add overlay[caller] annotations

set compileForOverlayEval true for java
synchronise files
2026-05-16 20:27:06 +02:00 · 2025-04-21 10:09:30 +01:00 · 2025-04-21 10:09:01 +01:00 · 2025-04-21 10:08:59 +01:00 · 2025-04-21 10:08:56 +01:00
976 changed files with 7180 additions and 32123 deletions
--- a/actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected
@@ -1 +0,0 @@
-
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -1,17 +0,0 @@
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -1,27 +0,0 @@
-ql/actions/ql/src/Debug/SyntaxError.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
-ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
-ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
-ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -1,23 +0,0 @@
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
-ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
--- a/actions/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/actions/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -1,17 +0,0 @@
-ql/actions/ql/src/Debug/partial.ql
-ql/actions/ql/src/Models/CompositeActionsSinks.ql
-ql/actions/ql/src/Models/CompositeActionsSources.ql
-ql/actions/ql/src/Models/CompositeActionsSummaries.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
-ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
-ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
-ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
-ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
-ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
-ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
-ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
-ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
-ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
-ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
--- a/actions/ql/integration-tests/query-suite/test.py
+++ b/actions/ql/integration-tests/query-suite/test.py
@@ -1,14 +0,0 @@
-import runs_on
-import pytest
-from query_suites import *
-
-well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
-
-@runs_on.posix
-@pytest.mark.parametrize("query_suite", well_known_query_suites)
-def test(codeql, actions, check_query_suite, query_suite):
-    check_query_suite(query_suite)
-
-@runs_on.posix
-def test_not_included_queries(codeql, actions, check_queries_not_included):
-    check_queries_not_included('actions', well_known_query_suites)
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,12 +1,6 @@
-## 0.4.8
-
-No user-facing changes.
-
 ## 0.4.7

-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+No user-facing changes.

 ## 0.4.6

--- a/actions/ql/lib/change-notes/released/0.4.7.md
+++ b/actions/ql/lib/change-notes/released/0.4.7.md
@@ -1,5 +1,3 @@
 ## 0.4.7

-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.8.md
+++ b/actions/ql/lib/change-notes/released/0.4.8.md
@@ -1,3 +0,0 @@
-## 0.4.8
-
-No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.8
+lastReleaseVersion: 0.4.7
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.8
+version: 0.4.8-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,29 +1,5 @@
-## 0.6.0
-
-### Breaking Changes
-
-* The following queries have been removed from the `security-and-quality` suite.
-  They are not intended to produce user-facing
-  alerts describing vulnerabilities.
-  Any existing alerts for these queries will be closed automatically.
-  * `actions/composite-action-sinks`
-  * `actions/composite-action-sources`
-  * `actions/composite-action-summaries`
-  * `actions/reusable-workflow-sinks`
-    (renamed from `actions/reusable-wokflow-sinks`)
-  * `actions/reusable-workflow-sources`
-  * `actions/reusable-workflow-summaries`
-
-### Bug Fixes
-
-* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
-
 ## 0.5.4

-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
-
 ### Bug Fixes

 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
--- a/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -5,7 +5,7 @@
 * @problem.severity warning
 * @security-severity 9.3
 * @precision high
- * @id actions/reusable-workflow-sinks
+ * @id actions/reusable-wokflow-sinks
 * @tags actions
 *       model-generator
 *       external/cwe/cwe-020
--- a/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md
+++ b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
--- a/actions/ql/src/change-notes/released/0.5.4.md
+++ b/actions/ql/src/change-notes/released/0.5.4.md
@@ -1,9 +1,5 @@
 ## 0.5.4

-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
-
 ### Bug Fixes

 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
--- a/actions/ql/src/change-notes/released/0.6.0.md
+++ b/actions/ql/src/change-notes/released/0.6.0.md
@@ -1,19 +0,0 @@
-## 0.6.0
-
-### Breaking Changes
-
-* The following queries have been removed from the `security-and-quality` suite.
-  They are not intended to produce user-facing
-  alerts describing vulnerabilities.
-  Any existing alerts for these queries will be closed automatically.
-  * `actions/composite-action-sinks`
-  * `actions/composite-action-sources`
-  * `actions/composite-action-summaries`
-  * `actions/reusable-workflow-sinks`
-    (renamed from `actions/reusable-wokflow-sinks`)
-  * `actions/reusable-workflow-sources`
-  * `actions/reusable-workflow-summaries`
-
-### Bug Fixes
-
-* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.0
+lastReleaseVersion: 0.5.4
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.0
+version: 0.5.5-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/annotateOverlayLocal.py
+++ b/annotateOverlayLocal.py
@@ -0,0 +1,123 @@
+#!/usr/bin/python
+
+import os
+
+
+def process_single_file(filename):
+    if not filename.endswith(".qll"):
+        return
+
+    with open(filename, 'r') as file_in:
+        lines = [line for line in file_in]
+
+    configuresDataflow = any(
+        "implements DataFlow::ConfigSig" in line for line in lines)
+
+    moduleAnnotations = ""
+    if any(line for line in lines if line.rstrip().endswith("module;")):
+        for line in lines:
+            moduleAnnotations += line
+            if line.rstrip().endswith("module;"):
+                break
+
+    moduleAnnotations = strip_comments(moduleAnnotations)
+
+    isFileLevelAnnotated = ("overlay[local]" in moduleAnnotations or
+                            "overlay[local?]" in moduleAnnotations)
+
+    if configuresDataflow or isFileLevelAnnotated or filename.endswith("Query.qll"):
+        if isFileLevelAnnotated and configuresDataflow:
+            print("WARNING: file \""+filename +
+                  "\" configures dataflow, but is annotated local")
+        elif configuresDataflow and not filename.endswith("Query.qll"):
+            print("WARNING: file \""+filename +
+                  "\" configures dataflow but is not a [...]Query.qll file")
+        elif filename.endswith("Query.qll") and not configuresDataflow:
+            print("WARNING: file \""+filename +
+                  "\" is a [...]Query.qll file that does not configure dataflow")
+        elif isFileLevelAnnotated and filename.endswith("Query.qll"):
+            print("WARNING: file \""+filename +
+                  "\" is a [...]Query.qll file, but is annotated local")
+    elif any(line for line in lines if line.rstrip().endswith("module;")):
+        print("file \""+filename +
+              " was annotated using an existing file-level module statment")
+        with open(filename, "w") as file_out:
+            for line in lines:
+                if line.rstrip().endswith("module;"):
+                    file_out.write("overlay[local?]\n")
+                file_out.write(line)
+    elif (lines[0].startswith("import ") or lines[0].startswith("private ") or
+          lines[0].startswith("newtype ") or lines[0].startswith("module ") or
+          lines[0].startswith("signature ")):
+        print("file \""+filename+" was annotated at the very start of the file")
+        with open(filename, "w") as file_out:
+            file_out.write("overlay[local?]\nmodule;\n\n")
+            for line in lines:
+                file_out.write(line)
+    elif (strip_comments("".join(lines)).lstrip().startswith("import") or
+          strip_comments("".join(lines)).lstrip().startswith("private import")):
+        print("file \""+filename+" was annotated at the first import statement")
+        with open(filename, "w") as file_out:
+            firstImport = True
+            addEmptyLine = ""
+            for line in lines:
+                if not line.strip():
+                    if addEmptyLine:
+                        file_out.write(addEmptyLine)
+                    addEmptyLine = line
+                else:
+                    if firstImport and (line.startswith("import") or line.startswith("private")):
+                        file_out.write("overlay[local?]\nmodule;\n")
+                        firstImport = False
+
+                    if addEmptyLine:
+                        file_out.write(addEmptyLine)
+                        addEmptyLine = ""
+                    file_out.write(line)
+    elif (len(lines) > 2 and lines[0].startswith("/** ") and lines[0].endswith(" */\n") and
+          not lines[1].strip() and lines[2].startswith("/**")):
+        print("file \""+filename+" was annotated after single-line file module qldoc")
+        with open(filename, "w") as file_out:
+            file_out.write(lines[0])
+            file_out.write("overlay[local?]\nmodule;\n")
+            for line in lines[1:]:
+                file_out.write(line)
+    else:
+        print("ERROR: failure to annotate file \""+filename+"\"")
+
+
+def strip_comments(str):
+    prev = ""
+    in_multiline = False
+    in_singleline = False
+
+    result = ""
+    for c in str:
+        if c == '*' and prev == '/':
+            in_multiline = True
+            prev = ""
+        elif c == '/' and prev == '/':
+            in_singleline = True
+            prev = ""
+        elif in_multiline and c == '/' and prev == '*':
+            in_multiline = False
+            prev = ""
+        elif in_singleline and c == '\n':
+            in_singleline = False
+            result += '\n'
+            prev = ""
+        else:
+            if not in_multiline and not in_singleline:
+                if prev == '/':
+                    result += '/'
+                if c != '/':
+                    result += c
+            prev = c
+    return result
+
+
+for roots in ["java/ql/lib/semmle/code", "shared"]:
+    for dirpath, dirnames, filenames in os.walk(roots):
+        for filename in filenames:
+            if filename.endswith(".qll"):
+                process_single_file(os.path.join(dirpath, filename))
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/decltypes.ql
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/decltypes.ql
@@ -1,11 +0,0 @@
-class Type extends @type {
-  string toString() { none() }
-}
-
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-from Type decltype, Expr expr, Type basetype, boolean parentheses
-where decltypes(decltype, expr, _, basetype, parentheses)
-select decltype, expr, basetype, parentheses
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/derivedtypes.ql
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/derivedtypes.ql
@@ -1,19 +0,0 @@
-class Type extends @type {
-  string toString() { none() }
-}
-
-predicate derivedType(Type type, string name, int kind, Type type_id) {
-  derivedtypes(type, name, kind, type_id)
-}
-
-predicate typeTransformation(Type type, string name, int kind, Type type_id) {
-  type_operators(type, _, _, type_id) and
-  name = "" and
-  kind = 3 // @type_with_specifiers
-}
-
-from Type type, string name, int kind, Type type_id
-where
-  derivedType(type, name, kind, type_id) or
-  typeTransformation(type, name, kind, type_id)
-select type, name, kind, type_id
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties
@@ -1,5 +0,0 @@
-description: Support C23 typeof and typeof_unqual
-compatibility: backwards
-decltypes.rel: run decltypes.qlo
-derivedtypes.rel: run derivedtypes.qlo
-type_operators.rel: delete
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,12 +1,3 @@
-## 4.3.0
-
-### New Features
-
-* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
-* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
-* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
-* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
-
 ## 4.2.0

 ### New Features
--- a/cpp/ql/lib/change-notes/2025-04-14-variable-length-arrays.md
+++ b/cpp/ql/lib/change-notes/2025-04-14-variable-length-arrays.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
--- a/cpp/ql/lib/change-notes/2025-04-15-field-array-designator.md
+++ b/cpp/ql/lib/change-notes/2025-04-15-field-array-designator.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
--- a/cpp/ql/lib/change-notes/released/4.3.0.md
+++ b/cpp/ql/lib/change-notes/released/4.3.0.md
@@ -1,8 +0,0 @@
-## 4.3.0
-
-### New Features
-
-* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
-* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
-* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
-* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.3.0
+lastReleaseVersion: 4.2.0
--- a/cpp/ql/lib/ext/generated/empty.model.yml
+++ b/cpp/ql/lib/ext/generated/empty.model.yml
@@ -1,5 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: []
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.3.0
+version: 4.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -16,7 +16,6 @@ dependencies:
  codeql/xml: ${workspace}
 dataExtensions:
  - ext/*.model.yml
-  - ext/generated/*.model.yml
  - ext/deallocation/*.model.yml
  - ext/allocation/*.model.yml
 warnOnImplicitThis: true
--- a/cpp/ql/lib/semmle/code/cpp/Print.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Print.qll
@@ -176,30 +176,6 @@ private class DecltypeDumpType extends DumpType, Decltype {
  }
 }

-private class TypeofDumpType extends DumpType, TypeofType {
-  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
-
-  override string getDeclaratorPrefix() {
-    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
-  }
-
-  override string getDeclaratorSuffix() {
-    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
-  }
-}
-
-private class IntrinsicTransformedDumpType extends DumpType, IntrinsicTransformedType {
-  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
-
-  override string getDeclaratorPrefix() {
-    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
-  }
-
-  override string getDeclaratorSuffix() {
-    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
-  }
-}
-
 private class PointerIshDumpType extends DerivedDumpType {
  PointerIshDumpType() {
    this instanceof PointerType or
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -92,9 +92,8 @@ class Type extends Locatable, @type {
  /**
   * Gets this type after typedefs have been resolved.
   *
-   * The result of this predicate will be the type itself, except in the case of a TypedefType, a Decltype,
-   * or a TypeofType, in which case the result will be type which results from (possibly recursively)
-   * resolving typedefs.
+   * The result of this predicate will be the type itself, except in the case of a TypedefType or a Decltype,
+   * in which case the result will be type which results from (possibly recursively) resolving typedefs.
   */
  pragma[nomagic]
  Type getUnderlyingType() { result = this }
@@ -1118,20 +1117,18 @@ class DerivedType extends Type, @derivedtype {
 * decltype(a) b;
 * ```
 */
-class Decltype extends Type {
-  Decltype() { decltypes(underlyingElement(this), _, 0, _, _) }
-
+class Decltype extends Type, @decltype {
  override string getAPrimaryQlClass() { result = "Decltype" }

  /**
-   * Gets the expression whose type is being obtained by this decltype.
+   * The expression whose type is being obtained by this decltype.
   */
-  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _) }

  /**
-   * Gets the type immediately yielded by this decltype.
+   * The type immediately yielded by this decltype.
   */
-  Type getBaseType() { decltypes(underlyingElement(this), _, _, unresolveElement(result), _) }
+  Type getBaseType() { decltypes(underlyingElement(this), _, unresolveElement(result), _) }

  /**
   * Whether an extra pair of parentheses around the expression would change the semantics of this decltype.
@@ -1145,7 +1142,7 @@ class Decltype extends Type {
   * ```
   * Please consult the C++11 standard for more details.
   */
-  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, _, true) }
+  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, true) }

  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }

@@ -1186,215 +1183,6 @@ class Decltype extends Type {
  }
 }

-/**
- * An instance of the C23 `typeof` or `typeof_unqual` operator. For example:
- * ```
- * int a;
- * typeof(a) b;
- * typeof_unqual(const int) b;
- * ```
- */
-class TypeofType extends Type {
-  TypeofType() {
-    decltypes(underlyingElement(this), _, 1, _, _) or
-    type_operators(underlyingElement(this), _, 0, _)
-  }
-
-  /**
-   * Gets the type immediately yielded by this typeof.
-   */
-  Type getBaseType() {
-    decltypes(underlyingElement(this), _, _, unresolveElement(result), _)
-    or
-    type_operators(underlyingElement(this), _, _, unresolveElement(result))
-  }
-
-  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
-
-  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
-
-  override Type stripType() { result = this.getBaseType().stripType() }
-
-  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
-
-  override string toString() { result = "typeof(...)" }
-
-  override string getName() { none() }
-
-  override int getSize() { result = this.getBaseType().getSize() }
-
-  override int getAlignment() { result = this.getBaseType().getAlignment() }
-
-  override int getPointerIndirectionLevel() {
-    result = this.getBaseType().getPointerIndirectionLevel()
-  }
-
-  override string explain() {
-    result = "typeof resulting in {" + this.getBaseType().explain() + "}"
-  }
-
-  override predicate involvesReference() { this.getBaseType().involvesReference() }
-
-  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
-
-  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
-
-  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
-
-  override Specifier internal_getAnAdditionalSpecifier() {
-    result = this.getBaseType().getASpecifier()
-  }
-}
-
-/**
- * An instance of the C23 `typeof` or `typeof_unqual` operator taking an expression
- * as its argument. For example:
- * ```
- * int a;
- * typeof(a) b;
- * ```
- */
-class TypeofExprType extends TypeofType {
-  TypeofExprType() { decltypes(underlyingElement(this), _, 1, _, _) }
-
-  override string getAPrimaryQlClass() { result = "TypeofExprType" }
-
-  /**
-   * Gets the expression whose type is being obtained by this typeof.
-   */
-  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}
-
-/**
- * A type obtained by C23 `typeof` or `typeof_unqual` operator taking a type as its
- * argument. For example:
- * ```
- * typeof_unqual(const int) b;
- * ```
- */
-class TypeofTypeType extends TypeofType {
-  TypeofTypeType() { type_operators(underlyingElement(this), _, 0, _) }
-
-  /**
-   * Gets the expression whose type is being obtained by this typeof.
-   */
-  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
-
-  override string getAPrimaryQlClass() { result = "TypeofTypeType" }
-
-  override string toString() { result = "typeof(...)" }
-}
-
-/**
- * A type obtained by applying a type transforming intrinsic. For example:
- * ```
- * __make_unsigned(int) x;
- * ```
- */
-class IntrinsicTransformedType extends Type {
-  int intrinsic;
-
-  IntrinsicTransformedType() {
-    type_operators(underlyingElement(this), _, intrinsic, _) and
-    intrinsic in [1 .. 19]
-  }
-
-  override string getAPrimaryQlClass() { result = "IntrinsicTransformedType" }
-
-  override string toString() { result = this.getIntrinsicName() + "(...)" }
-
-  /**
-   * Gets the type immediately yielded by this transformation.
-   */
-  Type getBaseType() { type_operators(underlyingElement(this), _, _, unresolveElement(result)) }
-
-  /**
-   * Gets the type that is transformed.
-   */
-  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
-
-  /**
-   * Gets the name of the intrinsic used to transform the type.
-   */
-  string getIntrinsicName() {
-    intrinsic = 1 and result = "__underlying_type"
-    or
-    intrinsic = 2 and result = "__bases"
-    or
-    intrinsic = 3 and result = "__direct_bases"
-    or
-    intrinsic = 4 and result = "__add_lvalue_reference"
-    or
-    intrinsic = 5 and result = "__add_pointer"
-    or
-    intrinsic = 6 and result = "__add_rvalue_reference"
-    or
-    intrinsic = 7 and result = "__decay"
-    or
-    intrinsic = 8 and result = "__make_signed"
-    or
-    intrinsic = 9 and result = "__make_unsigned"
-    or
-    intrinsic = 10 and result = "__remove_all_extents"
-    or
-    intrinsic = 11 and result = "__remove_const"
-    or
-    intrinsic = 12 and result = "__remove_cv"
-    or
-    intrinsic = 13 and result = "__remove_cvref"
-    or
-    intrinsic = 14 and result = "__remove_extent"
-    or
-    intrinsic = 15 and result = "__remove_pointer"
-    or
-    intrinsic = 16 and result = "__remove_reference_t"
-    or
-    intrinsic = 17 and result = "__remove_restrict"
-    or
-    intrinsic = 18 and result = "__remove_volatile"
-    or
-    intrinsic = 19 and result = "__remove_reference"
-  }
-
-  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
-
-  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
-
-  override Type stripType() { result = this.getBaseType().stripType() }
-
-  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
-
-  override string getName() { none() }
-
-  override int getSize() { result = this.getBaseType().getSize() }
-
-  override int getAlignment() { result = this.getBaseType().getAlignment() }
-
-  override int getPointerIndirectionLevel() {
-    result = this.getBaseType().getPointerIndirectionLevel()
-  }
-
-  override string explain() {
-    result =
-      "application of " + this.getIntrinsicName() + " resulting in {" + this.getBaseType().explain()
-        + "}"
-  }
-
-  override predicate involvesReference() { this.getBaseType().involvesReference() }
-
-  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
-
-  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
-
-  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
-
-  override Specifier internal_getAnAdditionalSpecifier() {
-    result = this.getBaseType().getASpecifier()
-  }
-}
-
 /**
 * A C/C++ pointer type. See 4.9.1.
 * ```
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -310,8 +310,6 @@ class Expr extends StmtParent, @expr {
    or
    exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
    or
-    exists(TypeofExprType t | t.getExpr() = this.getParentWithConversions*())
-    or
    exists(ConstexprIfStmt constIf |
      constIf.getControllingExpr() = this.getParentWithConversions*()
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
@@ -16,10 +16,6 @@ private predicate isDeeplyConst(Type t) {
  or
  isDeeplyConst(t.(Decltype).getBaseType())
  or
-  isDeeplyConst(t.(TypeofType).getBaseType())
-  or
-  isDeeplyConst(t.(IntrinsicTransformedType).getBaseType())
-  or
  isDeeplyConst(t.(ReferenceType).getBaseType())
  or
  exists(SpecifiedType specType | specType = t |
@@ -40,10 +36,6 @@ private predicate isDeeplyConstBelow(Type t) {
  or
  isDeeplyConstBelow(t.(Decltype).getBaseType())
  or
-  isDeeplyConstBelow(t.(TypeofType).getBaseType())
-  or
-  isDeeplyConstBelow(t.(IntrinsicTransformedType).getBaseType())
-  or
  isDeeplyConst(t.(PointerType).getBaseType())
  or
  isDeeplyConst(t.(ReferenceType).getBaseType())
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -743,17 +743,15 @@ typedefbase(
 );

 /**
- * An instance of the C++11 `decltype` operator or C23 `typeof`/`typeof_unqual`
- * operator taking an expression as its argument.  For example:
+ * An instance of the C++11 `decltype` operator.  For example:
 * ```
 * int a;
 * decltype(1+a) b;
- * typeof(1+a) c;
 * ```
 * Here `expr` is `1+a`.
 *
 * Sometimes an additional pair of parentheses around the expression
- * changes the semantics of the decltype, e.g.
+ * would change the semantics of this decltype, e.g.
 * ```
 * struct A { double x; };
 * const A* a = new A();
@@ -763,55 +761,14 @@ typedefbase(
 * (Please consult the C++11 standard for more details).
 * `parentheses_would_change_meaning` is `true` iff that is the case.
 */
-
-/*
-case @decltype.kind of
-|  0 = @decltype
-|  1 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
-;
-*/
-
 #keyset[id, expr]
 decltypes(
    int id: @decltype,
    int expr: @expr ref,
-    int kind: int ref,
    int base_type: @type ref,
    boolean parentheses_would_change_meaning: boolean ref
 );

-/*
-case @type_operator.kind of
-|  0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
-|  1 = @underlying_type
-|  2 = @bases
-|  3 = @direct_bases
-|  4 = @add_lvalue_reference
-|  5 = @add_pointer
-|  6 = @add_rvalue_reference
-|  7 = @decay
-|  8 = @make_signed
-|  9 = @make_unsigned
-| 10 = @remove_all_extents
-| 11 = @remove_const
-| 12 = @remove_cv
-| 13 = @remove_cvref
-| 14 = @remove_extent
-| 15 = @remove_pointer
-| 16 = @remove_reference_t
-| 17 = @remove_restrict
-| 18 = @remove_volatile
-| 19 = @remove_reference
-;
-*/
-
-type_operators(
-    unique int id: @type_operator,
-    int arg_type: @type ref,
-    int kind: int ref,
-    int base_type: @type ref
-)
-
 /*
 case @usertype.kind of
 |  0 = @unknown_usertype
@@ -1146,10 +1103,10 @@ stmtattributes(
@type = @builtintype
      | @derivedtype
      | @usertype
+      /* TODO | @fixedpointtype */
      | @routinetype
      | @ptrtomember
-      | @decltype
-      | @type_operator;
+      | @decltype;

 unspecifiedtype(
    unique int type_id: @type ref,
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/decltypes.ql
+++ b/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/decltypes.ql
@@ -1,11 +0,0 @@
-class Type extends @type {
-  string toString() { none() }
-}
-
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-from Type decltype, Expr expr, Type basetype, boolean parentheses
-where decltypes(decltype, expr, basetype, parentheses)
-select decltype, expr, 0, basetype, parentheses
--- a/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/old.dbscheme
+++ b/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/old.dbscheme
--- a/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/upgrade.properties
+++ b/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/upgrade.properties
@@ -1,3 +0,0 @@
-description: Support C23 typeof and typeof_unqual
-compatibility: partial
-decltypes.rel: run decltypes.qlo
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.3.9
-
-No user-facing changes.
-
 ## 1.3.8

 No user-facing changes.
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -179,7 +179,6 @@ predicate overflows(MulExpr me, Type t) {

 from MulExpr me, Type t1, Type t2
 where
-  not any(Compilation c).buildModeNone() and
  t1 = me.getType().getUnderlyingType() and
  t2 = me.getConversion().getType().getUnderlyingType() and
  t1.getSize() < t2.getSize() and
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -154,7 +154,6 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }

 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
-  not any(Compilation c).buildModeNone() and
  (
    formattingFunctionCallExpectedType(ffc, n, expected) and
    formattingFunctionCallActualType(ffc, n, arg, actual) and
--- a/Management/SuspiciousCallToMemset.ql
+++ b/Management/SuspiciousCallToMemset.ql
@@ -47,17 +47,11 @@ Type stripType(Type t) {
  or
  result = stripType(t.(Decltype).getBaseType())
  or
-  result = stripType(t.(TypeofType).getBaseType())
-  or
-  result = stripType(t.(IntrinsicTransformedType).getBaseType())
-  or
  not t instanceof TypedefType and
  not t instanceof ArrayType and
  not t instanceof ReferenceType and
  not t instanceof SpecifiedType and
  not t instanceof Decltype and
-  not t instanceof TypeofType and
-  not t instanceof IntrinsicTransformedType and
  result = t
 }

--- a/Functions/ImplicitFunctionDeclaration.ql
+++ b/Functions/ImplicitFunctionDeclaration.ql
@@ -38,7 +38,6 @@ predicate isCompiledAsC(File f) {

 from FunctionDeclarationEntry fdeIm, FunctionCall fc
 where
-  not any(Compilation c).buildModeNone() and
  isCompiledAsC(fdeIm.getFile()) and
  not isFromMacroDefinition(fc) and
  fdeIm.isImplicit() and
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -51,7 +51,6 @@ int getComparisonSizeAdjustment(Expr e) {

 from Loop l, RelationalOperation rel, VariableAccess small, Expr large
 where
-  not any(Compilation c).buildModeNone() and
  small = rel.getLesserOperand() and
  large = rel.getGreaterOperand() and
  rel = l.getCondition().getAChild*() and
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -24,12 +24,10 @@ private predicate isCharSzPtrExpr(Expr e) {

 from Expr sizeofExpr, Expr e
 where
-  not any(Compilation c).buildModeNone() and
  // If we see an addWithSizeof then we expect the type of
  // the pointer expression to be `char*` or `void*`. Otherwise it
  // is probably a mistake.
-  addWithSizeof(e, sizeofExpr, _) and
-  not isCharSzPtrExpr(e)
+  addWithSizeof(e, sizeofExpr, _) and not isCharSzPtrExpr(e)
 select sizeofExpr,
  "Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@.",
  e.getFullyConverted().getType() as t, t.toString()
--- a/cpp/ql/src/change-notes/released/1.3.9.md
+++ b/cpp/ql/src/change-notes/released/1.3.9.md
@@ -1,3 +0,0 @@
-## 1.3.9
-
-No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.9
+lastReleaseVersion: 1.3.8
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.9
+version: 1.3.9-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+++ b/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
@@ -1,13 +0,0 @@
-/**
- * @name Capture content based summary models.
- * @description Finds applicable content based summary models to be used by other queries.
- * @kind diagnostic
- * @id cpp/utils/modelgenerator/contentbased-summary-models
- * @tags modelgenerator
- */
-
-import internal.CaptureModels
-
-from DataFlowSummaryTargetApi api, string flow
-where flow = ContentSensitive::captureFlow(api, _)
-select flow order by flow
--- a/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
+++ b/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
@@ -1,14 +0,0 @@
-/**
- * @name Capture sink models.
- * @description Finds public methods that act as sinks as they flow into a known sink.
- * @kind diagnostic
- * @id cpp/utils/modelgenerator/sink-models
- * @tags modelgenerator
- */
-
-import internal.CaptureModels
-import Heuristic
-
-from DataFlowSinkTargetApi api, string sink
-where sink = captureSink(api)
-select sink order by sink
--- a/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
+++ b/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
@@ -1,14 +0,0 @@
-/**
- * @name Capture source models.
- * @description Finds APIs that act as sources as they expose already known sources.
- * @kind diagnostic
- * @id cpp/utils/modelgenerator/source-models
- * @tags modelgenerator
- */
-
-import internal.CaptureModels
-import Heuristic
-
-from DataFlowSourceTargetApi api, string source
-where source = captureSource(api)
-select source order by source
--- a/cpp/ql/src/utils/modelgenerator/GenerateFlowModel.py
+++ b/cpp/ql/src/utils/modelgenerator/GenerateFlowModel.py
@@ -1,15 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import os.path
-import subprocess
-
-# Add Model as Data script directory to sys.path.
-gitroot = subprocess.check_output(["git", "rev-parse", "--show-toplevel"]).decode("utf-8").strip()
-madpath = os.path.join(gitroot, "misc/scripts/models-as-data/")
-sys.path.append(madpath)
-
-import generate_flow_model as model
-
-language = "cpp"
-model.Generator.make(language).run()
--- a/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -1,404 +0,0 @@
-/**
- * Provides predicates related to capturing summary models of the Standard or a 3rd party library.
- */
-
-private import cpp
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.dataflow.ExternalFlow as ExternalFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as DataFlowPrivate
-private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
-private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
-private import semmle.code.cpp.dataflow.new.TaintTracking
-private import codeql.mad.modelgenerator.internal.ModelGeneratorImpl
-
-module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFlow> {
-  class Type = DataFlowPrivate::DataFlowType;
-
-  // Note: This also includes `this`
-  class Parameter = DataFlow::ParameterNode;
-
-  class Callable = Declaration;
-
-  class NodeExtended extends DataFlow::Node {
-    Callable getAsExprEnclosingCallable() { result = this.asExpr().getEnclosingDeclaration() }
-  }
-
-  Parameter asParameter(NodeExtended n) { result = n }
-
-  Callable getEnclosingCallable(NodeExtended n) {
-    result = n.getEnclosingCallable().asSourceCallable()
-  }
-
-  Callable getAsExprEnclosingCallable(NodeExtended n) {
-    result = n.asExpr().getEnclosingDeclaration()
-  }
-
-  /** Gets `api` if it is relevant. */
-  private Callable liftedImpl(Callable api) { result = api and relevant(api) }
-
-  private predicate hasManualSummaryModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) or
-    api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel())
-  }
-
-  private predicate hasManualSourceModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::NeutralSourceCallable sc | sc.hasManualModel())
-  }
-
-  private predicate hasManualSinkModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::NeutralSinkCallable sc | sc.hasManualModel())
-  }
-
-  /**
-   * Holds if `f` is a "private" function.
-   *
-   * A "private" function does not contribute any models as it is assumed
-   * to be an implementation detail of some other "public" function for which
-   * we will generate a summary.
-   */
-  private predicate isPrivateOrProtected(Function f) {
-    f.getNamespace().getParentNamespace*().isAnonymous()
-    or
-    exists(MemberFunction mf | mf = f |
-      mf.isPrivate()
-      or
-      mf.isProtected()
-    )
-    or
-    f.isStatic()
-  }
-
-  private predicate isUninterestingForModels(Callable api) {
-    // Note: This also makes all global/static-local variables
-    // not relevant (which is good!)
-    not api.(Function).hasDefinition()
-    or
-    isPrivateOrProtected(api)
-    or
-    api instanceof Destructor
-    or
-    api = any(LambdaExpression lambda).getLambdaFunction()
-    or
-    api.isFromUninstantiatedTemplate(_)
-  }
-
-  private predicate relevant(Callable api) {
-    api.fromSource() and
-    not isUninterestingForModels(api)
-  }
-
-  class SummaryTargetApi extends Callable {
-    private Callable lift;
-
-    SummaryTargetApi() {
-      lift = liftedImpl(this) and
-      not hasManualSummaryModel(lift)
-    }
-
-    Callable lift() { result = lift }
-
-    predicate isRelevant() {
-      relevant(this) and
-      not hasManualSummaryModel(this)
-    }
-  }
-
-  class SourceOrSinkTargetApi extends Callable {
-    SourceOrSinkTargetApi() { relevant(this) }
-  }
-
-  class SinkTargetApi extends SourceOrSinkTargetApi {
-    SinkTargetApi() { not hasManualSinkModel(this) }
-  }
-
-  class SourceTargetApi extends SourceOrSinkTargetApi {
-    SourceTargetApi() { not hasManualSourceModel(this) }
-  }
-
-  class InstanceParameterNode extends DataFlow::ParameterNode {
-    InstanceParameterNode() {
-      DataFlowPrivate::nodeHasInstruction(this,
-        any(InitializeParameterInstruction i | i.hasIndex(-1)), 1)
-    }
-  }
-
-  private predicate isFinalMemberFunction(MemberFunction mf) {
-    mf.isFinal()
-    or
-    mf.getDeclaringType().isFinal()
-  }
-
-  /**
-   * Holds if the summary generated for `c` should also apply to overrides
-   * of `c`.
-   */
-  private string isExtensible(Callable c) {
-    if isFinalMemberFunction(c) then result = "false" else result = "true"
-  }
-
-  /**
-   * Gets the string representing the list of template parameters declared
-   * by `template`.
-   *
-   * `template` must either be:
-   * - An uninstantiated template, or
-   * - A declaration that is not from a template instantiation.
-   */
-  private string templateParams(Declaration template) {
-    exists(string params |
-      params =
-        concat(int i |
-          |
-          template.getTemplateArgument(i).(TypeTemplateParameter).getName(), "," order by i
-        )
-    |
-      if params = "" then result = "" else result = "<" + params + ">"
-    )
-  }
-
-  /**
-   * Gets the string representing the list of parameters declared
-   * by `functionTemplate`.
-   *
-   * `functionTemplate` must either be:
-   * - An uninstantiated template, or
-   * - A declaration that is not from a template instantiation.
-   */
-  private string params(Function functionTemplate) {
-    exists(string params |
-      params =
-        concat(int i |
-          |
-          ExternalFlow::getParameterTypeWithoutTemplateArguments(functionTemplate, i, true), ","
-          order by
-            i
-        ) and
-      result = "(" + params + ")"
-    )
-  }
-
-  /**
-   * Holds if the callable `c` is:
-   * - In the namespace represented by `namespace`, and
-   * - Has a declaring type represented by `type`, and
-   * - Has the name `name`, and
-   * - Has a list of parameters represented by `params`
-   *
-   * This is the predicate that computes the columns that it put into the MaD
-   * row for `callable`.
-   */
-  private predicate qualifiedName(
-    Callable callable, string namespace, string type, string name, string params
-  ) {
-    exists(
-      Function functionTemplate, string typeWithoutTemplateArgs, string nameWithoutTemplateArgs
-    |
-      functionTemplate = ExternalFlow::getFullyTemplatedFunction(callable) and
-      functionTemplate.hasQualifiedName(namespace, typeWithoutTemplateArgs, nameWithoutTemplateArgs) and
-      nameWithoutTemplateArgs = functionTemplate.getName() and
-      name = nameWithoutTemplateArgs + templateParams(functionTemplate) and
-      params = params(functionTemplate)
-    |
-      exists(Class classTemplate |
-        classTemplate = functionTemplate.getDeclaringType() and
-        type = typeWithoutTemplateArgs + templateParams(classTemplate)
-      )
-      or
-      not exists(functionTemplate.getDeclaringType()) and
-      type = ""
-    )
-  }
-
-  predicate isRelevantType(Type t) { any() }
-
-  Type getUnderlyingContentType(DataFlow::ContentSet c) {
-    result = c.(DataFlow::FieldContent).getField().getUnspecifiedType() or
-    result = c.(DataFlow::UnionContent).getUnion().getUnspecifiedType()
-  }
-
-  string qualifierString() { result = "Argument[-1]" }
-
-  private predicate parameterContentAccessImpl(Parameter p, string argument) {
-    exists(int indirectionIndex, int argumentIndex, DataFlowPrivate::Position pos |
-      p.isSourceParameterOf(_, pos) and
-      pos.getArgumentIndex() = argumentIndex and
-      argumentIndex != -1 and // handled elsewhere
-      pos.getIndirectionIndex() = indirectionIndex
-    |
-      indirectionIndex = 0 and
-      argument = "Argument[" + argumentIndex + "]"
-      or
-      indirectionIndex > 0 and
-      argument = "Argument[" + DataFlow::repeatStars(indirectionIndex) + argumentIndex + "]"
-    )
-  }
-
-  string parameterAccess(Parameter p) { parameterContentAccessImpl(p, result) }
-
-  string parameterContentAccess(Parameter p) { parameterContentAccessImpl(p, result) }
-
-  bindingset[c]
-  string paramReturnNodeAsOutput(Callable c, DataFlowPrivate::Position pos) {
-    exists(Parameter p |
-      p.isSourceParameterOf(c, pos) and
-      result = parameterAccess(p)
-    )
-    or
-    pos.getArgumentIndex() = -1 and
-    result = qualifierString() and
-    pos.getIndirectionIndex() = 1
-  }
-
-  bindingset[c]
-  string paramReturnNodeAsContentOutput(Callable c, DataFlowPrivate::ParameterPosition pos) {
-    result = paramReturnNodeAsOutput(c, pos)
-  }
-
-  pragma[nomagic]
-  Callable returnNodeEnclosingCallable(DataFlow::Node ret) {
-    result = DataFlowImplCommon::getNodeEnclosingCallable(ret).asSourceCallable()
-  }
-
-  /** Holds if this instance access is to an enclosing instance of type `t`. */
-  pragma[nomagic]
-  private predicate isEnclosingInstanceAccess(DataFlowPrivate::ReturnNode n, Class t) {
-    n.getKind().isIndirectReturn(-1) and
-    t = n.getType().stripType() and
-    t != n.getEnclosingCallable().asSourceCallable().(Function).getDeclaringType()
-  }
-
-  pragma[nomagic]
-  predicate isOwnInstanceAccessNode(DataFlowPrivate::ReturnNode node) {
-    node.getKind().isIndirectReturn(-1) and
-    not isEnclosingInstanceAccess(node, _)
-  }
-
-  predicate sinkModelSanitizer(DataFlow::Node node) { none() }
-
-  predicate apiSource(DataFlow::Node source) {
-    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1)
-    or
-    source instanceof DataFlow::ParameterNode
-  }
-
-  string getInputArgument(DataFlow::Node source) {
-    exists(DataFlowPrivate::Position pos, int argumentIndex, int indirectionIndex |
-      source.(DataFlow::ParameterNode).isParameterOf(_, pos) and
-      argumentIndex = pos.getArgumentIndex() and
-      indirectionIndex = pos.getIndirectionIndex() and
-      result = "Argument[" + DataFlow::repeatStars(indirectionIndex) + argumentIndex + "]"
-    )
-    or
-    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1) and
-    result = qualifierString()
-  }
-
-  string getReturnValueString(DataFlowPrivate::ReturnKind k) {
-    k.isNormalReturn() and
-    exists(int indirectionIndex | indirectionIndex = k.getIndirectionIndex() |
-      indirectionIndex = 0 and
-      result = "ReturnValue"
-      or
-      indirectionIndex > 0 and
-      result = "ReturnValue[" + DataFlow::repeatStars(indirectionIndex) + "]"
-    )
-  }
-
-  predicate irrelevantSourceSinkApi(Callable source, SourceTargetApi api) { none() }
-
-  bindingset[kind]
-  predicate isRelevantSourceKind(string kind) { any() }
-
-  bindingset[kind]
-  predicate isRelevantSinkKind(string kind) { any() }
-
-  predicate containerContent(DataFlow::ContentSet cs) { cs instanceof DataFlow::ElementContent }
-
-  predicate isAdditionalContentFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    TaintTracking::defaultAdditionalTaintStep(node1, node2, _) and
-    not exists(DataFlow::Content f |
-      DataFlowPrivate::readStep(node1, f, node2) and containerContent(f)
-    )
-  }
-
-  predicate isField(DataFlow::ContentSet cs) {
-    exists(DataFlow::Content c | cs.isSingleton(c) |
-      c instanceof DataFlow::FieldContent or
-      c instanceof DataFlow::UnionContent
-    )
-  }
-
-  predicate isCallback(DataFlow::ContentSet c) { none() }
-
-  string getSyntheticName(DataFlow::ContentSet c) {
-    exists(Field f |
-      not f.isPublic() and
-      f = c.(DataFlow::FieldContent).getField() and
-      result = f.getName()
-    )
-  }
-
-  string printContent(DataFlow::ContentSet c) {
-    exists(int indirectionIndex, string name, string kind |
-      exists(DataFlow::UnionContent uc |
-        c.isSingleton(uc) and
-        name = uc.getUnion().getName() and
-        indirectionIndex = uc.getIndirectionIndex() and
-        // Note: We don't actually support the union string in MaD, but we should do that eventually
-        kind = "Union["
-      )
-      or
-      exists(DataFlow::FieldContent fc |
-        c.isSingleton(fc) and
-        name = fc.getField().getName() and
-        indirectionIndex = fc.getIndirectionIndex() and
-        kind = "Field["
-      )
-    |
-      result = kind + DataFlow::repeatStars(indirectionIndex) + name + "]"
-    )
-    or
-    exists(DataFlow::ElementContent ec |
-      c.isSingleton(ec) and
-      result = "Element[" + ec.getIndirectionIndex() + "]"
-    )
-  }
-
-  predicate isUninterestingForDataFlowModels(Callable api) { none() }
-
-  predicate isUninterestingForHeuristicDataFlowModels(Callable api) {
-    isUninterestingForDataFlowModels(api)
-  }
-
-  string partialModelRow(Callable api, int i) {
-    i = 0 and qualifiedName(api, result, _, _, _) // namespace
-    or
-    i = 1 and qualifiedName(api, _, result, _, _) // type
-    or
-    i = 2 and result = isExtensible(api) // extensible
-    or
-    i = 3 and qualifiedName(api, _, _, result, _) // name
-    or
-    i = 4 and qualifiedName(api, _, _, _, result) // parameters
-    or
-    i = 5 and result = "" and exists(api) // ext
-  }
-
-  string partialNeutralModelRow(Callable api, int i) {
-    i = 0 and qualifiedName(api, result, _, _, _) // namespace
-    or
-    i = 1 and qualifiedName(api, _, result, _, _) // type
-    or
-    i = 2 and qualifiedName(api, _, _, result, _) // name
-    or
-    i = 3 and qualifiedName(api, _, _, _, result) // parameters
-  }
-
-  predicate sourceNode = ExternalFlow::sourceNode/2;
-
-  predicate sinkNode = ExternalFlow::sinkNode/2;
-}
-
-import MakeModelGenerator<Location, CppDataFlow, CppTaintTracking, ModelGeneratorInput>
--- a/cpp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll
+++ b/cpp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll
@@ -1,13 +0,0 @@
-private import cpp as Cpp
-private import codeql.mad.modelgenerator.internal.ModelPrinting
-private import CaptureModels::ModelGeneratorInput as ModelGeneratorInput
-
-private module ModelPrintingLang implements ModelPrintingLangSig {
-  class Callable = Cpp::Declaration;
-
-  predicate partialModelRow = ModelGeneratorInput::partialModelRow/2;
-
-  predicate partialNeutralModelRow = ModelGeneratorInput::partialNeutralModelRow/2;
-}
-
-import ModelPrintingImpl<ModelPrintingLang>
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ext.yml
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ext.yml
@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data:
-      - [ "models", "ManuallyModelled", False, "hasSummary", "(void *)", "", "Argument[0]", "ReturnValue", "value", "manual"]
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ql
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ql
@@ -1,11 +0,0 @@
-import cpp
-import utils.modelgenerator.internal.CaptureModels
-import InlineModelsAsDataTest
-
-module InlineMadTestConfig implements InlineMadTestConfigSig {
-  string getCapturedModel(MadRelevantFunction c) { result = ContentSensitive::captureFlow(c, _) }
-
-  string getKind() { result = "contentbased-summary" }
-}
-
-import InlineMadTest<InlineMadTestConfig>
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ext.yml
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ext.yml
@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data:
-      - [ "Models", "ManuallyModelled", False, "hasSummary", "(void *)", "", "Argument[0]", "ReturnValue", "value", "manual"]
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql
@@ -1,11 +0,0 @@
-import cpp
-import utils.modelgenerator.internal.CaptureModels
-import InlineModelsAsDataTest
-
-module InlineMadTestConfig implements InlineMadTestConfigSig {
-  string getCapturedModel(MadRelevantFunction c) { result = Heuristic::captureFlow(c) }
-
-  string getKind() { result = "heuristic-summary" }
-}
-
-import InlineMadTest<InlineMadTestConfig>
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/InlineModelsAsDataTest.qll
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/InlineModelsAsDataTest.qll
@@ -1,34 +0,0 @@
-private import cpp
-private import codeql.mad.test.InlineMadTest
-
-class MadRelevantFunction extends Function {
-  MadRelevantFunction() { not this.isFromUninstantiatedTemplate(_) }
-}
-
-private module InlineMadTestLang implements InlineMadTestLangSig {
-  class Callable = MadRelevantFunction;
-
-  /**
-   * Holds if `c` is the closest `Callable` that succeeds `comment` in the file.
-   */
-  private predicate hasClosestCallable(CppStyleComment comment, Callable c) {
-    c =
-      min(Callable cand, int dist |
-        // This has no good join order, but should hopefully be good enough for tests.
-        cand.getFile() = comment.getFile() and
-        dist = cand.getLocation().getStartLine() - comment.getLocation().getStartLine() and
-        dist > 0
-      |
-        cand order by dist
-      )
-  }
-
-  string getComment(Callable c) {
-    exists(CppStyleComment comment |
-      hasClosestCallable(comment, c) and
-      result = comment.getContents().suffix(2)
-    )
-  }
-}
-
-import InlineMadTestImpl<InlineMadTestLang>
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp
@@ -1,201 +0,0 @@
-using size_t = decltype(sizeof(int));
-
-size_t strlen(const char* str);
-char* strcpy(char* dest, const char* src);
-
-namespace Models {
-    struct BasicFlow {
-        int* tainted;
-
-        //No model as destructors are excluded from model generation.
-        ~BasicFlow() = default;
-
-        //heuristic-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];value;dfc-generated
-        BasicFlow* returnThis(int* input) {
-            return this;
-        }
-
-        //heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];value;dfc-generated
-        int* returnParam0(int* input0, int* input1) {
-            return input0;
-        }
-
-        //heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];value;dfc-generated
-        int* returnParam1(int* input0, int* input1) {
-            return input1;
-        }
-
-        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*2];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*2];ReturnValue[*];value;dfc-generated
-        int* returnParamMultiple(bool b, int* input0, int* input1) {
-            return b ? input0 : input1;
-        }
-
-        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];Argument[*1];taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];ReturnValue[*];taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[1];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];Argument[*1];taint;df-generated
-        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];Argument[*1];taint;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];ReturnValue[*];taint;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[1];ReturnValue;value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];Argument[*1];value;dfc-generated
-        char* returnSubstring(const char* source, char* dest) {
-            return strcpy(dest, source + 1);
-        }
-
-        //heuristic-summary=Models;BasicFlow;true;setField;(int *);;Argument[0];Argument[-1];taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;setField;(int *);;Argument[*0];Argument[-1];taint;df-generated
-        //contentbased-summary=Models;BasicFlow;true;setField;(int *);;Argument[0];Argument[-1].Field[*tainted];value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;setField;(int *);;Argument[*0];Argument[-1].Field[**tainted];value;dfc-generated
-        void setField(int* s) {
-            tainted = s;
-        }
-
-        //heuristic-summary=Models;BasicFlow;true;returnField;();;Argument[-1];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnField;();;Argument[-1];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;BasicFlow;true;returnField;();;Argument[-1].Field[*tainted];ReturnValue;value;dfc-generated
-        //contentbased-summary=Models;BasicFlow;true;returnField;();;Argument[-1].Field[**tainted];ReturnValue[*];value;dfc-generated
-        int* returnField() {
-            return tainted;
-        }
-    };
-
-    template<typename T>
-    struct TemplatedFlow {
-        T tainted;
-
-        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];value;dfc-generated
-        TemplatedFlow<T>* template_returnThis(T input) {
-            return this;
-        }
-
-        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;value;dfc-generated
-        //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];value;dfc-generated
-        T* template_returnParam0(T* input0, T* input1) {
-            return input0;
-        }
-
-        //heuristic-summary=Models;TemplatedFlow<T>;true;template_setField;(T);;Argument[0];Argument[-1];taint;df-generated
-        //contentbased-summary=Models;TemplatedFlow<T>;true;template_setField;(T);;Argument[0];Argument[-1].Field[*tainted];value;dfc-generated
-        void template_setField(T s) {
-            tainted = s;
-        }
-
-        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnField;();;Argument[-1];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnField;();;Argument[-1].Field[*tainted];ReturnValue[*];value;dfc-generated
-        T& template_returnField() {
-            return tainted;
-        }
-
-        //heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];taint;df-generated
-        //contentbased-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;value;dfc-generated
-        //contentbased-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];value;dfc-generated
-        template<typename U>
-        U* templated_function(U* u, T* t) {
-            return u;
-        }
-    };
-
-    void test_templated_flow() {
-        // Ensure that we have an instantiation of the templated class
-        TemplatedFlow<int> intFlow;
-        intFlow.template_returnThis(0);
-
-        intFlow.template_returnParam0(nullptr, nullptr);
-
-        intFlow.template_setField(0);
-        intFlow.template_returnField();
-
-        intFlow.templated_function<int>(nullptr, nullptr);
-    }
-}
-
-//heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;df-generated
-//heuristic-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;taint;df-generated
-//contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;dfc-generated
-//contentbased-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;value;dfc-generated
-int toplevel_function(int* p) {
-    return *p;
-}
-
-//No model as static functions are excluded from model generation.
-static int static_toplevel_function(int* p) {
-    return *p;
-}
-
-struct NonFinalStruct {
-    //heuristic-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;taint;df-generated
-    //contentbased-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;value;dfc-generated
-    virtual int public_not_final_member_function(int x) {
-        return x;
-    }
-
-    //heuristic-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;taint;df-generated
-    //contentbased-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;value;dfc-generated
-    virtual int public_final_member_function(int x) final {
-        return x;
-    }
-
-private:
-    //No model as private members are excluded from model generation.
-    int private_member_function(int x) {
-        return x;
-    }
-
-protected:
-    //No model as protected members are excluded from model generation.
-    int protected_member_function(int x) {
-        return x;
-    }
-};
-
-struct FinalStruct final {
-    //heuristic-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;taint;df-generated
-    //contentbased-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;value;dfc-generated
-    virtual int public_not_final_member_function_2(int x) {
-        return x;
-    }
-
-    //heuristic-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;taint;df-generated
-    //contentbased-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;value;dfc-generated
-    virtual int public_final_member_function_2(int x) final {
-        return x;
-    }
-};
-
-union U {
-    int x, y;
-};
-
-//heuristic-summary=;;true;get_x_from_union;(U *);;Argument[0];ReturnValue;taint;df-generated
-//heuristic-summary=;;true;get_x_from_union;(U *);;Argument[*0];ReturnValue;taint;df-generated
-//contentbased-summary=;;true;get_x_from_union;(U *);;Argument[0];ReturnValue;taint;dfc-generated
-//contentbased-summary=;;true;get_x_from_union;(U *);;Argument[*0].Union[*U];ReturnValue;value;dfc-generated
-int get_x_from_union(U* u) {
-    return u->x;
-}
-
-//heuristic-summary=;;true;set_x_in_union;(U *,int);;Argument[1];Argument[*0];taint;df-generated
-//contentbased-summary=;;true;set_x_in_union;(U *,int);;Argument[1];Argument[*0].Union[*U];value;dfc-generated
-void set_x_in_union(U* u, int x) {
-    u->x = x;
-}
--- a/cpp/ql/test/library-tests/declstmt/getDeclaration.expected
+++ b/cpp/ql/test/library-tests/declstmt/getDeclaration.expected
@@ -1,7 +1,5 @@
 | cpp.cpp:3:5:3:51 | declaration | 0 | cpp.cpp:3:19:3:24 | twisty |
 | cpp.cpp:3:5:3:51 | declaration | 0 | cpp.cpp:3:43:3:48 | twisty |
-| cpp.cpp:3:15:3:27 | declaration | 0 | cpp.cpp:3:19:3:24 | twisty |
-| cpp.cpp:3:15:3:27 | declaration | 0 | cpp.cpp:3:43:3:48 | twisty |
 | cpp.cpp:5:5:5:62 | declaration | 0 | cpp.cpp:5:61:5:61 | i |
 | cpp.cpp:5:38:5:51 | declaration | 0 | cpp.cpp:5:44:5:44 | t |
 | declstmt.c:7:5:7:19 | declaration | 0 | declstmt.c:7:9:7:12 | fun1 |
--- a/cpp/ql/test/library-tests/declstmt/getDeclarationEntry.expected
+++ b/cpp/ql/test/library-tests/declstmt/getDeclarationEntry.expected
@@ -1,5 +1,4 @@
 | cpp.cpp:3:5:3:51 | declaration | 0 | cpp.cpp:3:43:3:48 | declaration of twisty |
-| cpp.cpp:3:15:3:27 | declaration | 0 | cpp.cpp:3:19:3:24 | declaration of twisty |
 | cpp.cpp:5:5:5:62 | declaration | 0 | cpp.cpp:5:61:5:61 | definition of i |
 | cpp.cpp:5:38:5:51 | declaration | 0 | cpp.cpp:5:44:5:44 | declaration of t |
 | declstmt.c:7:5:7:19 | declaration | 0 | declstmt.c:7:9:7:12 | definition of fun1 |
--- a/cpp/ql/test/library-tests/enums/typedefs/exprs.expected
+++ b/cpp/ql/test/library-tests/enums/typedefs/exprs.expected
@@ -1,3 +1,2 @@
 | file://:0:0:0:0 | 0 | file://:0:0:0:0 | int |
-| test.c:7:14:7:14 | E | file://:0:0:0:0 | int |
-| test.c:7:20:7:21 | E | test.c:7:14:7:14 | typeof(...) |
+| test.c:7:20:7:21 | E | file://:0:0:0:0 | int |
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
@@ -8,10 +8,7 @@ uniqueEnclosingCallable
 | misc.c:210:24:210:24 | 0 | Node should have one enclosing callable but has 0. |
 | misc.c:210:24:210:28 | ... + ... | Node should have one enclosing callable but has 0. |
 | misc.c:210:28:210:28 | 1 | Node should have one enclosing callable but has 0. |
-| stmt_in_type.cpp:3:12:3:40 | (statement expression) | Node should have one enclosing callable but has 0. |
-| stmt_in_type.cpp:3:29:3:34 | call to twisty | Node should have one enclosing callable but has 0. |
 uniqueCallEnclosingCallable
-| stmt_in_type.cpp:3:29:3:34 | call to twisty | Call should have one enclosing callable but has 0. |
 uniqueType
 uniqueNodeLocation
 | file://:0:0:0:0 | (unnamed parameter 2) | Node should have one location but has 0. |
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.39
-
-No user-facing changes.
-
 ## 1.7.38

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.39.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.39.md
@@ -1,3 +0,0 @@
-## 1.7.39
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.39
+lastReleaseVersion: 1.7.38
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.39
+version: 1.7.39-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.39
-
-No user-facing changes.
-
 ## 1.7.38

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.39.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.39.md
@@ -1,3 +0,0 @@
-## 1.7.39
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.39
+lastReleaseVersion: 1.7.38
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.39
+version: 1.7.39-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-code-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-code-quality.qls.expected
@@ -1,13 +0,0 @@
-ql/csharp/ql/src/API Abuse/FormatInvalid.ql
-ql/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql
-ql/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql
-ql/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
-ql/csharp/ql/src/Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql
-ql/csharp/ql/src/Likely Bugs/Collections/ContainerSizeCmpZero.ql
-ql/csharp/ql/src/Likely Bugs/DangerousNonShortCircuitLogic.ql
-ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
-ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
-ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
-ql/csharp/ql/src/Performance/UseTryGetValue.ql
-ql/csharp/ql/src/Useless code/DefaultToString.ql
-ql/csharp/ql/src/Useless code/IntGetHashCode.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
@@ -1,57 +0,0 @@
-ql/csharp/ql/src/Diagnostics/CompilerError.ql
-ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
-ql/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
-ql/csharp/ql/src/Diagnostics/ExtractedFiles.ql
-ql/csharp/ql/src/Diagnostics/ExtractorError.ql
-ql/csharp/ql/src/Diagnostics/ExtractorMessage.ql
-ql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
-ql/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
-ql/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
-ql/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
-ql/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
-ql/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
-ql/csharp/ql/src/Security Features/CWE-079/XSS.ql
-ql/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
-ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
-ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
-ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
-ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
-ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
-ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
-ql/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
-ql/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
-ql/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
-ql/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
-ql/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
-ql/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
-ql/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
-ql/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
-ql/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
-ql/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
-ql/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql
-ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
-ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
-ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
-ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
-ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
-ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
-ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
-ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
-ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
-ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
-ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
-ql/csharp/ql/src/Security Features/Encryption using ECB.ql
-ql/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
-ql/csharp/ql/src/Security Features/InadequateRSAPadding.ql
-ql/csharp/ql/src/Security Features/InsecureRandomness.ql
-ql/csharp/ql/src/Security Features/InsufficientKeySize.ql
-ql/csharp/ql/src/Security Features/PersistentCookie.ql
-ql/csharp/ql/src/Security Features/WeakEncryption.ql
-ql/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
-ql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
-ql/csharp/ql/src/Telemetry/ExtractorInformation.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalApis.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalSources.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
-ql/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
@@ -1,173 +0,0 @@
-ql/csharp/ql/src/API Abuse/CallToGCCollect.ql
-ql/csharp/ql/src/API Abuse/CallToObsoleteMethod.ql
-ql/csharp/ql/src/API Abuse/ClassDoesNotImplementEquals.ql
-ql/csharp/ql/src/API Abuse/ClassImplementsICloneable.ql
-ql/csharp/ql/src/API Abuse/DisposeNotCalledOnException.ql
-ql/csharp/ql/src/API Abuse/FormatInvalid.ql
-ql/csharp/ql/src/API Abuse/InconsistentEqualsGetHashCode.ql
-ql/csharp/ql/src/API Abuse/IncorrectCompareToSignature.ql
-ql/csharp/ql/src/API Abuse/IncorrectEqualsSignature.ql
-ql/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql
-ql/csharp/ql/src/API Abuse/NullArgumentToEquals.ql
-ql/csharp/ql/src/ASP/BlockCodeResponseWrite.ql
-ql/csharp/ql/src/Architecture/Refactoring Opportunities/InappropriateIntimacy.ql
-ql/csharp/ql/src/Bad Practices/CallsUnmanagedCode.ql
-ql/csharp/ql/src/Bad Practices/CatchOfNullReferenceException.ql
-ql/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql
-ql/csharp/ql/src/Bad Practices/Declarations/LocalScopeVariableShadowsMember.ql
-ql/csharp/ql/src/Bad Practices/Declarations/TooManyRefParameters.ql
-ql/csharp/ql/src/Bad Practices/EmptyCatchBlock.ql
-ql/csharp/ql/src/Bad Practices/ErroneousClassCompare.ql
-ql/csharp/ql/src/Bad Practices/Implementation Hiding/AbstractToConcreteCollection.ql
-ql/csharp/ql/src/Bad Practices/Implementation Hiding/ExposeRepresentation.ql
-ql/csharp/ql/src/Bad Practices/Naming Conventions/FieldMasksSuperField.ql
-ql/csharp/ql/src/Bad Practices/Naming Conventions/SameNameAsSuper.ql
-ql/csharp/ql/src/Bad Practices/PathCombine.ql
-ql/csharp/ql/src/Bad Practices/UnmanagedCodeCheck.ql
-ql/csharp/ql/src/Bad Practices/VirtualCallInConstructorOrDestructor.ql
-ql/csharp/ql/src/CSI/CompareIdenticalValues.ql
-ql/csharp/ql/src/CSI/NullAlways.ql
-ql/csharp/ql/src/CSI/NullMaybe.ql
-ql/csharp/ql/src/Complexity/BlockWithTooManyStatements.ql
-ql/csharp/ql/src/Complexity/ComplexCondition.ql
-ql/csharp/ql/src/Concurrency/FutileSyncOnField.ql
-ql/csharp/ql/src/Concurrency/LockOrder.ql
-ql/csharp/ql/src/Concurrency/LockThis.ql
-ql/csharp/ql/src/Concurrency/LockedWait.ql
-ql/csharp/ql/src/Concurrency/SynchSetUnsynchGet.ql
-ql/csharp/ql/src/Concurrency/UnsafeLazyInitialization.ql
-ql/csharp/ql/src/Concurrency/UnsynchronizedStaticAccess.ql
-ql/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
-ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
-ql/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
-ql/csharp/ql/src/Diagnostics/CompilerError.ql
-ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
-ql/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
-ql/csharp/ql/src/Diagnostics/ExtractedFiles.ql
-ql/csharp/ql/src/Diagnostics/ExtractorError.ql
-ql/csharp/ql/src/Diagnostics/ExtractorMessage.ql
-ql/csharp/ql/src/Documentation/XmldocMissingSummary.ql
-ql/csharp/ql/src/Input Validation/UseOfFileUpload.ql
-ql/csharp/ql/src/Input Validation/ValueShadowing.ql
-ql/csharp/ql/src/Input Validation/ValueShadowingServerVariable.ql
-ql/csharp/ql/src/Language Abuse/CastThisToTypeParameter.ql
-ql/csharp/ql/src/Language Abuse/CatchOfGenericException.ql
-ql/csharp/ql/src/Language Abuse/ChainedIs.ql
-ql/csharp/ql/src/Language Abuse/DubiousDowncastOfThis.ql
-ql/csharp/ql/src/Language Abuse/DubiousTypeTestOfThis.ql
-ql/csharp/ql/src/Language Abuse/MissedReadonlyOpportunity.ql
-ql/csharp/ql/src/Language Abuse/MissedTernaryOpportunity.ql
-ql/csharp/ql/src/Language Abuse/MissedUsingOpportunity.ql
-ql/csharp/ql/src/Language Abuse/NestedIf.ql
-ql/csharp/ql/src/Language Abuse/RethrowException.ql
-ql/csharp/ql/src/Language Abuse/SimplifyBoolExpr.ql
-ql/csharp/ql/src/Language Abuse/UnusedPropertyValue.ql
-ql/csharp/ql/src/Language Abuse/UselessCastToSelf.ql
-ql/csharp/ql/src/Language Abuse/UselessNullCoalescingExpression.ql
-ql/csharp/ql/src/Language Abuse/UselessTypeTest.ql
-ql/csharp/ql/src/Language Abuse/UselessUpcast.ql
-ql/csharp/ql/src/Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql
-ql/csharp/ql/src/Likely Bugs/Collections/ContainerSizeCmpZero.ql
-ql/csharp/ql/src/Likely Bugs/Collections/ReadOnlyContainer.ql
-ql/csharp/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
-ql/csharp/ql/src/Likely Bugs/ConstantComparison.ql
-ql/csharp/ql/src/Likely Bugs/DangerousNonShortCircuitLogic.ql
-ql/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql
-ql/csharp/ql/src/Likely Bugs/EqualityCheckOnFloats.ql
-ql/csharp/ql/src/Likely Bugs/EqualsArray.ql
-ql/csharp/ql/src/Likely Bugs/EqualsUsesAs.ql
-ql/csharp/ql/src/Likely Bugs/EqualsUsesIs.ql
-ql/csharp/ql/src/Likely Bugs/HashedButNoHash.ql
-ql/csharp/ql/src/Likely Bugs/ImpossibleArrayCast.ql
-ql/csharp/ql/src/Likely Bugs/IncomparableEquals.ql
-ql/csharp/ql/src/Likely Bugs/InconsistentCompareTo.ql
-ql/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql
-ql/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.ql
-ql/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql
-ql/csharp/ql/src/Likely Bugs/ObjectComparison.ql
-ql/csharp/ql/src/Likely Bugs/PossibleLossOfPrecision.ql
-ql/csharp/ql/src/Likely Bugs/RecursiveEquals.ql
-ql/csharp/ql/src/Likely Bugs/RecursiveOperatorEquals.ql
-ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
-ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
-ql/csharp/ql/src/Likely Bugs/Statements/EmptyBlock.ql
-ql/csharp/ql/src/Likely Bugs/Statements/EmptyLockStatement.ql
-ql/csharp/ql/src/Likely Bugs/Statements/UseBraces.ql
-ql/csharp/ql/src/Likely Bugs/StaticFieldWrittenByInstance.ql
-ql/csharp/ql/src/Likely Bugs/StringBuilderCharInit.ql
-ql/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql
-ql/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
-ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
-ql/csharp/ql/src/Linq/BadMultipleIteration.ql
-ql/csharp/ql/src/Linq/MissedAllOpportunity.ql
-ql/csharp/ql/src/Linq/MissedCastOpportunity.ql
-ql/csharp/ql/src/Linq/MissedOfTypeOpportunity.ql
-ql/csharp/ql/src/Linq/MissedSelectOpportunity.ql
-ql/csharp/ql/src/Linq/MissedWhereOpportunity.ql
-ql/csharp/ql/src/Linq/RedundantSelect.ql
-ql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
-ql/csharp/ql/src/Performance/StringBuilderInLoop.ql
-ql/csharp/ql/src/Performance/StringConcatenationInLoop.ql
-ql/csharp/ql/src/Performance/UseTryGetValue.ql
-ql/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
-ql/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
-ql/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql
-ql/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
-ql/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
-ql/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
-ql/csharp/ql/src/Security Features/CWE-079/XSS.ql
-ql/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
-ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
-ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
-ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
-ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
-ql/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
-ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
-ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
-ql/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
-ql/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
-ql/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
-ql/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
-ql/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
-ql/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql
-ql/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
-ql/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
-ql/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
-ql/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
-ql/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
-ql/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
-ql/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql
-ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
-ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
-ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
-ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
-ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
-ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
-ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
-ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
-ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
-ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
-ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
-ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
-ql/csharp/ql/src/Security Features/Encryption using ECB.ql
-ql/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
-ql/csharp/ql/src/Security Features/InadequateRSAPadding.ql
-ql/csharp/ql/src/Security Features/InsecureRandomness.ql
-ql/csharp/ql/src/Security Features/InsufficientKeySize.ql
-ql/csharp/ql/src/Security Features/PersistentCookie.ql
-ql/csharp/ql/src/Security Features/WeakEncryption.ql
-ql/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
-ql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
-ql/csharp/ql/src/Telemetry/ExtractorInformation.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalApis.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalSources.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
-ql/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
-ql/csharp/ql/src/Useless code/DefaultToString.ql
-ql/csharp/ql/src/Useless code/FutileConditional.ql
-ql/csharp/ql/src/Useless code/IntGetHashCode.ql
-ql/csharp/ql/src/Useless code/RedundantToStringCall.ql
-ql/csharp/ql/src/Useless code/UnusedLabel.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
@@ -1,71 +0,0 @@
-ql/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
-ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
-ql/csharp/ql/src/Diagnostics/CompilerError.ql
-ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
-ql/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
-ql/csharp/ql/src/Diagnostics/ExtractedFiles.ql
-ql/csharp/ql/src/Diagnostics/ExtractorError.ql
-ql/csharp/ql/src/Diagnostics/ExtractorMessage.ql
-ql/csharp/ql/src/Input Validation/UseOfFileUpload.ql
-ql/csharp/ql/src/Input Validation/ValueShadowing.ql
-ql/csharp/ql/src/Input Validation/ValueShadowingServerVariable.ql
-ql/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql
-ql/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
-ql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
-ql/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
-ql/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
-ql/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql
-ql/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
-ql/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
-ql/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
-ql/csharp/ql/src/Security Features/CWE-079/XSS.ql
-ql/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
-ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
-ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
-ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
-ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
-ql/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
-ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
-ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
-ql/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
-ql/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
-ql/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
-ql/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
-ql/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
-ql/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql
-ql/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
-ql/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
-ql/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
-ql/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
-ql/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
-ql/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
-ql/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql
-ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
-ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
-ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
-ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
-ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
-ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
-ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
-ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
-ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
-ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
-ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
-ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
-ql/csharp/ql/src/Security Features/Encryption using ECB.ql
-ql/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
-ql/csharp/ql/src/Security Features/InadequateRSAPadding.ql
-ql/csharp/ql/src/Security Features/InsecureRandomness.ql
-ql/csharp/ql/src/Security Features/InsufficientKeySize.ql
-ql/csharp/ql/src/Security Features/PersistentCookie.ql
-ql/csharp/ql/src/Security Features/WeakEncryption.ql
-ql/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
-ql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
-ql/csharp/ql/src/Telemetry/ExtractorInformation.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalApis.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalSources.ql
-ql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
-ql/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
--- a/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
@@ -1,126 +0,0 @@
-ql/csharp/ql/src/API Abuse/MissingDisposeCall.ql
-ql/csharp/ql/src/API Abuse/MissingDisposeMethod.ql
-ql/csharp/ql/src/API Abuse/NonOverridingMethod.ql
-ql/csharp/ql/src/API Abuse/UncheckedReturnValue.ql
-ql/csharp/ql/src/ASP/ComplexInlineCode.ql
-ql/csharp/ql/src/ASP/NonInternationalizedText.ql
-ql/csharp/ql/src/ASP/SplitControlStructure.ql
-ql/csharp/ql/src/AlertSuppression.ql
-ql/csharp/ql/src/Architecture/Dependencies/MutualDependency.ql
-ql/csharp/ql/src/Architecture/Refactoring Opportunities/FeatureEnvy.ql
-ql/csharp/ql/src/Bad Practices/Comments/CommentedOutCode.ql
-ql/csharp/ql/src/Bad Practices/Comments/TodoComments.ql
-ql/csharp/ql/src/Bad Practices/Declarations/EmptyInterface.ql
-ql/csharp/ql/src/Bad Practices/Declarations/NoConstantsOnly.ql
-ql/csharp/ql/src/Bad Practices/Implementation Hiding/StaticArray.ql
-ql/csharp/ql/src/Bad Practices/LeftoverDebugCode.ql
-ql/csharp/ql/src/Bad Practices/Magic Constants/MagicConstantsNumbers.ql
-ql/csharp/ql/src/Bad Practices/Magic Constants/MagicConstantsString.ql
-ql/csharp/ql/src/Bad Practices/Magic Constants/MagicNumbersUseConstant.ql
-ql/csharp/ql/src/Bad Practices/Magic Constants/MagicStringsUseConstant.ql
-ql/csharp/ql/src/Bad Practices/Naming Conventions/ConfusingMethodNames.ql
-ql/csharp/ql/src/Bad Practices/Naming Conventions/ConfusingOverridesNames.ql
-ql/csharp/ql/src/Bad Practices/Naming Conventions/ConstantNaming.ql
-ql/csharp/ql/src/Bad Practices/Naming Conventions/ControlNamePrefixes.ql
-ql/csharp/ql/src/Bad Practices/Naming Conventions/DefaultControlNames.ql
-ql/csharp/ql/src/Bad Practices/Naming Conventions/VariableNameTooShort.ql
-ql/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql
-ql/csharp/ql/src/Bad Practices/UseOfSystemOutputStream.ql
-ql/csharp/ql/src/Dead Code/DeadRefTypes.ql
-ql/csharp/ql/src/Dead Code/NonAssignedFields.ql
-ql/csharp/ql/src/Dead Code/UnusedField.ql
-ql/csharp/ql/src/Dead Code/UnusedMethod.ql
-ql/csharp/ql/src/Documentation/XmldocExtraParam.ql
-ql/csharp/ql/src/Documentation/XmldocExtraTypeParam.ql
-ql/csharp/ql/src/Documentation/XmldocMissing.ql
-ql/csharp/ql/src/Documentation/XmldocMissingException.ql
-ql/csharp/ql/src/Documentation/XmldocMissingParam.ql
-ql/csharp/ql/src/Documentation/XmldocMissingReturn.ql
-ql/csharp/ql/src/Documentation/XmldocMissingTypeParam.ql
-ql/csharp/ql/src/Language Abuse/ForeachCapture.ql
-ql/csharp/ql/src/Language Abuse/UselessIsBeforeAs.ql
-ql/csharp/ql/src/Likely Bugs/BadCheckOdd.ql
-ql/csharp/ql/src/Likely Bugs/RandomUsedOnce.ql
-ql/csharp/ql/src/Metrics/Callables/CCyclomaticComplexity.ql
-ql/csharp/ql/src/Metrics/Callables/CLinesOfCode.ql
-ql/csharp/ql/src/Metrics/Callables/CLinesOfComment.ql
-ql/csharp/ql/src/Metrics/Callables/CNumberOfParameters.ql
-ql/csharp/ql/src/Metrics/Callables/CNumberOfStatements.ql
-ql/csharp/ql/src/Metrics/Callables/CPercentageOfComments.ql
-ql/csharp/ql/src/Metrics/Callables/StatementNestingDepth.ql
-ql/csharp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
-ql/csharp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
-ql/csharp/ql/src/Metrics/Files/FCommentRatio.ql
-ql/csharp/ql/src/Metrics/Files/FCyclomaticComplexity.ql
-ql/csharp/ql/src/Metrics/Files/FLines.ql
-ql/csharp/ql/src/Metrics/Files/FLinesOfCode.ql
-ql/csharp/ql/src/Metrics/Files/FLinesOfComment.ql
-ql/csharp/ql/src/Metrics/Files/FLinesOfCommentedCode.ql
-ql/csharp/ql/src/Metrics/Files/FNumberOfClasses.ql
-ql/csharp/ql/src/Metrics/Files/FNumberOfInterfaces.ql
-ql/csharp/ql/src/Metrics/Files/FNumberOfStructs.ql
-ql/csharp/ql/src/Metrics/Files/FNumberOfTests.ql
-ql/csharp/ql/src/Metrics/Files/FNumberOfUsingNamespaces.ql
-ql/csharp/ql/src/Metrics/Files/FSelfContainedness.ql
-ql/csharp/ql/src/Metrics/RefTypes/TAfferentCoupling.ql
-ql/csharp/ql/src/Metrics/RefTypes/TEfferentCoupling.ql
-ql/csharp/ql/src/Metrics/RefTypes/TInheritanceDepth.ql
-ql/csharp/ql/src/Metrics/RefTypes/TLackOfCohesionCK.ql
-ql/csharp/ql/src/Metrics/RefTypes/TLackOfCohesionHS.ql
-ql/csharp/ql/src/Metrics/RefTypes/TNumberOfCallables.ql
-ql/csharp/ql/src/Metrics/RefTypes/TNumberOfEvents.ql
-ql/csharp/ql/src/Metrics/RefTypes/TNumberOfFields.ql
-ql/csharp/ql/src/Metrics/RefTypes/TNumberOfIndexers.ql
-ql/csharp/ql/src/Metrics/RefTypes/TNumberOfNonConstFields.ql
-ql/csharp/ql/src/Metrics/RefTypes/TNumberOfProperties.ql
-ql/csharp/ql/src/Metrics/RefTypes/TNumberOfStatements.ql
-ql/csharp/ql/src/Metrics/RefTypes/TResponse.ql
-ql/csharp/ql/src/Metrics/RefTypes/TSizeOfAPI.ql
-ql/csharp/ql/src/Metrics/RefTypes/TSpecialisationIndex.ql
-ql/csharp/ql/src/Metrics/RefTypes/TUnmanagedCode.ql
-ql/csharp/ql/src/Metrics/Summaries/FrameworkCoverage.ql
-ql/csharp/ql/src/Metrics/internal/ExtractorDiagnostics.ql
-ql/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql
-ql/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql
-ql/csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
-ql/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql
-ql/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql
-ql/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql
-ql/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
-ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
-ql/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql
-ql/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql
-ql/csharp/ql/src/Useless code/PointlessForwardingMethod.ql
-ql/csharp/ql/src/definitions.ql
-ql/csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql
-ql/csharp/ql/src/experimental/CWE-918/RequestForgery.ql
-ql/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
-ql/csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
-ql/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql
-ql/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
-ql/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
-ql/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.ql
-ql/csharp/ql/src/experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql
-ql/csharp/ql/src/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
-ql/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
-ql/csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql
-ql/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
-ql/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
-ql/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
-ql/csharp/ql/src/filters/ClassifyFiles.ql
-ql/csharp/ql/src/meta/frameworks/Coverage.ql
-ql/csharp/ql/src/meta/frameworks/UnsupportedExternalAPIs.ql
-ql/csharp/ql/src/utils/modelconverter/ExtractNeutrals.ql
-ql/csharp/ql/src/utils/modelconverter/ExtractSinks.ql
-ql/csharp/ql/src/utils/modelconverter/ExtractSources.ql
-ql/csharp/ql/src/utils/modelconverter/ExtractSummaries.ql
-ql/csharp/ql/src/utils/modeleditor/ApplicationModeEndpoints.ql
-ql/csharp/ql/src/utils/modeleditor/FrameworkModeEndpoints.ql
-ql/csharp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
-ql/csharp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
-ql/csharp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
-ql/csharp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
-ql/csharp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql
-ql/csharp/ql/src/utils/modelgenerator/CaptureTypeBasedSummaryModels.ql
-ql/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql
-ql/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
--- a/csharp/ql/integration-tests/posix/query-suite/test.py
+++ b/csharp/ql/integration-tests/posix/query-suite/test.py
@@ -1,14 +0,0 @@
-import runs_on
-import pytest
-from query_suites import *
-
-well_known_query_suites = ['csharp-code-quality.qls', 'csharp-security-and-quality.qls', 'csharp-security-extended.qls', 'csharp-code-scanning.qls']
-
-@runs_on.posix
-@pytest.mark.parametrize("query_suite", well_known_query_suites)
-def test(codeql, csharp, check_query_suite, query_suite):
-    check_query_suite(query_suite)
-
-@runs_on.posix
-def test_not_included_queries(codeql, csharp, check_queries_not_included):
-    check_queries_not_included('csharp', well_known_query_suites)
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 5.1.5
-
-### Minor Analysis Improvements
-
-* Improved autobuilder logic for detecting whether a project references a SDK (and should be built using `dotnet`).
-
 ## 5.1.4

 ### Minor Analysis Improvements
--- a/csharp/ql/lib/change-notes/2025-04-11-auto-builder-sdk.md
+++ b/csharp/ql/lib/change-notes/2025-04-11-auto-builder-sdk.md
@@ -1,5 +1,4 @@
-## 5.1.5
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Improved autobuilder logic for detecting whether a project references a SDK (and should be built using `dotnet`).
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.5
+lastReleaseVersion: 5.1.4
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.1.5
+version: 5.1.5-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/Stmt.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Stmt.qll
@@ -278,14 +278,9 @@ class CaseStmt extends Case, @case_stmt {
  override PatternExpr getPattern() { result = this.getChild(0) }

  override Stmt getBody() {
-    exists(int i, Stmt next |
+    exists(int i |
      this = this.getParent().getChild(i) and
-      next = this.getParent().getChild(i + 1)
-    |
-      result = next and
-      not result instanceof CaseStmt
-      or
-      result = next.(CaseStmt).getBody()
+      result = this.getParent().getChild(i + 1)
    )
  }

--- a/csharp/ql/lib/semmle/code/csharp/commons/Collections.qll
+++ b/csharp/ql/lib/semmle/code/csharp/commons/Collections.qll
@@ -97,8 +97,7 @@ private class ParamsConstructedCollectionTypes extends ParamsCollectionTypeImpl
      unboundbase instanceof SystemCollectionsGenericIReadOnlyListTInterface or
      unboundbase instanceof SystemSpanStruct or
      unboundbase instanceof SystemReadOnlySpanStruct
-    ) and
-    not this instanceof SystemStringClass
+    )
  }

  override Type getElementType() { result = base.getTypeArgument(0) }
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -1153,13 +1153,7 @@ module Statements {
      )
      or
      // Flow from last element of `case` statement `i` to first element of statement `i+1`
-      exists(int i, Stmt body |
-        body = super.getStmt(i).(CaseStmt).getBody() and
-        // in case of fall-through cases, make sure to not jump from their shared body back
-        // to one of the fall-through cases
-        not body = super.getStmt(i + 1).(CaseStmt).getBody() and
-        last(body, pred, c)
-      |
+      exists(int i | last(super.getStmt(i).(CaseStmt).getBody(), pred, c) |
        c instanceof NormalCompletion and
        first(super.getStmt(i + 1), succ)
      )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll
@@ -1,6 +1,8 @@
 /**
 * Provides classes for representing abstract bounds for use in, for example, range analysis.
 */
+overlay[local?]
+module;

 private import internal.rangeanalysis.BoundSpecific

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll
@@ -3,6 +3,8 @@
 * an expression, `b` is a `Bound` (typically zero or the value of an SSA
 * variable), and `v` is an integer in the range `[0 .. m-1]`.
 */
+overlay[local?]
+module;

 private import internal.rangeanalysis.ModulusAnalysisSpecific::Private
 private import Bound
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
@@ -408,8 +408,7 @@ Declaration interpretBaseDeclaration(string namespace, string type, string name,
  )
 }

-bindingset[d, ext]
-pragma[inline_late]
+pragma[inline]
 private Declaration interpretExt(Declaration d, ExtPath ext) {
  ext = "" and result = d
  or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll
@@ -1,3 +1,6 @@
+overlay[local?]
+module;
+
 newtype TSign =
  TNeg() or
  TZero() or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll
@@ -5,6 +5,8 @@
 * The analysis is implemented as an abstract interpretation over the
 * three-valued domain `{negative, zero, positive}`.
 */
+overlay[local?]
+module;

 private import SignAnalysisSpecific::Private
 private import SsaReadPositionCommon
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll
@@ -1,6 +1,8 @@
 /**
 * Provides classes for representing a position at which an SSA variable is read.
 */
+overlay[local?]
+module;

 private import SsaReadPositionSpecific
 import SsaReadPositionSpecific::Public
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/Format.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Format.qll
@@ -8,122 +8,69 @@ private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.Text

 /** A method that formats a string, for example `string.Format()`. */
-abstract private class FormatMethodImpl extends Method {
+class FormatMethod extends Method {
+  FormatMethod() {
+    exists(Class declType | declType = this.getDeclaringType() |
+      this.getParameter(0).getType() instanceof SystemIFormatProviderInterface and
+      this.getParameter(1).getType() instanceof StringType and
+      (
+        this = any(SystemStringClass c).getFormatMethod()
+        or
+        this = any(SystemTextStringBuilderClass c).getAppendFormatMethod()
+      )
+      or
+      this.getParameter(0).getType() instanceof StringType and
+      (
+        this = any(SystemStringClass c).getFormatMethod()
+        or
+        this = any(SystemTextStringBuilderClass c).getAppendFormatMethod()
+        or
+        (this.hasName("Write") or this.hasName("WriteLine")) and
+        (
+          declType.hasFullyQualifiedName("System", "Console")
+          or
+          declType.hasFullyQualifiedName("System.IO", "TextWriter")
+          or
+          declType.hasFullyQualifiedName("System.Diagnostics", "Debug") and
+          this.getParameter(1).getType() instanceof ArrayType
+        )
+        or
+        declType.hasFullyQualifiedName("System.Diagnostics", "Trace") and
+        (
+          this.hasName("TraceError") or
+          this.hasName("TraceInformation") or
+          this.hasName("TraceWarning")
+        )
+        or
+        this.hasName("TraceInformation") and
+        declType.hasFullyQualifiedName("System.Diagnostics", "TraceSource")
+        or
+        this.hasName("Print") and
+        declType.hasFullyQualifiedName("System.Diagnostics", "Debug")
+      )
+      or
+      this.hasName("Assert") and
+      declType.hasFullyQualifiedName("System.Diagnostics", "Debug") and
+      this.getNumberOfParameters() = 4
+    )
+  }
+
  /**
   * Gets the argument containing the format string. For example, the argument of
   * `string.Format(IFormatProvider, String, Object)` is `1`.
   */
-  abstract int getFormatArgument();
-
-  /**
-   * Gets the argument number of the first supplied insert.
-   */
-  int getFirstArgument() { result = this.getFormatArgument() + 1 }
-}
-
-final class FormatMethod = FormatMethodImpl;
-
-/** A class of types used for formatting. */
-private class FormatType extends Type {
-  FormatType() {
-    this instanceof StringType or
-    this instanceof SystemTextCompositeFormatClass
-  }
-}
-
-private class StringAndStringBuilderFormatMethods extends FormatMethodImpl {
-  StringAndStringBuilderFormatMethods() {
-    (
-      this.getParameter(0).getType() instanceof SystemIFormatProviderInterface and
-      this.getParameter(1).getType() instanceof FormatType
-      or
-      this.getParameter(0).getType() instanceof StringType
-    ) and
-    (
-      this = any(SystemStringClass c).getFormatMethod()
-      or
-      this = any(SystemTextStringBuilderClass c).getAppendFormatMethod()
-    )
-  }
-
-  override int getFormatArgument() {
+  int getFormatArgument() {
    if this.getParameter(0).getType() instanceof SystemIFormatProviderInterface
    then result = 1
-    else result = 0
+    else
+      if
+        this.hasName("Assert") and
+        this.getDeclaringType().hasFullyQualifiedName("System.Diagnostics", "Debug")
+      then result = 2
+      else result = 0
  }
 }

-private class SystemMemoryExtensionsFormatMethods extends FormatMethodImpl {
-  SystemMemoryExtensionsFormatMethods() {
-    this = any(SystemMemoryExtensionsClass c).getTryWriteMethod() and
-    this.getParameter(1).getType() instanceof SystemIFormatProviderInterface and
-    this.getParameter(2).getType() instanceof SystemTextCompositeFormatClass
-  }
-
-  override int getFormatArgument() { result = 2 }
-
-  override int getFirstArgument() { result = this.getFormatArgument() + 2 }
-}
-
-private class SystemConsoleAndSystemIoTextWriterFormatMethods extends FormatMethodImpl {
-  SystemConsoleAndSystemIoTextWriterFormatMethods() {
-    this.getParameter(0).getType() instanceof StringType and
-    this.getNumberOfParameters() > 1 and
-    exists(Class declType | declType = this.getDeclaringType() |
-      this.hasName(["Write", "WriteLine"]) and
-      (
-        declType.hasFullyQualifiedName("System", "Console")
-        or
-        declType.hasFullyQualifiedName("System.IO", "TextWriter")
-      )
-    )
-  }
-
-  override int getFormatArgument() { result = 0 }
-}
-
-private class SystemDiagnosticsDebugAssert extends FormatMethodImpl {
-  SystemDiagnosticsDebugAssert() {
-    this.hasName("Assert") and
-    this.getDeclaringType().hasFullyQualifiedName("System.Diagnostics", "Debug") and
-    this.getNumberOfParameters() = 4
-  }
-
-  override int getFormatArgument() { result = 2 }
-}
-
-private class SystemDiagnosticsFormatMethods extends FormatMethodImpl {
-  SystemDiagnosticsFormatMethods() {
-    this.getParameter(0).getType() instanceof StringType and
-    this.getNumberOfParameters() > 1 and
-    exists(Class declType |
-      declType = this.getDeclaringType() and
-      declType.getNamespace().getFullName() = "System.Diagnostics"
-    |
-      declType.hasName("Trace") and
-      (
-        this.hasName("TraceError")
-        or
-        this.hasName("TraceInformation")
-        or
-        this.hasName("TraceWarning")
-      )
-      or
-      declType.hasName("TraceSource") and this.hasName("TraceInformation")
-      or
-      declType.hasName("Debug") and
-      (
-        this.hasName("Print")
-        or
-        this.hasName(["Write", "WriteLine"]) and
-        this.getParameter(1).getType() instanceof ArrayType
-      )
-    )
-  }
-
-  override int getFormatArgument() { result = 0 }
-}
-
 pragma[nomagic]
 private predicate parameterReadPostDominatesEntry(ParameterRead pr) {
  pr.getAControlFlowNode().postDominates(pr.getEnclosingCallable().getEntryPoint()) and
@@ -247,36 +194,24 @@ class FormatCall extends MethodCall {
  int getFormatArgument() { result = this.getTarget().(FormatMethod).getFormatArgument() }

  /** Gets the argument number of the first supplied insert. */
-  int getFirstArgument() { result = this.getTarget().(FormatMethod).getFirstArgument() }
+  int getFirstArgument() { result = this.getFormatArgument() + 1 }

  /** Holds if this call has one or more insertions. */
  predicate hasInsertions() { exists(this.getArgument(this.getFirstArgument())) }

-  /**
-   * DEPRECATED: use `hasCollectionExpr` instead.
-   *
-   * Holds if the arguments are supplied in an array, not individually.
-   */
-  deprecated predicate hasArrayExpr() {
+  /** Holds if the arguments are supplied in an array, not individually. */
+  predicate hasArrayExpr() {
    this.getNumberOfArguments() = this.getFirstArgument() + 1 and
    this.getArgument(this.getFirstArgument()).getType() instanceof ArrayType
  }

-  /**
-   * Holds if the arguments are supplied in a collection, not individually.
-   */
-  predicate hasCollectionExpr() {
-    this.getNumberOfArguments() = this.getFirstArgument() + 1 and
-    this.getArgument(this.getFirstArgument()).getType() instanceof ParamsCollectionType
-  }
-
  /**
   * Gets the number of supplied arguments (excluding the format string and format
   * provider). Does not return a value if the arguments are supplied in an array,
   * in which case we generally can't assess the size of the array.
   */
  int getSuppliedArguments() {
-    not this.hasCollectionExpr() and
+    not this.hasArrayExpr() and
    result = this.getNumberOfArguments() - this.getFirstArgument()
  }

--- a/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
@@ -365,7 +365,7 @@ class SystemStringClass extends StringType {
  /** Gets a `Format(...)` method. */
  Method getFormatMethod() {
    result.getDeclaringType() = this and
-    result.getName().regexpMatch("Format(<.*>)?") and
+    result.hasName("Format") and
    result.getNumberOfParameters() in [2 .. 5] and
    result.getReturnType() instanceof StringType
  }
@@ -751,18 +751,6 @@ class SystemNotImplementedExceptionClass extends SystemClass {
  SystemNotImplementedExceptionClass() { this.hasName("NotImplementedException") }
 }

-/** The `System.MemoryExtensions` class. */
-class SystemMemoryExtensionsClass extends SystemClass {
-  SystemMemoryExtensionsClass() { this.hasName("MemoryExtensions") }
-
-  /** Gets a `TryWrite` method. */
-  Method getTryWriteMethod() {
-    result.getDeclaringType() = this and
-    result.getName().regexpMatch("TryWrite(<.*>)?") and
-    result.getParameter(0).getType().getUnboundDeclaration() instanceof SystemSpanStruct
-  }
-}
-
 /** The `System.DateTime` struct. */
 class SystemDateTimeStruct extends SystemStruct {
  SystemDateTimeStruct() { this.hasName("DateTime") }
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/system/Text.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/system/Text.qll
@@ -22,12 +22,7 @@ class SystemTextStringBuilderClass extends SystemTextClass {
  SystemTextStringBuilderClass() { this.hasName("StringBuilder") }

  /** Gets the `AppendFormat` method. */
-  Method getAppendFormatMethod() {
-    exists(string name |
-      name.regexpMatch("AppendFormat(<.*>)?") and
-      result = this.getAMethod(name)
-    )
-  }
+  Method getAppendFormatMethod() { result = this.getAMethod("AppendFormat") }
 }

 /** The `System.Text.Encoding` class. */
@@ -43,11 +38,3 @@ class SystemTextEncodingClass extends SystemTextClass {
  /** Gets the `GetChars` method. */
  Method getGetCharsMethod() { result = this.getAMethod("GetChars") }
 }
-
-/** The `System.Text.CompositeFormat` class */
-class SystemTextCompositeFormatClass extends SystemTextClass {
-  SystemTextCompositeFormatClass() { this.hasName("CompositeFormat") }
-
-  /** Gets the `Parse` method. */
-  Method getParseMethod() { result = this.getAMethod("Parse") }
-}
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll
@@ -81,7 +81,7 @@ predicate hasAuthViaXml(ActionMethod m) {

 /** Holds if the given action has an attribute that indications authorization. */
 predicate hasAuthViaAttribute(ActionMethod m) {
-  exists(Attribute attr | attr.getType().getABaseType*().getName().toLowerCase().matches("%auth%") |
+  exists(Attribute attr | attr.getType().getName().toLowerCase().matches("%auth%") |
    attr = m.getOverridee*().getAnAttribute() or
    attr = getAnUnboundBaseType*(m.getDeclaringType()).getAnAttribute()
  )
--- a/Abuse/FormatInvalid.ql
+++ b/Abuse/FormatInvalid.ql
@@ -11,75 +11,37 @@
 */

 import csharp
-import semmle.code.csharp.frameworks.system.Text
 import semmle.code.csharp.frameworks.Format
-import FormatFlow::PathGraph
-
-abstract class FormatStringParseCall extends MethodCall {
-  abstract Expr getFormatExpr();
-}
-
-class OrdinaryFormatCall extends FormatStringParseCall instanceof FormatCall {
-  override Expr getFormatExpr() { result = FormatCall.super.getFormatExpr() }
-}
-
-class ParseFormatStringCall extends FormatStringParseCall {
-  ParseFormatStringCall() {
-    this.getTarget() = any(SystemTextCompositeFormatClass x).getParseMethod()
-  }
-
-  override Expr getFormatExpr() { result = this.getArgument(0) }
-}
+import FormatInvalid::PathGraph

 module FormatInvalidConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLiteral }

-  predicate isSink(DataFlow::Node n) {
-    exists(FormatStringParseCall c | n.asExpr() = c.getFormatExpr())
-  }
+  predicate isSink(DataFlow::Node n) { exists(FormatCall c | n.asExpr() = c.getFormatExpr()) }
 }

 module FormatInvalid = DataFlow::Global<FormatInvalidConfig>;

-module FormatLiteralConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLiteral }
-
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    // Add flow via `System.Text.CompositeFormat.Parse`.
-    exists(ParseFormatStringCall call |
-      pred.asExpr() = call.getFormatExpr() and
-      succ.asExpr() = call
-    )
-  }
-
-  predicate isSink(DataFlow::Node n) { exists(FormatCall c | n.asExpr() = c.getFormatExpr()) }
-}
-
-module FormatLiteral = DataFlow::Global<FormatLiteralConfig>;
-
-module FormatFlow =
-  DataFlow::MergePathGraph<FormatInvalid::PathNode, FormatLiteral::PathNode,
-    FormatInvalid::PathGraph, FormatLiteral::PathGraph>;
-
 private predicate invalidFormatString(
  InvalidFormatString src, FormatInvalid::PathNode source, FormatInvalid::PathNode sink, string msg,
-  FormatStringParseCall call, string callString
+  FormatCall call, string callString
 ) {
  source.getNode().asExpr() = src and
  sink.getNode().asExpr() = call.getFormatExpr() and
  FormatInvalid::flowPath(source, sink) and
+  call.hasInsertions() and
  msg = "Invalid format string used in $@ formatting call." and
  callString = "this"
 }

 private predicate unusedArgument(
-  FormatCall call, FormatLiteral::PathNode source, FormatLiteral::PathNode sink, string msg,
+  FormatCall call, FormatInvalid::PathNode source, FormatInvalid::PathNode sink, string msg,
  ValidFormatString src, string srcString, Expr unusedExpr, string unusedString
 ) {
  exists(int unused |
    source.getNode().asExpr() = src and
    sink.getNode().asExpr() = call.getFormatExpr() and
-    FormatLiteral::flowPath(source, sink) and
+    FormatInvalid::flowPath(source, sink) and
    unused = call.getASuppliedArgument() and
    not unused = src.getAnInsert() and
    not src.getValue() = "" and
@@ -91,13 +53,13 @@ private predicate unusedArgument(
 }

 private predicate missingArgument(
-  FormatCall call, FormatLiteral::PathNode source, FormatLiteral::PathNode sink, string msg,
+  FormatCall call, FormatInvalid::PathNode source, FormatInvalid::PathNode sink, string msg,
  ValidFormatString src, string srcString
 ) {
  exists(int used, int supplied |
    source.getNode().asExpr() = src and
    sink.getNode().asExpr() = call.getFormatExpr() and
-    FormatLiteral::flowPath(source, sink) and
+    FormatInvalid::flowPath(source, sink) and
    used = src.getAnInsert() and
    supplied = call.getSuppliedArguments() and
    used >= supplied and
@@ -107,17 +69,16 @@ private predicate missingArgument(
 }

 from
-  Element alert, FormatFlow::PathNode source, FormatFlow::PathNode sink, string msg, Element extra1,
-  string extra1String, Element extra2, string extra2String
+  Element alert, FormatInvalid::PathNode source, FormatInvalid::PathNode sink, string msg,
+  Element extra1, string extra1String, Element extra2, string extra2String
 where
-  invalidFormatString(alert, source.asPathNode1(), sink.asPathNode1(), msg, extra1, extra1String) and
+  invalidFormatString(alert, source, sink, msg, extra1, extra1String) and
  extra2 = extra1 and
  extra2String = extra1String
  or
-  unusedArgument(alert, source.asPathNode2(), sink.asPathNode2(), msg, extra1, extra1String, extra2,
-    extra2String)
+  unusedArgument(alert, source, sink, msg, extra1, extra1String, extra2, extra2String)
  or
-  missingArgument(alert, source.asPathNode2(), sink.asPathNode2(), msg, extra1, extra1String) and
+  missingArgument(alert, source, sink, msg, extra1, extra1String) and
  extra2 = extra1 and
  extra2String = extra1String
 select alert, source, sink, msg, extra1, extra1String, extra2, extra2String
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,14 +1,3 @@
-## 1.1.2
-
-### Minor Analysis Improvements
-
-* Changes to the MaD model generation infrastructure:
-  * Changed the query `cs/utils/modelgenerator/summary-models` to use the implementation from `cs/utils/modelgenerator/mixed-summary-models`.
-  * Removed the now-redundant `cs/utils/modelgenerator/mixed-summary-models` query.
-  * A similar replacement was made for `cs/utils/modelgenerator/neutral-models`. That is, if `GenerateFlowModel.py` is provided with `--with-summaries`, combined/mixed models are now generated instead of heuristic models (and similar for `--with-neutrals`).
-* Improved detection of authorization checks in the `cs/web/missing-function-level-access-control` query. The query now recognizes authorization attributes inherited from base classes and interfaces.
-* The precision of the query `cs/invalid-string-formatting` has been improved. More methods and more overloads of existing format like methods are taken into account by the query.
-
 ## 1.1.1

 ### Minor Analysis Improvements
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Philip Ginsbach	74084c9809	add overlay[caller] annotations	2025-04-21 10:09:30 +01:00
Philip Ginsbach	7926ce5b56	set compileForOverlayEval true for java	2025-04-21 10:09:01 +01:00
Philip Ginsbach	77bd819558	synchronise files	2025-04-21 10:08:59 +01:00
Philip Ginsbach	1a05a1f5b2	annotate qll files via python script	2025-04-21 10:08:56 +01:00