "getChild"
-      or
-      result = node.(Object).getChild(i) and name = "getChild"
-      or
-      result = node.(Pair).getKey() and i = -1 and name = "getKey"
-      or
-      result = node.(Pair).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(String).getChild(i) and name = "getChild"
-    }
-  }
 }

ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll

@@ -1964,340 +1964,6 @@ module Ruby {
     /** Gets a field or child node of this node. */
     final override AstNode getAFieldOrChild() { ruby_yield_child(this, result) }
   }
-
-  /** Provides predicates for mapping AST nodes to their named children. */
-  module PrintAst {
-    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
-    AstNode getChild(AstNode node, string name, int i) {
-      result = node.(Alias).getAlias() and i = -1 and name = "getAlias"
-      or
-      result = node.(Alias).getName() and i = -1 and name = "getName"
-      or
-      result = node.(AlternativePattern).getAlternatives(i) and name = "getAlternatives"
-      or
-      result = node.(ArgumentList).getChild(i) and name = "getChild"
-      or
-      result = node.(Array).getChild(i) and name = "getChild"
-      or
-      result = node.(ArrayPattern).getClass() and i = -1 and name = "getClass"
-      or
-      result = node.(ArrayPattern).getChild(i) and name = "getChild"
-      or
-      result = node.(AsPattern).getName() and i = -1 and name = "getName"
-      or
-      result = node.(AsPattern).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(Assignment).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(Assignment).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(BareString).getChild(i) and name = "getChild"
-      or
-      result = node.(BareSymbol).getChild(i) and name = "getChild"
-      or
-      result = node.(Begin).getChild(i) and name = "getChild"
-      or
-      result = node.(BeginBlock).getChild(i) and name = "getChild"
-      or
-      result = node.(Binary).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(Binary).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(Block).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(Block).getParameters() and i = -1 and name = "getParameters"
-      or
-      result = node.(BlockArgument).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(BlockBody).getChild(i) and name = "getChild"
-      or
-      result = node.(BlockParameter).getName() and i = -1 and name = "getName"
-      or
-      result = node.(BlockParameters).getLocals(i) and name = "getLocals"
-      or
-      result = node.(BlockParameters).getChild(i) and name = "getChild"
-      or
-      result = node.(BodyStatement).getChild(i) and name = "getChild"
-      or
-      result = node.(Break).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Call).getArguments() and i = -1 and name = "getArguments"
-      or
-      result = node.(Call).getBlock() and i = -1 and name = "getBlock"
-      or
-      result = node.(Call).getMethod() and i = -1 and name = "getMethod"
-      or
-      result = node.(Call).getOperator() and i = -1 and name = "getOperator"
-      or
-      result = node.(Call).getReceiver() and i = -1 and name = "getReceiver"
-      or
-      result = node.(Case).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(Case).getChild(i) and name = "getChild"
-      or
-      result = node.(CaseMatch).getClauses(i) and name = "getClauses"
-      or
-      result = node.(CaseMatch).getElse() and i = -1 and name = "getElse"
-      or
-      result = node.(CaseMatch).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(ChainedString).getChild(i) and name = "getChild"
-      or
-      result = node.(Class).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(Class).getName() and i = -1 and name = "getName"
-      or
-      result = node.(Class).getSuperclass() and i = -1 and name = "getSuperclass"
-      or
-      result = node.(Complex).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Conditional).getAlternative() and i = -1 and name = "getAlternative"
-      or
-      result = node.(Conditional).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(Conditional).getConsequence() and i = -1 and name = "getConsequence"
-      or
-      result = node.(DelimitedSymbol).getChild(i) and name = "getChild"
-      or
-      result = node.(DestructuredLeftAssignment).getChild(i) and name = "getChild"
-      or
-      result = node.(DestructuredParameter).getChild(i) and name = "getChild"
-      or
-      result = node.(Do).getChild(i) and name = "getChild"
-      or
-      result = node.(DoBlock).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(DoBlock).getParameters() and i = -1 and name = "getParameters"
-      or
-      result = node.(ElementReference).getBlock() and i = -1 and name = "getBlock"
-      or
-      result = node.(ElementReference).getObject() and i = -1 and name = "getObject"
-      or
-      result = node.(ElementReference).getChild(i) and name = "getChild"
-      or
-      result = node.(Else).getChild(i) and name = "getChild"
-      or
-      result = node.(Elsif).getAlternative() and i = -1 and name = "getAlternative"
-      or
-      result = node.(Elsif).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(Elsif).getConsequence() and i = -1 and name = "getConsequence"
-      or
-      result = node.(EndBlock).getChild(i) and name = "getChild"
-      or
-      result = node.(Ensure).getChild(i) and name = "getChild"
-      or
-      result = node.(ExceptionVariable).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Exceptions).getChild(i) and name = "getChild"
-      or
-      result = node.(ExpressionReferencePattern).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(FindPattern).getClass() and i = -1 and name = "getClass"
-      or
-      result = node.(FindPattern).getChild(i) and name = "getChild"
-      or
-      result = node.(For).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(For).getPattern() and i = -1 and name = "getPattern"
-      or
-      result = node.(For).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(Hash).getChild(i) and name = "getChild"
-      or
-      result = node.(HashPattern).getClass() and i = -1 and name = "getClass"
-      or
-      result = node.(HashPattern).getChild(i) and name = "getChild"
-      or
-      result = node.(HashSplatArgument).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(HashSplatParameter).getName() and i = -1 and name = "getName"
-      or
-      result = node.(HeredocBody).getChild(i) and name = "getChild"
-      or
-      result = node.(If).getAlternative() and i = -1 and name = "getAlternative"
-      or
-      result = node.(If).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(If).getConsequence() and i = -1 and name = "getConsequence"
-      or
-      result = node.(IfGuard).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(IfModifier).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(IfModifier).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(In).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(InClause).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(InClause).getGuard() and i = -1 and name = "getGuard"
-      or
-      result = node.(InClause).getPattern() and i = -1 and name = "getPattern"
-      or
-      result = node.(Interpolation).getChild(i) and name = "getChild"
-      or
-      result = node.(KeywordParameter).getName() and i = -1 and name = "getName"
-      or
-      result = node.(KeywordParameter).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(KeywordPattern).getKey() and i = -1 and name = "getKey"
-      or
-      result = node.(KeywordPattern).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(Lambda).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(Lambda).getParameters() and i = -1 and name = "getParameters"
-      or
-      result = node.(LambdaParameters).getChild(i) and name = "getChild"
-      or
-      result = node.(LeftAssignmentList).getChild(i) and name = "getChild"
-      or
-      result = node.(MatchPattern).getPattern() and i = -1 and name = "getPattern"
-      or
-      result = node.(MatchPattern).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(Method).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(Method).getName() and i = -1 and name = "getName"
-      or
-      result = node.(Method).getParameters() and i = -1 and name = "getParameters"
-      or
-      result = node.(MethodParameters).getChild(i) and name = "getChild"
-      or
-      result = node.(Module).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(Module).getName() and i = -1 and name = "getName"
-      or
-      result = node.(Next).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(OperatorAssignment).getLeft() and i = -1 and name = "getLeft"
-      or
-      result = node.(OperatorAssignment).getRight() and i = -1 and name = "getRight"
-      or
-      result = node.(OptionalParameter).getName() and i = -1 and name = "getName"
-      or
-      result = node.(OptionalParameter).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(Pair).getKey() and i = -1 and name = "getKey"
-      or
-      result = node.(Pair).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(ParenthesizedPattern).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(ParenthesizedStatements).getChild(i) and name = "getChild"
-      or
-      result = node.(Pattern).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Program).getChild(i) and name = "getChild"
-      or
-      result = node.(Range).getBegin() and i = -1 and name = "getBegin"
-      or
-      result = node.(Range).getEnd() and i = -1 and name = "getEnd"
-      or
-      result = node.(Rational).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Redo).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Regex).getChild(i) and name = "getChild"
-      or
-      result = node.(Rescue).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(Rescue).getExceptions() and i = -1 and name = "getExceptions"
-      or
-      result = node.(Rescue).getVariable() and i = -1 and name = "getVariable"
-      or
-      result = node.(RescueModifier).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(RescueModifier).getHandler() and i = -1 and name = "getHandler"
-      or
-      result = node.(RestAssignment).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Retry).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Return).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(RightAssignmentList).getChild(i) and name = "getChild"
-      or
-      result = node.(ScopeResolution).getName() and i = -1 and name = "getName"
-      or
-      result = node.(ScopeResolution).getScope() and i = -1 and name = "getScope"
-      or
-      result = node.(Setter).getName() and i = -1 and name = "getName"
-      or
-      result = node.(SingletonClass).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(SingletonClass).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(SingletonMethod).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(SingletonMethod).getName() and i = -1 and name = "getName"
-      or
-      result = node.(SingletonMethod).getObject() and i = -1 and name = "getObject"
-      or
-      result = node.(SingletonMethod).getParameters() and i = -1 and name = "getParameters"
-      or
-      result = node.(SplatArgument).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(SplatParameter).getName() and i = -1 and name = "getName"
-      or
-      result = node.(String).getChild(i) and name = "getChild"
-      or
-      result = node.(StringArray).getChild(i) and name = "getChild"
-      or
-      result = node.(Subshell).getChild(i) and name = "getChild"
-      or
-      result = node.(Superclass).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(SymbolArray).getChild(i) and name = "getChild"
-      or
-      result = node.(TestPattern).getPattern() and i = -1 and name = "getPattern"
-      or
-      result = node.(TestPattern).getValue() and i = -1 and name = "getValue"
-      or
-      result = node.(Then).getChild(i) and name = "getChild"
-      or
-      result = node.(Unary).getOperand() and i = -1 and name = "getOperand"
-      or
-      result = node.(Undef).getChild(i) and name = "getChild"
-      or
-      result = node.(Unless).getAlternative() and i = -1 and name = "getAlternative"
-      or
-      result = node.(Unless).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(Unless).getConsequence() and i = -1 and name = "getConsequence"
-      or
-      result = node.(UnlessGuard).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(UnlessModifier).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(UnlessModifier).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(Until).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(Until).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(UntilModifier).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(UntilModifier).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(VariableReferencePattern).getName() and i = -1 and name = "getName"
-      or
-      result = node.(When).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(When).getPattern(i) and name = "getPattern"
-      or
-      result = node.(While).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(While).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(WhileModifier).getBody() and i = -1 and name = "getBody"
-      or
-      result = node.(WhileModifier).getCondition() and i = -1 and name = "getCondition"
-      or
-      result = node.(Yield).getChild() and i = -1 and name = "getChild"
-    }
-  }
 }
 
 overlay[local]
@@ -2441,20 +2107,4 @@ module Erb {
     /** Gets a field or child node of this node. */
     final override AstNode getAFieldOrChild() { erb_template_child(this, _, result) }
   }
-
-  /** Provides predicates for mapping AST nodes to their named children. */
-  module PrintAst {
-    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
-    AstNode getChild(AstNode node, string name, int i) {
-      result = node.(CommentDirective).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Directive).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(GraphqlDirective).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(OutputDirective).getChild() and i = -1 and name = "getChild"
-      or
-      result = node.(Template).getChild(i) and name = "getChild"
-    }
-  }
 }

ruby/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 6.0.1-dev
+version: 6.0.0
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme

ruby/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.6.6-dev
+version: 1.6.5
 groups:
   - ruby
   - queries

ruby/ql/test/library-tests/dataflow/string-flow/string-flow.expected

@@ -28,6 +28,8 @@ nodes
 | string_flow.rb:227:10:227:10 | a | semmle.label | a |
 subpaths
 testFailures
+| string_flow.rb:85:10:85:10 | a | Unexpected result: hasValueFlow=a |
+| string_flow.rb:227:10:227:10 | a | Unexpected result: hasValueFlow=a |
 #select
 | string_flow.rb:3:10:3:22 | call to new | string_flow.rb:2:9:2:18 | call to source | string_flow.rb:3:10:3:22 | call to new | $@ | string_flow.rb:2:9:2:18 | call to source | call to source |
 | string_flow.rb:85:10:85:10 | a | string_flow.rb:83:9:83:18 | call to source | string_flow.rb:85:10:85:10 | a | $@ | string_flow.rb:83:9:83:18 | call to source | call to source |

ruby/ql/test/library-tests/dataflow/string-flow/string_flow.rb

@@ -82,7 +82,7 @@ end
 def m_clear
     a = source "a"
     a.clear
-    sink a # $ SPURIOUS: hasValueFlow=a
+    sink a
 end
 
 # concat and prepend omitted because they clash with the summaries for
@@ -224,7 +224,7 @@ def m_replace
     b = source "b"
     sink a.replace(b) # $ hasTaintFlow=b
     # TODO: currently we get value flow for a, because we don't clear content
-    sink a # $ hasTaintFlow=b SPURIOUS: hasValueFlow=a
+    sink a # $ hasTaintFlow=b
 end
 
 def m_reverse
@@ -316,4 +316,4 @@ def m_upto(i)
     a.upto("b", true) { |x| sink x } # $ hasTaintFlow=a
     "b".upto(a) { |x| sink x } # $ hasTaintFlow=a
     "b".upto(a, true) { |x| sink x }
-end
+end

ruby/ql/test/library-tests/frameworks/action_controller/filter_flow.rb

@@ -9,7 +9,7 @@ end
 class OneController < ActionController::Base
   before_action :a
   after_action :c
-
+  
   def a
     @foo = params[:foo]
   end
@@ -18,14 +18,14 @@ class OneController < ActionController::Base
   end
 
   def c
-    sink @foo # $ hasTaintFlow
+    sink @foo
   end
 end
 
 class TwoController < ActionController::Base
   before_action :a
   after_action :c
-
+  
   def a
     @foo = params[:foo]
   end
@@ -35,14 +35,14 @@ class TwoController < ActionController::Base
   end
 
   def c
-    sink @foo # $ SPURIOUS: hasTaintFlow
+    sink @foo
   end
 end
 
 class ThreeController < ActionController::Base
   before_action :a
   after_action :c
-
+  
   def a
     @foo = params[:foo]
     @foo = "safe"
@@ -52,14 +52,14 @@ class ThreeController < ActionController::Base
   end
 
   def c
-    sink @foo # $ SPURIOUS: hasTaintFlow
+    sink @foo
   end
 end
 
 class FourController < ActionController::Base
   before_action :a
   after_action :c
-
+  
   def a
     @foo.bar = params[:foo]
   end
@@ -68,14 +68,14 @@ class FourController < ActionController::Base
   end
 
   def c
-    sink(@foo.bar) # $ hasTaintFlow
+    sink(@foo.bar)
   end
 end
 
 class FiveController < ActionController::Base
   before_action :a
   after_action :c
-
+  
   def a
     self.taint_foo
   end
@@ -84,10 +84,10 @@ class FiveController < ActionController::Base
   end
 
   def c
-    sink  @foo # $ hasTaintFlow
+    sink  @foo
   end
-
+  
   def taint_foo
     @foo = params[:foo]
   end
-end
+end

ruby/ql/test/library-tests/frameworks/action_controller/params-flow.expected

@@ -270,6 +270,11 @@ nodes
 | params_flow.rb:205:10:205:10 | a | semmle.label | a |
 subpaths
 testFailures
+| filter_flow.rb:21:10:21:13 | @foo | Unexpected result: hasTaintFlow |
+| filter_flow.rb:38:10:38:13 | @foo | Unexpected result: hasTaintFlow |
+| filter_flow.rb:55:10:55:13 | @foo | Unexpected result: hasTaintFlow |
+| filter_flow.rb:71:10:71:17 | call to bar | Unexpected result: hasTaintFlow |
+| filter_flow.rb:87:11:87:14 | @foo | Unexpected result: hasTaintFlow |
 #select
 | filter_flow.rb:21:10:21:13 | @foo | filter_flow.rb:14:12:14:17 | call to params | filter_flow.rb:21:10:21:13 | @foo | $@ | filter_flow.rb:14:12:14:17 | call to params | call to params |
 | filter_flow.rb:38:10:38:13 | @foo | filter_flow.rb:30:12:30:17 | call to params | filter_flow.rb:38:10:38:13 | @foo | $@ | filter_flow.rb:30:12:30:17 | call to params | call to params |