C++: Update stats

MODULE.bazel

@@ -23,7 +23,7 @@ bazel_dep(name = "rules_shell", version = "0.5.0")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
+bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")

actions/ql/lib/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 0.4.25
-
-No user-facing changes.
-
-## 0.4.24
-
-No user-facing changes.
-
-## 0.4.23
-
-No user-facing changes.
-
-## 0.4.22
-
-No user-facing changes.
-
 ## 0.4.21
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.22.md

@@ -1,3 +0,0 @@
-## 0.4.22
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.23.md

@@ -1,3 +0,0 @@
-## 0.4.23
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.24.md

@@ -1,3 +0,0 @@
-## 0.4.24
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.25.md

@@ -1,3 +0,0 @@
-## 0.4.25
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.25
+lastReleaseVersion: 0.4.21

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.25
+version: 0.4.22-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 0.6.17
-
-No user-facing changes.
-
-## 0.6.16
-
-No user-facing changes.
-
-## 0.6.15
-
-No user-facing changes.
-
-## 0.6.14
-
-No user-facing changes.
-
 ## 0.6.13
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.14.md

@@ -1,3 +0,0 @@
-## 0.6.14
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.15.md

@@ -1,3 +0,0 @@
-## 0.6.15
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.16.md

@@ -1,3 +0,0 @@
-## 0.6.16
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.17.md

@@ -1,3 +0,0 @@
-## 0.6.17
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.17
+lastReleaseVersion: 0.6.13

actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

@@ -1,5 +1,5 @@
 /**
- * @name Artifact Poisoning (Path Traversal)
+ * @name Artifact Poisoning (Path Traversal).
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind problem
  * @problem.severity error

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.17
+version: 0.6.14-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

config/identical-files.json

@@ -276,12 +276,5 @@
   "Python model summaries test extension": [
     "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
-  ],
-  "XML discard predicates": [
-    "javascript/ql/lib/semmle/javascript/internal/OverlayXml.qll",
-    "java/ql/lib/semmle/code/java/internal/OverlayXml.qll",
-    "go/ql/lib/semmle/go/internal/OverlayXml.qll",
-    "python/ql/lib/semmle/python/internal/OverlayXml.qll",
-    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll"
   ]
 }

cpp/ql/lib/CHANGELOG.md

@@ -1,21 +1,3 @@
-## 6.1.4
-
-No user-facing changes.
-
-## 6.1.3
-
-No user-facing changes.
-
-## 6.1.2
-
-No user-facing changes.
-
-## 6.1.1
-
-### Minor Analysis Improvements
-
-* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.
-
 ## 6.1.0
 
 ### New Features

cpp/ql/lib/change-notes/2025-11-19-content.md

@@ -1,5 +1,4 @@
-## 6.1.1
-
-### Minor Analysis Improvements
-
-* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.
+---
+category: minorAnalysis
+---
+* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.

cpp/ql/lib/change-notes/released/6.1.2.md

@@ -1,3 +0,0 @@
-## 6.1.2
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/6.1.3.md

@@ -1,3 +0,0 @@
-## 6.1.3
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/6.1.4.md

@@ -1,3 +0,0 @@
-## 6.1.4
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.1.4
+lastReleaseVersion: 6.1.0

cpp/ql/lib/cpp.qll

@@ -74,4 +74,3 @@ import semmle.code.cpp.Preprocessor
 import semmle.code.cpp.Iteration
 import semmle.code.cpp.NameQualifiers
 import DefaultOptions
-private import semmle.code.cpp.internal.Overlay

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 6.1.4
+version: 6.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -15,17 +15,16 @@
  * reading.
  * 1. The `namespace` column selects a namespace.
  * 2. The `type` column selects a type within that namespace. This column can
- *    introduce template type names that can be mentioned in the `signature` column.
+ *    introduce template names that can be mentioned in the `signature` column.
  *    For example, `vector<T,Allocator>` introduces the template names `T` and
- *    `Allocator`. Non-type template parameters cannot be specified.
+ *    `Allocator`.
  * 3. The `subtypes` is a boolean that indicates whether to jump to an
  *    arbitrary subtype of that type. Set this to `false` if leaving the `type`
  *    blank (for example, a free function).
  * 4. The `name` column optionally selects a specific named member of the type.
- *    Like the `type` column, this column can introduce template type names
- *    that can be mentioned in the `signature` column. For example,
- *    `insert<InputIt>` introduces the template name `InputIt`. Non-type
- *    template parameters cannot be specified.
+ *    Like the `type` column, this column can introduce template names that can
+ *    be mentioned in the `signature` column. For example, `insert<InputIt>`
+ *    introduces the template name `InputIt`.
  * 5. The `signature` column optionally restricts the named member. If
  *    `signature` is blank then no such filtering is done. The format of the
  *    signature is a comma-separated list of types enclosed in parentheses. The
@@ -634,28 +633,6 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canon
   canonical = true
 }
 
-/**
- * Gets the largest index of a template parameter of `templateFunction` that
- * is a type template parameter.
- */
-private int getLastTypeTemplateFunctionParameterIndex(Function templateFunction) {
-  result =
-    max(int index | templateFunction.getTemplateArgument(index) instanceof TypeTemplateParameter)
-}
-
-/** Gets the number of supported template parameters for `templateFunction`. */
-private int getNumberOfSupportedFunctionTemplateArguments(Function templateFunction) {
-  result = count(int i | exists(getSupportedFunctionTemplateArgument(templateFunction, i)) | i)
-}
-
-/** Gets the `i`'th supported template parameter for `templateFunction`. */
-private Locatable getSupportedFunctionTemplateArgument(Function templateFunction, int i) {
-  result = templateFunction.getTemplateArgument(i) and
-  // We don't yet support non-type template parameters in the middle of a
-  // template parameter list
-  i <= getLastTypeTemplateFunctionParameterIndex(templateFunction)
-}
-
 /**
  * Normalize the `n`'th parameter of `f` by replacing template names
  * with `func:N` (where `N` is the index of the template).
@@ -663,41 +640,18 @@ private Locatable getSupportedFunctionTemplateArgument(Function templateFunction
 private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remaining) {
   exists(Function templateFunction |
     templateFunction = getFullyTemplatedFunction(f) and
-    remaining = getNumberOfSupportedFunctionTemplateArguments(templateFunction) and
+    remaining = templateFunction.getNumberOfTemplateArguments() and
     result = getParameterTypeWithoutTemplateArguments(templateFunction, n, _)
   )
   or
   exists(string mid, TypeTemplateParameter tp, Function templateFunction |
     mid = getTypeNameWithoutFunctionTemplates(f, n, remaining + 1) and
     templateFunction = getFullyTemplatedFunction(f) and
-    tp = getSupportedFunctionTemplateArgument(templateFunction, remaining)
-  |
+    tp = templateFunction.getTemplateArgument(remaining) and
     result = mid.replaceAll(tp.getName(), "func:" + remaining.toString())
   )
 }
 
-/**
- * Gets the largest index of a template parameter of `templateClass` that
- * is a type template parameter.
- */
-private int getLastTypeTemplateClassParameterIndex(Class templateClass) {
-  result =
-    max(int index | templateClass.getTemplateArgument(index) instanceof TypeTemplateParameter)
-}
-
-/** Gets the `i`'th supported template parameter for `templateClass`. */
-private Locatable getSupportedClassTemplateArgument(Class templateClass, int i) {
-  result = templateClass.getTemplateArgument(i) and
-  // We don't yet support non-type template parameters in the middle of a
-  // template parameter list
-  i <= getLastTypeTemplateClassParameterIndex(templateClass)
-}
-
-/** Gets the number of supported template parameters for `templateClass`. */
-private int getNumberOfSupportedClassTemplateArguments(Class templateClass) {
-  result = count(int i | exists(getSupportedClassTemplateArgument(templateClass, i)) | i)
-}
-
 /**
  * Normalize the `n`'th parameter of `f` by replacing template names
  * with `class:N` (where `N` is the index of the template).
@@ -707,7 +661,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
     isClassConstructedFrom(f.getDeclaringType(), template) and
-    remaining = getNumberOfSupportedClassTemplateArguments(template) and
+    remaining = template.getNumberOfTemplateArguments() and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
   or
@@ -719,8 +673,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
     isClassConstructedFrom(f.getDeclaringType(), template) and
-    tp = getSupportedClassTemplateArgument(template, remaining)
-  |
+    tp = template.getTemplateArgument(remaining) and
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())
   )
 }

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -1,60 +0,0 @@
-/**
- * Defines entity discard predicates for C++ overlay analysis.
- */
-
-/**
- * Holds always for the overlay variant and never for the base variant.
- * This local predicate is used to define local predicates that behave
- * differently for the base and overlay variant.
- */
-overlay[local]
-predicate isOverlay() { databaseMetadata("isOverlay", "true") }
-
-overlay[local]
-private string getLocationFilePath(@location_default loc) {
-  exists(@file file | locations_default(loc, file, _, _, _, _) | files(file, result))
-}
-
-/**
- * Gets the file path for an element with a single location.
- */
-overlay[local]
-private string getSingleLocationFilePath(@element e) {
-  // @var_decl has a direct location in the var_decls relation
-  exists(@location_default loc | var_decls(e, _, _, _, loc) | result = getLocationFilePath(loc))
-  //TODO: add other kinds of elements with single locations
-}
-
-/**
- * Gets the file path for an element with potentially multiple locations.
- */
-overlay[local]
-private string getMultiLocationFilePath(@element e) {
-  // @variable gets its location(s) from its @var_decl(s)
-  exists(@var_decl vd, @location_default loc | var_decls(vd, e, _, _, loc) |
-    result = getLocationFilePath(loc)
-  )
-  //TODO: add other kinds of elements with multiple locations
-}
-
-/**
- * A local helper predicate that holds in the base variant and never in the
- * overlay variant.
- */
-overlay[local]
-private predicate holdsInBase() { not isOverlay() }
-
-/**
- * Discards an element from the base variant if:
- * - It has a single location in a changed file, or
- * - All of its locations are in changed files.
- */
-overlay[discard_entity]
-private predicate discardElement(@element e) {
-  holdsInBase() and
-  (
-    overlayChangedFiles(getSingleLocationFilePath(e))
-    or
-    forex(string path | path = getMultiLocationFilePath(e) | overlayChangedFiles(path))
-  )
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -2078,151 +2078,38 @@ predicate localExprFlow(Expr e1, Expr e2) {
   localExprFlowPlus(e1, e2)
 }
 
-/**
- * A canonical representation of a field.
- *
- * For performance reasons we want a unique `Content` that represents
- * a given field across any template instantiation of a class.
- *
- * This is possible in _almost_ all cases, but there are cases where it is
- * not possible to map between a field in the uninstantiated template to a
- * field in the instantiated template. This happens in the case of local class
- * definitions (because the local class is not the template that constructs
- * the instantiation - it is the enclosing function). So this abstract class
- * has two implementations: a non-local case (where we can represent a
- * canonical field as the field declaration from an uninstantiated class
- * template or a non-templated class), and a local case (where we simply use
- * the field from the instantiated class).
- */
-abstract private class CanonicalField extends Field {
-  /** Gets a field represented by this canonical field. */
-  abstract Field getAField();
-
-  /**
-   * Gets a class that declares a field represented by this canonical field.
-   */
-  abstract Class getADeclaringType();
-
-  /**
-   * Gets a type that this canonical field may have. Note that this may
-   * not be a unique type. For example, consider this case:
-   * ```
-   * template<typename T>
-   * struct S { T x; };
-   *
-   * S<int> s1;
-   * S<char> s2;
-   * ```
-   * In this case the canonical field corresponding to `S::x` has two types:
-   * `int` and `char`.
-   */
-  Type getAType() { result = this.getAField().getType() }
-
-  Type getAnUnspecifiedType() { result = this.getAType().getUnspecifiedType() }
-}
-
-private class NonLocalCanonicalField extends CanonicalField {
-  Class declaringType;
-
-  NonLocalCanonicalField() {
-    declaringType = this.getDeclaringType() and
-    not declaringType.isFromTemplateInstantiation(_) and
-    not declaringType.isLocal() // handled in LocalCanonicalField
-  }
-
-  override Field getAField() {
-    exists(Class c | result.getDeclaringType() = c |
-      // Either the declaring class of the field is a template instantiation
-      // that has been constructed from this canonical declaration
-      c.isConstructedFrom(declaringType) and
-      pragma[only_bind_out](result.getName()) = pragma[only_bind_out](this.getName())
-      or
-      // or this canonical declaration is not a template.
-      not c.isConstructedFrom(_) and
-      result = this
-    )
-  }
-
-  override Class getADeclaringType() {
-    result = this.getDeclaringType()
-    or
-    result.isConstructedFrom(this.getDeclaringType())
-  }
-}
-
-private class LocalCanonicalField extends CanonicalField {
-  Class declaringType;
-
-  LocalCanonicalField() {
-    declaringType = this.getDeclaringType() and
-    declaringType.isLocal()
-  }
-
-  override Field getAField() { result = this }
-
-  override Class getADeclaringType() { result = declaringType }
-}
-
-/**
- * A canonical representation of a `Union`. See `CanonicalField` for the explanation for
- * why we need a canonical representation.
- */
-abstract private class CanonicalUnion extends Union {
-  /** Gets a union represented by this canonical union. */
-  abstract Union getAUnion();
-
-  /** Gets a canonical field of this canonical union. */
-  CanonicalField getACanonicalField() { result.getDeclaringType() = this }
-}
-
-private class NonLocalCanonicalUnion extends CanonicalUnion {
-  NonLocalCanonicalUnion() { not this.isFromTemplateInstantiation(_) and not this.isLocal() }
-
-  override Union getAUnion() {
-    result = this
-    or
-    result.isConstructedFrom(this)
-  }
-}
-
-private class LocalCanonicalUnion extends CanonicalUnion {
-  LocalCanonicalUnion() { this.isLocal() }
-
-  override Union getAUnion() { result = this }
-}
-
 bindingset[f]
 pragma[inline_late]
-private int getFieldSize(CanonicalField f) { result = max(f.getAType().getSize()) }
+private int getFieldSize(Field f) { result = f.getType().getSize() }
 
 /**
  * Gets a field in the union `u` whose size
  * is `bytes` number of bytes.
  */
-private CanonicalField getAFieldWithSize(CanonicalUnion u, int bytes) {
-  result = u.getACanonicalField() and
+private Field getAFieldWithSize(Union u, int bytes) {
+  result = u.getAField() and
   bytes = getFieldSize(result)
 }
 
 cached
 private newtype TContent =
-  TNonUnionContent(CanonicalField f, int indirectionIndex) {
+  TNonUnionContent(Field f, int indirectionIndex) {
     // the indirection index for field content starts at 1 (because `TNonUnionContent` is thought of as
     // the address of the field, `FieldAddress` in the IR).
-    indirectionIndex = [1 .. max(SsaImpl::getMaxIndirectionsForType(f.getAnUnspecifiedType()))] and
+    indirectionIndex = [1 .. SsaImpl::getMaxIndirectionsForType(f.getUnspecifiedType())] and
     // Reads and writes of union fields are tracked using `UnionContent`.
     not f.getDeclaringType() instanceof Union
   } or
-  TUnionContent(CanonicalUnion u, int bytes, int indirectionIndex) {
-    exists(CanonicalField f |
-      f = u.getACanonicalField() and
+  TUnionContent(Union u, int bytes, int indirectionIndex) {
+    exists(Field f |
+      f = u.getAField() and
       bytes = getFieldSize(f) and
       // We key `UnionContent` by the union instead of its fields since a write to one
       // field can be read by any read of the union's fields. Again, the indirection index
       // is 1-based (because 0 is considered the address).
       indirectionIndex =
         [1 .. max(SsaImpl::getMaxIndirectionsForType(getAFieldWithSize(u, bytes)
-                    .getAnUnspecifiedType())
+                    .getUnspecifiedType())
           )]
     )
   } or
@@ -2288,12 +2175,8 @@ class FieldContent extends Content, TFieldContent {
 
   /**
    * Gets the field associated with this `Content`, if a unique one exists.
-   *
-   * For fields from template instantiations this predicate may still return
-   * more than one field, but all the fields will be constructed from the same
-   * template.
    */
-  Field getField() { none() } // overridden in subclasses
+  final Field getField() { result = unique( | | this.getAField()) }
 
   override int getIndirectionIndex() { none() } // overridden in subclasses
 
@@ -2304,33 +2187,32 @@ class FieldContent extends Content, TFieldContent {
 
 /** A reference through a non-union instance field. */
 class NonUnionFieldContent extends FieldContent, TNonUnionContent {
-  private CanonicalField f;
+  private Field f;
   private int indirectionIndex;
 
   NonUnionFieldContent() { this = TNonUnionContent(f, indirectionIndex) }
 
   override string toString() { result = contentStars(this) + f.toString() }
 
-  final override Field getField() { result = f.getAField() }
-
-  override Field getAField() { result = this.getField() }
+  override Field getAField() { result = f }
 
   /** Gets the indirection index of this `FieldContent`. */
   override int getIndirectionIndex() { result = indirectionIndex }
 
   override predicate impliesClearOf(Content c) {
-    exists(int i |
-      c = TNonUnionContent(f, i) and
+    exists(FieldContent fc |
+      fc = c and
+      fc.getField() = f and
       // If `this` is `f` then `c` is cleared if it's of the
       // form `*f`, `**f`, etc.
-      i >= indirectionIndex
+      fc.getIndirectionIndex() >= indirectionIndex
     )
   }
 }
 
 /** A reference through an instance field of a union. */
 class UnionContent extends FieldContent, TUnionContent {
-  private CanonicalUnion u;
+  private Union u;
   private int indirectionIndex;
   private int bytes;
 
@@ -2338,31 +2220,24 @@ class UnionContent extends FieldContent, TUnionContent {
 
   override string toString() { result = contentStars(this) + u.toString() }
 
-  final override Field getField() { result = unique( | | u.getACanonicalField()).getAField() }
-
   /** Gets a field of the underlying union of this `UnionContent`, if any. */
-  override Field getAField() {
-    exists(CanonicalField cf |
-      cf = u.getACanonicalField() and
-      result = cf.getAField() and
-      getFieldSize(cf) = bytes
-    )
-  }
+  override Field getAField() { result = u.getAField() and getFieldSize(result) = bytes }
 
   /** Gets the underlying union of this `UnionContent`. */
-  Union getUnion() { result = u.getAUnion() }
+  Union getUnion() { result = u }
 
   /** Gets the indirection index of this `UnionContent`. */
   override int getIndirectionIndex() { result = indirectionIndex }
 
   override predicate impliesClearOf(Content c) {
-    exists(int i |
-      c = TUnionContent(u, _, i) and
+    exists(UnionContent uc |
+      uc = c and
+      uc.getUnion() = u and
       // If `this` is `u` then `c` is cleared if it's of the
       // form `*u`, `**u`, etc. (and we ignore `bytes` because
       // we know the entire union is overwritten because it's a
       // union).
-      i >= indirectionIndex
+      uc.getIndirectionIndex() >= indirectionIndex
     )
   }
 }

cpp/ql/src/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 1.5.8
-
-No user-facing changes.
-
-## 1.5.7
-
-No user-facing changes.
-
-## 1.5.6
-
-No user-facing changes.
-
-## 1.5.5
-
-No user-facing changes.
-
 ## 1.5.4
 
 No user-facing changes.

cpp/ql/src/change-notes/released/1.5.5.md

@@ -1,3 +0,0 @@
-## 1.5.5
-
-No user-facing changes.

cpp/ql/src/change-notes/released/1.5.6.md

@@ -1,3 +0,0 @@
-## 1.5.6
-
-No user-facing changes.

cpp/ql/src/change-notes/released/1.5.7.md

@@ -1,3 +0,0 @@
-## 1.5.7
-
-No user-facing changes.

cpp/ql/src/change-notes/released/1.5.8.md

@@ -1,3 +0,0 @@
-## 1.5.8
-
-No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.8
+lastReleaseVersion: 1.5.4

cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use convert function
+ * @name Dangerous use convert function.
  * @description Using convert function with an invalid length argument can result in an out-of-bounds access error or unexpected result.
  * @kind problem
  * @id cpp/dangerous-use-convert-function

cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use of transformation after operation
+ * @name Dangerous use of transformation after operation.
  * @description By using the transformation after the operation, you are doing a pointless and dangerous action.
  * @kind problem
  * @id cpp/dangerous-use-of-transformation-after-operation

cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql

@@ -1,5 +1,5 @@
 /**
- * @name Writing to a file without setting permissions
+ * @name Writing to a file without setting permissions.
  * @description Lack of restriction on file access rights can be unsafe.
  * @kind problem
  * @id cpp/work-with-file-without-permissions-rights

cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql

@@ -1,5 +1,5 @@
 /**
- * @name Find work with changing working directories, with security errors
+ * @name Find work with changing working directories, with security errors.
  * @description Not validating the return value or pinning the directory can be unsafe.
  * @kind problem
  * @id cpp/work-with-changing-working-directories

cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql

@@ -1,5 +1,5 @@
 /**
- * @name Find the wrong use of the umask function
+ * @name Find the wrong use of the umask function.
  * @description Incorrectly evaluated argument to the umask function may have security implications.
  * @kind problem
  * @id cpp/wrong-use-of-the-umask

cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql

@@ -1,5 +1,5 @@
 /**
- * @name Insecure generation of filenames
+ * @name Insecure generation of filenames.
  * @description Using a predictable filename when creating a temporary file can lead to an attacker-controlled input.
  * @kind problem
  * @id cpp/insecure-generation-of-filename

cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use of exception blocks
+ * @name Dangerous use of exception blocks.
  * @description When clearing the data in the catch block, you must be sure that the memory was allocated before the exception.
  * @kind problem
  * @id cpp/dangerous-use-of-exception-blocks

cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use SSL_shutdown
+ * @name Dangerous use SSL_shutdown.
  * @description Incorrect closing of the connection leads to the creation of different states for the server and client, which can be exploited by an attacker.
  * @kind problem
  * @id cpp/dangerous-use-of-ssl-shutdown

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.8
+version: 1.5.5-dev
 groups:
   - cpp
   - queries

cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture content based summary models
+ * @name Capture content based summary models.
  * @description Finds applicable content based summary models to be used by other queries.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/contentbased-summary-models

cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture neutral models
+ * @name Capture neutral models.
  * @description Finds neutral models to be used by other queries.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/neutral-models

cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture sink models
+ * @name Capture sink models.
  * @description Finds public methods that act as sinks as they flow into a known sink.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/sink-models

cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture source models
+ * @name Capture source models.
  * @description Finds APIs that act as sources as they expose already known sources.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/source-models

cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture summary models
+ * @name Capture summary models.
  * @description Finds applicable summary models to be used by other queries.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/summary-models

cpp/ql/test/library-tests/attributes/deprecated_with_msg/deprecated_with_msg.expected

@@ -1,2 +1,4 @@
 | clang421.c:1:12:1:19 | clang421 | 0 |
 | clang450.c:1:12:1:19 | clang450 | 1 |
+| gcc421.c:1:12:1:17 | gcc421 | 0 |
+| gcc450.c:1:12:1:17 | gcc450 | 1 |

cpp/ql/test/library-tests/attributes/deprecated_with_msg/gcc421.c

@@ -0,0 +1,2 @@
+static int gcc421 = __has_feature(attribute_deprecated_with_message);
+// semmle-extractor-options: --gnu_version 40201

cpp/ql/test/library-tests/attributes/deprecated_with_msg/gcc450.c

@@ -0,0 +1,2 @@
+static int gcc450 = __has_feature(attribute_deprecated_with_message);
+// semmle-extractor-options: --gnu_version 40500

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -30,14 +30,13 @@ models
 | 29 | Summary: ; ; false; RtlMoveMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
 | 30 | Summary: ; ; false; RtlMoveVolatileMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
 | 31 | Summary: ; ; false; callWithArgument; ; ; Argument[1]; Argument[0].Parameter[0]; value; manual |
-| 32 | Summary: ; ; false; callWithNonTypeTemplate<T>; (const T &); ; Argument[*0]; ReturnValue; value; manual |
-| 33 | Summary: ; ; false; pthread_create; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
-| 34 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
-| 35 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
-| 36 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 37 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 32 | Summary: ; ; false; pthread_create; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
+| 33 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
+| 34 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
+| 35 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
+| 36 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:37 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:36 |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:17  |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:17 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
@@ -46,10 +45,10 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:37 |
-| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:35 |
-| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:34 |
-| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:36 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:36 |
+| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:34 |
+| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:33 |
+| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:35 |
 | test.cpp:7:47:7:52 | value2 | test.cpp:7:64:7:69 | value2 | provenance |  |
 | test.cpp:7:64:7:69 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:16  |
@@ -61,15 +60,15 @@ edges
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | provenance |  |
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:1 |
 | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | provenance |  |
-| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:35 |
+| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:34 |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance |  |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:1 |
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | provenance |  |
-| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:34 |
+| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:33 |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance |  |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | provenance |  |
-| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:36 |
+| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:35 |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:1 |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | provenance |  |
@@ -77,7 +76,7 @@ edges
 | test.cpp:46:30:46:32 | *arg [x] | test.cpp:47:12:47:19 | *arg [x] | provenance |  |
 | test.cpp:47:12:47:19 | *arg [x] | test.cpp:48:13:48:13 | *s [x] | provenance |  |
 | test.cpp:48:13:48:13 | *s [x] | test.cpp:48:16:48:16 | x | provenance | Sink:MaD:1 |
-| test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | provenance | MaD:33 |
+| test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | provenance | MaD:32 |
 | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | test.cpp:46:30:46:32 | *arg [x] | provenance |  |
 | test.cpp:56:2:56:2 | *s [post update] [x] | test.cpp:59:55:59:64 | *& ... [x] | provenance |  |
 | test.cpp:56:2:56:18 | ... = ... | test.cpp:56:2:56:2 | *s [post update] [x] | provenance |  |
@@ -104,13 +103,6 @@ edges
 | test.cpp:101:26:101:26 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
 | test.cpp:103:63:103:63 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
 | test.cpp:104:62:104:62 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
-| test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | provenance | MaD:32 |
-| test.cpp:114:10:114:18 | call to ymlSource | test.cpp:114:10:114:18 | call to ymlSource | provenance | Src:MaD:16  |
-| test.cpp:114:10:114:18 | call to ymlSource | test.cpp:118:44:118:44 | *x | provenance |  |
-| test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance |  |
-| test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 |
-| test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance |  |
-| test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:32 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:18 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
@@ -322,14 +314,6 @@ nodes
 | test.cpp:101:26:101:26 | x | semmle.label | x |
 | test.cpp:103:63:103:63 | x | semmle.label | x |
 | test.cpp:104:62:104:62 | x | semmle.label | x |
-| test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | semmle.label | [summary param] *0 in callWithNonTypeTemplate |
-| test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | semmle.label | [summary] to write: ReturnValue in callWithNonTypeTemplate |
-| test.cpp:114:10:114:18 | call to ymlSource | semmle.label | call to ymlSource |
-| test.cpp:114:10:114:18 | call to ymlSource | semmle.label | call to ymlSource |
-| test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
-| test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
-| test.cpp:118:44:118:44 | *x | semmle.label | *x |
-| test.cpp:119:10:119:11 | y2 | semmle.label | y2 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
 | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
@@ -488,7 +472,6 @@ subpaths
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
-| test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
 | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument |
 | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument |

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -17,5 +17,4 @@ extensions:
       - ["", "", False, "ymlStepGenerated", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["", "", False, "ymlStepManual_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
-      - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
-      - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -13,5 +13,3 @@
 | test.cpp:75:11:75:11 | y | test-sink |
 | test.cpp:83:11:83:11 | y | test-sink |
 | test.cpp:89:11:89:11 | y | test-sink |
-| test.cpp:116:10:116:11 | y1 | test-sink |
-| test.cpp:119:10:119:11 | y2 | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -2,7 +2,6 @@
 | test.cpp:10:10:10:18 | call to ymlSource | local |
 | test.cpp:56:8:56:16 | call to ymlSource | local |
 | test.cpp:94:10:94:18 | call to ymlSource | local |
-| test.cpp:114:10:114:18 | call to ymlSource | local |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
 | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -102,19 +102,4 @@ void test_callWithArgument() {
 	}
 	callWithArgument(StructWithOperatorCall_has_constructor_2(), x);
 	callWithArgument(StructWithOperatorCall_no_constructor_2(), x);
-}
-
-template<int N, typename T>
-T callWithNonTypeTemplate(const T&);
-
-template<typename T, int N>
-T callWithNonTypeTemplate(const T&);
-
-void test_callWithNonTypeTemplate() {
-	int x = ymlSource();
-	int y1 = callWithNonTypeTemplate<10, int>(x);
-	ymlSink(y1); // $ MISSING: ir
-
-	int y2 = callWithNonTypeTemplate<int, 10>(x);
-	ymlSink(y2); // $ ir
-}
+}

cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected

@@ -142,7 +142,6 @@ postWithInFlow
 | simple.cpp:92:7:92:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:118:7:118:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:124:5:124:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| simple.cpp:167:9:167:9 | x [post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected

@@ -308,5 +308,3 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (par
 | simple.cpp:124:5:124:6 | * ... | AST only |
 | simple.cpp:131:14:131:14 | a | IR only |
 | simple.cpp:136:10:136:10 | a | IR only |
-| simple.cpp:167:9:167:9 | x | AST only |
-| simple.cpp:168:8:168:12 | u_int | IR only |

cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected

@@ -670,8 +670,6 @@
 | simple.cpp:131:14:131:14 | a |
 | simple.cpp:135:20:135:20 | q |
 | simple.cpp:136:10:136:10 | a |
-| simple.cpp:167:3:167:7 | u_int |
-| simple.cpp:168:8:168:12 | u_int |
 | struct_init.c:15:8:15:9 | ab |
 | struct_init.c:15:12:15:12 | a |
 | struct_init.c:16:8:16:9 | ab |

cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected

@@ -597,8 +597,6 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (par
 | simple.cpp:118:7:118:7 | i |
 | simple.cpp:124:5:124:6 | * ... |
 | simple.cpp:135:20:135:20 | q |
-| simple.cpp:167:3:167:7 | u_int |
-| simple.cpp:167:9:167:9 | x |
 | struct_init.c:15:8:15:9 | ab |
 | struct_init.c:15:12:15:12 | a |
 | struct_init.c:16:8:16:9 | ab |

cpp/ql/test/library-tests/dataflow/fields/simple.cpp

@@ -136,36 +136,4 @@ void alias_with_fields(bool b) {
     sink(a.i); // $ MISSING: ast,ir
 }
 
-template<typename T>
-union U_with_two_instantiations_of_different_size {
-  int x;
-  T y;
-};
-
-struct LargeStruct {
-  int data[64];
-};
-
-void test_union_with_two_instantiations_of_different_sizes() {
-  // A union's fields is partitioned into "chunks" for field-flow in order to
-  // improve performance (so that a write to a field of a union does not flow
-  // to too many reads that don't happen at runtime). The partitioning is based
-  // the size of the types in the union. So a write to a field of size k only
-  // flows to a read of size k.
-  // Since field-flow is based on uninstantiated types a field can have
-  // multiple sizes if the union is instantiated with types of
-  // different sizes. So to compute the partition we pick the maximum size.
-  // Because of this there are `Content`s corresponding to the union
-  // `U_with_two_instantiations_of_different_size<T>`: The one for size
-  // `sizeof(int)`, and the one for size `sizeof(LargeStruct)` (because
-  // `LargeStruct` is larger than `int`). So the write to `x` writes to the
-  // `Content` for size `sizeof(int)`, and the read of `y` reads from the
-  // `Content` for size `sizeof(LargeStruct)`.
-  U_with_two_instantiations_of_different_size<int> u_int;
-  U_with_two_instantiations_of_different_size<LargeStruct> u_very_large;
-
-  u_int.x = user_input();
-  sink(u_int.y); // $ MISSING: ir
-}
-
 } // namespace Simple

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -26843,24 +26843,6 @@ getParameterTypeName
 | atl.cpp:71:5:71:17 | _U_STRINGorID | 0 | unsigned int |
 | atl.cpp:72:5:72:17 | _U_STRINGorID | 0 | LPCTSTR |
 | atl.cpp:72:5:72:17 | _U_STRINGorID | 0 | const char * |
-| atl.cpp:96:5:96:10 | CA2AEX | 0 | LPCSTR |
-| atl.cpp:96:5:96:10 | CA2AEX | 0 | const char * |
-| atl.cpp:96:5:96:10 | CA2AEX | 1 | UINT |
-| atl.cpp:96:5:96:10 | CA2AEX | 1 | unsigned int |
-| atl.cpp:97:5:97:10 | CA2AEX | 0 | LPCSTR |
-| atl.cpp:97:5:97:10 | CA2AEX | 0 | const char * |
-| atl.cpp:124:5:124:11 | CA2CAEX | 0 | LPCSTR |
-| atl.cpp:124:5:124:11 | CA2CAEX | 0 | const char * |
-| atl.cpp:124:5:124:11 | CA2CAEX | 1 | UINT |
-| atl.cpp:124:5:124:11 | CA2CAEX | 1 | unsigned int |
-| atl.cpp:125:5:125:11 | CA2CAEX | 0 | LPCSTR |
-| atl.cpp:125:5:125:11 | CA2CAEX | 0 | const char * |
-| atl.cpp:149:5:149:10 | CA2WEX | 0 | LPCSTR |
-| atl.cpp:149:5:149:10 | CA2WEX | 0 | const char * |
-| atl.cpp:149:5:149:10 | CA2WEX | 1 | UINT |
-| atl.cpp:149:5:149:10 | CA2WEX | 1 | unsigned int |
-| atl.cpp:150:5:150:10 | CA2WEX | 0 | LPCSTR |
-| atl.cpp:150:5:150:10 | CA2WEX | 0 | const char * |
 | atl.cpp:196:12:196:14 | Add | 0 | INARGTYPclass:0 |
 | atl.cpp:198:12:198:17 | Append | 0 | const CAtlArray & |
 | atl.cpp:199:10:199:13 | Copy | 0 | const CAtlArray & |
@@ -27101,10 +27083,6 @@ getParameterTypeName
 | atl.cpp:940:10:940:18 | SetString | 0 | PCXSTR |
 | atl.cpp:940:10:940:18 | SetString | 0 | const class:0 * |
 | atl.cpp:942:11:942:20 | operator[] | 0 | int |
-| atl.cpp:1018:10:1018:10 | operator= | 0 | MakeOther && |
-| atl.cpp:1018:10:1018:10 | operator= | 0 | const MakeOther & |
-| atl.cpp:1023:10:1023:10 | operator= | 0 | MakeOther && |
-| atl.cpp:1023:10:1023:10 | operator= | 0 | const MakeOther & |
 | atl.cpp:1036:5:1036:12 | CStringT | 0 | const VARIANT & |
 | atl.cpp:1036:5:1036:12 | CStringT | 0 | const tagVARIANT & |
 | atl.cpp:1037:5:1037:12 | CStringT | 0 | const VARIANT & |
@@ -27308,8 +27286,6 @@ getParameterTypeName
 | standalone_iterators.cpp:20:7:20:7 | operator= | 0 | const int_iterator_by_trait & |
 | standalone_iterators.cpp:20:7:20:7 | operator= | 0 | int_iterator_by_trait && |
 | standalone_iterators.cpp:23:27:23:36 | operator++ | 0 | int |
-| standalone_iterators.cpp:28:13:28:13 | operator= | 0 | const iterator_traits & |
-| standalone_iterators.cpp:28:13:28:13 | operator= | 0 | iterator_traits && |
 | standalone_iterators.cpp:36:7:36:7 | operator= | 0 | const non_iterator & |
 | standalone_iterators.cpp:36:7:36:7 | operator= | 0 | non_iterator && |
 | standalone_iterators.cpp:39:18:39:27 | operator++ | 0 | int |
@@ -27321,8 +27297,6 @@ getParameterTypeName
 | standalone_iterators.cpp:66:30:66:39 | operator++ | 0 | int |
 | standalone_iterators.cpp:68:30:68:39 | operator-- | 0 | int |
 | standalone_iterators.cpp:70:31:70:39 | operator= | 0 | int |
-| standalone_iterators.cpp:74:13:74:13 | operator= | 0 | const iterator_traits & |
-| standalone_iterators.cpp:74:13:74:13 | operator= | 0 | iterator_traits && |
 | standalone_iterators.cpp:82:7:82:7 | container | 0 | const container & |
 | standalone_iterators.cpp:82:7:82:7 | container | 0 | container && |
 | standalone_iterators.cpp:82:7:82:7 | operator= | 0 | const container & |

cpp/ql/test/library-tests/variables/variables/variable.expected

@@ -2,10 +2,10 @@
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | address && | SemanticStackVariable |  |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | const __va_list_tag & | SemanticStackVariable |  |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | const address & | SemanticStackVariable |  |  |
-| file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int | NonLocalCanonicalField |  |  |
-| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int | NonLocalCanonicalField |  |  |
-| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * | NonLocalCanonicalField |  |  |
-| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * | NonLocalCanonicalField |  |  |
+| file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int | Field |  |  |
+| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int | Field |  |  |
+| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * | Field |  |  |
+| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * | Field |  |  |
 | variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable |  |  |
 | variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable |  |  |
 | variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable |  |  |
@@ -33,10 +33,10 @@
 | variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable |  |  |
 | variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | LocalVariable, SemanticStackVariable |  |  |
 | variables.cpp:43:14:43:18 | local | file://:0:0:0:0 | int | GlobalLikeVariable, StaticLocalVariable |  | static |
-| variables.cpp:48:9:48:12 | name | file://:0:0:0:0 | char * | NonLocalCanonicalField |  |  |
-| variables.cpp:49:12:49:17 | number | file://:0:0:0:0 | long | NonLocalCanonicalField |  |  |
-| variables.cpp:50:9:50:14 | street | file://:0:0:0:0 | char * | NonLocalCanonicalField |  |  |
-| variables.cpp:51:9:51:12 | town | file://:0:0:0:0 | char * | NonLocalCanonicalField |  |  |
+| variables.cpp:48:9:48:12 | name | file://:0:0:0:0 | char * | Field |  |  |
+| variables.cpp:49:12:49:17 | number | file://:0:0:0:0 | long | Field |  |  |
+| variables.cpp:50:9:50:14 | street | file://:0:0:0:0 | char * | Field |  |  |
+| variables.cpp:51:9:51:12 | town | file://:0:0:0:0 | char * | Field |  |  |
 | variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | MemberVariable, StaticStorageDurationVariable |  | static |
 | variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable |  |  |
 | variables.cpp:60:10:60:17 | __func__ | file://:0:0:0:0 | const char[9] | GlobalLikeVariable, StaticInitializedStaticLocalVariable |  | static |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected

@@ -1,10 +1,6 @@
 | overflowdestination.cpp:46:2:46:7 | call to memcpy | This 'memcpy' operation accesses 128 bytes but the $@ is only 64 bytes. | overflowdestination.cpp:40:7:40:10 | dest | destination buffer |
 | tests.cpp:23:2:23:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:19:7:19:17 | smallbuffer | source buffer |
 | tests.cpp:25:2:25:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:19:7:19:17 | smallbuffer | destination buffer |
-| tests.cpp:34:2:34:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:30:30:30:35 | call to malloc | source buffer |
-| tests.cpp:36:2:36:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:30:30:30:35 | call to malloc | destination buffer |
-| tests.cpp:50:2:50:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:46:16:46:27 | new[] | source buffer |
-| tests.cpp:52:2:52:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:46:16:46:27 | new[] | destination buffer |
 | tests.cpp:172:23:172:31 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:170:17:170:41 | {...} | array |
 | tests.cpp:176:23:176:30 | access to array | This array indexing operation accesses byte offset 31 but the $@ is only 24 bytes. | tests.cpp:170:17:170:41 | {...} | array |
 | tests.cpp:222:3:222:8 | call to memset | This 'memset' operation accesses 33 bytes but the $@ is only 32 bytes. | tests.cpp:214:8:214:14 | buffer1 | destination buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp

@@ -30,10 +30,10 @@ void test2()
 	char *smallbuffer = (char *)malloc(sizeof(char) * 10);
 	char *bigbuffer = (char *)malloc(sizeof(char) * 20);
 
-	memcpy(bigbuffer, smallbuffer, sizeof(char) * 10); // GOOD
-	memcpy(bigbuffer, smallbuffer, sizeof(char) * 20); // BAD: over-read
-	memcpy(smallbuffer, bigbuffer, sizeof(char) * 10); // GOOD
-	memcpy(smallbuffer, bigbuffer, sizeof(char) * 20); // BAD: over-write
+	memcpy(bigbuffer, smallbuffer, sizeof(smallbuffer)); // GOOD
+	memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read [NOT DETECTED]
+	memcpy(smallbuffer, bigbuffer, sizeof(smallbuffer)); // GOOD
+	memcpy(smallbuffer, bigbuffer, sizeof(bigbuffer)); // BAD: over-write [NOT DETECTED]
 
 	free(bigbuffer);
 	free(smallbuffer);
@@ -46,10 +46,10 @@ void test3()
 	smallbuffer = new char[10];
 	bigbuffer = new char[20];
 
-	memcpy(bigbuffer, smallbuffer, sizeof(char[10])); // GOOD
-	memcpy(bigbuffer, smallbuffer, sizeof(char[20])); // BAD: over-read
-	memcpy(smallbuffer, bigbuffer, sizeof(char[10])); // GOOD
-	memcpy(smallbuffer, bigbuffer, sizeof(char[20])); // BAD: over-write
+	memcpy(bigbuffer, smallbuffer, sizeof(smallbuffer)); // GOOD
+	memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read [NOT DETECTED]
+	memcpy(smallbuffer, bigbuffer, sizeof(smallbuffer)); // GOOD
+	memcpy(smallbuffer, bigbuffer, sizeof(bigbuffer)); // BAD: over-write [NOT DETECTED]
 
 	delete [] bigbuffer;
 	delete [] smallbuffer;

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 1.7.56
-
-No user-facing changes.
-
-## 1.7.55
-
-No user-facing changes.
-
-## 1.7.54
-
-No user-facing changes.
-
-## 1.7.53
-
-No user-facing changes.
-
 ## 1.7.52
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.53.md

@@ -1,3 +0,0 @@
-## 1.7.53
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.54.md

@@ -1,3 +0,0 @@
-## 1.7.54
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.55.md

@@ -1,3 +0,0 @@
-## 1.7.55
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.56.md

@@ -1,3 +0,0 @@
-## 1.7.56
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.56
+lastReleaseVersion: 1.7.52

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.56
+version: 1.7.53-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 1.7.56
-
-No user-facing changes.
-
-## 1.7.55
-
-No user-facing changes.
-
-## 1.7.54
-
-No user-facing changes.
-
-## 1.7.53
-
-No user-facing changes.
-
 ## 1.7.52
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.53.md

@@ -1,3 +0,0 @@
-## 1.7.53
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.54.md

@@ -1,3 +0,0 @@
-## 1.7.54
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.55.md

@@ -1,3 +0,0 @@
-## 1.7.55
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.56.md

@@ -1,3 +0,0 @@
-## 1.7.56
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.56
+lastReleaseVersion: 1.7.52

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.56
+version: 1.7.53-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/all-platforms/blazor/global.json

@@ -1,5 +0,0 @@
-{
-    "sdk": {
-        "version": "9.0.304"
-    }
-}

csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/global.json

@@ -1,5 +0,0 @@
-{
-    "sdk": {
-        "version": "9.0.304"
-    }
-}

csharp/ql/integration-tests/all-platforms/blazor_net_8/global.json

@@ -1,5 +0,0 @@
-{
-    "sdk": {
-        "version": "8.0.401"
-    }
-}

csharp/ql/integration-tests/all-platforms/dotnet_10/test.py

@@ -1,9 +1,5 @@
-import pytest
-
-@pytest.mark.skip(reason=".NET 10 info command crashes")
 def test1(codeql, csharp):
     codeql.database.create()
 
-@pytest.mark.skip(reason=".NET 10 info command crashes")
 def test2(codeql, csharp):
     codeql.database.create(build_mode="none")

csharp/ql/integration-tests/all-platforms/standalone_failed/global.json

@@ -1,5 +0,0 @@
-{
-  "sdk": {
-    "version": "9.0.304"
-  }
-}

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_error_timeout/global.json

@@ -1,5 +0,0 @@
-{
-    "sdk": {
-        "version": "9.0.304"
-    }
-}

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_fallback/global.json

@@ -1,5 +0,0 @@
-{
-    "sdk": {
-        "version": "9.0.304"
-    }
-}

csharp/ql/lib/CHANGELOG.md

@@ -1,23 +1,3 @@
-## 5.4.4
-
-No user-facing changes.
-
-## 5.4.3
-
-No user-facing changes.
-
-## 5.4.2
-
-No user-facing changes.
-
-## 5.4.1
-
-### Minor Analysis Improvements
-
-* Improved stability when downloading .NET versions by setting appropriate environment variables for `dotnet` commands. The correct architecture-specific version of .NET is now downloaded on ARM runners.
-* Compilation errors are now included in the debug log when using build-mode none.
-* Added a new extractor option to specify a custom directory for dependency downloads in buildless mode. Use `-O buildless_dependency_dir=<path>` to configure the target directory.
-
 ## 5.4.0
 
 ### Deprecated APIs

csharp/ql/lib/change-notes/2025-11-17-compiler-error-debug.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Compilation errors are now included in the debug log when using build-mode none.

csharp/ql/lib/change-notes/2025-11-17-dependencies-directory.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a new extractor option to specify a custom directory for dependency downloads in buildless mode. Use `-O buildless_dependency_dir=<path>` to configure the target directory.

csharp/ql/lib/change-notes/2025-11-19-autobuilder-stability.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved stability when downloading .NET versions by setting appropriate environment variables for `dotnet` commands. The correct architecture-specific version of .NET is now downloaded on ARM runners.

csharp/ql/lib/change-notes/released/5.4.1.md

@@ -1,7 +0,0 @@
-## 5.4.1
-
-### Minor Analysis Improvements
-
-* Improved stability when downloading .NET versions by setting appropriate environment variables for `dotnet` commands. The correct architecture-specific version of .NET is now downloaded on ARM runners.
-* Compilation errors are now included in the debug log when using build-mode none.
-* Added a new extractor option to specify a custom directory for dependency downloads in buildless mode. Use `-O buildless_dependency_dir=<path>` to configure the target directory.

csharp/ql/lib/change-notes/released/5.4.2.md

@@ -1,3 +0,0 @@
-## 5.4.2
-
-No user-facing changes.

csharp/ql/lib/change-notes/released/5.4.3.md

@@ -1,3 +0,0 @@
-## 5.4.3
-
-No user-facing changes.

csharp/ql/lib/change-notes/released/5.4.4.md

@@ -1,3 +0,0 @@
-## 5.4.4
-
-No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.4
+lastReleaseVersion: 5.4.0

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.4
+version: 5.4.1-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/internal/Overlay.qll

@@ -2,8 +2,6 @@
  * Defines entity discard predicates for C# overlay analysis.
  */
 
-private import OverlayXml
-
 /**
  * Holds always for the overlay variant and never for the base variant.
  * This local predicate is used to define local predicates that behave
@@ -112,6 +110,36 @@ private predicate discardLocation(@location_default loc) {
   exists(string path | discardableLocation(loc, path) | overlayChangedFiles(path))
 }
 
+/**
+ * A class of Xml locatables that can be discarded from the base.
+ */
+overlay[local]
+private class DiscardableXmlEntity extends DiscardableEntityBase instanceof @xmllocatable {
+  /** Gets the path to the file in which this element occurs. */
+  override string getFilePath() {
+    exists(@location_default loc | result = getLocationFilePath(loc) | xmllocations(this, loc))
+  }
+}
+
+overlay[local]
+private predicate overlayXmlExtracted(string file) {
+  exists(DiscardableXmlEntity dxe |
+    dxe.existsInOverlay() and
+    file = dxe.getFilePath() and
+    not files(dxe, _) and
+    not xmlNs(dxe, _, _, _)
+  )
+}
+
+overlay[discard_entity]
+private predicate discardXmlEntity(@xmllocatable xml) {
+  overlayChangedFiles(xml.(DiscardableXmlEntity).getFilePath())
+  or
+  // The XML extractor is not incremental and may extract more
+  // XML files than those included in overlayChangedFiles.
+  overlayXmlExtracted(xml.(DiscardableXmlEntity).getFilePath())
+}
+
 overlay[local]
 private class DiscardableAspEntity extends DiscardableEntityBase instanceof @asp_element {
   /** Gets the path to the file in which this element occurs. */

csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll

@@ -1,46 +0,0 @@
-overlay[local]
-module;
-
-/**
- * A local predicate that always holds for the overlay variant and never holds for the base variant.
- * This is used to define local predicates that behave differently for the base and overlay variant.
- */
-private predicate isOverlay() { databaseMetadata("isOverlay", "true") }
-
-private string getXmlFile(@xmllocatable locatable) {
-  exists(@location_default location, @file file | xmllocations(locatable, location) |
-    locations_default(location, file, _, _, _, _) and
-    files(file, result)
-  )
-}
-
-private string getXmlFileInBase(@xmllocatable locatable) {
-  not isOverlay() and
-  result = getXmlFile(locatable)
-}
-
-/**
- * Holds if the given `file` was extracted as part of the overlay and was extracted by the HTML/XML
- * extractor.
- */
-private predicate overlayXmlExtracted(string file) {
-  isOverlay() and
-  exists(@xmllocatable locatable |
-    not files(locatable, _) and not xmlNs(locatable, _, _, _) and file = getXmlFile(locatable)
-  )
-}
-
-/**
- * Holds if the given XML `locatable` should be discarded, because it is part of the overlay base
- * and is in a file that was also extracted as part of the overlay database.
- */
-overlay[discard_entity]
-private predicate discardXmlLocatable(@xmllocatable locatable) {
-  exists(string file | file = getXmlFileInBase(locatable) |
-    overlayChangedFiles(file)
-    or
-    // The HTML/XML extractor is currently not incremental and may extract more files than those
-    // included in overlayChangedFiles.
-    overlayXmlExtracted(file)
-  )
-}

csharp/ql/src/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 1.5.4
-
-No user-facing changes.
-
-## 1.5.3
-
-No user-facing changes.
-
-## 1.5.2
-
-No user-facing changes.
-
-## 1.5.1
-
-No user-facing changes.
-
 ## 1.5.0
 
 ### New Queries
@@ -196,7 +180,7 @@ No user-facing changes.
 
 ### Minor Analysis Improvements
 
-* C#: The method `string.ReplaceLineEndings(string)` is now considered a sanitizer for the `cs/log-forging` query.
+* C#: The method `string.ReplaceLineEndings(string)` is now considered a sanitizer for the `cs/log-forging` query. 
 
 ## 1.0.10