set compileForOverlayEval true for java

.github/workflows/build-ripunzip.yml

@@ -6,18 +6,18 @@ on:
       ripunzip-version:
         description: "what reference to checktout from google/runzip"
         required: false
-        default: v2.0.2
+        default: v1.2.1
       openssl-version:
         description: "what reference to checkout from openssl/openssl for Linux"
         required: false
-        default: openssl-3.5.0
+        default: openssl-3.3.0
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2022]
+        os: [ubuntu-22.04, macos-13, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/codegen.yml

@@ -1,11 +1,10 @@
-name: Python tooling
+name: Codegen
 
 on:
   pull_request:
     paths:
       - "misc/bazel/**"
       - "misc/codegen/**"
-      - "misc/scripts/models-as-data/bulk_generate_mad.py"
       - "*.bazel*"
       - .github/workflows/codegen.yml
       - .pre-commit-config.yaml
@@ -18,17 +17,17 @@ permissions:
   contents: read
 
 jobs:
-  check-python-tooling:
+  codegen:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v4
         with:
-          python-version: '3.12'
+          python-version-file: 'misc/codegen/.python-version'
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that python code is properly formatted
         with:
-          extra_args: black --all-files
+          extra_args: autopep8 --all-files
       - name: Run codegen tests
         shell: bash
         run: |

.github/workflows/csharp-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -66,6 +66,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/go-tests-other-os.yml

@@ -26,8 +26,9 @@ jobs:
         uses: ./go/actions/test
 
   test-win:
+    if: github.repository_owner == 'github'
     name: Test Windows
-    runs-on: windows-latest
+    runs-on: windows-latest-xl
     steps:
       - name: Check out code
         uses: actions/checkout@v4

.github/workflows/mad_modelDiff.yml

@@ -68,7 +68,7 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
+            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
             mkdir -p $MODELS/$SHORTNAME
             mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
             cd ..

.github/workflows/ruby-qltest-rtjo.yml

@@ -35,6 +35,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-qltest.yml

@@ -68,6 +68,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-15-xlarge]
+        runner: [ubuntu-latest, macos-13-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:

.github/workflows/validate-change-notes.yml

@@ -31,4 +31,4 @@ jobs:
       - name: Fail if there are any errors with existing change notes
 
         run: |
-          codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
+          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental

.gitignore

@@ -62,7 +62,6 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
-/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -72,7 +71,3 @@ node_modules/
 
 # cargo build directory
 /target
-
-# some upgrade/downgrade checks create these files
-**/upgrades/*/*.dbscheme.stats
-**/downgrades/*/*.dbscheme.stats

.pre-commit-config.yaml

@@ -1,7 +1,5 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
-default_language_version:
-  python: python3.12
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v3.2.0
@@ -9,18 +7,18 @@ repos:
       - id: trailing-whitespace
         exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
       - id: end-of-file-fixer
-        exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6
     hooks:
       - id: clang-format
 
-  - repo: https://github.com/psf/black
-    rev: 25.1.0
+  - repo: https://github.com/pre-commit/mirrors-autopep8
+    rev: v2.0.4
     hooks:
-      - id: black
-        files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
+      - id: autopep8
+        files: ^misc/codegen/.*\.py
 
   - repo: local
     hooks:

CODEOWNERS

@@ -16,8 +16,7 @@
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography
-**/experimental/**/quantum/ @github/ps-codeql
-/shared/quantum/ @github/ps-codeql
+**/experimental/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers

Cargo.toml

@@ -10,4 +10,8 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
-exclude = ["mad-generation-build"]
+
+[patch.crates-io]
+# patch for build script bug preventing bazel build
+# see https://github.com/rust-lang/rustc_apfloat/pull/17
+rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }

MODULE.bazel

@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
@@ -37,7 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
 
-RUST_VERSION = "1.86.0"
+RUST_VERSION = "1.85.0"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -71,11 +71,11 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.98",
+    "vendor_ts__anyhow-1.0.97",
     "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.103.0",
-    "vendor_ts__chrono-0.4.41",
-    "vendor_ts__clap-4.5.40",
+    "vendor_ts__chalk-ir-0.100.0",
+    "vendor_ts__chrono-0.4.40",
+    "vendor_ts__clap-4.5.35",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
@@ -87,33 +87,33 @@ use_repo(
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
-    "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.95",
+    "vendor_ts__num_cpus-1.16.0",
+    "vendor_ts__proc-macro2-1.0.94",
     "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.288",
-    "vendor_ts__ra_ap_cfg-0.0.288",
-    "vendor_ts__ra_ap_hir-0.0.288",
-    "vendor_ts__ra_ap_hir_def-0.0.288",
-    "vendor_ts__ra_ap_hir_expand-0.0.288",
-    "vendor_ts__ra_ap_hir_ty-0.0.288",
-    "vendor_ts__ra_ap_ide_db-0.0.288",
-    "vendor_ts__ra_ap_intern-0.0.288",
-    "vendor_ts__ra_ap_load-cargo-0.0.288",
-    "vendor_ts__ra_ap_parser-0.0.288",
-    "vendor_ts__ra_ap_paths-0.0.288",
-    "vendor_ts__ra_ap_project_model-0.0.288",
-    "vendor_ts__ra_ap_span-0.0.288",
-    "vendor_ts__ra_ap_stdx-0.0.288",
-    "vendor_ts__ra_ap_syntax-0.0.288",
-    "vendor_ts__ra_ap_vfs-0.0.288",
-    "vendor_ts__rand-0.9.1",
+    "vendor_ts__ra_ap_base_db-0.0.273",
+    "vendor_ts__ra_ap_cfg-0.0.273",
+    "vendor_ts__ra_ap_hir-0.0.273",
+    "vendor_ts__ra_ap_hir_def-0.0.273",
+    "vendor_ts__ra_ap_hir_expand-0.0.273",
+    "vendor_ts__ra_ap_hir_ty-0.0.273",
+    "vendor_ts__ra_ap_ide_db-0.0.273",
+    "vendor_ts__ra_ap_intern-0.0.273",
+    "vendor_ts__ra_ap_load-cargo-0.0.273",
+    "vendor_ts__ra_ap_parser-0.0.273",
+    "vendor_ts__ra_ap_paths-0.0.273",
+    "vendor_ts__ra_ap_project_model-0.0.273",
+    "vendor_ts__ra_ap_span-0.0.273",
+    "vendor_ts__ra_ap_stdx-0.0.273",
+    "vendor_ts__ra_ap_syntax-0.0.273",
+    "vendor_ts__ra_ap_vfs-0.0.273",
+    "vendor_ts__rand-0.9.0",
     "vendor_ts__rayon-1.10.0",
     "vendor_ts__regex-1.11.1",
     "vendor_ts__serde-1.0.219",
     "vendor_ts__serde_json-1.0.140",
-    "vendor_ts__serde_with-3.13.0",
-    "vendor_ts__syn-2.0.103",
-    "vendor_ts__toml-0.8.23",
+    "vendor_ts__serde_with-3.12.0",
+    "vendor_ts__syn-2.0.100",
+    "vendor_ts__toml-0.8.20",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
     "vendor_ts__tracing-subscriber-0.3.19",
@@ -124,7 +124,6 @@ use_repo(
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
-    "vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -194,6 +193,10 @@ use_repo(
     kotlin_extractor_deps,
     "codeql_kotlin_defaults",
     "codeql_kotlin_embeddable",
+    "kotlin-compiler-1.5.0",
+    "kotlin-compiler-1.5.10",
+    "kotlin-compiler-1.5.20",
+    "kotlin-compiler-1.5.30",
     "kotlin-compiler-1.6.0",
     "kotlin-compiler-1.6.20",
     "kotlin-compiler-1.7.0",
@@ -205,7 +208,10 @@ use_repo(
     "kotlin-compiler-2.0.20-Beta2",
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
-    "kotlin-compiler-2.2.0-Beta1",
+    "kotlin-compiler-embeddable-1.5.0",
+    "kotlin-compiler-embeddable-1.5.10",
+    "kotlin-compiler-embeddable-1.5.20",
+    "kotlin-compiler-embeddable-1.5.30",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -217,7 +223,10 @@ use_repo(
     "kotlin-compiler-embeddable-2.0.20-Beta2",
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
-    "kotlin-compiler-embeddable-2.2.0-Beta1",
+    "kotlin-stdlib-1.5.0",
+    "kotlin-stdlib-1.5.10",
+    "kotlin-stdlib-1.5.20",
+    "kotlin-stdlib-1.5.30",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -229,7 +238,6 @@ use_repo(
     "kotlin-stdlib-2.0.20-Beta2",
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
-    "kotlin-stdlib-2.2.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
@@ -239,24 +247,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
+lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-linux",
-    src = "//misc/ripunzip:ripunzip-Linux.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-linux"],
+    executable = True,
 )
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-windows",
-    src = "//misc/ripunzip:ripunzip-Windows.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
+    executable = True,
 )
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-macos",
-    src = "//misc/ripunzip:ripunzip-macOS.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-macos"],
+    executable = True,
 )
 
 register_toolchains(

actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected

@@ -1 +0,0 @@
-

actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected

@@ -1 +0,0 @@
-

actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected

@@ -1,17 +0,0 @@
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected

@@ -1,27 +0,0 @@
-ql/actions/ql/src/Debug/SyntaxError.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
-ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
-ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
-ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql

actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected

@@ -1,23 +0,0 @@
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
-ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

actions/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -1,17 +0,0 @@
-ql/actions/ql/src/Debug/partial.ql
-ql/actions/ql/src/Models/CompositeActionsSinks.ql
-ql/actions/ql/src/Models/CompositeActionsSources.ql
-ql/actions/ql/src/Models/CompositeActionsSummaries.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
-ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
-ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
-ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
-ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
-ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
-ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
-ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
-ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
-ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
-ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql

actions/ql/integration-tests/query-suite/test.py

@@ -1,14 +0,0 @@
-import runs_on
-import pytest
-from query_suites import *
-
-well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
-
-@runs_on.posix
-@pytest.mark.parametrize("query_suite", well_known_query_suites)
-def test(codeql, actions, check_query_suite, query_suite):
-    check_query_suite(query_suite)
-
-@runs_on.posix
-def test_not_included_queries(codeql, actions, check_queries_not_included):
-    check_queries_not_included('actions', well_known_query_suites)

actions/ql/lib/CHANGELOG.md

@@ -1,32 +1,6 @@
-## 0.4.12
-
-### Minor Analysis Improvements
-
-* Fixed performance issues in the parsing of Bash scripts in workflow files,
-  which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.
-
-## 0.4.11
-
-No user-facing changes.
-
-## 0.4.10
-
-No user-facing changes.
-
-## 0.4.9
-
-No user-facing changes.
-
-## 0.4.8
-
-No user-facing changes.
-
 ## 0.4.7
 
-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+No user-facing changes.
 
 ## 0.4.6
 

actions/ql/lib/change-notes/released/0.4.10.md

@@ -1,3 +0,0 @@
-## 0.4.10
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.11.md

@@ -1,3 +0,0 @@
-## 0.4.11
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.12.md

@@ -1,7 +0,0 @@
-## 0.4.12
-
-### Minor Analysis Improvements
-
-* Fixed performance issues in the parsing of Bash scripts in workflow files,
-  which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.

actions/ql/lib/change-notes/released/0.4.7.md

@@ -1,5 +1,3 @@
 ## 0.4.7
 
-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.8.md

@@ -1,3 +0,0 @@
-## 0.4.8
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.9.md

@@ -1,3 +0,0 @@
-## 0.4.9
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.12
+lastReleaseVersion: 0.4.7

actions/ql/lib/codeql/actions/Ast.qll

@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
   string getNormalizedExpression() { result = normalizeExpr(expression) }
 }
 
-/** An `env` in workflow, job or step. */
-class Env extends AstNode instanceof EnvImpl {
+/** A common class for `env` in workflow, job or step. */
+abstract class Env extends AstNode instanceof EnvImpl {
   /** Gets an environment variable value given its name. */
   ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
 

actions/ql/lib/codeql/actions/Bash.qll

@@ -8,64 +8,35 @@ class BashShellScript extends ShellScript {
     )
   }
 
-  /**
-   * Gets the line at 0-based index `lineIndex` within this shell script,
-   * assuming newlines as separators.
-   */
-  private string lineProducer(int lineIndex) {
-    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
+  private string lineProducer(int i) {
+    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
   }
 
-  private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
-    this.commandInSubstitution(lineIndex, command, id)
-    or
-    this.commandInBackticks(lineIndex, command, id)
-  }
-
-  /**
-   * Holds if there is a command substitution `$(command)` in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this command.
-   */
-  private predicate commandInSubstitution(int lineIndex, string command, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      command =
-        // Look for the command inside a $(...) command substitution
-        this.lineProducer(lineIndex)
-            .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
-              occurrenceOffset)
-            // trim starting $( - TODO do this in first regex
-            .regexpReplaceAll("^\\$\\(", "")
-            // trim ending ) - TODO do this in first regex
-            .regexpReplaceAll("\\)$", "") and
-      id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
+  private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
+    exists(string line | line = this.lineProducer(k) |
+      exists(int i, int j |
+        cmdSubs =
+          // $() cmd substitution
+          line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
+              .regexpReplaceAll("^\\$\\(", "")
+              .regexpReplaceAll("\\)$", "") and
+        id = "cmdsubs:" + k + ":" + i + ":" + j
+      )
+      or
+      exists(int i, int j |
+        // `...` cmd substitution
+        cmdSubs =
+          line.regexpFind("\\`[^\\`]+\\`", i, j)
+              .regexpReplaceAll("^\\`", "")
+              .regexpReplaceAll("\\`$", "") and
+        id = "cmd:" + k + ":" + i + ":" + j
+      )
     )
   }
 
-  /**
-   * Holds if `command` is a command in backticks `` `...` `` in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this command.
-   */
-  private predicate commandInBackticks(int lineIndex, string command, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      command =
-        this.lineProducer(lineIndex)
-            .regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
-            // trim leading backtick - TODO do this in first regex
-            .regexpReplaceAll("^\\`", "")
-            // trim trailing backtick - TODO do this in first regex
-            .regexpReplaceAll("\\`$", "") and
-      id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
-    )
-  }
-
-  private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
-    // rank commands by their unique IDs
-    commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
-    // since we cannot output (command, ID) tuples from the rank operation,
-    // we need to work out the specific command associated with the resulting ID
-    this.cmdSubstitutionReplacement(command, commandId, _)
+  private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
+    old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
+    this.cmdSubstitutionReplacement(old, new, _)
   }
 
   private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -93,56 +64,31 @@ class BashShellScript extends ShellScript {
     this.cmdSubstitutionReplacement(result, _, i)
   }
 
-  /**
-   * Holds if `quotedStr` is a string in double quotes in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this quoted string.
-   */
-  private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      // double quoted string
-      quotedStr =
-        this.cmdSubstitutedLineProducer(lineIndex)
-            .regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
-      id =
-        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
-          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-    )
-  }
-
-  /**
-   * Holds if `quotedStr` is a string in single quotes in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this quoted string.
-   */
-  private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      // single quoted string
-      quotedStr =
-        this.cmdSubstitutedLineProducer(lineIndex)
-            .regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
-      id =
-        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
-          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-    )
-  }
-
   private predicate quotedStringReplacement(string quotedStr, string id) {
-    exists(int lineIndex |
-      this.doubleQuotedString(lineIndex, quotedStr, id)
+    exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
+      exists(int i, int j |
+        // double quoted string
+        quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
+        id =
+          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
+            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+      )
       or
-      this.singleQuotedString(lineIndex, quotedStr, id)
+      exists(int i, int j |
+        // single quoted string
+        quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
+        id =
+          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
+            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+      )
     ) and
     // Only do this for strings that might otherwise disrupt subsequent parsing
     quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
   }
 
-  private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
-    // rank quoted strings by their nearly-unique IDs
-    quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
-    // since we cannot output (string, ID) tuples from the rank operation,
-    // we need to work out the specific string associated with the resulting ID
-    this.quotedStringReplacement(quotedString, quotedStringId)
+  private predicate rankedQuotedStringReplacements(int i, string old, string new) {
+    old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
+    this.quotedStringReplacement(old, new)
   }
 
   private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -214,10 +214,6 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll

@@ -16,10 +16,6 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll

@@ -15,10 +15,6 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

actions/ql/lib/ext/config/actions_permissions.yml

@@ -22,21 +22,16 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
-      - ["actions/deploy-pages", "pages: write"]
-      - ["actions/deploy-pages", "id-token: write"]
-      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]
+      - ["actions/versions-package-tools", "contents: read"]      
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]
+      - ["actions/reusable-workflows", "contents: read"]      
       - ["actions/reusable-workflows", "actions: read"]
-      - ["actions/ai-inference", "contents: read"]
-      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
-      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-      # No permissions needed for actions/configure-pages
+
+      

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.12
+version: 0.4.8-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,47 +1,5 @@
-## 0.6.4
-
-No user-facing changes.
-
-## 0.6.3
-
-No user-facing changes.
-
-## 0.6.2
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
-
-## 0.6.1
-
-No user-facing changes.
-
-## 0.6.0
-
-### Breaking Changes
-
-* The following queries have been removed from the `security-and-quality` suite.
-  They are not intended to produce user-facing
-  alerts describing vulnerabilities.
-  Any existing alerts for these queries will be closed automatically.
-  * `actions/composite-action-sinks`
-  * `actions/composite-action-sources`
-  * `actions/composite-action-summaries`
-  * `actions/reusable-workflow-sinks`
-    (renamed from `actions/reusable-wokflow-sinks`)
-  * `actions/reusable-workflow-sources`
-  * `actions/reusable-workflow-summaries`
-
-### Bug Fixes
-
-* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
-
 ## 0.5.4
 
-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
-
 ### Bug Fixes
 
 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

actions/ql/src/Models/CompositeActionsSinks.ql

@@ -24,10 +24,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSources.ql

@@ -34,10 +34,6 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSummaries.ql

@@ -25,10 +25,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSinks.ql

@@ -5,7 +5,7 @@
  * @problem.severity warning
  * @security-severity 9.3
  * @precision high
- * @id actions/reusable-workflow-sinks
+ * @id actions/reusable-wokflow-sinks
  * @tags actions
  *       model-generator
  *       external/cwe/cwe-020
@@ -24,10 +24,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSources.ql

@@ -34,10 +34,6 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSummaries.ql

@@ -25,10 +25,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.

actions/ql/src/change-notes/released/0.5.4.md

@@ -1,9 +1,5 @@
 ## 0.5.4
 
-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
-
 ### Bug Fixes
 
 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

actions/ql/src/change-notes/released/0.6.0.md

@@ -1,19 +0,0 @@
-## 0.6.0
-
-### Breaking Changes
-
-* The following queries have been removed from the `security-and-quality` suite.
-  They are not intended to produce user-facing
-  alerts describing vulnerabilities.
-  Any existing alerts for these queries will be closed automatically.
-  * `actions/composite-action-sinks`
-  * `actions/composite-action-sources`
-  * `actions/composite-action-summaries`
-  * `actions/reusable-workflow-sinks`
-    (renamed from `actions/reusable-wokflow-sinks`)
-  * `actions/reusable-workflow-sources`
-  * `actions/reusable-workflow-summaries`
-
-### Bug Fixes
-
-* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.

actions/ql/src/change-notes/released/0.6.1.md

@@ -1,3 +0,0 @@
-## 0.6.1
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.2.md

@@ -1,5 +0,0 @@
-## 0.6.2
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.

actions/ql/src/change-notes/released/0.6.3.md

@@ -1,3 +0,0 @@
-## 0.6.3
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.4.md

@@ -1,3 +0,0 @@
-## 0.6.4
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.4
+lastReleaseVersion: 0.5.4

actions/ql/src/codeql-suites/actions-code-quality-extended.qls

@@ -1,3 +0,0 @@
-- queries: .
-- apply: code-quality-extended-selectors.yml
-  from: codeql/suite-helpers

actions/ql/src/codeql-suites/actions-code-quality.qls

@@ -1,3 +1 @@
-- queries: .
-- apply: code-quality-selectors.yml
-  from: codeql/suite-helpers
+[]

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.4
+version: 0.5.5-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/interpolation.yml

@@ -1,81 +0,0 @@
-name: Workflow with complex interpolation
-on: 
-  workflow_dispatch:
-    inputs:
-      choice-a:
-        required: true
-        type: choice
-        description: choice-a
-        default: a1
-        options: 
-        - a1
-        - a2
-        - a3
-      string-b:
-        required: false
-        type: string
-        description: string-b
-      string-c:
-        required: false
-        type: string
-        description: string-c
-      list-d:
-        required: true
-        type: string
-        default: d1 d2
-        description: list-d whitespace separated
-      list-e:
-        required: false
-        type: string
-        description: list-e whitespace separated
-      choice-f:
-        required: true
-        type: choice
-        description: choice-f
-        options: 
-        - false
-        - true
-          
-env:
-  DRY_TEST: false
-  B: ${{ github.event.inputs.string-b }}
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Produce values
-      id: produce-values
-      run: |
-        echo "region=region" >> $GITHUB_OUTPUT
-        echo "zone=zone" >> $GITHUB_OUTPUT
-
-    - name: Step with complex interpolation
-      id: complex
-      env:
-        CHOICE_A: ${{ github.event.inputs.choice-a }}
-        STRING_B: ${{ github.event.inputs.string-b }}
-        STRING_C: ${{ github.event.inputs.string-c }}
-        LIST_D: ${{ github.event.inputs.list-d }}
-        LIST_E: ${{ github.event.inputs.list-e }}
-        CHOICE_F: ${{ github.event.inputs.choice-f }}
-        REGION: ${{ steps.produce-values.outputs.region }}
-        ZONE: ${{ steps.produce-values.outputs.zone }}
-        DRY_TEST_JSON: ${{ fromJSON(env.DRY_TEST) }}
-        FUNCTION_NAME: my-function
-        USER_EMAIL: 'example@example.com'
-        TYPE: type
-        RANGE: '0-100'
-
-      run: |
-        comma_separated_list_d=$(echo "${LIST_D}" | sed "s/ /\",\"/g")
-        comma_separated_list_e=$(echo "${LIST_E}" | sed "s/ /\",\"/g")
-        c1=$(echo "${STRING_C}" | cut -d "-" -f 1)
-        c2=$(echo "${STRING_C}" | cut -d "-" -f 2)
-        # Similar commands that use JSON payloads with string interpolation.
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":["'"${comma_separated_list_e}"'"],"dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-      shell: bash

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/ai-inference

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/deploy-pages

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/delete-package-versions

actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected

@@ -3,6 +3,3 @@
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
 | .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
-| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
-| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
-| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |

config/add-overlay-annotations.py

@@ -1,274 +0,0 @@
-# This script is used to annotate .qll files without any existing overlay annotations
-# with overlay[local?] and overlay[caller?] annotations. Maintenance of overlay annotations
-# in annotated files will be handled by QL-for-QL queries.
-
-# It will walk the directory tree and annotate most .qll files, skipping only
-# some specific cases (e.g., empty files, files that configure dataflow for queries).
-
-# The script takes a list of languages and processes the corresponding directories.
-# If the optional --check argument is provided, the script checks for missing annotations,
-# but does not modify any files.
-
-# Usage: python3 add-overlay-annotations.py [--check] <language1> <language2> ...
-
-# The script will modify the files in place and print the changes made.
-# The script is designed to be run from the root of the repository.
-
-#!/usr/bin/python3
-import sys
-import os
-from difflib import context_diff
-
-
-def has_overlay_annotations(lines):
-    '''
-    Check whether the given lines contain any overlay[...] annotations.
-    '''
-    overlays = ["local", "local?", "global", "caller", "caller?"]
-    annotations = [f"overlay[{t}]" for t in overlays]
-    return any(ann in line for ann in annotations for line in lines)
-
-
-def is_line_comment(line):
-    return line.startswith("//") or (line.startswith("/*") and line.endswith("*/"))
-
-
-def find_file_level_module_declaration(lines):
-    '''
-    Returns the index of the existing file-level module declaration if one
-    exists. Returns None otherwise.
-    '''
-    comment = False
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-
-        if is_line_comment(trimmed):
-            continue
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif not comment and trimmed.endswith("module;"):
-            return i
-
-    return None
-
-
-def is_file_module_qldoc(i, lines):
-    '''
-    Assuming a qldoc ended on line i, determine if it belongs to the implicit
-    file-level module. If it is followed by another qldoc or imports, then it
-    does and if it is followed by any other non-empty, non-comment lines, then
-    we assume that is a declaration of some kind and the qldoc is attached to
-    that declaration.
-    '''
-    comment = False
-
-    for line in lines[i+1:]:
-        trimmed = line.strip()
-
-        if trimmed.startswith("import ") or trimmed.startswith("private import ") or trimmed.startswith("/**"):
-             return True
-        elif is_line_comment(trimmed) or not trimmed:
-             continue
-        elif trimmed.startswith("/*"):
-             comment = True
-        elif comment and trimmed.endswith("*/"):
-             comment = False
-        elif not comment and trimmed:
-             return False
-
-    return True
-
-
-def find_file_module_qldoc_declaration(lines):
-    '''
-    Returns the index of last line of the implicit file module qldoc if one
-    exists. Returns None otherwise.
-    '''
-
-    qldoc = False
-    comment = False
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-
-        if trimmed.startswith("//"):
-            continue
-        elif (qldoc or trimmed.startswith("/**")) and trimmed.endswith("*/"):
-            # a qldoc just ended; determine if it belongs to the implicit file module
-            if is_file_module_qldoc(i, lines):
-                return i
-            else:
-                return None
-        elif trimmed.startswith("/**"):
-            qldoc = True
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif (not qldoc and not comment) and trimmed:
-            return None
-
-    return None
-
-
-def only_comments(lines):
-    '''
-    Returns true if the lines contain only comments and empty lines.
-    '''
-    comment = False
-
-    for line in lines:
-        trimmed = line.strip()
-
-        if not trimmed or is_line_comment(trimmed):
-            continue
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif comment:
-            continue
-        elif trimmed:
-            return False
-
-    return True
-
-
-def insert_toplevel_maybe_local_annotation(filename, lines):
-    '''
-    Find a suitable place to insert an overlay[local?] annotation at the top of the file.
-    Returns a pair consisting of description and the modified lines or None if no overlay
-    annotation is necessary (e.g., for files that only contain comments).
-    '''
-    if only_comments(lines):
-        return None
-
-    i = find_file_level_module_declaration(lines)
-    if not i == None:
-        out_lines = lines[:i]
-        out_lines.append("overlay[local?]\n")
-        out_lines.extend(lines[i:])
-        return (f"Annotating \"{filename}\" via existing file-level module statement", out_lines)
-
-    i = find_file_module_qldoc_declaration(lines)
-    if not i == None:
-        out_lines = lines[:i+1]
-        out_lines.append("overlay[local?]\n")
-        out_lines.append("module;\n")
-        out_lines.extend(lines[i+1:])
-        return (f"Annotating \"{filename}\" which has a file-level module qldoc", out_lines)
-
-    out_lines = ["overlay[local?]\n", "module;\n", "\n"] + lines
-    return (f"Annotating \"{filename}\" without file-level module qldoc", out_lines)
-
-
-def insert_overlay_caller_annotations(lines):
-    '''
-    Mark pragma[inline] predicates as overlay[caller?] if they are not declared private.
-    '''
-    out_lines = []
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-        if trimmed == "pragma[inline]":
-            if i + 1 < len(lines) and not "private" in lines[i+1]:
-                whitespace = line[0: line.find(trimmed)]
-                out_lines.append(f"{whitespace}overlay[caller?]\n")
-        out_lines.append(line)
-    return out_lines
-
-
-def annotate_as_appropriate(filename, lines):
-    '''
-    Insert new overlay[...] annotations according to heuristics in files without existing
-    overlay annotations.
-
-    Returns None if no annotations are needed. Otherwise, returns a pair consisting of a
-    string describing the action taken and the modified content as a list of lines.
-    '''
-    if has_overlay_annotations(lines):
-        return None
-
-    # These simple heuristics filter out those .qll files that we no _not_ want to annotate
-    # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
-    # but they seem to work well enough for now (as determined by speed and accuracy numbers).
-    if (filename.endswith("Test.qll") or
-        ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
-         any("implements DataFlow::ConfigSig" in line for line in lines))):
-        return None
-    elif not any(line for line in lines if line.strip()):
-        return None
-
-    lines = insert_overlay_caller_annotations(lines)
-    return insert_toplevel_maybe_local_annotation(filename, lines)
-
-
-def process_single_file(write, filename):
-    '''
-    Process a single file, annotating it as appropriate.
-    If write is set, the changes are written back to the file.
-    Returns True if the file requires changes.
-    '''
-    with open(filename) as f:
-        old = [line for line in f]
-
-    annotate_result = annotate_as_appropriate(filename, old)
-    if annotate_result is None:
-        return False
-
-    if not write:
-        return True
-
-    new = annotate_result[1]
-
-    diff = context_diff(old, new, fromfile=filename, tofile=filename)
-    diff = [line for line in diff]
-    if diff:
-        print(annotate_result[0])
-        for line in diff:
-            print(line.rstrip())
-        with open(filename, "w") as out_file:
-            for line in new:
-                out_file.write(line)
-
-    return True
-
-
-if len(sys.argv) > 1 and sys.argv[1] == "--check":
-  check = True
-  langs = sys.argv[2:]
-else:
-  check = False
-  langs = sys.argv[1:]
-
-dirs = []
-for lang in langs:
-    if lang in ["cpp", "go", "csharp", "java", "javascript", "python", "ruby", "rust", "swift"]:
-        dirs.append(f"{lang}/ql/lib")
-    else:
-        raise Exception(f"Unknown language \"{lang}\".")
-
-if dirs:
-    dirs.append("shared")
-
-missingAnnotations = []
-
-for roots in dirs:
-    for dirpath, dirnames, filenames in os.walk(roots):
-        for filename in filenames:
-            if filename.endswith(".qll") and not dirpath.endswith("tutorial"):
-                path = os.path.join(dirpath, filename)
-                res = process_single_file(not check, path)
-                if check and res:
-                    missingAnnotations.append(path)
-
-
-if len(missingAnnotations) > 0:
-    print("The following files have no overlay annotations:")
-    for path in missingAnnotations[:10]:
-      print("- " + path)
-    if len(missingAnnotations) > 10:
-      print("and " + str(len(missingAnnotations) - 10) + " additional files.")
-    print()
-    print("Please manually add overlay annotations or use the config/add-overlay-annotations.py script to automatically add sensible default overlay annotations.")
-    exit(1)

config/annotate-overlay-local.py

@@ -0,0 +1,175 @@
+# This script is used to annotate .qll files with overlay[local?] annotations.
+# It will walk the directory tree and annotate most .qll files, skipping only
+# some specific cases (e.g., empty files, files that configure dataflow for queries).
+# It will also add overlay[caller] annotations to predicates that are pragma[inline]
+# and either not private or in a hardcoded list of predicates.
+
+# The script takes a list of languages and processes the corresponding directories.
+
+# Usage: python3 annotate-overlay-local.py <language1> <language2> ...
+
+# The script will modify the files in place and print the changes made.
+# The script is designed to be run from the root of the repository.
+
+#!/usr/bin/python3
+import sys
+import os
+from difflib import *
+
+# These are the only two predicates that are pragma[inline], private, and must be
+# overlay[caller] in order to successfully compile our internal java queries.
+hardcoded_overlay_caller_preds = [
+    "fwdFlowInCand", "fwdFlowInCandTypeFlowDisabled"]
+
+
+def filter_out_annotations(filename):
+    '''
+    Read the file and strip all existing overlay[...] annotations from the contents.
+    Return the file modified file content as a list of lines.
+    '''
+    overlays = ["local", "local?", "global", "caller"]
+    annotations = [f"overlay[{t}]" for t in overlays]
+    with open(filename, 'r') as file_in:
+        lines = [l for l in file_in if not l.strip() in annotations]
+    for ann in annotations:
+        if any(line for line in lines if ann in line):
+            raise Exception(f"Failed to filter out {ann} from {filename}.")
+    return lines
+
+
+def insert_toplevel_maybe_local_anntotation(filename, lines):
+    '''
+    Find a suitable place to insert an overlay[local?] annotation at the top of the file.
+    Return a pair: (string describing action taken, modified content as list of lines).
+    '''
+    out_lines = []
+    status = 0
+
+    for line in lines:
+        if status == 0 and line.rstrip().endswith("module;"):
+            out_lines.append("overlay[local?]\n")
+            status = 1
+        out_lines.append(line)
+
+    if status == 1:
+        return (f"Annotating \"{filename}\" via existing file-level module statement", out_lines)
+
+    out_lines = []
+    empty_line_buffer = []
+    status = 0
+    for line in lines:
+        trimmed = line.strip()
+        if not trimmed:
+            empty_line_buffer.append(line)
+            continue
+        if status <= 1 and trimmed.endswith("*/"):
+            status = 2
+        elif status == 0 and trimmed.startswith("/**"):
+            status = 1
+        elif status == 0 and not trimmed.startswith("/*"):
+            out_lines.append("overlay[local?]\n")
+            out_lines.append("module;\n")
+            out_lines.append("\n")
+            status = 3
+        elif status == 2 and (trimmed.startswith("import ") or trimmed.startswith("private import ")):
+            out_lines.append("overlay[local?]\n")
+            out_lines.append("module;\n")
+            status = 3
+        elif status == 2 and (trimmed.startswith("class ") or trimmed.startswith("predicate ")
+                              or trimmed.startswith("module ") or trimmed.startswith("signature ")):
+            out_lines = ["overlay[local?]\n", "module;\n", "\n"] + out_lines
+            status = 3
+        elif status == 2 and trimmed.startswith("/*"):
+            out_lines.append("overlay[local?]\n")
+            out_lines.append("module;\n")
+            status = 3
+        elif status == 2:
+            status = 4
+        if empty_line_buffer:
+            out_lines += empty_line_buffer
+            empty_line_buffer = []
+        out_lines.append(line)
+    if status == 3:
+        out_lines += empty_line_buffer
+
+    if status == 3:
+        return (f"Annotating \"{filename}\" after file-level module qldoc", out_lines)
+
+    raise Exception(f"Failed to annotate \"{filename}\" as overlay[local?].")
+
+
+def insert_overlay_caller_annotations(lines):
+    '''
+    Mark pragma[inline] predicates as overlay[caller] if they are not declared private
+    or if they are private but are in the list of hardcoded_overlay_caller_preds.
+    '''
+    out_lines = []
+    for i, line in enumerate(lines):
+        trimmed = line.strip()
+        if trimmed == "pragma[inline]":
+            if (not "private" in lines[i+1] or
+                    any(pred in lines[i+1] for pred in hardcoded_overlay_caller_preds)):
+                whitespace = line[0: line.find(trimmed)]
+                out_lines.append(f"{whitespace}overlay[caller]\n")
+        out_lines.append(line)
+    return out_lines
+
+
+def annotate_as_appropriate(filename):
+    '''
+    Read file and strip all existing overlay[...] annotations from the contents;
+    then insert new overlay[...] annotations according to heuristics.
+    Return a pair: (string describing action taken, modified content as list of lines).
+    '''
+    lines = filter_out_annotations(filename)
+    lines = insert_overlay_caller_annotations(lines)
+
+    # These simple heuristics filter out those .qll files that we no _not_ want to annotate
+    # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
+    # but they seem to work well enough for now (as determined by speed and accuracy numbers).
+    if (filename.endswith("Test.qll") or
+        ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
+         any("implements DataFlow::ConfigSig" in line for line in lines))):
+        return (f"Keeping \"{filename}\" global because it configures dataflow for a query", lines)
+    elif not any(line for line in lines if line.strip()):
+        return (f"Keeping \"{filename}\" global because it is empty", lines)
+
+    return insert_toplevel_maybe_local_anntotation(filename, lines)
+
+
+def process_single_file(filename):
+    '''
+    Process a single file, annotating it as appropriate and writing the changes back to the file.
+    '''
+    annotate_result = annotate_as_appropriate(filename)
+
+    old = [line for line in open(filename)]
+    new = annotate_result[1]
+
+    if old != new:
+        diff = context_diff(old, new, fromfile=filename, tofile=filename)
+        diff = [line for line in diff]
+        if diff:
+            print(annotate_result[0])
+            for line in diff:
+                print(line.rstrip())
+            with open(filename, "w") as out_file:
+                for line in new:
+                    out_file.write(line)
+
+
+dirs = []
+for lang in sys.argv[1:]:
+    if lang in ["cpp", "go", "csharp", "java", "javascript", "python", "ruby", "rust", "swift"]:
+        dirs.append(f"{lang}/ql/lib")
+    else:
+        raise Exception(f"Unknown language \"{lang}\".")
+
+if dirs:
+    dirs.append("shared")
+
+for roots in dirs:
+    for dirpath, dirnames, filenames in os.walk(roots):
+        for filename in filenames:
+            if filename.endswith(".qll") and not dirpath.endswith("tutorial"):
+                process_single_file(os.path.join(dirpath, filename))

cpp/bulk_generation_targets.yml

@@ -1,31 +0,0 @@
-language: cpp
-strategy: dca
-destination: cpp/ql/lib/ext/generated
-targets:
-- name: zlib
-  with-sinks: false
-  with-sources: false
-- name: brotli
-  with-sinks: false
-  with-sources: false
-- name: libidn2
-  with-sinks: false
-  with-sources: false
-- name: libssh2
-  with-sinks: false
-  with-sources: false
-- name: sqlite
-  with-sinks: false
-  with-sources: false
-- name: openssl
-  with-sinks: false
-  with-sources: false
-- name: nghttp2
-  with-sinks: false
-  with-sources: false
-- name: libuv
-  with-sinks: false
-  with-sources: false
-- name: curl
-  with-sinks: false
-  with-sources: false

cpp/downgrades/3c45f8b9e71ec723bf50c40581e1f18f4f25e290/lambdas.ql

@@ -1,7 +0,0 @@
-class LambdaExpr extends @lambdaexpr {
-  string toString() { none() }
-}
-
-from LambdaExpr lambda, string default_capture, boolean has_explicit_return_type
-where lambdas(lambda, default_capture, has_explicit_return_type, _)
-select lambda, default_capture, has_explicit_return_type

cpp/downgrades/3c45f8b9e71ec723bf50c40581e1f18f4f25e290/upgrade.properties

@@ -1,3 +0,0 @@
-description: capture whether a lambda has an explicitly specified parameter list.
-compatibility: full
-lambdas.rel: run lambdas.qlo

cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/preprocdirects.ql

@@ -11,7 +11,7 @@ int getKind(int kind) {
   if kind = 14
   then result = 6 // Represent MSFT #import as #include
   else
-    if kind = 15 or kind = 16
+    if kind = 15 or kind = 6
     then result = 3 // Represent #elifdef and #elifndef as #elif
     else result = kind
 }

cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/decltypes.ql

@@ -1,11 +0,0 @@
-class Type extends @type {
-  string toString() { none() }
-}
-
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-from Type decltype, Expr expr, Type basetype, boolean parentheses
-where decltypes(decltype, expr, _, basetype, parentheses)
-select decltype, expr, basetype, parentheses

cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/derivedtypes.ql

@@ -1,19 +0,0 @@
-class Type extends @type {
-  string toString() { none() }
-}
-
-predicate derivedType(Type type, string name, int kind, Type type_id) {
-  derivedtypes(type, name, kind, type_id)
-}
-
-predicate typeTransformation(Type type, string name, int kind, Type type_id) {
-  type_operators(type, _, _, type_id) and
-  name = "" and
-  kind = 3 // @type_with_specifiers
-}
-
-from Type type, string name, int kind, Type type_id
-where
-  derivedType(type, name, kind, type_id) or
-  typeTransformation(type, name, kind, type_id)
-select type, name, kind, type_id

cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties

@@ -1,5 +0,0 @@
-description: Support C23 typeof and typeof_unqual
-compatibility: backwards
-decltypes.rel: run decltypes.qlo
-derivedtypes.rel: run derivedtypes.qlo
-type_operators.rel: delete

cpp/downgrades/9baef67d1ffc1551429dbe1c1130815693e28218/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add a predicate `getAnAttribute` to `Namespace`
-compatibility: full
-namespaceattributes.rel: delete

cpp/downgrades/a8c2176e9a5cf9be8d17053a4c8e7e56b5aced6d/stmts.ql

@@ -1,13 +0,0 @@
-class Stmt extends @stmt {
-  string toString() { none() }
-}
-
-class Location extends @location_stmt {
-  string toString() { none() }
-}
-
-from Stmt id, int kind, Location loc, int new_kind
-where
-  stmts(id, kind, loc) and
-  if kind = 40 then new_kind = 4 else new_kind = kind
-select id, new_kind, loc

cpp/downgrades/a8c2176e9a5cf9be8d17053a4c8e7e56b5aced6d/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support `__leave` statement
-compatibility: full
-stmts.rel: run stmts.qlo

cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/builtintypes.ql

@@ -1,9 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
-where
-  builtintypes(id, name, kind, size, sign, alignment) and
-  if kind = 62 then new_kind = 1 else new_kind = kind
-select id, name, new_kind, size, sign, alignment

cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support __mfp8 type
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/downgrades/e38346051783182ea75822e4adf8d4c6a949bc37/builtintypes.ql

@@ -1,9 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
-where
-  builtintypes(id, name, kind, size, sign, alignment) and
-  if kind = 63 then /* @errortype */ new_kind = 1 else new_kind = kind
-select id, name, new_kind, size, sign, alignment

cpp/downgrades/e38346051783182ea75822e4adf8d4c6a949bc37/derivedtypes.ql

@@ -1,9 +0,0 @@
-class Type extends @type {
-  string toString() { none() }
-}
-
-from Type type, string name, int kind, int new_kind, Type type_id
-where
-  derivedtypes(type, name, kind, type_id) and
-  if kind = 11 then /* @gnu_vector */ new_kind = 5 else new_kind = kind
-select type, name, new_kind, type_id

cpp/downgrades/e38346051783182ea75822e4adf8d4c6a949bc37/upgrade.properties

@@ -1,5 +0,0 @@
-description: Arm scalable vector type support
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo
-derivedtypes.rel: run derivedtypes.qlo
-tupleelements.rel: delete

cpp/ql/integration-tests/header-variant-tests/clang-pch/a.c

@@ -1,2 +0,0 @@
-#include "a.h"
-#define FOUR 4

cpp/ql/integration-tests/header-variant-tests/clang-pch/c.c

@@ -1,3 +0,0 @@
-int main() {
-  return ONE + FOUR;
-}

cpp/ql/integration-tests/header-variant-tests/clang-pch/d.c

@@ -1 +0,0 @@
-#import "d.h"

cpp/ql/integration-tests/header-variant-tests/clang-pch/e.c

@@ -1,3 +0,0 @@
-int main() {
-  return SEVENTEEN;
-}

cpp/ql/integration-tests/header-variant-tests/clang-pch/f.c

@@ -1,5 +0,0 @@
-#if 1
-#pragma hdrstop
-extern int x;
-#define SEEN_F
-#endif

cpp/ql/integration-tests/header-variant-tests/clang-pch/g.c

@@ -1,5 +0,0 @@
-#ifdef SEEN_F
-static int g() {
-  return 20;
-}
-#endif

cpp/ql/integration-tests/header-variant-tests/clang-pch/h.c

@@ -1,4 +0,0 @@
-#include "h1.h"
-#pragma hdrstop
-#include "h2.h"
-#define SEEN_H

cpp/ql/integration-tests/header-variant-tests/clang-pch/test.py

@@ -1,17 +0,0 @@
-import os
-
-
-def test(codeql, cpp):
-    os.mkdir("pch")
-    extractor = cpp.get_tool("extractor")
-    codeql.database.create(command=[
-        f'"{extractor}" --mimic-clang -emit-pch -o pch/a.pch a.c',
-        f'"{extractor}" --mimic-clang -include-pch pch/a.pch -Iextra_dummy_path b.c',
-        f'"{extractor}" --mimic-clang -include pch/a -Iextra_dummy_path c.c',
-        f'"{extractor}" --mimic-clang -emit-pch -o pch/d.pch d.c',
-        f'"{extractor}" --mimic-clang -include-pch pch/d.pch e.c',
-        f'"{extractor}" --mimic-clang -emit-pch -o pch/f.pch f.c',
-        f'"{extractor}" --mimic-clang -include-pch pch/f.pch g.c',
-        f'"{extractor}" --mimic-clang -emit-pch -o pch/h.pch h.c',
-        f'"{extractor}" --mimic-clang -include-pch pch/h.pch i.c',
-    ])

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/a.c

@@ -1 +0,0 @@
-#include "a.h"

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/b.c

@@ -1,6 +0,0 @@
-#pragma hdrstop
-#include "b.h"
-
-int b() {
-  return A;
-}

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/c.c

@@ -1,6 +0,0 @@
-#include "d.h"
-#include "c.h"
-
-int c() {
-  return A;
-}