Apply suggestion: use exists(var | range | formula) idiom in OsPathBasenameCall

Agent-Logs-Url: https://github.com/github/codeql/sessions/a319e151-8e8f-4770-b87c-12b5cdb268b8 Co-authored-by: hvitved <3667920+hvitved@users.noreply.github.com>
Add os.path.basename as a sanitizer for py/path-injection
2026-05-30 02:51:24 +02:00 · 2026-04-16 09:46:07 +00:00 · 2026-04-16 08:19:48 +00:00 · 2026-04-16 07:54:08 +00:00 · 2026-04-16 09:03:06 +02:00 · 2026-04-15 09:55:53 -05:00
369 changed files with 84857 additions and 70718 deletions
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.33
+
+No user-facing changes.
+
 ## 0.4.32

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.33.md
+++ b/actions/ql/lib/change-notes/released/0.4.33.md
@@ -0,0 +1,3 @@
+## 0.4.33
+
+No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.32
+lastReleaseVersion: 0.4.33
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.33-dev
+version: 0.4.34-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.25
+
+No user-facing changes.
+
 ## 0.6.24

 No user-facing changes.
--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -26,10 +26,23 @@ string permissionsForJob(Job job) {
    "{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
 }

+predicate jobHasPermissions(Job job) {
+  exists(job.getPermissions())
+  or
+  exists(job.getEnclosingWorkflow().getPermissions())
+  or
+  // The workflow is reusable and cannot be triggered in any other way; check callers
+  exists(ReusableWorkflow r | r = job.getEnclosingWorkflow() |
+    not exists(Event e | e = r.getOn().getAnEvent() | e.getName() != "workflow_call") and
+    forall(Job caller | caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller() |
+      jobHasPermissions(caller)
+    )
+  )
+}
+
 from Job job, string permissions
 where
-  not exists(job.getPermissions()) and
-  not exists(job.getEnclosingWorkflow().getPermissions()) and
+  not jobHasPermissions(job) and
  // exists a trigger event that is not a workflow_call
  exists(Event e |
    e = job.getATriggerEvent() and
--- a/actions/ql/src/change-notes/2026-04-02-permissions.md
+++ b/actions/ql/src/change-notes/2026-04-02-permissions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
--- a/actions/ql/src/change-notes/released/0.6.25.md
+++ b/actions/ql/src/change-notes/released/0.6.25.md
@@ -0,0 +1,3 @@
+## 0.6.25
+
+No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.24
+lastReleaseVersion: 0.6.25
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.25-dev
+version: 0.6.26-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms11.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms11.yml
@@ -0,0 +1,9 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/deploy-pages
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms12.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms12.yml
@@ -0,0 +1,11 @@
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+  pages: write
+
+jobs:
+  call-workflow:
+    uses: ./.github/workflows/perms11.yml
--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -7,10 +7,12 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
 ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
 ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
 ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
 ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -28,6 +30,7 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
 ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
 ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
 ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
 ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
 ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
 ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -40,6 +43,7 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
 ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
 ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,23 @@
+## 9.0.0
+
+### Breaking Changes
+
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
+
+### New Features
+
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
+
+### Minor Analysis Improvements
+
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).
+
 ## 8.0.3

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
+++ b/cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
--- a/cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md
+++ b/cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md
@@ -1,5 +0,0 @@
---
-category: feature
---
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
--- a/cpp/ql/lib/change-notes/2026-03-24-field-init.md
+++ b/cpp/ql/lib/change-notes/2026-03-24-field-init.md
@@ -1,5 +0,0 @@
---
-category: feature
---
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
--- a/cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md
+++ b/cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
--- a/cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md
+++ b/cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).
--- a/cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md
+++ b/cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
--- a/cpp/ql/lib/change-notes/2026-03-31-meson.md
+++ b/cpp/ql/lib/change-notes/2026-03-31-meson.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
--- a/cpp/ql/lib/change-notes/2026-04-14-throwing.md
+++ b/cpp/ql/lib/change-notes/2026-04-14-throwing.md
@@ -0,0 +1,5 @@
+---
+category: breaking
+---
+* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
+* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
--- a/cpp/ql/lib/change-notes/released/9.0.0.md
+++ b/cpp/ql/lib/change-notes/released/9.0.0.md
@@ -0,0 +1,19 @@
+## 9.0.0
+
+### Breaking Changes
+
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
+
+### New Features
+
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
+
+### Minor Analysis Improvements
+
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.3
+lastReleaseVersion: 9.0.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.4-dev
+version: 9.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -459,6 +459,13 @@ class FormatLiteral extends Literal instanceof StringLiteral {
   */
  int getConvSpecOffset(int n) { result = this.getFormat().indexOf("%", n, 0) }

+  /**
+   * Gets the nth conversion specifier string.
+   */
+  private string getConvSpecString(int n) {
+    n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
+  }
+
  /*
   * Each of these predicates gets a regular expressions to match each individual
   * parts of a conversion specifier.
@@ -524,22 +531,20 @@ class FormatLiteral extends Literal instanceof StringLiteral {
    int n, string spec, string params, string flags, string width, string prec, string len,
    string conv
  ) {
-    exists(int offset, string fmt, string rst, string regexp |
-      offset = this.getConvSpecOffset(n) and
-      fmt = this.getFormat() and
-      rst = fmt.substring(offset, fmt.length()) and
+    exists(string convSpec, string regexp |
+      convSpec = this.getConvSpecString(n) and
      regexp = this.getConvSpecRegexp() and
      (
-        spec = rst.regexpCapture(regexp, 1) and
-        params = rst.regexpCapture(regexp, 2) and
-        flags = rst.regexpCapture(regexp, 3) and
-        width = rst.regexpCapture(regexp, 4) and
-        prec = rst.regexpCapture(regexp, 5) and
-        len = rst.regexpCapture(regexp, 6) and
-        conv = rst.regexpCapture(regexp, 7)
+        spec = convSpec.regexpCapture(regexp, 1) and
+        params = convSpec.regexpCapture(regexp, 2) and
+        flags = convSpec.regexpCapture(regexp, 3) and
+        width = convSpec.regexpCapture(regexp, 4) and
+        prec = convSpec.regexpCapture(regexp, 5) and
+        len = convSpec.regexpCapture(regexp, 6) and
+        conv = convSpec.regexpCapture(regexp, 7)
        or
-        spec = rst.regexpCapture(regexp, 1) and
-        not exists(rst.regexpCapture(regexp, 2)) and
+        spec = convSpec.regexpCapture(regexp, 1) and
+        not exists(convSpec.regexpCapture(regexp, 2)) and
        params = "" and
        flags = "" and
        width = "" and
@@ -554,12 +559,10 @@ class FormatLiteral extends Literal instanceof StringLiteral {
   * Gets the nth conversion specifier (including the initial `%`).
   */
  string getConvSpec(int n) {
-    exists(int offset, string fmt, string rst, string regexp |
-      offset = this.getConvSpecOffset(n) and
-      fmt = this.getFormat() and
-      rst = fmt.substring(offset, fmt.length()) and
+    exists(string convSpec, string regexp |
+      convSpec = this.getConvSpecString(n) and
      regexp = this.getConvSpecRegexp() and
-      result = rst.regexpCapture(regexp, 1)
+      result = convSpec.regexpCapture(regexp, 1)
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
@@ -194,6 +194,13 @@ class ScanfFormatLiteral extends Expr {
    )
  }

+  /**
+   * Gets the nth conversion specifier string.
+   */
+  private string getConvSpecString(int n) {
+    n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
+  }
+
  /**
   * Gets the regular expression to match each individual part of a conversion specifier.
   */
@@ -227,16 +234,14 @@ class ScanfFormatLiteral extends Expr {
   * specifier.
   */
  predicate parseConvSpec(int n, string spec, string width, string len, string conv) {
-    exists(int offset, string fmt, string rst, string regexp |
-      offset = this.getConvSpecOffset(n) and
-      fmt = this.getFormat() and
-      rst = fmt.substring(offset, fmt.length()) and
+    exists(string convSpec, string regexp |
+      convSpec = this.getConvSpecString(n) and
      regexp = this.getConvSpecRegexp() and
      (
-        spec = rst.regexpCapture(regexp, 1) and
-        width = rst.regexpCapture(regexp, 2) and
-        len = rst.regexpCapture(regexp, 3) and
-        conv = rst.regexpCapture(regexp, 4)
+        spec = convSpec.regexpCapture(regexp, 1) and
+        width = convSpec.regexpCapture(regexp, 2) and
+        len = convSpec.regexpCapture(regexp, 3) and
+        conv = convSpec.regexpCapture(regexp, 4)
      )
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
@@ -6,11 +6,15 @@
 *
 * The extensible relations have the following columns:
 * - Sources:
- *   `namespace; type; subtypes; name; signature; ext; output; kind`
+ *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
 * - Sinks:
- *   `namespace; type; subtypes; name; signature; ext; input; kind`
+ *   `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
 * - Summaries:
- *   `namespace; type; subtypes; name; signature; ext; input; output; kind`
+ *   `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
+ * - Barriers:
+ *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
+ * - BarrierGuards:
+ *   `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
 *
 * The interpretation of a row is similar to API-graphs with a left-to-right
 * reading.
@@ -87,11 +91,23 @@
 *    value, and
 *    - flow from the _second_ indirection of the 0th argument to the first
 *    indirection of the return value, etc.
- * 8. The `kind` column is a tag that can be referenced from QL to determine to
+ * 8. The `acceptingValue` column of barrier guard models specifies the condition
+ *    under which the guard blocks flow. It can be one of "true" or "false". In
+ *    the future "no-exception", "not-zero", "null", "not-null" may be supported.
+ * 9. The `kind` column is a tag that can be referenced from QL to determine to
 *    which classes the interpreted elements should be added. For example, for
 *    sources "remote" indicates a default remote flow source, and for summaries
 *    "taint" indicates a default additional taint step and "value" indicates a
 *    globally applicable value-preserving step.
+ * 10. The `provenance` column is a tag to indicate the origin and verification of a model.
+ *    The format is {origin}-{verification} or just "manual" where the origin describes
+ *    the origin of the model and verification describes how the model has been verified.
+ *    Some examples are:
+ *    - "df-generated": The model has been generated by the model generator tool.
+ *    - "df-manual": The model has been generated by the model generator and verified by a human.
+ *    - "manual": The model has been written by hand.
+ *    This information is used in a heuristic for dataflow analysis to determine, if a
+ *    model or source code should be used for determining flow.
 */

 import cpp
@@ -931,13 +947,13 @@ private module Cached {

  private predicate barrierGuardChecks(IRGuardCondition g, Expr e, boolean gv, TKindModelPair kmp) {
    exists(
-      SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingvalue,
+      SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingValue,
      string kind, string model
    |
-      isBarrierGuardNode(n, acceptingvalue, kind, model) and
+      isBarrierGuardNode(n, acceptingValue, kind, model) and
      n.asNode().asExpr() = e and
      kmp = TMkPair(kind, model) and
-      gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
+      gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
      n.asNode().(Private::ArgumentNode).getCall().asCallInstruction() = g
    )
  }
@@ -954,14 +970,14 @@ private module Cached {
  ) {
    exists(
      SourceSinkInterpretationInput::InterpretNode interpretNode,
-      Public::AcceptingValue acceptingvalue, string kind, string model, int indirectionIndex,
+      Public::AcceptingValue acceptingValue, string kind, string model, int indirectionIndex,
      Private::ArgumentNode arg
    |
-      isBarrierGuardNode(interpretNode, acceptingvalue, kind, model) and
+      isBarrierGuardNode(interpretNode, acceptingValue, kind, model) and
      arg = interpretNode.asNode() and
      arg.asIndirectExpr(indirectionIndex) = e and
      kmp = MkKindModelPairIntPair(TMkPair(kind, model), indirectionIndex) and
-      gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
+      gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
      arg.getCall().asCallInstruction() = g
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll
@@ -33,7 +33,7 @@ extensible predicate barrierModel(
 */
 extensible predicate barrierGuardModel(
  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
+  string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
 );

 /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -162,13 +162,13 @@ module SourceSinkInterpretationInput implements
  }

  predicate barrierGuardElement(
-    Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
+    Element e, string input, Public::AcceptingValue acceptingValue, string kind,
    Public::Provenance provenance, string model
  ) {
    exists(
      string package, string type, boolean subtypes, string name, string signature, string ext
    |
-      barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingvalue, kind,
+      barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingValue, kind,
        provenance, model) and
      e = interpretElement(package, type, subtypes, name, signature, ext)
    )
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll
@@ -11,10 +11,3 @@ import semmle.code.cpp.models.Models
 * The function may still raise a structured exception handling (SEH) exception.
 */
 abstract class NonCppThrowingFunction extends Function { }
-
-/**
- * A function that is guaranteed to never throw.
- *
- * DEPRECATED: use `NonCppThrowingFunction` instead.
- */
-deprecated class NonThrowingFunction = NonCppThrowingFunction;
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll
@@ -10,19 +10,6 @@ import semmle.code.cpp.Function
 import semmle.code.cpp.models.Models
 import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs

-/**
- * A function that is known to raise an exception.
- *
- * DEPRECATED: use `AlwaysSehThrowingFunction` instead.
- */
-abstract deprecated class ThrowingFunction extends Function {
-  /**
-   * Holds if this function may throw an exception during evaluation.
-   * If `unconditional` is `true` the function always throws an exception.
-   */
-  abstract predicate mayThrowException(boolean unconditional);
-}
-
 /**
 * A function that unconditionally raises a structured exception handling (SEH) exception.
 */
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Minor Analysis Improvements
+
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
+
 ## 1.5.15

 No user-facing changes.
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.1
- * @precision medium
+ * @precision high
 * @id cpp/integer-multiplication-cast-to-long
 * @tags reliability
 *       security
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @problem.severity error
 * @security-severity 7.5
- * @precision medium
+ * @precision high
 * @id cpp/wrong-type-format-argument
 * @tags reliability
 *       correctness
--- a/Functions/ImplicitFunctionDeclaration.qhelp
+++ b/Functions/ImplicitFunctionDeclaration.qhelp
@@ -14,6 +14,9 @@ function may behave unpredictably.</p>
 <p>This may indicate a misspelled function name, or that the required header containing
 the function declaration has not been included.</p>

+<p>Note: This query is not compatible with <code>build mode: none</code> databases, and produces
+no results on those databases.</p>
+
 </overview>
 <recommendation>
 <p>Provide an explicit declaration of the function before invoking it.</p>
@@ -26,4 +29,4 @@ the function declaration has not been included.</p>
 <references>
 <li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL31-C.+Declare+identifiers+before+using+them">DCL31-C. Declare identifiers before using them</a></li>
 </references>
-</qhelp>
+</qhelp>
--- a/Functions/ImplicitFunctionDeclaration.ql
+++ b/Functions/ImplicitFunctionDeclaration.ql
@@ -5,7 +5,7 @@
 * may lead to unpredictable behavior.
 * @kind problem
 * @problem.severity warning
- * @precision medium
+ * @precision high
 * @id cpp/implicit-function-declaration
 * @tags correctness
 *       maintainability
@@ -17,6 +17,11 @@ import TooFewArguments
 import TooManyArguments
 import semmle.code.cpp.commons.Exclusions

+/*
+ * This query is not compatible with build mode: none databases, and produces
+ * no results on those databases.
+ */
+
 predicate locInfo(Locatable e, File file, int line, int col) {
  e.getFile() = file and
  e.getLocation().getStartLine() = line and
@@ -39,6 +44,7 @@ predicate isCompiledAsC(File f) {
 from FunctionDeclarationEntry fdeIm, FunctionCall fc
 where
  isCompiledAsC(fdeIm.getFile()) and
+  not any(Compilation c).buildModeNone() and
  not isFromMacroDefinition(fc) and
  fdeIm.isImplicit() and
  sameLocation(fdeIm, fc) and
--- a/Functions/MistypedFunctionArguments.qll
+++ b/Functions/MistypedFunctionArguments.qll
@@ -79,9 +79,7 @@ private predicate hasZeroParamDecl(Function f) {

 // True if this file (or header) was compiled as a C file
 private predicate isCompiledAsC(File f) {
-  f.compiledAsC()
-  or
-  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
 }

 predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {
--- a/Functions/TooFewArguments.qll
+++ b/Functions/TooFewArguments.qll
@@ -28,9 +28,7 @@ private predicate hasZeroParamDecl(Function f) {

 /* Holds if this file (or header) was compiled as a C file. */
 private predicate isCompiledAsC(File f) {
-  f.compiledAsC()
-  or
-  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
 }

 /** Holds if `fc` is a call to `f` with too few arguments. */
--- a/Functions/TooManyArguments.qll
+++ b/Functions/TooManyArguments.qll
@@ -19,9 +19,7 @@ private predicate hasZeroParamDecl(Function f) {

 // True if this file (or header) was compiled as a C file
 private predicate isCompiledAsC(File f) {
-  f.compiledAsC()
-  or
-  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
 }

 predicate tooManyArguments(FunctionCall fc, Function f) {
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 7.8
- * @precision medium
+ * @precision high
 * @tags reliability
 *       security
 *       external/cwe/cwe-190
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.8
- * @precision medium
+ * @precision high
 * @id cpp/suspicious-add-sizeof
 * @tags security
 *       external/cwe/cwe-468
--- a/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
+++ b/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -1,4 +0,0 @@
---
-category: queryMetadata
---
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
+++ b/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
+++ b/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
+++ b/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
--- a/cpp/ql/src/change-notes/2026-03-23-implicit-function-declaration.md
+++ b/cpp/ql/src/change-notes/2026-03-23-implicit-function-declaration.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query no longer produces results on `build mode: none` databases. These results were found to be very noisy and fundamentally imprecise in this mode.
--- a/cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md
+++ b/cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
--- a/cpp/ql/src/change-notes/2026-04-02-comparison-with-wider-type.md
+++ b/cpp/ql/src/change-notes/2026-04-02-comparison-with-wider-type.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
--- a/cpp/ql/src/change-notes/2026-04-02-implicit-function-declaration.md
+++ b/cpp/ql/src/change-notes/2026-04-02-implicit-function-declaration.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision.
--- a/cpp/ql/src/change-notes/2026-04-02-integer-multiplication-cast-to-long.md
+++ b/cpp/ql/src/change-notes/2026-04-02-integer-multiplication-cast-to-long.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
--- a/cpp/ql/src/change-notes/2026-04-02-suspicious-add-sizeof.md
+++ b/cpp/ql/src/change-notes/2026-04-02-suspicious-add-sizeof.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
--- a/cpp/ql/src/change-notes/2026-04-02-wrong-type-format-argument.md
+++ b/cpp/ql/src/change-notes/2026-04-02-wrong-type-format-argument.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
--- a/cpp/ql/src/change-notes/released/1.6.0.md
+++ b/cpp/ql/src/change-notes/released/1.6.0.md
@@ -0,0 +1,13 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Minor Analysis Improvements
+
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.15
+lastReleaseVersion: 1.6.0
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.16-dev
+version: 1.6.1-dev
 groups:
  - cpp
  - queries
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.64
+
+No user-facing changes.
+
 ## 1.7.63

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.64.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.64.md
@@ -0,0 +1,3 @@
+## 1.7.64
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.63
+lastReleaseVersion: 1.7.64
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.64-dev
+version: 1.7.65-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.64
+
+No user-facing changes.
+
 ## 1.7.63

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.64.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.64.md
@@ -0,0 +1,3 @@
+## 1.7.64
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.63
+lastReleaseVersion: 1.7.64
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.64-dev
+version: 1.7.65-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/examples/snippets/integer_literal.ql
+++ b/csharp/ql/examples/snippets/integer_literal.ql
@@ -9,5 +9,5 @@
 import csharp

 from IntegerLiteral literal
-where literal.getValue().toInt() = 0
+where literal.getIntValue() = 0
 select literal
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 5.4.12
+
+### Minor Analysis Improvements
+
+* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
+* The `cs/log-forging` query no longer treats arguments to extension methods with
+  source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
+  through extension method bodies, reducing false positives when extension methods
+  sanitize input internally.
+
 ## 5.4.11

 No user-facing changes.
--- a/csharp/ql/lib/Linq/Helpers.qll
+++ b/csharp/ql/lib/Linq/Helpers.qll
@@ -121,15 +121,17 @@ predicate missedOfTypeOpportunity(ForeachStmtEnumerable fes, LocalVariableDeclSt
 /**
 * Holds if `foreach` statement `fes` can be converted to a `.Select()` call.
 * That is, the loop variable is accessed only in the first statement of the
- * block, the access is not a cast, and the first statement is a
- * local variable declaration statement `s`.
+ * block, the access is not a cast, the first statement is a
+ * local variable declaration statement `s`, and the initializer does not
+ * contain an `await` expression (since `Select` does not support async lambdas).
 */
 predicate missedSelectOpportunity(ForeachStmtGenericEnumerable fes, LocalVariableDeclStmt s) {
  s = firstStmt(fes) and
  forex(VariableAccess va | va = fes.getVariable().getAnAccess() |
    va = s.getAVariableDeclExpr().getAChildExpr*()
  ) and
-  not s.getAVariableDeclExpr().getInitializer() instanceof Cast
+  not s.getAVariableDeclExpr().getInitializer() instanceof Cast and
+  not s.getAVariableDeclExpr().getInitializer().getAChildExpr*() instanceof AwaitExpr
 }

 /**
--- a/csharp/ql/lib/change-notes/2026-03-26-expanded-assignments.md
+++ b/csharp/ql/lib/change-notes/2026-03-26-expanded-assignments.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
--- a/csharp/ql/lib/change-notes/2026-03-19-fix-log-forging-extension-methods.md
+++ b/csharp/ql/lib/change-notes/2026-03-19-fix-log-forging-extension-methods.md
@@ -1,6 +1,8 @@
---
-category: minorAnalysis
---
+## 5.4.12
+
+### Minor Analysis Improvements
+
+* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
 * The `cs/log-forging` query no longer treats arguments to extension methods with
  source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
  through extension method bodies, reducing false positives when extension methods
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.11
+lastReleaseVersion: 5.4.12
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.12-dev
+version: 5.4.13-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/Conversion.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Conversion.qll
@@ -232,14 +232,9 @@ private module Identity {
   */
  pragma[nomagic]
  private predicate convTypeArguments(Type fromTypeArgument, Type toTypeArgument, int i) {
-    exists(int j |
-      fromTypeArgument = getTypeArgumentRanked(_, _, i) and
-      toTypeArgument = getTypeArgumentRanked(_, _, j) and
-      i <= j and
-      j <= i
-    |
-      convIdentity(fromTypeArgument, toTypeArgument)
-    )
+    fromTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i)) and
+    toTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i)) and
+    convIdentity(fromTypeArgument, toTypeArgument)
  }

  pragma[nomagic]
@@ -718,7 +713,7 @@ private class SignedIntegralConstantExpr extends Expr {
 }

 private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType toType) {
-  exists(int n | n = e.getValue().toInt() |
+  exists(int n | n = e.getIntValue() |
    toType = any(SByteType t | n in [t.minValue() .. t.maxValue()])
    or
    toType = any(ByteType t | n in [t.minValue() .. t.maxValue()])
@@ -735,7 +730,7 @@ private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType t

 private predicate convConstantLongExpr(SignedIntegralConstantExpr e) {
  e.getType() instanceof LongType and
-  e.getValue().toInt() >= 0
+  e.getIntValue() >= 0
 }

 /** 6.1.10: Implicit reference conversions involving type parameters. */
@@ -929,19 +924,16 @@ private module Variance {
  private predicate convTypeArguments(
    TypeArgument fromTypeArgument, TypeArgument toTypeArgument, int i, TVariance v
  ) {
-    exists(int j |
-      fromTypeArgument = getTypeArgumentRanked(_, _, i, _) and
-      toTypeArgument = getTypeArgumentRanked(_, _, j, _) and
-      i <= j and
-      j <= i
-    |
+    fromTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i), _) and
+    toTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i), _) and
+    (
      convIdentity(fromTypeArgument, toTypeArgument) and
      v = TNone()
      or
-      convRefTypeTypeArgumentOut(fromTypeArgument, toTypeArgument, j) and
+      convRefTypeTypeArgumentOut(fromTypeArgument, toTypeArgument, i) and
      v = TOut()
      or
-      convRefTypeTypeArgumentIn(toTypeArgument, fromTypeArgument, j) and
+      convRefTypeTypeArgumentIn(toTypeArgument, fromTypeArgument, i) and
      v = TIn()
    )
  }
--- a/csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll
+++ b/csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll
@@ -161,7 +161,7 @@ private newtype TComparisonTest =
      compare.getComparisonKind().isCompare() and
      outerKind = outer.getComparisonKind() and
      outer.getAnArgument() = compare.getExpr() and
-      i = outer.getAnArgument().getValue().toInt()
+      i = outer.getAnArgument().getIntValue()
    |
      outerKind.isEquality() and
      (
--- a/csharp/ql/lib/semmle/code/csharp/commons/Constants.qll
+++ b/csharp/ql/lib/semmle/code/csharp/commons/Constants.qll
@@ -32,13 +32,13 @@ private module ConstantComparisonOperation {

  private int maxValue(Expr expr) {
    if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
-    then result = expr.getValue().toInt()
+    then result = expr.getIntValue()
    else result = convertedType(expr).maxValue()
  }

  private int minValue(Expr expr) {
    if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
-    then result = expr.getValue().toInt()
+    then result = expr.getIntValue()
    else result = convertedType(expr).minValue()
  }

--- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
@@ -60,25 +60,16 @@ private module GuardsInput implements
    override boolean asBooleanValue() { boolConst(this, result) }
  }

-  private predicate intConst(Expr e, int i) {
-    e.getValue().toInt() = i and
-    (
-      e.getType() instanceof Enum
-      or
-      e.getType() instanceof IntegralType
-    )
-  }
-
  private class IntegerConstant extends ConstantExpr {
-    IntegerConstant() { intConst(this, _) }
+    IntegerConstant() { exists(this.getIntValue()) }

-    override int asIntegerValue() { intConst(this, result) }
+    override int asIntegerValue() { result = this.getIntValue() }
  }

  private class EnumConst extends ConstantExpr {
    EnumConst() { this.getType() instanceof Enum and this.hasValue() }

-    override int asIntegerValue() { result = this.getValue().toInt() }
+    override int asIntegerValue() { result = this.getIntValue() }
  }

  private class StringConstant extends ConstantExpr instanceof StringLiteral {
@@ -517,35 +508,35 @@ class EnumerableCollectionExpr extends Expr {
          |
            // x.Length == 0
            ct.getComparisonKind().isEquality() and
-            ct.getAnArgument().getValue().toInt() = 0 and
+            ct.getAnArgument().getIntValue() = 0 and
            branch = isEmpty
            or
            // x.Length == k, k > 0
            ct.getComparisonKind().isEquality() and
-            ct.getAnArgument().getValue().toInt() > 0 and
+            ct.getAnArgument().getIntValue() > 0 and
            branch = true and
            isEmpty = false
            or
            // x.Length != 0
            ct.getComparisonKind().isInequality() and
-            ct.getAnArgument().getValue().toInt() = 0 and
+            ct.getAnArgument().getIntValue() = 0 and
            branch = isEmpty.booleanNot()
            or
            // x.Length != k, k != 0
            ct.getComparisonKind().isInequality() and
-            ct.getAnArgument().getValue().toInt() != 0 and
+            ct.getAnArgument().getIntValue() != 0 and
            branch = false and
            isEmpty = false
            or
            // x.Length > k, k >= 0
            ct.getComparisonKind().isLessThan() and
-            ct.getFirstArgument().getValue().toInt() >= 0 and
+            ct.getFirstArgument().getIntValue() >= 0 and
            branch = true and
            isEmpty = false
            or
            // x.Length >= k, k > 0
            ct.getComparisonKind().isLessThanEquals() and
-            ct.getFirstArgument().getValue().toInt() > 0 and
+            ct.getFirstArgument().getIntValue() > 0 and
            branch = true and
            isEmpty = false
          )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
@@ -4,13 +4,17 @@
 * Provides classes and predicates for dealing with MaD flow models specified
 * in data extensions and CSV format.
 *
- * The CSV specification has the following columns:
+ * The extensible relations have the following columns:
 * - Sources:
 *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
 * - Sinks:
 *   `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
 * - Summaries:
 *   `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
+ * - Barriers:
+ *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
+ * - BarrierGuards:
+ *   `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
 * - Neutrals:
 *   `namespace; type; name; signature; kind; provenance`
 *   A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
@@ -69,14 +73,17 @@
 *    - "Field[f]": Selects the contents of field `f`.
 *    - "Property[p]": Selects the contents of property `p`.
 *
- * 8. The `kind` column is a tag that can be referenced from QL to determine to
+ * 8. The `acceptingValue` column of barrier guard models specifies the condition
+ *    under which the guard blocks flow. It can be one of "true" or "false". In
+ *    the future "no-exception", "not-zero", "null", "not-null" may be supported.
+ * 9. The `kind` column is a tag that can be referenced from QL to determine to
 *    which classes the interpreted elements should be added. For example, for
 *    sources "remote" indicates a default remote flow source, and for summaries
 *    "taint" indicates a default additional taint step and "value" indicates a
 *    globally applicable value-preserving step. For neutrals the kind can be `summary`,
 *    `source` or `sink` to indicate that the neutral is neutral with respect to
 *    flow (no summary), source (is not a source) or sink (is not a sink).
- * 9. The `provenance` column is a tag to indicate the origin and verification of a model.
+ * 10. The `provenance` column is a tag to indicate the origin and verification of a model.
 *    The format is {origin}-{verification} or just "manual" where the origin describes
 *    the origin of the model and verification describes how the model has been verified.
 *    Some examples are:
@@ -230,11 +237,11 @@ module ModelValidation {
      result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model."
    )
    or
-    exists(string acceptingvalue |
-      barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and
-      invalidAcceptingValue(acceptingvalue) and
+    exists(string acceptingValue |
+      barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and
+      invalidAcceptingValue(acceptingValue) and
      result =
-        "Unrecognized accepting value description \"" + acceptingvalue +
+        "Unrecognized accepting value description \"" + acceptingValue +
          "\" in barrier guard model."
    )
  }
@@ -482,13 +489,13 @@ private module Cached {

  private predicate barrierGuardChecks(Guard g, Expr e, GuardValue gv, TKindModelPair kmp) {
    exists(
-      SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingvalue, string kind,
+      SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingValue, string kind,
      string model
    |
-      isBarrierGuardNode(n, acceptingvalue, kind, model) and
+      isBarrierGuardNode(n, acceptingValue, kind, model) and
      n.asNode().asExpr() = e and
      kmp = TMkPair(kind, model) and
-      gv = convertAcceptingValue(acceptingvalue)
+      gv = convertAcceptingValue(acceptingValue)
    |
      g.(Call).getAnArgument() = e or g.(QualifiableExpr).getQualifier() = e
    )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll
@@ -33,7 +33,7 @@ extensible predicate barrierModel(
 */
 extensible predicate barrierGuardModel(
  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
+  string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
 );

 /**
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -253,13 +253,13 @@ module SourceSinkInterpretationInput implements
  }

  predicate barrierGuardElement(
-    Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
+    Element e, string input, Public::AcceptingValue acceptingValue, string kind,
    Public::Provenance provenance, string model
  ) {
    exists(
      string namespace, string type, boolean subtypes, string name, string signature, string ext
    |
-      barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingvalue,
+      barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingValue,
        kind, provenance, model) and
      e = interpretElement(namespace, type, subtypes, name, signature, ext, _)
    )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll
@@ -23,7 +23,7 @@ predicate systemArrayLengthAccess(PropertyAccess pa) {
 * - a read of the `Length` of an array with `val` lengths.
 */
 private predicate constantIntegerExpr(ExprNode e, int val) {
-  e.getValue().toInt() = val
+  e.getExpr().getIntValue() = val
  or
  exists(ExprNode src |
    e = getAnExplicitDefinitionRead(src) and
--- a/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
@@ -57,6 +57,13 @@ class Expr extends ControlFlowElement, @expr {
  /** Gets the value of this expression, if any */
  string getValue() { expr_value(this, result) }

+  /** Gets the integer value of this expression, if any. */
+  cached
+  int getIntValue() {
+    result = this.getValue().toInt() and
+    (this.getType() instanceof IntegralType or this.getType() instanceof Enum)
+  }
+
  /** Holds if this expression has a value. */
  final predicate hasValue() { exists(this.getValue()) }

--- a/csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll
@@ -81,7 +81,7 @@ class SystemRuntimeCompilerServicesInlineArrayAttribute extends Attribute {
  /**
   * Gets the length of the inline array.
   */
-  int getLength() { result = this.getConstructorArgument(0).getValue().toInt() }
+  int getLength() { result = this.getConstructorArgument(0).getIntValue() }
 }

 /** An attribute of type `System.Runtime.CompilerServices.OverloadResolutionPriority`. */
@@ -94,5 +94,5 @@ class SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute extends A
  /**
   * Gets the priority number.
   */
-  int getPriority() { result = this.getConstructorArgument(0).getValue().toInt() }
+  int getPriority() { result = this.getConstructorArgument(0).getIntValue() }
 }
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 1.7.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Major Analysis Improvements
+
+* The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.
+
 ## 1.6.6

 No user-facing changes.
--- a/csharp/ql/src/Likely
+++ b/csharp/ql/src/Likely
@@ -13,7 +13,7 @@
 import csharp

 predicate isDefinitelyPositive(Expr e) {
-  e.getValue().toInt() >= 0 or
+  e.getIntValue() >= 0 or
  e.(PropertyAccess).getTarget().hasName("Length") or
  e.(MethodCall).getTarget().hasUndecoratedName("Count")
 }
@@ -23,12 +23,12 @@ where
  t.getLeftOperand() = lhs and
  t.getRightOperand() = rhs and
  not isDefinitelyPositive(lhs.getLeftOperand().stripCasts()) and
-  lhs.getRightOperand().(IntegerLiteral).getValue() = "2" and
+  lhs.getRightOperand().(IntegerLiteral).getIntValue() = 2 and
  (
-    t instanceof EQExpr and rhs.getValue() = "1" and parity = "oddness"
+    t instanceof EQExpr and rhs.getIntValue() = 1 and parity = "oddness"
    or
-    t instanceof NEExpr and rhs.getValue() = "1" and parity = "evenness"
+    t instanceof NEExpr and rhs.getIntValue() = 1 and parity = "evenness"
    or
-    t instanceof GTExpr and rhs.getValue() = "0" and parity = "oddness"
+    t instanceof GTExpr and rhs.getIntValue() = 0 and parity = "oddness"
  )
 select t, "Possibly invalid test for " + parity + ". This will fail for negative numbers."
--- a/Bugs/MishandlingJapaneseEra.ql
+++ b/Bugs/MishandlingJapaneseEra.ql
@@ -27,8 +27,8 @@ predicate isExactEraStartDateCreation(ObjectCreation cr) {
    cr.getType().hasFullyQualifiedName("System", "DateTime") or
    cr.getType().hasFullyQualifiedName("System", "DateTimeOffset")
  ) and
-  isEraStart(cr.getArgument(0).getValue().toInt(), cr.getArgument(1).getValue().toInt(),
-    cr.getArgument(2).getValue().toInt())
+  isEraStart(cr.getArgument(0).getIntValue(), cr.getArgument(1).getIntValue(),
+    cr.getArgument(2).getIntValue())
 }

 predicate isDateFromJapaneseCalendarToDateTime(MethodCall mc) {
@@ -44,7 +44,7 @@ predicate isDateFromJapaneseCalendarToDateTime(MethodCall mc) {
    mc.getNumberOfArguments() = 7 // implicitly current era
    or
    mc.getNumberOfArguments() = 8 and
-    mc.getArgument(7).getValue() = "0"
+    mc.getArgument(7).getIntValue() = 0
  ) // explicitly current era
 }

--- a/Bugs/PossibleLossOfPrecision.ql
+++ b/Bugs/PossibleLossOfPrecision.ql
@@ -40,8 +40,8 @@ predicate convertedToFloatOrDecimal(Expr e, Type t) {
 /** Holds if `div` is an exact integer division. */
 predicate exactDivision(DivExpr div) {
  exists(int numerator, int denominator |
-    numerator = div.getNumerator().stripCasts().getValue().toInt() and
-    denominator = div.getDenominator().stripCasts().getValue().toInt() and
+    numerator = div.getNumerator().stripCasts().getIntValue() and
+    denominator = div.getDenominator().stripCasts().getIntValue() and
    numerator % denominator = 0
  )
 }
--- a/Features/InsufficientKeySize.ql
+++ b/Features/InsufficientKeySize.ql
@@ -20,7 +20,7 @@ predicate incorrectUseOfRC2(Assignment e, string msg) {
        .getDeclaringType()
        .hasFullyQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider")
  ) and
-  e.getRightOperand().getValue().toInt() < 128 and
+  e.getRightOperand().getIntValue() < 128 and
  msg = "Key size should be at least 128 bits for RC2 encryption."
 }

@@ -28,7 +28,7 @@ predicate incorrectUseOfDsa(ObjectCreation e, string msg) {
  e.getTarget()
      .getDeclaringType()
      .hasFullyQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
-  exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
+  exists(Expr i | e.getArgument(0) = i and i.getIntValue() < 2048) and
  msg = "Key size should be at least 2048 bits for DSA encryption."
 }

@@ -36,7 +36,7 @@ predicate incorrectUseOfRsa(ObjectCreation e, string msg) {
  e.getTarget()
      .getDeclaringType()
      .hasFullyQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and
-  exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
+  exists(Expr i | e.getArgument(0) = i and i.getIntValue() < 2048) and
  msg = "Key size should be at least 2048 bits for RSA encryption."
 }

--- a/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -1,5 +0,0 @@
---
-category: queryMetadata
---
-* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/csharp/ql/src/change-notes/2026-03-31-constantcondition-simplify.md
+++ b/csharp/ql/src/change-notes/2026-03-31-constantcondition-simplify.md
@@ -1,4 +1,10 @@
---
-category: majorAnalysis
---
+## 1.7.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Major Analysis Improvements
+
 * The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.6
+lastReleaseVersion: 1.7.0
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.7-dev
+version: 1.7.1-dev
 groups:
  - csharp
  - queries
--- a/csharp/ql/test/query-tests/Linq/MissedSelectOpportunity/MissedSelectOpportunity.cs
+++ b/csharp/ql/test/query-tests/Linq/MissedSelectOpportunity/MissedSelectOpportunity.cs
@@ -0,0 +1,32 @@
+using System;
+using System.Linq;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+class MissedSelectOpportunity
+{
+    public void M1(List<int> lst)
+    {
+        // BAD: Can be replaced with lst.Select(i => i * i)
+        foreach (int i in lst)
+        {
+            int j = i * i;
+            Console.WriteLine(j);
+        } // $ Alert
+    }
+
+    public async Task M2(IEnumerable<ICounter> counters)
+    {
+        // GOOD: Cannot use Select because the initializer contains an await expression
+        foreach (var counter in counters)
+        {
+            var count = await counter.CountAsync();
+            Console.WriteLine(count);
+        }
+    }
+
+    public interface ICounter
+    {
+        Task<int> CountAsync();
+    }
+}
--- a/csharp/ql/test/query-tests/Linq/MissedSelectOpportunity/MissedSelectOpportunity.expected
+++ b/csharp/ql/test/query-tests/Linq/MissedSelectOpportunity/MissedSelectOpportunity.expected
@@ -0,0 +1 @@
+| MissedSelectOpportunity.cs:11:9:15:9 | foreach (... ... in ...) ... | This foreach loop immediately $@ - consider mapping the sequence explicitly using '.Select(...)'. | MissedSelectOpportunity.cs:13:13:13:26 | ... ...; | maps its iteration variable to another variable |
--- a/csharp/ql/test/query-tests/Linq/MissedSelectOpportunity/MissedSelectOpportunity.qlref
+++ b/csharp/ql/test/query-tests/Linq/MissedSelectOpportunity/MissedSelectOpportunity.qlref
@@ -0,0 +1,2 @@
+query: Linq/MissedSelectOpportunity.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/csharp/ql/test/query-tests/Linq/MissedSelectOpportunity/options
+++ b/csharp/ql/test/query-tests/Linq/MissedSelectOpportunity/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.2.rst
@@ -0,0 +1,157 @@
+.. _codeql-cli-2.25.2:
+
+==========================
+CodeQL 2.25.2 (2026-04-15)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.25.2 runs a total of 492 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.10.
+
+Query Packs
+-----------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The :code:`cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that :code:`cs/constant-comparison` used to report, and as consequence, that query has been deleted.
+
+Python
+""""""
+
+*   Several quality queries have been ported away from using the legacy points-to library. This may lead to changes in alerts.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The "Extraction warnings" (:code:`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields :code:`ExtractionRecoverableWarning`\ s for :code:`build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
+*   Fixed an issue with the "Suspicious add with sizeof" (:code:`cpp/suspicious-add-sizeof`) query causing false positive results in :code:`build-mode: none` databases.
+*   Fixed an issue with the "Uncontrolled format string" (:code:`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
+*   Fixed an issue with the "Wrong type of arguments to formatting function" (:code:`cpp/wrong-type-format-argument`) query causing false positive results in :code:`build-mode: none` databases.
+*   Fixed an issue with the "Multiplication result converted to larger type" (:code:`cpp/integer-multiplication-cast-to-long`) query causing false positive results in :code:`build-mode: none` databases.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`@security-severity` metadata of :code:`cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+C#
+""
+
+*   The :code:`@security-severity` metadata of :code:`cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+*   The :code:`@security-severity` metadata of :code:`cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+Golang
+""""""
+
+*   The :code:`@security-severity` metadata of :code:`go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+*   The :code:`@security-severity` metadata of :code:`go/html-template-escaping-bypass-xss`, :code:`go/reflected-xss` and :code:`go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+Java/Kotlin
+"""""""""""
+
+*   The :code:`@security-severity` metadata of :code:`java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+*   The :code:`@security-severity` metadata of :code:`java/android/webview-addjavascriptinterface`, :code:`java/android/websettings-javascript-enabled` and :code:`java/xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+Python
+""""""
+
+*   The :code:`@security-severity` metadata of :code:`py/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+*   The :code:`@security-severity` metadata of :code:`py/jinja2/autoescape-false` and :code:`py/reflective-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+Ruby
+""""
+
+*   The :code:`@security-severity` metadata of :code:`rb/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+*   The :code:`@security-severity` metadata of :code:`rb/reflected-xss`, :code:`rb/stored-xss` and :code:`rb/html-constructed-from-input` has been increased from 6.1 (medium) to 7.8 (high).
+
+Swift
+"""""
+
+*   The :code:`@security-severity` metadata of :code:`swift/unsafe-webview-fetch` has been increased from 6.1 (medium) to 7.8 (high).
+
+Rust
+""""
+
+*   The :code:`@security-severity` metadata of :code:`rust/log-injection` has been increased from 2.6 (low) to 6.1 (medium).
+*   The :code:`@security-severity` metadata of :code:`rust/xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+Python
+""""""
+
+*   Fixed the resolution of relative imports such as :code:`from . import helper` inside namespace packages (directories without an :code:`__init__.py` file), which previously did not work correctly, leading to missing flow.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`SourceModelCsv`, :code:`SinkModelCsv`, and :code:`SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from :code:`ExternalFlow.qll`. New models should be added as :code:`.model.yml` files in the :code:`ext/` directory.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added :code:`HttpReceiveHttpRequest`, :code:`HttpReceiveRequestEntityBody`, and :code:`HttpReceiveClientCertificate` from Win32's :code:`http.h` as remote flow sources.
+*   Added dataflow through members initialized via non-static data member initialization (NSDMI).
+
+C#
+""
+
+*   The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
+*   The :code:`cs/log-forging` query no longer treats arguments to extension methods with source code on :code:`ILogger` types as sinks. Instead, taint is tracked interprocedurally through extension method bodies, reducing false positives when extension methods sanitize input internally.
+
+Java/Kotlin
+"""""""""""
+
+*   The :code:`java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in :code:`if`\ -condition bounds-checking patterns. For example, :code:`if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
+*   The :code:`java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (:code:`EC`, :code:`ECDSA`, :code:`ECDH`, :code:`EdDSA`, :code:`Ed25519`, :code:`Ed448`, :code:`XDH`, :code:`X25519`, :code:`X448`), HMAC-based algorithms (:code:`HMACSHA1`, :code:`HMACSHA256`, :code:`HMACSHA384`, :code:`HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
+*   The first argument of the method :code:`getInstance` of :code:`java.security.Signature` is now modeled as a sink for :code:`java/potentially-weak-cryptographic-algorithm`, :code:`java/weak-cryptographic-algorithm` and :code:`java/rsa-without-oaep`. This will increase the number of alerts for these queries.
+*   Kotlin versions up to 2.3.20 are now supported.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a subclass :code:`MesonPrivateTestFile` of :code:`ConfigurationTestFile` that represents files created by Meson to test the build configuration.
+*   Added a class :code:`ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+*   Added a class :code:`ConstructorDefaultFieldInit` to represent default field initializations.
+*   Added a class :code:`DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+*   Added a predicate :code:`Node::asIndirectInstruction` which returns the :code:`Instruction` that defines the indirect dataflow node, if any.
+*   Added a class :code:`IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
--- a/docs/codeql/codeql-overview/codeql-changelog/index.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst
@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
   :maxdepth: 1

+   codeql-cli-2.25.2
   codeql-cli-2.25.1
   codeql-cli-2.25.0
   codeql-cli-2.24.3
--- a/docs/codeql/reusables/supported-versions-compilers.rst
+++ b/docs/codeql/reusables/supported-versions-compilers.rst
@@ -26,7 +26,7 @@
   Python [10]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
   Ruby [11]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
   Rust [12]_,"Rust editions 2021 and 2024","Rust compiler","``.rs``, ``Cargo.toml``"
-   Swift [13]_ [14]_,"Swift 5.4-6.2","Swift compiler","``.swift``"
+   Swift [13]_ [14]_,"Swift 5.4-6.3","Swift compiler","``.swift``"
   TypeScript [15]_,"2.6-5.9",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"

 .. container:: footnote-group
--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -9,8 +9,8 @@ toolchain go1.26.0
 // when adding or removing dependencies, run
 //    bazel mod tidy
 require (
-	golang.org/x/mod v0.34.0
-	golang.org/x/tools v0.43.0
+	golang.org/x/mod v0.35.0
+	golang.org/x/tools v0.44.0
 )

 require github.com/stretchr/testify v1.11.1
--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -6,12 +6,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`\| MissedSelectOpportunity.cs:11:9:15:9 \| foreach (... ... in ...) ... \| This foreach loop immediately $@ - consider mapping the sequence explicitly using '.Select(...)'. \| MissedSelectOpportunity.cs:13:13:13:26 \| ... ...; \| maps its iteration variable to another variable \|`